At $job, we use an SSH bastion host to connect to our cloud environment. This made using Test Kitchen a bit annoying. My previous way of getting Test Kitchen to work involved putting a ProxyCommand into my ~/.ssh/config, which worked, sometimes, but was still annoying.

Eventually I stumbled into a completely undocumented function of Test Kitchen which solves this exact problem.

ssh_gateway

Turns out that kitchen has support for SSH bastion hosts built in; it’s just not documented anywhere. Here’s what you need in your .kitchen.yml:

---
driver:
  name: ec2
  associate_public_ip: false
  interface: private

transport:
  ssh_key: /path/to/id_rsa-aws
  username: ubuntu
  ssh_gateway: bastion.foo.com
  ssh_gateway_username: ubuntu

This lets you SSH to the private IP of the VM you are testing against, with the SSH connection going through the bastion host.

It should already be obvious, but ssh_gateway is the IP or hostname of your bastion host, and ssh_gateway_username is the username used for SSH to the bastion. In my use case, the bastion host and the private VM I’m testing against use the same SSH key, so I didn’t get into a scenario where the bastion key is different from the private VM key; YMMV there.
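
To check the same route outside Test Kitchen, the transport settings above map onto a plain OpenSSH client configuration like the one below. This is an added example, not part of the original post: the host aliases kitchen-bastion and kitchen-target and the address 10.0.0.10 are placeholders, and ProxyJump assumes OpenSSH 7.3 or later.

```sshconfig
# ~/.ssh/config
# Added example: the aliases and the 10.0.0.10 address are placeholders.

# Bastion hop: corresponds to ssh_gateway / ssh_gateway_username
Host kitchen-bastion
    HostName bastion.foo.com
    User ubuntu
    IdentityFile /path/to/id_rsa-aws
    # Offer only the key named here, not every key loaded in the agent
    IdentitiesOnly yes

# Instance under test, reached on its private IP through the bastion
# (corresponds to transport username / ssh_key)
Host kitchen-target
    HostName 10.0.0.10
    User ubuntu
    IdentityFile /path/to/id_rsa-aws
    IdentitiesOnly yes
    # Tunnel through the bastion; the key stays on the local machine
    ProxyJump kitchen-bastion
```

Running ssh kitchen-target then exercises the same bastion-to-private-IP path. With plain OpenSSH, each Host block can name its own IdentityFile when the bastion and the instance use different keys.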