Talos Custom CA using Intermediate.

[SoulKyu]

Description

Hello,
We are trying to setup a cluster with an existing PKI featuring a root CA and one intermediate CA per use case (etcd, kubernetes, front-proxy).

We were able to import everything with --from-kubernetes-pki and bootstrap the cluster.

Logs

Clients from pods are not able to validate the API server certificate :

2025-08-28 13:43:50,223 - ERROR - unable to create user role binding :: HTTPSConnectionPool(host='10.16.128.1', port=443): Max retries exceeded with url: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get issuer certificate (_ssl.c:1010)')))

Our debug

It seems like the root CA is missing, and we confirmed from talos source code that the root CA is not properly loaded.

We have found that on this file : internal/app/machined/pkg/controllers/k8s/control_plane_static_pod.go

    builder := argsbuilder.Args{
        "allocate-node-cidrs":              "true",
        "bind-address":                     "127.0.0.1",
        "cluster-cidr":                     strings.Join(cfg.PodCIDRs, ","),
        "service-cluster-ip-range":         strings.Join(cfg.ServiceCIDRs, ","),
    ->  "cluster-signing-cert-file":        filepath.Join(constants.KubernetesControllerManagerSecretsDir, "ca.crt"),
        "cluster-signing-key-file":         filepath.Join(constants.KubernetesControllerManagerSecretsDir, "ca.key"),
        "controllers":                      "*,tokencleaner",
        "configure-cloud-routes":           "false",
        "kubeconfig":                       filepath.Join(constants.KubernetesControllerManagerSecretsDir, "kubeconfig"),
        "authentication-kubeconfig":        filepath.Join(constants.KubernetesControllerManagerSecretsDir, "kubeconfig"),
        "authorization-kubeconfig":         filepath.Join(constants.KubernetesControllerManagerSecretsDir, "kubeconfig"),
        "leader-elect":                     "true",
    ->  "root-ca-file":                     filepath.Join(constants.KubernetesControllerManagerSecretsDir, "ca.crt"),
        "service-account-private-key-file": filepath.Join(constants.KubernetesControllerManagerSecretsDir, "service-account.key"),
        "profiling":                        "false",
        "tls-min-version":                  "VersionTLS13",
    }

As we can see, cluster-signing-cert-file is forced to be equal to root-ca-file. On our PKI, we have an intermediate CA so those arguments should not be the same.

What happens on our Kubernetes cluster :

On some on-premise cluster without Talos, we are able to configure both args with different certs.

Is this an actual limitation of Talos CA ? Did we miss somethings maybe ? We already have the same setup working on kubeadm clusters.

From our point of view, it could be nice if we could overwrite these parameters.

Thanks you so much for your help

Environment

• Talos version: v1.10.6
• Kubernetes version: v1.33.1
• Platform: metal (x86_64 - Proxmox VM)

[smira]

There is no support for this flow right now in Talos Linux.

The idea is to use always per-cluster unique PKI, which is more secure than trying to link it some CA which is shared.

[ribetm]

Which means we can't migrate our existing cluster to Talos ? If it's a known limitation it would be useful to document it in the Migrating from kubeadm page.

[smira]

Please open a PR to make any updates to the docs.