Encrypt Kubernetes secrets in etcd

This guide is for kubeadm clusters, where etcd runs as a static pod. On the master, create the following file at /etc/kubernetes/etcd/enc.yaml (create the folder if it does not exist):

apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - aescbc:
      keys:
      - name: key1
        secret: {{ BASE_64_ENCODED_SECRET }}
  - identity: {}

Generate the secret and put it in the file above in place of {{ BASE_64_ENCODED_SECRET }}:

head -c 32 /dev/urandom | base64

Set the --encryption-provider-config flag on the kube-apiserver to point to the location of the config file. To do so, edit /etc/kubernetes/manifests/kube-apiserver.yaml and add:

...
spec:
  containers:
  - command:
    - kube-apiserver
...
    - --encryption-provider-config=/etc/kubernetes/etcd/enc.yaml  # add this line
...
    volumeMounts:
    ...
    - name: etcdenc                       # add this line
      mountPath: /etc/kubernetes/etcd     # add this line
      readOnly: true                      # add this line
    ...
  volumes:
...
  - name: etcdenc                         # add this line
    hostPath:                             # add this line
      path: /etc/kubernetes/etcd          # add this line
      type: DirectoryOrCreate             # add this line
...

Save the file and wait for the API server to restart.

Test by creating a secret and dumping its contents.
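
One way to run that test, as an added example that is not part of the original guide: a POSIX shell helper that confirms the generated key decodes to 32 bytes and classifies a raw etcd value by its storage prefix. The function names are hypothetical, and the etcdctl certificate paths (kubeadm defaults) and the secret name secret1 in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# key_len_ok B64: succeeds only if B64 decodes to 32 bytes, the size the
# guide generates with `head -c 32 /dev/urandom | base64`.
key_len_ok() (
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" = 32 ]
)

# classify_etcd_value: reads a raw etcd value on stdin and reports how it is
# stored. Encrypted values start with "k8s:enc:<provider>:v1:<key name>:";
# anything else was written unencrypted (identity provider, or before
# encryption was enabled).
classify_etcd_value() (
  # Keep only the header; map non-printable bytes to '.' so binary
  # ciphertext cannot break the string handling below.
  v=$(head -c 80 | LC_ALL=C tr -c '[:print:]' '.')
  case "$v" in
    k8s:enc:*)
      rest=${v#k8s:enc:}        # <provider>:v1:<key name>:<ciphertext>
      provider=${rest%%:*}
      rest=${rest#*:}           # drop provider
      rest=${rest#*:}           # drop version
      echo "encrypted provider=$provider key=${rest%%:*}" ;;
    *)
      echo "plaintext" ;;
  esac
)

# Usage on the master (cert paths are kubeadm defaults; secret1 is a
# constructed name):
#   kubectl create secret generic secret1 -n default --from-literal=k=v
#   ETCDCTL_API=3 etcdctl \
#     --cacert=/etc/kubernetes/pki/etcd/ca.crt \
#     --cert=/etc/kubernetes/pki/etcd/server.crt \
#     --key=/etc/kubernetes/pki/etcd/server.key \
#     get /registry/secrets/default/secret1 --print-value-only \
#     | classify_etcd_value
# Expected with the config above: encrypted provider=aescbc key=key1
```

A result of plaintext for a secret created after the API server restarted means the encryption config is not in effect.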

Next: Recreate all secrets after enabling etcd encryption in Kubernetes