From 7a798ebb20e0f8735d70c67208153430435aabd2 Mon Sep 17 00:00:00 2001
From: Ethan Mosbaugh
Date: Mon, 22 Dec 2025 06:29:19 -0800
Subject: [PATCH 1/2] fix(kurl): do not overwrite encryption key when there is a server error
---
 deploy/kurl/kotsadm/template/base/install.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/deploy/kurl/kotsadm/template/base/install.sh b/deploy/kurl/kotsadm/template/base/install.sh
index e86b41d000..99ac83aed0 100644
--- a/deploy/kurl/kotsadm/template/base/install.sh
+++ b/deploy/kurl/kotsadm/template/base/install.sh
@@ -290,7 +290,9 @@ function kotsadm_api_encryption_key() {
 local src="$DIR/addons/kotsadm/$KOTSADM_VERSION"
 local dst="$DIR/kustomize/kotsadm"
- local API_ENCRYPTION=$(kubernetes_secret_value default kotsadm-encryption encryptionKey)
+ local API_ENCRYPTION_ENCODED API_ENCRYPTION
+ API_ENCRYPTION_ENCODED=$(kubectl -n default get secret kotsadm-encryption -ojsonpath="{ .data.encryptionKey }" 2>/dev/null)
+ API_ENCRYPTION=$(echo "$API_ENCRYPTION_ENCODED" | base64 --decode)
 if [ -z "$API_ENCRYPTION" ]; then
 # 24 byte key + 12 byte nonce, base64 encoded. This is separate from the base64 encoding used
From 1b5e50f7d13205b94c62515aa07de0efc8891527 Mon Sep 17 00:00:00 2001
From: Ethan Mosbaugh
Date: Mon, 22 Dec 2025 06:47:51 -0800
Subject: [PATCH 2/2] f
---
 deploy/kurl/kotsadm/template/base/install.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deploy/kurl/kotsadm/template/base/install.sh b/deploy/kurl/kotsadm/template/base/install.sh
index 99ac83aed0..1407b6dfb3 100644
--- a/deploy/kurl/kotsadm/template/base/install.sh
+++ b/deploy/kurl/kotsadm/template/base/install.sh
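Review bot: In the PATCH 1/2 hunk, a failed lookup or decode can still look like "no key exists": if `kubectl` or `base64 --decode` fails, the variable is left empty and the `[ -z "$API_ENCRYPTION" ]` branch below takes the path meant for a missing key. Splitting `local` from the assignments exposes the exit status, but nothing in the hunk acts on it. The fix therefore holds only if errexit is active where this function runs, which is not visible here; errexit is ignored when a function is called from a condition or an `&&`/`||` list. I would make the failure explicit on the decode line, `API_ENCRYPTION=$(echo "$API_ENCRYPTION_ENCODED" | base64 --decode) || return 1`, and add the same `|| return 1` to the `kubectl` assignment as it stands after PATCH 2/2. The function body continues past the end of the hunk, so what consumes the value is outside this view.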
@@ -291,7 +291,7 @@ function kotsadm_api_encryption_key() {
 local dst="$DIR/kustomize/kotsadm"
 local API_ENCRYPTION_ENCODED API_ENCRYPTION
- API_ENCRYPTION_ENCODED=$(kubectl -n default get secret kotsadm-encryption -ojsonpath="{ .data.encryptionKey }" 2>/dev/null)
+ API_ENCRYPTION_ENCODED=$(kubectl -n default get secret kotsadm-encryption --ignore-not-found -ojsonpath="{ .data.encryptionKey }")
 API_ENCRYPTION=$(echo "$API_ENCRYPTION_ENCODED" | base64 --decode)
 if [ -z "$API_ENCRYPTION" ]; then
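Review bot: The `kubectl` assignment is missing a comment explaining why `--ignore-not-found` replaced `2>/dev/null`, and a later cleanup could easily revert the swap without one. I would add above the assignment: `# --ignore-not-found: a missing secret gives empty output and exit 0; any other kubectl error stays non-zero, so an existing key is never regenerated`. The commit subject `f` does not record the reasoning, so the comment would be the only place it lives once the two patches are squashed.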