Infrastructure keys

Infrastructure keys let you pass sensitive key information, for example, SSH keys, in instance properties (properties that are defined in the resource and assembly descriptors) without exposing its content. They are managed by the resource manager, Brent, which persists them encrypted in the database, and they are not exposed north of Brent. Only the key name is present in the instance properties: the value of an instance property of type key is the name of an infrastructure key, which Brent substitutes with the key in real time before the properties are passed down into the drivers.

An infrastructure key comprises a private key, a public key (SSH keys), or both, and is used when provisioning and communicating with infrastructure. Infrastructure keys are managed by the orchestration component (Brent), which provides REST APIs to manage them. The keys themselves are not exposed north-bound of Brent, only their names. Brent dynamically substitutes any key names in properties with the real key (public and private portions, if defined). Brent then sends the key material over an SSH HTTP connection to the resource drivers.

There are two types of infrastructure key:
  1. shared: These keys form a global pool of infrastructure keys that are created by using the Brent REST APIs and can be shared between resource instances.
  2. resource instance: These keys are generated by infrastructure and are linked to the resource instance that created them (so that they are removed when the resource instance is removed).

The structure of an infrastructure key is:
  • id: Generated by Brent
  • name: The name of the infrastructure key. For shared keys, this is provided when the key is created by using the REST APIs. For resource instance infrastructure keys, this is provided with the key material sent back by the driver. This is mandatory.
  • description: A description for the infrastructure key.
  • privateKey: Private key portion of the infrastructure key, which is stored securely at rest by Brent.
  • publicKey: Public key portion of the infrastructure key.

Note: Either privateKey or publicKey, or both, can be provided.
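The following added example (not Brent's code and not part of the product documentation) models the substitution described above: instance properties carry only a key name, and the name is swapped for key material just before the properties go to a driver. The `KeyStore` class, the `resource_instance` field, and the shape of the resolved property (`keyName`, `privateKey`, `publicKey` in one dictionary) are assumptions made for illustration.

```python
import uuid
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class InfrastructureKey:
    name: str                                 # mandatory
    description: str = ""
    privateKey: Optional[str] = None          # either or both portions may be set
    publicKey: Optional[str] = None
    resource_instance: Optional[str] = None   # assumed field: None means shared pool
    id: str = field(default_factory=lambda: str(uuid.uuid4()))  # generated by the store

class KeyStore:
    """Toy stand-in for the resource manager's key store (not Brent's code)."""
    def __init__(self):
        self._keys = {}

    def add(self, key):
        if not key.name:
            raise ValueError("infrastructure key name is mandatory")
        self._keys[key.name] = key

    def remove_resource_instance(self, instance_id):
        # Resource instance keys go away with the instance; shared keys stay.
        self._keys = {n: k for n, k in self._keys.items()
                      if k.resource_instance != instance_id}

    def resolve_for_driver(self, properties):
        """Return a copy of properties with key names replaced by key material."""
        resolved = {}
        for prop_name, prop in properties.items():
            if prop.get("type") != "key":
                resolved[prop_name] = dict(prop)
                continue
            key = self._keys.get(prop["value"])
            if key is None:   # fail closed rather than pass a bare name to a driver
                raise LookupError(f"unknown infrastructure key: {prop['value']!r}")
            resolved[prop_name] = {"type": "key", "keyName": key.name,
                                   "privateKey": key.privateKey,
                                   "publicKey": key.publicKey}
        return resolved

# Constructed sample data; the key strings are placeholders, not real keys.
store = KeyStore()
store.add(InfrastructureKey("shared-admin", publicKey="ssh-ed25519 PLACEHOLDER"))
store.add(InfrastructureKey("vm1-key", privateKey="PLACEHOLDER-PRIVATE",
                            resource_instance="vm1"))
instance_properties = {"flavor": {"type": "string", "value": "small"},
                       "ssh_key": {"type": "key", "value": "vm1-key"}}
```

The original `instance_properties` dictionary is never modified, so anything that stores or displays it sees only the key name; only the copy returned by `resolve_for_driver` holds key material and should be kept out of logs.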

Use cases

Orchestration infrastructure keys support a number of use cases:
  • Provisioning (compute) infrastructure, such as VMs, with pre-defined SSH keys from the shared infrastructure key pool at infrastructure instantiation time. Note that this depends on the capabilities of the underlying VIM technology, and on whether it supports the provisioning of new SSH keys from existing key material that is provided by the orchestration component.
  • Storing SSH keys generated during provisioning of infrastructure (for example, VMs) by a resource driver in the orchestration component. They can be stored either as per-resource keys, or in the shared infrastructure key pool so that the keys can be used to provision other infrastructure.

In both cases, the storage of infrastructure keys in the orchestration component allows it to securely communicate with infrastructure.

REST API

For more information, see Infrastructure keys.