
cool-ocean-71403

06/22/2022, 8:45 AM
INSTALL_K3S_EXEC="--secrets-encryption"
or
INSTALL_K3S_EXEC="--secrets-encryption=true"
or
INSTALL_K3S_EXEC="--secrets-encryption true"
which one is the correct syntax to enable secrets encryption? The k3s docs have a mixed combination of the first two. A bit confused here as to which one is actually working.

high-waitress-66594

06/22/2022, 6:45 PM
though in general, i would be wary of using INSTALL_K3S_EXEC="--secrets-encryption true"

cool-ocean-71403

06/22/2022, 6:50 PM
INSTALL_K3S_EXEC="--secrets-encryption true"
this command fails executing as far as I can tell.

high-waitress-66594

06/22/2022, 6:51 PM
if you typed such out on the cli it should be fine
e.g.
k3s server --secrets-encryption true
but that is beside the point for your question and use case, i assume

cool-ocean-71403

06/22/2022, 6:53 PM
So basically for booleans I am good to go with INSTALL_K3S_EXEC="--secrets-encryption" just setting them like this right?

high-waitress-66594

06/22/2022, 6:54 PM
that said, consider leveraging the /etc/rancher/k3s/config.yaml for an overall better configuration experience
yeah

cool-ocean-71403

06/22/2022, 6:56 PM
export INSTALL_K3S_EXEC="--kube-apiserver-arg='audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log' --kube-apiserver-arg='audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml'"
What about passing strings like this inside the env variable?

high-waitress-66594

06/22/2022, 6:57 PM
should work iirc, but it depends on how you are getting the envvar to the install script
i prefer to leverage /etc/rancher/k3s/config.yaml config when i can (easy to devops, makes for a simpler install invocation)

cool-ocean-71403

06/22/2022, 7:00 PM
/etc/rancher/k3s/config.yaml
I have no idea how to write all these commands into the yaml file. The docs only show two simple examples.

high-waitress-66594

06/22/2022, 7:01 PM
can you link me the doc you are using?

cool-ocean-71403

06/22/2022, 7:03 PM
yes that one

high-waitress-66594

06/22/2022, 7:04 PM
yeah i see what you mean. you kind of have to know the internal type used for args though iirc the parsing does try to be forgiving (particularly with string arrays)
that said, the kube-*-arg flags take string array values while most other stuff is just strings
anyhow, go with whatever you are most comfortable with!
don't let me nerd-snipe you

cool-ocean-71403

06/22/2022, 7:06 PM
ok so for integer and booleans I should not use "", and rest of it just wrap around double quotes right?

high-waitress-66594

06/22/2022, 7:07 PM
yeah that should get you most of the way with even complex config

cool-ocean-71403

06/22/2022, 7:08 PM
No, your solution is far better but I am trying to implement the k3s CIS hardening parameters also and am confused how to properly implement those things. K3S is not giving me any error if it is not parsing any parameters also. So very hard to debug what is getting ignored from my INSTALL_K3S_EXEC list.
Does the config yaml have any particular order in which I have to provide the parameters? Or just lay down everything as shown in the example from top to bottom and try executing?

high-waitress-66594

06/22/2022, 7:13 PM
ah, well for that, worst case is you can inspect what k3s thinks the runtime config is by inspecting the node annotations k3s.io/node-args and k3s.io/node-env
nah, order isn't important. it is a straight-forward translation of all k3s flags as top level items in the yaml

cool-ocean-71403

06/22/2022, 7:15 PM
got it. thanks a lot for the info. am trying to create the yaml then. better to visualize and manage.

high-waitress-66594

06/22/2022, 7:15 PM
anyhow, while i no longer work for suse/rancher i was a dev on this project and hope i have been helpful. if you are still stuck please do ping me here (i'm gonna switch to a diff screen. if i am unresponsive try tagging me)

cool-ocean-71403

06/22/2022, 7:16 PM
Thanks a lot for the help. Really appreciate it. I will let you know how it goes.