This message was deleted.
# k3sa
adamant-kite-43734
03/31/2023, 7:58 PMThis message was deleted.
c
creamy-pencil-82913
03/31/2023, 8:19 PMhowdy!
no, I haven’t heard of that… the encryption config file is stored in the bootstrap key along with the certs and such, so if the node comes up with the correct cluster CAs it should also come up with the same secrets encryption config. What symptoms are you seeing? Can you cat the encryption config file on the different nodes and compare the content?
m
modern-island-11920
03/31/2023, 8:58 PMso yeah, comparing the configs, they keys are different. logs look like this:
Copy code
Mar 31 20:49:29 ip-10-10-11-206 k3s[8438]: W0331 20:49:29.108204 8438 reflector.go:424] storage/cacher.go:/secrets: failed to list *core.Secret: unable to transform key "/registry/secrets/kube-system/i-01db15558336bc664.node-password.k3s": invalid padding on input
Mar 31 20:49:29 ip-10-10-11-206 k3s[8438]: E0331 20:49:29.108227 8438 cacher.go:440] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/kube-system/i-01db15558336bc664.node-password.k3s": invalid padding on input; reinitializing...
Mar 31 20:49:29 ip-10-10-11-206 k3s[8438]: E0331 20:49:29.785882 8438 available_controller.go:524] <http://v1beta1.metrics.k8s.io|v1beta1.metrics.k8s.io> failed with: Operation cannot be fulfilled on <http://apiservices.apiregistration.k8s.io|apiservices.apiregistration.k8s.io> "<http://v1beta1.metrics.k8s.io|v1beta1.metrics.k8s.io>": the object has been modified; please apply your changes to the latest version and try againmodern-island-11920
03/31/2023, 8:59 PM...i should say, we do have darren and he's going to investigate, so i dont necessarily need to burn a bunch of your time. was more just curious if it was a known issue
c
creamy-pencil-82913
03/31/2023, 9:17 PMthat is odd. I know there are some race conditions around multiple servers initializing the SQL DB when first creating the cluster, but I’ve not seen anything where just the secrets encryption config getting out of sync, later on when adding new server.
m
modern-island-11920
03/31/2023, 9:40 PMright on. we're probably doing something wrong. ill let ya know
modern-island-11920
03/31/2023, 9:43 PMon a cooler note: we have a pretty cool k3s setup going. in aws and using their karpenter tool for autoscaling, their webhook identity tool for injecting iam roles into pods.
its a beautiful monster
c
creamy-pencil-82913
03/31/2023, 9:51 PMBefore I came here I used to run kiam on all our clusters to handle mapping pods to IAM roles, it was super handy. I’m always surprised that more people don’t do that. It’s nice that they have a first-party tool to do that now.
m
modern-island-11920
03/31/2023, 9:51 PMyeah, works well
modern-island-11920
03/31/2023, 10:42 PMwe did repro and darren root caused:
This is a bug in k3s. I found the root issue. What happens is that if you enable secrets encryption after the fact (not first boot) the encryption key is never saved in the bootstrap data. This issue isn’t seen in etcd setups because they copy files from peers not from DB. But this is an issue even with etcd because if all nodes are lost you lose the encryption key because it never got saved.
modern-island-11920
03/31/2023, 10:43 PMme, follow up:
so even daishan's suggested work around of scaling CP down to 1 node and back up would not have worked around?
Darren:
No. Because the bootstrap data is rarely updated. You’d have to scale to one node and then run key rotate
modern-island-11920
03/31/2023, 10:43 PMBut it’s scale to one node where the one node has to be the one working.
c
creamy-pencil-82913
03/31/2023, 10:45 PMahh yeah that’s listed as not supported in the docs, because we know it’s not handled right
https://docs.k3s.io/cli/secrets-encrypt#encryption-key-rotation
Starting K3s without encryption and enabling it at a later time is currently not supported.
creamy-pencil-82913
03/31/2023, 10:45 PMsorry I figured you’d ruled that out
m
modern-island-11920
03/31/2023, 10:45 PMright on. yeah, just missed that
c
creamy-pencil-82913
03/31/2023, 10:48 PMthat is probably fixable if you want to open an issue about it, I think we just didn’t want to have to worry about it. Especially since most of the folks that are using secrets encryption are doing so in rke2 where it’s hardcoded on and we can rely on it being enabled from the start.
m
modern-island-11920
03/31/2023, 10:54 PMgotcha. yeah, ill open an issue. thanks for the quick responses.
mountain biking weather up there yet?
c
creamy-pencil-82913
04/01/2023, 1:00 AMhaha not quite. It’s been a cold and fairly wet last half of spring and winter. We keep getting snow down into the foothills and it’s keeping the trails covered or muddy.
c
clever-air-65544
04/02/2023, 1:37 PMPatches welcome Craig 😂
🫡 1
clever-air-65544
04/02/2023, 1:37 PM(not often I get to do that to my own former manager, can't blame me)
57 Views