Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
a
ambitious-telephone-71317
04/12/2023, 4:10 PMThe documentation states that
aes-cbckmsaes-cbcc
creamy-pencil-82913
04/12/2023, 4:13 PMuse --kube-apiserver-arg=encryption-provider-config=/path/to/config to pass the apiserver your own custom config file, as documented here: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
If you do that, you forfeit all ability to have rke2 manage the encryption config.
👍 1
a
ambitious-telephone-71317
04/12/2023, 4:25 PMI tried that without much success. I am not sure if Its a bug. I posted an issue about it in the Harvester repo, with logs included. I am not sure if this a Harvester or RKE2 issue.
https://github.com/harvester/harvester/issues/3765
c
creamy-pencil-82913
04/12/2023, 4:27 PMYour syntax is wrong
kube-apiserver-extra-mountkube-apiserver-arg:
- encryption-provider-config=/<path-to>/encryption-config.yaml
kube-apiserver-extra-mount:
- /var/run/kmsplugin:/var/run/kmsplugin✅ 1
also note that if you’re using a kms plugin you’ll probably need to mount that binary into the apiserver pod as well - I’m assuming /var/run/kmsplugin is a path that the binary will use, not the path containing the plugin itself?
✅ 2
a
ambitious-telephone-71317
04/12/2023, 4:56 PMOkay wow that seemed to solve it. Thanks so much!
This was not super clear to meis a RKE2 config option, not an arg to be passed to the apiserver.kube-apiserver-extra-mount
c
creamy-pencil-82913
04/12/2023, 4:59 PMHave you looked at the rke2 docs? https://docs.rke2.io/reference/server_config
between that page, and the list of valid apiserver args in the upstream docs, it should be pretty clear what are args for rke2 and what are args for the apiserver
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
I imagine if you looked at the apiserver pod logs, it was probably crashing out and complaining about an unknown arg as well
a
ambitious-telephone-71317
04/13/2023, 11:04 AMIt is clear in retrospect, so I didn't really mean that as feedback that the documentation is lacking/wrong when it came to the flag. But I myself am very new to kubernetes so after workind on this deployment for a few days, some focus got lost and I didn't notice that detail.