Sync upstream (4b9dcf24) — needs conflict resolution#51
Open
cloud-api-adaptor-upstream-sync[bot] wants to merge 87 commits into
Open
Sync upstream (4b9dcf24) — needs conflict resolution#51cloud-api-adaptor-upstream-sync[bot] wants to merge 87 commits into
cloud-api-adaptor-upstream-sync[bot] wants to merge 87 commits into
Conversation
Move the cluster provisioning to BYOM to remove the dependency on the deprecated Docker provider. Signed-off-by: Amulyam24 <amulmek1@in.ibm.com>
This commit adds extensive unit test coverage for the libvirt cloud provider, while preserving all existing tests from the main branch. New unit tests added (using mocks): - TestGetGuestForArchType (6 subtests) - TestLookupMachine (5 subtests) - TestGetCanonicalMachineName (7 subtests) - TestCreateCloudInitISO (3 subtests) - TestGetLaunchSecurityTypeInvalidURI - TestCreateDomainXMLs390xWithMocks (mock-based unit test) - TestCreateDomainXMLaarch64WithMocks (mock-based unit test) - TestCreateDomainXMLx86_64 (3 subtests) - TestCreateDomainXML (3 subtests) - TestVerifyDomainXMLIOMMU (4 subtests) - Combined TestCreateDomainXMLs390x and TestCreateDomainXMLaarch64 into TestCreateDomainXMLArchitectures - Combined TestCreateDomainXMLs390xWithMocks and TestCreateDomainXMLaarch64WithMocks into TestCreateDomainXMLArchitecturesWithMocks - Improves code maintainability and reduces duplication Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
- Refactor TestCloudInit to use verifyISOContents helper and tabular format - Combined TestCreateCloudInitWithEmptyData, TestCreateCloudInitWithLargeData, TestCreateCloudInitWithSpecialCharacters, and TestCreateCloudInitVerifyVendorData into TestCreateCloudInitVariations - Add TestCreateCloudInitErrorHandling for boundary condition testing - All tests now use verifyISOContents helper for consistent ISO validation - Improves code maintainability and reduces duplication Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
- Add tests for Manager.ParseCmd() flag registration - Add tests for Manager configuration with values - Add tests for Manager.LoadEnv() and GetConfig() - Add tests for Manager.NewProvider() with valid/invalid configs - Add tests for default constants validation - Add tests for launch security, firmware, and data directory configuration - Covers all Manager initialization and configuration scenarios Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.29 to 1.7.32. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v1.7.29...v1.7.32) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-version: 1.7.32 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Now that agent-ctl tags based on sha, we can switch to use the main kata-containers version, rather than having a separate one. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bump components to match the kata 3.31.0 release Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update to pick up the 3.31.0 release Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Pin kata-deploy to the 3.31.0 version in prep of the 0.21.0 release Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.3 to 0.5.6. - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](zizmorcore/zizmor-action@b1d7e1f...5f14fd0) --- updated-dependencies: - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bump the go module to remediate CVEs: - GO-2026-5026 - GO-2026-4883 Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bump the go module to remediate CVEs: - GO-2026-5013 - GO-2026-5017 - GO-2026-5018 - GO-2026-5019 - GO-2026-5020 Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update the helm charts with the latest image of CAA Signed-off-by: stevenhorsman <steven@uk.ibm.com>
But the appVersion to 0.21 to match the release and bump the version in peer-pods, peerpod-ctrl and webhook Signed-off-by: stevenhorsman <steven@uk.ibm.com>
The `kubectl apply` of the cert-manager manifest occasionally fails with an etcd timeout: ``` Error from server: error when creating ".../cert-manager.yaml": etcdserver: request timed out. ``` The manifest creates a large batch of resources (6 CRDs, RBAC, deployments, webhook configs) in a single apply, and individual writes can occasionally exceed the API server's request timeout under transient cluster load. Wrap the apply in a retry loop (3 attempts, 10s backoff). `kubectl apply` is idempotent, so retrying after a partial failure simply creates the missing resources without disturbing the ones already applied. On the observed failing run, everything except (likely) the last webhook config got created, and the retry will fill in the gap. For `kubectl wait`, the Endpoints object isn't created by the cert-manager manifest directly. It's created by the kube-controller-manager's endpoints controller after the Service is created and once matching pods exist. Right after `kubectl apply` returns, there's a brief window where the Service exists but its Endpoints object hasn't been populated yet. The apply just finished, so `kubectl wait` raced ahead of the controller. Assisted-by: IBM Bob Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
The podvm-ubuntu-mkosi job calls podvm_mkosi_ubuntu.yaml which requires artifact-metadata: write permission for the actions/attest@v4.1.0 action to write attestation metadata. Without this permission, the workflow fails with "The nested job 'build-image' is requesting 'artifact-metadata: write', but is only allowed 'artifact-metadata: none'." This matches the permission already granted to the podvm-mkosi job on line 84. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Also added MKOSI_VERSION environment variable to image build steps in both podvm_mkosi.yaml and podvm_mkosi_ubuntu.yaml workflows to ensure the mkosi version from versions.yaml is explicitly passed to make commands, maintaining consistency with the binaries build step. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
The image target was calling mkosi with '--image system' argument which is not supported in mkosi v26, causing build failures with: "mkosi: error: argument verb: invalid Verb value: 'system'" This argument was a remnant from mkosi v22 that wasn't removed during the v26 upgrade. The image-debug and image-sftp targets were already correct, so this change aligns the image target with them. Fixes the s390x production image builds. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
The cross-build script was failing on ARM64 native builds because it compared ARCH=arm64 with uname -m=aarch64, which didn't match, causing it to incorrectly attempt cross-compilation and fail with: "E: Unable to locate package qemu-system-aarch64" Added replacement pattern to handle this Co-authored-by: Magnus Kulke <magnuskulke@microsoft.com> Signed-off-by: stevenhorsman <steven@uk.ibm.com> Generated-By: IBM Bob
Implement IRSA support for the AWS provider to enable workload identity authentication on EKS, eliminating the need for static credentials stored in Kubernetes secrets. NewEC2Client now supports three authentication methods: 1. Static credentials (AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY) 2. Shared AWS profile (AWS_PROFILE, currently, only non-containerized CAA binary execution is supported) 3. Default credential chain (for IRSA support) The default credential chain automatically supports IRSA via AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN Entrypoint validation updated to accept either: - Both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY (static credentials) - AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN (IRSA) Fixes: confidential-containers#3027 Signed-off-by: Snir Schreiber <ssheribe@redhat.com> Assisted-by: Claude AI
Add unit tests to verify the two authentication paths in NewEC2Client: 1. Static credentials (AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY) 2. Default credential chain (IRSA, IMDS, environment variables, etc.) Tests cover: - Static credentials path with both access key and secret key - Default credential chain path when no static credentials provided - Partial credentials (only access key) falls through to default chain Assisted-by: Claude AI Signed-off-by: Snir Schreiber <ssheribe@redhat.com>
Added comprehensive guide for configuring IRSA with cloud-api-adaptor and peerpod-ctrl on Amazon EKS. The guide covers: - IAM trust policy configuration - Kubernetes service account annotations - Deployment configuration examples - Troubleshooting steps Assisted-by: Claude AI Signed-off-by: Snir Schreiber <ssheribe@redhat.com>
It looks like when the arm "support" for podvm builds was added, it wasn't updated to use the native arm runner, so update this, for simpler workflows Signed-off-by: stevenhorsman <steven@uk.ibm.com>
In case we want to support cross-compilation in future e.g. for local dev, fix up the logic. The cross-build script was using architecture names directly as QEMU package names, but Debian/Ubuntu package names don't always match: - x86_64 → qemu-system-x86 (not qemu-system-x86_64) - aarch64 → qemu-system-arm (not qemu-system-aarch64) - s390x → qemu-system-s390x (matches) Added architecture-to-package mapping for Debian/Ubuntu systems to use correct package names. Package names verified against Ubuntu 24.04. Signed-off-by: stevenhorsman <steven@uk.ibm.com> Assisted-by: IBM Bob
As we are doing a 0.21.1 release, we should update the charts to match this version. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This reverts commit a1633eb. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This reverts commit 02bb592. Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Update the CITATION.cff for the 0.21.1 release Signed-off-by: stevenhorsman <steven@uk.ibm.com>
debian:trixie-slim ships without CA certificates. The dev build got them transitively via openssh-client, but the release build only installed iptables, causing Go TLS verification to fail against ec2.<region>.amazonaws.com with x509: certificate signed by unknown authority. Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>
Bumps [actions/stale](https://github.com/actions/stale) from 10.2.0 to 10.3.0. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@b5d41d4...eb5cf3a) --- updated-dependencies: - dependency-name: actions/stale dependency-version: 10.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Update documentation to reflect removal of packer-based builds and replace packer build instructions with mkosi-based instructions Generated-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Azure is using mkosi image now, so update the old log trace Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bumps the libvirt group with 2 updates in the /src/cloud-api-adaptor directory: [libvirt.org/go/libvirt](https://gitlab.com/libvirt/libvirt-go-module) and [libvirt.org/go/libvirtxml](https://gitlab.com/libvirt/libvirt-go-xml-module). Bumps the libvirt group with 2 updates in the /src/cloud-providers directory: [libvirt.org/go/libvirt](https://gitlab.com/libvirt/libvirt-go-module) and [libvirt.org/go/libvirtxml](https://gitlab.com/libvirt/libvirt-go-xml-module). Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0) Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0) Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0) Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0) Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0) Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0) Updates `libvirt.org/go/libvirt` from 1.11010.0 to 1.12003.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-module/compare/v1.11010.0...v1.12003.0) Updates `libvirt.org/go/libvirtxml` from 1.11010.0 to 1.12002.0 - [Commits](https://gitlab.com/libvirt/libvirt-go-xml-module/compare/v1.11010.0...v1.12002.0) --- updated-dependencies: - dependency-name: libvirt.org/go/libvirt dependency-version: 1.12003.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: libvirt - dependency-name: libvirt.org/go/libvirt dependency-version: 1.12003.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: libvirt - dependency-name: libvirt.org/go/libvirtxml dependency-version: 1.12002.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: libvirt - dependency-name: libvirt.org/go/libvirtxml dependency-version: 1.12002.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: libvirt ... Signed-off-by: dependabot[bot] <support@github.com>
Set zizmor-action to have `advanced-security: false`, so it will not upload results to Advanced Security, and will instead print them to the console for job reporting. Also turn on zizmor github annotations to try and highlight any issues in code being actively updated. Drive-by: bump runner to ubuntu-24.04 to stay more up-to-date Signed-off-by: stevenhorsman <steven@uk.ibm.com>
At least for amd64 and arm64 artifacts we should make sure that the builds weren't done on self-hosted runners. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
Bump go version and dockerfiles to resolve CVEs: - GO-2026-5037 - GO-2026-5038 - GO-2026-5039 Assisted-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
The workflows are dead code. azure e2e tests will have to be rebuilt based on existing libvirt and aws ci machinery. Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
…l-containers#3132) * refactor: merge podvm mkosi tree --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Implements comprehensive yet focused unit tests for the libvirt provider implementation with emphasis on maintainability and clarity. Test coverage includes: - Provider initialization with various configurations - IP address handling (multiple, empty, nil) - Instance creation with custom specs and launch security - Instance deletion with error cases (empty ID) - Configuration validation for all required fields - Cloud config generation error handling Tests covered: - TestNewProvider: Provider creation with invalid URI - TestGetIPs: IP address retrieval scenarios - TestDeleteInstanceEmptyID: Empty instanceID validation - TestCreateInstanceCloudConfigError: Cloud config error handling - TestProviderConfigVerifier: Configuration validation - TestTeardown: Provider cleanup All tests are unit tests that run without requiring libvirt environment, ensuring consistent test coverage across all environments. Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob <noreply@ibm.com>
Enable virtio-balloon for s390x by changing MemBalloon Model from "none" to "virtio" with IOMMU driver support. This matches the aarch64 implementation and brings s390x to feature parity with other architectures. The virtio-balloon driver is architecture-independent and s390x's virtio-ccw transport supports all virtio devices. IOMMU is required for s390x virtio devices. This enables dynamic memory reclamation from peer pod VMs, improving resource utilization on s390x hosts. Assisted-by: IBM Bob <noreply@ibm.com> Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
Implements transparent block volume support for confidential containers running as Peer Pods. The CSI block driver writes volume metadata (mountInfo.json) that the cloud-api-adaptor reads at pod creation time. Volumes are attached as managed disks to the PodVM and detected inside the guest by probing provider-specific device paths with a sysfs HCTL fallback. Signed-off-by: Mohammed Adnan <muhammedadnan50007@gmail.com>
Move inputs.podvm_image to PODVM_IMAGE environment variable to prevent code injection. Also add quotes around PODVM_IMAGE variable to fix shellcheck SC2086. Remove template expansion from line 188 to prevent code injection. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Move template expressions to environment variables to prevent code injection. Changes: - inputs.registry → REGISTRY (line 170) - inputs.arch → ARCH (line 174) - inputs.image_tag → IMAGE_TAG (lines 179, 180) Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Fix template injection in three more workflows: - azure-e2e-test.yml:159 - Move matrix.parameters.jitter to JITTER env var - build.yaml:57 - Move matrix.type to BUILD_TYPE env var - test-images.yaml:60 - Move matrix.targets to MATRIX_TARGET env var These changes prevent code injection via template expansion by moving untrusted inputs to environment variables instead of inline expansion. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Fix workflow security issues identified by zizmor scan: 1. Added job names to 7 workflows (Notices) - actionlint.yaml: run-actionlint job - build.yaml: webhook and cloud-provider jobs - e2e_on_pull.yaml: authorize job - e2e_run_all.yaml: libvirt_e2e_arch_prep job - podvm_smoketest.yaml: build and test jobs - test-images.yaml: list-dockerfiles job 2. Added concurrency limits to 4 workflows (Warnings) - podvm_mkosi.yaml - podvm_smoketest.yaml - scorecard.yaml - test-images.yaml 3. Added explanatory comments for permissions in 13 instances (Warnings) - daily-e2e-tests.yaml - e2e_on_pull.yaml - e2e_run_all.yaml (4 instances) - lib-codeql.yaml - lint.yaml - podvm_publish.yaml - publish_images_on_push.yaml (2 instances) - release.yaml (2 instances) - scorecard.yaml - test-images.yaml - webhook_image.yaml 4. Fixed secrets environment issue (Warning) - test-images.yaml: Added production environment for secret access These changes improve workflow security and clarity without affecting functionality. Signed-off-by: siddaram-sonnagi <siddaram.sonnagi@ibm.com>
Without an explicit <cpu> element, the guest CPU has no named model contract. host-model causes libvirt to resolve the best matching IBM Z model (e.g. gen17a on z17), ensuring live migration safety between hosts of the same generation, full feature support of the respective generation, and consistent behaviour with the x86_64 and aarch64 implementations. Also adds CPU mode assertions to TestCreateDomainXMLArchitecturesWithMocks for s390x and aarch64. Assisted-by: IBM Bob <noreply@ibm.com> Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
… updates Bumps the aws-sdk-go-v2 group with 6 updates in the /src/cloud-api-adaptor directory: | Package | From | To | | --- | --- | --- | | [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) | `1.41.7` | `1.41.12` | | [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.32.17` | `1.32.23` | | [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2) | `1.299.1` | `1.305.2` | | [github.com/aws/aws-sdk-go-v2/service/eks](https://github.com/aws/aws-sdk-go-v2) | `1.83.0` | `1.84.5` | | [github.com/aws/aws-sdk-go-v2/service/iam](https://github.com/aws/aws-sdk-go-v2) | `1.53.10` | `1.54.3` | | [github.com/aws/aws-sdk-go-v2/service/s3](https://github.com/aws/aws-sdk-go-v2) | `1.100.1` | `1.103.2` | Bumps the aws-sdk-go-v2 group with 3 updates in the /src/cloud-providers directory: [github.com/aws/aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2), [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) and [github.com/aws/aws-sdk-go-v2/service/ec2](https://github.com/aws/aws-sdk-go-v2). Updates `github.com/aws/aws-sdk-go-v2` from 1.41.7 to 1.41.12 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@v1.41.7...v1.41.12) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.17 to 1.32.23 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.23) Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.299.1 to 1.305.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/ec2/v1.299.1...service/ec2/v1.305.2) Updates `github.com/aws/aws-sdk-go-v2/service/eks` from 1.83.0 to 1.84.5 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.83.0...service/eks/v1.84.5) Updates `github.com/aws/aws-sdk-go-v2/service/iam` from 1.53.10 to 1.54.3 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/ecs/v1.53.10...service/s3/v1.54.3) Updates `github.com/aws/aws-sdk-go-v2/service/s3` from 1.100.1 to 1.103.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/s3/v1.100.1...service/s3/v1.103.2) Updates `github.com/aws/aws-sdk-go-v2` from 1.41.7 to 1.41.12 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@v1.41.7...v1.41.12) Updates `github.com/aws/aws-sdk-go-v2/config` from 1.32.17 to 1.32.23 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.32.17...config/v1.32.23) Updates `github.com/aws/aws-sdk-go-v2/service/ec2` from 1.299.1 to 1.305.2 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@service/ec2/v1.299.1...service/ec2/v1.305.2) Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.19.16 to 1.19.22 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@credentials/v1.19.16...credentials/v1.19.22) Updates `github.com/aws/aws-sdk-go-v2/feature/ec2/imds` from 1.18.23 to 1.18.28 - [Release notes](https://github.com/aws/aws-sdk-go-v2/releases) - [Commits](aws/aws-sdk-go-v2@config/v1.18.23...config/v1.18.28) --- updated-dependencies: - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-version: 1.41.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.32.23 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-version: 1.305.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/eks dependency-version: 1.84.5 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/iam dependency-version: 1.54.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/s3 dependency-version: 1.103.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2 dependency-version: 1.41.12 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/config dependency-version: 1.32.23 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/service/ec2 dependency-version: 1.305.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/credentials dependency-version: 1.19.22 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 - dependency-name: github.com/aws/aws-sdk-go-v2/feature/ec2/imds dependency-version: 1.18.28 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: aws-sdk-go-v2 ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.36.0 to 4.36.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7211b7c...8aad20d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.36.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@de0fac2...df4cb1c) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
The podvm_mkosi.yaml workflow's concurrency group didn't vary based on inputs, causing builds with different architectures to cancel each other when called from e2e_run_all.yaml. Updated the concurrency group to include all inputs using toJSON(), ensuring each unique combination of inputs gets its own concurrency group. Update podvm_mkosi_ubuntu.yaml to match for robustness Generated-By: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Tests cover: - newStreamIO constructor validation - Read operations (successful, error, partial, empty) - Write operations (successful, error, partial, empty) - Close operations (successful, error, specific error) Uses mock stream implementation to isolate and test streamIO behavior without requiring actual libvirt connections. Signed-off-by: Chathurya Adapa <Adapa.Chathurya1@ibm.com> Assisted-by: IBM Bob noreply@ibm.com
As this warning is the last zizmor issue we have, should we just ignore it as we have an issue to track this and that means if there are any other issues introduced we are more likely to notice them rather than the zizmor check always being failing? Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bumps the ibm-sdk group with 3 updates in the /src/cloud-api-adaptor directory: [github.com/IBM/go-sdk-core/v5](https://github.com/IBM/go-sdk-core), [github.com/IBM/vpc-go-sdk](https://github.com/IBM/vpc-go-sdk) and [github.com/IBM/ibm-cos-sdk-go](https://github.com/IBM/ibm-cos-sdk-go). Bumps the ibm-sdk group with 4 updates in the /src/cloud-providers directory: [github.com/IBM/go-sdk-core/v5](https://github.com/IBM/go-sdk-core), [github.com/IBM/vpc-go-sdk](https://github.com/IBM/vpc-go-sdk), [github.com/IBM-Cloud/power-go-client](https://github.com/IBM-Cloud/power-go-client) and [github.com/IBM/platform-services-go-sdk](https://github.com/IBM/platform-services-go-sdk). Updates `github.com/IBM/go-sdk-core/v5` from 5.21.2 to 5.21.4 - [Release notes](https://github.com/IBM/go-sdk-core/releases) - [Changelog](https://github.com/IBM/go-sdk-core/blob/main/CHANGELOG.md) - [Commits](IBM/go-sdk-core@v5.21.2...v5.21.4) Updates `github.com/IBM/vpc-go-sdk` from 0.83.2 to 0.85.0 - [Release notes](https://github.com/IBM/vpc-go-sdk/releases) - [Changelog](https://github.com/IBM/vpc-go-sdk/blob/master/CHANGELOG.md) - [Commits](IBM/vpc-go-sdk@v0.83.2...v0.85.0) Updates `github.com/IBM/ibm-cos-sdk-go` from 1.14.0 to 1.14.1 - [Release notes](https://github.com/IBM/ibm-cos-sdk-go/releases) - [Changelog](https://github.com/IBM/ibm-cos-sdk-go/blob/master/CHANGELOG.md) - [Commits](IBM/ibm-cos-sdk-go@v1.14.0...v1.14.1) Updates `github.com/IBM/go-sdk-core/v5` from 5.21.2 to 5.21.4 - [Release notes](https://github.com/IBM/go-sdk-core/releases) - [Changelog](https://github.com/IBM/go-sdk-core/blob/main/CHANGELOG.md) - [Commits](IBM/go-sdk-core@v5.21.2...v5.21.4) Updates `github.com/IBM/vpc-go-sdk` from 0.83.2 to 0.85.0 - [Release notes](https://github.com/IBM/vpc-go-sdk/releases) - [Changelog](https://github.com/IBM/vpc-go-sdk/blob/master/CHANGELOG.md) - [Commits](IBM/vpc-go-sdk@v0.83.2...v0.85.0) Updates `github.com/IBM/go-sdk-core/v5` from 5.21.2 to 5.21.4 - [Release notes](https://github.com/IBM/go-sdk-core/releases) - [Changelog](https://github.com/IBM/go-sdk-core/blob/main/CHANGELOG.md) - [Commits](IBM/go-sdk-core@v5.21.2...v5.21.4) Updates `github.com/IBM/vpc-go-sdk` from 0.83.2 to 0.85.0 - [Release notes](https://github.com/IBM/vpc-go-sdk/releases) - [Changelog](https://github.com/IBM/vpc-go-sdk/blob/master/CHANGELOG.md) - [Commits](IBM/vpc-go-sdk@v0.83.2...v0.85.0) Updates `github.com/IBM-Cloud/power-go-client` from 1.15.0 to 1.16.0 - [Release notes](https://github.com/IBM-Cloud/power-go-client/releases) - [Commits](IBM-Cloud/power-go-client@v1.15.0...v1.16.0) Updates `github.com/IBM/go-sdk-core/v5` from 5.21.2 to 5.21.4 - [Release notes](https://github.com/IBM/go-sdk-core/releases) - [Changelog](https://github.com/IBM/go-sdk-core/blob/main/CHANGELOG.md) - [Commits](IBM/go-sdk-core@v5.21.2...v5.21.4) Updates `github.com/IBM/platform-services-go-sdk` from 0.97.4 to 0.99.1 - [Release notes](https://github.com/IBM/platform-services-go-sdk/releases) - [Changelog](https://github.com/IBM/platform-services-go-sdk/blob/main/CHANGELOG.md) - [Commits](IBM/platform-services-go-sdk@v0.97.4...v0.99.1) Updates `github.com/IBM/vpc-go-sdk` from 0.83.2 to 0.85.0 - [Release notes](https://github.com/IBM/vpc-go-sdk/releases) - [Changelog](https://github.com/IBM/vpc-go-sdk/blob/master/CHANGELOG.md) - [Commits](IBM/vpc-go-sdk@v0.83.2...v0.85.0) --- updated-dependencies: - dependency-name: github.com/IBM/go-sdk-core/v5 dependency-version: 5.21.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ibm-sdk - dependency-name: github.com/IBM/vpc-go-sdk dependency-version: 0.85.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ibm-sdk - dependency-name: github.com/IBM/ibm-cos-sdk-go dependency-version: 1.14.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ibm-sdk - dependency-name: github.com/IBM/go-sdk-core/v5 dependency-version: 5.21.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ibm-sdk - dependency-name: github.com/IBM/vpc-go-sdk dependency-version: 0.85.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ibm-sdk - dependency-name: github.com/IBM/go-sdk-core/v5 dependency-version: 5.21.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ibm-sdk - dependency-name: github.com/IBM/vpc-go-sdk dependency-version: 0.85.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ibm-sdk - dependency-name: github.com/IBM-Cloud/power-go-client dependency-version: 1.16.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ibm-sdk - dependency-name: github.com/IBM/go-sdk-core/v5 dependency-version: 5.21.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ibm-sdk - dependency-name: github.com/IBM/platform-services-go-sdk dependency-version: 0.99.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ibm-sdk - dependency-name: github.com/IBM/vpc-go-sdk dependency-version: 0.85.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ibm-sdk ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [go.mongodb.org/mongo-driver](https://github.com/mongodb/mongo-go-driver) from 1.17.6 to 1.17.7. - [Release notes](https://github.com/mongodb/mongo-go-driver/releases) - [Commits](mongodb/mongo-go-driver@v1.17.6...v1.17.7) --- updated-dependencies: - dependency-name: go.mongodb.org/mongo-driver dependency-version: 1.17.7 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
The smoke_test.sh script was using an incorrect OVMF boot configuration that fails on Ubuntu 24.04 hosts. The simple `--boot loader=` format doesn't work with the OVMF_CODE_4M.fd firmware that is default on Ubuntu 24.04. This commit updates the boot configuration to use the proper pflash format with readonly loader and nvram template, which is required for UEFI boot with the 4M OVMF firmware. This fixes the error: ERROR internal error: process exited while connecting to monitor: qemu: could not load PC BIOS '/usr/share/OVMF/OVMF_CODE_4M.fd' Generated-by: IBM Bob Signed-off-by: stevenhorsman <steven@uk.ibm.com>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.32 to 1.7.33. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v1.7.32...v1.7.33) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-version: 1.7.33 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
Add Uint64WithEnv to FlagRegistrar to support uint64-typed flags with environment variable fallback. Follows the same pattern as the existing UintWithEnv, IntWithEnv, and Float64WithEnv helpers. Silent fallback to the hardcoded default on invalid env var input is consistent with all other *WithEnv methods. Assisted-by: IBM Bob <noreply@ibm.com> Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
Add a --root-disk-size flag (env: LIBVIRT_ROOT_DISK_SIZE) that controls the root disk size in GiB for podVMs. Defaults to 10 GiB when unset or zero, preserving existing behaviour. The value flows from Config.RootDiskSize through vmConfig into createVolume(), which compares it against the backing image capacity and uses whichever is larger, preventing a volume that is smaller than its backing store. Also fixes a unit mismatch in createVolume(): the parameter was previously named volSize and compared directly against baseVolumeInfo.Capacity (bytes) without conversion, making any non-default size incorrect. The parameter is now named volSizeGiB and explicitly converted to bytes before comparison. The defaulting, capacity sizing, and bounds validation logic are each extracted into pure helper functions (normalizeRootDiskSize, volumeCapacityBytes, validateRootDiskSize) so they can be tested without a live libvirt connection. Tests call production helpers directly rather than duplicating their logic. Assisted-by: IBM Bob <noreply@ibm.com> Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
The AST extractor silently dropped any *WithEnv registration whose method name was not in its hard-coded switch, and could not resolve typed numeric constants like uint64(10) because both exprToLiteral and exprToString only handled *ast.BasicLit and *ast.Ident. Two fixes: - Add Uint64WithEnv to the recognised method switch so it is included in chart generation output. - Add a *ast.CallExpr case to both exprToLiteral and exprToString that unwraps single-argument type conversions (e.g. uint64(10)) and recurses on the inner literal. Regenerate libvirt.yaml via make sync-chart-values to include the new LIBVIRT_ROOT_DISK_SIZE entry with default "10". Assisted-by: IBM Bob <noreply@ibm.com> Signed-off-by: Ajay Victor <ajvictor@in.ibm.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 4b9dcf2. Configure here.
| # We're pinning the runner to 22.04 b/c libvirt struggles with the | ||
| # OVMF_CODE_4M firmware that is default on 24.04. | ||
| runs-on: 'ubuntu-22.04' | ||
| runs-on: 'ubuntu-24.04' |
There was a problem hiding this comment.
Ubuntu smoketest wrong runner
Medium Severity
The Ubuntu podvm smoke test job now runs on ubuntu-24.04, while the Fedora smoke test in podvm_smoketest.yaml still pins ubuntu-22.04 because libvirt struggles with default OVMF on 24.04. That mismatch can break or flake Ubuntu image smoke tests on the newer runner.
Reviewed by Cursor Bugbot for commit 4b9dcf2. Configure here.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.


Upstream sync — manual merge needed
Upstream has new commits to merge into
cohere, but there are conflicts.Upstream HEAD:
4b9dcf24How to resolve
The sync branch already contains the upstream commits (it points at
origin/main). To make it mergeable intocohere,merge cohere into the sync branch and resolve conflicts there:
Your IDE will show the native merge conflict UI with accept-theirs /
accept-ours / accept-both options for each conflict. Once the push
succeeds, the PR will become mergeable.
Review checklist
Note
High Risk
Dropping the docker provider, Azure e2e/podvm CI, CSI wrapper publish paths, and Packer podvm flows is a major regression risk for anyone still relying on those; e2e and release coverage shifts to mkosi/ubuntu podvm only.
Overview
This sync brings upstream main into the fork and is a large CI and packaging reshuffle rather than a small patch.
Removed capabilities and automation: The docker cloud provider (code, Helm provider, kind/e2e workflow, and dev
BUILTIN_CLOUD_PROVIDERSentry) is deleted. Packer-based podvm image builds (AWS packer templates,hack/packer-check.sh, Makefilepodvm-*Docker targets) and the CSI wrapper component (workflows, release/publish jobs, docs) are removed. Azure-specific callable workflows for podvm image build, release, and full e2e are deleted entirely.PodVM build path: CI and dev notes now use
src/cloud-api-adaptor/podvminstead ofpodvm-mkosi, withmake podvm-binaries/ mkosi image targets. The generic podvm_builder / podvm_binaries / podvm image pipelines are dropped frome2e_run_allandpodvm_publishin favor of podvm_mkosi and podvm_mkosi_ubuntu only; Fedora mkosi workflow no longer builds/publishes a docker-provider OCI image.CI hygiene: Widespread bumps to actions/checkout, Docker build/login/push actions, CodeQL, zizmor, and stale; added concurrency on several workflows; permission blocks get inline comments; build drops the csi-wrapper matrix job; lint drops the Packer check job; PR e2e no longer runs on
test_e2e_docker.Misc: Release/docs/README updated for mkosi-only podvm and without CSI/docker; CITATION.cff bumped to 0.21.1; CAA Dockerfile base images and ca-certificates install updated; govulncheck skips modules with no Go packages.
Reviewed by Cursor Bugbot for commit 4b9dcf2. Bugbot is set up for automated code reviews on this repo. Configure here.