Add executor Cilium network policy guard#870

Open
marcleblanc2 wants to merge 2 commits into main from add-executor-cilium-network-policy

Conversation

@marcleblanc2
Contributor

Summary

  • add optional CiliumNetworkPolicy deny guards for executor controller and job pods
  • select executor-created job pods by sourcegraph/job-id and sourcegraph/run-id instead of sourcegraph/queue
  • deny other Sourcegraph pods, sourcegraph-frontend-internal, and frontend internal/debug ports while leaving existing frontend/code-host/DNS egress policies intact

Test plan

  • helm template sourcegraph-executor charts/sourcegraph-executor/k8s --namespace executor-controller --set executor.queueNames='{batches,codeintel}' --set executor.namespace=executor-jobs --set executor.frontendPassword=dummy --set executor.frontendUrl=http://sourcegraph-frontend.sourcegraph.svc.cluster.local:30080 --set executor.ciliumNetworkPolicy.enabled=true --set executor.ciliumNetworkPolicy.sourcegraphNamespace=sourcegraph
  • helm template sourcegraph-executor charts/sourcegraph-executor/k8s --namespace executor-controller --set executor.queueNames='{batches,codeintel}' --set executor.frontendPassword=dummy --set executor.frontendUrl=http://sourcegraph-frontend:30080 | rg -n "CiliumNetworkPolicy|cilium.io" || true
  • helm lint charts/sourcegraph-executor/k8s --set executor.queueNames='{batches,codeintel}' --set executor.frontendPassword=dummy --set executor.frontendUrl=http://sourcegraph-frontend.sourcegraph.svc.cluster.local:30080 --set executor.ciliumNetworkPolicy.enabled=true --set executor.ciliumNetworkPolicy.sourcegraphNamespace=sourcegraph
  • ./scripts/helm-docs.sh
  • ruby -e 'require "yaml"; YAML.load_stream(File.read("/tmp/sourcegraph-executor-cilium-render.yaml")); puts "render yaml ok"'

@marcleblanc2
Contributor Author

marcleblanc2 commented Jun 2, 2026

Updated after the EKS Auto Mode vs normal EKS + Cilium distinction: the chart policy now explicitly allows egress to the user-facing Sourcegraph frontend service with egress.toServices, while keeping egressDeny for other Sourcegraph pods/services and frontend internal/debug ports. This should behave correctly if the customer already has Cilium default-deny egress in place.
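The shape of the guard described in the PR and in the comment above, written out as an added example manifest; it is not the chart's template and not part of this PR's diff. The job-pod label keys (sourcegraph/job-id, sourcegraph/run-id), the job namespace (executor-jobs), the Sourcegraph namespace and the frontend Service name (sourcegraph-frontend, taken from the frontendUrl host in the test plan) come from the page. The policy name, the frontend pod label app=sourcegraph-frontend, and the frontend-internal port 3090 and debug port 6060 are assumptions; substitute the values from your own deployment.

```yaml
# Added example of an executor job-pod egress guard (not the chart's own template).
# Assumptions not stated in the PR: frontend pods carry app=sourcegraph-frontend,
# the frontend-internal API port is 3090 and the debug port is 6060.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: executor-jobs-guard        # assumed name
  namespace: executor-jobs         # executor.namespace from the test plan
spec:
  # Select only executor-created job pods. The label keys come from the PR; their
  # values differ per job, so match on key presence rather than on a value.
  endpointSelector:
    matchExpressions:
      - { key: sourcegraph/job-id, operator: Exists }
      - { key: sourcegraph/run-id, operator: Exists }
  egress:
    # Allow the user-facing frontend Service (namespace = 
    # executor.ciliumNetworkPolicy.sourcegraphNamespace in the test plan).
    - toServices:
        - k8sService:
            serviceName: sourcegraph-frontend
            namespace: sourcegraph
  egressDeny:
    # Deny every other pod in the Sourcegraph namespace. Cilium evaluates deny
    # rules before allow rules, so the frontend pods must be carved out here or
    # the toServices allow above would never take effect.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: sourcegraph
          matchExpressions:
            - { key: app, operator: NotIn, values: [sourcegraph-frontend] }
    # On the frontend pods themselves, deny only the internal API and debug
    # ports (assumed 3090 and 6060); the public port reached through the
    # Service stays reachable via the allow rule.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: sourcegraph
            app: sourcegraph-frontend
      toPorts:
        - ports:
            - { port: "3090", protocol: TCP }
            - { port: "6060", protocol: TCP }
```

Two points worth checking against the rendered chart output from the test plan: a deny rule that selects the whole Sourcegraph namespace without excluding the frontend pods cancels the toServices allow, because toServices resolves to the Service's backend pod identities and deny takes precedence; and the existing DNS and code-host egress allows the PR leaves in place must remain in their own rules, since a policy with egressDeny but no matching allow drops that traffic under default-deny.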
