K8s workloads are redeployed when their dependent secrets change
Both Chef-managed and Kubernetes-managed workloads currently use GKMS-encrypted files in GCS buckets as the single source of truth for secrets. This might change in the future, but in the interest of taking small steps during the k8s migration it may be wise to see whether we can build a workflow around this as it stands.
These files are updated from developer workstations using <chef-repo>/bin/gkms-vault-edit. When these scripts are run, master deployment pipelines could (should?) be triggered for the monorepos gitlab-com and gitlab-helmfiles, and the helm releases upgraded in those pipelines should then fetch the latest values of these GKMS secrets.
From a Slack conversation with @ggillies.
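The missing piece in the workflow above is how a helm upgrade that merely re-reads the same Secret name causes a rollout at all: Kubernetes only restarts pods when the pod template changes, so the usual approach is to stamp a digest of the secret values into a pod-template annotation. The script below is an added example written for this issue, not code from gitlab-com, gitlab-helmfiles or chef-repo. It assumes the GKMS file has already been decrypted to a local path (the decryption step itself is out of scope here), and the annotation key checksum/gkms-secrets, the values path podAnnotations and the helper names are all assumptions for illustration. Only the SHA-256 digest of the secret values ever reaches the cluster object, never the values themselves.

```shell
#!/bin/sh
# Added example (not from gitlab-com / gitlab-helmfiles / chef-repo):
# decide whether a workload must be rolled because the GKMS secret file it
# depends on changed, and produce the helm argument that forces the roll.
# Assumes the GKMS-encrypted file has already been decrypted to a local path.

set -eu

# Portable SHA-256: coreutils sha256sum on Linux, shasum on macOS.
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Digest of the decrypted secret values. Only the digest leaves this function,
# so the annotation written later never exposes the secret material itself.
secret_checksum() {
    sha256_file "$1"
}

# Compare the digest recorded on the running workload (value of the assumed
# pod-template annotation checksum/gkms-secrets, as read from the live
# Deployment) with the digest of the current secret file.
# Prints "redeploy" when they differ, "up-to-date" otherwise.
needs_redeploy() {
    recorded="$1"
    secret_file="$2"
    current=$(secret_checksum "$secret_file")
    if [ "$recorded" = "$current" ]; then
        echo "up-to-date"
    else
        echo "redeploy"
    fi
}

# Render the helm --set argument that stamps the digest into the pod template.
# A changed secret changes the template, so Kubernetes rolls the pods even
# though the Secret object keeps the same name. Key and values path are
# assumptions for this example, not the real charts' schema.
checksum_set_arg() {
    printf 'podAnnotations.checksum/gkms-secrets=%s\n' "$(secret_checksum "$1")"
}

# --- constructed sample input (not real secret values) ---
demo() {
    tmp=$(mktemp -d)
    printf 'db_password: example-v1\n' > "$tmp/secrets.yaml"
    recorded=$(secret_checksum "$tmp/secrets.yaml")   # what the cluster has now
    needs_redeploy "$recorded" "$tmp/secrets.yaml"    # up-to-date
    # The secret is edited on a workstation; the recorded annotation is stale.
    printf 'db_password: example-v2\n' > "$tmp/secrets.yaml"
    needs_redeploy "$recorded" "$tmp/secrets.yaml"    # redeploy
    checksum_set_arg "$tmp/secrets.yaml"              # argument for helm upgrade
    rm -rf "$tmp"
}

demo
```

In a pipeline this would run after the GKMS file is fetched and decrypted, and the output of checksum_set_arg would be appended to the helm upgrade command; the needs_redeploy check is useful as a guard to skip the upgrade entirely when nothing changed.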