add proxy/bastion for connection

[lilyLuLiu]

https://github.com/adrianriobo/deliverest/issues/9

[adrianriobo]

same as before

[adrianriobo]

I think the if [[ -n "${PROXY_HOST}" && -n "${PROXY_USERNAME}" ]]; then should have its own if...

As one thing is the proxy settings which would be added on the scp part, also here I am just seeing the proxy host and username but it probably would require a private key.

The second part is the if for the target host, if it uses a private key it directly uses the scp -i option if not and it will connect though a pass it uses the sshpass.

But as you see in both cases if we set proxy those settings should be there

[adrianriobo]

Same as before

[adrianriobo]

Only see PROXY_USERNAME and PROXY_HOST, still missing PROXY_PRIVATE_KEY

Unfortunately do not see an easy option (i.e for target host -i) to set the private key for proxy, it seems you would need to create a config file: ~/.ssh/config

And template it with the envs:

Host proxy_host
    HostName proxy_host
    User proxy_user
    IdentityFile /path/to/private_key_for_proxy

Host target_host
    HostName target_host
    User target_user
    IdentityFile /path/to/private_key_for_target
    ProxyJump proxy_host

[adrianriobo]

When you add the private key, I would ask you to test this and comment on the test is successful here 🙏

If you want for testing this without the testing farm stuff as that may complicate things we can use mapt (ask me for this) to spin an airgap machine that will output all the details for both bastion (proxy) and target host so you can use them for testing this.

[lilyLuLiu]

@adrianriobo , I designed that deliverset offers two options for SSH connection:
(1) provide an SSH Config file: proxy can only be used this way.
(2) provide target username and password/key.
What do you think?

[adrianriobo]

I am fine with it, but still if user pass an private key for target host and a private key for proxy you probably would need to compose the conf file no?

[lilyLuLiu]

@adrianriobo my plan is the user pass the config file to deliverset, instead of deliverset compose the config file. What do you think?

[adrianriobo]

@lilyLuLiu I would prefer the other way around, here are some thoughts on why:

• If you force the user to create the file outside that would be a breaking change non backward compatible (and this is used across several teams ...so it could create issues or even dismiss the usage of deliverest)

• As a direct consecuence instead of having 1 place with the logic you would split it forcing tekton to have a place for creating the file, gh action another one... and so on

• The requirement for the file is due to the underlaying ssh client ... that would force a hard dependecy on the usage of deliverst... people should not need to know the client being used ..as long as they pass basic info the setup should be made internally ... what happens if we build a new version of deliverest which contains a new version of open ssh with some change on the format of the file? As the file creation has been delegated to external users...they would need to track the version know about the change on the file and apply everywhere + deal with how they create the file based on the deliverest version they are using (and they could be use different ones depending on the component)

[lilyLuLiu]

@adrianriobo Thanks for the explanation.
I have re-submitted the code that supports bastion with parameters. Could you review it when you have time?

[adrianriobo]

Sure let me go through it

[adrianriobo]

Did you try this with mapt on airgap scenario?

[adrianriobo]

In general and just if testing was ok LGTM

[lilyLuLiu]

@adrianriobo verified with mapt arigap scenario.