https://a-cup-of.coffee/tags/go/Recent content in go on A cup of coffeeHugo -- gohugo.ioCopyright © 2024Fri, 10 Apr 2026 00:00:00 +0200https://a-cup-of.coffee/blog/talosctl-oidc/Fri, 10 Apr 2026 00:00:00 +0200https://a-cup-of.coffee/blog/talosctl-oidc/If you follow my blog regularly, you know I have a genuine fondness for Talos Linux. It’s the OS I recommend without hesitation for running Kubernetes: immutable, minimalist, SSH-free, with a gRPC API for all administration. In short, it’s what a cloud-native OS should be. But there’s one thing that has always bothered me a little: authentication. Talos uses mTLS (mutual TLS) to protect its API. In practice, for a user to run talosctl, they need a client certificate signed by the Talos CA.