Kubernetes Ingress Bastion
This module launches an SSH bastion that uses Vault to authenticate the SSH certificates clients present. Shell sessions cannot be started directly on the bastion; it is only usable as a proxy (jump host) to resources on the private network.
Providers
The following providers are needed by this module:
- aws (5.70.0)
- kubectl (2.0.4)
- kubernetes (2.27.0)
- pf (0.0.3)
- random (3.6.0)
- tls (4.0.5)
- vault (3.25.0)
Required Inputs
The following input variables are required:
bastion_domains
Description: The domain names of the bastion
Type: list(string)
Optional Inputs
The following input variables are optional (have default values):
bastion_image_version
Description: The version of the image to use for the deployment
Type: string
Default: "17b5034568b63f0a777bc1f5b7ef907c0e00fa2a"
bastion_port
Description: The port the bastion should use for the SSH server
Type: number
Default: 45459
enhanced_ha_enabled
Description: Whether to add extra high-availability scheduling constraints at the trade-off of increased cost
Type: bool
Default: true
panfactum_scheduler_enabled
Description: Whether to use the Panfactum pod scheduler with enhanced bin-packing
Type: bool
Default: true
pull_through_cache_enabled
Description: Whether to use the ECR pull-through cache for the deployed images
Type: bool
Default: true
ssh_cert_lifetime_seconds
Description: The lifetime of SSH certs provisioned by Vault
Type: number
Default: 28800
vpa_enabled
Description: Whether the VPA resources should be enabled
Type: bool
Default: true
Outputs
The following outputs are exported:
bastion_domains
Description: The domains the SSH server is available on
bastion_host_public_key
Description: The bastion host's public key for mutual verification
bastion_port
Description: The port the SSH server is available on in each domain
Usage
No notes
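The following is an added example of calling this module and pinning the bastion host key for clients; it is not part of the module or the Panfactum project. The module source path and the domain name are placeholders, the example assumes the bastion_host_public_key output is in OpenSSH public-key form (key type followed by the base64 key), and the local_file resource needs the hashicorp/local provider in the calling configuration, which is not one of the providers listed above.

```hcl
# Added example, not the module's own code.  Placeholders and assumptions are
# marked inline.
module "bastion" {
  source = "<path-to-this-module>" # placeholder: point at the module directory

  # Required input: domains the bastion is reachable on (constructed example)
  bastion_domains = ["bastion.example.com"]

  # Optional inputs: tighten the Vault SSH certificate lifetime from the
  # 28800-second default to one hour, and make the port explicit.
  ssh_cert_lifetime_seconds = 3600
  bastion_port              = 45459
}

# Build OpenSSH known_hosts entries from the module outputs.  Pinning the
# host key this way gives clients mutual verification instead of
# trust-on-first-use.  "[host]:port key" is the known_hosts form for
# servers that listen on a non-default port.
# Assumption: bastion_host_public_key is "<type> <base64>" (OpenSSH form).
locals {
  bastion_known_hosts = join("\n", [
    for domain in module.bastion.bastion_domains :
    "[${domain}]:${module.bastion.bastion_port} ${module.bastion.bastion_host_public_key}"
  ])
}

# Write the entries to a file that clients can pass as UserKnownHostsFile.
# Requires the hashicorp/local provider in the calling configuration.
resource "local_file" "bastion_known_hosts" {
  filename        = "${path.module}/bastion_known_hosts"
  content         = "${local.bastion_known_hosts}\n"
  file_permission = "0644"
}

output "bastion_known_hosts" {
  description = "known_hosts entries pinning the bastion host key"
  value       = local.bastion_known_hosts
}
```

With the generated file in place, a client that already holds a Vault-signed SSH certificate can reach a private host through the bastion with `ssh -o UserKnownHostsFile=./bastion_known_hosts -J <user>@bastion.example.com:45459 <private-host>`; the ProxyJump form matches the proxy-only role described above, since no shell is opened on the bastion itself, and the pinned key means a changed host key fails closed rather than prompting.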