bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page:https://sealed-secrets.netlify.app/


--re-encrypt together with --cert

BlueCog opened this issue · comments

I'm currently exploring the use of SealedSecrets and have a specific question regarding its functionality. Can I use the --re-encrypt flag in conjunction with the --cert flag? Specifically, I'm interested in knowing if it's possible to use a custom public key along with a private key to re-encrypt.

In my experience, when I use --re-encrypt on Cluster 1 with a --cert pointing to a public key from Cluster 2, it seems to work seamlessly. I don't receive any errors from the controller, which suggests that this combination might be valid. However, I wanted to confirm if this is the expected behavior and if there are any potential issues or limitations I should be aware of when using these flags together.

Thanks for your time and assistance.

hi @BlueCog

No, you can't use the --cert flag to re-encrypt. However, if your new certificate is on the cluster, using kubeseal --re-encrypt should re-encrypt the secret with the latest certificate.

If you want to use your own certificate with --re-encrypt, we suggest you create a secret with your certificates as the controller does, and with --re-encrypt you will be able to re-encrypt the secret with your own certificate.

Álvaro

Hello @alvneiayu thanks for getting back to me.

In reaction to you:

No, you can't use the --cert flag to re-encrypt. However, if your new certificate is on the cluster, using kubeseal --re-encrypt should re-encrypt the secret with the latest certificate.

In this case the secret will be re-encrypted with the primary private key, right? So it won't use any (extra) custom public key I've implemented myself.

The case here is:

  • automatic key rotation is active
  • extra custom private keys are active (with self hosted public certs)

I'd like to re-encrypt with any of the extra custom private keys...

If you want to use your own certificate with --re-encrypt, we suggest you create a secret with your certificates as the controller does, and with --re-encrypt you will be able to re-encrypt the secret with your own certificate.

In this case multiple private keys are active in the controller (see above). So I don't have control over which certificate/private key would be used via the --re-encrypt method.

Is my assumption correct that --re-encrypt only works if there is 1 private key active? So that if I want to re-encrypt with a custom private key I have to recreate the secret entirely?

hi @BlueCog

Yes, if you have multiple certificates, the controller will always use the latest (newest) one to re-encrypt your secret. If you applied a newer certificate or your own certificate as a secret, you will always use the newest one. You can verify which certificate you are using by running --fetch-cert.

No. You have control over encryption (the latest one is used), but not over decryption: the controller has a registry with all the private keys applied, and it will check all the private keys to decrypt it.

In summary:

  • To encrypt: You will use the latest one certificate applied or created by the controller
  • To decrypt: The controller will check with all the private keys in your cluster. The controller will try to decrypt with the new one and so on.

Álvaro
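The "create a secret with your certificates as the controller is doing" step from the replies above, as an added shell example that is not part of this thread or of the sealed-secrets project: it emits the Secret manifest the controller looks for, so that once the controller has loaded it a plain kubeseal --re-encrypt (with no --cert) picks the key up as the newest one. Assumptions: the controller runs in kube-system under the default deployment name sealed-secrets-controller; the label and the kubernetes.io/tls layout are the ones the project's README documents for bring-your-own certificates.

```shell
#!/bin/sh
# Emit a Secret that hands the sealed-secrets controller an extra key pair.
# The controller only honours keys in its own namespace that carry the label
# sealedsecrets.bitnami.com/sealed-secrets-key=active (assumed namespace:
# kube-system; override SS_NAMESPACE if your install differs).

SS_NAMESPACE="${SS_NAMESPACE:-kube-system}"

# Single-line base64: GNU base64 wraps at 76 columns, macOS base64 does not.
b64() { base64 < "$1" | tr -d '\n'; }

# make_key_secret NAME CERT.pem KEY.pem  -> manifest YAML on stdout, 1 on error
make_key_secret() {
  name="$1"; cert="$2"; key="$3"
  [ -r "$cert" ] && [ -r "$key" ] \
    || { echo "make_key_secret: unreadable cert or key" >&2; return 1; }
  # Refuse non-PEM input before anything reaches the cluster.
  grep -q 'BEGIN CERTIFICATE' "$cert" \
    || { echo "make_key_secret: $cert is not a PEM certificate" >&2; return 1; }
  grep -q 'PRIVATE KEY' "$key" \
    || { echo "make_key_secret: $key is not a PEM private key" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${SS_NAMESPACE}
  labels:
    sealedsecrets.bitnami.com/sealed-secrets-key: active
type: kubernetes.io/tls
data:
  tls.crt: $(b64 "$cert")
  tls.key: $(b64 "$key")
EOF
}

# Typical flow (not run here; kubectl/kubeseal are not available offline):
#   make_key_secret my-key my.crt my.key | kubectl apply -f -
#   kubectl -n "$SS_NAMESPACE" rollout restart deploy sealed-secrets-controller
#   kubeseal --fetch-cert            # confirm the controller now serves my.crt
#   kubeseal --re-encrypt < old-sealed.yaml > new-sealed.yaml
```

Keep the private key file out of version control; only the sealed output and the certificate are safe to commit.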

Ok thanks.

So to be complete (see my original starting question above):

It is not possible to use --re-encrypt for a specific (custom) private key and certificate.

Please make this more clear in the documentation or even the error message.

error: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

This error message is not really clear that those two flags do not work together.