sealed-secrets used with GitOps

[tuxpeople]

Hi

My understanding of sealed-secrets is like this:

1. I deploy sealed-secrets
2. I use kubeseal to seal my secrets
3. I apply the sealed secrets into my cluster
4. In the cluster, they get converted into "normal" secrets to be used
5. sealed-secrets automatically rotates the key. The newest key is used by kubeseal to create new sealed secrets, whilst the old keys are still available to decrypt old sealed secrets.

Assuming this is correct, I'm not sure how this works together with GitOps. Maybe I just don't see it :-)

Assuming I'm using Flux for GitOps. I've sealed-secrets in my git repo to be deployed by Flux. I also have my encrypted secrets there. Everything is working smoothly like described above. What I don't understand is the following: If I reoinstall my cluster and adding my flux gitrepo again, a new "instance" of sealed-secrets get's deployed into my new cluster. This new instance of sealed-secrets does not have the old keys of the former instance, right? How would this new instance be able du decrypt the secrets generated earlier with the "old" instance of sealed-secrets?

Br
Thomas

[harry643]

Hey @tuxpeople, your new deployment of the sealed-secrets controller/operator wouldn't be able to decrypt existing SealedSecrets, so you have to get the olds keys into the new cluster (you can automate this).

These quotes from the docs will help you:

[sealing keys] are just normal k8s secrets living in the same namespace where the sealed secret controller lives.

and

you can share the same sealing key among a few clusters so that you can apply exactly the same sealed secret in multiple clusters.

This should mean you can extract the sealing keys from the cluster using the oc command-line tool and use them however you like.

More here: https://github.com/bitnami-labs/sealed-secrets#manual-key-management-advanced