resolve comments

linglingye001 · linglingye001 · commit d3c739a2b921 · 2023-09-21T08:01:20.000Z
diff --git a/articles/azure-app-configuration/reference-kubernetes-provider.md b/articles/azure-app-configuration/reference-kubernetes-provider.md
@@ -90,7 +90,7 @@ The `spec.keyValues.keyVaults` property has the following child properties.
 |---|---|---|---|
 |target|The destination of the retrieved secrets in Kubernetes|true|object|
 |auth|The authentication method to access Key Vaults|false|object|
-|refresh|The settings for refreshing data from Key Vaults. If the property is absent, data from Key Vaults will not be refreshed|false|object|
+|refresh|The settings for refreshing data from Key Vaults. If the property is absent, data from Key Vaults will not be refreshed unless the corresponding Key Vault references are reloaded|false|object|
 
 The `spec.keyValues.keyVaults.target` property has the following child property.
 
@@ -293,9 +293,11 @@ spec:
     trimKeyPrefixes: [prefix1, prefix2]
 ```
 
-### Key Vault references
+### Dynamic configuration refresh
 
-The following sample instructs using a service principal to authenticate with a specific vault and a user-assigned managed identity for all other vaults.
+Setting the `spec.keyValues.refresh` property enables dynamic configuration data refresh in ConfigMap and Secret by monitoring designated key-values. The provider periodically polls the key-values, if there is any value change, provider triggers ConfigMap and Secret refresh in accordance with the present data in Azure App Configuration.
+
+The following sample instructs monitoring two key-values with 1 minute polling interval.
 
 ``` yaml
 apiVersion: azconfig.io/v1beta1
@@ -309,21 +311,22 @@ spec:
   keyValues:
     selectors:
       - keyFilter: app1*
-    keyVaults:
-      target:
-        secretName: secret-created-by-appconfig-provider
-      auth:
-        managedIdentityClientId: <your-user-assigned-managed-identity-client-id>
-        vaults:
-          - uri: <your-key-vault-uri>
-            servicePrincipalReference: <name-of-secret-containing-service-principal-credentials>
+        labelFilter: common
+      - keyFilter: app1*
+        labelFilter: development
+    refresh:
+      interval: 1m
+      monitoring:
+        keyValues:
+          - key: sentinelKey
+            label: common
+          - key: sentinelKey
+            label: development
 ```
 
-### Dynamic configuration refresh
-
-Setting the `spec.keyValues.refresh` property enables dynamic configuration data refresh in ConfigMap and Secret by monitoring designated key-values. The provider periodically polls the key-values, if there is any value change, provider triggers ConfigMap and Secret refresh in accordance with the present data in Azure App Configuration.
+### Key Vault references
 
-The following sample instructs monitoring two key-values with 1 minute polling interval.
+The following sample instructs using a service principal to authenticate with a specific vault and a user-assigned managed identity for all other vaults.
 
 ``` yaml
 apiVersion: azconfig.io/v1beta1
@@ -337,23 +340,21 @@ spec:
   keyValues:
     selectors:
       - keyFilter: app1*
-        labelFilter: common
-      - keyFilter: app1*
-        labelFilter: development
-    refresh:
-      interval: 1m
-      monitoring:
-        keyValues:
-          - key: sentinelKey
-            label: common
-          - key: sentinelKey
-            label: development
+    keyVaults:
+      target:
+        secretName: secret-created-by-appconfig-provider
+      auth:
+        managedIdentityClientId: <your-user-assigned-managed-identity-client-id>
+        vaults:
+          - uri: <your-key-vault-uri>
+            servicePrincipalReference: <name-of-secret-containing-service-principal-credentials>
 ```
 
 ### Periodically reload KeyVault secrets
-Setting `spec.keyValues.keyVaults.refresh` property enables the provider periodically reload the latest version secrets from Azure Key Vault, and update the values for associated data items in generated Kubernetes secret accordingly. 
 
-The following sample instructs secret refresh with 10 minutes reloading interval. 
+Refreshing secrets from Key Vaults usually requires reloading the corresponding Key Vault references from Azure App Configuration. However, with the `spec.keyValues.keyVaults.refresh` property, you can refresh the secrets from Key Vault independently. This is especially useful for ensuring that your workload automatically picks up any updated secrets from Key Vault during secret rotation. Note that to load the latest version of a secret, the Key Vault reference must not be a versioned secret.
+
+The following sample refreshes all non-versioned secrets from Key Vault every hour.
 
 ``` yaml
 apiVersion: azconfig.io/v1beta1
@@ -374,7 +375,7 @@ spec:
       auth:
         managedIdentityClientId: <your-user-assigned-managed-identity-client-id>
       refresh:
-        interval: 10m
+        interval: 1h
 ```
 
 ### Consume ConfigMap
