bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page:https://sealed-secrets.netlify.app/

Kubeseal --re-encrypt with local certificates

gvermoen opened this issue · comments

Which component:
Kubeseal 0.25.0

Is your feature request related to a problem? Please describe.
Not having access to the k8s cluster with kubeseal is a problem when resealing secrets. I do have access to the old and new master seal keys (backup in another secrets vault), but there is no way to provide them to the kubeseal --re-encrypt command.

Describe the solution you'd like
I would like to be able to provide old and new master keys when re-encrypting, like so:
kubeseal --re-encrypt --decrypt-cert old.pem --encrypt-cert new.pem -o yaml < sealed-secret.yaml > resealed-secret.yaml

Another option would be to have the possibility to decrypt a sealed-secret with the current --cert flag:
kubeseal --decrypt --cert old.pem -o yaml < sealed-secret.yaml > original-secret.yaml
Then I can use the existing functionality to encrypt it again with the new master sealing key:
kubeseal --cert new.pem --format yaml < original-secret.yaml > resealed-secret.yaml

Describe alternatives you've considered
Currently I cannot use the re-encrypt functionality, so the only option is to use the original secret and encrypt it with the new master seal key. However, this is not convenient as I don't have access to the originals either (they are not in git).

Sorry, didn't read well enough. It is possible to decrypt with the kubeseal --recovery-unseal --recovery-private-key flags.

https://github.com/bitnami-labs/sealed-secrets?tab=readme-ov-file#can-i-decrypt-my-secrets-offline-with-a-backup-key
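The workflow the thread settles on (unseal offline with the backed-up private key, then seal again with the new certificate), shown for a single value as an added Go example; this is not code from the issue or from the sealed-secrets project. The byte layout and the "namespace/name" scope label are assumptions modelled on the project's hybrid RSA-OAEP plus AES-GCM design, and the key pairs, the prod/db-creds Secret and the hunter2 value are constructed for the demo:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// ASSUMED wire layout, modelled on sealed-secrets' hybrid scheme (illustrative, not the project's code):
//   [2-byte big-endian length][RSA-OAEP/SHA-256 wrapped 32-byte AES key][AES-256-GCM ciphertext]
// The OAEP label carries the sealing scope; in strict scope it is "namespace/name".

// scopeLabel builds the strict-scope label, so a value sealed for one Secret cannot be opened as another.
func scopeLabel(namespace, name string) []byte { return []byte(namespace + "/" + name) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// hybridEncrypt is the per-value operation behind `kubeseal --cert new.pem`: a fresh
// session key encrypts the value and only that key is wrapped with the public key.
func hybridEncrypt(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2, 2+len(wrapped))
	binary.BigEndian.PutUint16(out, uint16(len(wrapped)))
	out = append(out, wrapped...)
	// The session key is used exactly once, so a fixed all-zero nonce is acceptable.
	return aead.Seal(out, make([]byte, aead.NonceSize()), plaintext, nil), nil
}

// hybridDecrypt needs the controller's private key, which is why offline recovery
// takes --recovery-private-key: the public --cert can only seal, never unseal.
func hybridDecrypt(priv *rsa.PrivateKey, ciphertext, label []byte) ([]byte, error) {
	if len(ciphertext) < 2 || len(ciphertext) < 2+int(binary.BigEndian.Uint16(ciphertext)) {
		return nil, fmt.Errorf("ciphertext too short (%d bytes)", len(ciphertext))
	}
	n := int(binary.BigEndian.Uint16(ciphertext))
	// OAEP fails closed on both a wrong key and a wrong label (scope).
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ciphertext[2:2+n], label)
	if err != nil {
		return nil, fmt.Errorf("unwrap session key: %w", err)
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), ciphertext[2+n:], nil)
}

// reseal is, for one value, the offline equivalent of `kubeseal --recovery-unseal
// --recovery-private-key old.key` followed by `kubeseal --cert new.pem --format yaml`.
func reseal(oldPriv *rsa.PrivateKey, newPub *rsa.PublicKey, ciphertext, label []byte) ([]byte, error) {
	plain, err := hybridDecrypt(oldPriv, ciphertext, label)
	if err != nil {
		return nil, err
	}
	return hybridEncrypt(newPub, plain, label)
}

// genKey generates an in-memory stand-in for a controller key pair (constructed, not a real key).
func genKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	oldKey, newKey := genKey(), genKey() // backed-up master key and new controller key
	label := scopeLabel("prod", "db-creds")
	sealed, _ := hybridEncrypt(&oldKey.PublicKey, []byte("hunter2"), label) // constructed sample value
	resealed, _ := reseal(oldKey, &newKey.PublicKey, sealed, label)
	plain, err := hybridDecrypt(newKey, resealed, label)
	fmt.Printf("new key opens resealed value: %q (err=%v)\n", plain, err)
	_, err = hybridDecrypt(oldKey, resealed, label)
	fmt.Println("old key opens resealed value:", err == nil)
	_, err = hybridDecrypt(newKey, resealed, scopeLabel("staging", "db-creds"))
	fmt.Println("other namespace opens resealed value:", err == nil)
}
```

Two points from the thread fall out of this directly. Sealing only needs the public certificate, which is why --cert was never going to decrypt anything and the offline path has to be --recovery-unseal with the private key from the backup. And because the scope label is bound into the OAEP operation, a value that is resealed for a different namespace or name fails closed instead of silently moving, so resealing has to preserve the original scope.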