fix: add NetworkPolicy for DSP apiserver pod self traffic
The DSP apiserver implements TLS by relying on the OpenShift
service cert signer. In order to get this to work nicely with
our openshift-oauth sidecar, we set the Kubernetes service as
the upstream for the oauth container. This means that all incoming
traffic to DSP goes like this:
`client -> DSP service -> DSP oauth -> DSP service -> DSP apiserver`
DSP oauth and DSP apiserver are in the same pod. We haven't explicitly
created a NetworkPolicy to allow that, but it works on AWS and
OpenStack-based clusters. For some yet to be determined reason,
it doesn't work on IBM / Calico / Secure-By-Default clusters.

Add a NetworkPolicy entry to allow the DSP pod to talk to itself
on 8888 and 8887. This fixes the issue where DSP(oauth) can't talk
to DSP(apiserver) via the service (that fronts both containers /
the pod).

Fixes: https://issues.redhat.com/browse/RHOAIENG-14571

Signed-off-by: Greg Sheremeta <gshereme@redhat.com>
gregsheremeta committed Oct 16, 2024
1 parent faba0b7 commit 1667e6d
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions config/internal/common/argo/policy.yaml.tmpl
Expand Up @@ -29,6 +29,10 @@ spec:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: redhat-ods-monitoring
- podSelector:
matchLabels:
app: ds-pipeline-{{.Name}}
component: data-science-pipelines
- podSelector:
matchLabels:
app: mariadb-{{.Name}}
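Review bot: the commit message scopes this self-traffic exception to ports 8888 and 8887, but the added `podSelector` entry (`app: ds-pipeline-{{.Name}}` / `component: data-science-pipelines`) carries no `ports:` of its own, so the port restriction depends entirely on the `ports:` block of the enclosing ingress rule, which lies outside the visible context; confirm that the rule this `from:` entry joins actually lists those two ports rather than being port-unrestricted, and add a template comment above the new entry stating that it exists so the oauth sidecar can reach the apiserver through the Service on Calico / secure-by-default clusters, because a pod-selects-itself rule otherwise reads as redundant and is easy to remove in a later cleanup.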
