I am trying to configure the kube-apiserver so that it uses encryption to configure secrets in my minikube cluster.

For that, I have followed the documentation on kubernetes.io but got stuck at step 3, which says:

Set the --encryption-provider-config flag on the kube-apiserver to point to the location of the config file.

I have discovered the option --extra-config on minikube start and have tried starting my setup using

minikube start --extra-config=apiserver.encryption-provider-config=encryptionConf.yaml

but naturally it doesn't work, as encryptionConf.yaml is located in my local file system and not in the pod that's spun up by minikube. The error minikube log gives me is:

error: error opening encryption provider configuration file "encryptionConf.yaml": open encryptionConf.yaml: no such file or directory

What is the best practice to get the encryption configuration file onto the kube-apiserver? Or is minikube perhaps the wrong tool to try out these kinds of things?

2 Answers

Aman Juneja On

Based on the driver used, some directories are mounted onto your minikube VM. Check this link: https://kubernetes.io/docs/setup/minikube/#mounted-host-folders

Also, ~/.minikube/files is mounted into the VM at /files. So you can keep your files there and use that path for the API server config.

Patrick On

I found the solution myself in this GitHub issue where they have a similar issue for passing a configuration file. The comment that helped me was the slightly hacky solution that made use of the fact that the directory /var/lib/localkube/certs/ from the minikube VM is mounted into the apiserver.

So my final solution was to run

minikube mount .:/var/lib/minikube/certs/hack

where in the current directory I had my encryptionConf.yaml and then start minikube like so

minikube start --extra-config=apiserver.encryption-provider-config=/var/lib/minikube/certs/hack/encryptionConf.yaml
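Both answers assume an encryptionConf.yaml already exists. The following is an added example (not part of the question or either answer) that creates such a file with a random 32-byte aescbc key and owner-only permissions, and checks a file before it is handed to the apiserver; the function names and the key name key1 are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: create and sanity-check the encryptionConf.yaml from the question.
# gen_encryption_conf, check_encryption_conf and "key1" are illustrative names.

# Write an EncryptionConfiguration with a fresh random 32-byte aescbc key.
gen_encryption_conf() {
  _out="$1"
  _key="$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
  # The file holds the key protecting every Secret: create it owner-only.
  ( umask 077
    cat > "$_out" <<EOF
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: ${_key}
      - identity: {}
EOF
  )
  chmod 600 "$_out"   # also tightens a pre-existing file
}

# Return 0 only if the first listed provider is not "identity" (the first
# provider is the one used for writes) and every key decodes to 32 bytes,
# the length generated above.
check_encryption_conf() {
  _file="$1"
  _first="$(awk '/providers:/ {p=1; next} p && /^ *- / {gsub(/^ *- /,""); print; exit}' "$_file")"
  case "$_first" in
    identity*) echo "first provider is identity: new writes stay unencrypted" >&2; return 1 ;;
  esac
  _found=0
  for _secret in $(awk '$1 == "secret:" {print $2}' "$_file"); do
    _found=1
    _len="$(printf '%s' "$_secret" | base64 -d 2>/dev/null | wc -c | tr -d ' ')"
    [ "$_len" -eq 32 ] || { echo "key decodes to $_len bytes, expected 32" >&2; return 1; }
  done
  [ "$_found" -eq 1 ]   # fail if no key was found at all
}
```

The generated file contains the key in clear text, so keep it out of version control and out of any directory shared more widely than the apiserver needs.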