From 87b25c5078cffe70af3053ad20a981283965c620 Mon Sep 17 00:00:00 2001 From: John Gardiner Myers Date: Sun, 11 Jul 2021 12:08:45 -0700 Subject: [PATCH] Provide more information on rotating secrets --- docs/operations/rotate-secrets.md | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/docs/operations/rotate-secrets.md b/docs/operations/rotate-secrets.md index 296e05251f..36f42e5eb7 100644 --- a/docs/operations/rotate-secrets.md +++ b/docs/operations/rotate-secrets.md @@ -150,7 +150,7 @@ Kubernetes API. To roll back this change, distribute the previous kubeconfig `certificate-authority-data`. -## Rotating encryptionconfig +## Rotating the API Server encryptionconfig See [the Kubernetes documentation](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/#rotating-a-decryption-key) for information on how to gracefully rotate keys in the encryptionconfig. 
@@ -158,9 +158,27 @@ for information on how to gracefully rotate keys in the encryptionconfig. Use `kops create secret encryptionconfig --force` to update the encryptionconfig secret. Following that, use `kops update cluster --yes` and `kops rolling-update cluster --yes`. -## Rotating other secrets +## Rotating the Cilium IPSec keys -[TODO: cilium_encryptionconfig, dockerconfig, weave_encryptionconfig] +See the Cilium documentation for information on how to gracefully rotate the Cilium IPSec keys. + +Use `kops create secret ciliumpassword --force` to update the cilium-ipsec-keys secret. +Following that, use `kops update cluster --yes` and `kops rolling-update cluster --yes`. + +## Rotating the Docker secret + +[TODO] + +Use `kops create secret dockerconfig --force` to update the Docker secret. +Following that, use `kops update cluster --yes` and `kops rolling-update cluster --yes`. + +## Rotating the Weave password + +It is not possible to rotate the Weave password without a disruptive partition of the Weave network. +As of the writing of this document, this is a limitation of Weave itself. + +Use `kops create secret weavepassword --force` to update the Docker secret. +Following that, use `kops update cluster --yes` and `kops rolling-update cluster --cloudonly --yes`. ## Legacy procedure
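Review bot: in the first hunk, renaming "## Rotating encryptionconfig" to "## Rotating the API Server encryptionconfig" changes the rendered anchor of that section, so any link elsewhere in the docs or in release notes that points at `#rotating-encryptionconfig` will stop resolving; grep the docs tree for the old anchor and update those links in the same patch, or keep the old heading text and add the "API Server" qualification in the body sentence instead.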
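Review bot: the Weave section in the second hunk has a copy-and-paste error, "Use `kops create secret weavepassword --force` to update the Docker secret." should read "... to update the Weave password." (the Docker sentence above it is the one that talks about the Docker secret). Three smaller points in the same hunk: the Docker section still ships a bare "[TODO]" line, which is the placeholder this patch set out to remove, so either write the missing guidance or drop the line; "See the Cilium documentation for information on how to gracefully rotate the Cilium IPSec keys." gives no link, unlike the preceding encryptionconfig section which links the Kubernetes page it refers to, so add the URL; and the Weave procedure is the only one that uses `kops rolling-update cluster --cloudonly --yes`, so a sentence explaining that `--cloudonly` is needed because the partition described two lines earlier would make a validated rolling update fail would help the reader understand why this section differs from the others.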