I encountered the secret update problem too. I have a secret rotation playbook that stops the Docker services stack, removes the secrets, recreates under the same name, and restarts the Docker services stack. The community.docker Ansible module does all the lifting there.
My CI runs as a container in that stack too, so in Jenkins I have an init.d Groovy script to establish Jenkins Credentials from the current Swarm secrets.
My CI runs as a container in that stack too, so in Jenkins I have an init.d Groovy script to establish Jenkins Credentials from the current Swarm secrets.