Reloader is a tool that triggers Kubernetes manifest updates based on events from different sources: With it, you can trigger manifest changes in multiple destinations: And many more to come!

Installing Reloader

Install a manifest bundle

Configure Reloading Deployments on Secret Changes

cat << EOF | kubectl apply -f -
apiVersion: reloader.external-secrets.io/v1alpha1
## Config is a Cluster Scoped resource for reloader configuration
kind: Config
metadata:
  name: reloader-sample
  labels:
    app.kubernetes.io/name: reloader
spec:
  notificationSources:
    - type: KubernetesSecret
      kubernetesSecret:
        ## Watch secrets internal to the cluster
        serverURL: https://kubernetes.default.svc
  destinationsToWatch:
    - type: Deployment
      deployment:
        labelSelectors:
          matchLabels: {}
EOF

Testing it out

Let’s first create two deployments and a Secret:
cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: one
  name: one
spec:
  replicas: 1
  selector:
    matchLabels:
      app: one
  template:
    metadata:
      labels:
        app: one
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 3600
        env:
        - name: TEST
          valueFrom:
            secretKeyRef:
              key: token
              name: test
        image: ubuntu
        imagePullPolicy: Always
        name: ubuntu
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: two
  name: two
spec:
  replicas: 1
  selector:
    matchLabels:
      app: two
  template:
    metadata:
      labels:
        app: two
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 3600
        env:
        - name: TEST
          valueFrom:
            secretKeyRef:
              key: token
              name: test
        image: ubuntu
        imagePullPolicy: Always
        name: ubuntu
---
apiVersion: v1
kind: Secret
metadata:
  name: test
data:
  token: dGhpcy1pcy1hLXRva2Vu # this-is-a-token
EOF
Now, let’s rotate the secret value:
kubectl patch secret test -p '{"data":{"token":"bmV3LXRva2VuLXZhbHVl"}}'
Now watch deployments get restarted in sequence and enjoy!!
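
A scripted version of the rotation above with a verification step, as an added example that is not part of the Reloader project. The function names are hypothetical, and it assumes the `test` Secret and the `one` and `two` Deployments from this page exist in the current namespace. The value is encoded with `printf` so no trailing newline ends up in the secret, and the check compares the pod's `TEST` variable without printing it.

```shell
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not part of Reloader.

# Build the JSON patch for one Secret key from a plaintext value.
# printf '%s' avoids the trailing newline that `echo` would bake into the secret.
secret_patch_json() {
  local key="$1" value="$2" b64
  # Secret data keys may only contain alphanumerics, '-', '_' and '.'.
  case "$key" in
    ''|*[!A-Za-z0-9._-]*) echo "invalid secret key: $key" >&2; return 1 ;;
  esac
  # tr strips the line wrapping that some base64 implementations add.
  b64=$(printf '%s' "$value" | base64 | tr -d '\n')
  printf '{"data":{"%s":"%s"}}' "$key" "$b64"
}

# Patch secret/test, then confirm every listed Deployment picked up the new value.
rotate_and_verify() {
  local key="$1" value="$2" d tries
  shift 2
  kubectl patch secret test -p "$(secret_patch_json "$key" "$value")" || return 1
  for d in "$@"; do
    tries=0
    # Poll: the restart is asynchronous, so early checks may still hit an old pod.
    until [ "$(kubectl exec "deploy/$d" -- printenv TEST 2>/dev/null)" = "$value" ]; do
      tries=$((tries + 1))
      [ "$tries" -lt 24 ] || { echo "$d: still running with the old value" >&2; return 1; }
      sleep 5
    done
    # Wait for the rollout to finish before moving to the next Deployment.
    kubectl rollout status "deployment/$d" --timeout=120s || return 1
  done
}

# Usage against the test setup from this page:
#   rotate_and_verify token new-token-value one two
```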

Other notes

Install with Helm Chart

Note: The helm chart below is an example for the community to use as a baseline. It isn’t part of our release and should not be considered ready for production use.
The Reloader repository contains a sample Helm chart to help you install it with different tooling. To use it, run:
git clone https://github.com/external-secrets-inc/reloader
helm install reloader -n reloader --create-namespace ./examples/helm-chart/reloader

Next Steps

  • Choose a notification source that will trigger secret rotations for you
  • Configure the notification source and get your secrets rotating
  • Configure the destination you want to use
  • Make your rotation event driven!

Support

For any bugs or feature requests, you can go to GitHub. If you need support for your specific use case, contact us via Slack or book a call.