Commit Graph

61 Commits

Author SHA1 Message Date
Fabiano Fidêncio
5beb1af202 tests: Pass EXPERIMENTAL_FORCE_GUEST_PULL to the test
Right now we have only been passing the env var to the deployment
script, but we really need to pass it to the tests script as well.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 14:46:48 +01:00
stevenhorsman
79082171ca workflows: Add Delete AKS cluster timeout
When testing this branch, on several occasions the Delete
AKS cluster step has hung for multiple hours, so add a timeout
to prevent this.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-13 14:18:43 +00:00
stevenhorsman
0335012824 tests/k8s: Enable tests for qemu-coco-dev-runtime-rs
Add the runtime class to the non-tee tests and
enable it to run in the test code

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-11-13 14:18:43 +00:00
Fabiano Fidêncio
a04cdbc40f tests: Enforce qemu-coco-dev for experimental_force_guest_pull
The fact that we were not explicitly setting the VMM was leading to us
testing with the default runtime class (qemu). :-/

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-12 16:07:05 +01:00
Fabiano Fidêncio
1bc873397b tests: Use NFD as part of the tests
As we have the ability to deploy NFD as a sub-chart of our chart, let's
make sure we test it during our CI.

We had to increase the timeout values, where we had timeouts set, to
deploy / undeploy kata, as now NFD is also deployed / undeployed.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-31 16:30:13 +01:00
Fabiano Fidêncio
59883a2d99 actions: Remove unused USING_NFD
There's no reason to keep the env var / input as it's never been used
and now kata-deploy detects automatically whether NFD is deployed or
not.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-28 21:24:27 +01:00
Aurélien Bombo
b7f542443e ci: Always refresh OIDC token before cluster deletion
This forces OIDC token refresh even if the tests step failed, so that we
also have proper credentials to delete the cluster in that case.

I first noticed the original issue here:
https://github.com/kata-containers/kata-containers/actions/runs/18659064688/job/53215379040?pr=11950

Fixes: #11953

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-21 09:35:52 -05:00
Fabiano Fidêncio
e782d1ad50 ci: k8s: Test experimental_force_guest_pull
Now that we have added the ability to deploy kata-containers with
experimental_force_guest_pull configured, let's make sure we test it to
avoid any kind of regressions.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 20:08:10 +02:00
Fabiano Fidêncio
06a3bbdd44 ci: k8s: coco: Add "Report tests" step
For some reason we didn't have the "Report tests" step as part of the
TEE jobs. This step immensely helps to check which tests are failing and
why, so let's add it while touching the workflow.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 09:51:59 +02:00
Fabiano Fidêncio
a1f90fe350 tests: k8s: Unify k8s TEE tests
There's no reason to have the code duplication between the SNP / TDX
tests for CoCo, as those are basically using the same configuration
nowadays.

Note that for the TEEs case, as the nydus-snapshotter is deployed by the
admin, once, instead of deploying it on every run ... I'm actually
removing the nydus-snapshotter steps so we make it clear that those
steps are not performed by the CI.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-10 09:51:59 +02:00
Fabiano Fidêncio
3418cedacc ci: Add tests for erofs-snapshotter (for coco-qemu-dev)
erofs-snapshotter can be used to leverage sharing the image from the
host to the guest without the need of a shared filesystem (such as
virtio-fs or virtio-9p).

This case is ideal for Confidential Computing enabled on Kata
Containers, and we can immensely benefit from this snapshotter, thus
let's test it as soon as possible so we can find issues, report bugs,
and ask for enhancement requests.

There are at least a few things that we know for sure to be problematic
now:
* Policy has to be adjusted to the erofs-snapshotter
* There is no support for signed nor encrypted images
* Tests that use the KBS are disabled for now

Even with the limitations, I do believe we should be testing the
snapshoitter, so we can team up and get those limitations addressed.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-08 10:34:09 +02:00
Fabiano Fidêncio
f994bacf6c tests: coco: Use the new way to set up nydus snapshotter
Let's rely on kata-deploy setting up the nydus snapshotter for us,
instead of doing this with external code.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-07 10:32:46 +02:00
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
Aurélien Bombo
f39517a18a ci: aks: Refresh OIDC token in case access token expired
It's possible that tests take a long time to run and hence that the access
token expires before we delete the cluster. In this case `az cli` will try
to refresh the access token using the OIDC token (which will have
definitely also expired because its lifetime is ~5 minutes).

To address this we refresh the OIDC token manually instead. Automatic
refresh isn't supported per Azure/azure-cli#28708.

Fixes: #11758

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-04 12:44:02 -05:00
stevenhorsman
f79e453313 workflows: Tighten up workflow permissions
Since the previous tightening a few workflow updates have
gone in and the zizmor job isn't flagging them as issues,
so address this to remove potential attack vectors

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Aurélien Bombo
96f1d95de5 gha: Remove unnecessary install-azure-cli step
az cli is already installed by the azure/login action.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-30 10:42:56 -05:00
Steve Horsman
967f66f677 Merge pull request #11380 from arvindskumar99/sev-deprecation
Sev deprecation
2025-07-09 11:38:13 +01:00
Wainer dos Santos Moschetta
e4da3b84a3 workflows: adopting azure/setup-kubectl
There are workflows that rely on `az aks install-cli` to get kubectl
installed. There is a well-known problem on install-cli, related with
API usage rate limit, that has recently caused the command to fail
quite often.

This is replacing install-cli with the azure/setup-kubectl github
action which has no such as rate limit problem.

While here, removed the install_cli() function from gha-run-k8s-common.sh
so avoid developers using it by mistake in the future.

Fixes #11463
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2025-07-08 15:15:54 -03:00
Arvind Kumar
ecac3d2d28 runtime: Removing runtime logic for SEV
Removing runtime SEV functionality,
such as the kbs, ovmf, VMSA handling,
and SEV configs as part of deprecating
SEV from kata.

Co-authored-by: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
Signed-off-by: Arvind Kumar <arvinkum@amd.com>
2025-07-07 11:17:32 -05:00
stevenhorsman
9d3b9fb438 workflows: Pin action hashes
Pin Github owned actions to specific hashes as recommended
as tags are mutable see https://pin-gh-actions.kammel.dev/.
This one of the recommendations that scorecard gives us.

Note this was generated with `frizbee actions`

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-21 08:14:13 +01:00
Steve Horsman
64c95cb996 Merge pull request #11389 from kata-containers/checkout-persist-credentials-false
workflows: Set persist-credentials: false on checkout
2025-06-16 09:58:22 +01:00
stevenhorsman
99e70100c7 workflows: Set persist-credentials: false on checkout
By default the checkout action leave the credentials
in the checked-out repo's `.git/config`, which means
they could get exposed. Use persist-credentials: false
to prevent this happening.

Note: static-checks.yaml does use git diff after the checkout,
but the git docs state that git diff is just local, so doesn't
need authentication.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-10 10:33:41 +01:00
Aurélien Bombo
9dd3807467 ci: Use OIDC to log into Azure
This completely eliminates the Azure secret from the repo, following the below
guidance:

https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-azure

The federated identity is scoped to the `ci` environment, meaning:

 * I had to specify this environment in some YAMLs. I don't believe there's any
   downside to this.
 * As previously, the CI works seamlessly both from PRs and in the manual
   workflow.

I also deleted the tools/packaging/kata-deploy/action folder as it doesn't seem
to be used anymore, and it contains a reference to the secret.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-06 15:26:10 -05:00
stevenhorsman
66ef1c1198 workflows: Replace secrets: inherit
Having secrets unconditionally being inherited is
bad practice, so update the workflows to only pass
through the minimal secrets that are needed

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:56:46 +01:00
stevenhorsman
2eda21180a workflows: Switch AUTHENTICATED_IMAGE_USER to var
AUTHENTICATED_IMAGE_USER isn't sensitive, so
update the secret for a var to simplify the workflows

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-06-06 09:49:14 +01:00
stevenhorsman
088e97075c workflow: Add top-level permissions
Set:
```
permissions:
  contents: read
```
as the default top-level permissions explicitly
to conform to recommended security practices e.g.
https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions
2025-05-28 19:34:28 +01:00
Wainer dos Santos Moschetta
80a816db9d workflows/run-k8s-tests-coco-nontee: add step to report tests
Run `gha-run.sh report-tests` to generate the report of the tests.

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2025-05-20 14:43:38 -03:00
Wainer dos Santos Moschetta
460c3394dd gha: run CoCo non-TEE tests on "all" host type
By running on "all" host type there are two consequences:

1) run the "normal" tests too (until now, it's only "small" tests), so
   increasing the coverage
2) create AKS cluster with larger VMs. This is a new requirement due to
   the current ingress controller for the KBS service eating too much
   vCPUs and lefting only few for the tests (resulting on failures)

Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2025-04-28 12:08:31 -03:00
Aurélien Bombo
a678046d13 gha: Pin third-party actions to commit hashes
A popular third-party action has recently been compromised [1][2] and
the attacker managed to point multiple git version tags to a malicious
commit containing code to exfiltrate secrets.

This PR follows GitHub's recommendation [3] to pin third-party actions
to a full-length commit hash, to mitigate such attacks.

Hopefully actionlint starts warning about this soon [4].

 [1] https://www.cve.org/CVERecord?id=CVE-2025-30066
 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
 [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
 [4] https://github.com/rhysd/actionlint/pull/436

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-03-19 13:52:49 -05:00
Adithya Krishnan Kannan
6cc5b79507 CI: Deprecate SEV
Phase 1 of Issue #10840
AMD has deprecated SEV support on
Kata Containers, and going forward,
SNP will be the only AMD feature
supported. As a first step in this
deprecation process, we are removing
the SEV CI workflow from the test suite
to unblock the CI.

Will be adding future commits to
remove redundant SEV code paths.

Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
2025-02-13 12:20:21 -06:00
Fabiano Fidêncio
23cb5bb6c2 ci: Only use the Ubuntu TDX machine in the CI
We've been hitting issues with the CentOS 9 Stream machine, which Intel
doesn't have cycles to debug.

After raising this up in the Confidential Containers community meeting
we got the green light from Red Hat (Ariel Adam) to just disable the CI
based on CentOS 9 Stream for now.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-02-10 12:50:16 +01:00
Ruoqing He
373a388844 ci: Retry on failure of Create AKS cluster
The `Create AKS cluster` step in `run-k8s-tests-on-aks.yaml` is likely
to fail fail since we are trying to issue `PUT` to `aks` in a relatively
high frequency, while the `aks` end has it's limit on `bucket-size` and
`refill-rate`, documented here [1].

Use `nick-fields/retry@v3` to retry in 10 seconds after request fail,
based on observations that AKS were request 7, or 8 second delays
before retry as part of their 429 response

[1] https://learn.microsoft.com/en-us/azure/aks/quotas-skus-regions#throttling-limits-on-aks-resource-provider-apis

Fixes: #10772

Signed-off-by: Ruoqing He <heruoqing@iscas.ac.cn>
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-01-22 13:24:51 +00:00
Aurélien Bombo
0d70dc31c1 ci: Unify on $GH_PR_NUMBER environment variable
While working on #10559, I realized that some parts of the codebase use
$GH_PR_NUMBER, while other parts use $PR_NUMBER.

Notably, in that PR, since I used $GH_PR_NUMBER for CoCo non-TEE tests
without realizing that TEE tests use $PR_NUMBER, the tests on that PR
fail on TEEs:

https://github.com/kata-containers/kata-containers/actions/runs/12818127344/job/35744760351?pr=10559#step:10:45

  ...
  44      error: error parsing STDIN: error converting YAML to JSON: yaml: line 90: mapping values are not allowed in this context
  ...
  135               image: ghcr.io/kata-containers/csi-kata-directvolume:
  ...

So let's unify on $GH_PR_NUMBER so that this issue doesn't repro in the
future: I replaced all instances of PR_NUMBER with GH_PR_NUMBER.

Note that since some test scripts also refer to that variable, the CI
for this PR will fail (would have also happened with the converse
substitution), hence I'm not adding the ok-to-test label and we should
force-merge this after review.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-01-17 10:53:08 -06:00
stevenhorsman
d4bd314d52 workflows: linting: Fix incorrect properties
These properties are currently invalid, so either
fix, or remove them

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-12-06 13:50:12 +00:00
Aurélien Bombo
16a91fccbe Merge pull request #10561 from sprt/csi-driver-ci
coco: ci: Lay groundwork for compiling and publishing CSI driver image [1/x]
2024-11-27 10:26:45 -06:00
Aurélien Bombo
5e4990bcf5 coco: ci: Add no-op steps to deploy CSI driver
This adds no-op steps that'll be used to deploy and clean up the CSI driver
used for testing.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-11-21 16:08:06 -06:00
Adithya Krishnan Kannan
ef367d81f2 ci: Re-enable SNP CI
We've debugged the SNP Node and we
wish to test the fixes on GHA.

Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
2024-11-18 11:11:27 -06:00
Fabiano Fidêncio
6a9266124b Merge pull request #10501 from kata-containers/topic/ci-split-tests
ci: tdx: Split jobs to run in 2 different machines
2024-11-14 17:24:50 +01:00
Fabiano Fidêncio
9b3fe0c747 ci: tdx: Adjust workflows to use different machines
This will be helpful in order to increase the OS coverage (we'll be
using both Ubuntu 24.04 and CentOS 9 Stream), while also reducing the
amount spent on the tests (as one machine will only run attestation
related tests, and the other the tests that do *not* require
attestation).

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-11-14 15:52:00 +01:00
Adithya Krishnan Kannan
439a1336b5 ci: Temporarily skip SNP CI
As discussed in the CI working group,
we are temporarily skipping the SNP CI
to unblock the remaining workflow.
Will revert after fixing the SNP runner.

Signed-Off-By: Adithya Krishnan Kannan <AdithyaKrishnan.Kannan@amd.com>
2024-11-13 11:44:16 -06:00
Fabiano Fidêncio
72979d7f30 workflows: Use AUTO_GENERATE_POLICY for qemu-coco-dev
By the moment we're testing it also with qemu-coco-dev, it becomes
easier for a developer without access to TEE to also test it locally.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2024-11-06 10:47:08 +01:00
Dan Mihai
1a4928e710 gha: enable AUTO_GENERATE_POLICY where needed
The behavior of Kata CI doesn't change.

For local testing using kubernetes/gha-run.sh:

1. Before these changes:
- AUTO_GENERATE_POLICY=yes was always used by the users of SEV, SNP,
  TDX, or KATA_HOST_OS=cbl-mariner.

2. After these changes:
- Users of SEV, SNP, TDX, or KATA_HOST_OS=cbl-mariner must specify
  AUTO_GENERATE_POLICY=yes if they want to auto-generate policy.
- These users have the option to test just using hard-coded policies
  (e.g., using the default policy built into the Guest rootfs) by
  using AUTO_GENERATE_POLICY=no. AUTO_GENERATE_POLICY=no is the default
  value of this env variable.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-10-02 23:20:33 +00:00
Gabriela Cervantes
d91979d7fa gha: Add ita_key as a github secret
This PR adds ita_key as a github secret at the kata coco tests yaml workflow.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-09-27 17:15:22 +02:00
Gabriela Cervantes
49b3a0faa3 gha: Increase timeout to run k8s tests on TDX
This PR increases the timeout to run k8s tests for Kata CoCo TDX
to avoid the random failures of timeout.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-09-19 17:15:47 +00:00
Aurélien Bombo
de98e467b4 ci: Use ubuntu-22.04 instead of ubuntu-latest
22.04 is the default today:
23da668261/README.md

Being more specific will avoid unexpected errors when Github updates the
default.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-08-27 16:44:39 +00:00
ChengyuZhu6
2b44e9427c gha: Increase timeout to run CoCo tests
This PR increases the timeout for running the CoCo tests to avoid random failures.
These failures occur when the action `Run tests` times out after 30 minutes, causing the CI to fail.

Fixes: #10062

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2024-07-24 12:31:38 +08:00
Gabriela Cervantes
b6b8524ab7 gha: Increase timeout to run CoCo TDX tests
This PR increases the timeout to run the CoCo TDX tests in order
to avoid the random failures on TDX saying that
The action 'Run tests' has timed out after 30 minutes and making
the GHA job fail.

Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com>
2024-07-10 16:06:07 +00:00
Niteesh Dubey
e7b4e5e386 gha: add SNP attestation test
This tests the attestation of SNP guest.

Signed-off-by: Niteesh Dubey <niteesh@us.ibm.com>
2024-07-09 17:14:26 +00:00
stevenhorsman
d8961cbd4a workflow: coco: Add auth registry secret
- Add the `AUTHENTICATED_IMAGE_USER` and
`AUTHENTICATED_IMAGE_PASSWORD` repository secrets as env vars
to the coco tests, so we can use them to pull an images from
and authenticated registry for testing

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2024-06-25 11:11:02 +01:00
Fabiano Fidêncio
2bab0f31d7 ci: tdx: Re-enable TDX CI
Now, using vanilla kubernetes, let's re-enable the TDX CI and hope it
becomes more stable than it used to be.

The cleanup-snapshotter is now taking ~4 minutes, and that matches with
the other platforms, mainly considering there's a sum of 210 seconds
sleep in the process.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-06-19 20:08:28 +02:00