[ci skip] switch VPA from Auto to Initial mode for Terraform compatibility

VPA Auto mode modifies Deployment specs at runtime, causing conflicts
with Terraform on every apply (drift -> reset -> VPA evict loop).

Initial mode only mutates Pod resource requests at creation time via
the admission webhook, leaving the Deployment spec unchanged. This
means terraform plan shows no drift while pods still get VPA-optimized
resources on every restart.

- 171 VPAs switched from Auto to Initial
- 20 VPAs remain Off (tier-0 critical services)
- Goldilocks dashboard continues to show recommendations

stacks/platform/modules/vpa/main.tf

@@ -133,9 +133,10 @@ resource "kubernetes_manifest" "vpa_auto_mode_label" {
             }
           }
         },
-        # All other namespaces: auto mode
+        # All other namespaces: initial mode (compatible with Terraform —
+        # VPA mutates pods at creation, not the deployment spec)
         {
-          name = "label-vpa-auto-default"
+          name = "label-vpa-initial-default"
           match = {
             any = [
               {
@@ -162,7 +163,7 @@ resource "kubernetes_manifest" "vpa_auto_mode_label" {
             patchStrategicMerge = {
               metadata = {
                 labels = {
-                  "goldilocks.fairwinds.com/vpa-update-mode" = "auto"
+                  "goldilocks.fairwinds.com/vpa-update-mode" = "initial"
                 }
               }
             }