Enable on RKE

Enable the KMS Provider Plugin

Create the KMS provider plugin file

trousseau-vault-encryptionconfiguration.yml
---
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: trousseau-vault-plugin
          endpoint: unix:///opt/trousseau-kms/vaultkms.socket
          cachesize: 1000
      - identity: {} 

RKE 1

TBA

RKE 2

RKE2 Encryption at Rest

By default, an RKE2 installation already encrypts secrets at rest with an aesgcm or aescbc provider (see Kubernetes Secrets Management for more details).

If you plan to enable Trousseau on an existing RKE2 deployment, please refer to the section dedicated to existing deployments.

Create the RKE2 configuration file /etc/rancher/rke2/config.yaml:

trousseau-rke2-config.yml
---
kube-apiserver-arg:
  - "--encryption-provider-config=/var/lib/rancher/rke2/server/cred/trousseau-vault-encryptionconfiguration.yml" 
kube-apiserver-extra-mount:
  - "/opt/vault-kms:/opt/vault-kms"
tls-san:
  - FQDN      # replace with your cluster FQDN like cluster.mydomain.io or my.cluster.local
* Create the Trousseau DaemonSet file trousseau-vault-daemonset.yml in the /var/lib/rancher/rke2/server/manifests/ folder; RKE2 applies every manifest placed in that folder automatically.
* Create the trousseau-vault-encryptionconfiguration.yml in the /var/lib/rancher/rke2/server/cred/ folder, the path referenced by --encryption-provider-config above. The directory holding the socket named in its endpoint must be one of the paths listed under kube-apiserver-extra-mount, otherwise the kube-apiserver container cannot reach the plugin and will fail to start.
* Verify the Trousseau deployment status:
kubectl get pod -n kube-system
* Restart your API server only once Trousseau has been up and running for at least 60 seconds without any restart:
systemctl restart rke2-server
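As an added example (not part of the Trousseau or RKE2 documentation), the following POSIX shell script performs the pre-flight checks implied by the steps above before the restart: it reads the socket path from the EncryptionConfiguration, checks that the socket directory is covered by a kube-apiserver-extra-mount entry in config.yaml, checks that the socket actually exists on the host, and parses `kubectl get pod -n kube-system --no-headers` to confirm the Trousseau pods are Running, fully Ready, have never restarted and are at least 60 seconds old. The file paths are the ones used on this page; the "trousseau" pod-name filter and the --run flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of Trousseau or RKE2: pre-flight checks to run on an
# RKE2 server node before "systemctl restart rke2-server". Paths are the ones
# used on this page; the "trousseau" pod-name filter is an assumption.

ENC_CFG=/var/lib/rancher/rke2/server/cred/trousseau-vault-encryptionconfiguration.yml
RKE2_CFG=/etc/rancher/rke2/config.yaml

# Print the KMS socket path named by the first "endpoint:" line of an
# EncryptionConfiguration file ("unix:///a/b.sock" -> "/a/b.sock").
kms_socket_path() {
  ep=$(sed -n 's/^[[:space:]]*endpoint:[[:space:]]*//p' "$1" | head -n 1 | tr -d "\"' ")
  [ -n "$ep" ] || return 1
  printf '%s\n' "${ep#unix://}"
}

# Succeed if a kube-apiserver-extra-mount entry ("host:container[:opts]") in
# an RKE2 config.yaml exposes directory $2 inside the kube-apiserver container.
mount_covers_dir() {
  sed -n '/^kube-apiserver-extra-mount:/,/^[^[:space:]-]/p' "$1" \
    | sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' \
    | while IFS= read -r m; do
        cpath=$(printf '%s' "$m" | cut -d: -f2 | sed 's/[[:space:]]*$//')
        case "$2" in "$cpath"|"$cpath"/*) echo match ;; esac
      done | grep -q match
}

# Convert a kubectl AGE value such as 45s, 2m, 3h, 2d or 1h5m to seconds.
age_to_seconds() {
  total=0; rest=$1
  while [ -n "$rest" ]; do
    num=${rest%%[!0-9]*}; rest=${rest#"$num"}     # leading digits
    unit=${rest%%[0-9]*}; rest=${rest#"$unit"}    # unit letter that follows
    case "$unit" in
      s) total=$((total + num)) ;;
      m) total=$((total + num * 60)) ;;
      h) total=$((total + num * 3600)) ;;
      d) total=$((total + num * 86400)) ;;
      *) return 1 ;;
    esac
  done
  echo "$total"
}

# Read "kubectl get pod -n kube-system --no-headers" on stdin and succeed only
# if every pod whose name contains "trousseau" is Running, fully Ready, has
# never restarted and is at least $1 (default 60) seconds old.
trousseau_pods_stable() {
  min=${1:-60}; found=0
  while IFS= read -r line; do
    set -- $line                        # NAME READY STATUS RESTARTS ... AGE
    [ $# -ge 5 ] || continue
    name=$1; ready=$2; status=$3; restarts=$4
    for w; do age=$w; done              # AGE is always the last column
    case "$name" in *trousseau*) ;; *) continue ;; esac
    found=1
    [ "$status" = Running ] || return 1
    [ "${ready%/*}" = "${ready#*/}" ] || return 1   # e.g. 1/1, not 0/1
    [ "$restarts" = 0 ] || return 1
    secs=$(age_to_seconds "$age") || return 1
    [ "$secs" -ge "$min" ] || return 1
  done
  [ "$found" -eq 1 ]
}

# Run every check; fail on the first problem so the restart can be gated on it.
preflight() {
  sock=$(kms_socket_path "$ENC_CFG") || { echo "no endpoint in $ENC_CFG"; return 1; }
  dir=$(dirname "$sock")
  mount_covers_dir "$RKE2_CFG" "$dir" \
    || { echo "$dir is not listed under kube-apiserver-extra-mount in $RKE2_CFG"; return 1; }
  [ -S "$sock" ] || { echo "no unix socket at $sock (is the DaemonSet running?)"; return 1; }
  kubectl get pod -n kube-system --no-headers | trousseau_pods_stable 60 \
    || { echo "Trousseau pods not Running for 60s without restarts"; return 1; }
  echo "pre-flight OK: safe to run 'systemctl restart rke2-server'"
}

# Only run the checks when invoked with --run (assumed flag), e.g.
#   sh preflight.sh --run && systemctl restart rke2-server
case "${1:-}" in --run) preflight ;; esac
```

The script deliberately stops before restarting anything: gating `systemctl restart rke2-server` on its exit status means an API server is never restarted against a socket path it cannot reach, which would otherwise leave the control plane unable to come back up.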