"Tunnel Mode" (the default) is where all client traffic from the access points is tunneled back to the controller and the controller would in turn put the client traffic onto the network. The advantage is that access points can be on any VLAN, and as long as they can reach the controller, the client traffic can be extended anywhere you can place an access point. In the distant past, access points were configured individually and you had to configure a "trunk" on the switch for each individual access point so that each could send multiple different types of client traffic. In tunnel mode, the only trunk is configured on the controller, saving quite a bit of administrative work.
"Bridge Mode" is synonymous with configuring access points in the past, by configuring a trunk for each access point to be able to send multiple types of different traffic. You would typically do this if you have a wan link separating the access point on the controller, and tunneling client traffic would introduce too much latency. The current recommendation when a WAN link separates a controller and access point(s) is to use Aruba Instant, instead and NOT bridge mode.
You lose quite a few features using bridge mode and it is not recommended in practice.