# general

icy-yak-43924

09/15/2022, 8:38 PM
What is the correct process to override the rke2 encryption configuration? After using systemctl start rke2-server.service, I then disabled the secrets-encrypt, then used crictl to stop the container, then tried to use "rke2 server --kube-apiserver-arg=encryption-provider-config=/var/lib/rancher/rke2/server/cred/secrets-encrypt.yaml"; however, the server fails to start again.
creamy-pencil-82913

09/15/2022, 8:47 PM
> I then disabled the secrets-encrypt

How did you do that exactly? First of all, it's hardcoded on; second, if you turn it off when it's been previously enabled, everything will break because the apiserver will not be able to decrypt any of the secrets.
> then used crictl to stop the container

which container did you stop? You shouldn’t poke at the control-plane static pods directly. Those should only be managed by rke2. If you change the RKE2 configuration and restart the rke2-server service, the pod configuration will be regenerated and the new configuration applied.
The officially approved way to disable it is to use the secrets-encrypt command: https://docs.rke2.io/subcommands/#secrets-encrypt
If you want to edit the config file yourself, you can do so, but it is not currently supported.
icy-yak-43924

09/15/2022, 9:11 PM
I used the secrets-encrypt disable subcommand and then restarted the api-server. I want to use a KMS or Vault but can't seem to add them to the encryption-configuration.json; that is why I was trying to overwrite it with my own.
creamy-pencil-82913

09/15/2022, 9:48 PM
I don’t believe we’ve tested that