feat(api): add spec.setup to Workspace for pre-agent init containers

[knechtionscoding]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Adds a new optional spec.setup field to the Workspace CRD, allowing users to
run custom init containers after git clone but before the agent starts.

This enables use cases like:

• Running npm ci or pip install so the agent doesn't burn API credits on
  dependency installation
• Compiling protobuf definitions or running code generation
• Pulling large data files or setting up database schemas

Setup containers receive the workspace volume (at /workspace, working
directory set to /workspace/repo) and any user-defined spec.volumes mounts.
They run as the agent UID (61100) for filesystem permission compatibility.

Changes:

• api/v1alpha1/workspace_types.go: New SetupContainer and EnvVar types,
  Setup field on WorkspaceSpec
• internal/controller/job_builder.go: Appends setup containers as init
  containers after file injection, before plugin setup
• internal/controller/job_builder_test.go: 6 new tests (single, multiple,
  with volumes, with env vars, ordering with files+plugins, empty backward
  compat)
• Generated: deepcopy, CRD manifests via make update

Which issue(s) this PR is related to:

Part of kelos-dev#774 (second of two PRs — first was kelos-dev#921 adding spec.volumes)

Special notes for your reviewer:

• Init container ordering is: git-clone → remote-setup → branch-setup →
  workspace-files → setup containers → plugin-setup → skills-install
• SetupContainer.Env uses a simple EnvVar{Name, Value} type rather than
  corev1.EnvVar to keep the CRD surface small and avoid exposing
  valueFrom (secret refs, field refs) which would need additional RBAC
  consideration
• Also includes CEL validation rules on Volumes and a Pattern="^/" on
  MountPath from review feedback on feat(api): add spec.volumes to Workspace for mounting additional volumes kelos-dev/kelos#921

Does this PR introduce a user-facing change?

Add `spec.setup` field to Workspace CRD for running custom init containers (dependency installation, code generation) before the agent starts.

[greptile-apps]

Greptile Summary

This PR adds spec.setup to the Workspace CRD, enabling custom init containers (dependency installation, code generation, etc.) that run after git clone/file injection but before the agent starts. The implementation in job_builder.go and supporting types are well-structured and the six new tests give solid coverage of the new code path.

• The Setup field is missing the CEL uniqueness rule and reserved-name guard that Volumes already has — a setup container named \"git-clone\" or a duplicate name will be silently accepted at admission and cause a cryptic pod-creation failure at runtime.

Confidence Score: 4/5

Safe to merge after adding CEL validation rules to guard setup container name uniqueness and reserved names

One P1 finding: missing CEL uniqueness and reserved-name validation on the Setup field that is present on the analogous Volumes field — allows inputs that will fail at pod creation with opaque errors. All other findings are P2 style/hardening items.

api/v1alpha1/workspace_types.go — needs CEL XValidation markers on the Setup field before merge

Important Files Changed

Filename	Overview
api/v1alpha1/workspace_types.go	Adds SetupContainer and EnvVar types plus Setup field on WorkspaceSpec; missing CEL uniqueness/reserved-name validation on Setup (unlike Volumes) and MinLength=1 on EnvVar.Name
internal/controller/job_builder.go	Correctly appends setup init containers after file injection and before plugin-setup with proper volume mounts, WorkingDir, and AgentUID; variable shadowing on envVars is a minor style issue
internal/controller/job_builder_test.go	Six new tests cover single/multiple containers, volumes, env vars, ordering, and empty backward-compat — good coverage of the happy path
api/v1alpha1/zz_generated.deepcopy.go	Auto-generated deepcopy for SetupContainer and EnvVar is correct; EnvVar fields are all value types so shallow copy via copy() is safe
internal/manifests/charts/kelos/templates/crds/workspace-crd.yaml	CRD correctly reflects the new setup array with command/image/name required and env optional; CEL validation gaps are at the Go source level
internal/manifests/install-crd.yaml	Install CRD manifest generated correctly alongside chart CRD; no issues found

Sequence Diagram

sequenceDiagram
    participant K as Kubernetes
    participant JB as JobBuilder
    participant Pod as Job Pod

    K->>JB: Build(task, workspace, agentConfig, prompt)
    JB->>Pod: initContainer: git-clone
    JB->>Pod: initContainer: remote-setup (if remotes)
    JB->>Pod: initContainer: branch-setup (if branch)
    JB->>Pod: initContainer: workspace-files (if files)
    loop workspace.Setup[]
        JB->>Pod: initContainer: user setup container
    end
    JB->>Pod: initContainer: plugin-setup (if plugins)
    JB->>Pod: initContainer: skills-install (if skills)
    JB->>Pod: container: agent (claude-code / codex / gemini / ...)

Loading

_{Reviews (1): Last reviewed commit: "feat(api): add spec.setup to Workspace f..." | Re-trigger Greptile}