fix

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
cont: fix secret passing
2026-04-11 06:22:55 +00:00 · 2026-04-10 13:31:30 -05:00 · 2026-04-10 13:01:26 -05:00 · 2026-04-10 12:07:51 -05:00 · 2026-04-10 16:40:42 +02:00 · 2026-04-10 11:01:20 +02:00
29 changed files with 122 additions and 101 deletions
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -26,8 +26,8 @@ jobs:
      target-branch: ${{ github.ref_name }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -21,9 +21,9 @@ jobs:

    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -25,9 +25,9 @@ jobs:
      extensive-matrix-autogenerated-policy: "yes"
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -44,9 +44,9 @@ jobs:
      skip-test: ${{ needs.skipper.outputs.skip_test }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -19,11 +19,11 @@ on:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true

-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true
      QUAY_DEPLOYER_PASSWORD:
        required: true
@@ -120,9 +120,9 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
    permissions:
      contents: read
      id-token: write
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -27,11 +27,11 @@ on:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true

-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true
      CI_HKD_PATH:
        required: true
@@ -242,9 +242,9 @@ jobs:
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
    secrets:
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

  run-k8s-tests-on-free-runner:
    if: ${{ inputs.skip-test != 'yes' }}
@@ -309,9 +309,9 @@ jobs:
      extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      ITA_KEY: ${{ secrets.ITA_KEY }}

  run-k8s-tests-on-zvsi:
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -23,9 +23,9 @@ jobs:
      - name: Log into Azure
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Install Python dependencies
        run: |
@@ -35,6 +35,6 @@ jobs:

      - name: Cleanup resources
        env:
-          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
          CLEANUP_AFTER_HOURS: 24 # Clean up resources created more than this many hours ago.
        run: python3 tests/cleanup_resources.py
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -26,11 +26,11 @@ on:
        default: ""
    secrets:

-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true


@@ -102,9 +102,9 @@ jobs:
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Create AKS cluster
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -142,9 +142,9 @@ jobs:
        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Delete AKS cluster
        if: always()
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -26,11 +26,11 @@ on:
        type: string
    secrets:

-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true
@@ -98,9 +98,9 @@ jobs:
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Create AKS cluster
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -150,9 +150,9 @@ jobs:
        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Delete AKS cluster
        if: always()
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -31,11 +31,11 @@ on:
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true
-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true
      ITA_KEY:
        required: true
@@ -53,6 +53,8 @@ jobs:
            vmm: qemu-tdx
          - runner: sev-snp
            vmm: qemu-snp
+          - runner: sev-snp
+            vmm: qemu-snp-runtime-rs
    runs-on: ${{ matrix.runner }}
    env:
      DOCKER_REGISTRY: ${{ inputs.registry }}
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -22,11 +22,11 @@ on:
        type: string
        default: ""
    secrets:
-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true

 permissions: {}
@@ -77,9 +77,9 @@ jobs:
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Create AKS cluster
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -112,9 +112,9 @@ jobs:
        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Delete AKS cluster
        if: always()
--- a/src/runtime-rs/Makefile
+++ b/src/runtime-rs/Makefile
@@ -26,23 +26,14 @@ ARCH_DIR = arch
 ARCH_FILE_SUFFIX = -options.mk
 ARCH_FILE = $(ARCH_DIR)/$(ARCH)$(ARCH_FILE_SUFFIX)

-ifeq ($(ARCH), s390x)
+UNSUPPORTED_ARCHS := s390x powerpc64le riscv64gc
+
+ifeq ($(filter $(ARCH), $(UNSUPPORTED_ARCHS)),$(ARCH))
 default: runtime show-header
 test:
-	@echo "s390x is not currently supported"
+	@echo "$(ARCH) is not currently supported"
 	exit 0
 install: install-runtime install-configs
-else ifeq ($(ARCH), powerpc64le)
-default: runtime show-header
-test:
-	@echo "powerpc64le is not currently supported"
-	exit 0
-install: install-runtime install-configs
-else ifeq ($(ARCH), riscv64gc)
-default: runtime show-header
-test:
-	@echo "RISC-V 64 is not currently supported"
-	exit 0
 else
 ##TARGET default: build code
 default: runtime show-header
--- a/src/runtime/go.mod
+++ b/src/runtime/go.mod
@@ -1,7 +1,7 @@
 module github.com/kata-containers/kata-containers/src/runtime

 // Keep in sync with version in versions.yaml
-go 1.25.8
+go 1.25.9

 // WARNING: Do NOT use `replace` directives as those break dependabot:
 // https://github.com/kata-containers/kata-containers/issues/11020
--- a/src/tools/csi-kata-directvolume/go.mod
+++ b/src/tools/csi-kata-directvolume/go.mod
@@ -1,7 +1,7 @@
 module kata-containers/csi-kata-directvolume

 // Keep in sync with version in versions.yaml
-go 1.25.8
+go 1.25.9

 // WARNING: Do NOT use `replace` directives as those break dependabot:
 // https://github.com/kata-containers/kata-containers/issues/11020
--- a/src/tools/log-parser/go.mod
+++ b/src/tools/log-parser/go.mod
@@ -1,7 +1,7 @@
 module github.com/kata-containers/kata-containers/src/tools/log-parser

 // Keep in sync with version in versions.yaml
-go 1.25.8
+go 1.25.9

 require (
 	github.com/BurntSushi/toml v1.1.0
--- a/tests/gha-run-k8s-common.sh
+++ b/tests/gha-run-k8s-common.sh
@@ -635,7 +635,7 @@ function helm_helper() {
 					base_values_file="${helm_chart_dir}/try-kata-nvidia-gpu.values.yaml"
 				fi
 				;;
-			qemu-snp|qemu-tdx|qemu-se|qemu-se-runtime-rs|qemu-cca|qemu-coco-dev|qemu-coco-dev-runtime-rs)
+			qemu-snp|qemu-snp-runtime-rs|qemu-tdx|qemu-se|qemu-se-runtime-rs|qemu-cca|qemu-coco-dev|qemu-coco-dev-runtime-rs)
 				# Use TEE example file
 				if [[ -f "${helm_chart_dir}/try-kata-tee.values.yaml" ]]; then
 					base_values_file="${helm_chart_dir}/try-kata-tee.values.yaml"
--- a/tests/go.mod
+++ b/tests/go.mod
@@ -1,7 +1,7 @@
 module github.com/kata-containers/tests

 // Keep in sync with version in versions.yaml
-go 1.25.8
+go 1.25.9

 // WARNING: Do NOT use `replace` directives as those break dependabot:
 // https://github.com/kata-containers/kata-containers/issues/11020
--- a/tests/integration/kubernetes/confidential_common.sh
+++ b/tests/integration/kubernetes/confidential_common.sh
@@ -11,7 +11,7 @@ source "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/confidential_kbs.sh"

 SUPPORTED_GPU_TEE_HYPERVISORS=("qemu-nvidia-gpu-snp" "qemu-nvidia-gpu-tdx")
-SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-tdx" "qemu-se" "qemu-se-runtime-rs" "${SUPPORTED_GPU_TEE_HYPERVISORS[@]}")
+SUPPORTED_TEE_HYPERVISORS=("qemu-snp" "qemu-snp-runtime-rs" "qemu-tdx" "qemu-se" "qemu-se-runtime-rs" "${SUPPORTED_GPU_TEE_HYPERVISORS[@]}")
 SUPPORTED_NON_TEE_HYPERVISORS=("qemu-coco-dev" "qemu-coco-dev-runtime-rs")

 function setup_unencrypted_confidential_pod() {
@@ -36,7 +36,7 @@ function get_remote_command_per_hypervisor() {
 		qemu-se*)
 			echo "cd /sys/firmware/uv; cat prot_virt_guest | grep 1"
 			;;
-		qemu-snp)
+		qemu-snp|qemu-snp-runtime-rs)
 			echo "dmesg | grep \"Memory Encryption Features active:.*SEV-SNP\""
 			;;
 		qemu-tdx)
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -187,7 +187,7 @@ function deploy_kata() {

 	# Workaround to avoid modifying the workflow yaml files
 	case "${KATA_HYPERVISOR}" in
-		qemu-tdx|qemu-snp|qemu-nvidia-gpu-*)
+		qemu-tdx|qemu-snp|qemu-snp-runtime-rs|qemu-nvidia-gpu-*)
 			USE_EXPERIMENTAL_SETUP_SNAPSHOTTER=true
 			SNAPSHOTTER="nydus"
 			EXPERIMENTAL_FORCE_GUEST_PULL=false
@@ -447,7 +447,7 @@ function cleanup() {
 }

 function deploy_snapshotter() {
-	if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" ]]; then
+	if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" || "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ]]; then
 	       echo "[Skip] ${SNAPSHOTTER} is pre-installed in the TEE machine"
 	       return
 	fi
@@ -461,7 +461,7 @@ function deploy_snapshotter() {
 }

 function cleanup_snapshotter() {
-	if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" ]]; then
+	if [[ "${KATA_HYPERVISOR}" == "qemu-tdx" || "${KATA_HYPERVISOR}" == "qemu-snp" || "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ]]; then
 	       echo "[Skip] ${SNAPSHOTTER} is pre-installed in the TEE machine"
 	       return
 	fi
--- a/tests/integration/kubernetes/k8s-confidential-attestation.bats
+++ b/tests/integration/kubernetes/k8s-confidential-attestation.bats
@@ -146,15 +146,22 @@ setup() {
 	kbs_set_cpu0_resource_policy

 	# get measured artifacts from qemu command line of previous test
+	# Go runtime logs: "launching <path> with: [<args>]"
+	# runtime-rs logs: "qemu args: <args>"
 	log_line=$(sudo journalctl -r -x -t kata | grep -m 1 'launching.*qemu.*with:' || true)
-	qemu_cmd=$(echo "$log_line" | sed 's/.*with: \[\(.*\)\]".*/\1/')
+	if [[ -n "$log_line" ]]; then
+		qemu_cmd=$(echo "$log_line" | sed 's/.*with: \[\(.*\)\]".*/\1/')
+	else
+		log_line=$(sudo journalctl -r -x -t kata | grep -m 1 'qemu args:' || true)
+		qemu_cmd=$(echo "$log_line" | sed 's/.*qemu args: //')
+	fi
 	[[ -n "$qemu_cmd" ]] || { echo "Could not find QEMU command line"; return 1; }

 	kernel_path=$(echo "$qemu_cmd" | grep -oP -- '-kernel \K[^ ]+')
 	initrd_path=$(echo "$qemu_cmd" | grep -oP -- '-initrd \K[^ ]+' || true)
 	firmware_path=$(echo "$qemu_cmd" | grep -oP -- '-bios \K[^ ]+')
 	vcpu_count=$(echo "$qemu_cmd" | grep -oP -- '-smp \K\d+')
-	append=$(echo "$qemu_cmd" | sed -n 's/.*-append \(.*\) -bios.*/\1/p')
+	append=$(echo "$qemu_cmd" | grep -oP -- '-append \K.*?(?= -(smp|bios) )')
 	# Remove escape backslashes for quotes from output for dm-mod.create parameters
 	append="${append//\\\"/\"}"

--- a/tests/integration/kubernetes/k8s-cpu-ns.bats
+++ b/tests/integration/kubernetes/k8s-cpu-ns.bats
@@ -15,7 +15,7 @@ setup() {
 	[ "${KATA_HYPERVISOR}" == "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 	[[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && skip "Requires CPU hotplug which disabled by static_sandbox_resource_mgmt"
 	( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
-		[ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
+		[ "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ] || [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
 		&& skip "TEEs do not support memory / CPU hotplug"

 	pod_name="constraints-cpu-test"
@@ -121,7 +121,7 @@ teardown() {
 	[ "${KATA_HYPERVISOR}" == "qemu-se-runtime-rs" ] && skip "Requires CPU hotplug which isn't supported on ${KATA_HYPERVISOR} yet"
 	[[ "${KATA_HYPERVISOR}" == qemu-coco-dev* ]] && skip "Requires CPU hotplug which disabled by static_sandbox_resource_mgmt"
 	( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
-		[ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
+		[ "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ] || [ "${KATA_HYPERVISOR}" == "qemu-se" ] ) \
 		&& skip "TEEs do not support memory / CPU hotplug"

 	# Debugging information
--- a/tests/integration/kubernetes/k8s-measured-rootfs.bats
+++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats
@@ -9,14 +9,18 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/lib.sh"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"

-# Currently only the Go runtime provides the config path used here.
-# If a Rust hypervisor runs this test, mirror the enabling_hypervisor
-# pattern in tests/common.bash to select the correct runtime-rs config.
-shim_config_file="/opt/kata/share/defaults/kata-containers/configuration-${KATA_HYPERVISOR}.toml"
+case "${KATA_HYPERVISOR}" in
+	*-runtime-rs)
+		shim_config_file="/opt/kata/share/defaults/kata-containers/runtime-rs/runtimes/${KATA_HYPERVISOR}/configuration-${KATA_HYPERVISOR}.toml"
+		;;
+	*)
+		shim_config_file="/opt/kata/share/defaults/kata-containers/runtimes/${KATA_HYPERVISOR}/configuration-${KATA_HYPERVISOR}.toml"
+		;;
+esac

 check_and_skip() {
 	case "${KATA_HYPERVISOR}" in
-		qemu-tdx|qemu-coco-dev|qemu-snp)
+		qemu-tdx|qemu-coco-dev|qemu-snp|qemu-snp-runtime-rs)
 			if [ "$(uname -m)" == "s390x" ]; then
 				skip "measured rootfs tests not implemented for s390x"
 			fi
--- a/tests/integration/kubernetes/setup.sh
+++ b/tests/integration/kubernetes/setup.sh
@@ -138,7 +138,7 @@ add_runtime_handler_annotations() {
 	fi

 	case "${KATA_HYPERVISOR}" in
-		qemu-coco-dev | qemu-snp | qemu-tdx | qemu-coco-dev-runtime-rs)
+		qemu-coco-dev | qemu-snp | qemu-snp-runtime-rs | qemu-tdx | qemu-coco-dev-runtime-rs)
 			info "Add runtime handler annotations for ${KATA_HYPERVISOR}"
 			local handler_value="kata-${KATA_HYPERVISOR}"
 			for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -82,7 +82,7 @@ auto_generate_policy_enabled() {

 is_coco_platform() {
 	case "${KATA_HYPERVISOR}" in
-		"qemu-tdx"|"qemu-snp"|"qemu-coco-dev"|"qemu-coco-dev-runtime-rs"|"qemu-nvidia-gpu-tdx"|"qemu-nvidia-gpu-snp")
+		"qemu-tdx"|"qemu-snp"|"qemu-snp-runtime-rs"|"qemu-coco-dev"|"qemu-coco-dev-runtime-rs"|"qemu-nvidia-gpu-tdx"|"qemu-nvidia-gpu-snp")
 			return 0
 			;;
 		*)
@@ -148,7 +148,7 @@ install_genpolicy_drop_ins() {
 	# 20-* OCI version overlay
 	if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then
 		cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/"
-	elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
+	elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-snp-runtime-rs" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
 		cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/"
 	fi

@@ -340,7 +340,7 @@ hard_coded_policy_tests_enabled() {
 	# CI is testing hard-coded policies just on a the platforms listed here. Outside of CI,
 	# users can enable testing of the same policies (plus the auto-generated policies) by
 	# specifying AUTO_GENERATE_POLICY=yes.
-	local -r enabled_hypervisors=("qemu-coco-dev" "qemu-snp" "qemu-tdx" "qemu-coco-dev-runtime-rs")
+	local -r enabled_hypervisors=("qemu-coco-dev" "qemu-snp" "qemu-snp-runtime-rs" "qemu-tdx" "qemu-coco-dev-runtime-rs")
 	for enabled_hypervisor in "${enabled_hypervisors[@]}"
 	do
 		if [[ "${enabled_hypervisor}" == "${KATA_HYPERVISOR}" ]]; then
--- a/tests/metrics/cmd/checkmetrics/go.mod
+++ b/tests/metrics/cmd/checkmetrics/go.mod
@@ -1,7 +1,7 @@
 module example.com/m

 // Keep in sync with version in versions.yaml
-go 1.25.8
+go 1.25.9

 require (
 	github.com/BurntSushi/toml v1.3.2
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/runtimeclasses.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/runtimeclasses.yaml
@@ -26,10 +26,22 @@ handler: kata-{{ .shim }}-{{ .root.Values.env.multiInstallSuffix }}
 {{- else }}
 handler: kata-{{ .shim }}
 {{- end }}
+{{- /* Overhead section - controlled by global or per-shim overheadEnabled flag (default: true) */ -}}
+{{- $shimOverheadEnabled := true -}}
+{{- if hasKey .root.Values.runtimeClasses "overheadEnabled" -}}
+{{- $shimOverheadEnabled = .root.Values.runtimeClasses.overheadEnabled -}}
+{{- end -}}
+{{- with .shimConfig.runtimeClass -}}
+{{- if hasKey . "overheadEnabled" -}}
+{{- $shimOverheadEnabled = .overheadEnabled -}}
+{{- end -}}
+{{- end -}}
+{{- if $shimOverheadEnabled }}
 overhead:
  podFixed:
    memory: {{ .config.memory | quote }}
    cpu: {{ .config.cpu | quote }}
+{{- end }}
 scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
@@ -69,6 +69,7 @@ snapshotter:
 #       runtimeClass:
 #         nodeSelector:              # extra node selectors added to the RuntimeClass
 #           example.io/feature: "true"
+#         overheadEnabled: true      # enable/disable overhead in RuntimeClass (default: inherits from runtimeClasses.overheadEnabled)
 #         overhead:                  # override pod overhead (falls back to built-in defaults)
 #           memory: "160Mi"
 #           cpu: "250m"
@@ -344,6 +345,10 @@ runtimeClasses:
  enabled: true
  createDefault: false
  defaultName: "kata"
+  # Global switch for overhead in all RuntimeClasses (default: true)
+  # Set to false to disable overhead for all shims globally.
+  # Individual shims can override this via shims.<name>.runtimeClass.overheadEnabled
+  overheadEnabled: true

 env:
  installationPrefix: ""
--- a/tools/testing/kata-webhook/go.mod
+++ b/tools/testing/kata-webhook/go.mod
@@ -1,7 +1,7 @@
 module module-path

 // Keep in sync with version in versions.yaml
-go 1.25.8
+go 1.25.9

 require (
 	github.com/sirupsen/logrus v1.9.3
--- a/versions.yaml
+++ b/versions.yaml
@@ -470,12 +470,12 @@ languages:
    description: "Google's 'go' language"
    notes: "'version' is the default minimum version used by this project."
    # When updating this, also update in go.mod files.
-    version: "1.25.8"
+    version: "1.25.9"
    meta:
      description: |
        'newest-version' is the latest version known to work when
        building Kata
-      newest-version: "1.25.8"
+      newest-version: "1.25.9"

  rust:
    description: "Rust language"
Author	SHA1	Message	Date
Aurélien Bombo	29d238d676	fix Signed-off-by: Aurélien Bombo <abombo@microsoft.com>	2026-04-10 13:31:30 -05:00
Aurélien Bombo	e692f9f7a1	cont: fix secret passing Signed-off-by: Aurélien Bombo <abombo@microsoft.com>	2026-04-10 13:01:26 -05:00
Aurélien Bombo	e8edef1c92	ci: test new Azure creds Signed-off-by: Aurélien Bombo <abombo@microsoft.com>	2026-04-10 12:07:51 -05:00
Fabiano Fidêncio	1d77c4e60f	Merge pull request #12752 from LizZhang315/add-overheadEnabled helm: add overheadEnabled switch for runtimeclass	2026-04-10 16:40:42 +02:00
Fabiano Fidêncio	fd6375d8d5	Merge pull request #12806 from kata-containers/topic/ci-run-runtime-rs-on-SNP ci: Run qemu-snp-runtime-rs tests in the CI	2026-04-10 11:01:20 +02:00
LizZhang315	2312f67c9b	helm: add overheadEnabled switch for runtimeclass Add a global and per-shim configurable switch to enable/disable the overhead section in generated RuntimeClasses. This allows users to omit overhead when it's not needed or managed externally. Priority: per-shim > global > default(true). Signed-off-by: LizZhang315 <123134987@qq.com>	2026-04-10 10:26:11 +02:00
Fabiano Fidêncio	218077506b	Merge pull request #12769 from RuoqingHe/runtime-rs-allow-install-on-riscv runtime-rs: Allow installation on RISC-V platforms	2026-04-10 10:24:40 +02:00
Fabiano Fidêncio	dca89485f0	Merge pull request #12802 from stevenhorsman/bump-golang-1.25.9 versions: bump golang to 1.25.9	2026-04-10 06:50:35 +02:00
Fabiano Fidêncio	5e1ab0aa7d	tests: Support runtime-rs QEMU cmdline format in attestation test The k8s-confidential-attestation test extracts the QEMU command line from journal logs to compute the SNP launch measurement. It only matched the Go runtime's log format ("launching <path> with: [<args>]"), but runtime-rs logs differently ("qemu args: <args>"). Handle both formats so the test works with qemu-snp-runtime-rs. Made-with: Cursor Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>	2026-04-09 16:35:08 +02:00
Fabiano Fidêncio	3b155ab0b1	ci: Run runtime-rs tests for SNP As we're in the process to stabilise runtime-rs for the coming 4.0.0 release, we better start running as many tests as possible with that. Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>	2026-04-09 16:35:08 +02:00
stevenhorsman	31f9a5461b	versions: bump golang to 1.25.9 Bump the go version to resolve CVEs: - GO-2026-4947 - GO-2026-4946 - GO-2026-4870 - GO-2026-4869 - GO-2026-4865 - GO-2026-4864 Signed-off-by: stevenhorsman <steven@uk.ibm.com>	2026-04-09 08:59:40 +01:00
Ruoqing He	98ee385220	runtime-rs: Consolidate unsupported arch Consolidate arch we don't support at the moment, and avoid hard coding error messages per arch. Signed-off-by: Ruoqing He <ruoqing.he@lingcage.com>	2026-04-09 04:18:50 +00:00
Ruoqing He	26ffe1223b	runtime-rs: Allow install on riscv64 platform runtime-rs works with QEMU on RISC-V platforms, let's enable installation on RISC-V. Signed-off-by: Ruoqing He <ruoqing.he@lingcage.com>	2026-04-09 04:18:50 +00:00