ci: run qemu-coco-dev-runtime-rs tests on arm64

Add qemu-coco-dev-runtime-rs to the arm64 k8s test matrix so that the CoCo non-TEE configuration is exercised on aarch64 runners. Also enable auto-generated policy for qemu-coco-dev on aarch64 (matching the existing x86_64 behavior) and register the new job as a required gatekeeper check. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com> Made-with: Cursor
2026-04-10 05:54:03 +00:00 · 2026-04-07 12:19:00 +02:00
parent a66cdebb85
commit 6bd85b5b6d
4 changed files with 56 additions and 11 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -266,12 +266,15 @@ jobs:
    needs: publish-kata-deploy-payload-arm64
    uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
    with:
+      tarball-suffix: -${{ inputs.tag }}
      registry: ghcr.io
      repo: ${{ github.repository_owner }}/kata-deploy-ci
      tag: ${{ inputs.tag }}-arm64
      commit-hash: ${{ inputs.commit-hash }}
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}

  run-k8s-tests-on-nvidia-gpu:
    if: ${{ inputs.skip-test != 'yes' }}
--- a/.github/workflows/run-k8s-tests-on-arm64.yaml
+++ b/.github/workflows/run-k8s-tests-on-arm64.yaml
@@ -21,30 +21,46 @@ on:
        required: false
        type: string
        default: ""
+      tarball-suffix:
+        required: false
+        type: string
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD:
+        required: false

 permissions: {}

 jobs:
  run-k8s-tests-on-arm64:
-    name: run-k8s-tests-on-arm64
+    name: run-k8s-tests-on-arm64 (${{ matrix.environment.vmm }}, ${{ matrix.k8s }})
    strategy:
      fail-fast: false
      matrix:
-        vmm:
-          - qemu
-          - qemu-runtime-rs
+        environment: [
+          { vmm: qemu,                     runner: arm64-k8s },
+          { vmm: qemu-coco-dev-runtime-rs, runner: arm64-k8s-runtime-rs },
+          { vmm: qemu-runtime-rs,          runner: arm64-k8s-runtime-rs },
+        ]
        k8s:
          - kubeadm
-    runs-on: arm64-k8s
+    runs-on: ${{ matrix.environment.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
      DOCKER_REPO: ${{ inputs.repo }}
      DOCKER_TAG: ${{ inputs.tag }}
      GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
      KUBERNETES: ${{ matrix.k8s }}
      K8S_TEST_HOST_TYPE: all
      TARGET_ARCH: "aarch64"
+      KBS: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'true' || 'false' }}
+      KBS_INGRESS: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'nodeport' || '' }}
+      AUTO_GENERATE_POLICY: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'yes' || '' }}
+      PULL_TYPE: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'guest-pull' || 'default' }}
+      SNAPSHOTTER: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'nydus' || '' }}
+      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      GH_TOKEN: ${{ github.token }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
@@ -58,10 +74,36 @@ jobs:
        env:
          TARGET_BRANCH: ${{ inputs.target-branch }}

+      - name: get-kata-tools-tarball
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
      - name: Deploy Kata
        timeout-minutes: 20
        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata

+      - name: Uninstall previous `kbs-client`
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
+
+      - name: Deploy CoCo KBS
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
      - name: Install `bats`
        run: bash tests/integration/kubernetes/gha-run.sh install-bats

@@ -73,15 +115,15 @@ jobs:
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh report-tests

-      - name: Collect artifacts ${{ matrix.vmm }}
+      - name: Collect artifacts ${{ matrix.environment.vmm }}
        if: always()
        run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
        continue-on-error: true

-      - name: Archive artifacts ${{ matrix.vmm }}
+      - name: Archive artifacts ${{ matrix.environment.vmm }}
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
-          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
+          name: k8s-tests-${{ matrix.environment.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
          path: /tmp/artifacts
          retention-days: 1

--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -493,7 +493,7 @@ function main() {
 		if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then
 			AUTO_GENERATE_POLICY="yes"
 		elif [[ "${KATA_HYPERVISOR}" = qemu-coco-dev* && \
-		        "${TARGET_ARCH}" = "x86_64" && \
+		        ( "${TARGET_ARCH}" = "x86_64" || "${TARGET_ARCH}" = "aarch64" ) && \
 		        "${PULL_TYPE}" != "experimental-force-guest-pull" ]]; then
 			AUTO_GENERATE_POLICY="yes"
 		elif [[ "${KATA_HYPERVISOR}" = qemu-nvidia-gpu-* ]]; then
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -148,7 +148,7 @@ install_genpolicy_drop_ins() {
 	# 20-* OCI version overlay
 	if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then
 		cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/"
-	elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
+	elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]] || [[ "$(uname -m)" == "aarch64" ]]; then
 		cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/"
 	fi