Add NetworkPolicy to allow Traefik ingress into flux-system namespace

Without this policy, Flux default NetworkPolicies block traffic from kube-system
(where Traefik runs) to flux-system, causing 502 errors for both the weave-gitops
dashboard and cert-manager ACME HTTP-01 solver pods.

clusters/lab/infrastructure/weave-gitops.yaml

@@ -38,6 +38,26 @@ spec:
         memory: 128Mi
 ---
 apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingress-from-traefik
+  namespace: flux-system
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: kube-system
+    ports:
+    - port: 9001
+      protocol: TCP
+    - port: 8089
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: weave-gitops