[v1.28] Secrets Encryption V3 #8111
Conversation
Codecov Report

Patch coverage: (not shown)

@@ Coverage Diff @@
##           master    #8111      +/-   ##
==========================================
+ Coverage   47.51%   51.48%   +3.96%
==========================================
  Files         144      144
  Lines       14614    14709      +95
==========================================
+ Hits         6944     7573     +629
+ Misses       6577     5937     -640
- Partials     1093     1199     +106
minor whitespace nits but LGTM otherwise.
Do we want to put in any checks to confirm that all the apiservers are on a version that supports this before using it, or are we OK just assuming that the user won't do anything boneheaded?
It's a bit of a chicken-and-egg problem. We can't find out which version the apiserver is before it's running, and we can't know to not supply the flag without the version. I think this is just going to have to be "document it well".
I mean, we know that the local apiserver will be running, I am thinking about other apiservers in the cluster if the user for some reason tries to do this on a mixed-version cluster where some of the nodes support hot reloading and some do not. But that's probably a corner case not worth worrying about.
@brandond The new commit should cover the mixed-version edge case.
Rebase with 1.28 PR now in master, E2E should now pass as the
Signed-off-by: Derek Nola <derek.nola@suse.com>
Proposed Changes
- `k3s secrets-encrypt rotate-keys` is now Experimental, and adds, rotates, and reencrypts secrets all in one command.
- `k3s secrets-encrypt enable` on HA clusters that do not have `--secrets-encryption` server flags.
- `secretsencryption_old` (likely will remove old test in future PR)

Types of Changes
Feature Improvement

Verification
Use the new Secrets Encryption E2E test
OR
- `--secrets-encryption`
- `k3s secrets-encrypt rotate-keys`
- `reencrypt_finished` to be the state in `k3s secrets-encrypt status`
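The manual verification above ends with waiting for `k3s secrets-encrypt status` to report `reencrypt_finished`. The script below is an added example, not part of this PR or the k3s project: it polls the status command after `rotate-keys` and only returns success once the rotation stage is `reencrypt_finished`, so a follow-up step (backups, removing old keys, further rotations) is not started against a half-reencrypted cluster. It assumes the status output contains a line of the form `Current Rotation Stage: <stage>`; the sample outputs at the bottom are constructed for offline use, not real CLI captures.

```shell
#!/bin/sh
# Added example, not code from the k3s project: poll `k3s secrets-encrypt status`
# after `rotate-keys` until the rotation stage reads reencrypt_finished.
# ASSUMPTION: the status output carries a line of the form
#   "Current Rotation Stage: <stage>"; adjust the sed pattern if it differs.

# Print the rotation stage found in status text read from stdin (empty if none).
rotation_stage() {
  sed -n 's/^Current Rotation Stage:[[:space:]]*//p' | head -n 1
}

# Run a status command repeatedly until the stage is reencrypt_finished.
#   $1 = command printing the status (default: the real k3s CLI)
#   $2 = maximum attempts (default 30), $3 = seconds between attempts (default 2)
# Returns 0 once finished, 1 if the stage never reached it.
wait_for_reencrypt() {
  cmd="${1:-k3s secrets-encrypt status}"
  attempts="${2:-30}"
  delay="${3:-2}"
  i=0
  stage=""
  while [ "$i" -lt "$attempts" ]; do
    stage="$($cmd | rotation_stage)"
    [ "$stage" = "reencrypt_finished" ] && return 0
    i=$((i + 1))
    sleep "$delay"
  done
  echo "rotation not finished after $attempts checks (last stage: '${stage:-none}')" >&2
  return 1
}

# Constructed sample outputs (not real CLI captures) so the helpers can be
# exercised without a running cluster.
sample_status_finished() {
  printf 'Encryption Status: Enabled\nCurrent Rotation Stage: reencrypt_finished\nServer Encryption Hashes: All hashes match\n'
}
sample_status_active() {
  printf 'Encryption Status: Enabled\nCurrent Rotation Stage: reencrypt_active\nServer Encryption Hashes: All hashes match\n'
}

# Real usage (requires a k3s server started with --secrets-encryption):
#   k3s secrets-encrypt rotate-keys && wait_for_reencrypt
```

On an HA cluster run the check against each server rather than only the one that issued `rotate-keys`; a non-zero exit is the signal to stop and inspect the status output before doing anything that depends on the new key being in use everywhere.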
Testing
Changed existing E2E test
Linked Issues
#7760
User-Facing Change
Further Comments