
Reloader is a Kubernetes controller that automatically triggers rollouts of workloads (like Deployments, StatefulSets, and more) whenever referenced Secrets, ConfigMaps or optionally CSI-mounted secrets are updated.
In a traditional Kubernetes setup, updating a Secret or ConfigMap does not automatically restart or redeploy your workloads. This can lead to stale configurations running in production, especially when dealing with dynamic values like credentials, feature flags, or environment configs.
Reloader bridges that gap by ensuring your workloads stay in sync with configuration changes — automatically and safely.
📚 Full documentation is available at the Stakater documentation site.
```mermaid
flowchart LR
    ExternalSecret -->|Creates| Secret
    SealedSecret -->|Creates| Secret
    Certificate -->|Creates| Secret
    Secret -->|Watched by| Reloader
    ConfigMap -->|Watched by| Reloader
    Reloader -->|Triggers Rollout| Deployment
    Reloader -->|Triggers Rollout| DeploymentConfig
    Reloader -->|Triggers Rollout| Daemonset
    Reloader -->|Triggers Rollout| Statefulset
    Reloader -->|Triggers Rollout| ArgoRollout
    Reloader -->|Triggers Job| CronJob
    Reloader -->|Sends Notification| Slack,Teams,Webhook
```
ExternalSecret, SealedSecret, or Certificate from cert-manager can create or manage Kubernetes Secrets — but they can also be created manually or delivered through GitOps workflows.
Secrets and ConfigMaps are watched by Reloader.
Reloader OSS is free and production-proven with 24B+ downloads.
For teams with stricter requirements:
| Need | Enterprise |
|---|---|
| CVE-free, signed images with SBOM | ✅ |
| SLA-backed support from Kubernetes experts | ✅ |
| Artifact provenance for compliance audits | ✅ |
| Dedicated escalation path | ✅ |
→ Contact Sales for info about Reloader Enterprise.
Follow any of these installation options.
To enable automatic reload for a Deployment:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  annotations:
    reloader.stakater.com/auto: "true"
spec:
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: your-image
          envFrom:
            - configMapRef:
                name: my-config
            - secretRef:
                name: my-secret
```
This tells Reloader to watch the ConfigMap and Secret referenced in this deployment. When either is updated, it will trigger a rollout.
Reloader supports multiple annotation-based controls to let you customize when and how your Kubernetes workloads are reloaded upon changes in Secrets or ConfigMaps.
Kubernetes does not trigger pod restarts when a referenced Secret or ConfigMap is updated. Reloader bridges this gap by watching for changes and automatically performing rollouts — but it gives you full control via annotations, so you can:
search + match)
Use these annotations to automatically restart the workload when referenced Secrets or ConfigMaps change.
| Annotation | Description |
|---|---|
| `reloader.stakater.com/auto: "true"` | Reloads workload when any referenced ConfigMap or Secret changes |
| `secret.reloader.stakater.com/auto: "true"` | Reloads only when referenced Secret(s) change |
| `configmap.reloader.stakater.com/auto: "true"` | Reloads only when referenced ConfigMap(s) change |
These annotations allow you to manually define which ConfigMaps or Secrets should trigger a reload, regardless of whether they're used in the pod spec.
| Annotation | Description |
|---|---|
| `secret.reloader.stakater.com/reload: "my-secret"` | Reloads when specific Secret(s) change, regardless of how they're used |
| `configmap.reloader.stakater.com/reload: "my-config"` | Reloads when specific ConfigMap(s) change, regardless of how they're used |
This pattern allows fine-grained reload control — workloads only restart if the Secret/ConfigMap is both:
match: true
| Annotation | Applies To | Description |
|---|---|---|
| `reloader.stakater.com/search: "true"` | Workload | Enables search mode (only reloads if matching secrets/configMaps are found) |
| `reloader.stakater.com/match: "true"` | ConfigMap/Secret | Marks the config/secret as eligible for reload in search mode |
`reloader.stakater.com/search: "true"`
`reloader.stakater.com/match: "true"`
volumeMount, etc.)
`reloader.stakater.com/match: "true"`.
When you need to prevent specific ConfigMaps or Secrets from triggering any reloads, use the ignore annotation on the resource itself:
```yaml
apiVersion: v1
kind: ConfigMap # or Secret
metadata:
  name: my-config
  annotations:
    reloader.stakater.com/ignore: "true"
```
This instructs Reloader to skip all reload logic for that resource across all workloads.
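A check a reviewer might run over manifests before relying on Reloader for secret rotation: it lists the referenced ConfigMaps and Secrets that would not trigger a reload under the annotation rules above. This is an added example, not code from the Reloader project; the function names and sample manifests are constructed, only `envFrom` references are inspected, and the comma-separated form of the `reload` annotation is an assumption.

```python
# Added example (not Reloader's code): list referenced ConfigMaps/Secrets that will NOT
# trigger a reload under this page's annotation rules; controller flags are not modelled.
P = "reloader.stakater.com/"

def ann(obj, key):
    return (obj or {}).get("metadata", {}).get("annotations", {}).get(key, "")

def references(workload):
    """Yield (kind, name) for envFrom references; other reference styles are omitted."""
    for c in workload["spec"]["template"]["spec"].get("containers", []):
        for src in c.get("envFrom", []):
            if "configMapRef" in src:
                yield "ConfigMap", src["configMapRef"]["name"]
            if "secretRef" in src:
                yield "Secret", src["secretRef"]["name"]

def will_reload(workload, kind, name, resource):
    typed = "secret." if kind == "Secret" else "configmap."
    if ann(resource, P + "ignore") == "true":
        return False, "resource is ignored"
    if "true" in (ann(workload, P + "auto"), ann(workload, typed + P + "auto")):
        return True, "auto"
    # Assumption: the reload annotation may hold a comma-separated list of names.
    if name in [n.strip() for n in ann(workload, typed + P + "reload").split(",")]:
        return True, "named reload"
    if ann(workload, P + "search") == "true":
        matched = ann(resource, P + "match") == "true"
        return matched, "search+match" if matched else "search without match"
    return False, "no reload annotation"

def audit(workload, resources):
    """resources maps (kind, name) to a manifest dict; returns references that will not reload."""
    gaps = []
    for kind, name in references(workload):
        ok, why = will_reload(workload, kind, name, resources.get((kind, name)))
        if not ok:
            gaps.append((kind, name, why))
    return gaps

def deployment(annotations, refs):  # hypothetical helper: builds a constructed Deployment
    env = [{("secretRef" if k == "Secret" else "configMapRef"): {"name": n}} for k, n in refs]
    return {"kind": "Deployment", "metadata": {"name": "my-app", "annotations": annotations},
            "spec": {"template": {"spec": {"containers": [{"name": "app", "envFrom": env}]}}}}

# Constructed sample: search-mode Deployment; only my-config carries the match annotation.
REFS = [("ConfigMap", "my-config"), ("Secret", "my-secret")]
DEPLOY = deployment({P + "search": "true"}, REFS)
RESOURCES = {("ConfigMap", "my-config"): {"metadata": {"annotations": {P + "match": "true"}}},
             ("Secret", "my-secret"): {"metadata": {"annotations": {}}}}
GAPS = audit(DEPLOY, RESOURCES)  # the Secret is referenced but lacks match
```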
Note: The `reloader.stakater.com/rollout-strategy` annotation is only applicable when using Argo Rollouts. It is ignored for standard Kubernetes Deployments, StatefulSets, or DaemonSets. To use this feature, Argo Rollouts support must be enabled in Reloader (for example via `--is-argo-rollouts=true`).
By default, Reloader triggers the Argo Rollout controller to perform a standard rollout by updating the pod template. This works well in most cases. However, because this modifies the workload spec, GitOps tools like ArgoCD will detect this as "Configuration Drift" and mark your application as OutOfSync.
To avoid that, you can switch to the restart strategy, which simply restarts the pod without changing the pod template.
```yaml
metadata:
  annotations:
    reloader.stakater.com/rollout-strategy: "restart"
```
| Value | Behavior |
|---|---|
| `rollout` (default) | Updates pod template metadata to trigger a rollout |
| `restart` | Deletes the pod to restart it without patching the template |
✅ Use restart if:
This setting affects Argo Rollouts behavior, not Argo CD sync settings.
`reloader.stakater.com/auto` and `reloader.stakater.com/search` cannot be used together — the `auto` annotation takes precedence.
`auto` and its typed versions (`secret.reloader.stakater.com/auto`, `configmap.reloader.stakater.com/auto`) are used, only one needs to be true to trigger a reload.
`reloader.stakater.com/auto: "false"` explicitly disables reload for that workload.
`--auto-reload-all` is enabled on the controller:
`auto: "true"` unless they explicitly set it to `"false"`.
`"false"`.
Reloader can optionally send alerts whenever it triggers a rolling upgrade for a workload (e.g., Deployment, StatefulSet, etc.).
These alerts are sent to a configured webhook endpoint, which can be a generic receiver or services like Slack, Microsoft Teams or Google Chat.
To enable this feature, update the reloader.env.secret section in your values.yaml (when installing via Helm):
```yaml
reloader:
  deployment:
    env:
      secret:
        ALERT_ON_RELOAD: "true" # Enable alerting (default: false)
        ALERT_SINK: "slack" # Options: slack, teams, gchat or webhook (default: webhook)
        ALERT_WEBHOOK_URL: "<your-webhook-url>" # Required if ALERT_ON_RELOAD is true
        ALERT_ADDITIONAL_INFO: "Triggered by Reloader in staging environment"
```
This feature allows you to pause rollouts for a deployment for a specified duration, helping to prevent multiple restarts when several ConfigMaps or Secrets are updated in quick succession.
| Annotation | Applies To | Description |
|---|---|---|
| `deployment.reloader.stakater.com/pause-period: "5m"` | Deployment | Pauses reloads for the specified period (e.g., 5m, 1h) |
`deployment.reloader.stakater.com/pause-period` annotation to your Deployment, specifying the pause duration (e.g., "5m" for five minutes).
Reloader supports the Secrets Store CSI Driver, which allows mounting secrets from external secret stores (like AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) directly into pods. Unlike Kubernetes Secret objects, CSI-mounted secrets do not always trigger native Kubernetes update events. Reloader solves this by watching CSI status resources and restarting affected workloads when mounted secret versions change.
When secret rotation is enabled, the Secrets Store CSI Driver updates a Kubernetes resource called: `SecretProviderClassP