Edit

opencenter secrets keys check

Check encryption key expiration status

Synopsis

Check the expiration status of encryption keys across clusters.

This command monitors Age and SSH key expiration to help maintain security through proactive key rotation. It displays:

  • Days until expiration for each key

  • Warning indicators for keys expiring within threshold (default: 14 days)

  • Error indicators for expired keys

  • Key metadata (cluster, type, fingerprint, creation date)

Keys are tracked in the key registry with default expiration policies: • Age keys: 90 days • SSH keys: 180 days

Use --all to check all clusters, or --cluster to check a specific cluster. The --warn-days flag controls the warning threshold.

opencenter secrets keys check [flags]

Examples

  # Check keys for all clusters
  opencenter secrets keys check --all

  # Check keys for specific cluster
  opencenter secrets keys check --cluster my-cluster

  # Check with custom warning threshold (30 days)
  opencenter secrets keys check --all --warn-days 30

  # Output in JSON format for automation
  opencenter secrets keys check --all --output json

Options

      --all              Check keys for all clusters
      --cluster string   Check keys for specific cluster
  -h, --help             help for check
      --output string    Output format: text or json (default "text")
      --warn-days int    Warning threshold in days (default 14)

SEE ALSO

  • opencenter_secrets_keys.md[opencenter secrets keys] - Manage SOPS encryption keys

Auto generated by spf13/cobra on 28-Apr-2026