# Copyright 2025 syzkaller project authors. All rights reserved.
# Use of this source code is governed by Apache 2 LICENSE that can be found in the LICENSE file.

apiVersion: argoproj.io/v1alpha1
kind: WorkflowTemplate
metadata:
  name: fuzz-step-template
spec:
  templates:
    - name: fuzz-step
      inputs:
        parameters:
          - name: base-build-id
            value: ""
          - name: patched-build-id
            value: ""
        artifacts:
          - name: base-kernel
            path: /base
          - name: patched-kernel
            path: /patched
          - name: config
            path: /tmp/config.json
      timeout: 4h
      container:
        image: ${IMAGE_PREFIX}fuzz-step:${IMAGE_TAG}
        imagePullPolicy: IfNotPresent
        command: ["/bin/fuzz-step"]
        args: [
          "--config", "/tmp/config.json",
          "--session", "{{workflow.parameters.session-id}}",
          "--base_build", "{{inputs.parameters.base-build-id}}",
          "--patched_build", "{{inputs.parameters.patched-build-id}}",
          "--time", "3h",
          "--workdir", "/workdir",
          "--vv", "1"
          ]
        resources:
          requests:
            cpu: 24
            memory: 48G
          limits:
            cpu: 30
            memory: 64G
        volumeMounts:
        - name: workdir
          mountPath: /workdir
        - name: dev-kvm
          mountPath: /dev/kvm
        # Needed for /dev/kvm.
        # TODO: there's a "device plugin" mechanism in k8s that can share it more safely.
        securityContext:
          privileged: true
      volumes:
        - name: workdir
          emptyDir: {}
        - name: output
          emptyDir: {}
        - name: dev-kvm
          hostPath:
            path: /dev/kvm
            type: CharDevice