Closed antonmatsiuk closed 6 months ago

I have a confusion regarding the Bring your own certificate process.
We have our certificate/key pair generated with openssl, whose validity expires soon. There are a bunch of secrets encrypted with this certificate in several clusters. We want to rotate the cert/key pair, but re-encryption of the old secrets with the new certificate will take time. Two questions regarding this process:

If someone is interested, I have performed the tests for the scenarios described above. The answers are:

Will the sealed-secrets controller still be able to decrypt the secrets encrypted with the old certificate after the certificate expiration?
No, it will throw an error: "error: failed to encrypt using an expired certificate"

How to add the new TLS key pair while still keeping the old key pair in the controller to decrypt the old secrets?
Create a new TLS key pair and reference it in secretName of the Helm release, then update the Helm release.
To decrypt the secrets with the old expired certificate, do not remove the old certificate from the cluster and keep the sealedsecrets.bitnami.com/sealed-secrets-key: active label on it. The sealed-secrets controller will continue to decrypt the secrets encrypted with the expired certificate, although it's not directly referenced in the Helm release.
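The rotation worked through in this thread, as an added example (not code from the sealed-secrets project, the Helm chart, or anyone in this issue): generate a fresh key pair, render it as a TLS Secret carrying the `sealedsecrets.bitnami.com/sealed-secrets-key: active` label the controller selects on, leave the old labelled Secret in place so already-sealed secrets still decrypt, and check a certificate's validity before trying to seal with it, since `kubeseal` refuses an expired one. The namespace `kube-system`, the Secret name `sealed-secrets-key-2025`, and the deployment name `sealed-secrets-controller` are assumptions; adjust them to your release.

```bash
#!/usr/bin/env bash
# Added example, not from the sealed-secrets project or this issue's authors.
# Assumed names: namespace kube-system, Secret sealed-secrets-key-2025,
# deployment sealed-secrets-controller. The label
# sealedsecrets.bitnami.com/sealed-secrets-key=active is the controller's key selector.
set -eu

KEY_BITS="${KEY_BITS:-4096}"

# Generate a self-signed RSA key pair usable as a sealed-secrets private key.
# Writes $1/tls.crt and $1/tls.key, valid for $2 days, with CN $3.
make_keypair() {
  local dir="$1" days="$2" cn="$3"
  mkdir -p "$dir"
  openssl req -x509 -nodes -newkey "rsa:${KEY_BITS}" -days "$days" \
    -subj "/CN=${cn}" -keyout "$dir/tls.key" -out "$dir/tls.crt" >/dev/null 2>&1
}

# Succeeds if the PEM certificate $2 is still valid $1 seconds from now.
# Use 0 to ask "is it valid right now?", which is what kubeseal requires.
cert_is_valid_for() {
  openssl x509 -checkend "$1" -noout -in "$2" >/dev/null 2>&1
}

# Render the kubernetes.io/tls Secret the controller will pick up as a new
# active key. The old Secret is not touched; keeping its active label is what
# lets the controller keep decrypting secrets sealed with the expiring cert.
render_key_secret() {
  local name="$1" ns="$2" dir="$3"
  local crt key
  crt=$(base64 < "$dir/tls.crt" | tr -d '\n')
  key=$(base64 < "$dir/tls.key" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: ${name}
  namespace: ${ns}
  labels:
    sealedsecrets.bitnami.com/sealed-secrets-key: active
data:
  tls.crt: ${crt}
  tls.key: ${key}
EOF
}

# Print the cluster-side steps for one cluster, in order. The controller loads
# active keys at startup, so it is restarted after the new Secret is applied;
# it then seals with the newest active key and decrypts with all of them.
rotation_commands() {
  local manifest="$1" ns="${2:-kube-system}" deploy="${3:-sealed-secrets-controller}"
  cat <<EOF
kubectl apply -f ${manifest}
kubectl -n ${ns} rollout restart deployment/${deploy}
kubectl -n ${ns} rollout status deployment/${deploy}
kubeseal --controller-namespace ${ns} --fetch-cert > new-pub-cert.pem
# re-seal each plain Secret manifest with the new public cert, at your own pace:
kubeseal --cert new-pub-cert.pem --format yaml < secret.yaml > sealed-secret.yaml
EOF
}

# Demo entry point: only runs when invoked as `./rotate.sh demo`, so the
# functions can also be sourced from another script.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_keypair "$work/new" 3650 sealed-secrets-2025
  if cert_is_valid_for 0 "$work/new/tls.crt"; then
    render_key_secret sealed-secrets-key-2025 kube-system "$work/new" > "$work/new-key.yaml"
    echo "wrote $work/new-key.yaml; apply it with:"
    rotation_commands "$work/new-key.yaml"
  else
    echo "new certificate is not valid; refusing to install it" >&2
    exit 1
  fi
fi
```

Run the old public certificate through `cert_is_valid_for 0` before sealing anything with it: once it fails, every `kubeseal` invocation that still points at it will fail with the "expired certificate" error quoted above, while the controller keeps decrypting with the old private key as long as its Secret stays in the cluster with the `active` label.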