From ee573ed972d45c9dc5464f9075bd2130da9a09a2 Mon Sep 17 00:00:00 2001 From: Kaleb Elwert Date: Fri, 26 Mar 2021 00:48:43 -0700 Subject: [PATCH] Allow connecting to bastion via non-standard SSH port (#7396) * Allow connecting to bastion via non-standard port * Fix bastion connection when ansible_port is not provided (cherry picked from commit 6fa3565dacb2f48d3f98b062ae631069ed18848b) --- roles/bastion-ssh-config/tasks/main.yml | 3 ++- roles/bastion-ssh-config/templates/ssh-bastion.conf | 2 +- roles/kubespray-defaults/defaults/main.yaml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/bastion-ssh-config/tasks/main.yml b/roles/bastion-ssh-config/tasks/main.yml index cf558087cd6..c6158dbce7c 100644 --- a/roles/bastion-ssh-config/tasks/main.yml +++ b/roles/bastion-ssh-config/tasks/main.yml @@ -1,7 +1,8 @@ --- -- name: set bastion host IP +- name: set bastion host IP and port set_fact: bastion_ip: "{{ hostvars[groups['bastion'][0]]['ansible_host'] | d(hostvars[groups['bastion'][0]]['ansible_ssh_host']) }}" + bastion_port: "{{ hostvars[groups['bastion'][0]]['ansible_port'] | d(hostvars[groups['bastion'][0]]['ansible_ssh_port']) | d(22) }}" delegate_to: localhost connection: local diff --git a/roles/bastion-ssh-config/templates/ssh-bastion.conf b/roles/bastion-ssh-config/templates/ssh-bastion.conf index b460d6ba372..bd5f49c45ef 100644 --- a/roles/bastion-ssh-config/templates/ssh-bastion.conf +++ b/roles/bastion-ssh-config/templates/ssh-bastion.conf @@ -15,4 +15,4 @@ Host {{ bastion_ip }} ControlPersist 5m Host {{ vars['hosts'] }} - ProxyCommand ssh -F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %} + ProxyCommand ssh -F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -p {{ bastion_port }} {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %} diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 1812c27f68f..b860bd80ce9 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml @@ -1,7 +1,7 @@ --- # Use proxycommand if bastion host is in group all # This change obseletes editing ansible.cfg file depending on bastion existence -ansible_ssh_common_args: "{% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p {{ hostvars['bastion']['ansible_user'] }}@{{ hostvars['bastion']['ansible_host'] }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %} ' {% endif %}" +ansible_ssh_common_args: "{% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p -p {{ hostvars['bastion']['ansible_port'] | default(22) }} {{ hostvars['bastion']['ansible_user'] }}@{{ hostvars['bastion']['ansible_host'] }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %} ' {% endif %}" # selinux state preinstall_selinux_state: permissive