
K3S secret-encryption feature enhancement to support decrypting all secrets and rotating a decryption key #3617

Closed
vakrat1 opened this issue Jul 10, 2021 · 2 comments

Comments

@vakrat1

vakrat1 commented Jul 10, 2021

Hi,
We'd like to use the --secrets-encryption option to encrypt the Secrets we create on our K3s-deployed cluster.
According to the documentation, the K3s implementation will do the following:

  • Generate an AES-CBC key
  • Generate an encryption config file with the generated key
  • Pass the config to the KubeAPI as encryption-provider-config

Once enabled, any created Secret will be encrypted with this key.

We have a use case where, while upgrading our system, we might also upgrade the K3s version/deployment.
What would happen to the AES-CBC key in that case? Would it be regenerated? If so, would that mean we need to decrypt all our Secrets first?

Is it possible to disable --secrets-encryption and rely on K3s to decrypt all the Secret resources?

Another issue is the option of rotating a decryption key: is it possible to rotate the AES-CBC key?
We need it in order to be compliant with security regulations.

Bottom line, we need to know whether we could have access to the encryption config file that is generated by K3s so we can manipulate its configuration (both the key and the order of the providers).

Thanks
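For reference, the two provider orderings the question is about, written as an added example in the upstream kube-apiserver EncryptionConfiguration format; this is not the file K3s generates (its location and layout are not covered by this issue), and the key values are placeholders, not real key material:

```yaml
# Document 1: rotating the AES-CBC key. The first provider (and, within
# aescbc, the first key) is used to encrypt new writes; every listed
# provider/key is tried when reading, so existing Secrets stay readable.
# Rotation is staged, restarting the API server after each step:
#   1. add "key2" as the SECOND key, so the server can already read data
#      written with it before any instance starts writing with it;
#   2. move "key2" to the FIRST position (shown here) so new writes use it;
#   3. rewrite every Secret so it is re-encrypted under key2, e.g.
#        kubectl get secrets -A -o json | kubectl replace -f -
#   4. remove "key1" from the list.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key2   # new key; first = used for writes
              secret: REPLACE_WITH_BASE64_OF_32_RANDOM_BYTES   # placeholder, e.g. head -c 32 /dev/urandom | base64
            - name: key1   # old key; kept only so existing ciphertext can be read
              secret: REPLACE_WITH_BASE64_OF_32_RANDOM_BYTES   # placeholder
      - identity: {}       # keeps Secrets stored before encryption was enabled readable
---
# Document 2: decrypting everything (the "disable --secrets-encryption"
# case). With identity first, new writes are stored in plaintext while
# aescbc stays listed so existing ciphertext can still be read; after
# rewriting all Secrets as in step 3 above, aescbc and its key can be dropped.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
      - aescbc:
          keys:
            - name: key2
              secret: REPLACE_WITH_BASE64_OF_32_RANDOM_BYTES   # placeholder
```

In either case the rewrite in step 3 is what actually changes what is at rest in etcd; reordering providers alone only changes how new writes are handled.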

@brandond
Member

This is being tracked under #3407

@stale

stale bot commented Jan 8, 2022

This repository uses a bot to automatically label issues which have not had any activity (commit/comment/label) for 180 days. This helps us manage the community issues better. If the issue is still relevant, please add a comment to the issue so the bot can remove the label and we know it is still valid. If it is no longer relevant (or possibly fixed in the latest release), the bot will automatically close the issue in 14 days. Thank you for your contributions.

@stale stale bot added the status/stale label Jan 8, 2022
@stale stale bot closed this as completed Jan 22, 2022