From 001a756970084eadf8f793304dedec192179dbe6 Mon Sep 17 00:00:00 2001
From: Jan Safranek <jsafrane@redhat.com>
Date: Fri, 26 Jul 2019 18:19:51 +0200
Subject: [PATCH 1/3] Run ssh bastion during openshift-test

---
 .../cluster-launch-installer-e2e.yaml         | 72 +++++++++----------
 1 file changed, 35 insertions(+), 37 deletions(-)

diff --git a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
index 079bdc92cfb79..cc8ba9dbc9fbd 100644
--- a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
+++ b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
@@ -144,9 +144,39 @@ objects:
           oc create -f /tmp/cluster/insights-live.yaml || true
         fi
 
-        # set up cloud-provider-specific env vars
-        export KUBE_SSH_BASTION="$( oc --insecure-skip-tls-verify get node -l node-role.kubernetes.io/master -o 'jsonpath={.items[0].status.addresses[?(@.type=="ExternalIP")].address}' ):22"
+        # set up SSH for the e2e tests + for this script
+        function setup_ssh_bastion() {
+          echo "Setting up ssh bastion"
+          mkdir -p ~/.ssh || true
+          cp "${KUBE_SSH_KEY_PATH}" ~/.ssh/id_rsa
+          chmod 0600 ~/.ssh/id_rsa
+          if ! whoami &> /dev/null; then
+            if [ -w /etc/passwd ]; then
+              echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+            fi
+          fi
+          curl https://raw.githubusercontent.com/eparis/ssh-bastion/master/deploy/deploy.sh | bash
+          for i in $(seq 0 60)
+          do
+            BASTION_HOST=$(oc get service -n "${SSH_BASTION_NAMESPACE}" ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
+            if [ ! -z "${BASTION_HOST}" ]; then break; fi
+            sleep 10
+          done
+        }
+
+        function bastion_ssh() {
+          retry 60 \
+            ssh -o LogLevel=error -o ConnectionAttempts=100 -o ConnectTimeout=30 -o StrictHostKeyChecking=no \
+                -o ProxyCommand="ssh -A -o StrictHostKeyChecking=no -o LogLevel=error -o ServerAliveInterval=30 -o ConnectionAttempts=100 -o ConnectTimeout=30 -W %h:%p core@${BASTION_HOST} 2>/dev/null" \
+                $@
+        }
+
+        export SSH_BASTION_NAMESPACE="testing-ssh-bastion"
         export KUBE_SSH_KEY_PATH=/tmp/cluster/ssh-privatekey
+        setup_ssh_bastion
+        export KUBE_SSH_BASTION="${BASTION_HOST}:22"
+
+        # set up cloud-provider-specific env vars
         if [[ "${CLUSTER_TYPE}" == "gcp" ]]; then
           export GOOGLE_APPLICATION_CREDENTIALS="/tmp/cluster/gce.json"
           export KUBE_SSH_USER=cloud-user
@@ -212,32 +242,6 @@ objects:
           if [ "${RETRY_IGNORE_EXIT_CODE}" != "" ]; then return 0; else return "${rc}"; fi
         }
 
-        function setup_ssh_bastion() {
-          echo "Setting up ssh bastion"
-          mkdir -p ~/.ssh || true
-          cp "${KUBE_SSH_KEY_PATH}" ~/.ssh/id_rsa
-          chmod 0600 ~/.ssh/id_rsa
-          if ! whoami &> /dev/null; then
-            if [ -w /etc/passwd ]; then
-              echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
-            fi
-          fi
-          curl https://raw.githubusercontent.com/eparis/ssh-bastion/master/deploy/deploy.sh | bash
-          for i in $(seq 0 60)
-          do
-            BASTION_HOST=$(oc get service -n openshift-ssh-bastion ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
-            if [ ! -z "${BASTION_HOST}" ]; then break; fi
-            sleep 10
-          done
-        }
-
-        function bastion_ssh() {
-          retry 60 \
-            ssh -o LogLevel=error -o ConnectionAttempts=100 -o ConnectTimeout=30 -o StrictHostKeyChecking=no \
-                -o ProxyCommand="ssh -A -o StrictHostKeyChecking=no -o LogLevel=error -o ServerAliveInterval=30 -o ConnectionAttempts=100 -o ConnectTimeout=30 -W %h:%p core@${BASTION_HOST} 2>/dev/null" \
-                $@
-        }
-
         function restore-cluster-state() {
           echo "Placing file /etc/rollback-test with contents A"
           cat > /tmp/machineconfig.yaml <<'EOF'
@@ -268,7 +272,6 @@ objects:
 
           wait_for_machineconfigpool_to_apply
 
-          setup_ssh_bastion
 
           echo "Make etcd backup on first master - /usr/local/bin/etcd-snapshot-backup.sh"
           FIRST_MASTER=$(oc get node -l node-role.kubernetes.io/master= -o name | head -n1 | cut -d '/' -f 2)
@@ -343,17 +346,12 @@ objects:
 
           if [[ "${rc}" == "1" ]]; then exit 1; fi
 
-          echo "Removing ssh-bastion"
-          oc delete project openshift-ssh-bastion
-
           echo "Remove existing openshift-apiserver pods"
           # This would ensure "Pod 'openshift-apiserver/apiserver-xxx' is not healthy: container openshift-apiserver has restarted more than 5 times" test won't fail
           oc delete pod --all -n openshift-apiserver
         }
 
         function recover-from-etcd-quorum-loss() {
-          setup_ssh_bastion
-
           # Machine API won't let the user to destroy the node which runs the controller
           echo "Finding two masters to destroy"
           MAPI_POD=$(oc get pod -l k8s-app=controller -n openshift-machine-api --no-headers -o name)
@@ -516,9 +514,6 @@ objects:
             retry 10 oc wait pod/etcd-member-${master} -n openshift-etcd --for condition=Ready
           done
 
-          echo "Removing ssh-bastion"
-          retry 10 oc delete project openshift-ssh-bastion
-
           echo "Scale etcd-quorum guard"
           retry 10 oc scale --replicas=3 deployment.apps/etcd-quorum-guard -n openshift-machine-config-operator
 
@@ -850,6 +845,9 @@ objects:
           mkdir -p /tmp/artifacts/must-gather
           queue /tmp/artifacts/must-gather/must-gather.log oc --insecure-skip-tls-verify adm must-gather --dest-dir /tmp/artifacts/must-gather
 
+          echo "Removing ssh-bastion ..."
+          queue /dev/null oc --insecure-skip-tls-verify --request-timeout=5s delete project testing-ssh-bastion
+
           echo "Waiting for logs ..."
           wait
 

From 918122ea9a9a9c1b7467c04591a0e70aa8440744 Mon Sep 17 00:00:00 2001
From: Jan Safranek <jsafrane@redhat.com>
Date: Fri, 26 Jul 2019 18:19:51 +0200
Subject: [PATCH 2/3] Use IP address of sshbastion service on Azure

---
 .../openshift/installer/cluster-launch-installer-e2e.yaml    | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
index cc8ba9dbc9fbd..695fb3288d462 100644
--- a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
+++ b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
@@ -158,8 +158,13 @@ objects:
           curl https://raw.githubusercontent.com/eparis/ssh-bastion/master/deploy/deploy.sh | bash
           for i in $(seq 0 60)
           do
+            # AWS fills only .hostname of a service
             BASTION_HOST=$(oc get service -n "${SSH_BASTION_NAMESPACE}" ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
             if [ ! -z "${BASTION_HOST}" ]; then break; fi
+            # Azure fills only .ip of a service. Use it as bastion host.
+            BASTION_HOST=$(oc get service -n "${SSH_BASTION_NAMESPACE}" ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+            if [ ! -z "${BASTION_HOST}" ]; then break; fi
+            echo "Waiting for SSH bastion load balancer service"
             sleep 10
           done
         }

From f66d49467f0c134cadfca923ed85bc3a1b5698ec Mon Sep 17 00:00:00 2001
From: Jan Safranek <jsafrane@redhat.com>
Date: Fri, 26 Jul 2019 18:23:21 +0200
Subject: [PATCH 3/3] Fix bash issues in SSH bastion setup

---
 .../openshift/installer/cluster-launch-installer-e2e.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
index 695fb3288d462..19c2cebfe0cb6 100644
--- a/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
+++ b/ci-operator/templates/openshift/installer/cluster-launch-installer-e2e.yaml
@@ -147,11 +147,11 @@ objects:
         # set up SSH for the e2e tests + for this script
         function setup_ssh_bastion() {
           echo "Setting up ssh bastion"
-          mkdir -p ~/.ssh || true
+          mkdir -p ~/.ssh
           cp "${KUBE_SSH_KEY_PATH}" ~/.ssh/id_rsa
           chmod 0600 ~/.ssh/id_rsa
           if ! whoami &> /dev/null; then
-            if [ -w /etc/passwd ]; then
+            if [[ -w /etc/passwd ]]; then
               echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
             fi
           fi
@@ -160,10 +160,10 @@ objects:
           do
             # AWS fills only .hostname of a service
             BASTION_HOST=$(oc get service -n "${SSH_BASTION_NAMESPACE}" ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
-            if [ ! -z "${BASTION_HOST}" ]; then break; fi
+            if [[ -n "${BASTION_HOST}" ]]; then break; fi
             # Azure fills only .ip of a service. Use it as bastion host.
             BASTION_HOST=$(oc get service -n "${SSH_BASTION_NAMESPACE}" ssh-bastion -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
-            if [ ! -z "${BASTION_HOST}" ]; then break; fi
+            if [[ -n "${BASTION_HOST}" ]]; then break; fi
             echo "Waiting for SSH bastion load balancer service"
             sleep 10
           done