Merge pull request #704 from vwfs/bastion_hosts
Add support for bastion hosts
This commit is contained in:
commit
768fe05eea
7 changed files with 67 additions and 1 deletions
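--- a/.gitignore
+++ b/.gitignore
@@ -5,3 +5,4 @@ temp
 .idea
 *.tfstate
 *.tfstate.backup
+/ssh-bastion.conf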
|
@ -1,5 +1,7 @@
|
||||||
[ssh_connection]
|
[ssh_connection]
|
||||||
pipelining=True
|
pipelining=True
|
||||||
|
ssh_args = -F ./ssh-bastion.conf -o ControlMaster=auto -o ControlPersist=30m
|
||||||
|
control_path = ~/.ssh/ansible-%%r@%%h:%%p
|
||||||
[defaults]
|
[defaults]
|
||||||
host_key_checking=False
|
host_key_checking=False
|
||||||
gathering = smart
|
gathering = smart
|
||||||
|
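Review bot: `ssh_args = -F ./ssh-bastion.conf ...` makes every SSH connection depend on that file being present in the current working directory, and ssh exits with an error rather than ignoring a missing `-F` file, so any run that does not first execute the new localhost play (another playbook, a `--tags`/`--skip-tags` selection that drops the `bastion` tag, or a run started from a different directory than the `{{ playbook_dir }}` the role writes to) loses all connectivity. `-F` also replaces the user's `~/.ssh/config` and the system ssh_config, so per-host IdentityFile or ProxyCommand settings operators rely on today silently stop applying; this deserves a comment above the line, e.g. `# -F replaces ~/.ssh/config; ssh-bastion.conf is generated by the bastion-ssh-config role and must exist before any play connects`. Overriding Ansible's default ssh_args also drops the `-C` compression flag it normally includes, which may or may not be intended. The `ControlPersist=30m` given here takes precedence over the `ControlPersist 5m` in the generated template, so the template value is never effective; pick one place for it.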
|
|
@ -1,4 +1,10 @@
|
||||||
---
|
---
|
||||||
|
- hosts: localhost
|
||||||
|
gather_facts: False
|
||||||
|
roles:
|
||||||
|
- bastion-ssh-config
|
||||||
|
tags: [localhost, bastion]
|
||||||
|
|
||||||
- hosts: all
|
- hosts: all
|
||||||
any_errors_fatal: true
|
any_errors_fatal: true
|
||||||
gather_facts: false
|
gather_facts: false
|
||||||
|
@ -16,7 +22,7 @@
|
||||||
any_errors_fatal: true
|
any_errors_fatal: true
|
||||||
gather_facts: true
|
gather_facts: true
|
||||||
|
|
||||||
- hosts: all:!network-storage
|
- hosts: all:!network-storage:!bastion
|
||||||
any_errors_fatal: true
|
any_errors_fatal: true
|
||||||
roles:
|
roles:
|
||||||
- { role: kubernetes/preinstall, tags: preinstall }
|
- { role: kubernetes/preinstall, tags: preinstall }
|
||||||
|
|
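Review bot: Only the `all:!network-storage` play is changed to exclude `!bastion`; the `- hosts: all` play at the top of the file and the `gather_facts: true` one in the second hunk still include the bastion host, so fact gathering and whatever roles those plays carry (their role lists are outside the hunks) will run against the jump host as well, which is presumably unintended for a host that should stay minimal. Consider `- hosts: all:!bastion` there too if the bastion is not meant to be configured by this playbook. The new localhost play writes `gather_facts: False` while the rest of the file uses lowercase `false`; prefer `gather_facts: false` for consistency. Since the play is tagged `[localhost, bastion]`, a `--tags` run that selects neither leaves ssh-bastion.conf ungenerated while ansible.cfg still passes it with `-F`; a one-line comment above the play stating that it must run before any remote play would save users a confusing connection failure.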
|
@ -57,6 +57,7 @@ The following tags are defined in playbooks:
|
||||||
|--------------------------|---------
|
|--------------------------|---------
|
||||||
| apps | K8s apps definitions
|
| apps | K8s apps definitions
|
||||||
| azure | Cloud-provider Azure
|
| azure | Cloud-provider Azure
|
||||||
|
| bastion | Setup ssh config for bastion
|
||||||
| bootstrap-os | Anything related to host OS configuration
|
| bootstrap-os | Anything related to host OS configuration
|
||||||
| calico | Network plugin Calico
|
| calico | Network plugin Calico
|
||||||
| canal | Network plugin Canal
|
| canal | Network plugin Canal
|
||||||
|
@ -119,3 +120,17 @@ ansible-playbook -i inventory/inventory.ini cluster.yaml \
|
||||||
```
|
```
|
||||||
|
|
||||||
Note: use `--tags` and `--skip-tags` wise and only if you're 100% sure what you're doing.
|
Note: use `--tags` and `--skip-tags` wise and only if you're 100% sure what you're doing.
|
||||||
|
|
||||||
|
Bastion host
|
||||||
|
--------------
|
||||||
|
If you prefer to not make your nodes publicly accessible (nodes with private IPs only),
|
||||||
|
you can use a so called *bastion* host to connect to your nodes. To specify and use a bastion,
|
||||||
|
simply add a line to your inventory, where you have to replace x.x.x.x with the public IP of the
|
||||||
|
bastion host.
|
||||||
|
|
||||||
|
```
|
||||||
|
bastion ansible_ssh_host=x.x.x.x
|
||||||
|
```
|
||||||
|
|
||||||
|
For more information about Ansible and bastion hosts, read
|
||||||
|
[Running Ansible Through an SSH Bastion Host](http://blog.scottlowe.org/2015/12/24/running-ansible-through-ssh-bastion-host/)
|
|
@ -7,6 +7,9 @@
|
||||||
# node5 ansible_ssh_host=95.54.0.16 # ip=10.3.0.5
|
# node5 ansible_ssh_host=95.54.0.16 # ip=10.3.0.5
|
||||||
# node6 ansible_ssh_host=95.54.0.17 # ip=10.3.0.6
|
# node6 ansible_ssh_host=95.54.0.17 # ip=10.3.0.6
|
||||||
|
|
||||||
|
# ## configure a bastion host if your nodes are not publicly reachable
|
||||||
|
# bastion ansible_ssh_host=x.x.x.x
|
||||||
|
|
||||||
# [kube-master]
|
# [kube-master]
|
||||||
# node1
|
# node1
|
||||||
# node2
|
# node2
|
||||||
|
|
18
roles/bastion-ssh-config/tasks/main.yml
Normal file
18
roles/bastion-ssh-config/tasks/main.yml
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
- set_fact:
|
||||||
|
has_bastion: "{{ 'bastion' in groups['all'] }}"
|
||||||
|
|
||||||
|
- set_fact:
|
||||||
|
bastion_ip: "{{ hostvars['bastion']['ansible_ssh_host'] }}"
|
||||||
|
when: has_bastion
|
||||||
|
|
||||||
|
# As we are actually running on localhost, the ansible_ssh_user is your local user when you try to use it directly
|
||||||
|
# To figure out the real ssh user, we delegate this task to the bastion and store the ansible_ssh_user in real_user
|
||||||
|
- set_fact:
|
||||||
|
real_user: "{{ ansible_ssh_user }}"
|
||||||
|
delegate_to: bastion
|
||||||
|
when: has_bastion
|
||||||
|
|
||||||
|
- name: create ssh bastion conf
|
||||||
|
become: false
|
||||||
|
template: src=ssh-bastion.conf dest="{{ playbook_dir }}/ssh-bastion.conf"
|
21
roles/bastion-ssh-config/templates/ssh-bastion.conf
Normal file
21
roles/bastion-ssh-config/templates/ssh-bastion.conf
Normal file
|
@ -0,0 +1,21 @@
|
||||||
|
{% if has_bastion %}
|
||||||
|
{% set vars={'hosts': ''} %}
|
||||||
|
{% set user='' %}
|
||||||
|
|
||||||
|
{% for h in groups['all'] %}
|
||||||
|
{% if h != 'bastion' %}
|
||||||
|
{% if vars.update({'hosts': vars['hosts'] + ' ' + hostvars[h]['ansible_ssh_host']}) %}{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
Host {{ bastion_ip }}
|
||||||
|
Hostname {{ bastion_ip }}
|
||||||
|
StrictHostKeyChecking no
|
||||||
|
ControlMaster auto
|
||||||
|
ControlPath ~/.ssh/ansible-%r@%h:%p
|
||||||
|
ControlPersist 5m
|
||||||
|
|
||||||
|
Host {{ vars['hosts'] }}
|
||||||
|
ProxyCommand ssh -W %h:%p {{ real_user }}@{{ bastion_ip }}
|
||||||
|
StrictHostKeyChecking no
|
||||||
|
{% endif %}
|
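Review bot: `StrictHostKeyChecking no` is set both for the bastion entry and, via the catch-all `Host {{ vars['hosts'] }}` block, for every node, so host keys are never verified on either hop and a spoofed jump host would be accepted silently; since the bastion is the one host that is by design reachable from the public network, the verification matters most there. Make it a role variable with the current value as the default and explain the trade-off in a comment in the template, so operators who populate known_hosts can tighten it. The template also raises an undefined-variable error if any non-bastion host lacks `ansible_ssh_host`, which is not stated anywhere and is worth a comment next to the loop. The `vars.update(...)` loop can become one expression if the project's minimum Ansible provides the `extract` filter: `Host {{ groups['all'] | difference(['bastion']) | map('extract', hostvars, 'ansible_ssh_host') | join(' ') }}`.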