kata container upgrade to 3.17.0 and operator upgrade to 0.14.0 (#136)

Signed-off-by: Kumar, Anand <anand.kumar@intel.com>

Author: kumara1-intel

REUSE.toml

@@ -7,7 +7,6 @@ path = [
     ".gitleaksignore",
     "trivy.yaml",
     "ci/**",
-    "trusted-vm/config-6.12.8-142",
     "attestation-verifier/src/upgrades/manifest/supported_versions",
     "attestation-verifier/src/upgrades/tagent/config/v5.0.0_config.tmpl",
     "**.md",

helm/attestation-manager/templates/cleanup-job.yaml

@@ -3,7 +3,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: cleanup-job-am
-  namespace: {{ .Release.Namespace }}  
+  namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": post-delete
     "helm.sh/hook-delete-policy": hook-succeeded

helm/trustagent/charts/factory/templates/_job.tpl

@@ -32,7 +32,7 @@ spec:
             - name: URL
               value: https://{{ .Values.dependentServices.aas }}.{{ .Release.Namespace }}.svc.cluster.local:{{ .Values.service.aas.containerPort }}/aas/v1/version
             - name: VERSION
-              value: {{.Chart.AppVersion }}         
+              value: {{.Chart.AppVersion }}
             - name: DEPENDENT_SERVICE_NAME
               value: {{ .Values.dependentServices.aas }}
             - name: COMPONENT

helm/trustagent/values.yaml

@@ -57,7 +57,7 @@ config:
     /opt/kata/bin/qemu-system-x86_64
     /opt/kata/libexec/virtiofsd
     /opt/kata/share/defaults/kata-containers/configuration-qemu.toml
-    /opt/kata/share/kata-containers/vmlinuz-6.12.20-1.emt3
+    /opt/kata/share/kata-containers/vmlinuz-6.12.33-1.emt3
     /opt/kata/share/kata-containers/trusted-vm.img
     /opt/kata/share/kata-qemu/qemu/bios-256k.bin
     /opt/kata/share/kata-qemu/qemu/efi-virtio.rom

helm/trusted-workload/charts/cc-operator/templates/cc-operator-deployment.yaml

@@ -6650,7 +6650,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: quay.io/confidential-containers/operator:v0.13.0
+        image: quay.io/confidential-containers/operator:v0.14.0
         livenessProbe:
           httpGet:
             path: /healthz

helm/trusted-workload/charts/cc-operator/tests/cc-operator-deployment_test.yaml

@@ -338,7 +338,7 @@ tests:
             value: metadata.namespace
         - equal:
             path: spec.template.spec.containers[0].image
-            value: quay.io/confidential-containers/operator:v0.13.0
+            value: quay.io/confidential-containers/operator:v0.14.0
         - equal:
             path: spec.template.spec.containers[0].livenessProbe.httpGet.path
             value: /healthz

trusted-vm/Makefile

@@ -12,7 +12,7 @@ EDGE_MICROVISOR_COMMIT?="3.0.20250411"
 EDGE_MICROVISOR_SRC_DIR=$(BUILD_DIR)/microvisor_src
 
 KATA_CONTAINERS_SRC=https://github.com/kata-containers/kata-containers.git
-KATA_CONTAINERS_TAG?=3.15.0
+KATA_CONTAINERS_TAG?=3.17.0
 KATA_CONTAINERS_SRC_DIR=$(BUILD_DIR)/kata_src
 
 MAKEFILE_DIR := $(dir $(realpath $(firstword $(MAKEFILE_LIST))))

trusted-vm/tvm-agent/tvm_agent_build.sh

@@ -11,7 +11,7 @@ TVM_AGENT_BUILD_DIR="${PWD}"
 KATA_CONTAINER_DIR="${TVM_AGENT_BUILD_DIR}/kata-containers"
 
 KATA_CONTAINER_GIT_URL="https://github.com/kata-containers/kata-containers.git"
-KATA_CONTAINER_GIT_BRANCH="3.15.0"
+KATA_CONTAINER_GIT_BRANCH="3.17.0"
 
 DOCKER_IMAGE="ubuntu:24.04"
 TVM_AGENT_CLEAN_AFTER_BUILD="yes"

trusted-workload/kata-deploy/patch/3.17.0/0001-Necessary-changes-to-support-kata-deploy-image-for-t.patch

@@ -0,0 +1,105 @@
+From 872bd7a7aceb7ef83ee23e93fa6ff7cf440f5c80 Mon Sep 17 00:00:00 2001
+From: "Jena, Satyabrata" <satyabrata.jena@intel.com>
+Date: Tue, 8 Apr 2025 04:01:30 +0000
+Subject: [PATCH] Necessary changes to support kata-deploy image for
+ trusted-workload.
+
+Signed-off-by: Jena, Satyabrata <satyabrata.jena@intel.com>
+---
+ .../kata-deploy/scripts/kata-deploy.sh        | 30 +++++++++++--------
+ 1 file changed, 17 insertions(+), 13 deletions(-)
+
+diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+index e765c0d3f..ff8600a93 100755
+--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
++++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+@@ -1,8 +1,7 @@
+ #!/usr/bin/env bash
+-# Copyright (c) 2019 Intel Corporation
+-#
+-# SPDX-License-Identifier: Apache-2.0
+ #
++# Copyright (C) 2025 Intel Corporation
++# SPDX-License-Identifier: BSD-3-Clause
+ 
+ set -o errexit
+ set -o pipefail
+@@ -509,8 +508,9 @@ function configure_cri_runtime() {
+ 	elif [ "$1" == "microk8s" ]; then
+ 		host_systemctl restart snap.microk8s.daemon-containerd.service
+ 	else
+-		host_systemctl daemon-reload
+-		host_systemctl restart "$1"
++		#host_systemctl daemon-reload
++		#host_systemctl restart "$1"
++		echo "configure_cri_runtime"
+ 	fi
+ 
+ 	wait_till_node_is_ready
+@@ -697,8 +697,9 @@ function restart_cri_runtime() {
+ 	elif [ "$1" == "microk8s" ]; then
+ 		host_systemctl restart snap.microk8s.daemon-containerd.service
+ 	else
+-		host_systemctl daemon-reload
+-		host_systemctl restart "${runtime}"
++		#host_systemctl daemon-reload
++		#host_systemctl restart "${runtime}"
++		echo "restart_cri_runtime"
+ 	fi
+ }
+ 
+@@ -715,7 +716,7 @@ function cleanup_cri_runtime() {
+ 	[ "${HELM_POST_DELETE_HOOK}" == "false" ] && return
+ 
+ 	# Only run this code in the HELM_POST_DELETE_HOOK
+-	restart_cri_runtime "$1"
++	#restart_cri_runtime "$1"
+ }
+ 
+ function cleanup_crio() {
+@@ -742,10 +743,11 @@ function cleanup_containerd() {
+ 
+ function reset_runtime() {
+ 	kubectl label node "$NODE_NAME" katacontainers.io/kata-runtime-
+-	restart_cri_runtime "$1"
++	#restart_cri_runtime "$1"
+ 
+ 	if [ "$1" == "crio" ] || [ "$1" == "containerd" ]; then
+-		host_systemctl restart kubelet
++		#host_systemctl restart kubelet
++		echo "reset_runtime"
+ 	fi
+ 
+ 	wait_till_node_is_ready
+@@ -891,7 +893,7 @@ function main() {
+ 			fi
+ 
+ 			install_artifacts
+-			configure_cri_runtime "$runtime"
++			#configure_cri_runtime "$runtime"
+ 			kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true
+ 			;;
+ 		cleanup)
+@@ -913,7 +915,9 @@ function main() {
+ 				fi
+ 			fi
+ 
+-			cleanup_cri_runtime "$runtime"
++			#cleanup_cri_runtime "$runtime"
++
++
+ 			if [ "${HELM_POST_DELETE_HOOK}" == "false" ]; then
+ 				# If we still have any other installation here, it means we'll break them
+ 				# removing the label, so we just don't do it.
+@@ -923,7 +927,7 @@ function main() {
+ 				fi
+ 			fi
+ 			remove_artifacts
+-
++			kubectl label node "$NODE_NAME" confidentialcontainers.org/startuninstall-
+ 			if [ "${HELM_POST_DELETE_HOOK}" == "true" ]; then
+ 				# After everything was cleaned up, there's no reason to continue
+ 				# and sleep forever.  Let's just return success..
+-- 
+2.34.1
+

trusted-workload/kata-deploy/patch/3.17.0/0002-remove-excutable-permission-for-binaries.patch

@@ -0,0 +1,26 @@
+From 5450d3b2103a0f6a3f27235f0c76761c1c257089 Mon Sep 17 00:00:00 2001
+From: "Kumar, Anand" <anand.kumar@intel.com>
+Date: Wed, 21 May 2025 07:22:01 +0000
+Subject: [PATCH] remove excutable permission for binaries
+
+Signed-off-by: Kumar, Anand <anand.kumar@intel.com>
+---
+ tools/packaging/kata-deploy/scripts/kata-deploy.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/packaging/kata-deploy/scripts/kata-deploy.sh b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+index ff8600a93..4bfdde18e 100755
+--- a/tools/packaging/kata-deploy/scripts/kata-deploy.sh
++++ b/tools/packaging/kata-deploy/scripts/kata-deploy.sh
+@@ -386,7 +386,7 @@ function install_artifacts() {
+ 
+ 	mkdir -p ${host_install_dir}
+ 	cp -au /opt/kata-artifacts/opt/kata/* ${host_install_dir}/
+-	chmod +x ${host_install_dir}/bin/*
++	#chmod +x ${host_install_dir}/bin/*
+ 	[ -d ${host_install_dir}/runtime-rs/bin ] && \
+ 		chmod +x ${host_install_dir}/runtime-rs/bin/*
+ 
+-- 
+2.34.1
+