Thalassa Cloud Thalassa Cloud
Sign in Sign up

Thalassa Cloud Launches Key Management Service in Early Access

kms security
2026-06-11
By Thalassa Cloud
Last year we shared that we were building KMS and Secrets Manager for Thalassa Cloud. Today we are happy to be opening our Key Management Service (KMS) in Early Access. What is KMS, and why does it matter? A Key Management Service (KMS) is where you create, store, and control the cryptographic keys used across your environment. Applications and platform services call the KMS API to encrypt data, verify signatures, or generate keyed hashes — instead of embedding key material in configuration files or managing crypto libraries per service.
Read article

Topics

Latest Posts

RSS Feed

Thalassa Cloud Launches Key Management Service in Early Access

2026-06-11
Last year we shared that we were building KMS and Secrets Manager for Thalassa Cloud. Today we are happy to be opening our Key Management Service (KMS) in Early Access. What is KMS, and why does it matter? A Key Management Service (KMS) is where you create, store, and control the cryptographic keys used across your environment. Applications and platform services call the KMS API to encrypt data, verify signatures, or generate keyed hashes — instead of embedding key material in configuration files or managing crypto libraries per service.

Working with Thalassa Container Registry from Kubernetes

2026-06-11
You’ve pushed an image to Thalassa Cloud Container Registry. Now you want your Kubernetes cluster to pull it. Good news: there’s nothing exotic about this. It’s the same imagePullSecrets flow you’d use with any private registry - Docker Hub, ECR, whatever you’ve worked with before. This post walks you through it step by step, from credentials to a running pod. If you want the full reference, the Kubernetes guide has that covered.

Kubernetes Cluster provisioning, without hardcoded secrets

2026-05-27
You can deploy a Kubernetes cluster in 5 minutes using GitLab CI and Terraform—without storing any secrets in your pipeline. This guide shows you how to use OIDC (OpenID Connect) for secure authentication and deploy a production-ready cluster. By the end, you’ll have a working pipeline that creates and manages your Kubernetes cluster automatically. Why Use OIDC? Usually, CI/CD pipelines need API tokens stored as secrets. This causes problems. You must manually rotate tokens, which is easy to forget.

CVE-2026-31431 (Copy Fail): patched Kubernetes images on Thalassa Cloud

2026-05-01
CVE-2026-31431, known as Copy Fail, is a Linux kernel local privilege escalation affecting a wide range of kernels from 2017 until distributors ship the fix. On Kubernetes Clusters that may execute potentially malicious workloads (i.g. third party container images), the vulnerability may facilitate container escape scenarios (from a pod to the host). Utilising microVMs or other isolated runtime classes may mitigate impact. Thalassa Cloud Kubernetes images v1.34.7-1 and v1.35.4-1 include kernel module updates that address CVE-2026-31431 by applying the recommended mitigation from Canonical for Ubuntu.

Bootstrap workload identity with tcloud. GitHub, GitLab, and Kubernetes

2026-03-24
We want to eliminate static secrets wherever it is practical. Long-lived tokens in Git variables, copied into Terraform backends, or baked into cluster manifests rot slowly, leak easily, and rarely map cleanly to who actually called the API. Workload identity federation is a better default: a platform OIDC identity proves this pipeline or this service account ran the job, and Thalassa issues short-lived access in exchange. The tcloud iam workload-identity-federation bootstrap command is one piece of that puzzle.

IaaS controller: Manage Thalassa Cloud Infrastructure from Kubernetes

2026-03-22
We’re launching the Thalassa Cloud IaaS Controller in beta. It is a Kubernetes controller that extends the API with Custom Resource Definitions (CRDs) for Thalassa Cloud Infrastructure as a Service. You define VPCs, subnets, NAT gateways, route tables and routes, security groups, target groups, and VPC peering connections as Kubernetes resources; the controller reconciles them against the Thalassa IaaS API so cloud state matches what you commit-kubectl, standard RBAC, and GitOps (Argo CD, Flux, and similar) all apply.

Running WASM on Thalassa Kubernetes Service with RuntimeClass

2026-03-15
We’ve added WebAssembly (WASM) support to our Kubernetes service. A RuntimeClass for WASM is automatically provisioned on every cluster, so you can run WASM workloads alongside your containers without any extra setup. This post explains how it works and how to use it. Why run WASM on Kubernetes? WebAssembly gives you a portable, sandboxed execution environment. WASM modules are typically much smaller than container images, start very quickly, and run with strong isolation.