This step relies on the kube-apiserver's ability to decrypt secrets with the old key and then re-encrypt them with the new one.
The following command retrieves all secrets and forces the kube-apiserver to replace them, triggering re-encryption with the new primary key.
Re-encrypt Existing Secrets
This command re-encrypts all secrets, including system secrets. It's recommended that this be performed in a controlled maintenance window.