Marko Mikulicic
btw, if you use the (still experimental and opt-in) key-rotation feature (#137), then having two replicas does get in the way because each will periodically create a new secret and...
@drewboswell that's interesting; can you please share your measurements? how many secrets, how much time to converge, which version, etc? (that would help with prioritization)
Not currently, but it is an interesting feature! It could be modeled as a generalization of the "managed" secrets annotation, which allows the sealed secrets controller to overwrite an existing secret...
the ticket has been closed by a bot, fwiw; I still think this is a nice feature; I don't have the bandwidth but I'll be happy to discuss design with...
I like the gRPC option. I think the sidecar approach is particularly useful because it allows one to trivially decouple the crypto modules from the project itself. would you envision creating...
> but why do a socket if you can bind to 127.0.0.1?

because this means other sidecars (possibly injected by mutating webhook) would also share the network namespace and thus...
> And then having an initContainer only, that puts the provider binary at a well-known directory (drop-in directory style) and spawning the process is handled by sealed-secrets.

problems:

* if...
Currently we have a dummy schema in the `schema-v1alpha1.yaml` file:

```
openAPIV3Schema:
  type: object
  properties:
    spec:
      type: object
      x-kubernetes-preserve-unknown-fields: true
    status:
      x-kubernetes-preserve-unknown-fields: true
```

It's shared by the jsonnet and...
Can somebody TL;DR me why `x-kubernetes-preserve-unknown-fields: true` wouldn't work nowadays in the `encryptedData` sub-object?
Awesome! will take a look there!