
Provisioner: Use a bastion node for cluster installation

Open based64god opened this issue 6 years ago • 1 comments

Exactly what it looks like. Currently, we expose a public IP and port 22 on all nodes, and this is an obvious security risk.

based64god, Dec 01 '17 17:12

The easiest potential fix here is to just run KET from the bastion. However, the terraform/ket2.0 work would still bring up machines that have firewall settings as if you were creating clusters from outside the cloud provider. Ultimately, you can still edit the firewall/security settings manually after bringing up the cluster, but it's a pretty large hassle. This is a significant amount of work to fix, and I think a relatively high priority, considering we're touting this thing as "production grade". Will leave open, but not sure where this is going next.

based64god, Mar 29 '18 16:03