Make login user of bastion host configurable

examples/terraform/aws-private/README.md

@@ -21,6 +21,7 @@ Follow the [issue #337](https://github.com/kubermatic/kubeone/issues/337) for mo
 | ssh\_public\_key\_file | SSH public key file | string | `"~/.ssh/id_rsa.pub"` | no |
 | ssh\_username | SSH user, used only in output | string | `"root"` | no |
 | bastion\_port | Bastion SSH port | string | `"22"` | no |
+| bastion\_user | Bastion SSH username | string | `"root"` | no |
 | subnet\_netmask\_bits | default 8 bits in /16 CIDR, makes it /24 subnetworks | string | `"8"` | no |
 | subnet\_offset | subnet offset (from main VPC cidr_block) number to be cut | string | `"0"` | no |
 | vpc\_id | VPC to use ('default' for default VPC) | string | `"default"` | no |
@@ -35,4 +36,3 @@ Follow the [issue #337](https://github.com/kubermatic/kubeone/issues/337) for mo
 | kubeone\_bastion |  |
 | kubeone\_hosts | Control plane endpoints to SSH to |
 | kubeone\_workers | Workers definitions, that will be transformed into MachineDeployment object |
-

examples/terraform/aws-private/output.tf

@@ -42,6 +42,7 @@ output "kubeone_hosts" {
       ssh_user             = var.ssh_username
       bastion              = aws_instance.bastion.public_ip
       bastion_port         = var.bastion_port
+      bastion_user         = var.bastion_user
     }
   }
 }
@@ -147,4 +148,3 @@ output "kubeone_workers" {
     }
   }
 }
-

examples/terraform/aws-private/variables.tf

@@ -58,6 +58,11 @@ variable "bastion_port" {
   default     = 22
 }
 
+variable "bastion_user" {
+  description = "Bastion SSH username"
+  default     = "root"
+}
+
 variable "dist_upgrade_on_boot" {
   description = "run worker upgrade distribution on boot"
   default     = false
@@ -99,4 +104,3 @@ variable "ami" {
   default     = ""
   description = "AMI ID, use it to fixate control-plane AMI in order to avoid force-recreation it at later times"
 }
-

pkg/apis/kubeone/types.go

@@ -63,6 +63,7 @@ type HostConfig struct {
 	SSHAgentSocket    string `json:"sshAgentSocket"`
 	Bastion           string `json:"bastion"`
 	BastionPort       int    `json:"bastionPort"`
+	BastionUser       string `json:"bastionUser"`
 	Hostname          string `json:"hostname"`
 
 	// Information populated at the runtime

pkg/apis/kubeone/v1alpha1/defaults.go

@@ -150,4 +150,7 @@ func defaultHostConfig(obj *HostConfig) {
 	if obj.BastionPort == 0 {
 		obj.BastionPort = 22
 	}
+	if obj.BastionUser == "" {
+		obj.BastionUser = "root"
+	}
 }

pkg/apis/kubeone/v1alpha1/types.go

@@ -63,6 +63,7 @@ type HostConfig struct {
 	SSHAgentSocket    string `json:"sshAgentSocket"`
 	Bastion           string `json:"bastion"`
 	BastionPort       int    `json:"bastionPort"`
+	BastionUser       string `json:"bastionUser"`
 	Hostname          string `json:"hostname"`
 
 	// Information populated at the runtime

pkg/cmd/config.go

@@ -450,7 +450,7 @@ features:
   podSecurityPolicy:
     enable: {{ .EnablePodSecurityPolicy }}
   # Enables and configures audit log backend.
-  # More info: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#log-backend  
+  # More info: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/#log-backend
   staticAuditLog:
     enable: {{ .EnableStaticAuditLog }}
     config:
@@ -528,6 +528,7 @@ features:
 #   privateAddress: '172.18.0.1'
 #   bastion: '4.3.2.1'
 #   bastionPort: 22  # can be left out if using the default (22)
+#   bastionUser: 'root'  # can be left out if using the default ('root')
 #   sshPort: 22 # can be left out if using the default (22)
 #   sshUsername: ubuntu
 #   # You usually want to configure either a private key OR an

pkg/ssh/connection.go

@@ -56,6 +56,7 @@ type Opts struct {
 	Timeout     time.Duration
 	Bastion     string
 	BastionPort int
+	BastionUser string
 }
 
 func validateOptions(o Opts) (Opts, error) {
@@ -89,6 +90,10 @@ func validateOptions(o Opts) (Opts, error) {
 		o.BastionPort = 22
 	}
 
+	if o.BastionUser == "" {
+		o.BastionUser = "root"
+	}
+
 	if o.Timeout == 0 {
 		o.Timeout = 60 * time.Second
 	}
@@ -165,6 +170,7 @@ func NewConnection(o Opts) (Connection, error) {
 	if o.Bastion != "" {
 		targetHost = o.Bastion
 		targetPort = strconv.Itoa(o.BastionPort)
+		sshConfig.User = o.BastionUser
 	}
 
 	// do not use fmt.Sprintf() to allow proper IPv6 handling if hostname is an IP address
@@ -189,6 +195,7 @@ func NewConnection(o Opts) (Connection, error) {
 		return nil, errors.Wrapf(err, "could not establish connection to %s", endpointBehindBastion)
 	}
 
+	sshConfig.User = o.Username
 	ncc, chans, reqs, err := ssh.NewClientConn(conn, endpointBehindBastion, sshConfig)
 	if err != nil {
 		return nil, errors.Wrapf(err, "could not establish connection to %s", endpointBehindBastion)

pkg/ssh/connector.go

@@ -53,6 +53,7 @@ func (c *Connector) Connect(node kubeoneapi.HostConfig) (Connection, error) {
 			Timeout:     10 * time.Second,
 			Bastion:     node.Bastion,
 			BastionPort: node.BastionPort,
+			BastionUser: node.BastionUser,
 		}
 
 		conn, err = NewConnection(opts)

pkg/terraform/config.go

@@ -37,6 +37,7 @@ type controlPlane struct {
 	SSHAgentSocket    string   `json:"ssh_agent_socket"`
 	Bastion           string   `json:"bastion"`
 	BastionPort       int      `json:"bastion_port"`
+	BastionUser       string   `json:"bastion_user"`
 }
 
 // Config represents configuration in the terraform output format
@@ -186,6 +187,7 @@ func newHostConfig(id int, publicIP, privateIP, hostname string, cp controlPlane
 		SSHAgentSocket:    cp.SSHAgentSocket,
 		Bastion:           cp.Bastion,
 		BastionPort:       cp.BastionPort,
+		BastionUser:       cp.BastionUser,
 	}
 }