Agents should use public/private keypair to validate/authenticate API requests Razeedash-api

[mckaymic]

Instead of using an org API key and cluster ID to authenticate API calls from watchkeeper and clustersubscription to the API a public/private key pair should be used.

1. During cluster attach process generate a new token to use for the new cluster. This gets stored in the cluster document and will be included in the install URL. This is unique to this 1 cluster
2. clustersubscription is installed onto the cluster. It looks for a public/private keypair in the razee-identity secret. If it's not there generate a new keypair.
3. clustersubscription makes an API call to the server. In the API call the client public key is passed to the server along with the cluster token. The public key is stored in the cluster document and the token is removed. Once the token is removed the cluster public key can no longer be set (unless the re-attach cluster API is used which will generate a new token)
4. All future calls from watchkeeper and clustersubscription will be signed with the private key on the cluster and verified with the public key on the server.

[mckaymic]

Signatures can be done with the Node Crypto Sign and Verify classes https://nodejs.org/api/crypto.html#crypto_class_sign

[stale[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[carrolp]

Razeedash-api is using standard apikey (aka 'org key') for auth, with key rotation. No desire to move to a more complicated / less standard approach. Closing as 'wontfix'