On Thu, Dec 12, 2024 at 9:27 PM Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk> wrote:

I made a proof-of-concept for nova instance identity documents here
https://github.com/bbc/nova/commit/382984a3a23032c96089cb5877a55e425db7cee4 inspired by the AWS implementation.
Unfortunately I have never had time to take this any further.
Thanks for the example code -- I think this is now at least two alternative implementations that I've seen, which definitely indicates "market demand" in my mind. As one of the main perpetrators of Nova's metadata and vendordata implementations, I definitely prefer the "in nova" approach you've taken here. It seems much less fragile than something external to nova. I also think that adding a URL / file to the metadata is a relatively safe operation, especially now that we're no longer pretending to be EC2 in metadata like we did back in the day.

That said, I think your PR also surfaces the hard bit here without providing a strong solution -- in order to sign the identity document, we need a way for every hypervisor to have access to a private key and its password. That's true if we go the JWT route (which I'd have to think more about), or if we simply provide a JSON file with a signature in a separate URL / file (which is how EC2 does this). I am concerned about schemes which place that secret on every hypervisor because if it leaks we'd have a pretty big problem.

I can think of alternative schemes though:

* we could generate this document and its signature somewhere more central and then ship it around in the database. I am not sure where that central place would be though.

* we could build out a PKI tree in the deployment, with perhaps each hypervisor having an intermediate certificate hanging off the "deployment root certificate".

However, either of those schemes is going to be a lot more code than the actual metadata implementation itself. There are some similar things happening already -- certificates for libvirt TLS and the not-yet-landed certificates for SPICE console connections spring to mind, but in general Nova assumes those are created during deployment and managed externally.

Sorry to create more problems than I'm solving, but I think my thinking might be iterating down to "this looks useful, but fiddly to implement".

Cheers,
Michael
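Added example (not Nova code, not Jonathan's proof-of-concept, and not what either message proposes verbatim): the "PKI tree" alternative from the reply above, combined with the EC2-style layout of a JSON document plus a detached signature served separately. A central deployment root issues each hypervisor its own short-lived signing certificate, the hypervisor signs the document with its own key, and the guest verifies holding only the root. The verifier also checks that the hypervisor named in the document matches the signing certificate, so a key leaked from one host cannot mint documents claiming to come from another, which is the blast-radius property that motivates the scheme. Uses only Go's standard library; the document field names, hostnames and the two-level chain (root directly issuing per-hypervisor certificates rather than full intermediates) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IdentityDocument is a hypothetical instance identity document; the field
// names are assumptions for this example, not Nova's.
type IdentityDocument struct {
	InstanceID string `json:"instance_id"`
	ProjectID  string `json:"project_id"`
	Hypervisor string `json:"hypervisor"`
	IssuedAt   int64  `json:"issued_at"`
}

// SignedDocument is what a metadata service could serve at a separate URL:
// the exact document bytes, a detached signature, and the signer's certificate.
type SignedDocument struct {
	Document  []byte // JSON bytes exactly as served; the signature covers these
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Document)
	SignerDER []byte // DER certificate of the hypervisor that signed
}

// Signer holds one party's key and certificate. For a hypervisor the cert is
// issued by the deployment root; the root key itself stays on the central CA.
type Signer struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewDeploymentRoot creates the self-signed "deployment root certificate".
func NewDeploymentRoot() *Signer {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "nova-deployment-root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return &Signer{Key: key, Cert: issue(tmpl, tmpl, &key.PublicKey, key)}
}

// NewHypervisorSigner issues a per-host signing certificate from the root.
// Each host gets its own key, so a leak is contained to that host and can be
// handled by revoking or simply not renewing that one short-lived cert.
func NewHypervisorSigner(root *Signer, hostname string, serial int64) *Signer {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: hostname},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	return &Signer{Key: key, Cert: issue(tmpl, root.Cert, &key.PublicKey, root.Key)}
}

// Sign serialises the document and produces the detached signature. It signs
// whatever it is given: the binding to the host is enforced by Verify.
func (s *Signer) Sign(doc IdentityDocument) (*SignedDocument, error) {
	body, err := json.Marshal(doc)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedDocument{Document: body, Signature: sig, SignerDER: s.Cert.Raw}, nil
}

// Verify is what the guest (or a service the guest presents the document to)
// runs while holding only the deployment root certificate.
func Verify(root *x509.Certificate, sd *SignedDocument) (*IdentityDocument, error) {
	signer, err := x509.ParseCertificate(sd.SignerDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return nil, fmt.Errorf("signer certificate does not chain to deployment root: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return nil, errors.New("unexpected signer key type")
	}
	digest := sha256.Sum256(sd.Document)
	if !ecdsa.VerifyASN1(pub, digest[:], sd.Signature) {
		return nil, errors.New("signature does not match document")
	}
	var doc IdentityDocument
	if err := json.Unmarshal(sd.Document, &doc); err != nil {
		return nil, err
	}
	// Bind the claim to the certificate: a key leaked from host B cannot be
	// used to mint documents that claim to have been issued by host A.
	if doc.Hypervisor != signer.Subject.CommonName {
		return nil, errors.New("document hypervisor does not match signer certificate")
	}
	return &doc, nil
}

func main() {
	root := NewDeploymentRoot()
	hv := NewHypervisorSigner(root, "compute-a.example", 2)
	sd, _ := hv.Sign(IdentityDocument{InstanceID: "i-00000001", ProjectID: "proj",
		Hypervisor: "compute-a.example", IssuedAt: time.Now().Unix()})
	doc, err := Verify(root.Cert, sd)
	fmt.Println(doc, err)
}
```

The guest needs the root certificate out of band (baked into the image or delivered by the deployment tooling), the same way a TLS client needs its trust store; serving it from the metadata service would defeat the purpose. What is served per instance is only `Document`, `Signature` and `SignerDER`, so the hypervisor's private key never leaves the host and the root key never leaves the CA.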