From f0971c8f144b3e5ea9821c84de6461d3a66fa118 Mon Sep 17 00:00:00 2001
From: Alex Wu
Date: Mon, 24 Jun 2024 08:56:20 -0700
Subject: [PATCH] Add mounts Cloud Build test
---
 launcher/image/test/test_mounts.yaml | 143 ++++++++++++++++++
 .../image/testworkloads/mounts/Dockerfile | 1 +
 .../testworkloads/mounts/print_mounts.sh | 7 +-
 3 files changed, 147 insertions(+), 4 deletions(-)
 create mode 100644 launcher/image/test/test_mounts.yaml
diff --git a/launcher/image/test/test_mounts.yaml b/launcher/image/test/test_mounts.yaml
new file mode 100644
index 00000000..f15be087
--- /dev/null
+++ b/launcher/image/test/test_mounts.yaml
@@ -0,0 +1,143 @@
+substitutions:
+ '_HARDENED_IMAGE_NAME': ''
+ '_IMAGE_PROJECT': ''
+ '_CLEANUP': 'true'
+ '_VM_NAME_PREFIX': 'cs-mounts-test'
+ '_ZONE': 'us-central1-a'
+ '_WORKLOAD_IMAGE': 'us-west1-docker.pkg.dev/confidential-space-images-dev/cs-integ-test-images/basic_test:latest'
+
+steps:
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMRedirectAll
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-container-log-redirect=true',
+ '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-all',
+ '-z', '${_ZONE}',
+ ]
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: LogAllCheckSerialTest
+ entrypoint: 'bash'
+ args: ['scripts/test_log_redirect.sh', 'serial', 'true', '${_VM_NAME_PREFIX}-${BUILD_ID}-all', '${_ZONE}']
+ waitFor: ['CreateVMRedirectAll']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: LogAllCheckCloudLoggingTest
+ entrypoint: 'bash'
+ env:
+ - 'PROJECT_ID=$PROJECT_ID'
+ args: ['scripts/test_log_redirect.sh', 'cloud_logging', 'true', '${_VM_NAME_PREFIX}-${BUILD_ID}-all', '${_ZONE}']
+ waitFor: ['CreateVMRedirectAll']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpLogAllTest
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-all', '${_ZONE}']
+ waitFor: ['LogAllCheckSerialTest', 'LogAllCheckCloudLoggingTest']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMRedirectSerial
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-container-log-redirect=serial',
+ '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-serial',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: LogSerialCheckSerialTest
+ entrypoint: 'bash'
+ args: ['scripts/test_log_redirect.sh', 'serial', 'true', '${_VM_NAME_PREFIX}-${BUILD_ID}-serial', '${_ZONE}']
+ waitFor: ['CreateVMRedirectSerial']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: LogSerialCheckCloudLoggingTest
+ entrypoint: 'bash'
+ env:
+ - 'PROJECT_ID=$PROJECT_ID'
+ args: ['scripts/test_log_redirect.sh', 'cloud_logging', 'false', '${_VM_NAME_PREFIX}-${BUILD_ID}-serial', '${_ZONE}']
+ waitFor: ['CreateVMRedirectSerial']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpLogSerialTest
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-serial', '${_ZONE}']
+ waitFor: ['LogSerialCheckCloudLoggingTest', 'LogSerialCheckCloudLoggingTest']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMRedirectCloudLogging
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-container-log-redirect=cloud_logging',
+ '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-clog',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: LogCloudLoggingCheckSerialTest
+ entrypoint: 'bash'
+ args: ['scripts/test_log_redirect.sh', 'serial', 'false', '${_VM_NAME_PREFIX}-${BUILD_ID}-clog', '${_ZONE}']
+ waitFor: ['CreateVMRedirectCloudLogging']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: LogCloudLoggingCheckCloudLoggingTest
+ entrypoint: 'bash'
+ env:
+ - 'PROJECT_ID=$PROJECT_ID'
+ args: ['scripts/test_log_redirect.sh', 'cloud_logging', 'true', '${_VM_NAME_PREFIX}-${BUILD_ID}-clog', '${_ZONE}']
+ waitFor: ['CreateVMRedirectCloudLogging']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpLogCloudLoggingTest
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-clog', '${_ZONE}']
+ waitFor: ['LogCloudLoggingCheckSerialTest', 'LogCloudLoggingCheckCloudLoggingTest']
+
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CreateVMRedirectNone
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['create_vm.sh','-i', '${_HARDENED_IMAGE_NAME}',
+ '-p', '${_IMAGE_PROJECT}',
+ '-m', 'tee-image-reference=${_WORKLOAD_IMAGE},tee-container-log-redirect=false',
+ '-n', '${_VM_NAME_PREFIX}-${BUILD_ID}-none',
+ '-z', '${_ZONE}',
+ ]
+ waitFor: ['-']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: LogNoneCheckSerialTest
+ entrypoint: 'bash'
+ args: ['scripts/test_log_redirect.sh', 'serial', 'false', '${_VM_NAME_PREFIX}-${BUILD_ID}-none', '${_ZONE}']
+ waitFor: ['CreateVMRedirectNone']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: LogNoneCheckCloudLoggingTest
+ entrypoint: 'bash'
+ env:
+ - 'PROJECT_ID=$PROJECT_ID'
+ args: ['scripts/test_log_redirect.sh', 'cloud_logging', 'false', '${_VM_NAME_PREFIX}-${BUILD_ID}-none', '${_ZONE}']
+ waitFor: ['CreateVMRedirectNone']
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CleanUpLogNoneTest
+ entrypoint: 'bash'
+ env:
+ - 'CLEANUP=$_CLEANUP'
+ args: ['cleanup.sh', '${_VM_NAME_PREFIX}-${BUILD_ID}-none', '${_ZONE}']
+ waitFor: ['LogNoneCheckSerialTest', 'LogNoneCheckCloudLoggingTest']
+
+# Must come after cleanup.
+- name: 'gcr.io/cloud-builders/gcloud'
+ id: CheckFailure
+ entrypoint: 'bash'
+ env:
+ - 'BUILD_ID=$BUILD_ID'
+ args: ['check_failure.sh']
diff --git a/launcher/image/testworkloads/mounts/Dockerfile b/launcher/image/testworkloads/mounts/Dockerfile
index 2f5ca00a..ebeed4a9 100644
--- a/launcher/image/testworkloads/mounts/Dockerfile
+++ b/launcher/image/testworkloads/mounts/Dockerfile
@@ -5,6 +5,7 @@ FROM alpine
 COPY print_mounts.sh /
 LABEL "tee.launch_policy.log_redirect"="always"
+LABEL "tee.launch_policy.allow_mount_destination"="/run/tmp:/var/tmp:/tmp"
 ENTRYPOINT ["/print_mounts.sh"]
diff --git a/launcher/image/testworkloads/mounts/print_mounts.sh b/launcher/image/testworkloads/mounts/print_mounts.sh
index 3b3c75ad..5409b16d 100755
--- a/launcher/image/testworkloads/mounts/print_mounts.sh
+++ b/launcher/image/testworkloads/mounts/print_mounts.sh
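Review bot: The new test_mounts.yaml does not appear to exercise mounts at all: `_WORKLOAD_IMAGE` points at `basic_test:latest` rather than the mounts workload, every `create_vm.sh` call passes only `tee-image-reference` and `tee-container-log-redirect` metadata (no mount metadata), and every check step runs `scripts/test_log_redirect.sh`, so the file reads as a copy of the log-redirect test with `_VM_NAME_PREFIX` changed to `cs-mounts-test`. As written, the `tee.launch_policy.allow_mount_destination` label added to the mounts Dockerfile and the new `print_mounts.sh` listings are never reached by this build, so the test cannot fail when mounting breaks. Separately, `CleanUpLogSerialTest` lists `LogSerialCheckCloudLoggingTest` twice in `waitFor` and omits `LogSerialCheckSerialTest`, so the `-serial` VM can be deleted while that check is still running; it should read `waitFor: ['LogSerialCheckSerialTest', 'LogSerialCheckCloudLoggingTest']`, matching the three sibling cleanup steps.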
@@ -3,7 +3,6 @@ df -h ls -lathr / - -ls -lathr /my-new-disk - -mkdir /my-new-disk/sldifj \ No newline at end of file +ls -lathr /run/tmp +ls -lathr /var/tmp +ls -lathr /tmp
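Review bot: The three added `ls -lathr` lines only print; if `/run/tmp`, `/var/tmp` or `/tmp` is not mounted, that `ls` fails but the script keeps going, and unless the script's header (outside this hunk) sets `set -e`, the workload still exits 0, so a missing mount is only detectable by someone reading the log. If the workload is meant to signal a missing destination, a single `ls -lathr /run/tmp /var/tmp /tmp || exit 1` keeps every listing in the output while making the failure explicit; if it is intentionally print-only because the Cloud Build script inspects the log, a one-line comment saying so above these lines would stop the next reader from "fixing" it. The hunk's old/new counts (7/6) are one more than the lines visible here, so a context line may have been lost in this copy.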