From 6bd85b5b6d8aae0527965e61863794c09ca72486 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Tue, 7 Apr 2026 12:19:00 +0200 Subject: [PATCH] ci: run qemu-coco-dev-runtime-rs tests on arm64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add qemu-coco-dev-runtime-rs to the arm64 k8s test matrix so that the CoCo non-TEE configuration is exercised on aarch64 runners. Also enable auto-generated policy for qemu-coco-dev on aarch64 (matching the existing x86_64 behavior) and register the new job as a required gatekeeper check. Signed-off-by: Fabiano FidĂȘncio Made-with: Cursor --- .github/workflows/ci.yaml | 3 + .github/workflows/run-k8s-tests-on-arm64.yaml | 60 ++++++++++++++++--- tests/integration/kubernetes/gha-run.sh | 2 +- tests/integration/kubernetes/tests_common.sh | 2 +- 4 files changed, 56 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ec557b1cc5..17d476c8f8 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -266,12 +266,15 @@ jobs: needs: publish-kata-deploy-payload-arm64 uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml with: + tarball-suffix: -${{ inputs.tag }} registry: ghcr.io repo: ${{ github.repository_owner }}/kata-deploy-ci tag: ${{ inputs.tag }}-arm64 commit-hash: ${{ inputs.commit-hash }} pr-number: ${{ inputs.pr-number }} target-branch: ${{ inputs.target-branch }} + secrets: + AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} run-k8s-tests-on-nvidia-gpu: if: ${{ inputs.skip-test != 'yes' }} diff --git a/.github/workflows/run-k8s-tests-on-arm64.yaml b/.github/workflows/run-k8s-tests-on-arm64.yaml index 1a4c81ecc5..4614cb2b93 100644 --- a/.github/workflows/run-k8s-tests-on-arm64.yaml +++ b/.github/workflows/run-k8s-tests-on-arm64.yaml 
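Review bot: The `tarball-suffix` added to this `with:` block only helps if the `kata-tools-static-tarball-arm64…` artifact that the callee now downloads has already been uploaded when this job starts, and the only dependency visible here is `needs: publish-kata-deploy-payload-arm64`. If that job does not itself depend on the arm64 kata-tools build, the producer should be listed in `needs` too, otherwise the download step can fail. The job's header is outside the hunk, so this needs confirming against the full file. Separately, the description says the new job is registered as a required gatekeeper check, but none of the four files in the diffstat looks like a gatekeeper configuration.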
@@ -21,30 +21,46 @@ on: required: false type: string default: "" + tarball-suffix: + required: false + type: string + secrets: + AUTHENTICATED_IMAGE_PASSWORD: + required: false permissions: {} jobs: run-k8s-tests-on-arm64: - name: run-k8s-tests-on-arm64 + name: run-k8s-tests-on-arm64 (${{ matrix.environment.vmm }}, ${{ matrix.k8s }}) strategy: fail-fast: false matrix: - vmm: - - qemu - - qemu-runtime-rs + environment: [ + { vmm: qemu, runner: arm64-k8s }, + { vmm: qemu-coco-dev-runtime-rs, runner: arm64-k8s-runtime-rs }, + { vmm: qemu-runtime-rs, runner: arm64-k8s-runtime-rs }, + ] k8s: - kubeadm - runs-on: arm64-k8s + runs-on: ${{ matrix.environment.runner }} env: DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REPO: ${{ inputs.repo }} DOCKER_TAG: ${{ inputs.tag }} GH_PR_NUMBER: ${{ inputs.pr-number }} - KATA_HYPERVISOR: ${{ matrix.vmm }} + KATA_HYPERVISOR: ${{ matrix.environment.vmm }} KUBERNETES: ${{ matrix.k8s }} K8S_TEST_HOST_TYPE: all TARGET_ARCH: "aarch64" + KBS: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'true' || 'false' }} + KBS_INGRESS: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'nodeport' || '' }} + AUTO_GENERATE_POLICY: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'yes' || '' }} + PULL_TYPE: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'guest-pull' || 'default' }} + SNAPSHOTTER: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'nydus' || '' }} + AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }} + AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} + GH_TOKEN: ${{ github.token }} steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
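Review bot: `AUTHENTICATED_IMAGE_PASSWORD` (with `AUTHENTICATED_IMAGE_USER` and `GH_TOKEN`) is placed in the job-level `env:`, so every step of every matrix leg receives it, including the `qemu` and `qemu-runtime-rs` legs that the other added lines treat as non-CoCo. Those legs run repository scripts on the `arm64-k8s*` runners, which look like self-hosted labels, so the credential is exposed more widely than the tests appear to need. Gate it like the neighbouring variables, `AUTHENTICATED_IMAGE_PASSWORD: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && secrets.AUTHENTICATED_IMAGE_PASSWORD || '' }}`, or move it to the `env:` of the step that consumes it. The job continues outside the hunk, so which step reads the variable is not visible here.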
@@ -58,10 +74,36 @@ jobs: env: TARGET_BRANCH: ${{ inputs.target-branch }} + - name: get-kata-tools-tarball + if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }} + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 + with: + name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }} + path: kata-tools-artifacts + + - name: Install kata-tools + if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }} + run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts + - name: Deploy Kata timeout-minutes: 20 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata + - name: Uninstall previous `kbs-client` + if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }} + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client + + - name: Deploy CoCo KBS + if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }} + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs + + - name: Install `kbs-client` + if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }} + timeout-minutes: 10 + run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client + - name: Install `bats` run: bash tests/integration/kubernetes/gha-run.sh install-bats 
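Review bot: The added `Deploy CoCo KBS` step has no matching teardown in any hunk of this patch, and the step that uninstalls a previous `kbs-client` suggests these runners keep state between runs. With `KBS_INGRESS` set to `nodeport` for the same legs, a key broker left deployed would presumably stay reachable on the node after the job ends. Unless a cleanup already exists in the part of the file outside the hunks, add an `if: always()` step gated on the same `startsWith(matrix.environment.vmm, 'qemu-coco-dev')` condition that removes the KBS deployment. `Install kata-tools` is also the only new `run:` step without a bound; `timeout-minutes: 10` would match its neighbours.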
@@ -73,15 +115,15 @@ jobs: if: always() run: bash tests/integration/kubernetes/gha-run.sh report-tests - - name: Collect artifacts ${{ matrix.vmm }} + - name: Collect artifacts ${{ matrix.environment.vmm }} if: always() run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts continue-on-error: true - - name: Archive artifacts ${{ matrix.vmm }} + - name: Archive artifacts ${{ matrix.environment.vmm }} uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: - name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }} + name: k8s-tests-${{ matrix.environment.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }} path: /tmp/artifacts retention-days: 1 diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index 6055005d64..173b0b5d33 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh @@ -493,7 +493,7 @@ function main() { if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then AUTO_GENERATE_POLICY="yes" elif [[ "${KATA_HYPERVISOR}" = qemu-coco-dev* && \ - "${TARGET_ARCH}" = "x86_64" && \ + ( "${TARGET_ARCH}" = "x86_64" || "${TARGET_ARCH}" = "aarch64" ) && \ "${PULL_TYPE}" != "experimental-force-guest-pull" ]]; then AUTO_GENERATE_POLICY="yes" elif [[ "${KATA_HYPERVISOR}" = qemu-nvidia-gpu-* ]]; then diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index eda214a4ba..18479687d2 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh 
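Review bot: In the `gha-run.sh` hunk, `AUTO_GENERATE_POLICY` for arm64 `qemu-coco-dev*` is now decided in two places: this `elif` and the workflow's job `env:`, which sets it to `'yes'` for the same prefix. The two already differ in one case, because this branch excludes `PULL_TYPE` of `experimental-force-guest-pull` and the workflow expression does not. Keeping a single source of truth, for example dropping the workflow variable and letting this branch decide, avoids policy enforcement in the tests silently switching on or off when only one side is edited. `main` starts and ends outside the hunk, so how a pre-set value interacts with this chain cannot be seen here.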
@@ -148,7 +148,7 @@ install_genpolicy_drop_ins() { # 20-* OCI version overlay if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/" - elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then + elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]] || [[ "$(uname -m)" == "aarch64" ]]; then cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/" fi
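Review bot: The new `[[ "$(uname -m)" == "aarch64" ]]` clause reads the architecture of whatever machine runs the script, while the rest of this patch keys on `TARGET_ARCH` (set to `aarch64` in the workflow and tested in `gha-run.sh`). `[[ "${TARGET_ARCH:-$(uname -m)}" == "aarch64" ]]` would keep the two consistent and still work when the variable is unset. The architecture is presumably a stand-in for the OCI version produced on the arm64 runners, so a one-line comment above the `elif` saying why aarch64 implies the 1.3.0 drop-in would help the next person who changes the runner image. `install_genpolicy_drop_ins` begins and ends outside the hunk.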