
To the metadata servers? They presumably hold keys to access all kinds of backend systems anyway. The certs don't require any additional trust. There must already be infrastructure in place for deploying said keys.


Yes and no. When doing stuff like this you will always have a chicken-and-egg problem.


You could also do a hybrid where each machine gets a volume with an x509 cert and key that only root has access to, which can then be used to mTLS to a network service (which can then manage the certs).

That'd be a hybrid of cloud init data volume and network service


You could, but the problem with this approach is how you manage these volumes and the infrastructure around them. How do you get the keys onto that volume?

Usually, this trust is established when the machine is built the first time and it gets an identity and a cert assigned to it. You have the same problems (of how you control the infra and ensure that you and only you can do this on the network).


The hypervisor or VM provisioning system can set it up. With something like certs you can just drop a <1 MB ISO on the host for each VM.

The cert only needs to prove the VM is who it says it is.

> ensure that you and only you can do this on the network

You've already solved that with your VM provisioning system.

If you're talking about physical/hardware, you can take more liberties with the network since it can be isolated during the initial provisioning step



