confidential-containers
diff --git a/‎.github/actions/install-chart/action.yaml‎
Lines changed: 92 additions & 0 deletions b/‎.github/actions/install-chart/action.yaml‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎.github/actions/run-test-pod/action.yaml‎
Lines changed: 141 additions & 0 deletions b/‎.github/actions/run-test-pod/action.yaml‎
Lines changed: 141 additions & 0 deletions
diff --git a/‎.github/actions/setup-k8s-k0s/action.yaml‎
Lines changed: 64 additions & 0 deletions b/‎.github/actions/setup-k8s-k0s/action.yaml‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎.github/actions/setup-k8s-k3s/action.yaml‎
Lines changed: 58 additions & 0 deletions b/‎.github/actions/setup-k8s-k3s/action.yaml‎
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,92 @@
+name: Install Helm Chart
+description: Install the Confidential Containers Helm chart with various configurations
+
+inputs:
+  release-name:
+    description: 'Helm release name'
+    required: false
+    default: 'coco'
+  namespace:
+    description: 'Kubernetes namespace'
+    required: false
+    default: 'kube-system'
+  extra-args:
+    description: 'Extra Helm install arguments (e.g., --set flags)'
+    required: false
+    default: ''
+  values-file:
+    description: 'Path to values file (optional)'
+    required: false
+    default: ''
+  wait-timeout:
+    description: 'Timeout for helm install --wait'
+    required: false
+    default: '15m'
+
+outputs:
+  installed:
+    description: 'Whether installation succeeded'
+    value: ${{ steps.install.outputs.result }}
+
+runs:
+  using: composite
+  steps:
+    - name: Update Helm dependencies
+      shell: bash
+      run: |
+        echo "📦 Updating Helm dependencies..."
+        helm dependency update
+        echo "✅ Dependencies updated"
+
+    - name: Validate chart
+      shell: bash
+      run: |
+        echo "🔍 Validating chart..."
+        helm lint .
+        echo "✅ Chart is valid"
+
+    - name: Install chart
+      id: install
+      shell: bash
+      run: |
+        echo "🚀 Installing chart: ${{ inputs.release-name }}"
+        echo "   Namespace: ${{ inputs.namespace }}"
+        echo "   Extra args: ${{ inputs.extra-args }}"
+        if [ -n "${{ inputs.values-file }}" ]; then
+          echo "   Values file: ${{ inputs.values-file }}"
+        fi
+        
+        INSTALL_CMD="helm install ${{ inputs.release-name }} . \
+          --namespace ${{ inputs.namespace }} \
+          --create-namespace \
+          --wait \
+          --timeout ${{ inputs.wait-timeout }} \
+          --debug"
+        
+        if [ -n "${{ inputs.values-file }}" ]; then
+          INSTALL_CMD="$INSTALL_CMD -f ${{ inputs.values-file }}"
+        fi
+        
+        if [ -n "${{ inputs.extra-args }}" ]; then
+          INSTALL_CMD="$INSTALL_CMD ${{ inputs.extra-args }}"
+        fi
+        
+        echo "Running: $INSTALL_CMD"
+        
+        if eval $INSTALL_CMD; then
+          echo "✅ Chart installed successfully"
+          echo "result=success" >> $GITHUB_OUTPUT
+        else
+          echo "❌ Chart installation failed"
+          echo "result=failed" >> $GITHUB_OUTPUT
+          exit 1
+        fi
+
+    - name: Show installation status
+      shell: bash
+      run: |
+        echo "📊 Installation status for ${{ inputs.release-name }}:"
+        helm list -n ${{ inputs.namespace }}
+        echo ""
+        echo "📋 Kubernetes resources:"
+        kubectl get all -n ${{ inputs.namespace }} -l app.kubernetes.io/instance=${{ inputs.release-name }}
@@ -0,0 +1,141 @@
+name: Run Test Pod
+description: Deploy and verify a test pod using Kata runtime
+
+inputs:
+  runtime-class:
+    description: 'RuntimeClass to use for the test pod'
+    required: true
+  namespace:
+    description: 'Kubernetes namespace for test pod'
+    required: false
+    default: 'default'
+  pod-name:
+    description: 'Name of the test pod'
+    required: false
+    default: 'kata-test-pod'
+  timeout:
+    description: 'Timeout for pod to become ready'
+    required: false
+    default: '5m'
+
+outputs:
+  pod-status:
+    description: 'Final status of the test pod'
+    value: ${{ steps.check-status.outputs.status }}
+
+runs:
+  using: composite
+  steps:
+    - name: Create test pod
+      shell: bash
+      run: |
+        echo "🚀 Creating test pod with RuntimeClass: ${{ inputs.runtime-class }}"
+        
+        cat > /tmp/test-pod.yaml <<EOF
+        apiVersion: v1
+        kind: Pod
+        metadata:
+          name: ${{ inputs.pod-name }}
+          namespace: ${{ inputs.namespace }}
+          labels:
+            app: kata-test
+        spec:
+          runtimeClassName: ${{ inputs.runtime-class }}
+          containers:
+          - name: test
+            image: docker.io/library/busybox:latest
+            command: ['sh', '-c', 'echo "Hello from Kata Containers!" && sleep 30']
+          restartPolicy: Never
+        EOF
+        
+        kubectl apply -f /tmp/test-pod.yaml
+        echo "✅ Test pod created"
+
+    - name: Wait for pod
+      shell: bash
+      run: |
+        echo "⏳ Waiting for pod to start (timeout: ${{ inputs.timeout }})..."
+        
+        # Wait for pod to be scheduled
+        for i in {1..30}; do
+          POD_PHASE=$(kubectl get pod ${{ inputs.pod-name }} -n ${{ inputs.namespace }} -o jsonpath='{.status.phase}' 2>/dev/null || echo "NotFound")
+          echo "  Attempt $i/30: Pod phase is: $POD_PHASE"
+          
+          if [ "$POD_PHASE" = "Running" ] || [ "$POD_PHASE" = "Succeeded" ]; then
+            echo "✅ Pod is in $POD_PHASE state"
+            break
+          elif [ "$POD_PHASE" = "Failed" ]; then
+            echo "❌ Pod failed"
+            break
+          fi
+          
+          sleep 10
+        done
+
+    - name: Check pod status
+      id: check-status
+      shell: bash
+      run: |
+        echo "🔍 Checking final pod status..."
+        
+        kubectl get pod ${{ inputs.pod-name }} -n ${{ inputs.namespace }}
+        
+        POD_PHASE=$(kubectl get pod ${{ inputs.pod-name }} -n ${{ inputs.namespace }} -o jsonpath='{.status.phase}')
+        
+        echo ""
+        echo "Pod phase: $POD_PHASE"
+        
+        if [ "$POD_PHASE" = "Running" ] || [ "$POD_PHASE" = "Succeeded" ]; then
+          echo "✅ Pod reached $POD_PHASE state successfully"
+          echo "status=success" >> $GITHUB_OUTPUT
+        else
+          echo "❌ Pod did not reach Running/Succeeded state (current: $POD_PHASE)"
+          echo "status=failed" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Show pod details
+      shell: bash
+      run: |
+        echo "📋 Pod details:"
+        kubectl describe pod ${{ inputs.pod-name }} -n ${{ inputs.namespace }}
+
+    - name: Show pod logs
+      shell: bash
+      run: |
+        echo "📋 Pod logs:"
+        kubectl logs ${{ inputs.pod-name }} -n ${{ inputs.namespace }} || echo "No logs available yet"
+
+    - name: Verify Kata runtime is used
+      shell: bash
+      run: |
+        echo "🔍 Verifying Kata runtime is actually being used..."
+        
+        # Get the node the pod is running on
+        NODE=$(kubectl get pod ${{ inputs.pod-name }} -n ${{ inputs.namespace }} -o jsonpath='{.spec.nodeName}')
+        echo "Pod is running on node: $NODE"
+        
+        # In kind, we can check the container runtime via docker
+        if command -v docker &> /dev/null; then
+          echo ""
+          echo "Container processes on the node:"
+          docker exec ${NODE} ps aux | grep -E "containerd|qemu" | head -10 || true
+        fi
+        
+        # Check RuntimeClass in pod spec
+        RUNTIME_CLASS=$(kubectl get pod ${{ inputs.pod-name }} -n ${{ inputs.namespace }} -o jsonpath='{.spec.runtimeClassName}')
+        echo ""
+        echo "Pod RuntimeClass: $RUNTIME_CLASS"
+        
+        if [ "$RUNTIME_CLASS" = "${{ inputs.runtime-class }}" ]; then
+          echo "✅ Pod is using the correct RuntimeClass"
+        else
+          echo "⚠️  Pod RuntimeClass mismatch"
+        fi
+
+    - name: Cleanup test pod
+      if: always()
+      shell: bash
+      run: |
+        echo "🗑️  Cleaning up test pod..."
+        kubectl delete pod ${{ inputs.pod-name }} -n ${{ inputs.namespace }} --ignore-not-found=true
+        echo "✅ Test pod cleaned up"
@@ -0,0 +1,64 @@
+name: 'Setup K0s Kubernetes'
+description: 'Install K0s Kubernetes distribution'
+inputs:
+  extra-params:
+    description: 'Extra parameters to pass to k0s install'
+    required: false
+    default: ''
+runs:
+  using: 'composite'
+  steps:
+    - name: Install K0s
+      shell: bash
+      run: |
+        echo "📦 Installing K0s..."
+        curl -sSLf https://get.k0s.sh | sudo sh
+        
+        # Install k0s controller
+        sudo k0s install controller --single ${{ inputs.extra-params }}
+        
+        # kube-router uses :8080 for metrics, which causes issues in k0s 1.30.0+
+        # Change metricsPort to :9999 to avoid conflicts
+        sudo mkdir -p /etc/k0s
+        k0s config create | sudo tee /etc/k0s/k0s.yaml
+        sudo sed -i -e "s/metricsPort: 8080/metricsPort: 9999/g" /etc/k0s/k0s.yaml
+        
+        sudo k0s start
+        
+        echo "⏳ Waiting for K0s to be ready..."
+        sleep 120
+    
+    - name: Setup kubectl
+      shell: bash
+      run: |
+        echo "🔧 Setting up kubectl..."
+        
+        # Download the kubectl binary into /usr/bin
+        ARCH=$(uname -m)
+        case "${ARCH}" in
+          x86_64) ARCH="amd64" ;;
+          aarch64) ARCH="arm64" ;;
+        esac
+        
+        kubectl_version=$(sudo k0s kubectl version 2>/dev/null | grep "Client Version" | sed -e 's/Client Version: //')
+        sudo curl -fL --progress-bar -o /usr/bin/kubectl https://dl.k8s.io/release/"${kubectl_version}"/bin/linux/"${ARCH}"/kubectl
+        sudo chmod +x /usr/bin/kubectl
+        
+        mkdir -p ~/.kube
+        sudo cp /var/lib/k0s/pki/admin.conf ~/.kube/config
+        sudo chown "${USER}":"${USER}" ~/.kube/config
+        
+        echo "✅ kubectl installed: $(kubectl version --client --short)"
+    
+    - name: Verify cluster
+      shell: bash
+      run: |
+        echo "🔍 Verifying K0s cluster..."
+        kubectl get nodes
+        kubectl get pods -A
+        
+        # Wait for system pods to be ready
+        echo "⏳ Waiting for system pods..."
+        kubectl wait --for=condition=Ready pods --all -n kube-system --timeout=5m || true
+        
+        echo "✅ K0s cluster is ready!"
@@ -0,0 +1,58 @@
+name: 'Setup K3s Kubernetes'
+description: 'Install K3s Kubernetes distribution'
+inputs:
+  extra-params:
+    description: 'Extra parameters to pass to k3s installer'
+    required: false
+    default: ''
+runs:
+  using: 'composite'
+  steps:
+    - name: Install K3s
+      shell: bash
+      run: |
+        echo "📦 Installing K3s..."
+        curl -sfL https://get.k3s.io | sh -s - --write-kubeconfig-mode 644 ${{ inputs.extra-params }}
+        
+        echo "⏳ Waiting for K3s to be ready..."
+        sleep 120
+    
+    - name: Setup kubectl
+      shell: bash
+      run: |
+        echo "🔧 Setting up kubectl..."
+        
+        # Download the kubectl binary into /usr/bin and remove /usr/local/bin/kubectl
+        # We need to do this to avoid hitting issues like:
+        # error: open /etc/rancher/k3s/k3s.yaml.lock: permission denied
+        # Which happens because k3s links `/usr/local/bin/kubectl` to `/usr/local/bin/k3s`,
+        # and that does extra stuff that vanilla `kubectl` doesn't do.
+        
+        ARCH=$(uname -m)
+        case "${ARCH}" in
+          x86_64) ARCH="amd64" ;;
+          aarch64) ARCH="arm64" ;;
+        esac
+        
+        kubectl_version=$(/usr/local/bin/k3s kubectl version --client=true 2>/dev/null | grep "Client Version" | sed -e 's/Client Version: //' -e 's/+k3s[0-9]\+//')
+        sudo curl -fL --progress-bar -o /usr/bin/kubectl https://dl.k8s.io/release/"${kubectl_version}"/bin/linux/"${ARCH}"/kubectl
+        sudo chmod +x /usr/bin/kubectl
+        sudo rm -rf /usr/local/bin/kubectl
+        
+        mkdir -p ~/.kube
+        cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
+        
+        echo "✅ kubectl installed: $(kubectl version --client --short)"
+    
+    - name: Verify cluster
+      shell: bash
+      run: |
+        echo "🔍 Verifying K3s cluster..."
+        kubectl get nodes
+        kubectl get pods -A
+        
+        # Wait for system pods to be ready
+        echo "⏳ Waiting for system pods..."
+        kubectl wait --for=condition=Ready pods --all -n kube-system --timeout=5m
+        
+        echo "✅ K3s cluster is ready!"