Add image tests for the experiments binary

cloudbuild.yaml

@@ -64,6 +64,22 @@ steps:
       --substitutions _BASE_IMAGE=${base_image},_OUTPUT_IMAGE_FAMILY=${OUTPUT_IMAGE_FAMILY},_OUTPUT_IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_ENV=hardened,_CS_LICENSE=projects/confidential-space-images/global/licenses/confidential-space,_BUCKET_NAME=${BUCKET_NAME}
     exit
 
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: ExperimentsTests
+  waitFor: ['DebugImageBuild']
+  env:
+  - 'OUTPUT_IMAGE_PREFIX=$_OUTPUT_IMAGE_PREFIX'
+  - 'OUTPUT_IMAGE_SUFFIX=$_OUTPUT_IMAGE_SUFFIX'
+  - 'PROJECT_ID=$PROJECT_ID'
+  script: |
+    #!/usr/bin/env bash
+
+    cd launcher/image/test
+    echo "running experiments client tests on ${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX}"
+    gcloud builds submit --config=test_experiments_client.yaml --region us-west1 \
+      --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-debug-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
+    exit
+
 - name: 'gcr.io/cloud-builders/gcloud'
   id: DebugImageTests
   waitFor: ['DebugImageBuild']

launcher/image/test/scripts/test_experiment_value.sh

@@ -0,0 +1,21 @@
+ #!/bin/bash
+set -euo pipefail
+source util/read_serial.sh
+
+# This test requires the workload to run and print
+# corresponding messages to the serial console.
+SERIAL_OUTPUT=$(read_serial $2 $3) 
+print_serial=false
+
+if echo $SERIAL_OUTPUT | grep -q "EnableTestFeatureForImage:$1"
+then
+    echo "- test experiment verified $1"
+else
+    echo "FAILED: experiment status expected to be $1"
+    echo "TEST FAILED. Test experiment status expected to be $1" > /workspace/status.txt
+    print_serial=true
+fi
+
+if $print_serial; then
+    echo $SERIAL_OUTPUT
+fi

launcher/image/test/test_experiments_client.yaml

@@ -0,0 +1,40 @@
+substitutions:
+  '_IMAGE_NAME': ''
+  '_IMAGE_PROJECT': ''
+  '_CLEANUP': 'true'
+  '_VM_NAME_PREFIX': 'cs-experiments-test'
+  '_ZONE': 'us-central1-a'
+  '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/basic-test:latest'
+steps:
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVM
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-container-log-redirect=true',
+          '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: TestExperimentTrue
+  entrypoint: 'bash'
+  args: ['scripts/test_experiment_value.sh', "true", '${_VM_NAME_PREFIX}-${BUILD_ID}', '${_ZONE}']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUp
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}', '${_ZONE}']
+# Must come after cleanup.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckFailure
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['check_failure.sh']
+
+options:
+  pool:
+    name: 'projects/confidential-space-images-dev/locations/us-west1/workerPools/cs-image-build-vpc'

launcher/image/test/util/read_serial.sh

@@ -11,6 +11,7 @@ read_serial() {
   timeout="10 minute"
   endtime=$(date -ud "$timeout" +%s)
 
+  echo "Reading serial console..."
   while [ -s /workspace/next_start.txt ]; do
     if [[ $(date -u +%s) -ge $endtime ]]; then
       echo "timed out reading serial console" 

launcher/spec/launch_policy.go

@@ -28,13 +28,14 @@ func toLogRedirectPolicy(s string) (logRedirectPolicy, error) {
 
 	if s == "always" {
 		return always, nil
-	} else if s == "never" {
+	}
+	if s == "never" {
 		return never, nil
-	} else if s == "debugonly" {
+	}
+	if s == "debugonly" {
 		return debugOnly, nil
-	} else {
-		return 0, fmt.Errorf("not a valid LogRedirectPolicy %s (must be one of [always, never, debugonly])", s)
 	}
+	return 0, fmt.Errorf("not a valid LogRedirectPolicy %s (must be one of [always, never, debugonly])", s)
 }
 
 const (