Support for RKE2 secrets encryption keys rotation #35436
Comments
Test cases to validate:
|
How to rotate encryption keys
Although there will be a UI button to start rotating encryption keys before the
under the Additional test cases
|
Blocked waiting for rke2 and k3s KDM June releases since encryption key rotation is feature-gated in KDM.
|
Root cause
Encryption key rotation did not initially work for rke2/k3s, and plans for etcd only nodes would be in sync and not updated during subsequent reconciliations, which includes

What was fixed, or what changes have occurred
The encryption key rotation feature for rke2/k3s has gone through a few iterations in order to reach a working state for all cluster configurations. A fix has been made to ensure that these system-agent plans are run precisely when they need to.

Areas or cases that should be tested
I've personally tested rke2 & k3s v1.22.11, compiled from source with the required fixes merged in, as well as some testing afterwards. I tested the following cluster configurations using Digital Ocean provisioned nodes.
I personally recommend testing each kubernetes version, both rke2 & k3s, under a variable amount of load (new cluster, >1000 secrets, >1000 secrets and currently adding more, etc.). I also recommend messing with the cluster in various ways, such as deleting a machine. I've tested the standard user case, and the standard user can rotate encryption keys no problem.

What areas could experience regressions?
N/A

Are the repro steps accurate/minimal?
Set
|
Test Environment:
Rancher version: v2.6-head 2c21373

Testing:
Tested all scenarios listed here

Result
Closing this ticket as testing is complete and issues will be tracked in the tickets listed above.
|
Implement support to rotate secrets encryption keys. This will allow the UI equivalent to the following RKE1 UI to be implemented:
Rotate encryption keys:
This requires rancher/rke2#748 implemented on RKE2 side.