From 24e751f6ece2672d54bfa7c8ba7c9434c531eb3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=BChnel?=
Date: Mon, 23 Mar 2020 15:34:23 +0100
Subject: [PATCH] updated container and deployment to store ssh keys for github uploads
---
 containers/agent-debian-testing-ssd/Dockerfile | 8 +++++---
 containers/agent-debian-testing-ssd/known_hosts | 4 ++++
 containers/agent-debian-testing-ssd/start_agent.sh | 12 +++++++++++-
 containers/build_deploy.sh | 2 +-
 kubernetes/jenkins.yaml | 5 +++++
 5 files changed, 26 insertions(+), 5 deletions(-)
 create mode 100644 containers/agent-debian-testing-ssd/known_hosts
diff --git a/containers/agent-debian-testing-ssd/Dockerfile b/containers/agent-debian-testing-ssd/Dockerfile
index 0c9305e..7e0e2c9 100644
--- a/containers/agent-debian-testing-ssd/Dockerfile
+++ b/containers/agent-debian-testing-ssd/Dockerfile
@@ -3,7 +3,7 @@ FROM debian:testing
 RUN echo "deb [trusted=yes] http://apt.llvm.org/buster/ llvm-toolchain-buster-10 main\n$(cat /etc/apt/sources.list)" > /etc/apt/sources.list;\
 apt-get update ;\
 apt-get install -y --no-install-recommends locales \
- cmake ninja-build git ca-certificates clang lld ccache python3 build-essential \
+ cmake ninja-build git ca-certificates clang lld ccache python3 build-essential openssh-client\
 clang-tidy clang-format \
 python3-psutil arcanist zip wget \
 openjdk-11-jdk \
@@ -13,8 +13,6 @@ RUN echo "deb [trusted=yes] http://apt.llvm.org/buster/ llvm-toolchain-buster-10
 # Make python3 default (needed by git-clang-format and others).
 RUN rm -f /usr/bin/python && ln -s /usr/bin/python3 /usr/bin/python
-# required for openssh server
-RUN mkdir -p /run/sshd
 ARG user=jenkins
 ARG group=jenkins
@@ -31,6 +29,10 @@ RUN cd /scripts ;\
 COPY start_agent.sh report_results.sh /scripts/
+# store SSH known hosts for github, required for ssh authentication
+RUN mkdir -p /home/${user}/.ssh
+COPY known_hosts /home/${user}/.ssh/known_hosts
+
 # install python dependencies for the scripts
 # ADD will checks that contentent of a file has changed.
 ADD "https://raw.githubusercontent.com/google/llvm-premerge-checks/master/scripts/requirements.txt" requirements.txt
diff --git a/containers/agent-debian-testing-ssd/known_hosts b/containers/agent-debian-testing-ssd/known_hosts
new file mode 100644
index 0000000..201cf38
--- /dev/null
+++ b/containers/agent-debian-testing-ssd/known_hosts
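Review bot: The pinned host keys are copied to `/home/${user}/.ssh/known_hosts`, a directory that start_agent.sh in this same patch hands to the build user with `chown -R jenkins:jenkins`, so the pins are writable by whatever runs as that user. Installing the file system-wide and root-owned keeps it out of reach of build jobs: `COPY known_hosts /etc/ssh/ssh_known_hosts`. The path here also follows the `user` build argument while start_agent.sh hard-codes `/home/jenkins/.ssh`, so the two diverge if the image is built with a different user. The ADD instruction at the end of the hunk continues outside it.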
@@ -0,0 +1,4 @@
+|1|bJzGXTLCQ4FZRpq+RQu+NfQOugI=|45lSmEMlpfJx7897p2Th4tZj6rM= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==|1|CA5hL0xfZtRH24/h4PieLzQaV5E=|gEuFUpdJK9mwpp1PH8RFi3DFLis= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+|1|K6qo2Wrdv5gQipncPel2cFaNT/w=|k+coolWLGXsJ/oM4G9PBY3GLJQQ= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+|1|hIGbHg7+Z8TQrZ/OEiRxa7f9TZs=|h6iCbIE5wV5wjMo4auBXVXgNWtU= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
+|1|PdWOrYv48xcuktJiKm97UQTg2d0=|zZImMkWTMV8HfZAUv34OvQvKyds= ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
\ No newline at end of file
diff --git a/containers/agent-debian-testing-ssd/start_agent.sh b/containers/agent-debian-testing-ssd/start_agent.sh
index 1bdb9fb..d8c00d2 100755
--- a/containers/agent-debian-testing-ssd/start_agent.sh
+++ b/containers/agent-debian-testing-ssd/start_agent.sh
@@ -15,6 +15,11 @@
 SSD_ROOT="/mnt/disks/ssd0"
 AGENT_ROOT="${SSD_ROOT}/agent"
+SSH_KEY_SOURCE="/github-ssh-key"
+SSH_KEY_TARGET="/home/jenkins/.ssh"
+
+# wipe the local cache on restart
+rm -rf "$SSD_ROOT"
 # prepare root folder for Jenkins agent
 mkdir -p "${AGENT_ROOT}"
@@ -24,7 +29,12 @@ chown -R jenkins:jenkins "${AGENT_ROOT}"
 mkdir -p "${CCACHE_PATH}"
 chown -R jenkins:jenkins "${CCACHE_PATH}"
-# TODO(kuhnel): wipe the disk(s) on startup
+# copy ssh keys to user jenkins
+mkdir -p ${SSH_KEY_TARGET}
+cp ${SSH_KEY_SOURCE}/* ${SSH_KEY_TARGET}
+chmod 700 ${SSH_KEY_TARGET}
+chmod 600 ${SSH_KEY_TARGET}/*
+chown -R jenkins:jenkins ${SSH_KEY_TARGET}
 # start swarm agent as user jenkins
 # description of arguments: https://wiki.jenkins.io/display/JENKINS/Swarm+Plugin
diff --git a/containers/build_deploy.sh b/containers/build_deploy.sh
index afc84f4..93bd09c 100755
--- a/containers/build_deploy.sh
+++ b/containers/build_deploy.sh
@@ -25,6 +25,6 @@ IMAGE_NAME="${1%/}"
 QUALIFIED_NAME="${GCR_HOSTNAME}/${GCP_PROJECT}/${IMAGE_NAME}"
 cd "${DIR}/${IMAGE_NAME}"
-docker build --no-cache -t ${IMAGE_NAME} .
+docker build -t ${IMAGE_NAME} .
 docker tag ${IMAGE_NAME} ${QUALIFIED_NAME}
 docker push ${QUALIFIED_NAME}
\ No newline at end of file
diff --git a/kubernetes/jenkins.yaml b/kubernetes/jenkins.yaml
index a832e9d..04f853a 100644
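Review bot: The first added line of known_hosts appears to contain two records run together (`…UFFAaQ==|1|CA5hL0xf…`): the hunk declares four lines but carries five key blobs, so the second hashed host on that line is probably not read as an entry of its own. Each record should sit on its own line, and the file should end with a newline. Because every host field is hashed, a reviewer cannot see which names or addresses these pins cover; unhashed entries with a comment such as `# GitHub RSA host key, checked against the fingerprint GitHub publishes` would make the file auditable and easier to update when the host key is rotated.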
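Review bot: In the first start_agent.sh hunk, `rm -rf "$SSD_ROOT"` targets `/mnt/disks/ssd0`, which jenkins.yaml mounts into the container as a volume; rm can empty a mount point but cannot remove the directory itself, so the command is expected to finish with a non-zero status. Whether that aborts the script depends on shell options set outside the hunk. Clearing only the contents avoids the failure and guards against an empty variable: `find "${SSD_ROOT:?}" -mindepth 1 -delete`.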
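Review bot: In the second start_agent.sh hunk the key files are copied first and restricted afterwards, so between `cp` and `chmod 600` they sit in a directory the Dockerfile created with a plain `mkdir -p`, carrying whatever mode the copy produced, and every `${SSH_KEY_SOURCE}` / `${SSH_KEY_TARGET}` expansion is unquoted. Creating the directory and the files with their final owner and mode in one step closes that window: `install -d -m 700 -o jenkins -g jenkins "${SSH_KEY_TARGET}"` followed by `install -m 600 -o jenkins -g jenkins "${SSH_KEY_SOURCE}"/* "${SSH_KEY_TARGET}/"`. The copy also replaces the image's `known_hosts` if the secret happens to carry a file of that name, which deserves a comment. The lines that start the swarm agent continue outside the hunk.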
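Review bot: Removing `--no-cache` in build_deploy.sh lets the `apt-get update` / `apt-get install` layer of the agent Dockerfile be reused from the local layer cache indefinitely, so rebuilt images can keep outdated packages on a rolling `debian:testing` base. Consider `docker build --pull -t "${IMAGE_NAME}" .` so that at least the base image is refreshed, and keep a documented way to force a full rebuild. `${IMAGE_NAME}` and `${QUALIFIED_NAME}` are also unquoted on all three docker lines.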
--- a/kubernetes/jenkins.yaml
+++ b/kubernetes/jenkins.yaml
@@ -177,6 +177,8 @@ spec:
 mountPath: /mnt/nfs
 - name: ssd
 mountPath: /mnt/disks/ssd0
+ - mountPath: /github-ssh-key
+ name: github-ssh-key
 volumes:
 - name: nfs-pvc
 persistentVolumeClaim:
@@ -186,5 +188,8 @@ spec:
 # directory location on host
 path: /mnt/disks/ssd0
 type: Directory
+ - name: github-ssh-key
+ secret:
+ secretName: github-ssh-key
 nodeSelector:
 cloud.google.com/gke-nodepool: jenkins-agents
\ No newline at end of file
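Review bot: The `github-ssh-key` secret volume in the second hunk is declared without `defaultMode`, so the key files are projected with the default file mode and start_agent.sh has to tighten permissions on a copy afterwards. Adding `defaultMode: 0400` under `secret:` keeps the mounted source restrictive as well, and `readOnly: true` on the `/github-ssh-key` volumeMount in the first hunk documents the intent. Since the key ends up readable by the `jenkins` user that runs the agent, a comment should state which repositories the key may write to and that it is meant to be a narrowly scoped deploy key; that scoping is not visible in this patch.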