# rke2
c
use --kube-apiserver-arg=encryption-provider-config=/path/to/config to pass the apiserver your own custom config file, as documented here: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
If you do that, you forfeit all ability to have rke2 manage the encryption config.
a
I tried that without much success. I am not sure if it's a bug. I posted an issue about it in the Harvester repo, with logs included. I am not sure if this is a Harvester or RKE2 issue. https://github.com/harvester/harvester/issues/3765
c
Your syntax is wrong
`kube-apiserver-extra-mount` is an RKE2 config option, not an arg to be passed to the apiserver. It should be something like:
```yaml
kube-apiserver-arg:
  - encryption-provider-config=/<path-to>/encryption-config.yaml
kube-apiserver-extra-mount:
  - /var/run/kmsplugin:/var/run/kmsplugin
```
also note that if you’re using a kms plugin you’ll probably need to mount that binary into the apiserver pod as well - I’m assuming /var/run/kmsplugin is a path that the binary will use, not the path containing the plugin itself?
a
Okay wow that seemed to solve it. Thanks so much!
"`kube-apiserver-extra-mount` is an RKE2 config option, not an arg to be passed to the apiserver."
This was not super clear to me
c
Have you looked at the rke2 docs? https://docs.rke2.io/reference/server_config
between that page, and the list of valid apiserver args in the upstream docs, it should be pretty clear what are args for rke2 and what are args for the apiserver https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
I imagine if you looked at the apiserver pod logs, it was probably crashing out and complaining about an unknown arg as well
a
It is clear in retrospect, so I didn't really mean that as feedback that the documentation is lacking/wrong when it came to the flag. But I myself am very new to kubernetes so after working on this deployment for a few days, some focus got lost and I didn't notice that detail.