From 3be57bb501a41e5ef1bcdfeaa31d384b2c9907eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Thu, 22 Jan 2026 17:07:37 +0100 Subject: [PATCH] kata-deploy: Add Helm chart support for custom runtimes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add Helm chart configuration for defining custom RuntimeClasses with base configuration and drop-in overrides. Usage: helm install kata-deploy ./kata-deploy \ -f custom-runtimes.values.yaml Signed-off-by: Fabiano FidĂȘncio --- .../templates/custom-runtimes.yaml | 58 ++++++++++++++++++ .../kata-deploy/templates/kata-deploy.yaml | 18 ++++++ .../helm-chart/kata-deploy/values.yaml | 61 +++++++++++++++++++ 3 files changed, 137 insertions(+) create mode 100644 tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/custom-runtimes.yaml diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/custom-runtimes.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/custom-runtimes.yaml new file mode 100644 index 0000000000..f58001a83e --- /dev/null +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/custom-runtimes.yaml 
@@ -0,0 +1,58 @@
+{{- if and .Values.customRuntimes.enabled .Values.customRuntimes.runtimes }}
+---
+# ConfigMap containing custom runtime configurations and drop-in files
+# This is mounted into the kata-deploy pod at /custom-configs/
+apiVersion: v1
+kind: ConfigMap
+metadata:
+{{- if .Values.env.multiInstallSuffix }}
+ name: {{ .Chart.Name }}-custom-configs-{{ .Values.env.multiInstallSuffix }}
+{{- else }}
+ name: {{ .Chart.Name }}-custom-configs
+{{- end }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "kata-deploy.labels" . | nindent 4 }}
+data:
+ # Format: handler:baseConfig:containerd_snapshotter:crio_pulltype
+ custom-runtimes.list: |
+{{- range $name, $runtime := .Values.customRuntimes.runtimes }}
+{{- $handler := "" }}
+{{- /* Extract handler from runtimeClass YAML */ -}}
+{{- if $runtime.runtimeClass }}
+{{- range (splitList "\n" $runtime.runtimeClass) }}
+{{- $line := trim . }}
+{{- if hasPrefix "handler:" $line }}
+{{- $handler = trim (trimPrefix "handler:" $line) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if $handler }}
+ {{ $handler }}:{{ $runtime.baseConfig }}:{{ $runtime.containerd.snapshotter | default "" }}:{{ $runtime.crio.pullType | default "" }}
+{{- end }}
+{{- end }}
+{{- /* Generate drop-in files for each runtime */ -}}
+{{- range $name, $runtime := .Values.customRuntimes.runtimes }}
+{{- $handler := "" }}
+{{- if $runtime.runtimeClass }}
+{{- range (splitList "\n" $runtime.runtimeClass) }}
+{{- $line := trim . }}
+{{- if hasPrefix "handler:" $line }}
+{{- $handler = trim (trimPrefix "handler:" $line) }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- if and $handler $runtime.dropIn }}
+ dropin-{{ $handler }}.toml: |
+{{ $runtime.dropIn | indent 4 }}
+{{- end }}
+{{- end }}
+---
+# RuntimeClasses for custom runtimes
+{{- range $name, $runtime := .Values.customRuntimes.runtimes }}
+{{- if $runtime.runtimeClass }}
+{{ $runtime.runtimeClass }}
+---
+{{- end }}
+{{- end }}
+{{- end }}
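Review bot: The handler is recovered by scanning `runtimeClass` for any trimmed line that starts with `handler:`, so a nested or quoted `handler:` key yields a wrong value, and that value goes unvalidated into the colon-separated `custom-runtimes.list` entry and the `dropin-<handler>.toml` ConfigMap key mounted into the kata-deploy pod. The last loop also renders `{{ $runtime.runtimeClass }}` verbatim, so the chart emits whatever documents the string holds rather than only a RuntimeClass. Separately, `$runtime.containerd.snapshotter` and `$runtime.crio.pullType` fail to render with a nil-pointer error when the optional `containerd` or `crio` maps are omitted. I would parse the string once with `fromYaml`, reject a `kind` other than `RuntimeClass` or a handler that is not a DNS label, read the optional fields with `dig`, and render the parsed object with `toYaml` instead of the raw string. The sketch shows the list entry only; the drop-in and RuntimeClass loops would reuse the same parse.

```yaml
{{- range $name, $runtime := .Values.customRuntimes.runtimes }}
{{- if $runtime.runtimeClass }}
{{- $rc := fromYaml $runtime.runtimeClass }}
{{- $handler := toString (default "" $rc.handler) }}
{{- if ne (toString $rc.kind) "RuntimeClass" }}
{{- fail (printf "customRuntimes.runtimes.%s.runtimeClass must be a RuntimeClass manifest" $name) }}
{{- end }}
{{- if not (regexMatch "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$" $handler) }}
{{- fail (printf "customRuntimes.runtimes.%s: handler must be a DNS label" $name) }}
{{- end }}
    {{ $handler }}:{{ required "baseConfig is required" $runtime.baseConfig }}:{{ dig "containerd" "snapshotter" "" $runtime }}:{{ dig "crio" "pullType" "" $runtime }}
{{- end }}
{{- end }}
{{- /* … unchanged: drop-in loop and RuntimeClass loop, reusing the same fromYaml parse … */ -}}
```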
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml index f262237502..46d5fea24f 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/kata-deploy.yaml @@ -283,6 +283,10 @@ spec: {{- with .Values.env.hostOS }} - name: HOST_OS value: {{ . | quote }} +{{- end }} +{{- if and .Values.customRuntimes.enabled .Values.customRuntimes.runtimes }} + - name: CUSTOM_RUNTIMES_ENABLED + value: "true" {{- end }} securityContext: privileged: true @@ -293,6 +297,11 @@ spec: mountPath: /etc/containerd/ - name: host mountPath: /host/ +{{- if and .Values.customRuntimes.enabled .Values.customRuntimes.runtimes }} + - name: custom-configs + mountPath: /custom-configs/ + readOnly: true +{{- end }} volumes: - name: crio-conf hostPath: @@ -303,6 +312,15 @@ spec: - name: host hostPath: path: / +{{- if and .Values.customRuntimes.enabled .Values.customRuntimes.runtimes }} + - name: custom-configs + configMap: +{{- if .Values.env.multiInstallSuffix }} + name: {{ .Chart.Name }}-custom-configs-{{ .Values.env.multiInstallSuffix }} +{{- else }} + name: {{ .Chart.Name }}-custom-configs +{{- end }} +{{- end }} updateStrategy: rollingUpdate: maxUnavailable: 1 diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml index 7391d58ed9..13b59395fb 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml 
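Review bot: The `custom-configs` volume in the `volumes:` hunk of kata-deploy.yaml recomputes the ConfigMap name with the same `multiInstallSuffix` if/else that custom-runtimes.yaml uses for `metadata.name`, so the two copies can drift and leave the pod referencing a ConfigMap that does not exist. A named template in the chart's helpers, used at both sites as `{{ include "kata-deploy.customConfigsName" . }}` (helper name constructed for illustration), would keep them in step. The context lines show this container running `privileged: true` with the host's `/` mounted, so a comment noting that write access to this ConfigMap amounts to influence over node runtime configuration would help whoever sets RBAC for the namespace. How the pod consumes `/custom-configs/` is outside this diff.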
@@ -340,3 +340,64 @@ verification: # --set-file verification.pod=/path/to/your-verification-pod.yaml # pod: "" + +# Custom Runtimes - bring your own RuntimeClass with base config + drop-in overrides +# Each custom runtime uses an existing Kata config as a base and applies user overrides +# via Kata's config.d drop-in mechanism. +# +# IMPORTANT: The base config is copied AFTER kata-deploy has applied its modifications +# (debug, proxy, annotations). Custom runtimes inherit these settings from their base. +# +# Usage with values file (recommended): +# Create a custom-runtimes.values.yaml file: +# +# customRuntimes: +# enabled: true +# runtimes: +# my-gpu-runtime: +# baseConfig: "qemu-nvidia-gpu" # Required: existing config to use as base +# dropIn: | # Optional: overrides via config.d mechanism +# [hypervisor.qemu] +# default_memory = 1024 +# default_vcpus = 4 +# runtimeClass: | +# kind: RuntimeClass +# apiVersion: node.k8s.io/v1 +# metadata: +# name: kata-my-gpu-runtime +# labels: +# app.kubernetes.io/managed-by: kata-deploy +# handler: kata-my-gpu-runtime +# overhead: +# podFixed: +# memory: "640Mi" +# cpu: "500m" +# scheduling: +# nodeSelector: +# katacontainers.io/kata-runtime: "true" +# # Optional: CRI-specific configuration +# containerd: +# snapshotter: "nydus" # Configure containerd snapshotter (nydus, erofs, etc.) +# crio: +# pullType: "guest-pull" # Configure CRI-O runtime_pull_image = true +# +# Then deploy with: +# helm install kata-deploy ./kata-deploy -f custom-runtimes.values.yaml +# +# Available base configs: qemu, qemu-nvidia-gpu, qemu-snp, qemu-tdx, cloud-hypervisor, fc, etc. +# The correct shim binary is automatically selected based on the baseConfig. 
+#
+customRuntimes:
+ enabled: false
+ runtimes: {}
+ # Example structure:
+ # runtimes:
+ # my-runtime:
+ # baseConfig: "qemu-nvidia-gpu" # Required: base config name
+ # dropIn: "" # Optional: TOML overrides for config.d
+ # runtimeClass: |
+ #
+ # containerd:
+ # snapshotter: "" # Optional: nydus, erofs, or empty for default
+ # crio:
+ # pullType: "" # Optional: guest-pull or empty for default
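Review bot: In the example structure under `customRuntimes`, `runtimeClass` is the only field without a Required/Optional marker, yet the template in this patch skips any runtime whose `runtimeClass` has no `handler:` line, so such an entry is dropped without an error. I would label it, for example `# runtimeClass: |   # Required: RuntimeClass manifest; its handler names the runtime`. The comment block should also say that the manifest and the `dropIn` TOML are applied as written, so a values file obtained from someone else needs the same review as any other manifest before `helm install`.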