arch_bastion - sk4zuzu/one-deploy GitHub Wiki

Deploying via a Bastion Host

In some cases, direct access from the Ansible controller to the targets in your inventory is difficult or impossible. For these scenarios one-deploy provides the bastion role, which builds a custom SSH configuration from your inventory and then provisions your hosts through an SSH jump host.

Preparing the Inventory

To enable the bastion role, add the following parameters to your inventory file:

all:
  vars:
    env_name: n1
    ansible_ssh_common_args: -F inventory/.one-deploy/bastion.d/n1
    ansible_user: ubuntu
    one_vip: 10.2.50.86

The variable env_name distinguishes between different OpenNebula clusters managed from the same inventory directory; the generated config file is named after it. The argument -F inventory/.one-deploy/bastion.d/n1 points at the SSH config that the bastion role generates, and all later plays use that file for every SSH connection made during provisioning.

bastion:
  hosts:
    n1: { ansible_host: 10.2.50.123 }

frontend:
  hosts:
    n1a1: { ansible_host: n1a1 }
    n1a2: { ansible_host: n1a2 }
    n1a3: { ansible_host: n1a3 }

node:
  hosts:
    n1b1: { ansible_host: n1b1 }
    n1b2: { ansible_host: n1b2 }

grafana:
  hosts:
    n1a1: { ansible_host: n1a1 }

The bastion group must contain exactly one host that is reachable directly from your Ansible controller. It can be one of the Front-ends or a machine entirely outside the cluster. Note that only the bastion's ansible_host has to be reachable (and resolvable) from the controller: the other hosts are reached through ProxyJump, so names like n1a1 only need to resolve on the bastion itself.

SSH Configs

You can manage multiple clusters from a single inventory directory; the role keeps one generated SSH config per env_name:

one-deploy$ find inventory/.one-deploy/ -type f
inventory/.one-deploy/bastion.d/n2
inventory/.one-deploy/bastion.d/n1
inventory/.one-deploy/bastion

Looking at inventory/.one-deploy/bastion.d/n1, the generated SSH config is simple and straightforward. Note what it does besides routing through n1: every block, the bastion's included, sets StrictHostKeyChecking no and UserKnownHostsFile /dev/null, so host keys are never verified or remembered, and ForwardAgent yes, so your ssh-agent is exposed to root on whichever host you log in to. That is convenient for fresh installs, but it also means that anyone who can impersonate the bastion's address, or a cluster hostname as seen from the bastion, can intercept the session and use the forwarded agent. Weigh this against how much you trust the network between the controller and the cluster.


Host n1
  Hostname 10.2.50.123
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes


# one_vip
Host 10.2.50.86
  Hostname 10.2.50.86
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes
  ProxyJump n1


Host n1a1
  Hostname n1a1
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes
  ProxyJump n1

Host n1a2
  Hostname n1a2
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes
  ProxyJump n1

Host n1a3
  Hostname n1a3
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes
  ProxyJump n1

Host n1b1
  Hostname n1b1
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes
  ProxyJump n1

Host n1b2
  Hostname n1b2
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes
  ProxyJump n1
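
Before handing a generated config to Ansible it is worth checking that every non-bastion Host block really is routed through the jump host, and counting how many blocks have host key verification switched off. The following POSIX shell script is an added example and not part of one-deploy; it parses the generated file with awk, assumes the canonical keyword spelling the role emits (Host, ProxyJump, StrictHostKeyChecking) and a bare alias in ProxyJump, and the config it feeds itself in the demo is constructed here, with n1b2 deliberately missing its ProxyJump line.

```shell
#!/bin/sh
# Added example (not one-deploy code): sanity-check a generated bastion SSH
# config before running the playbooks.

# check_bastion_config CONFIG BASTION_ALIAS
#   Prints one line for every Host block that is not routed through
#   BASTION_ALIAS via ProxyJump (the bastion's own block is exempt).
#   Returns 1 if any such block exists, 0 otherwise.
check_bastion_config() {
  awk -v bastion="$2" '
    function flush() {
      if (host != "" && host != bastion && jump != bastion) {
        printf "unrouted: %s (ProxyJump=%s)\n", host, (jump == "" ? "none" : jump)
        bad++
      }
    }
    $1 == "Host"      { flush(); host = $2; jump = ""; next }
    $1 == "ProxyJump" { jump = $2 }
    END               { flush(); exit (bad > 0) }
  ' "$1"
}

# count_unverified_hosts CONFIG
#   Prints the number of Host blocks that set StrictHostKeyChecking no,
#   i.e. hops for which the server identity is never verified.
count_unverified_hosts() {
  awk '$1 == "StrictHostKeyChecking" && tolower($2) == "no" { n++ }
       END { print n + 0 }' "$1"
}

# Constructed config for the stand-alone demo: the layout the role produces,
# with n1b2 deliberately missing its ProxyJump line.
demo=$(mktemp)
cat >"$demo" <<'EOF'
Host n1
  Hostname 10.2.50.123
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes

Host n1a1
  Hostname n1a1
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes
  ProxyJump n1

Host n1b2
  Hostname n1b2
  User ubuntu
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ForwardAgent yes
EOF

if check_bastion_config "$demo" n1; then
  echo "every host is routed through n1"
else
  echo "fix the inventory or regenerate the config before running the playbooks"
fi
echo "hosts with host-key verification disabled: $(count_unverified_hosts "$demo")"
rm -f "$demo"
```

The script only reads the file as text. To see how OpenSSH itself will resolve a host, including the effective proxyjump and stricthostkeychecking values, run ssh -G -F inventory/.one-deploy/bastion.d/n1 n1a1 on the controller; it prints the merged configuration without connecting.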

SSH Keys

For this to work, you must be able to SSH from the controller to the bastion host and, through it, to every host listed in the inventory. The easiest way to achieve this is to keep your private key in ssh-agent on the controller: ProxyJump authenticates each hop from the controller, so the key itself never has to leave it. You can also store private keys on the bastion host (if you must), but then anyone with root on the bastion holds the keys for the whole cluster. Remember that the generated config also sets ForwardAgent yes, so while a play is connected, root on the host you logged in to can use your agent to authenticate as you anywhere that key is accepted.
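
A quick controller-side preflight saves a long playbook run that dies on the first unreachable host. The following POSIX shell script is an added example and not part of one-deploy: it checks that an agent with at least one identity is available, then attempts a non-interactive login (BatchMode=yes makes ssh fail instead of prompting for a password or passphrase) to the bastion and to each host through the generated config. The SSH variable, which lets you point it at a wrapper or a stub, is an assumption of this example and not a one-deploy setting.

```shell
#!/bin/sh
# Added example (not one-deploy code): preflight the SSH path before Ansible.

# The ssh client to use; override with SSH=... for dry runs (assumption of
# this example, not a one-deploy option).
SSH="${SSH:-ssh}"

# agent_has_keys: succeed only if an ssh-agent is reachable and holds at least
# one identity. ssh-add -l exits 1 for an empty agent and 2 when no agent is
# reachable, so both cases fall into the failure branch.
agent_has_keys() {
  ssh-add -l >/dev/null 2>&1
}

# preflight CONFIG HOST...
#   Tries a non-interactive login to each HOST (list the bastion alias first,
#   so a failure there is visible before the hosts behind it) using the
#   generated config. Prints one line per host and returns the number of
#   hosts that could not be reached.
preflight() {
  cfg=$1; shift
  failed=0
  for h in "$@"; do
    if "$SSH" -F "$cfg" -o BatchMode=yes -o ConnectTimeout=5 "$h" true 2>/dev/null; then
      echo "ok          $h"
    else
      echo "UNREACHABLE $h"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Stand-alone usage: the env_name, config path and host aliases below mirror
# the page's inventory; the check runs for real only when the cluster exists.
if agent_has_keys; then
  echo "ssh-agent is loaded"
else
  echo "no identity in ssh-agent: eval \"\$(ssh-agent -s)\" && ssh-add ~/.ssh/<your-key>"
fi
if preflight inventory/.one-deploy/bastion.d/n1 n1 n1a1 n1a2 n1a3 n1b1 n1b2; then
  echo "all hosts reachable, safe to run the playbooks"
else
  echo "some hosts are unreachable through the bastion"
fi
```

Because each hop is opened from the controller, this preflight also works with agent forwarding disabled; it only tells you that ProxyJump and your key work, not that the plays themselves can do without ForwardAgent.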