feat(helm): add Gateway API and Istio native resource toggles, enable TCPRoute and VirtualService adjustments

Author: CoderYellow

kafka/README.md

@@ -21,6 +21,12 @@ Key toggles:
 - `mirrorMaker.enabled`
 - `istio.enabled` with opt-in `HTTPRoute`, `TCPRoute`, `VirtualService`, `DestinationRule`, `PeerAuthentication`, and `AuthorizationPolicy` resources
 
+API-family switches:
+
+- Gateway API only: `istio.enabled=true`, `istio.gatewayApi.enabled=true`, `istio.native.enabled=false`
+- Istio native only: `istio.enabled=true`, `istio.gatewayApi.enabled=false`, `istio.native.enabled=true`
+- Mixed: keep both enabled and enable only the individual resources available in the cluster
+
 For production, prefer providing an external Kerberos secret or RWX volume containing `client/krb5.conf` and service keytabs. When using a secret, set `kerberos.existingSecret` and map keys into nested paths with `kerberos.existingSecretItems`, for example `[{key: krb5.conf, path: client/krb5.conf}, {key: kafka-0.keytab, path: keytabs/kafka-0.keytab}]`.
 
 Kerberos clients should use the StatefulSet broker DNS names from the headless service. If exposing Kafka through an Istio TCP route, add a matching `kafka/<external-host>@REALM` service principal and keytab, or override the advertised listener and Kerberos principal pattern accordingly.

kafka/templates/istio.yaml

@@ -3,6 +3,7 @@
 {{- $fullname := include "kafka.fullname" . }}
 {{- $labels := include "kafka.labels" . }}
 {{- $parentRefs := .Values.istio.parentRefs }}
+{{- if .Values.istio.gatewayApi.enabled }}
 {{- range $name, $route := .Values.istio.httpRoutes }}
 {{- if $route.enabled }}
 ---
@@ -83,6 +84,8 @@ spec:
     {{- end }}
 {{- end }}
 {{- end }}
+{{- end }}
+{{- if .Values.istio.native.enabled }}
 {{- if .Values.istio.destinationRules.enabled }}
 {{- range .Values.istio.destinationRules.rules }}
 ---
@@ -212,7 +215,8 @@ spec:
   {{- with .rules }}
   rules:
     {{- toYaml . | nindent 4 }}
-  {{- end }}
+{{- end }}
+{{- end }}
 {{- end }}
 {{- end }}
 {{- end }}

kafka/values.yaml

@@ -225,6 +225,10 @@ istio:
   namespace: ""
   labels: {}
   annotations: {}
+  gatewayApi:
+    enabled: true
+  native:
+    enabled: true
   parentRefs:
     - name: k8s-infra-gateway
       namespace: istio-ingress
@@ -251,7 +255,7 @@ istio:
 
   tcpRoutes:
     kafka:
-      enabled: true
+      enabled: false
       apiVersion: gateway.networking.k8s.io/v1alpha2
       nameOverride: ""
       rules:
@@ -260,7 +264,7 @@ istio:
               port: 9092
 
   virtualServices:
-    enabled: false
+    enabled: true
     apiVersion: networking.istio.io/v1
     services: []
     # - name: kafka-tcp