From 0750def9662826ec029be80a45dba615fbf52a07 Mon Sep 17 00:00:00 2001 From: Ben Zhang Date: Wed, 18 Dec 2024 21:32:08 -0800 Subject: [PATCH] Update the website regarding moving bastion to within the uni network (#3463) ## Description The university requested that we stop offering bastion as an alternative to using the VPN. We are working with the university for a solution to access by external groups. https://groups.google.com/a/watonomous.ca/g/infrastructure/c/Hi9lOwx8ojc This PR updates the website to reflect this. This includes SSH access instructions and firewall documentation. Before/after: image image image ## Checklist - [x] I have read and understood the [WATcloud Guidelines](https://cloud.watonomous.ca/docs/community-docs/watcloud/guidelines) - [x] I have performed a self-review of my code
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 pages/docs/compute-cluster/firewall.mdx | 9 +++++++++
 scripts/generate-ssh-info.py | 24 +++++++++++++++++++-----
 2 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/pages/docs/compute-cluster/firewall.mdx b/pages/docs/compute-cluster/firewall.mdx
index a2d9267..c4e56e3 100644
--- a/pages/docs/compute-cluster/firewall.mdx
+++ b/pages/docs/compute-cluster/firewall.mdx
@@ -1,5 +1,14 @@
+import { Callout } from 'nextra/components'
+
 # Firewall
+
+On 2024-12-18, the university requested that we move bastion to behind the firewall due to general security concerns.
+This means that users without access to the UWaterloo campus or VPN will no longer be able to access the cluster.
+We are working with the university to find a solution to this problem.
+In the meantime, materials regarding accessing the bastion host from off-campus are invalid.
+
+
 The WATcloud compute cluster is housed at the University of Waterloo. All machines in the cluster are behind the University's firewall. In order to connect to the cluster, you must be on the campus network, connected to the University's [VPN][uw-vpn], or use a [Bastion](#bastion) as a jump host.
diff --git a/scripts/generate-ssh-info.py b/scripts/generate-ssh-info.py
index f1fa21f..ab29e35 100644
--- a/scripts/generate-ssh-info.py
+++ b/scripts/generate-ssh-info.py
@@ -47,7 +47,12 @@ def generate_network_graph():
 G.add_node(network["name"], type="network", display_name=f"{network['name'].capitalize()} Network")
 for node in chain(login_nodes, bastion_nodes):
- G.add_node(node["name"], type="host")
+ if node in bastion_nodes:
+ priority = 10 # prefer using bastion nodes
+ else:
+ priority = 5
+
+ G.add_node(node["name"], type="host", priority=priority)
 for nn in node["networks"]:
 is_entrypoint = nn["is_accessible_from_internet"]
@@ -120,6 +125,13 @@ def generate_ssh_markdown(hostnames):
 ```
 """).strip()
+def path_sort_key(G, path: list[str]):
+ """
+ This function is used to generate a sort key for a path in the network graph.
+
+ We prefer shorter paths, and paths that go through nodes with higher priority.
+ """
+ return (len(path), ) + tuple(-G.nodes[n].get("priority", 0) for n in path)
 def generate_ssh_info():
 G = generate_network_graph() 
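Review bot: The bastion preference is encoded as the bare literals `10` and `5` in the new `if node in bastion_nodes` branch, while the consumer that interprets them (`path_sort_key`, added in the next hunk) silently treats a missing attribute as `0`; none of these values is named, so the intended ordering bastion > login node > network/entrypoint can only be recovered by reading both places. Module-level constants would make it explicit, e.g. `BASTION_PRIORITY = 10`, `LOGIN_NODE_PRIORITY = 5`, and then the single line `priority = BASTION_PRIORITY if node in bastion_nodes else LOGIN_NODE_PRIORITY` replaces the four-line if/else. `node in bastion_nodes` also compares whole node dicts against a list on every iteration; building a set of bastion names once before the loop and testing `node["name"]` would state the classification directly. The body of generate_network_graph starts before and continues after this hunk.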
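Review bot: The docstring on the new `path_sort_key` says paths through higher-priority nodes are preferred, but the key it returns is lexicographic: after the length it holds `-priority` for each node in path order, so two equal-length paths are decided by the first position at which their priorities differ, and any node without a `priority` attribute (networks and `_entrypoint`, going by the previous hunk) compares as 0. That is a reasonable rule, but the docstring should say so; a second paragraph such as `Shorter paths sort first; equal-length paths are compared node by node from the entrypoint, higher priority first (nodes without a priority count as 0).` would replace the current one-sentence summary. A return annotation, `-> tuple[int, ...]`, would also document the shape callers sort on, and `(len(path), )` is conventionally written `(len(path),)`. `generate_ssh_info` begins at the end of this hunk and its body continues outside it.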
@@ -138,14 +150,16 @@ def generate_ssh_info():
 ssh_info = {}
 for n, paths in shortest_paths.items():
 ssh_info[n] = {"paths": []}
- for path in paths:
+ sorted_paths = sorted(paths, key=lambda p: path_sort_key(G, p))
+ for path in sorted_paths:
 assert (
- len(path) <= 4
- ), f"Expected at most 4 path nodes (2 hops), got {len(path)}: {path}"
+ len(path) <= 6 # _entrypoint -> host -> network -> host -> network -> host
+ ), f"Expected at most 6 path nodes (4 hops, including networks), got {len(path)}: {path}"
 instructions = []
 ssh_host_chain = []
+ assert path[0] == "_entrypoint", f"Expected path to start at _entrypoint, got {path[0]}"
 for edge in zip(path, path[1:]):
 _source, target = edge
@@ -171,7 +185,7 @@ def generate_ssh_info():
 ssh_info[n]["paths"].append(
 {
 "hops": [
- G.nodes[n].get("display_name", n) for n in path if G.nodes[n]["type"] in ["host", "service", "network"]
+ G.nodes[n].get("display_name", n) for n in path if G.nodes[n]["type"] in ["host", "service"]
 ],
 "instructions": instructions,
 }
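Review bot: The new `assert path[0] == "_entrypoint", ...` is placed after `instructions = []` and `ssh_host_chain = []`, away from the other path-shape check (`len(path) <= 6`) it logically belongs with; moving it directly under that assert keeps all validation of a path in one place before any hop is processed, and for an empty `path` it would then also be preceded by the length check rather than failing with an IndexError on `path[0]`. Both guards are `assert` statements, so under `python -O` the checks that bound the generated SSH hop chain disappear entirely; that matches the file's existing convention, but since these values end up in user-facing SSH instructions a `raise ValueError(...)` would be the more robust form if the script is ever run optimised. The `# _entrypoint -> host -> network -> host -> network -> host` comment inside the assert is helpful and could also be mirrored in the message so the failure explains the expected shape. The enclosing generate_ssh_info body starts before and continues after this hunk.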
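Review bot: The rewritten `"hops"` comprehension reuses `n` as its loop variable while the enclosing `for n, paths in shortest_paths.items()` loop (context in the previous hunk) and the adjacent `ssh_info[n]["paths"].append(` use the outer `n`; Python 3 gives the comprehension its own scope so this is not a bug, but a reader has to check which `n` each `G.nodes[n]` and `ssh_info[n]` refers to. Since this line is already being touched, renaming the inner variable makes it self-evident: `G.nodes[hop].get("display_name", hop) for hop in path if G.nodes[hop]["type"] in ["host", "service"]`. The enclosing generate_ssh_info body starts outside this hunk.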