Add Istio ambient mode support to Helm chart (#1254)

This commit adds support for Istio ambient mode (sidecar-less data
plane) to all Pulsar components in the Helm chart, following the design
from sn-operator/docs/proposals/istio-ambient-mode-design.md.

Changes:
- Add dataplaneMode field to values.yaml istio section (defaults to
empty for backward compatibility)
- Update PulsarBroker template to include dataplaneMode in istio config
- Update PulsarProxy template to include dataplaneMode in istio config
- Add istio section with dataplaneMode to BookKeeperCluster template
- Add istio section with dataplaneMode to ZooKeeperCluster template

Benefits:
- Backward compatible (empty value defaults to sidecar mode via API)
- Enables ~70-80% resource savings with ambient mode
- Supports migration mode with permissive mTLS
- All components (Broker, Proxy, BookKeeper, ZooKeeper) support ambient
mode

Usage:
Set istio.dataplaneMode: "ambient" to enable sidecar-less data plane Set
istio.dataplaneMode: "sidecar" or leave empty for traditional sidecar
mode

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!--
### Contribution Checklist
  
- Name the pull request in the form "[charts/<chart-name>] Title of the
pull request".
Skip *[charts/<chart-name>]* if the PR doesn't change a specific chart.
E.g. `[docs] Fix typo in README`.

- Fill out the template below to describe the changes contributed by the
pull request. That will give reviewers the context they need to do the
review.
  
- Each pull request should address only one issue, not mix up code from
multiple issues.
  
  - Each commit in the pull request has a meaningful commit message

- Once all items of the checklist are addressed, remove the above text
and this checklist, leaving only the filled out template below.

**(The sections below can be removed for hotfixes of typos)**
-->

*(If this PR fixes a github issue, please add `Fixes #<xyz>`.)*

Fixes #<xyz>

*(or if this PR is one task of a github issue, please add `Master Issue:
#<xyz>` to link to the master issue.)*

Master Issue: #<xyz>

### Motivation

*Explain here the context, and why you're making that change. What is
the problem you're trying to solve.*

### Modifications

*Describe the modifications you've done.*

### Verifying this change

- [ ] Make sure that the change passes the CI checks.

*(Please pick either of the following options)*

This change is a trivial rework / code cleanup without any test
coverage.

*(or)*

This change is already covered by existing tests, such as *(please
describe tests)*.

*(or)*

This change added tests and can be verified as follows:

*(example:)*
- *Added integration tests for end-to-end deployment with large payloads
(10MB)*
  - *Extended integration test for recovery after broker failure*

### Documentation

Check the box below.

Need to update docs? 

- [ ] `doc-required` 
  
  (If you need help on updating docs, create a doc issue)
  
- [x] `no-need-doc` 
  
  (Please explain why)
  
- [ ] `doc` 
  
  (If this PR contains doc changes)

Co-authored-by: Claude <[email protected]>

Author: fantapsody

charts/sn-platform-slim/templates/bookkeeper/bookkeeper-cluster.yaml

@@ -176,6 +176,17 @@ spec:
         {{- include "pulsar.bookkeeper.ledgers.storage.class" . | nindent 8 }}
     reclaimPolicy: {{ .Values.bookkeeper.volumes.reclaimPolicy | default "Delete" }}
   {{- end }}
+  {{- if .Values.istio.enabled }}
+  istio:
+    enabled: true
+    {{- if .Values.istio.dataplaneMode }}
+    dataplaneMode: {{ .Values.istio.dataplaneMode }}
+    {{- end }}
+    {{- if .Values.istio.migration }}
+    mtls:
+      mode: permissive
+    {{- end }}
+  {{- end }}
   config:
     {{- with .Values.bookkeeper.rackAwareTopologyLabels }}
     rackAwareTopologyLabels:

charts/sn-platform-slim/templates/broker/broker-cluster.yaml

@@ -168,6 +168,9 @@ spec:
   {{- if and .Values.istio.enabled .Values.ingress.broker.enabled }}
   istio:
     enabled: true
+    {{- if .Values.istio.dataplaneMode }}
+    dataplaneMode: {{ .Values.istio.dataplaneMode }}
+    {{- end }}
     {{- if .Values.istio.migration }}
     mtls:
       mode: permissive

charts/sn-platform-slim/templates/proxy/proxy-cluster.yaml

@@ -114,6 +114,9 @@ spec:
   {{- if .Values.istio.enabled }}
   istio:
     enabled: true
+    {{- if .Values.istio.dataplaneMode }}
+    dataplaneMode: {{ .Values.istio.dataplaneMode }}
+    {{- end }}
     {{- if eq .Values.ingress.proxy.type "IstioGateway" }}
     gateway:
       selector:

charts/sn-platform-slim/templates/zookeeper/zookeeper-cluster.yaml

@@ -180,6 +180,17 @@ spec:
 {{- include "pulsar.zookeeper.dataLog.storage.class" . | nindent 6 }}
     reclaimPolicy: {{ .Values.zookeeper.volumes.reclaimPolicy | default "Delete" }}
   {{- end }}
+  {{- if .Values.istio.enabled }}
+  istio:
+    enabled: true
+    {{- if .Values.istio.dataplaneMode }}
+    dataplaneMode: {{ .Values.istio.dataplaneMode }}
+    {{- end }}
+    {{- if .Values.istio.migration }}
+    mtls:
+      mode: permissive
+    {{- end }}
+  {{- end }}
   config:
     serverCnxnFactory: {{ .Values.zookeeper.serverCnxnFactory }}
     # copy from configmap

charts/sn-platform-slim/values.yaml

@@ -2459,6 +2459,11 @@ istio:
   # mergeMetrics should be enabled if you want to scrape pulsar metrics from an external prometheus not running on Istio
   # prometheus and grafana will not be Istio injected if mergeMetrics is enabled
   mergeMetrics: false
+  # Istio data plane mode: "sidecar" or "ambient"
+  # - sidecar: Traditional per-pod sidecars (default if empty)
+  # - ambient: Sidecar-less data plane using ztunnel for L4 mTLS (~70-80% resource savings)
+  # Leave empty for default behavior (sidecar mode)
+  dataplaneMode: ""
   gateway:
     # gateway selector if it's not `istio: ingressgateway`
     selector: {}