defenseunicorns / uds-core

A FOSS secure runtime platform for mission-critical capabilities
https://uds.defenseunicorns.com
GNU Affero General Public License v3.0

Provide automated way of updating pods leveraging generated SSO secrets #354

Open mjnagel opened 7 months ago

mjnagel commented 7 months ago

Is your feature request related to a problem? Please describe.

Currently Grafana and NeuVector in uds-core mount secrets that are generated by pepr. If these secrets were to update due to (for example) a client id change or other field update, the pods mounting them would need to be cycled.

This can be (and as of https://github.com/defenseunicorns/uds-core/pull/351 is being) done using actions to annotate pods with a checksum of the secret. Then on updates, if the secret has changed, the checksum will too, resulting in the pod being cycled.

While this does work, for neuvector specifically, anything on top of uds-core (or even Grafana) would have to build their own bespoke action to handle this.

Describe the solution you'd like

This seems like a viable place to leverage pepr/operator intelligence to auto-cycle things for us (maybe handled the same checksum way, maybe just directly cycled). Two potential paths I can think of:

Describe alternatives you've considered
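The checksum-annotation approach described in this request, as an added example that is not code from the issue, uds-core or pepr: hash the secret's data, compare the hash with the annotation on the Deployment's pod template, and emit a patch only when the secret actually changed, so the Deployment controller rolls the pods. The annotation key prefix and the sample Secret and Deployment objects are constructed for this example.

```python
"""Checksum-based restart trigger for pods that mount a generated secret.

Added example, not code from uds-core or pepr. Hash the secret data, record
the hash as a pod-template annotation, and let the Deployment controller roll
the pods when that annotation changes. The annotation key prefix and the
sample objects below are constructed for this example.
"""
import base64
import hashlib
import json
from typing import Optional

ANNOTATION_PREFIX = "uds.dev/secret-checksum-"  # hypothetical key prefix


def secret_checksum(secret: dict) -> str:
    """SHA-256 over the secret's data, key-sorted so the hash is stable no
    matter which order the API server returns the keys in."""
    data = secret.get("data") or {}
    canon = json.dumps({k: data[k] for k in sorted(data)}, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def rollout_patch(deployment: dict, secret: dict) -> Optional[dict]:
    """Return a strategic-merge patch that stamps the secret's checksum on the
    Deployment's pod template, or None when the pods already match the secret.
    A changed template annotation is what makes the controller replace pods."""
    key = ANNOTATION_PREFIX + secret["metadata"]["name"]
    want = secret_checksum(secret)
    annotations = deployment["spec"]["template"]["metadata"].get("annotations") or {}
    if annotations.get(key) == want:
        return None  # nothing to do: pods were started with this secret
    return {"spec": {"template": {"metadata": {"annotations": {key: want}}}}}


def _b64(value: str) -> str:
    return base64.b64encode(value.encode()).decode()


# Constructed sample objects, shaped like Kubernetes API output.
SSO_SECRET = {
    "metadata": {"name": "sso-client-grafana", "namespace": "grafana"},
    "data": {"clientId": _b64("uds-core-grafana"), "secret": _b64("constructed")},
}
GRAFANA_DEPLOYMENT = {
    "metadata": {"name": "grafana", "namespace": "grafana"},
    "spec": {"template": {"metadata": {"annotations": {}}}},
}

if __name__ == "__main__":
    print(json.dumps(rollout_patch(GRAFANA_DEPLOYMENT, SSO_SECRET), indent=2))
```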

Racer159 commented 2 weeks ago

This is something that SWF is interested in as well - not just for SSO secrets but our config secrets as well (e.g. the one hooking up Postgres or Object Storage) - if UDS Core had a way to watch secrets and run rollout restarts on Pods or checksum and annotate or another mechanism that would be :man_cook: :kiss: