sealed-secrets API ValidateSealedSecret missing certURL Option #1208
Comments
|
hi @rowi1de For security reason, the only way to validate the secret is to consume the endpoint exposed by the controller. If we want to do it offline, we need the private key to validate the secret. It is not a good idea to provide a feature like this, because it is not a good practice to export or to consume the private keys outside the controller. We are accepting to use the private keys outside the cluster only in disaster situations. For example, you need to do a backup of your keys decrypting the secrets. But to validate the sealed secrets, we don't think that it is a good idea thinking in security reasons. Thanks Álvaro |
Hey @alvneiayu, Thanks for the answer 👌🏻 the explanation makes totally sense from a security point of view. However now I wonder why the validation fails if the certificate can’t be fetched internally? I was under the assumption fetching the certificate is always about the Public Key for encryption reasons and the private key is purely internal and only accessible by that controller itself? Kind Regards |
|
hi @rowi1de What is the error that you are reproducing trying to validate the sealed secrets? Could you show me logs, please? I mean, the validation process is consuming and endpoint to validate your Sealed Secrets and your public certificate is consumed also by the kubeseal though an endpoint exposed by the controller. Then validation and fetch certificate processes need the endpoints accessible in the controller to complete successfully the process. If you are reproducing problem fetching the certificate, it seems that you are having connectivity problem with the controller and you will suffer also errors validating the sealed secrets. Thanks Álvaro |
Yes, the certificate you fetch is the public key, which is used to encrypt the secrets. However, to validate an encrypted secret what you need is the private key. The validation process works by trying to decrypt the secret using the private key. What You can't validate a Sealed Secret without the private key. |
2023/06/01 11:22:56 Connection to sealed secrets with (Namespace: infrastructure / ServiceName: sealed-secrets)
2023/06/01 11:22:56 Setup sealer: cannot fetch certificate: error trying to reach service: Address is not allowedThe problem is not a core problem of sealed-secrets probably, but the issue can happen on AWS EKS with different network interface providers .e.g. calico |
|
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback. |
|
Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary. |
Which component:
kubeseal
Describe the bug
Using the validate function will result in an error when the service to fetch the certificate is not reachable
To Reproduce
Use AWS EKS with calico
Expected behavior
Additional context
sealed-secrets/pkg/kubeseal/kubeseal.go
Line 245 in 67c2699
Similar to #1206
The text was updated successfully, but these errors were encountered: