From 0cc2b07a8c0f99d07366e653731847126ad8157c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bombo?= <abombo@microsoft.com>
Date: Thu, 2 May 2024 18:25:36 +0000
Subject: [PATCH] tests: adapt Mariner CI to unblock CH v39 upgrade
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The CH v39 upgrade in #9575 is currently blocked because of a bug in the
Mariner host kernel. To address this, we temporarily tweak the Mariner
CI to use an Ubuntu host and the Kata guest kernel, while retaining the
Mariner initrd. This is tracked in #9594.

Importantly, this allows us to preserve CI for genpolicy. We had to
tweak the default rules.rego however, as the OCI version is now
different in the Ubuntu host. This is tracked in #9593.

This change has been tested together with CH v39 in #9588.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
---
 src/tools/genpolicy/rules.rego        | 3 ++-
 tests/gha-run-k8s-common.sh           | 3 +--
 tests/integration/kubernetes/setup.sh | 1 -
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/tools/genpolicy/rules.rego b/src/tools/genpolicy/rules.rego
index 6ddfa07142..f123d661d8 100644
--- a/src/tools/genpolicy/rules.rego
+++ b/src/tools/genpolicy/rules.rego
@@ -66,7 +66,8 @@ CreateContainerRequest {
     p_oci := p_container.OCI
 
     print("CreateContainerRequest: p Version =", p_oci.Version, "i Version =", i_oci.Version)
-    p_oci.Version == i_oci.Version
+    # TODO: Reenable when the Mariner host is reinstated, see #9593.
+    # p_oci.Version == i_oci.Version
 
     print("CreateContainerRequest: p Readonly =", p_oci.Root.Readonly, "i Readonly =", i_oci.Root.Readonly)
     p_oci.Root.Readonly == i_oci.Root.Readonly
diff --git a/tests/gha-run-k8s-common.sh b/tests/gha-run-k8s-common.sh
index 6ce754bc13..9971174485 100644
--- a/tests/gha-run-k8s-common.sh
+++ b/tests/gha-run-k8s-common.sh
@@ -96,8 +96,7 @@ function create_cluster() {
         -n "$(_print_cluster_name ${test_type})" \
         -s "$(_print_instance_type)" \
         --node-count 1 \
-        --generate-ssh-keys \
-        $([ "${KATA_HOST_OS}" = "cbl-mariner" ] && echo "--os-sku AzureLinux --workload-runtime KataMshvVmIsolation")
+        --generate-ssh-keys
 }
 
 function install_bats() {
diff --git a/tests/integration/kubernetes/setup.sh b/tests/integration/kubernetes/setup.sh
index 94eaf83a2a..41538537f5 100755
--- a/tests/integration/kubernetes/setup.sh
+++ b/tests/integration/kubernetes/setup.sh
@@ -97,7 +97,6 @@ add_cbl_mariner_kernel_initrd_annotations() {
 
 		for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml
 		do
-			add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_kernel}" "${mariner_kernel_path}"
 			add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_initrd}" "${mariner_initrd_path}"
 		done
 	fi