ambitious-telephone-71317
04/12/2023, 4:10 PM
aes-cbc secret encryption provider is enabled by default. What exactly are the steps to use a different provider, say kms, instead on an existing node? If there is documentation for this can someone point me to it?
For context I understand that the EncryptionConfiguration needs to change. But what else is involved there? Should I remove the existing aes-cbc section from the existing config? If yes, would key rotation still work (since I assume I need to re-encrypt using the new provider)?
creamy-pencil-82913
04/12/2023, 4:13 PM
ambitious-telephone-71317
04/12/2023, 4:25 PM
creamy-pencil-82913
04/12/2023, 4:27 PM
kube-apiserver-extra-mount is a RKE2 config option, not an arg to be passed to the apiserver. It should be something like:
kube-apiserver-arg:
- encryption-provider-config=/<path-to>/encryption-config.yaml
kube-apiserver-extra-mount:
- /var/run/kmsplugin:/var/run/kmsplugin
ambitious-telephone-71317
04/12/2023, 4:56 PM
This was not super clear to me
"kube-apiserver-extra-mount is a RKE2 config option, not an arg to be passed to the apiserver."
creamy-pencil-82913
04/12/2023, 4:59 PM
ambitious-telephone-71317
04/13/2023, 11:04 AM