The deployment applies not only software updates via the manifest but also configuration changes. For plain-text properties, updating the environment variables causes Kubernetes to restart the container automatically and hence reload the configuration.
Secrets, however, are stored differently: when a secret changes, Kubernetes does not know to restart the containers that use it. In the configuration example, REGISTRY_KEY is a secret, but REGISTRY_KEY_SHA is plain text.
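| target | aks_work_space | name_space | REGISTRY_KEY | REGISTRY_KEY_SHA |
|--------|----------------|------------|--------------|------------------|
| TEST | aks_prep | test | $env:REGISTRY_KEY | FD6346C8432462ED2DBA6... |
| PROD | aks_prod | prod | $env:REGISTRY_KEY | CA3CBB1998E86F3237CA1... |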
Write the REGISTRY_KEY_SHA as a container environment variable, so that when the SHA changes, the container is automatically restarted to pick up the environment variable change, and hence the corresponding secret is also reloaded.
env {
  name  = "REGISTRY_KEY_SHA"
  value = var.REGISTRY_KEY_SHA
}
An additional benefit of this approach is that, when diagnosing an issue, the SHA can be used as an indicative verification of the secret.
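The following PowerShell sketch shows how a REGISTRY_KEY_SHA value could be derived from the secret and then used for the diagnostic comparison described above. It is an added example, not code from the original page: the SHA-256 algorithm, the function names `Get-SecretSha` and `Test-SecretSha`, and the sample keys are assumptions, since the page does not say how its SHA values are produced.

```powershell
# Added example. Assumption: SHA-256 over the UTF-8 bytes of the secret, as
# uppercase hex; the page does not name the algorithm it uses.
function Get-SecretSha {
    param([Parameter(Mandatory)][string]$Secret)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
        # BitConverter yields "AB-CD-..."; strip the dashes to get plain hex.
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', '')
    }
    finally { $sha.Dispose() }
}

# Hypothetical helper: does the SHA seen on the container match the secret we expect?
function Test-SecretSha {
    param(
        [Parameter(Mandatory)][string]$ExpectedSecret,
        [Parameter(Mandatory)][string]$DeployedSha
    )
    # -ieq makes the hex comparison explicitly case-insensitive.
    return ((Get-SecretSha -Secret $ExpectedSecret) -ieq $DeployedSha.Trim())
}

# Constructed sample values (not real keys).
$oldKey = 'constructed-registry-key-v1'
$newKey = 'constructed-registry-key-v2'

# Stands in for REGISTRY_KEY_SHA as read back from the running container.
$deployedSha = Get-SecretSha -Secret $oldKey

# The key the container was deployed with matches its SHA.
"Original key matches deployed SHA : {0}" -f (Test-SecretSha $oldKey $deployedSha)

# After rotation the SHA differs, which is what changes the environment
# variable and causes the container restart.
"Rotated key matches deployed SHA  : {0}" -f (Test-SecretSha $newKey $deployedSha)

# Exact bytes are hashed: a stray trailing newline in the stored secret
# produces a different SHA and shows up as a mismatch.
"Key plus newline matches          : {0}" -f (Test-SecretSha "$oldKey`n" $deployedSha)
```

Because the SHA is stored as plain text and is unsalted, this pattern suits high-entropy secrets such as generated registry keys; for a short or guessable secret, the hash lets anyone who can read the container spec test candidate values offline.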