Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop.
With tcloud v0.20.0, browser-based OIDC login is the default.
Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop.
With tcloud v0.20.0, browser-based OIDC login is the default.
Every API call in your Thalassa Cloud organisation leaves a trace. Audit logs record who did what, when, and from where - VPC changes, Kubernetes cluster updates, KMS crypto operations, secret access, and failed authentication attempts. That trail is essential for incident response, access reviews, and compliance evidence.
Audit logging is enabled by default for every organisation. Entries are immutable: they cannot be modified or deleted through the API. You can browse logs in the console or query them via the audit API, but for compliance archives, SIEM ingestion, or periodic security reviews you often need a bulk export.
Ingress controllers have served Kubernetes well for years, but they bundle concerns that teams often want to separate: platform operators manage the edge, while application developers attach routes to their services. The Kubernetes Gateway API was designed for that approach, and kgateway implements it with Envoy as the data plane.
On Thalassa Cloud Kubernetes, each Gateway you create provisions an Envoy proxy and a LoadBalancer Service backed by a VPC Load Balancer.
Teams running workloads on Thalassa Cloud still had to host DNS with a separate provider. For organisations that use Thalassa for European data sovereignty, that left domain records outside the platform.
We heard from several customers that they prefer managing infrastructure and DNS through a single vendor: the same console, API, and audit trail they already use for VMs, Kubernetes, and load balancers, rather than maintaining zones at a third-party DNS service.
Teams running workloads on Thalassa Cloud often still store credentials with a separate secrets service. Some run OpenBao or HashiCorp Vault themselves — which works, but adds operational overhead on top of the application stack: deployment, upgrades, backup, and ongoing monitoring. Others rely on another third-party tool or vendor. For organisations that use Thalassa for European data sovereignty, that keeps sensitive values outside the platform they chose for compute and storage.
Last year we shared that we were building KMS and Secrets Manager for Thalassa Cloud. Today we are happy to be opening our Key Management Service (KMS) in Early Access.
What is KMS, and why does it matter? A Key Management Service (KMS) is where you create, store, and control the cryptographic keys used across your environment. Applications and platform services call the KMS API to encrypt data, verify signatures, or generate keyed hashes — instead of embedding key material in configuration files or managing crypto libraries per service.
You’ve pushed an image to Thalassa Cloud Container Registry. Now you want your Kubernetes cluster to pull it. Good news: there’s nothing exotic about this. It’s the same imagePullSecrets flow you’d use with any private registry - Docker Hub, ECR, whatever you’ve worked with before.
This post walks you through it step by step, from credentials to a running pod. If you want the full reference, the Kubernetes guide has that covered.