enhance SSH feature avoid oidc disturb msg

[tedteng]

Describe the bug

The implement PR #221 block SSH feature since start from gardenctl v19,v21. v22(master)

So far the impcat we can aware of is SSH feature, not sure others. if the user use SSH feature with ODIC, it will break SSH feature which not able to access host.

This ticket will tracking AWS, GCP, Azure

• AWS

• GCP

• Azure

To Reproduce
Steps to reproduce the behavior:

1. Which target was set 'gardenctl get target'
2. Which command was entered [e.g. 'gardenctl show vpn-seed']
3. What was the output of the command

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Gardenctl Version (please complete the following information):

• v19
• v21
• v22 / Github master

Additional context
Add any other context about the problem here.

[tedteng]

I am working on AWS currently

[tedteng]

During the refactoring operate method also lead to ExecCmd. which we have another issue #352.
I will not use ExecCmd in operate.go , refactoring case aws

case "aws":
		accessKeyID := []byte(secret.Data["accessKeyID"])
		secretAccessKey := []byte(secret.Data["secretAccessKey"])
		parts := strings.Fields(arguments)
		cmd := exec.Command("aws", parts...)
		newEnv := append(os.Environ(), "AWS_ACCESS_KEY_ID="+string(accessKeyID[:]), "AWS_SECRET_ACCESS_KEY="+string(secretAccessKey[:]), "AWS_DEFAULT_REGION="+region, "AWS_DEFAULT_OUTPUT=text")
		cmd.Env = newEnv
		out, err := cmd.CombinedOutput()
		if err != nil {
			log.Fatalf("cmd.Run() failed with %s\n", err)
		}
		return (strings.TrimSpace(string(out[:])))

in draft PR. continue refactoring ssh_aws.go

[tedteng]

I am planning work on GCP

[tedteng]

AWS, GCP, Azure all done and pass. will verify aliyun and openstack whether had impacted due to operte.go refactoring.

GCP:
gg ssh shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd                                       Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

Warning:
Be aware that you are entering an untrusted environment!
Do not enter credentials or sensitive data within the ssh session that cluster owners should not have access to.

Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Downloaded id_rsa key
Check Public IP

(1/4) Fetching data from target shoot cluster
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Data fetched from target shoot cluster.

(2/4) Setting up bastion host firewall rule
Add ssh rule
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Creating firewall...
....Created [https://www.googleapis.com/compute/v1/projects/sap-se-gcp-scp-k8s-dev/global/firewalls/shoot--i333878--gcp-gcp-001-allow-ssh-access].
done.
NAME                                          NETWORK                      DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
shoot--i333878--gcp-gcp-001-allow-ssh-access  shoot--i333878--gcp-gcp-001  INGRESS    1000      tcp:22        False
(3/4) Creating bastion host
Create bastion host
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Created [https://www.googleapis.com/compute/v1/projects/sap-se-gcp-scp-k8s-dev/zones/europe-west1-b/instances/shoot--i333878--gcp-gcp-001-bastions].
NAME                                  ZONE            MACHINE_TYPE   PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS
shoot--i333878--gcp-gcp-001-bastions  europe-west1-b  n1-standard-1               10.250.0.3   35.233.21.174  RUNNING
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Instance State: RUNNING
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Waiting 45 seconds until ports are open.
ssh -i/Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/key -oProxyCommand=ssh -W%h:%p -i/Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/key -oIdentitiesOnly=yes -oStrictHostKeyChecking=no [email protected] gardener@shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd -oIdentitiesOnly=yes -oStrictHostKeyChecking=no
Warning: Permanently added '35.233.21.174' (ECDSA) to the list of known hosts.
Warning: Permanently added 'shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd' (ED25519) to the list of known hosts.
  ____               _              _     _                  
 / ___| __ _ _ __ __| | ___ _ __   | |    _ _ __  _   ___  __
| |  _ / _` | '__/ _` |/ _ \ '_ \  | |   | | '_ \| | | \ \/ /
| |_| | (_| | | | (_| |  __/ | | | | |___| | | | | |_| |>  < 
 \____|\__,_|_|  \__,_|\___|_| |_| |_____|_|_| |_|\__,_/_/\_\
Garden Linux 11 (based on Debian GNU/Linux 11)               

Welcome to shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd.c.sap-se-gcp-scp-k8s-dev.internal  Thu Oct  8 06:27:16 UTC 2020
Linux #1 SMP Debian 5.4.19-1 (2020-02-13) x86_64 up 52 minutes
Load:  0.15, 0.20, 0.25 of 2CPUs  no iowait  no steal time
Free:  RAM 58.14%  Disk / 92.16% /usr 28.15% /boot/efi 100.00% 

ens4        10.250.0.2/32  fe80::4001:aff:fefa:2/64  
tunl0       100.96.0.1/32                            


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ exit
Connection to shoot--i333878--gcp-gcp-001-worker-k41j4-z1-5584688648-l4dvd closed.
(4/4) Cleanup
Cleaning up bastion host configurations...

Starting cleanup

  (1/2) Cleaning up bastion host instance
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Deleted [https://www.googleapis.com/compute/v1/projects/sap-se-gcp-scp-k8s-dev/zones/europe-west1-b/instances/shoot--i333878--gcp-gcp-001-bastions].
  (2/2) Close SSH Port on Node.
Close SSH Port on Node.
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/gcp-gcp-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Activated service account credentials for: [gardener-shoot-operator-dev@sap-se-gcp-scp-k8s-dev.iam.gserviceaccount.com]
Updated property [core/account].
Deleted [https://www.googleapis.com/compute/v1/projects/sap-se-gcp-scp-k8s-dev/global/firewalls/shoot--i333878--gcp-gcp-001-allow-ssh-access].
Bastion host configurations successfully cleaned up.



Azure
gg ssh shoot--i333878--az-az-001-worker-bt6i6-z3-598c94d869-l68d2
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

Warning:
Be aware that you are entering an untrusted environment!
Do not enter credentials or sensitive data within the ssh session that cluster owners should not have access to.

Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Downloaded id_rsa key
Check Public IP

(1/4) Fetching data from target shoot cluster
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Standard
Data fetched from target shoot cluster.

(2/4) Configuring Azure
Opened SSH Port.
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

Create public ip
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
20.54.46.21
Waiting 5 s until public ip is available.

Add public ip to nic

Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical
Waiting 30 seconds until ports are open.
(3/4) Establishing SSH connection

Warning: Permanently added '20.54.46.21' (ED25519) to the list of known hosts.
  ____               _              _     _                  
 / ___| __ _ _ __ __| | ___ _ __   | |    _ _ __  _   ___  __
| |  _ / _` | '__/ _` |/ _ \ '_ \  | |   | | '_ \| | | \ \/ /
| |_| | (_| | | | (_| |  __/ | | | | |___| | | | | |_| |>  < 
 \____|\__,_|_|  \__,_|\___|_| |_| |_____|_|_| |_|\__,_/_/\_\
Garden Linux 11 (based on Debian GNU/Linux 11)               

Welcome to shoot--i333878--az-az-001-worker-bt6i6-z3-598c94d869-l68d2.ku0di1l4wfdutovlmztclf00lc.fx.internal.cloudapp.net  Thu Oct  8 07:48:24 UTC 2020
Linux #1 SMP Debian 5.4.19-1 (2020-02-13) x86_64 up 1 hour, 10 minutes
Load:  0.72, 1.62, 2.09 of 1CPUs  2.25% iowait  no steal time
Free:  RAM 6.14%  Disk / 92.54% /usr 28.08% /boot/efi 100.00% /mnt/resource 94.37% 

eth0       10.250.0.4/16  fe80::20d:3aff:fedc:d470/64  


The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Oct  8 07:38:57 2020 from 180.166.22.232
$ exit
Connection to 20.54.46.21 closed.

(4/4) Cleanup

  (1/3) Remove SSH rule
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

  (2/3) Remove public ip from nic
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains auth provider configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

  (3/3) Delete public ip
Kubeconfig under path /Users/i333878/.garden/cache/canary/projects/i333878/az-az-001/kubeconfig.yaml contains exec configurations that could contain malicious code. Please only continue if you have verified it to be uncritical

Configuration successfully cleaned up.

[tedteng]

I think the ticker ready review as #373 openstack not able to ssh and alicloud failure ssh either. #372.
So far AWS, GCP, Azure all good ssh after refactor