adamant-kite-43734
03/31/2023, 7:58 PM
creamy-pencil-82913
03/31/2023, 8:19 PM
modern-island-11920
03/31/2023, 8:58 PM
Mar 31 20:49:29 ip-10-10-11-206 k3s[8438]: W0331 20:49:29.108204 8438 reflector.go:424] storage/cacher.go:/secrets: failed to list *core.Secret: unable to transform key "/registry/secrets/kube-system/i-01db15558336bc664.node-password.k3s": invalid padding on input
Mar 31 20:49:29 ip-10-10-11-206 k3s[8438]: E0331 20:49:29.108227 8438 cacher.go:440] cacher (*core.Secret): unexpected ListAndWatch error: failed to list *core.Secret: unable to transform key "/registry/secrets/kube-system/i-01db15558336bc664.node-password.k3s": invalid padding on input; reinitializing...
Mar 31 20:49:29 ip-10-10-11-206 k3s[8438]: E0331 20:49:29.785882 8438 available_controller.go:524] v1beta1.metrics.k8s.io failed with: Operation cannot be fulfilled on apiservices.apiregistration.k8s.io "v1beta1.metrics.k8s.io": the object has been modified; please apply your changes to the latest version and try again
modern-island-11920
03/31/2023, 8:59 PM
creamy-pencil-82913
03/31/2023, 9:17 PM
modern-island-11920
03/31/2023, 9:40 PM
modern-island-11920
03/31/2023, 9:43 PM
creamy-pencil-82913
03/31/2023, 9:51 PM
modern-island-11920
03/31/2023, 9:51 PM
modern-island-11920
03/31/2023, 10:42 PM
This is a bug in k3s. I found the root issue. What happens is that if you enable secrets encryption after the fact (not first boot) the encryption key is never saved in the bootstrap data. This issue isn’t seen in etcd setups because they copy files from peers not from DB. But this is an issue even with etcd because if all nodes are lost you lose the encryption key because it never got saved.
modern-island-11920
03/31/2023, 10:43 PM
No. Because the bootstrap data is rarely updated. You’d have to scale to one node and then run key rotate
modern-island-11920
03/31/2023, 10:43 PM
But it’s scale to one node where the one node has to be the one working.
creamy-pencil-82913
03/31/2023, 10:45 PM
Starting K3s without encryption and enabling it at a later time is currently not supported.
creamy-pencil-82913
03/31/2023, 10:45 PM
modern-island-11920
03/31/2023, 10:45 PM
creamy-pencil-82913
03/31/2023, 10:48 PM
modern-island-11920
03/31/2023, 10:54 PM
creamy-pencil-82913
04/01/2023, 1:00 AM
clever-air-65544
04/02/2023, 1:37 PM
clever-air-65544
04/02/2023, 1:37 PM