Closed: stereobutter closed this 1 month ago
It might be easier to establish a SideroLink tunnel back to the management plane. Talos automatically restricts maintenance mode API to SideroLink addresses only.
BTW, the use case I'm interested in is single-node Talos/k8s as edge devices.
Yes, SideroLink is even better in this case. You can use Omni which bundles all of that, or just do your own SideroLink management endpoint.
This issue isn't planned because our recommended approach would be to use Omni with SideroLink to verify nodes that are booted. With SideroLink, nodes have a shared secret with Omni and the API is not reachable outside of the tunnel.
Feature Request
Optionally verify client requests to maintenance API using client certificates.
Description
Currently, when a Talos node is in maintenance mode, anyone with network access to the machine can apply configuration to it. This is at odds with common zero-trust guidelines and best practices, and it would be great if maintenance mode could optionally verify clients the way the regular API does.
An idea for a possible implementation I had is via a kernel command line parameter, e.g.

`talos.maintenance-mode-client-CA=<CA key used to verify clients>`

that gets used by the maintenance API to verify clients. On the client side the user would just create a `talosconfig` with an appropriate `crt` and `key` (and `ca` for verifying the maintenance API) and use the regular `talosctl apply` command.
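The proposal above worked through in Go (Talos is written in Go) as an added example; this is not Talos code. It assumes the hypothetical kernel parameter carries the CA certificate as base64 DER, and shows the check that a listener configured with `tls.RequireAndVerifyClientCert` applies to a maintenance-mode client: no certificate, or one not chaining to the boot-time CA, is refused before any configuration can be applied.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"math/big"
	"strings"
	"time"
)
// Hypothetical kernel parameter from the proposal; its value is assumed to be the CA certificate as base64 DER.
const caParam = "talos.maintenance-mode-client-CA="
// clientCAFromCmdline extracts the CA certificate from the kernel command line (the next space ends the value).
func clientCAFromCmdline(cmdline string) (*x509.Certificate, error) {
	_, v, found := strings.Cut(" "+cmdline, " "+caParam)
	if !found {
		return nil, errors.New("no maintenance client CA on the kernel command line")
	}
	der, err := base64.StdEncoding.DecodeString(strings.TrimSpace(strings.SplitN(v, " ", 2)[0]))
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// verifyClient is the check tls.Config{ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
// performs at handshake time: no certificate, or one not chaining to the boot-time CA, is rejected.
func verifyClient(ca, peer *x509.Certificate) error {
	if peer == nil {
		return errors.New("client presented no certificate")
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
// issue makes a demo certificate signed by parent, or a self-signed CA when parent is nil (not production PKI).
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

A client certificate from any other CA, or no certificate at all, fails `verifyClient`, which is exactly the gap the open maintenance API leaves today.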