Dockerfile.upi.ci: Drop pip+pyopenssl installs

[cgwalters]

We shouldn't need this anymore, see
https://cloud.google.com/sdk/crypto

We have a larger conflict here because the gcloud sdk wants
python2, azure wants python3.

Something changed in the pip CDN that broke our use of the
older pip.

(hopefully)
Closes: #4783

[cgwalters]

/test e2e-gcp

[cgwalters]

/test e2e-gcp-upi

[staebler]

Thanks for this, @cgwalters.

[staebler]

Here is a link to the PR giving some detail regarding why we are explicitly using an old pip version.
#4656

[cgwalters]

Ah OK yep from that PR:

With the current code, yum install pyopenssl is used to install
the openssl package that gcloud sdk needs to signurl which has
stopped working because gcloud is not able to pick up the package.

And that's almost certainly because RHEL8 switched to python3 by default, but gcloud is python2. This PR explicitly still installs for python2, so should still work. (But I didn't explicitly test the gcloud parts, trying that out now)

EDIT: done, gcloud compute instances list works fine.

[cgwalters]

One thing that would probably help at some point is to have separate per-infra UPI CI containers so that we're not mashing together all the aws, gcp, azure, matchbox etc tooling.

[cgwalters]

Err wait, if I oc image info registry.ci.openshift.org/ocp/4.8:base it clearly shows rhel8...ah...I see the Prow config explicitly overrides it to be rhel7, making Dockerfile a lie. Fun...

[cgwalters]

OK compounding this it's not even clear to me that we need pyopenssl anymore, see https://cloud.google.com/sdk/crypto

[cgwalters]

/test e2e-gcp-upi

[staebler]

OK compounding this it's not even clear to me that we need pyopenssl anymore, see https://cloud.google.com/sdk/crypto

Currently, pyopenssl is needed when we call gcloud signurl. See https://github.com/openshift/release/blob/f47ec3d4fdee7275cacc83eddde4606a447c0f1c/ci-operator/templates/openshift/installer/cluster-launch-installer-upi-e2e.yaml#L1800. As far as I can tell, we are using a json private key rather than a p12 private key, but pyopenssl is still required.

This is the error when pyopenssl is not installed.

CommandException: The signurl command requires the pyopenssl library (try pip install pyopenssl or easy_install pyopenssl)

[staebler]

Fun times.

~/installer /output
/bin/bash: line 41: pip: command not found
pip is not installed: installing
Traceback (most recent call last):
  File "<string>", line 1, in <module>
AssertionError
python < 3, installing pip<21
/bin/python: No module named ensurepip
Searching for pip<21
Reading https://pypi.python.org/simple/pip/
Best match: pip 20.3.4
Downloading https://files.pythonhosted.org/packages/53/7f/55721ad0501a9076dbc354cc8c63ffc2d6f1ef360f49ad0fbcce19d68538/pip-20.3.4.tar.gz#sha256=6773934e5f5fc3eaa8c5a44949b5b924fc122daa0a8aa9f80c835b4ca2a543fc
error: https://files.pythonhosted.org/packages/53/7f/55721ad0501a9076dbc354cc8c63ffc2d6f1ef360f49ad0fbcce19d68538/pip-20.3.4.tar.gz#sha256=6773934e5f5fc3eaa8c5a44949b5b924fc122daa0a8aa9f80c835b4ca2a543fc hostname 'files.pythonhosted.org' doesn't match either of 'r.ssl.fastly.net', '*.catchpoint.com', '*.cnn.io', '*.dollarshaveclub.com', '*.eater.com', '*.fastly.picmonkey.com', '*.files.saymedia-content.com', '*.ft.com', '*.meetupstatic.com', '*.nfl.com', '*.pagar.me', '*.picmonkey.com', '*.realself.com', '*.sbnation.com', '*.shakr.com', '*.streamable.com', '*.surfly.com', '*.theverge.com', '*.thrillist.com', '*.vox-cdn.com', '*.vox.com', '*.voxmedia.com', 'eater.com', 'ft.com', 'i.gse.io', 'picmonkey.com', 'realself.com', 'static.wixstatic.com', 'streamable.com', 'surfly.com', 'theverge.com', 'vox-cdn.com', 'vox.com', 'www.joyent.com'

https://github.com/openshift/release/blob/411786a644ee9a98e802b651d2ae74303e6c3817/ci-operator/step-registry/upi/conf/gcp/upi-conf-gcp-commands.sh#L46

[staebler]

I'm fine with leaving e2e-gcp-upi broken (for now). There are a lot of things blocked on this error.

[cgwalters]

Ah. Uggh.

Well...I dunno. I think we could plow forward with trying to port this to rhel8, where everything is better maintained?

[staebler]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: staebler

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [staebler]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cgwalters]

One thing that's definitely going on here is the RHEL Python maintainers have been trying to ditch python2 for a long time, and then RHEL7 is even older. There it's moved to a SCL which would require running everything else in the context of that scl which would get awkward.

Testing out rhel8 things seem to work much better (as I was originally doing) in a registry.redhat.io/ubi8/ubi:latest shell it just works to yum -y install python2 && pip-2 install pyopenssl.

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[staebler]

The UPI CI image is not used for the e2e-aws-upgrade job.
/override ci/prow/e2e-aws-upgrade

[openshift-ci-robot]

@staebler: Overrode contexts on behalf of staebler: ci/prow/e2e-aws-upgrade

Details

In response to this:

The UPI CI image is not used for the e2e-aws-upgrade job.
/override ci/prow/e2e-aws-upgrade

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[openshift-ci]

@cgwalters: The following tests failed, say /retest to rerun all failed tests:

Test name	Commit	Details	Rerun command
ci/prow/e2e-gcp	8c4022f9692b4a134c210b695b7365a36b2ddd68	link	/test e2e-gcp
ci/prow/e2e-metal-ipi-ovn-ipv6	d9789808f9d48ca718d7ddbf04b3fd8fd2bfcd9c	link	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-crc	d9789808f9d48ca718d7ddbf04b3fd8fd2bfcd9c	link	/test e2e-crc
ci/prow/e2e-openstack	9aeadb0	link	/test e2e-openstack
ci/prow/e2e-aws-workers-rhel7	9aeadb0	link	/test e2e-aws-workers-rhel7
ci/prow/e2e-libvirt	9aeadb0	link	/test e2e-libvirt
ci/prow/e2e-gcp-upi	9aeadb0	link	/test e2e-gcp-upi
ci/prow/e2e-aws-upgrade	9aeadb0	link	/test e2e-aws-upgrade

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[cgwalters]

#4785