Reputation: 31
I have an AzureKeyVaultSecret object YAML. I don't want to use the output tag to sync my secret from Azure Key Vault to Kubernetes. How can I automatically get my pod/Deployment/StatefulSet to restart when the secret in AKV (Azure Key Vault) is changed/updated?
Upvotes: 2
Views: 2140
Reputation: 418
To perform this task, you need an event, so that you can trigger a function/logic app as soon as there is a change in the secret.
To restart the deployment, you can use this client library available in all languages: https://github.com/kubernetes-client
C# client library: https://github.com/kubernetes-client/csharp
See the example to restart the deployment: https://github.com/kubernetes-client/csharp/tree/master/examples/restart
You can consume the k8s API in the Azure Function itself.
Upvotes: 0
Reputation: 2275
This is going to be a multi-step scenario. Key Vault can be configured to send a message to an Event Hub when a secret changes:
https://learn.microsoft.com/en-us/azure/key-vault/general/event-grid-overview
You can configure a Function App or a Logic App to listen to the event hub and respond accordingly.
https://learn.microsoft.com/en-us/azure/connectors/connectors-create-api-azure-event-hubs
https://learn.microsoft.com/en-us/azure/azure-functions/functions-bindings-event-hubs
The responding app can then perform the actions that you need to have happen - restart the pod/deployment/statefulset using PowerShell/CLI/ARM or whatever the correct method is.
https://learn.microsoft.com/en-us/azure/aks/start-stop-cluster
Upvotes: 0
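One way to wire the two answers together, as an added example that is not code from the thread or from the kubernetes-client project: a handler core that accepts a Key Vault event in the Event Grid schema, checks it against an allow-list, and builds the same `restartedAt` patch that `kubectl rollout restart` applies. The vault name, secret name, namespaces and workload names are assumptions made up for illustration.

```python
import json
from datetime import datetime, timezone

# Assumed values (not from the thread): the vault to trust and which
# workloads consume which secret. Anything not listed is never restarted.
ALLOWED_VAULT = "example-vault"
RESTART_MAP = {
    "db-password": [("deployments", "prod", "api"),
                    ("statefulsets", "prod", "worker")],
}
RESTART_EVENTS = {"Microsoft.KeyVault.SecretNewVersionCreated"}


def plan_restarts(event, now=None):
    """Return (api_path, patch_body) pairs for the workloads to restart.

    An empty list means the event is ignored: wrong event type, wrong
    vault, not a secret, or a secret no workload is mapped to.
    """
    if event.get("eventType") not in RESTART_EVENTS:
        return []
    data = event.get("data") or {}
    if data.get("VaultName") != ALLOWED_VAULT or data.get("ObjectType") != "Secret":
        return []
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    # Changing a pod-template annotation triggers a rolling restart.
    patch = {"spec": {"template": {"metadata": {"annotations": {
        "kubectl.kubernetes.io/restartedAt": stamp}}}}}
    return [(f"/apis/apps/v1/namespaces/{ns}/{kind}/{name}", patch)
            for kind, ns, name in RESTART_MAP.get(data.get("ObjectName"), [])]


# Constructed sample event (Event Grid schema), not captured from a real vault.
SAMPLE_EVENT = {
    "eventType": "Microsoft.KeyVault.SecretNewVersionCreated",
    "subject": "db-password",
    "data": {"VaultName": "example-vault", "ObjectType": "Secret",
             "ObjectName": "db-password", "Version": "0000"},
}

if __name__ == "__main__":
    for path, body in plan_restarts(SAMPLE_EVENT):
        print("PATCH", path, json.dumps(body))
```

Each pair is sent to the cluster API server as a PATCH with `Content-Type: application/strategic-merge-patch+json`; the identity the function uses only needs the `patch` verb on the listed workloads.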