
ambitious-telephone-71317

04/12/2023, 4:10 PM
The documentation states that the aes-cbc secret encryption provider is enabled by default. What exactly are the steps to use a different provider, say kms, instead on an existing node? If there is documentation for this, can someone point me to it? For context, I understand that the EncryptionConfiguration needs to change. But what else is involved there? Should I remove the existing aes-cbc section from the existing config? If yes, would key rotation still work (since I assume I need to re-encrypt using the new provider)?

creamy-pencil-82913

04/12/2023, 4:13 PM
use --kube-apiserver-arg=encryption-provider-config=/path/to/config to pass the apiserver your own custom config file, as documented here: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
If you do that, you forfeit all ability to have rke2 manage the encryption config.

ambitious-telephone-71317

04/12/2023, 4:25 PM
I tried that without much success. I am not sure if it's a bug. I posted an issue about it in the Harvester repo, with logs included. I am not sure if this is a Harvester or RKE2 issue. https://github.com/harvester/harvester/issues/3765

creamy-pencil-82913

04/12/2023, 4:27 PM
Your syntax is wrong. kube-apiserver-extra-mount is a RKE2 config option, not an arg to be passed to the apiserver. It should be something like:
kube-apiserver-arg:
  - encryption-provider-config=/<path-to>/encryption-config.yaml
kube-apiserver-extra-mount:
  - /var/run/kmsplugin:/var/run/kmsplugin
also note that if you’re using a kms plugin you’ll probably need to mount that binary into the apiserver pod as well - I’m assuming /var/run/kmsplugin is a path that the binary will use, not the path containing the plugin itself?

ambitious-telephone-71317

04/12/2023, 4:56 PM
Okay wow, that seemed to solve it. Thanks so much!
> kube-apiserver-extra-mount is a RKE2 config option, not an arg to be passed to the apiserver.
This was not super clear to me.

creamy-pencil-82913

04/12/2023, 4:59 PM
Have you looked at the rke2 docs? https://docs.rke2.io/reference/server_config
Between that page and the list of valid apiserver args in the upstream docs, it should be pretty clear which are args for rke2 and which are args for the apiserver: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
I imagine if you looked at the apiserver pod logs, it was probably crashing out and complaining about an unknown arg as well

ambitious-telephone-71317

04/13/2023, 11:04 AM
It is clear in retrospect, so I didn't really mean that as feedback that the documentation is lacking/wrong when it came to the flag. But I myself am very new to Kubernetes, so after working on this deployment for a few days, some focus got lost and I didn't notice that detail.