In Kubernetes I have a Deployment that uses a secret and injects it as environment variables:
    apiVersion: apps/v1
    kind: Deployment
    ...
            envFrom:
            - secretRef:
                name: api-env
I need to update some of the environment variables, so I deleted the secret api-env and created it again with the updated values.
How do I trigger the deployment to update itself with the new env secrets without any downtime?
I see a few alternatives, in order of viability:
kubectl rollout restart deployment $deploymentname: this will restart pods incrementally without causing downtime.
For older versions: Updating the deployment template will trigger a rollout. From this issue:
    kubectl patch deployment mydeployment -p '{"spec":{"template":{"spec":{"containers":[{"name":"mycontainer","env":[{"name":"RESTART_","value":"'$(date +%s)'"}]}]}}}}'
Mount secrets on volumes instead of as environment variables, as Mounted Secrets are updated automatically.
One approach is to consider the Secret/ConfigMap as immutable and, when creating a new one, change the deployment to point to it.
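
The immutable-Secret approach above, as an added example that is not code from the original posts: the Secret name carries a content hash, so any change to the values changes the pod template and triggers a normal rolling update. The function names, the env-file argument, and the assumption that the Secret is `envFrom[0]` of container 0 are hypothetical.

```shell
#!/bin/sh
# Added example: versioned Secret names derived from the env file's content.
# Assumed: the Deployment references the Secret at containers[0].envFrom[0].

# Print "<base>-<first 10 hex chars of the SHA-256 of the env file>".
# Note: the suffix is a truncated hash of secret material; for low-entropy
# values prefer a plain version counter as the suffix instead.
secret_name_for() {
    base=$1
    file=$2
    hash=$(sha256sum "$file" | cut -c1-10)
    printf '%s-%s\n' "$base" "$hash"
}

# Build the JSON patch that repoints envFrom[0] of container 0 to a new Secret.
envfrom_patch() {
    printf '[{"op":"replace","path":"/spec/template/spec/containers/0/envFrom/0/secretRef/name","value":"%s"}]\n' "$1"
}

# Create the new Secret if absent, repoint the Deployment, wait for the rollout.
# The previous Secret is left in place so running pods and rollbacks still work.
rollout_with_new_secret() {
    deploy=$1
    base=$2
    file=$3
    name=$(secret_name_for "$base" "$file")
    kubectl get secret "$name" >/dev/null 2>&1 ||
        kubectl create secret generic "$name" --from-env-file="$file"
    kubectl patch deployment "$deploy" --type=json -p "$(envfrom_patch "$name")"
    kubectl rollout status "deployment/$deploy"
}

# Usage: ./rotate.sh <deployment> <secret-base-name> <env-file>
if [ "$#" -eq 3 ]; then
    rollout_with_new_secret "$@"
fi
```

Because the old Secret is never deleted during the change, pods from the previous ReplicaSet keep starting correctly until the rollout finishes; remove stale Secrets only after the new revision is healthy.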