add key vault refresh feature

linglingye001 · linglingye001 · commit 348a44957715 · 2023-08-31T05:54:45.000Z
diff --git a/articles/azure-app-configuration/reference-kubernetes-provider.md b/articles/azure-app-configuration/reference-kubernetes-provider.md
@@ -46,7 +46,7 @@ The `spec.keyValues` has the following child properties. The `spec.keyValues.key
 |selectors|The list of selectors for key-value filtering|false|object array|
 |trimKeyPrefixes|The list of key prefixes to be trimmed|false|string array|
 |keyVaults|The settings for Key Vault references|conditional|object|
-|refresh|The settings for refreshing the key-values in ConfigMap or Secret|false|object|
+|refresh|The settings for refreshing the key-values in ConfigMap|false|object|
 
 If the `spec.keyValues.selectors` property isn't set, all key-values with no label will be downloaded. It contains an array of *selector* objects, which have the following child properties.
 
@@ -61,6 +61,7 @@ The `spec.keyValues.keyVaults` property has the following child properties.
 |---|---|---|---|
 |target|The destination of resolved Key Vault references in Kubernetes|true|object|
 |auth|The authentication method to access Key Vaults|false|object|
+|refresh|The settings for refreshing the data in Secret|false|object|
 
 The `spec.keyValues.keyVaults.target` property has the following child property.
 
@@ -84,12 +85,18 @@ The authentication method of each *vault* can be specified with the following pr
 |managedIdentityClientId|The client ID of a user-assigned managed identity used for authentication with a vault|false|string|
 |servicePrincipalReference|The name of the Kubernetes Secret that contains the credentials of a service principal used for authentication with a vault|false|string|
 
+The `spec.keyValues.keyVaults.refresh` property has the following child property.
+
+|Name|Description|Required|Type|
+|---|---|---|---|
+|interval|The interval for Secret's refresh, must be greater than 1 minute|false|duration string|
+
 The `spec.keyValues.refresh` property has the following child properties.
 
 |Name|Description|Required|Type|
 |---|---|---|---|
 |monitoring|The key-values that are monitored by the provider, provider automatically refreshes the ConfigMap or Secret if value change in any designated key-value|true|object|
-|interval|The interval for refreshing, default value is 30 seconds, must be greater than 1 second|false|duration string|
+|interval|The interval for ConfigMap's refresh, default value is 30 seconds, must be greater than 1 second|true|duration string|
 
 The `spec.keyValues.refresh.monitoring.keyValues` is an array of objects, which have the following child properties.
 
@@ -254,11 +261,12 @@ spec:
             servicePrincipalReference: <name-of-secret-containing-service-principal-credentials>
 ```
 
-### Dynamically refresh ConfigMap and Secret
+### Dynamic configuration
+#### Refresh ConfigMap
 
-Setting the `spec.keyValues.refresh` property enables dynamic configuration data refresh in ConfigMap and Secret by monitoring designated key-values. The provider periodically polls the key-values, if there is any value change, provider triggers ConfigMap and Secret refresh in accordance with the present data in Azure App Configuration.
+Setting the `spec.keyValues.refresh` property enables dynamic configuration data refresh in ConfigMap by monitoring designated key-values. The provider periodically polls the key-values, if there is any value change, provider triggers ConfigMap refresh in accordance with the present data in Azure App Configuration.
 
-The following sample instructs monitoring two key-values with 1 minute polling interval.
+The following sample instructs monitoring two key-values with 1 minute refresh interval.
 
 ``` yaml
 apiVersion: azconfig.io/v1beta1
@@ -283,4 +291,37 @@ spec:
             label: common
           - key: sentinelKey
             label: development
+```
+
+#### Refresh Secret
+Setting `spec.keyValues.keyVaults.refresh` property enables dynamic data refresh in Secret. Any refresh operation triggered by refresh interval will only update the value for a Key Vault secret with latest version. And refresh operation triggered by monitored key-values will make provider poll the key-values, ensuring consistency between Secret's data and Azure App Configuration. 
+
+The following sample instructs monitoring one key-value with different refresh interval for ConfigMap and Secret.
+
+``` yaml
+apiVersion: azconfig.io/v1beta1
+kind: AzureAppConfigurationProvider
+metadata:
+  name: appconfigurationprovider-sample
+spec:
+  endpoint: <your-app-configuration-store-endpoint>
+  target:
+    configMapName: configmap-created-by-appconfig-provider
+  keyValues:
+    selectors:
+      - keyFilter: app1*
+        labelFilter: common
+    refresh:
+      interval: 1m
+      monitoring:
+        keyValues:
+          - key: sentinelKey
+            label: common
+    keyVaults:
+      target:
+        secretName: secret-created-by-appconfig-provider
+      auth:
+        managedIdentityClientId: <your-user-assigned-managed-identity-client-id>
+      refresh:
+        interval: 10m
 ```
