From dd60e0897adcdb5eaed50b8a2b1a27a6c238ac6b Mon Sep 17 00:00:00 2001
From: "Dennis J. Bell"
Date: Wed, 8 Aug 2018 12:02:18 -0700
Subject: [PATCH] Allow Bastion-style Multi-homing

Jumpboxen can now be multihomed, creating a bastion host that spans outside (default) and inside networks. This should work well for people who isolate their Genesis environments via NAT devices.
---
 MANUAL.md | 8 ++++++++
 ci/release_notes.md | 4 ++++
 hooks/addon | 8 ++++----
 hooks/blueprint | 6 +++++-
 hooks/info | 5 +++--
 hooks/post-deploy | 5 +++--
 manifests/bastion.yml | 10 ++++++++++
 7 files changed, 37 insertions(+), 9 deletions(-)
 create mode 100644 ci/release_notes.md
 create mode 100644 manifests/bastion.yml

diff --git a/MANUAL.md b/MANUAL.md
index 2f0ff3d..b048a6a 100644
--- a/MANUAL.md
+++ b/MANUAL.md
@@ -76,6 +76,14 @@ params:
 
 # Available Features
 
+- `bastion` - Dual-home a jumpbox, turning it into a _bastion_
+  host that straddles two networks.
+
+  Activating this feature also activates the following parameters:
+
+  - `inside_network` - The name of the network to add a secondary,
+    inside network interface. This paremeter is **required**.
+
 - `openvpn` - Provides an OpenVPN server, giving users access to the
   internal infrastructure without requiring an SSH session. Instead,
   users will be issued an X.509 identity certificate which
diff --git a/ci/release_notes.md b/ci/release_notes.md
new file mode 100644
index 0000000..3724ebc
--- /dev/null
+++ b/ci/release_notes.md
@@ -0,0 +1,4 @@
+# Bug Fixes
+
+* Properly handles jumpboxes with more than one IP, defaulting to the internal
+  IP for ssh and who addon.
diff --git a/hooks/addon b/hooks/addon
index 0e75fba..be65b9e 100755
--- a/hooks/addon
+++ b/hooks/addon
@@ -1,8 +1,8 @@
 #!/bin/bash
 set -eu
 vault="secret/$GENESIS_VAULT_PREFIX"
-
-ip=$(bosh vms --json | jq -r '.Tables[0].Rows[0].ips')
+declare -a ips
+ips=( $(bosh vms --json | jq -r '.Tables[0].Rows[0].ips') )
 
 list() {
   echo "The following addons are defined:"
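Review bot: `ips=( $(bosh vms --json | jq -r '.Tables[0].Rows[0].ips') )` has no check that anything usable came back: without `set -o pipefail` a failing `bosh vms` is not caught by `set -e` (the pipeline's status is jq's), jq then typically emits nothing and the array is empty, and an empty `Rows` makes jq print a literal `null`, so the later `ssh ${ips[0]}` either trips `set -u` or tries to connect to a host called `null`. A guard right after the assignment would make this fail clearly, e.g. `[[ ${#ips[@]} -gt 0 && ${ips[0]} != null ]] || { echo >&2 "no jumpbox VM address found"; exit 1; }`, and `set -o pipefail` next to `set -eu` would surface the bosh failure itself. The old single-`ip` code had the same gap; the identical new assignment in the hooks/info hunk and the first hooks/post-deploy hunk deserves the same guard.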
@@ -162,11 +162,11 @@ inventory)
     ;;
 
   ssh)
-    exec ssh $ip "$@"
+    exec ssh ${ips[0]} "$@"
     ;;
 
   who)
-    exec ssh $ip -- who
+    exec ssh ${ips[0]} -- who
     ;;
 
   *)
diff --git a/hooks/blueprint b/hooks/blueprint
index 52a8204..692a705 100755
--- a/hooks/blueprint
+++ b/hooks/blueprint
@@ -3,7 +3,7 @@
 set -eu
 declare -a merge
 
-validate_features openvpn \
+validate_features openvpn bastion \
                   proxy azure shield # defunct
 
 merge=( manifests/jumpbox.yml )
@@ -14,6 +14,10 @@ for want in ${GENESIS_REQUESTED_FEATURES[@]}; do
       merge+=( manifests/addons/$want.yml )
       ;;
 
+    bastion)
+      merge+=( manifests/bastion.yml )
+      ;;
+
     shield)
       echo >&2 "The Jumpbox Genesis Kit no longer supplies a 'shield' feature flag."
       echo >&2 "If you wish to back up this jumpbox, please switch to using BOSH"
diff --git a/hooks/info b/hooks/info
index 407592c..4bd904c 100755
--- a/hooks/info
+++ b/hooks/info
@@ -1,5 +1,6 @@
 #!/bin/bash
 set -eu
-ip=$(bosh vms --json | jq -r '.Tables[0].Rows[0].ips')
+declare -a ips
+ips=( $(bosh vms --json | jq -r '.Tables[0].Rows[0].ips') )
 
-describe "jumpbox ip: #C{$ip}"
+describe "jumpbox ip(s): #C{${ips[*]}}"
diff --git a/hooks/post-deploy b/hooks/post-deploy
index edf179d..b4b1fef 100755
--- a/hooks/post-deploy
+++ b/hooks/post-deploy
@@ -2,7 +2,8 @@
 set -eu
 
 if [[ $GENESIS_DEPLOY_RC == 0 ]]; then
-  ip=$(bosh vms --json | jq -r '.Tables[0].Rows[0].ips')
+  declare -a ips
+  ips=( $(bosh vms --json | jq -r '.Tables[0].Rows[0].ips') )
 
   echo; echo;
   describe "#M{$GENESIS_ENVIRONMENT} Jumpbox deployed!"
@@ -17,6 +18,6 @@ if [[ $GENESIS_DEPLOY_RC == 0 ]]; then
   echo
   echo "or:"
   echo
-  describe " #W{ssh ${ip}}"
+  describe " #W{ssh ${ips[0]}}"
   echo
 fi
diff --git a/manifests/bastion.yml b/manifests/bastion.yml
new file mode 100644
index 0000000..9a6cf72
--- /dev/null
+++ b/manifests/bastion.yml
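Review bot: `exec ssh ${ips[0]} "$@"` and the `who` branch below it pick whichever address `bosh vms` lists first, but nothing in the commit establishes that this is the inside address; the MANUAL hunk describes `inside_network` as a secondary interface, and if `bosh` reports addresses in network order then `${ips[0]}` is the default/outside address while ci/release_notes.md promises the internal one, so one of the two needs correcting or the addon should select the address by network rather than by position. The expansions should also be quoted, `exec ssh "${ips[0]}" "$@"` and `exec ssh "${ips[0]}" -- who`, so the value is always passed as a single argument rather than re-split by the shell. The same positional pick appears in the second hooks/post-deploy hunk (`describe " #W{ssh ${ips[0]}}"`).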
@@ -0,0 +1,10 @@
+---
+params:
+  inside_network: (( param "Please specify the name of the Bastion Network from your cloud-config" ))
+
+instance_groups:
+  - name: jumpbox
+    networks:
+      - (( inline ))
+      - default: [dns, gateway]
+      - name: (( grab params.inside_network ))
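Review bot: manifests/bastion.yml attaches a second network to the jumpbox group with no comment on how the two list entries are meant to merge, and the `(( inline ))` followed by `default: [dns, gateway]` is the kind of spruce idiom a later maintainer will misread as defining a network of its own. Assuming the base manifests/jumpbox.yml group lists exactly one network (not visible here), the first entry overlays that existing outside network and pins it as the default for DNS and the gateway (BOSH needs an explicit default once more than one network is attached), while the `inside_network` entry is deliberately non-default so outbound traffic still leaves via the outside network. A comment above `networks:` along the lines of `# First entry merges into the existing (outside) network from jumpbox.yml and keeps it the default for dns/gateway; the inside network is added as a secondary, non-default interface` would capture that intent.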