Skip to content

feat(talosctl): add --skip-verify flag to skip TLS certificate verification #12652

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kvaps wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat(talosctl): add --skip-verify flag to skip TLS certificate verification #12652

kvaps wants to merge 1 commit into from
+124 −0

Conversation

@kvaps
Copy link
Contributor

@kvaps kvaps commented Jan 23, 2026

Summary

Add global --skip-verify flag that disables TLS server certificate verification while preserving client certificate authentication.

This is useful when connecting to nodes via IP addresses not listed in the server certificate's SANs (e.g., NAT, VPN, port-forwarding scenarios).

Changes

  • Add SkipVerify field to global.Args struct
  • Add WithClientSkipVerify method that creates TLS connection with InsecureSkipVerify: true but preserves client certificate
  • Add --skip-verify global flag to all commands
  • Update commands that support --insecure to also check for --skip-verify:
    • apply-config
    • get
    • meta write/delete
    • reset
    • upgrade
    • version
    • wipe disk

Difference from --insecure

  • --insecure: Uses maintenance mode API without client authentication
  • --skip-verify: Uses normal authenticated API but skips server certificate verification

Test plan

  • Run talosctl get members --skip-verify -n <ip> against a node with mismatched SAN
  • Run talosctl apply-config --skip-verify -n <ip> -f config.yaml
  • Verify client authentication still works (commands fail without valid talosconfig)

@github-project-automation github-project-automation bot moved this to To Do in Planning Jan 23, 2026
@smira
Copy link
Member

smira commented Jan 23, 2026

As much as I see the problem, I don't like the idea of including this into talosctl. This leads to a risk of submitting sensitive data to a malicious actor pretending to be Talos API.

@kvaps kvaps marked this pull request as ready for review January 23, 2026 16:46
@talos-bot talos-bot moved this from To Do to In Review in Planning Jan 23, 2026
@kvaps kvaps mentioned this pull request Jan 23, 2026
Merged
4 tasks
@kvaps
feat(talosctl): add --skip-verify flag to skip TLS certificate verifi…
f2c9c7b 
…cation

Add global --skip-verify flag that disables TLS server certificate
verification while preserving client certificate authentication.

This is useful when connecting to nodes via IP addresses not listed
in the server certificate's SANs (NAT, VPN, port-forwarding scenarios).

Changes:
- Add SkipVerify field to global.Args struct
- Add WithClientSkipVerify method for TLS with InsecureSkipVerify
- Add --skip-verify global flag to all commands
- Update commands that support --insecure to also check --skip-verify

Signed-off-by: Andrei Kvapil <[email protected]>
@kvaps kvaps force-pushed the feat/skip-verify-flag branch from c0fb51f to f2c9c7b Compare January 23, 2026 18:34
@kvaps kvaps mentioned this pull request Jan 23, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Planning
Status: In Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kvaps @smira