Updating Secret from Pod

I have a scenario where I need to pass some custom encryption keys to the pods created by deployment. All Pods (containers) sharing the same keys but the keys can periodically change. If I have for example 3 replicas of the container, in one of them the keys might change but this change must be updated on other 2 pods. I am using Secret to store the keys and the question is: is there a way to update from a container the secret so it will be available for all pods?

If you update the secret, the change will propagate to all the pods that reference it (See the “Mounted Secrets are updated automatically” section of the guide on using secrets). This does require that your app re-read them after update (io-notify). One other alternative that is commonly done is to hash the secret (or configmap where its more commonly done) and apply the hash as a label or annotation. When you update the secret, the hash will change and it will trigger a redeploy.