is there an example laying around showing how to get the hash of a secret that I create with a pulumi resources so I can use it as a label/annotation to roll my pod deployment when it's value is updated?

not with a secret, but something like this? https://github.com/jaxxstorm/pulumi-examples/blob/2519023cd4f22acd564783f6f4445a44dd82df65/typescript/aws/eks-platform/metricbeat/index.ts#L51

Hmm, yeah that gives me an idea thank you

likely you do not want to be putting an unencrypted secret value in your deployment annotation. it defeats the purpose of using the secret. Pulumi will automatically reroll the deployment pods when a secret is updated if it's connected in a certain way. I forget exactly but I think it's if you reference the secret object inside the deployment (e.g. through env var assignment) and the secret doesn't have an explicit name assigned or something like that

@steep-toddler-94095 I would not use a base64 encoded version of the secret in the deployment for those exact concerns.

Oh yeah sorry i misinterpreted your original message!

I wonder if the failure to roll pods is due to using k8s helm release rather than a deployment spec natively in pulumi which limits this behavior