Add optional default-deny NetworkPolicy template.

[p-rog]

Add optional default-deny NetworkPolicy template

Add a namespace-wide default-deny NetworkPolicy that blocks all ingress
and egress for pods without an explicit allow policy. Gated by
defaultDenyNetworkPolicy.enabled (default false) so existing patterns
are unaffected.

Patterns that need zero-trust network isolation can enable this and
provide per-pod allow rules via vault.server.networkPolicy (already
supported by the upstream vault subchart).

Tested on an OpenShift 4.21 cluster with the layered-zero-trust pattern.