Commit Graph

1193 Commits

Author SHA1 Message Date
Hyounggyu Choi
540986bc8f test: skip CDH resource test for qemu-se without reference values
Since gc and trustee were bumped (#13046), the test
"Cannot get CDH resource when affirming policy is set without reference values"
has started failing for IBM SEL.

The attestation policy for IBM SEL returns an "affirming"
result whenever the claim can be parsed successfully,
meaning the evidence verification succeeds. As a result,
the negative test above always produces a positive result.

Skip this negative test for IBM SEL environments
(e.g. qemu-se*).

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2026-05-18 08:40:16 +02:00
Manuel Huber
ed4233bf91 rootfs: cdh: Update CDH to new version
Update CDH to a newer version and:
- adjust the NVIDIA root filesystem build to reflect the change from
  using libcryptsetup to using the cryptsetup binary.
- adjust image-pull test cases to conduct parallel write operations
  on the /dev/trusted_store backed guest image pull location since
  issue #12721 has been solved on CDH side.

Fixes #12721

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-13 20:20:45 +02:00
Dan Mihai
3799473041 Merge pull request #13010 from microsoft/danmihai1/label-references
genpolicy: support env variable values sourced from metadata.labels values
2026-05-12 15:41:11 -07:00
Manuel Huber
c265e4905f tests: nvidia: avoid NIM journal dumps on success
BATS_TEST_COMPLETED is per-test and remains empty in teardown_file.
Track file-level state so successful NIM runs skip the journal dump
while setup or test failures still include node diagnostics.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-10 09:10:01 -07:00
Manuel Huber
1c081ff434 tests: nvidia: place NIM service into namespace
Place the NIM service into our test namespace. We are still observing
various situations where for some reasons, the NIM service appears in
the default namespace in our CI.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-10 07:36:23 +00:00
Fabiano Fidêncio
f7be57efe2 Merge pull request #13007 from manuelh-dev/mahuber/dbg-nim-svc
tests: nvidia: Wait for NIM operator pod and print
2026-05-08 20:58:51 +02:00
Manuel Huber
714adec3f8 tests: nvidia: Wait for NIM operator pod and print
Wait for the NIM operator pod to run before deploying NIM services.
Add a temporary debug function to print resource placement into the
different namespaces. Remove this function again when the NIM tests
are stabilized.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-08 06:27:48 +00:00
Ubuntu
b95be5332a genpolicy: env variables from metadata.labels
Add basic genpolicy support for container environment variables sourced
from metadata.labels.

In this implementation, the relevant labels must be available as input
to the policy tool. This is slightly different from the way variables
sourced from metadata.annotations are treated by the tool: when the
relevant annotation is not available as input, the generated Policy
allows any value. Depending on metadata.labels use cases that we might
encounter maybe the labels will be handled the same way as the
annotations in the future.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-07 23:35:56 +00:00
Dan Mihai
39b9c318e2 tests: k8s: merge two policy-pod test cases
One of these test cases was a subset of the other, so remove that
redundancy.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-07 22:39:23 +00:00
Fabiano Fidêncio
0f3160276b ci: k8s: skip no-op Helm uninstall on free runners
In cleanup_kata_deploy, bail out early when no kata-deploy Helm release
exists so baremetal-* pre-deploy cleanup on fresh clusters does not
block on helm uninstall --wait (up to 10m).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-05-07 13:40:55 +02:00
Fabiano Fidêncio
19c194aa94 ci: Add runtime-rs GPU shims to NVIDIA GPU CI workflow
Add qemu-nvidia-gpu-runtime-rs and qemu-nvidia-gpu-snp-runtime-rs to
the NVIDIA GPU test matrix so CI covers the new runtime-rs shims.

Introduce a `coco` boolean field in each matrix entry and use it for
all CoCo-related conditionals (KBS, snapshotter, KBS deploy/cleanup
steps). This replaces fragile name-string comparisons that were already
broken for the runtime-rs variants: `nvidia-gpu (runtime-rs)` was
incorrectly getting KBS steps, and `nvidia-gpu-snp (runtime-rs)` was
not getting the right env vars.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-05-07 10:33:26 +02:00
Dan Mihai
fcee4864e7 genpolicy: ignore additional PodAffinity fields
1. Ignore PodAffinity's preferredDuringSchedulingIgnoredDuringExecution.
2. Ignore additional PodAffinityTerm fields.
3. Add basic tests for the new fields.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-06 01:38:02 +00:00
Dan Mihai
b6349f50ab genpolicy: ignore preemptionPolicy
Ignore the pod preemptionPolicy field from input YAML - irrelevant
for building the Policy.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-06 00:35:27 +00:00
Dan Mihai
9f4a7a9d55 Merge pull request #12978 from microsoft/danmihai1/empty-env-var
genpolicy: support empty environment variables
2026-05-05 14:10:35 -07:00
Dan Mihai
99dd897814 genpolicy: support empty environment variables
K8s supports them, so genpolicy should support them too.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-05 18:53:25 +00:00
Fabiano Fidêncio
29e63c21a1 tests: k8s-cron-job: set runtimeClassName to kata
The cron-job test workload was missing `runtimeClassName: kata`, which
meant the cron job was not actually being executed under the Kata
runtime, defeating the purpose of the test.

Set it explicitly, consistent with the sibling `job.yaml` workload.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-05 11:21:05 +02:00
Dan Mihai
0a6dc2fae0 ci: mariner: use OCI version 1.2.1
Mariner moved from version 1.2.0 to version 1.2.1.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-05 02:23:30 +00:00
Fabiano Fidêncio
8c3c7aa871 ci: Drop ITA_KEY usage from CI workflows
The ITA_KEY secret was conditionally passed to TDX jobs for Intel
Trust Authority attestation, but it is no longer needed. Remove it
from all workflow files and the test helper export.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-03 18:05:51 +02:00
Aurélien Bombo
f3dc71a770 Revert "tests: k8s: policy: improve settings selection for runtime-rs hypervisors"
This reverts commit cafdd278ba.
2026-04-28 10:58:01 -05:00
Aurélien Bombo
e4fbddb91a ci: rename cloud-hypervisor to clh-runtime-rs
This aligns on qemu-runtime-rs and makes more sense.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-04-28 10:58:01 -05:00
Saul Paredes
7c8df3b9e6 Revert "test: temp skip failing tests on AKS"
This reverts commit 90e94ab305.
2026-04-27 09:36:51 -07:00
Saul Paredes
3273c4e1cc Revert "ci: Skip tests not working with k8s 1.36.0"
This reverts commit df68536cd6.
2026-04-27 08:08:27 -07:00
Saul Paredes
51f234cb56 tests: describe pods deployment when testing deployment output
For k8s 1.36.0, the events of a pod are no longer included in the "kubectl describe pod"
output when describing a deployment. Describe using the "app" label instead.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2026-04-27 08:07:58 -07:00
Mikko Ylinen
9cccfb5cb5 tests: align qemu-tdx kbs tests to use Trustee AS
No need to deviate from how other CoCo targets use Trustee and
enables us to add more tests (e.g., RVPS) that ITA Trustee implemention
does not support.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2026-04-25 22:53:15 +02:00
Fabiano Fidêncio
df68536cd6 ci: Skip tests not working with k8s 1.36.0
At first we thought this only happened with AKS, but it seems this is a
change in k8s 1.36.0 as the tests now started failing outside of AKS as
well.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2026-04-25 08:56:42 +02:00
Fabiano Fidêncio
e6c6aad7af ci: k8s: temporarily remove smb tests
All the CIs are failing on the tests and in order to avoid blocking
upstream while allowing enough time for the developers to properly fix
it, let's just not execute the test.

This commit should be reverted once a fix is proposed.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 21:13:23 +02:00
Aurélien Bombo
15296fc9fe Merge pull request #12374 from microsoft/cameronbaird/add-cifs
kernel: add required configs for CIFS support
2026-04-24 10:42:09 -05:00
Fabiano Fidêncio
011e0178e1 tests: Fix shellcheck issues in nydus_tests.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
1161249197 tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
ccfe25096f tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
f58fcfe088 tests: Fix shellcheck issues in tests_common.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
0c42a1e0b0 tests: Fix shellcheck issues in setup.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
65b24cf119 tests: Fix shellcheck issues in run_kubernetes_tests.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
b4bf94d508 tests: Fix shellcheck issues in lib.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
dc0f5e96bc tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
4a65b8602d tests: Fix shellcheck issues in filter_k8s_test.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
400923efac tests: Fix shellcheck issues in confidential_common.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
24b00204b9 tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
27e74919a7 tests: Fix shellcheck issues in integration-tests.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:07 +02:00
Fabiano Fidêncio
c04dcb9c2f tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:07 +02:00
Cameron Baird
9da088f06e ci: Introduce smb server test
Add k8s-smb-volume.bats which stands up a SMB server and a SMB client
(in kata pod).

Verifies that a CIFS SMB volumn can be mounted in the kata VM.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2026-04-23 21:04:46 -05:00
Saul Paredes
90e94ab305 test: temp skip failing tests on AKS
"kubectl describe" output has been recently updated in AKS,
and this change in behaviour no longer allows us to assess these tests correctly.

failing tests: https://github.com/kata-containers/kata-containers/actions/runs/24809935437/job/72613854358#step:13:609

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2026-04-23 14:36:57 -07:00
Fabiano Fidêncio
fccfd4dec7 tests: remove orphan vfio.yaml k8s workload manifest
This manifest is not referenced by any .bats test file and
is effectively dead code.

Made-with: Cursor
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-23 08:46:12 +02:00
Fabiano Fidêncio
c380c4c1d2 tests: remove unreferenced stdio integration tests
The tests/integration/stdio/ directory has a gha-run.sh script
but no workflow in .github/workflows/ references it, so these
tests never run in CI.

Made-with: Cursor
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-23 08:46:12 +02:00
Saul Paredes
cafdd278ba tests: k8s: policy: improve settings selection for runtime-rs hypervisors
"cloud-hypervisor" is also a runtime-rs hypervisor. So we need to include it in the settings selection logic.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2026-04-21 14:08:27 -07:00
Saul Paredes
baf0f16804 ci: k8s-tests: test mariner and runtime-rs
Disable policy tests when using mariner and runtime-rs. These are not supported yet.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2026-04-21 14:08:21 -07:00
Fabiano Fidêncio
1c2d5cb57d Merge pull request #12848 from kata-containers/sprt/fix-block-vol-test
tests: make k8s-block-volume more robust
2026-04-21 11:27:43 +02:00
Dan Mihai
b2ea9a8fc6 Merge pull request #12460 from microsoft/danmihai1/k8s-openvpn-runtime
tests: annotations for all k8s-openvpn yaml files
2026-04-20 09:47:02 -07:00
stevenhorsman
c75c432c01 ci: Update TEE scope
`k8s-confidential.bats` technically doesn't need attestation, but only runs
on TEE hardware, so include it in the attestation list so we can test it in PRs

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-20 09:36:10 +01:00
stevenhorsman
7179e92142 tests/confidentials: Remove pointless skip
The skip conditional is wrong, but it's not needed as the setup
and teardown only allow confidential hardware anyway

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-20 09:36:10 +01:00