The osd service enforces a high level of security by using mutual TLS for authentication and authorization: osd only accepts clients whose certificate chains to the cluster's root CA, and osctl only trusts a node whose certificate chains to that same CA. In this section we will configure mutual TLS by generating the certificates for the servers (osd) and the clients (osctl).
We recommend that the configuration of osd be performed by a cluster owner. A cluster owner should be a person of authority within an organization, perhaps a director, manager, or senior member of a team. They are responsible for safeguarding the root CA's private key and for distributing the PKI material (the CA certificate and the signed user certificates) to authorized cluster administrators.
The authorization to use osctl should be granted to a person responsible for cluster administration. As a cluster administrator, the user gains access to the out-of-band management tools offered by Talos, so issuing a user certificate is an access-control decision, not a formality.
Configuring osd
To configure osd, we will need:
- static IP addresses for each node that will participate as a master
- and a root CA
The following steps should be performed by a cluster owner.
Generating the Root CA
The root CA can be generated by running:
osctl gen ca --hours <hours> --organization <organization>
The cluster owner should store the generated private key (<organization>.key) in a safe place that only other cluster owners have access to. Anyone holding this key can issue certificates that every osd in the cluster will accept, so it must never be copied onto a node or onto an administrator's workstation. The public certificate (<organization>.crt) should be made available to cluster administrators because, as we will see shortly, it is required to configure osctl.
Note: the --rsa flag should not be specified for the generation of the root CA.
Generating the Identity Certificates
Talos provides automation for generating each node’s certificate.
Configuring osctl
To configure osctl, we will need:
- the root CA we generated above
- and a certificate signed by the root CA specific to the user
The process for setting up osctl is shared between a cluster owner and a user requesting to become a cluster administrator: the user generates a key and a certificate signing request (CSR), and the cluster owner signs the request.
Generating the User Certificate
The user requesting cluster administration access runs the following:
osctl gen key --name <user>
osctl gen csr --ip 127.0.0.1 --key <user>.key
This produces the private key <user>.key and the request <user>.csr. The CSR carries only the public key and the requested IP, so it is the only artifact the user should hand over; <user>.key never leaves the user's machine. Now, the cluster owner must generate a certificate from the above CSR. To do this, the user requesting access submits <user>.csr to the cluster owner, and the cluster owner runs the following:
osctl gen crt --hours <hours> --ca <organization> --csr <user>.csr --name <user>
The generated certificate is then sent to the requesting user using a secure channel. A certificate contains no secrets, so the channel is there to guarantee that the user receives the certificate the owner actually issued; the secret in this exchange is <user>.key, which is never transmitted.
The Configuration File
With all the above steps done, the new cluster administrator can now create the configuration file for osctl. First, base64-encode the root CA certificate, the user certificate and the user's private key:
cat <organization>.crt | base64
cat <user>.crt | base64
cat <user>.key | base64
Each value has to end up on a single line in the file; GNU coreutils base64 wraps its output at 76 columns by default, so on Linux use base64 -w 0 or join the lines. Now, create ~/.talos/config with the following contents:
context: <context>
contexts:
  <context>:
    target: <node-ip>
    ca: <base 64 encoded root public certificate>
    crt: <base 64 encoded user public certificate>
    key: <base 64 encoded user private key>
Because the file embeds the user's private key, restrict it to its owner (for example chmod 600 ~/.talos/config).
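The whole procedure above, from the root CA through the user's key and CSR, the cluster owner's signature, the check osd makes on a presented client certificate, and the base64 rendering of ~/.talos/config, as an added Go example using only the standard library's crypto/x509. This is illustrative code written for this page, not Talos' or osctl's own implementation. Assumptions: keys are ECDSA P-256 (the page only says not to pass --rsa for the CA); the organization name example-org, user name alice, context name example and node IP 10.0.0.10 are placeholders; the 127.0.0.1 IP SAN is the one from the osctl gen csr command above; and the functions genCA, genUserCSR, signCSR, verifyClient and talosConfig are this example's names, not osctl subcommands.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newTemplate returns a certificate skeleton valid for `hours` with a random 128-bit serial.
func newTemplate(subject pkix.Name, hours int) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err) // crypto/rand failing means the host has no usable entropy; nothing sensible can follow
	}
	return &x509.Certificate{SerialNumber: serial, Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Duration(hours) * time.Hour)}
}

// genCA plays the part of "osctl gen ca": a self-signed ECDSA P-256 root (no RSA). The key stays with the cluster owner.
func genCA(org string, hours int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := newTemplate(pkix.Name{Organization: []string{org}}, hours)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// genUserCSR plays the part of "osctl gen key" and "osctl gen csr --ip": only the CSR (public key plus IP SAN) is handed over.
func genUserCSR(user string, ip net.IP) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: user}, IPAddresses: []net.IP{ip}}
	csr, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, csr, err
}

// signCSR plays the part of "osctl gen crt": the cluster owner issues a client-auth certificate from the CSR.
func signCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, hours int) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // the CSR's self-signature proves the requester holds the private key
		return nil, err
	}
	tmpl := newTemplate(csr.Subject, hours)
	tmpl.IPAddresses, tmpl.KeyUsage = csr.IPAddresses, x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// verifyClient is the check the server side of mutual TLS makes on a presented client certificate:
// it must chain to the root CA, be inside its validity period and carry the clientAuth extended key usage.
func verifyClient(ca *x509.Certificate, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// talosConfig renders ~/.talos/config: each PEM file base64-encoded on a single line, as the YAML scalar requires.
func talosConfig(ctx, target string, caDER, crtDER []byte, key *ecdsa.PrivateKey) (string, error) {
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return "", err
	}
	b64 := func(typ string, der []byte) string {
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}))
	}
	return fmt.Sprintf("context: %s\ncontexts:\n  %s:\n    target: %s\n    ca: %s\n    crt: %s\n    key: %s\n",
		ctx, ctx, target, b64("CERTIFICATE", caDER), b64("CERTIFICATE", crtDER), b64("EC PRIVATE KEY", keyDER)), nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	ca, caKey, err := genCA("example-org", 8760) // cluster owner; placeholder organization name
	check(err)
	userKey, csr, err := genUserCSR("alice", net.ParseIP("127.0.0.1")) // user side; placeholder user name
	check(err)
	crt, err := signCSR(ca, caKey, csr, 720) // cluster owner side
	check(err)
	check(verifyClient(ca, crt)) // what osd would conclude about this certificate
	cfg, err := talosConfig("example", "10.0.0.10", ca.Raw, crt, userKey) // placeholder context and node IP
	check(err)
	fmt.Print(cfg)
}
```

Run it with go run; it prints a complete config in the shape shown above, with every value on one line. The interesting property is the split of roles: the user's private key is created in genUserCSR and only ever reaches talosConfig on the user's side, while the cluster owner sees nothing but the CSR, whose self-signature signCSR checks before issuing anything. verifyClient is the same chain-building check that osd's TLS handshake performs, so a certificate signed by any other CA, however valid on its own, is rejected.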