
Manual key renewal #298

Closed
@guylabs

Description

Hi

What we are trying to achieve is to be able to manually update the key on the controller and not rely on the automatic key renewal. We have our own credentials cycling process and we want to know which key pair is used to encrypt the sealed secrets.

We set up the controller with the --key-renew-period=0 flag to disable the key renewal. We then retrieve the current key pair via this command and store it in our infrastructure.

Now we see the following workaround to make manual key renewal work:

  1. Backup the key as described here
  2. Create a new key pair and add the Base64-encoded private and public key pair to the tls.key and tls.crt entries of the backed-up master.json
  3. Re-encrypt all sealed secrets via kubeseal --cert new-key-pair.pub --re-encrypt < old-sealed-secret.json > new-sealed-secret.json
  4. Restore the master.json with the new key pair, restart the controller and then push all new encrypted sealed secrets.

Would that process work or do you see a better solution? Does step 3 work with re-encrypting a sealed secret with a specified certificate via --cert?

Thanks in advance!
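Steps 2 and 4 of the workaround above, as an added example that is not code from the sealed-secrets project or from the issue author: it generates a new RSA key pair with a self-signed certificate, writes both as the Base64 tls.key and tls.crt entries of a backed-up master.json, and refuses to do so unless the certificate really carries that key's public key, which is the check to run before restarting the controller, since a sealed secret re-encrypted against the wrong certificate can never be unsealed. The function names, the self-signed certificate (the controller only needs a certificate that carries the RSA public key) and its 10-year validity are assumptions; the key size is the caller's choice.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// NewKeyPairPEM makes a fresh RSA key and a self-signed cert carrying its public key, both PEM (10-year validity assumed).
func NewKeyPairPEM(bits int) (keyPEM, certPEM []byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// ReplaceKeyInMasterJSON puts the new pair into a backed-up master.json (Base64 PEM under data/tls.key and
// data/tls.crt, everything else kept), but only after checking that the cert really belongs to the key.
func ReplaceKeyInMasterJSON(master, keyPEM, certPEM []byte) ([]byte, error) {
	kb, _ := pem.Decode(keyPEM)
	cb, _ := pem.Decode(certPEM)
	if kb == nil || cb == nil {
		return nil, errors.New("tls.key or tls.crt is not PEM")
	}
	priv, err1 := x509.ParsePKCS1PrivateKey(kb.Bytes)
	cert, err2 := x509.ParseCertificate(cb.Bytes)
	if err1 != nil || err2 != nil || !priv.PublicKey.Equal(cert.PublicKey) {
		return nil, errors.New("tls.crt does not belong to tls.key: secrets re-encrypted with --cert would never unseal")
	}
	var secret map[string]interface{}
	if err := json.Unmarshal(master, &secret); err != nil {
		return nil, err
	}
	secret["data"] = map[string]string{"tls.key": base64.StdEncoding.EncodeToString(keyPEM),
		"tls.crt": base64.StdEncoding.EncodeToString(certPEM)}
	return json.MarshalIndent(secret, "", "  ")
}
```

The rewritten master.json is what step 4 restores before the controller is restarted; the re-encryption in step 3 uses the PEM certificate returned by NewKeyPairPEM as the --cert argument.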
