We were doing "if - else if - else", while bash expects "if - elif -
else", and that should never have happened in the first place, but it
happend as part of b8b73939eaFixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will help folks to debug / understand what's been passed to the
kata-deploy.sh script.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's allow the daemonset to create the runtimeclasses, which will
decrease one manual step a user of kata-deploy should take, and also
help us in the Confidential Containers land as the Operator can just
delegate it to this script.
Fixes: #7409
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This can be easily done as there was no official release with the
previous values.
The reason we're doing so is because when using `yq` to replace the
value, even when forcing `--tag '!!str' "yes"`, the content is placed
without quotes, causing errors in our CI.
While here, we're also removing the fallback value for DEBUG, as it is
**always** set in the kata-deploy.yaml file.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will make things simpler to only create the handlers defined by the
kata-deploy user.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This will become handy in the near future, as we want to have separate
enrties for each file, while still keeping this one.
Having the entries sorted will make our lives easier to test those are
always in sync.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
On main we will not have this problem as we can easily configure which
shims will be installed according to an environment variable passed to
the kata-deploy.yaml file.
However, on CCV0, at least for now, we better keep the list of shims
separated by architecture, as we've found out that s390x CoCo Operator
CI is breaking because we try to install a shim that's not even built
for that architecture (dragonball).
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
This is another piece that got dropped as part of
6f552b010c and is causing regressions on
the operator tests.
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We need the executable bit set because it is preserved into the
runtime-payload-ci image.
Fixes: #7460
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
This is to change a prefix from `confidential-containers` to `kata` for IBM SE image build.
Fixes: #7444
Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
Now that the shim-v2 for CCv0 has been rebuilt with the correct path,
let's re-enable the cache.
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's re-enabled caching for the following components, as those were
rebuilt with the new prefix:
* cc-rootfs-image
* cc-rootfs-initrd
* cc-tdx-rootfs-image
* cc-tdx-td-shim
* cc-sev-rootfs-initrd
"cc-se-image" was part of the list, but we never had a target for it.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We should not return, in case cache is not used, before actually
downloading the root_hash_*.txt provided by the other components,
otherwise the job used to do the caching will always fail.
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Otherwise we'd have to build the component every single time as the main
version is different from the CC one.
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Otherwise we'd have to build the component every single time as the main
version is different from the CC one.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Otherwise we'd have to build the component every single time as the main
version is different from the CC one.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Otherwise we'd have to build the component every single time as the main
version is different from the CC one.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
kata-deploy-binaries.sh uses the last commit in
tools/packaging/static-build/kernel for its version check, while the cache
generation uses tools/packaging/kernel. Use tools/packaging/static-build/kernel
as $kata_config_version is already part of the version string and covers any
changes to tools/packaging/kernel.
Fixes: #7403
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
The SEV kernel cache calls create_cache_asset() twice, once for the kernel and
once for modules. Both calls need to use the same version string, otherwise the
second call overwrites the "latest" file of the first one and the cache is not
used.
Fixes: #7403
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
Instead of hardcoding shims as part of the script, let's ensure we can
allow them to be created based on environment variables passed to the
daemonset.
This change brings no functionality change as the default values in the
daemonset are exactly what has been used as part of the scripts.
Fixes: #7407
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
`module_dir` has been passed to the function but was never assigned to a
var, leading to errors when trying to use it.
Fixes: #7416
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
(cherry picked from commit d4eba36980)
We must use "edk2-staging-tdx" instead of "edk2-tdx". The reason for
that is versions diverging between main and CCv0.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
As we're building SEV kernel from the main branch, we can stop relying
on the path produced by the one from the CCv0 branch (which is now
removed).
Fixes: #7422
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's just rely on whatever we have on main. The big execption here is
TDVF, but we have a big note saying to not update the version n this
branch.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We can just rely on the hypervisors builds from `main`, with the TDX one
being the only discrepancy here.
However, we have a big note in the versions.yaml to **not** update the
TDX hypervisor versions on this branch, so we should be good.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
`module_dir` has been passed to the function but was never assigned to a
var, leading to errors when trying to use it.
Fixes: #7416
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
kata-debug is a tool that is used as part of the Kata Containers CI to gather
information from the node, in order to help debugging issues with Kata
Containers.
As one can imagine, this can be expanded and used outside of the CI context,
and any contribution back to the script is very much welcome.
The resulting container is stored at the [Kata Containers quay.io
space](https://quay.io/repository/kata-containers/kata-debug) and can
be used as shown below:
```sh
kubectl debug $NODE_NAME -it --image=quay.io/kata-containers/kata-debug:latest
```
Fixes: #7397
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We need to correctly get the full path of the versions.yaml file as part
of the merge-builds.sh script, as we do a `pushd` there and that leads
to a fail merging the artefacts as the `versions.yaml` file does not
exists in that path.
Fixes: #7405
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Any change in the script used to build the kernel should invalidate the
cache.
Fixes: #7403
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
Let's make things simpler to figure out which version of Kata
Containers has been deployed, and also which artefacts come with it.
This will help us immensely in the future, for the TEEs use case, so we
can easily know whether we can deploy a specific guest kernel for a
specific host kernel.
Fixes: #7394
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
We've not been using nor shipping this kernel for a very long time.
Regardless, we're leaving behind the logic in the kernel scripts to
build it, in case it becomes necessary in the future.
Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
The k8s.gcr.io is deprecated for a while now and has been redirected to
registry.k8s.io. However on some bare-metal machines in our testing
pools that redirection is not working, so let's just replace the
registries.
Fixes#6461
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
