From 3bbf3c81c2330299a14fde03afa59224ddbb27d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 8 Oct 2024 21:21:54 +0200
Subject: [PATCH 1/3] ci: mariner: Use the image instead of the initrd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As an image has been added for mariner as part of the commit 63c1f81c2, let's start using it in the CI, instead of using the initrd.
Signed-off-by: Fabiano FidĂȘncio
---
 tests/integration/kubernetes/gha-run.sh | 2 +-
 tests/integration/kubernetes/setup.sh | 12 ++++++------
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index ccfef0d63e..86af65f69d 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -183,7 +183,7 @@ function deploy_kata() {
 fi
 if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then
- yq -i ".env.allowedHypervisorAnnotations = \"initrd kernel default_vcpus\"" "${values_yaml}"
+ yq -i ".env.allowedHypervisorAnnotations = \"image kernel default_vcpus\"" "${values_yaml}"
 yq -i ".env.hostOS = \"${KATA_HOST_OS}\"" "${values_yaml}"
 fi
diff --git a/tests/integration/kubernetes/setup.sh b/tests/integration/kubernetes/setup.sh
index a72c7c743f..f6e44a21bf 100644
--- a/tests/integration/kubernetes/setup.sh
+++ b/tests/integration/kubernetes/setup.sh
@@ -99,19 +99,19 @@ add_annotations_to_yaml() {
 esac
 }
-add_cbl_mariner_kernel_initrd_annotations() {
+add_cbl_mariner_specific_annotations() {
 if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then
- info "Add kernel and initrd path and annotations for cbl-mariner"
+ info "Add kernel and image path and annotations for cbl-mariner"
 local mariner_annotation_kernel="io.katacontainers.config.hypervisor.kernel"
 local mariner_kernel_path="/usr/share/cloud-hypervisor/vmlinux.bin"
- local mariner_annotation_initrd="io.katacontainers.config.hypervisor.initrd"
- local mariner_initrd_path="/opt/kata/share/kata-containers/kata-containers-initrd-mariner.img"
+ local mariner_annotation_image="io.katacontainers.config.hypervisor.image"
+ local mariner_image_path="/opt/kata/share/kata-containers/kata-containers-mariner.img"
 for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml
 do
 add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_kernel}" "${mariner_kernel_path}"
- add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_initrd}" "${mariner_initrd_path}"
+ add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_image}" "${mariner_image_path}"
 done
 fi
 }
@@ -139,7 +139,7 @@ add_runtime_handler_annotations() {
 main() {
 ensure_yq
 reset_workloads_work_dir
- add_cbl_mariner_kernel_initrd_annotations
+ add_cbl_mariner_specific_annotations
 add_runtime_handler_annotations
 }
From 091ad2a1b2dfa0a2a222ec1fa2e2cfba2f8971bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Wed, 9 Oct 2024 13:48:40 +0200
Subject: [PATCH 2/3] ci: mariner: Ensure kernel_params can be set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The reason we're doing this is because mariner image uses, by default, cgroups default-hierarchy as `unified` (aka, cgroupsv2). In order to keep the same initrd behaviour for mariner, let's enforce that `SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0` is passed to the kernel cmdline, at least for now. Other tests that are setting `kernel_params` are not running on mariner, then we're safe taking this path as it's done as part of this PR.
Signed-off-by: Fabiano FidĂȘncio
---
 tests/integration/kubernetes/gha-run.sh | 2 +-
 tests/integration/kubernetes/setup.sh | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh
index 86af65f69d..7934ab958c 100755
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -183,7 +183,7 @@ function deploy_kata() {
 fi
 if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then
- yq -i ".env.allowedHypervisorAnnotations = \"image kernel default_vcpus\"" "${values_yaml}"
+ yq -i ".env.allowedHypervisorAnnotations = \"image kernel default_vcpus kernel_params\"" "${values_yaml}"
 yq -i ".env.hostOS = \"${KATA_HOST_OS}\"" "${values_yaml}"
 fi
diff --git a/tests/integration/kubernetes/setup.sh b/tests/integration/kubernetes/setup.sh
index f6e44a21bf..67c1a711f8 100644
--- a/tests/integration/kubernetes/setup.sh
+++ b/tests/integration/kubernetes/setup.sh
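Review bot: Adding `kernel_params` to `.env.allowedHypervisorAnnotations` in the gha-run.sh hunk of patch 2/3 means any pod on the mariner test cluster can set its own guest kernel command line through an annotation, which is a broader grant than the `image kernel default_vcpus` list it replaces. That is a reasonable choice for CI, but nothing at the line records that it is CI-only, and an allow-list like this tends to get copied into other values files. I would add a comment above the `yq` call, for example `# CI only: kernel_params is allowed so setup.sh can force cgroup v1 on the mariner image; do not reuse this allow-list outside the test cluster.` The body of `deploy_kata` starts and ends outside the hunk.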
@@ -108,10 +108,13 @@ add_cbl_mariner_specific_annotations() {
 local mariner_annotation_image="io.katacontainers.config.hypervisor.image"
 local mariner_image_path="/opt/kata/share/kata-containers/kata-containers-mariner.img"
+ local mariner_annotation_kernel_params="io.katacontainers.config.hypervisor.kernel_params"
+ local mariner_kernel_params="SYSTEMD_CGROUP_ENABLE_LEGACY_FORCE=1 systemd.legacy_systemd_cgroup_controller=yes systemd.unified_cgroup_hierarchy=0"
 for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml
 do
 add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_kernel}" "${mariner_kernel_path}"
 add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_image}" "${mariner_image_path}"
+ add_annotations_to_yaml "${K8S_TEST_YAML}" "${mariner_annotation_kernel_params}" "${mariner_kernel_params}"
 done
 fi
 }
From 01a957f7e1d43dd0efb4bcc25b9b1e689d34702f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 8 Oct 2024 21:45:03 +0200
Subject: [PATCH 3/3] ci: mariner: Stop building mariner initrd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
As the mariner image is already in place, and the tests were modified to use them (as part of this series), let's just stop building it as part of the CI.
Signed-off-by: Fabiano FidĂȘncio
---
 .github/workflows/build-kata-static-tarball-amd64.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/build-kata-static-tarball-amd64.yaml b/.github/workflows/build-kata-static-tarball-amd64.yaml
index bbabe8ff0e..021efe8d1c 100644
--- a/.github/workflows/build-kata-static-tarball-amd64.yaml
+++ b/.github/workflows/build-kata-static-tarball-amd64.yaml
@@ -53,7 +53,6 @@ jobs:
 - rootfs-image-mariner
 - rootfs-initrd
 - rootfs-initrd-confidential
- - rootfs-initrd-mariner
 - runk
 - shim-v2
 - trace-forwarder
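Review bot: The `kernel_params` annotation added in the setup.sh hunk of patch 2/3 is written into every file under `runtimeclass_workloads_work/`, while the reason for it and the assumption that no mariner test sets its own `kernel_params` are recorded only in the commit message. How `add_annotations_to_yaml` handles a workload that already carries that annotation is not visible in this hunk, so a later test that sets `kernel_params` could have its value replaced or run without the cgroup settings. I would put a comment above `local mariner_kernel_params=...`, such as `# Temporary: the mariner image defaults to cgroup v2; force v1 to match the old initrd. Assumes no mariner test sets kernel_params itself.` The body of `add_cbl_mariner_specific_annotations` starts outside the hunk.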