name: CI | Run kata coco tests on: workflow_call: inputs: registry: required: true type: string repo: required: true type: string tag: required: true type: string pr-number: required: true type: string commit-hash: required: false type: string target-branch: required: false type: string default: "" jobs: run-k8s-tests-on-tdx: strategy: fail-fast: false matrix: vmm: - qemu-tdx snapshotter: - nydus pull-type: - guest-pull runs-on: tdx env: DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REPO: ${{ inputs.repo }} DOCKER_TAG: ${{ inputs.tag }} PR_NUMBER: ${{ inputs.pr-number }} KATA_HYPERVISOR: ${{ matrix.vmm }} KUBERNETES: "vanilla" USING_NFD: "true" KBS: "true" K8S_TEST_HOST_TYPE: "baremetal" KBS_INGRESS: "nodeport" SNAPSHOTTER: ${{ matrix.snapshotter }} PULL_TYPE: ${{ matrix.pull-type }} AUTHENTICATED_IMAGE_USER: ${{ secrets.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} steps: - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: Deploy Snapshotter timeout-minutes: 5 run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter - name: Deploy Kata timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-tdx - name: Uninstall previous `kbs-client` timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client - name: Deploy CoCo KBS timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs - name: Install `kbs-client` timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client - name: Run tests timeout-minutes: 50 run: bash tests/integration/kubernetes/gha-run.sh run-tests - name: Delete kata-deploy if: always() run: bash tests/integration/kubernetes/gha-run.sh cleanup-tdx - name: Delete Snapshotter if: always() run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter - name: Delete CoCo KBS if: always() run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs run-k8s-tests-on-sev: strategy: fail-fast: false matrix: vmm: - qemu-sev snapshotter: - nydus pull-type: - guest-pull runs-on: sev env: DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REPO: ${{ inputs.repo }} DOCKER_TAG: ${{ inputs.tag }} PR_NUMBER: ${{ inputs.pr-number }} KATA_HYPERVISOR: ${{ matrix.vmm }} KUBECONFIG: /home/kata/.kube/config KUBERNETES: "vanilla" USING_NFD: "false" K8S_TEST_HOST_TYPE: "baremetal" SNAPSHOTTER: ${{ matrix.snapshotter }} PULL_TYPE: ${{ matrix.pull-type }} AUTHENTICATED_IMAGE_USER: ${{ secrets.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} steps: - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: Deploy Snapshotter timeout-minutes: 5 run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter - name: Deploy Kata timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-sev - name: Run tests timeout-minutes: 50 run: bash tests/integration/kubernetes/gha-run.sh run-tests - name: Delete kata-deploy if: always() run: bash tests/integration/kubernetes/gha-run.sh cleanup-sev - name: Delete Snapshotter if: always() run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter run-k8s-tests-sev-snp: strategy: fail-fast: false matrix: vmm: - qemu-snp snapshotter: - nydus pull-type: - guest-pull runs-on: sev-snp env: DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REPO: ${{ inputs.repo }} DOCKER_TAG: ${{ inputs.tag }} PR_NUMBER: ${{ inputs.pr-number }} KATA_HYPERVISOR: ${{ matrix.vmm }} KUBECONFIG: /home/kata/.kube/config KUBERNETES: "vanilla" USING_NFD: "false" KBS: "true" KBS_INGRESS: "nodeport" K8S_TEST_HOST_TYPE: "baremetal" SNAPSHOTTER: ${{ matrix.snapshotter }} PULL_TYPE: ${{ matrix.pull-type }} AUTHENTICATED_IMAGE_USER: ${{ secrets.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} steps: - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: Deploy Snapshotter timeout-minutes: 5 run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter - name: Deploy Kata timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-snp - name: Uninstall previous `kbs-client` timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh uninstall-kbs-client - name: Deploy CoCo KBS timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs - name: Install `kbs-client` timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client - name: Run tests timeout-minutes: 50 run: bash tests/integration/kubernetes/gha-run.sh run-tests - name: Delete kata-deploy if: always() run: bash tests/integration/kubernetes/gha-run.sh cleanup-snp - name: Delete Snapshotter if: always() run: bash tests/integration/kubernetes/gha-run.sh cleanup-snapshotter - name: Delete CoCo KBS if: always() run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs # Generate jobs for testing CoCo on non-TEE environments run-k8s-tests-coco-nontee: strategy: fail-fast: false matrix: vmm: - qemu-coco-dev snapshotter: - nydus pull-type: - guest-pull runs-on: ubuntu-22.04 env: DOCKER_REGISTRY: ${{ inputs.registry }} DOCKER_REPO: ${{ inputs.repo }} DOCKER_TAG: ${{ inputs.tag }} GH_PR_NUMBER: ${{ inputs.pr-number }} KATA_HOST_OS: ${{ matrix.host_os }} KATA_HYPERVISOR: ${{ matrix.vmm }} # Some tests rely on that variable to run (or not) KBS: "true" # Set the KBS ingress handler (empty string disables handling) KBS_INGRESS: "aks" KUBERNETES: "vanilla" PULL_TYPE: ${{ matrix.pull-type }} AUTHENTICATED_IMAGE_USER: ${{ secrets.AUTHENTICATED_IMAGE_USER }} AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }} SNAPSHOTTER: ${{ matrix.snapshotter }} USING_NFD: "false" steps: - uses: actions/checkout@v4 with: ref: ${{ inputs.commit-hash }} fetch-depth: 0 - name: Rebase atop of the latest target branch run: | ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch" env: TARGET_BRANCH: ${{ inputs.target-branch }} - name: Download Azure CLI run: bash tests/integration/kubernetes/gha-run.sh install-azure-cli - name: Log into the Azure account run: bash tests/integration/kubernetes/gha-run.sh login-azure env: AZ_APPID: ${{ secrets.AZ_APPID }} AZ_PASSWORD: ${{ secrets.AZ_PASSWORD }} AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }} AZ_SUBSCRIPTION_ID: ${{ secrets.AZ_SUBSCRIPTION_ID }} - name: Create AKS cluster timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh create-cluster - name: Install `bats` run: bash tests/integration/kubernetes/gha-run.sh install-bats - name: Install `kubectl` run: bash tests/integration/kubernetes/gha-run.sh install-kubectl - name: Download credentials for the Kubernetes CLI to use them run: bash tests/integration/kubernetes/gha-run.sh get-cluster-credentials - name: Deploy Snapshotter timeout-minutes: 5 run: bash tests/integration/kubernetes/gha-run.sh deploy-snapshotter - name: Deploy Kata timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-kata-aks - name: Deploy CoCo KBS timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs - name: Install `kbs-client` timeout-minutes: 10 run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client - name: Run tests timeout-minutes: 60 run: bash tests/integration/kubernetes/gha-run.sh run-tests - name: Delete AKS cluster if: always() run: bash tests/integration/kubernetes/gha-run.sh delete-cluster