bitnami-labs / sealed-secrets

A Kubernetes controller and tool for one-way encrypted Secrets

Home Page:https://sealed-secrets.netlify.app/


Program managed sealed secret in GitOps environment (using ArgoCD)

lanore78 opened this issue · comments

Which component:
kubeseal

Is your feature request related to a problem? Please describe.
In my situation:

  • Currently, we are operating a service that periodically generates a bunch of secret manifest files and pushes them to a git repository.
  • And there is an ArgoCD application that syncs the git repository to Kubernetes clusters.
  • Each secret contains access keys for a customer.
  • This has a security problem.

So, we just found sealed-secrets, and so far we have almost finished applying sealed secrets.
The problem is:

  • The generated sealed-secret always changes even though the access key hasn't changed.
    • We are using kubeseal raw mode to seal.
  • This causes ArgoCD events (Synced -> OutOfSync -> Synced), which make it difficult for us to distinguish real alerts.

Describe the solution you'd like

  • Provide an encryption option which generates the same result for the same input.
    • I agree that this could lower the security level, but it may be a good option for someone who can take the risk.

Describe alternatives you've considered

  • Nothing.

Additional context
Screenshot of kubeseal raw mode. Results differ for the same input.

This is the code we use to run kubeseal from a Java program.

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.apache.commons.exec.CommandLine;
import org.apache.commons.exec.DefaultExecutor;
import org.apache.commons.exec.ExecuteException;
import org.apache.commons.exec.ExecuteStreamHandler;
import org.apache.commons.exec.PumpStreamHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SealUtils {
    private static final Logger LOGGER = LoggerFactory.getLogger(SealUtils.class);

    /**
     * Runs `kubeseal --raw` with the plaintext on stdin and returns the sealed
     * value, or an empty string on failure. Namespace and name are bound into
     * the ciphertext, so the value only decrypts for that Secret.
     */
    public static String seal(String plainText, String namespace, String secretName, String certPath) {
        CommandLine cmdLine = new CommandLine("kubeseal");
        cmdLine.addArguments(new String[] {"--raw", "--cert", certPath, "--namespace", namespace, "--name", secretName});

        // The plaintext goes in via stdin, so it never shows up in the process argument list.
        InputStream inputStream = new ByteArrayInputStream(plainText.getBytes(StandardCharsets.UTF_8));
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();

        DefaultExecutor executor = new DefaultExecutor();
        ExecuteStreamHandler streamHandler = new PumpStreamHandler(outputStream, null, inputStream);
        executor.setStreamHandler(streamHandler);

        try {
            executor.execute(cmdLine);
            return outputStream.toString(StandardCharsets.UTF_8.name());
        } catch (ExecuteException e) {
            LOGGER.error("Failed to seal plainText. Exit code: " + e.getExitValue(), e);
        } catch (IOException e) {
            LOGGER.error("Failed to seal plainText (IOException).", e);
        }

        return "";
    }
}
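Sealing is randomized by design (each kubeseal run encrypts under a fresh session key), so identical plaintext never yields identical output; rather than weakening the encryption, a generator can record a keyed digest of the plaintext on the SealedSecret and reseal only when that digest changes. The following is an added example in Python, not code from the issue or from sealed-secrets; the annotation name, DIGEST_KEY and the fake_seal stand-in for `kubeseal --raw` are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Assumed annotation name; chosen outside the controller's own annotation namespace.
DIGEST_ANNOTATION = "example.invalid/plaintext-hmac"
# Constructed demo key. In practice load it from a secret store, never from
# the git repository that holds the SealedSecrets.
DIGEST_KEY = b"constructed-demo-key-do-not-reuse"


def plaintext_digest(key: bytes, namespace: str, name: str, plaintext: bytes) -> str:
    """Keyed digest of the plaintext, scoped to namespace/name.

    HMAC rather than a bare hash: a bare SHA-256 of a short access key
    committed to git would let anyone with repo access test guesses offline.
    """
    msg = b"\0".join([namespace.encode(), name.encode(), plaintext])
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def fake_seal(plaintext: bytes, namespace: str, name: str) -> str:
    """Constructed stand-in for `kubeseal --raw`: like the real tool, it
    returns a different ciphertext on every call for the same input."""
    return secrets.token_urlsafe(32)


def seal_if_changed(existing: Optional[dict], key: bytes, namespace: str,
                    name: str, plaintext: bytes,
                    seal: Callable[[bytes, str, str], str] = fake_seal) -> tuple:
    """Return (manifest, resealed). Reuses `existing` unchanged when its
    recorded digest matches the current plaintext, so git sees no diff."""
    digest = plaintext_digest(key, namespace, name, plaintext)
    if existing is not None:
        recorded = existing["metadata"].get("annotations", {}).get(DIGEST_ANNOTATION, "")
        if hmac.compare_digest(recorded, digest):
            return existing, False
    manifest = {
        "apiVersion": "bitnami.com/v1alpha1",
        "kind": "SealedSecret",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {DIGEST_ANNOTATION: digest}},
        "spec": {"encryptedData": {"accessKey": seal(plaintext, namespace, name)}},
    }
    return manifest, True
```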