@kvaps kvaps commented Jan 23, 2026

Summary

  • Add global --skip-verify flag that disables TLS server certificate verification while preserving client certificate authentication
  • Useful when connecting to nodes via IP addresses not listed in the server certificate's SANs (NAT, VPN, port-forwarding scenarios)
  • Supported in apply and template commands

Link to upstream PR: siderolabs/talos#12652

Test plan

  • Test talm apply with --skip-verify flag against node with mismatched certificate
  • Test talm template with --skip-verify flag
  • Verify client certificate authentication still works with --skip-verify

Summary by CodeRabbit

  • New Features

    • Added --skip-verify flag to bypass TLS certificate verification while maintaining client certificate authentication.
  • Chores

    • Modernized dependency graph with updates to Kubernetes, AWS SDK v2, etcd, OpenTelemetry, and various runtime tooling.
    • Replaced Talos dependency with cozystack fork to incorporate specific fixes.

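The property the description above relies on (server certificate verification off, client certificate authentication still enforced) can be checked end to end without a cluster. The Go program below is an added example written for this page, not code from talm or Talos. It builds a constructed, in-memory PKI whose server certificate carries only the DNS SAN talos.internal, starts an in-process mTLS listener that stands in for a node's API and requires a client certificate signed by that CA, then dials it by 127.0.0.1 in the three ways the test plan lists: strict verification, skip-verify with the client certificate, and skip-verify without it. Every name in it (pki, serve, connect, RunScenarios, IsHostnameMismatch) is this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

type pki struct { // constructed in-memory PKI: CA, server cert with only a DNS SAN, operator client cert
	roots          *x509.CertPool
	server, client tls.Certificate
}

func newPKI() *pki {
	tmpl := func(serial int64, cn string, eku x509.ExtKeyUsage) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	}
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	// issue signs t with parentKey (self-signed when parent == t) and returns it with Leaf populated.
	issue := func(t, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) tls.Certificate {
		der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey))
		return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
	}
	caTmpl, caKey := tmpl(1, "example-talos-ca", x509.ExtKeyUsageAny), newKey()
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	ca := issue(caTmpl, caTmpl, caKey, caKey)
	srvTmpl := tmpl(2, "talos.internal", x509.ExtKeyUsageServerAuth)
	srvTmpl.DNSNames = []string{"talos.internal"} // no IP SAN: dialing 127.0.0.1 will not match
	roots := x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	return &pki{roots: roots, server: issue(srvTmpl, ca.Leaf, newKey(), caKey),
		client: issue(tmpl(3, "talm-admin", x509.ExtKeyUsageClientAuth), ca.Leaf, newKey(), caKey)}
}

// serve stands in for a node's API: it requires a client cert signed by the CA and answers "ok" only after client auth succeeds.
func serve(p *pki) net.Listener {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{p.server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: p.roots}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			if c.(*tls.Conn).Handshake() == nil { // fails when no valid client cert was presented
				c.Write([]byte("ok"))
			}
			c.Close()
		}
	}()
	return ln
}

// connect dials addr (an IP not in the server's SANs) like a --skip-verify client and waits for "ok", so a rejected client cert is caught too.
func connect(addr string, p *pki, skipVerify, sendClientCert bool) error {
	cfg := &tls.Config{RootCAs: p.roots, InsecureSkipVerify: skipVerify}
	if sendClientCert {
		cfg.Certificates = []tls.Certificate{p.client} // presented regardless of InsecureSkipVerify
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err // strict mode: "x509: certificate is valid for talos.internal, not 127.0.0.1"
	}
	defer conn.Close()
	conn.SetReadDeadline(time.Now().Add(5 * time.Second))
	_, err = io.ReadFull(conn, make([]byte, 2)) // under TLS 1.3 a rejected client cert surfaces here
	return err
}

// RunScenarios returns one error per scenario (nil means the mTLS session completed):
// strict mode with an IP not in the SANs, skip-verify with the client cert, skip-verify without it.
func RunScenarios() (strictMismatch, skipVerifyWithCert, skipVerifyNoCert error) {
	p := newPKI()
	ln := serve(p)
	defer ln.Close()
	addr := ln.Addr().String() // 127.0.0.1:<port>, like a NAT or port-forward endpoint
	return connect(addr, p, false, true), connect(addr, p, true, true), connect(addr, p, true, false)
}

// IsHostnameMismatch reports whether err is the SAN check failing, the error --skip-verify exists to bypass.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	fmt.Println(RunScenarios())
}
```

Run with go run: the first value is the hostname mismatch error, the second is <nil>, and the third is the server refusing the handshake because no client certificate was offered, which is what "preserving client certificate authentication" means in practice. The caveat worth keeping in mind is that InsecureSkipVerify drops the chain check as well as the SAN match, so on the NAT or VPN path anything answering on that IP is accepted as the node and receives whatever the client then sends (machine config, secrets). Where the only problem is the SAN, a tls.Config.VerifyConnection callback that re-verifies cs.PeerCertificates against the cluster CA without setting DNSName keeps the chain check while tolerating the name mismatch.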

coderabbitai bot commented Jan 23, 2026

Warning

Rate limit exceeded

@kvaps has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 57 seconds before requesting another review.


Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

This PR introduces TLS certificate verification skipping via a new --skip-verify flag, adds client initialization wrappers for conditional certificate handling, refactors the apply command structure from a curried to a direct function signature, and updates project dependencies including Kubernetes libraries, AWS SDK modules, and adds a fork replacement for Talos.

Changes

Dependency Management (go.mod)
  • Updated Kubernetes API/apimachinery dependencies from indirect to direct; bumped AWS SDK v2 modules (config, imds, kms) and smithy-go; upgraded runtime tooling dependencies (cosi-project, docker, etcd, OpenTelemetry); adjusted siderolabs modules; added Talos fork replacement directive pointing to cozystack/talos with associated machinery updates.

TLS Skip Verification Feature (main.go)
  • Added persistent --skip-verify boolean flag to root command, bound to commands.GlobalArgs.SkipVerify for bypassing TLS certificate verification.

Client Initialization Wrappers (pkg/commands/root.go)
  • Introduced WithClientSkipVerify() method to initialize Talos client with disabled TLS verification; added WithClientAuto() method for conditional routing between skip-verify and standard client paths based on GlobalArgs.SkipVerify state.

Command Routing & Documentation (pkg/commands/template.go, pkg/commands/talosctl_wrapper.go)
  • Added conditional branch in template command to route through WithClientSkipVerify when skip-verify is enabled; documented --skip-verify support in talosctl wrapper with inline comments.

Command Refactoring (pkg/commands/apply.go)
  • Restructured apply command entry point from curried function returning handler to direct error-returning function; reorganized control flow to include inline context initialization, file expansion, secret path resolution, engine configuration building, and integrated error handling without higher-order function wrapping.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A flag flies high to skip the walls,
Where certificates once blocked our calls,
Client wrappers dance with choice so true,
Commands refactored, shiny and new,
Dependencies bumped through the modern dew! 🌟

🚥 Pre-merge checks | ✅ 2 | ❌ 1
❌ Failed checks (1 warning)
  • Docstring Coverage: Warning. Docstring coverage is 66.67% which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately and concisely describes the main change: adding a --skip-verify flag for TLS certificate verification, which is the primary objective of this pull request.


@gemini-code-assist
Contributor

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the command-line interface by introducing a --skip-verify flag, allowing users to bypass TLS server certificate validation when connecting to nodes. This is crucial for environments with non-standard network configurations where certificate SANs might not match the connection endpoints. The change is implemented across relevant commands like apply and template, ensuring that client authentication remains intact. Alongside this new functionality, the PR also includes a comprehensive update of Go dependencies and integrates a custom fork of the Talos library to leverage specific upstream fixes.

Highlights

  • New Feature: --skip-verify flag: Introduced a global --skip-verify flag that disables TLS server certificate verification while preserving client certificate authentication. This flag is supported in apply and template commands.
  • Use Cases for --skip-verify: The --skip-verify flag is particularly useful in scenarios where nodes are accessed via IP addresses not listed in the server certificate's Subject Alternative Names (SANs), such as NAT, VPN, or port-forwarding setups.
  • Dependency Updates: Numerous Go module dependencies have been updated to their latest versions, including various AWS SDK components, container runtime libraries, etcd client libraries, and OpenTelemetry packages.
  • Talos Fork Integration: The project now uses a forked version of the siderolabs/talos library (github.com/cozystack/talos) to incorporate specific fixes, including support for --k8s-endpoint and --skip-verify.
  • Client Wrapper Enhancements: New client wrapper functions (WithClientSkipVerify, WithClientAuto) have been added to pkg/commands/root.go to facilitate the conditional handling of TLS verification based on the new flag.


Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@kvaps kvaps marked this pull request as ready for review January 23, 2026 20:30

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

The pull request successfully introduces the --skip-verify flag, allowing users to disable TLS certificate verification while maintaining client authentication. This feature is well-integrated into the apply and template commands, and new client helper functions (WithClientSkipVerify, WithClientAuto) have been added to facilitate this. Dependency updates are also included, notably a fork of the siderolabs/talos library to incorporate specific fixes related to the new functionality.

…cation

Add global --skip-verify flag that disables TLS server certificate
verification while preserving client certificate authentication.
This is useful when connecting to nodes via IP addresses not listed
in the server certificate's SANs (NAT, VPN, port-forwarding scenarios).

Supported in apply and template commands. Wrapped talosctl commands
show a warning that the flag is not supported.

Signed-off-by: Andrei Kvapil <[email protected]>
@kvaps kvaps merged commit 17ffc46 into main Jan 23, 2026
3 checks passed

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@pkg/commands/template.go`:
- Around line 110-112: The --skip-verify flag isn't applied in the file/in-place
path because templateWithFiles still wraps operations with WithClient or
WithClientMaintenance; update the loop inside templateWithFiles to check
GlobalArgs.SkipVerify and call WithClientSkipVerify (or the maintenance
equivalent) instead of WithClient/WithClientMaintenance when true, ensuring the
same conditional used in the non-file path (the code that currently returns
WithClientSkipVerify(templateFunc(args))) is mirrored in the templateWithFiles
loop so skip-verify takes effect for --file/--in-place flows.
