Merge pull request #179 from a13x5/bastion-cfg

Add bastion configuration for AWS templates

docs/aws/cluster-parameters.md

@@ -15,3 +15,38 @@ clusterawsadm ami list
 ```
 
 For details, see [Pre-built Kubernetes AMIs](https://cluster-api-aws.sigs.k8s.io/topics/images/built-amis.html).
+
+## SSH access to cluster nodes
+
+To access the nodes using the SSH protocol, several things should be configured:
+
+- An SSH key added in the region where you want to deploy the cluster
+- Bastion host is enabled
+
+### SSH keys
+
+Only one SSH key is supported and it should be added in AWS prior to creating
+the `Deployment` object. The name of the key should then be placed under `.spec.config.sshKeyName`.
+
+The same SSH key will be used for all machines and a bastion host.
+
+To enable bastion you should add `.spec.config.bastion.enabled` option in the
+`Deployment` object to `true`.
+
+Full list of the bastion configuration options could be fould in [CAPA docs](https://cluster-api-aws.sigs.k8s.io/crd/#infrastructure.cluster.x-k8s.io/v1beta1.Bastion).
+
+The resulting `Deployment` can look like this:
+
+```yaml
+apiVersion: hmc.mirantis.com/v1alpha1
+kind: Deployment
+metadata:
+  name: cluster-1
+spec:
+  template: aws-standalone-cp
+  config:
+    sshKeyName: foobar
+    bastion:
+      enabled: true
+...
+```

templates/aws-hosted-cp/templates/awscluster.yaml

@@ -15,4 +15,11 @@ spec:
     {{- with .Values.subnets }}
     subnets:
       {{- toYaml . | nindent 6 }}
-    {{- end }}
+    {{- end }}
+  {{- if not (quote .Values.sshKeyName | empty) }}
+  sshKeyName: {{ .Values.sshKeyName | quote }}
+  {{- end }}
+  {{- with .Values.bastion }}
+  bastion:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}

templates/aws-hosted-cp/templates/awsmachinetemplate.yaml

@@ -18,9 +18,6 @@ spec:
       additionalSecurityGroups:
         - id: {{ $id }}
       {{- end }}
-      {{- if not (quote .Values.sshKeyName | empty) }}
-      sshKeyName: {{ .Values.sshKeyName | quote }}
-      {{- end }}
       publicIP: {{ .Values.publicIP }}
       rootVolume:
         size: {{ .Values.rootVolumeSize }}

templates/aws-hosted-cp/values.schema.json

@@ -83,6 +83,30 @@
       "minItems": 1,
       "uniqueItems": true
     },
+    "bastion": {
+      "type": "object",
+      "description": "The configuration of the bastion host",
+      "required": [],
+      "properties": {
+          "enabled": {
+              "type": "boolean"
+          },
+          "disableIngressRules": {
+              "type": "boolean"
+          },
+          "allowedCIDRBlocks": {
+              "type": "array",
+              "items": {},
+              "uniqueItems": true
+          },
+          "instanceType": {
+              "type": "string"
+          },
+          "ami": {
+              "type": "string"
+          }
+      }
+    },
     "amiID": {
       "description": "The ID of Amazon Machine Image",
       "type": "string"

templates/aws-hosted-cp/values.yaml

@@ -17,7 +17,12 @@ publicIP: false
 subnets:
   - id: ""
     availabilityZone: ""
-
+bastion:
+  enabled: false
+  disableIngressRules: false
+  allowedCIDRBlocks: []
+  instanceType: t2.micro
+  ami: ""
 # AWS machines parameters
 amiID: ""
 iamInstanceProfile: control-plane.cluster-api-provider-aws.sigs.k8s.io

templates/aws-standalone-cp/templates/awscluster.yaml

@@ -15,3 +15,10 @@ spec:
         protocol: tcp
         fromPort: 9443
         toPort: 9443
+  {{- if not (quote .Values.sshKeyName | empty) }}
+  sshKeyName: {{ .Values.sshKeyName | quote }}
+  {{- end }}
+  {{- with .Values.bastion }}
+  bastion:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}

templates/aws-standalone-cp/templates/awsmachinetemplate-controlplane.yaml

@@ -14,9 +14,6 @@ spec:
         # Makes CAPA use k0s bootstrap cloud-init directly and not via SSM
         # Simplifies the VPC setup as we do not need custom SSM endpoints etc.
         insecureSkipSecretsManager: true
-      {{- if not (quote .Values.sshKeyName | empty) }}
-      sshKeyName: {{ .Values.sshKeyName | quote }}
-      {{- end }}
       publicIP: {{ .Values.publicIP }}
       rootVolume:
         size: {{ .Values.controlPlane.rootVolumeSize }}

templates/aws-standalone-cp/templates/awsmachinetemplate-worker.yaml

@@ -14,9 +14,6 @@ spec:
         # Makes CAPA use k0s bootstrap cloud-init directly and not via SSM
         # Simplifies the VPC setup as we do not need custom SSM endpoints etc.
         insecureSkipSecretsManager: true
-      {{- if not (quote .Values.sshKeyName | empty) }}
-      sshKeyName: {{ .Values.sshKeyName | quote }}
-      {{- end }}
       publicIP: {{ .Values.publicIP }}
       rootVolume:
         size: {{ .Values.worker.rootVolumeSize }}

templates/aws-standalone-cp/values.schema.json

@@ -61,6 +61,30 @@
       "description": "Specifies whether the instance should get a public IP",
       "type": "boolean"
     },
+    "bastion": {
+      "type": "object",
+      "description": "The configuration of the bastion host",
+      "required": [],
+      "properties": {
+          "enabled": {
+              "type": "boolean"
+          },
+          "disableIngressRules": {
+              "type": "boolean"
+          },
+          "allowedCIDRBlocks": {
+              "type": "array",
+              "items": {},
+              "uniqueItems": true
+          },
+          "instanceType": {
+              "type": "string"
+          },
+          "ami": {
+              "type": "string"
+          }
+      }
+    },
     "controlPlane": {
       "description": "The configuration of the control plane machines",
       "type": "object",

templates/aws-standalone-cp/values.yaml

@@ -14,7 +14,12 @@ clusterNetwork:
 region: ""
 sshKeyName: ""
 publicIP: false
-
+bastion:
+  enabled: false
+  disableIngressRules: false
+  allowedCIDRBlocks: []
+  instanceType: t2.micro
+  ami: ""
 # AWS machines parameters
 controlPlane:
   amiID: ""