---
title: "osd"
date: 2018-11-03T17:14:49-07:00
draft: false
weight: 10
menu:
  docs:
    identifier: "osd-configuration"
    parent: 'configuration'
    weight: 10
---

The `osd` service uses mutual TLS for authentication and authorization: the server (`osd`) and the client (`osctl`) each present a certificate issued by the cluster's root CA, and a client is accepted only if its certificate chains to that CA. In this section we will configure mutual TLS by generating the certificates for the servers (`osd`) and clients (`osctl`).

### Cluster Owners

We recommend that the configuration of `osd` be performed by a cluster owner. A cluster owner should be a person of authority within an organization, perhaps a director, manager, or senior member of a team. They are responsible for storing the root CA and for distributing the PKI material to authorized cluster administrators. Anyone who holds the root CA private key can issue certificates that `osd` will accept, so the set of cluster owners should be kept small.

### Cluster Administrators

The authorization to use `osctl` should be granted to a person responsible for cluster administration. As a cluster administrator, the user gains access to the out-of-band management tools offered by Talos.

## Configuring `osd`

To configure `osd`, we will need:

- static IP addresses for each node that will participate as a master
- a root CA

The following steps should be performed by a cluster owner.

### Generating the Root CA

The root CA can be generated by running the following (values in angle brackets are placeholders to be replaced):

```bash
osctl gen ca --hours <hours> --organization <organization>
```

The cluster owner should store the generated private key (the `.key` file) in a safe place that only other cluster owners have access to. The public certificate (the `.crt` file) should be made available to cluster administrators because, as we will see shortly, it is required to configure `osctl`.

{{% note %}}The `--rsa` flag should _not_ be specified for the generation of the `osd` CA.{{% /note %}}

### Generating the Identity Certificates

Talos provides automation for generating each node's certificate.
## Configuring `osctl`

To configure `osctl`, we will need:

- the root CA we generated above
- a certificate signed by the root CA, specific to the user

Setting up `osctl` is a joint process between a cluster owner and a user requesting to become a cluster administrator: the user generates a key and a certificate signing request (CSR), and the cluster owner signs the request with the root CA.

### Generating the User Certificate

The user requesting cluster administration access runs the following (values in angle brackets are placeholders to be replaced):

```bash
osctl gen key --name <name>
osctl gen csr --ip 127.0.0.1 --key <name>.key
```

Now the cluster owner must generate a certificate from the above CSR. The user requesting access submits the CSR generated above to the cluster owner, and the cluster owner runs the following:

```bash
osctl gen crt --hours <hours> --ca <ca> --csr <name>.csr --name <name>
```

The signed certificate is then returned to the requesting user over a secure channel. The private key generated in the first step never leaves the user's machine; only the CSR and the resulting certificate are exchanged. The certificate expires after the number of hours given with `--hours`, so choose a validity period that matches how long the administrator's access should last.

### The Configuration File

With all the above steps done, the new cluster administrator can create the configuration file for `osctl`. First, base64-encode the CA certificate, the user certificate, and the user key:

```bash
cat <ca>.crt | base64
cat <name>.crt | base64
cat <name>.key | base64
```

Each encoded value must be a single line when it is placed in the configuration file (GNU `base64` wraps its output at 76 columns by default, so join the lines before pasting). Now, create `~/.talos/config` with the following contents:

```yaml
context: <context>
contexts:
  <context>:
    target: <target>
    ca: <base64 of the CA certificate>
    crt: <base64 of the user certificate>
    key: <base64 of the user key>
```

Because this file contains the administrator's private key, it should be readable only by its owner.
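As an added example (not code from Talos or the `osctl` tool), the script below re-creates the enrolment flow above with `openssl` so it can be run offline: a stand-in root CA, a user key and CSR carrying the `127.0.0.1` address, signing by the owner, the checks a new administrator should run on the returned certificate before trusting it, and assembly of the configuration file with single-line base64 values. The key type (EC P-256), the file layout, and the function names are assumptions made for the example; `osctl gen` may use different algorithms and defaults.

```shell
#!/bin/sh
# Added example, not part of Talos or osctl: the osd/osctl enrolment flow
# re-created with openssl so it can be exercised offline.
# Assumptions: openssl is on PATH; EC P-256 keys stand in for whatever
# `osctl gen` produces; the YAML field names are the ones on this page.
set -eu

REQUEST_IP=127.0.0.1   # matches `osctl gen csr --ip 127.0.0.1` on this page

# Minimal openssl config so `req` works without a system openssl.cnf.
# write_cnf DIR
write_cnf() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/openssl.cnf"
  printf '[ca_ext]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = keyCertSign,cRLSign\n' >> "$1/openssl.cnf"
  printf '[user_ext]\nsubjectAltName = IP:%s\nextendedKeyUsage = clientAuth\n' "$REQUEST_IP" >> "$1/openssl.cnf"
}

# Cluster owner: root CA (stands in for `osctl gen ca --organization`).
# gen_ca DIR ORG
gen_ca() {
  write_cnf "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/ca.key"
  openssl req -new -x509 -config "$1/openssl.cnf" -extensions ca_ext \
    -key "$1/ca.key" -days 365 -subj "/O=$2" -out "$1/ca.crt"
  chmod 600 "$1/ca.key"   # only cluster owners may read the CA key
}

# Requesting user: key + CSR (stands in for `osctl gen key` / `osctl gen csr --ip`).
# gen_user_csr DIR NAME
gen_user_csr() {
  [ -f "$1/openssl.cnf" ] || write_cnf "$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key"
  openssl req -new -config "$1/openssl.cnf" -key "$1/$2.key" \
    -subj "/CN=$2" -out "$1/$2.csr"
}

# Cluster owner: sign the CSR (stands in for `osctl gen crt --hours`).
# sign_user_csr DIR NAME DAYS
sign_user_csr() {
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days "$3" -extfile "$1/openssl.cnf" -extensions user_ext \
    -out "$1/$2.crt" 2>/dev/null
}

# New administrator: checks to run on the returned certificate.
# verify_user_cert DIR NAME  (returns 0 only if every check passes)
verify_user_cert() {
  # 1. it chains to the root CA the owner published and is within its validity
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" 2>/dev/null | grep -q ': OK$' || return 1
  # 2. it was issued for the private key that stayed on this machine
  cert_pub=$(openssl x509 -in "$1/$2.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1/$2.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  # 3. the IP requested in the CSR is present in the certificate
  openssl x509 -in "$1/$2.crt" -noout -text | grep -q "IP Address:$REQUEST_IP" || return 1
}

# Single-line base64 of a file (-A disables line wrapping).
b64() { openssl base64 -A -in "$1"; }

# Assemble the configuration file described above.
# write_talos_config DIR NAME CONTEXT TARGET OUTFILE
write_talos_config() {
  cat > "$5" <<EOF
context: $3
contexts:
  $3:
    target: $4
    ca: $(b64 "$1/ca.crt")
    crt: $(b64 "$1/$2.crt")
    key: $(b64 "$1/$2.key")
EOF
  chmod 600 "$5"   # the file carries the administrator's private key
}
```

Running `gen_ca`, `gen_user_csr`, `sign_user_csr`, `verify_user_cert` and `write_talos_config` in that order against one directory produces a config file whose `ca`, `crt` and `key` values decode back to the original PEM files; a certificate signed by some other CA fails `verify_user_cert` on the first check, before the key and address checks are consulted.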