Revert "values: simplify shim config using disableAll option"

beraldoleal · fidencio · commit a5b259c28473 · 2026-02-05T18:38:01.000+01:00
This reverts commit 5da715f. disableAll doesn't work correctly with Helm overrides. The option causes RuntimeClass leaks when using Helm value overrides due to deep merge behavior. Reverting to explicit shim disables. Related: #52 Signed-off-by: Beraldo Leal <bleal@redhat.com>
diff --git a/values.yaml b/values.yaml
@@ -91,9 +91,8 @@ kata-as-coco-runtime:
     setup: ["nydus"]
 
   # TEE (Trusted Execution Environment) shims configuration
-  # Only enable the shims we want to expose
+  # Only enable the shims we want to expose, explicitly disable all others
   shims:
-    disableAll: true
     # Enabled shims - TEE shims we want to expose
     qemu-snp:
       enabled: true
@@ -181,6 +180,25 @@ kata-as-coco-runtime:
         httpsProxy: ""
         noProxy: ""
 
+    # Kata runtimes that are not for TEE
+    clh:
+      enabled: false
+
+    cloud-hypervisor:
+      enabled: false
+
+    dragonball:
+      enabled: false
+
+    fc:
+      enabled: false
+
+    qemu:
+      enabled: false
+
+    qemu-runtime-rs:
+      enabled: false
+
   # RuntimeClasses configuration
   runtimeClasses:
     enabled: true
diff --git a/values/kata-alibabacloud-tdx.yaml b/values/kata-alibabacloud-tdx.yaml
@@ -16,9 +16,8 @@ kata-as-coco-runtime:
     setup: ["nydus"]
 
   # TEE (Trusted Execution Environment) shims configuration
-  # Only enable the shims we want to expose
+  # Only enable the shims we want to expose, explicitly disable all others
   shims:
-    disableAll: true
     qemu-tdx:
       enabled: true
       supportedArches:
@@ -46,6 +45,30 @@ kata-as-coco-runtime:
         httpsProxy: ""
         noProxy: ""
 
+    qemu-snp:
+      enabled: false
+
+    qemu-coco-dev-runtime-rs:
+      enabled: false
+
+    qemu-cca:
+      enabled: false
+
+    qemu-se:
+      enabled: false
+
+    qemu-se-runtime-rs:
+      enabled: false
+
+    qemu-nvidia-gpu:
+      enabled: false
+
+    qemu-nvidia-gpu-tdx:
+      enabled: false
+
+    qemu-nvidia-gpu-snp:
+      enabled: false
+
   # RuntimeClasses configuration
   runtimeClasses:
     enabled: true
diff --git a/values/kata-remote.yaml b/values/kata-remote.yaml
@@ -9,6 +9,39 @@ kata-as-coco-runtime:
   imagePullPolicy: Always
   k8sDistribution: k8s
 
-  # Disable all local shims - peer-pods uses the remote shim only
   shims:
-    disableAll: true
+    qemu-snp:
+      enabled: false
+
+    qemu-tdx:
+      enabled: false
+
+    qemu-se:
+      enabled: false
+
+    qemu-se-runtime-rs:
+      enabled: false
+
+    qemu-coco-dev:
+      enabled: false
+
+    qemu-coco-dev-runtime-rs:
+      enabled: false
+
+    clh:
+      enabled: false
+
+    cloud-hypervisor:
+      enabled: false
+
+    dragonball:
+      enabled: false
+
+    fc:
+      enabled: false
+
+    qemu:
+      enabled: false
+
+    qemu-runtime-rs:
+      enabled: false
diff --git a/values/kata-s390x.yaml b/values/kata-s390x.yaml
@@ -17,9 +17,8 @@ kata-as-coco-runtime:
     setup: ["nydus"]
 
   # TEE (Trusted Execution Environment) shims configuration
-  # Only enable the shims we want to expose
+  # Only enable the shims we want to expose, explicitly disable all others
   shims:
-    disableAll: true
     # Enabled shims - TEE shims we want to expose
     qemu-se:
       enabled: true
@@ -79,6 +78,25 @@ kata-as-coco-runtime:
         httpsProxy: ""
         noProxy: ""
 
+    # Kata runtimes that are not for TEE
+    clh:
+      enabled: false
+
+    cloud-hypervisor:
+      enabled: false
+
+    dragonball:
+      enabled: false
+
+    fc:
+      enabled: false
+
+    qemu:
+      enabled: false
+
+    qemu-runtime-rs:
+      enabled: false
+
   # RuntimeClasses configuration
   runtimeClasses:
     enabled: true
