1204 Commits

Author SHA1 Message Date
Fabiano Fidêncio
05f836ea23 Merge pull request #13038 from stevenhorsman/move-k8s-measured-rootfs
ci: Move measure-rootfs to run on TEE PRs
2026-05-18 17:29:25 +02:00
Hyounggyu Choi
f6fce19e01 Merge pull request #13062 from BbolroC/skip-coco-test-with-no-reference-values-ibm-sel
test: skip CDH resource test for qemu-se without reference values
2026-05-18 14:47:50 +02:00
Hyounggyu Choi
540986bc8f test: skip CDH resource test for qemu-se without reference values
Since gc and trustee were bumped (#13046), the test
"Cannot get CDH resource when affirming policy is set without reference values"
has started failing for IBM SEL.

The attestation policy for IBM SEL returns an "affirming"
result whenever the claim can be parsed successfully,
meaning the evidence verification succeeds. As a result,
the negative test above always produces a positive result.

Skip this negative test for IBM SEL environments
(e.g. qemu-se*).

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2026-05-18 08:40:16 +02:00
Dan Mihai
ddc36060d2 gha: k8s: reject unsupported KATA_HYPERVISOR values
Exit early with an error message instead of starting kata-deploy if
the value of KATA_HYPERVISOR is not expected during CI.

For example: "cloud-hypervisor" was renamed recently to
"clh-runtime-rs" and user scripts depending on the old name were
getting tangled in kata-deploy instead of just rejecting the old
value quickly.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-16 01:04:31 +00:00
Dan Mihai
0f3df5d1e4 Merge pull request #13025 from manuelh-dev/mahuber/img-pull-policy
tests: generate guest-pull image pull agent security policies
2026-05-15 14:09:00 -07:00
Fabiano Fidêncio
c19bdbf23b tests: nvidia-nim: use trusted storage templates for runtime-rs
Now that runtime-rs supports block-encrypted emptyDir volumes, remove
the no-trusted-storage workaround templates and the is_runtime_rs
branching in the NIM test. Runtime-rs now uses the same TEE templates
as the Go runtime with emptyDir + PVC at 48Gi memory, instead of the
128Gi workaround that compensated for lacking trusted storage.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-05-14 22:56:11 +02:00
Fabiano Fidêncio
54aaa1ea2a tests: enable trusted ephemeral storage for runtime-rs
Remove the runtime-rs skip from the trusted ephemeral data storage
test now that runtime-rs implements block-encrypted emptyDir volumes.

Also remove the genpolicy drop-in that disabled encrypted_emptydir
for runtime-rs and the corresponding copy logic in tests_common.sh.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-05-14 22:56:11 +02:00
Manuel Huber
ed4233bf91 rootfs: cdh: Update CDH to new version
Update CDH to a newer version and:
- adjust the NVIDIA root filesystem build to reflect the change from
  using libcryptsetup to using the cryptsetup binary.
- adjust image-pull test cases to conduct parallel write operations
  on the /dev/trusted_store backed guest image pull location since
  issue #12721 has been solved on CDH side.

Fixes #12721

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-13 20:20:45 +02:00
stevenhorsman
5c55726d11 tests/k8s: Update measured-rootfs image
Try and switch the docker nginx image to our versions.yaml
one so we avoid rate limit issues

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-13 17:17:48 +01:00
stevenhorsman
2870f7c2dd ci: Move measure-rootfs to run on TEE PRs
k8s-measured-rootfs only runs on confidential runtime,
so we should move it into the subset on tests that run on TEEs

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-05-13 17:01:50 +01:00
Dan Mihai
3799473041 Merge pull request #13010 from microsoft/danmihai1/label-references
genpolicy: support env variable values sourced from metadata.labels values
2026-05-12 15:41:11 -07:00
Manuel Huber
da4307efb7 tests: generate policies for guest-pull images
Replace guest-pull image allow-all placeholders with explicit
auto-generated policies for each generated pod manifest.

Generate policy after the final YAML edits so initdata and image
pull secrets are represented in the policy inputs.

Assisted-by: OpenAI Codex <codex@openai.com>
Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-12 15:03:15 -07:00
Manuel Huber
6a274b5110 tests: seed auto-generated policy from initdata
Teach auto_generate_policy to reuse a cc_init_data annotation by
decoding it into the temporary default-initdata.toml file.

This lets tests preserve CDH initdata while genpolicy appends the
generated agent security policy for the workload.

Assisted-by: OpenAI Codex <codex@openai.com>
Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-12 15:03:14 -07:00
Manuel Huber
e774b13c95 tests: share genpolicy registry auth setup helper
Move the Docker auth setup into common.bash so tests beyond the
NVIDIA runner can provide credentials for genpolicy image pulls.

Make the registry, username, password and output directory explicit
while preserving the nvcr.io setup used by the NIM tests.

Assisted-by: OpenAI Codex <codex@openai.com>
Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-12 15:03:14 -07:00
Manuel Huber
c265e4905f tests: nvidia: avoid NIM journal dumps on success
BATS_TEST_COMPLETED is per-test and remains empty in teardown_file.
Track file-level state so successful NIM runs skip the journal dump
while setup or test failures still include node diagnostics.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-10 09:10:01 -07:00
Manuel Huber
1c081ff434 tests: nvidia: place NIM service into namespace
Place the NIM service into our test namespace. We are still observing
various situations where for some reasons, the NIM service appears in
the default namespace in our CI.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-10 07:36:23 +00:00
Fabiano Fidêncio
f7be57efe2 Merge pull request #13007 from manuelh-dev/mahuber/dbg-nim-svc
tests: nvidia: Wait for NIM operator pod and print
2026-05-08 20:58:51 +02:00
Manuel Huber
714adec3f8 tests: nvidia: Wait for NIM operator pod and print
Wait for the NIM operator pod to run before deploying NIM services.
Add a temporary debug function to print resource placement into the
different namespaces. Remove this function again when the NIM tests
are stabilized.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2026-05-08 06:27:48 +00:00
Ubuntu
b95be5332a genpolicy: env variables from metadata.labels
Add basic genpolicy support for container environment variables sourced
from metadata.labels.

In this implementation, the relevant labels must be available as input
to the policy tool. This is slightly different from the way variables
sourced from metadata.annotations are treated by the tool: when the
relevant annotation is not available as input, the generated Policy
allows any value. Depending on metadata.labels use cases that we might
encounter maybe the labels will be handled the same way as the
annotations in the future.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-07 23:35:56 +00:00
Dan Mihai
39b9c318e2 tests: k8s: merge two policy-pod test cases
One of these test cases was a subset of the other, so remove that
redundancy.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-07 22:39:23 +00:00
Fabiano Fidêncio
0f3160276b ci: k8s: skip no-op Helm uninstall on free runners
In cleanup_kata_deploy, bail out early when no kata-deploy Helm release
exists so baremetal-* pre-deploy cleanup on fresh clusters does not
block on helm uninstall --wait (up to 10m).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Assisted-by: Cursor <cursoragent@cursor.com>
2026-05-07 13:40:55 +02:00
Fabiano Fidêncio
19c194aa94 ci: Add runtime-rs GPU shims to NVIDIA GPU CI workflow
Add qemu-nvidia-gpu-runtime-rs and qemu-nvidia-gpu-snp-runtime-rs to
the NVIDIA GPU test matrix so CI covers the new runtime-rs shims.

Introduce a `coco` boolean field in each matrix entry and use it for
all CoCo-related conditionals (KBS, snapshotter, KBS deploy/cleanup
steps). This replaces fragile name-string comparisons that were already
broken for the runtime-rs variants: `nvidia-gpu (runtime-rs)` was
incorrectly getting KBS steps, and `nvidia-gpu-snp (runtime-rs)` was
not getting the right env vars.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2026-05-07 10:33:26 +02:00
Dan Mihai
fcee4864e7 genpolicy: ignore additional PodAffinity fields
1. Ignore PodAffinity's preferredDuringSchedulingIgnoredDuringExecution.
2. Ignore additional PodAffinityTerm fields.
3. Add basic tests for the new fields.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-06 01:38:02 +00:00
Dan Mihai
b6349f50ab genpolicy: ignore preemptionPolicy
Ignore the pod preemptionPolicy field from input YAML - irrelevant
for building the Policy.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-06 00:35:27 +00:00
Dan Mihai
9f4a7a9d55 Merge pull request #12978 from microsoft/danmihai1/empty-env-var
genpolicy: support empty environment variables
2026-05-05 14:10:35 -07:00
Dan Mihai
99dd897814 genpolicy: support empty environment variables
K8s supports them, so genpolicy should support them too.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-05 18:53:25 +00:00
Fabiano Fidêncio
29e63c21a1 tests: k8s-cron-job: set runtimeClassName to kata
The cron-job test workload was missing `runtimeClassName: kata`, which
meant the cron job was not actually being executed under the Kata
runtime, defeating the purpose of the test.

Set it explicitly, consistent with the sibling `job.yaml` workload.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-05 11:21:05 +02:00
Dan Mihai
0a6dc2fae0 ci: mariner: use OCI version 1.2.1
Mariner moved from version 1.2.0 to version 1.2.1.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2026-05-05 02:23:30 +00:00
Fabiano Fidêncio
8c3c7aa871 ci: Drop ITA_KEY usage from CI workflows
The ITA_KEY secret was conditionally passed to TDX jobs for Intel
Trust Authority attestation, but it is no longer needed. Remove it
from all workflow files and the test helper export.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-05-03 18:05:51 +02:00
Aurélien Bombo
f3dc71a770 Revert "tests: k8s: policy: improve settings selection for runtime-rs hypervisors"
This reverts commit cafdd278ba.
2026-04-28 10:58:01 -05:00
Aurélien Bombo
e4fbddb91a ci: rename cloud-hypervisor to clh-runtime-rs
This aligns on qemu-runtime-rs and makes more sense.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2026-04-28 10:58:01 -05:00
Saul Paredes
7c8df3b9e6 Revert "test: temp skip failing tests on AKS"
This reverts commit 90e94ab305.
2026-04-27 09:36:51 -07:00
Saul Paredes
3273c4e1cc Revert "ci: Skip tests not working with k8s 1.36.0"
This reverts commit df68536cd6.
2026-04-27 08:08:27 -07:00
Saul Paredes
51f234cb56 tests: describe pods deployment when testing deployment output
For k8s 1.36.0, the events of a pod are no longer included in the "kubectl describe pod"
output when describing a deployment. Describe using the "app" label instead.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2026-04-27 08:07:58 -07:00
Mikko Ylinen
9cccfb5cb5 tests: align qemu-tdx kbs tests to use Trustee AS
No need to deviate from how other CoCo targets use Trustee and
enables us to add more tests (e.g., RVPS) that ITA Trustee implemention
does not support.

Signed-off-by: Mikko Ylinen <mikko.ylinen@intel.com>
2026-04-25 22:53:15 +02:00
Fabiano Fidêncio
df68536cd6 ci: Skip tests not working with k8s 1.36.0
At first we thought this only happened with AKS, but it seems this is a
change in k8s 1.36.0 as the tests now started failing outside of AKS as
well.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2026-04-25 08:56:42 +02:00
Fabiano Fidêncio
e6c6aad7af ci: k8s: temporarily remove smb tests
All the CIs are failing on the tests and in order to avoid blocking
upstream while allowing enough time for the developers to properly fix
it, let's just not execute the test.

This commit should be reverted once a fix is proposed.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 21:13:23 +02:00
Aurélien Bombo
15296fc9fe Merge pull request #12374 from microsoft/cameronbaird/add-cifs
kernel: add required configs for CIFS support
2026-04-24 10:42:09 -05:00
Fabiano Fidêncio
011e0178e1 tests: Fix shellcheck issues in nydus_tests.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
1161249197 tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
ccfe25096f tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
f58fcfe088 tests: Fix shellcheck issues in tests_common.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
0c42a1e0b0 tests: Fix shellcheck issues in setup.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
65b24cf119 tests: Fix shellcheck issues in run_kubernetes_tests.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
b4bf94d508 tests: Fix shellcheck issues in lib.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
dc0f5e96bc tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
4a65b8602d tests: Fix shellcheck issues in filter_k8s_test.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
400923efac tests: Fix shellcheck issues in confidential_common.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
24b00204b9 tests: Fix shellcheck issues in gha-run.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:08 +02:00
Fabiano Fidêncio
27e74919a7 tests: Fix shellcheck issues in integration-tests.sh
Fix shellcheck warnings and notes identified by running
shellcheck --severity=style.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2026-04-24 08:14:07 +02:00