Browser OIDC login for tcloud CLI

cli security
2026-07-07
By Thalassa Cloud

Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop. With tcloud v0.20.0, browser-based OIDC login is the default.

Latest Posts

Browser OIDC login for tcloud CLI

2026-07-07
Until now, the default way to authenticate tcloud was a Personal Access Token (PAT): create one in the Console, paste it into tcloud context create, and hope it never ends up in shell history, a dotfile, or a shared screen recording. That works for automation, but it is a poor default for engineers who just want to manage clusters from a laptop. With tcloud v0.20.0, browser-based OIDC login is the default.

Exporting audit logs for compliance and security review

2026-06-25
Every API call in your Thalassa Cloud organisation leaves a trace. Audit logs record who did what, when, and from where - VPC changes, Kubernetes cluster updates, KMS crypto operations, secret access, and failed authentication attempts. That trail is essential for incident response, access reviews, and compliance evidence. Audit logging is enabled by default for every organisation. Entries are immutable: they cannot be modified or deleted through the API. You can browse logs in the console or query them via the audit API, but for compliance archives, SIEM ingestion, or periodic security reviews you often need a bulk export.

Secrets Manager now available in Early Access

Teams running workloads on Thalassa Cloud often still store credentials with a separate secrets service. Some run OpenBao or HashiCorp Vault themselves — which works, but adds operational overhead on top of the application stack: deployment, upgrades, backup, and ongoing monitoring. Others rely on another third-party tool or vendor. For organisations that use Thalassa for European data sovereignty, that keeps sensitive values outside the platform they chose for compute and storage.

Thalassa Cloud Launches Key Management Service in Early Access

Last year we shared that we were building KMS and Secrets Manager for Thalassa Cloud. Today we are happy to be opening our Key Management Service (KMS) in Early Access. What is KMS, and why does it matter? A Key Management Service (KMS) is where you create, store, and control the cryptographic keys used across your environment. Applications and platform services call the KMS API to encrypt data, verify signatures, or generate keyed hashes — instead of embedding key material in configuration files or managing crypto libraries per service.

Kubernetes Cluster provisioning, without hardcoded secrets

You can deploy a Kubernetes cluster in 5 minutes using GitLab CI and Terraform—without storing any secrets in your pipeline. This guide shows you how to use OIDC (OpenID Connect) for secure authentication and deploy a production-ready cluster. By the end, you’ll have a working pipeline that creates and manages your Kubernetes cluster automatically. Why Use OIDC? Usually, CI/CD pipelines need API tokens stored as secrets. This causes problems. You must manually rotate tokens, which is easy to forget.

CVE-2026-31431 (Copy Fail): patched Kubernetes images on Thalassa Cloud

CVE-2026-31431, known as Copy Fail, is a Linux kernel local privilege escalation affecting a wide range of kernels from 2017 until distributors ship the fix. On Kubernetes Clusters that may execute potentially malicious workloads (i.g. third party container images), the vulnerability may facilitate container escape scenarios (from a pod to the host). Utilising microVMs or other isolated runtime classes may mitigate impact. Thalassa Cloud Kubernetes images v1.34.7-1 and v1.35.4-1 include kernel module updates that address CVE-2026-31431 by applying the recommended mitigation from Canonical for Ubuntu.

Bootstrap workload identity with tcloud. GitHub, GitLab, and Kubernetes

We want to eliminate static secrets wherever it is practical. Long-lived tokens in Git variables, copied into Terraform backends, or baked into cluster manifests rot slowly, leak easily, and rarely map cleanly to who actually called the API. Workload identity federation is a better default: a platform OIDC identity proves this pipeline or this service account ran the job, and Thalassa issues short-lived access in exchange. The tcloud iam workload-identity-federation bootstrap command is one piece of that puzzle.