Extend `ssa.Apply` with field ignore rules
To make kustomize-controller compatible with VPA, HPA for custom resources and other controllers which mutate Flux-managed fields in-cluster, we need to wire the ssa/jsondiff logic into the SSA apply functions.
Tasks:
- [x] Move the `ssa` functions used in `jsondiff` to a dedicated package
- [ ] Add `[]jsondiff.IgnoreRule` to the `ssa.ApplyOptions`
- [ ] Remove the ignored fields before the final apply if they diverge
Example:
```go
appliedObject := object.DeepCopy()
// Only strip fields when the object already exists in the cluster.
if existingObject.GetResourceVersion() != "" {
	// Compile each rule's selector and map it to the rule's paths.
	var sm = make(map[*jsondiff.SelectorRegex][]string, len(opts.DriftIgnoreRule))
	for _, ips := range opts.DriftIgnoreRule {
		sr, err := jsondiff.NewSelectorRegex(ips.Selector)
		if err != nil {
			return nil, fmt.Errorf("failed to create ignore rule selector: %w", err)
		}
		sm[sr] = ips.Paths
	}

	// Collect the paths of every rule whose selector matches the object.
	var ignorePaths jsondiff.IgnorePaths
	for sr, paths := range sm {
		if sr.MatchUnstructured(appliedObject) {
			ignorePaths = append(ignorePaths, paths...)
		}
	}

	// Remove the ignored fields from the copy that will be applied.
	if len(ignorePaths) > 0 {
		patch := jsondiff.GenerateRemovePatch(ignorePaths...)
		if err := jsondiff.ApplyPatchToUnstructured(appliedObject, patch); err != nil {
			return nil, err
		}
	}
}

if err := m.apply(ctx, appliedObject); err != nil {
	return nil, fmt.Errorf("%s apply failed: %w", FmtUnstructured(appliedObject), err)
}
```
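The "remove the ignored fields before the final apply" task, as an added example that is not part of the issue or of the Flux code base: it strips JSON-pointer paths from an object map using only the standard library. `IgnoreRule`, `StripIgnored` and `removePointer` are hypothetical names, rules match on `kind` only, and the Deployment is constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// IgnoreRule (hypothetical, simplified): Kind selects objects, Paths are JSON pointers to drop.
type IgnoreRule struct {
	Kind  string
	Paths []string
}

var unescape = strings.NewReplacer("~1", "/", "~0", "~").Replace // RFC 6901 token unescaping

// removePointer deletes the field at pointer and reports whether it existed.
// A missing path is a no-op; only object (map) segments are walked, not array indices.
func removePointer(obj map[string]interface{}, pointer string) bool {
	tokens := strings.Split(strings.TrimPrefix(pointer, "/"), "/")
	for _, tok := range tokens[:len(tokens)-1] {
		next, ok := obj[unescape(tok)].(map[string]interface{})
		if !ok {
			return false
		}
		obj = next
	}
	last := unescape(tokens[len(tokens)-1])
	_, found := obj[last]
	delete(obj, last)
	return found
}

// StripIgnored removes the ignored fields from obj in place and returns the pointers it removed.
func StripIgnored(obj map[string]interface{}, rules []IgnoreRule) []string {
	var removed []string
	kind, _ := obj["kind"].(string)
	for _, r := range rules {
		for _, p := range r.Paths {
			if r.Kind == kind && removePointer(obj, p) {
				removed = append(removed, p)
			}
		}
	}
	return removed
}

func main() {
	// Constructed sample: a Deployment whose replica count is set by an autoscaler.
	deploy := map[string]interface{}{"kind": "Deployment", "spec": map[string]interface{}{"replicas": 3}}
	rules := []IgnoreRule{{Kind: "Deployment", Paths: []string{"/spec/replicas"}}}
	fmt.Println(StripIgnored(deploy, rules), deploy)
}
```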
Would like to contribute to getting this solved as Flux has been great for my use cases until I now need to manage a CRD with a conversion webhook and a cert-manager caBundle that would keep getting removed/added.
Is it "just" a lack of priority and contributions that is blocking this issue or is there something else related to adding the ignore rules that makes this extra complicated to solve?
@alxbse the CRD conversion webhook CA bundle issue was fixed in #952 and will be available in Flux 2.7