Merge pull request #704 from vwfs/bastion_hosts

Add support for bastion hosts
This commit is contained in:
Antoine Legrand 2016-12-17 12:08:49 +01:00 committed by GitHub
commit 768fe05eea
7 changed files with 67 additions and 1 deletions

1
.gitignore vendored
View file

@ -5,3 +5,4 @@ temp
.idea .idea
*.tfstate *.tfstate
*.tfstate.backup *.tfstate.backup
/ssh-bastion.conf

View file

@ -1,5 +1,7 @@
[ssh_connection] [ssh_connection]
pipelining=True pipelining=True
ssh_args = -F ./ssh-bastion.conf -o ControlMaster=auto -o ControlPersist=30m
control_path = ~/.ssh/ansible-%%r@%%h:%%p
[defaults] [defaults]
host_key_checking=False host_key_checking=False
gathering = smart gathering = smart

View file

@ -1,4 +1,10 @@
--- ---
- hosts: localhost
gather_facts: False
roles:
- bastion-ssh-config
tags: [localhost, bastion]
- hosts: all - hosts: all
any_errors_fatal: true any_errors_fatal: true
gather_facts: false gather_facts: false
@ -16,7 +22,7 @@
any_errors_fatal: true any_errors_fatal: true
gather_facts: true gather_facts: true
- hosts: all:!network-storage - hosts: all:!network-storage:!bastion
any_errors_fatal: true any_errors_fatal: true
roles: roles:
- { role: kubernetes/preinstall, tags: preinstall } - { role: kubernetes/preinstall, tags: preinstall }

View file

@ -57,6 +57,7 @@ The following tags are defined in playbooks:
|--------------------------|--------- |--------------------------|---------
| apps | K8s apps definitions | apps | K8s apps definitions
| azure | Cloud-provider Azure | azure | Cloud-provider Azure
| bastion | Setup ssh config for bastion
| bootstrap-os | Anything related to host OS configuration | bootstrap-os | Anything related to host OS configuration
| calico | Network plugin Calico | calico | Network plugin Calico
| canal | Network plugin Canal | canal | Network plugin Canal
@ -119,3 +120,17 @@ ansible-playbook -i inventory/inventory.ini cluster.yaml \
``` ```
Note: use `--tags` and `--skip-tags` wise and only if you're 100% sure what you're doing. Note: use `--tags` and `--skip-tags` wise and only if you're 100% sure what you're doing.
Bastion host
--------------
If you prefer to not make your nodes publicly accessible (nodes with private IPs only),
you can use a so called *bastion* host to connect to your nodes. To specify and use a bastion,
simply add a line to your inventory, where you have to replace x.x.x.x with the public IP of the
bastion host.
```
bastion ansible_ssh_host=x.x.x.x
```
For more information about Ansible and bastion hosts, read
[Running Ansible Through an SSH Bastion Host](http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/)

View file

@ -7,6 +7,9 @@
# node5 ansible_ssh_host=95.54.0.16 # ip=10.3.0.5 # node5 ansible_ssh_host=95.54.0.16 # ip=10.3.0.5
# node6 ansible_ssh_host=95.54.0.17 # ip=10.3.0.6 # node6 ansible_ssh_host=95.54.0.17 # ip=10.3.0.6
# ## configure a bastion host if your nodes are not publicly reachable
# bastion ansible_ssh_host=x.x.x.x
# [kube-master] # [kube-master]
# node1 # node1
# node2 # node2

View file

@ -0,0 +1,18 @@
---
- set_fact:
has_bastion: "{{ 'bastion' in groups['all'] }}"
- set_fact:
bastion_ip: "{{ hostvars['bastion']['ansible_ssh_host'] }}"
when: has_bastion
# As we are actually running on localhost, the ansible_ssh_user is your local user when you try to use it directly
# To figure out the real ssh user, we delegate this task to the bastion and store the ansible_ssh_user in real_user
- set_fact:
real_user: "{{ ansible_ssh_user }}"
delegate_to: bastion
when: has_bastion
- name: create ssh bastion conf
become: false
template: src=ssh-bastion.conf dest="{{ playbook_dir }}/ssh-bastion.conf"

View file

@ -0,0 +1,21 @@
{% if has_bastion %}
{% set vars={'hosts': ''} %}
{% set user='' %}
{% for h in groups['all'] %}
{% if h != 'bastion' %}
{% if vars.update({'hosts': vars['hosts'] + ' ' + hostvars[h]['ansible_ssh_host']}) %}{% endif %}
{% endif %}
{% endfor %}
Host {{ bastion_ip }}
Hostname {{ bastion_ip }}
StrictHostKeyChecking no
ControlMaster auto
ControlPath ~/.ssh/ansible-%r@%h:%p
ControlPersist 5m
Host {{ vars['hosts'] }}
ProxyCommand ssh -W %h:%p {{ real_user }}@{{ bastion_ip }}
StrictHostKeyChecking no
{% endif %}