- Better understand how Talos server lifecycles work when managed by Sidero and ClusterAPI.
- Determine security best practices.
- Contribute issues and documentation based on what is found.
TBD
It looks like maintenance mode supports siderolink.
Many of the parameters are documented in a constants package. Search for constants prefixed with KernelParam.
Does this need to be accessible from outside the cluster to be useful? If so, how do we limit access to secrets to only legitimate servers/clients? If not, can we use the SideroLink join token + connection to access it instead?
I think this gets injected into a siderolink kernel parameter by Sidero.
What all does the WireGuard connection provide access to?
Can it be used to secure the configdata endpoint?
Does it expire, and can it be rotated?