-
Notifications
You must be signed in to change notification settings - Fork 666
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Offline key and backup worflows #432
Comments
Just a quick answer first; I'll get back at this when I have some more time: The open PR about KMS is to use KMS to do the decryption so that you don't even have to backup your private key in the first place! That's the ideal solution for those people who have access to KMS or similar tools and have the means to properly configure them. The reason that PR is not merged is because it's hard coding KMS and I'm looking for an alternative proposal that makes that interface module while reusing the code from that PR. Back to backing up: So you currently backup your kubernetes cluster? |
@mkmik Thank you for taking the time to read the issue and answer. KMS: Gotcha, I initially thought that it would have been used to store the keys. I don't plan on backing up the cluster as I'm using fluxCD and generate the whole cluster configuration offline using makefiles, helm template and kustomize, not write is allowed by users. The cluster needs to be deterministic in some way. I'm new to this and probably will realize that it is not possible to live without it and then, I will be sad :D |
But yeah, from your answer it seems like the design is whatever workflow that backs up the cluster, this is the way to backup the state of sealed secrets. Which does make sense. |
This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback. |
Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary. |
Hi!
I'm thinking of using this amazing project to store manually-rotated credentials, because it fits nicely with gitops and empower teams to take care of their secrets without the need to have access to anything else, except the public certificate.
There also won't have direct access to the cluster as it will reside in a secure environment that will be only accessible in case of cluster panic.
After reading the docs, issues and testing a little bit, I'd like to know if people have feedbacks on workflows they implemented for two parts:
In the absence of a simple workflow, I will probably go with a long-term certificate so I don't have to deal with manual backup/publish too often -- and switch to more often renewals once infrastructure is in place.
Thank you for the hard work on this! This is amazing.
The text was updated successfully, but these errors were encountered: