by gfloyd 3740 days ago
This looks like a really cool project. I'm excited to see it develop.

How would authentication work with configuration management? I see that new nodes are authenticated with a one-time token generated from the auth server, but that seems like it could be tricky to implement in a dynamic cluster (like an AWS auto scaling group).

1 comment

Thanks! A one-time provisioning token helps a node connect and get a host certificate signed by the right CA key. All further authentication happens using OpenSSH host certificates. This also means that new nodes can simply join the cluster as long as they have the right certs, not using provisioning tokens at all. This allows you to have an external authority bootstrapping new nodes without talking to the existing auth server.
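The join flow described in the reply, modelled as an added example (not the project's code): a single-use provisioning token is redeemed exactly once to obtain a host certificate, every later check uses only the certificate, and a separate signer holding the same CA key can bootstrap a node without contacting the auth server at all. The `AuthServer` class, `sign_host_cert` function and the HMAC-based "certificate" are assumptions made for the illustration; a real deployment would use OpenSSH host certificates signed with the CA's private key, and the token store would be shared, persistent and time-limited so an auto-scaling group cannot replay a token from an old launch template.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical stand-in for an OpenSSH host certificate: "host_id|pubkey|expiry|mac",
# where the MAC plays the role of the CA signature. Constructed for this example only.
CERT_TTL = 3600


def sign_host_cert(ca_key: bytes, host_id: str, host_pubkey: str, ttl: int = CERT_TTL) -> str:
    """Issue a host 'certificate'. Anyone holding ca_key can do this, which is
    what lets an external authority bootstrap nodes without the auth server."""
    body = f"{host_id}|{host_pubkey}|{int(time.time()) + ttl}"
    mac = hmac.new(ca_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"


def verify_host_cert(ca_key: bytes, cert: str):
    """Return the host_id if the cert is authentic and unexpired, else None."""
    body, _, mac = cert.rpartition("|")
    expected = hmac.new(ca_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    host_id, _pubkey, expiry = body.split("|")
    if int(expiry) < time.time():
        return None
    return host_id


class AuthServer:
    """Toy auth server: mints single-use provisioning tokens and signs host certs."""

    def __init__(self):
        self.ca_key = secrets.token_bytes(32)  # stand-in for the CA private key
        self._tokens = {}                      # token -> expiry timestamp

    def issue_token(self, ttl: int = 300) -> str:
        token = secrets.token_hex(16)          # 128 bits of entropy, unguessable
        self._tokens[token] = time.time() + ttl
        return token

    def join(self, token: str, host_id: str, host_pubkey: str) -> str:
        # pop() consumes the token on first presentation, valid or not,
        # so a captured token cannot be replayed after the real node used it.
        expiry = self._tokens.pop(token, None)
        if expiry is None or time.time() > expiry:
            raise PermissionError("invalid, expired or already-used provisioning token")
        return sign_host_cert(self.ca_key, host_id, host_pubkey)

    def authenticate(self, cert: str):
        """All post-join authentication: certificate only, no token involved."""
        return verify_host_cert(self.ca_key, cert)


def try_join(auth: AuthServer, token: str, host_id: str, host_pubkey: str):
    """Helper returning the cert, or None when the join is rejected."""
    try:
        return auth.join(token, host_id, host_pubkey)
    except PermissionError:
        return None


if __name__ == "__main__":
    auth = AuthServer()
    tok = auth.issue_token()
    cert = auth.join(tok, "node-1", "ssh-ed25519 AAAA-constructed-key-1")
    print("node-1 authenticated as:", auth.authenticate(cert))
    print("token reuse rejected:", try_join(auth, tok, "node-x", "pk") is None)
```

The security-relevant property is in `join`: the token is removed from the store before any validation result is returned, so it is single-use even on failure, and after that point the node's identity rests entirely on the CA-signed certificate.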