Enrollment and Secrets
When you enroll a cluster in Zen Mesh, zen-lock protects every piece of sensitive material. Here's how the enrollment flow uses zen-lock step by step.
The Enrollment Bundle
When you click Get install command in the dashboard, the control plane generates an enrollment bundle. This bundle contains:
| Field | Purpose | Protection |
|---|---|---|
| Tenant ID | Identifies your Zen Mesh account | Not secret — embedded in bundle |
| Cluster ID | Identifies your specific cluster | Not secret — embedded in bundle |
| Enrollment credentials | Proves cluster identity to control plane | age-encrypted |
| HMAC key | Signs events delivered to your cluster | age-encrypted |
| mTLS CA certificate | Root of trust for internal TLS | age-encrypted |
The bundle is encrypted with an age public key. Only the corresponding private key (held by the control plane) can decrypt it.
Step-by-Step Flow
What Gets Stored Where
| Secret | Storage | Plaintext Exists? |
|---|---|---|
| Enrollment bundle | K8s Secret (base64 of age ciphertext) | Only during agent startup |
| mTLS private key | zen-lock CRD (age ciphertext) | Only in egress pod memory |
| HMAC signing key | zen-lock CRD (age ciphertext) | Only in egress pod memory |
| SPIFFE/SPIRE certs | Short-lived, in-memory | Never persisted |
Bundle Expiration
Enrollment bundles expire after 30 minutes. If the bundle expires before you run the install command:
- The old bundle is cryptographically invalid
- Click Regenerate in the dashboard
- A fresh bundle is created with new credentials
- The old bundle is invalidated
This prevents stale enrollment bundles from being reused.
After Enrollment
Once the cluster is enrolled, zen-lock continues managing secrets automatically:
- Certificate rotation: mTLS certs are rotated before expiry
- Key rotation: HMAC keys are rotated on a schedule
- Orphan cleanup: Ephemeral K8s Secrets are cleaned up when pods terminate
You never need to manually manage these secrets.