feat(apm-ssi): Add a Remote Config receiver for Workload Selection (#41312)

### What does this PR do?
- Adds a Remote Config receiver for Workload Selection
- Embed the `dd-compile-policy` (1MB) into the Linux builds of the Agent (Deb/RPM/OCI)

### Motivation

### Describe how you validated your changes

### Additional Notes

Author: BaptisteFoy

.github/CODEOWNERS

@@ -382,6 +382,7 @@
 /comp/snmpscan @DataDog/ndm-core
 /comp/softwareinventory @DataDog/windows-products
 /comp/syntheticstestscheduler @DataDog/synthetics-executing
+/comp/workloadselection @DataDog/injection-platform
 # END COMPONENTS
 
 # Additional notification to  @iglendd about Agent Telemetry changes for optional approval and governance acknowledgement

Dockerfiles/agent/Dockerfile

@@ -161,6 +161,7 @@ RUN --mount=from=artifacts,target=/artifacts \
  && rm -rf usr etc/init lib \
     go/ \
     opt/datadog-agent/embedded/bin/installer \
+    opt/datadog-agent/embedded/bin/dd-compile-policy \
     opt/datadog-agent/sources \
     opt/datadog-agent/embedded/share/doc \
     opt/datadog-agent/embedded/share/man \

cmd/agent/subcommands/run/command.go

@@ -34,6 +34,7 @@ import (
 	agenttelemetryfx "github.com/DataDog/datadog-agent/comp/core/agenttelemetry/fx"
 	"github.com/DataDog/datadog-agent/comp/core/autodiscovery/providers/datastreams"
 	ssistatusfx "github.com/DataDog/datadog-agent/comp/updater/ssistatus/fx"
+	workloadselectionfx "github.com/DataDog/datadog-agent/comp/workloadselection/fx"
 
 	haagentfx "github.com/DataDog/datadog-agent/comp/haagent/fx"
 	snmpscanfx "github.com/DataDog/datadog-agent/comp/snmpscan/fx"
@@ -534,6 +535,7 @@ func getSharedFxOption() fx.Option {
 		diagnosefx.Module(),
 		ipcfx.ModuleReadWrite(),
 		ssistatusfx.Module(),
+		workloadselectionfx.Module(),
 		workloadfilterfx.Module(),
 		connectivitycheckerfx.Module(),
 		configstreamfx.Module(),

comp/README.md

@@ -806,3 +806,9 @@ versions, installation dates, and other relevant details for inventory tracking.
 
 Package syntheticstestscheduler defines a synthetics scheduler component to run
 network tests based on remote config.
+
+### [comp/workloadselection](https://pkg.go.dev/github.com/DataDog/datadog-agent/comp/workloadselection)
+
+*Datadog Team*: injection-platform
+
+Package workloadselection listens to Remote Config to receive & apply workload selection configuration

comp/core/config/setup.go

@@ -88,3 +88,8 @@ func setupConfig(config pkgconfigmodel.BuildableConfig, secretComp secrets.Compo
 
 	return nil
 }
+
+// GetInstallPath returns the install path for the agent
+func GetInstallPath() string {
+	return pkgconfigsetup.InstallPath
+}

comp/workloadselection/def/component.go

@@ -0,0 +1,12 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025-present Datadog, Inc.
+
+// Package workloadselection listens to Remote Config to receive & apply workload selection configuration
+package workloadselection
+
+// team: injection-platform
+
+// Component is the component type.
+type Component interface{}

comp/workloadselection/fx/fx.go

@@ -0,0 +1,34 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025-present Datadog, Inc.
+
+// Package fx provides the fx module for the workloadselection component
+package fx
+
+import (
+	uberfx "go.uber.org/fx"
+
+	workloadselection "github.com/DataDog/datadog-agent/comp/workloadselection/def"
+	workloadselectionimpl "github.com/DataDog/datadog-agent/comp/workloadselection/impl"
+	"github.com/DataDog/datadog-agent/pkg/util/fxutil"
+)
+
+// Module defines the fx options for this component
+func Module() fxutil.Module {
+	return fxutil.Component(
+		fxutil.ProvideComponentConstructor(
+			workloadselectionimpl.NewComponent,
+		),
+		fxutil.ProvideOptional[workloadselection.Component](),
+
+		// workloadselection is a component with no public method, therefore nobody depends on it and FX only instantiates
+		// components when they're needed. Adding a dummy function that takes our Component as a parameter forces
+		// the instantiation of workloadselection. This means that simply using 'workloadselectionfx.Module()' will run our
+		// component (which is the expected behavior).
+		//
+		// This prevents silent corner case where including 'workloadselection' in the main function would not actually
+		// instantiate it. This also removes the need for every main using workloadselection to add the line below.
+		uberfx.Invoke(func(_ workloadselection.Component) {}),
+	)
+}

comp/workloadselection/impl/workloadselection.go

@@ -0,0 +1,244 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2025-present Datadog, Inc.
+
+// Package workloadselectionimpl implements the workloadselection component interface
+package workloadselectionimpl
+
+import (
+	"bytes"
+	"encoding/json"
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"regexp"
+	"sort"
+	"strconv"
+	"strings"
+
+	"github.com/DataDog/datadog-agent/comp/core/config"
+	log "github.com/DataDog/datadog-agent/comp/core/log/def"
+	rctypes "github.com/DataDog/datadog-agent/comp/remote-config/rcclient/types"
+	workloadselection "github.com/DataDog/datadog-agent/comp/workloadselection/def"
+	"github.com/DataDog/datadog-agent/pkg/remoteconfig/state"
+)
+
+var (
+	configPath                  = filepath.Join(config.DefaultConfPath, "managed", "rc-orgwide-wls-policy.bin")
+	ddPolicyCompileRelativePath = filepath.Join("embedded", "bin", "dd-compile-policy")
+	// Pattern to extract policy ID from config path: datadog/\d+/<product>/<config_id>/<hash>
+	policyIDPattern = regexp.MustCompile(`^datadog/\d+/[^/]+/([^/]+)/`)
+	// Pattern to extract numeric prefix from policy ID: N.<name>
+	policyPrefixPattern = regexp.MustCompile(`^(\d+)\.`)
+
+	// getInstallPath is a variable that can be overridden in tests
+	getInstallPath = config.GetInstallPath
+)
+
+// Requires defines the dependencies for the workloadselection component
+type Requires struct {
+	Log    log.Component
+	Config config.Component
+}
+
+// Provides defines the output of the workloadselection component
+type Provides struct {
+	Comp       workloadselection.Component
+	RCListener rctypes.ListenerProvider
+}
+
+// NewComponent creates a new workloadselection component
+func NewComponent(reqs Requires) (Provides, error) {
+	wls := &workloadselectionComponent{
+		log:    reqs.Log,
+		config: reqs.Config,
+	}
+
+	var rcListener rctypes.ListenerProvider
+	if reqs.Config.GetBool("apm_config.workload_selection") && wls.isCompilePolicyBinaryAvailable() {
+		reqs.Log.Debug("Enabling APM SSI Workload Selection listener")
+		rcListener.ListenerProvider = rctypes.RCListener{
+			state.ProductApmPolicies: wls.onConfigUpdate,
+		}
+	} else {
+		reqs.Log.Debug("Disabling APM SSI Workload Selection listener as the compile policy binary is not available or workload selection is disabled")
+	}
+
+	provides := Provides{
+		Comp:       wls,
+		RCListener: rcListener,
+	}
+	return provides, nil
+}
+
+type workloadselectionComponent struct {
+	log    log.Component
+	config config.Component
+}
+
+// isCompilePolicyBinaryAvailable checks if the compile policy binary is available
+// and executable
+func (c *workloadselectionComponent) isCompilePolicyBinaryAvailable() bool {
+	compilePath := filepath.Join(getInstallPath(), ddPolicyCompileRelativePath)
+	info, err := os.Stat(compilePath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			c.log.Warnf("failed to stat APM workload selection compile policy binary: %v", err)
+		}
+		return false
+	}
+	return info.Mode().IsRegular() && info.Mode()&0111 != 0
+}
+
+// compilePolicyBinary compiles the policy binary into a binary file
+// readable by the injector
+func (c *workloadselectionComponent) compileAndWriteConfig(rawConfig []byte) error {
+	if err := os.MkdirAll(filepath.Dir(configPath), 0755); err != nil {
+		return err
+	}
+	cmd := exec.Command(filepath.Join(getInstallPath(), ddPolicyCompileRelativePath), "--input-string", string(rawConfig), "--output-file", configPath)
+	var stdoutBuf, stderrBuf bytes.Buffer
+	cmd.Stdout = &stdoutBuf
+	cmd.Stderr = &stderrBuf
+	if err := cmd.Run(); err != nil {
+		return fmt.Errorf("error executing dd-policy-compile (%w); out: '%s'; err: '%s'", err, stdoutBuf.String(), stderrBuf.String())
+	}
+	return nil
+}
+
+// policyConfig represents a config with its ordering information
+type policyConfig struct {
+	path   string
+	order  int
+	config []byte
+}
+
+// extractPolicyID extracts the policy ID from a config path
+// Path format: configs/\d+/<ID>/<gibberish>
+func extractPolicyID(path string) string {
+	matches := policyIDPattern.FindStringSubmatch(path)
+	if len(matches) > 1 {
+		return matches[1]
+	}
+	return ""
+}
+
+// extractOrderFromPolicyID extracts the numeric order from a policy ID
+// If policy ID is in format N.<name>, returns N. Otherwise returns 0.
+func extractOrderFromPolicyID(policyID string) int {
+	matches := policyPrefixPattern.FindStringSubmatch(policyID)
+	if len(matches) > 1 {
+		if order, err := strconv.Atoi(matches[1]); err == nil {
+			return order
+		}
+	}
+	return 0
+}
+
+// mergeConfigs merges multiple configs by concatenating their policies in order
+func mergeConfigs(configs []policyConfig) ([]byte, error) {
+	type policyJSON struct {
+		Policies []json.RawMessage `json:"policies"`
+	}
+
+	allPolicies := make([]json.RawMessage, 0)
+
+	for _, cfg := range configs {
+		var parsed policyJSON
+		if err := json.Unmarshal(cfg.config, &parsed); err != nil {
+			return nil, fmt.Errorf("failed to parse config from %s: %w", cfg.path, err)
+		}
+		allPolicies = append(allPolicies, parsed.Policies...)
+	}
+
+	merged := policyJSON{Policies: allPolicies}
+	return json.Marshal(merged)
+}
+
+// onConfigUpdate is the callback function called by Remote Config when the workload selection config is updated
+func (c *workloadselectionComponent) onConfigUpdate(updates map[string]state.RawConfig, applyStateCallback func(string, state.ApplyStatus)) {
+	c.log.Debugf("workload selection config update received: %d", len(updates))
+	if len(updates) == 0 {
+		err := c.removeConfig() // No config received, we have to remove the file. Nothing to acknowledge.
+		if err != nil {
+			c.log.Errorf("failed to remove workload selection config: %v", err)
+		}
+		return
+	}
+
+	// Build a list of configs with their ordering information
+	var configs []policyConfig
+	for path, rawConfig := range updates {
+		policyID := extractPolicyID(path)
+		order := extractOrderFromPolicyID(policyID)
+
+		c.log.Debugf("Processing config path=%s policyID=%s order=%d", path, policyID, order)
+
+		configs = append(configs, policyConfig{
+			path:   path,
+			order:  order,
+			config: rawConfig.Config,
+		})
+	}
+
+	// Sort configs by order, then alphabetically by path for deterministic ordering
+	sort.SliceStable(configs, func(i, j int) bool {
+		if configs[i].order != configs[j].order {
+			return configs[i].order < configs[j].order
+		}
+		// Secondary sort by path for deterministic ordering when order values are equal
+		return configs[i].path < configs[j].path
+	})
+
+	// Track error state and apply callbacks on function exit
+	var processingErr error
+	defer func() {
+		for _, cfg := range configs {
+			if processingErr != nil {
+				applyStateCallback(cfg.path, state.ApplyStatus{
+					State: state.ApplyStateError,
+					Error: processingErr.Error(),
+				})
+			} else {
+				applyStateCallback(cfg.path, state.ApplyStatus{
+					State: state.ApplyStateAcknowledged,
+				})
+			}
+		}
+	}()
+
+	// Log the ordering for debugging
+	var orderInfo []string
+	for _, cfg := range configs {
+		policyID := extractPolicyID(cfg.path)
+		orderInfo = append(orderInfo, fmt.Sprintf("%s (order=%d)", policyID, cfg.order))
+	}
+	c.log.Debugf("Merging %d workload selection configs in order: %s", len(configs), strings.Join(orderInfo, ", "))
+
+	// Merge all configs into one
+	mergedConfig, err := mergeConfigs(configs)
+	if err != nil {
+		c.log.Errorf("failed to merge workload selection configs: %v", err)
+		processingErr = err
+		return
+	}
+
+	// Compile and write the merged config
+	err = c.compileAndWriteConfig(mergedConfig)
+	if err != nil {
+		c.log.Errorf("failed to compile workload selection config: %v", err)
+		processingErr = err
+		return
+	}
+}
+
+func (c *workloadselectionComponent) removeConfig() error {
+	// os.RemoveAll does not fail if the path doesn't exist, it returns nil
+	c.log.Debugf("Removing workload selection config")
+	if err := os.RemoveAll(configPath); err != nil {
+		return fmt.Errorf("failed to remove workload selection binary policy: %w", err)
+	}
+	return nil
+}