MCPcopy Index your code
hub / github.com/stakater/Reloader

github.com/stakater/Reloader @chart-v2.2.14 sqlite

repository ↗ · DeepWiki ↗ · release chart-v2.2.14 ↗
967 symbols 3,374 edges 103 files 583 documented · 60%
README

Reloader

💖 Sponsor Our Work Go Report Card Go Doc Release GitHub tag Docker Pulls GitHub Stars license

🔁 What is Reloader?

Reloader is a Kubernetes controller that automatically triggers rollouts of workloads (like Deployments, StatefulSets, and more) whenever referenced Secrets, ConfigMaps or optionally CSI-mounted secrets are updated.

In a traditional Kubernetes setup, updating a Secret or ConfigMap does not automatically restart or redeploy your workloads. This can lead to stale configurations running in production, especially when dealing with dynamic values like credentials, feature flags, or environment configs.

Reloader bridges that gap by ensuring your workloads stay in sync with configuration changes — automatically and safely.

📚 Full documentation is available at Stakater documentation site

🚀 Why Reloader?

  • Zero manual restarts: No need to manually rollout workloads after config/secret changes.
  • 🔒 Secure by design: Ensure your apps always use the most up-to-date credentials or tokens.
  • 🛠️ Flexible: Works with all major workload types — Deployment, StatefulSet, Daemonset, ArgoRollout, and more.
  • Fast feedback loop: Ideal for CI/CD pipelines where secrets/configs change frequently.
  • 🔄 Out-of-the-box integration: Just label your workloads and let Reloader do the rest.

🔧 How It Works?

flowchart LR
  ExternalSecret -->|Creates| Secret
  SealedSecret -->|Creates| Secret
  Certificate -->|Creates| Secret
  Secret -->|Watched by| Reloader
  ConfigMap -->|Watched by| Reloader

  Reloader -->|Triggers Rollout| Deployment
  Reloader -->|Triggers Rollout| DeploymentConfig
  Reloader -->|Triggers Rollout| Daemonset
  Reloader -->|Triggers Rollout| Statefulset
  Reloader -->|Triggers Rollout| ArgoRollout
  Reloader -->|Triggers Job| CronJob
  Reloader -->|Sends Notification| Slack,Teams,Webhook
  • Sources like ExternalSecret, SealedSecret, or Certificate from cert-manager can create or manage Kubernetes Secrets — but they can also be created manually or delivered through GitOps workflows.
  • Secrets and ConfigMaps are watched by Reloader.
  • When changes are detected, Reloader automatically triggers a rollout of the associated workloads, ensuring your app always runs with the latest configuration.

🏢 Reloader Enterprise

Reloader OSS is free and production-proven with 24B+ downloads.

For teams with stricter requirements:

Need Enterprise
CVE-free, signed images with SBOM
SLA-backed support from Kubernetes experts
Artifact provenance for compliance audits
Dedicated escalation path

Contact Sales for info about Reloader Enterprise.

⚡ Quick Start

1. Install Reloader

Follow any of this installation options.

2. Annotate Your Workload

To enable automatic reload for a Deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
  annotations:
    reloader.stakater.com/auto: "true"
spec:
  template:
    metadata:
      labels:
        app: my-app
    spec:
      containers:
        - name: app
          image: your-image
          envFrom:
            - configMapRef:
                name: my-config
            - secretRef:
                name: my-secret

This tells Reloader to watch the ConfigMap and Secret referenced in this deployment. When either is updated, it will trigger a rollout.

🧩 Usage

Reloader supports multiple annotation-based controls to let you customize when and how your Kubernetes workloads are reloaded upon changes in Secrets or ConfigMaps.

Kubernetes does not trigger pod restarts when a referenced Secret or ConfigMap is updated. Reloader bridges this gap by watching for changes and automatically performing rollouts — but it gives you full control via annotations, so you can:

  • Reload all resources by default
  • Restrict reloads to only Secrets or only ConfigMaps
  • Watch only specific resources
  • Use opt-in via tagging (search + match)
  • Exclude workloads you don’t want to reload

1. 🔁 Automatic Reload (Default)

Use these annotations to automatically restart the workload when referenced Secrets or ConfigMaps change.

Annotation Description
reloader.stakater.com/auto: "true" Reloads workload when any referenced ConfigMap or Secret changes
secret.reloader.stakater.com/auto: "true" Reloads only when referenced Secret(s) change
configmap.reloader.stakater.com/auto: "true" Reloads only when referenced ConfigMap(s) change

2. 📛 Named Resource Reload (Specific Resource Annotations)

These annotations allow you to manually define which ConfigMaps or Secrets should trigger a reload, regardless of whether they're used in the pod spec.

Annotation Description
secret.reloader.stakater.com/reload: "my-secret" Reloads when specific Secret(s) change, regardless of how they're used
configmap.reloader.stakater.com/reload: "my-config" Reloads when specific ConfigMap(s) change, regardless of how they're used

Use when

  1. ✅ This is useful in tightly scoped scenarios where config is shared but reloads are only relevant in certain cases.
  2. ✅ Use this when you know exactly which resource(s) matter and want to avoid auto-discovery or searching altogether.

3. 🎯 Targeted Reload (Match + Search Annotations)

This pattern allows fine-grained reload control — workloads only restart if the Secret/ConfigMap is both:

  1. Referenced by the workload
  2. Explicitly annotated with match: true
Annotation Applies To Description
reloader.stakater.com/search: "true" Workload Enables search mode (only reloads if matching secrets/configMaps are found)
reloader.stakater.com/match: "true" ConfigMap/Secret Marks the config/secret as eligible for reload in search mode

How it works

  1. The workload must have: reloader.stakater.com/search: "true"
  2. The ConfigMap or Secret must have: reloader.stakater.com/match: "true"
  3. The resource (ConfigMap or Secret) must also be referenced in the workload (via env, volumeMount, etc.)

Use when

  1. ✅ You want to reload a workload only if it references a ConfigMap or Secret that has been explicitly tagged with reloader.stakater.com/match: "true".
  2. ✅ Use this when you want full control over which shared or system-wide resources trigger reloads. Great in multi-tenant clusters or shared configs.

⛔ Resource-Level Ignore Annotation

When you need to prevent specific ConfigMaps or Secrets from triggering any reloads, use the ignore annotation on the resource itself:

apiVersion: v1
kind: ConfigMap  # or Secret
metadata:
  name: my-config
  annotations:
    reloader.stakater.com/ignore: "true"

This instructs Reloader to skip all reload logic for that resource across all workloads.

4. ⚙️ Workload-Specific Rollout Strategy (Argo Rollouts Only)

Note: This is only applicable when using Argo Rollouts. It is ignored for standard Kubernetes Deployments, StatefulSets, or DaemonSets. To use this feature, Argo Rollouts support must be enabled in Reloader (for example via --is-argo-rollouts=true).

By default, Reloader triggers the Argo Rollout controller to perform a standard rollout by updating the pod template. This works well in most cases, however, because this modifies the workload spec, GitOps tools like ArgoCD will detect this as "Configuration Drift" and mark your application as OutOfSync.

To avoid that, you can switch to the restart strategy, which simply restarts the pod without changing the pod template.

metadata:
  annotations:
    reloader.stakater.com/rollout-strategy: "restart"
Value Behavior
rollout (default) Updates pod template metadata to trigger a rollout
restart Deletes the pod to restart it without patching the template

✅ Use restart if:

  1. You're using GitOps and want to avoid drift
  2. You want a quick restart without changing the workload spec
  3. Your platform restricts metadata changes

This setting affects Argo Rollouts behavior, not Argo CD sync settings.

5. ❗ Annotation Behavior Rules & Compatibility

  • reloader.stakater.com/auto and reloader.stakater.com/search cannot be used together — the auto annotation takes precedence.
  • If both auto and its typed versions (secret.reloader.stakater.com/auto, configmap.reloader.stakater.com/auto) are used, only one needs to be true to trigger a reload.
  • Setting reloader.stakater.com/auto: "false" explicitly disables reload for that workload.
  • If --auto-reload-all is enabled on the controller:
    • All workloads are treated as if they have auto: "true" unless they explicitly set it to "false".
    • Missing or unrecognized annotation values are treated as "false".

6. 🔔 Alerting on Reload

Reloader can optionally send alerts whenever it triggers a rolling upgrade for a workload (e.g., Deployment, StatefulSet, etc.).

These alerts are sent to a configured webhook endpoint, which can be a generic receiver or services like Slack, Microsoft Teams or Google Chat.

To enable this feature, update the reloader.env.secret section in your values.yaml (when installing via Helm):

reloader:
  deployment:
    env:
      secret:
        ALERT_ON_RELOAD: "true"                    # Enable alerting (default: false)
        ALERT_SINK: "slack"                        # Options: slack, teams, gchat or webhook (default: webhook)
        ALERT_WEBHOOK_URL: "<your-webhook-url>"    # Required if ALERT_ON_RELOAD is true
        ALERT_ADDITIONAL_INFO: "Triggered by Reloader in staging environment"

7. ⏸️ Pause Deployments

This feature allows you to pause rollouts for a deployment for a specified duration, helping to prevent multiple restarts when several ConfigMaps or Secrets are updated in quick succession.

Annotation Applies To Description
deployment.reloader.stakater.com/pause-period: "5m" Deployment Pauses reloads for the specified period (e.g., 5m, 1h)

How it works

  1. Add the deployment.reloader.stakater.com/pause-period annotation to your Deployment, specifying the pause duration (e.g., "5m" for five minutes).
  2. When a watched ConfigMap or Secret changes, Reloader will still trigger a reload event, but if the deployment is paused, the rollout will have no effect until the pause period has elapsed.
  3. This avoids repeated restarts if multiple resources are updated close together.

Use when

  1. ✅ Your deployment references multiple ConfigMaps or Secrets that may be updated at the same time.
  2. ✅ You want to minimize unnecessary rollouts and reduce downtime caused by back-to-back configuration changes.

8. 🔐 CSI Secret Provider Support

Reloader supports the Secrets Store CSI Driver, which allows mounting secrets from external secret stores (like AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) directly into pods. Unlike Kubernetes Secret objects, CSI-mounted secrets do not always trigger native Kubernetes update events. Reloader solves this by watching CSI status resources and restarting affected workloads when mounted secret versions change.

How it works

When secret rotation is enabled, the Secrets Store CSI Driver updates a Kubernetes resource called: `SecretProviderClassP

Extension points exported contracts — how you extend this code

Runner (Interface)
Runner defines the interface for test scenarios. [13 implementers]
test/loadtest/internal/scenarios/scenarios.go
WorkloadAdapter (Interface)
WorkloadAdapter provides a unified interface for all workload types. This allows tests to be parameterized across differ [7 …
test/e2e/utils/workload_adapter.go
ResourceHandler (Interface)
ResourceHandler handles the creation and update of resources [4 implementers]
internal/pkg/handler/handler.go
Pausable (Interface)
Pausable is implemented by workloads that support pause/unpause. Currently only Deployment supports this capability. [1 …
test/e2e/utils/workload_adapter.go
TimedHandler (Interface)
TimedHandler is a handler that tracks when it was enqueued [4 implementers]
internal/pkg/handler/handler.go
Recreatable (Interface)
Recreatable is implemented by workloads that are recreated instead of updated. Currently only Job supports this capabili [1 …
test/e2e/utils/workload_adapter.go
ItemFunc (FuncType)
ItemFunc is a generic function to return a specific resource in given namespace
internal/pkg/callbacks/rolling_upgrade.go
JobTriggerer (Interface)
JobTriggerer is implemented by workloads that trigger jobs on reload. Currently only CronJob supports this capability. [1 …
test/e2e/utils/workload_adapter.go

Core symbols most depended-on inside this repo

Create
called by 121
test/e2e/utils/workload_adapter.go
WaitReady
called by 121
test/e2e/utils/workload_adapter.go
Run
called by 109
test/loadtest/internal/scenarios/scenarios.go
WaitReloaded
called by 107
test/e2e/utils/workload_adapter.go
Get
called by 105
test/e2e/utils/workload_adapter.go
RandName
called by 100
test/e2e/utils/rand.go
CreateConfigMap
called by 90
test/e2e/utils/resources.go
Delete
called by 79
test/e2e/utils/workload_adapter.go

Shape

Function 640
Method 219
Struct 65
FuncType 26
TypeAlias 9
Interface 8

Languages

Go100%

Modules by API surface

internal/pkg/testutil/kube.go76 symbols
test/loadtest/internal/scenarios/scenarios.go74 symbols
internal/pkg/callbacks/rolling_upgrade.go67 symbols
test/e2e/utils/resources.go66 symbols
internal/pkg/callbacks/rolling_upgrade_test.go47 symbols
internal/pkg/handler/upgrade.go31 symbols
test/e2e/utils/workload_adapter.go30 symbols
test/e2e/utils/conditions.go25 symbols
test/loadtest/internal/cmd/report.go22 symbols
internal/pkg/metrics/prometheus.go20 symbols
internal/pkg/handler/handlers_test.go19 symbols
test/loadtest/internal/prometheus/prometheus.go18 symbols

Dependencies from manifests, versioned

4d63.com/gocheckcompilerdirectivesv1.3.0 · 1×
4d63.com/gochecknoglobalsv0.2.2 · 1×
codeberg.org/chavacava/garifv0.2.0 · 1×
codeberg.org/polyfloyd/go-errorlintv1.9.0 · 1×
dev.gaijin.team/go/exhaustruct/v4v4.0.0 · 1×
dev.gaijin.team/go/golibv0.6.0 · 1×
github.com/4meepo/tagalignv1.4.3 · 1×
github.com/Abirdcfly/dupwordv0.1.7 · 1×
github.com/AdminBenni/iota-mixingv1.0.0 · 1×
github.com/AlwxSin/noinlineerrv1.0.5 · 1×
github.com/Antonboom/errnamev1.1.1 · 1×
github.com/Antonboom/nilnilv1.1.1 · 1×

For agents

$ claude mcp add Reloader \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact