mirror of https://github.com/rancher/rke.git synced 2025-09-17 15:40:07 +00:00
RKE will panic if we enable rotate_encryption_key but disable secrets_encryption_config when creating a cluster. The panic happens because RKE tries to use the rkeConfig, which does not exist. The rkeConfig will be made after the rke up command succeeds.
Solution:
Skip the rotateEncryptionKey operation when creating a new cluster. In this case the keys are being created for the first time, so there is no need to rotate them.
Jiaqi Luo
2022-02-16 17:37:53 -07:00
parent 995461240c
commit 9395426834
2 changed files with 5 additions and 2 deletions


@@ -91,7 +91,7 @@ func RotateEncryptionKey(
return APIURL, caCrt, clientCert, clientKey, nil, fmt.Errorf("can't rotate encryption keys: Key Rotation is not supported with custom configuration") return APIURL, caCrt, clientCert, clientKey, nil, fmt.Errorf("can't rotate encryption keys: Key Rotation is not supported with custom configuration")
} }
if !kubeCluster.IsEncryptionEnabled() { if !kubeCluster.IsEncryptionEnabled() {
return APIURL, caCrt, clientCert, clientKey, nil, fmt.Errorf("can't rotate encryption keys: Encryption Configuration is disabled") return APIURL, caCrt, clientCert, clientKey, nil, fmt.Errorf("can't rotate encryption keys: Encryption Configuration is disabled. Please disable rotate_encryption_key and run rke up again")
} }
kubeCluster.Certificates = rkeFullState.DesiredState.CertificatesBundle kubeCluster.Certificates = rkeFullState.DesiredState.CertificatesBundle


@@ -104,8 +104,11 @@ func ClusterUp(ctx context.Context, dialersOptions hosts.DialersOptions, flags c
} }
// if we need to rotate the encryption key, do so and then return // if we need to rotate the encryption key, do so and then return
if kubeCluster.RancherKubernetesEngineConfig.RotateEncryptionKey { if kubeCluster.RancherKubernetesEngineConfig.RotateEncryptionKey {
// rotate the encryption key only when updating an existing cluster
if clusterState.CurrentState.RancherKubernetesEngineConfig != nil {
return RotateEncryptionKey(ctx, clusterState.CurrentState.RancherKubernetesEngineConfig.DeepCopy(), dialersOptions, flags) return RotateEncryptionKey(ctx, clusterState.CurrentState.RancherKubernetesEngineConfig.DeepCopy(), dialersOptions, flags)
} }
}
log.Infof(ctx, "Building Kubernetes cluster") log.Infof(ctx, "Building Kubernetes cluster")
err = kubeCluster.SetupDialers(ctx, dialersOptions) err = kubeCluster.SetupDialers(ctx, dialersOptions)
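Review bot: When `RotateEncryptionKey` is true but `clusterState.CurrentState.RancherKubernetesEngineConfig` is nil, the new inner `if` falls through to "Building Kubernetes cluster" without any message, so an operator who asked for rotation has no record that it was skipped. In the scenario the description gives (rotation requested, secrets encryption disabled), the cluster also comes up with no hint that secrets are not encrypted at rest. I would add an `else` branch that logs the decision, for example `log.Infof(ctx, "Skipping encryption key rotation: no current cluster state found")`. The hunk does not show whether a nil current config can also arise from a missing or unreadable state file on an existing cluster; if it can, a silent skip is more worrying there and the message should make it visible. `ClusterUp` starts and ends outside this hunk.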