Update docker UBI image

Signed-off-by: faizanahmad055 <faizan.ahmad55@outlook.com>
Fix pause deployment test
2026-02-14 18:09:50 +00:00 · 2026-01-07 01:02:24 +01:00 · 2026-01-07 00:29:20 +01:00 · 2026-01-07 00:10:28 +01:00 · 2026-01-06 23:50:42 +01:00 · 2026-01-06 22:53:24 +01:00
72 changed files with 4849 additions and 801 deletions
--- a/.github/md_config.json
+++ b/.github/md_config.json
@@ -3,5 +3,6 @@
    {
      "pattern": "^(?!http).+"
    }
-  ]
+  ],
+  "retryOn429": true
 }
--- a/.github/workflows/init-branch-release.yaml
+++ b/.github/workflows/init-branch-release.yaml
@@ -23,7 +23,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -57,7 +57,7 @@ jobs:
          git diff

      - name: Create pull request
-        uses: peter-evans/create-pull-request@v7.0.6
+        uses: peter-evans/create-pull-request@v7.0.8
        with:
          commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
          title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"
--- a/.github/workflows/pull_request-helm.yaml
+++ b/.github/workflows/pull_request-helm.yaml
@@ -26,7 +26,7 @@ jobs:
    steps:

    - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
      with:
        ref: ${{github.event.pull_request.head.sha}}
        fetch-depth: 0
@@ -55,7 +55,7 @@ jobs:
    steps:

    - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
      with:
        ref: ${{github.event.pull_request.head.sha}}
        fetch-depth: 0
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -25,7 +25,7 @@ env:

 jobs:
  qa:
-    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.131
+    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.163
    with:
      MD_CONFIG: .github/md_config.json
      DOC_SRC: README.md
@@ -40,7 +40,7 @@ jobs:
    name: Build
    steps:
    - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
      with:
        ref: ${{github.event.pull_request.head.sha}}
        fetch-depth: 0
@@ -57,12 +57,17 @@ jobs:
        charts: deployments/kubernetes/chart/reloader

    - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version-file: 'go.mod'
        check-latest: true
        cache: true

+    - name: Create timestamp
+      id: prep
+      run: echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
+
    # Get highest tag and remove any suffixes with '-'
    - name: Get Highest tag
      id: highest_tag
@@ -75,11 +80,7 @@ jobs:
        make install

    - name: Run golangci-lint
-      uses: golangci/golangci-lint-action@v6
-      with:
-        version: latest
-        only-new-issues: false
-        args: --timeout 10m
+      run: make lint

    - name: Helm Lint
      run: |
@@ -104,6 +105,7 @@ jobs:
        kind create cluster
        kubectl cluster-info

+
    - name: Test
      run: make test

@@ -135,7 +137,12 @@ jobs:
        file: ${{ env.DOCKER_FILE_PATH  }}
        pull: true
        push: false
-        build-args: BUILD_PARAMETERS=${{ env.BUILD_PARAMETERS }}
+        build-args: |
+          VERSION=merge-${{ steps.generate_tag.outputs.GIT_TAG }}
+          COMMIT=${{github.event.pull_request.head.sha}}
+          BUILD_DATE=${{ steps.prep.outputs.created }}
+          BUILD_PARAMETERS=${{ env.BUILD_PARAMETERS }}
+        
        cache-to: type=inline
        platforms: linux/amd64,linux/arm,linux/arm64
        tags: |
--- a/.github/workflows/pull_request_docs.yaml
+++ b/.github/workflows/pull_request_docs.yaml
@@ -16,16 +16,17 @@ on:

 jobs:
  qa:
-    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.131
+    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.163
    with:
      MD_CONFIG: .github/md_config.json
      DOC_SRC: docs
      MD_LINT_CONFIG: .markdownlint.yaml
  build:
-    uses: stakater/.github/.github/workflows/pull_request_container_build.yaml@v0.0.131
+    uses: stakater/.github/.github/workflows/pull_request_container_build.yaml@v0.0.163
    with:
      DOCKER_FILE_PATH: Dockerfile-docs
      CONTAINER_REGISTRY_URL: ghcr.io/stakater
+      PUSH_IMAGE: false
    secrets:
      CONTAINER_REGISTRY_USERNAME: ${{ github.actor }}
      CONTAINER_REGISTRY_PASSWORD: ${{ secrets.GHCR_TOKEN }}
--- a/.github/workflows/push-helm-chart.yaml
+++ b/.github/workflows/push-helm-chart.yaml
@@ -15,7 +15,7 @@ on:

 env:
  HELM_REGISTRY_URL: "https://stakater.github.io/stakater-charts"
-  REGISTRY: ghcr.io
+  REGISTRY: ghcr.io # container registry

 jobs:
  verify-and-push-helm-chart:
@@ -31,7 +31,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          token: ${{ secrets.PUBLISH_TOKEN }}
          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -73,7 +73,7 @@ jobs:
          exit 1

      - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.8.2
+        uses: sigstore/cosign-installer@v4.0.0

      - name: Login to GHCR Registry
        uses: docker/login-action@v3
@@ -106,7 +106,7 @@ jobs:
          commit_email: stakater@gmail.com

      - name: Push new chart tag
-        uses: anothrNick/github-tag-action@1.71.0
+        uses: anothrNick/github-tag-action@1.75.0
        env:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
          WITH_V: false
--- a/.github/workflows/push-pr-image.yaml
+++ b/.github/workflows/push-pr-image.yaml
@@ -30,13 +30,13 @@ jobs:
    if: ${{ github.event.label.name == 'build-and-push-pr-image' }}
    steps:
    - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
      with:
        ref: ${{github.event.pull_request.head.sha}}
        fetch-depth: 0

    - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
      with:
        go-version-file: 'go.mod'
        check-latest: true
@@ -47,11 +47,7 @@ jobs:
        make install

    - name: Run golangci-lint
-      uses: golangci/golangci-lint-action@v6
-      with:
-        version: latest
-        only-new-issues: false
-        args: --timeout 10m
+      run: make lint

    - name: Generate Tags
      id: generate_tag
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -29,7 +29,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          token: ${{ secrets.PUBLISH_TOKEN }}
          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -42,7 +42,7 @@ jobs:
          version: v3.11.3

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'
          check-latest: true
@@ -53,11 +53,7 @@ jobs:
          make install

      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          version: latest
-          only-new-issues: false
-          args: --timeout 10m
+        run: make lint

      - name: Install kubectl
        run: |
@@ -91,6 +87,10 @@ jobs:
        with:
          username: ${{ secrets.STAKATER_DOCKERHUB_USERNAME }}
          password: ${{ secrets.STAKATER_DOCKERHUB_PASSWORD }}
+      
+      - name: Create timestamp
+        id: prep
+        run: echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT

      - name: Generate image repository path for Docker registry
        run: |
@@ -148,7 +148,11 @@ jobs:
          file: ${{ env.DOCKER_FILE_PATH  }}
          pull: true
          push: true
-          build-args: BUILD_PARAMETERS=${{ env.BUILD_PARAMETERS }}
+          build-args: |
+            VERSION=merge-${{ github.event.number }}
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ steps.prep.outputs.created }}
+            BUILD_PARAMETERS=${{ env.BUILD_PARAMETERS }}
          cache-to: type=inline
          platforms: linux/amd64,linux/arm,linux/arm64
          tags: |
@@ -207,7 +211,7 @@ jobs:
            org.opencontainers.image.revision=${{ github.sha }}

      - name: Push Latest Tag
-        uses: anothrNick/github-tag-action@1.71.0
+        uses: anothrNick/github-tag-action@1.75.0
        env:
          GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
          WITH_V: false
--- a/.github/workflows/release-helm-chart.yaml
+++ b/.github/workflows/release-helm-chart.yaml
@@ -15,7 +15,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          fetch-depth: 0

--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,7 +24,7 @@ jobs:

    steps:
      - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
        with:
          token: ${{ secrets.PUBLISH_TOKEN }}
          fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -37,7 +37,7 @@ jobs:
          version: v3.11.3

      - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
        with:
          go-version-file: 'go.mod'
          check-latest: true
@@ -48,11 +48,7 @@ jobs:
          make install

      - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          version: latest
-          only-new-issues: false
-          args: --timeout 10m
+        run: make lint

      - name: Install kubectl
        run: |
@@ -79,6 +75,10 @@ jobs:
        id: generate_tag
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT

+      - name: Create timestamp
+        id: prep
+        run: echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

@@ -106,6 +106,10 @@ jobs:
          platforms: linux/amd64,linux/arm,linux/arm64
          tags: |
            ${{ env.DOCKER_IMAGE_REPOSITORY }}:${{ steps.generate_tag.outputs.RELEASE_VERSION }}
+          build-args: |
+            VERSION=${{ steps.generate_tag.outputs.RELEASE_VERSION }}
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ steps.prep.outputs.created }}
          labels: |
            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
@@ -152,6 +156,10 @@ jobs:
          platforms: linux/amd64,linux/arm,linux/arm64
          tags: |
            ${{ env.GHCR_IMAGE_REPOSITORY }}:${{ steps.generate_tag.outputs.RELEASE_VERSION }},${{ env.GHCR_IMAGE_REPOSITORY }}:latest
+          build-args: |
+            VERSION=${{ steps.generate_tag.outputs.RELEASE_VERSION }}
+            COMMIT=${{ github.sha }}
+            BUILD_DATE=${{ steps.prep.outputs.created }}
          labels: |
            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
            org.opencontainers.image.created=${{ steps.prep.outputs.created }}
--- a/.vale.ini
+++ b/.vale.ini
@@ -1,7 +1,7 @@
 StylesPath = styles
 MinAlertLevel = warning

-Packages = https://github.com/stakater/vale-package/releases/download/v0.0.65/Stakater.zip
+Packages = https://github.com/stakater/vale-package/releases/download/v0.0.87/Stakater.zip
 Vocab = Stakater

 # Only check MarkDown files
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,3 +1,3 @@
 # Code of Conduct

-Reloader follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+Reloader follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
--- a/11
+++ b/11
@@ -2,13 +2,17 @@ ARG BUILDER_IMAGE
 ARG BASE_IMAGE

 # Build the manager binary
-FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE:-golang:1.24.4} AS builder
+FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE:-golang:1.25.5} AS builder

 ARG TARGETOS
 ARG TARGETARCH
 ARG GOPROXY
 ARG GOPRIVATE

+ARG COMMIT
+ARG VERSION
+ARG BUILD_DATE
+
 WORKDIR /workspace

 # Copy the Go Modules manifests
@@ -30,7 +34,10 @@ RUN CGO_ENABLED=0 \
    GOPROXY=${GOPROXY} \
    GOPRIVATE=${GOPRIVATE} \
    GO111MODULE=on \
-    go build -mod=mod -a -o manager main.go
+    go build -ldflags="-s -w -X github.com/stakater/Reloader/pkg/common.Version=${VERSION} \
+         -X github.com/stakater/Reloader/pkg/common.Commit=${COMMIT} \
+         -X github.com/stakater/Reloader/pkg/common.BuildDate=${BUILD_DATE}" \
+        -installsuffix 'static' -mod=mod -a -o manager ./

 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
--- a/4
+++ b/4
@@ -1,4 +1,4 @@
-FROM python:3.13-alpine as builder
+FROM python:3.14-alpine as builder

 # set workdir
 RUN mkdir -p $HOME/application
@@ -17,7 +17,7 @@ RUN python theme_common/scripts/combine_mkdocs_config_yaml.py theme_common/mkdoc
 # build the docs
 RUN mkdocs build

-FROM nginxinc/nginx-unprivileged:1.27-alpine as deploy
+FROM nginxinc/nginx-unprivileged:1.29-alpine as deploy
 COPY --from=builder $HOME/application/site/ /usr/share/nginx/html/reloader/
 COPY docs-nginx.conf /etc/nginx/conf.d/default.conf

--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -20,7 +20,19 @@ RUN mkdir /image && \
 COPY ubi-build-files-${TARGETARCH}.txt /tmp
 # Copy all the required files from the base UBI image into the image directory
 # As the go binary is not statically compiled this includes everything needed for CGO to work, cacerts, tzdata and RH release files
-RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${TARGETARCH}.txt && tar xf /tmp/files.tar -C /image/
+# Filter existing files and exclude temporary entitlement files that may be removed during build
+RUN while IFS= read -r file; do \
+      [ -z "$file" ] && continue; \
+      if [ -e "$file" ] || [ -L "$file" ]; then \
+        echo "$file"; \
+      fi; \
+    done < /tmp/ubi-build-files-${TARGETARCH}.txt > /tmp/existing-files.txt && \
+    if [ -s /tmp/existing-files.txt ]; then \
+      tar -chf /tmp/files.tar --exclude='etc/pki/entitlement-host*' -T /tmp/existing-files.txt 2>&1 | grep -vE "(File removed before we read it|Cannot stat)" || true; \
+      if [ -f /tmp/files.tar ]; then \
+        tar xf /tmp/files.tar -C /image/ 2>/dev/null || true; \
+      fi; \
+    fi

 # Generate a rpm database which contains all the packages that you said were needed in ubi-build-files-*.txt
 RUN rpm --root /image --initdb \
--- a/7
+++ b/7
@@ -41,7 +41,7 @@ YQ ?= $(LOCALBIN)/yq
 KUSTOMIZE_VERSION ?= v5.3.0
 CONTROLLER_TOOLS_VERSION ?= v0.14.0
 ENVTEST_VERSION ?= release-0.17
-GOLANGCI_LINT_VERSION ?= v1.57.2
+GOLANGCI_LINT_VERSION ?= v2.6.1

 YQ_VERSION ?= v4.27.5
 YQ_DOWNLOAD_URL = "https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$(OS)_$(ARCH)"
@@ -75,7 +75,7 @@ $(ENVTEST): $(LOCALBIN)
 .PHONY: golangci-lint
 golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,${GOLANGCI_LINT_VERSION})
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,${GOLANGCI_LINT_VERSION})

 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary (ideally with version)
@@ -102,6 +102,9 @@ run:
 build:
 	"$(GOCMD)" build ${GOFLAGS} ${LDFLAGS} -o "${BINARY}"

+lint: golangci-lint ## Run golangci-lint on the codebase
+	$(GOLANGCI_LINT) run ./...
+
 build-image:
 	docker buildx build \
 		--platform ${OS}/${ARCH} \
--- a/README.md
+++ b/README.md
@@ -2,6 +2,7 @@
  <img src="assets/web/reloader.jpg" alt="Reloader" width="40%"/>
 </p>

+[![💖 Sponsor Our Work](https://img.shields.io/badge/Sponsor%20Our%20Work-FF8C00?style=flat-square&logo=github-sponsors&logoColor=white)](https://github.com/sponsors/stakater?utm_source=github&utm_medium=readme&utm_campaign=reloader)
 [![Go Report Card](https://goreportcard.com/badge/github.com/stakater/reloader?style=flat-square)](https://goreportcard.com/report/github.com/stakater/reloader)
 [![Go Doc](https://img.shields.io/badge/godoc-reference-blue.svg?style=flat-square)](https://godoc.org/github.com/stakater/reloader)
 [![Release](https://img.shields.io/github/release/stakater/reloader.svg?style=flat-square)](https://github.com/stakater/reloader/releases/latest)
@@ -12,7 +13,7 @@

 ## 🔁 What is Reloader?

-Reloader is a Kubernetes controller that automatically triggers rollouts of workloads (like Deployments, StatefulSets, and more) whenever referenced `Secrets` or `ConfigMaps` are updated.
+Reloader is a Kubernetes controller that automatically triggers rollouts of workloads (like Deployments, StatefulSets, and more) whenever referenced `Secrets`, `ConfigMaps` or **optionally CSI-mounted secrets** are updated.

 In a traditional Kubernetes setup, updating a `Secret` or `ConfigMap` does not automatically restart or redeploy your workloads. This can lead to stale configurations running in production, especially when dealing with dynamic values like credentials, feature flags, or environment configs.

@@ -153,9 +154,26 @@ This pattern allows fine-grained reload control — workloads only restart if th
 1. ✅ You want to reload a workload only if it references a ConfigMap or Secret that has been explicitly tagged with `reloader.stakater.com/match: "true"`.
 1. ✅ Use this when you want full control over which shared or system-wide resources trigger reloads. Great in multi-tenant clusters or shared configs.

-### 4. ⚙️ Workload-Specific Rollout Strategy
+### ⛔ Resource-Level Ignore Annotation

-By default, Reloader uses the **rollout** strategy — it updates the pod template to trigger a new rollout. This works well in most cases, but it can cause problems if you're using GitOps tools like ArgoCD, which detect this as configuration drift.
+When you need to prevent specific ConfigMaps or Secrets from triggering any reloads, use the ignore annotation on the resource itself:
+
+```yaml
+apiVersion: v1
+kind: ConfigMap  # or Secret
+metadata:
+  name: my-config
+  annotations:
+    reloader.stakater.com/ignore: "true"
+```
+
+This instructs Reloader to skip all reload logic for that resource across all workloads.
+
+### 4. ⚙️ Workload-Specific Rollout Strategy (Argo Rollouts Only)
+
+Note: This is only applicable when using [Argo Rollouts](https://argoproj.github.io/argo-rollouts/). It is ignored for standard Kubernetes `Deployments`, `StatefulSets`, or `DaemonSets`. To use this feature, Argo Rollouts support must be enabled in Reloader (for example via --is-argo-rollouts=true).
+
+By default, Reloader triggers the Argo Rollout controller to perform a standard rollout by updating the pod template. This works well in most cases, however, because this modifies the workload spec, GitOps tools like ArgoCD will detect this as "Configuration Drift" and mark your application as OutOfSync.

 To avoid that, you can switch to the **restart** strategy, which simply restarts the pod without changing the pod template.

@@ -176,6 +194,8 @@ metadata:
 1. You want a quick restart without changing the workload spec
 1. Your platform restricts metadata changes

+This setting affects Argo Rollouts behavior, not Argo CD sync settings.
+
 ### 5. ❗ Annotation Behavior Rules & Compatibility

 - `reloader.stakater.com/auto` and `reloader.stakater.com/search` **cannot be used together** — the `auto` annotation takes precedence.
@@ -189,20 +209,95 @@ metadata:

 Reloader can optionally **send alerts** whenever it triggers a rolling upgrade for a workload (e.g., `Deployment`, `StatefulSet`, etc.).

-These alerts are sent to a configured **webhook endpoint**, which can be a generic receiver or services like Slack or Microsoft Teams.
+These alerts are sent to a configured **webhook endpoint**, which can be a generic receiver or services like Slack, Microsoft Teams or Google Chat.

 To enable this feature, update the `reloader.env.secret` section in your `values.yaml` (when installing via Helm):

 ```yaml
 reloader:
-  env:
-    secret:
-      ALERT_ON_RELOAD: "true"                    # Enable alerting (default: false)
-      ALERT_SINK: "slack"                        # Options: slack, teams, webhook (default: webhook)
-      ALERT_WEBHOOK_URL: "<your-webhook-url>"    # Required if ALERT_ON_RELOAD is true
-      ALERT_ADDITIONAL_INFO: "Triggered by Reloader in staging environment"
+  deployment:
+    env:
+      secret:
+        ALERT_ON_RELOAD: "true"                    # Enable alerting (default: false)
+        ALERT_SINK: "slack"                        # Options: slack, teams, gchat or webhook (default: webhook)
+        ALERT_WEBHOOK_URL: "<your-webhook-url>"    # Required if ALERT_ON_RELOAD is true
+        ALERT_ADDITIONAL_INFO: "Triggered by Reloader in staging environment"
 ```

+### 7. ⏸️ Pause Deployments
+
+This feature allows you to pause rollouts for a deployment for a specified duration, helping to prevent multiple restarts when several ConfigMaps or Secrets are updated in quick succession.
+
+| Annotation                                              | Applies To   | Description                                                                 |
+|---------------------------------------------------------|--------------|-----------------------------------------------------------------------------|
+| `deployment.reloader.stakater.com/pause-period: "5m"`   | Deployment   | Pauses reloads for the specified period (e.g., `5m`, `1h`)                  |
+
+#### How it works
+
+1. Add the `deployment.reloader.stakater.com/pause-period` annotation to your Deployment, specifying the pause duration (e.g., `"5m"` for five minutes).
+1. When a watched ConfigMap or Secret changes, Reloader will still trigger a reload event, but if the deployment is paused, the rollout will have no effect until the pause period has elapsed.
+1. This avoids repeated restarts if multiple resources are updated close together.
+
+#### Use when
+
+1. ✅ Your deployment references multiple ConfigMaps or Secrets that may be updated at the same time.
+1. ✅ You want to minimize unnecessary rollouts and reduce downtime caused by back-to-back configuration changes.
+
+### 8. 🔐 CSI Secret Provider Support
+
+Reloader supports the [Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/), which allows mounting secrets from external secret stores (like AWS Secrets Manager, Azure Key Vault, HashiCorp Vault) directly into pods.
+Unlike Kubernetes Secret objects, CSI-mounted secrets do not always trigger native Kubernetes update events. Reloader solves this by watching CSI status resources and restarting affected workloads when mounted secret versions change.
+
+#### How it works
+
+When secret rotation is enabled, the Secrets Store CSI Driver updates a Kubernetes resource called: `SecretProviderClassPodStatus`
+
+This resource reflects the currently mounted secret versions for a pod.
+Reloader watches these updates and triggers a rollout when a change is detected.
+
+#### Prerequisites
+
+- Secrets Store CSI Driver must be installed in your cluster
+- Secret rotation enabled in the CSI driver.
+- Enable CSI integration in Reloader: `--enable-csi-integration=true`
+
+#### Annotations for CSI-mounted Secrets
+
+| Annotation                                                                   | Description                                                                                                                 |
+|------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
+| `reloader.stakater.com/auto: "true"`                                         | Global Discovery: Automatically discovers and reloads the workload when any mounted ConfigMap or Secret is updated.         |
+| `secretproviderclass.reloader.stakater.com/auto: 'true'`                     | CSI Discovery: Specifically watches for updates to all SecretProviderClasses used by the workload (CSI driver integration). |
+| `secretproviderclass.reloader.stakater.com/reload: "my-secretproviderclass"` | Targeted Reload: Only reloads the workload when the specifically named SecretProviderClass(es) are updated.                 |
+
+Reloader monitors changes at the **per-secret level** by watching the `SecretProviderClassPodStatus`. Make sure each secret you want to monitor is properly defined with a `secretKey` in your `SecretProviderClass`:
+
+```yaml
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: vault-reloader-demo
+  namespace: test
+spec:
+  provider: vault
+  parameters:
+    vaultAddress: "http://vault.vault.svc:8200"
+    vaultSkipTLSVerify: "true"
+    roleName: "demo-role"
+    objects: |
+      - objectName: "password"
+        secretPath: "secret/data/reloader-demo"
+        secretKey: "password"
+```
+
+***Important***: Reloader tracks changes to individual secrets (identified by `secretKey`). If your SecretProviderClass doesn't specify `secretKey` for each object, Reloader may not detect updates correctly.
+
+#### Notes & Limitations
+
+Reloader reacts to CSI status changes, not direct updates to external secret stores
+Secret rotation must be enabled in the CSI driver for updates to be detected
+CSI limitations (such as `subPath` mounts) still apply and may require pod restarts
+If secrets are synced to Kubernetes Secret objects, standard Reloader behavior applies and CSI support may not be required
+
 ## 🚀 Installation

 ### 1. 📦 Helm
@@ -294,13 +389,30 @@ Reloader supports multiple strategies for triggering rolling updates when a watc
 |------|-------------|
 | `--resources-to-ignore=configmaps` | Ignore ConfigMaps (only one type can be ignored at a time) |
 | `--resources-to-ignore=secrets` | Ignore Secrets (cannot combine with configMaps) |
+| `--ignored-workload-types=jobs,cronjobs` | Ignore specific workload types from reload monitoring |
 | `--resource-label-selector=key=value` | Only watch ConfigMaps/Secrets with matching labels |

-> **⚠️ Note:**  
-> Only **one** resource type can be ignored at a time.  
-> Trying to ignore **both `configmaps` and `secrets`** will cause an error in Reloader.  
+> **⚠️ Note:**
+>
+> Only **one** resource type can be ignored at a time.
+> Trying to ignore **both `configmaps` and `secrets`** will cause an error in Reloader.
 > ✅ **Workaround:** Scale the Reloader deployment to `0` replicas if you want to disable it completely.

+**💡 Workload Type Examples:**
+
+```bash
+# Ignore only Jobs
+--ignored-workload-types=jobs
+
+# Ignore only CronJobs
+--ignored-workload-types=cronjobs
+
+# Ignore both (comma-separated)
+--ignored-workload-types=jobs,cronjobs
+```
+
+> **🔧 Use Case:** Ignoring workload types is useful when you don't want certain types of workloads to be automatically reloaded.
+
 #### 3. 🧩 Namespace Filtering

 | Flag | Description |
@@ -321,6 +433,15 @@ These flags allow you to redefine annotation keys used in your workloads or reso
 | `--search-match-annotation` | Overrides `reloader.stakater.com/match` |
 | `--secret-annotation` | Overrides `secret.reloader.stakater.com/reload` |
 | `--configmap-annotation` | Overrides `configmap.reloader.stakater.com/reload` |
+| `--pause-deployment-annotation` | Overrides `deployment.reloader.stakater.com/pause-period` |
+| `--pause-deployment-time-annotation` | Overrides `deployment.reloader.stakater.com/paused-at` |
+
+### 5. 🕷️ Debugging
+
+| Flag | Description |
+|---  |-------------|
+| `--enable-pprof` | Enables `pprof` for profiling |
+| `--pprof-addr` | Address to start `pprof` server on. Default is `:6060` |

 ## Compatibility

@@ -368,17 +489,20 @@ PRs are welcome. In general, we follow the "fork-and-pull" Git workflow:

 ## Release Processes

-_Repository GitHub releases_: As requested by the community in [issue 685](https://github.com/stakater/Reloader/issues/685), Reloader is now based on a manual release process. Releases are no longer done on every merged PR to the main branch, but manually on request.
+*Repository GitHub releases*: As requested by the community in [issue 685](https://github.com/stakater/Reloader/issues/685), Reloader is now based on a manual release process. Releases are no longer done on every merged PR to the main branch, but manually on request.

 To make a GitHub release:

-1. Code owners create a release branch `release-vX.Y.Z`
-1. Code owners run a dispatch mode workflow to automatically generate version and manifests on the release branch
+1. Code owners create a release branch `release-vX.Y.Z` from `master`
+1. Code owners run [Init Release](https://github.com/stakater/Reloader/actions/workflows/init-branch-release.yaml) workflow to automatically generate version and manifests on the release branch
+    - Set the `TARGET_BRANCH` parameter to release branch i.e. `release-vX.Y.Z`
+    - Set the `TARGET_VERSION` to release version without 'v' i.e. `X.Y.Z`
 1. A PR is created to bump the image version on the release branch, example: [PR-798](https://github.com/stakater/Reloader/pull/798)
 1. Code owners create a GitHub release with tag `vX.Y.Z` and target branch `release-vX.Y.Z`, which triggers creation of images
-1. Code owners create a PR to update the Helm chart version, example: [PR-846](https://github.com/stakater/Reloader/pull/846)
+1. Code owners create another branch from `master` and bump the helm chart version as well as Reloader image version.
+    - Code owners create a PR with `release/helm-chart` label, example: [PR-846](https://github.com/stakater/Reloader/pull/846)

-_Repository git tagging_: Push to the main branch will create a merge-image and merge-tag named `merge-${{ github.event.number }}`, for example `merge-800` when pull request number 800 is merged.
+*Repository git tagging*: Push to the main branch will create a merge-image and merge-tag named `merge-${{ github.event.number }}`, for example `merge-800` when pull request number 800 is merged.

 ## Changelog

--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.0
+1.4.12
--- a/deployments/kubernetes/chart/reloader/Chart.yaml
+++ b/deployments/kubernetes/chart/reloader/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v1
 name: reloader
 description: Reloader chart that runs on kubernetes
-version: 2.1.4
-appVersion: v1.4.4
+version: 2.2.7
+appVersion: v1.4.12
 keywords:
  - Reloader
  - kubernetes
--- a/deployments/kubernetes/chart/reloader/README.md
+++ b/deployments/kubernetes/chart/reloader/README.md
@@ -5,6 +5,7 @@ If you have configured helm on your cluster, you can add Reloader to helm from o
 ## Installation

 ```bash
+# Add stakater helm repoository
 helm repo add stakater https://stakater.github.io/stakater-charts

 helm repo update
@@ -14,6 +15,8 @@ helm install stakater/reloader # For helm3 add --generate-name flag or set the r
 helm install {{RELEASE_NAME}} stakater/reloader -n {{NAMESPACE}} --set reloader.watchGlobally=false # By default, Reloader watches in all namespaces. To watch in single namespace, set watchGlobally=false

 helm install stakater/reloader --set reloader.watchGlobally=false --namespace test --generate-name # Install Reloader in `test` namespace which will only watch `Deployments`, `Daemonsets` `Statefulsets` and `Rollouts` in `test` namespace.
+
+helm install stakater/reloader --set reloader.ignoreJobs=true --set reloader.ignoreCronJobs=true --generate-name # Install Reloader ignoring Jobs and CronJobs from reload monitoring
 ```

 ## Uninstalling
@@ -47,16 +50,20 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 | `reloader.isOpenshift`              | Enable OpenShift DeploymentConfigs. Valid value are either `true` or `false`                                                                        | boolean     | `false`   |
 | `reloader.ignoreSecrets`            | To ignore secrets. Valid value are either `true` or `false`. Either `ignoreSecrets` or `ignoreConfigMaps` can be ignored, not both at the same time | boolean     | `false`   |
 | `reloader.ignoreConfigMaps`         | To ignore configmaps. Valid value are either `true` or `false`                                                                                      | boolean     | `false`   |
+| `reloader.ignoreJobs`               | To ignore jobs from reload monitoring. Valid value are either `true` or `false`. Translates to `--ignored-workload-types=jobs`                      | boolean     | `false`   |
+| `reloader.ignoreCronJobs`           | To ignore CronJobs from reload monitoring. Valid value are either `true` or `false`. Translates to `--ignored-workload-types=cronjobs`               | boolean     | `false`   |
 | `reloader.reloadOnCreate`           | Enable reload on create events. Valid value are either `true` or `false`                                                                            | boolean     | `false`   |
 | `reloader.reloadOnDelete`           | Enable reload on delete events. Valid value are either `true` or `false`                                                                            | boolean     | `false`   |
 | `reloader.syncAfterRestart`         | Enable sync after Reloader restarts for **Add** events, works only when reloadOnCreate is `true`. Valid value are either `true` or `false`          | boolean     | `false`   |
 | `reloader.reloadStrategy`           | Strategy to trigger resource restart, set to either `default`, `env-vars` or `annotations`                                                          | enumeration | `default` |
 | `reloader.ignoreNamespaces`         | List of comma separated namespaces to ignore, if multiple are provided, they are combined with the AND operator                                     | string      | `""`      |
-| `reloader.namespaceSelector`        | List of comma separated k8s label selectors for namespaces selection. See [LIST and WATCH filtering](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#list-and-watch-filtering) for more details on label-selector                                  | string      | `""`      |
+| `reloader.namespaceSelector`        | List of comma separated k8s label selectors for namespaces selection. The parameter only used when `reloader.watchGlobally` is `true`. See [LIST and WATCH filtering](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#list-and-watch-filtering) for more details on label-selector                                  | string      | `""`      |
 | `reloader.resourceLabelSelector`    | List of comma separated label selectors, if multiple are provided they are combined with the AND operator                                           | string      | `""`      |
 | `reloader.logFormat`                | Set type of log format. Value could be either `json` or `""`                                                                                        | string      | `""`      |
 | `reloader.watchGlobally`            | Allow Reloader to watch in all namespaces (`true`) or just in a single namespace (`false`)                                                          | boolean     | `true`    |
 | `reloader.enableHA`                 | Enable leadership election allowing you to run multiple replicas                                                                                    | boolean     | `false`   |
+| `reloader.enablePProf`              | Enables pprof for profiling | boolean | `false` |
+| `reloader.pprofAddr` | Address to start pprof server on | string | `:6060` |
 | `reloader.readOnlyRootFileSystem`   | Enforce readOnlyRootFilesystem                                                                                                                      | boolean     | `false`   |
 | `reloader.legacy.rbac`              |                                                                                                                                                     | boolean     | `false`   |
 | `reloader.matchLabels`              | Pod labels to match                                                                                                                                 | map         | `{}`      |
@@ -82,7 +89,10 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 | `reloader.deployment.resources`                 | Set container requests and limits (e.g. CPU or memory)                                                                                                      | map    | `{}`              |
 | `reloader.deployment.pod.annotations`           | Set annotations for pod                                                                                                                                     | map    | `{}`              |
 | `reloader.deployment.priorityClassName`         | Set priority class for pod in cluster                                                                                                                       | string | `""`              |
+| `reloader.deployment.volumeMounts`              | Mount volume                                                                                                                                                | array  | `[]`              |
+| `reloader.deployment.volumes`                   | Add volume to a pod                                                                                                                                         | array  | `[]`              |

+| `reloader.deployment.dnsConfig`                 | dns configuration for pods                                                                                                                                  | map    | `{}`              |
 ### Other Reloader Parameters

 | Parameter                              | Description                                                     | Type    | Default |
@@ -110,6 +120,10 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 - Only one of these resources can be ignored at a time:
  - `ignoreConfigMaps` **or** `ignoreSecrets`
  - Trying to ignore both will cause Helm template compilation errors
+- The `ignoreJobs` and `ignoreCronJobs` flags can be used together or individually
+  - When both are enabled, translates to `--ignored-workload-types=jobs,cronjobs`
+  - When used individually, translates to `--ignored-workload-types=jobs` or `--ignored-workload-types=cronjobs`
+  - These flags prevent Reloader from monitoring and reloading the specified workload types

 ### Special Integrations
 - OpenShift (`DeploymentConfig`) and Argo Rollouts support must be **explicitly enabled**
@@ -118,7 +132,7 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 ### OpenShift Considerations
 - Recent OpenShift versions (tested on 4.13.3) require:
  - Users to be in a dynamically assigned UID range
-  - **Solution**: Unset `runAsUser` via `deployment.securityContext.runAsUser=null`
+  - **Solution**: Unset `runAsUser` via `reloader.deployment.securityContext.runAsUser=null`
  - Let OpenShift assign UID automatically during installation

 ### Core Functionality Flags
--- a/deployments/kubernetes/chart/reloader/templates/_helpers.tpl
+++ b/deployments/kubernetes/chart/reloader/templates/_helpers.tpl
@@ -27,12 +27,20 @@ Create chart name and version as used by the chart label.
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}

-{{- define "reloader-labels.chart" -}}
+{{- define "reloader-match-labels.chart" -}}
 app: {{ template "reloader-fullname" . }}
-chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 release: {{ .Release.Name | quote }}
+{{- end -}}
+
+{{- define "reloader-labels.chart" -}}
+{{ include "reloader-match-labels.chart" . }}
+app.kubernetes.io/name: {{ template "reloader-name" . }}
+app.kubernetes.io/instance: {{ .Release.Name | quote }}
+helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
+chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
 heritage: {{ .Release.Service | quote }}
 app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end -}}

 {{/*
@@ -45,10 +53,10 @@ podAntiAffinity:
    podAffinityTerm:
      labelSelector:
        matchExpressions:
-        - key: app
+        - key: app.kubernetes.io/instance
          operator: In
          values:
-          - {{ template "reloader-fullname" . }}
+          - {{ .Release.Name | quote }}
      topologyKey: "kubernetes.io/hostname"
 {{- end -}}

@@ -70,3 +78,28 @@ Create the annotations to support helm3
 meta.helm.sh/release-namespace: {{ .Release.Namespace | quote }}
 meta.helm.sh/release-name: {{ .Release.Name | quote }}
 {{- end -}}
+
+{{/*
+Create the namespace selector if it does not watch globally
+*/}}
+{{- define "reloader-namespaceSelector" -}}
+{{- if and .Values.reloader.watchGlobally .Values.reloader.namespaceSelector -}}
+    {{ .Values.reloader.namespaceSelector }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Normalizes global.imagePullSecrets to a list of objects with name fields.
+Supports both of these in values.yaml:
+  # - name: my-pull-secret
+  # - my-pull-secret
+*/}}
+{{- define "reloader-imagePullSecrets" -}}
+{{- range $s := .Values.global.imagePullSecrets }}
+{{- if kindIs "map" $s }}
+- {{ toYaml $s | nindent 2 | trim }}
+{{- else }}
+- name: {{ $s }}
+{{- end }}
+{{- end }}
+{{- end -}}
--- a/deployments/kubernetes/chart/reloader/templates/clusterrole.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/clusterrole.yaml
@@ -31,7 +31,7 @@ rules:
      - list
      - get
      - watch
-{{- if .Values.reloader.namespaceSelector }}
+{{- if (include "reloader-namespaceSelector" .) }}
  - apiGroups:
      - ""
    resources:
@@ -105,6 +105,17 @@ rules:
      - create
      - get
      - update
+{{- end}}
+{{- if .Values.reloader.enableCSIIntegration }}
+  - apiGroups:
+      - "secrets-store.csi.x-k8s.io"
+    resources:
+      - secretproviderclasspodstatuses
+      - secretproviderclasses
+    verbs:
+      - list
+      - get
+      - watch
 {{- end}}
  - apiGroups:
      - ""
--- a/deployments/kubernetes/chart/reloader/templates/deployment.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/deployment.yaml
@@ -25,8 +25,7 @@ spec:
  revisionHistoryLimit: {{ .Values.reloader.deployment.revisionHistoryLimit }}
  selector:
    matchLabels:
-      app: {{ template "reloader-fullname" . }}
-      release: {{ .Release.Name | quote }}
+{{ include "reloader-match-labels.chart" . | indent 6 }}
 {{- if .Values.reloader.matchLabels }}
 {{ tpl (toYaml .Values.reloader.matchLabels) . | indent 6 }}
 {{- end }}
@@ -45,9 +44,9 @@ spec:
 {{ tpl (toYaml .Values.reloader.matchLabels) . | indent 8 }}
 {{- end }}
    spec:
-      {{- with .Values.global.imagePullSecrets }}
+      {{- if .Values.global.imagePullSecrets }}
      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
+{{ include "reloader-imagePullSecrets" . | indent 8 }}
      {{- end }}
      {{- if .Values.reloader.deployment.nodeSelector }}
      nodeSelector:
@@ -72,6 +71,10 @@ spec:
      {{- if .Values.reloader.deployment.priorityClassName }}
      priorityClassName: {{ .Values.reloader.deployment.priorityClassName }}
      {{- end }}
+      {{- with .Values.reloader.deployment.dnsConfig }}
+      dnsConfig:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
      containers:
      {{- if .Values.global.imageRegistry }}
      - image: "{{ .Values.global.imageRegistry }}/{{ .Values.image.name }}:{{ .Values.image.tag }}"
@@ -144,6 +147,15 @@ spec:
            fieldRef:
              fieldPath: metadata.namespace
      {{- end }}
+
+        - name: RELOADER_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+
+        - name: RELOADER_DEPLOYMENT_NAME
+          value: {{ template "reloader-fullname" . }}
+
      {{- if .Values.reloader.enableHA }}
        - name: POD_NAME
          valueFrom:
@@ -198,7 +210,7 @@ spec:
          {{- . | toYaml | nindent 10 }}
          {{- end }}
      {{- end }}
-      {{- if or (.Values.reloader.logFormat) (.Values.reloader.logLevel) (.Values.reloader.ignoreSecrets) (.Values.reloader.ignoreNamespaces) (.Values.reloader.namespaceSelector) (.Values.reloader.resourceLabelSelector) (.Values.reloader.ignoreConfigMaps) (.Values.reloader.custom_annotations) (eq .Values.reloader.isArgoRollouts true) (eq .Values.reloader.reloadOnCreate true) (eq .Values.reloader.reloadOnDelete true) (ne .Values.reloader.reloadStrategy "default") (.Values.reloader.enableHA) (.Values.reloader.autoReloadAll)}}
+      {{- if or (.Values.reloader.logFormat) (.Values.reloader.logLevel) (.Values.reloader.ignoreSecrets) (.Values.reloader.ignoreNamespaces) (include "reloader-namespaceSelector" .) (.Values.reloader.resourceLabelSelector) (.Values.reloader.ignoreConfigMaps) (.Values.reloader.custom_annotations) (eq .Values.reloader.isArgoRollouts true) (eq .Values.reloader.reloadOnCreate true) (eq .Values.reloader.reloadOnDelete true) (ne .Values.reloader.reloadStrategy "default") (.Values.reloader.enableHA) (.Values.reloader.autoReloadAll) (.Values.reloader.ignoreJobs) (.Values.reloader.ignoreCronJobs) (.Values.reloader.enableCSIIntegration)}}
        args:
          {{- if .Values.reloader.logFormat }}
          - "--log-format={{ .Values.reloader.logFormat }}"
@@ -212,15 +224,31 @@ spec:
          {{- if .Values.reloader.ignoreConfigMaps }}
          - "--resources-to-ignore=configMaps"
          {{- end }}
+          {{- if and (.Values.reloader.ignoreJobs) (.Values.reloader.ignoreCronJobs) }}
+          - "--ignored-workload-types=jobs,cronjobs"
+          {{- else if .Values.reloader.ignoreJobs }}
+          - "--ignored-workload-types=jobs"
+          {{- else if .Values.reloader.ignoreCronJobs }}
+          - "--ignored-workload-types=cronjobs"
+          {{- end }}
          {{- if .Values.reloader.ignoreNamespaces }}
          - "--namespaces-to-ignore={{ .Values.reloader.ignoreNamespaces }}"
          {{- end }}
-          {{- if .Values.reloader.namespaceSelector }}
-          - "--namespace-selector={{ .Values.reloader.namespaceSelector }}"
+          {{- if (include "reloader-namespaceSelector" .) }}
+          - "--namespace-selector=\"{{ include "reloader-namespaceSelector" . }}\""
          {{- end }}
          {{- if .Values.reloader.resourceLabelSelector }}
          - "--resource-label-selector={{ .Values.reloader.resourceLabelSelector }}"
          {{- end }}
+          {{- if .Values.reloader.enablePProf }}
+          - "--enable-pprof"
+          {{- if and .Values.reloader.pprofAddr }}
+          - "--pprof-addr={{ .Values.reloader.pprofAddr }}"
+          {{- end }}
+          {{- end }}
+          {{- if .Values.reloader.enableCSIIntegration }}
+          - "--enable-csi-integration=true"
+          {{- end }}
          {{- if .Values.reloader.custom_annotations }}
            {{- if .Values.reloader.custom_annotations.configmap }}
          - "--configmap-annotation"
@@ -249,6 +277,14 @@ spec:
            {{- if .Values.reloader.custom_annotations.match }}
          - "--search-match-annotation"
          - "{{ .Values.reloader.custom_annotations.match }}"
+            {{- end }}
+            {{- if .Values.reloader.custom_annotations.pausePeriod }}
+          - "--pause-deployment-annotation"
+          - "{{ .Values.reloader.custom_annotations.pausePeriod }}"
+            {{- end }}
+            {{- if .Values.reloader.custom_annotations.pauseTime }}
+          - "--pause-deployment-time-annotation"
+          - "{{ .Values.reloader.custom_annotations.pauseTime }}"
            {{- end }}
            {{- if .Values.reloader.webhookUrl }}
          - "--webhook-url"
--- a/deployments/kubernetes/chart/reloader/templates/networkpolicy.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/networkpolicy.yaml
@@ -14,8 +14,7 @@ metadata:
 spec:
  podSelector:
    matchLabels:
-      app: {{ template "reloader-fullname" . }}
-      release: {{ .Release.Name | quote }}
+{{ include "reloader-match-labels.chart" . | indent 6 }}
 {{- if .Values.reloader.matchLabels }}
 {{ tpl (toYaml .Values.reloader.matchLabels) . | indent 6 }}
 {{- end }}
--- a/deployments/kubernetes/chart/reloader/templates/poddisruptionbudget.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/poddisruptionbudget.yaml
@@ -13,5 +13,5 @@ spec:
 {{- end }}
  selector:
    matchLabels:
-      app: {{ template "reloader-fullname" . }}
+      {{ include "reloader-match-labels.chart" . | nindent 6 }}
 {{- end }}
--- a/deployments/kubernetes/chart/reloader/templates/podmonitor.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/podmonitor.yaml
@@ -56,5 +56,5 @@ spec:
    - {{ .Release.Namespace }}
  selector:
    matchLabels:
-      {{ include "reloader-labels.chart" . | nindent 6 }}
+      {{ include "reloader-match-labels.chart" . | nindent 6 }}
 {{- end }}
--- a/deployments/kubernetes/chart/reloader/templates/role.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/role.yaml
@@ -92,6 +92,17 @@ rules:
      - create
      - get
      - update
+{{- end}}
+{{- if .Values.reloader.enableCSIIntegration }}
+  - apiGroups:
+      - "secrets-store.csi.x-k8s.io"
+    resources:
+      - secretproviderclasspodstatuses
+      - secretproviderclasses
+    verbs:
+      - list
+      - get
+      - watch
 {{- end}}
  - apiGroups:
      - ""
@@ -101,3 +112,34 @@ rules:
      - create
      - patch
 {{- end }}
+
+---
+
+{{- if .Values.reloader.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+{{ include "reloader-helm3.annotations" . | indent 4 }}
+  labels:
+{{ include "reloader-labels.chart" . | indent 4 }}
+{{- if .Values.reloader.rbac.labels }}
+{{ tpl (toYaml .Values.reloader.rbac.labels) . | indent 4 }}
+{{- end }}
+{{- if .Values.reloader.matchLabels }}
+{{ tpl (toYaml .Values.reloader.matchLabels) . | indent 4 }}
+{{- end }}
+  name: {{ template "reloader-fullname" . }}-metadata-role
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - list
+      - get
+      - watch
+      - create
+      - update
+{{- end }}
--- a/deployments/kubernetes/chart/reloader/templates/rolebinding.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/rolebinding.yaml
@@ -27,3 +27,30 @@ subjects:
    name: {{ template "reloader-serviceAccountName" . }}
    namespace: {{ .Values.namespace | default .Release.Namespace }}
 {{- end }}
+
+---
+{{- if .Values.reloader.rbac.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+{{ include "reloader-helm3.annotations" . | indent 4 }}
+  labels:
+{{ include "reloader-labels.chart" . | indent 4 }}
+{{- if .Values.reloader.rbac.labels }}
+{{ tpl (toYaml .Values.reloader.rbac.labels) . | indent 4 }}
+{{- end }}
+{{- if .Values.reloader.matchLabels }}
+{{ tpl (toYaml .Values.reloader.matchLabels) . | indent 4 }}
+{{- end }}
+  name: {{ template "reloader-fullname" . }}-metadata-role-binding
+  namespace: {{ .Values.namespace | default .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "reloader-fullname" . }}-metadata-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "reloader-serviceAccountName" . }}
+    namespace: {{ .Values.namespace | default .Release.Namespace }}
+{{- end }}
--- a/deployments/kubernetes/chart/reloader/templates/serviceaccount.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/serviceaccount.yaml
@@ -2,7 +2,8 @@
 apiVersion: v1
 kind: ServiceAccount
 {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+imagePullSecrets:
+{{ include "reloader-imagePullSecrets" . | indent 2 }}
 {{- end }}
 {{- if hasKey .Values.reloader.serviceAccount "automountServiceAccountToken" }}
 automountServiceAccountToken: {{ .Values.reloader.serviceAccount.automountServiceAccountToken }}
--- a/deployments/kubernetes/chart/reloader/templates/servicemonitor.yaml
+++ b/deployments/kubernetes/chart/reloader/templates/servicemonitor.yaml
@@ -56,5 +56,5 @@ spec:
    - {{ .Release.Namespace }}
  selector:
    matchLabels:
-      {{ include "reloader-labels.chart" . | nindent 6 }}
+      {{ include "reloader-match-labels.chart" . | nindent 6 }}
 {{- end }}
--- a/deployments/kubernetes/chart/reloader/tests/deployment_test.yaml
+++ b/deployments/kubernetes/chart/reloader/tests/deployment_test.yaml
@@ -61,3 +61,44 @@ tests:
            valueFrom:
              fieldRef:
                fieldPath: metadata.name
+
+  - it: sets ignored-workload-types argument when ignoreJobs is true
+    set:
+      reloader:
+        ignoreJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs"
+
+  - it: sets ignored-workload-types argument when ignoreCronJobs is true
+    set:
+      reloader:
+        ignoreCronJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=cronjobs"
+
+  - it: sets ignored-workload-types argument when both ignoreJobs and ignoreCronJobs are true
+    set:
+      reloader:
+        ignoreJobs: true
+        ignoreCronJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs,cronjobs"
+
+  - it: does not set ignored-workload-types argument when both ignoreJobs and ignoreCronJobs are false
+    set:
+      reloader:
+        ignoreJobs: false
+        ignoreCronJobs: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs"
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=cronjobs"
--- a/deployments/kubernetes/chart/reloader/values.yaml
+++ b/deployments/kubernetes/chart/reloader/values.yaml
@@ -7,6 +7,8 @@ global:
  imagePullSecrets: []
  #imagePullSecrets:
  #  - name: my-pull-secret
+  #imagePullSecrets:
+  #  - my-pull-secret

 kubernetes:
  host: https://kubernetes.default
@@ -17,7 +19,7 @@ fullnameOverride: ""
 image:
  name: stakater/reloader
  repository: ghcr.io/stakater/reloader
-  tag: v1.4.4
+  tag: v1.4.12
  # digest: sha256:1234567
  pullPolicy: IfNotPresent

@@ -27,7 +29,11 @@ reloader:
  isOpenshift: false
  ignoreSecrets: false
  ignoreConfigMaps: false
+  # Set to true to exclude Job workloads from automatic reload monitoring
+  # Useful when you don't want Jobs to be restarted when their referenced ConfigMaps/Secrets change
  ignoreJobs: false
+  # Set to true to exclude CronJob workloads from automatic reload monitoring
+  # Useful when you don't want CronJobs to be restarted when their referenced ConfigMaps/Secrets change
  ignoreCronJobs: false
  reloadOnCreate: false
  reloadOnDelete: false
@@ -41,6 +47,11 @@ reloader:
  watchGlobally: true
  # Set to true to enable leadership election allowing you to run multiple replicas
  enableHA: false
+  # Set to true to enable pprof for profiling
+  enablePProf: false
+  enableCSIIntegration: false
+  # Address to start pprof server on. Default is ":6060"
+  pprofAddr: ":6060"
  # Set to true if you have a pod security policy that enforces readOnlyRootFilesystem
  readOnlyRootFileSystem: false
  legacy:
@@ -49,6 +60,19 @@ reloader:
  # Set to true to expose a prometheus counter of reloads by namespace (this metric may have high cardinality in clusters with many namespaces)
  enableMetricsByNamespace: false
  deployment:
+    # Specifies the deployment DNS configuration.
+    dnsConfig: {}
+    # nameservers:
+    #   - 1.2.3.4
+    # searches:
+    #   - ns1.svc.cluster-domain.example
+    #   - my.dns.search.suffix
+    # options:
+    #   - name: ndots
+    #     value: "1"
+    #   - name: attempts
+    #     value: "3"
+
    # If you wish to run multiple replicas set reloader.enableHA = true
    replicas: 1

@@ -68,6 +92,9 @@ reloader:
    #             operator: "Exists"
    affinity: {}

+    volumeMounts: []
+    volumes: []
+
    securityContext:
      runAsNonRoot: true
      runAsUser: 65534
@@ -99,14 +126,14 @@ reloader:
    #     whenUnsatisfiable: DoNotSchedule
    #     labelSelector:
    #       matchLabels:
-    #         app: my-app
+    #         app.kubernetes.io/instance: my-app
    topologySpreadConstraints: []

    annotations: {}
    labels:
      provider: stakater
      group: com.stakater.platform
-      version: v1.4.4
+      version: v1.4.12
    # Support for extra environment variables.
    env:
      # Open supports Key value pair as environment variables.
@@ -337,8 +364,4 @@ reloader:
      # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto".
      updateMode: Auto

-  volumeMounts: []
-
-  volumes: []
-
  webhookUrl: ""
--- a/deployments/kubernetes/kustomization.yaml
+++ b/deployments/kubernetes/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
  - manifests/clusterrolebinding.yaml
  - manifests/serviceaccount.yaml
  - manifests/deployment.yaml
+  - manifests/role.yaml
--- a/deployments/kubernetes/manifests/deployment.yaml
+++ b/deployments/kubernetes/manifests/deployment.yaml
@@ -17,7 +17,7 @@ spec:
        app: reloader-reloader
    spec:
      containers:
-        - image: "ghcr.io/stakater/reloader:v1.1.0"
+        - image: "ghcr.io/stakater/reloader:v1.4.12"
          imagePullPolicy: IfNotPresent
          name: reloader-reloader
          env:
@@ -31,6 +31,13 @@ spec:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: '1'
+            - name: RELOADER_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+
+            - name: RELOADER_DEPLOYMENT_NAME
+              value: reloader-reloader
          ports:
            - name: http
              containerPort: 9090
--- a/deployments/kubernetes/manifests/role.yaml
+++ b/deployments/kubernetes/manifests/role.yaml
@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: reloader-reloader-metadata-role
+  namespace: default
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - list
+      - get
+      - watch
+      - create
+      - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: reloader-reloader-metadata-rolebinding
+  namespace: default
+subjects:
+  - kind: ServiceAccount
+    name: reloader-reloader
+    namespace: default
+roleRef:
+  kind: Role
+  name: reloader-reloader-metadata-role
+  apiGroup: rbac.authorization.k8s.io
--- a/deployments/kubernetes/reloader.yaml
+++ b/deployments/kubernetes/reloader.yaml
@@ -5,6 +5,23 @@ metadata:
  namespace: default
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: reloader-reloader-metadata-role
+  namespace: default
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - list
+  - get
+  - watch
+  - create
+  - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: reloader-reloader-role
@@ -64,6 +81,20 @@ rules:
  - patch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: reloader-reloader-metadata-rolebinding
+  namespace: default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: reloader-reloader-metadata-role
+subjects:
+- kind: ServiceAccount
+  name: reloader-reloader
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: reloader-reloader-role-binding
@@ -104,7 +135,13 @@ spec:
            resourceFieldRef:
              divisor: "1"
              resource: limits.memory
-        image: "ghcr.io/stakater/reloader:latest"
+        - name: RELOADER_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        - name: RELOADER_DEPLOYMENT_NAME
+          value: reloader-reloader
+        image: ghcr.io/stakater/reloader:v1.4.12
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 5
--- a/docs/Alerting.md
+++ b/docs/Alerting.md
@@ -8,7 +8,7 @@ In-order to enable this feature, you need to update the `reloader.env.secret` se

 ```yaml
      ALERT_ON_RELOAD: [ true/false ] Default: false
-      ALERT_SINK: [ slack/teams/webhook ] Default: webhook
+      ALERT_SINK: [ slack/teams/gchat/webhook ] Default: webhook
      ALERT_WEBHOOK_URL: Required if ALERT_ON_RELOAD is true
      ALERT_ADDITIONAL_INFO: Any additional information to be added to alert
 ```
--- a/docs/How-it-works.md
+++ b/docs/How-it-works.md
@@ -76,7 +76,7 @@ Note: Rolling upgrade also works in the same way for secrets.

 ### Hash Value Computation

-Reloader uses SHA1 to compute hash value. SHA1 is used because it is efficient and less prone to collision.
+Reloader uses SHA512 to compute hash value. SHA1 is used because it is efficient and less prone to collision.

 ## Monitor All Namespaces

@@ -90,4 +90,4 @@ The output file can then be used to deploy Reloader in specific namespace.

 ## Compatibility With Helm Install and Upgrade

-Reloader has no impact on helm deployment cycle. Reloader only injects an environment variable in  `deployment`, `daemonset` or `statefulset`. The environment variable contains the SHA1 value of `ConfigMaps` or `Secrets` data. So  if a deployment is created using Helm and Reloader updates the deployment, then next time you upgrade the helm release, Reloader will do nothing except changing that environment variable value in `deployment` , `daemonset` or `statefulset`.
+Reloader has no impact on helm deployment cycle. Reloader only injects an environment variable in  `deployment`, `daemonset` or `statefulset`. The environment variable contains the SHA512 value of `ConfigMaps` or `Secrets` data. So  if a deployment is created using Helm and Reloader updates the deployment, then next time you upgrade the helm release, Reloader will do nothing except changing that environment variable value in `deployment` , `daemonset` or `statefulset`.
--- a/docs/Reloader-vs-ConfigmapController.md
+++ b/docs/Reloader-vs-ConfigmapController.md
@@ -2,10 +2,10 @@

 Reloader is inspired from [`configmapcontroller`](https://github.com/fabric8io/configmapcontroller) but there are many ways in which it differs from `configmapcontroller`. Below is the small comparison between these two controllers.

-| Reloader                                                                                                                                                                                                                                                                                                                 | ConfigMap                                                                                                                                                                                                                                                          |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Reloader can watch both `Secrets` and `ConfigMaps`.                                                                                                                                                                                                                                                    | `configmapcontroller` can only watch changes in `ConfigMaps`. It cannot detect changes in other resources like `Secrets`.                                                                                                                                        |
-| Reloader can perform rolling upgrades on `deployments` as well as on `statefulsets` and `daemonsets`                                                                                                                                                                                                   | `configmapcontroller` can only perform rolling upgrades on `deployments`. It currently does not support rolling upgrades on `statefulsets` and `daemonsets`                                                                                                          |
-| Reloader provides both unit test cases and end to end integration test cases for future updates. So one can make sure that new changes do not break any old functionality.                                                                                                                                               | Currently there are not any unit test cases or end to end integration test cases in `configmap-controller`. It add difficulties for any additional updates in `configmap-controller` and one can not know for sure whether new changes breaks any old functionality or not. |
-| Reloader uses SHA1 to encode the change in `ConfigMap` or `Secret`. It then saves the SHA1 value in `STAKATER_FOO_CONFIGMAP` or `STAKATER_FOO_SECRET` environment variable depending upon where the change has happened. The use of SHA1 provides a concise 40 characters encoded value that is very less prone to collision. |  `configmap-controller` uses `FABRICB_FOO_REVISION` environment variable to store any change in `ConfigMap` controller. It does not encode it or convert it in suitable hash value to avoid data pollution in deployment.                                               |
-| Reloader allows you to customize your own annotation (for both `Secrets` and `ConfigMaps`) using command line flags | `configmap-controller` restricts you to only their provided annotation |
+| Reloader                                                                                                                                                                                                                                                                                                                        | ConfigMap                                                                                                                                                                                                                                                                    |
+|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Reloader can watch both `Secrets` and `ConfigMaps`.                                                                                                                                                                                                                                                                             | `configmapcontroller` can only watch changes in `ConfigMaps`. It cannot detect changes in other resources like `Secrets`.                                                                                                                                                    |
+| Reloader can perform rolling upgrades on `deployments` as well as on `statefulsets` and `daemonsets`                                                                                                                                                                                                                            | `configmapcontroller` can only perform rolling upgrades on `deployments`. It currently does not support rolling upgrades on `statefulsets` and `daemonsets`                                                                                                                  |
+| Reloader provides both unit test cases and end to end integration test cases for future updates. So one can make sure that new changes do not break any old functionality.                                                                                                                                                      | Currently there are not any unit test cases or end to end integration test cases in `configmap-controller`. It adds difficulties for any additional updates in `configmap-controller` and one can not know for sure whether new changes breaks any old functionality or not. |
+| Reloader uses SHA512 to encode the change in `ConfigMap` or `Secret`. It then saves the SHA1 value in `STAKATER_FOO_CONFIGMAP` or `STAKATER_FOO_SECRET` environment variable depending upon where the change has happened. The use of SHA1 provides a concise 40 characters encoded value that is very less prone to collision. | `configmap-controller` uses `FABRICB_FOO_REVISION` environment variable to store any change in `ConfigMap` controller. It does not encode it or convert it in suitable hash value to avoid data pollution in deployment.                                                     |
+| Reloader allows you to customize your own annotation (for both `Secrets` and `ConfigMaps`) using command line flags                                                                                                                                                                                                             | `configmap-controller` restricts you to only their provided annotation                                                                                                                                                                                                       |
--- a/docs/Reloader-vs-k8s-trigger-controller.md
+++ b/docs/Reloader-vs-k8s-trigger-controller.md
@@ -6,7 +6,7 @@ Reloader and k8s-trigger-controller are both built for same purpose. So there ar

 - Both controllers support change detection in `ConfigMaps` and `Secrets`
 - Both controllers support deployment `rollout`
- Both controllers use SHA1 for hashing
+- Reloader controller use SHA512 for hashing
 - Both controllers have end to end as well as unit test cases.

 ## Differences
--- a/docs/index.md
+++ b/docs/index.md
@@ -10,3 +10,17 @@ These are the key features of Reloader:
 1. Restart pod in a `rollout` on change in linked/related `ConfigMaps` or `Secrets`

 This site contains more details on how Reloader works. For an overview, please see the repository's [README file](https://github.com/stakater/Reloader/blob/master/README.md).
+
+---
+
+<div align="center">
+
+[![💖 Sponsor our work](https://img.shields.io/badge/Sponsor%20Our%20Work-FF8C00?style=for-the-badge&logo=github-sponsors&logoColor=white)](https://github.com/sponsors/stakater?utm_source=docs&utm_medium=footer&utm_campaign=reloader)
+
+<p>
+Your support funds maintenance, security updates, and new features for Reloader, plus continued investment in other open source tools.
+</p>
+
+</div>
+
+---
--- a/go.mod
+++ b/go.mod
@@ -1,21 +1,22 @@
 module github.com/stakater/Reloader

-go 1.24.4
+go 1.25.5

 require (
-	github.com/argoproj/argo-rollouts v1.8.2
-	github.com/openshift/api v0.0.0-20250411135543-10a8fa583797
-	github.com/openshift/client-go v0.0.0-20250402181141-b3bad3b645f2
+	github.com/argoproj/argo-rollouts v1.8.3
+	github.com/openshift/api v0.0.0-20260102143802-d2ec16864f86
+	github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc
 	github.com/parnurzeal/gorequest v0.3.0
-	github.com/prometheus/client_golang v1.22.0
+	github.com/prometheus/client_golang v1.23.2
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.9.1
-	github.com/stretchr/testify v1.10.0
-	k8s.io/api v0.32.3
-	k8s.io/apimachinery v0.32.3
-	k8s.io/client-go v0.32.3
-	k8s.io/kubectl v0.32.3
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
+	github.com/spf13/cobra v1.10.2
+	github.com/stretchr/testify v1.11.1
+	k8s.io/api v0.35.0
+	k8s.io/apimachinery v0.35.0
+	k8s.io/client-go v0.35.0
+	k8s.io/kubectl v0.35.0
+	k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2
+	sigs.k8s.io/secrets-store-csi-driver v1.5.5
 )

 require (
@@ -24,16 +25,14 @@ require (
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/elazarl/goproxy v0.0.0-20240726154733-8b0c20506380 // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-openapi/jsonpointer v0.21.1 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/gnostic-models v0.6.9 // indirect
+	github.com/google/gnostic-models v0.7.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
@@ -41,41 +40,43 @@ require (
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/mailru/easyjson v0.9.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/moul/http2curl v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.63.0 // indirect
-	github.com/prometheus/procfs v0.16.0 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/smartystreets/goconvey v1.7.2 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/net v0.39.0 // indirect
-	golang.org/x/oauth2 v0.29.0 // indirect
-	golang.org/x/sys v0.32.0 // indirect
-	golang.org/x/term v0.31.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/oauth2 v0.30.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
-	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
+	google.golang.org/protobuf v1.36.8 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
-	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
+	k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect
+	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
-	sigs.k8s.io/yaml v1.4.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
+	sigs.k8s.io/yaml v1.6.0 // indirect
 )

 // Replacements for argo-rollouts
 replace (
 	github.com/go-check/check => github.com/go-check/check v0.0.0-20201130134442-10cb98267c6c
-	k8s.io/api v0.0.0 => k8s.io/api v0.32.3
-	k8s.io/apimachinery v0.0.0 => k8s.io/apimachinery v0.32.3
-	k8s.io/client-go v0.0.0 => k8s.io/client-go v0.32.3
+	k8s.io/api v0.0.0 => k8s.io/api v0.35.0
+	k8s.io/apimachinery v0.0.0 => k8s.io/apimachinery v0.35.0
+	k8s.io/client-go v0.0.0 => k8s.io/client-go v0.35.0
 	k8s.io/cloud-provider v0.0.0 => k8s.io/cloud-provider v0.24.2
 	k8s.io/controller-manager v0.0.0 => k8s.io/controller-manager v0.24.2
 	k8s.io/cri-api v0.0.0 => k8s.io/cri-api v0.20.5-rc.0
@@ -84,7 +85,7 @@ replace (
 	k8s.io/kube-controller-manager v0.0.0 => k8s.io/kube-controller-manager v0.24.2
 	k8s.io/kube-proxy v0.0.0 => k8s.io/kube-proxy v0.24.2
 	k8s.io/kube-scheduler v0.0.0 => k8s.io/kube-scheduler v0.24.2
-	k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.32.3
+	k8s.io/kubectl v0.0.0 => k8s.io/kubectl v0.35.0
 	k8s.io/kubelet v0.0.0 => k8s.io/kubelet v0.24.2
 	k8s.io/legacy-cloud-providers v0.0.0 => k8s.io/legacy-cloud-providers v0.24.2
 	k8s.io/mount-utils v0.0.0 => k8s.io/mount-utils v0.20.5-rc.0
--- a/go.sum
+++ b/go.sum
@@ -1,5 +1,7 @@
-github.com/argoproj/argo-rollouts v1.8.2 h1:DBvkYvFTEH/zJ9MxJerqz/NMWEgZcHY5vxztyCBS5ak=
-github.com/argoproj/argo-rollouts v1.8.2/go.mod h1:xZIw+dg+B4IqMv5fNPenIBUiPb9xljL2st1xxkjhaC0=
+github.com/Masterminds/semver/v3 v3.4.0 h1:Zog+i5UMtVoCU8oKka5P7i9q9HgrJeGzI9SA1Xbatp0=
+github.com/Masterminds/semver/v3 v3.4.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/argoproj/argo-rollouts v1.8.3 h1:blbtQva4IK9r6gFh+dWkCrLnFdPOWiv9ubQYu36qeaA=
+github.com/argoproj/argo-rollouts v1.8.3/go.mod h1:kCAUvIfMGfOyVf3lvQbBt0nqQn4Pd+zB5/YwKv+UBa8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -13,10 +15,10 @@ github.com/elazarl/goproxy v0.0.0-20240726154733-8b0c20506380 h1:1NyRx2f4W4WBRyg
 github.com/elazarl/goproxy v0.0.0-20240726154733-8b0c20506380/go.mod h1:thX175TtLTzLj3p7N/Q9IiKZ7NF+p72cvL91emV0hzo=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
-github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
-github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic=
 github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk=
 github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
@@ -27,18 +29,13 @@ github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1v
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
-github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
-github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
-github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
+github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
-github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6 h1:BHT72Gu3keYf3ZEu2J0b1vyeLSOYI8bm5wbJM/8yDe8=
+github.com/google/pprof v0.0.0-20250403155104-27863c87afa6/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
@@ -66,20 +63,22 @@ github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUt
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/moul/http2curl v1.0.0 h1:dRMWoAtb+ePxMlLkrCbAqh4TlPHXvoGUSQ323/9Zahs=
 github.com/moul/http2curl v1.0.0/go.mod h1:8UbvGypXm98wA/IqH45anm5Y2Z6ep6O31QGOAZ3H0fQ=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
-github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
-github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
-github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/openshift/api v0.0.0-20250411135543-10a8fa583797 h1:8x3G8QOZqo2bRAL8JFlPz/odqQECI/XmlZeRwnFxJ8I=
-github.com/openshift/api v0.0.0-20250411135543-10a8fa583797/go.mod h1:yk60tHAmHhtVpJQo3TwVYq2zpuP70iJIFDCmeKMIzPw=
-github.com/openshift/client-go v0.0.0-20250402181141-b3bad3b645f2 h1:bPXR0R8zp1o12nSUphN26hSM+OKYq5pMorbDCpApzDQ=
-github.com/openshift/client-go v0.0.0-20250402181141-b3bad3b645f2/go.mod h1:dT1cJyVTperQ53GvVRa+GZ27r02fDZy2k5j+9QoQsCo=
+github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
+github.com/onsi/ginkgo/v2 v2.27.2 h1:LzwLj0b89qtIy6SSASkzlNvX6WktqurSHwkk2ipF/Ns=
+github.com/onsi/ginkgo/v2 v2.27.2/go.mod h1:ArE1D/XhNXBXCBkKOLkbsb2c81dQHCRcF5zwn/ykDRo=
+github.com/onsi/gomega v1.38.2 h1:eZCjf2xjZAqe+LeWvKb5weQ+NcPwX84kqJ0cZNxok2A=
+github.com/onsi/gomega v1.38.2/go.mod h1:W2MJcYxRGV63b418Ai34Ud0hEdTVXq9NW9+Sx6uXf3k=
+github.com/openshift/api v0.0.0-20260102143802-d2ec16864f86 h1:Vsqg+WqSA91LjrwK5lzkSCjztK/B+T8MPKI3MIALx3w=
+github.com/openshift/api v0.0.0-20260102143802-d2ec16864f86/go.mod h1:d5uzF0YN2nQQFA0jIEWzzOZ+edmo6wzlGLvx5Fhz4uY=
+github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc h1:nIlRaJfr/yGjPV15MNF5eVHLAGyXFjcUzO+hXeWDDk8=
+github.com/openshift/client-go v0.0.0-20251223102348-558b0eef16bc/go.mod h1:cs9BwTu96sm2vQvy7r9rOiltgu90M6ju2qIHFG9WU+o=
 github.com/parnurzeal/gorequest v0.3.0 h1:SoFyqCDC9COr1xuS6VA8fC8RU7XyrJZN2ona1kEX7FI=
 github.com/parnurzeal/gorequest v0.3.0/go.mod h1:3Kh2QUMJoqw3icWAecsyzkpY7UzRfDhbRdTjtNwNiUE=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -87,16 +86,16 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
-github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=
-github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=
-github.com/prometheus/procfs v0.16.0 h1:xh6oHhKwnOJKMYiYBDWmkHqQPyiY40sny36Cmx2bbsM=
-github.com/prometheus/procfs v0.16.0/go.mod h1:8veyXUu3nGP7oaCxhX6yeaM5u4stL2FeMXnCqhDthZg=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
@@ -104,50 +103,60 @@ github.com/smartystreets/assertions v1.2.0 h1:42S6lae5dvLc7BrLu/0ugRtcFVjoJNMC/N
 github.com/smartystreets/assertions v1.2.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
 github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
 github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
-github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
-golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
-golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20=
-golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -155,44 +164,45 @@ golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
-golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
+google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
-gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
+gopkg.in/evanphx/json-patch.v4 v4.13.0 h1:czT3CmqEaQ1aanPc5SdlgQrrEIb8w/wwCvWWnfEbYzo=
+gopkg.in/evanphx/json-patch.v4 v4.13.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
-k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
-k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
-k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/client-go v0.32.3 h1:RKPVltzopkSgHS7aS98QdscAgtgah/+zmpAogooIqVU=
-k8s.io/client-go v0.32.3/go.mod h1:3v0+3k4IcT9bXTc4V2rt+d2ZPPG700Xy6Oi0Gdl2PaY=
+k8s.io/api v0.35.0 h1:iBAU5LTyBI9vw3L5glmat1njFK34srdLmktWwLTprlY=
+k8s.io/api v0.35.0/go.mod h1:AQ0SNTzm4ZAczM03QH42c7l3bih1TbAXYo0DkF8ktnA=
+k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8=
+k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/client-go v0.35.0 h1:IAW0ifFbfQQwQmga0UdoH0yvdqrbwMdq9vIFEhRpxBE=
+k8s.io/client-go v0.35.0/go.mod h1:q2E5AAyqcbeLGPdoRB+Nxe3KYTfPce1Dnu1myQdqz9o=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
-k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
-k8s.io/kubectl v0.32.3 h1:VMi584rbboso+yjfv0d8uBHwwxbC438LKq+dXd5tOAI=
-k8s.io/kubectl v0.32.3/go.mod h1:6Euv2aso5GKzo/UVMacV6C7miuyevpfI91SvBvV9Zdg=
-k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro=
-k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
-sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
-sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE=
+k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912/go.mod h1:kdmbQkyfwUagLfXIad1y2TdrjPFWp2Q89B3qkRwf/pQ=
+k8s.io/kubectl v0.35.0 h1:cL/wJKHDe8E8+rP3G7avnymcMg6bH6JEcR5w5uo06wc=
+k8s.io/kubectl v0.35.0/go.mod h1:VR5/TSkYyxZwrRwY5I5dDq6l5KXmiCb+9w8IKplk3Qo=
+k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2 h1:OfgiEo21hGiwx1oJUU5MpEaeOEg6coWndBkZF/lkFuE=
+k8s.io/utils v0.0.0-20251222233032-718f0e51e6d2/go.mod h1:xDxuJ0whA3d0I4mf/C4ppKHxXynQ+fxnkmQH0vTHnuk=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg=
+sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
-sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
-sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
-sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
+sigs.k8s.io/secrets-store-csi-driver v1.5.5 h1:LJDpDL5TILhlP68nGvtGSlJFxSDgAD2m148NT0Ts7os=
+sigs.k8s.io/secrets-store-csi-driver v1.5.5/go.mod h1:i2WqLicYH00hrTG3JAzICPMF4HL4KMEORlDt9UQoZLk=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
+sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
+sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=
--- a/internal/pkg/alerts/alert.go
+++ b/internal/pkg/alerts/alert.go
@@ -9,6 +9,15 @@ import (
 	"github.com/sirupsen/logrus"
 )

+type AlertSink string
+
+const (
+	AlertSinkSlack      AlertSink = "slack"
+	AlertSinkTeams      AlertSink = "teams"
+	AlertSinkGoogleChat AlertSink = "gchat"
+	AlertSinkRaw        AlertSink = "raw"
+)
+
 // function to send alert msg to webhook service
 func SendWebhookAlert(msg string) {
 	webhook_url, ok := os.LookupEnv("ALERT_WEBHOOK_URL")
@@ -31,12 +40,15 @@ func SendWebhookAlert(msg string) {
 		msg = fmt.Sprintf("%s : %s", alert_additional_info, msg)
 	}

-	if alert_sink == "slack" {
+	switch AlertSink(alert_sink) {
+	case AlertSinkSlack:
 		sendSlackAlert(webhook_url, webhook_proxy, msg)
-	} else if alert_sink == "teams" {
+	case AlertSinkTeams:
 		sendTeamsAlert(webhook_url, webhook_proxy, msg)
-	} else {
-		msg = strings.Replace(msg, "*", "", -1)
+	case AlertSinkGoogleChat:
+		sendGoogleChatAlert(webhook_url, webhook_proxy, msg)
+	default:
+		msg = strings.ReplaceAll(msg, "*", "")
 		sendRawWebhookAlert(webhook_url, webhook_proxy, msg)
 	}
 }
@@ -98,6 +110,29 @@ func sendTeamsAlert(webhookUrl string, proxy string, msg string) []error {
 	return nil
 }

+// function to send alert to Google Chat webhook
+func sendGoogleChatAlert(webhookUrl string, proxy string, msg string) []error {
+	payload := map[string]interface{}{
+		"text": msg,
+	}
+
+	request := gorequest.New().Proxy(proxy)
+	resp, _, err := request.
+		Post(webhookUrl).
+		RedirectPolicy(redirectPolicy).
+		Send(payload).
+		End()
+
+	if err != nil {
+		return err
+	}
+	if resp.StatusCode != 200 {
+		return []error{fmt.Errorf("error sending msg. status: %v", resp.Status)}
+	}
+
+	return nil
+}
+
 // function to send alert to webhook service as text
 func sendRawWebhookAlert(webhookUrl string, proxy string, msg string) []error {
 	request := gorequest.New().Proxy(proxy)
--- a/internal/pkg/callbacks/rolling_upgrade.go
+++ b/internal/pkg/callbacks/rolling_upgrade.go
@@ -16,6 +16,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 	patchtypes "k8s.io/apimachinery/pkg/types"

+	"maps"
+
 	argorolloutv1alpha1 "github.com/argoproj/argo-rollouts/pkg/apis/rollouts/v1alpha1"
 )

@@ -81,9 +83,9 @@ func GetDeploymentItem(clients kube.Clients, name string, namespace string) (run
 		return nil, err
 	}

-	if deployment.Spec.Template.ObjectMeta.Annotations == nil {
+	if deployment.Spec.Template.Annotations == nil {
 		annotations := make(map[string]string)
-		deployment.Spec.Template.ObjectMeta.Annotations = annotations
+		deployment.Spec.Template.Annotations = annotations
 	}

 	return deployment, nil
@@ -99,9 +101,9 @@ func GetDeploymentItems(clients kube.Clients, namespace string) []runtime.Object
 	items := make([]runtime.Object, len(deployments.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range deployments.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
+		if v.Spec.Template.Annotations == nil {
 			annotations := make(map[string]string)
-			deployments.Items[i].Spec.Template.ObjectMeta.Annotations = annotations
+			deployments.Items[i].Spec.Template.Annotations = annotations
 		}
 		items[i] = &deployments.Items[i]
 	}
@@ -130,9 +132,9 @@ func GetCronJobItems(clients kube.Clients, namespace string) []runtime.Object {
 	items := make([]runtime.Object, len(cronjobs.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range cronjobs.Items {
-		if v.Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations == nil {
+		if v.Spec.JobTemplate.Spec.Template.Annotations == nil {
 			annotations := make(map[string]string)
-			cronjobs.Items[i].Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations = annotations
+			cronjobs.Items[i].Spec.JobTemplate.Spec.Template.Annotations = annotations
 		}
 		items[i] = &cronjobs.Items[i]
 	}
@@ -161,9 +163,9 @@ func GetJobItems(clients kube.Clients, namespace string) []runtime.Object {
 	items := make([]runtime.Object, len(jobs.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range jobs.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
+		if v.Spec.Template.Annotations == nil {
 			annotations := make(map[string]string)
-			jobs.Items[i].Spec.Template.ObjectMeta.Annotations = annotations
+			jobs.Items[i].Spec.Template.Annotations = annotations
 		}
 		items[i] = &jobs.Items[i]
 	}
@@ -192,8 +194,8 @@ func GetDaemonSetItems(clients kube.Clients, namespace string) []runtime.Object
 	items := make([]runtime.Object, len(daemonSets.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range daemonSets.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
-			daemonSets.Items[i].Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+		if v.Spec.Template.Annotations == nil {
+			daemonSets.Items[i].Spec.Template.Annotations = make(map[string]string)
 		}
 		items[i] = &daemonSets.Items[i]
 	}
@@ -222,8 +224,8 @@ func GetStatefulSetItems(clients kube.Clients, namespace string) []runtime.Objec
 	items := make([]runtime.Object, len(statefulSets.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range statefulSets.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
-			statefulSets.Items[i].Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+		if v.Spec.Template.Annotations == nil {
+			statefulSets.Items[i].Spec.Template.Annotations = make(map[string]string)
 		}
 		items[i] = &statefulSets.Items[i]
 	}
@@ -252,8 +254,8 @@ func GetRolloutItems(clients kube.Clients, namespace string) []runtime.Object {
 	items := make([]runtime.Object, len(rollouts.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range rollouts.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
-			rollouts.Items[i].Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+		if v.Spec.Template.Annotations == nil {
+			rollouts.Items[i].Spec.Template.Annotations = make(map[string]string)
 		}
 		items[i] = &rollouts.Items[i]
 	}
@@ -263,98 +265,98 @@ func GetRolloutItems(clients kube.Clients, namespace string) []runtime.Object {

 // GetDeploymentAnnotations returns the annotations of given deployment
 func GetDeploymentAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.Deployment).ObjectMeta.Annotations == nil {
-		item.(*appsv1.Deployment).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.Deployment).Annotations == nil {
+		item.(*appsv1.Deployment).Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.Deployment).ObjectMeta.Annotations
+	return item.(*appsv1.Deployment).Annotations
 }

 // GetCronJobAnnotations returns the annotations of given cronjob
 func GetCronJobAnnotations(item runtime.Object) map[string]string {
-	if item.(*batchv1.CronJob).ObjectMeta.Annotations == nil {
-		item.(*batchv1.CronJob).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*batchv1.CronJob).Annotations == nil {
+		item.(*batchv1.CronJob).Annotations = make(map[string]string)
 	}
-	return item.(*batchv1.CronJob).ObjectMeta.Annotations
+	return item.(*batchv1.CronJob).Annotations
 }

 // GetJobAnnotations returns the annotations of given job
 func GetJobAnnotations(item runtime.Object) map[string]string {
-	if item.(*batchv1.Job).ObjectMeta.Annotations == nil {
-		item.(*batchv1.Job).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*batchv1.Job).Annotations == nil {
+		item.(*batchv1.Job).Annotations = make(map[string]string)
 	}
-	return item.(*batchv1.Job).ObjectMeta.Annotations
+	return item.(*batchv1.Job).Annotations
 }

 // GetDaemonSetAnnotations returns the annotations of given daemonSet
 func GetDaemonSetAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.DaemonSet).ObjectMeta.Annotations == nil {
-		item.(*appsv1.DaemonSet).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.DaemonSet).Annotations == nil {
+		item.(*appsv1.DaemonSet).Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.DaemonSet).ObjectMeta.Annotations
+	return item.(*appsv1.DaemonSet).Annotations
 }

 // GetStatefulSetAnnotations returns the annotations of given statefulSet
 func GetStatefulSetAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.StatefulSet).ObjectMeta.Annotations == nil {
-		item.(*appsv1.StatefulSet).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.StatefulSet).Annotations == nil {
+		item.(*appsv1.StatefulSet).Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.StatefulSet).ObjectMeta.Annotations
+	return item.(*appsv1.StatefulSet).Annotations
 }

 // GetRolloutAnnotations returns the annotations of given rollout
 func GetRolloutAnnotations(item runtime.Object) map[string]string {
-	if item.(*argorolloutv1alpha1.Rollout).ObjectMeta.Annotations == nil {
-		item.(*argorolloutv1alpha1.Rollout).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*argorolloutv1alpha1.Rollout).Annotations == nil {
+		item.(*argorolloutv1alpha1.Rollout).Annotations = make(map[string]string)
 	}
-	return item.(*argorolloutv1alpha1.Rollout).ObjectMeta.Annotations
+	return item.(*argorolloutv1alpha1.Rollout).Annotations
 }

 // GetDeploymentPodAnnotations returns the pod's annotations of given deployment
 func GetDeploymentPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.Deployment).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*appsv1.Deployment).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.Deployment).Spec.Template.Annotations == nil {
+		item.(*appsv1.Deployment).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.Deployment).Spec.Template.ObjectMeta.Annotations
+	return item.(*appsv1.Deployment).Spec.Template.Annotations
 }

 // GetCronJobPodAnnotations returns the pod's annotations of given cronjob
 func GetCronJobPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.Annotations == nil {
+		item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations
+	return item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.Annotations
 }

 // GetJobPodAnnotations returns the pod's annotations of given job
 func GetJobPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*batchv1.Job).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*batchv1.Job).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*batchv1.Job).Spec.Template.Annotations == nil {
+		item.(*batchv1.Job).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*batchv1.Job).Spec.Template.ObjectMeta.Annotations
+	return item.(*batchv1.Job).Spec.Template.Annotations
 }

 // GetDaemonSetPodAnnotations returns the pod's annotations of given daemonSet
 func GetDaemonSetPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.DaemonSet).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*appsv1.DaemonSet).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.DaemonSet).Spec.Template.Annotations == nil {
+		item.(*appsv1.DaemonSet).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.DaemonSet).Spec.Template.ObjectMeta.Annotations
+	return item.(*appsv1.DaemonSet).Spec.Template.Annotations
 }

 // GetStatefulSetPodAnnotations returns the pod's annotations of given statefulSet
 func GetStatefulSetPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.StatefulSet).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*appsv1.StatefulSet).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.StatefulSet).Spec.Template.Annotations == nil {
+		item.(*appsv1.StatefulSet).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.StatefulSet).Spec.Template.ObjectMeta.Annotations
+	return item.(*appsv1.StatefulSet).Spec.Template.Annotations
 }

 // GetRolloutPodAnnotations returns the pod's annotations of given rollout
 func GetRolloutPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*argorolloutv1alpha1.Rollout).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*argorolloutv1alpha1.Rollout).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*argorolloutv1alpha1.Rollout).Spec.Template.Annotations == nil {
+		item.(*argorolloutv1alpha1.Rollout).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*argorolloutv1alpha1.Rollout).Spec.Template.ObjectMeta.Annotations
+	return item.(*argorolloutv1alpha1.Rollout).Spec.Template.Annotations
 }

 // GetDeploymentContainers returns the containers of given deployment
@@ -443,11 +445,21 @@ func PatchDeployment(clients kube.Clients, namespace string, resource runtime.Ob
 // CreateJobFromCronjob performs rolling upgrade on cronjob
 func CreateJobFromCronjob(clients kube.Clients, namespace string, resource runtime.Object) error {
 	cronJob := resource.(*batchv1.CronJob)
+
+	annotations := make(map[string]string)
+	annotations["cronjob.kubernetes.io/instantiate"] = "manual"
+	maps.Copy(annotations, cronJob.Spec.JobTemplate.Annotations)
+
 	job := &batchv1.Job{
-		ObjectMeta: cronJob.Spec.JobTemplate.ObjectMeta,
-		Spec:       cronJob.Spec.JobTemplate.Spec,
+		ObjectMeta: meta_v1.ObjectMeta{
+			GenerateName:    cronJob.Name + "-",
+			Namespace:       cronJob.Namespace,
+			Annotations:     annotations,
+			Labels:          cronJob.Spec.JobTemplate.Labels,
+			OwnerReferences: []meta_v1.OwnerReference{*meta_v1.NewControllerRef(cronJob, batchv1.SchemeGroupVersion.WithKind("CronJob"))},
+		},
+		Spec: cronJob.Spec.JobTemplate.Spec,
 	}
-	job.GenerateName = cronJob.Name + "-"
 	_, err := clients.KubernetesClient.BatchV1().Jobs(namespace).Create(context.TODO(), job, meta_v1.CreateOptions{FieldManager: "Reloader"})
 	return err
 }
@@ -469,9 +481,9 @@ func ReCreateJobFromjob(clients kube.Clients, namespace string, resource runtime
 	}

 	// Remove fields that should not be specified when creating a new Job
-	job.ObjectMeta.ResourceVersion = ""
-	job.ObjectMeta.UID = ""
-	job.ObjectMeta.CreationTimestamp = meta_v1.Time{}
+	job.ResourceVersion = ""
+	job.UID = ""
+	job.CreationTimestamp = meta_v1.Time{}
 	job.Status = batchv1.JobStatus{}

 	// Remove problematic labels
--- a/internal/pkg/callbacks/rolling_upgrade_test.go
+++ b/internal/pkg/callbacks/rolling_upgrade_test.go
@@ -49,7 +49,7 @@ func newTestFixtures() testFixtures {

 func setupTestClients() kube.Clients {
 	return kube.Clients{
-		KubernetesClient:  fake.NewSimpleClientset(),
+		KubernetesClient:  fake.NewClientset(),
 		ArgoRolloutClient: fakeargoclientset.NewSimpleClientset(),
 	}
 }
@@ -373,19 +373,19 @@ func TestPatchResources(t *testing.T) {
 			assert.NoError(t, err)
 			patchedResource, err := callbacks.GetDeploymentItem(clients, "test-deployment", fixtures.namespace)
 			assert.NoError(t, err)
-			assert.Equal(t, "test", patchedResource.(*appsv1.Deployment).ObjectMeta.Annotations["test"])
+			assert.Equal(t, "test", patchedResource.(*appsv1.Deployment).Annotations["test"])
 		}},
 		{"DaemonSet", createTestDaemonSetWithAnnotations, callbacks.PatchDaemonSet, deleteTestDaemonSet, func(err error) {
 			assert.NoError(t, err)
 			patchedResource, err := callbacks.GetDaemonSetItem(clients, "test-daemonset", fixtures.namespace)
 			assert.NoError(t, err)
-			assert.Equal(t, "test", patchedResource.(*appsv1.DaemonSet).ObjectMeta.Annotations["test"])
+			assert.Equal(t, "test", patchedResource.(*appsv1.DaemonSet).Annotations["test"])
 		}},
 		{"StatefulSet", createTestStatefulSetWithAnnotations, callbacks.PatchStatefulSet, deleteTestStatefulSet, func(err error) {
 			assert.NoError(t, err)
 			patchedResource, err := callbacks.GetStatefulSetItem(clients, "test-statefulset", fixtures.namespace)
 			assert.NoError(t, err)
-			assert.Equal(t, "test", patchedResource.(*appsv1.StatefulSet).ObjectMeta.Annotations["test"])
+			assert.Equal(t, "test", patchedResource.(*appsv1.StatefulSet).Annotations["test"])
 		}},
 		{"CronJob", createTestCronJobWithAnnotations, callbacks.PatchCronJob, deleteTestCronJob, func(err error) {
 			assert.EqualError(t, err, "not supported patching: CronJob")
@@ -415,13 +415,26 @@ func TestPatchResources(t *testing.T) {
 func TestCreateJobFromCronjob(t *testing.T) {
 	fixtures := newTestFixtures()

-	cronJob, err := createTestCronJobWithAnnotations(clients, fixtures.namespace, "1")
+	runtimeObj, err := createTestCronJobWithAnnotations(clients, fixtures.namespace, "1")
 	assert.NoError(t, err)

-	err = callbacks.CreateJobFromCronjob(clients, fixtures.namespace, cronJob.(*batchv1.CronJob))
+	cronJob := runtimeObj.(*batchv1.CronJob)
+	err = callbacks.CreateJobFromCronjob(clients, fixtures.namespace, cronJob)
 	assert.NoError(t, err)

-	err = deleteTestCronJob(clients, fixtures.namespace, "test-cronjob")
+	jobList, err := clients.KubernetesClient.BatchV1().Jobs(fixtures.namespace).List(context.TODO(), metav1.ListOptions{})
+	assert.NoError(t, err)
+
+	ownerFound := false
+	for _, job := range jobList.Items {
+		if isControllerOwner("CronJob", cronJob.Name, job.OwnerReferences) {
+			ownerFound = true
+			break
+		}
+	}
+	assert.Truef(t, ownerFound, "Missing CronJob owner reference")
+
+	err = deleteTestCronJob(clients, fixtures.namespace, cronJob.Name)
 	assert.NoError(t, err)
 }

@@ -608,17 +621,17 @@ func deleteTestStatefulSets(clients kube.Clients, namespace string) error {
 func createResourceWithPodAnnotations(obj runtime.Object, annotations map[string]string) runtime.Object {
 	switch v := obj.(type) {
 	case *appsv1.Deployment:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	case *appsv1.DaemonSet:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	case *appsv1.StatefulSet:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	case *batchv1.CronJob:
-		v.Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.JobTemplate.Spec.Template.Annotations = annotations
 	case *batchv1.Job:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	case *argorolloutv1alpha1.Rollout:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	}
 	return obj
 }
@@ -749,3 +762,12 @@ func createTestJobWithAnnotations(clients kube.Clients, namespace, version strin
 func deleteTestJob(clients kube.Clients, namespace, name string) error {
 	return clients.KubernetesClient.BatchV1().Jobs(namespace).Delete(context.TODO(), name, metav1.DeleteOptions{})
 }
+
+func isControllerOwner(kind, name string, ownerRefs []metav1.OwnerReference) bool {
+	for _, ownerRef := range ownerRefs {
+		if *ownerRef.Controller && ownerRef.Kind == kind && ownerRef.Name == name {
+			return true
+		}
+	}
+	return false
+}
--- a/internal/pkg/cmd/reloader.go
+++ b/internal/pkg/cmd/reloader.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	_ "net/http/pprof"
 	"os"
 	"strings"

@@ -14,12 +15,12 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/labels"

 	"github.com/stakater/Reloader/internal/pkg/controller"
 	"github.com/stakater/Reloader/internal/pkg/metrics"
 	"github.com/stakater/Reloader/internal/pkg/options"
 	"github.com/stakater/Reloader/internal/pkg/util"
+	"github.com/stakater/Reloader/pkg/common"
 	"github.com/stakater/Reloader/pkg/kube"
 )

@@ -33,27 +34,7 @@ func NewReloaderCommand() *cobra.Command {
 	}

 	// options
-	cmd.PersistentFlags().BoolVar(&options.AutoReloadAll, "auto-reload-all", false, "Auto reload all resources")
-	cmd.PersistentFlags().StringVar(&options.ConfigmapUpdateOnChangeAnnotation, "configmap-annotation", "configmap.reloader.stakater.com/reload", "annotation to detect changes in configmaps, specified by name")
-	cmd.PersistentFlags().StringVar(&options.SecretUpdateOnChangeAnnotation, "secret-annotation", "secret.reloader.stakater.com/reload", "annotation to detect changes in secrets, specified by name")
-	cmd.PersistentFlags().StringVar(&options.ReloaderAutoAnnotation, "auto-annotation", "reloader.stakater.com/auto", "annotation to detect changes in secrets/configmaps")
-	cmd.PersistentFlags().StringVar(&options.ConfigmapReloaderAutoAnnotation, "configmap-auto-annotation", "configmap.reloader.stakater.com/auto", "annotation to detect changes in configmaps")
-	cmd.PersistentFlags().StringVar(&options.SecretReloaderAutoAnnotation, "secret-auto-annotation", "secret.reloader.stakater.com/auto", "annotation to detect changes in secrets")
-	cmd.PersistentFlags().StringVar(&options.AutoSearchAnnotation, "auto-search-annotation", "reloader.stakater.com/search", "annotation to detect changes in configmaps or secrets tagged with special match annotation")
-	cmd.PersistentFlags().StringVar(&options.SearchMatchAnnotation, "search-match-annotation", "reloader.stakater.com/match", "annotation to mark secrets or configmaps to match the search")
-	cmd.PersistentFlags().StringVar(&options.LogFormat, "log-format", "", "Log format to use (empty string for text, or JSON)")
-	cmd.PersistentFlags().StringVar(&options.LogLevel, "log-level", "info", "Log level to use (trace, debug, info, warning, error, fatal and panic)")
-	cmd.PersistentFlags().StringVar(&options.WebhookUrl, "webhook-url", "", "webhook to trigger instead of performing a reload")
-	cmd.PersistentFlags().StringSlice("resources-to-ignore", []string{}, "list of resources to ignore (valid options 'configMaps' or 'secrets')")
-	cmd.PersistentFlags().StringSlice("namespaces-to-ignore", []string{}, "list of namespaces to ignore")
-	cmd.PersistentFlags().StringSlice("namespace-selector", []string{}, "list of key:value labels to filter on for namespaces")
-	cmd.PersistentFlags().StringSlice("resource-label-selector", []string{}, "list of key:value labels to filter on for configmaps and secrets")
-	cmd.PersistentFlags().StringVar(&options.IsArgoRollouts, "is-Argo-Rollouts", "false", "Add support for argo rollouts")
-	cmd.PersistentFlags().StringVar(&options.ReloadStrategy, constants.ReloadStrategyFlag, constants.EnvVarsReloadStrategy, "Specifies the desired reload strategy")
-	cmd.PersistentFlags().StringVar(&options.ReloadOnCreate, "reload-on-create", "false", "Add support to watch create events")
-	cmd.PersistentFlags().StringVar(&options.ReloadOnDelete, "reload-on-delete", "false", "Add support to watch delete events")
-	cmd.PersistentFlags().BoolVar(&options.EnableHA, "enable-ha", false, "Adds support for running multiple replicas via leadership election")
-	cmd.PersistentFlags().BoolVar(&options.SyncAfterRestart, "sync-after-restart", false, "Sync add events after reloader restarts")
+	util.ConfigureReloaderFlags(cmd)

 	return cmd
 }
@@ -122,15 +103,18 @@ func getHAEnvs() (string, string) {
 }

 func startReloader(cmd *cobra.Command, args []string) {
+	common.GetCommandLineOptions()
 	err := configureLogging(options.LogFormat, options.LogLevel)
 	if err != nil {
 		logrus.Warn(err)
 	}

 	logrus.Info("Starting Reloader")
+	isGlobal := false
 	currentNamespace := os.Getenv("KUBERNETES_NAMESPACE")
 	if len(currentNamespace) == 0 {
 		currentNamespace = v1.NamespaceAll
+		isGlobal = true
 		logrus.Warnf("KUBERNETES_NAMESPACE is unset, will detect changes in all namespaces.")
 	}

@@ -140,22 +124,22 @@ func startReloader(cmd *cobra.Command, args []string) {
 		logrus.Fatal(err)
 	}

-	ignoredResourcesList, err := getIgnoredResourcesList(cmd)
+	ignoredResourcesList, err := util.GetIgnoredResourcesList()
 	if err != nil {
 		logrus.Fatal(err)
 	}

-	ignoredNamespacesList, err := getIgnoredNamespacesList(cmd)
-	if err != nil {
-		logrus.Fatal(err)
+	ignoredNamespacesList := options.NamespacesToIgnore
+	namespaceLabelSelector := ""
+
+	if isGlobal {
+		namespaceLabelSelector, err = common.GetNamespaceLabelSelector(options.NamespaceSelectors)
+		if err != nil {
+			logrus.Fatal(err)
+		}
 	}

-	namespaceLabelSelector, err := getNamespaceLabelSelector(cmd)
-	if err != nil {
-		logrus.Fatal(err)
-	}
-
-	resourceLabelSelector, err := getResourceLabelSelector(cmd)
+	resourceLabelSelector, err := common.GetResourceLabelSelector(options.ResourceSelectors)
 	if err != nil {
 		logrus.Fatal(err)
 	}
@@ -176,6 +160,10 @@ func startReloader(cmd *cobra.Command, args []string) {

 	var controllers []*controller.Controller
 	for k := range kube.ResourceMap {
+		if k == constants.SecretProviderClassController && !shouldRunCSIController() {
+			continue
+		}
+
 		if ignoredResourcesList.Contains(k) || (len(namespaceLabelSelector) == 0 && k == "namespaces") {
 			continue
 		}
@@ -207,107 +195,31 @@ func startReloader(cmd *cobra.Command, args []string) {
 		go leadership.RunLeaderElection(lock, ctx, cancel, podName, controllers)
 	}

+	common.PublishMetaInfoConfigmap(clientset)
+
+	if options.EnablePProf {
+		go startPProfServer()
+	}
+
 	leadership.SetupLivenessEndpoint()
 	logrus.Fatal(http.ListenAndServe(constants.DefaultHttpListenAddr, nil))
 }

-func getIgnoredNamespacesList(cmd *cobra.Command) (util.List, error) {
-	return getStringSliceFromFlags(cmd, "namespaces-to-ignore")
+func startPProfServer() {
+	logrus.Infof("Starting pprof server on %s", options.PProfAddr)
+	if err := http.ListenAndServe(options.PProfAddr, nil); err != nil {
+		logrus.Errorf("Failed to start pprof server: %v", err)
+	}
 }

-func getNamespaceLabelSelector(cmd *cobra.Command) (string, error) {
-	slice, err := getStringSliceFromFlags(cmd, "namespace-selector")
-	if err != nil {
-		logrus.Fatal(err)
+func shouldRunCSIController() bool {
+	if !options.EnableCSIIntegration {
+		logrus.Info("Skipping secretproviderclasspodstatuses controller: EnableCSIIntegration is disabled")
+		return false
 	}
-
-	for i, kv := range slice {
-		// Legacy support for ":" as a delimiter and "*" for wildcard.
-		if strings.Contains(kv, ":") {
-			split := strings.Split(kv, ":")
-			if split[1] == "*" {
-				slice[i] = split[0]
-			} else {
-				slice[i] = split[0] + "=" + split[1]
-			}
-		}
-		// Convert wildcard to valid apimachinery operator
-		if strings.Contains(kv, "=") {
-			split := strings.Split(kv, "=")
-			if split[1] == "*" {
-				slice[i] = split[0]
-			}
-		}
+	if !kube.IsCSIInstalled {
+		logrus.Info("Skipping secretproviderclasspodstatuses controller: CSI CRDs not installed")
+		return false
 	}
-
-	namespaceLabelSelector := strings.Join(slice[:], ",")
-	_, err = labels.Parse(namespaceLabelSelector)
-	if err != nil {
-		logrus.Fatal(err)
-	}
-
-	return namespaceLabelSelector, nil
-}
-
-func getResourceLabelSelector(cmd *cobra.Command) (string, error) {
-	slice, err := getStringSliceFromFlags(cmd, "resource-label-selector")
-	if err != nil {
-		logrus.Fatal(err)
-	}
-
-	for i, kv := range slice {
-		// Legacy support for ":" as a delimiter and "*" for wildcard.
-		if strings.Contains(kv, ":") {
-			split := strings.Split(kv, ":")
-			if split[1] == "*" {
-				slice[i] = split[0]
-			} else {
-				slice[i] = split[0] + "=" + split[1]
-			}
-		}
-		// Convert wildcard to valid apimachinery operator
-		if strings.Contains(kv, "=") {
-			split := strings.Split(kv, "=")
-			if split[1] == "*" {
-				slice[i] = split[0]
-			}
-		}
-	}
-
-	resourceLabelSelector := strings.Join(slice[:], ",")
-	_, err = labels.Parse(resourceLabelSelector)
-	if err != nil {
-		logrus.Fatal(err)
-	}
-
-	return resourceLabelSelector, nil
-}
-
-func getStringSliceFromFlags(cmd *cobra.Command, flag string) ([]string, error) {
-	slice, err := cmd.Flags().GetStringSlice(flag)
-	if err != nil {
-		return nil, err
-	}
-
-	return slice, nil
-}
-
-func getIgnoredResourcesList(cmd *cobra.Command) (util.List, error) {
-
-	ignoredResourcesList, err := getStringSliceFromFlags(cmd, "resources-to-ignore")
-	if err != nil {
-		return nil, err
-	}
-
-	for _, v := range ignoredResourcesList {
-		if v != "configMaps" && v != "secrets" {
-			return nil, fmt.Errorf("'resources-to-ignore' only accepts 'configMaps' or 'secrets', not '%s'", v)
-		}
-	}
-
-	if len(ignoredResourcesList) > 1 {
-		return nil, errors.New("'resources-to-ignore' only accepts 'configMaps' or 'secrets', not both")
-	}
-
-	return ignoredResourcesList, nil
+	return true
 }
--- a/internal/pkg/constants/constants.go
+++ b/internal/pkg/constants/constants.go
@@ -8,6 +8,8 @@ const (
 	ConfigmapEnvVarPostfix = "CONFIGMAP"
 	// SecretEnvVarPostfix is a postfix for secret envVar
 	SecretEnvVarPostfix = "SECRET"
+	// SecretProviderClassEnvVarPostfix is a postfix for secretproviderclasspodstatus envVar
+	SecretProviderClassEnvVarPostfix = "SECRETPROVIDERCLASS"
 	// EnvVarPrefix is a Prefix for environment variable
 	EnvVarPrefix = "STAKATER_"

@@ -22,6 +24,8 @@ const (
 	EnvVarsReloadStrategy = "env-vars"
 	// AnnotationsReloadStrategy instructs Reloader to add pod template annotations to facilitate a restart
 	AnnotationsReloadStrategy = "annotations"
+	// SecretProviderClassController enables support for SecretProviderClassPodStatus resources
+	SecretProviderClassController = "secretproviderclasspodstatuses"
 )

 // Leadership election related consts
--- a/internal/pkg/controller/controller.go
+++ b/internal/pkg/controller/controller.go
@@ -2,9 +2,11 @@ package controller

 import (
 	"fmt"
+	"slices"
 	"time"

 	"github.com/sirupsen/logrus"
+	"github.com/stakater/Reloader/internal/pkg/constants"
 	"github.com/stakater/Reloader/internal/pkg/handler"
 	"github.com/stakater/Reloader/internal/pkg/metrics"
 	"github.com/stakater/Reloader/internal/pkg/options"
@@ -21,7 +23,7 @@ import (
 	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
 	"k8s.io/kubectl/pkg/scheme"
-	"k8s.io/utils/strings/slices"
+	csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 )

 // Controller for checking events
@@ -79,7 +81,12 @@ func NewController(
 		}
 	}

-	listWatcher := cache.NewFilteredListWatchFromClient(client.CoreV1().RESTClient(), resource, namespace, optionsModifier)
+	getterRESTClient, err := getClientForResource(resource, client)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize REST client for %s: %w", resource, err)
+	}
+
+	listWatcher := cache.NewFilteredListWatchFromClient(getterRESTClient, resource, namespace, optionsModifier)

 	_, informer := cache.NewInformerWithOptions(cache.InformerOptions{
 		ListerWatcher: listWatcher,
@@ -108,6 +115,8 @@ func (c *Controller) Add(obj interface{}) {
 	case *v1.Namespace:
 		c.addSelectedNamespaceToCache(*object)
 		return
+	case *csiv1.SecretProviderClassPodStatus:
+		return
 	}

 	if options.ReloadOnCreate == "true" {
@@ -122,11 +131,13 @@ func (c *Controller) Add(obj interface{}) {
 }

 func (c *Controller) resourceInIgnoredNamespace(raw interface{}) bool {
-	switch object := raw.(type) {
+	switch obj := raw.(type) {
 	case *v1.ConfigMap:
-		return c.ignoredNamespaces.Contains(object.ObjectMeta.Namespace)
+		return c.ignoredNamespaces.Contains(obj.Namespace)
 	case *v1.Secret:
-		return c.ignoredNamespaces.Contains(object.ObjectMeta.Namespace)
+		return c.ignoredNamespaces.Contains(obj.Namespace)
+	case *csiv1.SecretProviderClassPodStatus:
+		return c.ignoredNamespaces.Contains(obj.Namespace)
 	}
 	return false
 }
@@ -145,6 +156,10 @@ func (c *Controller) resourceInSelectedNamespaces(raw interface{}) bool {
 		if slices.Contains(selectedNamespacesCache, object.GetNamespace()) {
 			return true
 		}
+	case *csiv1.SecretProviderClassPodStatus:
+		if slices.Contains(selectedNamespacesCache, object.GetNamespace()) {
+			return true
+		}
 	}
 	return false
 }
@@ -183,6 +198,9 @@ func (c *Controller) Update(old interface{}, new interface{}) {

 // Delete function to add an object to the queue in case of deleting a resource
 func (c *Controller) Delete(old interface{}) {
+	if _, ok := old.(*csiv1.SecretProviderClassPodStatus); ok {
+		return
+	}

 	if options.ReloadOnDelete == "true" {
 		if !c.resourceInIgnoredNamespace(old) && c.resourceInSelectedNamespaces(old) && secretControllerInitialized && configmapControllerInitialized {
@@ -212,7 +230,7 @@ func (c *Controller) Run(threadiness int, stopCh chan struct{}) {

 	// Wait for all involved caches to be synced, before processing items from the queue is started
 	if !cache.WaitForCacheSync(stopCh, c.informer.HasSynced) {
-		runtime.HandleError(fmt.Errorf("Timed out waiting for caches to sync"))
+		runtime.HandleError(fmt.Errorf("timed out waiting for caches to sync"))
 		return
 	}

@@ -226,9 +244,9 @@ func (c *Controller) Run(threadiness int, stopCh chan struct{}) {

 func (c *Controller) runWorker() {
 	// At this point the controller is fully initialized and we can start processing the resources
-	if c.resource == "secrets" {
+	if c.resource == string(v1.ResourceSecrets) {
 		secretControllerInitialized = true
-	} else if c.resource == "configMaps" {
+	} else if c.resource == string(v1.ResourceConfigMaps) {
 		configmapControllerInitialized = true
 	}

@@ -280,3 +298,14 @@ func (c *Controller) handleErr(err error, key interface{}) {
 	logrus.Errorf("Dropping key out of the queue: %v", err)
 	logrus.Debugf("Dropping the key %q out of the queue: %v", key, err)
 }
+
+func getClientForResource(resource string, coreClient kubernetes.Interface) (cache.Getter, error) {
+	if resource == constants.SecretProviderClassController {
+		csiClient, err := kube.GetCSIClient()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get CSI client: %w", err)
+		}
+		return csiClient.SecretsstoreV1().RESTClient(), nil
+	}
+	return coreClient.CoreV1().RESTClient(), nil
+}
--- a/internal/pkg/controller/controller_test.go
+++ b/internal/pkg/controller/controller_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/stakater/Reloader/internal/pkg/options"
 	"github.com/stakater/Reloader/internal/pkg/testutil"
 	"github.com/stakater/Reloader/internal/pkg/util"
+	"github.com/stakater/Reloader/pkg/common"
 	"github.com/stakater/Reloader/pkg/kube"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -25,14 +26,15 @@ import (
 )

 var (
-	clients             = kube.GetClients()
-	namespace           = "test-reloader-" + testutil.RandSeq(5)
-	configmapNamePrefix = "testconfigmap-reloader"
-	secretNamePrefix    = "testsecret-reloader"
-	data                = "dGVzdFNlY3JldEVuY29kaW5nRm9yUmVsb2FkZXI="
-	newData             = "dGVzdE5ld1NlY3JldEVuY29kaW5nRm9yUmVsb2FkZXI="
-	updatedData         = "dGVzdFVwZGF0ZWRTZWNyZXRFbmNvZGluZ0ZvclJlbG9hZGVy"
-	collectors          = metrics.NewCollectors()
+	clients                            = kube.GetClients()
+	namespace                          = "test-reloader-" + testutil.RandSeq(5)
+	configmapNamePrefix                = "testconfigmap-reloader"
+	secretNamePrefix                   = "testsecret-reloader"
+	secretProviderClassPodStatusPrefix = "testsecretproviderclasspodstatus-reloader"
+	data                               = "dGVzdFNlY3JldEVuY29kaW5nRm9yUmVsb2FkZXI="
+	newData                            = "dGVzdE5ld1NlY3JldEVuY29kaW5nRm9yUmVsb2FkZXI="
+	updatedData                        = "dGVzdFVwZGF0ZWRTZWNyZXRFbmNvZGluZ0ZvclJlbG9hZGVy"
+	collectors                         = metrics.NewCollectors()
 )

 const (
@@ -45,6 +47,10 @@ func TestMain(m *testing.M) {

 	logrus.Infof("Creating controller")
 	for k := range kube.ResourceMap {
+		// Don't create controller if CSI provider is not installed
+		if k == "secretproviderclasspodstatuses" && !kube.IsCSIInstalled {
+			continue
+		}
 		if k == "namespaces" {
 			continue
 		}
@@ -94,7 +100,7 @@ func TestControllerUpdatingConfigmapShouldCreatePodAnnotationInDeployment(t *tes
 	// Verifying deployment update
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -147,7 +153,7 @@ func TestControllerUpdatingConfigmapShouldAutoCreatePodAnnotationInDeployment(t
 	// Verifying deployment update
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -212,7 +218,7 @@ func TestControllerCreatingConfigmapShouldCreatePodAnnotationInDeployment(t *tes
 	// Verifying deployment update
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -271,7 +277,7 @@ func TestControllerForUpdatingConfigmapShouldUpdateDeploymentUsingArs(t *testing
 	// Verifying deployment update
 	logrus.Infof("Verifying pod annotation has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "aurorasolutions.io")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -326,7 +332,7 @@ func TestControllerUpdatingConfigmapLabelsShouldNotCreateOrCreatePodAnnotationIn
 	// Verifying deployment update
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.google.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -390,7 +396,7 @@ func TestControllerCreatingSecretShouldCreatePodAnnotationInDeployment(t *testin
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, newData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -443,7 +449,7 @@ func TestControllerUpdatingSecretShouldCreatePodAnnotationInDeployment(t *testin
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, newData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -501,7 +507,7 @@ func TestControllerUpdatingSecretShouldUpdatePodAnnotationInDeployment(t *testin
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, updatedData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -552,7 +558,7 @@ func TestControllerUpdatingSecretLabelsShouldNotCreateOrUpdatePodAnnotationInDep
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, data)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -578,6 +584,217 @@ func TestControllerUpdatingSecretLabelsShouldNotCreateOrUpdatePodAnnotationInDep
 	time.Sleep(sleepDuration)
 }

+// Perform rolling upgrade on deployment and create pod annotation var upon updating the secretclassproviderpodstatus
+func TestControllerUpdatingSecretProviderClassPodStatusShouldCreatePodAnnotationInDeployment(t *testing.T) {
+	options.ReloadStrategy = constants.AnnotationsReloadStrategy
+
+	if !kube.IsCSIInstalled {
+		return
+	}
+
+	// Creating secretproviderclass
+	secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
+	_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretproviderclass %v", err)
+	}
+
+	// Creating secretproviderclasspodstatus
+	spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
+	}
+
+	// Creating deployment
+	_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
+	if err != nil {
+		t.Errorf("Error in deployment creation: %v", err)
+	}
+
+	// Updating secretproviderclasspodstatus for first time
+	updateErr := testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", newData)
+	if updateErr != nil {
+		t.Errorf("Secretproviderclasspodstatus was not updated")
+	}
+
+	// Verifying deployment update
+	logrus.Infof("Verifying pod annotation has been created")
+	shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, newData)
+	config := common.Config{
+		Namespace:    namespace,
+		ResourceName: secretproviderclasspodstatusName,
+		SHAValue:     shaData,
+		Annotation:   options.SecretProviderClassUpdateOnChangeAnnotation,
+	}
+	deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
+	updated := testutil.VerifyResourceAnnotationUpdate(clients, config, deploymentFuncs)
+	if !updated {
+		t.Errorf("Deployment was not updated")
+	}
+	time.Sleep(sleepDuration)
+
+	// Deleting deployment
+	err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the deployment %v", err)
+	}
+
+	// Deleting secretproviderclass
+	err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclass %v", err)
+	}
+
+	// Deleting secretproviderclasspodstatus
+	err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
+	}
+	time.Sleep(sleepDuration)
+}
+
+// Perform rolling upgrade on deployment and update pod annotation var upon updating the secretproviderclasspodstatus
+func TestControllerUpdatingSecretProviderClassPodStatusShouldUpdatePodAnnotationInDeployment(t *testing.T) {
+	options.ReloadStrategy = constants.AnnotationsReloadStrategy
+
+	if !kube.IsCSIInstalled {
+		return
+	}
+
+	// Creating secretproviderclass
+	secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
+	_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretproviderclass %v", err)
+	}
+
+	// Creating secretproviderclasspodstatus
+	spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
+	}
+
+	// Creating deployment
+	_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
+	if err != nil {
+		t.Errorf("Error in deployment creation: %v", err)
+	}
+
+	// Updating Secret
+	err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", newData)
+	if err != nil {
+		t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
+	}
+
+	// Updating Secret
+	err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", updatedData)
+	if err != nil {
+		t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
+	}
+
+	// Verifying Upgrade
+	logrus.Infof("Verifying pod annotation has been updated")
+	shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, updatedData)
+	config := common.Config{
+		Namespace:    namespace,
+		ResourceName: secretproviderclasspodstatusName,
+		SHAValue:     shaData,
+		Annotation:   options.SecretProviderClassUpdateOnChangeAnnotation,
+	}
+	deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
+	updated := testutil.VerifyResourceAnnotationUpdate(clients, config, deploymentFuncs)
+	if !updated {
+		t.Errorf("Deployment was not updated")
+	}
+
+	// Deleting Deployment
+	err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the deployment %v", err)
+	}
+
+	// Deleting secretproviderclass
+	err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclass %v", err)
+	}
+
+	// Deleting secretproviderclasspodstatus
+	err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
+	}
+	time.Sleep(sleepDuration)
+
+}
+
+// Do not Perform rolling upgrade on pod and create or update a pod annotation upon updating the label in secretproviderclasspodstatus
+func TestControllerUpdatingSecretProviderClassPodStatusWithSameDataShouldNotCreateOrUpdatePodAnnotationInDeployment(t *testing.T) {
+	options.ReloadStrategy = constants.AnnotationsReloadStrategy
+
+	if !kube.IsCSIInstalled {
+		return
+	}
+
+	// Creating secretproviderclass
+	secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
+	_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretproviderclass %v", err)
+	}
+
+	// Creating secretproviderclasspodstatus
+	spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
+	}
+
+	// Creating deployment
+	_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
+	if err != nil {
+		t.Errorf("Error in deployment creation: %v", err)
+	}
+
+	err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", data)
+	if err != nil {
+		t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
+	}
+
+	// Verifying Upgrade
+	logrus.Infof("Verifying pod annotation has been created")
+	shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, data)
+	config := common.Config{
+		Namespace:    namespace,
+		ResourceName: secretproviderclasspodstatusName,
+		SHAValue:     shaData,
+		Annotation:   options.SecretProviderClassUpdateOnChangeAnnotation,
+	}
+	deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
+	updated := testutil.VerifyResourceAnnotationUpdate(clients, config, deploymentFuncs)
+	if updated {
+		t.Errorf("Deployment should not be updated by changing in secretproviderclasspodstatus")
+	}
+
+	// Deleting Deployment
+	err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the deployment %v", err)
+	}
+
+	// Deleting secretproviderclass
+	err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclass %v", err)
+	}
+
+	// Deleting secretproviderclasspodstatus
+	err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
+	}
+	time.Sleep(sleepDuration)
+}
+
 // Perform rolling upgrade on DaemonSet and create pod annotation var upon updating the configmap
 func TestControllerUpdatingConfigmapShouldCreatePodAnnotationInDaemonSet(t *testing.T) {
 	options.ReloadStrategy = constants.AnnotationsReloadStrategy
@@ -604,7 +821,7 @@ func TestControllerUpdatingConfigmapShouldCreatePodAnnotationInDaemonSet(t *test
 	// Verifying DaemonSet update
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -667,7 +884,7 @@ func TestControllerForUpdatingConfigmapShouldUpdateDaemonSetUsingArs(t *testing.
 	// Verifying DaemonSet update
 	logrus.Infof("Verifying pod annotation has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "aurorasolutions.io")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -720,7 +937,7 @@ func TestControllerUpdatingSecretShouldCreatePodAnnotationInDaemonSet(t *testing
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, newData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -779,7 +996,7 @@ func TestControllerUpdatingSecretShouldUpdatePodAnnotationInDaemonSet(t *testing
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, updatedData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -830,7 +1047,7 @@ func TestControllerUpdatingSecretLabelsShouldNotCreateOrUpdatePodAnnotationInDae
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, data)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -882,7 +1099,7 @@ func TestControllerUpdatingConfigmapShouldCreatePodAnnotationInStatefulSet(t *te
 	// Verifying StatefulSet update
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -941,7 +1158,7 @@ func TestControllerForUpdatingConfigmapShouldUpdateStatefulSetUsingArs(t *testin
 	// Verifying StatefulSet update
 	logrus.Infof("Verifying pod annotation has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "aurorasolutions.io")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -994,7 +1211,7 @@ func TestControllerUpdatingSecretShouldCreatePodAnnotationInStatefulSet(t *testi
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, newData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -1046,7 +1263,7 @@ func TestControllerUpdatingConfigmapShouldCreateEnvInDeployment(t *testing.T) {
 	// Verifying deployment update
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1099,7 +1316,7 @@ func TestControllerUpdatingConfigmapShouldAutoCreateEnvInDeployment(t *testing.T
 	// Verifying deployment update
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1164,7 +1381,7 @@ func TestControllerCreatingConfigmapShouldCreateEnvInDeployment(t *testing.T) {
 	// Verifying deployment update
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1223,7 +1440,7 @@ func TestControllerForUpdatingConfigmapShouldUpdateDeploymentUsingErs(t *testing
 	// Verifying deployment update
 	logrus.Infof("Verifying env var has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "aurorasolutions.io")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1278,7 +1495,7 @@ func TestControllerUpdatingConfigmapLabelsShouldNotCreateOrUpdateEnvInDeployment
 	// Verifying deployment update
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.google.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1342,7 +1559,7 @@ func TestControllerCreatingSecretShouldCreateEnvInDeployment(t *testing.T) {
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, newData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -1395,7 +1612,7 @@ func TestControllerUpdatingSecretShouldCreateEnvInDeployment(t *testing.T) {
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, newData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -1453,7 +1670,7 @@ func TestControllerUpdatingSecretShouldUpdateEnvInDeployment(t *testing.T) {
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, updatedData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -1504,7 +1721,7 @@ func TestControllerUpdatingSecretLabelsShouldNotCreateOrUpdateEnvInDeployment(t
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, data)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -1530,6 +1747,215 @@ func TestControllerUpdatingSecretLabelsShouldNotCreateOrUpdateEnvInDeployment(t
 	time.Sleep(sleepDuration)
 }

+// Perform rolling upgrade on pod and create a env var upon updating the secretproviderclasspodstatus
+func TestControllerUpdatingSecretProviderClassPodStatusShouldCreateEnvInDeployment(t *testing.T) {
+	options.ReloadStrategy = constants.EnvVarsReloadStrategy
+
+	if !kube.IsCSIInstalled {
+		return
+	}
+
+	// Creating secretproviderclass
+	secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
+	_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretproviderclass %v", err)
+	}
+
+	// Creating secretproviderclasspodstatus
+	spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
+	}
+
+	// Creating deployment
+	_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
+	if err != nil {
+		t.Errorf("Error in deployment creation: %v", err)
+	}
+
+	// Updating Secret
+	err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", newData)
+	if err != nil {
+		t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
+	}
+
+	// Verifying Upgrade
+	logrus.Infof("Verifying env var has been created")
+	shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, newData)
+	config := common.Config{
+		Namespace:    namespace,
+		ResourceName: secretproviderclasspodstatusName,
+		SHAValue:     shaData,
+		Annotation:   options.SecretProviderClassUpdateOnChangeAnnotation,
+	}
+	deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
+	updated := testutil.VerifyResourceEnvVarUpdate(clients, config, constants.SecretProviderClassEnvVarPostfix, deploymentFuncs)
+	if !updated {
+		t.Errorf("Deployment was not updated")
+	}
+
+	// Deleting Deployment
+	err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the deployment %v", err)
+	}
+
+	// Deleting secretproviderclass
+	err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclass %v", err)
+	}
+
+	// Deleting secretproviderclasspodstatus
+	err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
+	}
+	time.Sleep(sleepDuration)
+}
+
+// Perform rolling upgrade on deployment and update env var upon updating the secretproviderclasspodstatus
+func TestControllerUpdatingSecretProviderClassPodStatusShouldUpdateEnvInDeployment(t *testing.T) {
+	options.ReloadStrategy = constants.EnvVarsReloadStrategy
+
+	if !kube.IsCSIInstalled {
+		return
+	}
+
+	// Creating secretproviderclass
+	secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
+	_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretproviderclass %v", err)
+	}
+
+	// Creating secretproviderclasspodstatus
+	spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
+	}
+
+	// Creating deployment
+	_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
+	if err != nil {
+		t.Errorf("Error in deployment creation: %v", err)
+	}
+
+	// Updating secretproviderclasspodstatus
+	err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", newData)
+	if err != nil {
+		t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
+	}
+
+	// Updating secretproviderclasspodstatus
+	err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "", updatedData)
+	if err != nil {
+		t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
+	}
+
+	// Verifying Upgrade
+	logrus.Infof("Verifying env var has been updated")
+	shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, updatedData)
+	config := common.Config{
+		Namespace:    namespace,
+		ResourceName: secretproviderclasspodstatusName,
+		SHAValue:     shaData,
+		Annotation:   options.SecretProviderClassUpdateOnChangeAnnotation,
+	}
+	deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
+	updated := testutil.VerifyResourceEnvVarUpdate(clients, config, constants.SecretProviderClassEnvVarPostfix, deploymentFuncs)
+	if !updated {
+		t.Errorf("Deployment was not updated")
+	}
+
+	// Deleting Deployment
+	err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the deployment %v", err)
+	}
+
+	// Deleting secretproviderclass
+	err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclass %v", err)
+	}
+
+	// Deleting secretproviderclasspodstatus
+	err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
+	}
+	time.Sleep(sleepDuration)
+}
+
+// Do not Perform rolling upgrade on pod and create or update a env var upon updating the label in secretclasssproviderpodstatus
+func TestControllerUpdatingSecretProviderClassPodStatusLabelsShouldNotCreateOrUpdateEnvInDeployment(t *testing.T) {
+	options.ReloadStrategy = constants.EnvVarsReloadStrategy
+
+	if !kube.IsCSIInstalled {
+		return
+	}
+
+	// Creating secretproviderclass
+	secretproviderclasspodstatusName := secretProviderClassPodStatusPrefix + "-update-" + testutil.RandSeq(5)
+	_, err := testutil.CreateSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretproviderclass %v", err)
+	}
+
+	// Creating secretproviderclasspodstatus
+	spcpsClient, err := testutil.CreateSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName, data)
+	if err != nil {
+		t.Errorf("Error while creating the secretclasssproviderpodstatus %v", err)
+	}
+
+	// Creating deployment
+	_, err = testutil.CreateDeployment(clients.KubernetesClient, secretproviderclasspodstatusName, namespace, true)
+	if err != nil {
+		t.Errorf("Error in deployment creation: %v", err)
+	}
+
+	err = testutil.UpdateSecretProviderClassPodStatus(spcpsClient, namespace, secretproviderclasspodstatusName, "test", data)
+	if err != nil {
+		t.Errorf("Error while updating secretproviderclasspodstatus %v", err)
+	}
+
+	// Verifying Upgrade
+	logrus.Infof("Verifying env var has been created")
+	shaData := testutil.ConvertResourceToSHA(testutil.SecretProviderClassPodStatusResourceType, namespace, secretproviderclasspodstatusName, data)
+	config := common.Config{
+		Namespace:    namespace,
+		ResourceName: secretproviderclasspodstatusName,
+		SHAValue:     shaData,
+		Annotation:   options.SecretProviderClassUpdateOnChangeAnnotation,
+	}
+	deploymentFuncs := handler.GetDeploymentRollingUpgradeFuncs()
+	updated := testutil.VerifyResourceEnvVarUpdate(clients, config, constants.SecretProviderClassEnvVarPostfix, deploymentFuncs)
+	if updated {
+		t.Errorf("Deployment should not be updated by changing label in secretproviderclasspodstatus")
+	}
+
+	// Deleting Deployment
+	err = testutil.DeleteDeployment(clients.KubernetesClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the deployment %v", err)
+	}
+
+	// Deleting secretproviderclass
+	err = testutil.DeleteSecretProviderClass(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclass %v", err)
+	}
+
+	// Deleting secretproviderclasspodstatus
+	err = testutil.DeleteSecretProviderClassPodStatus(clients.CSIClient, namespace, secretproviderclasspodstatusName)
+	if err != nil {
+		logrus.Errorf("Error while deleting the secretproviderclasspodstatus %v", err)
+	}
+	time.Sleep(sleepDuration)
+}
+
 // Perform rolling upgrade on DaemonSet and create env var upon updating the configmap
 func TestControllerUpdatingConfigmapShouldCreateEnvInDaemonSet(t *testing.T) {
 	options.ReloadStrategy = constants.EnvVarsReloadStrategy
@@ -1556,7 +1982,7 @@ func TestControllerUpdatingConfigmapShouldCreateEnvInDaemonSet(t *testing.T) {
 	// Verifying DaemonSet update
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1619,7 +2045,7 @@ func TestControllerForUpdatingConfigmapShouldUpdateDaemonSetUsingErs(t *testing.
 	// Verifying DaemonSet update
 	logrus.Infof("Verifying env var has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "aurorasolutions.io")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1672,7 +2098,7 @@ func TestControllerUpdatingSecretShouldCreateEnvInDaemonSet(t *testing.T) {
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, newData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -1731,7 +2157,7 @@ func TestControllerUpdatingSecretShouldUpdateEnvInDaemonSet(t *testing.T) {
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, updatedData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -1782,7 +2208,7 @@ func TestControllerUpdatingSecretLabelsShouldNotCreateOrUpdateEnvInDaemonSet(t *
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, data)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -1834,7 +2260,7 @@ func TestControllerUpdatingConfigmapShouldCreateEnvInStatefulSet(t *testing.T) {
 	// Verifying StatefulSet update
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1893,7 +2319,7 @@ func TestControllerForUpdatingConfigmapShouldUpdateStatefulSetUsingErs(t *testin
 	// Verifying StatefulSet update
 	logrus.Infof("Verifying env var has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, namespace, configmapName, "aurorasolutions.io")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -1946,7 +2372,7 @@ func TestControllerUpdatingSecretShouldCreateEnvInStatefulSet(t *testing.T) {
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, newData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -2004,7 +2430,7 @@ func TestControllerUpdatingSecretShouldUpdateEnvInStatefulSet(t *testing.T) {
 	// Verifying Upgrade
 	logrus.Infof("Verifying env var has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, updatedData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -2062,7 +2488,7 @@ func TestControllerUpdatingSecretShouldUpdatePodAnnotationInStatefulSet(t *testi
 	// Verifying Upgrade
 	logrus.Infof("Verifying pod annotation has been updated")
 	shaData := testutil.ConvertResourceToSHA(testutil.SecretResourceType, namespace, secretName, updatedData)
-	config := util.Config{
+	config := common.Config{
 		Namespace:    namespace,
 		ResourceName: secretName,
 		SHAValue:     shaData,
@@ -2331,7 +2757,7 @@ func TestController_resourceInNamespaceSelector(t *testing.T) {

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			fakeClient := fake.NewSimpleClientset()
+			fakeClient := fake.NewClientset()
 			namespace, _ := fakeClient.CoreV1().Namespaces().Create(context.Background(), &tt.fields.namespace, metav1.CreateOptions{})
 			logrus.Infof("created fakeClient namespace for testing = %s", namespace.Name)

@@ -2340,7 +2766,7 @@ func TestController_resourceInNamespaceSelector(t *testing.T) {
 				indexer:           tt.fields.indexer,
 				queue:             tt.fields.queue,
 				informer:          tt.fields.informer,
-				namespace:         tt.fields.namespace.ObjectMeta.Name,
+				namespace:         tt.fields.namespace.Name,
 				namespaceSelector: tt.fields.namespaceSelector,
 			}

--- a/internal/pkg/crypto/sha.go
+++ b/internal/pkg/crypto/sha.go
@@ -1,20 +1,14 @@
 package crypto

 import (
-	"crypto/sha1"
-	"fmt"
-	"io"
-
-	"github.com/sirupsen/logrus"
+	"crypto/sha512"
+	"encoding/hex"
 )

 // GenerateSHA generates SHA from string
+// Always returns a hash value, even for empty strings, to ensure consistent behavior
+// and avoid issues with string matching operations (e.g., strings.Contains(str, "") always returns true)
 func GenerateSHA(data string) string {
-	hasher := sha1.New()
-	_, err := io.WriteString(hasher, data)
-	if err != nil {
-		logrus.Errorf("Unable to write data in hash writer %v", err)
-	}
-	sha := hasher.Sum(nil)
-	return fmt.Sprintf("%x", sha)
+	hash := sha512.Sum512_256([]byte(data))
+	return hex.EncodeToString(hash[:])
 }
--- a/internal/pkg/crypto/sha_test.go
+++ b/internal/pkg/crypto/sha_test.go
@@ -7,9 +7,22 @@ import (
 // TestGenerateSHA generates the sha from given data and verifies whether it is correct or not
 func TestGenerateSHA(t *testing.T) {
 	data := "www.stakater.com"
-	sha := "abd4ed82fb04548388a6cf3c339fd9dc84d275df"
+	sha := "2e9aa975331b22861b4f62b7fcc69b63e001f938361fee3b4ed888adf26a10e3"
 	result := GenerateSHA(data)
 	if result != sha {
 		t.Errorf("Failed to generate SHA")
 	}
 }
+
+// TestGenerateSHAEmptyString verifies that empty string generates a valid hash
+// This ensures consistent behavior and avoids issues with string matching operations
+func TestGenerateSHAEmptyString(t *testing.T) {
+	result := GenerateSHA("")
+	expected := "c672b8d1ef56ed28ab87c3622c5114069bdd3ad7b8f9737498d0c01ecef0967a"
+	if result != expected {
+		t.Errorf("Failed to generate SHA for empty string. Expected: %s, Got: %s", expected, result)
+	}
+	if len(result) != 64 {
+		t.Errorf("SHA hash should be 64 characters long, got %d", len(result))
+	}
+}
--- a/internal/pkg/handler/create.go
+++ b/internal/pkg/handler/create.go
@@ -4,7 +4,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/stakater/Reloader/internal/pkg/metrics"
 	"github.com/stakater/Reloader/internal/pkg/options"
-	"github.com/stakater/Reloader/internal/pkg/util"
+	"github.com/stakater/Reloader/pkg/common"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/record"
 )
@@ -33,13 +33,13 @@ func (r ResourceCreatedHandler) Handle() error {
 }

 // GetConfig gets configurations containing SHA, annotations, namespace and resource name
-func (r ResourceCreatedHandler) GetConfig() (util.Config, string) {
+func (r ResourceCreatedHandler) GetConfig() (common.Config, string) {
 	var oldSHAData string
-	var config util.Config
+	var config common.Config
 	if _, ok := r.Resource.(*v1.ConfigMap); ok {
-		config = util.GetConfigmapConfig(r.Resource.(*v1.ConfigMap))
+		config = common.GetConfigmapConfig(r.Resource.(*v1.ConfigMap))
 	} else if _, ok := r.Resource.(*v1.Secret); ok {
-		config = util.GetSecretConfig(r.Resource.(*v1.Secret))
+		config = common.GetSecretConfig(r.Resource.(*v1.Secret))
 	} else {
 		logrus.Warnf("Invalid resource: Resource should be 'Secret' or 'Configmap' but found, %v", r.Resource)
 	}
--- a/internal/pkg/handler/delete.go
+++ b/internal/pkg/handler/delete.go
@@ -10,7 +10,7 @@ import (
 	"github.com/stakater/Reloader/internal/pkg/metrics"
 	"github.com/stakater/Reloader/internal/pkg/options"
 	"github.com/stakater/Reloader/internal/pkg/testutil"
-	"github.com/stakater/Reloader/internal/pkg/util"
+	"github.com/stakater/Reloader/pkg/common"

 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -42,20 +42,20 @@ func (r ResourceDeleteHandler) Handle() error {
 }

 // GetConfig gets configurations containing SHA, annotations, namespace and resource name
-func (r ResourceDeleteHandler) GetConfig() (util.Config, string) {
+func (r ResourceDeleteHandler) GetConfig() (common.Config, string) {
 	var oldSHAData string
-	var config util.Config
+	var config common.Config
 	if _, ok := r.Resource.(*v1.ConfigMap); ok {
-		config = util.GetConfigmapConfig(r.Resource.(*v1.ConfigMap))
+		config = common.GetConfigmapConfig(r.Resource.(*v1.ConfigMap))
 	} else if _, ok := r.Resource.(*v1.Secret); ok {
-		config = util.GetSecretConfig(r.Resource.(*v1.Secret))
+		config = common.GetSecretConfig(r.Resource.(*v1.Secret))
 	} else {
 		logrus.Warnf("Invalid resource: Resource should be 'Secret' or 'Configmap' but found, %v", r.Resource)
 	}
 	return config, oldSHAData
 }

-func invokeDeleteStrategy(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config util.Config, autoReload bool) InvokeStrategyResult {
+func invokeDeleteStrategy(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config common.Config, autoReload bool) InvokeStrategyResult {
 	if options.ReloadStrategy == constants.AnnotationsReloadStrategy {
 		return removePodAnnotations(upgradeFuncs, item, config, autoReload)
 	}
@@ -63,12 +63,12 @@ func invokeDeleteStrategy(upgradeFuncs callbacks.RollingUpgradeFuncs, item runti
 	return removeContainerEnvVars(upgradeFuncs, item, config, autoReload)
 }

-func removePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config util.Config, autoReload bool) InvokeStrategyResult {
+func removePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config common.Config, autoReload bool) InvokeStrategyResult {
 	config.SHAValue = testutil.GetSHAfromEmptyData()
 	return updatePodAnnotations(upgradeFuncs, item, config, autoReload)
 }

-func removeContainerEnvVars(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config util.Config, autoReload bool) InvokeStrategyResult {
+func removeContainerEnvVars(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config common.Config, autoReload bool) InvokeStrategyResult {
 	envVar := getEnvVarName(config.ResourceName, config.Type)
 	container := getContainerUsingResource(upgradeFuncs, item, config, autoReload)

--- a/internal/pkg/handler/handler.go
+++ b/internal/pkg/handler/handler.go
@@ -1,11 +1,9 @@
 package handler

-import (
-	"github.com/stakater/Reloader/internal/pkg/util"
-)
+import "github.com/stakater/Reloader/pkg/common"

 // ResourceHandler handles the creation and update of resources
 type ResourceHandler interface {
 	Handle() error
-	GetConfig() (util.Config, string)
+	GetConfig() (common.Config, string)
 }
--- a/internal/pkg/handler/pause_deployment.go
+++ b/internal/pkg/handler/pause_deployment.go
@@ -0,0 +1,242 @@
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stakater/Reloader/internal/pkg/options"
+	"github.com/stakater/Reloader/pkg/kube"
+	app "k8s.io/api/apps/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	patchtypes "k8s.io/apimachinery/pkg/types"
+)
+
+// Keeps track of currently active timers
+var activeTimers = make(map[string]*time.Timer)
+
+// Returns unique key for the activeTimers map
+func getTimerKey(namespace, deploymentName string) string {
+	return fmt.Sprintf("%s/%s", namespace, deploymentName)
+}
+
+// Checks if a deployment is currently paused
+func IsPaused(deployment *app.Deployment) bool {
+	return deployment.Spec.Paused
+}
+
+// Deployment paused by reloader ?
+func IsPausedByReloader(deployment *app.Deployment) bool {
+	if IsPaused(deployment) {
+		pausedAtAnnotationValue := deployment.Annotations[options.PauseDeploymentTimeAnnotation]
+		return pausedAtAnnotationValue != ""
+	}
+	return false
+}
+
+// Returns the time, the deployment was paused by reloader, nil otherwise
+func GetPauseStartTime(deployment *app.Deployment) (*time.Time, error) {
+	if !IsPausedByReloader(deployment) {
+		return nil, nil
+	}
+
+	pausedAtStr := deployment.Annotations[options.PauseDeploymentTimeAnnotation]
+	parsedTime, err := time.Parse(time.RFC3339, pausedAtStr)
+	if err != nil {
+		return nil, err
+	}
+
+	return &parsedTime, nil
+}
+
+// ParsePauseDuration parses the pause interval value and returns a time.Duration
+func ParsePauseDuration(pauseIntervalValue string) (time.Duration, error) {
+	pauseDuration, err := time.ParseDuration(pauseIntervalValue)
+	if err != nil {
+		logrus.Warnf("Failed to parse pause interval value '%s': %v", pauseIntervalValue, err)
+		return 0, err
+	}
+	return pauseDuration, nil
+}
+
+// Pauses a deployment for a specified duration and creates a timer to resume it
+// after the specified duration
+func PauseDeployment(deployment *app.Deployment, clients kube.Clients, namespace, pauseIntervalValue string) (*app.Deployment, error) {
+	deploymentName := deployment.Name
+	pauseDuration, err := ParsePauseDuration(pauseIntervalValue)
+
+	if err != nil {
+		return nil, err
+	}
+
+	if !IsPaused(deployment) {
+		logrus.Infof("Pausing Deployment '%s' in namespace '%s' for %s", deploymentName, namespace, pauseDuration)
+
+		deploymentFuncs := GetDeploymentRollingUpgradeFuncs()
+
+		pausePatch, err := CreatePausePatch()
+		if err != nil {
+			logrus.Errorf("Failed to create pause patch for deployment '%s': %v", deploymentName, err)
+			return deployment, err
+		}
+
+		err = deploymentFuncs.PatchFunc(clients, namespace, deployment, patchtypes.StrategicMergePatchType, pausePatch)
+
+		if err != nil {
+			logrus.Errorf("Failed to patch deployment '%s' in namespace '%s': %v", deploymentName, namespace, err)
+			return deployment, err
+		}
+
+		updatedDeployment, err := clients.KubernetesClient.AppsV1().Deployments(namespace).Get(context.TODO(), deploymentName, metav1.GetOptions{})
+
+		CreateResumeTimer(deployment, clients, namespace, pauseDuration)
+		return updatedDeployment, err
+	}
+
+	if !IsPausedByReloader(deployment) {
+		logrus.Infof("Deployment '%s' in namespace '%s' already paused", deploymentName, namespace)
+		return deployment, nil
+	}
+
+	// Deployment has already been paused by reloader, check for timer
+	logrus.Debugf("Deployment '%s' in namespace '%s' is already paused by reloader", deploymentName, namespace)
+
+	timerKey := getTimerKey(namespace, deploymentName)
+	_, timerExists := activeTimers[timerKey]
+
+	if !timerExists {
+		logrus.Warnf("Timer does not exist for already paused deployment '%s' in namespace '%s', creating new one",
+			deploymentName, namespace)
+		HandleMissingTimer(deployment, pauseDuration, clients, namespace)
+	}
+	return deployment, nil
+}
+
+// Handles the case where missing timers for deployments that have been paused by reloader.
+// Could occur after new leader election or reloader restart
+func HandleMissingTimer(deployment *app.Deployment, pauseDuration time.Duration, clients kube.Clients, namespace string) {
+	deploymentName := deployment.Name
+	pauseStartTime, err := GetPauseStartTime(deployment)
+	if err != nil {
+		logrus.Errorf("Error parsing pause start time for deployment '%s' in namespace '%s': %v. Resuming deployment immediately",
+			deploymentName, namespace, err)
+		ResumeDeployment(deployment, namespace, clients)
+		return
+	}
+
+	if pauseStartTime == nil {
+		return
+	}
+
+	elapsedPauseTime := time.Since(*pauseStartTime)
+	remainingPauseTime := pauseDuration - elapsedPauseTime
+
+	if remainingPauseTime <= 0 {
+		logrus.Infof("Pause period for deployment '%s' in namespace '%s' has expired. Resuming immediately",
+			deploymentName, namespace)
+		ResumeDeployment(deployment, namespace, clients)
+		return
+	}
+
+	logrus.Infof("Creating missing timer for already paused deployment '%s' in namespace '%s' with remaining time %s",
+		deploymentName, namespace, remainingPauseTime)
+	CreateResumeTimer(deployment, clients, namespace, remainingPauseTime)
+}
+
+// CreateResumeTimer creates a timer to resume the deployment after the specified duration
+func CreateResumeTimer(deployment *app.Deployment, clients kube.Clients, namespace string, pauseDuration time.Duration) {
+	deploymentName := deployment.Name
+	timerKey := getTimerKey(namespace, deployment.Name)
+
+	// Check if there's an existing timer for this deployment
+	if _, exists := activeTimers[timerKey]; exists {
+		logrus.Debugf("Timer already exists for deployment '%s' in namespace '%s', Skipping creation",
+			deploymentName, namespace)
+		return
+	}
+
+	// Create and store the new timer
+	timer := time.AfterFunc(pauseDuration, func() {
+		ResumeDeployment(deployment, namespace, clients)
+	})
+
+	// Add the new timer to the map
+	activeTimers[timerKey] = timer
+
+	logrus.Debugf("Created pause timer for deployment '%s' in namespace '%s' with duration %s",
+		deploymentName, namespace, pauseDuration)
+}
+
+// ResumeDeployment resumes a deployment that has been paused by reloader
+func ResumeDeployment(deployment *app.Deployment, namespace string, clients kube.Clients) {
+	deploymentName := deployment.Name
+
+	currentDeployment, err := clients.KubernetesClient.AppsV1().Deployments(namespace).Get(context.TODO(), deploymentName, metav1.GetOptions{})
+
+	if err != nil {
+		logrus.Errorf("Failed to get deployment '%s' in namespace '%s': %v", deploymentName, namespace, err)
+		return
+	}
+
+	if !IsPausedByReloader(currentDeployment) {
+		logrus.Infof("Deployment '%s' in namespace '%s' not paused by Reloader. Skipping resume", deploymentName, namespace)
+		return
+	}
+
+	deploymentFuncs := GetDeploymentRollingUpgradeFuncs()
+
+	resumePatch, err := CreateResumePatch()
+	if err != nil {
+		logrus.Errorf("Failed to create resume patch for deployment '%s': %v", deploymentName, err)
+		return
+	}
+
+	// Remove the timer
+	timerKey := getTimerKey(namespace, deploymentName)
+	if timer, exists := activeTimers[timerKey]; exists {
+		timer.Stop()
+		delete(activeTimers, timerKey)
+		logrus.Debugf("Removed pause timer for deployment '%s' in namespace '%s'", deploymentName, namespace)
+	}
+
+	err = deploymentFuncs.PatchFunc(clients, namespace, currentDeployment, patchtypes.StrategicMergePatchType, resumePatch)
+
+	if err != nil {
+		logrus.Errorf("Failed to resume deployment '%s' in namespace '%s': %v", deploymentName, namespace, err)
+		return
+	}
+
+	logrus.Infof("Successfully resumed deployment '%s' in namespace '%s'", deploymentName, namespace)
+}
+
+func CreatePausePatch() ([]byte, error) {
+	patchData := map[string]interface{}{
+		"spec": map[string]interface{}{
+			"paused": true,
+		},
+		"metadata": map[string]interface{}{
+			"annotations": map[string]string{
+				options.PauseDeploymentTimeAnnotation: time.Now().Format(time.RFC3339),
+			},
+		},
+	}
+
+	return json.Marshal(patchData)
+}
+
+func CreateResumePatch() ([]byte, error) {
+	patchData := map[string]interface{}{
+		"spec": map[string]interface{}{
+			"paused": false,
+		},
+		"metadata": map[string]interface{}{
+			"annotations": map[string]interface{}{
+				options.PauseDeploymentTimeAnnotation: nil,
+			},
+		},
+	}
+
+	return json.Marshal(patchData)
+}
--- a/internal/pkg/handler/pause_deployment_test.go
+++ b/internal/pkg/handler/pause_deployment_test.go
@@ -0,0 +1,391 @@
+package handler
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/stakater/Reloader/internal/pkg/options"
+	"github.com/stakater/Reloader/pkg/kube"
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	testclient "k8s.io/client-go/kubernetes/fake"
+)
+
+func TestIsPaused(t *testing.T) {
+	tests := []struct {
+		name       string
+		deployment *appsv1.Deployment
+		paused     bool
+	}{
+		{
+			name: "paused deployment",
+			deployment: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Paused: true,
+				},
+			},
+			paused: true,
+		},
+		{
+			name: "unpaused deployment",
+			deployment: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Paused: false,
+				},
+			},
+			paused: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			result := IsPaused(test.deployment)
+			assert.Equal(t, test.paused, result)
+		})
+	}
+}
+
+func TestIsPausedByReloader(t *testing.T) {
+	tests := []struct {
+		name             string
+		deployment       *appsv1.Deployment
+		pausedByReloader bool
+	}{
+		{
+			name: "paused by reloader",
+			deployment: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Paused: true,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						options.PauseDeploymentTimeAnnotation: time.Now().Format(time.RFC3339),
+					},
+				},
+			},
+			pausedByReloader: true,
+		},
+		{
+			name: "not paused by reloader",
+			deployment: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Paused: true,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{},
+				},
+			},
+			pausedByReloader: false,
+		},
+		{
+			name: "not paused",
+			deployment: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Paused: false,
+				},
+			},
+			pausedByReloader: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			pausedByReloader := IsPausedByReloader(test.deployment)
+			assert.Equal(t, test.pausedByReloader, pausedByReloader)
+		})
+	}
+}
+
+func TestGetPauseStartTime(t *testing.T) {
+	now := time.Now()
+	nowStr := now.Format(time.RFC3339)
+
+	tests := []struct {
+		name              string
+		deployment        *appsv1.Deployment
+		pausedByReloader  bool
+		expectedStartTime time.Time
+	}{
+		{
+			name: "valid pause time",
+			deployment: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Paused: true,
+				},
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations: map[string]string{
+						options.PauseDeploymentTimeAnnotation: nowStr,
+					},
+				},
+			},
+			pausedByReloader:  true,
+			expectedStartTime: now,
+		},
+		{
+			name: "not paused by reloader",
+			deployment: &appsv1.Deployment{
+				Spec: appsv1.DeploymentSpec{
+					Paused: false,
+				},
+			},
+			pausedByReloader: false,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			actualStartTime, err := GetPauseStartTime(test.deployment)
+
+			assert.NoError(t, err)
+
+			if !test.pausedByReloader {
+				assert.Nil(t, actualStartTime)
+			} else {
+				assert.NotNil(t, actualStartTime)
+				assert.WithinDuration(t, test.expectedStartTime, *actualStartTime, time.Second)
+			}
+		})
+	}
+}
+
+func TestParsePauseDuration(t *testing.T) {
+	tests := []struct {
+		name               string
+		pauseIntervalValue string
+		expectedDuration   time.Duration
+		invalidDuration    bool
+	}{
+		{
+			name:               "valid duration",
+			pauseIntervalValue: "10s",
+			expectedDuration:   10 * time.Second,
+			invalidDuration:    false,
+		},
+		{
+			name:               "valid minute duration",
+			pauseIntervalValue: "2m",
+			expectedDuration:   2 * time.Minute,
+			invalidDuration:    false,
+		},
+		{
+			name:               "invalid duration",
+			pauseIntervalValue: "invalid",
+			expectedDuration:   0,
+			invalidDuration:    true,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			actualDuration, err := ParsePauseDuration(test.pauseIntervalValue)
+
+			if test.invalidDuration {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, test.expectedDuration, actualDuration)
+			}
+		})
+	}
+}
+
+func TestHandleMissingTimerSimple(t *testing.T) {
+	tests := []struct {
+		name           string
+		deployment     *appsv1.Deployment
+		shouldBePaused bool // Should be unpaused after HandleMissingTimer ?
+	}{
+		{
+			name: "deployment paused by reloader, pause period has expired and no timer",
+			deployment: &appsv1.Deployment{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-deployment-1",
+					Annotations: map[string]string{
+						options.PauseDeploymentTimeAnnotation: time.Now().Add(-6 * time.Minute).Format(time.RFC3339),
+						options.PauseDeploymentAnnotation:     "5m",
+					},
+				},
+				Spec: appsv1.DeploymentSpec{
+					Paused: true,
+				},
+			},
+			shouldBePaused: false,
+		},
+		{
+			name: "deployment paused by reloader, pause period expires in the future and no timer",
+			deployment: &appsv1.Deployment{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-deployment-2",
+					Annotations: map[string]string{
+						options.PauseDeploymentTimeAnnotation: time.Now().Add(1 * time.Minute).Format(time.RFC3339),
+						options.PauseDeploymentAnnotation:     "5m",
+					},
+				},
+				Spec: appsv1.DeploymentSpec{
+					Paused: true,
+				},
+			},
+			shouldBePaused: true,
+		},
+	}
+
+	for _, test := range tests {
+		// Clean up any timers at the end of the test
+		defer func() {
+			for key, timer := range activeTimers {
+				timer.Stop()
+				delete(activeTimers, key)
+			}
+		}()
+
+		t.Run(test.name, func(t *testing.T) {
+			fakeClient := testclient.NewClientset()
+			clients := kube.Clients{
+				KubernetesClient: fakeClient,
+			}
+
+			_, err := fakeClient.AppsV1().Deployments("default").Create(
+				context.TODO(),
+				test.deployment,
+				metav1.CreateOptions{})
+			assert.NoError(t, err, "Expected no error when creating deployment")
+
+			pauseDuration, _ := ParsePauseDuration(test.deployment.Annotations[options.PauseDeploymentAnnotation])
+			HandleMissingTimer(test.deployment, pauseDuration, clients, "default")
+
+			updatedDeployment, _ := fakeClient.AppsV1().Deployments("default").Get(context.TODO(), test.deployment.Name, metav1.GetOptions{})
+
+			assert.Equal(t, test.shouldBePaused, updatedDeployment.Spec.Paused,
+				"Deployment should have correct paused state after timer expiration")
+
+			if test.shouldBePaused {
+				pausedAtAnnotationValue := updatedDeployment.Annotations[options.PauseDeploymentTimeAnnotation]
+				assert.NotEmpty(t, pausedAtAnnotationValue,
+					"Pause annotation should be present and contain a value when deployment is paused")
+			}
+		})
+	}
+}
+
+func TestPauseDeployment(t *testing.T) {
+	tests := []struct {
+		name               string
+		deployment         *appsv1.Deployment
+		expectedError      bool
+		expectedPaused     bool
+		expectedAnnotation bool // Should have pause time annotation
+		pauseInterval      string
+	}{
+		{
+			name: "deployment without pause annotation",
+			deployment: &appsv1.Deployment{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:        "test-deployment",
+					Annotations: map[string]string{},
+				},
+				Spec: appsv1.DeploymentSpec{
+					Paused: false,
+				},
+			},
+			expectedError:      true,
+			expectedPaused:     false,
+			expectedAnnotation: false,
+			pauseInterval:      "",
+		},
+		{
+			name: "deployment already paused but not by reloader",
+			deployment: &appsv1.Deployment{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-deployment",
+					Annotations: map[string]string{
+						options.PauseDeploymentAnnotation: "5m",
+					},
+				},
+				Spec: appsv1.DeploymentSpec{
+					Paused: true,
+				},
+			},
+			expectedError:      false,
+			expectedPaused:     true,
+			expectedAnnotation: false,
+			pauseInterval:      "5m",
+		},
+		{
+			name: "deployment unpaused that needs to be paused by reloader",
+			deployment: &appsv1.Deployment{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: "test-deployment-3",
+					Annotations: map[string]string{
+						options.PauseDeploymentAnnotation: "5m",
+					},
+				},
+				Spec: appsv1.DeploymentSpec{
+					Paused: false,
+				},
+			},
+			expectedError:      false,
+			expectedPaused:     true,
+			expectedAnnotation: true,
+			pauseInterval:      "5m",
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			fakeClient := testclient.NewClientset()
+			clients := kube.Clients{
+				KubernetesClient: fakeClient,
+			}
+
+			_, err := fakeClient.AppsV1().Deployments("default").Create(
+				context.TODO(),
+				test.deployment,
+				metav1.CreateOptions{})
+			assert.NoError(t, err, "Expected no error when creating deployment")
+
+			updatedDeployment, err := PauseDeployment(test.deployment, clients, "default", test.pauseInterval)
+			if test.expectedError {
+				assert.Error(t, err, "Expected an error pausing the deployment")
+				return
+			} else {
+				assert.NoError(t, err, "Expected no error pausing the deployment")
+			}
+
+			assert.Equal(t, test.expectedPaused, updatedDeployment.Spec.Paused,
+				"Deployment should have correct paused state after pause")
+
+			if test.expectedAnnotation {
+				pausedAtAnnotationValue := updatedDeployment.Annotations[options.PauseDeploymentTimeAnnotation]
+				assert.NotEmpty(t, pausedAtAnnotationValue,
+					"Pause annotation should be present and contain a value when deployment is paused")
+			} else {
+				pausedAtAnnotationValue := updatedDeployment.Annotations[options.PauseDeploymentTimeAnnotation]
+				assert.Empty(t, pausedAtAnnotationValue,
+					"Pause annotation should not be present when deployment has not been paused by reloader")
+			}
+		})
+	}
+}
+
+// Simple helper function for test cases
+func FindDeploymentByName(deployments []runtime.Object, deploymentName string) (*appsv1.Deployment, error) {
+	for _, deployment := range deployments {
+		accessor, err := meta.Accessor(deployment)
+		if err != nil {
+			return nil, fmt.Errorf("error getting accessor for item: %v", err)
+		}
+		if accessor.GetName() == deploymentName {
+			deploymentObj, ok := deployment.(*appsv1.Deployment)
+			if !ok {
+				return nil, fmt.Errorf("failed to cast to Deployment")
+			}
+			return deploymentObj, nil
+		}
+	}
+	return nil, fmt.Errorf("deployment '%s' not found", deploymentName)
+}
--- a/internal/pkg/handler/update.go
+++ b/internal/pkg/handler/update.go
@@ -5,8 +5,10 @@ import (
 	"github.com/stakater/Reloader/internal/pkg/metrics"
 	"github.com/stakater/Reloader/internal/pkg/options"
 	"github.com/stakater/Reloader/internal/pkg/util"
+	"github.com/stakater/Reloader/pkg/common"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/client-go/tools/record"
+	csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 )

 // ResourceUpdatedHandler contains updated objects
@@ -36,17 +38,32 @@ func (r ResourceUpdatedHandler) Handle() error {
 }

 // GetConfig gets configurations containing SHA, annotations, namespace and resource name
-func (r ResourceUpdatedHandler) GetConfig() (util.Config, string) {
-	var oldSHAData string
-	var config util.Config
-	if _, ok := r.Resource.(*v1.ConfigMap); ok {
-		oldSHAData = util.GetSHAfromConfigmap(r.OldResource.(*v1.ConfigMap))
-		config = util.GetConfigmapConfig(r.Resource.(*v1.ConfigMap))
-	} else if _, ok := r.Resource.(*v1.Secret); ok {
-		oldSHAData = util.GetSHAfromSecret(r.OldResource.(*v1.Secret).Data)
-		config = util.GetSecretConfig(r.Resource.(*v1.Secret))
-	} else {
-		logrus.Warnf("Invalid resource: Resource should be 'Secret' or 'Configmap' but found, %v", r.Resource)
+func (r ResourceUpdatedHandler) GetConfig() (common.Config, string) {
+	var (
+		oldSHAData string
+		config     common.Config
+	)
+
+	switch res := r.Resource.(type) {
+	case *v1.ConfigMap:
+		if old, ok := r.OldResource.(*v1.ConfigMap); ok && old != nil {
+			oldSHAData = util.GetSHAfromConfigmap(old)
+		}
+		config = common.GetConfigmapConfig(res)
+
+	case *v1.Secret:
+		if old, ok := r.OldResource.(*v1.Secret); ok && old != nil {
+			oldSHAData = util.GetSHAfromSecret(old.Data)
+		}
+		config = common.GetSecretConfig(res)
+
+	case *csiv1.SecretProviderClassPodStatus:
+		if old, ok := r.OldResource.(*csiv1.SecretProviderClassPodStatus); ok && old != nil && old.Status.Objects != nil {
+			oldSHAData = util.GetSHAfromSecretProviderClassPodStatus(old.Status)
+		}
+		config = common.GetSecretProviderClassPodStatusConfig(res)
+	default:
+		logrus.Warnf("Invalid resource: Resource should be 'Secret', 'Configmap' or 'SecretProviderClassPodStatus' but found, %T", r.Resource)
 	}
 	return config, oldSHAData
 }
--- a/internal/pkg/handler/upgrade.go
+++ b/internal/pkg/handler/upgrade.go
@@ -2,13 +2,12 @@ package handler

 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"os"
-	"regexp"
-	"strconv"
 	"strings"

 	"github.com/parnurzeal/gorequest"
@@ -20,10 +19,13 @@ import (
 	"github.com/stakater/Reloader/internal/pkg/metrics"
 	"github.com/stakater/Reloader/internal/pkg/options"
 	"github.com/stakater/Reloader/internal/pkg/util"
+	"github.com/stakater/Reloader/pkg/common"
 	"github.com/stakater/Reloader/pkg/kube"
+	app "k8s.io/api/apps/v1"
 	v1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	patchtypes "k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/wait"
@@ -139,7 +141,7 @@ func GetArgoRolloutRollingUpgradeFuncs() callbacks.RollingUpgradeFuncs {
 	}
 }

-func sendUpgradeWebhook(config util.Config, webhookUrl string) error {
+func sendUpgradeWebhook(config common.Config, webhookUrl string) error {
 	logrus.Infof("Changes detected in '%s' of type '%s' in namespace '%s', Sending webhook to '%s'",
 		config.ResourceName, config.Type, config.Namespace, webhookUrl)

@@ -161,7 +163,12 @@ func sendWebhook(url string) (string, []error) {
 		// the reloader seems to retry automatically so no retry logic added
 		return "", err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		closeErr := resp.Body.Close()
+		if closeErr != nil {
+			logrus.Error(closeErr)
+		}
+	}()
 	var buffer bytes.Buffer
 	_, bufferErr := io.Copy(&buffer, resp.Body)
 	if bufferErr != nil {
@@ -170,21 +177,37 @@ func sendWebhook(url string) (string, []error) {
 	return buffer.String(), nil
 }

-func doRollingUpgrade(config util.Config, collectors metrics.Collectors, recorder record.EventRecorder, invoke invokeStrategy) error {
+func doRollingUpgrade(config common.Config, collectors metrics.Collectors, recorder record.EventRecorder, invoke invokeStrategy) error {
 	clients := kube.GetClients()

-	err := rollingUpgrade(clients, config, GetDeploymentRollingUpgradeFuncs(), collectors, recorder, invoke)
+	// Get ignored workload types to avoid listing resources without RBAC permissions
+	ignoredWorkloadTypes, err := util.GetIgnoredWorkloadTypesList()
+	if err != nil {
+		logrus.Errorf("Failed to parse ignored workload types: %v", err)
+		ignoredWorkloadTypes = util.List{} // Continue with empty list if parsing fails
+	}
+
+	err = rollingUpgrade(clients, config, GetDeploymentRollingUpgradeFuncs(), collectors, recorder, invoke)
 	if err != nil {
 		return err
 	}
-	err = rollingUpgrade(clients, config, GetCronJobCreateJobFuncs(), collectors, recorder, invoke)
-	if err != nil {
-		return err
+
+	// Only process CronJobs if they are not ignored
+	if !ignoredWorkloadTypes.Contains("cronjobs") {
+		err = rollingUpgrade(clients, config, GetCronJobCreateJobFuncs(), collectors, recorder, invoke)
+		if err != nil {
+			return err
+		}
 	}
-	err = rollingUpgrade(clients, config, GetJobCreateJobFuncs(), collectors, recorder, invoke)
-	if err != nil {
-		return err
+
+	// Only process Jobs if they are not ignored
+	if !ignoredWorkloadTypes.Contains("jobs") {
+		err = rollingUpgrade(clients, config, GetJobCreateJobFuncs(), collectors, recorder, invoke)
+		if err != nil {
+			return err
+		}
 	}
+
 	err = rollingUpgrade(clients, config, GetDaemonSetRollingUpgradeFuncs(), collectors, recorder, invoke)
 	if err != nil {
 		return err
@@ -204,7 +227,7 @@ func doRollingUpgrade(config util.Config, collectors metrics.Collectors, recorde
 	return nil
 }

-func rollingUpgrade(clients kube.Clients, config util.Config, upgradeFuncs callbacks.RollingUpgradeFuncs, collectors metrics.Collectors, recorder record.EventRecorder, strategy invokeStrategy) error {
+func rollingUpgrade(clients kube.Clients, config common.Config, upgradeFuncs callbacks.RollingUpgradeFuncs, collectors metrics.Collectors, recorder record.EventRecorder, strategy invokeStrategy) error {
 	err := PerformAction(clients, config, upgradeFuncs, collectors, recorder, strategy)
 	if err != nil {
 		logrus.Errorf("Rolling upgrade for '%s' failed with error = %v", config.ResourceName, err)
@@ -213,7 +236,7 @@ func rollingUpgrade(clients kube.Clients, config util.Config, upgradeFuncs callb
 }

 // PerformAction invokes the deployment if there is any change in configmap or secret data
-func PerformAction(clients kube.Clients, config util.Config, upgradeFuncs callbacks.RollingUpgradeFuncs, collectors metrics.Collectors, recorder record.EventRecorder, strategy invokeStrategy) error {
+func PerformAction(clients kube.Clients, config common.Config, upgradeFuncs callbacks.RollingUpgradeFuncs, collectors metrics.Collectors, recorder record.EventRecorder, strategy invokeStrategy) error {
 	items := upgradeFuncs.ItemsFunc(clients, config.Namespace)

 	for _, item := range items {
@@ -250,7 +273,7 @@ func retryOnConflict(backoff wait.Backoff, fn func(_ bool) error) error {
 	return err
 }

-func upgradeResource(clients kube.Clients, config util.Config, upgradeFuncs callbacks.RollingUpgradeFuncs, collectors metrics.Collectors, recorder record.EventRecorder, strategy invokeStrategy, resource runtime.Object, fetchResource bool) error {
+func upgradeResource(clients kube.Clients, config common.Config, upgradeFuncs callbacks.RollingUpgradeFuncs, collectors metrics.Collectors, recorder record.EventRecorder, strategy invokeStrategy, resource runtime.Object, fetchResource bool) error {
 	accessor, err := meta.Accessor(resource)
 	if err != nil {
 		return err
@@ -263,128 +286,84 @@ func upgradeResource(clients kube.Clients, config util.Config, upgradeFuncs call
 			return err
 		}
 	}
+	if config.Type == constants.SecretProviderClassEnvVarPostfix {
+		populateAnnotationsFromSecretProviderClass(clients, &config)
+	}

-	// find correct annotation and update the resource
 	annotations := upgradeFuncs.AnnotationsFunc(resource)
-	annotationValue, found := annotations[config.Annotation]
-	searchAnnotationValue, foundSearchAnn := annotations[options.AutoSearchAnnotation]
-	reloaderEnabledValue, foundAuto := annotations[options.ReloaderAutoAnnotation]
-	typedAutoAnnotationEnabledValue, foundTypedAuto := annotations[config.TypedAutoAnnotation]
-	excludeConfigmapAnnotationValue, foundExcludeConfigmap := annotations[options.ConfigmapExcludeReloaderAnnotation]
-	excludeSecretAnnotationValue, foundExcludeSecret := annotations[options.SecretExcludeReloaderAnnotation]
+	podAnnotations := upgradeFuncs.PodAnnotationsFunc(resource)
+	result := common.ShouldReload(config, upgradeFuncs.ResourceType, annotations, podAnnotations, common.GetCommandLineOptions())

-	if !found && !foundAuto && !foundTypedAuto && !foundSearchAnn {
-		annotations = upgradeFuncs.PodAnnotationsFunc(resource)
-		annotationValue = annotations[config.Annotation]
-		searchAnnotationValue = annotations[options.AutoSearchAnnotation]
-		reloaderEnabledValue = annotations[options.ReloaderAutoAnnotation]
-		typedAutoAnnotationEnabledValue = annotations[config.TypedAutoAnnotation]
-	}
-
-	isResourceExcluded := false
-
-	switch config.Type {
-	case constants.ConfigmapEnvVarPostfix:
-		if foundExcludeConfigmap {
-			isResourceExcluded = checkIfResourceIsExcluded(config.ResourceName, excludeConfigmapAnnotationValue)
-		}
-	case constants.SecretEnvVarPostfix:
-		if foundExcludeSecret {
-			isResourceExcluded = checkIfResourceIsExcluded(config.ResourceName, excludeSecretAnnotationValue)
-		}
-	}
-
-	if isResourceExcluded {
+	if !result.ShouldReload {
+		logrus.Debugf("No changes detected in '%s' of type '%s' in namespace '%s'", config.ResourceName, config.Type, config.Namespace)
 		return nil
 	}

-	strategyResult := InvokeStrategyResult{constants.NotUpdated, nil}
-	reloaderEnabled, _ := strconv.ParseBool(reloaderEnabledValue)
-	typedAutoAnnotationEnabled, _ := strconv.ParseBool(typedAutoAnnotationEnabledValue)
-	if reloaderEnabled || typedAutoAnnotationEnabled || reloaderEnabledValue == "" && typedAutoAnnotationEnabledValue == "" && options.AutoReloadAll {
-		strategyResult = strategy(upgradeFuncs, resource, config, true)
+	strategyResult := strategy(upgradeFuncs, resource, config, result.AutoReload)
+
+	if strategyResult.Result != constants.Updated {
+		return nil
 	}

-	if strategyResult.Result != constants.Updated && annotationValue != "" {
-		values := strings.Split(annotationValue, ",")
-		for _, value := range values {
-			value = strings.TrimSpace(value)
-			re := regexp.MustCompile("^" + value + "$")
-			if re.Match([]byte(config.ResourceName)) {
-				strategyResult = strategy(upgradeFuncs, resource, config, false)
-				if strategyResult.Result == constants.Updated {
-					break
-				}
-			}
-		}
-	}
+	// find correct annotation and update the resource
+	pauseInterval, foundPauseInterval := annotations[options.PauseDeploymentAnnotation]

-	if strategyResult.Result != constants.Updated && searchAnnotationValue == "true" {
-		matchAnnotationValue := config.ResourceAnnotations[options.SearchMatchAnnotation]
-		if matchAnnotationValue == "true" {
-			strategyResult = strategy(upgradeFuncs, resource, config, true)
-		}
-	}
-	if strategyResult.Result == constants.Updated {
-		var err error
-		if upgradeFuncs.SupportsPatch && strategyResult.Patch != nil {
-			err = upgradeFuncs.PatchFunc(clients, config.Namespace, resource, strategyResult.Patch.Type, strategyResult.Patch.Bytes)
+	if foundPauseInterval {
+		deployment, ok := resource.(*app.Deployment)
+		if !ok {
+			logrus.Warnf("Annotation '%s' only applicable for deployments", options.PauseDeploymentAnnotation)
 		} else {
-			err = upgradeFuncs.UpdateFunc(clients, config.Namespace, resource)
+			_, err = PauseDeployment(deployment, clients, config.Namespace, pauseInterval)
+			if err != nil {
+				logrus.Errorf("Failed to pause deployment '%s' in namespace '%s': %v", resourceName, config.Namespace, err)
+				return err
+			}
 		}
+	}

-		if err != nil {
-			message := fmt.Sprintf("Update for '%s' of type '%s' in namespace '%s' failed with error %v", resourceName, upgradeFuncs.ResourceType, config.Namespace, err)
-			logrus.Errorf("Update for '%s' of type '%s' in namespace '%s' failed with error %v", resourceName, upgradeFuncs.ResourceType, config.Namespace, err)
+	if upgradeFuncs.SupportsPatch && strategyResult.Patch != nil {
+		err = upgradeFuncs.PatchFunc(clients, config.Namespace, resource, strategyResult.Patch.Type, strategyResult.Patch.Bytes)
+	} else {
+		err = upgradeFuncs.UpdateFunc(clients, config.Namespace, resource)
+	}

-			collectors.Reloaded.With(prometheus.Labels{"success": "false"}).Inc()
-			collectors.ReloadedByNamespace.With(prometheus.Labels{"success": "false", "namespace": config.Namespace}).Inc()
-			if recorder != nil {
-				recorder.Event(resource, v1.EventTypeWarning, "ReloadFail", message)
-			}
-			return err
-		} else {
-			message := fmt.Sprintf("Changes detected in '%s' of type '%s' in namespace '%s'", config.ResourceName, config.Type, config.Namespace)
-			message += fmt.Sprintf(", Updated '%s' of type '%s' in namespace '%s'", resourceName, upgradeFuncs.ResourceType, config.Namespace)
+	if err != nil {
+		message := fmt.Sprintf("Update for '%s' of type '%s' in namespace '%s' failed with error %v", resourceName, upgradeFuncs.ResourceType, config.Namespace, err)
+		logrus.Errorf("Update for '%s' of type '%s' in namespace '%s' failed with error %v", resourceName, upgradeFuncs.ResourceType, config.Namespace, err)

-			logrus.Infof("Changes detected in '%s' of type '%s' in namespace '%s'; updated '%s' of type '%s' in namespace '%s'", config.ResourceName, config.Type, config.Namespace, resourceName, upgradeFuncs.ResourceType, config.Namespace)
+		collectors.Reloaded.With(prometheus.Labels{"success": "false"}).Inc()
+		collectors.ReloadedByNamespace.With(prometheus.Labels{"success": "false", "namespace": config.Namespace}).Inc()
+		if recorder != nil {
+			recorder.Event(resource, v1.EventTypeWarning, "ReloadFail", message)
+		}
+		return err
+	} else {
+		message := fmt.Sprintf("Changes detected in '%s' of type '%s' in namespace '%s'", config.ResourceName, config.Type, config.Namespace)
+		message += fmt.Sprintf(", Updated '%s' of type '%s' in namespace '%s'", resourceName, upgradeFuncs.ResourceType, config.Namespace)

-			collectors.Reloaded.With(prometheus.Labels{"success": "true"}).Inc()
-			collectors.ReloadedByNamespace.With(prometheus.Labels{"success": "true", "namespace": config.Namespace}).Inc()
-			alert_on_reload, ok := os.LookupEnv("ALERT_ON_RELOAD")
-			if recorder != nil {
-				recorder.Event(resource, v1.EventTypeNormal, "Reloaded", message)
-			}
-			if ok && alert_on_reload == "true" {
-				msg := fmt.Sprintf(
-					"Reloader detected changes in *%s* of type *%s* in namespace *%s*. Hence reloaded *%s* of type *%s* in namespace *%s*",
-					config.ResourceName, config.Type, config.Namespace, resourceName, upgradeFuncs.ResourceType, config.Namespace)
-				alert.SendWebhookAlert(msg)
-			}
+		logrus.Infof("Changes detected in '%s' of type '%s' in namespace '%s'; updated '%s' of type '%s' in namespace '%s'", config.ResourceName, config.Type, config.Namespace, resourceName, upgradeFuncs.ResourceType, config.Namespace)
+
+		collectors.Reloaded.With(prometheus.Labels{"success": "true"}).Inc()
+		collectors.ReloadedByNamespace.With(prometheus.Labels{"success": "true", "namespace": config.Namespace}).Inc()
+		alert_on_reload, ok := os.LookupEnv("ALERT_ON_RELOAD")
+		if recorder != nil {
+			recorder.Event(resource, v1.EventTypeNormal, "Reloaded", message)
+		}
+		if ok && alert_on_reload == "true" {
+			msg := fmt.Sprintf(
+				"Reloader detected changes in *%s* of type *%s* in namespace *%s*. Hence reloaded *%s* of type *%s* in namespace *%s*",
+				config.ResourceName, config.Type, config.Namespace, resourceName, upgradeFuncs.ResourceType, config.Namespace)
+			alert.SendWebhookAlert(msg)
 		}
 	}

 	return nil
 }

-func checkIfResourceIsExcluded(resourceName, excludedResources string) bool {
-	if excludedResources == "" {
-		return false
-	}
-
-	excludedResourcesList := strings.Split(excludedResources, ",")
-	for _, excludedResource := range excludedResourcesList {
-		if strings.TrimSpace(excludedResource) == resourceName {
-			return true
-		}
-	}
-
-	return false
-}
-
 func getVolumeMountName(volumes []v1.Volume, mountType string, volumeName string) string {
 	for i := range volumes {
-		if mountType == constants.ConfigmapEnvVarPostfix {
+		switch mountType {
+		case constants.ConfigmapEnvVarPostfix:
 			if volumes[i].ConfigMap != nil && volumes[i].ConfigMap.Name == volumeName {
 				return volumes[i].Name
 			}
@@ -396,7 +375,7 @@ func getVolumeMountName(volumes []v1.Volume, mountType string, volumeName string
 					}
 				}
 			}
-		} else if mountType == constants.SecretEnvVarPostfix {
+		case constants.SecretEnvVarPostfix:
 			if volumes[i].Secret != nil && volumes[i].Secret.SecretName == volumeName {
 				return volumes[i].Name
 			}
@@ -408,6 +387,10 @@ func getVolumeMountName(volumes []v1.Volume, mountType string, volumeName string
 					}
 				}
 			}
+		case constants.SecretProviderClassEnvVarPostfix:
+			if volumes[i].CSI != nil && volumes[i].CSI.VolumeAttributes["secretProviderClass"] == volumeName {
+				return volumes[i].Name
+			}
 		}
 	}

@@ -433,9 +416,9 @@ func getContainerWithEnvReference(containers []v1.Container, resourceName string
 		for j := range envs {
 			envVarSource := envs[j].ValueFrom
 			if envVarSource != nil {
-				if resourceType == constants.SecretEnvVarPostfix && envVarSource.SecretKeyRef != nil && envVarSource.SecretKeyRef.LocalObjectReference.Name == resourceName {
+				if resourceType == constants.SecretEnvVarPostfix && envVarSource.SecretKeyRef != nil && envVarSource.SecretKeyRef.Name == resourceName {
 					return &containers[i]
-				} else if resourceType == constants.ConfigmapEnvVarPostfix && envVarSource.ConfigMapKeyRef != nil && envVarSource.ConfigMapKeyRef.LocalObjectReference.Name == resourceName {
+				} else if resourceType == constants.ConfigmapEnvVarPostfix && envVarSource.ConfigMapKeyRef != nil && envVarSource.ConfigMapKeyRef.Name == resourceName {
 					return &containers[i]
 				}
 			}
@@ -443,9 +426,9 @@ func getContainerWithEnvReference(containers []v1.Container, resourceName string

 		envsFrom := containers[i].EnvFrom
 		for j := range envsFrom {
-			if resourceType == constants.SecretEnvVarPostfix && envsFrom[j].SecretRef != nil && envsFrom[j].SecretRef.LocalObjectReference.Name == resourceName {
+			if resourceType == constants.SecretEnvVarPostfix && envsFrom[j].SecretRef != nil && envsFrom[j].SecretRef.Name == resourceName {
 				return &containers[i]
-			} else if resourceType == constants.ConfigmapEnvVarPostfix && envsFrom[j].ConfigMapRef != nil && envsFrom[j].ConfigMapRef.LocalObjectReference.Name == resourceName {
+			} else if resourceType == constants.ConfigmapEnvVarPostfix && envsFrom[j].ConfigMapRef != nil && envsFrom[j].ConfigMapRef.Name == resourceName {
 				return &containers[i]
 			}
 		}
@@ -453,7 +436,7 @@ func getContainerWithEnvReference(containers []v1.Container, resourceName string
 	return nil
 }

-func getContainerUsingResource(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config util.Config, autoReload bool) *v1.Container {
+func getContainerUsingResource(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config common.Config, autoReload bool) *v1.Container {
 	volumes := upgradeFuncs.VolumesFunc(item)
 	containers := upgradeFuncs.ContainersFunc(item)
 	initContainers := upgradeFuncs.InitContainersFunc(item)
@@ -467,7 +450,11 @@ func getContainerUsingResource(upgradeFuncs callbacks.RollingUpgradeFuncs, item
 			container = getContainerWithVolumeMount(initContainers, volumeMountName)
 			if container != nil {
 				// if configmap/secret is being used in init container then return the first Pod container to save reloader env
-				return &containers[0]
+				if len(containers) > 0 {
+					return &containers[0]
+				}
+				// No containers available, return nil to avoid crash
+				return nil
 			}
 		} else if container != nil {
 			return container
@@ -480,13 +467,21 @@ func getContainerUsingResource(upgradeFuncs callbacks.RollingUpgradeFuncs, item
 		container = getContainerWithEnvReference(initContainers, config.ResourceName, config.Type)
 		if container != nil {
 			// if configmap/secret is being used in init container then return the first Pod container to save reloader env
-			return &containers[0]
+			if len(containers) > 0 {
+				return &containers[0]
+			}
+			// No containers available, return nil to avoid crash
+			return nil
 		}
 	}

 	// Get the first container if the annotation is related to specified configmap or secret i.e. configmap.reloader.stakater.com/reload
 	if container == nil && !autoReload {
-		return &containers[0]
+		if len(containers) > 0 {
+			return &containers[0]
+		}
+		// No containers available, return nil to avoid crash
+		return nil
 	}

 	return container
@@ -502,16 +497,16 @@ type InvokeStrategyResult struct {
 	Patch  *Patch
 }

-type invokeStrategy func(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config util.Config, autoReload bool) InvokeStrategyResult
+type invokeStrategy func(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config common.Config, autoReload bool) InvokeStrategyResult

-func invokeReloadStrategy(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config util.Config, autoReload bool) InvokeStrategyResult {
+func invokeReloadStrategy(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config common.Config, autoReload bool) InvokeStrategyResult {
 	if options.ReloadStrategy == constants.AnnotationsReloadStrategy {
 		return updatePodAnnotations(upgradeFuncs, item, config, autoReload)
 	}
 	return updateContainerEnvVars(upgradeFuncs, item, config, autoReload)
 }

-func updatePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config util.Config, autoReload bool) InvokeStrategyResult {
+func updatePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config common.Config, autoReload bool) InvokeStrategyResult {
 	container := getContainerUsingResource(upgradeFuncs, item, config, autoReload)
 	if container == nil {
 		return InvokeStrategyResult{constants.NoContainerFound, nil}
@@ -519,7 +514,7 @@ func updatePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runti

 	// Generate reloaded annotations. Attaching this to the item's annotation will trigger a rollout
 	// Note: the data on this struct is purely informational and is not used for future updates
-	reloadSource := util.NewReloadSourceFromConfig(config, []string{container.Name})
+	reloadSource := common.NewReloadSourceFromConfig(config, []string{container.Name})
 	annotations, patch, err := createReloadedAnnotations(&reloadSource, upgradeFuncs)
 	if err != nil {
 		logrus.Errorf("Failed to create reloaded annotations for %s! error = %v", config.ResourceName, err)
@@ -532,6 +527,10 @@ func updatePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runti
 		return InvokeStrategyResult{constants.NotUpdated, nil}
 	}

+	if config.Type == constants.SecretProviderClassEnvVarPostfix && secretProviderClassAnnotationReloaded(pa, config) {
+		return InvokeStrategyResult{constants.NotUpdated, nil}
+	}
+
 	for k, v := range annotations {
 		pa[k] = v
 	}
@@ -539,6 +538,11 @@ func updatePodAnnotations(upgradeFuncs callbacks.RollingUpgradeFuncs, item runti
 	return InvokeStrategyResult{constants.Updated, &Patch{Type: patchtypes.StrategicMergePatchType, Bytes: patch}}
 }

+func secretProviderClassAnnotationReloaded(oldAnnotations map[string]string, newConfig common.Config) bool {
+	annotation := oldAnnotations[getReloaderAnnotationKey()]
+	return strings.Contains(annotation, newConfig.ResourceName) && strings.Contains(annotation, newConfig.SHAValue)
+}
+
 func getReloaderAnnotationKey() string {
 	return fmt.Sprintf("%s/%s",
 		constants.ReloaderAnnotationPrefix,
@@ -546,7 +550,7 @@ func getReloaderAnnotationKey() string {
 	)
 }

-func createReloadedAnnotations(target *util.ReloadSource, upgradeFuncs callbacks.RollingUpgradeFuncs) (map[string]string, []byte, error) {
+func createReloadedAnnotations(target *common.ReloadSource, upgradeFuncs callbacks.RollingUpgradeFuncs) (map[string]string, []byte, error) {
 	if target == nil {
 		return nil, nil, errors.New("target is required")
 	}
@@ -581,7 +585,7 @@ func getEnvVarName(resourceName string, typeName string) string {
 	return constants.EnvVarPrefix + util.ConvertToEnvVarName(resourceName) + "_" + typeName
 }

-func updateContainerEnvVars(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config util.Config, autoReload bool) InvokeStrategyResult {
+func updateContainerEnvVars(upgradeFuncs callbacks.RollingUpgradeFuncs, item runtime.Object, config common.Config, autoReload bool) InvokeStrategyResult {
 	envVar := getEnvVarName(config.ResourceName, config.Type)
 	container := getContainerUsingResource(upgradeFuncs, item, config, autoReload)

@@ -589,6 +593,10 @@ func updateContainerEnvVars(upgradeFuncs callbacks.RollingUpgradeFuncs, item run
 		return InvokeStrategyResult{constants.NoContainerFound, nil}
 	}

+	if config.Type == constants.SecretProviderClassEnvVarPostfix && secretProviderClassEnvReloaded(upgradeFuncs.ContainersFunc(item), envVar, config.SHAValue) {
+		return InvokeStrategyResult{constants.NotUpdated, nil}
+	}
+
 	//update if env var exists
 	updateResult := updateEnvVar(container, envVar, config.SHAValue)

@@ -625,6 +633,32 @@ func updateEnvVar(container *v1.Container, envVar string, shaData string) consta
 	return constants.NoEnvVarFound
 }

+func secretProviderClassEnvReloaded(containers []v1.Container, envVar string, shaData string) bool {
+	for _, container := range containers {
+		for _, env := range container.Env {
+			if env.Name == envVar {
+				return env.Value == shaData
+			}
+		}
+	}
+	return false
+}
+
+func populateAnnotationsFromSecretProviderClass(clients kube.Clients, config *common.Config) {
+	obj, err := clients.CSIClient.SecretsstoreV1().SecretProviderClasses(config.Namespace).Get(context.Background(), config.ResourceName, metav1.GetOptions{})
+	annotations := make(map[string]string)
+	if err != nil {
+		if apierrors.IsNotFound(err) {
+			logrus.Warnf("SecretProviderClass '%s' not found in namespace '%s'", config.ResourceName, config.Namespace)
+		} else {
+			logrus.Errorf("Failed to get SecretProviderClass '%s' in namespace '%s': %v", config.ResourceName, config.Namespace, err)
+		}
+	} else if obj.Annotations != nil {
+		annotations = obj.Annotations
+	}
+	config.ResourceAnnotations = annotations
+}
+
 func jsonEscape(toEscape string) (string, error) {
 	bytes, err := json.Marshal(toEscape)
 	if err != nil {
--- a/internal/pkg/handler/upgrade_test.go
+++ b/internal/pkg/handler/upgrade_test.go
--- a/internal/pkg/leadership/leadership_test.go
+++ b/internal/pkg/leadership/leadership_test.go
@@ -16,7 +16,7 @@ import (
 	"github.com/stakater/Reloader/internal/pkg/metrics"
 	"github.com/stakater/Reloader/internal/pkg/options"
 	"github.com/stakater/Reloader/internal/pkg/testutil"
-	"github.com/stakater/Reloader/internal/pkg/util"
+	"github.com/stakater/Reloader/pkg/common"
 	"github.com/stakater/Reloader/pkg/kube"
 )

@@ -159,7 +159,7 @@ func TestRunLeaderElectionWithControllers(t *testing.T) {
 	// Verifying deployment update
 	logrus.Infof("Verifying pod envvars has been created")
 	shaData := testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, testutil.Namespace, configmapName, "www.stakater.com")
-	config := util.Config{
+	config := common.Config{
 		Namespace:    testutil.Namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
@@ -186,7 +186,7 @@ func TestRunLeaderElectionWithControllers(t *testing.T) {
 	// Verifying that the deployment was not updated as leadership has been lost
 	logrus.Infof("Verifying pod envvars has not been updated")
 	shaData = testutil.ConvertResourceToSHA(testutil.ConfigmapResourceType, testutil.Namespace, configmapName, "www.stakater.com/new")
-	config = util.Config{
+	config = common.Config{
 		Namespace:    testutil.Namespace,
 		ResourceName: configmapName,
 		SHAValue:     shaData,
--- a/internal/pkg/options/flags.go
+++ b/internal/pkg/options/flags.go
@@ -20,16 +20,25 @@ var (
 	// SecretUpdateOnChangeAnnotation is an annotation to detect changes in
 	// secrets specified by name
 	SecretUpdateOnChangeAnnotation = "secret.reloader.stakater.com/reload"
+	// SecretProviderClassUpdateOnChangeAnnotation is an annotation to detect changes in
+	// secretproviderclasses specified by name
+	SecretProviderClassUpdateOnChangeAnnotation = "secretproviderclass.reloader.stakater.com/reload"
 	// ReloaderAutoAnnotation is an annotation to detect changes in secrets/configmaps
 	ReloaderAutoAnnotation = "reloader.stakater.com/auto"
+	// IgnoreResourceAnnotation is an annotation to ignore changes in secrets/configmaps
+	IgnoreResourceAnnotation = "reloader.stakater.com/ignore"
 	// ConfigmapReloaderAutoAnnotation is an annotation to detect changes in configmaps
 	ConfigmapReloaderAutoAnnotation = "configmap.reloader.stakater.com/auto"
 	// SecretReloaderAutoAnnotation is an annotation to detect changes in secrets
 	SecretReloaderAutoAnnotation = "secret.reloader.stakater.com/auto"
+	// SecretProviderClassReloaderAutoAnnotation is an annotation to detect changes in secretproviderclasses
+	SecretProviderClassReloaderAutoAnnotation = "secretproviderclass.reloader.stakater.com/auto"
 	// ConfigmapReloaderAutoAnnotation is a comma separated list of configmaps that excludes detecting changes on cms
 	ConfigmapExcludeReloaderAnnotation = "configmaps.exclude.reloader.stakater.com/reload"
 	// SecretExcludeReloaderAnnotation is a comma separated list of secrets that excludes detecting changes on secrets
 	SecretExcludeReloaderAnnotation = "secrets.exclude.reloader.stakater.com/reload"
+	// SecretProviderClassExcludeReloaderAnnotation is a comma separated list of secret provider classes that excludes detecting changes on secret provider class
+	SecretProviderClassExcludeReloaderAnnotation = "secretproviderclasses.exclude.reloader.stakater.com/reload"
 	// AutoSearchAnnotation is an annotation to detect changes in
 	// configmaps or triggers with the SearchMatchAnnotation
 	AutoSearchAnnotation = "reloader.stakater.com/search"
@@ -38,6 +47,12 @@ var (
 	SearchMatchAnnotation = "reloader.stakater.com/match"
 	// RolloutStrategyAnnotation is an annotation to define rollout update strategy
 	RolloutStrategyAnnotation = "reloader.stakater.com/rollout-strategy"
+	// PauseDeploymentAnnotation is an annotation to define the time period to pause a deployment after
+	// a configmap/secret change has been detected. Valid values are described here: https://pkg.go.dev/time#ParseDuration
+	// only positive values are allowed
+	PauseDeploymentAnnotation = "deployment.reloader.stakater.com/pause-period"
+	// Annotation set by reloader to indicate that the deployment has been paused
+	PauseDeploymentTimeAnnotation = "deployment.reloader.stakater.com/paused-at"
 	// LogFormat is the log format to use (json, or empty string for default)
 	LogFormat = ""
 	// LogLevel is the log level to use (trace, debug, info, warning, error, fatal and panic)
@@ -55,6 +70,23 @@ var (
 	EnableHA = false
 	// Url to send a request to instead of triggering a reload
 	WebhookUrl = ""
+	// EnableCSIIntegration Adds support to watch SecretProviderClassPodStatus and restart deployment based on it
+	EnableCSIIntegration = false
+	// ResourcesToIgnore is a list of resources to ignore when watching for changes
+	ResourcesToIgnore = []string{}
+	// WorkloadTypesToIgnore is a list of workload types to ignore when watching for changes
+	WorkloadTypesToIgnore = []string{}
+	// NamespacesToIgnore is a list of namespace names to ignore when watching for changes
+	NamespacesToIgnore = []string{}
+	// NamespaceSelectors is a list of namespace selectors to watch for changes
+	NamespaceSelectors = []string{}
+	// ResourceSelectors is a list of resource selectors to watch for changes
+	ResourceSelectors = []string{}
+	// EnablePProf enables pprof for profiling
+	EnablePProf = false
+	// PProfAddr is the address to start pprof server on
+	// Default is :6060
+	PProfAddr = ":6060"
 )

 func ToArgoRolloutStrategy(s string) ArgoRolloutStrategy {
--- a/internal/pkg/testutil/kube.go
+++ b/internal/pkg/testutil/kube.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"math/rand"
+	"os"
 	"sort"
 	"strconv"
 	"strings"
@@ -21,6 +22,7 @@ import (
 	"github.com/stakater/Reloader/internal/pkg/metrics"
 	"github.com/stakater/Reloader/internal/pkg/options"
 	"github.com/stakater/Reloader/internal/pkg/util"
+	"github.com/stakater/Reloader/pkg/common"
 	"github.com/stakater/Reloader/pkg/kube"
 	appsv1 "k8s.io/api/apps/v1"
 	batchv1 "k8s.io/api/batch/v1"
@@ -29,6 +31,9 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	core_v1 "k8s.io/client-go/kubernetes/typed/core/v1"
+	csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
+	csiclient "sigs.k8s.io/secrets-store-csi-driver/pkg/client/clientset/versioned"
+	csiclient_v1 "sigs.k8s.io/secrets-store-csi-driver/pkg/client/clientset/versioned/typed/apis/v1"
 )

 var (
@@ -37,8 +42,31 @@ var (
 	ConfigmapResourceType = "configMaps"
 	// SecretResourceType is a resource type which controller watches for changes
 	SecretResourceType = "secrets"
+	// SecretproviderclasspodstatusResourceType is a resource type which controller watches for changes
+	SecretProviderClassPodStatusResourceType = "secretproviderclasspodstatuses"
+
+	// SkipTestSleeps can be set to true to skip all sleep delays in test utilities
+	// This significantly speeds up tests when using fake clients (which are synchronous)
+	// Set via environment variable RELOADER_SKIP_TEST_SLEEPS=true or in test code
+	SkipTestSleeps = false
 )

+func init() {
+	// Check environment variable to enable fast test mode
+	if os.Getenv("RELOADER_SKIP_TEST_SLEEPS") == "true" {
+		SkipTestSleeps = true
+	}
+}
+
+// TestSleep is a helper that only sleeps if SkipTestSleeps is false
+// This allows tests to run much faster with fake clients while maintaining
+// compatibility with real cluster testing if needed
+func TestSleep(duration time.Duration) {
+	if !SkipTestSleeps {
+		time.Sleep(duration)
+	}
+}
+
 var (
 	Clients             = kube.GetClients()
 	Pod                 = "test-reloader-" + RandSeq(5)
@@ -72,16 +100,16 @@ func DeleteNamespace(namespace string, client kubernetes.Interface) {
 	}
 }

-func getObjectMeta(namespace string, name string, autoReload bool, secretAutoReload bool, configmapAutoReload bool, extraAnnotations map[string]string) metav1.ObjectMeta {
+func getObjectMeta(namespace string, name string, autoReload bool, secretAutoReload bool, configmapAutoReload bool, secretproviderclass bool, extraAnnotations map[string]string) metav1.ObjectMeta {
 	return metav1.ObjectMeta{
 		Name:        name,
 		Namespace:   namespace,
 		Labels:      map[string]string{"firstLabel": "temp"},
-		Annotations: getAnnotations(name, autoReload, secretAutoReload, configmapAutoReload, extraAnnotations),
+		Annotations: getAnnotations(name, autoReload, secretAutoReload, configmapAutoReload, secretproviderclass, extraAnnotations),
 	}
 }

-func getAnnotations(name string, autoReload bool, secretAutoReload bool, configmapAutoReload bool, extraAnnotations map[string]string) map[string]string {
+func getAnnotations(name string, autoReload bool, secretAutoReload bool, configmapAutoReload bool, secretproviderclass bool, extraAnnotations map[string]string) map[string]string {
 	annotations := make(map[string]string)
 	if autoReload {
 		annotations[options.ReloaderAutoAnnotation] = "true"
@@ -92,11 +120,16 @@ func getAnnotations(name string, autoReload bool, secretAutoReload bool, configm
 	if configmapAutoReload {
 		annotations[options.ConfigmapReloaderAutoAnnotation] = "true"
 	}
+	if secretproviderclass {
+		annotations[options.SecretProviderClassReloaderAutoAnnotation] = "true"
+	}

-	if !(len(annotations) > 0) {
+	if len(annotations) == 0 {
 		annotations = map[string]string{
-			options.ConfigmapUpdateOnChangeAnnotation: name,
-			options.SecretUpdateOnChangeAnnotation:    name}
+			options.ConfigmapUpdateOnChangeAnnotation:           name,
+			options.SecretUpdateOnChangeAnnotation:              name,
+			options.SecretProviderClassUpdateOnChangeAnnotation: name,
+		}
 	}
 	for k, v := range extraAnnotations {
 		annotations[k] = v
@@ -175,6 +208,15 @@ func getVolumes(name string) []v1.Volume {
 				},
 			},
 		},
+		{
+			Name: "secretproviderclass",
+			VolumeSource: v1.VolumeSource{
+				CSI: &v1.CSIVolumeSource{
+					Driver:           "secrets-store.csi.k8s.io",
+					VolumeAttributes: map[string]string{"secretProviderClass": name},
+				},
+			},
+		},
 	}
 }

@@ -188,6 +230,10 @@ func getVolumeMounts() []v1.VolumeMount {
 			MountPath: "etc/sec",
 			Name:      "secret",
 		},
+		{
+			MountPath: "etc/spc",
+			Name:      "secretproviderclass",
+		},
 		{
 			MountPath: "etc/projectedconfig",
 			Name:      "projectedconfigmap",
@@ -347,7 +393,7 @@ func getPodTemplateSpecWithInitContainerAndEnv(name string) v1.PodTemplateSpec {
 func GetDeployment(namespace string, deploymentName string) *appsv1.Deployment {
 	replicaset := int32(1)
 	return &appsv1.Deployment{
-		ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, false, map[string]string{}),
 		Spec: appsv1.DeploymentSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -366,7 +412,7 @@ func GetDeploymentConfig(namespace string, deploymentConfigName string) *openshi
 	replicaset := int32(1)
 	podTemplateSpecWithVolume := getPodTemplateSpecWithVolumes(deploymentConfigName)
 	return &openshiftv1.DeploymentConfig{
-		ObjectMeta: getObjectMeta(namespace, deploymentConfigName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, deploymentConfigName, false, false, false, false, map[string]string{}),
 		Spec: openshiftv1.DeploymentConfigSpec{
 			Replicas: replicaset,
 			Strategy: openshiftv1.DeploymentStrategy{
@@ -381,7 +427,7 @@ func GetDeploymentConfig(namespace string, deploymentConfigName string) *openshi
 func GetDeploymentWithInitContainer(namespace string, deploymentName string) *appsv1.Deployment {
 	replicaset := int32(1)
 	return &appsv1.Deployment{
-		ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, false, map[string]string{}),
 		Spec: appsv1.DeploymentSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -399,7 +445,7 @@ func GetDeploymentWithInitContainer(namespace string, deploymentName string) *ap
 func GetDeploymentWithInitContainerAndEnv(namespace string, deploymentName string) *appsv1.Deployment {
 	replicaset := int32(1)
 	return &appsv1.Deployment{
-		ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, false, map[string]string{}),
 		Spec: appsv1.DeploymentSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -416,7 +462,7 @@ func GetDeploymentWithInitContainerAndEnv(namespace string, deploymentName strin
 func GetDeploymentWithEnvVars(namespace string, deploymentName string) *appsv1.Deployment {
 	replicaset := int32(1)
 	return &appsv1.Deployment{
-		ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, false, map[string]string{}),
 		Spec: appsv1.DeploymentSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -434,7 +480,7 @@ func GetDeploymentConfigWithEnvVars(namespace string, deploymentConfigName strin
 	replicaset := int32(1)
 	podTemplateSpecWithEnvVars := getPodTemplateSpecWithEnvVars(deploymentConfigName)
 	return &openshiftv1.DeploymentConfig{
-		ObjectMeta: getObjectMeta(namespace, deploymentConfigName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, deploymentConfigName, false, false, false, false, map[string]string{}),
 		Spec: openshiftv1.DeploymentConfigSpec{
 			Replicas: replicaset,
 			Strategy: openshiftv1.DeploymentStrategy{
@@ -448,7 +494,7 @@ func GetDeploymentConfigWithEnvVars(namespace string, deploymentConfigName strin
 func GetDeploymentWithEnvVarSources(namespace string, deploymentName string) *appsv1.Deployment {
 	replicaset := int32(1)
 	return &appsv1.Deployment{
-		ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, deploymentName, true, false, false, false, map[string]string{}),
 		Spec: appsv1.DeploymentSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -465,7 +511,7 @@ func GetDeploymentWithEnvVarSources(namespace string, deploymentName string) *ap
 func GetDeploymentWithPodAnnotations(namespace string, deploymentName string, both bool) *appsv1.Deployment {
 	replicaset := int32(1)
 	deployment := &appsv1.Deployment{
-		ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, deploymentName, false, false, false, false, map[string]string{}),
 		Spec: appsv1.DeploymentSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -478,19 +524,22 @@ func GetDeploymentWithPodAnnotations(namespace string, deploymentName string, bo
 		},
 	}
 	if !both {
-		deployment.ObjectMeta.Annotations = nil
+		deployment.Annotations = nil
 	}
-	deployment.Spec.Template.ObjectMeta.Annotations = getAnnotations(deploymentName, true, false, false, map[string]string{})
+	deployment.Spec.Template.Annotations = getAnnotations(deploymentName, true, false, false, false, map[string]string{})
 	return deployment
 }

 func GetDeploymentWithTypedAutoAnnotation(namespace string, deploymentName string, resourceType string) *appsv1.Deployment {
 	replicaset := int32(1)
 	var objectMeta metav1.ObjectMeta
-	if resourceType == SecretResourceType {
-		objectMeta = getObjectMeta(namespace, deploymentName, false, true, false, map[string]string{})
-	} else if resourceType == ConfigmapResourceType {
-		objectMeta = getObjectMeta(namespace, deploymentName, false, false, true, map[string]string{})
+	switch resourceType {
+	case SecretResourceType:
+		objectMeta = getObjectMeta(namespace, deploymentName, false, true, false, false, map[string]string{})
+	case ConfigmapResourceType:
+		objectMeta = getObjectMeta(namespace, deploymentName, false, false, true, false, map[string]string{})
+	case SecretProviderClassPodStatusResourceType:
+		objectMeta = getObjectMeta(namespace, deploymentName, false, false, false, true, map[string]string{})
 	}

 	return &appsv1.Deployment{
@@ -513,10 +562,13 @@ func GetDeploymentWithExcludeAnnotation(namespace string, deploymentName string,

 	annotation := map[string]string{}

-	if resourceType == SecretResourceType {
+	switch resourceType {
+	case SecretResourceType:
 		annotation[options.SecretExcludeReloaderAnnotation] = deploymentName
-	} else if resourceType == ConfigmapResourceType {
+	case ConfigmapResourceType:
 		annotation[options.ConfigmapExcludeReloaderAnnotation] = deploymentName
+	case SecretProviderClassPodStatusResourceType:
+		annotation[options.SecretProviderClassExcludeReloaderAnnotation] = deploymentName
 	}

 	return &appsv1.Deployment{
@@ -542,7 +594,7 @@ func GetDeploymentWithExcludeAnnotation(namespace string, deploymentName string,
 // GetDaemonSet provides daemonset for testing
 func GetDaemonSet(namespace string, daemonsetName string) *appsv1.DaemonSet {
 	return &appsv1.DaemonSet{
-		ObjectMeta: getObjectMeta(namespace, daemonsetName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, daemonsetName, false, false, false, false, map[string]string{}),
 		Spec: appsv1.DaemonSetSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -557,7 +609,7 @@ func GetDaemonSet(namespace string, daemonsetName string) *appsv1.DaemonSet {

 func GetDaemonSetWithEnvVars(namespace string, daemonSetName string) *appsv1.DaemonSet {
 	return &appsv1.DaemonSet{
-		ObjectMeta: getObjectMeta(namespace, daemonSetName, true, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, daemonSetName, true, false, false, false, map[string]string{}),
 		Spec: appsv1.DaemonSetSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -573,7 +625,7 @@ func GetDaemonSetWithEnvVars(namespace string, daemonSetName string) *appsv1.Dae
 // GetStatefulSet provides statefulset for testing
 func GetStatefulSet(namespace string, statefulsetName string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
-		ObjectMeta: getObjectMeta(namespace, statefulsetName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, statefulsetName, false, false, false, false, map[string]string{}),
 		Spec: appsv1.StatefulSetSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -589,7 +641,7 @@ func GetStatefulSet(namespace string, statefulsetName string) *appsv1.StatefulSe
 // GetStatefulSet provides statefulset for testing
 func GetStatefulSetWithEnvVar(namespace string, statefulsetName string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
-		ObjectMeta: getObjectMeta(namespace, statefulsetName, true, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, statefulsetName, true, false, false, false, map[string]string{}),
 		Spec: appsv1.StatefulSetSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -614,6 +666,42 @@ func GetConfigmap(namespace string, configmapName string, testData string) *v1.C
 	}
 }

+func GetSecretProviderClass(namespace string, secretProviderClassName string, data string) *csiv1.SecretProviderClass {
+	return &csiv1.SecretProviderClass{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretProviderClassName,
+			Namespace: namespace,
+		},
+		Spec: csiv1.SecretProviderClassSpec{
+			Provider: "Test",
+			Parameters: map[string]string{
+				"parameter1": data,
+			},
+		},
+	}
+}
+
+func GetSecretProviderClassPodStatus(namespace string, secretProviderClassPodStatusName string, data string) *csiv1.SecretProviderClassPodStatus {
+	return &csiv1.SecretProviderClassPodStatus{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      secretProviderClassPodStatusName,
+			Namespace: namespace,
+		},
+		Status: csiv1.SecretProviderClassPodStatusStatus{
+			PodName:                 "test123",
+			SecretProviderClassName: secretProviderClassPodStatusName,
+			TargetPath:              "/var/lib/kubelet/d8771ddf-935a-4199-a20b-f35f71c1d9e7/volumes/kubernetes.io~csi/secrets-store-inline/mount",
+			Mounted:                 true,
+			Objects: []csiv1.SecretProviderClassObject{
+				{
+					ID:      "parameter1",
+					Version: data,
+				},
+			},
+		},
+	}
+}
+
 // GetConfigmapWithUpdatedLabel provides configmap for testing
 func GetConfigmapWithUpdatedLabel(namespace string, configmapName string, testLabel string, testData string) *v1.ConfigMap {
 	return &v1.ConfigMap{
@@ -640,7 +728,7 @@ func GetSecret(namespace string, secretName string, data string) *v1.Secret {

 func GetCronJob(namespace string, cronJobName string) *batchv1.CronJob {
 	return &batchv1.CronJob{
-		ObjectMeta: getObjectMeta(namespace, cronJobName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, cronJobName, false, false, false, false, map[string]string{}),
 		Spec: batchv1.CronJobSpec{
 			Schedule: "*/5 * * * *", // Run every 5 minutes
 			JobTemplate: batchv1.JobTemplateSpec{
@@ -657,7 +745,7 @@ func GetCronJob(namespace string, cronJobName string) *batchv1.CronJob {

 func GetJob(namespace string, jobName string) *batchv1.Job {
 	return &batchv1.Job{
-		ObjectMeta: getObjectMeta(namespace, jobName, false, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, jobName, false, false, false, false, map[string]string{}),
 		Spec: batchv1.JobSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -669,7 +757,7 @@ func GetJob(namespace string, jobName string) *batchv1.Job {

 func GetCronJobWithEnvVar(namespace string, cronJobName string) *batchv1.CronJob {
 	return &batchv1.CronJob{
-		ObjectMeta: getObjectMeta(namespace, cronJobName, true, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, cronJobName, true, false, false, false, map[string]string{}),
 		Spec: batchv1.CronJobSpec{
 			Schedule: "*/5 * * * *", // Run every 5 minutes
 			JobTemplate: batchv1.JobTemplateSpec{
@@ -686,7 +774,7 @@ func GetCronJobWithEnvVar(namespace string, cronJobName string) *batchv1.CronJob

 func GetJobWithEnvVar(namespace string, jobName string) *batchv1.Job {
 	return &batchv1.Job{
-		ObjectMeta: getObjectMeta(namespace, jobName, true, false, false, map[string]string{}),
+		ObjectMeta: getObjectMeta(namespace, jobName, true, false, false, false, map[string]string{}),
 		Spec: batchv1.JobSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -733,7 +821,7 @@ func GetResourceSHAFromAnnotation(podAnnotations map[string]string) string {
 		return ""
 	}

-	var last util.ReloadSource
+	var last common.ReloadSource
 	bytes := []byte(annotationJson)
 	err := json.Unmarshal(bytes, &last)
 	if err != nil {
@@ -743,19 +831,26 @@ func GetResourceSHAFromAnnotation(podAnnotations map[string]string) string {
 	return last.Hash
 }

-// ConvertResourceToSHA generates SHA from secret or configmap data
+// ConvertResourceToSHA generates SHA from secret, configmap or secretproviderclasspodstatus data
 func ConvertResourceToSHA(resourceType string, namespace string, resourceName string, data string) string {
 	values := []string{}
-	if resourceType == SecretResourceType {
+	switch resourceType {
+	case SecretResourceType:
 		secret := GetSecret(namespace, resourceName, data)
 		for k, v := range secret.Data {
 			values = append(values, k+"="+string(v[:]))
 		}
-	} else if resourceType == ConfigmapResourceType {
+	case ConfigmapResourceType:
 		configmap := GetConfigmap(namespace, resourceName, data)
 		for k, v := range configmap.Data {
 			values = append(values, k+"="+v)
 		}
+	case SecretProviderClassPodStatusResourceType:
+		secretproviderclasspodstatus := GetSecretProviderClassPodStatus(namespace, resourceName, data)
+		for _, v := range secretproviderclasspodstatus.Status.Objects {
+			values = append(values, v.ID+"="+v.Version)
+		}
+		values = append(values, "SecretProviderClassName="+secretproviderclasspodstatus.Status.SecretProviderClassName)
 	}
 	sort.Strings(values)
 	return crypto.GenerateSHA(strings.Join(values, ";"))
@@ -766,16 +861,35 @@ func CreateConfigMap(client kubernetes.Interface, namespace string, configmapNam
 	logrus.Infof("Creating configmap")
 	configmapClient := client.CoreV1().ConfigMaps(namespace)
 	_, err := configmapClient.Create(context.TODO(), GetConfigmap(namespace, configmapName, data), metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return configmapClient, err
 }

+// CreateSecretProviderClass creates a SecretProviderClass in given namespace and returns the SecretProviderClassInterface
+func CreateSecretProviderClass(client csiclient.Interface, namespace string, secretProviderClassName string, data string) (csiclient_v1.SecretProviderClassInterface, error) {
+	logrus.Infof("Creating SecretProviderClass")
+	secretProviderClassClient := client.SecretsstoreV1().SecretProviderClasses(namespace)
+	_, err := secretProviderClassClient.Create(context.TODO(), GetSecretProviderClass(namespace, secretProviderClassName, data), metav1.CreateOptions{})
+	TestSleep(3 * time.Second)
+	return secretProviderClassClient, err
+}
+
+// CreateSecretProviderClassPodStatus creates a SecretProviderClassPodStatus in given namespace and returns the SecretProviderClassPodStatusInterface
+func CreateSecretProviderClassPodStatus(client csiclient.Interface, namespace string, secretProviderClassPodStatusName string, data string) (csiclient_v1.SecretProviderClassPodStatusInterface, error) {
+	logrus.Infof("Creating SecretProviderClassPodStatus")
+	secretProviderClassPodStatusClient := client.SecretsstoreV1().SecretProviderClassPodStatuses(namespace)
+	secretProviderClassPodStatus := GetSecretProviderClassPodStatus(namespace, secretProviderClassPodStatusName, data)
+	_, err := secretProviderClassPodStatusClient.Create(context.TODO(), secretProviderClassPodStatus, metav1.CreateOptions{})
+	TestSleep(3 * time.Second)
+	return secretProviderClassPodStatusClient, err
+}
+
 // CreateSecret creates a secret in given namespace and returns the SecretInterface
 func CreateSecret(client kubernetes.Interface, namespace string, secretName string, data string) (core_v1.SecretInterface, error) {
 	logrus.Infof("Creating secret")
 	secretClient := client.CoreV1().Secrets(namespace)
 	_, err := secretClient.Create(context.TODO(), GetSecret(namespace, secretName, data), metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return secretClient, err
 }

@@ -790,7 +904,27 @@ func CreateDeployment(client kubernetes.Interface, deploymentName string, namesp
 		deploymentObj = GetDeploymentWithEnvVars(namespace, deploymentName)
 	}
 	deployment, err := deploymentClient.Create(context.TODO(), deploymentObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
+	return deployment, err
+}
+
+// CreateDeployment creates a deployment in given namespace and returns the Deployment
+func CreateDeploymentWithAnnotations(client kubernetes.Interface, deploymentName string, namespace string, additionalAnnotations map[string]string, volumeMount bool) (*appsv1.Deployment, error) {
+	logrus.Infof("Creating Deployment")
+	deploymentClient := client.AppsV1().Deployments(namespace)
+	var deploymentObj *appsv1.Deployment
+	if volumeMount {
+		deploymentObj = GetDeployment(namespace, deploymentName)
+	} else {
+		deploymentObj = GetDeploymentWithEnvVars(namespace, deploymentName)
+	}
+
+	for annotationKey, annotationValue := range additionalAnnotations {
+		deploymentObj.Annotations[annotationKey] = annotationValue
+	}
+
+	deployment, err := deploymentClient.Create(context.TODO(), deploymentObj, metav1.CreateOptions{})
+	TestSleep(3 * time.Second)
 	return deployment, err
 }

@@ -805,7 +939,7 @@ func CreateDeploymentConfig(client appsclient.Interface, deploymentName string,
 		deploymentConfigObj = GetDeploymentConfigWithEnvVars(namespace, deploymentName)
 	}
 	deploymentConfig, err := deploymentConfigsClient.Create(context.TODO(), deploymentConfigObj, metav1.CreateOptions{})
-	time.Sleep(5 * time.Second)
+	TestSleep(5 * time.Second)
 	return deploymentConfig, err
 }

@@ -820,7 +954,7 @@ func CreateDeploymentWithInitContainer(client kubernetes.Interface, deploymentNa
 		deploymentObj = GetDeploymentWithInitContainerAndEnv(namespace, deploymentName)
 	}
 	deployment, err := deploymentClient.Create(context.TODO(), deploymentObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return deployment, err
 }

@@ -830,7 +964,7 @@ func CreateDeploymentWithEnvVarSource(client kubernetes.Interface, deploymentNam
 	deploymentClient := client.AppsV1().Deployments(namespace)
 	deploymentObj := GetDeploymentWithEnvVarSources(namespace, deploymentName)
 	deployment, err := deploymentClient.Create(context.TODO(), deploymentObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return deployment, err

 }
@@ -841,7 +975,7 @@ func CreateDeploymentWithPodAnnotations(client kubernetes.Interface, deploymentN
 	deploymentClient := client.AppsV1().Deployments(namespace)
 	deploymentObj := GetDeploymentWithPodAnnotations(namespace, deploymentName, both)
 	deployment, err := deploymentClient.Create(context.TODO(), deploymentObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return deployment, err
 }

@@ -853,7 +987,7 @@ func CreateDeploymentWithEnvVarSourceAndAnnotations(client kubernetes.Interface,
 	deploymentObj := GetDeploymentWithEnvVarSources(namespace, deploymentName)
 	deploymentObj.Annotations = annotations
 	deployment, err := deploymentClient.Create(context.TODO(), deploymentObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return deployment, err
 }

@@ -863,7 +997,7 @@ func CreateDeploymentWithTypedAutoAnnotation(client kubernetes.Interface, deploy
 	deploymentClient := client.AppsV1().Deployments(namespace)
 	deploymentObj := GetDeploymentWithTypedAutoAnnotation(namespace, deploymentName, resourceType)
 	deployment, err := deploymentClient.Create(context.TODO(), deploymentObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return deployment, err
 }

@@ -887,7 +1021,7 @@ func CreateDaemonSet(client kubernetes.Interface, daemonsetName string, namespac
 		daemonsetObj = GetDaemonSetWithEnvVars(namespace, daemonsetName)
 	}
 	daemonset, err := daemonsetClient.Create(context.TODO(), daemonsetObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return daemonset, err
 }

@@ -902,7 +1036,7 @@ func CreateStatefulSet(client kubernetes.Interface, statefulsetName string, name
 		statefulsetObj = GetStatefulSetWithEnvVar(namespace, statefulsetName)
 	}
 	statefulset, err := statefulsetClient.Create(context.TODO(), statefulsetObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return statefulset, err
 }

@@ -917,7 +1051,7 @@ func CreateCronJob(client kubernetes.Interface, cronJobName string, namespace st
 		cronJobObj = GetCronJobWithEnvVar(namespace, cronJobName)
 	}
 	cronJob, err := cronJobClient.Create(context.TODO(), cronJobObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return cronJob, err
 }

@@ -932,7 +1066,7 @@ func CreateJob(client kubernetes.Interface, jobName string, namespace string, vo
 		jobObj = GetJobWithEnvVar(namespace, jobName)
 	}
 	job, err := jobClient.Create(context.TODO(), jobObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return job, err
 }

@@ -940,7 +1074,7 @@ func CreateJob(client kubernetes.Interface, jobName string, namespace string, vo
 func DeleteDeployment(client kubernetes.Interface, namespace string, deploymentName string) error {
 	logrus.Infof("Deleting Deployment")
 	deploymentError := client.AppsV1().Deployments(namespace).Delete(context.TODO(), deploymentName, metav1.DeleteOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return deploymentError
 }

@@ -948,7 +1082,7 @@ func DeleteDeployment(client kubernetes.Interface, namespace string, deploymentN
 func DeleteDeploymentConfig(client appsclient.Interface, namespace string, deploymentConfigName string) error {
 	logrus.Infof("Deleting DeploymentConfig")
 	deploymentConfigError := client.AppsV1().DeploymentConfigs(namespace).Delete(context.TODO(), deploymentConfigName, metav1.DeleteOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return deploymentConfigError
 }

@@ -956,7 +1090,7 @@ func DeleteDeploymentConfig(client appsclient.Interface, namespace string, deplo
 func DeleteDaemonSet(client kubernetes.Interface, namespace string, daemonsetName string) error {
 	logrus.Infof("Deleting DaemonSet %s", daemonsetName)
 	daemonsetError := client.AppsV1().DaemonSets(namespace).Delete(context.TODO(), daemonsetName, metav1.DeleteOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return daemonsetError
 }

@@ -964,7 +1098,7 @@ func DeleteDaemonSet(client kubernetes.Interface, namespace string, daemonsetNam
 func DeleteStatefulSet(client kubernetes.Interface, namespace string, statefulsetName string) error {
 	logrus.Infof("Deleting StatefulSet %s", statefulsetName)
 	statefulsetError := client.AppsV1().StatefulSets(namespace).Delete(context.TODO(), statefulsetName, metav1.DeleteOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return statefulsetError
 }

@@ -972,7 +1106,7 @@ func DeleteStatefulSet(client kubernetes.Interface, namespace string, statefulse
 func DeleteCronJob(client kubernetes.Interface, namespace string, cronJobName string) error {
 	logrus.Infof("Deleting CronJob %s", cronJobName)
 	cronJobError := client.BatchV1().CronJobs(namespace).Delete(context.TODO(), cronJobName, metav1.DeleteOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return cronJobError
 }

@@ -980,7 +1114,7 @@ func DeleteCronJob(client kubernetes.Interface, namespace string, cronJobName st
 func DeleteJob(client kubernetes.Interface, namespace string, jobName string) error {
 	logrus.Infof("Deleting Job %s", jobName)
 	jobError := client.BatchV1().Jobs(namespace).Delete(context.TODO(), jobName, metav1.DeleteOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return jobError
 }

@@ -994,7 +1128,7 @@ func UpdateConfigMap(configmapClient core_v1.ConfigMapInterface, namespace strin
 		configmap = GetConfigmap(namespace, configmapName, data)
 	}
 	_, updateErr := configmapClient.Update(context.TODO(), configmap, metav1.UpdateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return updateErr
 }

@@ -1008,7 +1142,28 @@ func UpdateSecret(secretClient core_v1.SecretInterface, namespace string, secret
 		secret = GetSecret(namespace, secretName, data)
 	}
 	_, updateErr := secretClient.Update(context.TODO(), secret, metav1.UpdateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
+	return updateErr
+}
+
+// UpdateSecretProviderClassPodStatus updates a secretproviderclasspodstatus in given namespace and returns the error if any
+func UpdateSecretProviderClassPodStatus(spcpsClient csiclient_v1.SecretProviderClassPodStatusInterface, namespace string, spcpsName string, label string, data string) error {
+	logrus.Infof("Updating secretproviderclasspodstatus %q.\n", spcpsName)
+	updatedStatus := GetSecretProviderClassPodStatus(namespace, spcpsName, data).Status
+	secretproviderclasspodstatus, err := spcpsClient.Get(context.TODO(), spcpsName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+	secretproviderclasspodstatus.Status = updatedStatus
+	if label != "" {
+		labels := secretproviderclasspodstatus.Labels
+		if labels == nil {
+			labels = make(map[string]string)
+		}
+		labels["firstLabel"] = label
+	}
+	_, updateErr := spcpsClient.Update(context.TODO(), secretproviderclasspodstatus, metav1.UpdateOptions{})
+	TestSleep(3 * time.Second)
 	return updateErr
 }

@@ -1016,7 +1171,7 @@ func UpdateSecret(secretClient core_v1.SecretInterface, namespace string, secret
 func DeleteConfigMap(client kubernetes.Interface, namespace string, configmapName string) error {
 	logrus.Infof("Deleting configmap %q.\n", configmapName)
 	err := client.CoreV1().ConfigMaps(namespace).Delete(context.TODO(), configmapName, metav1.DeleteOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return err
 }

@@ -1024,7 +1179,23 @@ func DeleteConfigMap(client kubernetes.Interface, namespace string, configmapNam
 func DeleteSecret(client kubernetes.Interface, namespace string, secretName string) error {
 	logrus.Infof("Deleting secret %q.\n", secretName)
 	err := client.CoreV1().Secrets(namespace).Delete(context.TODO(), secretName, metav1.DeleteOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
+	return err
+}
+
+// DeleteSecretProviderClass deletes a secretproviderclass in given namespace and returns the error if any
+func DeleteSecretProviderClass(client csiclient.Interface, namespace string, secretProviderClassName string) error {
+	logrus.Infof("Deleting secretproviderclass %q.\n", secretProviderClassName)
+	err := client.SecretsstoreV1().SecretProviderClasses(namespace).Delete(context.TODO(), secretProviderClassName, metav1.DeleteOptions{})
+	TestSleep(3 * time.Second)
+	return err
+}
+
+// DeleteSecretProviderClassPodStatus deletes a secretproviderclasspodstatus in given namespace and returns the error if any
+func DeleteSecretProviderClassPodStatus(client csiclient.Interface, namespace string, secretProviderClassPodStatusName string) error {
+	logrus.Infof("Deleting secretproviderclasspodstatus %q.\n", secretProviderClassPodStatusName)
+	err := client.SecretsstoreV1().SecretProviderClassPodStatuses(namespace).Delete(context.TODO(), secretProviderClassPodStatusName, metav1.DeleteOptions{})
+	TestSleep(3 * time.Second)
 	return err
 }

@@ -1038,7 +1209,7 @@ func RandSeq(n int) string {
 }

 // VerifyResourceEnvVarUpdate verifies whether the rolling upgrade happened or not
-func VerifyResourceEnvVarUpdate(clients kube.Clients, config util.Config, envVarPostfix string, upgradeFuncs callbacks.RollingUpgradeFuncs) bool {
+func VerifyResourceEnvVarUpdate(clients kube.Clients, config common.Config, envVarPostfix string, upgradeFuncs callbacks.RollingUpgradeFuncs) bool {
 	items := upgradeFuncs.ItemsFunc(clients, config.Namespace)
 	for _, i := range items {
 		containers := upgradeFuncs.ContainersFunc(i)
@@ -1084,7 +1255,7 @@ func VerifyResourceEnvVarUpdate(clients kube.Clients, config util.Config, envVar
 }

 // VerifyResourceEnvVarRemoved verifies whether the rolling upgrade happened or not and all Envvars SKAKATER_name_CONFIGMAP/SECRET are removed
-func VerifyResourceEnvVarRemoved(clients kube.Clients, config util.Config, envVarPostfix string, upgradeFuncs callbacks.RollingUpgradeFuncs) bool {
+func VerifyResourceEnvVarRemoved(clients kube.Clients, config common.Config, envVarPostfix string, upgradeFuncs callbacks.RollingUpgradeFuncs) bool {
 	items := upgradeFuncs.ItemsFunc(clients, config.Namespace)
 	for _, i := range items {
 		containers := upgradeFuncs.ContainersFunc(i)
@@ -1133,7 +1304,7 @@ func VerifyResourceEnvVarRemoved(clients kube.Clients, config util.Config, envVa
 }

 // VerifyResourceAnnotationUpdate verifies whether the rolling upgrade happened or not
-func VerifyResourceAnnotationUpdate(clients kube.Clients, config util.Config, upgradeFuncs callbacks.RollingUpgradeFuncs) bool {
+func VerifyResourceAnnotationUpdate(clients kube.Clients, config common.Config, upgradeFuncs callbacks.RollingUpgradeFuncs) bool {
 	items := upgradeFuncs.ItemsFunc(clients, config.Namespace)
 	for _, i := range items {
 		podAnnotations := upgradeFuncs.PodAnnotationsFunc(i)
@@ -1178,14 +1349,18 @@ func VerifyResourceAnnotationUpdate(clients kube.Clients, config util.Config, up
 }

 func GetSHAfromEmptyData() string {
-	return crypto.GenerateSHA("")
+	// Use a special marker that represents "deleted" or "empty" state
+	// This ensures we have a distinct, deterministic hash for the delete strategy
+	// Note: We could use GenerateSHA("") which now returns a hash, but using a marker
+	// makes the intent clearer and avoids potential confusion with actual empty data
+	return crypto.GenerateSHA("__RELOADER_EMPTY_DELETE_MARKER__")
 }

 // GetRollout provides rollout for testing
 func GetRollout(namespace string, rolloutName string, annotations map[string]string) *argorolloutv1alpha1.Rollout {
 	replicaset := int32(1)
 	return &argorolloutv1alpha1.Rollout{
-		ObjectMeta: getObjectMeta(namespace, rolloutName, false, false, false, annotations),
+		ObjectMeta: getObjectMeta(namespace, rolloutName, false, false, false, false, annotations),
 		Spec: argorolloutv1alpha1.RolloutSpec{
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"secondLabel": "temp"},
@@ -1202,6 +1377,6 @@ func CreateRollout(client argorollout.Interface, rolloutName string, namespace s
 	rolloutClient := client.ArgoprojV1alpha1().Rollouts(namespace)
 	rolloutObj := GetRollout(namespace, rolloutName, annotations)
 	rollout, err := rolloutClient.Create(context.TODO(), rolloutObj, metav1.CreateOptions{})
-	time.Sleep(3 * time.Second)
+	TestSleep(3 * time.Second)
 	return rollout, err
 }
--- a/internal/pkg/util/util.go
+++ b/internal/pkg/util/util.go
@@ -3,11 +3,17 @@ package util
 import (
 	"bytes"
 	"encoding/base64"
+	"errors"
+	"fmt"
 	"sort"
 	"strings"

+	"github.com/spf13/cobra"
+	"github.com/stakater/Reloader/internal/pkg/constants"
 	"github.com/stakater/Reloader/internal/pkg/crypto"
+	"github.com/stakater/Reloader/internal/pkg/options"
 	v1 "k8s.io/api/core/v1"
+	csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 )

 // ConvertToEnvVarName converts the given text into a usable env var
@@ -52,9 +58,17 @@ func GetSHAfromSecret(data map[string][]byte) string {
 	return crypto.GenerateSHA(strings.Join(values, ";"))
 }

-type List []string
+func GetSHAfromSecretProviderClassPodStatus(data csiv1.SecretProviderClassPodStatusStatus) string {
+	values := []string{}
+	for _, v := range data.Objects {
+		values = append(values, v.ID+"="+v.Version)
+	}
+	values = append(values, "SecretProviderClassName="+data.SecretProviderClassName)
+	sort.Strings(values)
+	return crypto.GenerateSHA(strings.Join(values, ";"))
+}

-type Map map[string]string
+type List []string

 func (l *List) Contains(s string) bool {
 	for _, v := range *l {
@@ -64,3 +78,63 @@ func (l *List) Contains(s string) bool {
 	}
 	return false
 }
+
+func ConfigureReloaderFlags(cmd *cobra.Command) {
+	cmd.PersistentFlags().BoolVar(&options.AutoReloadAll, "auto-reload-all", false, "Auto reload all resources")
+	cmd.PersistentFlags().StringVar(&options.ConfigmapUpdateOnChangeAnnotation, "configmap-annotation", "configmap.reloader.stakater.com/reload", "annotation to detect changes in configmaps, specified by name")
+	cmd.PersistentFlags().StringVar(&options.SecretUpdateOnChangeAnnotation, "secret-annotation", "secret.reloader.stakater.com/reload", "annotation to detect changes in secrets, specified by name")
+	cmd.PersistentFlags().StringVar(&options.ReloaderAutoAnnotation, "auto-annotation", "reloader.stakater.com/auto", "annotation to detect changes in secrets/configmaps")
+	cmd.PersistentFlags().StringVar(&options.ConfigmapReloaderAutoAnnotation, "configmap-auto-annotation", "configmap.reloader.stakater.com/auto", "annotation to detect changes in configmaps")
+	cmd.PersistentFlags().StringVar(&options.SecretReloaderAutoAnnotation, "secret-auto-annotation", "secret.reloader.stakater.com/auto", "annotation to detect changes in secrets")
+	cmd.PersistentFlags().StringVar(&options.AutoSearchAnnotation, "auto-search-annotation", "reloader.stakater.com/search", "annotation to detect changes in configmaps or secrets tagged with special match annotation")
+	cmd.PersistentFlags().StringVar(&options.SearchMatchAnnotation, "search-match-annotation", "reloader.stakater.com/match", "annotation to mark secrets or configmaps to match the search")
+	cmd.PersistentFlags().StringVar(&options.PauseDeploymentAnnotation, "pause-deployment-annotation", "deployment.reloader.stakater.com/pause-period", "annotation to define the time period to pause a deployment after a configmap/secret change has been detected")
+	cmd.PersistentFlags().StringVar(&options.PauseDeploymentTimeAnnotation, "pause-deployment-time-annotation", "deployment.reloader.stakater.com/paused-at", "annotation to indicate when a deployment was paused by Reloader")
+	cmd.PersistentFlags().StringVar(&options.LogFormat, "log-format", "", "Log format to use (empty string for text, or JSON)")
+	cmd.PersistentFlags().StringVar(&options.LogLevel, "log-level", "info", "Log level to use (trace, debug, info, warning, error, fatal and panic)")
+	cmd.PersistentFlags().StringVar(&options.WebhookUrl, "webhook-url", "", "webhook to trigger instead of performing a reload")
+	cmd.PersistentFlags().StringSliceVar(&options.ResourcesToIgnore, "resources-to-ignore", options.ResourcesToIgnore, "list of resources to ignore (valid options 'configMaps' or 'secrets')")
+	cmd.PersistentFlags().StringSliceVar(&options.WorkloadTypesToIgnore, "ignored-workload-types", options.WorkloadTypesToIgnore, "list of workload types to ignore (valid options: 'jobs', 'cronjobs', or both)")
+	cmd.PersistentFlags().StringSliceVar(&options.NamespacesToIgnore, "namespaces-to-ignore", options.NamespacesToIgnore, "list of namespaces to ignore")
+	cmd.PersistentFlags().StringSliceVar(&options.NamespaceSelectors, "namespace-selector", options.NamespaceSelectors, "list of key:value labels to filter on for namespaces")
+	cmd.PersistentFlags().StringSliceVar(&options.ResourceSelectors, "resource-label-selector", options.ResourceSelectors, "list of key:value labels to filter on for configmaps and secrets")
+	cmd.PersistentFlags().StringVar(&options.IsArgoRollouts, "is-Argo-Rollouts", "false", "Add support for argo rollouts")
+	cmd.PersistentFlags().StringVar(&options.ReloadStrategy, constants.ReloadStrategyFlag, constants.EnvVarsReloadStrategy, "Specifies the desired reload strategy")
+	cmd.PersistentFlags().StringVar(&options.ReloadOnCreate, "reload-on-create", "false", "Add support to watch create events")
+	cmd.PersistentFlags().StringVar(&options.ReloadOnDelete, "reload-on-delete", "false", "Add support to watch delete events")
+	cmd.PersistentFlags().BoolVar(&options.EnableHA, "enable-ha", false, "Adds support for running multiple replicas via leadership election")
+	cmd.PersistentFlags().BoolVar(&options.SyncAfterRestart, "sync-after-restart", false, "Sync add events after reloader restarts")
+	cmd.PersistentFlags().BoolVar(&options.EnablePProf, "enable-pprof", false, "Enable pprof for profiling")
+	cmd.PersistentFlags().StringVar(&options.PProfAddr, "pprof-addr", ":6060", "Address to start pprof server on. Default is :6060")
+	cmd.PersistentFlags().BoolVar(&options.EnableCSIIntegration, "enable-csi-integration", false, "Enables CSI integration. Default is :false")
+}
+
+func GetIgnoredResourcesList() (List, error) {
+
+	ignoredResourcesList := options.ResourcesToIgnore // getStringSliceFromFlags(cmd, "resources-to-ignore")
+
+	for _, v := range ignoredResourcesList {
+		if v != "configMaps" && v != "secrets" {
+			return nil, fmt.Errorf("'resources-to-ignore' only accepts 'configMaps' or 'secrets', not '%s'", v)
+		}
+	}
+
+	if len(ignoredResourcesList) > 1 {
+		return nil, errors.New("'resources-to-ignore' only accepts 'configMaps' or 'secrets', not both")
+	}
+
+	return ignoredResourcesList, nil
+}
+
+func GetIgnoredWorkloadTypesList() (List, error) {
+
+	ignoredWorkloadTypesList := options.WorkloadTypesToIgnore
+
+	for _, v := range ignoredWorkloadTypesList {
+		if v != "jobs" && v != "cronjobs" {
+			return nil, fmt.Errorf("'ignored-workload-types' accepts 'jobs', 'cronjobs', or both, not '%s'", v)
+		}
+	}
+
+	return ignoredWorkloadTypesList, nil
+}
--- a/internal/pkg/util/util_test.go
+++ b/internal/pkg/util/util_test.go
@@ -3,6 +3,7 @@ package util
 import (
 	"testing"

+	"github.com/stakater/Reloader/internal/pkg/options"
 	v1 "k8s.io/api/core/v1"
 )

@@ -45,3 +46,141 @@ func TestGetHashFromConfigMap(t *testing.T) {
 		}
 	}
 }
+
+func TestGetIgnoredWorkloadTypesList(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name          string
+		workloadTypes []string
+		expectError   bool
+		expected      []string
+	}{
+		{
+			name:          "Both jobs and cronjobs",
+			workloadTypes: []string{"jobs", "cronjobs"},
+			expectError:   false,
+			expected:      []string{"jobs", "cronjobs"},
+		},
+		{
+			name:          "Only jobs",
+			workloadTypes: []string{"jobs"},
+			expectError:   false,
+			expected:      []string{"jobs"},
+		},
+		{
+			name:          "Only cronjobs",
+			workloadTypes: []string{"cronjobs"},
+			expectError:   false,
+			expected:      []string{"cronjobs"},
+		},
+		{
+			name:          "Empty list",
+			workloadTypes: []string{},
+			expectError:   false,
+			expected:      []string{},
+		},
+		{
+			name:          "Invalid workload type",
+			workloadTypes: []string{"invalid"},
+			expectError:   true,
+			expected:      nil,
+		},
+		{
+			name:          "Mixed valid and invalid",
+			workloadTypes: []string{"jobs", "invalid"},
+			expectError:   true,
+			expected:      nil,
+		},
+		{
+			name:          "Duplicate values",
+			workloadTypes: []string{"jobs", "jobs"},
+			expectError:   false,
+			expected:      []string{"jobs", "jobs"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the global option
+			options.WorkloadTypesToIgnore = tt.workloadTypes
+
+			result, err := GetIgnoredWorkloadTypesList()
+
+			if tt.expectError && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error but got: %v", err)
+			}
+
+			if !tt.expectError {
+				if len(result) != len(tt.expected) {
+					t.Errorf("Expected %v, got %v", tt.expected, result)
+					return
+				}
+
+				for i, expected := range tt.expected {
+					if i >= len(result) || result[i] != expected {
+						t.Errorf("Expected %v, got %v", tt.expected, result)
+						break
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestListContains(t *testing.T) {
+	tests := []struct {
+		name     string
+		list     List
+		item     string
+		expected bool
+	}{
+		{
+			name:     "List contains item",
+			list:     List{"jobs", "cronjobs"},
+			item:     "jobs",
+			expected: true,
+		},
+		{
+			name:     "List does not contain item",
+			list:     List{"jobs"},
+			item:     "cronjobs",
+			expected: false,
+		},
+		{
+			name:     "Empty list",
+			list:     List{},
+			item:     "jobs",
+			expected: false,
+		},
+		{
+			name:     "Case sensitive matching",
+			list:     List{"jobs", "cronjobs"},
+			item:     "Jobs",
+			expected: false,
+		},
+		{
+			name:     "Multiple occurrences",
+			list:     List{"jobs", "jobs", "cronjobs"},
+			item:     "jobs",
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.list.Contains(tt.item)
+			if result != tt.expected {
+				t.Errorf("Expected %v, got %v", tt.expected, result)
+			}
+		})
+	}
+}
--- a/pkg/common/common.go
+++ b/pkg/common/common.go
@@ -0,0 +1,376 @@
+package common
+
+import (
+	"context"
+	"os"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stakater/Reloader/internal/pkg/constants"
+	"github.com/stakater/Reloader/internal/pkg/options"
+	"github.com/stakater/Reloader/internal/pkg/util"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/kubernetes"
+)
+
+type Map map[string]string
+
+type ReloadCheckResult struct {
+	ShouldReload bool
+	AutoReload   bool
+}
+
+// ReloaderOptions contains all configurable options for the Reloader controller.
+// These options control how Reloader behaves when watching for changes in ConfigMaps and Secrets.
+type ReloaderOptions struct {
+	// AutoReloadAll enables automatic reloading of all resources when their corresponding ConfigMaps/Secrets are updated
+	AutoReloadAll bool `json:"autoReloadAll"`
+	// ConfigmapUpdateOnChangeAnnotation is the annotation key used to detect changes in ConfigMaps specified by name
+	ConfigmapUpdateOnChangeAnnotation string `json:"configmapUpdateOnChangeAnnotation"`
+	// SecretUpdateOnChangeAnnotation is the annotation key used to detect changes in Secrets specified by name
+	SecretUpdateOnChangeAnnotation string `json:"secretUpdateOnChangeAnnotation"`
+	// SecretProviderClassUpdateOnChangeAnnotation is the annotation key used to detect changes in SecretProviderClasses specified by name
+	SecretProviderClassUpdateOnChangeAnnotation string `json:"secretProviderClassUpdateOnChangeAnnotation"`
+	// ReloaderAutoAnnotation is the annotation key used to detect changes in any referenced ConfigMaps or Secrets
+	ReloaderAutoAnnotation string `json:"reloaderAutoAnnotation"`
+	// IgnoreResourceAnnotation is the annotation key used to ignore resources from being watched
+	IgnoreResourceAnnotation string `json:"ignoreResourceAnnotation"`
+	// ConfigmapReloaderAutoAnnotation is the annotation key used to detect changes in ConfigMaps only
+	ConfigmapReloaderAutoAnnotation string `json:"configmapReloaderAutoAnnotation"`
+	// SecretReloaderAutoAnnotation is the annotation key used to detect changes in Secrets only
+	SecretReloaderAutoAnnotation string `json:"secretReloaderAutoAnnotation"`
+	// SecretProviderClassReloaderAutoAnnotation is the annotation key used to detect changes in SecretProviderClasses only
+	SecretProviderClassReloaderAutoAnnotation string `json:"secretProviderClassReloaderAutoAnnotation"`
+	// ConfigmapExcludeReloaderAnnotation is the annotation key containing comma-separated list of ConfigMaps to exclude from watching
+	ConfigmapExcludeReloaderAnnotation string `json:"configmapExcludeReloaderAnnotation"`
+	// SecretExcludeReloaderAnnotation is the annotation key containing comma-separated list of Secrets to exclude from watching
+	SecretExcludeReloaderAnnotation string `json:"secretExcludeReloaderAnnotation"`
+	// SecretProviderClassExcludeReloaderAnnotation is the annotation key containing comma-separated list of SecretProviderClasses to exclude from watching
+	SecretProviderClassExcludeReloaderAnnotation string `json:"secretProviderClassExcludeReloaderAnnotation"`
+	// AutoSearchAnnotation is the annotation key used to detect changes in ConfigMaps/Secrets tagged with SearchMatchAnnotation
+	AutoSearchAnnotation string `json:"autoSearchAnnotation"`
+	// SearchMatchAnnotation is the annotation key used to tag ConfigMaps/Secrets to be found by AutoSearchAnnotation
+	SearchMatchAnnotation string `json:"searchMatchAnnotation"`
+	// RolloutStrategyAnnotation is the annotation key used to define the rollout update strategy for workloads
+	RolloutStrategyAnnotation string `json:"rolloutStrategyAnnotation"`
+	// PauseDeploymentAnnotation is the annotation key used to define the time period to pause a deployment after
+	PauseDeploymentAnnotation string `json:"pauseDeploymentAnnotation"`
+	// PauseDeploymentTimeAnnotation is the annotation key used to indicate when a deployment was paused by Reloader
+	PauseDeploymentTimeAnnotation string `json:"pauseDeploymentTimeAnnotation"`
+
+	// LogFormat specifies the log format to use (json, or empty string for default text format)
+	LogFormat string `json:"logFormat"`
+	// LogLevel specifies the log level to use (trace, debug, info, warning, error, fatal, panic)
+	LogLevel string `json:"logLevel"`
+	// IsArgoRollouts indicates whether support for Argo Rollouts is enabled
+	IsArgoRollouts bool `json:"isArgoRollouts"`
+	// ReloadStrategy specifies the strategy used to trigger resource reloads (env-vars or annotations)
+	ReloadStrategy string `json:"reloadStrategy"`
+	// ReloadOnCreate indicates whether to trigger reloads when ConfigMaps/Secrets are created
+	ReloadOnCreate bool `json:"reloadOnCreate"`
+	// ReloadOnDelete indicates whether to trigger reloads when ConfigMaps/Secrets are deleted
+	ReloadOnDelete bool `json:"reloadOnDelete"`
+	// SyncAfterRestart indicates whether to sync add events after Reloader restarts (only works when ReloadOnCreate is true)
+	SyncAfterRestart bool `json:"syncAfterRestart"`
+	// EnableHA indicates whether High Availability mode is enabled with leader election
+	EnableHA bool `json:"enableHA"`
+	// EnableCSIIntegration indicates whether CSI integration is enabled to watch SecretProviderClassPodStatus
+	EnableCSIIntegration bool `json:"enableCSIIntegration"`
+	// WebhookUrl is the URL to send webhook notifications to instead of performing reloads
+	WebhookUrl string `json:"webhookUrl"`
+	// ResourcesToIgnore is a list of resource types to ignore (e.g., "configmaps" or "secrets")
+	ResourcesToIgnore []string `json:"resourcesToIgnore"`
+	// WorkloadTypesToIgnore is a list of workload types to ignore (e.g., "jobs" or "cronjobs")
+	WorkloadTypesToIgnore []string `json:"workloadTypesToIgnore"`
+	// NamespaceSelectors is a list of label selectors to filter namespaces to watch
+	NamespaceSelectors []string `json:"namespaceSelectors"`
+	// ResourceSelectors is a list of label selectors to filter ConfigMaps and Secrets to watch
+	ResourceSelectors []string `json:"resourceSelectors"`
+	// NamespacesToIgnore is a list of namespace names to ignore when watching for changes
+	NamespacesToIgnore []string `json:"namespacesToIgnore"`
+	// EnablePProf enables pprof for profiling
+	EnablePProf bool `json:"enablePProf"`
+	// PProfAddr is the address to start pprof server on
+	PProfAddr string `json:"pprofAddr"`
+}
+
+var CommandLineOptions *ReloaderOptions
+
+func PublishMetaInfoConfigmap(clientset kubernetes.Interface) {
+	namespace := os.Getenv("RELOADER_NAMESPACE")
+	if namespace == "" {
+		logrus.Warn("RELOADER_NAMESPACE is not set, skipping meta info configmap creation")
+		return
+	}
+
+	metaInfo := &MetaInfo{
+		BuildInfo:       *NewBuildInfo(),
+		ReloaderOptions: *GetCommandLineOptions(),
+		DeploymentInfo: metav1.ObjectMeta{
+			Name:      os.Getenv("RELOADER_DEPLOYMENT_NAME"),
+			Namespace: namespace,
+		},
+	}
+
+	configMap := metaInfo.ToConfigMap()
+
+	if _, err := clientset.CoreV1().ConfigMaps(namespace).Get(context.Background(), configMap.Name, metav1.GetOptions{}); err == nil {
+		logrus.Info("Meta info configmap already exists, updating it")
+		_, err = clientset.CoreV1().ConfigMaps(namespace).Update(context.Background(), configMap, metav1.UpdateOptions{})
+		if err != nil {
+			logrus.Warn("Failed to update existing meta info configmap: ", err)
+		}
+		return
+	}
+
+	_, err := clientset.CoreV1().ConfigMaps(namespace).Create(context.Background(), configMap, metav1.CreateOptions{})
+	if err != nil {
+		logrus.Warn("Failed to create meta info configmap: ", err)
+	}
+}
+
+func GetNamespaceLabelSelector(slice []string) (string, error) {
+	for i, kv := range slice {
+		// Legacy support for ":" as a delimiter and "*" for wildcard.
+		if strings.Contains(kv, ":") {
+			split := strings.Split(kv, ":")
+			if split[1] == "*" {
+				slice[i] = split[0]
+			} else {
+				slice[i] = split[0] + "=" + split[1]
+			}
+		}
+		// Convert wildcard to valid apimachinery operator
+		if strings.Contains(kv, "=") {
+			split := strings.Split(kv, "=")
+			if split[1] == "*" {
+				slice[i] = split[0]
+			}
+		}
+	}
+
+	namespaceLabelSelector := strings.Join(slice[:], ",")
+	_, err := labels.Parse(namespaceLabelSelector)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	return namespaceLabelSelector, nil
+}
+
+func GetResourceLabelSelector(slice []string) (string, error) {
+	for i, kv := range slice {
+		// Legacy support for ":" as a delimiter and "*" for wildcard.
+		if strings.Contains(kv, ":") {
+			split := strings.Split(kv, ":")
+			if split[1] == "*" {
+				slice[i] = split[0]
+			} else {
+				slice[i] = split[0] + "=" + split[1]
+			}
+		}
+		// Convert wildcard to valid apimachinery operator
+		if strings.Contains(kv, "=") {
+			split := strings.Split(kv, "=")
+			if split[1] == "*" {
+				slice[i] = split[0]
+			}
+		}
+	}
+
+	resourceLabelSelector := strings.Join(slice[:], ",")
+	_, err := labels.Parse(resourceLabelSelector)
+	if err != nil {
+		logrus.Fatal(err)
+	}
+
+	return resourceLabelSelector, nil
+}
+
+// ShouldReload checks if a resource should be reloaded based on its annotations and the provided options.
+func ShouldReload(config Config, resourceType string, annotations Map, podAnnotations Map, options *ReloaderOptions) ReloadCheckResult {
+
+	// Check if this workload type should be ignored
+	if len(options.WorkloadTypesToIgnore) > 0 {
+		ignoredWorkloadTypes, err := util.GetIgnoredWorkloadTypesList()
+		if err != nil {
+			logrus.Errorf("Failed to parse ignored workload types: %v", err)
+		} else {
+			// Map Kubernetes resource types to CLI-friendly names for comparison
+			var resourceToCheck string
+			switch resourceType {
+			case "Job":
+				resourceToCheck = "jobs"
+			case "CronJob":
+				resourceToCheck = "cronjobs"
+			default:
+				resourceToCheck = resourceType // For other types, use as-is
+			}
+
+			// Check if current resource type should be ignored
+			if ignoredWorkloadTypes.Contains(resourceToCheck) {
+				return ReloadCheckResult{
+					ShouldReload: false,
+				}
+			}
+		}
+	}
+
+	ignoreResourceAnnotatonValue := config.ResourceAnnotations[options.IgnoreResourceAnnotation]
+	if ignoreResourceAnnotatonValue == "true" {
+		return ReloadCheckResult{
+			ShouldReload: false,
+		}
+	}
+
+	annotationValue, found := annotations[config.Annotation]
+	searchAnnotationValue, foundSearchAnn := annotations[options.AutoSearchAnnotation]
+	reloaderEnabledValue, foundAuto := annotations[options.ReloaderAutoAnnotation]
+	typedAutoAnnotationEnabledValue, foundTypedAuto := annotations[config.TypedAutoAnnotation]
+	excludeConfigmapAnnotationValue, foundExcludeConfigmap := annotations[options.ConfigmapExcludeReloaderAnnotation]
+	excludeSecretAnnotationValue, foundExcludeSecret := annotations[options.SecretExcludeReloaderAnnotation]
+	excludeSecretProviderClassProviderAnnotationValue, foundExcludeSecretProviderClass := annotations[options.SecretProviderClassExcludeReloaderAnnotation]
+
+	if !found && !foundAuto && !foundTypedAuto && !foundSearchAnn {
+		annotations = podAnnotations
+		annotationValue = annotations[config.Annotation]
+		searchAnnotationValue = annotations[options.AutoSearchAnnotation]
+		reloaderEnabledValue = annotations[options.ReloaderAutoAnnotation]
+		typedAutoAnnotationEnabledValue = annotations[config.TypedAutoAnnotation]
+	}
+
+	isResourceExcluded := false
+
+	switch config.Type {
+	case constants.ConfigmapEnvVarPostfix:
+		if foundExcludeConfigmap {
+			isResourceExcluded = checkIfResourceIsExcluded(config.ResourceName, excludeConfigmapAnnotationValue)
+		}
+	case constants.SecretEnvVarPostfix:
+		if foundExcludeSecret {
+			isResourceExcluded = checkIfResourceIsExcluded(config.ResourceName, excludeSecretAnnotationValue)
+		}
+
+	case constants.SecretProviderClassEnvVarPostfix:
+		if foundExcludeSecretProviderClass {
+			isResourceExcluded = checkIfResourceIsExcluded(config.ResourceName, excludeSecretProviderClassProviderAnnotationValue)
+		}
+	}
+
+	if isResourceExcluded {
+		return ReloadCheckResult{
+			ShouldReload: false,
+		}
+	}
+
+	values := strings.Split(annotationValue, ",")
+	for _, value := range values {
+		value = strings.TrimSpace(value)
+		re := regexp.MustCompile("^" + value + "$")
+		if re.Match([]byte(config.ResourceName)) {
+			return ReloadCheckResult{
+				ShouldReload: true,
+				AutoReload:   false,
+			}
+		}
+	}
+
+	if searchAnnotationValue == "true" {
+		matchAnnotationValue := config.ResourceAnnotations[options.SearchMatchAnnotation]
+		if matchAnnotationValue == "true" {
+			return ReloadCheckResult{
+				ShouldReload: true,
+				AutoReload:   true,
+			}
+		}
+	}
+
+	reloaderEnabled, _ := strconv.ParseBool(reloaderEnabledValue)
+	typedAutoAnnotationEnabled, _ := strconv.ParseBool(typedAutoAnnotationEnabledValue)
+	if reloaderEnabled || typedAutoAnnotationEnabled || reloaderEnabledValue == "" && typedAutoAnnotationEnabledValue == "" && options.AutoReloadAll {
+		return ReloadCheckResult{
+			ShouldReload: true,
+			AutoReload:   true,
+		}
+	}
+
+	return ReloadCheckResult{
+		ShouldReload: false,
+	}
+}
+
+func checkIfResourceIsExcluded(resourceName, excludedResources string) bool {
+	if excludedResources == "" {
+		return false
+	}
+
+	excludedResourcesList := strings.Split(excludedResources, ",")
+	for _, excludedResource := range excludedResourcesList {
+		if strings.TrimSpace(excludedResource) == resourceName {
+			return true
+		}
+	}
+
+	return false
+}
+
+func init() {
+	GetCommandLineOptions()
+}
+
+func GetCommandLineOptions() *ReloaderOptions {
+	if CommandLineOptions == nil {
+		CommandLineOptions = &ReloaderOptions{}
+	}
+
+	CommandLineOptions.AutoReloadAll = options.AutoReloadAll
+	CommandLineOptions.ConfigmapUpdateOnChangeAnnotation = options.ConfigmapUpdateOnChangeAnnotation
+	CommandLineOptions.SecretUpdateOnChangeAnnotation = options.SecretUpdateOnChangeAnnotation
+	CommandLineOptions.SecretProviderClassUpdateOnChangeAnnotation = options.SecretProviderClassUpdateOnChangeAnnotation
+	CommandLineOptions.ReloaderAutoAnnotation = options.ReloaderAutoAnnotation
+	CommandLineOptions.IgnoreResourceAnnotation = options.IgnoreResourceAnnotation
+	CommandLineOptions.ConfigmapReloaderAutoAnnotation = options.ConfigmapReloaderAutoAnnotation
+	CommandLineOptions.SecretReloaderAutoAnnotation = options.SecretReloaderAutoAnnotation
+	CommandLineOptions.SecretProviderClassReloaderAutoAnnotation = options.SecretProviderClassReloaderAutoAnnotation
+	CommandLineOptions.ConfigmapExcludeReloaderAnnotation = options.ConfigmapExcludeReloaderAnnotation
+	CommandLineOptions.SecretExcludeReloaderAnnotation = options.SecretExcludeReloaderAnnotation
+	CommandLineOptions.SecretProviderClassExcludeReloaderAnnotation = options.SecretProviderClassExcludeReloaderAnnotation
+	CommandLineOptions.AutoSearchAnnotation = options.AutoSearchAnnotation
+	CommandLineOptions.SearchMatchAnnotation = options.SearchMatchAnnotation
+	CommandLineOptions.RolloutStrategyAnnotation = options.RolloutStrategyAnnotation
+	CommandLineOptions.PauseDeploymentAnnotation = options.PauseDeploymentAnnotation
+	CommandLineOptions.PauseDeploymentTimeAnnotation = options.PauseDeploymentTimeAnnotation
+	CommandLineOptions.LogFormat = options.LogFormat
+	CommandLineOptions.LogLevel = options.LogLevel
+	CommandLineOptions.ReloadStrategy = options.ReloadStrategy
+	CommandLineOptions.SyncAfterRestart = options.SyncAfterRestart
+	CommandLineOptions.EnableHA = options.EnableHA
+	CommandLineOptions.EnableCSIIntegration = options.EnableCSIIntegration
+	CommandLineOptions.WebhookUrl = options.WebhookUrl
+	CommandLineOptions.ResourcesToIgnore = options.ResourcesToIgnore
+	CommandLineOptions.WorkloadTypesToIgnore = options.WorkloadTypesToIgnore
+	CommandLineOptions.NamespaceSelectors = options.NamespaceSelectors
+	CommandLineOptions.ResourceSelectors = options.ResourceSelectors
+	CommandLineOptions.NamespacesToIgnore = options.NamespacesToIgnore
+	CommandLineOptions.IsArgoRollouts = parseBool(options.IsArgoRollouts)
+	CommandLineOptions.ReloadOnCreate = parseBool(options.ReloadOnCreate)
+	CommandLineOptions.ReloadOnDelete = parseBool(options.ReloadOnDelete)
+	CommandLineOptions.EnablePProf = options.EnablePProf
+	CommandLineOptions.PProfAddr = options.PProfAddr
+
+	return CommandLineOptions
+}
+
+func parseBool(value string) bool {
+	if value == "" {
+		return false
+	}
+	result, err := strconv.ParseBool(value)
+	if err != nil {
+		return false // Default to false if parsing fails
+	}
+	return result
+}
--- a/pkg/common/common_test.go
+++ b/pkg/common/common_test.go
@@ -0,0 +1,224 @@
+package common
+
+import (
+	"testing"
+
+	"github.com/stakater/Reloader/internal/pkg/options"
+)
+
+func TestShouldReload_IgnoredWorkloadTypes(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name                 string
+		ignoredWorkloadTypes []string
+		resourceType         string
+		shouldReload         bool
+		description          string
+	}{
+		{
+			name:                 "Jobs ignored - Job should not reload",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "Job",
+			shouldReload:         false,
+			description:          "When jobs are ignored, Job resources should not be reloaded",
+		},
+		{
+			name:                 "Jobs ignored - CronJob should reload",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "CronJob",
+			shouldReload:         true,
+			description:          "When jobs are ignored, CronJob resources should still be processed",
+		},
+		{
+			name:                 "CronJobs ignored - CronJob should not reload",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "CronJob",
+			shouldReload:         false,
+			description:          "When cronjobs are ignored, CronJob resources should not be reloaded",
+		},
+		{
+			name:                 "CronJobs ignored - Job should reload",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "Job",
+			shouldReload:         true,
+			description:          "When cronjobs are ignored, Job resources should still be processed",
+		},
+		{
+			name:                 "Both ignored - Job should not reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Job",
+			shouldReload:         false,
+			description:          "When both are ignored, Job resources should not be reloaded",
+		},
+		{
+			name:                 "Both ignored - CronJob should not reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "CronJob",
+			shouldReload:         false,
+			description:          "When both are ignored, CronJob resources should not be reloaded",
+		},
+		{
+			name:                 "Both ignored - Deployment should reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Deployment",
+			shouldReload:         true,
+			description:          "When both are ignored, other workload types should still be processed",
+		},
+		{
+			name:                 "None ignored - Job should reload",
+			ignoredWorkloadTypes: []string{},
+			resourceType:         "Job",
+			shouldReload:         true,
+			description:          "When nothing is ignored, all workload types should be processed",
+		},
+		{
+			name:                 "None ignored - CronJob should reload",
+			ignoredWorkloadTypes: []string{},
+			resourceType:         "CronJob",
+			shouldReload:         true,
+			description:          "When nothing is ignored, all workload types should be processed",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the ignored workload types
+			options.WorkloadTypesToIgnore = tt.ignoredWorkloadTypes
+
+			// Create minimal test config and options
+			config := Config{
+				ResourceName: "test-resource",
+				Annotation:   "configmap.reloader.stakater.com/reload",
+			}
+
+			annotations := Map{
+				"configmap.reloader.stakater.com/reload": "test-config",
+			}
+
+			// Create ReloaderOptions with the ignored workload types
+			opts := &ReloaderOptions{
+				WorkloadTypesToIgnore:  tt.ignoredWorkloadTypes,
+				AutoReloadAll:          true, // Enable auto-reload to simplify test
+				ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+			}
+
+			// Call ShouldReload
+			result := ShouldReload(config, tt.resourceType, annotations, Map{}, opts)
+
+			// Check the result
+			if result.ShouldReload != tt.shouldReload {
+				t.Errorf("For resource type %s with ignored types %v, expected ShouldReload=%v, got=%v",
+					tt.resourceType, tt.ignoredWorkloadTypes, tt.shouldReload, result.ShouldReload)
+			}
+
+			t.Logf("✓ %s", tt.description)
+		})
+	}
+}
+
+func TestShouldReload_IgnoredWorkloadTypes_ValidationError(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	// Test with invalid workload type - should still continue processing
+	options.WorkloadTypesToIgnore = []string{"invalid"}
+
+	config := Config{
+		ResourceName: "test-resource",
+		Annotation:   "configmap.reloader.stakater.com/reload",
+	}
+
+	annotations := Map{
+		"configmap.reloader.stakater.com/reload": "test-config",
+	}
+
+	opts := &ReloaderOptions{
+		WorkloadTypesToIgnore:  []string{"invalid"},
+		AutoReloadAll:          true, // Enable auto-reload to simplify test
+		ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+	}
+
+	// Should not panic and should continue with normal processing
+	result := ShouldReload(config, "Job", annotations, Map{}, opts)
+
+	// Since validation failed, it should continue with normal processing (should reload)
+	if !result.ShouldReload {
+		t.Errorf("Expected ShouldReload=true when validation fails, got=%v", result.ShouldReload)
+	}
+}
+
+// Test that validates the fix for issue #996
+func TestShouldReload_IssueRBACPermissionFixed(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name                 string
+		ignoredWorkloadTypes []string
+		resourceType         string
+		description          string
+	}{
+		{
+			name:                 "Issue #996 - ignoreJobs prevents Job processing",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "Job",
+			description:          "Job resources are skipped entirely, preventing RBAC permission errors",
+		},
+		{
+			name:                 "Issue #996 - ignoreCronJobs prevents CronJob processing",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "CronJob",
+			description:          "CronJob resources are skipped entirely, preventing RBAC permission errors",
+		},
+		{
+			name:                 "Issue #996 - both ignored prevent both types",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Job",
+			description:          "Job resources are skipped entirely when both types are ignored",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the ignored workload types
+			options.WorkloadTypesToIgnore = tt.ignoredWorkloadTypes
+
+			config := Config{
+				ResourceName: "test-resource",
+				Annotation:   "configmap.reloader.stakater.com/reload",
+			}
+
+			annotations := Map{
+				"configmap.reloader.stakater.com/reload": "test-config",
+			}
+
+			opts := &ReloaderOptions{
+				WorkloadTypesToIgnore:  tt.ignoredWorkloadTypes,
+				AutoReloadAll:          true, // Enable auto-reload to simplify test
+				ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+			}
+
+			// Call ShouldReload
+			result := ShouldReload(config, tt.resourceType, annotations, Map{}, opts)
+
+			// Should not reload when workload type is ignored
+			if result.ShouldReload {
+				t.Errorf("Expected ShouldReload=false for ignored workload type %s, got=%v",
+					tt.resourceType, result.ShouldReload)
+			}
+
+			t.Logf("✓ %s", tt.description)
+		})
+	}
+}
--- a/internal/pkg/util/config.go
+++ b/internal/pkg/util/config.go
@@ -1,12 +1,14 @@
-package util
+package common

 import (
 	"github.com/stakater/Reloader/internal/pkg/constants"
 	"github.com/stakater/Reloader/internal/pkg/options"
+	"github.com/stakater/Reloader/internal/pkg/util"
 	v1 "k8s.io/api/core/v1"
+	csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 )

-//Config contains rolling upgrade configuration parameters
+// Config contains rolling upgrade configuration parameters
 type Config struct {
 	Namespace           string
 	ResourceName        string
@@ -15,6 +17,7 @@ type Config struct {
 	TypedAutoAnnotation string
 	SHAValue            string
 	Type                string
+	Labels              map[string]string
 }

 // GetConfigmapConfig provides utility config for configmap
@@ -25,8 +28,9 @@ func GetConfigmapConfig(configmap *v1.ConfigMap) Config {
 		ResourceAnnotations: configmap.Annotations,
 		Annotation:          options.ConfigmapUpdateOnChangeAnnotation,
 		TypedAutoAnnotation: options.ConfigmapReloaderAutoAnnotation,
-		SHAValue:            GetSHAfromConfigmap(configmap),
+		SHAValue:            util.GetSHAfromConfigmap(configmap),
 		Type:                constants.ConfigmapEnvVarPostfix,
+		Labels:              configmap.Labels,
 	}
 }

@@ -38,7 +42,21 @@ func GetSecretConfig(secret *v1.Secret) Config {
 		ResourceAnnotations: secret.Annotations,
 		Annotation:          options.SecretUpdateOnChangeAnnotation,
 		TypedAutoAnnotation: options.SecretReloaderAutoAnnotation,
-		SHAValue:            GetSHAfromSecret(secret.Data),
+		SHAValue:            util.GetSHAfromSecret(secret.Data),
 		Type:                constants.SecretEnvVarPostfix,
+		Labels:              secret.Labels,
+	}
+}
+
+func GetSecretProviderClassPodStatusConfig(podStatus *csiv1.SecretProviderClassPodStatus) Config {
+	// As csi injects SecretProviderClass, we will create config for it instead of SecretProviderClassPodStatus
+	// ResourceAnnotations will be retrieved during PerformAction call
+	return Config{
+		Namespace:           podStatus.Namespace,
+		ResourceName:        podStatus.Status.SecretProviderClassName,
+		Annotation:          options.SecretProviderClassUpdateOnChangeAnnotation,
+		TypedAutoAnnotation: options.SecretProviderClassReloaderAutoAnnotation,
+		SHAValue:            util.GetSHAfromSecretProviderClassPodStatus(podStatus.Status),
+		Type:                constants.SecretProviderClassEnvVarPostfix,
 	}
 }
--- a/pkg/common/metainfo.go
+++ b/pkg/common/metainfo.go
@@ -0,0 +1,129 @@
+package common
+
+import (
+	"encoding/json"
+	"fmt"
+	"runtime"
+	"time"
+
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// Version, Commit, and BuildDate are set during the build process
+// using the -X linker flag to inject these values into the binary.
+// They provide metadata about the build version, commit hash, build date, and whether there are
+// uncommitted changes in the source code at the time of build.
+// This information is useful for debugging and tracking the specific build of the Reloader binary.
+var Version = "dev"
+var Commit = "unknown"
+var BuildDate = "unknown"
+
+const (
+	MetaInfoConfigmapName       = "reloader-meta-info"
+	MetaInfoConfigmapLabelKey   = "reloader.stakater.com/meta-info"
+	MetaInfoConfigmapLabelValue = "reloader-oss"
+)
+
+// MetaInfo contains comprehensive metadata about the Reloader instance.
+// This includes build information, configuration options, and deployment details.
+type MetaInfo struct {
+	// BuildInfo contains information about the build version, commit, and compilation details
+	BuildInfo BuildInfo `json:"buildInfo"`
+	// ReloaderOptions contains all the configuration options and flags used by this Reloader instance
+	ReloaderOptions ReloaderOptions `json:"reloaderOptions"`
+	// DeploymentInfo contains metadata about the Kubernetes deployment of this Reloader instance
+	DeploymentInfo metav1.ObjectMeta `json:"deploymentInfo"`
+}
+
+// BuildInfo contains information about the build and version of the Reloader binary.
+// This includes Go version, release version, commit details, and build timestamp.
+type BuildInfo struct {
+	// GoVersion is the version of Go used to compile the binary
+	GoVersion string `json:"goVersion"`
+	// ReleaseVersion is the version tag or branch of the Reloader release
+	ReleaseVersion string `json:"releaseVersion"`
+	// CommitHash is the Git commit hash of the source code used to build this binary
+	CommitHash string `json:"commitHash"`
+	// CommitTime is the timestamp of the Git commit used to build this binary
+	CommitTime time.Time `json:"commitTime"`
+}
+
+func NewBuildInfo() *BuildInfo {
+	metaInfo := &BuildInfo{
+		GoVersion:      runtime.Version(),
+		ReleaseVersion: Version,
+		CommitHash:     Commit,
+		CommitTime:     ParseUTCTime(BuildDate),
+	}
+
+	return metaInfo
+}
+
+func (m *MetaInfo) ToConfigMap() *v1.ConfigMap {
+	return &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      MetaInfoConfigmapName,
+			Namespace: m.DeploymentInfo.Namespace,
+			Labels: map[string]string{
+				MetaInfoConfigmapLabelKey: MetaInfoConfigmapLabelValue,
+			},
+		},
+		Data: map[string]string{
+			"buildInfo":       toJson(m.BuildInfo),
+			"reloaderOptions": toJson(m.ReloaderOptions),
+			"deploymentInfo":  toJson(m.DeploymentInfo),
+		},
+	}
+}
+
+func NewMetaInfo(configmap *v1.ConfigMap) (*MetaInfo, error) {
+	var buildInfo BuildInfo
+	if val, ok := configmap.Data["buildInfo"]; ok {
+		err := json.Unmarshal([]byte(val), &buildInfo)
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal buildInfo: %w", err)
+		}
+	}
+
+	var reloaderOptions ReloaderOptions
+	if val, ok := configmap.Data["reloaderOptions"]; ok {
+		err := json.Unmarshal([]byte(val), &reloaderOptions)
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal reloaderOptions: %w", err)
+		}
+	}
+
+	var deploymentInfo metav1.ObjectMeta
+	if val, ok := configmap.Data["deploymentInfo"]; ok {
+		err := json.Unmarshal([]byte(val), &deploymentInfo)
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal deploymentInfo: %w", err)
+		}
+	}
+
+	return &MetaInfo{
+		BuildInfo:       buildInfo,
+		ReloaderOptions: reloaderOptions,
+		DeploymentInfo:  deploymentInfo,
+	}, nil
+}
+
+func toJson(data interface{}) string {
+	jsonData, err := json.Marshal(data)
+	if err != nil {
+		return ""
+	}
+	return string(jsonData)
+}
+
+func ParseUTCTime(value string) time.Time {
+	if value == "" {
+		return time.Time{} // Return zero time if value is empty
+	}
+	t, err := time.Parse(time.RFC3339, value)
+	if err != nil {
+		return time.Time{} // Return zero time if parsing fails
+	}
+	return t
+}
--- a/internal/pkg/util/reload_source.go
+++ b/internal/pkg/util/reload_source.go
@@ -1,4 +1,4 @@
-package util
+package common

 import "time"

--- a/pkg/kube/client.go
+++ b/pkg/kube/client.go
@@ -11,6 +11,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
+	csiclient "sigs.k8s.io/secrets-store-csi-driver/pkg/client/clientset/versioned"
 )

 // Clients struct exposes interfaces for kubernetes as well as openshift if available
@@ -18,11 +19,14 @@ type Clients struct {
 	KubernetesClient    kubernetes.Interface
 	OpenshiftAppsClient appsclient.Interface
 	ArgoRolloutClient   argorollout.Interface
+	CSIClient           csiclient.Interface
 }

 var (
 	// IsOpenshift is true if environment is Openshift, it is false if environment is Kubernetes
 	IsOpenshift = isOpenshift()
+	// IsCSIEnabled is true if environment has CSI provider installed, otherwise false
+	IsCSIInstalled = isCSIInstalled()
 )

 // GetClients returns a `Clients` object containing both openshift and kubernetes clients with an openshift identifier
@@ -48,10 +52,20 @@ func GetClients() Clients {
 		logrus.Warnf("Unable to create ArgoRollout client error = %v", err)
 	}

+	var csiClient *csiclient.Clientset
+
+	if IsCSIInstalled {
+		csiClient, err = GetCSIClient()
+		if err != nil {
+			logrus.Warnf("Unable to create CSI client error = %v", err)
+		}
+	}
+
 	return Clients{
 		KubernetesClient:    client,
 		OpenshiftAppsClient: appsClient,
 		ArgoRolloutClient:   rolloutClient,
+		CSIClient:           csiClient,
 	}
 }

@@ -63,6 +77,28 @@ func GetArgoRolloutClient() (*argorollout.Clientset, error) {
 	return argorollout.NewForConfig(config)
 }

+func isCSIInstalled() bool {
+	client, err := GetKubernetesClient()
+	if err != nil {
+		logrus.Fatalf("Unable to create Kubernetes client error = %v", err)
+	}
+	_, err = client.RESTClient().Get().AbsPath("/apis/secrets-store.csi.x-k8s.io/v1").Do(context.TODO()).Raw()
+	if err == nil {
+		logrus.Info("CSI provider is installed")
+		return true
+	}
+	logrus.Info("CSI provider is not installed")
+	return false
+}
+
+func GetCSIClient() (*csiclient.Clientset, error) {
+	config, err := getConfig()
+	if err != nil {
+		return nil, err
+	}
+	return csiclient.NewForConfig(config)
+}
+
 func isOpenshift() bool {
 	client, err := GetKubernetesClient()
 	if err != nil {
--- a/pkg/kube/resourcemapper.go
+++ b/pkg/kube/resourcemapper.go
@@ -3,11 +3,13 @@ package kube
 import (
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	csiv1 "sigs.k8s.io/secrets-store-csi-driver/apis/v1"
 )

 // ResourceMap are resources from where changes are going to be detected
 var ResourceMap = map[string]runtime.Object{
-	"configMaps": &v1.ConfigMap{},
+	"configmaps": &v1.ConfigMap{},
 	"secrets":    &v1.Secret{},
-	"namespaces":    &v1.Namespace{},
+	"namespaces": &v1.Namespace{},
+	"secretproviderclasspodstatuses": &csiv1.SecretProviderClassPodStatus{},
 }
@@ -1 +1 @@
 .1.0
 .4.12