fix: support for ephemeral container mutation

[brandtkeller]

Description

See the related issue - Ephemeral Containers are not explicitly supported by the zarf agent for mutation. This adds support by ensuring the pods/ephemeralcontainers subresource is being included in the MutatingWebhookConfiguration.

largely this should always be an operation that is being done on a pod that has already been patched - therefore we need to enable an exception for a pre-patched pod to still allow mutation of the ephemeral containers even if previously patched.

Changes

A pod cannot be created or updated with ephemeral containers defined declaratively. The original code for ephemeral containers should not be reachable - therefor moved it out of the primary pod mutation logic and into the ephemeral containers mutation logic.

Related Issue

Fixes #2153

Checklist before merging

• Test, docs, adr added or updated as needed
• Contributor Guide Steps followed

[netlify]

✅ Deploy Preview for zarf-docs ready!

Name	Link
🔨 Latest commit	d7317f4
🔍 Latest deploy log	https://app.netlify.com/sites/zarf-docs/deploys/67d45b417f2ea000086d87b2
😎 Deploy Preview	https://deploy-preview-3560--zarf-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 73.91304% with 12 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
src/internal/agent/hooks/pods.go	73.91%	9 Missing and 3 partials ⚠️

Files with missing lines	Coverage Δ
src/internal/agent/hooks/pods.go	74.61% <73.91%> (-2.06%)	⬇️

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[brandtkeller]

Current side-effect - image annotations get updated as a not-entirely-idempotent workflow. Working to address this.

[AustinAbro321]

@brandtkeller To give some more context, the reason the agent is not fully idemopotent is because of the crchash we append to images, see https://docs.zarf.dev/ref/init-package/#image-mutation-to-unique-hashed-tags. If the agent was to mutate these resources twice, the crchash would no longer be correct. Open to other ways of checking besides a patched label, but I know that confused me when I first saw it

[brandtkeller]

Thanks for the context @AustinAbro321. Agree on multiple mutation side-effects.

I do believe that the transform has an early return in the case of the crchash scenario that would prevent re-compute? Does this sound correct or is there something I am not considering?

[AustinAbro321]

Great point, I thought I remembered running into a gotcha here, maybe it was just the annotations

[AustinAbro321]

I think we should add to the E2E tests to ensure the kube API server is sending us the information we expect, I.E. an empty sub resource on non ephemeral container requests and responding to the changes in the webhook.yaml properly.

Other than that looks good

[brandtkeller]

This is a bit "cludgy" - if there is a better pattern here - I am open to it. Otherwise there is some race condition between the kubectl debug command and get command such that it returns an empty string (possibly getting information too quickly before the mutation and admission has occurred).

[AustinAbro321]

Looks like should work

kubectl wait --for=condition=Ready pod/my-debug-pod --timeout=10s

[mkcp]

Definitely favor an await-style API over polling and checking 👍

[brandtkeller]

The issue here being that the pod status never changes and the use of debug is adding a ephemeral container to an existing pod.

[AustinAbro321]

A few small tests things

[mkcp]

LGTM - nice job

[mkcp]

👍

[mkcp]

👍 Clean