Open schaurian opened 7 months ago
Looks like it was removed here:
For anyone also doing this right now, this was the old content of the file:
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
You could use this part: https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/1.21.0/docs/06-data-encryption-keys.md#the-encryption-config-file
You need to create a file yourself
@Stabalmo The provided command uses envsubst to create encryption-config.yaml using configs/encryption-config.yaml. The file is not present in configs.
As @JanoschDeurer stated, the instruction to create encryption-config.yaml was changed from a heredoc to using envsubst to copy configs/encryption-config.yaml to encryption-config.yaml while replacing ${ENCRYPTION_KEY} with the value assigned from the previous command.
I think the encryption-config.yaml file should already be in the configs directory from the git repo, or the instruction to create it should be added back in as a preceding step, changing the output to the config directory instead of the current directory.
At line 17, add:
Create the encryption-config.yaml template file:
# The quoted 'EOF' keeps ${ENCRYPTION_KEY} as a literal placeholder for envsubst
cat > configs/encryption-config.yaml <<'EOF'
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
It seems like the file was removed because it was added in .gitignore by @kelseyhightower to make sure if a user is pushing changes to the repo the encryption-config.yaml file with actual ENCRYPTION_KEY is not pushed.
In recent https://github.com/kelseyhightower/kubernetes-the-hard-way/pull/767 while moving to arm64 the actual configs/encryption-config.yaml file couldn't be pushed because of .gitignore https://github.com/kelseyhightower/kubernetes-the-hard-way/blob/a9cb5f7ba50b3ed496a18a09c273941f80c6375a/.gitignore#L11
I have created the PR https://github.com/kelseyhightower/kubernetes-the-hard-way/pull/780 to address this issue by adding the configs/encryption-config.yaml file and updating .gitignore accordingly.
Looks like it was removed here:
a9cb5f7#diff-404b56b95be0b6ab7483e7e18d8941ca7e9b472842d844874d25b97ed14b2b2dL19-L32
For anyone also doing this right now, this was the old content of the file:
kind: EncryptionConfig
apiVersion: v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
Thanks for this one. However mine did not work and needed to be written like this: kind: EncryptionConfiguration
I finally got it working with this content for version v1.28:
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
The important changes are these:
kind: EncryptionConfig --> EncryptionConfiguration
apiVersion: v1 --> apiserver.config.k8s.io/v1
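A pre-flight check for the rendered file, as an added example that is not part of this thread or of the tutorial repository: it catches the failures discussed above (the old kind/apiVersion, a ${ENCRYPTION_KEY} placeholder that was never substituted, an empty key). The function names, the sed stand-in for envsubst and the 32-byte key length are assumptions.

```shell
# Added example; function names and the demo data are constructed.
check_encryption_config() {
  local file=$1
  local secret bytes
  # Values reported to work on v1.28 in the comment above.
  grep -qx 'kind: EncryptionConfiguration' "$file" \
    || { echo "wrong kind" >&2; return 1; }
  grep -qx 'apiVersion: apiserver.config.k8s.io/v1' "$file" \
    || { echo "wrong apiVersion" >&2; return 2; }
  # A template that was copied without rendering still has the placeholder.
  if grep -qF '${ENCRYPTION_KEY}' "$file"; then
    echo "placeholder not substituted" >&2; return 3
  fi
  # First "secret:" value; it is empty if ENCRYPTION_KEY was unset at render time.
  secret=$(sed -n 's/^[[:space:]]*secret:[[:space:]]*//p' "$file" | head -n 1)
  [ -n "$secret" ] || { echo "empty secret" >&2; return 4; }
  # Assumption: the key is 32 random bytes, base64-encoded.
  bytes=$(printf '%s' "$secret" | base64 -d 2>/dev/null | wc -c)
  [ "$bytes" -eq 32 ] || { echo "key is $bytes bytes, expected 32" >&2; return 5; }
}

# Constructed demo: write the template, render it, print the working directory.
render_demo() {
  local dir key
  dir=$(mktemp -d)
  cat > "$dir/template.yaml" <<'EOF'
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${ENCRYPTION_KEY}
      - identity: {}
EOF
  key=$(head -c 32 /dev/urandom | base64)
  # sed stands in for envsubst so the demo does not depend on gettext.
  sed "s|\${ENCRYPTION_KEY}|$key|" "$dir/template.yaml" > "$dir/rendered.yaml"
  echo "$dir"
}
```

Run `check_encryption_config encryption-config.yaml` on the rendered file before copying it to the controllers; a non-zero status identifies which check failed.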
configs/encryption-config.yaml is missing