Add a locked down mode for charmed istio which requires AuthorizationPolicies for all communication

[ca-scribner]

Enhancement Proposal

To enhance security within a charmed istio service mesh, we should add hardening configurations that can globally enforce:

• entities on the service mesh can only communicate with mTLS
• entities on the service mesh can only communicate with with other entities if that communication has been explicitly authorized (by charm or admin)

It might make sense to expose these as two separate configurations (so someone can require mTLS but not AuthorizationPolicies).

As part of this task, we should also investigate if there's any other hardening that should be done.

[ca-scribner]

With ambient, making an allow-nothing policy is not so straightforward:

• if a workload has no waypoint, then a global allow-nothing L4 policy works
• if a workload has a waypoint, then we need both allow-nothing L4 and L7 policies. afaict there is no global L7 allow-nothing equivalent (asked about it here), so we also need a specific L7 allow-nothing for every workload (including any non-charmed workloads)