fix

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
cont: fix secret passing
2026-04-10 22:12:35 +00:00 · 2026-04-10 13:31:30 -05:00 · 2026-04-10 13:01:26 -05:00 · 2026-04-10 12:07:51 -05:00 · 2026-04-10 16:40:42 +02:00 · 2026-04-10 10:26:11 +02:00
13 changed files with 78 additions and 61 deletions
--- a/.github/workflows/ci-coco-stability.yaml
+++ b/.github/workflows/ci-coco-stability.yaml
@@ -26,8 +26,8 @@ jobs:
      target-branch: ${{ github.ref_name }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
      KBUILD_SIGN_PIN: ${{ secrets.KBUILD_SIGN_PIN }}
--- a/.github/workflows/ci-devel.yaml
+++ b/.github/workflows/ci-devel.yaml
@@ -21,9 +21,9 @@ jobs:

    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-nightly.yaml
+++ b/.github/workflows/ci-nightly.yaml
@@ -25,9 +25,9 @@ jobs:
      extensive-matrix-autogenerated-policy: "yes"
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-on-push.yaml
+++ b/.github/workflows/ci-on-push.yaml
@@ -44,9 +44,9 @@ jobs:
      skip-test: ${{ needs.skipper.outputs.skip_test }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      CI_HKD_PATH: ${{ secrets.CI_HKD_PATH }}
      ITA_KEY: ${{ secrets.ITA_KEY }}
      QUAY_DEPLOYER_PASSWORD: ${{ secrets.QUAY_DEPLOYER_PASSWORD }}
--- a/.github/workflows/ci-weekly.yaml
+++ b/.github/workflows/ci-weekly.yaml
@@ -19,11 +19,11 @@ on:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true

-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true
      QUAY_DEPLOYER_PASSWORD:
        required: true
@@ -120,9 +120,9 @@ jobs:
      tarball-suffix: -${{ inputs.tag }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
    permissions:
      contents: read
      id-token: write
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -27,11 +27,11 @@ on:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true

-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true
      CI_HKD_PATH:
        required: true
@@ -242,9 +242,9 @@ jobs:
      pr-number: ${{ inputs.pr-number }}
      target-branch: ${{ inputs.target-branch }}
    secrets:
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

  run-k8s-tests-on-free-runner:
    if: ${{ inputs.skip-test != 'yes' }}
@@ -309,9 +309,9 @@ jobs:
      extensive-matrix-autogenerated-policy: ${{ inputs.extensive-matrix-autogenerated-policy }}
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
-      AZ_APPID: ${{ secrets.AZ_APPID }}
-      AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
-      AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+      AZ_APPID2: ${{ secrets.AZ_APPID2 }}
+      AZ_TENANT_ID2: ${{ secrets.AZ_TENANT_ID2 }}
+      AZ_SUBSCRIPTION_ID2: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
      ITA_KEY: ${{ secrets.ITA_KEY }}

  run-k8s-tests-on-zvsi:
--- a/.github/workflows/cleanup-resources.yaml
+++ b/.github/workflows/cleanup-resources.yaml
@@ -23,9 +23,9 @@ jobs:
      - name: Log into Azure
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Install Python dependencies
        run: |
@@ -35,6 +35,6 @@ jobs:

      - name: Cleanup resources
        env:
-          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}
          CLEANUP_AFTER_HOURS: 24 # Clean up resources created more than this many hours ago.
        run: python3 tests/cleanup_resources.py
--- a/.github/workflows/run-k8s-tests-on-aks.yaml
+++ b/.github/workflows/run-k8s-tests-on-aks.yaml
@@ -26,11 +26,11 @@ on:
        default: ""
    secrets:

-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true


@@ -102,9 +102,9 @@ jobs:
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Create AKS cluster
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -142,9 +142,9 @@ jobs:
        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Delete AKS cluster
        if: always()
--- a/.github/workflows/run-kata-coco-stability-tests.yaml
+++ b/.github/workflows/run-kata-coco-stability-tests.yaml
@@ -26,11 +26,11 @@ on:
        type: string
    secrets:

-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true
@@ -98,9 +98,9 @@ jobs:
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Create AKS cluster
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -150,9 +150,9 @@ jobs:
        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Delete AKS cluster
        if: always()
--- a/.github/workflows/run-kata-coco-tests.yaml
+++ b/.github/workflows/run-kata-coco-tests.yaml
@@ -31,11 +31,11 @@ on:
    secrets:
      AUTHENTICATED_IMAGE_PASSWORD:
        required: true
-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true
      ITA_KEY:
        required: true
--- a/.github/workflows/run-kata-deploy-tests-on-aks.yaml
+++ b/.github/workflows/run-kata-deploy-tests-on-aks.yaml
@@ -22,11 +22,11 @@ on:
        type: string
        default: ""
    secrets:
-      AZ_APPID:
+      AZ_APPID2:
        required: true
-      AZ_TENANT_ID:
+      AZ_TENANT_ID2:
       required: true
-      AZ_SUBSCRIPTION_ID:
+      AZ_SUBSCRIPTION_ID2:
        required: true

 permissions: {}
@@ -77,9 +77,9 @@ jobs:
      - name: Log into the Azure account
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Create AKS cluster
        uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
@@ -112,9 +112,9 @@ jobs:
        if: always()
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
-          client-id: ${{ secrets.AZ_APPID }}
-          tenant-id: ${{ secrets.AZ_TENANT_ID }}
-          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID }}
+          client-id: ${{ secrets.AZ_APPID2 }}
+          tenant-id: ${{ secrets.AZ_TENANT_ID2 }}
+          subscription-id: ${{ secrets.AZ_SUBSCRIPTION_ID2 }}

      - name: Delete AKS cluster
        if: always()
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/runtimeclasses.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/templates/runtimeclasses.yaml
@@ -26,10 +26,22 @@ handler: kata-{{ .shim }}-{{ .root.Values.env.multiInstallSuffix }}
 {{- else }}
 handler: kata-{{ .shim }}
 {{- end }}
+{{- /* Overhead section - controlled by global or per-shim overheadEnabled flag (default: true) */ -}}
+{{- $shimOverheadEnabled := true -}}
+{{- if hasKey .root.Values.runtimeClasses "overheadEnabled" -}}
+{{- $shimOverheadEnabled = .root.Values.runtimeClasses.overheadEnabled -}}
+{{- end -}}
+{{- with .shimConfig.runtimeClass -}}
+{{- if hasKey . "overheadEnabled" -}}
+{{- $shimOverheadEnabled = .overheadEnabled -}}
+{{- end -}}
+{{- end -}}
+{{- if $shimOverheadEnabled }}
 overhead:
  podFixed:
    memory: {{ .config.memory | quote }}
    cpu: {{ .config.cpu | quote }}
+{{- end }}
 scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"
--- a/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
+++ b/tools/packaging/kata-deploy/helm-chart/kata-deploy/values.yaml
@@ -69,6 +69,7 @@ snapshotter:
 #       runtimeClass:
 #         nodeSelector:              # extra node selectors added to the RuntimeClass
 #           example.io/feature: "true"
+#         overheadEnabled: true      # enable/disable overhead in RuntimeClass (default: inherits from runtimeClasses.overheadEnabled)
 #         overhead:                  # override pod overhead (falls back to built-in defaults)
 #           memory: "160Mi"
 #           cpu: "250m"
@@ -344,6 +345,10 @@ runtimeClasses:
  enabled: true
  createDefault: false
  defaultName: "kata"
+  # Global switch for overhead in all RuntimeClasses (default: true)
+  # Set to false to disable overhead for all shims globally.
+  # Individual shims can override this via shims.<name>.runtimeClass.overheadEnabled
+  overheadEnabled: true

 env:
  installationPrefix: ""
Author	SHA1	Message	Date
Aurélien Bombo	29d238d676	fix Signed-off-by: Aurélien Bombo <abombo@microsoft.com>	2026-04-10 13:31:30 -05:00
Aurélien Bombo	e692f9f7a1	cont: fix secret passing Signed-off-by: Aurélien Bombo <abombo@microsoft.com>	2026-04-10 13:01:26 -05:00
Aurélien Bombo	e8edef1c92	ci: test new Azure creds Signed-off-by: Aurélien Bombo <abombo@microsoft.com>	2026-04-10 12:07:51 -05:00
Fabiano Fidêncio	1d77c4e60f	Merge pull request #12752 from LizZhang315/add-overheadEnabled helm: add overheadEnabled switch for runtimeclass	2026-04-10 16:40:42 +02:00
LizZhang315	2312f67c9b	helm: add overheadEnabled switch for runtimeclass Add a global and per-shim configurable switch to enable/disable the overhead section in generated RuntimeClasses. This allows users to omit overhead when it's not needed or managed externally. Priority: per-shim > global > default(true). Signed-off-by: LizZhang315 <123134987@qq.com>	2026-04-10 10:26:11 +02:00