Hello, the metadata service should use HTTPS. Without it, it becomes risky to query public_keys.
Referring to this service by the way
For example, this repo https://github.com/benpye/alpine-droplet builds an Alpine custom image that can be uploaded to Digital Ocean. I notice that it queries the metadata service to populate .ssh/authorized_keys but has to do it over HTTP.
If there was a MITM, they could modify the results to include their own key. Unless this is a secure endpoint, how could you trust any data returned from the metadata service?
Can Digital Ocean make this service available via a subdomain or URL? This would allow HTTPS and make scripts like the one above more secure. It would also give Digital Ocean the flexibility to change the service IP if needed without breaking scripts.