From 433eb1dc53a7732ff59f448f10c59b67ee7a3be7 Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Fri, 9 Dec 2016 10:38:17 +0100 Subject: [PATCH 1/3] Add support for bastion hosts --- .gitignore | 1 + ansible.cfg | 2 ++ cluster.yml | 7 ++++++- inventory/inventory.example | 3 +++ roles/bastion-ssh-config/tasks/main.yml | 18 ++++++++++++++++ .../templates/ssh-bastion.conf | 21 +++++++++++++++++++ 6 files changed, 51 insertions(+), 1 deletion(-) create mode 100644 roles/bastion-ssh-config/tasks/main.yml create mode 100644 roles/bastion-ssh-config/templates/ssh-bastion.conf diff --git a/.gitignore b/.gitignore index 506313fe0..8eae4884b 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ temp .idea *.tfstate *.tfstate.backup +/ssh-bastion.conf \ No newline at end of file diff --git a/ansible.cfg b/ansible.cfg index f0e4ef652..86e1d6a22 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -1,5 +1,7 @@ [ssh_connection] pipelining=True +ssh_args = -F ./ssh-bastion.conf -o ControlMaster=auto -o ControlPersist=30m +control_path = ~/.ssh/ansible-%%r@%%h:%%p [defaults] host_key_checking=False gathering = smart diff --git a/cluster.yml b/cluster.yml index 6f8e63505..98862aa13 100644 --- a/cluster.yml +++ b/cluster.yml @@ -1,4 +1,9 @@ --- +- hosts: localhost + gather_facts: False + roles: + - bastion-ssh-config + - hosts: all any_errors_fatal: true gather_facts: false @@ -16,7 +21,7 @@ any_errors_fatal: true gather_facts: true -- hosts: all:!network-storage +- hosts: all:!network-storage:!bastion any_errors_fatal: true roles: - { role: kubernetes/preinstall, tags: preinstall } diff --git a/inventory/inventory.example b/inventory/inventory.example index ab085ad4a..c08e84ae6 100644 --- a/inventory/inventory.example +++ b/inventory/inventory.example 
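Review bot: `ssh_args = -F ./ssh-bastion.conf` resolves the config path against the current working directory, while the role in this same patch writes the file to `{{ playbook_dir }}/ssh-bastion.conf`, so running `ansible-playbook path/to/cluster.yml` from any other directory makes every connection fail with ssh's "Can't open user config file" error before a single host is reached. Passing `-F` also makes ssh ignore `~/.ssh/config` and the system-wide ssh_config, so users' existing `IdentityFile`/`ProxyCommand`/`User` entries are silently dropped, and because the template renders an empty file when no `bastion` host is defined this now happens for non-bastion deployments too. Document in docs/ansible.md that the playbook must be run from the repository root, and consider rendering an `Include ~/.ssh/config` line (OpenSSH 7.3+) at the top of the generated file so per-user settings survive. `ControlPersist=30m` here also disagrees with the `ControlPersist 5m` in the generated bastion stanza; pick one value so the lifetime of the multiplexed master is predictable.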
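Review bot: Only this third play excludes the bastion; the two `hosts: all` plays above it (their roles are outside this hunk) still target `bastion`, so fact gathering and whatever those plays run are now executed on the internet-facing jump host, and with `any_errors_fatal: true` a bastion that lacks Python or runs a different OS aborts the whole deployment. If the bastion is meant to be a pure SSH relay, exclude it from those plays as well, e.g. `- hosts: all:!bastion`; otherwise state in docs/ansible.md that the bastion is bootstrapped like a cluster node and must meet the same requirements. Either way, the narrower the footprint of the bastion the better, since it is the only host with a public address in the setup this patch describes.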
@@ -7,6 +7,9 @@ # node5 ansible_ssh_host=95.54.0.16 # ip=10.3.0.5 # node6 ansible_ssh_host=95.54.0.17 # ip=10.3.0.6 +# ## configure a bastion host if your nodes are not publicly reachable +# bastion ansible_ssh_host=xxx.xxx.xxx.xxx + # [kube-master] # node1 # node2 diff --git a/roles/bastion-ssh-config/tasks/main.yml b/roles/bastion-ssh-config/tasks/main.yml new file mode 100644 index 000000000..d1aae5ca8 --- /dev/null +++ b/roles/bastion-ssh-config/tasks/main.yml @@ -0,0 +1,18 @@ +--- +- set_fact: + has_bastion: "{{ 'bastion' in groups['all'] }}" + +- set_fact: + bastion_ip: "{{ hostvars['bastion']['ansible_ssh_host'] }}" + when: has_bastion + +# As we are actually running on localhost, the ansible_ssh_user is your local user when you try to use it directly +# To figure out the real ssh user, we delegate this task to the bastion and store the ansible_ssh_user in real_user +- set_fact: + real_user: "{{ ansible_ssh_user }}" + delegate_to: bastion + when: has_bastion + +- name: create ssh bastion conf + become: false + template: src=ssh-bastion.conf dest="{{ playbook_dir }}/ssh-bastion.conf" diff --git a/roles/bastion-ssh-config/templates/ssh-bastion.conf b/roles/bastion-ssh-config/templates/ssh-bastion.conf new file mode 100644 index 000000000..6bcc65dad --- /dev/null +++ b/roles/bastion-ssh-config/templates/ssh-bastion.conf @@ -0,0 +1,21 @@ +{% if has_bastion %} +{% set vars={'hosts': ''} %} +{% set user='' %} + +{% for h in groups['all'] %} +{% if h != 'bastion' %} +{% if vars.update({'hosts': vars['hosts'] + ' ' + hostvars[h]['ansible_ssh_host']}) %}{% endif %} +{% endif %} +{% endfor %} + +Host {{ bastion_ip }} + Hostname {{ bastion_ip }} + StrictHostKeyChecking no + ControlMaster auto + ControlPath ~/.ssh/ansible-%r@%h:%p + ControlPersist 5m + +Host {{ vars['hosts'] }} + ProxyCommand ssh -W %h:%p {{ real_user }}@{{ bastion_ip }} + StrictHostKeyChecking no +{% endif %} \ No newline at end of file 
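Review bot: `real_user: "{{ ansible_ssh_user }}"` fails with an undefined-variable error for anyone who relies on the default remote user (ssh's own default or `remote_user` in ansible.cfg) instead of setting `ansible_ssh_user` in the inventory, and the template then cannot render at all; give it a fallback that matches what ssh would use anyway, `real_user: "{{ ansible_ssh_user | default(lookup('env', 'USER')) }}"`. Whether `set_fact` combined with `delegate_to: bastion` evaluates `ansible_ssh_user` against the bastion's variables and stores the result on localhost, as the comment intends, depends on the Ansible version; reading `hostvars['bastion']['ansible_ssh_user']` directly would be version-independent and would not need the delegation. Similarly `hostvars['bastion']['ansible_ssh_host']` raises if the bastion is listed by a resolvable name only; `| default('bastion')` covers that case. A file containing the inventory's addresses and user name is not secret, but since it is dropped into the repository checkout it is worth setting `mode: 0600` on the template task to match the convention for ssh config files.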
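Review bot: Both `Host` stanzas hard-code `StrictHostKeyChecking no` with no `UserKnownHostsFile`, which removes host-key verification for the one hop that is reachable from the internet: whoever can intercept traffic to `bastion_ip` can impersonate the bastion, and because the node sessions tunnelled through `ssh -W` skip verification as well they can be relayed and read end to end. The repository's existing `host_key_checking=False` is a pre-existing default, but this template makes it impossible to turn verification back on for bastion setups even for operators who want to; make it a variable with the current value as default, as sketched below. The bastion stanza also carries no `User`, `Port` or `IdentityFile`, so `ansible_ssh_port` and `ansible_ssh_private_key_file` set on the bastion in the inventory are silently ignored by the `ProxyCommand` ssh; the stanza below picks them up when present. Finally, `hostvars[h]['ansible_ssh_host']` in the loop raises for any non-bastion host that is listed by name only, which `hostvars[h]['ansible_ssh_host'] | default(h)` avoids.
```jinja2
Host {{ bastion_ip }}
  Hostname {{ bastion_ip }}
  User {{ real_user }}
{% if hostvars['bastion']['ansible_ssh_port'] is defined %}
  Port {{ hostvars['bastion']['ansible_ssh_port'] }}
{% endif %}
{% if hostvars['bastion']['ansible_ssh_private_key_file'] is defined %}
  IdentityFile {{ hostvars['bastion']['ansible_ssh_private_key_file'] }}
{% endif %}
  StrictHostKeyChecking {{ bastion_strict_host_key_checking | default('no') }}
# … unchanged: ControlMaster / ControlPath / ControlPersist …

Host {{ vars['hosts'] }}
  ProxyCommand ssh -W %h:%p {{ bastion_ip }}
  StrictHostKeyChecking {{ bastion_strict_host_key_checking | default('no') }}
```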
From e2dc876d773b328087e0654072b986fa0a55ef9d Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Fri, 9 Dec 2016 10:57:50 +0100 Subject: [PATCH 2/3] Add documentation about bastion hosts --- docs/ansible.md | 14 ++++++++++++++ inventory/inventory.example | 2 +- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/docs/ansible.md b/docs/ansible.md index bed95f108..ff7eb1d9d 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -119,3 +119,17 @@ ansible-playbook -i inventory/inventory.ini cluster.yaml \ ``` Note: use `--tags` and `--skip-tags` wise and only if you're 100% sure what you're doing. + +Bastion host +-------------- +If you prefer to not make your nodes publicly accessible (nodes with private IPs only), +you can use a so called *bastion* host to connect to your nodes. To specify and use a bastion, +simply add a line to your inventory, where you have to replace x.x.x.x with the public IP of the +bastion host. + +``` +bastion ansible_ssh_host=x.x.x.x +``` + +For more information about Ansible and bastion hosts, read +[Running Ansible Through an SSH Bastion Host](http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/) \ No newline at end of file diff --git a/inventory/inventory.example b/inventory/inventory.example index c08e84ae6..1d10cdce0 100644 --- a/inventory/inventory.example +++ b/inventory/inventory.example @@ -8,7 +8,7 @@ # node6 ansible_ssh_host=95.54.0.17 # ip=10.3.0.6 # ## configure a bastion host if your nodes are not publicly reachable -# bastion ansible_ssh_host=xxx.xxx.xxx.xxx +# bastion ansible_ssh_host=x.x.x.x # [kube-master] # node1 From 176e95d9898786533c4239b87d9399e865b9fe21 Mon Sep 17 00:00:00 2001 From: Alexander Block Date: Mon, 12 Dec 2016 14:53:33 +0100 Subject: [PATCH 3/3] Add tags for bastion-ssh-config --- cluster.yml | 1 + docs/ansible.md | 1 + 2 files changed, 2 insertions(+) diff --git a/cluster.yml b/cluster.yml index 98862aa13..3fb5def9d 100644 --- a/cluster.yml +++ b/cluster.yml 
@@ -3,6 +3,7 @@ gather_facts: False roles: - bastion-ssh-config + tags: [localhost, bastion] - hosts: all any_errors_fatal: true diff --git a/docs/ansible.md b/docs/ansible.md index ff7eb1d9d..38fb21056 100644 --- a/docs/ansible.md +++ b/docs/ansible.md @@ -57,6 +57,7 @@ The following tags are defined in playbooks: |--------------------------|--------- | apps | K8s apps definitions | azure | Cloud-provider Azure +| bastion | Setup ssh config for bastion | bootstrap-os | Anything related to host OS configuration | calico | Network plugin Calico | canal | Network plugin Canal
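Review bot: Tagging the play `[localhost, bastion]` means any run with `--tags <other tag>` skips it, yet every later play's SSH connection still passes `-F ./ssh-bastion.conf` from ansible.cfg and so depends on that file being present and current; the file is git-ignored, so on a fresh checkout `ansible-playbook --tags preinstall cluster.yml` fails at the first connection, and on an existing checkout it silently uses a stale config after the bastion address changes. Add the built-in `always` tag so the play runs unless explicitly skipped: `tags: [localhost, bastion, always]`. Since `--skip-tags bastion` still disables it, the new row in the tag table in docs/ansible.md should say that skipping it requires an up-to-date ssh-bastion.conf to already exist.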