Add cloudbuild tests for NPD health monitoring

launcher/cloudbuild.yaml

@@ -228,6 +228,20 @@ steps:
     gcloud builds submit --config=test_memory_monitoring.yaml --region us-west1 \
       --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
     exit
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: HealthMonitoringTests
+  waitFor: ['HardenedImageBuild']
+  env:
+  - 'OUTPUT_IMAGE_PREFIX=$_OUTPUT_IMAGE_PREFIX'
+  - 'OUTPUT_IMAGE_SUFFIX=$_OUTPUT_IMAGE_SUFFIX'
+  - 'PROJECT_ID=$PROJECT_ID'
+  script: |
+    #!/usr/bin/env bash
+    cd launcher/image/test
+    echo "running health monitoring tests on ${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX}"
+    gcloud builds submit --config=test_health_monitoring.yaml --region us-west1 \
+      --substitutions _IMAGE_NAME=${OUTPUT_IMAGE_PREFIX}-hardened-${OUTPUT_IMAGE_SUFFIX},_IMAGE_PROJECT=${PROJECT_ID}
+    exit
 - name: 'gcr.io/cloud-builders/gcloud'
   id: ODAWithSignedContainerTest
   waitFor: ['HardenedImageBuild']

launcher/image/test/scripts/test_launchpolicy_health_monitoring.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+set -euo pipefail
+source util/read_serial.sh
+
+# Allow VM some time to boot and write to serial console.
+sleep 120
+
+SERIAL_OUTPUT=$(read_serial $1 $2)
+if echo $SERIAL_OUTPUT | grep -q "$3"
+then
+    echo "- Health monitoring launch policy verified"
+else
+    echo "FAILED: Health monitoring launch policy verification"
+    echo 'TEST FAILED' > /workspace/status.txt
+    echo $SERIAL_OUTPUT
+fi

launcher/image/test/test_health_monitoring.yaml

@@ -0,0 +1,97 @@
+substitutions:
+  '_IMAGE_NAME': ''
+  '_IMAGE_PROJECT': ''
+  '_CLEANUP': 'true'
+  '_VM_NAME_PREFIX': 'health-monitoring'
+  '_ZONE': 'us-west1-a'
+  '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoring:latest'
+
+steps:
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMAllMonitoringEnabled
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-enable=all',
+          '-n', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckAllMonitoringEnabled
+  entrypoint: 'bash'
+  # Search a regex pattern that ensures all monitoring is enabled and measured into COS event logs.
+  args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}', '${_ZONE}', 'Health Monitoring is enabled by the VM operator.*All health monitoring metrics enabled']
+  waitFor: ['CreateVMAllMonitoringEnabled']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpVMAllMonitoringEnabled
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-enable-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['CheckAllMonitoringEnabled']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMMemoryOnlyMonitoringEnabled
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-enable=memoryonly',
+          '-n', '${_VM_NAME_PREFIX}-mem-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckMemoryOnlyMonitoringEnabled
+  entrypoint: 'bash'
+  # Search a regex pattern that ensures all monitoring is enabled and measured into COS event logs.
+  args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}', 'memory/bytes_used enabled']
+  waitFor: ['CreateVMMemoryOnlyMonitoringEnabled']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpVMMemoryOnlyMonitoringEnabled
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['CheckMemoryOnlyMonitoringEnabled']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMMonitoringDisabled
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-monitoring-enable=none',
+          '-n', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckMonitoringDisabled
+  entrypoint: 'bash'
+  # Search a regex pattern that ensures monitoring is disabled and measured into COS event logs.
+  args: ['scripts/test_memory_monitoring.sh', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}', '${_ZONE}', 'Health Monitoring is disabled']
+  waitFor: ['CreateVMMonitoringDisabled']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpVMMonitoringDisabled
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_VM_NAME_PREFIX}-disable-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['CheckMonitoringDisabled']
+# Must come after cleanup.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CheckFailure
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['check_failure.sh']
+
+options:
+  pool:
+    name: 'projects/confidential-space-images-dev/locations/us-west1/workerPools/cs-image-build-vpc'

launcher/image/test/test_launchpolicy_cloudbuild.yaml

@@ -12,7 +12,11 @@ substitutions:
   '_WORKLOAD_IMAGE_CMD': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/launchpolicycmd:latest'
   '_WORKLOAD_IMAGE_MEMORY_MONITOR_NEVER': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringnever:latest'
   '_WORKLOAD_IMAGE_MEMORY_MONITOR_DEBUG': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/memorymonitoringdebug:latest'
+  '_WORKLOAD_IMAGE_HEALTH_MONITOR_NEVER': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringnone:latest'
+  '_WORKLOAD_IMAGE_HEALTH_MONITOR_DEBUG': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringdebug:latest'
+  '_WORKLOAD_IMAGE_HEALTH_MONITOR_MEMORY': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringmemory:latest'
   '_MEMORY_MONITOR_VM_NAME_PREFIX': 'memory-monitor'
+  '_HEALTH_MONITOR_VM_NAME_PREFIX': 'health-monitor'
 steps:
 - name: 'gcr.io/cloud-builders/gcloud'
   id: CreateVMLogOverride
@@ -194,6 +198,81 @@ steps:
   args: ['cleanup.sh', '${_MEMORY_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}']
   waitFor: ['MemoryMonitorNeverTest']
 
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMHealthMonitorDebugOnly
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE_HEALTH_MONITOR_DEBUG},tee-monitoring-enable=all',
+          '-n', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: HealthMonitorDebugOnlyTest
+  entrypoint: 'bash'
+  args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}', '${_ZONE}', "'none' monitoring allowed on hardened environment.*'all' monitoring allowed on debug environment"]
+  waitFor: ['CreateVMHealthMonitorDebugOnly']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpHealthMonitorDebugOnly
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-debugonly-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['HealthMonitorDebugOnlyTest']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMHealthMonitorNever
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE_HEALTH_MONITOR_NEVER},tee-monitoring-enable=all',
+          '-n', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: HealthMonitorNeverTest
+  entrypoint: 'bash'
+  args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}', "'none' monitoring allowed on hardened environment.*'none' monitoring allowed on debug environment"]
+  waitFor: ['CreateVMHealthMonitorNever']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpHealthMonitorNever
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-never-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['HealthMonitorNeverTest']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CreateVMHealthMonitorMemory
+  entrypoint: 'bash'
+  env:
+  - 'BUILD_ID=$BUILD_ID'
+  args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+          '-p', '${_IMAGE_PROJECT}',
+          '-m', 'tee-image-reference=${_WORKLOAD_IMAGE_HEALTH_MONITOR_MEMORY},tee-monitoring-enable=all',
+          '-n', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-mem-${BUILD_ID}',
+          '-z', '${_ZONE}',
+        ]
+  waitFor: ['-']  # The '-' indicates that this step begins immediately.
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: HealthMonitorMemoryTest
+  entrypoint: 'bash'
+  args: ['scripts/test_launchpolicy_health_monitoring.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}', "'memoryonly' monitoring allowed on hardened environment.*'memoryonly' monitoring allowed on debug environment"]
+  waitFor: ['CreateVMHealthMonitorMemory']
+- name: 'gcr.io/cloud-builders/gcloud'
+  id: CleanUpHealthMonitorMemory
+  entrypoint: 'bash'
+  env:
+  - 'CLEANUP=$_CLEANUP'
+  args: ['cleanup.sh', '${_HEALTH_MONITOR_VM_NAME_PREFIX}-mem-${BUILD_ID}', '${_ZONE}']
+  waitFor: ['HealthMonitorMemoryTest']
+
 # Must come after cleanup.
 - name: 'gcr.io/cloud-builders/gcloud'
   id: CheckFailure

launcher/image/testworkloads/allmonitoring/Dockerfile

@@ -0,0 +1,15 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoring:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.hardened_monitoring"="ALL"
+LABEL "tee.launch_policy.debug_monitoring"="ALL"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]

launcher/image/testworkloads/allmonitoringdebug/Dockerfile

@@ -0,0 +1,15 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringdebug:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.hardened_monitoring"="NONE"
+LABEL "tee.launch_policy.debug_monitoring"="ALL"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]

launcher/image/testworkloads/allmonitoringmemoryonly/Dockerfile

@@ -0,0 +1,15 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringmemory:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.hardened_monitoring"="MEMORYONLY"
+LABEL "tee.launch_policy.debug_monitoring"="MEMORYONLY"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]

launcher/image/testworkloads/allmonitoringnone/Dockerfile

@@ -0,0 +1,15 @@
+# From current directory:
+# GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o main ../basic
+# gcloud builds submit --tag us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/allmonitoringnone:latest --project confidential-space-images-dev
+FROM alpine
+
+COPY main /
+
+ENV env_bar="val_bar"
+
+LABEL "tee.launch_policy.hardened_monitoring"="NONE"
+LABEL "tee.launch_policy.debug_monitoring"="NONE"
+
+ENTRYPOINT ["/main"]
+
+CMD ["arg_foo"]

launcher/spec/launch_policy.go

@@ -155,6 +155,7 @@ func configureMonitoringPolicy(imageLabels map[string]string, launchPolicy *Laun
 		if err != nil {
 			return fmt.Errorf("invalid monitoring type for hardened image: %v", err)
 		}
+		logger.Info(fmt.Sprintf("'%s' monitoring allowed on hardened environment", launchPolicy.HardenedImageMonitoring))
 	} else {
 		launchPolicy.HardenedImageMonitoring = None
 	}
@@ -164,6 +165,7 @@ func configureMonitoringPolicy(imageLabels map[string]string, launchPolicy *Laun
 		if err != nil {
 			return fmt.Errorf("invalid monitoring type for debug image: %v", err)
 		}
+		logger.Info(fmt.Sprintf("'%s' monitoring allowed on debug environment", launchPolicy.DebugImageMonitoring))
 	} else {
 		launchPolicy.DebugImageMonitoring = MemoryOnly
 	}