diff --git a/docs/aws/cluster-parameters.md b/docs/aws/cluster-parameters.md
index 38108b856..74024256e 100644
--- a/docs/aws/cluster-parameters.md
+++ b/docs/aws/cluster-parameters.md
@@ -15,3 +15,38 @@ clusterawsadm ami list
 ```
 
 For details, see [Pre-built Kubernetes AMIs](https://cluster-api-aws.sigs.k8s.io/topics/images/built-amis.html).
+
+## SSH access to cluster nodes
+
+To access the nodes using the SSH protocol, several things should be configured:
+
+- An SSH key added in the region where you want to deploy the cluster
+- Bastion host is enabled
+
+### SSH keys
+
+Only one SSH key is supported and it should be added in AWS prior to creating
+the `Deployment` object. The name of the key should then be placed under `.spec.config.sshKeyName`.
+
+The same SSH key will be used for all machines and a bastion host.
+
+To enable bastion you should add `.spec.config.bastion.enabled` option in the
+`Deployment` object to `true`.
+
+Full list of the bastion configuration options could be fould in [CAPA docs](https://cluster-api-aws.sigs.k8s.io/crd/#infrastructure.cluster.x-k8s.io/v1beta1.Bastion).
+
+The resulting `Deployment` can look like this:
+
+```yaml
+apiVersion: hmc.mirantis.com/v1alpha1
+kind: Deployment
+metadata:
+ name: cluster-1
+spec:
+ template: aws-standalone-cp
+ config:
+ sshKeyName: foobar
+ bastion:
+ enabled: true
+...
+```
diff --git a/templates/aws-hosted-cp/templates/awscluster.yaml b/templates/aws-hosted-cp/templates/awscluster.yaml
index d9063699e..c6dc896fc 100644
--- a/templates/aws-hosted-cp/templates/awscluster.yaml
+++ b/templates/aws-hosted-cp/templates/awscluster.yaml
@@ -15,4 +15,11 @@ spec:
 {{- with .Values.subnets }}
 subnets:
 {{- toYaml . | nindent 6 }}
- {{- end }}
\ No newline at end of file
+ {{- end }}
+ {{- if not (quote .Values.sshKeyName | empty) }}
+ sshKeyName: {{ .Values.sshKeyName | quote }}
+ {{- end }}
+ {{- with .Values.bastion }}
+ bastion:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
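Review bot: The guard `{{- if not (quote .Values.sshKeyName | empty) }}` added to the AWSCluster spec does not skip an empty key name: `quote ""` yields the two-character string `""`, which is never `empty`, so with the chart default `sshKeyName: ""` the rendered object always carries `sshKeyName: ""` and only a nil value is omitted. If that is deliberate — an explicit empty string tells CAPA to attach no key pair, whereas an omitted field falls back to CAPA's default key-pair name, if I recall its behaviour correctly — the intent should be recorded with a comment such as `# render "" explicitly: an omitted sshKeyName makes CAPA fall back to its default key pair`. If the intent was to leave the field out when unset, `{{- with .Values.sshKeyName }}` is the plain form. The same construct is added in the aws-standalone-cp awscluster.yaml hunk; the indentation of these lines is lost in this copy, so the nesting of `bastion:` relative to `nindent 4` could not be checked here.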
diff --git a/templates/aws-hosted-cp/templates/awsmachinetemplate.yaml b/templates/aws-hosted-cp/templates/awsmachinetemplate.yaml
index b54567db8..c805360c9 100644
--- a/templates/aws-hosted-cp/templates/awsmachinetemplate.yaml
+++ b/templates/aws-hosted-cp/templates/awsmachinetemplate.yaml
@@ -18,9 +18,6 @@ spec:
 additionalSecurityGroups:
 - id: {{ $id }}
 {{- end }}
- {{- if not (quote .Values.sshKeyName | empty) }}
- sshKeyName: {{ .Values.sshKeyName | quote }}
- {{- end }}
 publicIP: {{ .Values.publicIP }}
 rootVolume:
 size: {{ .Values.rootVolumeSize }}
diff --git a/templates/aws-hosted-cp/values.schema.json b/templates/aws-hosted-cp/values.schema.json
index a502eecbd..e3d1a8e86 100644
--- a/templates/aws-hosted-cp/values.schema.json
+++ b/templates/aws-hosted-cp/values.schema.json
@@ -83,6 +83,30 @@
 "minItems": 1,
 "uniqueItems": true
 },
+ "bastion": {
+ "type": "object",
+ "description": "The configuration of the bastion host",
+ "required": [],
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "disableIngressRules": {
+ "type": "boolean"
+ },
+ "allowedCIDRBlocks": {
+ "type": "array",
+ "items": {},
+ "uniqueItems": true
+ },
+ "instanceType": {
+ "type": "string"
+ },
+ "ami": {
+ "type": "string"
+ }
+ }
+ },
 "amiID": {
 "description": "The ID of Amazon Machine Image",
 "type": "string"
diff --git a/templates/aws-hosted-cp/values.yaml b/templates/aws-hosted-cp/values.yaml
index c8aa9bf7e..6ac15bf0f 100644
--- a/templates/aws-hosted-cp/values.yaml
+++ b/templates/aws-hosted-cp/values.yaml
@@ -17,7 +17,12 @@ publicIP: false
 subnets:
 - id: ""
 availabilityZone: ""
-
+bastion:
+ enabled: false
+ disableIngressRules: false
+ allowedCIDRBlocks: []
+ instanceType: t2.micro
+ ami: ""
 # AWS machines parameters
 amiID: ""
 iamInstanceProfile: control-plane.cluster-api-provider-aws.sigs.k8s.io
diff --git a/templates/aws-standalone-cp/templates/awscluster.yaml b/templates/aws-standalone-cp/templates/awscluster.yaml
index 3c2dae2c3..f797a8c20 100644
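Review bot: `allowedCIDRBlocks` is declared with `"items": {}`, so an entry of any type passes schema validation even though the value is rendered straight into the AWSCluster where CAPA expects CIDR strings; `"items": { "type": "string" }` would reject a mistyped entry at `helm` validation time instead of at apply time. `"required": []` expresses no constraint and can be dropped. The identical fragment is added to aws-standalone-cp/values.schema.json and has the same two points.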
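Review bot: The new `bastion` defaults combine `enabled: false` with `allowedCIDRBlocks: []` and `disableIngressRules: false`, and as far as I recall from the CAPA Bastion documentation the docs hunk links to, an empty CIDR list is treated as 0.0.0.0/0, so a user who flips only `enabled: true` gets a bastion whose SSH port is reachable from any address; neither this file nor the new docs section says so. A comment on the default would make that visible, e.g. `allowedCIDRBlocks: []  # empty means CAPA permits SSH from 0.0.0.0/0; restrict to your admin ranges`. The blank line that separated the previous stanza from `# AWS machines parameters` is removed, so the new block runs straight into the next section; keeping an empty line after `ami: ""` preserves the file's stanza spacing. The same defaults and the same removed separator appear in the aws-standalone-cp/values.yaml hunk.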
--- a/templates/aws-standalone-cp/templates/awscluster.yaml
+++ b/templates/aws-standalone-cp/templates/awscluster.yaml
@@ -15,3 +15,10 @@ spec:
 protocol: tcp
 fromPort: 9443
 toPort: 9443
+ {{- if not (quote .Values.sshKeyName | empty) }}
+ sshKeyName: {{ .Values.sshKeyName | quote }}
+ {{- end }}
+ {{- with .Values.bastion }}
+ bastion:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
diff --git a/templates/aws-standalone-cp/templates/awsmachinetemplate-controlplane.yaml b/templates/aws-standalone-cp/templates/awsmachinetemplate-controlplane.yaml
index 69246a0fa..f7324368d 100644
--- a/templates/aws-standalone-cp/templates/awsmachinetemplate-controlplane.yaml
+++ b/templates/aws-standalone-cp/templates/awsmachinetemplate-controlplane.yaml
@@ -14,9 +14,6 @@ spec:
 # Makes CAPA use k0s bootstrap cloud-init directly and not via SSM
 # Simplifies the VPC setup as we do not need custom SSM endpoints etc.
 insecureSkipSecretsManager: true
- {{- if not (quote .Values.sshKeyName | empty) }}
- sshKeyName: {{ .Values.sshKeyName | quote }}
- {{- end }}
 publicIP: {{ .Values.publicIP }}
 rootVolume:
 size: {{ .Values.controlPlane.rootVolumeSize }}
diff --git a/templates/aws-standalone-cp/templates/awsmachinetemplate-worker.yaml b/templates/aws-standalone-cp/templates/awsmachinetemplate-worker.yaml
index b22fc18ca..f04e42e72 100644
--- a/templates/aws-standalone-cp/templates/awsmachinetemplate-worker.yaml
+++ b/templates/aws-standalone-cp/templates/awsmachinetemplate-worker.yaml
@@ -14,9 +14,6 @@ spec:
 # Makes CAPA use k0s bootstrap cloud-init directly and not via SSM
 # Simplifies the VPC setup as we do not need custom SSM endpoints etc.
 insecureSkipSecretsManager: true
- {{- if not (quote .Values.sshKeyName | empty) }}
- sshKeyName: {{ .Values.sshKeyName | quote }}
- {{- end }}
 publicIP: {{ .Values.publicIP }}
 rootVolume:
 size: {{ .Values.worker.rootVolumeSize }}
diff --git a/templates/aws-standalone-cp/values.schema.json b/templates/aws-standalone-cp/values.schema.json
index e62d6525e..fcc77751a 100644
--- a/templates/aws-standalone-cp/values.schema.json
+++ b/templates/aws-standalone-cp/values.schema.json
@@ -61,6 +61,30 @@
 "description": "Specifies whether the instance should get a public IP",
 "type": "boolean"
 },
+ "bastion": {
+ "type": "object",
+ "description": "The configuration of the bastion host",
+ "required": [],
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "disableIngressRules": {
+ "type": "boolean"
+ },
+ "allowedCIDRBlocks": {
+ "type": "array",
+ "items": {},
+ "uniqueItems": true
+ },
+ "instanceType": {
+ "type": "string"
+ },
+ "ami": {
+ "type": "string"
+ }
+ }
+ },
 "controlPlane": {
 "description": "The configuration of the control plane machines",
 "type": "object",
diff --git a/templates/aws-standalone-cp/values.yaml b/templates/aws-standalone-cp/values.yaml
index 653f544de..d4ae5a344 100644
--- a/templates/aws-standalone-cp/values.yaml
+++ b/templates/aws-standalone-cp/values.yaml
@@ -14,7 +14,12 @@ clusterNetwork:
 region: ""
 sshKeyName: ""
 publicIP: false
-
+bastion:
+ enabled: false
+ disableIngressRules: false
+ allowedCIDRBlocks: []
+ instanceType: t2.micro
+ ami: ""
 # AWS machines parameters
 controlPlane:
 amiID: ""