AB-Rhman/kubeseal-reencrypt
kubeseal-reencrypt

This repository contains the implementation plan and code for the kubeseal reencrypt feature, which automates the process of re-encrypting all SealedSecrets in a Kubernetes cluster.

Overview

The kubeseal reencrypt command is a proposed subcommand that extends the kubeseal CLI to re-encrypt every SealedSecret in a cluster under the controller's latest public key. Upstream kubeseal already does this one object at a time (kubeseal --re-encrypt sends a single SealedSecret to the controller, which re-seals it server-side); this feature applies the same operation across whole namespaces or the whole cluster. It matters after a sealing key renewal: the controller keeps its older private keys, so existing SealedSecrets still decrypt, but they are not protected by the new key until they are re-encrypted, and the old keys cannot be retired until nothing still depends on them.

Implementation Details

Core Components

  1. Command Line Interface

    • New reencrypt subcommand in kubeseal
    • Support for various flags and options
    • Progress reporting and logging
  2. SealedSecret Discovery

    • Kubernetes API client for listing SealedSecrets
    • Support for namespace filtering and label selectors
    • Pagination for large clusters
  3. Key Management

    • Fetch the active public keys (certificates) from the controller
    • Identify the latest public key, the one the controller seals new SealedSecrets with
    • Private keys stay in the cluster: the CLI handles public keys only, and any decryption runs inside the cluster (see Security Considerations)
  4. Re-encryption Process

    • Decrypt each value in-cluster with whichever existing private key it was sealed under
    • Re-encrypt with the latest public key, preserving the object's namespace/name scope so the value stays bound to the same SealedSecret
    • Verify that the new value decrypts under the latest key, then update the SealedSecret object; a value already sealed under the latest key is left untouched
  5. Logging and Reporting

    • Detailed progress logging
    • Error reporting and summary
    • Export capabilities
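The key-management and re-encryption steps above are the part of the plan that is easiest to get subtly wrong, so here is a self-contained model of that inner loop in Go. This is an added example, not code from this repository or from the upstream sealed-secrets project. It models the hybrid scheme Sealed Secrets uses (RSA-OAEP wrapping a per-message AES-256-GCM session key, with the namespace/name label as associated data); the byte layout, the Fingerprint helper and the function names are assumptions made for the example, and the label and plaintext in the usage notes are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/hex"
	"errors"
)

// Fingerprint names a key by the hex SHA-256 of its DER-encoded public key (an assumed scheme).
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for a valid *rsa.PublicKey
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal: RSA-OAEP(SHA-256) wraps a fresh 32-byte session key, then AES-256-GCM with label as AAD
// encrypts the payload. A fresh key per message is what makes the fixed all-zero nonce safe.
// Assumed layout: 2-byte big-endian length || RSA ciphertext || GCM ciphertext.
func Seal(pub *rsa.PublicKey, plaintext, label []byte) ([]byte, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(sessionKey)
	if err != nil {
		return nil, err
	}
	out := append([]byte{byte(len(wrapped) >> 8), byte(len(wrapped))}, wrapped...)
	return gcm.Seal(out, make([]byte, gcm.NonceSize()), plaintext, label), nil
}

// Unseal tries each candidate private key (keyed by fingerprint) and reports which one opened
// the value. The label must match the one used at sealing time; that binds a value to its object.
func Unseal(keys map[string]*rsa.PrivateKey, sealed, label []byte) ([]byte, string, error) {
	if len(sealed) < 2 || len(sealed) < 2+int(binary.BigEndian.Uint16(sealed)) {
		return nil, "", errors.New("sealed value is truncated")
	}
	n := int(binary.BigEndian.Uint16(sealed))
	for fp, priv := range keys {
		sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed[2:2+n], label)
		if err != nil {
			continue // not this key, or sealed under a different label
		}
		gcm, err := gcmFor(sessionKey)
		if err != nil {
			return nil, "", err
		}
		pt, err := gcm.Open(nil, make([]byte, gcm.NonceSize()), sealed[2+n:], label)
		if err != nil {
			return nil, "", errors.New("key matched but payload failed authentication (tampered ciphertext)")
		}
		return pt, fp, nil
	}
	return nil, "", errors.New("no candidate key decrypts this value")
}

// Reencrypt is one step of the rotation loop: open the value with whichever active key sealed it,
// re-seal it under the latest key, and prove the result opens under the latest key alone before the
// caller writes it back. A value already on the latest key is returned unchanged (changed=false).
func Reencrypt(keys map[string]*rsa.PrivateKey, latestFP string, sealed, label []byte) ([]byte, bool, error) {
	latest, ok := keys[latestFP]
	if !ok {
		return nil, false, errors.New("latest key must be among the candidate keys")
	}
	pt, fp, err := Unseal(keys, sealed, label)
	if err != nil {
		return nil, false, err
	}
	if fp == latestFP {
		return sealed, false, nil
	}
	out, err := Seal(&latest.PublicKey, pt, label)
	if err != nil {
		return nil, false, err
	}
	check, _, err := Unseal(map[string]*rsa.PrivateKey{latestFP: latest}, out, label)
	if err != nil || !bytes.Equal(check, pt) {
		return nil, false, errors.New("re-encrypted value does not round-trip under the latest key")
	}
	return out, true, nil
}
```

Three properties of this loop carry over to the real tool: it is idempotent (a second pass over an already-rotated value writes nothing, which is what makes resuming after an interrupted run safe), the label is passed through unchanged so a value cannot be silently re-scoped to another namespace, and the new value is decrypted once under the latest key before anything is written back, so a bad write cannot leave an object that no key can open.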

Usage

# Re-encrypt all SealedSecrets in all namespaces
kubeseal reencrypt --all-namespaces

# Re-encrypt in a specific namespace
kubeseal reencrypt --namespace my-app

# Dry run mode
kubeseal reencrypt --all-namespaces --dry-run

# Generate detailed report
kubeseal reencrypt --all-namespaces --report reencrypt-report.json

Flags

  • --all-namespaces: Process SealedSecrets in all namespaces
  • --namespace: Target a specific namespace
  • --label-selector: Filter SealedSecrets by label
  • --dry-run: Show what would be changed without applying
  • --concurrency: Number of parallel operations
  • --log-file: Path to write logs
  • --report: Path of the summary report file to write (the usage example above writes reencrypt-report.json)

Security Considerations

  1. Private keys never leave the cluster: the CLI fetches only public keys from the controller, and decryption happens inside the cluster
  2. Short-lived, least-privilege pods for decryption: whoever can create such pods, or read the controller's sealing-key Secrets, can effectively read every SealedSecret, so the Role that grants this must be tightly scoped and its use reviewed
  3. Secure cleanup of temporary resources
  4. Audit logging for all operations
  5. Re-encryption does not change the secret values themselves: if a sealing key was compromised, the secrets it protected must also be rotated, and the compromised key retired, not merely superseded

Performance Optimizations

  1. Parallel processing with configurable concurrency
  2. Efficient API pagination
  3. Batch updates for large clusters
  4. Progress tracking and resumability

Development Status

This is a work in progress. The implementation follows the plan outlined in the documentation.

Contributing

Please refer to the contribution guidelines for details on our code of conduct and the process for submitting pull requests.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
