Support disabling Zookeeper client in Proxy

[lhotari]

Motivation

Pulsar proxy documentation makes this recommendation:

In a production environment service discovery is not recommended.

However, it is not secure to use service discovery. Because if the network ACL is open, when someone compromises a proxy, they have full access to ZooKeeper.

it also explains that you cannot use authorization when zookeeper client isn't configured in the proxy:

Proxy authorization requires access to ZooKeeper, so if you use these broker URLs to connect to the brokers, you need to disable authorization at the Proxy level. Brokers still authorize requests after the proxy forwards them.

Modifications

• add new values keys .Values.proxy.zookeeperClientEnabled and .Values.proxy.authorizationEnabled to allow disabling the zookeeper client in Proxy and for disabling authorization in the proxy. the default values are true for these settings.

[eolivelli]

I am +1 with this change, but please note that for Starlight for Kafka (and probably starlight for RabbitMQ) we need the ZooKeeper client and the Authorisation service on the Proxy. This is because the Kafka proxy has to implement authorisation

cc @cbornet

[lhotari]

I am +1 with this change, but please note that for Starlight for Kafka (and probably starlight for RabbitMQ) we need the ZooKeeper client and the Authorisation service on the Proxy. This is because the Kafka proxy has to implement authorisation

cc @cbornet

the defaults haven't changed. it would have to be explicitly disabled in values.yaml.