diff --git a/.github/workflows/ccruntime_e2e.yaml b/.github/workflows/ccruntime_e2e.yaml
index 4ac170e9..76d2eef4 100644
--- a/.github/workflows/ccruntime_e2e.yaml
+++ b/.github/workflows/ccruntime_e2e.yaml
@@ -22,8 +22,8 @@ jobs:
 runtimeclass:
 - "kata-qemu"
 instance:
- - "ubuntu-20.04"
 - "ubuntu-22.04"
+ - "ubuntu-24.04"
 - "s390x-large"
 - "tdx"
 - "sev-snp"
diff --git a/.github/workflows/docker-publish-latest-on-merge.yaml b/.github/workflows/docker-publish-latest-on-merge.yaml
index fc0dbc85..747b9d79 100644
--- a/.github/workflows/docker-publish-latest-on-merge.yaml
+++ b/.github/workflows/docker-publish-latest-on-merge.yaml
@@ -61,10 +61,10 @@ jobs:
 # Build and push Docker image with Buildx
 # https://github.com/docker/build-push-action
 - name: Build and push Docker image
- uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
 with:
 context: .
 push: true
- platforms: linux/amd64,linux/s390x,linux/arm64
+ platforms: linux/amd64,linux/s390x,linux/arm64,linux/ppc64le
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/docker-publish-on-tag.yaml b/.github/workflows/docker-publish-on-tag.yaml
index f1ac41a6..6eed0af2 100644
--- a/.github/workflows/docker-publish-on-tag.yaml
+++ b/.github/workflows/docker-publish-on-tag.yaml
@@ -58,10 +58,10 @@ jobs:
 # Build and push Docker image with Buildx (don't push on PR)
 # https://github.com/docker/build-push-action
 - name: Build and push Docker image
- uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
+ uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
 with:
 context: .
 push: ${{ github.event_name != 'pull_request' }}
- platforms: linux/amd64,linux/s390x,linux/arm64
+ platforms: linux/amd64,linux/s390x,linux/arm64,linux/ppc64le
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
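Review bot: `platforms:` in both publish workflows now adds `linux/ppc64le` (the same arch is appended to the `archs` default in install/pre-install-payload/payload.sh), yet the only matrix change in this commit is the `instance:` list of ccruntime_e2e.yaml, which swaps `ubuntu-20.04` for `ubuntu-24.04` and gains no ppc64le runner. Unless ppc64le is exercised by a workflow outside this diff, the new image variant is published with no test coverage in this repository, so a build-only or smoke job for it is worth adding alongside. The `# v6` comment beside the new build-push-action SHA records only the major version; writing the exact tag the SHA was resolved from (`# v6.<minor>.<patch>`, filled in from the upstream release) lets a reviewer verify the pin without resolving it, and the same applies to the codeql-action pins in lib-codeql.yaml.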
diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml
index e10d31b9..96f99efd 100644
--- a/.github/workflows/lib-codeql.yaml
+++ b/.github/workflows/lib-codeql.yaml
@@ -25,11 +25,11 @@ jobs:
 check-latest: true
 - name: Initialize CodeQL
- uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3
+ uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3
 with:
 languages: 'go'
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3
+ uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3
 with:
 category: "/language:go"
diff --git a/config/mirror/README.md b/config/mirror/README.md
new file mode 100644
index 00000000..d5c9329d
--- /dev/null
+++ b/config/mirror/README.md
@@ -0,0 +1,3 @@
+# Operator using Mirror of Alibaba Cloud
+
+For some users who may encounter the problem of being unable to access `quay.io` when deploying CoCo, this image mirror provided by Alibaba Cloud can be useful. This can greatly speed up the image pulling speed in some regions.
diff --git a/config/mirror/default/kustomization.yaml b/config/mirror/default/kustomization.yaml
new file mode 100644
index 00000000..a65d48ff
--- /dev/null
+++ b/config/mirror/default/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../default
+
+images:
+- name: quay.io/confidential-containers/operator
+ newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-operator
\ No newline at end of file
diff --git a/config/mirror/release/kustomization.yaml b/config/mirror/release/kustomization.yaml
new file mode 100644
index 00000000..3bc6ed0e
--- /dev/null
+++ b/config/mirror/release/kustomization.yaml
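Review bot: The new mirror overlay retargets `quay.io/confidential-containers/operator` to `registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-operator` by name only, so the tag is inherited from the base and nothing ties the image served by the third-party mirror to the upstream one; adding `digest: sha256:<digest-of-the-quay-image>` under that entry makes kustomize pin the exact content and would surface a mirror that serves something else. The same applies to config/mirror/release/kustomization.yaml and to the two sample overlays under config/mirror/samples/ccruntime. `bases:` is deprecated in kustomize, and the sample overlays in this same commit already use `resources:`, so `resources:` followed by `- ../../default` keeps the four new files consistent and avoids the deprecation warning. Each new kustomization also ends without a trailing newline (`\ No newline at end of file`).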
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../release
+
+images:
+- name: quay.io/confidential-containers/operator
+ newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-operator
\ No newline at end of file
diff --git a/config/mirror/samples/ccruntime/default/kustomization.yaml b/config/mirror/samples/ccruntime/default/kustomization.yaml
new file mode 100644
index 00000000..18c62e58
--- /dev/null
+++ b/config/mirror/samples/ccruntime/default/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../../samples/ccruntime/default
+
+images:
+- name: quay.io/confidential-containers/reqs-payload
+ newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-reqs-payload
+- name: quay.io/kata-containers/kata-deploy-ci
+ newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-kata-deploy-ci
\ No newline at end of file
diff --git a/config/mirror/samples/ccruntime/peer-pods/kustomization.yaml b/config/mirror/samples/ccruntime/peer-pods/kustomization.yaml
new file mode 100644
index 00000000..c5fc8e57
--- /dev/null
+++ b/config/mirror/samples/ccruntime/peer-pods/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../../samples/ccruntime/peer-pods
+
+images:
+- name: quay.io/confidential-containers/reqs-payload
+ newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-reqs-payload
+- name: quay.io/kata-containers/kata-deploy-ci
+ newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-kata-deploy-ci
\ No newline at end of file
diff --git a/config/release/kustomization.yaml b/config/release/kustomization.yaml
index e548d009..019d9663 100644
--- a/config/release/kustomization.yaml
+++ b/config/release/kustomization.yaml
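Review bot: The second `images` entry in both new sample overlays matches `quay.io/kata-containers/kata-deploy-ci`, but the bases they include (config/samples/ccruntime/default and peer-pods) drop `newName: quay.io/kata-containers/kata-deploy-ci` in this same commit and now render `quay.io/kata-containers/kata-deploy:3.17.0`, so the rule never fires and kata-deploy keeps being pulled from quay.io, unless the base resources reference kata-deploy-ci directly. The entry should become `- name: quay.io/kata-containers/kata-deploy` with a `newName` that points at a mirror repository holding that image. Separately, the tip added to docs/PEERPODS.md names `config/mirror/samples/ccruntime/peerpods` while the directory created here is `config/mirror/samples/ccruntime/peer-pods`, so `kubectl create -k` of the documented path cannot resolve.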
@@ -4,4 +4,4 @@ resources:
 # newTag points to the latest release image and must be updated before tagging a new release
 images:
 - name: quay.io/confidential-containers/operator
- newTag: v0.13.0
+ newTag: v0.14.0
diff --git a/config/samples/ccruntime/default/kustomization.yaml b/config/samples/ccruntime/default/kustomization.yaml
index 197946c9..e6d13907 100644
--- a/config/samples/ccruntime/default/kustomization.yaml
+++ b/config/samples/ccruntime/default/kustomization.yaml
@@ -8,10 +8,9 @@ resources:
 images:
 - name: quay.io/confidential-containers/reqs-payload
- newTag: latest
+ newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9
 - name: quay.io/kata-containers/kata-deploy
- newName: quay.io/kata-containers/kata-deploy-ci
- newTag: kata-containers-latest
+ newTag: 3.17.0
 patches:
 - patch: |-
diff --git a/config/samples/ccruntime/peer-pods/kustomization.yaml b/config/samples/ccruntime/peer-pods/kustomization.yaml
index fc8dc7ae..abbc0c7b 100644
--- a/config/samples/ccruntime/peer-pods/kustomization.yaml
+++ b/config/samples/ccruntime/peer-pods/kustomization.yaml
@@ -9,10 +9,9 @@ resources:
 images:
 - name: quay.io/confidential-containers/reqs-payload
- newTag: latest
+ newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9
 - name: quay.io/kata-containers/kata-deploy
- newName: quay.io/kata-containers/kata-deploy-ci
- newTag: kata-containers-latest
+ newTag: 3.17.0
 patches:
@@ -33,6 +32,6 @@ patches:
 # containerd v1.7+ running. If you know for sure that's not
 # the case, please, set this variable to `true`
 - name: "INSTALL_OFFICIAL_CONTAINERD"
- value: "false"
+ value: "true"
 target:
 kind: CcRuntime
diff --git a/config/samples/ccruntime/s390x/kustomization.yaml b/config/samples/ccruntime/s390x/kustomization.yaml
index 046a8a54..099b9a49 100644
--- a/config/samples/ccruntime/s390x/kustomization.yaml
+++ b/config/samples/ccruntime/s390x/kustomization.yaml
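Review bot: Flipping `INSTALL_OFFICIAL_CONTAINERD` to `"true"` in the peer-pods sample leaves the comment directly above it describing the old default: it still ends with `# the case, please, set this variable to `true``, which now tells the reader to set the value the sample already carries. The comment starts outside the hunk; its tail should be rewritten to say that the official containerd is installed by default and that `"false"` is the value to choose when the cluster is known to run containerd v1.7+ already. The default and s390x samples in this diff do not show this variable, so whether they are meant to keep the other default cannot be told from here.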
@@ -8,10 +8,9 @@ resources:
 images:
 - name: quay.io/confidential-containers/reqs-payload
- newTag: latest
+ newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9
 - name: quay.io/kata-containers/kata-deploy
- newName: quay.io/kata-containers/kata-deploy-ci
- newTag: kata-containers-latest
+ newTag: 3.17.0
 patches:
 - patch: |-
diff --git a/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml b/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml
index 396cace3..b7225e03 100644
--- a/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml
+++ b/config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml
@@ -9,7 +9,7 @@ spec:
 node.kubernetes.io/worker: ""
 config:
 installType: bundle
- payloadImage: quay.io/confidential-containers/runtime-payload-ci:enclave-cc-HW-cc-kbc-latest
+ payloadImage: quay.io/confidential-containers/runtime-payload:enclave-cc-HW-cc-kbc-v0.11.0
 installDoneLabel:
 confidentialcontainers.org/enclave-cc: "true"
 uninstallDoneLabel:
diff --git a/config/samples/enclave-cc/hw/kustomization.yaml b/config/samples/enclave-cc/hw/kustomization.yaml
index 3e0608d5..d52377f3 100644
--- a/config/samples/enclave-cc/hw/kustomization.yaml
+++ b/config/samples/enclave-cc/hw/kustomization.yaml
@@ -8,4 +8,4 @@ nameSuffix: -sgx-mode-hw
 images:
 - name: quay.io/confidential-containers/reqs-payload
- newTag: latest
+ newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9
diff --git a/config/samples/enclave-cc/sim/kustomization.yaml b/config/samples/enclave-cc/sim/kustomization.yaml
index 4b58e1ad..c02d9f57 100644
--- a/config/samples/enclave-cc/sim/kustomization.yaml
+++ b/config/samples/enclave-cc/sim/kustomization.yaml
@@ -4,7 +4,7 @@ resources:
 nameSuffix: -sgx-mode-sim
 images:
-- name: quay.io/confidential-containers/runtime-payload-ci
- newTag: enclave-cc-SIM-sample-kbc-latest
+- name: quay.io/confidential-containers/runtime-payload
+ newTag: enclave-cc-SIM-sample-kbc-v0.11.0
 - name: quay.io/confidential-containers/reqs-payload
- newTag: latest
+ newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9
diff --git a/docs/INSTALL.md b/docs/INSTALL.md
index 4ef190e9..d885395b 100644
--- a/docs/INSTALL.md
+++ b/docs/INSTALL.md
@@ -18,6 +18,10 @@ export RELEASE_VERSION=
 kubectl apply -k "github.com/confidential-containers/operator/config/release?ref=${RELEASE_VERSION}"
 ```
+> [!TIP]
+> Some regions may not be able to access the `quay.io` repository. You can use the following address after `-k`
+> `"github.com/confidential-containers/operator/config/mirror/release?ref=${RELEASE_VERSION}"`
+
 While also managing certain cluster-wide resources, the operator primarily deploys resources within the confidential-containers-system namespace.
@@ -96,6 +100,10 @@ desired [release tag](https://github.com/confidential-containers/operator/tags):
 kubectl apply -k github.com/confidential-containers/operator/config/samples/ccruntime/default?ref=${RELEASE_VERSION}
 ```
+> [!TIP]
+> Some regions may not be able to access the `quay.io` repository. You can use the following address after `-k`
+> `"github.com/confidential-containers/operator/config/mirror/samples/ccruntime/default?ref=${RELEASE_VERSION}"`
+
 Wait until each pod has the `STATUS` as `Running`:
 ```
@@ -167,6 +175,15 @@ kubectl delete -k github.com/confidential-containers/operator/config/samples/ccr
 kubectl delete -k "github.com/confidential-containers/operator/config/release?ref=${RELEASE_VERSION}"
 ```
+## Troubleshooting
+Something not working? [Go here](https://confidentialcontainers.org/docs/troubleshooting/)
+
+
+## Next steps
+
+- [Take coco-dev, no confidential hardware required, for a spin](https://github.com/confidential-containers/confidential-containers/blob/main/guides/coco-dev.md)
+
+
 ## Advanced Topics
 - [How to install confidential containers with IBM Secure Execution](https://github.com/confidential-containers/confidential-containers/blob/main/guides/ibm-se.md)
diff --git a/docs/PEERPODS.md b/docs/PEERPODS.md
index 0584a461..538e4e8e 100644
--- a/docs/PEERPODS.md
+++ b/docs/PEERPODS.md
@@ -75,6 +75,10 @@ stringData:
 kubectl create -k config/samples/ccruntime/peerpods
 ```
+> [!TIP]
+> Some regions may not be able to access the `quay.io` repository. You can use the following path after `-k`
+> `config/mirror/samples/ccruntime/peerpods`
+
 ## Uninstalling Operator
 Ensure KUBECONFIG points to target Kubernetes cluster
diff --git a/install/pre-install-payload/payload.sh b/install/pre-install-payload/payload.sh
index f0f0a9f7..790954ec 100755
--- a/install/pre-install-payload/payload.sh
+++ b/install/pre-install-payload/payload.sh
@@ -11,7 +11,7 @@ official_containerd_repo=${official_containerd_repo:-"https://github.com/contain
 vfio_gpu_containerd_repo=${vfio_gpu_containerd_repo:-"https://github.com/confidential-containers/containerd"}
 nydus_snapshotter_repo=${nydus_snapshotter_repo:-"https://github.com/containerd/nydus-snapshotter"}
 extra_docker_manifest_flags="${extra_docker_manifest_flags:-}"
-archs=${pre_install_payload_archs:-"linux/amd64 linux/s390x linux/arm64"}
+archs=${pre_install_payload_archs:-"linux/amd64 linux/s390x linux/arm64 linux/ppc64le"}
 registry="${registry:-quay.io/confidential-containers/reqs-payload}"
@@ -29,6 +29,10 @@ function setup_env_for_arch() {
 kernel_arch="aarch64"
 golang_arch="arm64"
 ;;
+ "linux/ppc64le")
+ kernel_arch="powerpc"
+ golang_arch="ppc64le"
+ ;;
 *) echo "$1 is not supported" >/dev/stderr && exit 1 ;;
 esac
 }