
@kek-Sec
Created May 15, 2025 11:56
reseal-kubeseal
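#!/bin/bash
#
# Re-seal every SealedSecret manifest found under the current directory.
#
# For each YAML/JSON file that declares kind SealedSecret, the script reads
# metadata.name / metadata.namespace, fetches the matching live Secret with
# kubectl and seals it again with the controller certificate fetched at
# start-up. Results are written to $OUT_DIR/<name>.yaml.
#
# Requires: kubeseal, kubectl, and yq or jq on PATH, plus a kube context that
# is allowed to read the Secrets being resealed.
#
# Security notes:
#   * The decoded Secret is streamed straight from kubectl into kubeseal; it
#     is never written to disk (a fixed file under /tmp would be readable by
#     other local users and would survive the run).
#   * name/namespace come from files in the working tree and end up as CLI
#     arguments and as part of an output path, so they are validated first.
set -euo pipefail

OUT_DIR="./resealed"
CERT="./sealed-secrets.crt"

# Lower-case alphanumerics, '-' and '.', starting and ending alphanumeric.
# Rejects values that begin with '-' (would parse as a flag) or contain '/'.
K8S_NAME_RE='^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$'

mkdir -p "$OUT_DIR"

kubeseal --controller-name=sealed-secrets \
  --controller-namespace=sealed-secrets \
  --fetch-cert > "$CERT"

# Sealing against an empty certificate file cannot work; stop early.
if [[ ! -s "$CERT" ]]; then
  echo "❌ Fetched certificate '$CERT' is empty." >&2
  exit 1
fi

# $OUT_DIR is pruned so a second run does not pick up its own output.
find . -path "$OUT_DIR" -prune -o \
  -type f \( -iname "*.yaml" -o -iname "*.yml" -o -iname "*.json" \) -print0 \
  | while IFS= read -r -d '' file; do
    if ! grep -qE '"kind": ?"SealedSecret"|kind: ?SealedSecret' "$file"; then
      continue
    fi

    # '|| var=""' keeps set -e from aborting when both parsers fail, so the
    # "Skipping" branch below is actually reachable.
    name=$(yq e '.metadata.name' "$file" 2>/dev/null \
      || jq -r '.metadata.name' "$file" 2>/dev/null) || name=""
    namespace=$(yq e '.metadata.namespace' "$file" 2>/dev/null \
      || jq -r '.metadata.namespace' "$file" 2>/dev/null) || namespace=""

    # yq and jq both print the literal string "null" for a missing field.
    [[ "$name" == "null" ]] && name=""
    [[ "$namespace" == "null" ]] && namespace=""

    if [[ -z "$name" || -z "$namespace" ]]; then
      echo "⚠️ Could not parse name/namespace from '$file'. Skipping."
      continue
    fi

    if [[ ! "$name" =~ $K8S_NAME_RE || ! "$namespace" =~ $K8S_NAME_RE ]]; then
      echo "⚠️ Invalid name/namespace in '$file'. Skipping."
      continue
    fi

    echo "🔍 Processing $name in $namespace from '$file'"

    # stdin is the find pipe; keep kubectl away from it.
    if ! kubectl get secret "$name" -n "$namespace" </dev/null &>/dev/null; then
      echo "⚠️ Secret $name not found in namespace $namespace. Skipping."
      continue
    fi

    # NOTE: the output path is keyed by name only, so two secrets with the
    # same name in different namespaces overwrite each other.
    out="$OUT_DIR/$name.yaml"
    partial="$out.partial"

    # Write to a side file and rename on success so a failed run never
    # leaves an empty or truncated manifest under the final name.
    if ! kubectl get secret "$name" -n "$namespace" -o yaml </dev/null \
      | kubeseal --cert "$CERT" --format yaml > "$partial"; then
      rm -f -- "$partial"
      echo "❌ Failed to reseal $name in $namespace." >&2
      exit 1
    fi
    mv -- "$partial" "$out"

    echo "✅ Resealed: $out"
  done

echo "🎉 Done. All resealed secrets saved in $OUT_DIR"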