[BUG] Unable to provision RKE1 cluster with custom configuration for secret encryption
Rancher Server Setup
- Rancher version: v2.9-ed8725676a615b0fb6851957f4295dad6593fb89-head
- Installation option (Docker install/Helm Chart):
- Helm install k3s v1.26.6+k3s1
- Proxy/Cert Details: self-signed
Information about the Cluster
- Kubernetes version: v1.27.8-rancher2-2
- Cluster Type (Local/Downstream): Downstream RKE1 digital ocean
User Information Admin
Describe the bug RKE1 secrets encryption no longer accepts a custom configuration.
To Reproduce
- Create an RKE1 cluster in UI
- Use 'edit as yaml' option to add secrets encryption with a custom configuration as documented here
Result The custom configuration resources are not saved.
Expected Result
Screenshots
Request:
Response:
Additional context The same instructions worked on 2.7.0
Hi @kinarashah can you take a look at this for our 2.9-Next scope?
I think this is related to https://github.com/rancher/rancher/issues/44140, changes to encryption secret fields were merged in v2.7.1 so it makes sense that it works in v2.7.0.
This is the intended behavior of the secrets migrator functionality: rather than updating the cluster.management.cattle.io/v3 object to reference secrets, it was decided to use norman to intercept the create/update request and stuff the sensitive information into secrets before it is committed to k8s, so the only place the data is exposed is within the API request to the v3 endpoint. The cluster object is "reassembled" before use within Rancher, pulling the secrets and creating the cluster object as it would have been, but a GET request for the cluster object will never return those sensitive values.
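The intercept-and-reassemble behaviour described in that comment, as an added illustration that is not Rancher's or norman's code: `Cluster`, `Store`, `Create`, `Get` and `Assemble` are hypothetical stand-ins for the v3 object, the API layer with its secret backend, the intercepted create, the client-facing GET and the internal rebuild, and the secret name scheme is made up for the example.

```go
package main
import "fmt"

// Cluster is a hypothetical, much-reduced stand-in for the v3 cluster object.
type Cluster struct {
	Name             string
	EncryptionConfig string // the sensitive custom configuration block
	EncryptionRef    string // name of the secret that replaces it
}

// Store stands in for the API layer plus the k8s secret backend.
type Store struct {
	objects map[string]Cluster
	secrets map[string]string
}

// Create plays the norman interceptor: the sensitive block is moved into a
// secret and only a reference to it is committed with the object.
func (s *Store) Create(c Cluster) Cluster {
	if c.EncryptionConfig != "" {
		c.EncryptionRef = c.Name + "-secrets-encryption"
		s.secrets[c.EncryptionRef] = c.EncryptionConfig
		c.EncryptionConfig = ""
	}
	s.objects[c.Name] = c
	return c
}

// Get is what a client sees on a GET: the reference, never the values.
func (s *Store) Get(name string) (Cluster, bool) {
	c, ok := s.objects[name]
	return c, ok
}

// Assemble rebuilds the object from the secret before controllers use it.
func (s *Store) Assemble(name string) (Cluster, bool) {
	c, ok := s.Get(name)
	if data, found := s.secrets[c.EncryptionRef]; ok && found {
		c.EncryptionConfig = data
	}
	return c, ok
}

func main() {
	s := &Store{objects: map[string]Cluster{}, secrets: map[string]string{}}
	s.Create(Cluster{Name: "demo", EncryptionConfig: "custom-config (constructed)"})
	redacted, _ := s.Get("demo")
	full, _ := s.Assemble("demo")
	fmt.Printf("GET: %+v\nassembled: %+v\n", redacted, full)
}
```

Seen from the UI, the custom configuration looks unsaved because `Get` returns only the reference, while `Assemble` shows the same data is still available to the controllers.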
@mantis-toboggan-md , could you please review the explanation in https://github.com/rancher/rancher/issues/44264#issuecomment-2182968247 and close the issue if this makes sense?
Thanks for clarifying @jakefhyde - I'll close the issue then