Encryption at Rest secret created in wrong cluster (seed) causes cluster creation to hang #7717

@adoi

What happened

When creating a cluster with Encryption at Rest enabled via the API/UI, the encryption secret is created in the seed cluster's kubermatic namespace (which doesn't exist in shared environments). It should be created in the master cluster's kubermatic namespace. This causes the cluster to get stuck in the Creating phase because the encryption-secret-synchronizer controller expects the secret in the master cluster.

Expected behavior

The encryption secret should be created in the master cluster's kubermatic namespace. The encryption secret synchronizer will then sync it to the appropriate seed cluster.

How to reproduce

  1. Deploy KKP with separate master and seed clusters
  2. Create a new user cluster with EAR enabled
  3. The cluster gets stuck at Creating phase

Current workaround

Manually create the encryption secret in the master cluster's kubermatic namespace.

Labels: backport-needed, customer-request, kind/bug, sig/ui
