DO-NOT-MERGE: only build and test arm64

Comment out all non-arm64 builds and tests to save CI resources while
iterating on arm64 qemu-coco-dev-runtime-rs support.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
Made-with: Cursor

.github/workflows/build-kata-static-tarball-arm64.yaml

@@ -43,6 +43,7 @@ jobs:
           - agent
           - busybox
           - cloud-hypervisor
+          - coco-guest-components
           - firecracker
           - kernel
           - kernel-debug
@@ -51,6 +52,7 @@ jobs:
           - kernel-cca-confidential
           - nydus
           - ovmf
+          - pause-image
           - qemu
           - virtiofsd
     env:
@@ -151,6 +153,7 @@ jobs:
       matrix:
         asset:
           - rootfs-image
+          - rootfs-image-confidential
           - rootfs-image-nvidia-gpu
           - rootfs-initrd
     steps:
@@ -216,7 +219,9 @@ jobs:
       matrix:
         asset:
           - busybox
+          - coco-guest-components
           - kernel-nvidia-gpu-modules
+          - pause-image
     steps:
       - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         with:
@@ -288,6 +293,7 @@ jobs:
           ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
           TARGET_BRANCH: ${{ inputs.target-branch }}
           RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+          MEASURED_ROOTFS: yes
 
       - name: store-artifact shim-v2
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -297,6 +303,116 @@ jobs:
           retention-days: 15
           if-no-files-found: error
 
+  build-tools-asset:
+    name: build-tools-asset
+    runs-on: ubuntu-24.04-arm
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      matrix:
+        asset:
+          - agent-ctl
+          - genpolicy
+          - kata-ctl
+          - kata-manager
+          - trace-forwarder
+        stage:
+          - ${{ inputs.stage }}
+    steps:
+      - name: Login to Kata Containers quay.io
+        if: ${{ inputs.push-to-registry == 'yes' }}
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: quay.io
+          username: ${{ vars.QUAY_DEPLOYER_USERNAME }}
+          password: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0 # This is needed in order to keep the commit ids history
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: Build ${{ matrix.asset }}
+        id: build
+        run: |
+          make "${KATA_ASSET}-tarball"
+          build_dir=$(readlink -f build)
+          # store-artifact does not work with symlink
+          mkdir -p kata-tools-build && cp "${build_dir}"/kata-static-"${KATA_ASSET}"*.tar.* kata-tools-build/.
+        env:
+          KATA_ASSET: ${{ matrix.asset }}
+          TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
+          PUSH_TO_REGISTRY: ${{ inputs.push-to-registry }}
+          ARTEFACT_REGISTRY: ghcr.io
+          ARTEFACT_REGISTRY_USERNAME: ${{ github.actor }}
+          ARTEFACT_REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+
+      - name: store-artifact ${{ matrix.asset }}
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-tools-artifacts-arm64-${{ matrix.asset }}${{ inputs.tarball-suffix }}
+          path: kata-tools-build/kata-static-${{ matrix.asset }}.tar.zst
+          retention-days: 15
+          if-no-files-found: error
+
+  create-kata-tools-tarball:
+    name: create-kata-tools-tarball
+    runs-on: ubuntu-24.04-arm
+    needs: [build-tools-asset]
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          fetch-tags: true
+          persist-credentials: false
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+      - name: get-artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          pattern: kata-tools-artifacts-arm64-*${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+          merge-multiple: true
+      - name: merge-artifacts
+        run: |
+          ./tools/packaging/kata-deploy/local-build/kata-deploy-merge-builds.sh kata-tools-artifacts versions.yaml kata-tools-static.tar.zst
+        env:
+          RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
+      - name: Check kata-tools tarball size (GitHub release asset limit)
+        run: |
+          # https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases#storage-and-bandwidth-quotas
+          GITHUB_ASSET_MAX_BYTES=2147483648
+          tarball_size=$(stat -c "%s" kata-tools-static.tar.zst)
+          if [[ "${tarball_size}" -ge "${GITHUB_ASSET_MAX_BYTES}" ]]; then
+            echo "::error::tarball size (${tarball_size} bytes) >= GitHub release asset limit (${GITHUB_ASSET_MAX_BYTES} bytes)"
+            exit 1
+          fi
+          echo "tarball size: ${tarball_size} bytes"
+      - name: store-artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }}
+          path: kata-tools-static.tar.zst
+          retention-days: 15
+          if-no-files-found: error
+
   create-kata-tarball:
     name: create-kata-tarball
     runs-on: ubuntu-24.04-arm

.github/workflows/ci.yaml

@@ -47,37 +47,37 @@ on:
 permissions: {}
 
 jobs:
-  build-kata-static-tarball-amd64:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
-
-  publish-kata-deploy-payload-amd64:
-    needs: build-kata-static-tarball-amd64
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-22.04
-      arch: amd64
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+#  build-kata-static-tarball-amd64:
+#    permissions:
+#      contents: read
+#      packages: write
+#      id-token: write
+#      attestations: write
+#    uses: ./.github/workflows/build-kata-static-tarball-amd64.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#    secrets:
+#      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
+#
+#  publish-kata-deploy-payload-amd64:
+#    needs: build-kata-static-tarball-amd64
+#    permissions:
+#      contents: read
+#      packages: write
+#    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-amd64
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#      runner: ubuntu-22.04
+#      arch: amd64
+#    secrets:
+#      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
   build-kata-static-tarball-arm64:
     permissions:
@@ -111,347 +111,350 @@ jobs:
     secrets:
       QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
 
-  build-kata-static-tarball-s390x:
-    permissions:
-      contents: read
-      packages: write
-      id-token: write
-      attestations: write
-    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-kata-static-tarball-ppc64le:
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-kata-deploy-payload-s390x:
-    needs: build-kata-static-tarball-s390x
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-s390x
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-24.04-s390x
-      arch: s390x
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  publish-kata-deploy-payload-ppc64le:
-    needs: build-kata-static-tarball-ppc64le
-    permissions:
-      contents: read
-      packages: write
-    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-ppc64le
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-24.04-ppc64le
-      arch: ppc64le
-    secrets:
-      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
-
-  build-and-publish-tee-confidential-unencrypted-image:
-    name: build-and-publish-tee-confidential-unencrypted-image
-    permissions:
-      contents: read
-      packages: write
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          ref: ${{ inputs.commit-hash }}
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Rebase atop of the latest target branch
-        run: |
-          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
-        env:
-          TARGET_BRANCH: ${{ inputs.target-branch }}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-
-      - name: Login to Kata Containers ghcr.io
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Docker build and push
-        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
-        with:
-          tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
-          push: true
-          context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/
-          platforms: linux/amd64, linux/s390x
-          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
-
-  run-kata-monitor-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    uses: ./.github/workflows/run-kata-monitor-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-k8s-tests-on-aks:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
-
-    permissions:
-      contents: read
-      id-token: write # Used for OIDC access to log into Azure
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-
-  run-k8s-tests-on-free-runner:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    permissions:
-      contents: read
-    uses: ./.github/workflows/run-k8s-tests-on-free-runner.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
+#  build-kata-static-tarball-s390x:
+#    permissions:
+#      contents: read
+#      packages: write
+#      id-token: write
+#      attestations: write
+#    uses: ./.github/workflows/build-kata-static-tarball-s390x.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#    secrets:
+#      CI_HKD_PATH: ${{ secrets.ci_hkd_path }}
+#      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+#
+#  build-kata-static-tarball-ppc64le:
+#    permissions:
+#      contents: read
+#      packages: write
+#    uses: ./.github/workflows/build-kata-static-tarball-ppc64le.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#    secrets:
+#      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+#
+#  publish-kata-deploy-payload-s390x:
+#    needs: build-kata-static-tarball-s390x
+#    permissions:
+#      contents: read
+#      packages: write
+#    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-s390x
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#      runner: ubuntu-24.04-s390x
+#      arch: s390x
+#    secrets:
+#      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+#
+#  publish-kata-deploy-payload-ppc64le:
+#    needs: build-kata-static-tarball-ppc64le
+#    permissions:
+#      contents: read
+#      packages: write
+#    uses: ./.github/workflows/publish-kata-deploy-payload.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-ppc64le
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#      runner: ubuntu-24.04-ppc64le
+#      arch: ppc64le
+#    secrets:
+#      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
+#
+#  build-and-publish-tee-confidential-unencrypted-image:
+#    name: build-and-publish-tee-confidential-unencrypted-image
+#    permissions:
+#      contents: read
+#      packages: write
+#    runs-on: ubuntu-22.04
+#    steps:
+#      - name: Checkout code
+#        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+#        with:
+#          ref: ${{ inputs.commit-hash }}
+#          fetch-depth: 0
+#          persist-credentials: false
+#
+#      - name: Rebase atop of the latest target branch
+#        run: |
+#          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+#        env:
+#          TARGET_BRANCH: ${{ inputs.target-branch }}
+#
+#      - name: Set up QEMU
+#        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+#
+#      - name: Set up Docker Buildx
+#        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+#
+#      - name: Login to Kata Containers ghcr.io
+#        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+#        with:
+#          registry: ghcr.io
+#          username: ${{ github.actor }}
+#          password: ${{ secrets.GITHUB_TOKEN }}
+#
+#      - name: Docker build and push
+#        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+#        with:
+#          tags: ghcr.io/kata-containers/test-images:unencrypted-${{ inputs.pr-number }}
+#          push: true
+#          context: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/
+#          platforms: linux/amd64, linux/s390x
+#          file: tests/integration/kubernetes/runtimeclass_workloads/confidential/unencrypted/Dockerfile
+#
+#  run-kata-monitor-tests:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: build-kata-static-tarball-amd64
+#    uses: ./.github/workflows/run-kata-monitor-tests.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#
+#  run-k8s-tests-on-aks:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: publish-kata-deploy-payload-amd64
+#    uses: ./.github/workflows/run-k8s-tests-on-aks.yaml
+#
+#    permissions:
+#      contents: read
+#      id-token: write # Used for OIDC access to log into Azure
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-amd64
+#      commit-hash: ${{ inputs.commit-hash }}
+#      pr-number: ${{ inputs.pr-number }}
+#      target-branch: ${{ inputs.target-branch }}
+#    secrets:
+#      AZ_APPID: ${{ secrets.AZ_APPID }}
+#      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+#      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+#
+#  run-k8s-tests-on-free-runner:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: publish-kata-deploy-payload-amd64
+#    permissions:
+#      contents: read
+#    uses: ./.github/workflows/run-k8s-tests-on-free-runner.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-amd64
+#      commit-hash: ${{ inputs.commit-hash }}
+#      pr-number: ${{ inputs.pr-number }}
+#      target-branch: ${{ inputs.target-branch }}
 
   run-k8s-tests-on-arm64:
     if: ${{ inputs.skip-test != 'yes' }}
     needs: publish-kata-deploy-payload-arm64
     uses: ./.github/workflows/run-k8s-tests-on-arm64.yaml
     with:
+      tarball-suffix: -${{ inputs.tag }}
       registry: ghcr.io
       repo: ${{ github.repository_owner }}/kata-deploy-ci
       tag: ${{ inputs.tag }}-arm64
       commit-hash: ${{ inputs.commit-hash }}
       pr-number: ${{ inputs.pr-number }}
       target-branch: ${{ inputs.target-branch }}
-
-  run-k8s-tests-on-nvidia-gpu:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-amd64
-    uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-    secrets:
-      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
-
-
-  run-kata-coco-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs:
-     - publish-kata-deploy-payload-amd64
-     - build-and-publish-tee-confidential-unencrypted-image
-    uses: ./.github/workflows/run-kata-coco-tests.yaml
-    permissions:
-      contents: read
-      id-token: write # Used for OIDC access to log into Azure
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-      extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
-    secrets:
-      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
-      ITA_KEY: ${{ secrets.ITA_KEY }}
-
-  run-k8s-tests-on-zvsi:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
-    uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-s390x
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
     secrets:
       AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
 
-  run-k8s-tests-on-ppc64le:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: publish-kata-deploy-payload-ppc64le
-    uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-ppc64le
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-kata-deploy-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: [publish-kata-deploy-payload-amd64]
-    uses: ./.github/workflows/run-kata-deploy-tests.yaml
-    with:
-      registry: ghcr.io
-      repo: ${{ github.repository_owner }}/kata-deploy-ci
-      tag: ${{ inputs.tag }}-amd64
-      commit-hash: ${{ inputs.commit-hash }}
-      pr-number: ${{ inputs.pr-number }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-basic-amd64-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    uses: ./.github/workflows/basic-ci-amd64.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-basic-s390x-tests:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-s390x
-    uses: ./.github/workflows/basic-ci-s390x.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-
-  run-cri-containerd-amd64:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-amd64
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: lts,    vmm: clh              },
-          { containerd_version: lts,    vmm: dragonball       },
-          { containerd_version: lts,    vmm: qemu             },
-          { containerd_version: lts,    vmm: cloud-hypervisor },
-          { containerd_version: lts,    vmm: qemu-runtime-rs  },
-          { containerd_version: active, vmm: clh              },
-          { containerd_version: active, vmm: dragonball       },
-          { containerd_version: active, vmm: qemu             },
-          { containerd_version: active, vmm: cloud-hypervisor },
-          { containerd_version: active, vmm: qemu-runtime-rs  },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ubuntu-22.04
-      arch: amd64
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
-
-  run-cri-containerd-s390x:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-s390x
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu            },
-          { containerd_version: active, vmm: qemu-runtime-rs },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: s390x-large
-      arch: s390x
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
-
-  run-cri-containerd-tests-ppc64le:
-    if: ${{ inputs.skip-test != 'yes' }}
-    needs: build-kata-static-tarball-ppc64le
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: ppc64le-small
-      arch: ppc64le
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
-
-  run-cri-containerd-tests-arm64:
-    if: false
-    needs: build-kata-static-tarball-arm64
-    strategy:
-      fail-fast: false
-      matrix:
-        params: [
-          { containerd_version: active, vmm: qemu },
-         ]
-    uses: ./.github/workflows/run-cri-containerd-tests.yaml
-    with:
-      tarball-suffix: -${{ inputs.tag }}
-      commit-hash: ${{ inputs.commit-hash }}
-      target-branch: ${{ inputs.target-branch }}
-      runner: arm64-non-k8s
-      arch: arm64
-      containerd_version: ${{ matrix.params.containerd_version }}
-      vmm: ${{ matrix.params.vmm }}
+#  run-k8s-tests-on-nvidia-gpu:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: publish-kata-deploy-payload-amd64
+#    uses: ./.github/workflows/run-k8s-tests-on-nvidia-gpu.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-amd64
+#      commit-hash: ${{ inputs.commit-hash }}
+#      pr-number: ${{ inputs.pr-number }}
+#      target-branch: ${{ inputs.target-branch }}
+#    secrets:
+#      NGC_API_KEY: ${{ secrets.NGC_API_KEY }}
+#
+#
+#  run-kata-coco-tests:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs:
+#     - publish-kata-deploy-payload-amd64
+#     - build-and-publish-tee-confidential-unencrypted-image
+#    uses: ./.github/workflows/run-kata-coco-tests.yaml
+#    permissions:
+#      contents: read
+#      id-token: write # Used for OIDC access to log into Azure
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-amd64
+#      commit-hash: ${{ inputs.commit-hash }}
+#      pr-number: ${{ inputs.pr-number }}
+#      target-branch: ${{ inputs.target-branch }}
+#      extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
+#    secrets:
+#      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+#      AZ_APPID: ${{ secrets.AZ_APPID }}
+#      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
+#      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+#      ITA_KEY: ${{ secrets.ITA_KEY }}
+#
+#  run-k8s-tests-on-zvsi:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: [publish-kata-deploy-payload-s390x, build-and-publish-tee-confidential-unencrypted-image]
+#    uses: ./.github/workflows/run-k8s-tests-on-zvsi.yaml
+#    with:
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-s390x
+#      commit-hash: ${{ inputs.commit-hash }}
+#      pr-number: ${{ inputs.pr-number }}
+#      target-branch: ${{ inputs.target-branch }}
+#    secrets:
+#      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+#
+#  run-k8s-tests-on-ppc64le:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: publish-kata-deploy-payload-ppc64le
+#    uses: ./.github/workflows/run-k8s-tests-on-ppc64le.yaml
+#    with:
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-ppc64le
+#      commit-hash: ${{ inputs.commit-hash }}
+#      pr-number: ${{ inputs.pr-number }}
+#      target-branch: ${{ inputs.target-branch }}
+#
+#  run-kata-deploy-tests:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: [publish-kata-deploy-payload-amd64]
+#    uses: ./.github/workflows/run-kata-deploy-tests.yaml
+#    with:
+#      registry: ghcr.io
+#      repo: ${{ github.repository_owner }}/kata-deploy-ci
+#      tag: ${{ inputs.tag }}-amd64
+#      commit-hash: ${{ inputs.commit-hash }}
+#      pr-number: ${{ inputs.pr-number }}
+#      target-branch: ${{ inputs.target-branch }}
+#
+#  run-basic-amd64-tests:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: build-kata-static-tarball-amd64
+#    uses: ./.github/workflows/basic-ci-amd64.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#
+#  run-basic-s390x-tests:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: build-kata-static-tarball-s390x
+#    uses: ./.github/workflows/basic-ci-s390x.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#
+#  run-cri-containerd-amd64:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: build-kata-static-tarball-amd64
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        params: [
+#          { containerd_version: lts,    vmm: clh              },
+#          { containerd_version: lts,    vmm: dragonball       },
+#          { containerd_version: lts,    vmm: qemu             },
+#          { containerd_version: lts,    vmm: cloud-hypervisor },
+#          { containerd_version: lts,    vmm: qemu-runtime-rs  },
+#          { containerd_version: active, vmm: clh              },
+#          { containerd_version: active, vmm: dragonball       },
+#          { containerd_version: active, vmm: qemu             },
+#          { containerd_version: active, vmm: cloud-hypervisor },
+#          { containerd_version: active, vmm: qemu-runtime-rs  },
+#         ]
+#    uses: ./.github/workflows/run-cri-containerd-tests.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#      runner: ubuntu-22.04
+#      arch: amd64
+#      containerd_version: ${{ matrix.params.containerd_version }}
+#      vmm: ${{ matrix.params.vmm }}
+#
+#  run-cri-containerd-s390x:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: build-kata-static-tarball-s390x
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        params: [
+#          { containerd_version: active, vmm: qemu            },
+#          { containerd_version: active, vmm: qemu-runtime-rs },
+#         ]
+#    uses: ./.github/workflows/run-cri-containerd-tests.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#      runner: s390x-large
+#      arch: s390x
+#      containerd_version: ${{ matrix.params.containerd_version }}
+#      vmm: ${{ matrix.params.vmm }}
+#
+#  run-cri-containerd-tests-ppc64le:
+#    if: ${{ inputs.skip-test != 'yes' }}
+#    needs: build-kata-static-tarball-ppc64le
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        params: [
+#          { containerd_version: active, vmm: qemu },
+#         ]
+#    uses: ./.github/workflows/run-cri-containerd-tests.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#      runner: ppc64le-small
+#      arch: ppc64le
+#      containerd_version: ${{ matrix.params.containerd_version }}
+#      vmm: ${{ matrix.params.vmm }}
+#
+#  run-cri-containerd-tests-arm64:
+#    if: false
+#    needs: build-kata-static-tarball-arm64
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        params: [
+#          { containerd_version: active, vmm: qemu },
+#         ]
+#    uses: ./.github/workflows/run-cri-containerd-tests.yaml
+#    with:
+#      tarball-suffix: -${{ inputs.tag }}
+#      commit-hash: ${{ inputs.commit-hash }}
+#      target-branch: ${{ inputs.target-branch }}
+#      runner: arm64-non-k8s
+#      arch: arm64
+#      containerd_version: ${{ matrix.params.containerd_version }}
+#      vmm: ${{ matrix.params.vmm }}

.github/workflows/run-k8s-tests-on-arm64.yaml

@@ -21,30 +21,49 @@ on:
         required: false
         type: string
         default: ""
+      tarball-suffix:
+        required: false
+        type: string
+    secrets:
+      AUTHENTICATED_IMAGE_PASSWORD:
+        required: false
 
 permissions: {}
 
 jobs:
   run-k8s-tests-on-arm64:
-    name: run-k8s-tests-on-arm64
+    name: run-k8s-tests-on-arm64 (${{ matrix.environment.vmm }}, ${{ matrix.k8s }})
     strategy:
       fail-fast: false
       matrix:
-        vmm:
-          - qemu
-          - qemu-runtime-rs
+        environment: [
+          { vmm: qemu,                     runner: arm64-k8s },
+          { vmm: qemu-coco-dev-runtime-rs, runner: arm64-k8s-runtime-rs },
+          { vmm: qemu-runtime-rs,          runner: arm64-k8s-runtime-rs },
+        ]
         k8s:
           - kubeadm
-    runs-on: arm64-k8s
+    runs-on: ${{ matrix.environment.runner }}
+    environment:
+      name: ci
+      deployment: false
     env:
       DOCKER_REGISTRY: ${{ inputs.registry }}
       DOCKER_REPO: ${{ inputs.repo }}
       DOCKER_TAG: ${{ inputs.tag }}
       GH_PR_NUMBER: ${{ inputs.pr-number }}
-      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      KATA_HYPERVISOR: ${{ matrix.environment.vmm }}
       KUBERNETES: ${{ matrix.k8s }}
       K8S_TEST_HOST_TYPE: all
       TARGET_ARCH: "aarch64"
+      KBS: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'true' || 'false' }}
+      KBS_INGRESS: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'nodeport' || '' }}
+      AUTO_GENERATE_POLICY: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'yes' || '' }}
+      PULL_TYPE: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'guest-pull' || 'default' }}
+      SNAPSHOTTER: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') && 'nydus' || '' }}
+      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      GH_TOKEN: ${{ github.token }}
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -58,10 +77,36 @@ jobs:
         env:
           TARGET_BRANCH: ${{ inputs.target-branch }}
 
+      - name: get-kata-tools-tarball
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-arm64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
       - name: Deploy Kata
         timeout-minutes: 20
         run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
 
+      - name: Uninstall previous `kbs-client`
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client
+
+      - name: Deploy CoCo KBS
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        if: ${{ startsWith(matrix.environment.vmm, 'qemu-coco-dev') }}
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
       - name: Install `bats`
         run: bash tests/integration/kubernetes/gha-run.sh install-bats
 
@@ -73,15 +118,15 @@ jobs:
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh report-tests
 
-      - name: Collect artifacts ${{ matrix.vmm }}
+      - name: Collect artifacts ${{ matrix.environment.vmm }}
         if: always()
         run: bash tests/integration/kubernetes/gha-run.sh collect-artifacts
         continue-on-error: true
 
-      - name: Archive artifacts ${{ matrix.vmm }}
+      - name: Archive artifacts ${{ matrix.environment.vmm }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
-          name: k8s-tests-${{ matrix.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
+          name: k8s-tests-${{ matrix.environment.vmm }}-${{ matrix.k8s }}-${{ inputs.tag }}
           path: /tmp/artifacts
           retention-days: 1
 

docs/helm-configuration.md

@@ -109,7 +109,7 @@ Includes:
 - `qemu-se-runtime-rs` - IBM Secure Execution for Linux (SEL) Rust runtime (s390x)
 - `qemu-cca` - Arm Confidential Compute Architecture (arm64)
 - `qemu-coco-dev` - Confidential Containers development (amd64, s390x)
-- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, s390x)
+- `qemu-coco-dev-runtime-rs` - Confidential Containers development Rust runtime (amd64, arm64, s390x)
 
 ### [`try-kata-nvidia-gpu.values.yaml`](https://github.com/kata-containers/kata-containers/blob/main/tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-nvidia-gpu.values.yaml)
 

tests/gha-run-k8s-common.sh

@@ -713,10 +713,14 @@ function helm_helper() {
 						yq -i ".shims.${shim}.enabled = true" "${values_yaml}"
 						yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"arm64\", \"s390x\"]" "${values_yaml}"
 						;;
-					qemu-coco-dev|qemu-coco-dev-runtime-rs)
+					qemu-coco-dev)
 						yq -i ".shims.${shim}.enabled = true" "${values_yaml}"
 						yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"s390x\"]" "${values_yaml}"
 						;;
+					qemu-coco-dev-runtime-rs)
+						yq -i ".shims.${shim}.enabled = true" "${values_yaml}"
+						yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"arm64\", \"s390x\"]" "${values_yaml}"
+						;;
 					qemu-nvidia-gpu)
 						yq -i ".shims.${shim}.enabled = true" "${values_yaml}"
 						yq -i ".shims.${shim}.supportedArches = [\"amd64\", \"arm64\"]" "${values_yaml}"

tests/integration/kubernetes/gha-run.sh

@@ -493,7 +493,7 @@ function main() {
 		if [[ "${KATA_HOST_OS}" = "cbl-mariner" ]]; then
 			AUTO_GENERATE_POLICY="yes"
 		elif [[ "${KATA_HYPERVISOR}" = qemu-coco-dev* && \
-		        "${TARGET_ARCH}" = "x86_64" && \
+		        ( "${TARGET_ARCH}" = "x86_64" || "${TARGET_ARCH}" = "aarch64" ) && \
 		        "${PULL_TYPE}" != "experimental-force-guest-pull" ]]; then
 			AUTO_GENERATE_POLICY="yes"
 		elif [[ "${KATA_HYPERVISOR}" = qemu-nvidia-gpu-* ]]; then

tests/integration/kubernetes/tests_common.sh

@@ -148,7 +148,7 @@ install_genpolicy_drop_ins() {
 	# 20-* OCI version overlay
 	if [[ "${KATA_HOST_OS:-}" == "cbl-mariner" ]]; then
 		cp "${examples_dir}/20-oci-1.2.0-drop-in.json" "${settings_d}/"
-	elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]]; then
+	elif is_k3s_or_rke2 || is_nvidia_gpu_platform || [[ "${KATA_HYPERVISOR}" == "qemu-snp" ]] || [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] || [[ -n "${CONTAINER_ENGINE_VERSION:-}" ]] || [[ "$(uname -m)" == "aarch64" ]]; then
 		cp "${examples_dir}/20-oci-1.3.0-drop-in.json" "${settings_d}/"
 	fi
 

tools/packaging/kata-deploy/binary/src/config.rs

@@ -719,7 +719,7 @@ fn parse_custom_runtimes() -> Result<Vec<CustomRuntime>> {
 fn get_default_shims_for_arch(arch: &str) -> &'static str {
     match arch {
         "x86_64" => "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-nvidia-gpu qemu-nvidia-gpu-snp qemu-nvidia-gpu-tdx qemu-snp qemu-snp-runtime-rs qemu-tdx qemu-tdx-runtime-rs",
-        "aarch64" => "clh cloud-hypervisor dragonball fc qemu qemu-runtime-rs qemu-nvidia-gpu qemu-cca",
+        "aarch64" => "clh cloud-hypervisor dragonball fc qemu qemu-coco-dev-runtime-rs qemu-runtime-rs qemu-nvidia-gpu qemu-cca",
         "s390x" => "qemu qemu-runtime-rs qemu-se qemu-se-runtime-rs qemu-coco-dev qemu-coco-dev-runtime-rs",
         "ppc64le" => "qemu",
         _ => "qemu", // Fallback to qemu for unknown architectures

tools/packaging/kata-deploy/helm-chart/kata-deploy/try-kata-tee.values.yaml

@@ -135,6 +135,7 @@ shims:
     enabled: true
     supportedArches:
       - amd64
+      - arm64
       - s390x
     allowedHypervisorAnnotations: []
     containerd:

tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml

@@ -307,6 +307,7 @@ shims:
     enabled: ~
     supportedArches:
       - amd64
+      - arm64
       - s390x
     allowedHypervisorAnnotations: []
     containerd:

tools/packaging/kata-deploy/local-build/Makefile

@@ -60,6 +60,7 @@ BASE_TARBALLS = serial-targets \
 	shim-v2-tarball \
 	virtiofsd-tarball
 BASE_SERIAL_TARBALLS = rootfs-image-tarball \
+	rootfs-image-confidential-tarball \
 	rootfs-cca-confidential-image-tarball \
 	rootfs-cca-confidential-initrd-tarball \
 	rootfs-initrd-tarball

tools/packaging/kata-deploy/local-build/kata-deploy-binaries.sh

@@ -719,6 +719,11 @@ install_kernel() {
 			export MEASURED_ROOTFS="no"
 			extra_cmd="-x"
 			;;
+		aarch64)
+			export CONFIDENTIAL_GUEST="yes"
+			export MEASURED_ROOTFS="yes"
+			extra_cmd="-x"
+			;;
 		x86_64)
 			export CONFIDENTIAL_GUEST="yes"
 			export MEASURED_ROOTFS="yes"

tools/packaging/kernel/build-kernel.sh

@@ -578,8 +578,11 @@ install_kata() {
 	if [[ ${gpu_vendor} != "" ]]; then
 		suffix="-${gpu_vendor}-gpu${suffix}"
 	elif [[ ${conf_guest} != "" ]]; then
-		# CCA on aarch64 uses -confidential suffix; x86_64/s390x unified kernel does not
-		if [[ "${arch_target}" == "aarch64" ]]; then
+		# CCA kernel on aarch64 needs a -confidential suffix to coexist
+		# with the unified kernel; the regular kernel with -x does not
+		# get the suffix (matching x86_64/s390x unified kernel behavior).
+		# CCA builds are identified by -H (linux_headers) being set.
+		if [[ "${arch_target}" == "aarch64" ]] && [[ -n "${linux_headers}" ]]; then
 			suffix="-${conf_guest}${suffix}"
 		fi
 	fi

tools/packaging/static-build/tools/Dockerfile

@@ -61,10 +61,21 @@ RUN ARCH=$(uname -m) && \
     rm /tmp/oras.tar.gz && \
     oras version
 
-# Tools only build for x86_64
-RUN rustup target add x86_64-unknown-linux-musl
+RUN ARCH=$(uname -m) && \
+    case "${ARCH}" in \
+        x86_64) MUSL_TARGET="x86_64-unknown-linux-musl" ;; \
+        aarch64) MUSL_TARGET="aarch64-unknown-linux-musl" ;; \
+        *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
+    esac && \
+    rustup target add "${MUSL_TARGET}"
 
-RUN kernelname=$(uname -s | tr '[:upper:]' '[:lower:]'); \
-    curl -fsSOL "https://go.dev/dl/go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \
-    tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz" && \
-    rm "go${GO_TOOLCHAIN}.${kernelname}-amd64.tar.gz"
+RUN ARCH=$(uname -m) && \
+    case "${ARCH}" in \
+        x86_64) GO_ARCH="amd64" ;; \
+        aarch64) GO_ARCH="arm64" ;; \
+        *) echo "Unsupported architecture: ${ARCH}" && exit 1 ;; \
+    esac && \
+    kernelname=$(uname -s | tr '[:upper:]' '[:lower:]') && \
+    curl -fsSOL "https://go.dev/dl/go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \
+    tar -C "${GO_HOME}" -xzf "go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz" && \
+    rm "go${GO_TOOLCHAIN}.${kernelname}-${GO_ARCH}.tar.gz"