Showing 3 changed files with 31 additions and 3 deletions
+7 -3
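--- a/inventory/hosts-local.yaml
+++ b/inventory/hosts-local.yaml
@@ -143,13 +143,17 @@ groups:
         user: bogdan
 
   legacy_infrastructure:
-    description: Legacy xdev.ro and mondo-byte.ro historical servers (active)
+    description: Legacy xdev.ro and mondo-byte.ro historical servers (local direct access)
+    defaults:
+      route: local
     hosts:
-      # xdev.ro hosts
+      # xdev.ro hosts - entry point
       is_jumper:
         aliases: [is-jumper, is-vpn-gw]
         hostname: 192.168.2.100
         user: root
+        proxy_jump: none
+      # xdev.ro local network hosts (accessed via is-jumper)
       is_mazeri:
         aliases: [is-mazeri]
         hostname: 192.168.2.102
@@ -186,7 +190,7 @@ groups:
         aliases: [is-nasturel]
         hostname: 192.168.2.144
         user: sshd
-      # mondo-byte.ro hosts
+      # mondo-byte.ro hosts (accessed via is-jumper)
       mt_rabit:
         aliases: [mt-rabit]
         hostname: 89.32.216.4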
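Review bot: The two new comments say these hosts are "(accessed via is-jumper)", but the group now carries `defaults: route: local` and the description reads "local direct access", so the inventory states both a direct and a jumped path for the same hosts. This matters most for `mt_rabit`, whose hostname `89.32.216.4` is outside the 192.168.2.x range used by the xdev.ro entries, so a reader cannot tell which path is intended for it. If the intent is that the group is reached directly when the operator is on the local network, I would reword the comments, for example `# xdev.ro local network hosts (direct when route is local, otherwise via is-jumper)`, and do the same on the mondo-byte.ro line.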
+15 -0
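--- a/scripts/ssh-wrapper.sh
+++ b/scripts/ssh-wrapper.sh
@@ -94,6 +94,7 @@ resolve_target_from_config() {
     local target=$1
     local default_user=${USER:-${LOGNAME:-}}
     local user_override=""
+    local target_route=""
 
     case "$target" in
         *@*)
@@ -113,6 +114,20 @@ resolve_target_from_config() {
 
     resolve_ssh_config "$target" || return 1
 
+    # Check for SSH_ROUTE in config
+    while IFS= read -r line; do
+        case "$line" in
+            setenv\ SSH_ROUTE=*)
+                target_route=${line#setenv SSH_ROUTE=}
+                ;;
+        esac
+    done < <("$real_ssh" ${ssh_config_args[@]+"${ssh_config_args[@]}"} -G "$target" 2>/dev/null)
+
+    # If route is "local", no jump needed
+    if [[ "$target_route" == "local" ]]; then
+        return 1
+    fi
+
     if [[ -n "$user_override" ]]; then
         target_user=$user_override
     fi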
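Review bot: The new `return 1` for `target_route == "local"` uses the same status as the failure path two lines above it (`resolve_ssh_config "$target" || return 1`), so a caller cannot tell "direct connection, no jump" from "target could not be resolved". If callers need that distinction, return a separate status (for example `return 2`), or at least record the contract in the comment: `# route=local: non-zero tells the caller to connect directly; same status as a resolve failure`. The `ssh -G` call discards stderr and its exit status is never checked, so a failed lookup leaves `target_route` empty and the function carries on as if no route were set; `line` is also not declared `local` alongside `target_route`. The function starts and ends outside these hunks, so how callers treat the status is not visible here.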
+9 -0
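--- a/tools/generate-configs.py
+++ b/tools/generate-configs.py
@@ -80,11 +80,18 @@ def host_block(aliases, hostname, user=None, port=None, extra=None):
     if port:
         lines.append(f"    Port {port}")
     auth = (extra or {}).pop("auth", None)
+    proxy_jump = (extra or {}).pop("proxy_jump", None)
+    route = (extra or {}).pop("route", None)
+
+    if route:
+        lines.append(f"    SetEnv SSH_ROUTE={route}")
     if auth == "password_interactive":
         lines.append("    SetEnv NG_SSH_AUTH=password-interactive")
         lines.append("    BatchMode no")
         lines.append("    PreferredAuthentications keyboard-interactive,password")
         lines.append("    PubkeyAuthentication no")
+    if proxy_jump and proxy_jump != "none":
+        lines.append(f"    ProxyJump {proxy_jump}")
     for key, value in (extra or {}).items():
         lines.append(f"    {key} {value}")
     lines.append("")
@@ -189,6 +196,8 @@ def emit_hosts_for_group(data, group, target, defaults):
         extra = {}
         if item.get("auth"):
             extra["auth"] = item["auth"]
+        if item.get("route"):
+            extra["route"] = item["route"]
         user = item.get("user")
         port = item.get("port")
         if company_managed_rule(data, target, aliases, user, port):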
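Review bot: In `host_block`, `route` and `proxy_jump` are interpolated verbatim into `SetEnv SSH_ROUTE={route}` and `ProxyJump {proxy_jump}`, so an inventory value containing whitespace or a line break would become extra tokens or extra directives in the generated host block; a check before appending, such as `if any(c.isspace() for c in str(route)): raise ValueError(f"invalid route: {route!r}")` (and the same for `proxy_jump`), keeps each value to a single token. `proxy_jump == "none"` is dropped rather than written out; OpenSSH accepts `ProxyJump none` to disable jumping, and emitting it for the entry host would keep a broader `Host` pattern from applying a jump to it. A host that has both `route` and `auth: password_interactive` now gets two separate `SetEnv` lines, and since ssh uses the first value obtained for an option, it is worth confirming with `ssh -G` that `NG_SSH_AUTH` still resolves, or emitting one combined `SetEnv` line. `host_block` begins and ends outside this hunk.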