mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-01 22:50:54 +00:00
Merge pull request #13107 from kata-containers/topic/kata-monitor-ship-image-as-part-of-the-release
kata-monitor: ship as a standalone multi-arch image starting with 3.32.0
This commit is contained in:
127
.github/workflows/ci.yaml
vendored
127
.github/workflows/ci.yaml
vendored
@@ -65,12 +65,12 @@ jobs:
|
||||
secrets:
|
||||
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
|
||||
|
||||
publish-kata-deploy-payload-amd64:
|
||||
publish-kata-deploy-image-amd64:
|
||||
needs: build-kata-static-tarball-amd64
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
registry: ghcr.io
|
||||
@@ -83,6 +83,25 @@ jobs:
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-monitor-image-amd64:
|
||||
needs: build-kata-static-tarball-amd64
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
registry: ghcr.io
|
||||
repo: ${{ github.repository_owner }}/kata-monitor-ci
|
||||
tag: ${{ inputs.tag }}-amd64
|
||||
commit-hash: ${{ inputs.commit-hash }}
|
||||
target-branch: ${{ inputs.target-branch }}
|
||||
runner: ubuntu-22.04
|
||||
arch: amd64
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
build-kata-static-tarball-arm64:
|
||||
permissions:
|
||||
contents: read
|
||||
@@ -97,12 +116,12 @@ jobs:
|
||||
secrets:
|
||||
KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
|
||||
|
||||
publish-kata-deploy-payload-arm64:
|
||||
publish-kata-deploy-image-arm64:
|
||||
needs: build-kata-static-tarball-arm64
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
registry: ghcr.io
|
||||
@@ -115,6 +134,25 @@ jobs:
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-monitor-image-arm64:
|
||||
needs: build-kata-static-tarball-arm64
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
registry: ghcr.io
|
||||
repo: ${{ github.repository_owner }}/kata-monitor-ci
|
||||
tag: ${{ inputs.tag }}-arm64
|
||||
commit-hash: ${{ inputs.commit-hash }}
|
||||
target-branch: ${{ inputs.target-branch }}
|
||||
runner: ubuntu-24.04-arm
|
||||
arch: arm64
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
build-kata-static-tarball-s390x:
|
||||
permissions:
|
||||
contents: read
|
||||
@@ -141,12 +179,12 @@ jobs:
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-deploy-payload-s390x:
|
||||
publish-kata-deploy-image-s390x:
|
||||
needs: build-kata-static-tarball-s390x
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
registry: ghcr.io
|
||||
@@ -159,12 +197,31 @@ jobs:
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-deploy-payload-ppc64le:
|
||||
publish-kata-monitor-image-s390x:
|
||||
needs: build-kata-static-tarball-s390x
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
registry: ghcr.io
|
||||
repo: ${{ github.repository_owner }}/kata-monitor-ci
|
||||
tag: ${{ inputs.tag }}-s390x
|
||||
commit-hash: ${{ inputs.commit-hash }}
|
||||
target-branch: ${{ inputs.target-branch }}
|
||||
runner: ubuntu-24.04-s390x
|
||||
arch: s390x
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-deploy-image-ppc64le:
|
||||
needs: build-kata-static-tarball-ppc64le
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
registry: ghcr.io
|
||||
@@ -177,6 +234,25 @@ jobs:
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-monitor-image-ppc64le:
|
||||
needs: build-kata-static-tarball-ppc64le
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
registry: ghcr.io
|
||||
repo: ${{ github.repository_owner }}/kata-monitor-ci
|
||||
tag: ${{ inputs.tag }}-ppc64le
|
||||
commit-hash: ${{ inputs.commit-hash }}
|
||||
target-branch: ${{ inputs.target-branch }}
|
||||
runner: ubuntu-24.04-ppc64le
|
||||
arch: ppc64le
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
build-and-publish-tee-confidential-unencrypted-image:
|
||||
name: build-and-publish-tee-confidential-unencrypted-image
|
||||
permissions:
|
||||
@@ -221,16 +297,31 @@ jobs:
|
||||
|
||||
run-kata-monitor-tests:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: build-kata-static-tarball-amd64
|
||||
needs: [build-kata-static-tarball-amd64, publish-kata-monitor-image-amd64]
|
||||
uses: ./.github/workflows/run-kata-monitor-tests.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
commit-hash: ${{ inputs.commit-hash }}
|
||||
target-branch: ${{ inputs.target-branch }}
|
||||
kata-monitor-image: ghcr.io/${{ github.repository_owner }}/kata-monitor-ci:${{ inputs.tag }}-amd64
|
||||
|
||||
run-kata-monitor-k8s-tests:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: [publish-kata-deploy-image-amd64, publish-kata-monitor-image-amd64]
|
||||
uses: ./.github/workflows/run-kata-monitor-k8s-tests.yaml
|
||||
with:
|
||||
registry: ghcr.io
|
||||
repo: ${{ github.repository_owner }}/kata-deploy-ci
|
||||
tag: ${{ inputs.tag }}-amd64
|
||||
pr-number: ${{ inputs.pr-number }}
|
||||
commit-hash: ${{ inputs.commit-hash }}
|
||||
target-branch: ${{ inputs.target-branch }}
|
||||
kata-monitor-image-reference: ghcr.io/${{ github.repository_owner }}/kata-monitor-ci
|
||||
kata-monitor-image-tag: ${{ inputs.tag }}-amd64
|
||||
|
||||
run-k8s-tests-on-aks:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: publish-kata-deploy-payload-amd64
|
||||
needs: publish-kata-deploy-image-amd64
|
||||
uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
|
||||
|
||||
permissions:
|
||||
@@ -251,7 +342,7 @@ jobs:
|
||||
|
||||
run-k8s-tests-on-free-runner:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: publish-kata-deploy-payload-amd64
|
||||
needs: publish-kata-deploy-image-amd64
|
||||
permissions:
|
||||
contents: read
|
||||
uses: ./.github/workflows/run-k8s-tests-on-free-runner.yaml
|
||||
@@ -266,7 +357,7 @@ jobs:
|
||||
|
||||
run-k8s-tests-on-arm64:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: publish-kata-deploy-payload-arm64
|
||||
needs: publish-kata-deploy-image-arm64
|
||||
uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
|
||||
with:
|
||||
registry: ghcr.io
|
||||
@@ -279,7 +370,7 @@ jobs:
|
||||
run-kata-coco-tests-on-arm64:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs:
|
||||
- publish-kata-deploy-payload-arm64
|
||||
- publish-kata-deploy-image-arm64
|
||||
- build-and-publish-tee-confidential-unencrypted-image
|
||||
uses: ./.github/workflows/run-kata-coco-tests-arm64-k8s.yaml
|
||||
with:
|
||||
@@ -295,7 +386,7 @@ jobs:
|
||||
|
||||
run-k8s-tests-on-nvidia-gpu:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: publish-kata-deploy-payload-amd64
|
||||
needs: publish-kata-deploy-image-amd64
|
||||
uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
|
||||
with:
|
||||
tarball-suffix: -${{ inputs.tag }}
|
||||
@@ -313,7 +404,7 @@ jobs:
|
||||
run-kata-coco-tests:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs:
|
||||
- publish-kata-deploy-payload-amd64
|
||||
- publish-kata-deploy-image-amd64
|
||||
- build-and-publish-tee-confidential-unencrypted-image
|
||||
uses: ./.github/workflows/run-kata-coco-tests.yaml
|
||||
permissions:
|
||||
@@ -337,7 +428,7 @@ jobs:
|
||||
|
||||
run-k8s-tests-on-zvsi:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
|
||||
needs: [publish-kata-deploy-image-s390x, build-and-publish-tee-confidential-unencrypted-image]
|
||||
uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
|
||||
with:
|
||||
registry: ghcr.io
|
||||
@@ -351,7 +442,7 @@ jobs:
|
||||
|
||||
run-k8s-tests-on-ppc64le:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: publish-kata-deploy-payload-ppc64le
|
||||
needs: publish-kata-deploy-image-ppc64le
|
||||
uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
|
||||
with:
|
||||
registry: ghcr.io
|
||||
@@ -363,7 +454,7 @@ jobs:
|
||||
|
||||
run-kata-deploy-tests:
|
||||
if: ${{ inputs.skip-test != 'yes' }}
|
||||
needs: [publish-kata-deploy-payload-amd64]
|
||||
needs: [publish-kata-deploy-image-amd64]
|
||||
uses: ./.github/workflows/run-kata-deploy-tests.yaml
|
||||
with:
|
||||
registry: ghcr.io
|
||||
|
||||
128
.github/workflows/payload-after-push.yaml
vendored
128
.github/workflows/payload-after-push.yaml
vendored
@@ -67,12 +67,12 @@ jobs:
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-deploy-payload-amd64:
|
||||
publish-kata-deploy-image-amd64:
|
||||
needs: build-assets-amd64
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
@@ -81,15 +81,16 @@ jobs:
|
||||
target-branch: ${{ github.ref_name }}
|
||||
runner: ubuntu-22.04
|
||||
arch: amd64
|
||||
image-kind: deploy
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-deploy-payload-arm64:
|
||||
publish-kata-deploy-image-arm64:
|
||||
needs: build-assets-arm64
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
@@ -98,15 +99,16 @@ jobs:
|
||||
target-branch: ${{ github.ref_name }}
|
||||
runner: ubuntu-24.04-arm
|
||||
arch: arm64
|
||||
image-kind: deploy
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-deploy-payload-s390x:
|
||||
publish-kata-deploy-image-s390x:
|
||||
needs: build-assets-s390x
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
@@ -115,15 +117,16 @@ jobs:
|
||||
target-branch: ${{ github.ref_name }}
|
||||
runner: s390x
|
||||
arch: s390x
|
||||
image-kind: deploy
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-deploy-payload-ppc64le:
|
||||
publish-kata-deploy-image-ppc64le:
|
||||
needs: build-assets-ppc64le
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-deploy-payload.yaml
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
@@ -132,6 +135,79 @@ jobs:
|
||||
target-branch: ${{ github.ref_name }}
|
||||
runner: ubuntu-24.04-ppc64le
|
||||
arch: ppc64le
|
||||
image-kind: deploy
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-monitor-image-amd64:
|
||||
needs: build-assets-amd64
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
repo: kata-containers/kata-monitor-ci
|
||||
tag: kata-monitor-latest-amd64
|
||||
target-branch: ${{ github.ref_name }}
|
||||
runner: ubuntu-22.04
|
||||
arch: amd64
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-monitor-image-arm64:
|
||||
needs: build-assets-arm64
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
repo: kata-containers/kata-monitor-ci
|
||||
tag: kata-monitor-latest-arm64
|
||||
target-branch: ${{ github.ref_name }}
|
||||
runner: ubuntu-24.04-arm
|
||||
arch: arm64
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-monitor-image-s390x:
|
||||
needs: build-assets-s390x
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
repo: kata-containers/kata-monitor-ci
|
||||
tag: kata-monitor-latest-s390x
|
||||
target-branch: ${{ github.ref_name }}
|
||||
runner: s390x
|
||||
arch: s390x
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-monitor-image-ppc64le:
|
||||
needs: build-assets-ppc64le
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
repo: kata-containers/kata-monitor-ci
|
||||
tag: kata-monitor-latest-ppc64le
|
||||
target-branch: ${{ github.ref_name }}
|
||||
runner: ubuntu-24.04-ppc64le
|
||||
arch: ppc64le
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
@@ -141,7 +217,7 @@ jobs:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
needs: [publish-kata-deploy-payload-amd64, publish-kata-deploy-payload-arm64, publish-kata-deploy-payload-s390x, publish-kata-deploy-payload-ppc64le]
|
||||
needs: [publish-kata-deploy-image-amd64, publish-kata-deploy-image-arm64, publish-kata-deploy-image-s390x, publish-kata-deploy-image-ppc64le]
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
@@ -162,6 +238,40 @@ jobs:
|
||||
KATA_DEPLOY_IMAGE_TAGS: "kata-containers-latest"
|
||||
KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-deploy-ci"
|
||||
|
||||
publish-kata-monitor-manifest:
|
||||
name: publish-kata-monitor-manifest
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
needs: [publish-kata-monitor-image-amd64, publish-kata-monitor-image-arm64, publish-kata-monitor-image-s390x, publish-kata-monitor-image-ppc64le]
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: Login to Kata Containers ghcr.io
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Login to Kata Containers quay.io
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
|
||||
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
- name: Push multi-arch monitor manifest
|
||||
run: |
|
||||
./tools/packaging/release/release.sh publish-multiarch-manifest
|
||||
env:
|
||||
KATA_DEPLOY_IMAGE_TAGS: "kata-monitor-latest"
|
||||
KATA_DEPLOY_REGISTRIES: "quay.io/kata-containers/kata-monitor-ci ghcr.io/${{ github.repository_owner }}/kata-monitor-ci"
|
||||
|
||||
upload-helm-chart-tarball:
|
||||
name: upload-helm-chart-tarball
|
||||
needs: publish-manifest
|
||||
|
||||
113
.github/workflows/publish-kata-deploy-payload.yaml
vendored
113
.github/workflows/publish-kata-deploy-payload.yaml
vendored
@@ -1,113 +0,0 @@
|
||||
name: CI | Publish kata-deploy payload
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
tarball-suffix:
|
||||
required: false
|
||||
type: string
|
||||
registry:
|
||||
required: true
|
||||
type: string
|
||||
repo:
|
||||
required: true
|
||||
type: string
|
||||
tag:
|
||||
required: true
|
||||
type: string
|
||||
commit-hash:
|
||||
required: false
|
||||
type: string
|
||||
target-branch:
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
runner:
|
||||
default: 'ubuntu-22.04'
|
||||
description: The runner to execute the workflow on. Defaults to 'ubuntu-22.04'.
|
||||
required: false
|
||||
type: string
|
||||
arch:
|
||||
description: The arch of the tarball.
|
||||
required: true
|
||||
type: string
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD:
|
||||
required: true
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.arch }}-publish-deploy
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
kata-payload:
|
||||
name: kata-payload
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
runs-on: ${{ inputs.runner }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
ref: ${{ inputs.commit-hash }}
|
||||
fetch-depth: 0
|
||||
persist-credentials: false
|
||||
|
||||
- name: Remove unnecessary directories to free up space
|
||||
run: |
|
||||
sudo rm -rf /usr/local/.ghcup
|
||||
sudo rm -rf /opt/hostedtoolcache/CodeQL
|
||||
sudo rm -rf /usr/local/lib/android
|
||||
sudo rm -rf /usr/share/dotnet
|
||||
sudo rm -rf /opt/ghc
|
||||
sudo rm -rf /usr/local/share/boost
|
||||
sudo rm -rf /usr/lib/jvm
|
||||
sudo rm -rf /usr/share/swift
|
||||
sudo rm -rf /usr/local/share/powershell
|
||||
sudo rm -rf /usr/local/julia*
|
||||
sudo rm -rf /opt/az
|
||||
sudo rm -rf /usr/local/share/chromium
|
||||
sudo rm -rf /opt/microsoft
|
||||
sudo rm -rf /opt/google
|
||||
sudo rm -rf /usr/lib/firefox
|
||||
|
||||
- name: Rebase atop of the latest target branch
|
||||
run: |
|
||||
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-kata-artifacts for ${{ inputs.arch }}
|
||||
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
||||
with:
|
||||
pattern: kata-artifacts-${{ inputs.arch }}-*${{ inputs.tarball-suffix }}
|
||||
path: tools/packaging/kata-deploy/local-build/build
|
||||
merge-multiple: true
|
||||
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.registry == 'quay.io' }}
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
|
||||
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
- name: Login to Kata Containers ghcr.io
|
||||
if: ${{ inputs.registry == 'ghcr.io' }}
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: build-and-push-kata-payload for ${{ inputs.arch }}
|
||||
id: build-and-push-kata-payload
|
||||
env:
|
||||
REGISTRY: ${{ inputs.registry }}
|
||||
REPO: ${{ inputs.repo }}
|
||||
TAG: ${{ inputs.tag }}
|
||||
run: |
|
||||
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
|
||||
"${REGISTRY}/${REPO}" \
|
||||
"${TAG}"
|
||||
214
.github/workflows/publish-kata-images.yaml
vendored
Normal file
214
.github/workflows/publish-kata-images.yaml
vendored
Normal file
@@ -0,0 +1,214 @@
|
||||
name: CI | publish-kata-images
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
tarball-suffix:
|
||||
required: false
|
||||
type: string
|
||||
registry:
|
||||
required: true
|
||||
type: string
|
||||
repo:
|
||||
required: true
|
||||
type: string
|
||||
tag:
|
||||
required: true
|
||||
type: string
|
||||
tags:
|
||||
description: Space-separated list of tags; overrides `tag` when set.
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
tag-suffix:
|
||||
description: Optional suffix appended to each tag (for example, -amd64).
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
commit-hash:
|
||||
required: false
|
||||
type: string
|
||||
target-branch:
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
runner:
|
||||
default: 'ubuntu-22.04'
|
||||
description: The runner to execute the workflow on. Defaults to 'ubuntu-22.04'.
|
||||
required: false
|
||||
type: string
|
||||
arch:
|
||||
description: The arch of the tarball.
|
||||
required: true
|
||||
type: string
|
||||
image-kind:
|
||||
description: Image kind to publish (`deploy` or `monitor`).
|
||||
required: false
|
||||
type: string
|
||||
default: deploy
|
||||
image-kinds-json:
|
||||
description: JSON list of image kinds, e.g. ["deploy","monitor"].
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
artifact-name:
|
||||
description: Optional artifact name to download instead of a pattern.
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
push:
|
||||
description: Whether to push image(s) to registry.
|
||||
required: false
|
||||
type: string
|
||||
default: "true"
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD:
|
||||
required: true
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.arch }}-${{ inputs.repo }}-${{ inputs.tag }}-${{ inputs.image-kind }}-publish-image
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
publish:
|
||||
name: kata-image
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
runs-on: ${{ inputs.runner }}
|
||||
strategy:
|
||||
matrix:
|
||||
image-kind: ${{ fromJson(inputs.image-kinds-json != '' && inputs.image-kinds-json || format('["{0}"]', inputs.image-kind)) }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
ref: ${{ inputs.commit-hash }}
|
||||
fetch-depth: 0
|
||||
persist-credentials: false
|
||||
|
||||
- name: Remove unnecessary directories to free up space
|
||||
run: |
|
||||
sudo rm -rf /usr/local/.ghcup
|
||||
sudo rm -rf /opt/hostedtoolcache/CodeQL
|
||||
sudo rm -rf /usr/local/lib/android
|
||||
sudo rm -rf /usr/share/dotnet
|
||||
sudo rm -rf /opt/ghc
|
||||
sudo rm -rf /usr/local/share/boost
|
||||
sudo rm -rf /usr/lib/jvm
|
||||
sudo rm -rf /usr/share/swift
|
||||
sudo rm -rf /usr/local/share/powershell
|
||||
sudo rm -rf /usr/local/julia*
|
||||
sudo rm -rf /opt/az
|
||||
sudo rm -rf /usr/local/share/chromium
|
||||
sudo rm -rf /opt/microsoft
|
||||
sudo rm -rf /opt/google
|
||||
sudo rm -rf /usr/lib/firefox
|
||||
|
||||
- name: Rebase atop of the latest target branch
|
||||
run: |
|
||||
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: get-kata-artifacts for ${{ inputs.arch }}
|
||||
if: ${{ inputs.artifact-name == '' && matrix.image-kind == 'deploy' }}
|
||||
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
||||
with:
|
||||
pattern: kata-artifacts-${{ inputs.arch }}-*${{ inputs.tarball-suffix }}
|
||||
path: tools/packaging/kata-deploy/local-build/build
|
||||
merge-multiple: true
|
||||
|
||||
- name: get-kata-static-tarball for ${{ inputs.arch }}
|
||||
if: ${{ inputs.artifact-name == '' && matrix.image-kind == 'monitor' }}
|
||||
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
||||
with:
|
||||
name: kata-static-tarball-${{ inputs.arch }}${{ inputs.tarball-suffix }}
|
||||
path: tools/packaging/kata-deploy/local-build/build
|
||||
|
||||
- name: get-kata-artifact by name for ${{ inputs.arch }}
|
||||
if: ${{ inputs.artifact-name != '' }}
|
||||
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
||||
with:
|
||||
name: ${{ inputs.artifact-name }}
|
||||
path: tools/packaging/kata-deploy/local-build/build
|
||||
|
||||
- name: Set up Docker Buildx
|
||||
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
||||
|
||||
- name: Login to Kata Containers quay.io
|
||||
if: ${{ inputs.registry == 'quay.io' && inputs.push == 'true' }}
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
|
||||
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
- name: Login to Kata Containers ghcr.io
|
||||
if: ${{ (inputs.registry == 'ghcr.io' || inputs.registry == 'quay.io') && inputs.push == 'true' }}
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: build-and-push image for ${{ inputs.arch }}
|
||||
id: build-and-push-kata-payload
|
||||
env:
|
||||
REGISTRY: ${{ inputs.registry }}
|
||||
REPO: ${{ inputs.repo }}
|
||||
TAG: ${{ inputs.tag }}
|
||||
TAGS: ${{ inputs.tags }}
|
||||
TAG_SUFFIX: ${{ inputs.tag-suffix }}
|
||||
IMAGE_KIND: ${{ matrix.image-kind }}
|
||||
PUSH_IMAGE: ${{ inputs.push }}
|
||||
run: |
|
||||
if [ "${TAGS}" != "" ]; then
|
||||
tags="${TAGS}"
|
||||
else
|
||||
tags="${TAG}"
|
||||
fi
|
||||
|
||||
case "${IMAGE_KIND}" in
|
||||
deploy)
|
||||
for t in ${tags}; do
|
||||
final_tag="${t}${TAG_SUFFIX}"
|
||||
./tools/packaging/kata-deploy/local-build/kata-deploy-build-and-upload-payload.sh \
|
||||
"${REGISTRY}/${REPO}" \
|
||||
"${final_tag}"
|
||||
done
|
||||
;;
|
||||
monitor)
|
||||
registries="${REGISTRY}"
|
||||
if [ "${REGISTRY}" = "quay.io" ]; then
|
||||
registries="quay.io ghcr.io"
|
||||
fi
|
||||
|
||||
build_dir="tools/packaging/kata-deploy/local-build/build"
|
||||
monitor_tarball="${build_dir}/kata-static.tar.zst"
|
||||
|
||||
if [ ! -f "${monitor_tarball}" ] && [ -f "${build_dir}/kata-static-shim-v2-go.tar.zst" ]; then
|
||||
# Backward compatibility with older artifacts.
|
||||
monitor_tarball="${build_dir}/kata-static-shim-v2-go.tar.zst"
|
||||
fi
|
||||
|
||||
if [ ! -f "${monitor_tarball}" ]; then
|
||||
echo "Neither kata-static.tar.zst nor kata-static-shim-v2-go.tar.zst found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for r in ${registries}; do
|
||||
for t in ${tags}; do
|
||||
final_tag="${t}${TAG_SUFFIX}"
|
||||
./tools/packaging/kata-monitor/build-and-upload-from-tarball.sh \
|
||||
"${r}/${REPO}:${final_tag}" \
|
||||
"${monitor_tarball}" \
|
||||
"${PUSH_IMAGE}"
|
||||
done
|
||||
done
|
||||
;;
|
||||
*)
|
||||
echo "Invalid image-kind: ${IMAGE_KIND}" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
111
.github/workflows/release-kata-images.yaml
vendored
Normal file
111
.github/workflows/release-kata-images.yaml
vendored
Normal file
@@ -0,0 +1,111 @@
|
||||
name: release-kata-images
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
registries:
|
||||
description: "Space-separated list of registries to push to."
|
||||
required: false
|
||||
type: string
|
||||
default: "quay.io/kata-containers/kata-monitor ghcr.io/kata-containers/kata-monitor"
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD:
|
||||
required: true
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}-kata-monitor-release
|
||||
cancel-in-progress: false
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
resolve-tags:
|
||||
name: Resolve image tags
|
||||
runs-on: ubuntu-22.04
|
||||
outputs:
|
||||
tags: ${{ steps.tags.outputs.tags }}
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: Resolve tags
|
||||
id: tags
|
||||
run: |
|
||||
tag=$(echo "${GITHUB_REF}" | cut -d/ -f3-)
|
||||
if [ "${tag}" = "main" ]; then
|
||||
tag=$(./tools/packaging/release/release.sh release-version)
|
||||
echo "tags=${tag} latest" >> "$GITHUB_OUTPUT"
|
||||
else
|
||||
echo "tags=${tag}" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
publish-monitor:
|
||||
needs: resolve-tags
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
strategy:
|
||||
matrix:
|
||||
include:
|
||||
- arch: amd64
|
||||
tag_suffix: -amd64
|
||||
runner: ubuntu-22.04
|
||||
- arch: arm64
|
||||
tag_suffix: -arm64
|
||||
runner: ubuntu-24.04-arm
|
||||
- arch: s390x
|
||||
tag_suffix: -s390x
|
||||
runner: ubuntu-24.04-s390x
|
||||
- arch: ppc64le
|
||||
tag_suffix: -ppc64le
|
||||
runner: ubuntu-24.04-ppc64le
|
||||
uses: ./.github/workflows/publish-kata-images.yaml
|
||||
with:
|
||||
commit-hash: ${{ github.sha }}
|
||||
registry: quay.io
|
||||
repo: kata-containers/kata-monitor
|
||||
tag: latest
|
||||
tags: ${{ needs.resolve-tags.outputs.tags }}
|
||||
tag-suffix: ${{ matrix.tag_suffix }}
|
||||
runner: ${{ matrix.runner }}
|
||||
arch: ${{ matrix.arch }}
|
||||
image-kind: monitor
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-multi-arch-manifest:
|
||||
name: Publish multi-arch manifest
|
||||
needs: [resolve-tags, publish-monitor]
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
persist-credentials: false
|
||||
|
||||
- name: Login to Kata Containers ghcr.io
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Login to Kata Containers quay.io
|
||||
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
|
||||
with:
|
||||
registry: quay.io
|
||||
username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
|
||||
password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
- name: Publish multi-arch manifest
|
||||
env:
|
||||
TAGS: ${{ needs.resolve-tags.outputs.tags }}
|
||||
REGISTRIES: ${{ inputs.registries }}
|
||||
run: |
|
||||
KATA_DEPLOY_IMAGE_TAGS="${TAGS}" \
|
||||
KATA_DEPLOY_REGISTRIES="${REGISTRIES}" \
|
||||
./tools/packaging/release/release.sh publish-multiarch-manifest
|
||||
12
.github/workflows/release.yaml
vendored
12
.github/workflows/release.yaml
vendored
@@ -81,6 +81,16 @@ jobs:
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-kata-monitor-image:
|
||||
name: publish-kata-monitor-image
|
||||
needs: [build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le]
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
uses: ./.github/workflows/release-kata-images.yaml
|
||||
secrets:
|
||||
QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
|
||||
|
||||
publish-multi-arch-images:
|
||||
name: publish-multi-arch-images
|
||||
runs-on: ubuntu-22.04
|
||||
@@ -295,7 +305,7 @@ jobs:
|
||||
|
||||
publish-release:
|
||||
name: publish-release
|
||||
needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ]
|
||||
needs: [ build-and-push-assets-amd64, build-and-push-assets-arm64, build-and-push-assets-s390x, build-and-push-assets-ppc64le, publish-multi-arch-images, publish-kata-monitor-image, upload-multi-arch-static-tarball, upload-versions-yaml, upload-cargo-vendored-tarball, upload-libseccomp-tarball ]
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: write # needed for the `gh release` commands
|
||||
|
||||
110
.github/workflows/run-kata-monitor-k8s-tests.yaml
vendored
Normal file
110
.github/workflows/run-kata-monitor-k8s-tests.yaml
vendored
Normal file
@@ -0,0 +1,110 @@
|
||||
name: CI | Run kata-monitor k8s tests
|
||||
on:
|
||||
workflow_call:
|
||||
inputs:
|
||||
registry:
|
||||
description: Registry of the kata-deploy image under test.
|
||||
required: true
|
||||
type: string
|
||||
repo:
|
||||
description: Repository of the kata-deploy image under test.
|
||||
required: true
|
||||
type: string
|
||||
tag:
|
||||
description: Tag of the kata-deploy image under test.
|
||||
required: true
|
||||
type: string
|
||||
pr-number:
|
||||
required: true
|
||||
type: string
|
||||
commit-hash:
|
||||
required: false
|
||||
type: string
|
||||
target-branch:
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
kata-monitor-image-reference:
|
||||
description: Registry/repo of the kata-monitor image to exercise.
|
||||
required: true
|
||||
type: string
|
||||
kata-monitor-image-tag:
|
||||
description: Tag of the kata-monitor image to exercise.
|
||||
required: true
|
||||
type: string
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kata-monitor-k8s
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions: {}
|
||||
|
||||
jobs:
|
||||
run-kata-monitor-k8s-tests:
|
||||
name: run-kata-monitor-k8s-tests
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
vmm:
|
||||
- qemu
|
||||
k8s:
|
||||
- vanilla
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-run-kata-monitor-k8s-tests-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
|
||||
cancel-in-progress: true
|
||||
runs-on: ubuntu-24.04
|
||||
env:
|
||||
DOCKER_REGISTRY: ${{ inputs.registry }}
|
||||
DOCKER_REPO: ${{ inputs.repo }}
|
||||
DOCKER_TAG: ${{ inputs.tag }}
|
||||
GH_PR_NUMBER: ${{ inputs.pr-number }}
|
||||
KATA_HYPERVISOR: ${{ matrix.vmm }}
|
||||
KUBERNETES: ${{ matrix.k8s }}
|
||||
CONTAINER_ENGINE: containerd
|
||||
CONTAINER_ENGINE_VERSION: active
|
||||
KATA_MONITOR_IMAGE_REFERENCE: ${{ inputs.kata-monitor-image-reference }}
|
||||
KATA_MONITOR_IMAGE_TAG: ${{ inputs.kata-monitor-image-tag }}
|
||||
GH_TOKEN: ${{ github.token }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
ref: ${{ inputs.commit-hash }}
|
||||
fetch-depth: 0
|
||||
persist-credentials: false
|
||||
|
||||
- name: Rebase atop of the latest target branch
|
||||
run: |
|
||||
./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
|
||||
env:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: Remove unnecessary directories to free up space
|
||||
run: |
|
||||
sudo rm -rf /usr/local/.ghcup
|
||||
sudo rm -rf /opt/hostedtoolcache/CodeQL
|
||||
sudo rm -rf /usr/local/lib/android
|
||||
sudo rm -rf /usr/share/dotnet
|
||||
sudo rm -rf /opt/ghc
|
||||
sudo rm -rf /usr/local/share/boost
|
||||
sudo rm -rf /usr/lib/jvm
|
||||
sudo rm -rf /usr/share/swift
|
||||
sudo rm -rf /usr/local/share/powershell
|
||||
sudo rm -rf /usr/local/julia*
|
||||
sudo rm -rf /opt/az
|
||||
sudo rm -rf /usr/local/share/chromium
|
||||
sudo rm -rf /opt/microsoft
|
||||
sudo rm -rf /opt/google
|
||||
sudo rm -rf /usr/lib/firefox
|
||||
|
||||
- name: Deploy ${{ matrix.k8s }}
|
||||
run: bash tests/functional/kata-deploy/gha-run.sh deploy-k8s
|
||||
|
||||
- name: Install `bats`
|
||||
run: bash tests/functional/kata-deploy/gha-run.sh install-bats
|
||||
|
||||
- name: Run tests
|
||||
run: bash tests/functional/kata-monitor/gha-run.sh run-helm-tests
|
||||
|
||||
- name: Report tests
|
||||
if: always()
|
||||
run: bash tests/functional/kata-monitor/gha-run.sh report-helm-tests
|
||||
26
.github/workflows/run-kata-monitor-tests.yaml
vendored
26
.github/workflows/run-kata-monitor-tests.yaml
vendored
@@ -12,6 +12,14 @@ on:
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
kata-monitor-image:
|
||||
description: >-
|
||||
Container image reference for kata-monitor to be exercised by
|
||||
the tests. When unset the tests fall back to running the
|
||||
kata-monitor binary installed from the kata-static tarball.
|
||||
required: false
|
||||
type: string
|
||||
default: ""
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-kata-monitor
|
||||
@@ -28,24 +36,18 @@ jobs:
|
||||
vmm:
|
||||
- qemu
|
||||
container_engine:
|
||||
- crio
|
||||
- containerd
|
||||
# TODO: enable when https://github.com/kata-containers/kata-containers/issues/9853 is fixed
|
||||
#include:
|
||||
# - container_engine: containerd
|
||||
# containerd_version: latest
|
||||
exclude:
|
||||
# TODO: enable with containerd when https://github.com/kata-containers/kata-containers/issues/9761 is fixed
|
||||
- container_engine: containerd
|
||||
vmm: qemu
|
||||
containerd_version:
|
||||
- active
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-${{ toJSON(matrix) }}
|
||||
cancel-in-progress: true
|
||||
runs-on: ubuntu-22.04
|
||||
env:
|
||||
CONTAINER_ENGINE: ${{ matrix.container_engine }}
|
||||
#CONTAINERD_VERSION: ${{ matrix.containerd_version }}
|
||||
CONTAINERD_VERSION: ${{ matrix.containerd_version }}
|
||||
KATA_HYPERVISOR: ${{ matrix.vmm }}
|
||||
KATA_MONITOR_IMAGE: ${{ inputs.kata-monitor-image }}
|
||||
steps:
|
||||
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
@@ -73,5 +75,9 @@ jobs:
|
||||
- name: Install kata
|
||||
run: bash tests/functional/kata-monitor/gha-run.sh install-kata kata-artifacts
|
||||
|
||||
- name: Pre-pull kata-monitor image
|
||||
if: ${{ inputs.kata-monitor-image != '' }}
|
||||
run: sudo docker pull "${KATA_MONITOR_IMAGE}"
|
||||
|
||||
- name: Run kata-monitor tests
|
||||
run: bash tests/functional/kata-monitor/gha-run.sh run
|
||||
|
||||
@@ -46,6 +46,13 @@ For a quick evaluation, you can check out [this how to](../how-to/how-to-set-pro
|
||||
|
||||
### Kata monitor
|
||||
|
||||
Starting with Kata Containers 3.32.0, the `kata-monitor` binary is also published as a standalone, multi-arch container image alongside every release:
|
||||
|
||||
- Released image: `quay.io/kata-containers/kata-monitor:<release-version>` (mirrored to `ghcr.io/kata-containers/kata-monitor`). The `latest` tag always points at the most recent release.
|
||||
- Testing image (tracking `main`): `quay.io/kata-containers/kata-monitor-ci:latest` (mirrored to `ghcr.io/kata-containers/kata-monitor-ci`).
|
||||
|
||||
See the [how-to on running `kata-monitor` in a Kubernetes cluster](../how-to/how-to-set-prometheus-in-k8s.md) for a complete deployment example.
|
||||
|
||||
The `kata-monitor` management agent should be started on each node where the Kata containers runtime is installed. `kata-monitor` will:
|
||||
|
||||
> **Note**: a *node* running Kata containers will be either a single host system or a worker node belonging to a K8s cluster capable of running Kata pods.
|
||||
|
||||
@@ -23,12 +23,19 @@ spec:
|
||||
annotations:
|
||||
prometheus.io/scrape: "true"
|
||||
spec:
|
||||
hostNetwork: true
|
||||
containers:
|
||||
- name: kata-monitor
|
||||
image: quay.io/kata-containers/kata-monitor:2.0.0
|
||||
# The `kata-monitor` image is published as part of every Kata
|
||||
# Containers release starting with 3.32.0. Pinning to a specific
|
||||
# release tag (e.g. `3.32.0`) is strongly recommended for
|
||||
# production deployments. Use
|
||||
# `quay.io/kata-containers/kata-monitor-ci:latest` to track the
|
||||
# tip of `main`.
|
||||
image: quay.io/kata-containers/kata-monitor:latest
|
||||
args:
|
||||
- -listen-address=0.0.0.0:8090
|
||||
- -log-level=debug
|
||||
- -runtime-endpoint=unix:///run/containerd/containerd.sock
|
||||
ports:
|
||||
- containerPort: 8090
|
||||
resources:
|
||||
@@ -39,23 +46,19 @@ spec:
|
||||
cpu: 200m
|
||||
memory: 300Mi
|
||||
volumeMounts:
|
||||
- name: containerdtask
|
||||
mountPath: /run/containerd/io.containerd.runtime.v2.task/
|
||||
readOnly: true
|
||||
- name: containerdsocket
|
||||
mountPath: /run/containerd/containerd.sock
|
||||
- name: containerd-sock
|
||||
mountPath: /run/containerd
|
||||
readOnly: true
|
||||
- name: sbs
|
||||
mountPath: /run/vc/sbs/
|
||||
readOnly: true
|
||||
terminationGracePeriodSeconds: 30
|
||||
volumes:
|
||||
- name: containerdtask
|
||||
- name: containerd-sock
|
||||
hostPath:
|
||||
path: /run/containerd/io.containerd.runtime.v2.task/
|
||||
- name: containerdsocket
|
||||
hostPath:
|
||||
path: /run/containerd/containerd.sock
|
||||
path: /run/containerd
|
||||
type: Directory
|
||||
- name: sbs
|
||||
hostPath:
|
||||
path: /run/vc/sbs/
|
||||
type: DirectoryOrCreate
|
||||
|
||||
@@ -49,6 +49,14 @@ go_gc_duration_seconds{quantile="0.75"} 0.000229911
|
||||
|
||||
## Configure `kata-monitor`
|
||||
|
||||
`kata-monitor` is published as a standalone, multi-arch container image as
|
||||
part of every Kata Containers release. Two flavours are available:
|
||||
|
||||
| Image | Purpose |
|
||||
|---|---|
|
||||
| `quay.io/kata-containers/kata-monitor:<release-version>` (also mirrored to `ghcr.io/kata-containers/kata-monitor`) | Released image, built and pushed by the Kata Containers release workflow. A `latest` tag tracks the most recent release. |
|
||||
| `quay.io/kata-containers/kata-monitor-ci:latest` (also mirrored to `ghcr.io/kata-containers/kata-monitor-ci`) | Testing image, rebuilt and pushed from every commit landing on `main`. Use this only for evaluation against unreleased changes. |
|
||||
|
||||
`kata-monitor` can be started on the cluster as follows:
|
||||
|
||||
```
|
||||
@@ -57,6 +65,12 @@ $ kubectl apply -f https://raw.githubusercontent.com/kata-containers/kata-contai
|
||||
|
||||
This will create a new namespace `kata-system` and a `daemonset` in it.
|
||||
|
||||
> **Note**: The bundled `daemonset` uses `quay.io/kata-containers/kata-monitor:latest`.
|
||||
> For production deployments, pin the image to a specific release tag
|
||||
> (e.g. `quay.io/kata-containers/kata-monitor:3.32.0`) matching the Kata
|
||||
> Containers version installed on your nodes. The dedicated
|
||||
> `kata-monitor` image is published starting with Kata Containers 3.32.0.
|
||||
|
||||
Once the `daemonset` is running, Prometheus should discover `kata-monitor` as a target. You can open `http://<hostIP>:30909/service-discovery` and find `kubernetes-pods` under the `Service Discovery` list
|
||||
|
||||
|
||||
|
||||
@@ -1089,6 +1089,19 @@ function install_cri_containerd() {
|
||||
| sudo tee /etc/containerd/config.toml > /dev/null
|
||||
ensure_containerd_conf_d_rootful_api_sockets
|
||||
|
||||
# Drop a default /etc/crictl.yaml pointing at the freshly-installed
|
||||
# containerd socket so crictl does not probe — and warn loudly about
|
||||
# — the legacy default endpoints (dockershim, CRI-O, cri-dockerd) on
|
||||
# every invocation. cri-tools v1.30+ deprecated the implicit default
|
||||
# endpoint discovery, which means every crictl call without this
|
||||
# config emits noisy validation errors for sockets that do not exist
|
||||
# on the runner.
|
||||
sudo tee /etc/crictl.yaml > /dev/null <<-EOF
|
||||
runtime-endpoint: unix:///run/containerd/containerd.sock
|
||||
image-endpoint: unix:///run/containerd/containerd.sock
|
||||
timeout: 10
|
||||
EOF
|
||||
|
||||
# Always write the service file pointing at the just-installed binary and
|
||||
# reload systemd so the correct binary is used on the next start.
|
||||
# The runner image may have a pre-installed containerd unit pointing at a
|
||||
@@ -1129,12 +1142,26 @@ EOF
|
||||
sudo systemctl daemon-reload
|
||||
}
|
||||
|
||||
# base_version: The version to be intalled in the ${major}.${minor} format
|
||||
# Installs cri-tools (crictl). When a base_version (${major}.${minor}) is
|
||||
# supplied the matching latest patch release is used; otherwise — and this is
|
||||
# the default in CI — the absolute latest stable release published on GitHub
|
||||
# is fetched. cri-tools is intentionally not pinned in versions.yaml so we
|
||||
# always exercise a crictl that speaks current CRI protocol revisions.
|
||||
function install_cri_tools() {
|
||||
base_version="${1}"
|
||||
base_version="${1:-}"
|
||||
|
||||
project="kubernetes-sigs/cri-tools"
|
||||
version=$(get_latest_patch_release_from_a_github_project "${project}" "${base_version}")
|
||||
if [[ -n "${base_version}" ]]; then
|
||||
version=$(get_latest_patch_release_from_a_github_project "${project}" "${base_version}")
|
||||
else
|
||||
version=$(curl \
|
||||
${GH_TOKEN:+--header "Authorization: Bearer ${GH_TOKEN}"} \
|
||||
--fail-with-body \
|
||||
--show-error \
|
||||
--silent \
|
||||
"https://api.github.com/repos/${project}/releases/latest" \
|
||||
| jq -r .tag_name)
|
||||
fi
|
||||
|
||||
tarball_name="crictl-${version}-linux-$("${repo_root_dir}"/tests/kata-arch.sh -g).tar.gz"
|
||||
|
||||
|
||||
@@ -33,35 +33,26 @@ function install_dependencies() {
|
||||
|
||||
ensure_yq
|
||||
|
||||
# Dependency list of projects that we can install them
|
||||
# Dependency list of projects that we can install
|
||||
# directly from their releases on GitHub:
|
||||
# - cri-tools
|
||||
# - containerd
|
||||
# - cri-container-cni release tarball already includes CNI plugins
|
||||
cri_tools_version=$(get_from_kata_deps ".externals.critools.latest")
|
||||
# - runc
|
||||
# - cni-plugins
|
||||
declare -a github_deps
|
||||
github_deps[0]="cri_tools:${cri_tools_version}"
|
||||
# shellcheck disable=SC2154
|
||||
case "${CONTAINER_ENGINE}" in
|
||||
containerd)
|
||||
# shellcheck disable=SC2154
|
||||
github_deps[1]="cri_containerd:$(get_from_kata_deps ".externals.containerd.${CONTAINERD_VERSION}")"
|
||||
github_deps[2]="runc:$(get_from_kata_deps ".externals.runc.latest")"
|
||||
github_deps[3]="cni_plugins:$(get_from_kata_deps ".externals.cni-plugins.version")"
|
||||
;;
|
||||
crio)
|
||||
github_deps[1]="cni_plugins:$(get_from_kata_deps ".externals.cni-plugins.version")"
|
||||
;;
|
||||
esac
|
||||
github_deps[0]="cri_containerd:$(get_from_kata_deps ".externals.containerd.${CONTAINERD_VERSION}")"
|
||||
github_deps[1]="runc:$(get_from_kata_deps ".externals.runc.latest")"
|
||||
github_deps[2]="cni_plugins:$(get_from_kata_deps ".externals.cni-plugins.version")"
|
||||
|
||||
for github_dep in "${github_deps[@]}"; do
|
||||
IFS=":" read -r -a dep <<< "${github_dep}"
|
||||
"install_${dep[0]}" "${dep[1]}"
|
||||
done
|
||||
|
||||
if [[ "${CONTAINER_ENGINE}" = "crio" ]]; then
|
||||
install_crio "${cri_tools_version#v}"
|
||||
fi
|
||||
# cri-tools is resolved at install time to the absolute latest
|
||||
# release, so it is not pinned via versions.yaml.
|
||||
install_cri_tools
|
||||
}
|
||||
|
||||
function run() {
|
||||
@@ -69,7 +60,20 @@ function run() {
|
||||
info "Running cri-containerd tests using ${KATA_HYPERVISOR} hypervisor"
|
||||
|
||||
enabling_hypervisor
|
||||
bash -c "${kata_monitor_dir}/kata-monitor-tests.sh"
|
||||
bash "${kata_monitor_dir}/kata-monitor-tests.sh"
|
||||
}
|
||||
|
||||
function run_helm_tests() {
|
||||
# shellcheck disable=SC2154
|
||||
info "Running kata-monitor helm-chart tests"
|
||||
|
||||
pushd "${kata_monitor_dir}"
|
||||
bash run-kata-monitor-helm-tests.sh
|
||||
popd
|
||||
}
|
||||
|
||||
function report_helm_tests() {
|
||||
report_bats_tests "${kata_monitor_dir}"
|
||||
}
|
||||
|
||||
function main() {
|
||||
@@ -78,6 +82,8 @@ function main() {
|
||||
install-dependencies) install_dependencies ;;
|
||||
install-kata) install_kata ;;
|
||||
run) run ;;
|
||||
run-helm-tests) run_helm_tests ;;
|
||||
report-helm-tests) report_helm_tests ;;
|
||||
*) >&2 die "Invalid argument" ;;
|
||||
esac
|
||||
}
|
||||
|
||||
@@ -27,7 +27,13 @@ readonly MONITOR_MIN_METRICS_NUM=200
|
||||
readonly TIMEOUT="20s"
|
||||
CONTAINER_ENGINE=${CONTAINER_ENGINE:-"containerd"}
|
||||
CRICTL_RUNTIME=${CRICTL_RUNTIME:-"kata"}
|
||||
# When KATA_MONITOR_IMAGE is set, kata-monitor runs inside that container
|
||||
# image instead of as an on-disk binary. This is what CI does — it
|
||||
# validates the actual image we ship. Manual runs without the env var
|
||||
# keep the previous behaviour of executing ${KATA_MONITOR_BIN}.
|
||||
KATA_MONITOR_IMAGE="${KATA_MONITOR_IMAGE:-}"
|
||||
KATA_MONITOR_BIN="${KATA_MONITOR_BIN:-$(command -v kata-monitor || true)}"
|
||||
readonly KATA_MONITOR_CONTAINER_NAME="kata-monitor-test"
|
||||
KATA_MONITOR_PID=""
|
||||
TMPATH=$(mktemp -d -t kata-monitor-test-XXXXXXXXX)
|
||||
METRICS_FILE="${TMPATH}/metrics.txt"
|
||||
@@ -83,11 +89,59 @@ cleanup() {
|
||||
stop_workload
|
||||
stop_workload "${RUNC_CID}" "${RUNC_POD_ID}"
|
||||
|
||||
stop_kata_monitor
|
||||
|
||||
rm -rf "${TMPATH}"
|
||||
}
|
||||
|
||||
start_kata_monitor() {
|
||||
local args="$1"
|
||||
|
||||
if [[ -n "${KATA_MONITOR_IMAGE}" ]]; then
|
||||
# `--network host` keeps the default 127.0.0.1:8090 bind
|
||||
# reachable from the host-side test code without having to
|
||||
# publish a port. Mount /run/containerd so the monitor can
|
||||
# reach containerd's CRI socket, plus the kata sandbox base
|
||||
# path for the per-sandbox shim-monitor sockets.
|
||||
|
||||
# Ensure /run/vc/sbs/ exists on the host so the readonly mount
|
||||
# does not fail before the first kata sandbox is created.
|
||||
sudo mkdir -p /run/vc/sbs
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
sudo docker run --rm -d \
|
||||
--name "${KATA_MONITOR_CONTAINER_NAME}" \
|
||||
--network host \
|
||||
-v /run/containerd:/run/containerd:ro \
|
||||
-v /run/vc/sbs:/run/vc/sbs:ro \
|
||||
"${KATA_MONITOR_IMAGE}" \
|
||||
${args} --log-level trace > /dev/null
|
||||
# Stream container logs into the same file the binary path
|
||||
# writes to, so error_with_msg's dump works identically in
|
||||
# both modes. The redirect target lives under our own
|
||||
# ${TMPATH}, so SC2024 (sudo doesn't affect redirects) is a
|
||||
# false positive here.
|
||||
# shellcheck disable=SC2024
|
||||
sudo docker logs -f "${KATA_MONITOR_CONTAINER_NAME}" \
|
||||
> "${MONITOR_LOG_FILE}" 2>&1 &
|
||||
return
|
||||
fi
|
||||
|
||||
[[ ! -x "${KATA_MONITOR_BIN}" ]] && error_with_msg "kata-monitor binary not found"
|
||||
# shellcheck disable=SC2024,SC2086
|
||||
sudo "${KATA_MONITOR_BIN}" ${args} --log-level trace > "${MONITOR_LOG_FILE}" 2>&1 &
|
||||
KATA_MONITOR_PID="$!"
|
||||
}
|
||||
|
||||
stop_kata_monitor() {
|
||||
if [[ -n "${KATA_MONITOR_IMAGE}" ]]; then
|
||||
sudo docker stop "${KATA_MONITOR_CONTAINER_NAME}" > /dev/null 2>&1 || true
|
||||
return
|
||||
fi
|
||||
|
||||
[[ -n "${KATA_MONITOR_PID}" ]] \
|
||||
&& [[ -d "/proc/${KATA_MONITOR_PID}" ]] \
|
||||
&& kill -9 "${KATA_MONITOR_PID}"
|
||||
|
||||
rm -rf "${TMPATH}"
|
||||
}
|
||||
|
||||
create_sandbox_json() {
|
||||
@@ -243,15 +297,13 @@ main() {
|
||||
###########################
|
||||
title "start kata-monitor"
|
||||
|
||||
[[ ! -x "${KATA_MONITOR_BIN}" ]] && error_with_msg "kata-monitor binary not found"
|
||||
|
||||
[[ "${CONTAINER_ENGINE}" = "crio" ]] && args="--runtime-endpoint /run/crio/crio.sock"
|
||||
|
||||
CURRENT_TASK="start kata-monitor"
|
||||
# shellcheck disable=SC2024,SC2086
|
||||
sudo "${KATA_MONITOR_BIN}" ${args} --log-level trace > "${MONITOR_LOG_FILE}" 2>&1 &
|
||||
KATA_MONITOR_PID="$!"
|
||||
echo_ok "${CURRENT_TASK} (${KATA_MONITOR_PID})"
|
||||
start_kata_monitor "${args}"
|
||||
if [[ -n "${KATA_MONITOR_IMAGE}" ]]; then
|
||||
echo_ok "${CURRENT_TASK} (image ${KATA_MONITOR_IMAGE})"
|
||||
else
|
||||
echo_ok "${CURRENT_TASK} (pid ${KATA_MONITOR_PID})"
|
||||
fi
|
||||
|
||||
###########################
|
||||
title "kata-monitor cache update checks"
|
||||
|
||||
233
tests/functional/kata-monitor/kata-monitor.bats
Normal file
233
tests/functional/kata-monitor/kata-monitor.bats
Normal file
@@ -0,0 +1,233 @@
|
||||
#!/usr/bin/env bats
|
||||
#
|
||||
# Copyright (c) 2026 NVIDIA Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
# kata-monitor helm chart functional test.
|
||||
#
|
||||
# Validates that the optional kata-monitor DaemonSet shipped by the
|
||||
# kata-deploy helm chart actually rolls out, exercises the per-PR
|
||||
# kata-monitor image, and exposes per-sandbox Prometheus metrics for a
|
||||
# live kata pod.
|
||||
#
|
||||
# Required environment variables (mirroring kata-deploy.bats):
|
||||
# DOCKER_REGISTRY - Registry for kata-deploy image
|
||||
# DOCKER_REPO - Repository name for kata-deploy image
|
||||
# DOCKER_TAG - kata-deploy image tag to test
|
||||
# KATA_HYPERVISOR - Hypervisor to test (qemu, ...)
|
||||
# KUBERNETES - K8s distribution (k3s, k0s, ...)
|
||||
# KATA_MONITOR_IMAGE_REFERENCE - Registry/repo for the kata-monitor image
|
||||
# KATA_MONITOR_IMAGE_TAG - kata-monitor image tag to test
|
||||
#
|
||||
|
||||
load "${BATS_TEST_DIRNAME}/../../common.bash"
|
||||
repo_root_dir="${BATS_TEST_DIRNAME}/../../../"
|
||||
load "${repo_root_dir}/tests/gha-run-k8s-common.sh"
|
||||
|
||||
# Reuse the helm install/uninstall helpers maintained alongside the
|
||||
# kata-deploy bats tests.
|
||||
source "${BATS_TEST_DIRNAME}/../kata-deploy/lib/helm-deploy.bash"
|
||||
|
||||
# Cache update polling interval is short on the monitor side; 30s is
|
||||
# generous enough to absorb both the cache refresh and any apiserver
|
||||
# proxy latency without dragging the test runtime up.
|
||||
KATA_MONITOR_CACHE_TIMEOUT_S="${KATA_MONITOR_CACHE_TIMEOUT_S:-30}"
|
||||
|
||||
# Pod name used to give kata-monitor a real sandbox to surface metrics
|
||||
# about. Kept fixed so teardown can clean it up unconditionally.
|
||||
KATA_MONITOR_PROBE_POD="kata-monitor-probe"
|
||||
|
||||
setup() {
|
||||
ensure_helm
|
||||
|
||||
: "${KATA_MONITOR_IMAGE_REFERENCE:?KATA_MONITOR_IMAGE_REFERENCE must be set}"
|
||||
: "${KATA_MONITOR_IMAGE_TAG:?KATA_MONITOR_IMAGE_TAG must be set}"
|
||||
}
|
||||
|
||||
# Hit `path` (e.g. /metrics or /sandboxes) on one of the kata-monitor
|
||||
# pods via the apiserver pod-proxy. Stdout is the response body; stderr
|
||||
# / non-zero exit propagate kubectl failures.
|
||||
kata_monitor_get() {
|
||||
local path="$1"
|
||||
local pod
|
||||
|
||||
pod="$(kubectl -n "${HELM_NAMESPACE}" get pods \
|
||||
-l app.kubernetes.io/name=kata-monitor \
|
||||
-o jsonpath='{.items[0].metadata.name}')"
|
||||
[[ -n "${pod}" ]] || { echo "no kata-monitor pod found" >&2; return 1; }
|
||||
|
||||
kubectl -n "${HELM_NAMESPACE}" get --raw \
|
||||
"/api/v1/namespaces/${HELM_NAMESPACE}/pods/${pod}:8090/proxy${path}"
|
||||
}
|
||||
|
||||
# Block until `predicate` returns 0 against the fresh /metrics output,
|
||||
# or until ${KATA_MONITOR_CACHE_TIMEOUT_S} elapses. The predicate is a
|
||||
# bash function name receiving the metrics body on stdin.
|
||||
wait_for_metrics() {
|
||||
local predicate="$1"
|
||||
local body
|
||||
local deadline=$((SECONDS + KATA_MONITOR_CACHE_TIMEOUT_S))
|
||||
|
||||
while (( SECONDS < deadline )); do
|
||||
if body="$(kata_monitor_get /metrics 2>/dev/null)" \
|
||||
&& printf '%s' "${body}" | "${predicate}"; then
|
||||
return 0
|
||||
fi
|
||||
sleep 1
|
||||
done
|
||||
|
||||
echo "Timed out waiting for kata-monitor /metrics predicate '${predicate}'" >&2
|
||||
echo "Last response was:" >&2
|
||||
printf '%s\n' "${body:-<none>}" | head -50 >&2
|
||||
return 1
|
||||
}
|
||||
|
||||
predicate_has_running_shim() {
|
||||
# Match `kata_monitor_running_shim_count <N>` where N >= 1.
|
||||
grep -E '^kata_monitor_running_shim_count [1-9][0-9]* *$' >/dev/null
|
||||
}
|
||||
|
||||
predicate_no_running_shim() {
|
||||
grep -E '^kata_monitor_running_shim_count 0 *$' >/dev/null
|
||||
}
|
||||
|
||||
predicate_has_shim_metric() {
|
||||
# Any kata_shim_* metric line with a non-empty sandbox_id label is
|
||||
# enough to prove the per-sandbox scrape path works end-to-end.
|
||||
grep -E '^kata_shim_[a-z_]+\{[^}]*sandbox_id="[0-9a-f-]+' >/dev/null
|
||||
}
|
||||
|
||||
@test "kata-monitor helm chart rolls out and exposes per-sandbox metrics" {
|
||||
pushd "${repo_root_dir}"
|
||||
|
||||
local helm_timeout="${KATA_DEPLOY_TIMEOUT:-600s}"
|
||||
local rollout_timeout="${KATA_MONITOR_ROLLOUT_TIMEOUT:-300s}"
|
||||
|
||||
echo "Installing kata-deploy with monitor.enabled=true ..."
|
||||
echo " kata-monitor image: ${KATA_MONITOR_IMAGE_REFERENCE}:${KATA_MONITOR_IMAGE_TAG}"
|
||||
|
||||
HELM_TIMEOUT="${helm_timeout}" deploy_kata "" \
|
||||
--set monitor.enabled=true \
|
||||
--set "monitor.image.reference=${KATA_MONITOR_IMAGE_REFERENCE}" \
|
||||
--set "monitor.image.tag=${KATA_MONITOR_IMAGE_TAG}"
|
||||
|
||||
echo ""
|
||||
echo "::group::kata-monitor DaemonSet rollout"
|
||||
kubectl -n "${HELM_NAMESPACE}" rollout status ds/kata-monitor \
|
||||
--timeout="${rollout_timeout}"
|
||||
echo "::endgroup::"
|
||||
|
||||
kubectl -n "${HELM_NAMESPACE}" wait pod \
|
||||
-l app.kubernetes.io/name=kata-monitor \
|
||||
--for=condition=Ready --timeout="${rollout_timeout}"
|
||||
|
||||
# Enabling monitor.enabled=true in the same chart deploys kata-monitor
|
||||
# alongside kata-deploy, and kata-deploy reconfigures and restarts
|
||||
# containerd as part of installing kata. That bounce drops the first
|
||||
# kata-monitor instance's containerd connection and costs it a one-off
|
||||
# restart, which is expected and not a regression. Now that kata-deploy
|
||||
# is Ready (so containerd is settled), restart the DaemonSet and assert
|
||||
# the fresh pods stay up without restarts — a genuine crash loop (e.g.
|
||||
# the recent glibc/musl mismatch) still fails here because it would
|
||||
# never reach Ready or would keep restarting.
|
||||
kubectl -n "${HELM_NAMESPACE}" rollout restart ds/kata-monitor
|
||||
kubectl -n "${HELM_NAMESPACE}" rollout status ds/kata-monitor \
|
||||
--timeout="${rollout_timeout}"
|
||||
|
||||
echo ""
|
||||
echo "::group::kata-monitor pods"
|
||||
kubectl -n "${HELM_NAMESPACE}" get pods -l app.kubernetes.io/name=kata-monitor -o wide
|
||||
echo "::endgroup::"
|
||||
|
||||
kubectl -n "${HELM_NAMESPACE}" wait pod \
|
||||
-l app.kubernetes.io/name=kata-monitor \
|
||||
--for=condition=Ready --timeout="${rollout_timeout}"
|
||||
|
||||
local restarts
|
||||
restarts="$(kubectl -n "${HELM_NAMESPACE}" get pods \
|
||||
-l app.kubernetes.io/name=kata-monitor \
|
||||
-o jsonpath='{range .items[*]}{.status.containerStatuses[0].restartCount}{"\n"}{end}')"
|
||||
while IFS= read -r r; do
|
||||
[[ -z "${r}" ]] && continue
|
||||
[[ "${r}" -eq 0 ]] || {
|
||||
echo "kata-monitor pod restarted ${r} time(s) after containerd settled; failing"
|
||||
return 1
|
||||
}
|
||||
done <<< "${restarts}"
|
||||
|
||||
# Give kata-monitor something real to surface metrics about: a kata
|
||||
# pod that just sleeps. Reuses the same image as kata-deploy.bats's
|
||||
# verification pod for cache-warmth on the runner.
|
||||
local probe_yaml
|
||||
probe_yaml=$(mktemp)
|
||||
cat > "${probe_yaml}" <<EOF
|
||||
apiVersion: v1
|
||||
kind: Pod
|
||||
metadata:
|
||||
name: ${KATA_MONITOR_PROBE_POD}
|
||||
spec:
|
||||
runtimeClassName: kata-${KATA_HYPERVISOR}
|
||||
restartPolicy: Never
|
||||
nodeSelector:
|
||||
katacontainers.io/kata-runtime: "true"
|
||||
containers:
|
||||
- name: probe
|
||||
image: quay.io/kata-containers/alpine-bash-curl:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
command: ["sh", "-c", "sleep 600"]
|
||||
EOF
|
||||
|
||||
echo ""
|
||||
echo "Creating kata probe pod ..."
|
||||
kubectl apply -f "${probe_yaml}"
|
||||
rm -f "${probe_yaml}"
|
||||
|
||||
kubectl wait "pod/${KATA_MONITOR_PROBE_POD}" \
|
||||
--for=condition=Ready --timeout=300s
|
||||
|
||||
echo ""
|
||||
echo "::group::Probe pod status"
|
||||
kubectl get "pod/${KATA_MONITOR_PROBE_POD}" -o wide
|
||||
echo "::endgroup::"
|
||||
|
||||
# Now the per-sandbox assertions. Wait for the monitor's cache to
|
||||
# pick the probe up, then prove a shim metric actually lands in the
|
||||
# scrape body.
|
||||
wait_for_metrics predicate_has_running_shim
|
||||
wait_for_metrics predicate_has_shim_metric
|
||||
echo "kata-monitor /metrics surfaced the probe sandbox"
|
||||
|
||||
# /sandboxes is the second public endpoint of kata-monitor; confirm
|
||||
# it lists at least one sandbox while the probe pod is alive.
|
||||
local sandboxes
|
||||
sandboxes="$(kata_monitor_get /sandboxes)"
|
||||
echo "::group::/sandboxes response"
|
||||
printf '%s\n' "${sandboxes}"
|
||||
echo "::endgroup::"
|
||||
[[ -n "${sandboxes//[[:space:]]/}" ]] || {
|
||||
echo "/sandboxes returned empty body" >&2
|
||||
return 1
|
||||
}
|
||||
|
||||
# Tear the probe pod down and prove kata-monitor's cache flushes
|
||||
# the sandbox out — mirrors is_sandbox_missing_iterate in the
|
||||
# host-level test.
|
||||
echo ""
|
||||
echo "Deleting probe pod and asserting cache invalidates ..."
|
||||
kubectl delete "pod/${KATA_MONITOR_PROBE_POD}" --wait=true --timeout=60s
|
||||
|
||||
wait_for_metrics predicate_no_running_shim
|
||||
echo "kata-monitor /metrics dropped the probe sandbox after deletion"
|
||||
|
||||
popd
|
||||
}
|
||||
|
||||
teardown() {
|
||||
# Best-effort cleanup — the @test deletes the probe pod on the
|
||||
# happy path, but a failure between create and delete would leave
|
||||
# it behind.
|
||||
kubectl delete "pod/${KATA_MONITOR_PROBE_POD}" --ignore-not-found --wait=false 2>/dev/null || true
|
||||
|
||||
uninstall_kata
|
||||
}
|
||||
26
tests/functional/kata-monitor/run-kata-monitor-helm-tests.sh
Normal file
26
tests/functional/kata-monitor/run-kata-monitor-helm-tests.sh
Normal file
@@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Copyright (c) 2026 NVIDIA Corporation
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
set -e
|
||||
set -o pipefail
|
||||
|
||||
kata_monitor_dir=$(dirname "$(readlink -f "$0")")
|
||||
# shellcheck source=/dev/null
|
||||
source "${kata_monitor_dir}/../../common.bash"
|
||||
|
||||
# Setting to "yes" enables fail fast, stopping execution at the first failed test.
|
||||
export BATS_TEST_FAIL_FAST="${BATS_TEST_FAIL_FAST:-no}"
|
||||
|
||||
if [[ -n "${KATA_MONITOR_HELM_TEST_UNION:-}" ]]; then
|
||||
KATA_MONITOR_HELM_TEST_UNION=("${KATA_MONITOR_HELM_TEST_UNION}")
|
||||
else
|
||||
KATA_MONITOR_HELM_TEST_UNION=( \
|
||||
"kata-monitor.bats" \
|
||||
)
|
||||
fi
|
||||
|
||||
run_bats_tests "${kata_monitor_dir}" KATA_MONITOR_HELM_TEST_UNION
|
||||
@@ -51,19 +51,21 @@ function install_dependencies() {
|
||||
# directly from their releases on GitHub:
|
||||
# - containerd
|
||||
# - cri-container-cni release tarball already includes CNI plugins
|
||||
# - cri-tools
|
||||
declare -a github_deps
|
||||
# shellcheck disable=SC2154
|
||||
github_deps[0]="cri_containerd:$(get_from_kata_deps ".externals.containerd.${CONTAINERD_VERSION}")"
|
||||
github_deps[1]="cri_tools:$(get_from_kata_deps ".externals.critools.latest")"
|
||||
github_deps[2]="runc:$(get_from_kata_deps ".externals.runc.latest")"
|
||||
github_deps[3]="cni_plugins:$(get_from_kata_deps ".externals.cni-plugins.version")"
|
||||
github_deps[1]="runc:$(get_from_kata_deps ".externals.runc.latest")"
|
||||
github_deps[2]="cni_plugins:$(get_from_kata_deps ".externals.cni-plugins.version")"
|
||||
|
||||
for github_dep in "${github_deps[@]}"; do
|
||||
IFS=":" read -r -a dep <<< "${github_dep}"
|
||||
"install_${dep[0]}" "${dep[1]}"
|
||||
done
|
||||
|
||||
# cri-tools is resolved at install time to the absolute latest
|
||||
# release, so it is not pinned via versions.yaml.
|
||||
install_cri_tools
|
||||
|
||||
# Clone containerd as we'll need to build it in order to run the tests
|
||||
# base_version: The version to be intalled in the ${major}.${minor} format
|
||||
clone_cri_containerd "$(get_from_kata_deps ".externals.containerd.${CONTAINERD_VERSION}")"
|
||||
|
||||
@@ -33,22 +33,24 @@ function install_dependencies() {
|
||||
# directly from their releases on GitHub:
|
||||
# - containerd
|
||||
# - cri-container-cni release tarball already includes CNI plugins
|
||||
# - cri-tools
|
||||
# - nydus
|
||||
# - nydus-snapshotter
|
||||
declare -a github_deps
|
||||
# shellcheck disable=SC2154
|
||||
github_deps[0]="cri_containerd:$(get_from_kata_deps ".externals.containerd.${CONTAINERD_VERSION}")"
|
||||
github_deps[1]="cri_tools:$(get_from_kata_deps ".externals.critools.latest")"
|
||||
github_deps[2]="nydus:$(get_from_kata_deps ".externals.nydus.version")"
|
||||
github_deps[3]="nydus_snapshotter:$(get_from_kata_deps ".externals.nydus-snapshotter.version")"
|
||||
github_deps[4]="runc:$(get_from_kata_deps ".externals.runc.latest")"
|
||||
github_deps[5]="cni_plugins:$(get_from_kata_deps ".externals.cni-plugins.version")"
|
||||
github_deps[1]="nydus:$(get_from_kata_deps ".externals.nydus.version")"
|
||||
github_deps[2]="nydus_snapshotter:$(get_from_kata_deps ".externals.nydus-snapshotter.version")"
|
||||
github_deps[3]="runc:$(get_from_kata_deps ".externals.runc.latest")"
|
||||
github_deps[4]="cni_plugins:$(get_from_kata_deps ".externals.cni-plugins.version")"
|
||||
|
||||
for github_dep in "${github_deps[@]}"; do
|
||||
IFS=":" read -r -a dep <<< "${github_dep}"
|
||||
"install_${dep[0]}" "${dep[1]}"
|
||||
done
|
||||
|
||||
# cri-tools is resolved at install time to the absolute latest
|
||||
# release, so it is not pinned via versions.yaml.
|
||||
install_cri_tools
|
||||
}
|
||||
|
||||
function run() {
|
||||
|
||||
@@ -375,6 +375,22 @@ When reference already contains "@" (digest) or tag is empty, use reference as-i
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
kata-monitor image reference for optional monitor DaemonSet.
|
||||
Supports tag (reference:tag) and digest (reference@sha256:...) formats.
|
||||
When reference contains "@" (digest), use reference as-is; otherwise use
|
||||
reference:tag (tag defaults to Chart.AppVersion).
|
||||
*/}}
|
||||
{{- define "kata-deploy.monitorImage" -}}
|
||||
{{- $ref := .Values.monitor.image.reference -}}
|
||||
{{- $tag := default .Chart.AppVersion .Values.monitor.image.tag | toString -}}
|
||||
{{- if contains "@" $ref -}}
|
||||
{{- $ref -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s:%s" $ref $tag -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get snapshotter setup list from structured config
|
||||
*/}}
|
||||
|
||||
@@ -0,0 +1,69 @@
|
||||
{{- if .Values.monitor.enabled }}
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: kata-monitor
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
name: kata-monitor
|
||||
namespace: {{ .Release.Namespace }}
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: kata-monitor
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: kata-monitor
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
annotations:
|
||||
prometheus.io/scrape: "true"
|
||||
spec:
|
||||
{{- with .Values.imagePullSecrets }}
|
||||
imagePullSecrets:
|
||||
{{- toYaml . | nindent 6 }}
|
||||
{{- end }}
|
||||
{{- with .Values.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.tolerations }}
|
||||
tolerations:
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- with .Values.priorityClassName }}
|
||||
priorityClassName: {{ . | quote }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: kata-monitor
|
||||
image: {{ include "kata-deploy.monitorImage" . }}
|
||||
imagePullPolicy: {{ .Values.imagePullPolicy }}
|
||||
securityContext:
|
||||
{{- toYaml .Values.monitor.securityContext | nindent 10 }}
|
||||
args:
|
||||
- -listen-address={{ .Values.monitor.listenAddress }}
|
||||
- -log-level={{ .Values.monitor.logLevel }}
|
||||
- -runtime-endpoint={{ .Values.monitor.runtimeEndpoint }}
|
||||
ports:
|
||||
- containerPort: {{ .Values.monitor.port }}
|
||||
resources:
|
||||
{{- toYaml .Values.monitor.resources | nindent 10 }}
|
||||
volumeMounts:
|
||||
- name: containerd-sock
|
||||
mountPath: /run/containerd
|
||||
readOnly: true
|
||||
- name: sbs
|
||||
mountPath: /run/vc/sbs/
|
||||
readOnly: true
|
||||
terminationGracePeriodSeconds: 30
|
||||
volumes:
|
||||
- name: containerd-sock
|
||||
hostPath:
|
||||
path: /run/containerd
|
||||
type: Directory
|
||||
- name: sbs
|
||||
hostPath:
|
||||
path: /run/vc/sbs/
|
||||
type: DirectoryOrCreate
|
||||
{{- end }}
|
||||
@@ -10,6 +10,27 @@ kubectlImage:
|
||||
reference: quay.io/kata-containers/kubectl
|
||||
tag: latest
|
||||
|
||||
monitor:
|
||||
enabled: false
|
||||
image:
|
||||
reference: quay.io/kata-containers/kata-monitor
|
||||
tag: ""
|
||||
listenAddress: "0.0.0.0:8090"
|
||||
runtimeEndpoint: "unix:///run/containerd/containerd.sock"
|
||||
logLevel: "info"
|
||||
port: 8090
|
||||
securityContext:
|
||||
privileged: false
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
resources:
|
||||
limits:
|
||||
cpu: 200m
|
||||
memory: 300Mi
|
||||
requests:
|
||||
cpu: 200m
|
||||
memory: 300Mi
|
||||
|
||||
k8sDistribution: "k8s" # k8s, k3s, rke2, k0s, microk8s
|
||||
|
||||
# Containerd configuration overrides
|
||||
|
||||
@@ -1,28 +1,74 @@
|
||||
# Copyright (c) 2020 Eric Ernst
|
||||
# Copyright (c) 2026 NVIDIA
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
ARG GO_VERSION
|
||||
FROM golang:${GO_VERSION}-alpine AS builder
|
||||
#
|
||||
# Build context: extracted kata-static shim-v2-go tarball root.
|
||||
#
|
||||
# Expected file in context:
|
||||
# ./opt/kata/bin/kata-monitor
|
||||
#
|
||||
# The kata-monitor binary is built inside an Ubuntu (glibc) toolchain
|
||||
# as part of the shim-v2-go static build, so it is dynamically linked
|
||||
# against glibc. We assemble its runtime dependencies via `ldd` from
|
||||
# a glibc base image and copy them into a distroless/static runtime
|
||||
# image, matching the same pattern used by
|
||||
# tools/packaging/kata-deploy/Dockerfile.
|
||||
|
||||
RUN apk add --no-cache bash curl git make build-base
|
||||
WORKDIR /go/src/github.com/kata-containers/kata-containers/src/runtime
|
||||
# Stage 1: discover and copy the glibc libraries the binary needs.
|
||||
# hadolint ignore=DL3007
|
||||
FROM debian:trixie-slim AS runtime-assembler
|
||||
|
||||
COPY src/runtime/go.* .
|
||||
RUN --mount=type=cache,target=/go/pkg/mod \
|
||||
--mount=type=cache,target=/root/.cache/go-build \
|
||||
go mod download
|
||||
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
|
||||
|
||||
COPY . /go/src/github.com/kata-containers/kata-containers
|
||||
RUN --mount=type=cache,target=/go/pkg/mod \
|
||||
--mount=type=cache,target=/root/.cache/go-build \
|
||||
make SKIP_GO_VERSION_CHECK=true monitor
|
||||
COPY opt/kata/bin/kata-monitor /tmp/kata-monitor
|
||||
|
||||
# run tests
|
||||
RUN --mount=type=cache,target=/go/pkg/mod \
|
||||
--mount=type=cache,target=/root/.cache/go-build \
|
||||
cd pkg/kata-monitor/ && go test -c -o /tmp/tests
|
||||
RUN /tmp/tests
|
||||
RUN \
|
||||
set -eux; \
|
||||
mkdir -p /output/lib /output/lib64; \
|
||||
echo "Libraries needed by kata-monitor on $(uname -m):"; \
|
||||
ldd /tmp/kata-monitor || true; \
|
||||
# Copy each shared library reported by ldd ("=>" lines).
|
||||
ldd /tmp/kata-monitor 2>/dev/null | grep "=>" | awk '{print $3}' | sort -u | \
|
||||
while read -r lib; do \
|
||||
if [ -n "${lib}" ] && [ -f "${lib}" ]; then \
|
||||
dest_dir="/output$(dirname "${lib}")"; \
|
||||
mkdir -p "${dest_dir}"; \
|
||||
cp -Ln "${lib}" "${dest_dir}/" || true; \
|
||||
echo " Copied lib: ${lib}"; \
|
||||
fi; \
|
||||
done; \
|
||||
# Copy the dynamic linker too: ldd does not include it in the "=>"
|
||||
# lines. Cover all four target architectures:
|
||||
# x86_64 -> /lib64/ld-linux-x86-64.so.2
|
||||
# aarch64 -> /lib/ld-linux-aarch64.so.1
|
||||
# s390x -> /lib/ld64.so.1
|
||||
# ppc64le -> /lib64/ld64.so.2
|
||||
for ld in /lib*/ld-linux-*.so.* /lib*/ld64.so.*; do \
|
||||
[ -f "${ld}" ] || continue; \
|
||||
dest_dir="/output$(dirname "${ld}")"; \
|
||||
mkdir -p "${dest_dir}"; \
|
||||
cp -Ln "${ld}" "${dest_dir}/" || true; \
|
||||
echo " Copied linker: ${ld}"; \
|
||||
done
|
||||
|
||||
# Stage 2: final distroless image.
|
||||
#
|
||||
# We deliberately track the rolling `latest` tag rather than pinning a
|
||||
# digest. distroless/static-debian13 publishes no semver tags and is
|
||||
# rebuilt frequently to pick up base-image CVE fixes, so following
|
||||
# `latest` keeps the kata-monitor runtime on the newest patched base.
|
||||
# The image only carries the handful of glibc libraries we copy in plus
|
||||
# the kata-monitor binary, so the blast radius of an unexpected base
|
||||
# bump is tiny. hadolint's "pin the version" check is therefore not
|
||||
# something we want here.
|
||||
# hadolint ignore=DL3007
|
||||
FROM gcr.io/distroless/static-debian13:latest
|
||||
|
||||
COPY --from=runtime-assembler /output/lib/ /lib/
|
||||
COPY --from=runtime-assembler /output/lib64/ /lib64/
|
||||
COPY opt/kata/bin/kata-monitor /usr/bin/kata-monitor
|
||||
|
||||
EXPOSE 8090
|
||||
|
||||
FROM alpine:3.14
|
||||
COPY --from=builder /go/src/github.com/kata-containers/kata-containers/src/runtime/kata-monitor /usr/bin/kata-monitor
|
||||
CMD ["-h"]
|
||||
ENTRYPOINT ["/usr/bin/kata-monitor"]
|
||||
CMD ["--help"]
|
||||
|
||||
71
tools/packaging/kata-monitor/build-and-upload-from-tarball.sh
Executable file
71
tools/packaging/kata-monitor/build-and-upload-from-tarball.sh
Executable file
@@ -0,0 +1,71 @@
|
||||
#!/usr/bin/env bash
|
||||
#
|
||||
# Copyright (c) 2026 NVIDIA
|
||||
#
|
||||
# SPDX-License-Identifier: Apache-2.0
|
||||
#
|
||||
|
||||
set -o errexit
|
||||
set -o nounset
|
||||
set -o pipefail
|
||||
|
||||
script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
repo_root_dir="$(cd "${script_dir}/../../.." && pwd)"
|
||||
|
||||
image_ref="${1:?image ref is required (e.g. quay.io/org/repo:tag)}"
|
||||
source_tarball="${2:?path to kata-static.tar.zst is required}"
|
||||
push_image="${3:-true}"
|
||||
|
||||
case "$(uname -m)" in
|
||||
x86_64) platform_arch="amd64" ;;
|
||||
aarch64) platform_arch="arm64" ;;
|
||||
s390x) platform_arch="s390x" ;;
|
||||
ppc64le) platform_arch="ppc64le" ;;
|
||||
*) echo "Unsupported architecture: $(uname -m)" >&2; exit 1 ;;
|
||||
esac
|
||||
|
||||
tmpdir="$(mktemp -d)"
|
||||
cleanup() {
|
||||
rm -rf "${tmpdir}"
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
# Extract only kata-monitor from the source tarball.
|
||||
monitor_entry=""
|
||||
while IFS= read -r entry; do
|
||||
case "${entry}" in
|
||||
opt/kata/bin/kata-monitor|./opt/kata/bin/kata-monitor)
|
||||
monitor_entry="${entry}"
|
||||
break
|
||||
;;
|
||||
esac
|
||||
done < <(tar --zstd -tf "${source_tarball}")
|
||||
|
||||
if [[ -z "${monitor_entry}" ]]; then
|
||||
echo "kata-monitor binary entry not found in ${source_tarball}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
tar --zstd -xf "${source_tarball}" -C "${tmpdir}" "${monitor_entry}"
|
||||
monitor_entry="${monitor_entry#./}"
|
||||
monitor_binary="${tmpdir}/${monitor_entry}"
|
||||
|
||||
if [[ ! -f "${monitor_binary}" ]]; then
|
||||
echo "kata-monitor binary extraction failed from ${source_tarball}" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
chmod +x "${monitor_binary}"
|
||||
|
||||
push_flag=()
|
||||
if [[ "${push_image}" == "true" ]]; then
|
||||
push_flag+=(--push)
|
||||
fi
|
||||
|
||||
docker buildx build \
|
||||
--platform "linux/${platform_arch}" \
|
||||
--provenance false --sbom false \
|
||||
-f "${repo_root_dir}/tools/packaging/kata-monitor/Dockerfile" \
|
||||
--tag "${image_ref}" \
|
||||
"${push_flag[@]}" \
|
||||
"${tmpdir}"
|
||||
@@ -315,14 +315,6 @@ externals:
|
||||
minimum: "v1.7"
|
||||
latest: "v2.3"
|
||||
|
||||
critools:
|
||||
description: "CLI tool for Container Runtime Interface (CRI)"
|
||||
url: "https://github.com/kubernetes-sigs/cri-tools"
|
||||
version: "1.23.0"
|
||||
# As we don't want to disrupt what we have on the `tests` repo, let's
|
||||
# create a "latest" entry and use that for the GitHub actions tests.
|
||||
latest: "v1.29"
|
||||
|
||||
runc:
|
||||
description: "CLI tool for spawning and running containers"
|
||||
url: "https://github.com/opencontainers/runc"
|
||||
|
||||
Reference in New Issue
Block a user