eparis · eparis · Jul 2, 2019 · Jul 1, 2019
diff --git a/README.md b/README.md
@@ -2,6 +2,8 @@
 An ssh-bastion pod to make access to openshift clusters easy
 
 1. Make sure that `oc` is configured to talk to the cluster
+1. (Optionally configure namespace where the bastion will run: `export SSH_BASTION_NAMESPACE=openshift-ssh-bastion`.
+   `openshift-ssh-bastion` is used by default.)
 1. Run: `curl https://raw.githubusercontent.com/eparis/ssh-bastion/master/deploy/deploy.sh | bash`
 1. ssh as core to/through the bastion.
 1. The bastion address can be found by running `oc get service -n openshift-ssh-bastion ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}'`

diff --git a/deploy/clusterrolebinding.yaml b/deploy/clusterrolebinding.yaml
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
@@ -2,6 +2,11 @@
 
 set -e
 
+# Configuration via env. variables:
+# Namespace where the bastion should run. The namespace will be created.
+SSH_BASTION_NAMESPACE="${SSH_BASTION_NAMESPACE:-openshift-ssh-bastion}"
+
+# Directory with bastion yaml files. Can be either local directory or http(s) URL.
 BASEDIR="${BASEDIR:-https://raw.githubusercontent.com/eparis/ssh-bastion/master/deploy}"
 
 clean_up () {
@@ -43,24 +48,35 @@ AcceptEnv XMODIFIERS
 Subsystem	sftp	/usr/libexec/openssh/sftp-server
 ' > ${CONFIGFILE}
 
-    oc create -n openshift-ssh-bastion secret generic ssh-host-keys --from-file="ssh_host_rsa_key=${RSATMP},ssh_host_ecdsa_key=${ECDSATMP},ssh_host_ed25519_key=${ED25519TMP},sshd_config=${CONFIGFILE}"
+    oc create -n ${SSH_BASTION_NAMESPACE} secret generic ssh-host-keys --from-file="ssh_host_rsa_key=${RSATMP},ssh_host_ecdsa_key=${ECDSATMP},ssh_host_ed25519_key=${ED25519TMP},sshd_config=${CONFIGFILE}"
 }
 
-oc apply -f ${BASEDIR}/namespace.yaml
-oc apply -f ${BASEDIR}/service.yaml
-oc get -n openshift-ssh-bastion secret ssh-host-keys &>/dev/null || create_host_keys
-oc apply -f ${BASEDIR}/serviceaccount.yaml 
-oc apply -f ${BASEDIR}/role.yaml 
-oc apply -f ${BASEDIR}/rolebinding.yaml 
+# Non-namespaced objects
+oc apply -f - <<EOF
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ${SSH_BASTION_NAMESPACE}
+  labels:
+    openshift.io/run-level: "0"
+EOF
 oc apply -f ${BASEDIR}/clusterrole.yaml
-oc apply -f ${BASEDIR}/clusterrolebinding.yaml
-oc apply -f ${BASEDIR}/deployment.yaml
+# using oc apply to modifty any already existing clusterrolebinding
+oc create clusterrolebinding ssh-bastion --clusterrole=ssh-bastion --user=system:serviceaccount:${SSH_BASTION_NAMESPACE}:ssh-bastion -o yaml --dry-run | oc apply -f -
+
+# Namespaced objects
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/service.yaml
+oc get -n "${SSH_BASTION_NAMESPACE}" secret ssh-host-keys &>/dev/null || create_host_keys
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/serviceaccount.yaml
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/role.yaml
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/rolebinding.yaml
+oc -n "${SSH_BASTION_NAMESPACE}" apply -f ${BASEDIR}/deployment.yaml
 
 retry=120
 while [ $retry -ge 0 ]
 do
     retry=$(($retry-1))
-    bastion_host=$(oc get service -n openshift-ssh-bastion ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+    bastion_host=$(oc get service -n ${SSH_BASTION_NAMESPACE} ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
     if [ -z ${bastion_host} ]; then
         sleep 1
     else

diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
@@ -4,7 +4,6 @@ metadata:
   labels:
     run: ssh-bastion
   name: ssh-bastion
-  namespace: openshift-ssh-bastion
 spec:
   replicas: 1
   selector:

diff --git a/deploy/namespace.yaml b/deploy/namespace.yaml
diff --git a/deploy/role.yaml b/deploy/role.yaml
@@ -2,7 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: ssh-bastion
-  namespace: openshift-ssh-bastion
 rules:
 - apiGroups:
   - security.openshift.io

diff --git a/deploy/rolebinding.yaml b/deploy/rolebinding.yaml
@@ -4,7 +4,6 @@ metadata:
   annotations:
     openshift.io/description: Allows ssh-pod to run as root
   name: ssh-bastion
-  namespace: openshift-ssh-bastion
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role

diff --git a/deploy/service.yaml b/deploy/service.yaml
@@ -4,7 +4,6 @@ metadata:
   labels:
     run: ssh-bastion
   name: ssh-bastion
-  namespace: openshift-ssh-bastion
 spec:
   externalTrafficPolicy: Local
   ports:

diff --git a/deploy/serviceaccount.yaml b/deploy/serviceaccount.yaml
@@ -2,4 +2,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: ssh-bastion
-  namespace: openshift-ssh-bastion
diff --git a/ssh.sh b/ssh.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-ssh -t -o StrictHostKeyChecking=no -o ProxyCommand='ssh -A -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -W %h:%p core@$(oc get service -n openshift-ssh-bastion ssh-bastion -o jsonpath="{.status.loadBalancer.ingress[0].hostname}")' core@$1 "sudo -i"
+ssh -t -o StrictHostKeyChecking=no -o ProxyCommand='ssh -A -o StrictHostKeyChecking=no -o ServerAliveInterval=30 -W %h:%p core@$(oc get service --all-namespaces -l run=ssh-bastion -o jsonpath="{.items[0].status.loadBalancer.ingress[0].hostname}")' core@$1 "sudo -i"