siderolabs / talos

Talos Linux is a modern Linux distribution built for Kubernetes.
https://www.talos.dev
Mozilla Public License 2.0

Allow configuration of custom CAs via the machine configuration #8867

Open flpajany opened 1 month ago

flpajany commented 1 month ago

Feature Request

A means to add a custom Certification Authority to the trusted CA certificates used by Talos images, so that they are able to connect to an Omni server on-prem whose certificate has been issued by that custom CA.

Description

I am using Omni On Prem on a VM and inside our network, our TLS certificates are delivered by a private custom CA. So to be able to connect to Omni through https, the Talos kernel, which is using a specific parameter (siderolinks), needs to trust the certificate announced by Omni. For that, the CA certificate must be trusted inside the Talos image at boot time.

I know that it is possible to build a custom image for Talos, but I think it is not really a convenient way to manage images and upgrades on a large scale (in an "industrial" way).

That's why I would very much like to be able to add the certificates of a custom CA to the trusted certificates list at boot time, or through Image Factory for example?

It would be great.

Thanks, Regards

smira commented 1 month ago

Machine config document:

apiVersion: v1alpha1   # header every Talos machine config document carries
kind: CertificateChainOfTrustConfig
name: my-enterprise-ca
spec:
  ca: |
    -----BEGIN CERTIFICATE-----
    ....
    -----END CERTIFICATE-----
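What it means for Talos to trust the CA placed in such a document, as an added Go example that is not Talos or Omni code: the configured PEM must be a CA certificate, and the Omni server certificate must chain to it for the SideroLink endpoint hostname. The CA name, the hostname omni.example.internal and both certificates are constructed inside the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// VerifyOmniCert: caPEM is the value the ca: field would hold; srv is the certificate Omni presents.
func VerifyOmniCert(caPEM []byte, srv *x509.Certificate, host string) error {
	b, _ := pem.Decode(caPEM)
	if b == nil || b.Type != "CERTIFICATE" {
		return errors.New("ca: not a PEM CERTIFICATE block")
	}
	ca, err := x509.ParseCertificate(b.Bytes)
	if err != nil {
		return err
	}
	if !ca.IsCA { // a server certificate pasted by mistake can never validate Omni's certificate
		return errors.New("ca: basicConstraints CA:TRUE missing")
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err = srv.Verify(x509.VerifyOptions{Roots: pool, DNSName: host}) // chain + hostname check
	return err
}

// ConstructedPair builds a throwaway enterprise CA and an Omni-style server certificate it signs (test data only).
func ConstructedPair(omniHost string) (caPEM []byte, srv *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "my-enterprise-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER) // signed form is the issuer of the server certificate
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: omniHost}, DNSNames: []string{omniHost},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey)
	srv, _ = x509.ParseCertificate(srvDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), srv
}
```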