e2e/runtime-rs-tmp: init

katexochen · katexochen · commit d8a36d50b30a · 2026-04-02T13:56:49.000+02:00
Temporary test for runtime-rs that checks the debug shell is started.
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -55,6 +55,7 @@ jobs:
         ${{
           (inputs.test-name == 'badaml-sandbox' && 'badaml-sandbox') ||
           (inputs.test-name == 'badaml-vuln' && 'badaml-vuln') ||
+          (inputs.test-name == 'runtime-rs-tmp' && 'runtime-rs') ||
           'base'
         }}
     steps:
diff --git a/.github/workflows/e2e_manual.yml b/.github/workflows/e2e_manual.yml
@@ -28,6 +28,7 @@ on:
           - policy
           - proxy
           - regression
+          - runtime-rs-tmp
           - servicemesh
           - vault
           - volumestatefulset
diff --git a/.github/workflows/e2e_nightly.yml b/.github/workflows/e2e_nightly.yml
@@ -67,6 +67,7 @@ jobs:
           - policy
           - proxy
           - regression
+          - runtime-rs-tmp
           - servicemesh
           - vault
           - volumestatefulset
diff --git a/.github/workflows/e2e_runtime_rs.yml b/.github/workflows/e2e_runtime_rs.yml
@@ -0,0 +1,48 @@
+name: e2e test runtime-rs
+
+on:
+  pull_request:
+    paths:
+      - overlays/sets/runtime-rs.nix
+      - packages/by-name/kata/runtime/**
+      - packages/by-name/kata/runtime-rs/**
+      - e2e/runtime-rs-tmp/**
+
+jobs:
+  tests:
+    strategy:
+      matrix:
+        platform:
+          - name: Metal-QEMU-SNP
+            runner: SNP
+            self-hosted: true
+          - name: Metal-QEMU-TDX
+            runner: TDX
+            self-hosted: true
+          - name: Metal-QEMU-SNP-GPU
+            runner: SNP-GPU
+            self-hosted: true
+          - name: Metal-QEMU-TDX-GPU
+            runner: TDX-GPU
+            self-hosted: true
+        test-name:
+          - runtime-rs-tmp
+      fail-fast: false
+    name: "${{ matrix.platform.name }}"
+    uses: ./.github/workflows/e2e.yml
+    with:
+      skip-undeploy: false
+      test-name: ${{ matrix.test-name }}
+      platform: ${{ matrix.platform.name }}
+      runner: ${{ matrix.platform.runner }}
+      self-hosted: ${{ matrix.platform.self-hosted }}
+      debug-shell: true
+    secrets:
+      GITHUB_TOKEN_IN: ${{ secrets.GITHUB_TOKEN }}
+      CACHIX_AUTH_TOKEN: ${{ secrets.CACHIX_AUTH_TOKEN }}
+      NUNKI_CI_COMMIT_PUSH_PR: ${{ secrets.NUNKI_CI_COMMIT_PUSH_PR }}
+      TEAMS_CI_WEBHOOK: ${{ secrets.TEAMS_CI_WEBHOOK }}
+      CONTRAST_GHCR_READ: ${{ secrets.CONTRAST_GHCR_READ }}
+    permissions:
+      contents: read
+      packages: write
diff --git a/e2e/runtime-rs-tmp/runtimers_test.go b/e2e/runtime-rs-tmp/runtimers_test.go
@@ -0,0 +1,54 @@
+// Copyright 2026 Edgeless Systems GmbH
+// SPDX-License-Identifier: BUSL-1.1
+
+package runtimerstmp
+
+import (
+	"context"
+	"flag"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/edgelesssys/contrast/e2e/internal/contrasttest"
+	"github.com/edgelesssys/contrast/internal/kuberesource"
+	"github.com/edgelesssys/contrast/internal/manifest"
+	"github.com/edgelesssys/contrast/internal/platforms"
+	"github.com/stretchr/testify/require"
+)
+
+// TODO: remove when runtime-rs is fully integrated.
+// Right now there are some failures left, so we only test that we can start up a container.
+// Remove the test and use openssl and other tests when ready.
+
+func TestRuntimeRS(t *testing.T) {
+	platform, err := platforms.FromString(contrasttest.Flags.PlatformStr)
+	require.NoError(t, err)
+
+	ct := contrasttest.New(t)
+
+	require.True(t, contrasttest.Flags.InsecureEnableDebugShell, "the --insecure-enable-debug-shell-access flag must be set to true to extract the initrd start address")
+
+	runtimeHandler, err := manifest.RuntimeHandler(platform)
+	require.NoError(t, err)
+	resources := kuberesource.CoordinatorBundle()
+	resources = kuberesource.PatchRuntimeHandlers(resources, runtimeHandler)
+	resources = kuberesource.AddPortForwarders(resources)
+	ct.Init(t, resources)
+
+	require.True(t, t.Run("generate", ct.Generate), "contrast generate needs to succeed for subsequent tests")
+	require.True(t, t.Run("apply", ct.Apply), "Kubernetes resources need to be applied for subsequent tests")
+
+	// 'set' currently errors because of wrong measurements, but the debugshell init container should come up.
+	require.True(t, t.Run("wait for debugshell", func(t *testing.T) {
+		ctx, cancel := context.WithTimeout(t.Context(), ct.FactorPlatformTimeout(2*time.Minute))
+		defer cancel()
+		require.NoError(t, ct.Kubeclient.WaitForContainer(ctx, ct.Namespace, "coordinator-0", "contrast-debug-shell"))
+	}), "debugshell start must succeed for subsequent tests")
+}
+
+func TestMain(m *testing.M) {
+	contrasttest.RegisterFlags()
+	flag.Parse()
+	os.Exit(m.Run())
+}
diff --git a/packages/by-name/contrast/e2e/package.nix b/packages/by-name/contrast/e2e/package.nix
@@ -81,6 +81,7 @@ buildGoModule {
     "e2e/proxy"
     "e2e/regression"
     "e2e/release"
+    "e2e/runtime-rs-tmp"
     "e2e/servicemesh"
     "e2e/vault"
     "e2e/volumestatefulset"
