Kubespray with bastion and custom SSH port + agent forwarding

Is it possible to use Kubespray with Bastion but on custom port and with agent forwarding? If it is not supported, what changes does one need to do?

There are 2 best solutions below

0
On BEST ANSWER

Always, since you can configure that at three separate levels: via the host user's ~/.ssh/config, via the entire playbook with group_vars, or as inline config (that is, on the command line or in the inventory file).

The ssh config is hopefully straightforward:

# or whatever pattern matches the target instances
Host 1.2.* *.example.com
  ProxyJump someuser@some-bastion:1234
  # and then the Agent should happen automatically, unless you mean
  # ForwardAgent yes

I'll speak to the inline config next, since it's a little simpler:

ansible-playbook -i whatever \
    -e '{"ansible_ssh_common_args": "-o ProxyJump=\"someuser@jump-host:1234\""}' \
    cluster.yaml

or via the inventory in the same way:

master-host-0 ansible_host=1.2.3.4 ansible_ssh_common_args="-o ProxyJump='someuser@jump-host:1234'"

or via group_vars, which you can either add to an existing group_vars/all.yml or, if it doesn't exist, create that group_vars directory containing the all.yml file as a child of the directory containing your inventory file.

If you have more complex ssh config than you wish to encode in the inventory/command-line/group_vars, you can also instruct the ansible-invoked ssh to use a dedicated config file via the ansible_ssh_extra_args variable:

ansible-playbook -e '{"ansible_ssh_extra_args": "-F /path/to/special/ssh_config"}' ...
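
For the dedicated config file approach above, one way to confirm what ssh will actually do before handing the file to Ansible (an added example, not part of the original answer): it writes the config and uses `ssh -G` to print the resolved options per host. The function names and the `unrelated.test` host are hypothetical; the bastion spec and host patterns are the ones used in the answer.

```shell
#!/bin/sh
# Added example. The bastion spec and host patterns come from the answer;
# the function names and the unrelated.test host are hypothetical.

# Write a dedicated ssh_config: jump through the bastion on its custom
# port, and forward the agent only to hosts matching the patterns.
write_bastion_config() {
    cfg=$1 bastion=$2 patterns=$3
    (
        umask 077   # ssh rejects user config files writable by group/others
        cat > "$cfg" <<EOF
# Cluster nodes reached through the bastion
Host $patterns
  ProxyJump $bastion
  ForwardAgent yes

# Everything else: the first value found wins, so this is only a fallback
Host *
  ForwardAgent no
EOF
    )
}

# Print the value ssh would use for OPTION when connecting to HOST with
# this config. "ssh -G" only evaluates the config; it does not connect.
resolved_option() {
    cfg=$1 host=$2 option=$3
    ssh -F "$cfg" -G "$host" |
        awk -v k="$option" '$1 == k { $1 = ""; sub(/^ /, ""); print }'
}

# Demo: show the resolved jump host and agent forwarding for three hosts.
if command -v ssh >/dev/null 2>&1; then
    cfg=$(mktemp)
    write_bastion_config "$cfg" 'someuser@some-bastion:1234' '1.2.* *.example.com'
    for h in 1.2.3.4 node1.example.com unrelated.test; do
        echo "$h proxyjump=$(resolved_option "$cfg" "$h" proxyjump)" \
             "forwardagent=$(resolved_option "$cfg" "$h" forwardagent)"
    done
    rm -f "$cfg"
fi
```

Hosts outside the patterns should show an empty `proxyjump` and `forwardagent=no`; if they do not, the agent is being exposed more widely than the config intends.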

0
On

In my case where I needed to access the hosts on particular ports, I just had to modify the host's ~/.ssh/config to be:

Host 10.40.45.102
  ForwardAgent yes
  User root
  ProxyCommand ssh -W %h:%p -p 44057 [email protected]

Host 10.40.45.104
  ForwardAgent yes
  User root
  ProxyCommand ssh -W %h:%p -p 44058 [email protected]

Where 10.40.* were the internal IPs.