rancher-docs/scripts/Downloads/Untitled.txt

When setting up an airgap environment, it may be useful to run RKE through a bastion server. This can be helpful if you want to keep your RKE config or SSH keys on your local machine. This requires that the bastion server is accessible from the outside world, and has access to port 22 (SSH) on your airgapped nodes. 

local RKE (via port 22 over internet) -> bastion
bastion (via port 22 over internal network) -> airgap_node_1, airgap_node_2, airgap_node3 

To enable running RKE through a bastion server, add the following to your RKE yaml config:

```
bastion_host:
    address: 18.224.54.35 # public IP of the bastion server
    user: ubuntu
    port: 22
    ssh_key_path: /path/to/ssh/key
```

Full ex: 
```
bastion_host:
    address: 18.224.54.35 # public IP of the bastion server
    user: ubuntu
    port: 22
    ssh_key_path: /path/to/ssh/key
nodes:
 - address: 172.31.6.15 # private IP of airgapped node
   user: ubuntu
   role: [ "controlplane", "etcd", "worker" ]
   ssh_key_path: /path/to/ssh/key
 - address: 172.31.12.84 # private IP of airgapped node
   user: ubuntu
   role: [ "controlplane", "etcd", "worker" ]
   ssh_key_path: /path/to/ssh/key
 - address: 172.31.15.78 # private IP of airgapped node
   user: ubuntu
   role: [ "controlplane", "etcd", "worker" ]
   ssh_key_path: /path/to/ssh/key
private_registries:
 - url: <registry url>
   user: <username>
   password: <password>
   is_default: true
 ```

  Running `rke up` will provision the k8s cluster through the bastion server, and provide the resulting kube_config. However, it's important to note that as your nodes are not accessible via a public IP, the machine you run `kubectl` from in later steps must be able to reach your airgapped nodes through the addresses provided. This may require moving the resulting kube_config after it is created.