The osd service authenticates and authorizes its clients with mutual TLS: osd presents a server certificate to osctl, and osctl must in turn present a client certificate that osd trusts. In this section we configure mutual TLS by generating the certificates for the servers (osd) and the clients (osctl).

Cluster Owners

We recommend that the configuration of osd be performed by a cluster owner. A cluster owner should be a person of authority within an organization, perhaps a director, manager, or senior member of a team. They are responsible for safeguarding the root CA (in particular its private key) and for distributing certificates to authorized cluster administrators.

Cluster Administrators

Authorization to use osctl should be granted only to people responsible for cluster administration. As a cluster administrator, a user gains access to the out-of-band management tools offered by Talos, so the administrator's private key must be protected accordingly.

Configuring osd

To configure osd, we will need:

  • static IP addresses for each node that will participate as a master
  • and a root CA

The following steps should be performed by a cluster owner.

Generating the Root CA

The root CA can be generated by running:

osctl gen ca --hours <hours> --organization <organization>

The cluster owner should store the generated private key (<organization>.key) in a safe place that only other cluster owners can access: anyone holding this key can issue administrator certificates for the cluster, and the key is never needed outside the signing step. The public certificate (<organization>.crt) should be made available to cluster administrators because, as we will see shortly, osctl requires it.

Note: Do not pass the --rsa flag when generating the osd CA.

Generating the Identity Certificates

Talos provides automation for generating each node’s certificate.

Configuring osctl

To configure osctl, we will need:

  • the root CA we generated above
  • and a certificate signed by the root CA specific to the user

Setting up osctl is a joint process between a cluster owner and a user requesting to become a cluster administrator: the user generates a key pair and a certificate signing request (CSR), and the cluster owner signs the CSR with the root CA.

Generating the User Certificate

The user requesting cluster administration access runs the following:

osctl gen key --name <user>
osctl gen csr --ip --key <user>.key

Now the cluster owner must issue a certificate from that CSR. The CSR contains only the user's public key and a signature proving possession of the private key, so <user>.key stays on the user's machine. The requesting user submits the CSR generated above to the cluster owner, and the cluster owner runs:

osctl gen crt --hours <hours> --ca <organization> --csr <user>.csr --name <user>

The generated certificate (<user>.crt) is then sent back to the requesting user over a secure channel. The certificate itself is not secret, but the user must be able to trust that it really came from the cluster owner; the only secrets in this procedure are <organization>.key and <user>.key, and neither is ever transmitted.

The Configuration File

With all the above steps done, the new cluster administrator can create the configuration file for osctl. Each value in the file must be a single line of base64, so make sure your base64 tool does not wrap its output (GNU coreutils base64 wraps at 76 columns by default; pass -w0 to disable wrapping):

cat <organization>.crt | base64
cat <user>.crt | base64
cat <user>.key | base64

Now, create ~/.talos/config with the following contents, where <context> is a name of your choosing for this cluster and <node-ip> is the static IP address of the master node that osctl should talk to. Each named context lives under the contexts map, and the top-level context key selects which one is active:

context: <context>
contexts:
  <context>:
    target: <node-ip>
    ca: <base64-encoded root public certificate>
    crt: <base64-encoded user public certificate>
    key: <base64-encoded user private key>

Because this file contains the administrator's private key, restrict its permissions to the owning user (for example, chmod 600 ~/.talos/config).
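The following program is an added example that is not part of this page and not osctl's own code; it models the whole procedure above (gen ca, gen key and gen csr, gen crt, and the trust check an administrator should run before writing ~/.talos/config) with the Go standard library, so you can see exactly which party holds which key at each step. The function names, the organization "example-org", the user "alice", and the use of ECDSA P-256 for both the CA and the user key are assumptions for the illustration; the real osctl flags are only referenced in the comments.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs tmpl with signer under parent and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// GenCA models `osctl gen ca --hours <hours> --organization <org>` (owner step):
// a self-signed ECDSA P-256 CA, i.e. not RSA, as the note above requires.
func GenCA(org string, hours int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Duration(hours) * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// GenCSR models `osctl gen key --name <user>` + `osctl gen csr` (user step); only the DER CSR goes to the owner.
func GenCSR(user string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: user}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, csr, err
}

// SignCSR models `osctl gen crt --hours <hours> --ca <org> --csr <user>.csr` (owner step): the CSR's own
// signature proves the requester holds the key; the leaf is limited to client auth and gets a random serial.
func SignCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, hours int) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by its own key: %w", err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	return issue(&x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Duration(hours) * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, csr.PublicKey, caKey)
}

// VerifyClient is the check to run before writing ~/.talos/config: <user>.crt
// chains to <organization>.crt, permits client auth, and matches <user>.key.
func VerifyClient(ca, crt *x509.Certificate, key *ecdsa.PrivateKey) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := crt.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	if !key.PublicKey.Equal(crt.PublicKey) {
		return fmt.Errorf("certificate public key does not match <user>.key")
	}
	return nil
}

func main() {
	ca, caKey, _ := GenCA("example-org", 24*365) // owner
	userKey, csr, _ := GenCSR("alice")           // user; only csr is sent
	crt, _ := SignCSR(ca, caKey, csr, 24*30)     // owner; crt is sent back
	if err := VerifyClient(ca, crt, userKey); err != nil {
		panic(err)
	}
	fmt.Println("ok:", crt.Subject.CommonName, "expires", crt.NotAfter.UTC().Format(time.RFC3339))
}
```

VerifyClient is the part worth keeping in your toolbox: it catches a certificate issued by the wrong CA, one that is not marked for client authentication, and the common mistake of pairing <user>.crt with a stale or wrong <user>.key, all of which would otherwise show up only as an opaque TLS handshake failure against osd.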