Story
Resolution: Unresolved
FLPATH-2601 - Cost Management On-Premise (CoP) Migration
Add support for Kafka SASL/TLS authentication in the cost-onprem Helm chart for secure connections to enterprise Kafka clusters (AMQ Streams, MSK, Confluent).
Background
PR #99 (FLPATH-2685) added BYOI support for Kafka but scoped it to PLAINTEXT connections only. During implementation, we discovered that neither Koku nor ROS applications support Kafka SASL/TLS authentication from environment variables in non-Clowder (on-premise) mode. Chart-level wiring of SASL/TLS values would have no effect without upstream application changes.
Prerequisites (upstream)
Both Koku and ROS need to be updated to read Kafka SASL/TLS configuration from environment variables when running in on-prem mode (non-Clowder):
- Koku: KAFKA_SASL_MECHANISM, KAFKA_SASL_USERNAME, KAFKA_SASL_PASSWORD, KAFKA_SECURITY_PROTOCOL, KAFKA_SSL_CA_LOCATION
- ROS: equivalent Go-side configuration via environment variables or config file
Until those upstream changes land, chart-level SASL/TLS support cannot be implemented.
Scope
Once upstream support is available:
- Add kafka.sasl.mechanism, kafka.sasl.existingSecret, kafka.tls.enabled, kafka.tls.caCertSecret to values.yaml
- Wire these values into Koku and ROS deployment environment variables via _helpers-koku.tpl and _helpers.tpl
- Mount TLS CA certificate from the referenced secret if kafka.tls.enabled
- Update documentation in docs/operations/configuration.md (External Kafka section)
- Add E2E test coverage for SASL_SSL connections
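As an added sketch of how the scope items above could fit together once the upstream changes land (this is illustration, not code from the cost-onprem chart or PR #99): a values.yaml fragment using the keys listed, and helpers that render the Koku environment variables and the CA mount. The helper names, the secret key names (username, password, ca.crt) and the mount path are assumptions.

```yaml
# values.yaml fragment (keys from the scope list; secret key names are assumed)
kafka:
  sasl:
    mechanism: SCRAM-SHA-512          # empty/unset = no SASL
    existingSecret: kafka-sasl-creds  # assumed keys: username, password
  tls:
    enabled: true
    caCertSecret: kafka-ca            # assumed key: ca.crt

# _helpers-koku.tpl (assumed helper names); password is injected via valueFrom so it never appears in rendered manifests
{{- define "kafka.koku.env" -}}
{{- $sasl := .Values.kafka.sasl.mechanism }}
{{- $tls := .Values.kafka.tls.enabled }}
- name: KAFKA_SECURITY_PROTOCOL
  value: {{ if and $sasl $tls }}SASL_SSL{{ else if $sasl }}SASL_PLAINTEXT{{ else if $tls }}SSL{{ else }}PLAINTEXT{{ end }}
{{- if $sasl }}
- name: KAFKA_SASL_MECHANISM
  value: {{ $sasl | quote }}
- name: KAFKA_SASL_USERNAME
  valueFrom:
    secretKeyRef:
      name: {{ required "kafka.sasl.existingSecret is required with a SASL mechanism" .Values.kafka.sasl.existingSecret }}
      key: username
- name: KAFKA_SASL_PASSWORD
  valueFrom:
    secretKeyRef:
      name: {{ .Values.kafka.sasl.existingSecret }}
      key: password
{{- end }}
{{- if $tls }}
- name: KAFKA_SSL_CA_LOCATION
  value: /etc/kafka/ca/ca.crt       # matches the mount below
{{- end }}
{{- end -}}

{{- define "kafka.koku.caVolume" -}}
{{- if .Values.kafka.tls.enabled }}
- name: kafka-ca
  secret:
    secretName: {{ required "kafka.tls.caCertSecret is required when kafka.tls.enabled" .Values.kafka.tls.caCertSecret }}
{{- end }}
{{- end -}}
{{- define "kafka.koku.caVolumeMount" -}}
{{- if .Values.kafka.tls.enabled }}
- name: kafka-ca
  mountPath: /etc/kafka/ca
  readOnly: true
{{- end }}
{{- end -}}
```

The `required` calls make `helm template` and `helm lint` fail early when a mechanism or TLS is enabled without its secret, which is the kind of misconfiguration the acceptance criteria's render checks should catch.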
Acceptance Criteria
- Chart renders correct SASL/TLS environment variables and volume mounts when configured
- helm template and helm lint pass with SASL_SSL configuration
- Documented in the External Kafka section of configuration.md
- Tested against a SASL_SSL-enabled Kafka cluster
Relates to: FLPATH-2685 CoP - Support External Infrastructure Services (BYOI - Bring Your Own Infrastructure) - In Progress