Quickstart
Reloader is a tool that triggers Kubernetes manifest updates based on events from different sources:
- GCP Pubsub
- AWS SQS
- Azure EventGrid
- Hashicorp Vault audit Logs
- Generic Webhook
- TCP Socket
- Kubernetes Secret
- Kubernetes ConfigMap
With it, it is possible to trigger manifest changes to multiple destinations:
Installing Reloader
Install a manifest bundle
Install the manifest in your desired cluster with kubectl apply:
```bash
# Replace the placeholder with a released version tag
VERSION=<reloader_version>
curl -L "https://github.com/external-secrets/reloader/releases/download/$VERSION/bundle.yaml" | kubectl apply -f -
```
Configure Reloading Deployments on Secret Changes
```bash
cat << EOF | kubectl apply -f -
apiVersion: reloader.external-secrets.io/v1alpha1
## Config is a Cluster Scoped resource for reloader configuration
kind: Config
metadata:
  name: reloader-sample
  labels:
    app.kubernetes.io/name: reloader
spec:
  notificationSources:
    - type: KubernetesSecret
      kubernetesSecret:
        ## Watch secrets internal to the cluster
        serverURL: https://kubernetes.default.svc
  destinationsToWatch:
    - type: Deployment
      deployment:
        labelSelectors:
          matchLabels: {}
EOF
```
Testing it out
Let's first create two deployments and a Secret:
```bash
cat << EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: one
  name: one
spec:
  replicas: 1
  selector:
    matchLabels:
      app: one
  template:
    metadata:
      labels:
        app: one
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 3600
        env:
        - name: TEST
          valueFrom:
            secretKeyRef:
              key: token
              name: test
        image: ubuntu
        imagePullPolicy: Always
        name: ubuntu
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: two
  name: two
spec:
  replicas: 1
  selector:
    matchLabels:
      app: two
  template:
    metadata:
      labels:
        app: two
    spec:
      containers:
      - command:
        - sh
        - -c
        - sleep 3600
        env:
        - name: TEST
          valueFrom:
            secretKeyRef:
              key: token
              name: test
        image: ubuntu
        imagePullPolicy: Always
        name: ubuntu
---
apiVersion: v1
kind: Secret
metadata:
  name: test
data:
  token: dGhpcy1pcy1hLXRva2Vu # this-is-a-token
EOF
```
Now, let's rotate the secret value:
```bash
kubectl patch secret test -p '{"data":{"token":"bmV3LXRva2VuLXZhbHVl"}}'
```
Now watch deployments get restarted in sequence and enjoy!!
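Environment variables populated through secretKeyRef are read only when a container starts, so the rotation has taken effect only once the new pods are running. The following check is an added example, not part of the Reloader project: it compares the env var inside each Deployment's pod with the current Secret value without printing either, and it assumes the quickstart's names (Deployments one and two, Secret test, key token, env var TEST) and the current kubectl context and namespace.

```shell
#!/usr/bin/env bash
# Added example: confirm that restarted pods carry the rotated Secret value.
# Values are compared in variables and never echoed.

# Decoded value of one key of a Secret; fails if the Secret cannot be read.
secret_value() {  # secret_value <secret> <key>
  local enc
  enc=$(kubectl get secret "$1" -o "jsonpath={.data.$2}") || return 1
  printf '%s' "$enc" | base64 -d
}

# Value of an env var inside a running pod of the Deployment.
pod_env_value() {  # pod_env_value <deployment> <envvar>
  kubectl exec "deployment/$1" -- printenv "$2"
}

# 0 = pod env matches the Secret, 1 = pod still has a stale value, 2 = lookup failed.
in_sync() {  # in_sync <deployment> <secret> <key> <envvar>
  local want have
  want=$(secret_value "$2" "$3") || return 2
  have=$(pod_env_value "$1" "$4") || return 2
  [ "$want" = "$have" ]
}

# Wait for each rollout to finish, then report per Deployment.
# Returns non-zero if any Deployment is stale or could not be checked.
check_rotation() {  # check_rotation <secret> <key> <envvar> <deployment>...
  local secret=$1 key=$2 envvar=$3 bad=0 rc d
  shift 3
  for d in "$@"; do
    kubectl rollout status "deployment/$d" --timeout=120s >/dev/null ||
      { echo "$d: rollout not finished"; bad=1; continue; }
    in_sync "$d" "$secret" "$key" "$envvar" && rc=0 || rc=$?
    case $rc in
      0) echo "$d: in sync" ;;
      1) echo "$d: STALE, still running with the old value"; bad=1 ;;
      *) echo "$d: could not check"; bad=1 ;;
    esac
  done
  return "$bad"
}

# Usage against the quickstart objects:
#   check_rotation test token TEST one two
```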
Other notes
Install with Helm Chart
Note
The helm chart below is an example for the community to use as a baseline. It isn't part of our release and should not be considered ready for production use.
The Reloader repository contains a sample Helm chart to help you install it with different tooling. To use it, run:
```bash
git clone https://github.com/external-secrets/reloader
# The chart path below is relative to the cloned repository
cd reloader
helm install reloader -n reloader --create-namespace ./examples/helm-chart/reloader
```
Next Steps
- Choose a notification source that will trigger secret rotations for you
- Configure the notification source and get your secrets rotating
- Configure the destination you want to use
- Make your rotation event driven!
Support
For any bugs or feature requests, you can go to GitHub.
If you need support for your specific use case, contact us via Slack.