Update the website regarding moving bastion to within the uni network…

… (#3463) ## Description The university requested that we stop offering bastion as an alternative to using the VPN. We are working with the university for a solution to access by external groups. https://groups.google.com/a/watonomous.ca/g/infrastructure/c/Hi9lOwx8ojc This PR updates the website to reflect this. This includes SSH access instructions and firewall documentation. Before/after: <img width="2032" alt="image" src="https://github.com/user-attachments/assets/b6d09ebc-4c8b-4046-be1d-95b33948ce1a" /> <img width="2032" alt="image" src="https://github.com/user-attachments/assets/b2385223-945d-4b39-8b83-33d03b45399b" /> <img width="2032" alt="image" src="https://github.com/user-attachments/assets/318edb92-ffa3-4986-a02a-a6c6dabff1c8" /> ## Checklist - [x] I have read and understood the [WATcloud Guidelines](https://cloud.watonomous.ca/docs/community-docs/watcloud/guidelines) - [x] I have performed a self-review of my code --------- Co-authored-by: Copilot <[email protected]>
WATonomous · Dec 19, 2024 · 0750def · 0750def
1 parent 9bfef59
commit 0750def
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 5 deletions.
diff --git a/pages/docs/compute-cluster/firewall.mdx b/pages/docs/compute-cluster/firewall.mdx
@@ -1,5 +1,14 @@
+import { Callout } from 'nextra/components'
+
 # Firewall
 
+<Callout type="warning">
+On 2024-12-18, the university requested that we move bastion to behind the firewall due to general security concerns.
+This means that users without access to the UWaterloo campus or VPN will no longer be able to access the cluster.
+We are working with the university to find a solution to this problem.
+In the meantime, materials regarding accessing the bastion host from off-campus are invalid.
+</Callout>
+
 The WATcloud compute cluster is housed at the University of Waterloo. All machines in the cluster are behind the University's firewall.
 In order to connect to the cluster, you must be on the campus network, connected to the University's [VPN][uw-vpn], or use a
 [Bastion](#bastion) as a jump host.

diff --git a/scripts/generate-ssh-info.py b/scripts/generate-ssh-info.py
@@ -47,7 +47,12 @@ def generate_network_graph():
         G.add_node(network["name"], type="network", display_name=f"{network['name'].capitalize()} Network")
 
     for node in chain(login_nodes, bastion_nodes):
-        G.add_node(node["name"], type="host")
+        if node in bastion_nodes:
+            priority = 10 # prefer using bastion nodes
+        else:
+            priority = 5
+
+        G.add_node(node["name"], type="host", priority=priority)
 
         for nn in node["networks"]:
             is_entrypoint = nn["is_accessible_from_internet"]
@@ -120,6 +125,13 @@ def generate_ssh_markdown(hostnames):
         ```
     """).strip()
 
+def path_sort_key(G, path: list[str]):
+    """
+    This function is used to generate a sort key for a path in the network graph.
+    
+    We prefer shorter paths, and paths that go through nodes with higher priority.
+    """
+    return (len(path), ) + tuple(-G.nodes[n].get("priority", 0) for n in path)
 
 def generate_ssh_info():
     G = generate_network_graph()
@@ -138,14 +150,16 @@ def generate_ssh_info():
     ssh_info = {}
     for n, paths in shortest_paths.items():
         ssh_info[n] = {"paths": []}
-        for path in paths:
+        sorted_paths = sorted(paths, key=lambda p: path_sort_key(G, p))
+        for path in sorted_paths:
             assert (
-                len(path) <= 4
-            ), f"Expected at most 4 path nodes (2 hops), got {len(path)}: {path}"
+                len(path) <= 6 # _entrypoint -> host -> network -> host -> network -> host
+            ), f"Expected at most 6 path nodes (4 hops, including networks), got {len(path)}: {path}"
 
             instructions = []
             ssh_host_chain = []
 
+            assert path[0] == "_entrypoint", f"Expected path to start at _entrypoint, got {path[0]}"
             for edge in zip(path, path[1:]):
                 _source, target = edge
 
@@ -171,7 +185,7 @@ def generate_ssh_info():
             ssh_info[n]["paths"].append(
                 {
                     "hops": [
-                        G.nodes[n].get("display_name", n) for n in path if G.nodes[n]["type"] in ["host", "service", "network"]
+                        G.nodes[n].get("display_name", n) for n in path if G.nodes[n]["type"] in ["host", "service"]
                     ],
                     "instructions": instructions,
                 }