Bind gce ssh key to prow (#1999)

Author: krzyzacy

prow/Makefile

@@ -16,7 +16,7 @@ all: build fmt vet test
 
 
 HOOK_VERSION       = 0.84
-LINE_VERSION       = 0.77
+LINE_VERSION       = 0.78
 SINKER_VERSION     = 0.5
 DECK_VERSION       = 0.16
 SPLICE_VERSION     = 0.15
@@ -44,6 +44,10 @@ JENKINS_ADDRESS_FILE = ${HOME}/jenkins-address
 # Service account key for bootstrap jobs.
 SERVICE_ACCOUNT_FILE = ${HOME}/service-account.json
 
+# GCE ssh key for gce-e2e jobs
+SSH_KEY_PRIVATE = ${HOME}/ssh-private
+SSH_KEY_PUBLIC = ${HOME}/ssh-public
+
 # Should probably move this to a script or something.
 create-cluster:
 	gcloud -q container --project "$(PROJECT)" clusters create "$(CLUSTER)" --zone "$(ZONE)" --machine-type n1-standard-4 --num-nodes 4 --node-labels=role=prow --scopes "https://www.googleapis.com/auth/compute","https://www.googleapis.com/auth/devstorage.full_control","https://www.googleapis.com/auth/logging.write","https://www.googleapis.com/auth/servicecontrol","https://www.googleapis.com/auth/service.management" --network "default" --enable-cloud-logging --enable-cloud-monitoring
@@ -52,6 +56,7 @@ create-cluster:
 	kubectl create secret generic oauth-token --from-file=oauth=$(OAUTH_SECRET_FILE)
 	kubectl create secret generic jenkins-token --from-file=jenkins=$(JENKINS_SECRET_FILE)
 	kubectl create secret generic service-account --from-file=service-account.json=$(SERVICE_ACCOUNT_FILE)
+	kubectl create secret generic ssh-key-secret --from-file=ssh-private=$(SSH_KEY_PRIVATE) --from-file=ssh-public=$(SSH_KEY_PUBLIC)
 	kubectl create configmap jenkins-address --from-file=jenkins-address=$(JENKINS_ADDRESS_FILE)
 	kubectl create configmap config --from-file=config=config.yaml
 	kubectl create configmap plugins --from-file=plugins=plugins.yaml

prow/cluster/hook_deployment.yaml

@@ -41,7 +41,7 @@ spec:
         - "--github-bot-name=k8s-ci-robot"
         env:
         - name: LINE_IMAGE
-          value: "gcr.io/k8s-prow/line:0.77"
+          value: "gcr.io/k8s-prow/line:0.78"
         - name: DRY_RUN
           value: "false"
         ports:

prow/cluster/horologium_deployment.yaml

@@ -33,7 +33,7 @@ spec:
         image: gcr.io/k8s-prow/horologium:0.0
         env:
         - name: LINE_IMAGE
-          value: "gcr.io/k8s-prow/line:0.77"
+          value: "gcr.io/k8s-prow/line:0.78"
         - name: DRY_RUN
           value: "false"
         volumeMounts:

prow/cluster/splice_deployment.yaml

@@ -24,7 +24,7 @@ spec:
         - -log-json
         env:
         - name: LINE_IMAGE
-          value: "gcr.io/k8s-prow/line:0.77"
+          value: "gcr.io/k8s-prow/line:0.78"
         - name: DRY_RUN
           value: "false"
       volumes:

prow/cmd/line/main.go

@@ -233,7 +233,7 @@ func fields(c *testClient) logrus.Fields {
 // necessary.
 // We modify the pod's spec to have the build parameters such as PR number
 // passed in as environment variables. We also include the service account
-// secret.
+// secret and gce ssh keys.
 func (c *testClient) TestKubernetes() error {
 	logrus.WithFields(fields(c)).Info("Starting pod.")
 	buildID := getBuildID(*totURL, c.JobName)
@@ -301,13 +301,26 @@ func (c *testClient) TestKubernetes() error {
 				Name:  "GOOGLE_APPLICATION_CREDENTIALS",
 				Value: "/etc/service-account/service-account.json",
 			},
+			kube.EnvVar{
+				Name:  "JENKINS_GCE_SSH_PRIVATE_KEY_FILE",
+				Value: "/etc/ssh-key-secret/ssh-private.json",
+			},
+			kube.EnvVar{
+				Name:  "JENKINS_GCE_SSH_PUBLIC_KEY_FILE",
+				Value: "/etc/ssh-key-secret/ssh-public.json",
+			},
 		)
 		spec.Containers[i].VolumeMounts = append(spec.Containers[i].VolumeMounts,
 			kube.VolumeMount{
 				Name:      "service",
 				MountPath: "/etc/service-account",
 				ReadOnly:  true,
 			},
+			kube.VolumeMount{
+				Name:      "ssh",
+				MountPath: "/etc/ssh-key-secret",
+				ReadOnly:  true,
+			},
 			kube.VolumeMount{
 				Name:      "cache-ssd",
 				MountPath: "/root/.cache",
@@ -329,6 +342,12 @@ func (c *testClient) TestKubernetes() error {
 				Name: "service-account",
 			},
 		},
+		kube.Volume{
+			Name: "ssh",
+			Secret: &kube.SecretSource{
+				Name: "ssh-key-secret",
+			},
+		},
 		kube.Volume{
 			Name: "cache-ssd",
 			HostPath: &kube.HostPathSource{