Description
Summary
When using Talos with a custom root CA (e.g. for an internal proxy), the Talos nodes correctly trust the custom certificate authority via TrustedRootsConfig. However, the source controller does not automatically use the Talos root CA or proxy settings and currently provides no clear way to inject a custom root CA.
It would be helpful if the source controller automatically inherited the Talos machine configuration’s trusted roots and proxy settings.
Current Setup
In Talos, I configure a custom root CA for our internal proxy using:

```yaml
apiVersion: v1alpha1
kind: TrustedRootsConfig
name: custom-ca
certificates: |-
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
```

This works as expected for the Talos nodes themselves.
Problem
The source controller:
- Requires its own proxy configuration.
- Does not appear to automatically trust the custom root CA configured in Talos.
- Does not provide an obvious way to inject or reference the Talos TrustedRootsConfig.
As a result, connections from the source controller that go through the proxy fail due to untrusted certificate errors.
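Until the controller can inherit the Talos trust roots directly, the practical workaround is to hand it the same CA material explicitly. The helper below is an added example, not code from the issue or the project: it pulls the PEM blocks out of a TrustedRootsConfig document, sanity-checks that each one decodes to DER before it is trusted, and renders them as a ConfigMap `ca.crt` bundle. The sample document and its placeholder certificate body are constructed, and the assumption that the controller can consume a mounted CA bundle file is not something the issue states.

```python
import base64
import re
import textwrap

# Constructed sample: the TrustedRootsConfig shape from the issue, with a
# placeholder DER body (SEQUENCE { INTEGER 0 }) standing in for a real CA.
SAMPLE_TRUSTED_ROOTS = """\
apiVersion: v1alpha1
kind: TrustedRootsConfig
name: custom-ca
certificates: |-
  -----BEGIN CERTIFICATE-----
  MAMCAQA=
  -----END CERTIFICATE-----
"""

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def extract_pem_blocks(doc: str) -> list[str]:
    """Return every certificate in a TrustedRootsConfig as a normalised PEM block.

    YAML block-scalar indentation is stripped, so the output does not depend
    on how the document was indented. A block that is not valid base64 or
    does not decode to an ASN.1 SEQUENCE is rejected rather than trusted.
    """
    blocks = []
    for body in PEM_RE.findall(doc):
        b64 = "".join(line.strip() for line in body.splitlines())
        der = base64.b64decode(b64, validate=True)  # raises on corrupt input
        if not der or der[0] != 0x30:  # X.509 is always an ASN.1 SEQUENCE
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        wrapped = "\n".join(textwrap.wrap(b64, 64))  # canonical 64-col lines
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----")
    return blocks


def ca_bundle_configmap(blocks: list[str], name: str, namespace: str) -> str:
    """Render the extracted roots as a ConfigMap carrying a ca.crt bundle.

    Assumption (not from the issue): the controller can be pointed at a
    mounted CA bundle file; this is the artefact such a mount would need.
    """
    bundle = "\n".join(blocks) + "\n"
    indented = textwrap.indent(bundle, "    ")
    return (
        "apiVersion: v1\nkind: ConfigMap\n"
        f"metadata:\n  name: {name}\n  namespace: {namespace}\n"
        f"data:\n  ca.crt: |\n{indented}"
    )
```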
Expected Behavior
- The source controller should automatically use:
  - The trusted root CAs configured in the Talos machine configuration.
  - The proxy settings defined in the Talos machine configuration.

OR

- Provide a clear and documented way to:
  - Inject additional trusted root CAs.
  - Configure proxy settings in a way that aligns with Talos system configuration.
Why This Is Important
In environments with internal proxies and private PKI, configuring custom root CAs is common. Having to separately configure trust and proxy settings for controllers adds operational complexity and increases the risk of misconfiguration.
Aligning the source controller with Talos machine configuration would:
- Reduce duplication of configuration.
- Improve consistency.
- Simplify secure enterprise setups.