From 1a4928e7103a1747b5a9ab6093a7592c7f63b3ca Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Fri, 13 Sep 2024 18:54:38 +0000 Subject: [PATCH] gha: enable AUTO_GENERATE_POLICY where needed The behavior of Kata CI doesn't change. For local testing using kubernetes/gha-run.sh: 1. Before these changes: - AUTO_GENERATE_POLICY=yes was always used by the users of SEV, SNP, TDX, or KATA_HOST_OS=cbl-mariner. 2. After these changes: - Users of SEV, SNP, TDX, or KATA_HOST_OS=cbl-mariner must specify AUTO_GENERATE_POLICY=yes if they want to auto-generate policy. - These users have the option to test just using hard-coded policies (e.g., using the default policy built into the Guest rootfs) by using AUTO_GENERATE_POLICY=no. AUTO_GENERATE_POLICY=no is the default value of this env variable. Signed-off-by: Dan Mihai --- .github/workflows/run-k8s-tests-on-aks.yaml | 4 ++++ .github/workflows/run-kata-coco-tests.yaml | 3 +++ tests/integration/kubernetes/gha-run.sh | 8 -------- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/run-k8s-tests-on-aks.yaml b/.github/workflows/run-k8s-tests-on-aks.yaml index 00cf04bc82..0677e47c74 100644 --- a/.github/workflows/run-k8s-tests-on-aks.yaml +++ b/.github/workflows/run-k8s-tests-on-aks.yaml @@ -47,13 +47,16 @@ jobs: vmm: clh instance-type: small genpolicy-pull-method: oci-distribution + auto-generate-policy: yes - host_os: cbl-mariner vmm: clh instance-type: small genpolicy-pull-method: containerd + auto-generate-policy: yes - host_os: cbl-mariner vmm: clh instance-type: normal + auto-generate-policy: yes runs-on: ubuntu-22.04 env: DOCKER_REGISTRY: ${{ inputs.registry }} @@ -66,6 +69,7 @@ jobs: USING_NFD: "false" K8S_TEST_HOST_TYPE: ${{ matrix.instance-type }} GENPOLICY_PULL_METHOD: ${{ matrix.genpolicy-pull-method }} + AUTO_GENERATE_POLICY: ${{ matrix.auto-generate-policy }} steps: - uses: actions/checkout@v4 with: diff --git a/.github/workflows/run-kata-coco-tests.yaml b/.github/workflows/run-kata-coco-tests.yaml index 333d8752c4..e76584a1af 100644 --- a/.github/workflows/run-kata-coco-tests.yaml +++ b/.github/workflows/run-kata-coco-tests.yaml @@ -50,6 +50,7 @@ jobs: AUTHENTICATED_IMAGE_USER: ${{ secrets.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} ITA_KEY: ${{ secrets.ITA_KEY }} + AUTO_GENERATE_POLICY: "yes" steps: - uses: actions/checkout@v4 with: @@ -123,6 +124,7 @@ jobs: PULL_TYPE: ${{ matrix.pull-type }} AUTHENTICATED_IMAGE_USER: ${{ secrets.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} + AUTO_GENERATE_POLICY: "yes" steps: - uses: actions/checkout@v4 with: @@ -182,6 +184,7 @@ jobs: PULL_TYPE: ${{ matrix.pull-type }} AUTHENTICATED_IMAGE_USER: ${{ secrets.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} + AUTO_GENERATE_POLICY: "yes" steps: - uses: actions/checkout@v4 with: diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index 2a3e89054a..ccfef0d63e 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh @@ -277,14 +277,6 @@ function run_tests() { [ "$platform" = "kcli" ] && \ export KUBECONFIG="$HOME/.kcli/clusters/${CLUSTER_NAME:-kata-k8s}/auth/kubeconfig" - # TODO: enable testing auto-generated policy for other types of hosts too. - if [ "${KATA_HOST_OS}" = "cbl-mariner" ] || \ - [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] || \ - [ "${KATA_HYPERVISOR}" = "qemu-sev" ] || \ - [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then - export AUTO_GENERATE_POLICY="yes" - fi - if [ "${AUTO_GENERATE_POLICY}" = "yes" ] && [ "${GENPOLICY_PULL_METHOD}" = "containerd" ]; then # containerd's config on the local machine (where kubectl and genpolicy are executed by CI), # might have been provided by a distro-specific package that disables the cri plug-in by using: