Allow Bastion-style Multi-homing

Jumpboxen can now be multihomed, creating a bastion host that spans outside (default) and inside networks. This should work well for people who isolate their Genesis environments via NAT devices.
genesis-community · Aug 8, 2018 · dd60e08 · dd60e08
1 parent 916f3a8
commit dd60e08
Show file tree

Hide file tree

Showing 7 changed files with 37 additions and 9 deletions.
diff --git a/MANUAL.md b/MANUAL.md
@@ -76,6 +76,14 @@ params:
 
 # Available Features
 
+- `bastion` - Dual-home a jumpbox, turning it into a _bastion_
+  host that straddles two networks.
+
+  Activating this feature also activates the following parameters:
+
+  - `inside_network` - The name of the network to add a secondary,
+    inside network interface.  This paremeter is **required**.
+
 - `openvpn` - Provides an OpenVPN server, giving users access to
   the internal infrastructure without requiring an SSH session.
   Instead, users will be issued an X.509 identity certificate which

diff --git a/ci/release_notes.md b/ci/release_notes.md
@@ -0,0 +1,4 @@
+# Bug Fixes
+
+* Properly handles jumpboxes with more than one IP, defaulting to the internal
+  IP for ssh and who addon.
diff --git a/hooks/addon b/hooks/addon
@@ -1,8 +1,8 @@
 #!/bin/bash
 set -eu
 vault="secret/$GENESIS_VAULT_PREFIX"
-
-ip=$(bosh vms --json | jq -r '.Tables[0].Rows[0].ips')
+declare -a ips
+ips=( $(bosh vms --json | jq -r '.Tables[0].Rows[0].ips') )
 
 list() {
   echo "The following addons are defined:"
@@ -162,11 +162,11 @@ inventory)
   ;;
 
 ssh)
-  exec ssh $ip "$@"
+  exec ssh ${ips[0]} "$@"
   ;;
 
 who)
-  exec ssh $ip -- who
+  exec ssh ${ips[0]} -- who
   ;;
 
 *)

diff --git a/hooks/blueprint b/hooks/blueprint
@@ -3,7 +3,7 @@ set -eu
 
 declare -a merge
 
-validate_features openvpn \
+validate_features openvpn bastion \
                   proxy azure shield # defunct
 
 merge=( manifests/jumpbox.yml )
@@ -14,6 +14,10 @@ for want in ${GENESIS_REQUESTED_FEATURES[@]}; do
     merge+=( manifests/addons/$want.yml )
     ;;
 
+  bastion)
+    merge+=( manifests/bastion.yml )
+    ;;
+
   shield)
     echo >&2 "The Jumpbox Genesis Kit no longer supplies a 'shield' feature flag."
     echo >&2 "If you wish to back up this jumpbox, please switch to using BOSH"

diff --git a/hooks/info b/hooks/info
@@ -1,5 +1,6 @@
 #!/bin/bash
 set -eu
-ip=$(bosh vms --json | jq -r '.Tables[0].Rows[0].ips')
+declare -a ips
+ips=( $(bosh vms --json | jq -r '.Tables[0].Rows[0].ips') )
 
-describe "jumpbox ip: #C{$ip}"
+describe "jumpbox ip(s): #C{${ips[*]}}"
diff --git a/hooks/post-deploy b/hooks/post-deploy
@@ -2,7 +2,8 @@
 set -eu
 
 if [[ $GENESIS_DEPLOY_RC == 0 ]]; then
-  ip=$(bosh vms --json | jq -r '.Tables[0].Rows[0].ips')
+  declare -a ips
+  ips=( $(bosh vms --json | jq -r '.Tables[0].Rows[0].ips') )
 
       echo; echo;
   describe "#M{$GENESIS_ENVIRONMENT} Jumpbox deployed!"
@@ -17,6 +18,6 @@ if [[ $GENESIS_DEPLOY_RC == 0 ]]; then
       echo
       echo "or:"
       echo
-  describe "  #W{ssh ${ip}}"
+  describe "  #W{ssh ${ips[0]}}"
       echo
 fi
diff --git a/manifests/bastion.yml b/manifests/bastion.yml
@@ -0,0 +1,10 @@
+---
+params:
+  inside_network: (( param "Please specify the name of the Bastion Network from your cloud-config" ))
+
+instance_groups:
+  - name: jumpbox
+    networks:
+      - (( inline ))
+      - default: [dns, gateway]
+      - name: (( grab params.inside_network ))