tests/zedagent: add zedagent integration test suite

Adds an Eden testscript suite under tests/zedagent/ that exercises the
zedagent microservice end-to-end against a live EVE instance: device
info, metrics, app/NI info, attestation FSM, and the /config/-ingest
paths consulted at boot. Ten scenarios in two manifests.

eden.zedagent.tests.txt (eight tests, run against an onboarded EVE):
device_info_completeness, config_items_and_status, maintenance_mode,
app_metrics_detail, network_instance_info_metrics, attest_flow (skips
without eve.tpm), bootstrap_config_item_ingest,
global_config_file_ingest. The two /config-ingest scenarios stage a
bootstrap-config.pb or GlobalConfig/global.json after the device is
onboarded, freeze /persist/checkpoint so zedagent cannot recreate
lastconfig, and reboot. bootstrap_config_item_ingest polls
/run/zedagent/ConfigItemValueMap/global.json for its marker (which
survives because adam echoes the same configItems back).
global_config_file_ingest greps the newlog for the
"/config/GlobalConfig contains:" notice instead, because
parseConfigItems on adam's first fetch rebuilds globalConfig from
defaults+adam's-items and wipes any item adam doesn't push — the log
line is the only persistent signal.

eden.zedagent-preonboard.tests.txt (two tests, each owns its full eden
lifecycle — stop, wipe, eden setup with --eve-bootstrap-file or
--eve-config-dir, eden start, no onboard):
bootstrap_config_item_ingest_preonboard,
global_config_file_ingest_preonboard. With adam never learning the
device exists, /config-sourced ConfigItemValueMap stays authoritative
throughout the verification window — no controller-takeover race, no
log-grep fallback needed.

debug.enable.ssh rides inside the staged config in both preonboard
tests and gates sshd's iptables open via SSHAuthorizedKeys. SSH
readiness doubles as the bug-class canary for the
lf-edge/eve#5584/#5775 cert-chain regression class: a zedagent that
rejects the bootstrap pb (or fails to apply GlobalConfig) leaves
SSHAuthorizedKeys unset and the test times out — a loud, race-free
signal.

zedagent_test.go provides TestInfo, TestMetric, and TestFlowLog
helpers that the testscripts invoke via the `test` command. The
preonboard scenarios use preonboard-template.json from PR #1165's
tests/network/testdata/. The post-onboard suite was validated against
a QEMU-based coverage-instrumented EVE; the six baseline scenarios
plus the two /config-ingest tests achieve substantially higher
cmd/zedagent coverage than the unit tests alone.

Signed-off-by: eriknordmark <erik@zededa.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: eriknordmark

tests/zedagent/Makefile

@@ -0,0 +1,59 @@
+DEBUG ?= "debug"
+
+HOSTARCH ?= $(shell uname -m)
+HOSTOS ?= $(shell uname -s | tr A-Z a-z)
+
+override HOSTARCH := $(subst aarch64,arm64,$(subst x86_64,amd64,$(HOSTARCH)))
+
+ARCH ?= $(HOSTARCH)
+OS ?= $(HOSTOS)
+
+override ARCH := $(subst aarch64,arm64,$(subst x86_64,amd64,$(ARCH)))
+
+WORKDIR ?= $(CURDIR)/../../dist
+TESTDIR := tests/$(shell basename $(CURDIR))
+BINDIR := $(WORKDIR)/bin
+DATADIR := $(WORKDIR)/$(TESTDIR)/
+BIN := eden
+LOCALBIN := $(BINDIR)/$(BIN)-$(OS)-$(ARCH)
+TESTNAME := eden.zedagent
+TESTBIN := $(TESTNAME).test
+TESTSCN := $(TESTNAME).tests.txt
+LOCALTESTBIN := $(TESTBIN)-$(OS)-$(ARCH)
+
+.DEFAULT_GOAL := help
+
+clean:
+	rm -rf $(LOCALTESTBIN) $(BINDIR)/$(TESTBIN) $(WORKDIR)/$(TESTSCN) $(CURDIR)/$(TESTBIN) $(BINDIR)/$(TESTBIN)
+
+$(BINDIR):
+	mkdir -p $@
+$(DATADIR):
+	mkdir -p $@
+
+test:
+	$(LOCALBIN) test $(CURDIR) -v $(DEBUG)
+
+build: setup
+
+testbin: $(TESTBIN)
+$(LOCALTESTBIN): $(BINDIR) *.go
+	CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go test -c -ldflags "-s -w" -o $@ *.go
+
+$(TESTBIN): $(LOCALTESTBIN)
+	ln -sf $(LOCALTESTBIN) $(CURDIR)/$(TESTBIN)
+
+setup: testbin $(BINDIR) $(DATADIR)
+	cp -a $(LOCALTESTBIN) $(CURDIR)/$(TESTBIN) $(BINDIR)
+	cp -a *.tests.txt testdata $(DATADIR)
+
+.PHONY: test build setup clean all testbin
+
+help:
+	@echo "zedagent eden integration tests"
+	@echo
+	@echo "Targets:"
+	@echo "   build   build test binary"
+	@echo "   setup   build and stage test binary + data"
+	@echo "   test    run tests against a running EVE instance"
+	@echo "   clean   remove build artifacts"

tests/zedagent/eden.zedagent-preonboard.tests.txt

@@ -0,0 +1,2 @@
+eden.escript.test -test.run TestEdenScripts/bootstrap_config_item_ingest_preonboard
+eden.escript.test -test.run TestEdenScripts/global_config_file_ingest_preonboard

tests/zedagent/eden.zedagent.tests.txt

@@ -0,0 +1,7 @@
+eden.escript.test -test.run TestEdenScripts/device_info_completeness
+eden.escript.test -test.run TestEdenScripts/config_items_and_status
+eden.escript.test -test.run TestEdenScripts/network_instance_info_metrics
+eden.escript.test -test.run TestEdenScripts/app_metrics_detail
+eden.escript.test -test.run TestEdenScripts/maintenance_mode
+eden.escript.test -test.run TestEdenScripts/global_config_file_ingest
+eden.escript.test -test.run TestEdenScripts/bootstrap_config_item_ingest

tests/zedagent/testdata/app_metrics_detail.txt

@@ -0,0 +1,65 @@
+# Test: per-app and per-volume metrics detail
+#
+# Deploys an app with an attached volume, waits for it to run, then verifies
+# that zedagent publishes non-trivial per-app and per-volume metrics.
+#
+# Covers: handleDiskMetricCreate/Modify/Impl/Delete (DiskMetric from volumemgr),
+#         handleAppDiskMetricCreate/lookupAppDiskMetric (AppDiskMetric),
+#         createVolumeInstanceMetrics, getVolumeResourcesMetrics,
+#         fillStorageDiskMetrics, fillStorageChildrenMetrics,
+#         PublishAppInfoToZedCloud, addUserSwInfo,
+#         PublishVolumeToZedCloud, PublishContentInfoToZedCloud.
+
+{{$info   := "test eden.zedagent.test -test.v -test.run TestInfo"}}
+{{$metric := "test eden.zedagent.test -test.v -test.run TestMetric"}}
+{{$app    := "test eden.app.test -test.v"}}
+
+! test eden.reboot.test -test.v -timewait=45m -reboot=0 -count=1 &
+
+# Pre-cleanup: remove stale pod from a previous failed run and wait for EVE to confirm gone.
+exec sh -c 'EDEN_HOME=$EDEN_HOME eden pod delete zagent-vm-t1 2>/dev/null || true'
+test eden.app.test -test.v -timewait 5m - zagent-vm-t1
+
+# Deploy an app with a volume so disk metrics are generated.
+# --volume-size causes volumemgr to create a persistent volume and publish DiskMetric.
+eden -t 1m pod deploy --memory 256MB --volume-size=100MB -n zagent-vm-t1 docker://nginx
+stdout 'deploy pod zagent-vm-t1'
+{{$app}} -timewait 20m RUNNING zagent-vm-t1
+
+# --- app info (PublishAppInfoToZedCloud / addUserSwInfo) ---
+# ZInfoApp for our app must be present with a non-empty appID.
+eden eve epoch &
+{{$info}} -timewait 5m 'InfoContent.ainfo.appID:.+'
+stdout 'AppID'
+
+# --- per-app metrics (DiskMetric -> handleDiskMetricImpl -> publishMetrics) ---
+# ZMetricMsg.am contains per-app-instance metrics; cpu.total should be > 0.
+{{$metric}} -timewait 5m 'am.AppID:.+'
+stdout 'cpu'
+
+# --- disk metrics (handleDiskMetricImpl) ---
+# Global disk metric must show at least one disk path.
+{{$metric}} -timewait 5m 'MetricContent.dm.disk.mountPath:.+'
+stdout 'disk'
+
+# --- cleanup ---
+eden -t 1m pod delete zagent-vm-t1
+stdout 'app zagent-vm-t1 delete done'
+{{$app}} -timewait 10m - zagent-vm-t1
+stdout 'no app with zagent-vm-t1 found'
+
+exec sh kill_watchdog.sh
+wait
+
+# Test's config. file
+-- eden-config.yml --
+test:
+    controller: adam://{{EdenConfig "adam.ip"}}:{{EdenConfig "adam.port"}}
+    eve:
+      {{EdenConfig "eve.name"}}:
+        onboard-cert: {{EdenConfigPath "eve.cert"}}
+        serial: "{{EdenConfig "eve.serial"}}"
+        model: {{EdenConfig "eve.devmodel"}}
+
+-- kill_watchdog.sh --
+pkill -f "eden.reboot.test" || true

tests/zedagent/testdata/attest_flow.txt

@@ -0,0 +1,65 @@
+# Test: remote attestation flow (TPM required)
+#
+# Verifies that zedagent completes the attestation FSM on a TPM-equipped device:
+# nonce request → quote → escrow receipt → COMPLETE state.
+# Also verifies that the PCR status is published in ZInfoDevice and that
+# forcing a re-attestation cycle exercises the retry path.
+#
+# Covers: attestModuleStart, handleAttestQuoteCreate/Modify/Impl/Delete,
+#         handleEncryptedKeyFromDeviceCreate/Modify/Delete,
+#         publishAttestNonce, publishEncryptedKeyFromController,
+#         storeIntegrityToken, readIntegrityToken,
+#         restartAttestation, recordAttestationTry,
+#         SendAttestQuote (VerifierImpl), SendAttestEscrow (VerifierImpl).
+#
+# PREREQUISITE: eve.tpm must be "true" in the eden config.
+
+{{$tpm := EdenConfig "eve.tpm"}}
+{{if (ne $tpm "true")}}
+skip
+{{end}}
+
+{{$info := "test eden.zedagent.test -test.v -test.run TestInfo"}}
+
+# Trigger a fresh device info publish.
+eden eve epoch &
+
+# --- attestation state complete ---
+# ZInfoDevice.attestState should reach ATTEST_STATE_COMPLETE after successful FSM.
+# Give it up to 10 minutes for the full nonce/quote/escrow cycle.
+{{$info}} -timewait 10m \
+    'InfoContent.dinfo.attestState:ATTEST_STATE_COMPLETE'
+stdout 'ATTEST_STATE_COMPLETE'
+
+# --- PCR status populated ---
+# On a TPM device, pcrStatus must be set (RUNNING or PASS).
+{{$info}} -timewait 5m \
+    'InfoContent.dinfo.pcrStatus:.+'
+stdout 'InfoContent.dinfo.pcrStatus'
+
+# --- integrity token persisted ---
+# Verify the token was written to disk by zedagent (storeIntegrityToken).
+exec -t 1m bash check_integrity_token.sh
+stdout 'integrity_token_present'
+
+wait
+
+# Test's config. file
+-- eden-config.yml --
+test:
+    controller: adam://{{EdenConfig "adam.ip"}}:{{EdenConfig "adam.port"}}
+    eve:
+      {{EdenConfig "eve.name"}}:
+        onboard-cert: {{EdenConfigPath "eve.cert"}}
+        serial: "{{EdenConfig "eve.serial"}}"
+        model: {{EdenConfig "eve.devmodel"}}
+
+-- check_integrity_token.sh --
+EDEN={{EdenConfig "eden.root"}}/{{EdenConfig "eden.bin-dist"}}/{{EdenConfig "eden.eden-bin"}}
+# storeIntegrityToken writes to /persist/status/zedagent/IntegrityToken/
+if $EDEN eve ssh ls /persist/status/zedagent/IntegrityToken/ 2>/dev/null | grep -q .; then
+    echo "integrity_token_present"
+    exit 0
+fi
+echo "integrity_token_missing"
+exit 1