Offline key and backup worflows

[tehmoon]

Hi!

I'm thinking of using this amazing project to store manually-rotated credentials, because it fits nicely with gitops and empower teams to take care of their secrets without the need to have access to anything else, except the public certificate.

There also won't have direct access to the cluster as it will reside in a secure environment that will be only accessible in case of cluster panic.

After reading the docs, issues and testing a little bit, I'd like to know if people have feedbacks on workflows they implemented for two parts:

• Automated certificate publishing: The docs talk about a public URL being accessible, in my case I was thinking of a kubernetes job that would either export the key to an s3 bucket, I think it would be super easy to do this using the awscli official image (credentials being in sealed secrets themselves and in vault in a future release).
• Automated backups: This one is tricky because we're talking about doing backups of private keys, I'm thinking about storing this AWS KMS, does anybody tried the same workflow? I saw there was an opened PR on this, but I think it would be possible to do the same as publishing the certificate using kubernetes job, but instead, publish this to KMS.

In the absence of a simple workflow, I will probably go with a long-term certificate so I don't have to deal with manual backup/publish too often -- and switch to more often renewals once infrastructure is in place.

Thank you for the hard work on this! This is amazing.

[mkmik]

Just a quick answer first; I'll get back at this when I have some more time:

The open PR about KMS is to use KMS to do the decryption so that you don't even have to backup your private key in the first place! That's the ideal solution for those people who have access to KMS or similar tools and have the means to properly configure them.

The reason that PR is not merged is because it's hard coding KMS and I'm looking for an alternative proposal that makes that interface module while reusing the code from that PR.

Back to backing up:

So you currently backup your kubernetes cluster?

[tehmoon]

@mkmik Thank you for taking the time to read the issue and answer.

KMS: Gotcha, I initially thought that it would have been used to store the keys.

I don't plan on backing up the cluster as I'm using fluxCD and generate the whole cluster configuration offline using makefiles, helm template and kustomize, not write is allowed by users. The cluster needs to be deterministic in some way. I'm new to this and probably will realize that it is not possible to live without it and then, I will be sad :D

[tehmoon]

But yeah, from your answer it seems like the design is whatever workflow that backs up the cluster, this is the way to backup the state of sealed secrets. Which does make sense.

[github-actions]

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

[github-actions]

Due to the lack of activity in the last 7 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.