Distinct roles separation:
* Stateful auth server, it is stateful and exposes SSH
authentication endpoint to the cluster
* Stateless ssh node, it connects to the auth server
to authenticate access requests
* Stateless cp node, it provides web portal to access
the cluster and update users keys
Provisioning:
* Auth server automatically sets itself up on the first start,
no need to explicitly set encryption keys and authority certs
* SSH node connects to the Auth server to provision host private keys
and sertificates using special SSH provisioning key issued by
the auth server