From 65482ab665a1f7e306f11adeb71bc13bfb61bee2 Mon Sep 17 00:00:00 2001
From: Dustin Specker
Date: Thu, 12 May 2022 14:39:26 -0500
Subject: [PATCH] accept ssh diffie-hellman-group1-sha1 and update cert-manager

openssh-client, etc. updated and might not accept these algos by default. Cirros images should probably be updated at some point to use a new SSH server. Update cert-manager to 1.8.0 because [1] changed `deploy-k8s.sh` to use Kubernetes 1.23 instead of 1.19. This broke cert-manager as ca-injector had an error of: Error: error registering secret controller: no matches for kind "MutatingWebhookConfiguration" in version "admissionregistration.k8s.io/v1beta1" This is because admissionregistration.k8s.io/v1beta1 no longer exists in Kubernetes 1.23. Upgrade cert-manager so it uses admissionregistration.k8s.io/v1 instead. 1 - https://review.opendev.org/c/openstack/openstack-helm-infra/+/840691
Change-Id: I5ea204bbcd7add2f787df79ac1d996842f4d1fcc
---
 tools/deployment/developer/common/900-use-it.sh | 9 +++++++--
 tools/scripts/tls/cert-manager.sh | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/tools/deployment/developer/common/900-use-it.sh b/tools/deployment/developer/common/900-use-it.sh
index dc47340a5b..9f95fc7ffc 100755
--- a/tools/deployment/developer/common/900-use-it.sh
+++ b/tools/deployment/developer/common/900-use-it.sh
@@ -87,9 +87,14 @@ function wait_for_ssh_port {
 }
 wait_for_ssh_port $FLOATING_IP
+# accept diffie-hellman-group1-sha1 algo for SSH (cirros image should probably be updated to replace this)
+echo " KexAlgorithms +diffie-hellman-group1-sha1" | sudo tee -a /etc/ssh/ssh_config
+
 # SSH into the VM and check it can reach the outside world
-ssh-keyscan "$FLOATING_IP" >> ~/.ssh/known_hosts
-ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
+# note: ssh-keyscan should be re-enabled to prevent skip host key checking
+# ssh-keyscan does not use ssh_config so ignore host key checking for now
+#ssh-keyscan "$FLOATING_IP" >> ~/.ssh/known_hosts
+ssh -o "StrictHostKeyChecking no" -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} ping -q -c 1 -W 2 ${OSH_BR_EX_ADDR%/*}
 # Check the VM can reach the metadata server
 ssh -i ${HOME}/.ssh/osh_key cirros@${FLOATING_IP} curl --verbose --connect-timeout 5 169.254.169.254
diff --git a/tools/scripts/tls/cert-manager.sh b/tools/scripts/tls/cert-manager.sh
index 5e6e709c9e..75646f1bd5 100755
--- a/tools/scripts/tls/cert-manager.sh
+++ b/tools/scripts/tls/cert-manager.sh
@@ -2,7 +2,7 @@
 set -eux
-: ${CERT_MANAGER_VERSION:="v1.2.0"}
+: ${CERT_MANAGER_VERSION:="v1.8.0"}
 cert_path="/etc/openstack-helm"
 ca_cert_root="$cert_path/certs/ca"
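Review bot: The new ping line `ssh -o "StrictHostKeyChecking no" ...` switches host key verification off entirely, and with the `ssh-keyscan` line now commented out nothing records the VM's key, so a substituted host answering at `$FLOATING_IP` would pass this check silently; `-o StrictHostKeyChecking=accept-new` keeps the run non-interactive, stores the key on first contact, and makes the metadata-server `ssh` on the context line below fail if the key changes between the two connections. The `sudo tee -a /etc/ssh/ssh_config` line also enables the legacy key exchange for every SSH client on the host and appends another copy on each re-run; passing `-o KexAlgorithms=+diffie-hellman-group1-sha1` on both `ssh` commands scopes it to the cirros connection and leaves the global file untouched. The in-code note that `ssh-keyscan` does not read ssh_config is the stated reason the scan was dropped, and with a per-command option the global file is no longer needed for that either.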