From 84cf6fbe835db908dc340cf976edaf62c294d65b Mon Sep 17 00:00:00 2001
From: Aivars Sterns <Atoms@users.noreply.github.com>
Date: Fri, 27 Oct 2017 14:18:39 +0300
Subject: [PATCH] change ssh_args/bastion configuration (#1883)
---
ansible.cfg | 4 ++--
contrib/terraform/aws/README.md | 5 +++--
roles/bastion-ssh-config/templates/ssh-bastion.conf | 4 +---
roles/kubespray-defaults/defaults/main.yaml | 5 +++++
4 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/ansible.cfg b/ansible.cfg
index 181262cc6..81c6d7c16 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,7 +1,6 @@
[ssh_connection]
pipelining=True
-ansible_ssh_common_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100
-#ansible_ssh_common_args = -F {{ inventory_dir|quote }}/ssh-bastion.conf -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100
+ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
#control_path = ~/.ssh/ansible-%%r@%%h:%%p
[defaults]
host_key_checking=False
@@ -12,3 +11,4 @@ stdout_callback = skippy
library = ./library
callback_whitelist = profile_tasks
roles_path = roles:$VIRTUAL_ENV/usr/local/share/kubespray/roles:$VIRTUAL_ENV/usr/local/share/ansible/roles
+deprecation_warnings=False
diff --git a/contrib/terraform/aws/README.md b/contrib/terraform/aws/README.md
index d0d63f7e3..5d47dd43f 100644
--- a/contrib/terraform/aws/README.md
+++ b/contrib/terraform/aws/README.md
@@ -36,9 +36,10 @@ terraform apply -var-file=credentials.tfvars -var 'loadbalancer_apiserver_addres
- Terraform automatically creates an Ansible Inventory file called `hosts` with the created infrastructure in the directory `inventory`
-- Ansible will automatically generate an ssh config file for your bastion hosts. To make use of it, make sure you have a line in your `ansible.cfg` file that looks like the following:
+- Ansible will automatically generate an ssh config file for your bastion hosts. To connect to hosts with ssh using bastion host use generated ssh-bastion.conf.
+ Ansible automatically detects bastion and changes ssh_args
```commandline
-ssh_args = -F ./ssh-bastion.conf -o ControlMaster=auto -o ControlPersist=30m
+ssh -F ./ssh-bastion.conf user@$ip
```
- Once the infrastructure is created, you can run the kubespray playbooks and supply inventory/hosts with the `-i` flag.
diff --git a/roles/bastion-ssh-config/templates/ssh-bastion.conf b/roles/bastion-ssh-config/templates/ssh-bastion.conf
index d2a914e59..3f2a69ef1 100644
--- a/roles/bastion-ssh-config/templates/ssh-bastion.conf
+++ b/roles/bastion-ssh-config/templates/ssh-bastion.conf
@@ -16,7 +16,5 @@ Host {{ bastion_ip }}
ControlPersist 5m
Host {{ vars['hosts'] }}
- ProxyCommand ssh -W %h:%p {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}
-
- StrictHostKeyChecking no
+ ProxyCommand ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}
{% endif %}
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index ed011beaf..7fbcb8485 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -2,6 +2,11 @@
## Required for bootstrap-os/preinstall/download roles and setting facts
# Valid bootstrap options (required): ubuntu, coreos, centos, none
bootstrap_os: none
+
+# Use proxycommand if bastion host is in group all
+# This change obseletes editing ansible.cfg file depending on bastion existance
+ansible_ssh_common_args: "{% if 'bastion' in groups['all'] %} -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -W %h:%p {{ ansible_user }}@{{hostvars['bastion']['ansible_host']}} ' {% endif %}"
+
kube_api_anonymous_auth: false
# Default value, but will be set to true automatically if detected
--
GitLab