HelmRelease rollout of pod when secret is changed

[DimitarSpiroskiAtPW]

Hello,

I would like to know if Flux offers some way to enforce a rollout of a deployment when a secret which is bound to an env value is updated.

I have 2 repositories. One stores the HelmChart, and the other one is the flux-fleet repository which has the following structure:

apps/
  base/app-one/
      kustomization.yaml
      helm-release.yaml
      git-repo-that-contains-chart.yaml
   prod/
     kustomization.yaml
     secret.yaml
     app-one-values.yaml
 clusters/
    prod/
       flux-system/
       apps.yaml

The secret at apps/prod/secret.yaml is encrypted with sops, and clusters/prod/apps.yaml has the decryption configured for that.

When I update the secret at apps/prod/secret.yaml it will trigger flux to reconcile, and I can see that the helm upgrade is called as some hooks are called. However, there is no rollout for the deployment where this secret is used as an env var ( the old pod remains running ).

From my current understanding there are 2 potential solutions:

1. Use Reloader
2. Inject the secrets in the values.yaml and load them like that ( I would have to modify to Helm chart to not use env vars from secrets but instead literals. https://fluxcd.io/flux/guides/helmreleases/#refer-to-values-in-secret-generated-with-kustomize-and-sops

Is there another option?

I would like to avoid using Reloader just to avoid having one more moving part in the machine.

I am new to k8s, so maybe I'm mistaken, but my understanding is that it is better to use secrets , and to avoid confidential information from going through the values.yaml file like in the second option.

What is the recommended best practice for such scenario?