Angus Lees

Results 86 comments of Angus Lees

I think the solution here requires preserving both the old and new CA key for some overlapping period during the renewal. This also means publishing a "caBundle" rather than just...

Interesting use case - makes sense. Previously I had considered multiple key support to be important for key rotation, but this implies we will want other keys that persist indefinitely...

@mellena1 right, your case above is covered by the existing namespace verification when decrypting. See everywhere that mentions "namespace" in the README (in Usage and Details sections) ;) I would...

Thanks for the report. Yep, the input is assumed to only be a single document, not a full YAML stream atm. We can change that, but obviously that would only...

(This is also a question phrased as a bug report. I'd like to know why we need the rootfs DiffIDs, and why it should be in the config object, as...

After a lengthy [irc discussion](http://ircbot.wl.linuxfoundation.org/eavesdrop/%23opencontainers/%23opencontainers.2018-03-27.log.html), I've learned:
- @stevvooe is very patient :)
- The image config includes `rootfs` because
  1. the historically important runtime implementation used the hash of...

The suggestion is still to drop rootfs to ignored. The recognition above is that that will break existing clients and so requires some sort of deprecation/notification process.

> Should this...

Sounds reasonable. Just to put it out there, I think you've described a "push" pod update mechanism. Another approach might be "pull": The operator could notify the sidecars when the...

Following the title of this issue, it would be great if locksmithctl called out to a separate tool, and rebooted iff that tool exited 0 (for example). I'd like to...

Agreed, the focus should be on whether killing+restarting this container would help. This isn't a substitute for more comprehensive monitoring. A quite reasonable first step is to do no extra...