hi, i have a question regarding best practices using pulumi to provision & manage infrastructure.
say i have 300 bare metal machines or VPSs (not from cloud providers like GCP), i need to provide authentication credentials for pulumi to ssh into and manage those instances. then i need to manually generate 300 keypairs, right?
now, what's the best way to pass those key pairs around the team?
05/24/2021, 12:15 AM
I'm not sure I understand the value of having this many ssh keys. The management overhead is going to be a nightmare. Instead you could use signed SSH keys for your team and Pulumi, which would greatly reduce your number of keys.
The gist is all your servers/vps know the ssh key "certificate authority" and implicitly trust a user/pulumi connection when presented with a correctly signed SSH key.
Netflix did something on this a few years ago and the project is called "Bless". Users/Pulumi only get short-lived SSH keys.
05/24/2021, 12:34 AM
it's worth pointing out at this stage: Pulumi's support for managing things at the operating system layer comes as an artifact of a mechanism called dynamic providers - these providers were not originally designed for OS management, although it is possible.
We generally recommend handing over operating system provisioning to another configuration management tool like puppet or ansible
05/24/2021, 12:58 AM
Yes, that's an excellent point
05/26/2021, 3:58 AM
thanks, appreciate your insights. I'll research more on this.