Add network policy for eirini webhook registration job

[kieron-dev]

WHAT is this change about?

Eirini has split the instance-index-env-injector component into a webhook registration job and a webhook service deployment to facilitate scaling and to remove cluster permissions from the webhook service.

The webhook service requires network to and from the control plane as before, so the eirini-instance-index-env-injector network policy is being left as is. The new registration job requires outbound network access to the control plane so we are adding this new network policy targeting the job.

This change is required to support versions of eirini > v2.0.0.

Story: https://www.pivotaltracker.com/story/show/175878489

Does this PR introduce a change to config/values.yml?

No

Acceptance Steps

• Deploy cf-for-k8s with the latest eirini-release from master. See that the cf-system/instance-index-env-injector job completes successfully (if not kapp deployment will fail).
• cf push an app. It should succeed and CF_INSTANCE_INDEX should be set in the app's environment. This can be viewed by describing one of the app's pods in cf-workloads.

Tag your pair, your PM, and/or team

@cloudfoundry/eirini

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/176496309

The labels on this github issue will be updated when the story is started.

[linux-foundation-easycla[bot]]

The committers are authorized under a signed CLA.

• :white_check_mark: Kieron Browne (2bab3994edb5d1c89ac3a73ff98b94a18325ea06)

[cf-rel-int-status-bot]

Hello friend, it looks like your pull request has failed one or more of our checks. Please take a look! :eyes: