Rebase upstream v0.14.0

.github/workflows/ccruntime_e2e.yaml

@@ -22,8 +22,8 @@ jobs:
         runtimeclass:
           - "kata-qemu"
         instance:
-          - "ubuntu-20.04"
           - "ubuntu-22.04"
+          - "ubuntu-24.04"
           - "s390x-large"
           - "tdx"
           - "sev-snp"

.github/workflows/docker-publish-latest-on-merge.yaml

@@ -61,10 +61,10 @@ jobs:
       # Build and push Docker image with Buildx
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
         with:
           context: .
           push: true
-          platforms: linux/amd64,linux/s390x,linux/arm64
+          platforms: linux/amd64,linux/s390x,linux/arm64,linux/ppc64le
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

.github/workflows/docker-publish-on-tag.yaml

@@ -58,10 +58,10 @@ jobs:
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
-          platforms: linux/amd64,linux/s390x,linux/arm64
+          platforms: linux/amd64,linux/s390x,linux/arm64,linux/ppc64le
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

.github/workflows/lib-codeql.yaml

@@ -25,11 +25,11 @@ jobs:
         check-latest: true
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@45775bd8235c68ba998cffa5171334d58593da47 # v3
+      uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3
       with:
         languages: 'go'
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@45775bd8235c68ba998cffa5171334d58593da47 # v3
+      uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3
       with:
         category: "/language:go"

config/mirror/README.md

@@ -0,0 +1,3 @@
+# Operator using Mirror of Alibaba Cloud
+
+For some users who may encounter the problem of being unable to access `quay.io` when deploying CoCo, this image mirror provided by Alibaba Cloud can be useful. This can greatly speed up the image pulling speed in some regions.

config/mirror/default/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../default
+
+images:
+- name: quay.io/confidential-containers/operator
+  newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-operator

config/mirror/release/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+bases:
+- ../../release
+
+images:
+- name: quay.io/confidential-containers/operator
+  newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-operator

config/mirror/samples/ccruntime/default/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../../samples/ccruntime/default
+
+images:
+- name: quay.io/confidential-containers/reqs-payload
+  newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-reqs-payload
+- name: quay.io/kata-containers/kata-deploy-ci
+  newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-kata-deploy-ci

config/mirror/samples/ccruntime/peer-pods/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ../../../../samples/ccruntime/peer-pods
+
+images:
+- name: quay.io/confidential-containers/reqs-payload
+  newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-reqs-payload
+- name: quay.io/kata-containers/kata-deploy-ci
+  newName: registry-cn-hangzhou.ack.aliyuncs.com/dev/coco-kata-deploy-ci

config/release/kustomization.yaml

@@ -4,4 +4,4 @@ resources:
 # newTag points to the latest release image and must be updated before tagging a new release
 images:
 - name: quay.io/confidential-containers/operator
-  newTag: v0.13.0
+  newTag: v0.14.0

config/samples/ccruntime/default/kustomization.yaml

@@ -8,10 +8,9 @@ resources:
 
 images:
 - name: quay.io/confidential-containers/reqs-payload
-  newTag: latest
+  newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9
 - name: quay.io/kata-containers/kata-deploy
-  newName: quay.io/kata-containers/kata-deploy-ci
-  newTag: kata-containers-latest
+  newTag: 3.17.0
 
 patches:
 - patch: |-

config/samples/ccruntime/peer-pods/kustomization.yaml

@@ -9,10 +9,9 @@ resources:
 
 images:
 - name: quay.io/confidential-containers/reqs-payload
-  newTag: latest
+  newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9
 - name: quay.io/kata-containers/kata-deploy
-  newName: quay.io/kata-containers/kata-deploy-ci
-  newTag: kata-containers-latest
+  newTag: 3.17.0
 
 
 patches:
@@ -33,6 +32,6 @@ patches:
         # containerd v1.7+ running.  If you know for sure that's not
         # the case, please, set this variable to `true`
         - name: "INSTALL_OFFICIAL_CONTAINERD"
-          value: "false"
+          value: "true"
   target:
     kind: CcRuntime

config/samples/ccruntime/s390x/kustomization.yaml

@@ -8,10 +8,9 @@ resources:
 
 images:
 - name: quay.io/confidential-containers/reqs-payload
-  newTag: latest
+  newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9
 - name: quay.io/kata-containers/kata-deploy
-  newName: quay.io/kata-containers/kata-deploy-ci
-  newTag: kata-containers-latest
+  newTag: 3.17.0
 
 patches:
 - patch: |-

config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml

@@ -9,7 +9,7 @@ spec:
       node.kubernetes.io/worker: ""
   config:
     installType: bundle
-    payloadImage: quay.io/confidential-containers/runtime-payload-ci:enclave-cc-HW-cc-kbc-latest
+    payloadImage: quay.io/confidential-containers/runtime-payload:enclave-cc-HW-cc-kbc-v0.11.0
     installDoneLabel:
       confidentialcontainers.org/enclave-cc: "true"
     uninstallDoneLabel:

config/samples/enclave-cc/hw/kustomization.yaml

@@ -8,4 +8,4 @@ nameSuffix: -sgx-mode-hw
 
 images:
 - name: quay.io/confidential-containers/reqs-payload
-  newTag: latest
+  newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9

config/samples/enclave-cc/sim/kustomization.yaml

@@ -4,7 +4,7 @@ resources:
 nameSuffix: -sgx-mode-sim
 
 images:
-- name: quay.io/confidential-containers/runtime-payload-ci
-  newTag: enclave-cc-SIM-sample-kbc-latest
+- name: quay.io/confidential-containers/runtime-payload
+  newTag: enclave-cc-SIM-sample-kbc-v0.11.0
 - name: quay.io/confidential-containers/reqs-payload
-  newTag: latest
+  newTag: 4ad2b8ea64b919d977b1d3fab488333283ea05d9

docs/INSTALL.md

@@ -18,6 +18,10 @@ export RELEASE_VERSION=<RELEASE_VERSION>
 kubectl apply -k "github.com/confidential-containers/operator/config/release?ref=${RELEASE_VERSION}"
 ```
 
+> [!TIP] 
+> Some regions may not be able to access the `quay.io` repository. You can use the following address after `-k`
+> `"github.com/confidential-containers/operator/config/mirror/release?ref=${RELEASE_VERSION}"`
+
 While also managing certain cluster-wide resources, the operator primarily deploys resources within the confidential-containers-system namespace.
 
 
@@ -96,6 +100,10 @@ desired [release tag](https://github.com/confidential-containers/operator/tags):
 kubectl apply -k github.com/confidential-containers/operator/config/samples/ccruntime/default?ref=${RELEASE_VERSION}
 ```
 
+> [!TIP] 
+> Some regions may not be able to access the `quay.io` repository. You can use the following address after `-k`
+> `"github.com/confidential-containers/operator/config/mirror/samples/ccruntime/default?ref=${RELEASE_VERSION}"`
+
 Wait until each pod has the `STATUS` as `Running`:
 
 ```
@@ -167,6 +175,15 @@ kubectl delete -k github.com/confidential-containers/operator/config/samples/ccr
 kubectl delete -k "github.com/confidential-containers/operator/config/release?ref=${RELEASE_VERSION}"
 ```
 
+## Troubleshooting
+Something not working? [Go here](https://confidentialcontainers.org/docs/troubleshooting/)
+
+
+## Next steps
+
+- [Take coco-dev, no confidential hardware required, for a spin](https://github.com/confidential-containers/confidential-containers/blob/main/guides/coco-dev.md)
+
+
 ## Advanced Topics
 
 - [How to install confidential containers with IBM Secure Execution](https://github.com/confidential-containers/confidential-containers/blob/main/guides/ibm-se.md)

docs/PEERPODS.md

@@ -75,6 +75,10 @@ stringData:
 kubectl create -k config/samples/ccruntime/peerpods
 ```
 
+> [!TIP] 
+> Some regions may not be able to access the `quay.io` repository. You can use the following path after `-k`
+> `config/mirror/samples/ccruntime/peerpods`
+
 ## Uninstalling Operator
 
 Ensure KUBECONFIG points to target Kubernetes cluster

install/pre-install-payload/payload.sh

@@ -11,7 +11,7 @@ official_containerd_repo=${official_containerd_repo:-"https://github.com/contain
 vfio_gpu_containerd_repo=${vfio_gpu_containerd_repo:-"https://github.com/confidential-containers/containerd"}
 nydus_snapshotter_repo=${nydus_snapshotter_repo:-"https://github.com/containerd/nydus-snapshotter"}
 extra_docker_manifest_flags="${extra_docker_manifest_flags:-}"
-archs=${pre_install_payload_archs:-"linux/amd64 linux/s390x linux/arm64"}
+archs=${pre_install_payload_archs:-"linux/amd64 linux/s390x linux/arm64 linux/ppc64le"}
 
 registry="${registry:-quay.io/confidential-containers/reqs-payload}"
 
@@ -29,6 +29,10 @@ function setup_env_for_arch() {
 			kernel_arch="aarch64"
 			golang_arch="arm64"
 			;;
+		"linux/ppc64le")
+			kernel_arch="powerpc"
+			golang_arch="ppc64le"
+			;;
 		*) echo "$1 is not supported" >/dev/stderr && exit 1 ;;
 	esac
 }