Merge pull request #1039 from stakater/helm/release-2.2.4

Bump chart

.github/workflows/init-branch-release.yaml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -57,7 +57,7 @@ jobs:
           git diff
 
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v7.0.6
+        uses: peter-evans/create-pull-request@v7.0.8
         with:
           commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
           title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"

.github/workflows/pull_request-helm.yaml

@@ -26,7 +26,7 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         ref: ${{github.event.pull_request.head.sha}}
         fetch-depth: 0
@@ -55,7 +55,7 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         ref: ${{github.event.pull_request.head.sha}}
         fetch-depth: 0

.github/workflows/pull_request.yaml

@@ -25,7 +25,7 @@ env:
 
 jobs:
   qa:
-    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.131
+    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.163
     with:
       MD_CONFIG: .github/md_config.json
       DOC_SRC: README.md
@@ -40,7 +40,7 @@ jobs:
     name: Build
     steps:
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         ref: ${{github.event.pull_request.head.sha}}
         fetch-depth: 0
@@ -57,7 +57,7 @@ jobs:
         charts: deployments/kubernetes/chart/reloader
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version-file: 'go.mod'
         check-latest: true

.github/workflows/pull_request_docs.yaml

@@ -16,13 +16,13 @@ on:
 
 jobs:
   qa:
-    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.134
+    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.163
     with:
       MD_CONFIG: .github/md_config.json
       DOC_SRC: docs
       MD_LINT_CONFIG: .markdownlint.yaml
   build:
-    uses: stakater/.github/.github/workflows/pull_request_container_build.yaml@v0.0.134
+    uses: stakater/.github/.github/workflows/pull_request_container_build.yaml@v0.0.163
     with:
       DOCKER_FILE_PATH: Dockerfile-docs
       CONTAINER_REGISTRY_URL: ghcr.io/stakater

.github/workflows/push-helm-chart.yaml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.PUBLISH_TOKEN }}
           fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -73,7 +73,7 @@ jobs:
           exit 1
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.8.2
+        uses: sigstore/cosign-installer@v4.0.0
 
       - name: Login to GHCR Registry
         uses: docker/login-action@v3
@@ -106,7 +106,7 @@ jobs:
           commit_email: stakater@gmail.com
 
       - name: Push new chart tag
-        uses: anothrNick/github-tag-action@1.71.0
+        uses: anothrNick/github-tag-action@1.75.0
         env:
           GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
           WITH_V: false

.github/workflows/push-pr-image.yaml

@@ -30,13 +30,13 @@ jobs:
     if: ${{ github.event.label.name == 'build-and-push-pr-image' }}
     steps:
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         ref: ${{github.event.pull_request.head.sha}}
         fetch-depth: 0
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version-file: 'go.mod'
         check-latest: true

.github/workflows/push.yaml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.PUBLISH_TOKEN }}
           fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -42,7 +42,7 @@ jobs:
           version: v3.11.3
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           check-latest: true
@@ -215,7 +215,7 @@ jobs:
             org.opencontainers.image.revision=${{ github.sha }}
 
       - name: Push Latest Tag
-        uses: anothrNick/github-tag-action@1.71.0
+        uses: anothrNick/github-tag-action@1.75.0
         env:
           GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
           WITH_V: false

.github/workflows/release-helm-chart.yaml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/release.yaml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.PUBLISH_TOKEN }}
           fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -37,7 +37,7 @@ jobs:
           version: v3.11.3
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           check-latest: true

.vale.ini

@@ -1,7 +1,7 @@
 StylesPath = styles
 MinAlertLevel = warning
 
-Packages = https://github.com/stakater/vale-package/releases/download/v0.0.77/Stakater.zip
+Packages = https://github.com/stakater/vale-package/releases/download/v0.0.87/Stakater.zip
 Vocab = Stakater
 
 # Only check MarkDown files

CODE_OF_CONDUCT.md

@@ -1,3 +1,3 @@
 # Code of Conduct
 
-Reloader follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+Reloader follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).

Dockerfile

@@ -2,7 +2,7 @@ ARG BUILDER_IMAGE
 ARG BASE_IMAGE
 
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE:-golang:1.24.4} AS builder
+FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE:-golang:1.24.9} AS builder
 
 ARG TARGETOS
 ARG TARGETARCH

Dockerfile-docs

@@ -17,7 +17,7 @@ RUN python theme_common/scripts/combine_mkdocs_config_yaml.py theme_common/mkdoc
 # build the docs
 RUN mkdocs build
 
-FROM nginxinc/nginx-unprivileged:1.27-alpine as deploy
+FROM nginxinc/nginx-unprivileged:1.29-alpine as deploy
 COPY --from=builder $HOME/application/site/ /usr/share/nginx/html/reloader/
 COPY docs-nginx.conf /etc/nginx/conf.d/default.conf
 

README.md

@@ -329,13 +329,30 @@ Reloader supports multiple strategies for triggering rolling updates when a watc
 |------|-------------|
 | `--resources-to-ignore=configmaps` | Ignore ConfigMaps (only one type can be ignored at a time) |
 | `--resources-to-ignore=secrets` | Ignore Secrets (cannot combine with configMaps) |
+| `--ignored-workload-types=jobs,cronjobs` | Ignore specific workload types from reload monitoring |
 | `--resource-label-selector=key=value` | Only watch ConfigMaps/Secrets with matching labels |
 
-> **⚠️ Note:**  
-> Only **one** resource type can be ignored at a time.  
-> Trying to ignore **both `configmaps` and `secrets`** will cause an error in Reloader.  
+> **⚠️ Note:**
+>
+> Only **one** resource type can be ignored at a time.
+> Trying to ignore **both `configmaps` and `secrets`** will cause an error in Reloader.
 > ✅ **Workaround:** Scale the Reloader deployment to `0` replicas if you want to disable it completely.
 
+**💡 Workload Type Examples:**
+
+```bash
+# Ignore only Jobs
+--ignored-workload-types=jobs
+
+# Ignore only CronJobs
+--ignored-workload-types=cronjobs
+
+# Ignore both (comma-separated)
+--ignored-workload-types=jobs,cronjobs
+```
+
+> **🔧 Use Case:** Ignoring workload types is useful when you don't want certain types of workloads to be automatically reloaded.
+
 #### 3. 🧩 Namespace Filtering
 
 | Flag | Description |

VERSION

@@ -1 +1 @@
-1.1.0
+1.4.9

deployments/kubernetes/chart/reloader/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 name: reloader
 description: Reloader chart that runs on kubernetes
-version: 2.2.2
-appVersion: v1.4.7
+version: 2.2.4
+appVersion: v1.4.9
 keywords:
   - Reloader
   - kubernetes

deployments/kubernetes/chart/reloader/README.md

@@ -15,6 +15,8 @@ helm install stakater/reloader # For helm3 add --generate-name flag or set the r
 helm install {{RELEASE_NAME}} stakater/reloader -n {{NAMESPACE}} --set reloader.watchGlobally=false # By default, Reloader watches in all namespaces. To watch in single namespace, set watchGlobally=false
 
 helm install stakater/reloader --set reloader.watchGlobally=false --namespace test --generate-name # Install Reloader in `test` namespace which will only watch `Deployments`, `Daemonsets` `Statefulsets` and `Rollouts` in `test` namespace.
+
+helm install stakater/reloader --set reloader.ignoreJobs=true --set reloader.ignoreCronJobs=true --generate-name # Install Reloader ignoring Jobs and CronJobs from reload monitoring
 ```
 
 ## Uninstalling
@@ -48,6 +50,8 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 | `reloader.isOpenshift`              | Enable OpenShift DeploymentConfigs. Valid value are either `true` or `false`                                                                        | boolean     | `false`   |
 | `reloader.ignoreSecrets`            | To ignore secrets. Valid value are either `true` or `false`. Either `ignoreSecrets` or `ignoreConfigMaps` can be ignored, not both at the same time | boolean     | `false`   |
 | `reloader.ignoreConfigMaps`         | To ignore configmaps. Valid value are either `true` or `false`                                                                                      | boolean     | `false`   |
+| `reloader.ignoreJobs`               | To ignore jobs from reload monitoring. Valid value are either `true` or `false`. Translates to `--ignored-workload-types=jobs`                      | boolean     | `false`   |
+| `reloader.ignoreCronJobs`           | To ignore CronJobs from reload monitoring. Valid value are either `true` or `false`. Translates to `--ignored-workload-types=cronjobs`               | boolean     | `false`   |
 | `reloader.reloadOnCreate`           | Enable reload on create events. Valid value are either `true` or `false`                                                                            | boolean     | `false`   |
 | `reloader.reloadOnDelete`           | Enable reload on delete events. Valid value are either `true` or `false`                                                                            | boolean     | `false`   |
 | `reloader.syncAfterRestart`         | Enable sync after Reloader restarts for **Add** events, works only when reloadOnCreate is `true`. Valid value are either `true` or `false`          | boolean     | `false`   |
@@ -59,7 +63,7 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 | `reloader.watchGlobally`            | Allow Reloader to watch in all namespaces (`true`) or just in a single namespace (`false`)                                                          | boolean     | `true`    |
 | `reloader.enableHA`                 | Enable leadership election allowing you to run multiple replicas                                                                                    | boolean     | `false`   |
 | `reloader.enablePProf`              | Enables pprof for profiling | boolean | `false` |
-| `reloader.pprofAddr` | Address to start pprof server on | string | `:6060` | 
+| `reloader.pprofAddr` | Address to start pprof server on | string | `:6060` |
 | `reloader.readOnlyRootFileSystem`   | Enforce readOnlyRootFilesystem                                                                                                                      | boolean     | `false`   |
 | `reloader.legacy.rbac`              |                                                                                                                                                     | boolean     | `false`   |
 | `reloader.matchLabels`              | Pod labels to match                                                                                                                                 | map         | `{}`      |
@@ -116,6 +120,10 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 - Only one of these resources can be ignored at a time:
   - `ignoreConfigMaps` **or** `ignoreSecrets`
   - Trying to ignore both will cause Helm template compilation errors
+- The `ignoreJobs` and `ignoreCronJobs` flags can be used together or individually
+  - When both are enabled, translates to `--ignored-workload-types=jobs,cronjobs`
+  - When used individually, translates to `--ignored-workload-types=jobs` or `--ignored-workload-types=cronjobs`
+  - These flags prevent Reloader from monitoring and reloading the specified workload types
 
 ### Special Integrations
 - OpenShift (`DeploymentConfig`) and Argo Rollouts support must be **explicitly enabled**

deployments/kubernetes/chart/reloader/templates/deployment.yaml

@@ -155,7 +155,7 @@ spec:
 
         - name: RELOADER_DEPLOYMENT_NAME
           value: {{ template "reloader-fullname" . }}
-          
+
       {{- if .Values.reloader.enableHA }}
         - name: POD_NAME
           valueFrom:
@@ -210,7 +210,7 @@ spec:
           {{- . | toYaml | nindent 10 }}
           {{- end }}
       {{- end }}
-      {{- if or (.Values.reloader.logFormat) (.Values.reloader.logLevel) (.Values.reloader.ignoreSecrets) (.Values.reloader.ignoreNamespaces) (include "reloader-namespaceSelector" .) (.Values.reloader.resourceLabelSelector) (.Values.reloader.ignoreConfigMaps) (.Values.reloader.custom_annotations) (eq .Values.reloader.isArgoRollouts true) (eq .Values.reloader.reloadOnCreate true) (eq .Values.reloader.reloadOnDelete true) (ne .Values.reloader.reloadStrategy "default") (.Values.reloader.enableHA) (.Values.reloader.autoReloadAll)}}
+      {{- if or (.Values.reloader.logFormat) (.Values.reloader.logLevel) (.Values.reloader.ignoreSecrets) (.Values.reloader.ignoreNamespaces) (include "reloader-namespaceSelector" .) (.Values.reloader.resourceLabelSelector) (.Values.reloader.ignoreConfigMaps) (.Values.reloader.custom_annotations) (eq .Values.reloader.isArgoRollouts true) (eq .Values.reloader.reloadOnCreate true) (eq .Values.reloader.reloadOnDelete true) (ne .Values.reloader.reloadStrategy "default") (.Values.reloader.enableHA) (.Values.reloader.autoReloadAll) (.Values.reloader.ignoreJobs) (.Values.reloader.ignoreCronJobs)}}
         args:
           {{- if .Values.reloader.logFormat }}
           - "--log-format={{ .Values.reloader.logFormat }}"
@@ -224,6 +224,13 @@ spec:
           {{- if .Values.reloader.ignoreConfigMaps }}
           - "--resources-to-ignore=configMaps"
           {{- end }}
+          {{- if and (.Values.reloader.ignoreJobs) (.Values.reloader.ignoreCronJobs) }}
+          - "--ignored-workload-types=jobs,cronjobs"
+          {{- else if .Values.reloader.ignoreJobs }}
+          - "--ignored-workload-types=jobs"
+          {{- else if .Values.reloader.ignoreCronJobs }}
+          - "--ignored-workload-types=cronjobs"
+          {{- end }}
           {{- if .Values.reloader.ignoreNamespaces }}
           - "--namespaces-to-ignore={{ .Values.reloader.ignoreNamespaces }}"
           {{- end }}

deployments/kubernetes/chart/reloader/tests/deployment_test.yaml

@@ -61,3 +61,44 @@ tests:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
+
+  - it: sets ignored-workload-types argument when ignoreJobs is true
+    set:
+      reloader:
+        ignoreJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs"
+
+  - it: sets ignored-workload-types argument when ignoreCronJobs is true
+    set:
+      reloader:
+        ignoreCronJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=cronjobs"
+
+  - it: sets ignored-workload-types argument when both ignoreJobs and ignoreCronJobs are true
+    set:
+      reloader:
+        ignoreJobs: true
+        ignoreCronJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs,cronjobs"
+
+  - it: does not set ignored-workload-types argument when both ignoreJobs and ignoreCronJobs are false
+    set:
+      reloader:
+        ignoreJobs: false
+        ignoreCronJobs: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs"
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=cronjobs"

deployments/kubernetes/chart/reloader/values.yaml

@@ -17,7 +17,7 @@ fullnameOverride: ""
 image:
   name: stakater/reloader
   repository: ghcr.io/stakater/reloader
-  tag: v1.4.7
+  tag: v1.4.9
   # digest: sha256:1234567
   pullPolicy: IfNotPresent
 
@@ -27,7 +27,11 @@ reloader:
   isOpenshift: false
   ignoreSecrets: false
   ignoreConfigMaps: false
+  # Set to true to exclude Job workloads from automatic reload monitoring
+  # Useful when you don't want Jobs to be restarted when their referenced ConfigMaps/Secrets change
   ignoreJobs: false
+  # Set to true to exclude CronJob workloads from automatic reload monitoring
+  # Useful when you don't want CronJobs to be restarted when their referenced ConfigMaps/Secrets change
   ignoreCronJobs: false
   reloadOnCreate: false
   reloadOnDelete: false
@@ -84,7 +88,7 @@ reloader:
     #           - key: "node-role.kubernetes.io/infra-worker"
     #             operator: "Exists"
     affinity: {}
-    
+
     volumeMounts: []
     volumes: []
 
@@ -126,7 +130,7 @@ reloader:
     labels:
       provider: stakater
       group: com.stakater.platform
-      version: v1.4.7
+      version: v1.4.9
     # Support for extra environment variables.
     env:
       # Open supports Key value pair as environment variables.

deployments/kubernetes/manifests/deployment.yaml

@@ -17,7 +17,7 @@ spec:
         app: reloader-reloader
     spec:
       containers:
-        - image: "ghcr.io/stakater/reloader:v1.1.0"
+        - image: "ghcr.io/stakater/reloader:v1.4.9"
           imagePullPolicy: IfNotPresent
           name: reloader-reloader
           env:

deployments/kubernetes/reloader.yaml

@@ -141,7 +141,7 @@ spec:
               fieldPath: metadata.namespace
         - name: RELOADER_DEPLOYMENT_NAME
           value: reloader-reloader
-        image: ghcr.io/stakater/reloader:latest
+        image: ghcr.io/stakater/reloader:v1.4.9
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 5

go.mod

@@ -1,6 +1,6 @@
 module github.com/stakater/Reloader
 
-go 1.24.4
+go 1.24.9
 
 require (
 	github.com/argoproj/argo-rollouts v1.8.2
@@ -9,13 +9,13 @@ require (
 	github.com/parnurzeal/gorequest v0.3.0
 	github.com/prometheus/client_golang v1.22.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.9.1
+	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.10.0
 	k8s.io/api v0.32.3
 	k8s.io/apimachinery v0.32.3
 	k8s.io/client-go v0.32.3
 	k8s.io/kubectl v0.32.3
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
@@ -50,7 +50,7 @@ require (
 	github.com/prometheus/common v0.63.0 // indirect
 	github.com/prometheus/procfs v0.16.0 // indirect
 	github.com/smartystreets/goconvey v1.7.2 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/net v0.39.0 // indirect
 	golang.org/x/oauth2 v0.29.0 // indirect

go.sum

@@ -106,8 +106,12 @@ github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hg
 github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
 github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -185,8 +189,8 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/kubectl v0.32.3 h1:VMi584rbboso+yjfv0d8uBHwwxbC438LKq+dXd5tOAI=
 k8s.io/kubectl v0.32.3/go.mod h1:6Euv2aso5GKzo/UVMacV6C7miuyevpfI91SvBvV9Zdg=
-k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro=
-k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=

internal/pkg/handler/upgrade.go

@@ -172,18 +172,34 @@ func sendWebhook(url string) (string, []error) {
 func doRollingUpgrade(config common.Config, collectors metrics.Collectors, recorder record.EventRecorder, invoke invokeStrategy) error {
 	clients := kube.GetClients()
 
-	err := rollingUpgrade(clients, config, GetDeploymentRollingUpgradeFuncs(), collectors, recorder, invoke)
+	// Get ignored workload types to avoid listing resources without RBAC permissions
+	ignoredWorkloadTypes, err := util.GetIgnoredWorkloadTypesList()
+	if err != nil {
+		logrus.Errorf("Failed to parse ignored workload types: %v", err)
+		ignoredWorkloadTypes = util.List{} // Continue with empty list if parsing fails
+	}
+
+	err = rollingUpgrade(clients, config, GetDeploymentRollingUpgradeFuncs(), collectors, recorder, invoke)
 	if err != nil {
 		return err
 	}
-	err = rollingUpgrade(clients, config, GetCronJobCreateJobFuncs(), collectors, recorder, invoke)
-	if err != nil {
-		return err
+
+	// Only process CronJobs if they are not ignored
+	if !ignoredWorkloadTypes.Contains("cronjobs") {
+		err = rollingUpgrade(clients, config, GetCronJobCreateJobFuncs(), collectors, recorder, invoke)
+		if err != nil {
+			return err
+		}
 	}
-	err = rollingUpgrade(clients, config, GetJobCreateJobFuncs(), collectors, recorder, invoke)
-	if err != nil {
-		return err
+
+	// Only process Jobs if they are not ignored
+	if !ignoredWorkloadTypes.Contains("jobs") {
+		err = rollingUpgrade(clients, config, GetJobCreateJobFuncs(), collectors, recorder, invoke)
+		if err != nil {
+			return err
+		}
 	}
+
 	err = rollingUpgrade(clients, config, GetDaemonSetRollingUpgradeFuncs(), collectors, recorder, invoke)
 	if err != nil {
 		return err

internal/pkg/options/flags.go

@@ -65,6 +65,8 @@ var (
 	WebhookUrl = ""
 	// ResourcesToIgnore is a list of resources to ignore when watching for changes
 	ResourcesToIgnore = []string{}
+	// WorkloadTypesToIgnore is a list of workload types to ignore when watching for changes
+	WorkloadTypesToIgnore = []string{}
 	// NamespacesToIgnore is a list of namespace names to ignore when watching for changes
 	NamespacesToIgnore = []string{}
 	// NamespaceSelectors is a list of namespace selectors to watch for changes

internal/pkg/util/util.go

@@ -83,6 +83,7 @@ func ConfigureReloaderFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVar(&options.LogLevel, "log-level", "info", "Log level to use (trace, debug, info, warning, error, fatal and panic)")
 	cmd.PersistentFlags().StringVar(&options.WebhookUrl, "webhook-url", "", "webhook to trigger instead of performing a reload")
 	cmd.PersistentFlags().StringSliceVar(&options.ResourcesToIgnore, "resources-to-ignore", options.ResourcesToIgnore, "list of resources to ignore (valid options 'configMaps' or 'secrets')")
+	cmd.PersistentFlags().StringSliceVar(&options.WorkloadTypesToIgnore, "ignored-workload-types", options.WorkloadTypesToIgnore, "list of workload types to ignore (valid options: 'jobs', 'cronjobs', or both)")
 	cmd.PersistentFlags().StringSliceVar(&options.NamespacesToIgnore, "namespaces-to-ignore", options.NamespacesToIgnore, "list of namespaces to ignore")
 	cmd.PersistentFlags().StringSliceVar(&options.NamespaceSelectors, "namespace-selector", options.NamespaceSelectors, "list of key:value labels to filter on for namespaces")
 	cmd.PersistentFlags().StringSliceVar(&options.ResourceSelectors, "resource-label-selector", options.ResourceSelectors, "list of key:value labels to filter on for configmaps and secrets")
@@ -112,3 +113,16 @@ func GetIgnoredResourcesList() (List, error) {
 
 	return ignoredResourcesList, nil
 }
+
+func GetIgnoredWorkloadTypesList() (List, error) {
+
+	ignoredWorkloadTypesList := options.WorkloadTypesToIgnore
+
+	for _, v := range ignoredWorkloadTypesList {
+		if v != "jobs" && v != "cronjobs" {
+			return nil, fmt.Errorf("'ignored-workload-types' accepts 'jobs', 'cronjobs', or both, not '%s'", v)
+		}
+	}
+
+	return ignoredWorkloadTypesList, nil
+}

internal/pkg/util/util_test.go

@@ -3,6 +3,7 @@ package util
 import (
 	"testing"
 
+	"github.com/stakater/Reloader/internal/pkg/options"
 	v1 "k8s.io/api/core/v1"
 )
 
@@ -45,3 +46,141 @@ func TestGetHashFromConfigMap(t *testing.T) {
 		}
 	}
 }
+
+func TestGetIgnoredWorkloadTypesList(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name          string
+		workloadTypes []string
+		expectError   bool
+		expected      []string
+	}{
+		{
+			name:          "Both jobs and cronjobs",
+			workloadTypes: []string{"jobs", "cronjobs"},
+			expectError:   false,
+			expected:      []string{"jobs", "cronjobs"},
+		},
+		{
+			name:          "Only jobs",
+			workloadTypes: []string{"jobs"},
+			expectError:   false,
+			expected:      []string{"jobs"},
+		},
+		{
+			name:          "Only cronjobs",
+			workloadTypes: []string{"cronjobs"},
+			expectError:   false,
+			expected:      []string{"cronjobs"},
+		},
+		{
+			name:          "Empty list",
+			workloadTypes: []string{},
+			expectError:   false,
+			expected:      []string{},
+		},
+		{
+			name:          "Invalid workload type",
+			workloadTypes: []string{"invalid"},
+			expectError:   true,
+			expected:      nil,
+		},
+		{
+			name:          "Mixed valid and invalid",
+			workloadTypes: []string{"jobs", "invalid"},
+			expectError:   true,
+			expected:      nil,
+		},
+		{
+			name:          "Duplicate values",
+			workloadTypes: []string{"jobs", "jobs"},
+			expectError:   false,
+			expected:      []string{"jobs", "jobs"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the global option
+			options.WorkloadTypesToIgnore = tt.workloadTypes
+
+			result, err := GetIgnoredWorkloadTypesList()
+
+			if tt.expectError && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error but got: %v", err)
+			}
+
+			if !tt.expectError {
+				if len(result) != len(tt.expected) {
+					t.Errorf("Expected %v, got %v", tt.expected, result)
+					return
+				}
+
+				for i, expected := range tt.expected {
+					if i >= len(result) || result[i] != expected {
+						t.Errorf("Expected %v, got %v", tt.expected, result)
+						break
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestListContains(t *testing.T) {
+	tests := []struct {
+		name     string
+		list     List
+		item     string
+		expected bool
+	}{
+		{
+			name:     "List contains item",
+			list:     List{"jobs", "cronjobs"},
+			item:     "jobs",
+			expected: true,
+		},
+		{
+			name:     "List does not contain item",
+			list:     List{"jobs"},
+			item:     "cronjobs",
+			expected: false,
+		},
+		{
+			name:     "Empty list",
+			list:     List{},
+			item:     "jobs",
+			expected: false,
+		},
+		{
+			name:     "Case sensitive matching",
+			list:     List{"jobs", "cronjobs"},
+			item:     "Jobs",
+			expected: false,
+		},
+		{
+			name:     "Multiple occurrences",
+			list:     List{"jobs", "jobs", "cronjobs"},
+			item:     "jobs",
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.list.Contains(tt.item)
+			if result != tt.expected {
+				t.Errorf("Expected %v, got %v", tt.expected, result)
+			}
+		})
+	}
+}

pkg/common/common.go

@@ -10,6 +10,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/stakater/Reloader/internal/pkg/constants"
 	"github.com/stakater/Reloader/internal/pkg/options"
+	"github.com/stakater/Reloader/internal/pkg/util"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes"
@@ -74,6 +75,8 @@ type ReloaderOptions struct {
 	WebhookUrl string `json:"webhookUrl"`
 	// ResourcesToIgnore is a list of resource types to ignore (e.g., "configmaps" or "secrets")
 	ResourcesToIgnore []string `json:"resourcesToIgnore"`
+	// WorkloadTypesToIgnore is a list of workload types to ignore (e.g., "jobs" or "cronjobs")
+	WorkloadTypesToIgnore []string `json:"workloadTypesToIgnore"`
 	// NamespaceSelectors is a list of label selectors to filter namespaces to watch
 	NamespaceSelectors []string `json:"namespaceSelectors"`
 	// ResourceSelectors is a list of label selectors to filter ConfigMaps and Secrets to watch
@@ -182,6 +185,32 @@ func GetResourceLabelSelector(slice []string) (string, error) {
 // ShouldReload checks if a resource should be reloaded based on its annotations and the provided options.
 func ShouldReload(config Config, resourceType string, annotations Map, podAnnotations Map, options *ReloaderOptions) ReloadCheckResult {
 
+	// Check if this workload type should be ignored
+	if len(options.WorkloadTypesToIgnore) > 0 {
+		ignoredWorkloadTypes, err := util.GetIgnoredWorkloadTypesList()
+		if err != nil {
+			logrus.Errorf("Failed to parse ignored workload types: %v", err)
+		} else {
+			// Map Kubernetes resource types to CLI-friendly names for comparison
+			var resourceToCheck string
+			switch resourceType {
+			case "Job":
+				resourceToCheck = "jobs"
+			case "CronJob":
+				resourceToCheck = "cronjobs"
+			default:
+				resourceToCheck = resourceType // For other types, use as-is
+			}
+
+			// Check if current resource type should be ignored
+			if ignoredWorkloadTypes.Contains(resourceToCheck) {
+				return ReloadCheckResult{
+					ShouldReload: false,
+				}
+			}
+		}
+	}
+
 	ignoreResourceAnnotatonValue := config.ResourceAnnotations[options.IgnoreResourceAnnotation]
 	if ignoreResourceAnnotatonValue == "true" {
 		return ReloadCheckResult{
@@ -304,6 +333,7 @@ func GetCommandLineOptions() *ReloaderOptions {
 	CommandLineOptions.EnableHA = options.EnableHA
 	CommandLineOptions.WebhookUrl = options.WebhookUrl
 	CommandLineOptions.ResourcesToIgnore = options.ResourcesToIgnore
+	CommandLineOptions.WorkloadTypesToIgnore = options.WorkloadTypesToIgnore
 	CommandLineOptions.NamespaceSelectors = options.NamespaceSelectors
 	CommandLineOptions.ResourceSelectors = options.ResourceSelectors
 	CommandLineOptions.NamespacesToIgnore = options.NamespacesToIgnore

pkg/common/common_test.go

@@ -0,0 +1,224 @@
+package common
+
+import (
+	"testing"
+
+	"github.com/stakater/Reloader/internal/pkg/options"
+)
+
+func TestShouldReload_IgnoredWorkloadTypes(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name                 string
+		ignoredWorkloadTypes []string
+		resourceType         string
+		shouldReload         bool
+		description          string
+	}{
+		{
+			name:                 "Jobs ignored - Job should not reload",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "Job",
+			shouldReload:         false,
+			description:          "When jobs are ignored, Job resources should not be reloaded",
+		},
+		{
+			name:                 "Jobs ignored - CronJob should reload",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "CronJob",
+			shouldReload:         true,
+			description:          "When jobs are ignored, CronJob resources should still be processed",
+		},
+		{
+			name:                 "CronJobs ignored - CronJob should not reload",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "CronJob",
+			shouldReload:         false,
+			description:          "When cronjobs are ignored, CronJob resources should not be reloaded",
+		},
+		{
+			name:                 "CronJobs ignored - Job should reload",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "Job",
+			shouldReload:         true,
+			description:          "When cronjobs are ignored, Job resources should still be processed",
+		},
+		{
+			name:                 "Both ignored - Job should not reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Job",
+			shouldReload:         false,
+			description:          "When both are ignored, Job resources should not be reloaded",
+		},
+		{
+			name:                 "Both ignored - CronJob should not reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "CronJob",
+			shouldReload:         false,
+			description:          "When both are ignored, CronJob resources should not be reloaded",
+		},
+		{
+			name:                 "Both ignored - Deployment should reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Deployment",
+			shouldReload:         true,
+			description:          "When both are ignored, other workload types should still be processed",
+		},
+		{
+			name:                 "None ignored - Job should reload",
+			ignoredWorkloadTypes: []string{},
+			resourceType:         "Job",
+			shouldReload:         true,
+			description:          "When nothing is ignored, all workload types should be processed",
+		},
+		{
+			name:                 "None ignored - CronJob should reload",
+			ignoredWorkloadTypes: []string{},
+			resourceType:         "CronJob",
+			shouldReload:         true,
+			description:          "When nothing is ignored, all workload types should be processed",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the ignored workload types
+			options.WorkloadTypesToIgnore = tt.ignoredWorkloadTypes
+
+			// Create minimal test config and options
+			config := Config{
+				ResourceName: "test-resource",
+				Annotation:   "configmap.reloader.stakater.com/reload",
+			}
+
+			annotations := Map{
+				"configmap.reloader.stakater.com/reload": "test-config",
+			}
+
+			// Create ReloaderOptions with the ignored workload types
+			opts := &ReloaderOptions{
+				WorkloadTypesToIgnore:  tt.ignoredWorkloadTypes,
+				AutoReloadAll:          true, // Enable auto-reload to simplify test
+				ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+			}
+
+			// Call ShouldReload
+			result := ShouldReload(config, tt.resourceType, annotations, Map{}, opts)
+
+			// Check the result
+			if result.ShouldReload != tt.shouldReload {
+				t.Errorf("For resource type %s with ignored types %v, expected ShouldReload=%v, got=%v",
+					tt.resourceType, tt.ignoredWorkloadTypes, tt.shouldReload, result.ShouldReload)
+			}
+
+			t.Logf("✓ %s", tt.description)
+		})
+	}
+}
+
+func TestShouldReload_IgnoredWorkloadTypes_ValidationError(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	// Test with invalid workload type - should still continue processing
+	options.WorkloadTypesToIgnore = []string{"invalid"}
+
+	config := Config{
+		ResourceName: "test-resource",
+		Annotation:   "configmap.reloader.stakater.com/reload",
+	}
+
+	annotations := Map{
+		"configmap.reloader.stakater.com/reload": "test-config",
+	}
+
+	opts := &ReloaderOptions{
+		WorkloadTypesToIgnore:  []string{"invalid"},
+		AutoReloadAll:          true, // Enable auto-reload to simplify test
+		ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+	}
+
+	// Should not panic and should continue with normal processing
+	result := ShouldReload(config, "Job", annotations, Map{}, opts)
+
+	// Since validation failed, it should continue with normal processing (should reload)
+	if !result.ShouldReload {
+		t.Errorf("Expected ShouldReload=true when validation fails, got=%v", result.ShouldReload)
+	}
+}
+
+// Test that validates the fix for issue #996
+func TestShouldReload_IssueRBACPermissionFixed(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name                 string
+		ignoredWorkloadTypes []string
+		resourceType         string
+		description          string
+	}{
+		{
+			name:                 "Issue #996 - ignoreJobs prevents Job processing",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "Job",
+			description:          "Job resources are skipped entirely, preventing RBAC permission errors",
+		},
+		{
+			name:                 "Issue #996 - ignoreCronJobs prevents CronJob processing",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "CronJob",
+			description:          "CronJob resources are skipped entirely, preventing RBAC permission errors",
+		},
+		{
+			name:                 "Issue #996 - both ignored prevent both types",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Job",
+			description:          "Job resources are skipped entirely when both types are ignored",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the ignored workload types
+			options.WorkloadTypesToIgnore = tt.ignoredWorkloadTypes
+
+			config := Config{
+				ResourceName: "test-resource",
+				Annotation:   "configmap.reloader.stakater.com/reload",
+			}
+
+			annotations := Map{
+				"configmap.reloader.stakater.com/reload": "test-config",
+			}
+
+			opts := &ReloaderOptions{
+				WorkloadTypesToIgnore:  tt.ignoredWorkloadTypes,
+				AutoReloadAll:          true, // Enable auto-reload to simplify test
+				ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+			}
+
+			// Call ShouldReload
+			result := ShouldReload(config, tt.resourceType, annotations, Map{}, opts)
+
+			// Should not reload when workload type is ignored
+			if result.ShouldReload {
+				t.Errorf("Expected ShouldReload=false for ignored workload type %s, got=%v",
+					tt.resourceType, result.ShouldReload)
+			}
+
+			t.Logf("✓ %s", tt.description)
+		})
+	}
+}