CCv0: Merge main into CCv0 branch

[stevenhorsman]

Merge remote-tracking branch 'upstream/main' into CCv0

Fixes: #5691 Depends-on: github.com/kata-containers/kata-containers#7134

Signed-off-by: stevenhorsman steven@uk.ibm.com

[stevenhorsman]

git diff --stat upstream/main -- . ':!*/vendor/*'
 .ci/ci_job_flags.sh                                |  63 ++-
 .ci/configure_containerd_for_kata.sh               |   4 +
 .ci/configure_crio_for_kata.sh                     |   3 +
 .ci/install_cloud_hypervisor.sh                    |   8 +-
 .ci/install_cni_plugins.sh                         |   2 +-
 .ci/install_kata.sh                                |  20 +
 .ci/install_kata_image.sh                          |  37 +-
 .ci/install_kata_kernel.sh                         |  28 +-
 .ci/install_ovmf_sev.sh                            |  28 ++
 .ci/install_qemu.sh                                |  24 +-
 .ci/install_runtime.sh                             |  71 +--
 .ci/install_td_shim.sh                             |  25 +
 .ci/install_tdvf.sh                                |  24 +
 .ci/install_virtiofsd.sh                           |   2 +-
 .ci/jenkins_job_build.sh                           |  10 +-
 .ci/lib.sh                                         |  40 +-
 .ci/resolve-kata-dependencies.sh                   |  44 +-
 .ci/run.sh                                         |  24 +-
 .ci/setup.sh                                       |   1 +
 .ci/setup_env_ubuntu.sh                            |   4 +-
 .ci/static-checks.sh                               |   9 +-
 .github/workflows/commit-message-check.yaml        |   4 +-
 Makefile                                           |  21 +-
 README.md                                          |  10 +-
 cmd/check-spelling/data/projects.txt               |   1 +
 cmd/github-labels/labels.yaml.in                   |   4 +-
 cmd/pmemctl/pmemctl.sh                             |   2 +-
 functional/kata-monitor/run.sh                     |   1 +
 .../s390x/aa-offline_fs_kbc-resources.json         |   4 +
 .../x86_64/aa-offline_fs_kbc-resources.json        |   4 +
 .../aa-offline_fs_kbc-resources.json.in            |  12 +
 .../fixtures/offline-fs-kbc/auth.json.in           |   7 +
 .../s390x/aa-offline_fs_kbc-resources.json         |   8 +
 .../x86_64/aa-offline_fs_kbc-resources.json        |   8 +
 .../fixtures/quay_verification/s390x/public.gpg    |  41 ++
 .../quay_verification/s390x/signatures.tar         | Bin 0 -> 1930 bytes
 .../fixtures/quay_verification/x86_64/public.gpg   |  30 ++
 .../quay_verification/x86_64/signatures.tar        | Bin 0 -> 2157 bytes
 .../fixtures/registries.d/quay.io.yaml             |   4 +
 integration/confidential/lib.sh                    | 355 ++++++++++++++
 integration/containerd/confidential/agent_api.bats |  82 ++++
 .../containerd/confidential/agent_image.bats       | 148 ++++++
 integration/containerd/confidential/asserts.sh     |  77 +++
 .../fixtures/agent-configuration-no-exec.toml      |  46 ++
 .../confidential/fixtures/container-config.yaml    |  11 +
 .../fixtures/container-config_authenticated.yaml   |   9 +
 .../fixtures/container-config_cosigned-other.yaml  |  11 +
 .../fixtures/container-config_cosigned.yaml        |  11 +
 .../container-config_signed-protected-other.yaml   |  11 +
 .../container-config_unsigned-protected.yaml       |  11 +
 .../container-config_unsigned-unprotected.yaml     |  11 +
 .../confidential/fixtures/pod-config.yaml.in       |  12 +
 integration/containerd/confidential/lib.sh         | 163 +++++++
 integration/containerd/confidential/run_tests.sh   |  21 +
 .../containerd/confidential/tests_common.sh        | 106 ++++
 integration/containerd/cri/integration-tests.sh    |  12 +-
 integration/kubernetes/cleanup_bare_metal_env.sh   |   3 +
 .../kubernetes/confidential/agent_image.bats       | 243 +++++++++
 .../confidential/agent_image_encrypted.bats        |  81 +++
 .../confidential/fixtures/pod-config.yaml.in       |  14 +
 .../confidential/fixtures/service.yaml.in          |  35 ++
 integration/kubernetes/confidential/lib.sh         | 120 +++++
 integration/kubernetes/confidential/sev.bats       | 541 +++++++++++++++++++++
 integration/kubernetes/e2e_conformance/setup.sh    |   2 +-
 integration/kubernetes/tests_common.sh             |   0
 integration/nydus/nydus-sandbox.yaml               |   1 +
 integration/nydus/nydus_tests.sh                   |   2 +
 lib/common.bash                                    | 158 ++++++
 versions.yaml                                      |   7 +-
 69 files changed, 2844 insertions(+), 92 deletions(-)

[stevenhorsman]

/test

[stevenhorsman]

/test

[stevenhorsman]

/test-tdx

[stevenhorsman]

/test

[stevenhorsman]

/test-tdx

[stevenhorsman]

@arronwy - are you able to check if the tdx failures here are caused by bad code in the merge, or infrastructure problems and give any details of the failure if it is the former. Thanks!

[stevenhorsman]

/test

[stevenhorsman]

/test

[stevenhorsman]

/test-fc

[wainersm]

jenkins-ci-ubuntu-20.04_snp-x86_64-cc_snp_cri_containerd_k8s should be ignored.

The firecracker issue, it is not strange I feel I have saw that before. I am trying to remember...

[wainersm]

/test-fc

[stevenhorsman]

jenkins-ci-ubuntu-20.04_snp-x86_64-cc_snp_cri_containerd_k8s should be ignored.

The firecracker issue, it is not strange I feel I have saw that before. I am trying to remember...

I can try unbumping the version to see if that helps, but assuming it passes in main then I'm not sure that would be an issue?

[wainersm]

jenkins-ci-ubuntu-20.04_snp-x86_64-cc_snp_cri_containerd_k8s should be ignored. The firecracker issue, it is not strange I feel I have saw that before. I am trying to remember...

I can try unbumping the version to see if that helps, but assuming it passes in main then I'm not sure that would be an issue?

@ananos mentioned on slack it might be this https://github.com/kata-containers/kata-containers/pull/7042 . I suggested to have the fc job non-required until we fix it.