make production bastions in gprd
This issue is to track MVP for bastion in gprd.
Minimal criteria selected from the longer meta:
- all bastion nodes should have health checks (gitlab-cookbooks/gitlab-openssh!7 (merged))
- all bastion nodes should have same ssh host keys (gitlab-cookbooks/gitlab-openssh!7 (merged))
- all bastion nodes should have all users (https://dev.gitlab.org/cookbooks/chef-repo/merge_requests/1852/diffs)
- [ ] all users on bastion nodes except production team should not be able to connect interactively: removed from scope. I'm refusing to iterate on something that can block our ssh accesses until I have proper tests, and that will be after migration, no earlier. WIP with context is here: https://gitlab.com/gitlab-cookbooks/gitlab_users/merge_requests/42
- short runbook/documentation on what exact modifications users should add to their .ssh/configs to use bastion (runbooks!550 (merged))
This will allow us to start using the bastions and close direct ssh access (when takeoff is tested on GCP!), and iterate on improvements in post failover work.
Edited by Ilya Frolov