This message was deleted Rancher Users #rke2

Join Slack

This message was deleted.

# rke2

adamant-kite-43734

01/26/2024, 10:05 PM

This message was deleted.

colossal-spring-98913

01/26/2024, 10:08 PM

Its one of the first files in the directory too

Copy code

root@rke2-master-0:~# ls -larth /var/lib/rancher/rke2/agent/pod-manifests/
total 44K
-rw-r--r-- 1 root root 1.4K Jan 26 20:43 encryption-config-generator.yaml
-rw------- 1 root root 3.4K Jan 26 20:44 etcd.yaml
-rw------- 1 root root  10K Jan 26 20:59 kube-apiserver.yaml
-rw------- 1 root root 2.8K Jan 26 20:59 kube-scheduler.yaml
-rw------- 1 root root 5.8K Jan 26 20:59 kube-controller-manager.yaml
-rw------- 1 root root 3.8K Jan 26 20:59 cloud-controller-manager.yaml
drwxr-xr-x 7 root root 4.0K Jan 26 20:59 ..
drwxr-xr-x 2 root root 4.0K Jan 26 20:59 .

creamy-pencil-82913

01/26/2024, 10:36 PM

no… what is the static pod doing that you can’t coordinate using the same process that is dropping the pod manifest?

creamy-pencil-82913

01/26/2024, 10:37 PM

the kubelet just syncs all the static pods basically simultaneously, there is no concept of dependencies between them. That’s the sort of thing that would normally be handled as part of scheduling, before it got to being scheduled. if it was coming from the apiserver.

colossal-spring-98913

01/26/2024, 10:57 PM

Yeah I guess i just need to drop the initial encryption config in place instead of a static pod

colossal-spring-98913

01/26/2024, 10:57 PM

thanks!

colossal-spring-98913

01/26/2024, 10:58 PM

The static pod fetches encryption keys from vault and does rotations - I guess I need to re-think this design for the initial state

creamy-pencil-82913

01/26/2024, 11:45 PM

for something like vault, the proper way to do that would probably be to use their KMS provider. Not to try to shoehorn in static key retrieval from vault.

colossal-spring-98913

01/26/2024, 11:51 PM

Yup! And that’s the path I’m gonna head down now

2 Views

Open in Slack

Previous Next