Create equivalent to knife-ec2 --ssh-gateway in kitchen-ec2 #249
Comments
Could you set something up in your
|
@jjasghar Yes, I could do this, but I am trying to automate for both other developers and CI/CD steps, and it would be nice if this was just built in so I don't have to write to a config file every time. The other thing is it would be nice to not have to associate a DNS record with created test hosts; it could just point to a random private IP each time. |
@ellery44 Just trying to clarify this, are you asking for kitchen-ec2 to stand up a bastion/gateway host for each and every test run, or to use an existing Bastion/Gateway based on a configuration variable? |
No, just to be able to specify a bastion host in your .kitchen.yml like so
Then under the hood it would do something like
Would this be possible? Then I could set up test hosts in my private subnets and expose a web server in my safe isolated subnet which only allows connections from specific IPs/other hosts |
OK, I'm not averse to this as a proposal, although I do tend to agree with @jjasghar that there is already a mechanism within SSH itself to do this and we should probably use that instead of re-inventing the wheel. From the man page (http://linux.die.net/man/5/ssh_config):
So you could create a
This would ensure that any connections for the subnet inside your VPC would be routed via your bastion host. As I say, I'm not against this, I'd just rather not re-invent the wheel :) |
Hi, sorry I dropped off this for a bit. I don't feel as if it is reinventing the wheel; the tunneling is already built into the SSH spec, it's more just how it is configured to run. I think it would be an improvement to have this just work with this project. If you believe it should be done in ssh config, maybe an automated step to set it up for you would be cool, appending it onto the local ssh config? |
I've created this one in the Test-Kitchen project: test-kitchen/test-kitchen#829 |
OK, coming back around to this now. @iiro if test-kitchen/test-kitchen#426 gets merged, is there any reason why this command wouldn't filter down from Test Kitchen and allow @ellery44 to access the bastions that way? If we're going to get the functionality upstream (and I'm happy to add my +1's to it!) then I'd prefer to adopt that approach instead of writing our own and making the documentation even more verbose! :) |
test-kitchen/test-kitchen#1091 implements

```yaml
transport:
  name: ssh
  ssh_gateway: <gateway>
  ssh_gateway_username: <username at the gateway>
```

I haven't used this before, but I'm about to. If I have issues with it I'll try to post back here.

edit: jk, I'm not gonna use this because inspec doesn't yet support ssh_gateway options. Seems like just setting ProxyCommand in your ssh config file is the only way to make this work for all related tools. |
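The ProxyCommand route the thread settles on, combined with the "automated step" suggested earlier, as an added example (not code from kitchen-ec2 or Test Kitchen): a shell function that keeps exactly one managed bastion block in an ssh config file and rejects values that could inject extra directives or ssh options. The function name, marker comments, and the sample host pattern, bastion and user are assumptions.

```shell
#!/usr/bin/env bash
# Added example: maintain one managed "route via bastion" block in an ssh config.
# Marker text, function name and all sample values are assumptions.
set -eu

BEGIN_MARK="# >>> kitchen-bastion (managed) >>>"
END_MARK="# <<< kitchen-bastion (managed) <<<"

# write_bastion_block CONFIG HOST_PATTERN BASTION_HOST BASTION_USER
write_bastion_block() {
  config=$1; pattern=$2; bastion=$3; user=$4
  # Reject anything that could smuggle extra directives into the config file
  # (whitespace, newlines, quotes) or extra options into the ssh command line.
  case "$pattern" in *[!A-Za-z0-9.*?_-]*|"") echo "bad host pattern" >&2; return 1;; esac
  case "$bastion" in -*|*[!A-Za-z0-9._-]*|"") echo "bad bastion host" >&2; return 1;; esac
  case "$user" in -*|*[!A-Za-z0-9._-]*|"") echo "bad bastion user" >&2; return 1;; esac

  mkdir -p "$(dirname "$config")"
  touch "$config"
  tmp=$(mktemp "${config}.XXXXXX")
  # Drop any previous managed block so repeated CI runs do not stack entries;
  # everything outside the markers is preserved untouched.
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
    $0 == b { skip = 1; next }
    $0 == e { skip = 0; next }
    !skip   { print }' "$config" > "$tmp"
  {
    echo "$BEGIN_MARK"
    echo "Host $pattern"
    # -W forwards stdin/stdout to the target through the bastion.
    echo "    ProxyCommand ssh -W %h:%p ${user}@${bastion}"
    echo "$END_MARK"
  } >> "$tmp"
  chmod 600 "$tmp"          # ssh config should not be group/world writable
  mv "$tmp" "$config"
}

# Constructed sample values: a private-subnet pattern and a placeholder bastion.
if [ "${1:-}" = "--demo" ]; then
  write_bastion_block "./demo_ssh_config" "10.0.*" "bastion.example.com" "ec2-user"
  cat ./demo_ssh_config
fi
```

The bastion's own address must not match the `Host` pattern, otherwise ssh would try to proxy the bastion connection through itself.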
Support for this was merged upstream and that is where anything "transport" related would also need to be done so closing this issue out as kitchen support is complete here. |
The proper security model for connecting via ssh to a secure instance is through a bastion host. It would be a really cool feature if we could specify an existing bastion host to tunnel ssh connections through and execute chef commands in our .kitchen.yml file. I need to use a feature like this and I saw someone else had posted on a chef forum with no replies, so I thought I'd write it up here as well.