feat(runtime): add ignore-fields selective field reconciliation #256

Open
sapphirew wants to merge 1 commit into aws-controllers-k8s:main from sapphirew:selective-reconciliation

@sapphirew sapphirew commented Jun 19, 2026

Contributor

Summary

This PR adds an opt-in, runtime-level mechanism for selective field reconciliation — telling ACK to treat specific named fields of a custom resource as non-existent. An ignored field is not sent at create, excluded from the reconcile delta, never late-initialized, and never persisted to the CR spec.

The motivating case is aws-controllers-k8s/community#2367: IAM role tags that are injected externally (e.g. by an automated tagging system), where an SCP denies iam:UntagRole. Today ACK detects the externally-injected tags as drift and tries to remove them, which the SCP rejects, leaving the resource stuck in a reconcile-error loop. With this feature the operator can mark the tags field as ignored, so ACK leaves it entirely to the external manager.

The feature is opt-in two ways: it only activates when the resource carries the new annotation, and only when the Alpha SelectiveReconciliation feature gate is enabled (disabled by default).

Semantics

An ignored field is treated as if it does not exist on the desired resource:

  • Not sent at create — cleared from the desired object before the create call.
  • Excluded from the delta — observed values are merged into a deep copy of desired before the delta is computed, so no spurious diff is produced (suppression + anti-clobber).
  • Not late-initialized — late-init results are stripped of ignored fields.
  • Cleared from spec write-back — ignored fields are dropped from both patch sides in patchResourceMetadataAndSpec, so they are never persisted to the stored CR. The stored CR is never mutated in place.
  • ResourceSynced stays True for ignored-only drift — drift on an ignored field never blocks sync.

What's in this PR (runtime pieces)

  • New annotation services.k8s.aws/ignore-fields — comma-separated JSON-style field paths.
  • New feature gate SelectiveReconciliation (Alpha, disabled by default).
  • applyIgnoredFields — merges observed values into a deep copy of desired before the delta is computed (suppression + anti-clobber); the stored CR is never mutated.
  • clearIgnoredFields — drops ignored fields at create and from the spec write-back (both patch sides in patchResourceMetadataAndSpec); late-init results are stripped of ignored fields.
  • FilterIgnoredDeltaDifferences — removes ignored-path differences from a computed delta; intended to be called from generated per-resource delta code so requeue / IsSynced paths also ignore drift (see companion code-generator change).
  • Process-wide SetGlobalFeatureGates / GetGlobalFeatureGates — write-once at startup via BindControllerManager, so generated package-level delta code can consult the gate.
  • Log-only observability — drift on ignored fields is surfaced via a log line only (no condition in v1).

Companion PR / ordering

A companion code-generator PR adds a call to FilterIgnoredDeltaDifferences in the generated delta template, so that requeue / IsSynced paths also ignore drift on ignored fields. That PR depends on this PR being merged and released first, because it imports the new runtime helper. The link will be added here once the code-generator PR exists.

Out of scope / follow-ups

  • Additive (partial collection) management — managing only some elements of a collection — is deferred due to the orphan / 3-way-merge problem.
  • CR-visible drift condition — deferred pending multi-advisory handling; v1 surfaces ignored-field drift via a log line only.
  • Identity-field protection — preventing identity/primary-key fields from being ignored.
  • generator.yaml allowlist — restricting which fields a given resource is allowed to ignore.

Testing

  • Unit tests for applyIgnoredFields / clearIgnoredFields (and supporting helpers) in pkg/runtime/selective_reconciliation_test.go.
  • go build ./... passes.
  • go test ./pkg/runtime/... ./pkg/condition/... ./pkg/featuregate/... ./apis/... passes.

Refs #2367

Adds an opt-in, runtime-level mechanism for telling ACK to treat named
fields of a custom resource as non-existent: ACK does not send them at
create, excludes them from the reconcile delta, does not late-initialize
them, and does not persist them to the CR spec. This lets a resource be
managed by ACK while specific fields are managed externally (e.g.
externally-injected IAM role tags that an SCP forbids ACK from removing).

- New annotation services.k8s.aws/ignore-fields (comma-separated
  JSON-style field paths).
- New feature gate SelectiveReconciliation (Alpha, disabled by default).
- applyIgnoredFields merges observed values into a deep copy of desired
  before the delta is computed (suppression + anti-clobber); the stored
  CR is never mutated.
- clearIgnoredFields drops ignored fields at create and from the spec
  write-back (both patch sides in patchResourceMetadataAndSpec); late-init
  results are stripped of ignored fields.
- FilterIgnoredDeltaDifferences removes ignored-path differences from a
  computed delta; intended to be called from generated per-resource delta
  code so requeue/IsSynced paths also ignore drift (see companion
  code-generator change).
- Process-wide SetGlobalFeatureGates/GetGlobalFeatureGates (write-once at
  startup via BindControllerManager) so generated package-level delta code
  can consult the gate.
- Drift on ignored fields is surfaced via a log line only (no condition in
  v1).

Refs aws-controllers-k8s/community#2367
@ack-prow ack-prow Bot requested review from jlbutler and michaelhtm June 19, 2026 08:28
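
The suppression and anti-clobber semantics from the PR description, as an added Go sketch that is not code from this PR or from the ACK runtime. A flattened path-to-value map stands in for the CR; `flat`, `ignored`, `reconcileView` and the dotted path syntax are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// flat maps a leaf path to its value; a missing or "" entry means the leaf is
// absent. The dotted path syntax is assumed, the PR text does not spell it out.
type flat map[string]string

// ignored reports whether path is, or lies under, a path in the annotation value.
func ignored(path, annotation string) bool {
	for _, p := range strings.Split(annotation, ",") {
		p = strings.TrimSpace(p)
		if p != "" && (path == p || strings.HasPrefix(path, p+".")) {
			return true
		}
	}
	return false
}

// reconcileView (hypothetical name) builds the desired state the delta is
// computed from, in a new map, and returns it with the set of drifted paths.
func reconcileView(desired, observed flat, annotation string) (flat, map[string]bool) {
	eff, drift := flat{}, map[string]bool{}
	for _, side := range []flat{desired, observed} {
		for p := range side {
			if ignored(p, annotation) {
				eff[p] = observed[p] // external value wins: no diff, no clobber
			} else {
				eff[p] = desired[p]
			}
			if eff[p] != observed[p] {
				drift[p] = true
			}
		}
	}
	return eff, drift
}

func main() {
	// Constructed sample: an external tagger added spec.tags.auto-owner.
	desired := flat{"spec.description": "v2", "spec.tags.team": "payments"}
	observed := flat{"spec.description": "v1", "spec.tags.team": "payments",
		"spec.tags.auto-owner": "tagger"}
	_, all := reconcileView(desired, observed, "")
	eff, kept := reconcileView(desired, observed, "spec.tags")
	fmt.Println(len(all), len(kept), eff["spec.tags.auto-owner"]) // 2 1 tagger
}
```

Drift on `spec.description` is still reported with the annotation set, and the caller's `desired` map is left untouched.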
@sapphirew

Contributor Author

Companion code-generator PR: aws-controllers-k8s/code-generator#714 — it adds the call to FilterIgnoredDeltaDifferences in the generated delta template and depends on this PR being merged + released first.

ack-prow Bot commented Jun 19, 2026


[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sapphirew
Once this PR has been reviewed and has the lgtm label, please assign a-hilaly for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
