k3s HA cluster and secrets encryption

Question

k3s HA cluster and secrets encryption

15 Views Asked by SebastianWi At 29 March 2024 at 11:02

My first steps with kubernetes. I built a "HA cluster" with k3s (like described here: https://docs.k3s.io/datastore/ha-embedded). My 3 nodes are running and I want to encrypt secrets from beginning.

I followed description in https://docs.k3s.io/cli/secrets-encrypt#secrets-encryption-disablere-enable

Enabled secrets encryption on a node with curl -sfL https://get.k3s.io | sh -s - server --secrets-encryption (source: https://docs.k3s.io/security/secrets-encryption)
Encryption status is enabled (with k3s secrets-encrypt status)
Restart k3 service on this node
After enabled encryption my 2 other nodes don't start anymore (hang up). If I disable encryption on node, all nodes will start again as before

My questions:

How can I setup a k3s cluster with secrets encryption?
How can I add new k3s nodes when secrets encryption is enabled?

Thank you in advance!

Original Q&A

There are 1 best solutions below

**SebastianWi** · Answer 1 · 2024-03-30T21:53:16.703000

This worked for me after several tries:

Init k3s cluster NODE-1

curl -sfL https://get.k3s.io | K3S_TOKEN=<YOUR-CLUSTER-TOKEN> sh -s - server --cluster-init --secrets-encryption

Check NODE-1 secrets encryption status with

k3s secrets-encrypt status
# Encryption Status: Enabled

Check NODE-1 cluster flags with (important: cluster-init, secrets-encryption)

nano /etc/systemd/system/k3s.service
# ...
# ExecStart=/usr/local/bin/k3s \
#    server \
#        '--cluster-init' \
#        '--secrets-encryption' \

Join next k3s Server Node NODE-2: Run on NODE-2

curl -sfL https://get.k3s.io | K3S_TOKEN=<YOUR-CLUSTER-TOKEN> sh -s - server --secrets-encryption --server <NODE-1-IP>:6443

same flags as NODE-1 (without cluster-init)
in docs (https://docs.k3s.io/datastore/ha-embedded) I left https in --server <NODE-1-IP>:6443. Join doesn't work with https for me.

Check NODE-2 secrets encryption status with

k3s secrets-encrypt status
# Encryption Status: Enabled

List all k3s cluster nodes

sudo k3s kubectl get nodes
# NAME     STATUS   ROLES                       AGE   VERSION
# NODE-1   Ready    control-plane,etcd,master   46h   v1.28.8+k3s1
# NODE-2   Ready    control-plane,etcd,master   45h   v1.28.8+k3s1

k3s HA cluster and secrets encryption

There are 1 best solutions below

Related Questions in K3S

Trending Questions

Popular # Hahtags

Popular Questions