From e1f8b8e8b46eac604d10047ae12acba4ca84948f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 12:35:40 +0200 Subject: [PATCH 1/6] build: add arm64 tools build (genpolicy only) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The arm64 build workflow was missing the tools build entirely. Add build-tools-asset and create-kata-tools-tarball jobs mirroring the amd64 workflow so that genpolicy and the other tools are available for coco-dev tests that need auto-generated policy. Signed-off-by: Fabiano Fidêncio Made-with: Cursor --- .../build-kata-static-tarball-arm64.yaml | 106 ++++++++++++++++++ tools/packaging/static-build/tools/Dockerfile | 23 +++- 2 files changed, 123 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index d463427861..115d8de43e 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml 
@@ -297,6 +297,112 @@ jobs: retention-days: 15 if-no-files-found: error + build-tools-asset: + name: build-tools-asset + runs-on: ubuntu-24.04-arm + permissions: + contents: read + packages: write + strategy: + matrix: + asset: + - genpolicy + stage: + - ${{ inputs.stage }} + steps: + - name: Login to Kata Containers quay.io + if: ${{ inputs.push-to-registry == 'yes' }} + uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 + with: + registry: quay.io + username: ${{ vars.QUAY_DEPLOYER_USERNAME }} + password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }} + + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 # This is needed in order to keep the commit ids history + persist-credentials: false + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: Build ${{ matrix.asset }} + id: build + run: | + make "${KATA_ASSET}-tarball" + build_dir=$(readlink -f build) + # store-artifact does not work with symlink + mkdir -p kata-tools-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-tools-build/. 
+ env: + KATA_ASSET: ${{ matrix.asset }} + TAR_OUTPUT: ${{ matrix.asset }}.tar.gz + PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }} + ARTEFACT_REGISTRY: ghcr.io + ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }} + ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + TARGET_BRANCH: ${{ inputs.target-branch }} + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + + - name: store-artifact ${{ matrix.asset }} + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: kata-tools-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }} + path: kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst + retention-days: 15 + if-no-files-found: error + + create-kata-tools-tarball: + name: create-kata-tools-tarball + runs-on: ubuntu-24.04-arm + needs: [build-tools-asset] + permissions: + contents: read + packages: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 + fetch-tags: true + persist-credentials: false + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-artifacts + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + with: + pattern: kata-tools-artifacts-arm64-*${{ inputs.tarball-suffix }} + path: kata-tools-artifacts + merge-multiple: true + - name: merge-artifacts + run: | + ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst + env: + RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + - name: Check kata-tools tarball size (GitHub release asset limit) + run: | + # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas + GITHUB_ASSET_MAX_BYTES=2147483648 + tarball_size=$(stat -c "%s" 
kata-tools-static.tar.zst) + if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then + echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)" + exit 1 + fi + echo "tarball size: ${tarball_size} bytes" + - name: store-artifacts + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }} + path: kata-tools-static.tar.zst + retention-days: 15 + if-no-files-found: error + create-kata-tarball: name: create-kata-tarball runs-on: ubuntu-24.04-arm diff --git a/tools/packaging/static-build/tools/Dockerfile b/tools/packaging/static-build/tools/Dockerfile index eb52334592..17ede6581e 100644 --- a/tools/packaging/static-build/tools/Dockerfile +++ b/tools/packaging/static-build/tools/Dockerfile 
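Review bot: `create-kata-tools-tarball` requests `packages: write` although none of its steps visible here pushes to a registry — it downloads artifacts, runs `kata-deploy-merge-builds.sh` without any registry credentials in its `env`, and uploads an artifact — so its job token is over-privileged; unless the merge script publishes to ghcr.io, reduce it to `permissions: contents: read` and keep `packages: write` only on `build-tools-asset`, which actually authenticates with `secrets.GITHUB_TOKEN`. Separately, the build step's env sets `TAR_OUTPUT: ${{ matrix.asset }}.tar.gz` while the store step expects `kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst`; this presumably mirrors the amd64 workflow, but it is worth confirming the Makefile target ignores `TAR_OUTPUT`, since `if-no-files-found: error` turns any name mismatch into a job failure. A comment on the job stating that it is a copy of the amd64 `build-tools-asset` job (and should be kept in sync with it) would help the next person who changes only one of them.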
@@ -61,10 +61,21 @@ RUN ARCH=$(uname -m) && \
 rm /tmp/oras.tar.gz && \
 oras version
 
-# Tools only build for x86_64
-RUN rustup target add x86_64-unknown-linux-musl
+RUN ARCH=$(uname -m) && \
+ case "${ARCH}" in \
+ x86_64) MUSL_TARGET="x86_64-unknown-linux-musl" ;; \
+ aarch64) MUSL_TARGET="aarch64-unknown-linux-musl" ;; \
+ *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
+ esac && \
+ rustup target add "${MUSL_TARGET}"
 
-RUN kernelname=$(uname -s | tr '[:upper:]' '[:lower:]'); \
- curl -fsSOL "https://go.dev/dl/go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \
- tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \
- rm "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz"
+RUN ARCH=$(uname -m) && \
+ case "${ARCH}" in \
+ x86_64) GO_ARCH="amd64" ;; \
+ aarch64) GO_ARCH="arm64" ;; \
+ *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
+ esac && \
+ kernelname=$(uname -s | tr '[:upper:]' '[:lower:]') && \
+ curl -fsSOL "https://go.dev/dl/go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \
+ tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \
+ rm "go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz"
From 861f15cdc4b93fa4bebb79f300cceb72d556d42c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 12:27:55 +0200 Subject: [PATCH 2/6] build: add arm64 coco-dev build dependencies MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Build coco-guest-components, pause-image, and rootfs-image-confidential for arm64, which are required by qemu-coco-dev-runtime-rs. Enable MEASURED_ROOTFS on the arm64 shim-v2 build, add the aarch64 case to install_kernel() so the default kernel is built as a unified kernel (with confidential guest support, like x86_64), and adjust the kernel install naming so only CCA builds get the -confidential suffix. Also wire rootfs-image-confidential-tarball into the aarch64 local-build Makefile.
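Review bot: The rewritten Go download still fetches `go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz` and extracts it straight into `${GO_HOME}` with no integrity check, so a truncated or substituted archive is only noticed if `tar` happens to fail; now that the layer is built for two architectures, carry the expected digest per `GO_ARCH` (build args, or the SHA-256 go.dev publishes alongside each archive) and run `sha256sum -c` before the `tar` step. Both new `RUN` layers repeat the same `case "${ARCH}"` dispatch with the same error text; one layer that derives `MUSL_TARGET` and `GO_ARCH` together would keep the unsupported-architecture exit in a single place. The `oras` download above the hunk has the same shape but is outside this change.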
Signed-off-by: Fabiano Fidêncio Made-with: Cursor --- .github/workflows/build-kata-static-tarball-arm64.yaml | 6 ++++++ tools/packaging/kata-deploy/local-build/Makefile | 1 + .../kata-deploy/local-build/kata-deploy-binaries.sh | 7 ++++++- tools/packaging/kernel/build-kernel.sh | 7 +++++-- tools/packaging/kernel/kata_config_version | 2 +- 5 files changed, 19 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-kata-static-tarball-arm64.yaml b/.github/workflows/build-kata-static-tarball-arm64.yaml index 115d8de43e..96cf1b2650 100644 --- a/.github/workflows/build-kata-static-tarball-arm64.yaml +++ b/.github/workflows/build-kata-static-tarball-arm64.yaml @@ -43,6 +43,7 @@ jobs: - agent - busybox - cloud-hypervisor + - coco-guest-components - firecracker - kernel - kernel-debug @@ -51,6 +52,7 @@ jobs: - kernel-cca-confidential - nydus - ovmf + - pause-image - qemu - virtiofsd env: @@ -151,6 +153,7 @@ jobs: matrix: asset: - rootfs-image + - rootfs-image-confidential - rootfs-image-nvidia-gpu - rootfs-initrd steps: @@ -216,7 +219,9 @@ jobs: matrix: asset: - busybox + - coco-guest-components - kernel-nvidia-gpu-modules + - pause-image steps: - uses: geekyeggo/delete-artifact@176a747ab7e287e3ff4787bf8a148716375ca118 # v6.0.0 with: @@ -288,6 +293,7 @@ jobs: ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} TARGET_BRANCH: ${{ inputs.target-branch }} RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }} + MEASURED_ROOTFS: yes - name: store-artifact shim-v2 uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 diff --git a/tools/packaging/kata-deploy/local-build/Makefile b/tools/packaging/kata-deploy/local-build/Makefile index 05dbfb052a..49d6f9611b 100644 --- a/tools/packaging/kata-deploy/local-build/Makefile +++ b/tools/packaging/kata-deploy/local-build/Makefile 
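Review bot: In the `@@ -288,6 +293,7 @@` hunk the new `MEASURED_ROOTFS: yes` is an unquoted YAML 1.1 boolean literal; GitHub's workflow parser appears to hand it to the step as the string `yes`, but yamllint's `truthy` rule flags it and the neighbouring `RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}` deliberately yields a quoted string, so write `MEASURED_ROOTFS: "yes"` to keep the value a string under any parser. A one-line comment on why measured rootfs is now on for the arm64 shim-v2 build (the commit message explains it, the workflow does not) would also help. The shim-v2 job whose env this extends starts and ends outside the hunk; the matrix additions in the other hunks look consistent with the `delete-artifact` list.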
@@ -60,6 +60,7 @@ BASE_TARBALLS = serial-targets \ shim-v2-tarball \ virtiofsd-tarball BASE_SERIAL_TARBALLS = rootfs-image-tarball \ + rootfs-image-confidential-tarball \ rootfs-cca-confidential-image-tarball \ rootfs-cca-confidential-initrd-tarball \ rootfs-initrd-tarball diff --git a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh index aa582672b6..73554e9132 100755 --- a/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh +++ b/tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh @@ -710,7 +710,7 @@ install_kernel_helper() { DESTDIR="${destdir}" PREFIX="${prefix}" "${kernel_builder}" -v "${kernel_version}" -f -u "${kernel_url}" "${extra_cmd}" } -#Install kernel asset (on x86_64 and s390x built with -x for TEE/confidential; other arches without -x) +#Install kernel asset (on x86_64, s390x, and aarch64 built with -x for TEE/confidential) install_kernel() { local extra_cmd="" case "${ARCH}" in @@ -719,6 +719,11 @@ install_kernel() { export MEASURED_ROOTFS="no" extra_cmd="-x" ;; + aarch64) + export CONFIDENTIAL_GUEST="yes" + export MEASURED_ROOTFS="yes" + extra_cmd="-x" + ;; x86_64) export CONFIDENTIAL_GUEST="yes" export MEASURED_ROOTFS="yes" diff --git a/tools/packaging/kernel/build-kernel.sh b/tools/packaging/kernel/build-kernel.sh index 612353e5d5..97d3a6e5c3 100755 --- a/tools/packaging/kernel/build-kernel.sh +++ b/tools/packaging/kernel/build-kernel.sh 
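Review bot: The new `aarch64)` arm of the `case` in `install_kernel()` is, as far as the hunk shows, identical to the `x86_64)` arm that follows it (`export CONFIDENTIAL_GUEST="yes"`, `export MEASURED_ROOTFS="yes"`, presumably `extra_cmd="-x"`); if the x86_64 arm has no further statements past the hunk, merge them as `aarch64|x86_64)` so the two architectures cannot drift apart. The updated header comment drops the old `other arches without -x` tail, which still describes ppc64le and any unlisted arch; keep it, e.g. `#Install kernel asset (x86_64, s390x and aarch64 built with -x for TEE/confidential; other arches without -x)`. Note that `export` here leaks `CONFIDENTIAL_GUEST`/`MEASURED_ROOTFS` to everything built later in the same shell, pre-existing behaviour that now covers one more arch. `install_kernel()` continues past the hunk.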
@@ -578,8 +578,11 @@ install_kata() {
 if [[ ${gpu_vendor} != "" ]]; then
 suffix="-${gpu_vendor}-gpu${suffix}"
 elif [[ ${conf_guest} != "" ]]; then
- # CCA on aarch64 uses -confidential suffix; x86_64/s390x unified kernel does not
- if [[ "${arch_target}" == "aarch64" ]]; then
+ # CCA kernel on arm64 needs a -confidential suffix to coexist
+ # with the unified kernel; the regular kernel with -x does not
+ # get the suffix (matching x86_64/s390x unified kernel behavior).
+ # CCA builds are identified by -H (linux_headers) being set.
+ if [[ "${arch_target}" == "arm64" ]] && [[ -n "${linux_headers}" ]]; then
 suffix="-${conf_guest}${suffix}"
 fi
 fi
diff --git a/tools/packaging/kernel/kata_config_version b/tools/packaging/kernel/kata_config_version
index e702a30b33..6c412452bc 100644
--- a/tools/packaging/kernel/kata_config_version
+++ b/tools/packaging/kernel/kata_config_version
@@ -1 +1 @@
-188
+189
From 588a67a3fbbb99db0c4d16927f58c570a960542f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 12:16:22 +0200 Subject: [PATCH 3/6] kata-deploy: add arm64 support for qemu-coco-dev shims MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add aarch64/arm64 to the list of supported architectures for qemu-coco-dev and qemu-coco-dev-runtime-rs shims across kata-deploy configuration, Helm chart values, and test helper scripts. Note that guest-components and the related build dependencies are not yet wired for arm64 in these configurations; those will be addressed separately. Signed-off-by: Fabiano Fidêncio Made-with: Cursor --- docs/helm-configuration.md | 2 +- tests/gha-run-k8s-common.sh | 4 +++- tools/packaging/kata-deploy/binary/src/config.rs | 2 +- .../helm-chart/kata-deploy/try-kata-tee.values.yaml | 1 + .../packaging/kata-deploy/helm-chart/kata-deploy/values.yaml | 1 + 5 files changed, 7 insertions(+), 3 deletions(-)
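Review bot: The rewritten condition changes the compared value from `"aarch64"` to `"arm64"` on the same line that adds the `linux_headers` test, and the commit message explains only the latter; if `arch_target` already holds the kernel arch name by the time `install_kata()` runs (the mapping would be elsewhere in the script, outside this hunk), the old comparison never matched and the CCA suffix was never applied — a behavioural fix worth stating — and if it does not, the new comparison never matches. Using `-n "${linux_headers}"` as the marker for a CCA build is an indirect proxy: any future caller passing `-H` for a non-CCA arm64 kernel inherits the `-confidential` suffix, so an explicit flavour check or flag would make the intent self-describing. At minimum extend the comment with `# arch_target is the kernel arch name (arm64), not uname -m (aarch64)`. `install_kata()` starts before and ends after this hunk.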
diff --git a/docs/helm-configuration.md b/docs/helm-configuration.md index 2b55f36321..79b0bd4242 100644 --- a/docs/helm-configuration.md +++ b/docs/helm-configuration.md @@ -109,7 +109,7 @@ Includes: - `qemu-se-runtime-rs` - IBM Secure Execution for Linux (SEL) Rust runtime (s390x) - `qemu-cca` - Arm Confidential Compute Architecture (arm64) - `qemu-coco-dev` - Confidential Containers development (amd64, s390x) -- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, s390x) +- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, arm64, s390x) ### [`try-kata-nvidia-gpu.values.yaml`](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml) diff --git a/tests/gha-run-k8s-common.sh b/tests/gha-run-k8s-common.sh index 1463074be1..1d016499ed 100644 --- a/tests/gha-run-k8s-common.sh +++ b/tests/gha-run-k8s-common.sh @@ -707,7 +707,9 @@ function helm_helper() { yq -i ".shims.${shim}.supportedArches = [\"arm64\"]" "${values_yaml}" elif is_snp_hypervisor "${shim}" || is_tdx_hypervisor "${shim}" || is_confidential_gpu_hypervisor "${shim}"; then yq -i ".shims.${shim}.supportedArches = [\"amd64\"]" "${values_yaml}" - elif [[ "${shim}" == "qemu-runtime-rs" ]]; then + # qemu-coco-dev-runtime-rs is checked explicitly because + # qemu-coco-dev (Go runtime) does not support arm64. + elif [[ "${shim}" == "qemu-runtime-rs" ]] || [[ "${shim}" == "qemu-coco-dev-runtime-rs" ]]; then yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"arm64\", \"s390x\"]" "${values_yaml}" elif is_non_tee_hypervisor "${shim}"; then yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"s390x\"]" "${values_yaml}" diff --git a/tools/packaging/kata-deploy/binary/src/config.rs b/tools/packaging/kata-deploy/binary/src/config.rs index 37e1028a70..08c7e63a1b 100644 --- a/tools/packaging/kata-deploy/binary/src/config.rs 
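Review bot: The new comment in `helm_helper()` states that `qemu-coco-dev (Go runtime) does not support arm64`, yet the commit message says arm64 is added for both `qemu-coco-dev` and `qemu-coco-dev-runtime-rs`; the code in this series (this branch, the `config.rs` aarch64 list and, presumably, the values-file hunks) only wires the runtime-rs shim, so the message overstates the change and should be narrowed to `qemu-coco-dev-runtime-rs`. The explicit `[[ "${shim}" == ... ]]` chain grows with every shim; a `case "${shim}" in qemu-runtime-rs|qemu-coco-dev-runtime-rs)` branch, or a predicate in the style of the surrounding `is_*_hypervisor` helpers, would keep the per-arch lists in one place. `helm_helper()` starts and ends outside the hunk.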
+++ b/tools/packaging/kata-deploy/binary/src/config.rs @@ -734,7 +734,7 @@ fn parse_custom_runtimes() -> Result> { fn get_default_shims_for_arch(arch: &str) -> &'static str { match arch { "x86_64" => "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx qemu-snp qemu-snp-runtime-rs qemu-tdx qemu-tdx-runtime-rs", - "aarch64" => "clh cloud-hypervisor dragonball fc qemu qemu-runtime-rs qemu-nvidia-gpu qemu-cca", + "aarch64" => "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-nvidia-gpu qemu-cca", "s390x" => "qemu qemu-runtime-rs qemu-se qemu-se-runtime-rs qemu-coco-dev qemu-coco-dev-runtime-rs", "ppc64le" => "qemu", _ => "qemu", // Fallback to qemu for unknown architectures diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml index 42dad88ad6..f5986a564e 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml @@ -135,6 +135,7 @@ shims: enabled: true supportedArches: - amd64 + - arm64 - s390x allowedHypervisorAnnotations: [] containerd: diff --git a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml index 660822c729..606fe4ac63 100644 --- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml +++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml @@ -322,6 +322,7 @@ shims: enabled: ~ supportedArches: - amd64 + - arm64 - s390x allowedHypervisorAnnotations: [] containerd: From 35e48fdfd10ba8aed789878a9b4ba5f5775957c7 Mon Sep 17 00:00:00 2001 
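Review bot: The aarch64 string in `get_default_shims_for_arch()` is now the third place — with `helm_helper()` in `tests/gha-run-k8s-common.sh` and the chart's `supportedArches` lists — that must agree on which architectures `qemu-coco-dev-runtime-rs` supports, and nothing in the change ties them together; a unit test asserting `get_default_shims_for_arch("aarch64")` contains `qemu-coco-dev-runtime-rs`, plus a comment `// Keep in sync with helm-chart/kata-deploy/values.yaml supportedArches` above the `match`, would at least make the coupling visible. The insertion before `qemu-runtime-rs` matches the order used in the x86_64 entry. The function's closing lines are outside the hunk, and the values-file hunks do not show which shim's `supportedArches` they extend.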
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 12:19:00 +0200 Subject: [PATCH 4/6] ci: run qemu-coco-dev-runtime-rs tests on arm64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add qemu-coco-dev-runtime-rs to the arm64 k8s test matrix so that the CoCo non-TEE configuration is exercised on aarch64 runners. Also enable auto-generated policy for qemu-coco-dev on aarch64 (matching the existing x86_64 behavior) and register the new job as a required gatekeeper check. Signed-off-by: Fabiano Fidêncio Made-with: Cursor --- .github/workflows/ci.yaml | 19 ++- .../run-kata-coco-tests-arm64-k8s.yaml | 128 ++++++++++++++++++ .../kubernetes/confidential_kbs.sh | 2 +- tests/integration/kubernetes/gha-run.sh | 2 +- tests/integration/kubernetes/tests_common.sh | 8 +- 5 files changed, 155 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/run-kata-coco-tests-arm64-k8s.yaml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index dffb6ff1f7..9611fdc4b1 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -217,7 +217,7 @@ jobs: tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }} push: true context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/ - platforms: linux/amd64, linux/s390x + platforms: linux/amd64, linux/arm64, linux/s390x file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile run-kata-monitor-tests: 
@@ -277,6 +277,23 @@ jobs: pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} + run-kata-coco-tests-on-arm64: + if: ${{ inputs.skip-test != 'yes' }} + needs: + - publish-kata-deploy-payload-arm64 + - build-and-publish-tee-confidential-unencrypted-image + uses: ./.github/workflows/run-kata-coco-tests-arm64-k8s.yaml + with: + tarball-suffix: -${{ inputs.tag }} + registry: ghcr.io + repo: ${{ github.repository_owner }}/kata-deploy-ci + tag: ${{ inputs.tag }}-arm64 + commit-hash: ${{ inputs.commit-hash }} + pr-number: ${{ inputs.pr-number }} + target-branch: ${{ inputs.target-branch }} + secrets: + AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} + run-k8s-tests-on-nvidia-gpu: if: ${{ inputs.skip-test != 'yes' }} needs: publish-kata-deploy-payload-amd64 diff --git a/.github/workflows/run-kata-coco-tests-arm64-k8s.yaml b/.github/workflows/run-kata-coco-tests-arm64-k8s.yaml new file mode 100644 index 0000000000..68c0c6ad35 --- /dev/null +++ b/.github/workflows/run-kata-coco-tests-arm64-k8s.yaml 
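Review bot: `run-kata-coco-tests-on-arm64` lists only `publish-kata-deploy-payload-arm64` and the unencrypted image build under `needs:`, but the called workflow's first real step downloads `kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }}`, which is produced by `create-kata-tools-tarball` in the arm64 build workflow; the ordering is only guaranteed if `publish-kata-deploy-payload-arm64` itself waits for the whole arm64 build workflow (outside this hunk), so please confirm that or add the producing job to `needs:` explicitly. A short comment on why `AUTHENTICATED_IMAGE_PASSWORD` is forwarded to this job (which tests need it) would help readers who compare it with the other test jobs. The amd64 counterpart this presumably mirrors is not in the hunk.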
@@ -0,0 +1,128 @@ +name: CI | Run kata coco tests on arm64 k8s +on: + workflow_call: + inputs: + tarball-suffix: + required: false + type: string + registry: + required: true + type: string + repo: + required: true + type: string + tag: + required: true + type: string + pr-number: + required: true + type: string + commit-hash: + required: false + type: string + target-branch: + required: false + type: string + default: "" + secrets: + AUTHENTICATED_IMAGE_PASSWORD: + required: false + +permissions: {} + +jobs: + run-k8s-tests-coco-arm64-k8s: + name: run-k8s-tests-coco-arm64-k8s (${{ matrix.vmm }}, ${{ matrix.k8s }}) + strategy: + fail-fast: false + matrix: + vmm: + - qemu-coco-dev-runtime-rs + k8s: + - kubeadm + runs-on: arm64-k8s + environment: + name: ci + deployment: false + env: + DOCKER_REGISTRY: ${{ inputs.registry }} + DOCKER_REPO: ${{ inputs.repo }} + DOCKER_TAG: ${{ inputs.tag }} + GH_PR_NUMBER: ${{ inputs.pr-number }} + KATA_HYPERVISOR: ${{ matrix.vmm }} + KUBERNETES: ${{ matrix.k8s }} + K8S_TEST_HOST_TYPE: all + TARGET_ARCH: "aarch64" + KBS: "true" + KBS_INGRESS: "nodeport" + AUTO_GENERATE_POLICY: "yes" + PULL_TYPE: "guest-pull" + SNAPSHOTTER: "nydus" + AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }} + AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} + GH_TOKEN: ${{ github.token }} + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ inputs.commit-hash }} + fetch-depth: 0 + persist-credentials: false + + - name: Rebase atop of the latest target branch + run: | + ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" + env: + TARGET_BRANCH: ${{ inputs.target-branch }} + + - name: get-kata-tools-tarball + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + with: + name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }} + path: kata-tools-artifacts + + - name: Install kata-tools + run: bash 
tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts + + - name: Deploy Kata + timeout-minutes: 20 + run: bash tests/integration/kubernetes/gha-run.sh deploy-kata + + - name: Uninstall previous `kbs-client` + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client + + - name: Deploy CoCo KBS + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs + + - name: Install `kbs-client` + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client + + - name: Install `bats` + run: bash tests/integration/kubernetes/gha-run.sh install-bats + + - name: Run tests + timeout-minutes: 90 + run: bash tests/integration/kubernetes/gha-run.sh run-tests + + - name: Report tests + if: always() + run: bash tests/integration/kubernetes/gha-run.sh report-tests + + - name: Collect artifacts ${{ matrix.vmm }} + if: always() + run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts + continue-on-error: true + + - name: Archive artifacts ${{ matrix.vmm }} + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + with: + name: k8s-coco-arm64-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }} + path: /tmp/artifacts + retention-days: 1 + + - name: Delete kata-deploy + if: always() + timeout-minutes: 15 + run: bash tests/integration/kubernetes/gha-run.sh cleanup diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh index 4923fb6fdc..c71cdce808 100644 --- a/tests/integration/kubernetes/confidential_kbs.sh +++ b/tests/integration/kubernetes/confidential_kbs.sh @@ -227,7 +227,7 @@ kbs_install_cli() { source /etc/os-release || source /usr/lib/os-release case "${ID}" in - ubuntu) + debian|ubuntu) local pkgs="build-essential pkg-config libssl-dev" sudo apt-get update -y 
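Review bot: `AUTHENTICATED_IMAGE_PASSWORD` and `AUTHENTICATED_IMAGE_USER` sit in the job-level `env:`, so they are exported to every step on the self-hosted `arm64-k8s` runner — including `install-kata-tools`, `deploy-kata` and `cleanup`, which run repository scripts from the rebased PR commit and show no need for the credential; if only `run-tests` (or the KBS steps) consumes it, move both keys to that step's `env:` to narrow exposure. `GH_TOKEN: ${{ github.token }}` is set under a top-level `permissions: {}` with no job-level override, so any `gh` call in the scripts receives a token with no scopes; say in a comment what it is for, or drop it. `Install kata-tools` and `Install bats` have no `timeout-minutes` while their siblings do, and `deployment: false` under `environment:` is not a key I can place in the documented `jobs.<id>.environment` syntax (`name`, `url`) — confirm it is honoured rather than silently ignored.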
diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index c5ae2b115c..a2609da84a 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh @@ -453,7 +453,7 @@ function main() { if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then AUTO_GENERATE_POLICY="yes" elif [[ "${KATA_HYPERVISOR}" = qemu-coco-dev* && \ - "${TARGET_ARCH}" = "x86_64" && \ + ( "${TARGET_ARCH}" = "x86_64" || "${TARGET_ARCH}" = "aarch64" ) && \ "${PULL_TYPE}" != "experimental-force-guest-pull" ]]; then AUTO_GENERATE_POLICY="yes" elif [[ "${KATA_HYPERVISOR}" = qemu-nvidia-gpu-* ]]; then diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index be647ecaa3..34fce8cf17 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh @@ -112,6 +112,12 @@ is_k3s_or_rke2() { esac } +# The arm64 runner owners keep containerd updates synced across all runners. +is_arm64_host() { + [[ "$(uname -m)" == "aarch64" ]] && return 0 + return 1 +} + # Return the kubelet data directory, which varies by Kubernetes distribution. get_kubelet_data_dir() { case "${KUBERNETES:-}" in @@ -145,7 +151,7 @@ install_genpolicy_drop_ins() { # 20-* OCI version overlay if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/" - elif is_k3s_or_rke2 || is_nvidia_gpu_platform || is_snp_hypervisor "${KATA_HYPERVISOR}" || is_tdx_hypervisor "${KATA_HYPERVISOR}" || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then + elif is_k3s_or_rke2 || is_nvidia_gpu_platform || is_snp_hypervisor "${KATA_HYPERVISOR}" || is_tdx_hypervisor "${KATA_HYPERVISOR}" || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]] || is_arm64_host; then cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/" fi From d04bb98e09f29063c2d05ec7245cbd910e10109e Mon Sep 17 00:00:00 2001 
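Review bot: The comment on `is_arm64_host()` (`The arm64 runner owners keep containerd updates synced across all runners.`) explains why arm64 hosts get the OCI 1.3.0 drop-in rather than what the function does, and that reasoning belongs at the `elif` in `install_genpolicy_drop_ins()` that uses it; describe the predicate here instead, e.g. `# True when the host running the tests is an aarch64 machine (uname -m).`, and move the containerd sentence to the call site. The body can simply be `[[ "$(uname -m)" == "aarch64" ]]`, which returns the test's status without the explicit `return 0`/`return 1`. Host architecture is also an indirect proxy for the containerd version that actually decides the OCI drop-in; the `CONTAINER_ENGINE_VERSION` branch already in that condition expresses the real signal, so consider setting it from the arm64 workflow rather than inferring it. `install_genpolicy_drop_ins()` and `main()` in `gha-run.sh` both start and end outside their hunks.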
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 14 Apr 2026 18:14:10 +0200 Subject: [PATCH 5/6] runtime-rs: Increase reconnect_timeout_ms for confidential VMs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Go runtime's CoCo dev config uses dial_timeout = 45s, but all runtime-rs confidential VM configs had reconnect_timeout_ms set to 3000ms (3s) or 5000ms (SE). This is too short for confidential VMs, especially on arm64 where UEFI firmware (AAVMF) adds significant boot time on top of the measured boot process, causing ECONNRESET errors on the vsock connection before the agent is ready. Bump reconnect_timeout_ms to 45000ms across all confidential VM configs (coco-dev, SNP, TDX, SE) to match the Go runtime. Signed-off-by: Fabiano Fidêncio Made-with: Cursor --- .../configuration-qemu-coco-dev-runtime-rs.toml.in | 10 +++++----- .../config/configuration-qemu-se-runtime-rs.toml.in | 10 +++++----- .../config/configuration-qemu-snp-runtime-rs.toml.in | 10 +++++----- .../config/configuration-qemu-tdx-runtime-rs.toml.in | 10 +++++----- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in index 2734d83cbb..1c37e39b64 100644 --- a/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in +++ b/src/runtime-rs/config/configuration-qemu-coco-dev-runtime-rs.toml.in 
@@ -544,17 +544,17 @@ kernel_modules = []
 debug_console_enabled = false
 
 # Agent dial timeout in millisecond.
-# (default: 10)
-dial_timeout_ms = 10
+# (default: 100)
+dial_timeout_ms = 100
 
 # Agent reconnect timeout in millisecond.
-# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
+# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450)
 # If you find pod cannot connect to the agent when starting, please
 # consider increasing this value to increase the retry times.
 # You'd better not change the value of dial_timeout_ms, unless you have an
 # idea of what you are doing.
-# (default: 3000)
-reconnect_timeout_ms = 3000
+# (default: 45000)
+reconnect_timeout_ms = 45000
 
 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub)
 # to create their Unix sockets after being spawned by the agent.
diff --git a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
index 93dbdf7846..99a6e1450f 100644
--- a/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-se-runtime-rs.toml.in
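Review bot: The `(default: 100)`, `(default: 450)` and `(default: 45000)` comment edits describe the compiled-in defaults of runtime-rs, but this patch touches no Rust source (the diffstat lists only the four `.toml.in` files), so unless those defaults were changed elsewhere the comments now misstate them — the SE file already carried `dial_timeout_ms = 90` under a `(default: 10)` comment, which shows the annotation tracks the code default, not the value chosen in the template. Keep the original `(default: …)` lines and attach the rationale to the value instead, e.g. `# Raised to 45000 for confidential VMs: measured boot (plus AAVMF on arm64) delays agent readiness`. The change of `dial_timeout_ms` from 10 (90 for SE) to 100 is not mentioned in the commit message, although it alters the retry cadence as well as the overall window. The same applies to the SE, SNP and TDX hunks that follow.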
@@ -521,17 +521,17 @@ kernel_modules = []
 debug_console_enabled = false
 
 # Agent dial timeout in millisecond.
-# (default: 10)
-dial_timeout_ms = 90
+# (default: 100)
+dial_timeout_ms = 100
 
 # Agent reconnect timeout in millisecond.
-# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
+# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450)
 # If you find pod cannot connect to the agent when starting, please
 # consider increasing this value to increase the retry times.
 # You'd better not change the value of dial_timeout_ms, unless you have an
 # idea of what you are doing.
-# (default: 3000)
-reconnect_timeout_ms = 5000
+# (default: 45000)
+reconnect_timeout_ms = 45000
 
 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub)
 # to create their Unix sockets after being spawned by the agent.
diff --git a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
index c76ca186db..b3905c29b9 100644
--- a/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-snp-runtime-rs.toml.in
@@ -563,17 +563,17 @@ kernel_modules = []
 debug_console_enabled = false
 
 # Agent dial timeout in millisecond.
-# (default: 10)
-dial_timeout_ms = 10
+# (default: 100)
+dial_timeout_ms = 100
 
 # Agent reconnect timeout in millisecond.
-# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
+# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450)
 # If you find pod cannot connect to the agent when starting, please
 # consider increasing this value to increase the retry times.
 # You'd better not change the value of dial_timeout_ms, unless you have an
 # idea of what you are doing.
-# (default: 3000)
-reconnect_timeout_ms = 3000
+# (default: 45000)
+reconnect_timeout_ms = 45000
 
 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub)
 # to create their Unix sockets after being spawned by the agent.
diff --git a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
index 2767324eaa..51bc649ead 100644
--- a/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
+++ b/src/runtime-rs/config/configuration-qemu-tdx-runtime-rs.toml.in
@@ -539,17 +539,17 @@ kernel_modules = []
 debug_console_enabled = false
 
 # Agent dial timeout in millisecond.
-# (default: 10)
-dial_timeout_ms = 10
+# (default: 100)
+dial_timeout_ms = 100
 
 # Agent reconnect timeout in millisecond.
-# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 300)
+# Retry times = reconnect_timeout_ms / dial_timeout_ms (default: 450)
 # If you find pod cannot connect to the agent when starting, please
 # consider increasing this value to increase the retry times.
 # You'd better not change the value of dial_timeout_ms, unless you have an
 # idea of what you are doing.
-# (default: 3000)
-reconnect_timeout_ms = 3000
+# (default: 45000)
+reconnect_timeout_ms = 45000
 
 # Timeout in seconds for guest components (attestation-agent, confidential-data-hub)
 # to create their Unix sockets after being spawned by the agent.
From edfaeec3161c856af9af3f2d97212e7abf1796de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Sat, 18 Apr 2026 00:29:30 +0200 Subject: [PATCH 6/6] tests: arm64: Skip tests which do not have a multi-arch image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The image used has some special (as weird) properties that are being taking advantage of to implement policy related tests. Changing the image is a no-go at this point, otherwise we break the tests ... so let's just skip those for now. Signed-off-by: Fabiano Fidêncio --- tests/integration/kubernetes/k8s-policy-deployment-sc.bats | 2 ++ tests/integration/kubernetes/k8s-policy-deployment.bats | 2 ++ 2 files changed, 4 insertions(+)
diff --git a/tests/integration/kubernetes/k8s-policy-deployment-sc.bats b/tests/integration/kubernetes/k8s-policy-deployment-sc.bats
index 4ed4573e7d..072bf6352f 100644
--- a/tests/integration/kubernetes/k8s-policy-deployment-sc.bats
+++ b/tests/integration/kubernetes/k8s-policy-deployment-sc.bats
@@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." + [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch." setup_common || die "setup_common failed" deployment_name="policy-redis-deployment" @@ -100,6 +101,7 @@ test_deployment_policy_error() { teardown() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." + [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch." # Pod debugging information. Don't print the "Message:" line because it contains a truncated policy log. info "Pod ${deployment_name}:" diff --git a/tests/integration/kubernetes/k8s-policy-deployment.bats b/tests/integration/kubernetes/k8s-policy-deployment.bats index 9a442731b8..0543ef2ba8 100644 --- a/tests/integration/kubernetes/k8s-policy-deployment.bats +++ b/tests/integration/kubernetes/k8s-policy-deployment.bats @@ -11,6 +11,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." + [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch." setup_common || die "setup_common failed" deployment_name="policy-redis-deployment" @@ -60,6 +61,7 @@ test_deployment_policy_error() { teardown() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." + [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch." # Pod debugging information. Don't print the "Message:" line because it contains a truncated policy log. info "Pod ${deployment_name}:"
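Review bot: The line `[[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch."` is pasted four times (setup and teardown in both files); put it behind one helper in `tests_common.sh`, next to the `is_arm64_host()` added earlier in this series, e.g. `skip_unless_x86_64_test_image() { [[ "$(uname -m)" == "x86_64" ]] || skip "Image used in the tests is not multi-arch."; }`, so the condition and the message change in one place when the image gains arm64 manifests. The skip message would also help a reader if it named which image is single-arch. The teardown copies are presumably there so teardown does not act on resources that setup never created; a one-line comment above them saying so would save the next reader the question. The bodies of `setup()` and `teardown()` continue past the hunks.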