Program managed sealed secret in GitOps environment (using ArgoCD)
lanore78 opened this issue · comments
lanore78 commented
Which component:
kubeseal
Is your feature request related to a problem? Please describe.
In my situation:
- Currently, we are operating a service that periodically generates a bunch of secret manifest files and pushes them to a git repository.
- And there is an ArgoCD application that syncs the git repository to Kubernetes clusters.
- Each secret contains access keys for a customer.
- This has a security problem.
So, we just found sealed-secrets, and so far we have almost finished applying sealed secrets.
The problem is:
- The generated sealed secret always changes even though the access key doesn't change.
- We are using kubeseal raw mode to seal.
- This causes ArgoCD events (Synced -> OutOfSync -> Synced), which makes it difficult for us to distinguish real alerts.
Describe the solution you'd like
- Provide an encryption option which generates the same result with the same input.
- I agree that this could lower the security level, but it may be a good option for someone who can take the risk.
Describe alternatives you've considered
- Nothing.
Additional context
Screenshot of kubeseal raw mode. Results are different with the same input.
This is our code used to run kubeseal in a Java program.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.apache.commons.exec.CommandLine;
import org.apache.commons.exec.DefaultExecutor;
import org.apache.commons.exec.ExecuteException;
import org.apache.commons.exec.ExecuteStreamHandler;
import org.apache.commons.exec.PumpStreamHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SealUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(SealUtils.class);

    // Runs `kubeseal --raw` with the plaintext on stdin (never on the command line)
    // and returns the sealed value printed on stdout, or "" if kubeseal failed.
    public static String seal(String plainText, String namespace, String secretName, String certPath) {
        String command = "kubeseal";
        String[] arguments = {"--raw", "--cert", certPath, "--namespace", namespace, "--name", secretName};
        CommandLine cmdLine = new CommandLine(command);
        cmdLine.addArguments(arguments);
        InputStream inputStream = new ByteArrayInputStream(plainText.getBytes(StandardCharsets.UTF_8));
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
        ByteArrayOutputStream errorStream = new ByteArrayOutputStream();
        DefaultExecutor executor = new DefaultExecutor();
        // stdout -> outputStream, stderr -> errorStream (kept for the error log), stdin <- inputStream
        ExecuteStreamHandler streamHandler = new PumpStreamHandler(outputStream, errorStream, inputStream);
        executor.setStreamHandler(streamHandler);
        try {
            executor.execute(cmdLine);
            return outputStream.toString(StandardCharsets.UTF_8.name());
        } catch (ExecuteException e) {
            LOGGER.error("Failed to seal plainText. Exit code: {}. stderr: {}",
                    e.getExitValue(), errorStream.toString(), e);
        } catch (IOException e) {
            LOGGER.error("Failed to seal plainText (IOException)", e);
        }
        return "";
    }
}
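The behaviour reported above (same plaintext, different sealed output on every run) is what any hybrid public-key scheme that draws a fresh session key per call produces. The Go program below is an added example written for this issue, not code from the sealed-secrets project: it models that style of sealing (random AES-256-GCM session key, RSA-OAEP wrapping under a namespace/name label) to show that two seals of identical input differ yet both unseal to the same value, and it shows a generator-side way to keep the committed manifest stable without a deterministic encryption mode: store a keyed fingerprint of the plaintext next to the sealed value and only re-seal when the fingerprint changes. The label encoding, the output byte layout, the zero nonce, the function names, and the fingerprint-gating approach are assumptions of this example, and the key pair and access key are constructed sample inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// sealLabel binds a raw sealed value to its target namespace and name.
// The exact label encoding kubeseal uses is an assumption of this example.
func sealLabel(namespace, name string) []byte {
	return []byte(namespace + "/" + name)
}

// hybridSeal: a fresh random AES-256-GCM session key encrypts the plaintext,
// and RSA-OAEP (under label) wraps that key with the controller's public key.
// rand.Reader is consulted on every call, so two seals of identical input
// differ even though both decrypt to the same value. Output layout (assumed
// here): 2-byte big-endian wrapped-key length, wrapped key, GCM ciphertext.
func hybridSeal(pub *rsa.PublicKey, label, plaintext []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	// The session key is never reused, so a fixed all-zero nonce is safe.
	nonce := make([]byte, gcm.NonceSize())
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	return gcm.Seal(out, nonce, plaintext, nil), nil
}

// hybridUnseal reverses hybridSeal; a wrong label makes OAEP unwrapping fail.
func hybridUnseal(priv *rsa.PrivateKey, label, sealed []byte) ([]byte, error) {
	if len(sealed) < 2 {
		return nil, errors.New("sealed value too short")
	}
	n := int(sealed[0])<<8 | int(sealed[1])
	if len(sealed) < 2+n {
		return nil, errors.New("sealed value truncated")
	}
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[2:2+n], label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[2+n:], nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// fingerprint is a keyed HMAC-SHA256 of the plaintext. The generator stores it
// beside the sealed value (e.g. as an annotation); a keyed MAC, unlike a plain
// hash, gives someone reading the repository nothing to brute-force a short
// access key against. fpKey stays on the generator side only.
func fingerprint(fpKey, plaintext []byte) string {
	m := hmac.New(sha256.New, fpKey)
	m.Write(plaintext)
	return hex.EncodeToString(m.Sum(nil))
}

// sealIfChanged returns the previously committed sealed value when the
// fingerprint matches, so an unchanged key yields an unchanged manifest and
// no Synced -> OutOfSync -> Synced churn; otherwise it re-seals.
func sealIfChanged(pub *rsa.PublicKey, fpKey, label, plaintext []byte,
	prevFP string, prevSealed []byte) (string, []byte, error) {
	fp := fingerprint(fpKey, plaintext)
	if prevSealed != nil && hmac.Equal([]byte(fp), []byte(prevFP)) {
		return fp, prevSealed, nil
	}
	sealed, err := hybridSeal(pub, label, plaintext)
	return fp, sealed, err
}

func main() {
	// Constructed sample inputs; a real pipeline would load the controller cert.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	label := sealLabel("customer-a", "api-creds")
	fpKey := []byte("generator-side-fingerprint-key")
	secret := []byte("sample-access-key-000001")
	a, _ := hybridSeal(&priv.PublicKey, label, secret)
	b, _ := hybridSeal(&priv.PublicKey, label, secret)
	fmt.Println("same input, identical sealed output:", bytes.Equal(a, b))
	fp, s1, _ := sealIfChanged(&priv.PublicKey, fpKey, label, secret, "", nil)
	_, s2, _ := sealIfChanged(&priv.PublicKey, fpKey, label, secret, fp, s1)
	pt, err := hybridUnseal(priv, label, s2)
	fmt.Println("unchanged key keeps committed value:", bytes.Equal(s1, s2),
		"and still unseals:", err == nil && bytes.Equal(pt, secret))
}
```

The gating step is the part that matters for the ArgoCD noise: the generator compares the new fingerprint with the one stored in git and rewrites the SealedSecret only when the plaintext really changed, so the ciphertext randomness never reaches the repository unless there is a real rotation to deploy.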