Merge pull request #3879 from jiaqiluo/fix-rke1-docs

fix a couple of mistakes around key rotation in rke1 docs
This commit is contained in:
Jen Travinski
2022-02-16 10:51:33 -05:00
committed by GitHub
@@ -106,14 +106,14 @@ OPTIONS:
This command will perform the following actions:
- Generate a new random 32-byte encryption key
- Generate a new provider configuration with the new key as the first provider and the second key as the second provider. When the secrets are rewritten, the first key will be used to encrypt the data on the write operation, while the second key (the old key) will be used to decrypt the stored data during the the read operation
- Generate a new provider configuration with the new key as the first provider and the old key as the second provider. When the secrets are rewritten, the first key will be used to encrypt the data on the write operation, while the second key (the old key) will be used to decrypt the stored data during the the read operation
- Deploy the new provider configuration to all `controlplane` nodes and restart the `kube-apiserver`
- Rewrite all secrets. This process will re-encrypt all the secrets with the new key.
- Update the configuration to remove the old key and restart the `kube-apiserver`
### Rotating Keys by Disabling and Re-enabling Encryption in cluster.yml
For a cluster with encryption enabled, you can rotate the encryption keys by updating `cluster.yml`. If you enable and re-enable the data encryption in the `cluster.yml`, RKE will not reuse old keys. Instead, it will generate new keys every time, yielding the same result as a key rotation with the RKE CLI.
For a cluster with encryption enabled, you can rotate the encryption keys by updating `cluster.yml`. If you disable and re-enable the data encryption in the `cluster.yml`, RKE will not reuse old keys. Instead, it will generate new keys every time, yielding the same result as a key rotation with the RKE CLI.
# Custom At-Rest Data Encryption Configuration
With managed configuration, RKE provides the user with a very simple way to enable and disable encryption with minimal interaction and configuration. However, it doesn't allow for any customization to the configuration.
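Review bot: the replacement line for the provider-configuration bullet still carries the duplicated "the the" in "during the the read operation"; since the line is already being rewritten to say "the old key as the second provider", drop the extra "the" in the same change so the rendered docs read "during the read operation". The wording changes themselves are correct and worth landing: "old key" removes the ambiguity of "second key" being defined in terms of itself, and "disable and re-enable" matches what the sentence goes on to describe (RKE generating new keys rather than reusing old ones when encryption is turned off and back on in `cluster.yml`).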