Support e2e testing via a bastion host for SSH commands

[smarterclayton]

Issue: e2e tests should succeed even if nodes are not publicly available from where the tests are run

Until we port the remaining e2e tests to use exec host pods instead of SSH, it should be possible to use bastion host when clusters don't expose public IPs for nodes. Testers can use the KUBE_SSH_BASTION environment variable set to a host:port to specify the host that the tests will use as a jump host.

If KUBE_SSH_BASTION is specified, the test will first connect to the bastion using SSH and the provider private key, then establish a tunnel from the bastion to the target node by its IP. If the node has an external IP, the external IP must be routable from the bastion.

Also support KUBE_SSH_KEY_PATH so there is a single cross-provider env var for setting the full path to the private key, which simplifies testing multiple clouds from the same infra.

/kind bug

e2e tests that require SSH may be used against clusters that have nodes without external IP addresses by setting the environment variable `KUBE_SSH_BASTION` to the `host:port` of a machine that is allowed to SSH to those nodes.  The same private key that the test would use is used for the bastion host.  The test connects to the bastion and then tunnels another SSH connection to the node.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: smarterclayton

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• test/OWNERS [smarterclayton]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[smarterclayton]

@kubernetes/sig-testing-pr-reviews we have configurations that have private nodes and I would like to ensure that e2e tests running as prow jobs on a k8s cluster can reach into those other clusters to do the full e2e suite

[smarterclayton]

/retest

[smarterclayton]

/retest

[smarterclayton]

This is a more complete solution for #68792

[smarterclayton]

/retest

…

On Thu, Jan 10, 2019 at 6:10 PM Kubernetes Prow Robot < ***@***.***> wrote: @smarterclayton <https://github.com/smarterclayton>: The following tests *failed*, say /retest to rerun them all: Test name Commit Details Rerun command pull-kubernetes-integration 88cac12 <88cac12> link <https://gubernator.k8s.io/build/kubernetes-jenkins/pr-logs/pull/72286/pull-kubernetes-integration/40880/> /test pull-kubernetes-integration pull-kubernetes-e2e-kops-aws 88cac12 <88cac12> link <https://gubernator.k8s.io/build/kubernetes-jenkins/pr-logs/pull/72286/pull-kubernetes-e2e-kops-aws/118909/> /test pull-kubernetes-e2e-kops-aws Full PR test history <https://gubernator.k8s.io/pr/72286>. Your PR dashboard <https://gubernator.k8s.io/pr/smarterclayton>. Please help us cut down on flakes by linking to <https://git.k8s.io/community/contributors/devel/flaky-tests.md#filing-issues-for-flaky-tests> an open issue <https://github.com/kubernetes/kubernetes/issues?q=is:issue+is:open> when you hit one in your PR. Instructions for interacting with me using PR comments are available here <https://git.k8s.io/community/contributors/guide/pull-requests.md>. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra <https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:> repository. I understand the commands that are listed here <https://go.k8s.io/bot-commands>. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#72286 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABG_p-eq2s_hsDkz7yzPovpGu_ezIX8uks5vB8h8gaJpZM4ZfGrH> .

[smarterclayton]

/retest

[smarterclayton]

@kubernetes/sig-node-pr-reviews need some eyes on this - nodes shouldn't be required to have external SSH access, and I think we're starting to get to the point where we shouldn't assume the e2e tests run from inside the security zone of a cluster. A bastion is reasonably simple with go-ssh (have been running this code in openshift for a while) and the code path is isolated so that if someone does hit bugs in this new path it doesn't impact others.

[rphillips]

would be nice to have the constants at the top of the file

[smarterclayton]

the code in this case is a copy of sshutil.RunSSHCommand and I'm trying to keep the structure of the method consistent (can't reuse the constant across two packages since we don't want to expose it)

[rphillips]

is it ok to buffer the entire stdout/stderr into memory? We may want to put the data into a limited buffer.

[smarterclayton]

This is no different than the other SSH stub, but generally yes, this is for test code only and the usage is constraint. We also dump the full output to the build logs, which is a disincentive to use this for a chatty channel.

So it's not great, but it's consistent with our existing flow, but in the future we should improve this structure (these are convenience commands that aren't really designed for anything other than quick and dirty testing).

[rphillips]

just return err here

[smarterclayton]

this was a straight move, would prefer not to change the code.

[rphillips]

/lgtm

[rphillips]

/retest