
Support enabling secrets encryption after a cluster has been created

Open cjellick opened this issue 3 years ago • 4 comments

Is your feature request related to a problem? Please describe.
Secrets encryption isn't supported for existing clusters. It has to be turned on when the cluster is created. This is documented: https://docs.k3s.io/cli/secrets-encrypt#encryption-key-rotation

Starting K3s without encryption and enabling it at a later time is currently not supported.

So, this is just to ask for that to be supported (after talking with @brandond in rancher user slack).

Describe the solution you'd like
Don't have anything to add to this section.

Describe alternatives you've considered
One possibility could be to just do a better job of not supporting it. We got our cluster pretty hosed by flipping this on. Each server came up with a different encryption key, which caused madness trying to encrypt and decrypt secrets.

cjellick avatar Mar 31 '23 23:03 cjellick

oh, this is a little misleading. Another area of the docs: https://docs.k3s.io/security/secrets-encryption

implies you can do it

cjellick avatar Mar 31 '23 23:03 cjellick

Ah indeed. In one place we say

Secrets-encryption cannot be enabled on an existing server without restarting it.

while another says

Starting K3s without encryption and enabling it at a later time is currently not supported.

Functionally, single-server clusters do currently work if you enable it later, but due to lack of proper support for updating the encryption config in the bootstrap data, things will break if you try to do so on a multi-server cluster.

brandond avatar Apr 01 '23 00:04 brandond
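The failure mode described above (each server ending up with its own encryption key, and bootstrap data not carrying an updated encryption config to the other servers) is something an operator can at least detect before it turns into undecryptable secrets. The script below is an added example written for this thread; it is not code from the k3s project or from either commenter. It assumes that each k3s server keeps its apiserver encryption config at `/var/lib/rancher/k3s/server/cred/encryption-config.json` in the standard Kubernetes `EncryptionConfiguration` JSON shape, and that you have copied that file from every server into one directory, named per server. The configs it checks here are constructed inline with placeholder key material so the script runs offline; it never prints key material, only key names and a truncated hash of each secret.

```shell
#!/bin/sh
# Added example, not from the k3s project. Assumption: every k3s server writes
# its apiserver encryption config to
#   /var/lib/rancher/k3s/server/cred/encryption-config.json
# as one-line Kubernetes EncryptionConfiguration JSON. Collect one copy per
# server into a directory (e.g. server-1.json, server-2.json, ...) and run
# check_consistent on it. The samples below are constructed, not real keys.

# Hash stdin so key secrets are never echoed; sha256sum preferred, cksum fallback.
hash_secret() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -c1-16
    else
        cksum | cut -d' ' -f1
    fi
}

# Print a fingerprint of one config: each key's name and a hash of its secret.
# Splitting the one-line JSON on commas puts each "name"/"secret" pair on its own line.
config_fingerprint() {
    tr ',' '\n' < "$1" \
        | sed -n 's/.*"name":"\([^"]*\)".*/name=\1/p; s/.*"secret":"\([^"]*\)".*/secret=\1/p' \
        | while IFS='=' read -r k v; do
            if [ "$k" = secret ]; then
                printf 'secret=%s\n' "$(printf '%s' "$v" | hash_secret)"
            else
                printf '%s=%s\n' "$k" "$v"
            fi
          done
}

# Compare fingerprints of every *.json in a directory.
# Exit 0 if all servers agree on the key set, 1 if any server diverges.
check_consistent() {
    dir=$1
    divergent=0
    prev=''
    for f in "$dir"/*.json; do
        fp=$(config_fingerprint "$f" | tr '\n' ';')
        echo "$(basename "$f"): $fp"
        if [ -n "$prev" ] && [ "$fp" != "$prev" ]; then
            divergent=1
        fi
        prev=$fp
    done
    return $divergent
}

# --- constructed sample inputs (placeholder key material, not real keys) ---
write_sample_config() {
    # $1 = output path, $2 = placeholder secret
    printf '%s\n' "{\"kind\":\"EncryptionConfiguration\",\"apiVersion\":\"apiserver.config.k8s.io/v1\",\"resources\":[{\"resources\":[\"secrets\"],\"providers\":[{\"aescbc\":{\"keys\":[{\"name\":\"aescbckey\",\"secret\":\"$2\"}]}},{\"identity\":{}}]}]}" > "$1"
}

make_samples() {
    # $1 = "consistent" or "divergent"; prints the directory holding three server configs
    dir=$(mktemp -d)
    write_sample_config "$dir/server-1.json" "PLACEHOLDER-KEY-A"
    write_sample_config "$dir/server-2.json" "PLACEHOLDER-KEY-A"
    if [ "$1" = divergent ]; then
        write_sample_config "$dir/server-3.json" "PLACEHOLDER-KEY-B"   # the thread's failure mode
    else
        write_sample_config "$dir/server-3.json" "PLACEHOLDER-KEY-A"
    fi
    printf '%s\n' "$dir"
}

# Stand-alone demo: a healthy set of servers, then a set where one server diverged.
echo "== consistent servers =="
check_consistent "$(make_samples consistent)" && echo "OK: all servers share the same key set"
echo "== divergent servers =="
check_consistent "$(make_samples divergent)" || echo "ALERT: servers disagree on encryption keys"
```

On a live multi-server cluster, a non-zero exit from `check_consistent` is the signal that secrets written through one server may not be readable through another, which is the situation the first comment describes; run it before and after any change to the encryption settings rather than after secrets have already started failing to decrypt.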

Hello, just wanted to clarify: enabling secrets-encryption on a live k3s cluster is still not supported, right?

riuvshyn avatar May 03 '24 11:05 riuvshyn

Still not supported.

brandond avatar May 06 '24 20:05 brandond