Restart Deployment On Secret Change
If Secrets are mounted in ways which do not naturally allow updates to be live refreshed, it may be necessary to modify a Deployment. This policy watches a Secret and, if it changes, writes an annotation to one or more target Deployments, thus triggering a new rollout and thereby refreshing the referenced Secret. It may be necessary to grant additional privileges to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new one, so it can modify Deployments.
Policy Definition
/other/restart_deployment_on_secret_change/restart_deployment_on_secret_change.yaml
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restart-deployment-on-secret-change
  annotations:
    policies.kyverno.io/title: Restart Deployment On Secret Change
    policies.kyverno.io/category: other
    policies.kyverno.io/severity: medium
    policies.kyverno.io/subject: Deployment
    kyverno.io/kyverno-version: 1.7.0
    policies.kyverno.io/minversion: 1.7.0
    kyverno.io/kubernetes-version: "1.23"
    policies.kyverno.io/description: >-
      If Secrets are mounted in ways which do not naturally allow updates to
      be live refreshed it may be necessary to modify a Deployment. This policy
      watches a Secret and if it changes will write an annotation
      to one or more target Deployments thus triggering a new rollout and thereby
      refreshing the referred Secret. It may be necessary to grant additional privileges
      to the Kyverno ServiceAccount, via one of the existing ClusterRoleBindings or a new
      one, so it can modify Deployments.
spec:
  mutateExistingOnPolicyUpdate: false
  rules:
  - name: update-secret
    match:
      any:
      - resources:
          kinds:
          - Secret
          names:
          - mysecret
          namespaces:
          - default
    preconditions:
      all:
      - key: "{{request.operation || 'BACKGROUND'}}"
        operator: Equals
        value: UPDATE
    mutate:
      targets:
      - apiVersion: apps/v1
        kind: Deployment
        name: busybox
        namespace: default
      patchStrategicMerge:
        spec:
          template:
            metadata:
              annotations:
                ops.corp.com/triggerrestart: "{{request.object.metadata.resourceVersion}}"
```
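As an added example (not part of the policy above or of the Kyverno policy library), a least-privilege grant for the Deployment modification the description says may be required: a namespaced Role limited to the one target Deployment, bound to Kyverno's ServiceAccount. The ServiceAccount name and namespace (`kyverno` in `kyverno`, the Helm chart defaults around the policy's minimum version) are assumptions; newer releases run mutate-existing rules from a separate background-controller ServiceAccount, so bind to whichever account actually executes the rule.

```yaml
# Added example, not part of the Kyverno policy library.
# Assumptions: Kyverno runs as ServiceAccount "kyverno" in namespace "kyverno";
# the target is Deployment "busybox" in "default", matching the policy's targets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kyverno-restart-busybox
  namespace: default              # namespaced Role: no cluster-wide grant
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  resourceNames: ["busybox"]      # only the Deployment the policy targets
  verbs: ["get", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kyverno-restart-busybox
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kyverno-restart-busybox
subjects:
- kind: ServiceAccount
  name: kyverno                   # assumption: the account that runs the rule
  namespace: kyverno
```

Confirm the grant with `kubectl auth can-i patch deployments/busybox -n default --as=system:serviceaccount:kyverno:kyverno` before updating `mysecret`. If the Kyverno log reports a forbidden `list` on deployments, `resourceNames` cannot cover list requests, so drop it and add `list` to the verbs.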