alena1108 · October 31, 2019 18:53
diff --git a/custom encryption b/custom encryption
 To rotate custom config
 ==================================

 - you add the new key to the config, in the first place in the keys list. Do not remove the old key. It will be second in the list
 - Run rke up, this will deploy the config, and rewrite the secrets with the new key
 - remove the old key from the config
 - run rke up, this will remove the old key from the config on the servers..

 * Note that you can't use the same key name!
 * No manual steps are needed. RkE will handle secrets re-encryption

 To disable custom config
 ===================================
 Assuming your custom config was enabled in the following way:

 ```
 services:
  kube-api:
    secrets_encryption_config:
      enabled: true
      custom_config:
        apiVersion: apiserver.config.k8s.io/v1
        kind: EncryptionConfiguration
        resources:
        - resources:
          - secrets
          providers:
          - aescbc:
              keys:
              - name: k-fw5hn
                secret: RTczRjFDODMwQzAyMDVBREU4NDJBMUZFNDhCNzM5N0I=
          - identity: {}
 ```
 you do the following 

 1) Move identity: {} to the top of the providers list, so your config looks as follows:

 ```
 services:
  kube-api:
    secrets_encryption_config:
      enabled: true
      custom_config:
        apiVersion: apiserver.config.k8s.io/v1
        kind: EncryptionConfiguration
        resources:
        - resources:
          - secrets
          providers:
          - identity: {}
          - aescbc:
              keys:
              - name: k-fw5hn
                secret: RTczRjFDODMwQzAyMDVBREU4NDJBMUZFNDhCNzM5N0I=
 ```
 2) Run rke up
 3) Remove secrets_encryption_config directive from cluster.yml
 4) Run rke up. Your secrets will be decrypted after that.

 No manual steps on rke are required.



 If you got yourself into a bad situation and changed your custom config key
 ==========================================
 * Make sure to preserve your old config just in case
 * Update cluster to use old config. Run rke up.

 No manual steps on rke are required.

 Or take etcd backup! Before changing the encryption config. Just in case.
	To rotate custom config
	==================================

	- you add the new key to the config, in the first place in the keys list. Do not remove the old key. It will be second in the list
	- Run rke up, this will deploy the config, and rewrite the secrets with the new key
	- remove the old key from the config
	- run rke up, this will remove the old key from the config on the servers..

	* Note that you can't use the same key name!
	* No manual steps are needed. RkE will handle secrets re-encryption

	To disable custom config
	===================================
	Assuming your custom config was enabled in the following way:

	```
	services:
	kube-api:
	secrets_encryption_config:
	enabled: true
	custom_config:
	apiVersion: apiserver.config.k8s.io/v1
	kind: EncryptionConfiguration
	resources:
	- resources:
	- secrets
	providers:
	- aescbc:
	keys:
	- name: k-fw5hn
	secret: RTczRjFDODMwQzAyMDVBREU4NDJBMUZFNDhCNzM5N0I=
	- identity: {}
	```
	you do the following

	1) Move identity: {} to the top of the providers list, so your config looks as follows:

	```
	services:
	kube-api:
	secrets_encryption_config:
	enabled: true
	custom_config:
	apiVersion: apiserver.config.k8s.io/v1
	kind: EncryptionConfiguration
	resources:
	- resources:
	- secrets
	providers:
	- identity: {}
	- aescbc:
	keys:
	- name: k-fw5hn
	secret: RTczRjFDODMwQzAyMDVBREU4NDJBMUZFNDhCNzM5N0I=
	```
	2) Run rke up
	3) Remove secrets_encryption_config directive from cluster.yml
	4) Run rke up. Your secrets will be decrypted after that.

	No manual steps on rke are required.



	If you got yourself into a bad situation and changed your custom config key
	==========================================
	* Make sure to preserve your old config just in case
	* Update cluster to use old config. Run rke up.

	No manual steps on rke are required.

	Or take etcd backup! Before changing the encryption config. Just in case.