add CNPs for write and backend pods

[QuantumEnigmaa]

Towards giantswarm/roadmap#3189

These CNPs could otherwise be added as extra-objects in the config. Or we could create an "additionalCiliumNetPols" field upstream (or something of the sort).
Until we decide on any of those, this will allow loki to work on CAPVCD clusters

[QuentinBisson]

LGTM if tested also on vintage :)

[QuantumEnigmaa]

This was tested on both gerbil and golem and it works as intended. But since on vintage these fields will be disabled I'm not sure we need to test it there 🤷

[QuentinBisson]

Sure :) then make sure to also do the config change

[QuantumEnigmaa]

Side note concerning golem : with or without the CNPs the gateway pods as well as the promtail ones are experiencing issues.

gateway pods :

100.64.0.78 - golem [20/Feb/2024:15:41:53 +0000]  502 "POST /loki/api/v1/push HTTP/1.1" 157 "-" "GrafanaAgent/v0.37.2" "3.11.43.118"
2024/02/20 15:41:55 [crit] 10#10: *3974 connect() to 172.31.98.99:3101 failed (1: Operation not permitted) while connecting to upstream, client: 100.64.4.134, server: , request: "POST /loki/api/v1/push HTTP/1.1", upstream: "http://172.31.98.99:3101/loki/api/v1/push", host: "loki.golem.gaws.gigantic.io

promtail :

level=warn ts=2024-02-20T15:40:27.606152414Z caller=client.go:419 component=client host=loki.golem.gaws.gigantic.io msg="error sending batch, will retry" status=502 tenant=golem error="server returned HTTP status 502 Bad Gateway (502): <html>"

So adding the CNPs didn't change anything but still I'm a bit troubled by this

[marieroque]

No more error on golem, it was related to https://github.com/giantswarm/loki-app/blob/master/CHANGELOG.md#fixed
We had to delete the loki-multi-tenant-proxy deployment.

[marieroque]

LGTM