From 9b62021049254986c3a3a9c65a6a9ccefc4a9c9e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Wed, 22 Apr 2026 09:54:56 +0200 Subject: [PATCH] kata-deploy: Remove untested arm64 and qemu-cca shim support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We should not ship configurations that we do not actively test. This commit drops the following from the kata-deploy helm chart: values.yaml: - arm64 from supportedArches for the clh shim - arm64 from supportedArches for the cloud-hypervisor shim - arm64 from supportedArches for the dragonball shim - arm64 from supportedArches for the fc shim - arm64 from supportedArches for the qemu-nvidia-gpu shim - the entire qemu-cca shim definition try-kata-tee.values.yaml: - CCA from the file description comment - qemu-cca from the TEE shims list comment - the entire qemu-cca shim definition - arm64: qemu-cca from the defaultShim mapping, replaced with arm64: qemu-coco-dev-runtime-rs (which is tested) try-kata-nvidia-gpu.values.yaml: - arm64 from supportedArches for the qemu-nvidia-gpu shim - arm64: qemu-nvidia-gpu from the defaultShim mapping Once arm64 and qemu-cca support are properly tested, they can be re-added. Signed-off-by: Fabiano FidĂȘncio Made-with: Cursor
---
 docs/helm-configuration.md | 4 +--- .../try-kata-nvidia-gpu.values.yaml | 2 -- .../kata-deploy/try-kata-tee.values.yaml | 20 +++---------------- .../helm-chart/kata-deploy/values.yaml | 19 ------------------ 4 files changed, 4 insertions(+), 41 deletions(-)
diff --git a/docs/helm-configuration.md b/docs/helm-configuration.md
index 79b0bd4242..0ae4bc5b74 100644
--- a/docs/helm-configuration.md
+++ b/docs/helm-configuration.md
@@ -35,7 +35,6 @@ Shims can also have configuration options specific to them:
 enabled: ~
 supportedArches:
 - amd64
- - arm64
 allowedHypervisorAnnotations: []
 containerd:
 snapshotter: ""
@@ -107,7 +106,6 @@ Includes:
 - `qemu-tdx` - Intel TDX (amd64)
 - `qemu-se` - IBM Secure Execution for Linux (SEL) (s390x)
 - `qemu-se-runtime-rs` - IBM Secure Execution for Linux (SEL) Rust runtime (s390x)
-- `qemu-cca` - Arm Confidential Compute Architecture (arm64)
 - `qemu-coco-dev` - Confidential Containers development (amd64, s390x)
 - `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, arm64, s390x)
@@ -123,7 +121,7 @@ helm install kata-deploy oci://ghcr.io/kata-containers/kata-deploy-charts/kata-d
 Includes:
-- `qemu-nvidia-gpu` - Standard NVIDIA GPU support (amd64, arm64)
+- `qemu-nvidia-gpu` - Standard NVIDIA GPU support (amd64)
 - `qemu-nvidia-gpu-snp` - NVIDIA GPU with AMD SEV-SNP (amd64)
 - `qemu-nvidia-gpu-tdx` - NVIDIA GPU with Intel TDX (amd64)
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml
index 3d78639b5b..668cda9f93 100644
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml
@@ -21,7 +21,6 @@ shims:
 enabled: true
 supportedArches:
 - amd64
- - arm64
 allowedHypervisorAnnotations: []
 containerd:
 snapshotter: ""
@@ -78,7 +77,6 @@ shims:
 # Default shim per architecture (prefer NVIDIA GPU shims)
 defaultShim:
 amd64: qemu-nvidia-gpu # Can be changed to qemu-nvidia-gpu-snp or qemu-nvidia-gpu-tdx if preferred
- arm64: qemu-nvidia-gpu
 runtimeClasses:
 enabled: true
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml
index f5986a564e..0ca624e682 100644
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml
@@ -1,5 +1,5 @@
 # Example values file to enable Trusted Execution Environment (TEE) shims
-# This includes confidential computing shims: SNP, TDX, SE, CCA, and COCO-dev
+# This includes confidential computing shims: SNP, TDX, SE, and COCO-dev
 #
 # Usage:
 # helm install kata-deploy oci://ghcr.io/kata-containers/kata-deploy-charts/kata-deploy \
@@ -16,7 +16,7 @@ snapshotter:
 shims:
 disableAll: true
- # Enable TEE shims (qemu-snp, qemu-snp-runtime-rs, qemu-tdx, qemu-tdx-runtime-rs, qemu-se, qemu-se-runtime-rs, qemu-cca, qemu-coco-dev, qemu-coco-dev-runtime-rs)
+ # Enable TEE shims (qemu-snp, qemu-snp-runtime-rs, qemu-tdx, qemu-tdx-runtime-rs, qemu-se, qemu-se-runtime-rs, qemu-coco-dev, qemu-coco-dev-runtime-rs)
 # NFD TEE labels (snp, tdx, se) are auto-injected into RuntimeClasses when NFD is detected; no need to set nodeSelector here.
 qemu-snp:
 enabled: true
@@ -102,20 +102,6 @@ shims:
 httpsProxy: ""
 noProxy: ""
- qemu-cca:
- enabled: true
- supportedArches:
- - arm64
- allowedHypervisorAnnotations: []
- containerd:
- snapshotter: nydus
- forceGuestPull: false
- crio:
- guestPull: true
- agent:
- httpsProxy: ""
- noProxy: ""
-
 qemu-coco-dev:
 enabled: true
 supportedArches:
@@ -150,7 +136,7 @@ shims:
 # Default shim per architecture (prefer TEE shims)
 defaultShim:
 amd64: qemu-snp # Can be changed to qemu-tdx if preferred
- arm64: qemu-cca
+ arm64: qemu-coco-dev-runtime-rs
 s390x: qemu-se
 runtimeClasses:
diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
index 606fe4ac63..918eac1d09 100644
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
@@ -94,7 +94,6 @@ shims:
 enabled: ~ # null = use disableAll setting (enabled when false, disabled when true)
 supportedArches:
 - amd64
- - arm64
 allowedHypervisorAnnotations: []
 containerd:
 snapshotter: ""
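Review bot: In try-kata-tee.values.yaml the new `arm64: qemu-coco-dev-runtime-rs` default sits under the comment `# Default shim per architecture (prefer TEE shims)`, but the docs touched by this same patch describe that shim as the Confidential Containers development runtime, so arm64 becomes the one architecture whose default in the TEE example is not a hardware-TEE shim (amd64 keeps `qemu-snp`, s390x keeps `qemu-se`). An operator installing with this file on arm64 could reasonably assume hardware-backed confidentiality that, judging by the shim's name and description, is probably not there. I would say so on the line itself, e.g. `arm64: qemu-coco-dev-runtime-rs  # development shim, not a hardware TEE; revisit once qemu-cca is tested`, or leave arm64 out of `defaultShim` so the choice is deliberate. The `qemu-coco-dev-runtime-rs` block is outside this hunk, so it is worth confirming it is `enabled: true` and lists `arm64` under `supportedArches` in this file.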
@@ -103,7 +102,6 @@ shims:
 enabled: ~
 supportedArches:
 - amd64
- - arm64
 allowedHypervisorAnnotations: []
 containerd:
 snapshotter: ""
@@ -112,7 +110,6 @@ shims:
 enabled: ~
 supportedArches:
 - amd64
- - arm64
 allowedHypervisorAnnotations: []
 containerd:
 snapshotter: ""
@@ -121,7 +118,6 @@ shims:
 enabled: ~
 supportedArches:
 - amd64
- - arm64
 allowedHypervisorAnnotations: []
 containerd:
 snapshotter: "devmapper" # requires pre-configuration on the user side
@@ -151,7 +147,6 @@ shims:
 enabled: ~
 supportedArches:
 - amd64
- - arm64
 allowedHypervisorAnnotations: []
 containerd:
 snapshotter: ""
@@ -289,20 +284,6 @@ shims:
 httpsProxy: ""
 noProxy: ""
- qemu-cca:
- enabled: ~
- supportedArches:
- - arm64
- allowedHypervisorAnnotations: []
- containerd:
- snapshotter: nydus
- forceGuestPull: false
- crio:
- guestPull: true
- agent:
- httpsProxy: ""
- noProxy: ""
-
 qemu-coco-dev:
 enabled: ~
 supportedArches: