ci: target Azure CLH runtimes directly in AKS tests

Switch AKS Mariner matrix entries to clh-azure handlers and remove the
temporary host-OS based helm value overrides.

Update integration test wiring and required test labels so CI tracks the
new runtime names.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>

.github/workflows/run-k8s-tests-on-aks.yaml

@@ -47,21 +47,21 @@ jobs:
       matrix:
         include:
           - host_os: cbl-mariner
-            vmm: clh
+            vmm: clh-azure
             instance-type: small
             genpolicy-pull-method: oci-distribution
           - host_os: cbl-mariner
-            vmm: clh
+            vmm: clh-azure
             instance-type: small
             genpolicy-pull-method: containerd
           - host_os: cbl-mariner
-            vmm: clh
+            vmm: clh-azure
             instance-type: normal
           - host_os: cbl-mariner
-            vmm: clh-runtime-rs
+            vmm: clh-azure-runtime-rs
             instance-type: small
           - host_os: cbl-mariner
-            vmm: clh-runtime-rs
+            vmm: clh-azure-runtime-rs
             instance-type: normal
     concurrency:
       group: ${{ github.workflow }}-${{ github.job }}-${{ github.event.pull_request.number || github.ref }}-run-k8s-tests-aks-${{ toJSON(matrix) }}

tests/common.bash

@@ -596,7 +596,7 @@ function enabling_hypervisor() {
 	declare -r CONTAINERD_SHIM_KATA="/usr/local/bin/containerd-shim-kata-${KATA_HYPERVISOR}-v2"
 
 	case "${KATA_HYPERVISOR}" in
-		dragonball|clh-runtime-rs|qemu-runtime-rs|qemu-se-runtime-rs)
+		dragonball|clh-runtime-rs|clh-azure-runtime-rs|qemu-runtime-rs|qemu-se-runtime-rs)
 			sudo ln -sf "${KATA_DIR}/runtime-rs/bin/containerd-shim-kata-v2" "${CONTAINERD_SHIM_KATA}"
 			declare -r CONFIG_DIR="${KATA_DIR}/share/defaults/kata-containers/runtime-rs"
 			;;

tests/gha-run-k8s-common.sh

@@ -26,7 +26,6 @@ HELM_CREATE_RUNTIME_CLASSES="${HELM_CREATE_RUNTIME_CLASSES:-}"
 HELM_CREATE_DEFAULT_RUNTIME_CLASS="${HELM_CREATE_DEFAULT_RUNTIME_CLASS:-}"
 HELM_DEBUG="${HELM_DEBUG:-}"
 HELM_DEFAULT_SHIM="${HELM_DEFAULT_SHIM:-}"
-HELM_HOST_OS="${HELM_HOST_OS:-}"
 HELM_IMAGE_REFERENCE="${HELM_IMAGE_REFERENCE:-}"
 HELM_IMAGE_TAG="${HELM_IMAGE_TAG:-}"
 HELM_K8S_DISTRIBUTION="${HELM_K8S_DISTRIBUTION:-}"
@@ -712,17 +711,18 @@ function helm_helper() {
 	# Enable node-feature-discovery deployment
 	yq -i ".node-feature-discovery.enabled = true" "${values_yaml}"
 
-	# Do not enable on cbl-mariner yet, as the deployment is failing on those
-	if [[ "${HELM_HOST_OS}" == "cbl-mariner" ]]; then
-		yq -i ".node-feature-discovery.enabled = false" "${values_yaml}"
-	fi
-
 	# Do not enable on nvidia-gpu-* tests, as it'll be deployed by the GPU operator
 	if [[ "${KATA_HYPERVISOR}" == *"nvidia-gpu"* ]]; then
 		yq -i ".node-feature-discovery.enabled = false" "${values_yaml}"
 		yq -i ".runtimeClasses.createDefault = true" "${values_yaml}"
 	fi
 
+	# Azure CLH jobs run on CBL-Mariner AKS nodes; keep NFD disabled to avoid
+	# virtualization gating preventing kata-deploy pod creation.
+	if [[ "${KATA_HYPERVISOR}" == *azure* ]]; then
+		yq -i ".node-feature-discovery.enabled = false" "${values_yaml}"
+	fi
+
 	if [[ -z "${HELM_IMAGE_REFERENCE}" ]]; then
 		die "HELM_IMAGE_REFERENCE environment variable cannot be empty."
 	fi
@@ -961,8 +961,6 @@ function helm_helper() {
 		[[ -n "${HELM_CREATE_RUNTIME_CLASSES}" ]] && yq -i ".runtimeClasses.enabled = ${HELM_CREATE_RUNTIME_CLASSES}" "${values_yaml}"
 		[[ -n "${HELM_CREATE_DEFAULT_RUNTIME_CLASS}" ]] && yq -i ".runtimeClasses.createDefault = ${HELM_CREATE_DEFAULT_RUNTIME_CLASS}" "${values_yaml}"
 
-		# Legacy env.* settings that don't have structured equivalents yet
-		[[ -n "${HELM_HOST_OS}" ]] && yq -i ".env.hostOS=\"${HELM_HOST_OS}\"" "${values_yaml}"
 	fi
 
 	# Enable verification during deployment if HELM_VERIFY_DEPLOYMENT is set

tests/hypervisor_helpers.sh

@@ -15,7 +15,9 @@ FIRECRACKER_HYPERVISORS=("firecracker" "fc")
 
 ALL_HYPERVISORS=(
 	"clh"
+	"clh-azure"
 	"clh-runtime-rs"
+	"clh-azure-runtime-rs"
 	"dragonball"
 	"qemu"
 	"qemu-runtime-rs"

tests/integration/kubernetes/gha-run.sh

@@ -199,7 +199,7 @@ function deploy_kata() {
 	fi
 
 	ANNOTATIONS="default_vcpus"
-	if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then
+	if [[ "${KATA_HYPERVISOR}" == *azure* ]]; then
 		ANNOTATIONS="image kernel default_vcpus cc_init_data"
 	fi
 	if [[ "${KATA_HYPERVISOR}" = "qemu" ]]; then
@@ -216,11 +216,6 @@ function deploy_kata() {
 		PULL_TYPE_MAPPING="${KATA_HYPERVISOR}:${PULL_TYPE}"
 	fi
 
-	HOST_OS=""
-	if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then
-		HOST_OS="${KATA_HOST_OS}"
-	fi
-
 	# nydus and erofs are always deployed by kata-deploy; set this unconditionally
 	# based on the snapshotter so that all architectures and hypervisors work
 	# without needing per-workflow USE_EXPERIMENTAL_SETUP_SNAPSHOTTER overrides.
@@ -246,7 +241,6 @@ function deploy_kata() {
 	export HELM_PULL_TYPE_MAPPING="${PULL_TYPE_MAPPING}"
 	export HELM_EXPERIMENTAL_SETUP_SNAPSHOTTER="${EXPERIMENTAL_SETUP_SNAPSHOTTER}"
 	export HELM_EXPERIMENTAL_FORCE_GUEST_PULL="${EXPERIMENTAL_FORCE_GUEST_PULL}"
-	export HELM_HOST_OS="${HOST_OS}"
 	helm_helper
 }
 
@@ -316,7 +310,7 @@ function run_tests() {
 		echo "start_time=${start_time}" >> "${GITHUB_ENV}"
 	fi
 
-	if [[ "${KATA_HYPERVISOR}" = "clh-runtime-rs" ]] && [[ "${SNAPSHOTTER}" = "devmapper" ]]; then
+	if [[ "${KATA_HYPERVISOR}" =~ ^clh(-azure)?-runtime-rs$ ]] && [[ "${SNAPSHOTTER}" = "devmapper" ]]; then
 		if [[ -n "${GITHUB_ENV}" ]]; then
 			KATA_TEST_VERBOSE=true
 			export KATA_TEST_VERBOSE

tools/testing/gatekeeper/required-tests.yaml

@@ -77,11 +77,11 @@ mapping:
       - Kata Containers CI / kata-containers-ci-on-push / run-cri-containerd-tests-amd64 (lts, qemu) / run-cri-containerd-amd64 (lts, qemu)
       - Kata Containers CI / kata-containers-ci-on-push / run-cri-containerd-tests-s390x (active, qemu) / run-cri-containerd-s390x (active, qemu)
       #- Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-arm64 / run-k8s-tests-on-arm64 (qemu, kubeadm)
-      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh, normal)
-      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh, small, containerd)
-      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh, small, oci-distribution)
-      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh-runtime-rs, small)
-      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh-runtime-rs, normal)
+      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh-azure, normal)
+      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh-azure, small, containerd)
+      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh-azure, small, oci-distribution)
+      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh-azure-runtime-rs, small)
+      - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-aks / run-k8s-tests (cbl-mariner, clh-azure-runtime-rs, normal)
       - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-free-runner / run-k8s-tests (clh, lts)
       - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-free-runner / run-k8s-tests (clh, active)
       - Kata Containers CI / kata-containers-ci-on-push / run-k8s-tests-on-free-runner / run-k8s-tests (dragonball, lts)
@@ -111,7 +111,6 @@ mapping:
     names:
       # ci-on-push.yaml (ci.yaml)
       - Kata Containers CI / kata-containers-ci-on-push / build-and-publish-tee-confidential-unencrypted-image
-      - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (cloud-hypervisor-glibc, test)
       - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (cloud-hypervisor, test)
       - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (firecracker, test)
       - Kata Containers CI / kata-containers-ci-on-push / build-kata-static-tarball-amd64 / build-asset (kernel-dragonball-experimental, test)