Infrastructure Key Management
Introduction
An infrastructure key is a key comprising a private and/or public portion (an SSH key pair) used when provisioning and communicating with infrastructure. Infrastructure keys are managed by TNC-O (Brent), which provides REST APIs to manage them. The keys themselves are not exposed north-bound of Brent; only their names are (see the resource descriptor key properties). Brent dynamically substitutes any key names in properties with the real key material (public and private portions, where defined) before sending that material over an SSH HTTP connection to Resource drivers.
There are two types of infrastructure key:
- shared: these form a global pool of infrastructure keys that are created using Brent REST APIs and can be shared between resource instances.
- resource instance: these are generated by infrastructure and are linked to the resource instance that created them (so that they are removed when that resource instance is removed).
The structure of an infrastructure key is:
- id: this is generated by Brent
- name: the name of the infrastructure key. For shared keys, this is provided when the key is created using the REST APIs. For resource instance infrastructure keys, this is provided with the key material sent back by the driver. This is mandatory.
- description: a description for the infrastructure key.
- privateKey: private key portion of the infrastructure key, stored securely at rest by Brent.
- publicKey: public key portion of the infrastructure key.
Note that either or both privateKey and publicKey can be provided.
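The following is an added illustration, not Brent's own code, of the two behaviours described above: key-typed properties carry only a key name north-bound, and Brent swaps in the stored material (only the portions it actually holds) before the properties reach a Resource driver. The property/type layout, the in-memory key store and the sample key values are constructed for this example; Brent's real storage, property schema and driver payload format are not shown on this page.

```python
"""Added example (not Brent's code): key-name substitution and a guard
against key material leaking north-bound.  Property layout, store and
sample values are assumptions made for this illustration only."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InfrastructureKey:
    # Mirrors the structure listed on the page; either or both portions may be set.
    id: str
    name: str
    description: str = ""
    privateKey: Optional[str] = None
    publicKey: Optional[str] = None


class KeyStore:
    """Constructed in-memory stand-in for the key storage Brent keeps at rest."""

    def __init__(self, keys):
        self._by_name = {k.name: k for k in keys}

    def get(self, name: str) -> InfrastructureKey:
        if name not in self._by_name:
            raise KeyError(f"unknown infrastructure key: {name}")
        return self._by_name[name]

    def private_key_texts(self):
        return [k.privateKey for k in self._by_name.values() if k.privateKey]


def substitute_keys(properties: dict, property_types: dict, store: KeyStore) -> dict:
    """Return a driver-bound copy of properties in which every key-typed
    property is replaced by the stored material.  Portions Brent does not hold
    are simply omitted, so a public-only key yields no privateKey field."""
    resolved = {}
    for prop, value in properties.items():
        if property_types.get(prop) != "key":
            resolved[prop] = value  # non-key properties pass through untouched
            continue
        key = store.get(value)  # raises KeyError for an unknown key name
        material = {"keyName": key.name}
        if key.publicKey is not None:
            material["publicKey"] = key.publicKey
        if key.privateKey is not None:
            material["privateKey"] = key.privateKey
        resolved[prop] = material
    return resolved


def leaks_key_material(obj, store: KeyStore) -> bool:
    """True if any stored private-key text appears anywhere in obj.
    Useful as a last-line check on payloads that leave Brent north-bound."""
    secrets = store.private_key_texts()

    def walk(node) -> bool:
        if isinstance(node, dict):
            return any(walk(v) for v in node.values())
        if isinstance(node, (list, tuple)):
            return any(walk(v) for v in node)
        if isinstance(node, str):
            return any(s in node for s in secrets)
        return False

    return walk(obj)


# Constructed sample data: one shared key with both portions, one public-only key.
STORE = KeyStore([
    InfrastructureKey(id="k-1", name="lab-shared-key",
                      privateKey="-----BEGIN CONSTRUCTED PRIVATE KEY-----",
                      publicKey="ssh-ed25519 AAAA-constructed lab"),
    InfrastructureKey(id="k-2", name="public-only-key",
                      publicKey="ssh-ed25519 BBBB-constructed public-only"),
])
PROPERTY_TYPES = {"image": "string", "ssh_key": "key", "jump_key": "key"}
NORTHBOUND_PROPERTIES = {"image": "ubuntu-22.04",
                         "ssh_key": "lab-shared-key",
                         "jump_key": "public-only-key"}


def resolve_sample() -> dict:
    return substitute_keys(NORTHBOUND_PROPERTIES, PROPERTY_TYPES, STORE)


if __name__ == "__main__":
    driver_payload = resolve_sample()
    print("north-bound leaks material:", leaks_key_material(NORTHBOUND_PROPERTIES, STORE))
    print("driver payload:", driver_payload)
```

The `leaks_key_material` guard is the defensive half of the picture: anything serialised for a north-bound response can be run through it, so a regression that accidentally returns resolved properties instead of key names is caught before the material leaves the system.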
Use Cases
TNC-O infrastructure keys support a number of use cases:
- Provisioning (compute) infrastructure, such as VMs, with pre-defined SSH keys from the shared infrastructure key pool at infrastructure instantiation time. Note that this is dependent on the capabilities of the underlying VIM technology, and on whether it supports provisioning new SSH keys from existing key material provided by TNC-O.
- Storing SSH keys in TNC-O that have been generated during provisioning of infrastructure (e.g. VMs) by a Resource driver. They can be stored either as per-resource keys, or in the shared infrastructure key pool so that the keys can be used to provision other infrastructure.
In both cases, the storage of infrastructure keys in TNC-O allows TNC-O to securely communicate with infrastructure.
REST API
See the Infrastructure Keys API Definition.