chore(k8s): use upstream agent-sandbox manifests, install extensions

[rmalani-nv]

Summary

Use upstream agent-sandbox manifests directly in CI/e2e instead of vendoring them, and install the extension CRDs (SandboxClaim, SandboxTemplate, SandboxWarmPool) so future work like warm-pooling drops in without additional cluster onboarding.

Related Issue

Context: #1649 (no support matrix yet — kept docs/README on /releases/latest/download/ for that reason).

Changes

• Drop the vendored deploy/kube/manifests/agent-sandbox.yaml.
• e2e/with-kube-gateway.sh and tasks/scripts/helm-k3s-local.sh now apply manifest.yaml + extensions.yaml from github.com/kubernetes-sigs/agent-sandbox releases, pinned via AGENT_SANDBOX_VERSION env (default v0.4.6, overridable).
• Update public docs (docs/kubernetes/setup.mdx, helm chart README, README.md.gotmpl) with kubectl apply for both manifests using /releases/latest/download/.
• Add an air-gap note in docs/kubernetes/setup.mdx enumerating manifests + images operators need to mirror.

Testing

• mise run pre-commit / mise run ci pass locally. Pre-existing python:typecheck failures in python/openshell/sandbox.py (from feat(python-sdk): support OIDC Bearer auth on SandboxClient #1621) are unrelated to this branch.
• Unit tests added/updated (n/a)
• E2E exercises the new upstream-fetch path on this PR's CI run.

Checklist

• Follows Conventional Commits
• Commits are signed off (DCO)
• Architecture docs updated (if applicable)

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[TaylorMutch]

I would actually like to get away from vendoring the upstream manifests in our repo, since they change quickly and trying to keep up with vendoring is just going to create noise in the repo. Instead we should just use the upstream manifests in our CI / e2e.

Additionally I don't yet see a need for us to pin to a specific version in our public facing docs or in the readme. As we don't yet have a matrix for support (as far as I am aware we aren't seeing any incompatibilities yet, but we can be on the lookout for it; see #1649 for context as well), I'd prefer we not pin in the docs.

[TaylorMutch]

Why are extensions needed? We aren't currently using them in OpenShell.

[rmalani-nv]

Currently not used, but I'd like to use them in upcoming changes.

[TaylorMutch]

If they're not currently used or needed then we should add them with the related feature that utilizes them. Otherwise it just bloats the codebase and adds complexity when not required.

[rmalani-nv]

Pivoted as requested:

• Dropped the vendored deploy/kube/manifests/agent-sandbox.yaml (4120 lines gone).
• CI/e2e apply upstream URLs directly. e2e/with-kube-gateway.sh and tasks/scripts/helm-k3s-local.sh now kubectl apply -f https://github.com/kubernetes-sigs/agent-sandbox/releases/download/${AGENT_SANDBOX_VERSION}/{manifest,extensions}.yaml. Default is v0.4.6, overridable via env so a contributor testing a candidate release doesn't need to edit files.
• Reverted docs/README pin. docs/kubernetes/setup.mdx and the helm chart README/README.md.gotmpl go back to /releases/latest/download/... — agreed it's premature to pin publicly without the support matrix from docs: pin and document the supported agent-sandbox-controller version #1649.
• Kept the extensions.yaml install step in CI/e2e and the public docs/README. Upstream ships SandboxClaim, SandboxTemplate, and SandboxWarmPool CRDs there — installing them now means warm-pool support drops in cleanly when we want it, no extra cluster onboarding step for operators.
• Air-gap note added to docs/kubernetes/setup.mdx enumerating the manifests + images operators need to mirror.