It sounds like if you have Vault rotating its transit encryption key, and you enforce that Vault would only keep, say, 5 old key versions in its active keyring, then you'd need to re-encrypt all Kubernetes secrets before the 5th transit encryption key is pushed to archive (out of the active keyring) and can no longer do decryption.
Am I right in thinking you could simply do this via a cron job on a host with `kubectl` and `--all-namespaces` access to force reapply all secrets in Kubernetes?
```
kubectl get secrets --all-namespaces -o json | kubectl replace -f -
```
I'd think this would then force Vault to decrypt all secrets, and then re-encrypt the new secrets (replace of same ones), which effectively gets you freshly encrypted secrets?
Is this the correct method for re-encrypting Kubernetes secrets via the Vault KMS provider?