Fix bug with cross namespace policy

[jm96441n]

Changes proposed in this PR:

When new namespace is created we should automatically apply the cross-namespace-policy policy to the newly created namespace to ensure cross namespace communication is allowed.

Fixes #510

How I've tested this PR:

• Clone the files from the following gist: https://gist.github.com/jm96441n/7e005c82fa918b7b73c11abb617b4998
• Replace the <YOUR ENTERPRISE KEY> with a key for enterprise consul in the deploy.sh file
• From the api-gw repo run make docker/dev on the main branch (without these changes)
• Run the deploy.sh script
• After that finishes from the terminal run curl 0:30602 -vv --header 'Host: nginx.green.daskt.nsbug.it' and you should see a 503 error along with no healthy upstream
• In the consul UI if you select Manage Namespaces from the Namespaces drop down you will see the green namespace does not have the cross-namespace-policy attached to it
• In the api-gateway repo checkout this branch and run make docker/dev again to build the image with the changes from this branch
• Run the reload.sh script from the gist
• After that finishes from the terminal run curl 0:30602 -vv --header 'Host: nginx.green.daskt.nsbug.it' and you should see a response with a bunch of html (you may see a "connection reset by peer" error, if so give things a few seconds to reconcile and try again)
• In the consul UI if you select Manage Namespaces from the Namespaces drop down you will see the green namespace now has the cross-namespace-policy attached to it

How I expect reviewers to test this PR:

Code Review
Can run the above steps

Checklist:

• Tests added
• CHANGELOG entry added

  Run make changelog-entry for guidance in authoring a changelog entry, and
  commit the resulting file, which should have a name matching your PR number.
  Entries should use imperative present tense (e.g. Add support for...)

[andrewstucki]

Overall looks decent to me, two quick questions:

1. About the way we're adding flags, see below, and
2. About whether or not we want to handle patching existing namespaces with this additional policy

[andrewstucki]

Do we want to update an existing namespace with the policy in case it was created without? I'm thinking probably not since users could create the namespace themselves with a different set of policies that still allow for cross-namespace service resolution and maybe some other stuff they're interested in.

But, if we do I think we'll probably need to do something like append this policy onto an existing namespace and then CAS the namespace if the policy wasn't previously there.

[jm96441n]

yeah I don't think we want to patch existing namespaces for that reason you mentioned: they're not managed by us and might give broader permissions than the operator wants (it could be a bit of a footgun, but if the operator is manually creating namespaces I'd expect them to also be managing the permissions)

[andrewstucki]

We'll want to make a corresponding change in the Helm chart to set the environment variables. Feel free to link it back here.

[jm96441n]

so @andrewstucki it looks like there might already be an env variable in the helm chart to handle that (should've checked their there first) https://github.com/hashicorp/consul-k8s/blob/main/charts/consul/templates/api-gateway-controller-deployment.yaml#L119
going to update this PR to use that