Skip to content

Bring-your-own-certificate - controller does not fetch latest key imported #1639

@sybernatus

Description

@sybernatus

Which component:
The name (and version) of the affected component (controller or kubeseal)

  • kubeseal: v0.27.1
  • controller: v0.26.3

Describe the bug
We followed the documentation bring-your-own-certificate

While importing our own key on the controller under the test-key secret name, the new key is taken into account by the controller once we restarted it:

time=2024-11-20T13:52:11.023Z level=INFO msg="registered private key" secretname=test-key
time=2024-11-20T13:52:11.024Z level=INFO msg="registered private key" secretname=sealed-secrets-keymqbn8
time=2024-11-20T13:52:11.024Z level=INFO msg="registered private key" secretname=sealed-secrets-keyqm6bb

Even if this is the newest key (kubectl get secret):

sealed-secrets-keymqbn8   kubernetes.io/tls          2      10d
sealed-secrets-keyqm6bb   kubernetes.io/tls          2      10d
test-key                  kubernetes.io/tls          2      13m

The controller continue to retrieve an old public key using --fetch-cert argument. It seems to be randomly taken at each controller restart.
This is causing re-encrypting our secrets because there is no way to tell kubeseal to always use the latest key to re-encrypt the sealed secrets.

To Reproduce
Steps to reproduce the behaviour:

  • Follow the procedure bring-your-own-certificate until Deleting the controller Pod is needed to pick the new keys
  • launch kubeseal --fetch-cert and compare it to the public key in the newly created secret.

Expected behavior

  • the controller should retrieve only the latest public certificate (as it is the most relevant certificate to encrypt secret)

Version of Kubernetes:

  • Output of kubectl version:
v1.28.10

Additional context

Today our workaround is:

  • to get public key from our secret deployed
  • to get the name of a sealed secret on the cluster & the secret name inside
  • to get the secret associated using the name
  • to seal this secret using the public key

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions