feat(init): add init agent for the agent to only mutate labeled resources#4937

Open
AustinAbro321 wants to merge 29 commits into main from mutate-labeled-option

Member

@AustinAbro321 AustinAbro321 commented May 27, 2026

Description

This introduces a new flag to init, --agent-mutation-policy, with values all and labeled. The default value is all, but we will likely change it to labeled in v1.0. New namespaces created by Zarf during package deploy are labeled with zarf.dev/agent: mutate, so resources are still automatically pointed to the Zarf agent.

Resource labels always take priority, so if the resource has zarf.dev/agent: mutate and the namespace has zarf.dev/agent: ignore, the resource will be mutated. If the resource has zarf.dev/agent: ignore and the namespace has zarf.dev/agent: mutate, the resource will not be mutated.

To my surprise, the podinfo-flux example works even when the agent is in labeled mode. The reason for this is that even though Zarf doesn't deploy any resources to the intended deploy namespace (the flux resources are deployed to flux-system), the manifests.namespace field is declared to podinfo-git and so the mutate label is added:

    manifests:
      - name: podinfo
        namespace: podinfo-git
        files:
          - git/podinfo-source.yaml
          - git/podinfo-kustomization.yaml

Checklist before merging

Signed-off-by: Austin Abro <austinabro321@gmail.com>
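
The label precedence described in the PR description, as an added example (not code from this PR or from Zarf). The type and function names are hypothetical, and the fallback when neither the resource nor the namespace carries a recognized label (mutate under all, skip under labeled) is an assumption.

```go
package main

import "fmt"

// Label key and values are the ones named in the PR description.
const (
	agentLabel = "zarf.dev/agent"
	mutate     = "mutate"
	ignore     = "ignore"
)

// MutationPolicy holds an --agent-mutation-policy value (hypothetical type name).
type MutationPolicy string

// ParseMutationPolicy accepts only the two values the description lists.
func ParseMutationPolicy(s string) (MutationPolicy, error) {
	if s == "all" || s == "labeled" {
		return MutationPolicy(s), nil
	}
	return "", fmt.Errorf("invalid mutation policy %q: want all or labeled", s)
}

// ShouldMutate checks the resource label first, then the namespace label.
// Assumption: with no recognized label at either level, "all" mutates and
// "labeled" does not.
func ShouldMutate(p MutationPolicy, resource, namespace map[string]string) bool {
	for _, labels := range []map[string]string{resource, namespace} {
		switch labels[agentLabel] { // reading a nil map is safe in Go
		case mutate:
			return true
		case ignore:
			return false
		}
	}
	return p == "all"
}

func main() {
	m := map[string]string{agentLabel: mutate} // constructed sample labels
	i := map[string]string{agentLabel: ignore}
	for _, p := range []MutationPolicy{"all", "labeled"} {
		fmt.Println(p, "res=mutate ns=ignore ->", ShouldMutate(p, m, i))
		fmt.Println(p, "res=ignore ns=mutate ->", ShouldMutate(p, i, m))
		fmt.Println(p, "res=none   ns=mutate ->", ShouldMutate(p, nil, m))
		fmt.Println(p, "res=none   ns=none   ->", ShouldMutate(p, nil, nil))
	}
}
```
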
netlify Bot commented May 27, 2026

Deploy Preview for zarf-docs ready!

Name Link
🔨 Latest commit 9566d2b
🔍 Latest deploy log https://app.netlify.com/projects/zarf-docs/deploys/6a1f3402885b690008459448
😎 Deploy Preview https://deploy-preview-4937--zarf-docs.netlify.app

@AustinAbro321 AustinAbro321 changed the title Mutate labeled option feat(init): add agent mutation policy that only mutates labeled resources May 27, 2026
@AustinAbro321 AustinAbro321 marked this pull request as ready for review May 27, 2026 15:24
@AustinAbro321 AustinAbro321 requested a review from a team as a code owner May 27, 2026 15:24
codecov Bot commented May 27, 2026

Codecov Report

❌ Patch coverage is 66.89189% with 49 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
src/internal/agent/hooks/common.go 47.82% 8 Missing and 4 partials ⚠️
src/internal/agent/start.go 0.00% 9 Missing ⚠️
src/pkg/packager/deploy.go 0.00% 9 Missing ⚠️
src/cmd/initialize.go 14.28% 6 Missing ⚠️
src/internal/agent/operations/mutate.go 61.53% 5 Missing ⚠️
src/pkg/cluster/cluster.go 0.00% 2 Missing and 1 partial ⚠️
src/pkg/state/state.go 0.00% 2 Missing and 1 partial ⚠️
src/internal/packager/helm/post-render.go 0.00% 1 Missing ⚠️
src/internal/packager/template/template.go 0.00% 1 Missing ⚠️
Files with missing lines Coverage Δ
src/cmd/viper.go 57.29% <100.00%> (+1.37%) ⬆️
src/internal/agent/hooks/argocd-application.go 72.22% <100.00%> (+1.01%) ⬆️
src/internal/agent/hooks/argocd-applicationset.go 87.50% <100.00%> (+9.72%) ⬆️
src/internal/agent/hooks/argocd-appproject.go 85.41% <100.00%> (+9.49%) ⬆️
src/internal/agent/hooks/argocd-repository.go 79.72% <100.00%> (+2.22%) ⬆️
src/internal/agent/hooks/flux-gitrepo.go 89.28% <100.00%> (+3.57%) ⬆️
src/internal/agent/hooks/flux-helmrepo.go 73.91% <100.00%> (+1.46%) ⬆️
src/internal/agent/hooks/flux-ocirepo.go 81.75% <100.00%> (+1.11%) ⬆️
src/internal/agent/hooks/pods.go 81.67% <100.00%> (+6.33%) ⬆️
src/pkg/cluster/namespace.go 22.44% <100.00%> (+5.05%) ⬆️
... and 9 more

... and 1 file with indirect coverage changes

@AustinAbro321 AustinAbro321 changed the title feat(init): add agent mutation policy that only mutates labeled resources feat(init): add init agent for the agent to only mutate labeled resources May 27, 2026
Contributor

@soltysh soltysh left a comment

Dropping the double unmarshaling and the flag validating would be my two blockers. The rest is just nice to have, or can be addressed in followup (especially that context one).

Comment thread src/internal/agent/hooks/pods.go Outdated
}

func getNamespaceLabels(ctx context.Context, c *cluster.Cluster, name string) (map[string]string, error) {
ns, err := c.Clientset.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
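
Review bot: the Namespaces().Get call on the second line sits on the admission path, and its error decides the outcome when the API server is slow or the namespace is missing, so getNamespaceLabels should carry a doc comment stating how callers must treat that error. Since the labels returned here select between mutating and skipping a resource, a failed lookup should be surfaced as an admission error rather than read as an empty label set.
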
Contributor

Potential improvement, have you considered caching the labels here? For example up to a minute or so, the labels rarely change that fast, so 1min delay could buy us some time, and increase the throughput on subsequent requests.

Member Author

One thing we might be able to do, if I understand the package correctly, is to set up a shared informer which would cache the item in memory and automatically update it for us.

Comment thread src/cmd/initialize.go Outdated
return nil
}

type mutationPolicyFlag state.MutationPolicy
Contributor

Wouldn't just using a simple string flag and validating inside validateinitFlags be simpler than this?

Member Author

Yeah, I liked the idea of using the pflag construct, but I suppose it is more code, and adds a type to the help docs that users don't care about.

mode state.MutationPolicy,
fn func(ctx context.Context, r *admission.AdmissionRequest, obj PT) (*operations.Result, error),
) operations.AdmitFunc {
return func(r *admission.AdmissionRequest) (*operations.Result, error) {
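
Review bot: the first parameter is named mode while its type is state.MutationPolicy and the flag is --agent-mutation-policy; naming it policy would keep one term for the setting across the flag, the type and this guard. A doc comment on the wrapper saying which policy values cause fn to be skipped would also help readers of the hooks that call it.
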
Contributor

It seems you're passing ctx twice here:

  1. when you're invoking withMutationGuard which means you're getting the early context into this function
  2. inside this function again to pass to fn, that one is fine.

I think the right way would be to pass a per-request context, thus expanding the AdmitFunc signature with context like so:

    type AdmitFunc func(ctx context.Context, request *admission.AdmissionRequest) (*Result, error)

especially that you already wrap each execution, so you could guard each request separately.

Although the more I dig into it, it'll likely require a bigger rewrite, to ensure the admission handler from

    result, err := hook.Execute(review.Request)

properly passes a request-scope context.

Contributor

I'd suggest to fix that as followup, or I can pick that up.

Member Author

Makes sense. I was able to write the complete fix; I'll submit a quick follow-up after this PR is in.

AustinAbro321 and others added 4 commits June 2, 2026 15:09
Signed-off-by: Austin Abro <austinabro321@gmail.com>
@AustinAbro321 AustinAbro321 requested a review from soltysh June 2, 2026 19:50
3 participants