feat(tools): add local Talos cluster + snapshot chainsaw test

[ayuskauskas]

Summary

Adds an opt-in, kind-equivalent harness for spinning up a local Talos
Linux cluster on a developer laptop (tools/talos-test/) and a chainsaw
test that exercises the AICR snapshot agent against it
(tests/chainsaw/snapshot/deploy-agent-talos/). Also adds --requests
and --limits flags to aicr snapshot so the agent can be right-sized
on resource-constrained dev clusters.

Motivation / Context

PR #714 added Talos OS support (pkg/collector/talos/ + the OS=talos
pod-shape branch in pkg/k8s/agent/job.go), but the only coverage was
unit tests. There was no integration test running the snapshot agent
against an actual Talos node — and no easy way for a developer on macOS
to exercise that path locally without standing up a remote cluster.

The agent container's resource requests/limits were also hardcoded
(Privileged: 4Gi req / 8Gi lim memory). That sizing fits production
GPU nodes but blocks scheduling on the talosctl Docker provisioner's
default 2Gi worker, with no way to override at the node level.

Fixes: N/A
Related: #714, #565

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update
• Refactoring (no functional changes)
• Build/CI/tooling

Component(s) Affected

• CLI (cmd/aicr, pkg/cli)
• API server (cmd/aicrd, pkg/api, pkg/server)
• Recipe engine / data (pkg/recipe)
• Bundlers (pkg/bundler, pkg/component/*)
• Collectors / snapshotter (pkg/collector, pkg/snapshotter)
• Validator (pkg/validator)
• Core libraries (pkg/errors, pkg/k8s)
• Docs/examples (docs/, examples/)
• Other: tests/chainsaw, tools/, Makefile

Implementation Notes

tools/talos-test/{up.sh,down.sh,README.md} — cluster lifecycle

• Wraps talosctl cluster create docker (newer talosctl moved
  provisioners to subcommands; the old --provisioner flag is gone).
• Threads a containerd registry-mirror config patch via
  --config-patch so localhost:5001/aicr:local resolves transparently
  from inside Talos node containers (the host registry started by
  make dev-env).
• br_netfilter preflight: the macOS host VM (Docker Desktop's
  LinuxKit or Podman Machine's Fedora CoreOS) ships the module but
  does not auto-load it, so flannel CNI fails until we modprobe it via
  a one-shot privileged sidecar with /lib/modules bind-mounted from
  the VM. No-op on Linux hosts.
• talosctl health --wait-timeout 8m streams readiness phases
  (etcd, apid, kubelet, control plane, all k8s nodes ready, kube-proxy,
  CoreDNS). On failure the script prints diagnostic commands the
  developer can run to drill into stuck services.
• The Talos in-network IP (10.5.0.0/24) is not host-routable on
  macOS, so the script derives the docker-NAT'd apid host port (50000)
  and K8s API host port (6443) from docker port, passes them as
  --endpoints, and rewrites the kubeconfig server URL to
  https://127.0.0.1:<host-port> with insecure-skip-tls-verify=true.
• Relabels the default namespace with
  pod-security.kubernetes.io/enforce=privileged so the snapshot
  agent's privileged pod can be scheduled (Talos enforces restricted
  cluster-wide by default).

tests/chainsaw/snapshot/deploy-agent-talos/ — chainsaw test

• Invokes aicr snapshot --os talos -o cm://default/aicr-e2e-snapshot
  from a script: step. The CLI exercises pkg/k8s/agent.Deployer
  end-to-end (RBAC creation, OS=talos pod shape from
  pkg/k8s/agent/job.go, log streaming, Job completion, ConfigMap
  write, cleanup) — no hand-applied YAML fixtures to drift against
  job.go (the existing kind chainsaw test's drift risk is captured
  for follow-up in issues/e2e-update.md, kept local).
• Asserts only the surviving ConfigMap content. Uses chainsaw
  JMESPath filters ((sort([*].type)),
  (@[?type == 'X'] | [0].subtypes | sort([*].subtype))) so the
  assertion is order-independent at both the measurement-type and
  per-type subtype levels — collector goroutine completion order
  is non-deterministic.
• Pinned: 5 measurements; the set of types
  {GPU, K8s, NodeTopology, OS, SystemD}; per-type subtype names.
• Per-subtype data values are intentionally not pinned to avoid
  Talos / kernel / kubernetes version churn.

aicr snapshot — --requests / --limits

Adds two CLI flags accepting kubectl-style comma-separated
name=quantity lists:

--requests cpu=500m,memory=1Gi,ephemeral-storage=1Gi
--limits   cpu=1,memory=2Gi,ephemeral-storage=2Gi

Plumbed through pkg/snapshotter.AgentConfig and pkg/k8s/agent.Config
as corev1.ResourceList. applyPrivilegedSettings and
applyRestrictedSettings merge overrides on top of the existing
hardcoded defaults via a new mergeResourceList helper, so unspecified
keys keep the production defaults. The nvidia.com/gpu limit added
by --require-gpu is preserved on top of any override.

Make targets

talos-dev-env, talos-dev-env-clean, talos-snapshot-test. None
are wired into make qualify; Talos remains opt-in for now.

Testing

unset GITLAB_TOKEN
make build
make test     # touched packages
golangci-lint run -c .golangci.yaml ./pkg/k8s/agent/... ./pkg/cli/... ./pkg/snapshotter/...
make lint-yaml

End-to-end against a live local cluster (macOS Podman Machine, Talos
v1.9.0, talosctl 1.13.0):

make image IMAGE_REGISTRY=localhost:5001/aicr IMAGE_TAG=local
make build
make talos-dev-env
make talos-snapshot-test          # PASS
make talos-dev-env-clean

Coverage delta on touched packages:

• pkg/k8s/agent: 77.8% (baseline) → ~78% (added tests for resource-
  override paths)
• pkg/cli: ~52.9% (baseline) → comparable (added flag plumbing
  • parseResourceList; covered indirectly)
• pkg/snapshotter: ~52.2% (baseline) → comparable (1-line struct
  field + plumbing only)

Risk Assessment

• Low — Isolated change, well-tested, easy to revert
• Medium — Touches multiple components or has broader impact
• High — Breaking change, affects critical paths, or complex rollout

Rollout notes: Production callers of aicr snapshot are unaffected;
both new flags default to empty, in which case the hardcoded
privileged/restricted defaults remain in force exactly as before. The
Talos test harness is a new opt-in surface and is not wired into
make qualify or any CI workflow.

Checklist

• Tests pass locally (make test with -race)
• Linter passes (make lint) — only go: no such tool covdata on
  cmd/aicr/cmd/aicrd (a pre-existing local toolchain issue,
  unrelated to this branch — does not affect CI)
• I did not skip/disable tests to make CI green
• I added/updated tests for new functionality
• I updated docs if user-facing behavior changed
• Changes follow existing patterns in the codebase
• Commits are cryptographically signed (git commit -S)

[github-actions]

🌿 Preview your docs: https://nvidia-preview-feat-talos-local-test.docs.buildwithfern.com/aicr

[coderabbitai]

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Makefile`:
- Around line 660-665: The Makefile target talos-dev-env passes TALOS_KUBECONFIG
into the script as KUBECONFIG_OUT which is correct but mismatches the README
variable name and can confuse users; update either the Makefile or the
documentation for consistency: either (A) change the environment var passed to
./tools/talos-test/up.sh to use TALOS_KUBECONFIG as the name consumed by the
script, or (B) add a one-line comment above the talos-dev-env target explaining
that TALOS_KUBECONFIG is forwarded into up.sh as KUBECONFIG_OUT, and optionally
update README.md to mention KUBECONFIG_OUT as the internal name; locate the
talos-dev-env target in the Makefile and the up.sh script to align names or add
the clarifying comment referencing KUBECONFIG_OUT, TALOS_KUBECONFIG, and
./tools/talos-test/up.sh.

In `@tests/chainsaw/snapshot/deploy-agent-talos/chainsaw-test.yaml`:
- Around line 78-91: The test uses a hardcoded
WORK="/tmp/chainsaw-snapshot-talos" which can collide in concurrent runs; change
the script that defines WORK to create a unique temp dir (e.g., assign
WORK="$(mktemp -d)" or similar) and update all uses of WORK in the "script"
block where chainsaw assert runs and in the "cleanup" block so the cleanup
removes that same unique directory (ensure mktemp failure is handled or the
script exits if WORK is empty).

In `@tools/talos-test/README.md`:
- Around line 66-84: Update the Troubleshooting section to use consistent
formatting by wrapping each problem statement/error condition in backticks
(e.g., `talosctl: command not found`, `localhost:5001 registry not reachable`,
`Image pull fails inside the Talos node with a TLS error`,
`localhost:5001/aicr:local not found inside the cluster`) and correct the
wording that currently reads "kind path" to "kind cluster" to avoid confusion;
ensure these edits are applied under the "Troubleshooting" heading and preserve
the explanatory text that follows each backticked problem.
- Around line 86-93: Replace the vague phrase "the kind path uses" in the "Why a
separate cluster?" paragraph with a clearer reference to the kind-based
development environment (e.g., "the path used by the kind-based dev environment"
or "the path used by KinD clusters"), so the sentence comparing Talos to kind
explicitly mentions KinD/kind-based dev environments; update the sentence
containing the string "the kind path uses" to use the clearer wording while
keeping the rest of the paragraph intact.

In `@tools/talos-test/up.sh`:
- Around line 47-52: The docker invocation in the up.sh script uses the floating
image tag alpine:3 which can change; update the command that contains "docker
run ... alpine:3 sh -c 'modprobe br_netfilter ...'" to reference a pinned Alpine
tag or digest (e.g., a specific version tag or `@sha256` digest) so the modprobe
check is reproducible in CI; replace the literal "alpine:3" string with the
chosen pinned image reference throughout the script and keep the rest of the
command unchanged.
- Around line 70-75: The talosctl invocation mistakenly includes the deprecated
"docker" subcommand; update the command in the script where talosctl cluster
create is called (referenced by variables CLUSTER_NAME, TALOS_VERSION,
PATCH_FILE, MIRROR_HOST) to remove the "docker" token so it uses the form
talosctl cluster create with flags --name "${CLUSTER_NAME}" --workers 1 --image
"ghcr.io/siderolabs/talos:${TALOS_VERSION}" --config-patch "@${PATCH_FILE}"
(keep the existing flags and variables intact, only remove the literal
"docker").

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 5f48d4ab-cea7-425a-a581-a82c58392934

📥 Commits

Reviewing files that changed from the base of the PR and between 1e644aa and 2100ca1.

📒 Files selected for processing (12)

• Makefile
• docs/user/cli-reference.md
• pkg/cli/snapshot.go
• pkg/k8s/agent/job.go
• pkg/k8s/agent/job_test.go
• pkg/k8s/agent/types.go
• pkg/snapshotter/agent.go
• tests/chainsaw/snapshot/deploy-agent-talos/assert-snapshot-content.yaml
• tests/chainsaw/snapshot/deploy-agent-talos/chainsaw-test.yaml
• tools/talos-test/README.md
• tools/talos-test/down.sh
• tools/talos-test/up.sh

[mchmarny]

Solid PR — the Talos OS=talos pod-shape branch from #714 finally has end-to-end coverage, and the --requests/--limits plumbing is clean (separate types, merge-not-replace semantics, defaults preserved, non-mutating helper, unit tests exercising all three branches).

One medium concern on the --require-gpu vs --limits nvidia.com/gpu=N precedence — current behavior silently overrides the explicit limit and the CLI help text reads ambiguously. Worth deciding whether --require-gpu is "set if unset" or "always force to 1" and asserting it in tests. Plus a few nits on duplicate-key handling, image pinning in dev tooling, multi-arch find logic, and surfacing the namespace PSP relabel in the README. Nothing blocking; CI is still green where complete.

[github-actions]

Coverage Report ✅

Metric	Value
Coverage	76.8%
Threshold	75%
Status	Pass

Coverage Badge

![Coverage](https://img.shields.io/badge/coverage-76.8%25-green)

Merging this branch will increase overall coverage

Impacted Packages	Coverage Δ	🤖
github.com/NVIDIA/aicr/pkg/cli	62.92% (+0.34%)	👍
github.com/NVIDIA/aicr/pkg/k8s/agent	78.59% (+0.63%)	👍
github.com/NVIDIA/aicr/pkg/snapshotter	51.05% (ø)

---

Coverage by file

Changed files (no unit tests)

Changed File	Coverage Δ	Total	Covered	Missed	🤖
github.com/NVIDIA/aicr/pkg/cli/snapshot.go	31.71% (+27.71%)	82 (+32)	26 (+24)	56 (+8)	🌟
github.com/NVIDIA/aicr/pkg/k8s/agent/job.go	89.36% (+1.13%)	94 (+9)	84 (+9)	10	👍
github.com/NVIDIA/aicr/pkg/k8s/agent/types.go	100.00% (ø)	1	1	0
github.com/NVIDIA/aicr/pkg/snapshotter/agent.go	37.97% (ø)	158	60	98

Please note that the "Total", "Covered", and "Missed" counts above refer to code statements instead of lines of code. The value in brackets refers to the test coverage of that file in the old version of the code.

[github-actions]

@ayuskauskas this PR now has merge conflicts with main. Please rebase to resolve them.