Enable Istio mTLS for ECK Operator

By default, when istio is deployed, it's deployed with a PERMISSIVE mode that allows an istio injected pod to talk to any non-istio pod without mutual TLS.

Istio uses PeerAuthentication to enforce mTLS at the mesh level and can be applied either at the namespace level, which applies to all pods in the namespace, or at a global level when the PeerAuthentication is applied to the istio-system namespace.

1. Create the PeerAuthentication in the {{ .Release.Namespace }} namespace (NOTE: this should be added to the package repo).

   apiVersion: security.istio.io/v1beta1
   kind: PeerAuthentication
   metadata:
     name: default-{package}
     namespace: {{ .Release.Namespace }}
   spec:
     mtls:
       mode: STRICT

   If other packages deploy in the same namespace, add a selector so that the STRICT policy only applies to pods from this package.
2. Test the functionality of the package
3. When there are issues, add an exception policy

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: name-of-expection
  namespace: {{ .Release.Namespace }}
spec:
  selector:
    matchLabels:
      exception: label-here
  mtls:
    mode: PERMISSIVE

4. iterate on 2) and 3)
5. Add conditionals to the PeerAuthentication objects so that they are only created when .Values.istio.mtls and .Values.istio.enabled are true inside each package chart. Set istio.mtls to true by default in chart/values.yaml.