sealed-secrets
Using sealed-secrets without controller/operator
I am running my workload on an OpenShift platform, and I cannot install the controller (RBAC roles insufficient).
Are there any supported ways of doing pipeline decryption of sealed secrets? My GitLab runners could potentially execute `kubeseal --recovery-unseal ....` during deployment, but I am not sure if this is the best way to go?
Thanks!
Hi!
I don't think sealed-secrets is the way to go for your specific use case, then. I'd say you should use a normal asymmetric encryption program (e.g. openssl) with the public key given to devs to seal their keys and the private key stored on your GitLab instance.
I totally understand, but using openssl or similar to do encryption leaves me with a big chunk of unidentifiable data. I really like the format of the sealed secret :)
Are there any real pitfalls in using `kubeseal --recovery-unseal` as above?
Hi @torbenaa, using `--recovery-unseal` is a possibility.
However, we don't normally encourage this option, since you'll need to provide kubeseal with the private key. In normal conditions it is always better to keep the private key only in the cluster and avoid exposing yourself to a possible key leak.
So, the advice is: use it with caution! Regards
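The "openssl instead of the controller" approach suggested in this thread, as an added example that is not part of the sealed-secrets project or of anyone's post here. It assumes `openssl`, `base64`, `sed` and `mktemp` are on the PATH; the file layout it writes (`name:`/`key:`/`wrapped_key:`/`ciphertext:` lines, so the artifact is at least labelled and identifiable in the repo) is an ad hoc format made up for this example, not the SealedSecret format. The function names `seal_value`, `unseal_value`, `render_secret` and `demo`, and the secret name `db-creds`, are likewise hypothetical. It uses hybrid encryption (a fresh AES-256 key per value, wrapped with RSA-OAEP) so that values longer than the RSA modulus still work, which plain `openssl pkeyutl -encrypt` on the value itself would not.

```shell
#!/usr/bin/env bash
# Added example (not sealed-secrets project code): developer-side sealing with a
# public key, runner-side unsealing with the private key, emitting a plain
# Kubernetes Secret manifest for `oc apply -f -`. Hypothetical ad hoc file format.
set -eu

# Developer side. Args: pubkey.pem  secret-name  data-key  value
# Writes "<name>.<key>.sealed" in the current directory and prints its path.
seal_value() {
  local pub="$1" name="$2" key="$3" value="$4"
  local out="${name}.${key}.sealed" tmpkey
  tmpkey=$(mktemp)
  # Fresh 256-bit data-encryption key, hex encoded so it is one line
  # (`openssl enc -pass file:` reads the first line of the file as the password).
  openssl rand -hex 32 > "$tmpkey"
  {
    echo "name: $name"
    echo "key: $key"
    # Wrap the data key with RSA-OAEP under the team public key.
    echo "wrapped_key: $(openssl pkeyutl -encrypt -pubin -inkey "$pub" \
      -pkeyopt rsa_padding_mode:oaep -in "$tmpkey" | base64 | tr -d '\n')"
    # Encrypt the value itself with AES-256-CBC (PBKDF2-derived from the data key).
    echo "ciphertext: $(printf '%s' "$value" | openssl enc -aes-256-cbc -pbkdf2 -salt \
      -pass "file:$tmpkey" | base64 | tr -d '\n')"
  } > "$out"
  rm -f "$tmpkey"
  echo "$out"
}

# Runner side. Args: privkey.pem  file.sealed   Prints the plaintext value.
unseal_value() {
  local priv="$1" file="$2" tmpkey
  tmpkey=$(mktemp)
  # Unwrap the data key, then decrypt the value with it. The private key should
  # only ever exist on the runner, e.g. as a protected file-type CI variable.
  sed -n 's/^wrapped_key: //p' "$file" | base64 -d \
    | openssl pkeyutl -decrypt -inkey "$priv" -pkeyopt rsa_padding_mode:oaep > "$tmpkey"
  sed -n 's/^ciphertext: //p' "$file" | base64 -d \
    | openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$tmpkey"
  rm -f "$tmpkey"
}

# Runner side. Args: privkey.pem  secret-name  namespace  file.sealed...
# Prints a Secret manifest with every unsealed value base64-encoded under data:.
render_secret() {
  local priv="$1" name="$2" ns="$3"
  shift 3
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for f in "$@"; do
    printf '  %s: %s\n' "$(sed -n 's/^key: //p' "$f")" \
      "$(unseal_value "$priv" "$f" | base64 | tr -d '\n')"
  done
}

# Round trip on a throwaway keypair and a constructed sample value; prints the
# recovered plaintext. Runs in a subshell so the cd/cleanup do not leak.
demo() (
  d=$(mktemp -d)
  cd "$d"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out priv.pem 2>/dev/null
  openssl pkey -in priv.pem -pubout -out pub.pem
  seal_value pub.pem db-creds password 'S3cr3t-p@ss' >/dev/null
  unseal_value priv.pem db-creds.password.sealed
  cd / && rm -rf "$d"
)

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

In a GitLab job the runner side would be roughly `render_secret "$TEAM_PRIVATE_KEY" db-creds prod *.sealed | oc apply -f -`, with `TEAM_PRIVATE_KEY` a protected, file-type CI variable, so the private key never sits in the repository or in the developers' hands. This is exactly the trade-off the maintainer describes for `kubeseal --recovery-unseal`: whoever holds the private key can read every secret sealed under it, so wherever it lives (runner or cluster) becomes the thing to protect, and rotating it means re-sealing everything.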