From b9fd8237b92ecbd39dea033f09138c8587209bd3 Mon Sep 17 00:00:00 2001
From: Malte Poll
Date: Thu, 1 Dec 2022 15:43:40 +0100
Subject: [PATCH] manual e2e tests: Add option to keep embedded measurements (#698)
---
 .../actions/constellation_create/action.yml | 30 +++++++++++++++----
 .github/actions/e2e_test/action.yml | 4 +++
 .github/docs/release.md | 20 +++++++------
 .github/workflows/e2e-test-manual-macos.yml | 6 ++++
 .github/workflows/e2e-test-manual.yml | 6 ++++
 5 files changed, 52 insertions(+), 14 deletions(-)
diff --git a/.github/actions/constellation_create/action.yml b/.github/actions/constellation_create/action.yml
index 221e8f5ce..8c59eed4b 100644
--- a/.github/actions/constellation_create/action.yml
+++ b/.github/actions/constellation_create/action.yml
@@ -23,6 +23,9 @@ inputs:
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
 required: false
+ keepMeasurements:
+ default: "false"
+ description: "Keep measurements embedded in the CLI."
 #
 # GCP specific inputs
 #
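Review bot: The new `keepMeasurements` input declares `default` and `description` but no `required:` line, unlike `kubernetesVersion` directly above it, which spells out `required: false`; add `required: false` after `default: "false"` so the block reads uniformly. The identical omission is in the `keepMeasurements` input added to .github/actions/e2e_test/action.yml. The description could also say what the non-default value changes, for example `description: "Keep the measurements embedded in the CLI instead of replacing them with a PCR 15-only placeholder (true/false)."`, since the caller otherwise has to read the later step to learn what `false` does.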
@@ -74,15 +77,13 @@ runs: (.provider | select(. | has(\"azure\")).azure.userAssignedIdentity) = \"${{ inputs.azureUserAssignedIdentity }}\" | (.provider | select(. | has(\"azure\")).azure.resourceGroup) = \"${{ inputs.azureResourceGroup }}\" | (.provider | select(. | has(\"azure\")).azure.appClientID) = \"${{ inputs.azureClientID }}\" | - (.provider | select(. | has(\"azure\")).azure.clientSecretValue) = \"${{ inputs.azureClientSecret }}\" | - (.provider | select(. | has(\"azure\")).azure.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ + (.provider | select(. | has(\"azure\")).azure.clientSecretValue) = \"${{ inputs.azureClientSecret }}\"" \ constellation-conf.yaml yq eval -i \ "(.provider | select(. | has(\"gcp\")).gcp.project) = \"${{ inputs.gcpProject }}\" | (.provider | select(. | has(\"gcp\")).gcp.region) = \"europe-west3\" | (.provider | select(. | has(\"gcp\")).gcp.zone) = \"europe-west3-b\" | - (.provider | select(. | has(\"gcp\")).gcp.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}} | (.provider | select(. | has(\"gcp\")).gcp.serviceAccountKeyPath) = \"serviceAccountKey.json\"" \ constellation-conf.yaml 
@@ -90,14 +91,33 @@ runs: "(.provider | select(. | has(\"aws\")).aws.region) = \"eu-central-1\" | (.provider | select(. | has(\"aws\")).aws.zone) = \"eu-central-1a\" | (.provider | select(. | has(\"aws\")).aws.iamProfileControlPlane) = \"e2e_test_control_plane_instance_profile\" | - (.provider | select(. | has(\"aws\")).aws.iamProfileWorkerNodes) = \"e2e_test_worker_node_instance_profile\" | - (.provider | select(. | has(\"aws\")).aws.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ + (.provider | select(. | has(\"aws\")).aws.iamProfileWorkerNodes) = \"e2e_test_worker_node_instance_profile\"" \ constellation-conf.yaml if [ ${{ inputs.kubernetesVersion != '' }} = true ]; then yq eval -i "(.kubernetesVersion) = ${{ inputs.kubernetesVersion }}" constellation-conf.yaml fi + - name: Remove embedded measurements + shell: bash + if: ${{ inputs.keepMeasurements == 'false' }} + run: | + yq eval -i \ + "(.provider | select(. | has(\"aws\")).aws.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ + constellation-conf.yaml + + yq eval -i \ + "(.provider | select(. | has(\"azure\")).azure.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ + constellation-conf.yaml + + yq eval -i \ + "(.provider | select(. | has(\"gcp\")).gcp.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}"\ + constellation-conf.yaml + + yq eval -i \ + "(.provider | select(. | has(\"qemu\")).qemu.measurements) = {15:{\"expected\":\"0000000000000000000000000000000000000000000000000000000000000000\",\"warnOnly\":false}}" \ + constellation-conf.yaml + - name: Set image shell: bash env: diff --git a/.github/actions/e2e_test/action.yml b/.github/actions/e2e_test/action.yml index 9b15bd7cb..e8180136e 100644 
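Review bot: The step name `Remove embedded measurements` under-describes what its four yq calls do: each assigns the provider's whole `measurements` map to a single PCR 15 entry expected to be all zeros with `warnOnly: false`, so every other embedded measurement is discarded and, presumably, only PCR 15 is still enforced for the e2e cluster. A comment above `run:` such as `# Replaces the CLI's embedded measurements with a PCR 15-only placeholder so e2e runs work on images whose measurements are not yet embedded; keepMeasurements=true keeps the real set` would make that consequence explicit (the purpose is inferred from the release.md change in this commit, confirm). The gcp invocation ends in `}}"\` without the space before the backslash that the aws, azure and qemu lines have; it still acts as a line continuation but should read `}}" \` like its siblings. The `if` compares the string input to the literal `'false'`, so any other value, including an empty one from a caller that forgets to forward the input, silently keeps the embedded measurements; `if: ${{ inputs.keepMeasurements != 'true' }}` would make the placeholder the explicit default, so pick the intended direction and state it in the input description. The enclosing `runs.steps` list continues outside the hunk.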
--- a/.github/actions/e2e_test/action.yml
+++ b/.github/actions/e2e_test/action.yml
@@ -26,6 +26,9 @@ inputs:
 kubernetesVersion:
 description: "Kubernetes version to create the cluster from."
 required: false
+ keepMeasurements:
+ default: "false"
+ description: "Keep measurements embedded in the CLI."
 gcpProject:
 description: "The GCP project to deploy Constellation in."
 required: false
@@ -149,6 +152,7 @@ runs:
 osImage: ${{ inputs.osImage }}
 isDebugImage: ${{ inputs.isDebugImage }}
 kubernetesVersion: ${{ inputs.kubernetesVersion }}
+ keepMeasurements: ${{ inputs.keepMeasurements }}
 azureSubscription: ${{ inputs.azureSubscription }}
 azureTenant: ${{ inputs.azureTenant }}
 azureClientID: ${{ inputs.azureClientID }}
diff --git a/.github/docs/release.md b/.github/docs/release.md
index 3d613778a..983c2e7e9 100644
--- a/.github/docs/release.md
+++ b/.github/docs/release.md
@@ -71,23 +71,25 @@ This checklist will prepare `v1.3.0` from `v1.2.0`. Adjust your version numbers gh workflow run build-os-image.yml --ref release/v$minor -F debug=false -F imageVersion=v$ver ``` - 11. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability. + 11. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images. ```sh - gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false - gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F machineType=Standard_DC4as_v5 -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false - gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false - gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F machineType=n2d-standard-4 -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false + gh workflow run generate-measurements.yml --ref release/v$minor -F osImage=v$ver -F isDebugImage=false -F signMeasurements=true ``` - 12. [Generate measurements](/.github/workflows/generate-measurements.yml) for the images. + 12. Update expected measurements in [`measurements.go`](/internal/attestation/measurements/measurements.go) using the generated measurements from step 12 and **push your changes**. + + 13. Run manual E2E tests using [Linux](/.github/workflows/e2e-test-manual.yml) and [macOS](/.github/workflows/e2e-test-manual-macos.yml) to confirm functionality and stability. 
```sh - gh workflow run generate-measurements.yml --ref release/v$minor -F osImage=v$ver -F isDebugImage=false -F signMeasurements=true + gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=aws -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false -F keepMeasurements=true + gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=aws -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false -F keepMeasurements=true + gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=azure -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false -F keepMeasurements=true + gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=azure -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false -F keepMeasurements=true + gh workflow run e2e-test-manual.yml --ref release/v$minor -F cloudProvider=gcp -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false -F keepMeasurements=true + gh workflow run e2e-test-manual-macos.yml --ref release/v$minor -F cloudProvider=gcp -F test="sonobuoy full" -F osImage=v$ver -F isDebugImage=false -F keepMeasurements=true ``` - 13. Update expected measurements in [`measurements.go`](/internal/attestation/measurements/measurements.go) using the generated measurements from step 12 and **push your changes**. - 14. Create a new tag on this release branch. ```sh diff --git a/.github/workflows/e2e-test-manual-macos.yml b/.github/workflows/e2e-test-manual-macos.yml index 043a65001..aad5737c8 100644 --- a/.github/workflows/e2e-test-manual-macos.yml +++ b/.github/workflows/e2e-test-manual-macos.yml @@ -33,6 +33,11 @@ on: description: "Kubernetes version to create the cluster from." default: "1.24" required: true + keepMeasurements: + description: "Keep measurements embedded in the CLI." + type: boolean + default: false + required: false osImage: description: "Full name of OS image (CSP independent image version UID)." type: string 
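Review bot: The `keepMeasurements` workflow_dispatch input's description, `Keep measurements embedded in the CLI.`, does not tell the person dispatching the run what the default `false` does, which is the consequential branch: the constellation_create action then replaces the embedded measurements with a PCR 15-only, all-zero expectation, so the cluster is tested with reduced attestation checks. Consider `description: "Keep the measurements embedded in the CLI (true) instead of replacing them with a PCR 15-only placeholder (false). Use true when validating a release whose measurements are already in measurements.go."`; the same wording applies to the identical input added to .github/workflows/e2e-test-manual.yml below. The value is forwarded via `github.event.inputs.keepMeasurements`, which should reach the composite action as the string 'true'/'false' rather than a boolean and therefore match its string comparison, but confirm that on a dispatched run since the input is declared `type: boolean`. The `on.workflow_dispatch.inputs` mapping continues outside the hunk.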
@@ -139,6 +144,7 @@ jobs:
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: ${{ github.event.inputs.test }}
 kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
+ keepMeasurements: ${{ github.event.inputs.keepMeasurements }}
 azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
 azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
 azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}
diff --git a/.github/workflows/e2e-test-manual.yml b/.github/workflows/e2e-test-manual.yml
index 6bc686313..7c760b4b8 100644
--- a/.github/workflows/e2e-test-manual.yml
+++ b/.github/workflows/e2e-test-manual.yml
@@ -34,6 +34,11 @@ on:
 description: "Kubernetes version to create the cluster from."
 default: "1.24"
 required: true
+ keepMeasurements:
+ description: "Keep measurements embedded in the CLI."
+ type: boolean
+ default: false
+ required: false
 osImage:
 description: "Full name of OS image (CSP independent image version UID)."
 type: string
@@ -135,6 +140,7 @@ jobs:
 gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
 test: ${{ github.event.inputs.test }}
 kubernetesVersion: ${{ github.event.inputs.kubernetesVersion }}
+ keepMeasurements: ${{ github.event.inputs.keepMeasurements }}
 azureSubscription: ${{ secrets.AZURE_E2E_SUBSCRIPTION_ID }}
 azureTenant: ${{ secrets.AZURE_E2E_TENANT_ID }}
 azureClientID: ${{ secrets.AZURE_E2E_CLIENT_ID }}