Fix register a key using secret creationTimestamp instead of certificate validity timestamp (#1681)
<!--
Before you open the request please review the following guidelines and
tips to help it be more easily integrated:
- Describe the scope of your change - i.e. what the change does.
- Describe any known limitations with your change.
- Please run any tests or examples that can exercise your modified code.
Thank you for contributing! We will try to test and integrate the change
as soon as we can, but be aware we have many GitHub repositories to
manage and can't immediately respond to every request. There is no need
to bump or check in on a pull request (it will clutter the discussion of
the request).
Also don't be worried if the request is closed or not integrated
sometimes the priorities of Bitnami might not match the priorities of
the pull request. Don't fret, the open source community thrives on forks
and GitHub makes it easy to keep your changes in a forked repo.
-->
**Description of the change**
Register a key and order it based on its secret creation timestamp
instead of its cert starting validity (NotBefore attribute)
<!-- Describe the scope of your change - i.e. what the change does. -->
**Benefits**
<!-- What benefits will be realized by the code change? -->
In case we are bringing our own certificate, if the certificate is
created before the sealed secrets installation but applied after the
installation, the latest certificate used will still be the certificate
installed by sealed secrets during its initialization instead of the
latest secret certificate created.
**Possible drawbacks**
<!-- Describe any known limitations with your change -->
**Applicable issues**
<!-- Enter any applicable Issues here (You can reference an issue using
#) -->
- fixes #1639
**Additional information**
<!-- If there's anything else that's important and relevant to your pull
request, mention that information here.-->
---------
Signed-off-by: Jérôme GARCIA <[email protected]>
Signed-off-by: Sybernatus <[email protected]>
Signed-off-by: Jérôme GARCIA <[email protected]>
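The ordering change described in the commit message, reproduced as an added stand-alone example (not code from the sealed-secrets project): a constructed registry holding the key generated at install time and a bring-your-own certificate whose `NotBefore` predates the install but whose Secret was applied afterwards. The `keyEntry` type, the `Latest` and `ParsePriority` helpers and the secret names are assumptions made for this illustration; only the two flag values mirror the README text in this PR.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// keyEntry is a constructed stand-in for one sealing-key Secret in the
// controller's registry: the certificate's NotBefore and the Secret's
// metadata.creationTimestamp. The type and field names are assumptions,
// not the project's own types.
type keyEntry struct {
	Name              string
	CertNotBefore     time.Time
	CreationTimestamp time.Time
}

// Priority selects which timestamp orders the registry. The two values
// mirror the --key-order-priority values documented in this PR's README.
type Priority string

const (
	CertNotBefore           Priority = "CertNotBefore"
	SecretCreationTimestamp Priority = "SecretCreationTimestamp"
)

// ParsePriority rejects unknown flag values instead of silently falling
// back to the default (hypothetical helper; not from the project).
func ParsePriority(s string) (Priority, error) {
	switch Priority(s) {
	case CertNotBefore, SecretCreationTimestamp:
		return Priority(s), nil
	}
	return "", fmt.Errorf("unknown key order priority %q (want %s or %s)",
		s, CertNotBefore, SecretCreationTimestamp)
}

// Latest returns the name of the key that would be treated as most recent
// under the given ordering, or "" for an empty registry. The sort is
// stable so equal timestamps keep their input order.
func Latest(keys []keyEntry, p Priority) string {
	if len(keys) == 0 {
		return ""
	}
	sorted := append([]keyEntry(nil), keys...)
	sort.SliceStable(sorted, func(i, j int) bool {
		if p == SecretCreationTimestamp {
			return sorted[i].CreationTimestamp.After(sorted[j].CreationTimestamp)
		}
		return sorted[i].CertNotBefore.After(sorted[j].CertNotBefore)
	})
	return sorted[0].Name
}

// sampleKeys is constructed data reproducing the scenario from the commit
// message: the BYO certificate was issued two days before the controller
// was installed, but its Secret was applied two hours after the install.
func sampleKeys() []keyEntry {
	install := time.Date(2024, 6, 1, 12, 0, 0, 0, time.UTC)
	return []keyEntry{
		{ // key generated by the controller at install time
			Name:              "sealed-secrets-key-install",
			CertNotBefore:     install,
			CreationTimestamp: install,
		},
		{ // bring-your-own certificate: older NotBefore, newer Secret
			Name:              "sealed-secrets-key-byo",
			CertNotBefore:     install.Add(-48 * time.Hour),
			CreationTimestamp: install.Add(2 * time.Hour),
		},
	}
}

func main() {
	keys := sampleKeys()
	fmt.Println("CertNotBefore           ->", Latest(keys, CertNotBefore))
	fmt.Println("SecretCreationTimestamp ->", Latest(keys, SecretCreationTimestamp))
}
```

Under `CertNotBefore` the install-time key wins because its certificate is newer, which is exactly the situation the commit message describes; under `SecretCreationTimestamp` the BYO key wins because its Secret was applied last.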
README.md (+12 lines)
@@ -620,6 +620,18 @@ It doesn't help that this feature has been historically called "key rotation", w
620
620
Sealed secrets are not automatically rotated and old keys are not deleted
621
621
when new keys are generated. Old `SealedSecret` resources can be still decrypted (that's because old sealing keys are not deleted).
622
622
623
+
### Key registry init priority order
624
+
625
+
When the controller starts, it will initialize the key registry. The most recent key is used to seal secrets. By default, this certificate is chosen based on the NotBefore attribute of the certificate. If you want to change the priority order of the keys in the registry, you can use the `--key-order-priority` flag.
626
+
627
+
The `--key-order-priority` flag accepts the following values:
628
+
- `CertNotBefore`: (default) The key registry will be ordered based on the NotBefore attribute of the key certificate.
629
+
- `SecretCreationTimestamp`: The key registry will be ordered based on the creation timestamp of the secret.
630
+
631
+
This flag influences the public key used to encrypt secrets and the certificate retrieved by `kubeseal --fetch-cert`.
632
+
633
+
634
+
623
635
### User secret rotation
624
636
625
637
The *sealing key* renewal and SealedSecret rotation are **not a substitute** for rotating your actual secrets.
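Review bot: the new "Key registry init priority order" section should say what an operator sees when the flag value is changed on an already-running controller. The hunk states "This flag influences the public key used to encrypt secrets and the certificate retrieved by `kubeseal --fetch-cert`", so switching from `CertNotBefore` to `SecretCreationTimestamp` can make a different existing key the active one: clients that fetch the certificate afterwards get a different cert than before, even though secrets sealed with the earlier cert still decrypt (as the preceding line on old sealing keys not being deleted says). One sentence stating that, plus the bring-your-own-certificate motivation from the commit message (certificate issued before install but its Secret applied after), would make the choice between the two values clear; the sentence "The most recent key is used to seal secrets. By default, this certificate is chosen based on the NotBefore attribute" also switches between "key" and "certificate" and could use one term consistently.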
fs.StringVar(&f.MyCN, "my-cn", "", "Common name to be used as issuer/subject DN in generated certificate.")
37
38
38
39
fs.DurationVar(&f.KeyRenewPeriod, "key-renew-period", defaultKeyRenewPeriod, "New key generation period (automatic rotation deactivated if 0)")
40
+
fs.StringVar(&f.KeyOrderPriority, "key-order-priority", defaultKeyOrderPriority, "Ordering of keys based on NotBefore certificate attribute or secret creation timestamp.")
39
41
fs.BoolVar(&f.AcceptV1Data, "accept-deprecated-v1-data", true, "Accept deprecated V1 data field.")
40
42
fs.StringVar(&f.KeyCutoffTime, "key-cutoff-time", "", "Create a new key if latest one is older than this cutoff time. RFC1123 format with numeric timezone expected.")
41
43
fs.BoolVar(&f.NamespaceAll, "all-namespaces", true, "Scan all namespaces or only the current namespace (default=true).")
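Review bot: the usage text for the new `key-order-priority` flag does not list the values it accepts, and `fs.StringVar` takes any string, so nothing in this hunk rejects a typo such as `SecretCreationTimeStamp`. Suggest naming the values in the help string, e.g. `"Ordering of keys: CertNotBefore (default) or SecretCreationTimestamp."`, and validating the parsed value at startup so an unknown value fails fast rather than silently behaving like the default; `defaultKeyOrderPriority` is referenced here but defined outside the hunk, so its value should match the `CertNotBefore` default documented in the README change.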