Disabling encryptionProviders doesn't decrypt Secrets automatically #3097

Open
xmudrii opened this issue Mar 25, 2024 Discussed in #3095 · 3 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. priority/normal Not that urgent, but is important sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management.

Comments

@xmudrii
Member

xmudrii commented Mar 25, 2024

Discussed in #3095

Originally posted by clickersmudge March 25, 2024
Hi,
I would like to report an error.

When I run a new installation of KubeOne with the following configuration:

kubeone.yaml

apiVersion: kubeone.k8c.io/v1beta2
kind: KubeOneCluster
versions:
    kubernetes: "v1.27.11"
clusterNetwork:
    cni:
        canal:
            mtu: 1400
cloudProvider:
    hetzner: {}
    external: true
features:
    encryptionProviders:
        enable: true

Everything works.

However, when I change

features:
    encryptionProviders:
        enable: false

and run

kubeone apply --credentials credentials.yaml --manifest kubeone.yaml --tfjson tf.json --force-upgrade

I get an error:

WARN[15:17:26 CET] Retrying task...                             
INFO[15:17:26 CET] Creating machine-controller credentials secret... 
WARN[15:17:26 CET] Task failed, error was: kubernetes: getting *v1.Secret kube-system/kubeone-machine-controller-credentials
Internal error occurred: identity transformer tried to read encrypted data 
WARN[15:18:42 CET] Retrying task...                             
INFO[15:18:42 CET] Creating machine-controller credentials secret... 
WARN[15:18:42 CET] Task failed, error was: kubernetes: getting *v1.Secret kube-system/kubeone-machine-controller-credentials
Internal error occurred: identity transformer tried to read encrypted data 
WARN[15:20:27 CET] Retrying task...                             
INFO[15:20:28 CET] Creating machine-controller credentials secret... 
WARN[15:20:28 CET] Task failed, error was: kubernetes: getting *v1.Secret kube-system/kubeone-machine-controller-credentials
Internal error occurred: identity transformer tried to read encrypted data 
WARN[15:22:56 CET] Retrying task...                             
INFO[15:22:56 CET] Creating machine-controller credentials secret... 
WARN[15:22:56 CET] Task failed, error was: kubernetes: getting *v1.Secret kube-system/kubeone-machine-controller-credentials
Internal error occurred: identity transformer tried to read encrypted data 


@xmudrii xmudrii changed the title Encryption/Decryption problem Disabling encryptionProviders doesn't decrypt Secrets automatically Mar 25, 2024
@xmudrii xmudrii added kind/feature Categorizes issue or PR as related to a new feature. priority/normal Not that urgent, but is important sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. labels Mar 25, 2024
@xmudrii
Member Author

xmudrii commented Mar 25, 2024

I see two options:

  • Automatically decrypt Secrets upon disabling encryptionProviders
  • If not possible, warn users to manually decrypt Secrets and provide instructions for that
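
Either option above needs a way to tell which Secrets are still stored encrypted; as an added example (not KubeOne's own code), the Go helper below parses the `k8s:enc:<provider>:<version>:<keyname>:` prefix the kube-apiserver puts in front of encrypted etcd values, the very prefix the identity transformer rejects in the log above. It assumes the caller has fetched raw values from etcd (for example with etcdctl); the sample values are constructed, and the documented way to clear the list is to put identity first in the EncryptionConfiguration and rewrite the Secrets with `kubectl get secrets -A -o json | kubectl replace -f -` before removing the provider.

```go
package main

import (
	"bytes"
	"fmt"
	"sort"
	"strings"
)

// The kube-apiserver stores every encrypted value in etcd as
// "k8s:enc:<provider>:<version>:<keyname>:<ciphertext>"; the identity
// transformer refuses such values ("tried to read encrypted data").
const encPrefix = "k8s:enc:"

// Classify parses the at-rest prefix of a raw etcd value. It returns
// encrypted=false for plaintext, which the identity provider can read.
func Classify(raw []byte) (encrypted bool, provider, keyName string, err error) {
	if !bytes.HasPrefix(raw, []byte(encPrefix)) {
		return false, "", "", nil
	}
	parts := strings.SplitN(string(raw[len(encPrefix):]), ":", 4)
	if len(parts) < 4 || parts[0] == "" || parts[2] == "" {
		return false, "", "", fmt.Errorf("malformed encryption prefix")
	}
	return true, parts[0], parts[2], nil
}

// StillEncrypted lists (sorted) the keys that must still be rewritten, with
// identity placed first in the EncryptionConfiguration, before the provider
// is removed; the caller collects raw values e.g. with etcdctl.
func StillEncrypted(values map[string][]byte) ([]string, error) {
	var pending []string
	for key, raw := range values {
		enc, _, _, err := Classify(raw)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", key, err)
		}
		if enc {
			pending = append(pending, key)
		}
	}
	sort.Strings(pending)
	return pending, nil
}

// SampleValues are constructed for illustration, not real etcd contents.
var SampleValues = map[string][]byte{
	"/registry/secrets/kube-system/kubeone-machine-controller-credentials": []byte("k8s:enc:aescbc:v1:key1:\x8a\x12ciphertext"),
	"/registry/secrets/default/already-plain":                               []byte("k8s\x00\n\x02v1\x12\x06Secret"),
}
```

A non-empty result means disabling `encryptionProviders` now would reproduce the failure in the report, so the rewrite step has to run first.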

@xmudrii
Member Author

xmudrii commented Mar 25, 2024

Also relevant to #3096

@clickersmudge

Probably also relevant to #3098
