
Program managed sealed secret in GitOps environment (using ArgoCD) #1468

Open
lanore78 opened this issue Feb 21, 2024 · 0 comments
Which component:
kubeseal

Is your feature request related to a problem? Please describe.
In my situation:

  • Currently, we are operating a service that periodically generates a bunch of secret manifest files and pushes them to a git repository.
  • And there is an ArgoCD application that syncs the git repository to Kubernetes clusters.
  • Each secret contains access keys for a customer.
  • This has a security problem.

So, we just found sealed-secrets, and so far we have almost finished applying sealed secrets.
The problem is:

  • The generated sealed-secret always changes even though the access key doesn't change.
    • We are using kubeseal raw mode to seal.
  • This causes ArgoCD events (Synced -> OutOfSync -> Synced), which makes it difficult for us to distinguish real alerts.

Describe the solution you'd like

  • Provide an encryption option which generates the same result for the same input.
    • I agree that this could mean a lower security level, but it may be a good option for someone who can take the risk.

Describe alternatives you've considered

  • Nothing.

Additional context
Screenshot of kubeseal raw mode. Results are different for the same input.

This is the code we use to run kubeseal from a Java program.

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.apache.commons.exec.CommandLine;
import org.apache.commons.exec.DefaultExecutor;
import org.apache.commons.exec.ExecuteException;
import org.apache.commons.exec.ExecuteStreamHandler;
import org.apache.commons.exec.PumpStreamHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class SealUtils {
    // Logger was bound to ManifestGenerationService; bind it to this class instead.
    private static final Logger LOGGER = LoggerFactory.getLogger(SealUtils.class);

    /**
     * Runs "kubeseal --raw" with the given certificate, namespace and secret name,
     * feeds plainText on stdin and returns the sealed value printed on stdout.
     * Returns an empty string if kubeseal could not be run or exited non-zero.
     */
    public static String seal(String plainText, String namespace, String secretName, String certPath) {
        String command = "kubeseal";
        String[] arguments = {"--raw", "--cert", certPath, "--namespace", namespace, "--name", secretName};

        CommandLine cmdLine = new CommandLine(command);
        cmdLine.addArguments(arguments);

        // stdin for kubeseal; explicit charset so the bytes do not depend on the platform default
        InputStream inputStream = new ByteArrayInputStream(plainText.getBytes(StandardCharsets.UTF_8));
        ByteArrayOutputStream outputStream = new ByteArrayOutputStream();

        DefaultExecutor executor = new DefaultExecutor();

        // stdout -> outputStream, stderr discarded (null), stdin <- inputStream
        ExecuteStreamHandler streamHandler = new PumpStreamHandler(outputStream, null, inputStream);
        executor.setStreamHandler(streamHandler);

        try {
            executor.execute(cmdLine);
            return outputStream.toString(StandardCharsets.UTF_8.name());
        } catch (ExecuteException e) {
            LOGGER.error("Failed to seal plainText. Exit code: " + e.getExitValue(), e);
        } catch (IOException e) {
            LOGGER.error("Failed to seal plainText (IOException)", e);
        }

        return "";
    }
}
@lanore78 lanore78 added the triage Issues/PRs that need to be reviewed label Feb 21, 2024
@agarcia-oss agarcia-oss self-assigned this Feb 29, 2024
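The churn described in the issue comes from kubeseal's raw output being randomised on every run. As an added example (not from the issue or from sealed-secrets), the generator can instead record a keyed fingerprint of the plaintext on the SealedSecret and skip the kubeseal call when that fingerprint is unchanged, which removes the spurious OutOfSync events without asking for deterministic encryption. The annotation name, the fingerprint key and the injected `seal` callback are assumptions.

```python
import hmac
import hashlib
from typing import Callable, Optional

# Assumed annotation name (not from sealed-secrets). The fingerprint key is
# read from outside git (e.g. the generator's environment), never committed.
FINGERPRINT_ANNOTATION = "example.com/plaintext-fingerprint"

def fingerprint(plaintext: str, fp_key: bytes) -> str:
    """Keyed, deterministic digest of the plaintext. Keyed so the committed
    annotation gives no offline guessing foothold for low-entropy secrets."""
    return hmac.new(fp_key, plaintext.encode("utf-8"), hashlib.sha256).hexdigest()

def needs_reseal(existing: Optional[dict], plaintext: str, fp_key: bytes) -> bool:
    """True if nothing is committed yet, the committed SealedSecret carries no
    fingerprint, or its fingerprint does not match the current plaintext."""
    if existing is None:
        return True
    recorded = existing.get("metadata", {}).get("annotations", {}).get(FINGERPRINT_ANNOTATION)
    if recorded is None:
        return True
    return not hmac.compare_digest(recorded, fingerprint(plaintext, fp_key))

def reconcile(existing: Optional[dict], name: str, namespace: str, key_name: str,
              plaintext: str, fp_key: bytes, seal: Callable[[str], str]) -> dict:
    """Return the manifest to commit. For unchanged plaintext the committed
    manifest is returned untouched, so git shows no diff and ArgoCD stays
    Synced; otherwise the kubeseal wrapper (injected as `seal`) runs once."""
    if not needs_reseal(existing, plaintext, fp_key):
        return existing
    return {
        "apiVersion": "bitnami.com/v1alpha1",
        "kind": "SealedSecret",
        "metadata": {"name": name, "namespace": namespace,
                     "annotations": {FINGERPRINT_ANNOTATION: fingerprint(plaintext, fp_key)}},
        "spec": {"encryptedData": {key_name: seal(plaintext)}},
    }

if __name__ == "__main__":
    import os, base64
    # Stand-in for the kubeseal wrapper: like real raw mode, its output differs
    # on every call for the same input (constructed; it does not really seal).
    fake_seal = lambda pt: base64.b64encode(os.urandom(16) + pt.encode()).decode()
    key = b"constructed-fingerprint-key"
    first = reconcile(None, "customer-a", "tenants", "accessKey", "AKIA-constructed", key, fake_seal)
    again = reconcile(first, "customer-a", "tenants", "accessKey", "AKIA-constructed", key, fake_seal)
    print("unchanged secret re-sealed:", again is not first)  # False: no git diff
```

Skipping the re-seal leaves the value encrypted to whichever controller key was current when it was sealed, so a full re-seal is still needed when that key is rotated.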