Commit Graph

15798 Commits

Author SHA1 Message Date
Fabiano Fidêncio
404e212102 tests: kata-deploy: Use helm_helper()
With this we switch to fully testing with helm, instead of testimg with
the kustomizations (which will soon be removed).

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-26 13:30:15 +01:00
Fabiano Fidêncio
f7976a40e4 tests: Create a helm_helper() common function
Let's use what we have in the k8s functional tests to create a common
function to deploy kata containers using our helm charts.  This will
help us immensely in the kata-deploy testing side in the near future.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-26 13:30:11 +01:00
Fabiano Fidêncio
eb884d33a8 tests: k8s: Export all the default env vars on gha-run.sh
This is not strictly needed, but it does help a lot when setting up a
cluster manually, while still relying on those scripts.

While here, let's also ensure the assignment is between quotes, to make
shellchecker happier.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-03-26 13:23:16 +01:00
Saul Paredes
ae5c587efc
Merge pull request #11074 from Sumynwa/sumsharma/genpolicy_test
genpolicy: Refactor tests to allow different request types in a testcases json.
2025-03-25 12:38:19 -07:00
Sumedh Sharma
3406df9133 genpolicy: Refactor tests to add different request types in testcases json
This commit introduces changes to add test data for multiple request
type in a single testcases.json file. This allows for stateful testing,
for ex: enable testing ExecProcessRequest using policy state set after testing
a CreateContainerRequest.

Fixes #11073.

Signed-off-by: Sumedh Sharma <sumsharma@microsoft.com>
2025-03-25 13:52:17 +05:30
Mikko Ylinen
85f3391bcf runtime: qemu: add support to use TDX QGS via Unix Domain Sockets
TDX Quote Generation Service (QGS) signs TDREPORT sent to it from
Qemu (GetQuote hypercall). Qemu needs quote-generation-socket
address configured for IPC.

Currently, Kata govmm only enables vsock based IPC for QGS but
QGS supports Unix Domain Sockets too which works well for host
process to process IPC (Qemu <-> QGS).

The QGS configuration to enable UDS is to run the service with "-port=0"
parameter. The same works well here too: setting
"tdx_quote_generation_service_socket_port=0" let's users to enable
UDS based IPC.

The socket path is fixed in QGS and cannot be configured: when "-port=0"
is used, the socket appears in /var/run/tdx-qgs/qgs.socket.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-03-25 10:18:40 +02:00
RuoqingHe
7a704453b6
Merge pull request #11075 from microsoft/danmihai1/genpolicy-debug-build
genpolicy: add support for BUILD_TYPE=debug
2025-03-25 14:59:15 +08:00
RuoqingHe
5d68600c06
Merge pull request #11010 from stevenhorsman/metrics-containerd-debugging
metrics: Test improvements
2025-03-25 11:38:28 +08:00
Dan Mihai
15c9035254 genpolicy: add support for BUILD_TYPE=debug
Use "cargo build --release" when BUILD_TYPE was not specified, or when
BUILD_TYPE=release. The default "cargo build" behavior is to build in
debug mode.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-24 16:10:20 +00:00
RuoqingHe
f6a1c6d0e0
Merge pull request #11069 from kimullaa/exit-if-action-is-invalid
kata-deploy: return exit code for invalid argument
2025-03-24 09:40:39 +08:00
Shunsuke Kimura
e5d7414c33 kata-deploy: Return exit code for invalid argument
It hangs when invalid arguments are specified.

```bash
kata-deploy-6sr2p:/# /opt/kata-artifacts/scripts/kata-deploy.sh xxx
Action:
* xxx
...
Usage: /opt/kata-artifacts/scripts/kata-deploy.sh [install/cleanup/reset]
ERROR: invalid arguments
...
^C <- hang
```

I changed it to behave the same as when there are no arguments.

```bash
kata-deploy-6sr2p:/# /opt/kata-artifacts/scripts/kata-deploy.sh
Usage: /opt/kata-artifacts/scripts/kata-deploy.sh [install/cleanup/reset]
ERROR: invalid arguments
kata-deploy-6sr2p:/# echo $?
1
```

Fixes: #11068

Signed-off-by: Shunsuke Kimura <pbrehpuum@gmail.com>
2025-03-22 21:32:38 +09:00
Aurélien Bombo
17baa6199b
Merge pull request #11061 from RuoqingHe/2025-03-21-generalize-non-kvm
ci: Generalize `GITHUB_RUNNER_CI_ARM64`
2025-03-21 15:23:51 -05:00
Fupan Li
4b93176225 runtime-rs: update the protobuf to 3.7.1
Since some files generated by protobuf were share between
runtime-rs and kata agent, and the kata agent's dependency
image-rs dependened protobuf@3.7.1, thus we'd better to keep
the protobuf version aligned between runtime-rs and agent,
otherwise, we couldn't compile the runtime-rs and agent
at the same time.

Fixes: https://github.com/kata-containers/kata-containers/issues/10650

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-03-21 17:46:12 +08:00
Ruoqing He
5e81f67ceb ci: Generalize GITHUB_RUNNER_CI_ARM64
`GITHUB_RUNNER_CI_ARM64` is turned on for self hosted runners without
virtualization to skipped those tests depend on virtualization. This may
happen to other archs/runners as well, let's generalize it to
`GITHUB_RUNNER_CI_NON_VIRT` so we can reuse it on other archs.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-21 09:49:44 +08:00
RuoqingHe
e84f7c2c4b
Merge pull request #11046 from mythi/drop-dcap-libs
build: drop libtdx-attest
2025-03-21 09:23:33 +08:00
Dan Mihai
835c6814d7 tests: k8s/tests_common: avoid using regex
More straightforward implementation of hard_coded_policy_tests_enabled,
that avoids ShellCheck warning:

warning: Remove quotes from right-hand side of =~ to match as a regex rather than literally. [SC2076]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 22:23:19 +00:00
Dan Mihai
d83b8349a2 tests: policy: avoid using caller's variable
Fix unintended use of caller's variable. Use the corresponding function
parameter instead. ShellCheck:

warning: policy_settings_dir is referenced but not assigned. [SC2154]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:29 +00:00
Dan Mihai
59a70a2b28 tests: k8s/tests_common: avoid masking return values
Avoid masking command return values by declaring and only then assigning.

ShellCheck:

warning: Declare and assign separately to avoid masking return values. [SC2155]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:29 +00:00
Dan Mihai
b895e3b3e5 tests: k8s/tests_common.sh: add variable assignments
Pick the the values exported by other scripts. ShellCheck:

warning: AUTO_GENERATE_POLICY is referenced but not assigned. [SC2154]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:29 +00:00
Dan Mihai
0f4de1c94a tests: tests_common: remove useless assignment
ShellCheck:

warning: This assignment is only seen by the forked process. [SC2097]
warning: This expansion will not see the mentioned assignment. [SC2098]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:29 +00:00
Dan Mihai
9c0d069ac7 tests: tests_common: prevent globbing and word splitting
ShellCheck:

note: Double quote to prevent globbing and word splitting. [SC2086]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:28 +00:00
Dan Mihai
15961b03f7 tests: k8s/tests_common.sh: -n instead of ! -z
ShellCheck:

note: Use -n instead of ! -z. [SC2236]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:28 +00:00
Dan Mihai
4589dc96ef tests: k8s/tests_common.sh: add double quoting
ShellCheck:

note: Prefer double quoting even when variables don't contain special characters. [SC2248]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:28 +00:00
Dan Mihai
cc5f8d31d2 tests: k8s/tests_common.sh: add braces
ShellCheck: add braces around variable references:

note: Prefer putting braces around variable references even when not strictly required. [SC2250]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:28 +00:00
Dan Mihai
0d3f9fcee1 tests: tests_common: export variables used externally
ShellCheck: export variables used outside of tests_common.sh - e.g.,

warning: timeout appears unused. Verify use (or export if used externally). [SC2034]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:28 +00:00
Dan Mihai
5df43ffc7c tests: k8s/tests_common.sh: Prefer [[ ]] over [ ]
Replace [ ] with [[ ]] as advised by shellcheck:

note: Prefer [[ ]] over [ ] for tests in Bash/Ksh. [SC2292]

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-03-20 19:02:28 +00:00
Dan Mihai
f79fabab24
Merge pull request #11024 from microsoft/danmihai1/empty-exec-output
tests: k8s: retry "kubectl exec" on empty output
2025-03-20 11:03:08 -07:00
stevenhorsman
70d32afbb7 ci: Remove metrics tests from required list
The metrics tests haven't been stable, or required through
github for many week now, so update the required-tests.yaml
list to re-sync

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-20 16:03:03 +00:00
stevenhorsman
607b27fd7f ci: Update static-checks strings
With the refactor in #10948 the names of
the static checks has changed, so update these.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-20 13:45:57 +00:00
Mikko Ylinen
f52a565834 build: drop libtdx-attest
with the latest CoCo guest-components, tdx-attester no longer
depends on libtdx attest. Stop installing it to the rootfs.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2025-03-20 10:45:30 +02:00
Steve Horsman
c0632f847f
Merge pull request #11043 from stevenhorsman/3.15.0-release
release: Bump version to 3.15.0
2025-03-20 07:38:20 +00:00
Greg Kurz
e19b81225c
Merge pull request #11045 from kata-containers/sprt/fix-gha-tag
security: ci: Pin third-party actions to commit hashes
2025-03-20 08:14:06 +01:00
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-19 13:52:49 -05:00
stevenhorsman
fad248ef09 release: Bump version to 3.15.0
Bump VERSION and helm-chart versions

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-19 17:28:06 +00:00
Fabiano Fidêncio
a6e5d28a15
Merge pull request #11055 from stevenhorsman/bump-github.com/containerd/containerd/v1.7.27
runtime: Update github.com/containerd/containerd
2025-03-19 18:19:10 +01:00
stevenhorsman
cb7c599180 runtime: Switch from deprecated tracer
`go.opentelemetry.io/otel/trace.NewNoopTracerProvider`
is deprectated now, so switch to
`go.opentelemetry.io/otel/trace/noop.NewTracerProvider`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-19 14:22:06 +00:00
stevenhorsman
8f22b07aba runtime: Update github.com/containerd/containerd
Update to 1.7.27 to resolve CVE-2024-40635

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-03-19 13:48:04 +00:00
Lukáš Doktor
d708866b2a
ci.ocp: shellcheck various fixes
various manual fixes.

Related to: #10951

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-03-19 12:26:28 +01:00
Lukáš Doktor
7e11489daf
ci: shellcheck - collection of fixes
manual fixes of various issues.

Related to: #10951

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-03-19 12:26:23 +01:00
Lukáš Doktor
f62e08998c
ci: shellcheck - remove unused argument
the "-a" argument was introduced with this tool but never was actually
used.

Related to: #10951

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-03-19 12:26:19 +01:00
Lukáš Doktor
02deb1d782
ci: shellcheck SC2248
SC2248 (style): Prefer double quoting even when variables don't contain
special characters, might result in arguments difference, shouldn't in
our cases.

Related to: #10951

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-03-19 12:26:16 +01:00
Lukáš Doktor
d80e7c7644
ci: shellcheck SC2155
SC2155 (warning): Declare and assign separately to avoid masking return
values, should be harmless.

Related to: #10951

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-03-19 12:26:12 +01:00
Lukáš Doktor
6552ac41e0
ci: shellcheck SC2086
SC2086 Double quote to prevent globbing and word splitting, might break
places where we deliberately use word splitting, but we are not using it
here.

Related to: #10951

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-03-19 12:26:08 +01:00
Lukáš Doktor
154a4ddc00
ci: shellcheck SC2292
SC2292 (style): Prefer [[ ]] over [ ] for tests in Bash/Ksh. This might
result in different handling of globs and some ops which we don't use.

Related to: #10951

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-03-19 12:26:03 +01:00
Lukáš Doktor
667e26036c
ci: shellcheck SC2250
Treat the SC2250 require-variable-braces in CI. There are no functional
changes.

Related to: #10951

Signed-off-by: Lukáš Doktor <ldoktor@redhat.com>
2025-03-19 12:25:44 +01:00
Zvonko Kaiser
d37d9feee9
Merge pull request #11035 from kata-containers/sprt/fix-dependabot
security: ci: Remove `replace` directives in go.mod files
2025-03-18 12:43:46 -04:00
Steve Horsman
ba5b0777b5
Merge pull request #11002 from fitzthum/bump-gc-0130
Bump Trustee and Guest Components for coco v0.13.0
2025-03-17 16:31:23 +00:00
RuoqingHe
36d2dee3a4
Merge pull request #11042 from RuoqingHe/runtime-rs-riscv
runtime-rs: Support and enable build on riscv64
2025-03-17 21:42:15 +08:00
Ruoqing He
cb7508ffdc ci: Enable runtime-rs component build-check on riscv64
`runtime-rs` is now buildable and testable on riscv64 platforms, enable
`build-check` on `runtime-rs`.

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
2025-03-17 17:38:59 +08:00
Steve Horsman
f308cbba93
Merge pull request #11015 from AdithyaKrishnan/main
CI: Mark SNP as a Required test
2025-03-17 09:27:28 +00:00