ztunnel/helm: move ztunnel daemonset management from operator to helm

[nddq]

Move the ztunnel daemonset from being managed by a controller in the operator to being managed declaratively via Helm templates. This aligns ztunnel with other components like envoy and node-init that are already managed via Helm.

Changes:

• Add new Helm templates for ztunnel (daemonset, secret, serviceaccount)
• Add ztunnel configuration under encryption section in values.yaml
• Add ztunnel serviceAccount configuration in values.yaml
• Remove ztunnel controller from operator (cell.go, controller.go)
• Remove embedded ztunnel-daemonset.yaml from operator

The ztunnel resources are now conditionally deployed when:

• encryption.enabled=true
• encryption.type=ztunnel

Please ensure your pull request adheres to the following guidelines:

• For first time contributors, read Submitting a pull request
• All code is covered by unit and/or runtime tests where feasible.
• All commits contain a well written commit description including a title,
  description and a Fixes: #XXX line if the commit addresses a particular
  GitHub issue.
• If your commit description contains a Fixes: <commit-id> tag, then
  please add the commit author[s] as reviewer[s] to this issue.
• All commits are signed off. See the section Developer’s Certificate of Origin
• Provide a title or release-note blurb suitable for the release notes.
• Are you a user of Cilium? Please add yourself to the Users doc
• Thanks for contributing!

Fixes: #issue-number

<!-- Enter the release note text here if needed or remove this section! -->

[rgo3]

Did you accidentally remove the changes to the values.yaml? I thought I've seen it on your first push 🤔

Also this allows very fine grained configuration of ztunnel. AFAIK we wanted to keep configurability to a minimum for now so that users can't really "bring their own ztunnel" cc @ldelossa

[nddq]

@rgo3 It is fixed now, don't know what happened there 😅, needed to update the values.yaml.tmpl‎ file anyway. For the customization concerns, I think we need to have at least the image and the env vars configurable so that it is easier for testing/releasing.

[nebril]

LGTM, but I will defer to @rgo3 for the amount of configurability in the PR as I don't have enough context for this.

[rgo3]

I'm by no means experienced with helm charts, but looking at our other helm deployments this seems to do roughly the same things. I've pointed out some config nobs where I'm not sure if it makes sense to make them configurable given the cilium agent itself hardcodes these values. If you can make a case for them to stay I'm not going to object, but please see my comments for details.

Thanks for working on this @nddq

[rgo3]

Otherwise LGTM

[rgo3]

/test

[ldelossa]

/test

[rgo3]

Did you manually request the re-review or does this somehow happen after a force-push now @nddq? From the cilium slack I take it the latest change was just a rebase to get CI green and usually rebasing shouldn't trigger another round of getting all reviews. I'm a bit confused why I need to approve it for the 3rd time.

[nddq]

@rgo3 yeah it was a force push for a rebase, but GitHub showed the prompt that I can re-request for a review, so I assumed that a reapproval is needed

[ldelossa]

@nddq yeah no need for us to re-review on a simple force push to rebase against HEAD. :) this is also the third time I'm approving this PR lol

[ldelossa]

/test