
Talos API access through an authentication proxy

Open smira opened this issue 3 years ago • 2 comments

  • server CA validation: might be nothing, if the server CA is publicly trusted
  • several client authentication schemes:
    • (as it is today): client cert + key
    • Basic Auth
    • no auth (for development purposes)
    • other types of auth (TBD)
  • optional cluster field to target a specific cluster behind a proxy
  • endpoint becomes endpoint of the authentication proxy

talosconfig today:

    talos-default-457:
        endpoints:
            - 172.20.0.2
        ca: LS0tLS1CRUdJTiBDRV
        crt: LS0tLS1CRUd
        key: LS0t

talosconfig for going through an auth proxy:

    talos-via-proxy:
        endpoints:
            - [https://]auth.proxy:453  # scheme is optional, `grpc://` for HTTP/2 h2c
        ca: LS0tLS1CRUdJTiBDRV # optional
        auth:
           basic:
              username: XYZ
              password: UIO
        cluster: my-lovely-cluster-1

talosctl new flags:

  • --cluster flag

smira avatar Jul 28 '22 15:07 smira

Currently talosctl has port 50000 hardcoded for accessing the API. Even without additional options for client authentication it would be useful if endpoints could be fully specified by the user, e.g. talosctl stats --endpoints my-cluster-behind-a-loadbalancer:443 --nodes my-node

stereobutter avatar Aug 06 '22 10:08 stereobutter
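The following is an added example, not code from Talos or from either commenter. It sketches how a client could consume the `talos-via-proxy` fields proposed above (optional scheme, optional `ca`, `auth.basic`, `cluster`) together with the point raised in the previous comment about endpoints carrying their own port. Everything beyond the issue text is an assumption: the fallback to port 50000 when the endpoint has none, the refusal of Basic Auth over a cleartext `grpc://` endpoint, the rule that "no auth" is only accepted on such a development endpoint, and the `Plan`/`DialPlan` names. Today's client cert + key scheme is not modeled.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// DefaultAPIPort is the port talosctl currently hardcodes; using it as the
// fallback when an endpoint names no port is an assumption of this example.
const DefaultAPIPort = "50000"

// Endpoint is one normalized entry of the proposed `endpoints:` list.
type Endpoint struct {
	Scheme string // "https" (TLS) or "grpc" (HTTP/2 cleartext, h2c)
	Host   string
	Port   string
}

// ParseEndpoint applies the rules sketched in the proposal: the scheme is
// optional and defaults to https, "grpc://" selects cleartext h2c, and a
// missing port falls back to DefaultAPIPort.
func ParseEndpoint(raw string) (Endpoint, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return Endpoint{}, errors.New("empty endpoint")
	}
	if !strings.Contains(raw, "://") {
		raw = "https://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil {
		return Endpoint{}, err
	}
	if u.Scheme != "https" && u.Scheme != "grpc" {
		return Endpoint{}, fmt.Errorf("unsupported scheme %q (want https:// or grpc://)", u.Scheme)
	}
	if u.Hostname() == "" {
		return Endpoint{}, fmt.Errorf("endpoint %q has no host", raw)
	}
	port := u.Port()
	if port == "" {
		port = DefaultAPIPort
	}
	return Endpoint{Scheme: u.Scheme, Host: u.Hostname(), Port: port}, nil
}

// BasicAuth is the `auth.basic` block of the proposal.
type BasicAuth struct{ Username, Password string }

// DialPlan is everything the client needs before opening the connection.
type DialPlan struct {
	Endpoint      Endpoint
	TLS           *tls.Config // nil for grpc:// (h2c)
	Authorization string      // Authorization metadata value, "" when no auth
	Cluster       string      // the optional `cluster:` field, passed through as-is
}

// Plan turns the talos-via-proxy fields into a DialPlan and enforces the
// (assumed) client-side rules:
//   - empty ca means "trust the system roots" (the publicly trusted CA case),
//     otherwise ONLY the pinned CA is trusted;
//   - Basic Auth over grpc:// is refused: the password would travel in cleartext;
//   - "no auth" is accepted only on a grpc:// endpoint, i.e. for development.
func Plan(rawEndpoint, caB64 string, basic *BasicAuth, cluster string) (DialPlan, error) {
	ep, err := ParseEndpoint(rawEndpoint)
	if err != nil {
		return DialPlan{}, err
	}
	plan := DialPlan{Endpoint: ep, Cluster: cluster}

	if ep.Scheme == "https" {
		plan.TLS = &tls.Config{ServerName: ep.Host, MinVersion: tls.VersionTLS12}
		if caB64 != "" {
			pemBytes, derr := base64.StdEncoding.DecodeString(caB64)
			if derr != nil {
				return DialPlan{}, fmt.Errorf("ca: %w", derr)
			}
			pool := x509.NewCertPool()
			if !pool.AppendCertsFromPEM(pemBytes) {
				return DialPlan{}, errors.New("ca: no PEM certificate found")
			}
			plan.TLS.RootCAs = pool // RootCAs == nil would mean system roots
		}
	}

	switch {
	case basic == nil && ep.Scheme == "https":
		return DialPlan{}, errors.New("no auth configured: only allowed on a grpc:// development endpoint")
	case basic != nil && ep.Scheme != "https":
		return DialPlan{}, errors.New("basic auth over grpc:// would send the password in cleartext")
	case basic != nil:
		if basic.Username == "" || strings.Contains(basic.Username, ":") {
			return DialPlan{}, errors.New("basic auth: username must be non-empty and must not contain ':'")
		}
		plan.Authorization = "Basic " + base64.StdEncoding.EncodeToString([]byte(basic.Username+":"+basic.Password))
	}
	return plan, nil
}

func main() {
	// Values taken from the talos-via-proxy sample above; ca left empty.
	plan, err := Plan("auth.proxy:453", "", &BasicAuth{Username: "XYZ", Password: "UIO"}, "my-lovely-cluster-1")
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s://%s:%s cluster=%s auth=%s\n",
		plan.Endpoint.Scheme, plan.Endpoint.Host, plan.Endpoint.Port, plan.Cluster, plan.Authorization)
}
```

The resulting `tls.Config` and `Authorization` value are what a gRPC client would hand to its transport credentials and per-RPC metadata respectively; the `cluster` value is only carried here because the proposal does not say how the proxy expects to receive it.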

This will be available as part of the work here.

smira avatar Aug 08 '22 11:08 smira