docs(apply-safety): test plan reference for the apply-time gates

lexfrei · lexfrei · commit bafa4a821b8e · 2026-05-11T21:22:16.000+03:00
Capture the matrix of cases the gates were validated against during PR #173 development: Phase 1 link / disk / selector inputs, Phase 2A diff classification, Phase 2B mode gating, real-Talos validation steps against the dev17 reference cluster. Documents the known limitations (upgrade has no gates, insecure path can't render with discovery, --init --update non-tty UX gap). Future-self reference for re-validation after touching applycheck or the preflight hooks. Refs: #172 Signed-off-by: Aleksei Sviridkin <f@lex.la>
diff --git a/docs/apply-safety-gates-test-plan.md b/docs/apply-safety-gates-test-plan.md
@@ -0,0 +1,162 @@
+# Apply-time safety gates: test plan
+
+A reference checklist for validating changes to the apply-time safety gates introduced in #172 / PR #173. Covers the contract tests that ship with the package plus the manual real-Talos validation steps that surface issues unit tests cannot.
+
+## Build under test
+
+```bash
+cd ~/git/github.com/cozystack/talm && go build -o /tmp/talm-safety ./
+```
+
+Run all matrix cells against the binary at `/tmp/talm-safety`. Use the dev17 reference cluster (`~/git/github.com/lexfrei/work/env/dev17/talm/`, OCI 3-node Talos v1.12.6) for live runs.
+
+## Phase 1 — declared-resource existence
+
+### Link references
+
+| Case | How to trigger | Expected |
+| --- | --- | --- |
+| Typoed `LinkConfig.name` | Add `LinkConfig{name: eth9999}` to a node body | `[blocker] declared link "eth9999" not found …` plus available-links hint |
+| Typoed bond slave | Add `BondConfig{name: bond0, links: [ghost0, ens5]}` | Blocker on `ghost0` only; `bond0` (new bond) NOT flagged |
+| Typoed VLAN parent | Add `VLANConfig{name: ens5.99, link: ghost0, vlanID: 99}` | Blocker on `link: ghost0`; `name: ens5.99` not flagged (new VLAN) |
+| Typoed bridge port | Add `BridgeConfig{name: br99, ports: [ghost0]}` | Blocker on `ghost0` only; `br99` not flagged |
+| Typoed Layer2VIP link | Set `vipLink: ghost0` in values | Blocker on `link: ghost0` |
+| Legacy v1.11 interface | `machine.network.interfaces[].interface: eth9999` | Blocker; same hint shape |
+
+### Disk references
+
+| Case | How to trigger | Expected |
+| --- | --- | --- |
+| Bad literal disk | Set `machine.install.disk: /dev/sdz` | Blocker, hint lists real disks (sda, sdb) — **must omit** virtual class (dm-*, drbd*, loop*) |
+| Bad model selector | `diskSelector: {model: Samsumg}` | Blocker "matches zero disks", hint lists candidate disks with size |
+| Impossible size | `diskSelector: {size: ">= 99TB"}` | Blocker "matches zero disks" |
+| Lowercase units | `diskSelector: {size: ">= 100gb"}` | Matches as if `>= 100GB` (humanize.ParseBytes case-insensitive) |
+| Mixed case + spaces | `diskSelector: {size: "<= 200000MiB"}` | Parsed correctly |
+| Multiple matches | `diskSelector: {type: ssd}` on host with several SSDs | Warning (not blocker) "matches multiple disks; install picks the first match" |
+| Type semantics | `type: nvme/sd/hdd/ssd` per-disk Transport+Rotational | Mirror Talos `v1alpha1_provider.go:1325-1351` mapping |
+| Readonly excluded | Selector + a readonly disk on host | Readonly disk not counted as match |
+| CDROM excluded | Selector + a CD drive on host | CD not counted as match |
+| Virtual excluded | Selector on cozystack host with many dm/drbd/loop | dm/drbd/loop not counted; hint omits them |
+
+### Opt-out
+
+| Case | Trigger | Expected |
+| --- | --- | --- |
+| `--skip-resource-validation` | Pass with bad selector + bad link | No Phase 1 output; render proceeds |
+
+## Phase 2A — pre-apply drift preview
+
+### Diff classification
+
+| Case | Trigger | Expected |
+| --- | --- | --- |
+| Identical desired/on-node | First-run apply after the same render | `0 addition, 0 removal, 0 update, N unchanged.` |
+| Removed doc | Apply config that drops a previously-emitted doc (e.g. dropping a LinkConfig that was on-node) | `- LinkConfig{name: …}` line |
+| Added doc | Apply config that adds a fresh doc | `+ LinkConfig{name: …}` line |
+| Updated leaf | Change one nested field (e.g. `clusterDomain`) | `~ MachineConfig` plus `cluster.network.dnsDomain: cozy.local -> cozy.example` |
+| Identical inputs include Equal entries | Verified via Diff API; OpEqual entries returned, FilterChanged drops them | — |
+| Distinguish absent vs null | YAML `extraField: null` added to one side | FieldChange.HasOld=false / HasNew=true; formatter renders `(absent) -> <nil>` |
+| Stable ordering | Re-run on same inputs | Identical output bytes |
+
+### Path / mode interactions
+
+| Case | Trigger | Expected |
+| --- | --- | --- |
+| Dry-run shows preview | `talm apply --dry-run -f node.yaml` | Phase 2A runs; this is the "show me what would change" contract |
+| Insecure path | `talm apply -i -f node.yaml` (where chart can render offline) | `talm: drift verification unavailable on maintenance connection`; no block |
+| `--skip-drift-preview` | Pass with any change | Preview suppressed entirely |
+
+## Phase 2B — post-apply state verification
+
+Default off until the Talos-mutated-field allowlist lands. Enable explicitly with `--skip-post-apply-verify=false`.
+
+| Case | Trigger | Expected |
+| --- | --- | --- |
+| Clean apply | Apply config matching on-node, `--skip-post-apply-verify=false` | Silent success (no output, no error) |
+| Mode=staged | `--mode=staged --skip-post-apply-verify=false` | Phase 2B skipped (staged store doesn't change ActiveID) |
+| Mode=try | `--mode=try --skip-post-apply-verify=false` | Phase 2B skipped (rollback timer races verify) |
+| Mode=no-reboot/reboot/auto | Real apply with verify enabled | Phase 2B runs |
+| Dry-run | `--dry-run --skip-post-apply-verify=false` | Phase 2B skipped (no real apply) |
+| Reader error | Simulated COSI hiccup on auth path | Hint-bearing blocker `post-apply: re-reading on-node MachineConfig`, exit non-zero (the gate is here to catch silent rollbacks — error is not swallowed) |
+| Insecure path | `talm apply -i --skip-post-apply-verify=false` | `drift verification unavailable on maintenance connection` line; no block |
+
+## Real-Talos validation (dev17)
+
+Before requesting human review, exercise the gates against a live Talos node.
+
+### Setup
+
+```bash
+cd ~/git/github.com/lexfrei/work/env/dev17/talm
+```
+
+dev17 carries an OCI 3-node Talos v1.12.6 cluster (158.101.113.227 / 129.158.237.173 / 157.151.143.81). The vendored talm library in `charts/talm/` may need `talm init --update --preset cozystack` to pick up new helpers; preset templates (`templates/_helpers.tpl`) require interactive confirm and won't auto-update non-tty (known gap, see #174).
+
+### Sanity check
+
+```bash
+/tmp/talm-safety template -f nodes/node0.yaml > /tmp/rendered.yaml
+test -s /tmp/rendered.yaml || echo "render failed"
+```
+
+### Phase 1 (auth path)
+
+```bash
+# Clean run — should silently pass:
+/tmp/talm-safety apply --dry-run -f nodes/node0.yaml
+
+# Inject a bad link ref (cp + edit a temp file inside the talm project):
+cp nodes/node0.yaml nodes/_test-bad.yaml
+echo -e "---\napiVersion: v1alpha1\nkind: LinkConfig\nname: eth9999" >> nodes/_test-bad.yaml
+/tmp/talm-safety apply --dry-run -f nodes/_test-bad.yaml  # expect [blocker]
+rm nodes/_test-bad.yaml
+```
+
+### Phase 2A (drift preview)
+
+```bash
+# Dry-run against a clean cluster — should report 0/0/0 unchanged:
+/tmp/talm-safety apply --dry-run -f nodes/node0.yaml
+
+# Force a leaf change via values.yaml (back up then revert):
+sed -i.bak 's/^clusterDomain: .*/clusterDomain: cozy.example/' values.yaml
+/tmp/talm-safety apply --dry-run -f nodes/node0.yaml | grep -E "^  [+\-~=]|^      "
+mv values.yaml.bak values.yaml
+```
+
+### Phase 2B (real apply with verify enabled)
+
+```bash
+/tmp/talm-safety apply --mode=no-reboot --skip-post-apply-verify=false -f nodes/node0.yaml
+# Expected: drift preview + 'Applied configuration without a reboot' + silent post-apply verify
+```
+
+### Multi-node + mix
+
+```bash
+/tmp/talm-safety apply --dry-run -f nodes/node0.yaml -f nodes/node1.yaml -f nodes/node2.yaml
+# Each node renders its own preview; per-node independence.
+```
+
+### Insecure path
+
+`talm apply -i` exercises the maintenance connection. On dev17 the chart uses live discovery (`lookup "disks"`), which fails on insecure (no auth for COSI). The render errors before the gate runs — that's existing talm behaviour, not a regression.
+
+## Implementation health
+
+Run as part of every push:
+
+```bash
+go test ./...
+go test -race ./pkg/applycheck/... ./pkg/commands/...
+golangci-lint run ./...
+GOOS=windows golangci-lint run ./...
+go vet ./...
+```
+
+## Known limitations / follow-ups
+
+- **`talm init --update` non-tty UX gap** (#174): preset-template overwrites require interactive confirmation, so a CI-driven refresh leaves the operator on a stale preset that doesn't surface new validation logic. Work around by copying preset templates from the repo manually or running update under a tty.
+- **Talos-mutated-field allowlist** (open in #172): Phase 2B reports cert hashes / timestamps as divergence today; the verify is off by default until an allowlist lands.
+- **`talm upgrade` has no preflight gates**: the upgrade flow wraps `talosctl upgrade` and doesn't route through `buildApplyClosure` / `applyOneFileDirectPatchMode`. Wiring would require either reproducing the gate calls in `upgrade_handler.go` or refactoring the apply flow.
+- **Phase 1/2 on `--insecure`**: the safety gates can't run before the chart renders, and the chart's `lookup` calls need an authenticated COSI connection. Insecure path = effectively no gates today.
