Merge pull request #1077 from stakater/bugfix/fix-ubi-image

Fix ubi image build failure

.github/md_config.json

@@ -3,5 +3,6 @@
     {
       "pattern": "^(?!http).+"
     }
-  ]
+  ],
+  "retryOn429": true
 }

.github/workflows/init-branch-release.yaml

@@ -23,7 +23,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@v5.0.0
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -57,7 +57,7 @@ jobs:
           git diff
 
       - name: Create pull request
-        uses: peter-evans/create-pull-request@v7.0.6
+        uses: peter-evans/create-pull-request@v7.0.8
         with:
           commit-message: "Bump version to ${{ inputs.TARGET_VERSION }}"
           title: "Bump version to ${{ inputs.TARGET_VERSION }} on ${{ inputs.TARGET_BRANCH }} branch"

.github/workflows/pull_request-helm.yaml

@@ -26,7 +26,7 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         ref: ${{github.event.pull_request.head.sha}}
         fetch-depth: 0
@@ -55,7 +55,7 @@ jobs:
     steps:
 
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         ref: ${{github.event.pull_request.head.sha}}
         fetch-depth: 0

.github/workflows/pull_request.yaml

@@ -25,7 +25,7 @@ env:
 
 jobs:
   qa:
-    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.131
+    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.163
     with:
       MD_CONFIG: .github/md_config.json
       DOC_SRC: README.md
@@ -40,7 +40,7 @@ jobs:
     name: Build
     steps:
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         ref: ${{github.event.pull_request.head.sha}}
         fetch-depth: 0
@@ -57,7 +57,7 @@ jobs:
         charts: deployments/kubernetes/chart/reloader
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version-file: 'go.mod'
         check-latest: true
@@ -80,11 +80,7 @@ jobs:
         make install
 
     - name: Run golangci-lint
-      uses: golangci/golangci-lint-action@v6
-      with:
-        version: latest
-        only-new-issues: false
-        args: --timeout 10m
+      run: make lint
 
     - name: Helm Lint
       run: |

.github/workflows/pull_request_docs.yaml

@@ -16,13 +16,13 @@ on:
 
 jobs:
   qa:
-    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.134
+    uses: stakater/.github/.github/workflows/pull_request_doc_qa.yaml@v0.0.163
     with:
       MD_CONFIG: .github/md_config.json
       DOC_SRC: docs
       MD_LINT_CONFIG: .markdownlint.yaml
   build:
-    uses: stakater/.github/.github/workflows/pull_request_container_build.yaml@v0.0.134
+    uses: stakater/.github/.github/workflows/pull_request_container_build.yaml@v0.0.163
     with:
       DOCKER_FILE_PATH: Dockerfile-docs
       CONTAINER_REGISTRY_URL: ghcr.io/stakater

.github/workflows/push-helm-chart.yaml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.PUBLISH_TOKEN }}
           fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -73,7 +73,7 @@ jobs:
           exit 1
 
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.8.2
+        uses: sigstore/cosign-installer@v4.0.0
 
       - name: Login to GHCR Registry
         uses: docker/login-action@v3
@@ -106,7 +106,7 @@ jobs:
           commit_email: stakater@gmail.com
 
       - name: Push new chart tag
-        uses: anothrNick/github-tag-action@1.71.0
+        uses: anothrNick/github-tag-action@1.75.0
         env:
           GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
           WITH_V: false

.github/workflows/push-pr-image.yaml

@@ -30,13 +30,13 @@ jobs:
     if: ${{ github.event.label.name == 'build-and-push-pr-image' }}
     steps:
     - name: Check out code
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5
       with:
         ref: ${{github.event.pull_request.head.sha}}
         fetch-depth: 0
 
     - name: Set up Go
-      uses: actions/setup-go@v5
+      uses: actions/setup-go@v6
       with:
         go-version-file: 'go.mod'
         check-latest: true
@@ -47,11 +47,7 @@ jobs:
         make install
 
     - name: Run golangci-lint
-      uses: golangci/golangci-lint-action@v6
-      with:
-        version: latest
-        only-new-issues: false
-        args: --timeout 10m
+      run: make lint
 
     - name: Generate Tags
       id: generate_tag

.github/workflows/push.yaml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.PUBLISH_TOKEN }}
           fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -42,7 +42,7 @@ jobs:
           version: v3.11.3
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           check-latest: true
@@ -53,11 +53,7 @@ jobs:
           make install
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          version: latest
-          only-new-issues: false
-          args: --timeout 10m
+        run: make lint
 
       - name: Install kubectl
         run: |
@@ -215,7 +211,7 @@ jobs:
             org.opencontainers.image.revision=${{ github.sha }}
 
       - name: Push Latest Tag
-        uses: anothrNick/github-tag-action@1.71.0
+        uses: anothrNick/github-tag-action@1.75.0
         env:
           GITHUB_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
           WITH_V: false

.github/workflows/release-helm-chart.yaml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
 

.github/workflows/release.yaml

@@ -24,7 +24,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           token: ${{ secrets.PUBLISH_TOKEN }}
           fetch-depth: 0 # otherwise, you will fail to push refs to dest repo
@@ -37,7 +37,7 @@ jobs:
           version: v3.11.3
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version-file: 'go.mod'
           check-latest: true
@@ -48,11 +48,7 @@ jobs:
           make install
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v6
-        with:
-          version: latest
-          only-new-issues: false
-          args: --timeout 10m
+        run: make lint
 
       - name: Install kubectl
         run: |

.vale.ini

@@ -1,7 +1,7 @@
 StylesPath = styles
 MinAlertLevel = warning
 
-Packages = https://github.com/stakater/vale-package/releases/download/v0.0.77/Stakater.zip
+Packages = https://github.com/stakater/vale-package/releases/download/v0.0.87/Stakater.zip
 Vocab = Stakater
 
 # Only check MarkDown files

CODE_OF_CONDUCT.md

@@ -1,3 +1,3 @@
 # Code of Conduct
 
-Reloader follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/master/code-of-conduct.md).
+Reloader follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).

Dockerfile

@@ -2,7 +2,7 @@ ARG BUILDER_IMAGE
 ARG BASE_IMAGE
 
 # Build the manager binary
-FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE:-golang:1.24.4} AS builder
+FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE:-golang:1.25.5} AS builder
 
 ARG TARGETOS
 ARG TARGETARCH

Dockerfile-docs

@@ -1,4 +1,4 @@
-FROM python:3.13-alpine as builder
+FROM python:3.14-alpine as builder
 
 # set workdir
 RUN mkdir -p $HOME/application
@@ -17,7 +17,7 @@ RUN python theme_common/scripts/combine_mkdocs_config_yaml.py theme_common/mkdoc
 # build the docs
 RUN mkdocs build
 
-FROM nginxinc/nginx-unprivileged:1.27-alpine as deploy
+FROM nginxinc/nginx-unprivileged:1.29-alpine as deploy
 COPY --from=builder $HOME/application/site/ /usr/share/nginx/html/reloader/
 COPY docs-nginx.conf /etc/nginx/conf.d/default.conf
 

Dockerfile.ubi

@@ -3,7 +3,7 @@ ARG BASE_IMAGE
 
 FROM --platform=${BUILDPLATFORM} ${BUILDER_IMAGE} AS SRC
 
-FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi9/ubi:latest} AS ubi
+FROM ${BASE_IMAGE:-registry.access.redhat.com/ubi9/ubi:9.7} AS ubi
 ARG TARGETARCH
 
 
@@ -20,7 +20,21 @@ RUN mkdir /image && \
 COPY ubi-build-files-${TARGETARCH}.txt /tmp
 # Copy all the required files from the base UBI image into the image directory
 # As the go binary is not statically compiled this includes everything needed for CGO to work, cacerts, tzdata and RH release files
-RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${TARGETARCH}.txt && tar xf /tmp/files.tar -C /image/
+# Filter existing files and exclude temporary entitlement files that may be removed during build
+RUN while IFS= read -r file; do \
+      [ -z "$file" ] && continue; \
+      if [ -e "$file" ] || [ -L "$file" ]; then \
+        echo "$file"; \
+      fi; \
+    done < /tmp/ubi-build-files-${TARGETARCH}.txt > /tmp/existing-files.txt && \
+    if [ -s /tmp/existing-files.txt ]; then \
+      tar -chf /tmp/files.tar --exclude='etc/pki/entitlement-host*' -T /tmp/existing-files.txt 2>&1 | grep -vE "(File removed before we read it|Cannot stat)" || true; \
+      if [ -f /tmp/files.tar ]; then \
+        tar xf /tmp/files.tar -C /image/ 2>/dev/null || true; \
+        rm -f /tmp/files.tar; \
+      fi; \
+    fi && \
+    rm -f /tmp/existing-files.txt
 
 # Generate a rpm database which contains all the packages that you said were needed in ubi-build-files-*.txt
 RUN rpm --root /image --initdb \

Makefile

@@ -41,7 +41,7 @@ YQ ?= $(LOCALBIN)/yq
 KUSTOMIZE_VERSION ?= v5.3.0
 CONTROLLER_TOOLS_VERSION ?= v0.14.0
 ENVTEST_VERSION ?= release-0.17
-GOLANGCI_LINT_VERSION ?= v1.57.2
+GOLANGCI_LINT_VERSION ?= v2.6.1
 
 YQ_VERSION ?= v4.27.5
 YQ_DOWNLOAD_URL = "https://github.com/mikefarah/yq/releases/download/$(YQ_VERSION)/yq_$(OS)_$(ARCH)"
@@ -75,7 +75,7 @@ $(ENVTEST): $(LOCALBIN)
 .PHONY: golangci-lint
 golangci-lint: $(GOLANGCI_LINT) ## Download golangci-lint locally if necessary.
 $(GOLANGCI_LINT): $(LOCALBIN)
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/cmd/golangci-lint,${GOLANGCI_LINT_VERSION})
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,${GOLANGCI_LINT_VERSION})
 
 # go-install-tool will 'go install' any package with custom target and name of binary, if it doesn't exist
 # $1 - target path with name of binary (ideally with version)
@@ -102,6 +102,9 @@ run:
 build:
 	"$(GOCMD)" build ${GOFLAGS} ${LDFLAGS} -o "${BINARY}"
 
+lint: golangci-lint ## Run golangci-lint on the codebase
+	$(GOLANGCI_LINT) run ./...
+
 build-image:
 	docker buildx build \
 		--platform ${OS}/${ARCH} \

README.md

@@ -211,12 +211,13 @@ To enable this feature, update the `reloader.env.secret` section in your `values
 
 ```yaml
 reloader:
-  env:
-    secret:
-      ALERT_ON_RELOAD: "true"                    # Enable alerting (default: false)
-      ALERT_SINK: "slack"                        # Options: slack, teams, gchat or webhook (default: webhook)
-      ALERT_WEBHOOK_URL: "<your-webhook-url>"    # Required if ALERT_ON_RELOAD is true
-      ALERT_ADDITIONAL_INFO: "Triggered by Reloader in staging environment"
+  deployment:
+    env:
+      secret:
+        ALERT_ON_RELOAD: "true"                    # Enable alerting (default: false)
+        ALERT_SINK: "slack"                        # Options: slack, teams, gchat or webhook (default: webhook)
+        ALERT_WEBHOOK_URL: "<your-webhook-url>"    # Required if ALERT_ON_RELOAD is true
+        ALERT_ADDITIONAL_INFO: "Triggered by Reloader in staging environment"
 ```
 
 ### 7. ⏸️ Pause Deployments
@@ -329,13 +330,30 @@ Reloader supports multiple strategies for triggering rolling updates when a watc
 |------|-------------|
 | `--resources-to-ignore=configmaps` | Ignore ConfigMaps (only one type can be ignored at a time) |
 | `--resources-to-ignore=secrets` | Ignore Secrets (cannot combine with configMaps) |
+| `--ignored-workload-types=jobs,cronjobs` | Ignore specific workload types from reload monitoring |
 | `--resource-label-selector=key=value` | Only watch ConfigMaps/Secrets with matching labels |
 
-> **⚠️ Note:**  
-> Only **one** resource type can be ignored at a time.  
-> Trying to ignore **both `configmaps` and `secrets`** will cause an error in Reloader.  
+> **⚠️ Note:**
+>
+> Only **one** resource type can be ignored at a time.
+> Trying to ignore **both `configmaps` and `secrets`** will cause an error in Reloader.
 > ✅ **Workaround:** Scale the Reloader deployment to `0` replicas if you want to disable it completely.
 
+**💡 Workload Type Examples:**
+
+```bash
+# Ignore only Jobs
+--ignored-workload-types=jobs
+
+# Ignore only CronJobs
+--ignored-workload-types=cronjobs
+
+# Ignore both (comma-separated)
+--ignored-workload-types=jobs,cronjobs
+```
+
+> **🔧 Use Case:** Ignoring workload types is useful when you don't want certain types of workloads to be automatically reloaded.
+
 #### 3. 🧩 Namespace Filtering
 
 | Flag | Description |
@@ -416,11 +434,14 @@ _Repository GitHub releases_: As requested by the community in [issue 685](https
 
 To make a GitHub release:
 
-1. Code owners create a release branch `release-vX.Y.Z`
-1. Code owners run a dispatch mode workflow to automatically generate version and manifests on the release branch
+1. Code owners create a release branch `release-vX.Y.Z` from `master`
+1. Code owners run [Init Release](https://github.com/stakater/Reloader/actions/workflows/init-branch-release.yaml) workflow to automatically generate version and manifests on the release branch
+    - Set the `TARGET_BRANCH` parameter to release branch i.e. `release-vX.Y.Z`
+    - Set the `TARGET_VERSION` to release version without 'v' i.e. `X.Y.Z`
 1. A PR is created to bump the image version on the release branch, example: [PR-798](https://github.com/stakater/Reloader/pull/798)
 1. Code owners create a GitHub release with tag `vX.Y.Z` and target branch `release-vX.Y.Z`, which triggers creation of images
-1. Code owners create a PR to update the Helm chart version, example: [PR-846](https://github.com/stakater/Reloader/pull/846)
+1. Code owners create another branch from `master` and bump the helm chart version as well as Reloader image version.
+    - Code owners create a PR with `release/helm-chart` label, example: [PR-846](https://github.com/stakater/Reloader/pull/846)
 
 _Repository git tagging_: Push to the main branch will create a merge-image and merge-tag named `merge-${{ github.event.number }}`, for example `merge-800` when pull request number 800 is merged.
 

VERSION

@@ -1 +1 @@
-1.1.0
+1.4.12

deployments/kubernetes/chart/reloader/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v1
 name: reloader
 description: Reloader chart that runs on kubernetes
-version: 2.2.1
-appVersion: v1.4.6
+version: 2.2.7
+appVersion: v1.4.12
 keywords:
   - Reloader
   - kubernetes

deployments/kubernetes/chart/reloader/README.md

@@ -5,6 +5,7 @@ If you have configured helm on your cluster, you can add Reloader to helm from o
 ## Installation
 
 ```bash
+# Add stakater helm repoository
 helm repo add stakater https://stakater.github.io/stakater-charts
 
 helm repo update
@@ -14,6 +15,8 @@ helm install stakater/reloader # For helm3 add --generate-name flag or set the r
 helm install {{RELEASE_NAME}} stakater/reloader -n {{NAMESPACE}} --set reloader.watchGlobally=false # By default, Reloader watches in all namespaces. To watch in single namespace, set watchGlobally=false
 
 helm install stakater/reloader --set reloader.watchGlobally=false --namespace test --generate-name # Install Reloader in `test` namespace which will only watch `Deployments`, `Daemonsets` `Statefulsets` and `Rollouts` in `test` namespace.
+
+helm install stakater/reloader --set reloader.ignoreJobs=true --set reloader.ignoreCronJobs=true --generate-name # Install Reloader ignoring Jobs and CronJobs from reload monitoring
 ```
 
 ## Uninstalling
@@ -47,6 +50,8 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 | `reloader.isOpenshift`              | Enable OpenShift DeploymentConfigs. Valid value are either `true` or `false`                                                                        | boolean     | `false`   |
 | `reloader.ignoreSecrets`            | To ignore secrets. Valid value are either `true` or `false`. Either `ignoreSecrets` or `ignoreConfigMaps` can be ignored, not both at the same time | boolean     | `false`   |
 | `reloader.ignoreConfigMaps`         | To ignore configmaps. Valid value are either `true` or `false`                                                                                      | boolean     | `false`   |
+| `reloader.ignoreJobs`               | To ignore jobs from reload monitoring. Valid value are either `true` or `false`. Translates to `--ignored-workload-types=jobs`                      | boolean     | `false`   |
+| `reloader.ignoreCronJobs`           | To ignore CronJobs from reload monitoring. Valid value are either `true` or `false`. Translates to `--ignored-workload-types=cronjobs`               | boolean     | `false`   |
 | `reloader.reloadOnCreate`           | Enable reload on create events. Valid value are either `true` or `false`                                                                            | boolean     | `false`   |
 | `reloader.reloadOnDelete`           | Enable reload on delete events. Valid value are either `true` or `false`                                                                            | boolean     | `false`   |
 | `reloader.syncAfterRestart`         | Enable sync after Reloader restarts for **Add** events, works only when reloadOnCreate is `true`. Valid value are either `true` or `false`          | boolean     | `false`   |
@@ -58,7 +63,7 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 | `reloader.watchGlobally`            | Allow Reloader to watch in all namespaces (`true`) or just in a single namespace (`false`)                                                          | boolean     | `true`    |
 | `reloader.enableHA`                 | Enable leadership election allowing you to run multiple replicas                                                                                    | boolean     | `false`   |
 | `reloader.enablePProf`              | Enables pprof for profiling | boolean | `false` |
-| `reloader.pprofAddr` | Address to start pprof server on | string | `:6060` | 
+| `reloader.pprofAddr` | Address to start pprof server on | string | `:6060` |
 | `reloader.readOnlyRootFileSystem`   | Enforce readOnlyRootFilesystem                                                                                                                      | boolean     | `false`   |
 | `reloader.legacy.rbac`              |                                                                                                                                                     | boolean     | `false`   |
 | `reloader.matchLabels`              | Pod labels to match                                                                                                                                 | map         | `{}`      |
@@ -115,6 +120,10 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 - Only one of these resources can be ignored at a time:
   - `ignoreConfigMaps` **or** `ignoreSecrets`
   - Trying to ignore both will cause Helm template compilation errors
+- The `ignoreJobs` and `ignoreCronJobs` flags can be used together or individually
+  - When both are enabled, translates to `--ignored-workload-types=jobs,cronjobs`
+  - When used individually, translates to `--ignored-workload-types=jobs` or `--ignored-workload-types=cronjobs`
+  - These flags prevent Reloader from monitoring and reloading the specified workload types
 
 ### Special Integrations
 - OpenShift (`DeploymentConfig`) and Argo Rollouts support must be **explicitly enabled**
@@ -123,7 +132,7 @@ helm uninstall {{RELEASE_NAME}} -n {{NAMESPACE}}
 ### OpenShift Considerations
 - Recent OpenShift versions (tested on 4.13.3) require:
   - Users to be in a dynamically assigned UID range
-  - **Solution**: Unset `runAsUser` via `deployment.securityContext.runAsUser=null`
+  - **Solution**: Unset `runAsUser` via `reloader.deployment.securityContext.runAsUser=null`
   - Let OpenShift assign UID automatically during installation
 
 ### Core Functionality Flags

deployments/kubernetes/chart/reloader/templates/_helpers.tpl

@@ -87,3 +87,19 @@ Create the namespace selector if it does not watch globally
     {{ .Values.reloader.namespaceSelector }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Normalizes global.imagePullSecrets to a list of objects with name fields.
+Supports both of these in values.yaml:
+  # - name: my-pull-secret
+  # - my-pull-secret
+*/}}
+{{- define "reloader-imagePullSecrets" -}}
+{{- range $s := .Values.global.imagePullSecrets }}
+{{- if kindIs "map" $s }}
+- {{ toYaml $s | nindent 2 | trim }}
+{{- else }}
+- name: {{ $s }}
+{{- end }}
+{{- end }}
+{{- end -}}

deployments/kubernetes/chart/reloader/templates/deployment.yaml

@@ -44,9 +44,9 @@ spec:
 {{ tpl (toYaml .Values.reloader.matchLabels) . | indent 8 }}
 {{- end }}
     spec:
-      {{- with .Values.global.imagePullSecrets }}
+      {{- if .Values.global.imagePullSecrets }}
       imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
+{{ include "reloader-imagePullSecrets" . | indent 8 }}
       {{- end }}
       {{- if .Values.reloader.deployment.nodeSelector }}
       nodeSelector:
@@ -155,7 +155,7 @@ spec:
 
         - name: RELOADER_DEPLOYMENT_NAME
           value: {{ template "reloader-fullname" . }}
-          
+
       {{- if .Values.reloader.enableHA }}
         - name: POD_NAME
           valueFrom:
@@ -210,7 +210,7 @@ spec:
           {{- . | toYaml | nindent 10 }}
           {{- end }}
       {{- end }}
-      {{- if or (.Values.reloader.logFormat) (.Values.reloader.logLevel) (.Values.reloader.ignoreSecrets) (.Values.reloader.ignoreNamespaces) (include "reloader-namespaceSelector" .) (.Values.reloader.resourceLabelSelector) (.Values.reloader.ignoreConfigMaps) (.Values.reloader.custom_annotations) (eq .Values.reloader.isArgoRollouts true) (eq .Values.reloader.reloadOnCreate true) (eq .Values.reloader.reloadOnDelete true) (ne .Values.reloader.reloadStrategy "default") (.Values.reloader.enableHA) (.Values.reloader.autoReloadAll)}}
+      {{- if or (.Values.reloader.logFormat) (.Values.reloader.logLevel) (.Values.reloader.ignoreSecrets) (.Values.reloader.ignoreNamespaces) (include "reloader-namespaceSelector" .) (.Values.reloader.resourceLabelSelector) (.Values.reloader.ignoreConfigMaps) (.Values.reloader.custom_annotations) (eq .Values.reloader.isArgoRollouts true) (eq .Values.reloader.reloadOnCreate true) (eq .Values.reloader.reloadOnDelete true) (ne .Values.reloader.reloadStrategy "default") (.Values.reloader.enableHA) (.Values.reloader.autoReloadAll) (.Values.reloader.ignoreJobs) (.Values.reloader.ignoreCronJobs)}}
         args:
           {{- if .Values.reloader.logFormat }}
           - "--log-format={{ .Values.reloader.logFormat }}"
@@ -224,6 +224,13 @@ spec:
           {{- if .Values.reloader.ignoreConfigMaps }}
           - "--resources-to-ignore=configMaps"
           {{- end }}
+          {{- if and (.Values.reloader.ignoreJobs) (.Values.reloader.ignoreCronJobs) }}
+          - "--ignored-workload-types=jobs,cronjobs"
+          {{- else if .Values.reloader.ignoreJobs }}
+          - "--ignored-workload-types=jobs"
+          {{- else if .Values.reloader.ignoreCronJobs }}
+          - "--ignored-workload-types=cronjobs"
+          {{- end }}
           {{- if .Values.reloader.ignoreNamespaces }}
           - "--namespaces-to-ignore={{ .Values.reloader.ignoreNamespaces }}"
           {{- end }}
@@ -273,7 +280,7 @@ spec:
           - "{{ .Values.reloader.custom_annotations.pausePeriod }}"
             {{- end }}
             {{- if .Values.reloader.custom_annotations.pauseTime }}
-          - "--pause-deployment-annotation"
+          - "--pause-deployment-time-annotation"
           - "{{ .Values.reloader.custom_annotations.pauseTime }}"
             {{- end }}
             {{- if .Values.reloader.webhookUrl }}

deployments/kubernetes/chart/reloader/templates/serviceaccount.yaml

@@ -2,7 +2,8 @@
 apiVersion: v1
 kind: ServiceAccount
 {{- if .Values.global.imagePullSecrets }}
-imagePullSecrets: {{ toYaml .Values.global.imagePullSecrets | nindent 2 }}
+imagePullSecrets:
+{{ include "reloader-imagePullSecrets" . | indent 2 }}
 {{- end }}
 {{- if hasKey .Values.reloader.serviceAccount "automountServiceAccountToken" }}
 automountServiceAccountToken: {{ .Values.reloader.serviceAccount.automountServiceAccountToken }}

deployments/kubernetes/chart/reloader/tests/deployment_test.yaml

@@ -61,3 +61,44 @@ tests:
             valueFrom:
               fieldRef:
                 fieldPath: metadata.name
+
+  - it: sets ignored-workload-types argument when ignoreJobs is true
+    set:
+      reloader:
+        ignoreJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs"
+
+  - it: sets ignored-workload-types argument when ignoreCronJobs is true
+    set:
+      reloader:
+        ignoreCronJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=cronjobs"
+
+  - it: sets ignored-workload-types argument when both ignoreJobs and ignoreCronJobs are true
+    set:
+      reloader:
+        ignoreJobs: true
+        ignoreCronJobs: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs,cronjobs"
+
+  - it: does not set ignored-workload-types argument when both ignoreJobs and ignoreCronJobs are false
+    set:
+      reloader:
+        ignoreJobs: false
+        ignoreCronJobs: false
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=jobs"
+      - notContains:
+          path: spec.template.spec.containers[0].args
+          content: "--ignored-workload-types=cronjobs"

deployments/kubernetes/chart/reloader/values.yaml

@@ -7,6 +7,8 @@ global:
   imagePullSecrets: []
   #imagePullSecrets:
   #  - name: my-pull-secret
+  #imagePullSecrets:
+  #  - my-pull-secret
 
 kubernetes:
   host: https://kubernetes.default
@@ -17,7 +19,7 @@ fullnameOverride: ""
 image:
   name: stakater/reloader
   repository: ghcr.io/stakater/reloader
-  tag: v1.4.6
+  tag: v1.4.12
   # digest: sha256:1234567
   pullPolicy: IfNotPresent
 
@@ -27,7 +29,11 @@ reloader:
   isOpenshift: false
   ignoreSecrets: false
   ignoreConfigMaps: false
+  # Set to true to exclude Job workloads from automatic reload monitoring
+  # Useful when you don't want Jobs to be restarted when their referenced ConfigMaps/Secrets change
   ignoreJobs: false
+  # Set to true to exclude CronJob workloads from automatic reload monitoring
+  # Useful when you don't want CronJobs to be restarted when their referenced ConfigMaps/Secrets change
   ignoreCronJobs: false
   reloadOnCreate: false
   reloadOnDelete: false
@@ -84,7 +90,7 @@ reloader:
     #           - key: "node-role.kubernetes.io/infra-worker"
     #             operator: "Exists"
     affinity: {}
-    
+
     volumeMounts: []
     volumes: []
 
@@ -126,7 +132,7 @@ reloader:
     labels:
       provider: stakater
       group: com.stakater.platform
-      version: v1.4.6
+      version: v1.4.12
     # Support for extra environment variables.
     env:
       # Open supports Key value pair as environment variables.

deployments/kubernetes/manifests/deployment.yaml

@@ -17,7 +17,7 @@ spec:
         app: reloader-reloader
     spec:
       containers:
-        - image: "ghcr.io/stakater/reloader:v1.1.0"
+        - image: "ghcr.io/stakater/reloader:v1.4.12"
           imagePullPolicy: IfNotPresent
           name: reloader-reloader
           env:

deployments/kubernetes/reloader.yaml

@@ -141,7 +141,7 @@ spec:
               fieldPath: metadata.namespace
         - name: RELOADER_DEPLOYMENT_NAME
           value: reloader-reloader
-        image: ghcr.io/stakater/reloader:latest
+        image: ghcr.io/stakater/reloader:v1.4.12
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 5

go.mod

@@ -1,21 +1,21 @@
 module github.com/stakater/Reloader
 
-go 1.24.4
+go 1.25.5
 
 require (
-	github.com/argoproj/argo-rollouts v1.8.2
+	github.com/argoproj/argo-rollouts v1.8.3
 	github.com/openshift/api v0.0.0-20250411135543-10a8fa583797
 	github.com/openshift/client-go v0.0.0-20250402181141-b3bad3b645f2
 	github.com/parnurzeal/gorequest v0.3.0
 	github.com/prometheus/client_golang v1.22.0
 	github.com/sirupsen/logrus v1.9.3
-	github.com/spf13/cobra v1.9.1
+	github.com/spf13/cobra v1.10.1
 	github.com/stretchr/testify v1.10.0
 	k8s.io/api v0.32.3
 	k8s.io/apimachinery v0.32.3
 	k8s.io/client-go v0.32.3
 	k8s.io/kubectl v0.32.3
-	k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4
 )
 
 require (
@@ -50,7 +50,7 @@ require (
 	github.com/prometheus/common v0.63.0 // indirect
 	github.com/prometheus/procfs v0.16.0 // indirect
 	github.com/smartystreets/goconvey v1.7.2 // indirect
-	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/pflag v1.0.9 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	golang.org/x/net v0.39.0 // indirect
 	golang.org/x/oauth2 v0.29.0 // indirect

go.sum

@@ -1,5 +1,5 @@
-github.com/argoproj/argo-rollouts v1.8.2 h1:DBvkYvFTEH/zJ9MxJerqz/NMWEgZcHY5vxztyCBS5ak=
-github.com/argoproj/argo-rollouts v1.8.2/go.mod h1:xZIw+dg+B4IqMv5fNPenIBUiPb9xljL2st1xxkjhaC0=
+github.com/argoproj/argo-rollouts v1.8.3 h1:blbtQva4IK9r6gFh+dWkCrLnFdPOWiv9ubQYu36qeaA=
+github.com/argoproj/argo-rollouts v1.8.3/go.mod h1:kCAUvIfMGfOyVf3lvQbBt0nqQn4Pd+zB5/YwKv+UBa8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
@@ -104,10 +104,10 @@ github.com/smartystreets/assertions v1.2.0 h1:42S6lae5dvLc7BrLu/0ugRtcFVjoJNMC/N
 github.com/smartystreets/assertions v1.2.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
 github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
 github.com/smartystreets/goconvey v1.7.2/go.mod h1:Vw0tHAZW6lzCRk3xgdin6fKYcG+G3Pg9vgXWeJpQFMM=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
-github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
+github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@@ -185,8 +185,8 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/kubectl v0.32.3 h1:VMi584rbboso+yjfv0d8uBHwwxbC438LKq+dXd5tOAI=
 k8s.io/kubectl v0.32.3/go.mod h1:6Euv2aso5GKzo/UVMacV6C7miuyevpfI91SvBvV9Zdg=
-k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e h1:KqK5c/ghOm8xkHYhlodbp6i6+r+ChV2vuAuVRdFbLro=
-k8s.io/utils v0.0.0-20250321185631-1f6e0b77f77e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
 sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=

internal/pkg/alerts/alert.go

@@ -9,6 +9,15 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+type AlertSink string
+
+const (
+	AlertSinkSlack      AlertSink = "slack"
+	AlertSinkTeams      AlertSink = "teams"
+	AlertSinkGoogleChat AlertSink = "gchat"
+	AlertSinkRaw        AlertSink = "raw"
+)
+
 // function to send alert msg to webhook service
 func SendWebhookAlert(msg string) {
 	webhook_url, ok := os.LookupEnv("ALERT_WEBHOOK_URL")
@@ -31,14 +40,15 @@ func SendWebhookAlert(msg string) {
 		msg = fmt.Sprintf("%s : %s", alert_additional_info, msg)
 	}
 
-	if alert_sink == "slack" {
+	switch AlertSink(alert_sink) {
+	case AlertSinkSlack:
 		sendSlackAlert(webhook_url, webhook_proxy, msg)
-	} else if alert_sink == "teams" {
+	case AlertSinkTeams:
 		sendTeamsAlert(webhook_url, webhook_proxy, msg)
-	} else if alert_sink == "gchat" {
+	case AlertSinkGoogleChat:
 		sendGoogleChatAlert(webhook_url, webhook_proxy, msg)
-	} else {
-		msg = strings.Replace(msg, "*", "", -1)
+	default:
+		msg = strings.ReplaceAll(msg, "*", "")
 		sendRawWebhookAlert(webhook_url, webhook_proxy, msg)
 	}
 }

internal/pkg/callbacks/rolling_upgrade.go

@@ -83,9 +83,9 @@ func GetDeploymentItem(clients kube.Clients, name string, namespace string) (run
 		return nil, err
 	}
 
-	if deployment.Spec.Template.ObjectMeta.Annotations == nil {
+	if deployment.Spec.Template.Annotations == nil {
 		annotations := make(map[string]string)
-		deployment.Spec.Template.ObjectMeta.Annotations = annotations
+		deployment.Spec.Template.Annotations = annotations
 	}
 
 	return deployment, nil
@@ -101,9 +101,9 @@ func GetDeploymentItems(clients kube.Clients, namespace string) []runtime.Object
 	items := make([]runtime.Object, len(deployments.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range deployments.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
+		if v.Spec.Template.Annotations == nil {
 			annotations := make(map[string]string)
-			deployments.Items[i].Spec.Template.ObjectMeta.Annotations = annotations
+			deployments.Items[i].Spec.Template.Annotations = annotations
 		}
 		items[i] = &deployments.Items[i]
 	}
@@ -132,9 +132,9 @@ func GetCronJobItems(clients kube.Clients, namespace string) []runtime.Object {
 	items := make([]runtime.Object, len(cronjobs.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range cronjobs.Items {
-		if v.Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations == nil {
+		if v.Spec.JobTemplate.Spec.Template.Annotations == nil {
 			annotations := make(map[string]string)
-			cronjobs.Items[i].Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations = annotations
+			cronjobs.Items[i].Spec.JobTemplate.Spec.Template.Annotations = annotations
 		}
 		items[i] = &cronjobs.Items[i]
 	}
@@ -163,9 +163,9 @@ func GetJobItems(clients kube.Clients, namespace string) []runtime.Object {
 	items := make([]runtime.Object, len(jobs.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range jobs.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
+		if v.Spec.Template.Annotations == nil {
 			annotations := make(map[string]string)
-			jobs.Items[i].Spec.Template.ObjectMeta.Annotations = annotations
+			jobs.Items[i].Spec.Template.Annotations = annotations
 		}
 		items[i] = &jobs.Items[i]
 	}
@@ -194,8 +194,8 @@ func GetDaemonSetItems(clients kube.Clients, namespace string) []runtime.Object
 	items := make([]runtime.Object, len(daemonSets.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range daemonSets.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
-			daemonSets.Items[i].Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+		if v.Spec.Template.Annotations == nil {
+			daemonSets.Items[i].Spec.Template.Annotations = make(map[string]string)
 		}
 		items[i] = &daemonSets.Items[i]
 	}
@@ -224,8 +224,8 @@ func GetStatefulSetItems(clients kube.Clients, namespace string) []runtime.Objec
 	items := make([]runtime.Object, len(statefulSets.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range statefulSets.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
-			statefulSets.Items[i].Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+		if v.Spec.Template.Annotations == nil {
+			statefulSets.Items[i].Spec.Template.Annotations = make(map[string]string)
 		}
 		items[i] = &statefulSets.Items[i]
 	}
@@ -254,8 +254,8 @@ func GetRolloutItems(clients kube.Clients, namespace string) []runtime.Object {
 	items := make([]runtime.Object, len(rollouts.Items))
 	// Ensure we always have pod annotations to add to
 	for i, v := range rollouts.Items {
-		if v.Spec.Template.ObjectMeta.Annotations == nil {
-			rollouts.Items[i].Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+		if v.Spec.Template.Annotations == nil {
+			rollouts.Items[i].Spec.Template.Annotations = make(map[string]string)
 		}
 		items[i] = &rollouts.Items[i]
 	}
@@ -265,98 +265,98 @@ func GetRolloutItems(clients kube.Clients, namespace string) []runtime.Object {
 
 // GetDeploymentAnnotations returns the annotations of given deployment
 func GetDeploymentAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.Deployment).ObjectMeta.Annotations == nil {
-		item.(*appsv1.Deployment).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.Deployment).Annotations == nil {
+		item.(*appsv1.Deployment).Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.Deployment).ObjectMeta.Annotations
+	return item.(*appsv1.Deployment).Annotations
 }
 
 // GetCronJobAnnotations returns the annotations of given cronjob
 func GetCronJobAnnotations(item runtime.Object) map[string]string {
-	if item.(*batchv1.CronJob).ObjectMeta.Annotations == nil {
-		item.(*batchv1.CronJob).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*batchv1.CronJob).Annotations == nil {
+		item.(*batchv1.CronJob).Annotations = make(map[string]string)
 	}
-	return item.(*batchv1.CronJob).ObjectMeta.Annotations
+	return item.(*batchv1.CronJob).Annotations
 }
 
 // GetJobAnnotations returns the annotations of given job
 func GetJobAnnotations(item runtime.Object) map[string]string {
-	if item.(*batchv1.Job).ObjectMeta.Annotations == nil {
-		item.(*batchv1.Job).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*batchv1.Job).Annotations == nil {
+		item.(*batchv1.Job).Annotations = make(map[string]string)
 	}
-	return item.(*batchv1.Job).ObjectMeta.Annotations
+	return item.(*batchv1.Job).Annotations
 }
 
 // GetDaemonSetAnnotations returns the annotations of given daemonSet
 func GetDaemonSetAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.DaemonSet).ObjectMeta.Annotations == nil {
-		item.(*appsv1.DaemonSet).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.DaemonSet).Annotations == nil {
+		item.(*appsv1.DaemonSet).Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.DaemonSet).ObjectMeta.Annotations
+	return item.(*appsv1.DaemonSet).Annotations
 }
 
 // GetStatefulSetAnnotations returns the annotations of given statefulSet
 func GetStatefulSetAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.StatefulSet).ObjectMeta.Annotations == nil {
-		item.(*appsv1.StatefulSet).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.StatefulSet).Annotations == nil {
+		item.(*appsv1.StatefulSet).Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.StatefulSet).ObjectMeta.Annotations
+	return item.(*appsv1.StatefulSet).Annotations
 }
 
 // GetRolloutAnnotations returns the annotations of given rollout
 func GetRolloutAnnotations(item runtime.Object) map[string]string {
-	if item.(*argorolloutv1alpha1.Rollout).ObjectMeta.Annotations == nil {
-		item.(*argorolloutv1alpha1.Rollout).ObjectMeta.Annotations = make(map[string]string)
+	if item.(*argorolloutv1alpha1.Rollout).Annotations == nil {
+		item.(*argorolloutv1alpha1.Rollout).Annotations = make(map[string]string)
 	}
-	return item.(*argorolloutv1alpha1.Rollout).ObjectMeta.Annotations
+	return item.(*argorolloutv1alpha1.Rollout).Annotations
 }
 
 // GetDeploymentPodAnnotations returns the pod's annotations of given deployment
 func GetDeploymentPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.Deployment).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*appsv1.Deployment).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.Deployment).Spec.Template.Annotations == nil {
+		item.(*appsv1.Deployment).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.Deployment).Spec.Template.ObjectMeta.Annotations
+	return item.(*appsv1.Deployment).Spec.Template.Annotations
 }
 
 // GetCronJobPodAnnotations returns the pod's annotations of given cronjob
 func GetCronJobPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.Annotations == nil {
+		item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations
+	return item.(*batchv1.CronJob).Spec.JobTemplate.Spec.Template.Annotations
 }
 
 // GetJobPodAnnotations returns the pod's annotations of given job
 func GetJobPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*batchv1.Job).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*batchv1.Job).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*batchv1.Job).Spec.Template.Annotations == nil {
+		item.(*batchv1.Job).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*batchv1.Job).Spec.Template.ObjectMeta.Annotations
+	return item.(*batchv1.Job).Spec.Template.Annotations
 }
 
 // GetDaemonSetPodAnnotations returns the pod's annotations of given daemonSet
 func GetDaemonSetPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.DaemonSet).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*appsv1.DaemonSet).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.DaemonSet).Spec.Template.Annotations == nil {
+		item.(*appsv1.DaemonSet).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.DaemonSet).Spec.Template.ObjectMeta.Annotations
+	return item.(*appsv1.DaemonSet).Spec.Template.Annotations
 }
 
 // GetStatefulSetPodAnnotations returns the pod's annotations of given statefulSet
 func GetStatefulSetPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*appsv1.StatefulSet).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*appsv1.StatefulSet).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*appsv1.StatefulSet).Spec.Template.Annotations == nil {
+		item.(*appsv1.StatefulSet).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*appsv1.StatefulSet).Spec.Template.ObjectMeta.Annotations
+	return item.(*appsv1.StatefulSet).Spec.Template.Annotations
 }
 
 // GetRolloutPodAnnotations returns the pod's annotations of given rollout
 func GetRolloutPodAnnotations(item runtime.Object) map[string]string {
-	if item.(*argorolloutv1alpha1.Rollout).Spec.Template.ObjectMeta.Annotations == nil {
-		item.(*argorolloutv1alpha1.Rollout).Spec.Template.ObjectMeta.Annotations = make(map[string]string)
+	if item.(*argorolloutv1alpha1.Rollout).Spec.Template.Annotations == nil {
+		item.(*argorolloutv1alpha1.Rollout).Spec.Template.Annotations = make(map[string]string)
 	}
-	return item.(*argorolloutv1alpha1.Rollout).Spec.Template.ObjectMeta.Annotations
+	return item.(*argorolloutv1alpha1.Rollout).Spec.Template.Annotations
 }
 
 // GetDeploymentContainers returns the containers of given deployment
@@ -481,9 +481,9 @@ func ReCreateJobFromjob(clients kube.Clients, namespace string, resource runtime
 	}
 
 	// Remove fields that should not be specified when creating a new Job
-	job.ObjectMeta.ResourceVersion = ""
-	job.ObjectMeta.UID = ""
-	job.ObjectMeta.CreationTimestamp = meta_v1.Time{}
+	job.ResourceVersion = ""
+	job.UID = ""
+	job.CreationTimestamp = meta_v1.Time{}
 	job.Status = batchv1.JobStatus{}
 
 	// Remove problematic labels

internal/pkg/callbacks/rolling_upgrade_test.go

@@ -373,19 +373,19 @@ func TestPatchResources(t *testing.T) {
 			assert.NoError(t, err)
 			patchedResource, err := callbacks.GetDeploymentItem(clients, "test-deployment", fixtures.namespace)
 			assert.NoError(t, err)
-			assert.Equal(t, "test", patchedResource.(*appsv1.Deployment).ObjectMeta.Annotations["test"])
+			assert.Equal(t, "test", patchedResource.(*appsv1.Deployment).Annotations["test"])
 		}},
 		{"DaemonSet", createTestDaemonSetWithAnnotations, callbacks.PatchDaemonSet, deleteTestDaemonSet, func(err error) {
 			assert.NoError(t, err)
 			patchedResource, err := callbacks.GetDaemonSetItem(clients, "test-daemonset", fixtures.namespace)
 			assert.NoError(t, err)
-			assert.Equal(t, "test", patchedResource.(*appsv1.DaemonSet).ObjectMeta.Annotations["test"])
+			assert.Equal(t, "test", patchedResource.(*appsv1.DaemonSet).Annotations["test"])
 		}},
 		{"StatefulSet", createTestStatefulSetWithAnnotations, callbacks.PatchStatefulSet, deleteTestStatefulSet, func(err error) {
 			assert.NoError(t, err)
 			patchedResource, err := callbacks.GetStatefulSetItem(clients, "test-statefulset", fixtures.namespace)
 			assert.NoError(t, err)
-			assert.Equal(t, "test", patchedResource.(*appsv1.StatefulSet).ObjectMeta.Annotations["test"])
+			assert.Equal(t, "test", patchedResource.(*appsv1.StatefulSet).Annotations["test"])
 		}},
 		{"CronJob", createTestCronJobWithAnnotations, callbacks.PatchCronJob, deleteTestCronJob, func(err error) {
 			assert.EqualError(t, err, "not supported patching: CronJob")
@@ -621,17 +621,17 @@ func deleteTestStatefulSets(clients kube.Clients, namespace string) error {
 func createResourceWithPodAnnotations(obj runtime.Object, annotations map[string]string) runtime.Object {
 	switch v := obj.(type) {
 	case *appsv1.Deployment:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	case *appsv1.DaemonSet:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	case *appsv1.StatefulSet:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	case *batchv1.CronJob:
-		v.Spec.JobTemplate.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.JobTemplate.Spec.Template.Annotations = annotations
 	case *batchv1.Job:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	case *argorolloutv1alpha1.Rollout:
-		v.Spec.Template.ObjectMeta.Annotations = annotations
+		v.Spec.Template.Annotations = annotations
 	}
 	return obj
 }

internal/pkg/controller/controller.go

@@ -124,9 +124,9 @@ func (c *Controller) Add(obj interface{}) {
 func (c *Controller) resourceInIgnoredNamespace(raw interface{}) bool {
 	switch object := raw.(type) {
 	case *v1.ConfigMap:
-		return c.ignoredNamespaces.Contains(object.ObjectMeta.Namespace)
+		return c.ignoredNamespaces.Contains(object.Namespace)
 	case *v1.Secret:
-		return c.ignoredNamespaces.Contains(object.ObjectMeta.Namespace)
+		return c.ignoredNamespaces.Contains(object.Namespace)
 	}
 	return false
 }
@@ -212,7 +212,7 @@ func (c *Controller) Run(threadiness int, stopCh chan struct{}) {
 
 	// Wait for all involved caches to be synced, before processing items from the queue is started
 	if !cache.WaitForCacheSync(stopCh, c.informer.HasSynced) {
-		runtime.HandleError(fmt.Errorf("Timed out waiting for caches to sync"))
+		runtime.HandleError(fmt.Errorf("timed out waiting for caches to sync"))
 		return
 	}
 
@@ -226,9 +226,9 @@ func (c *Controller) Run(threadiness int, stopCh chan struct{}) {
 
 func (c *Controller) runWorker() {
 	// At this point the controller is fully initialized and we can start processing the resources
-	if c.resource == "secrets" {
+	if c.resource == string(v1.ResourceSecrets) {
 		secretControllerInitialized = true
-	} else if c.resource == "configMaps" {
+	} else if c.resource == string(v1.ResourceConfigMaps) {
 		configmapControllerInitialized = true
 	}
 

internal/pkg/controller/controller_test.go

@@ -2341,7 +2341,7 @@ func TestController_resourceInNamespaceSelector(t *testing.T) {
 				indexer:           tt.fields.indexer,
 				queue:             tt.fields.queue,
 				informer:          tt.fields.informer,
-				namespace:         tt.fields.namespace.ObjectMeta.Name,
+				namespace:         tt.fields.namespace.Name,
 				namespaceSelector: tt.fields.namespaceSelector,
 			}
 

internal/pkg/handler/pause_deployment_test.go

@@ -9,7 +9,6 @@ import (
 	"github.com/stakater/Reloader/internal/pkg/options"
 	"github.com/stakater/Reloader/pkg/kube"
 	"github.com/stretchr/testify/assert"
-	app "k8s.io/api/apps/v1"
 	appsv1 "k8s.io/api/apps/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -374,14 +373,14 @@ func TestPauseDeployment(t *testing.T) {
 }
 
 // Simple helper function for test cases
-func FindDeploymentByName(deployments []runtime.Object, deploymentName string) (*app.Deployment, error) {
+func FindDeploymentByName(deployments []runtime.Object, deploymentName string) (*appsv1.Deployment, error) {
 	for _, deployment := range deployments {
 		accessor, err := meta.Accessor(deployment)
 		if err != nil {
 			return nil, fmt.Errorf("error getting accessor for item: %v", err)
 		}
 		if accessor.GetName() == deploymentName {
-			deploymentObj, ok := deployment.(*app.Deployment)
+			deploymentObj, ok := deployment.(*appsv1.Deployment)
 			if !ok {
 				return nil, fmt.Errorf("failed to cast to Deployment")
 			}

internal/pkg/handler/upgrade.go

@@ -160,7 +160,12 @@ func sendWebhook(url string) (string, []error) {
 		// the reloader seems to retry automatically so no retry logic added
 		return "", err
 	}
-	defer resp.Body.Close()
+	defer func() {
+		closeErr := resp.Body.Close()
+		if closeErr != nil {
+			logrus.Error(closeErr)
+		}
+	}()
 	var buffer bytes.Buffer
 	_, bufferErr := io.Copy(&buffer, resp.Body)
 	if bufferErr != nil {
@@ -172,18 +177,34 @@ func sendWebhook(url string) (string, []error) {
 func doRollingUpgrade(config common.Config, collectors metrics.Collectors, recorder record.EventRecorder, invoke invokeStrategy) error {
 	clients := kube.GetClients()
 
-	err := rollingUpgrade(clients, config, GetDeploymentRollingUpgradeFuncs(), collectors, recorder, invoke)
+	// Get ignored workload types to avoid listing resources without RBAC permissions
+	ignoredWorkloadTypes, err := util.GetIgnoredWorkloadTypesList()
+	if err != nil {
+		logrus.Errorf("Failed to parse ignored workload types: %v", err)
+		ignoredWorkloadTypes = util.List{} // Continue with empty list if parsing fails
+	}
+
+	err = rollingUpgrade(clients, config, GetDeploymentRollingUpgradeFuncs(), collectors, recorder, invoke)
 	if err != nil {
 		return err
 	}
-	err = rollingUpgrade(clients, config, GetCronJobCreateJobFuncs(), collectors, recorder, invoke)
-	if err != nil {
-		return err
+
+	// Only process CronJobs if they are not ignored
+	if !ignoredWorkloadTypes.Contains("cronjobs") {
+		err = rollingUpgrade(clients, config, GetCronJobCreateJobFuncs(), collectors, recorder, invoke)
+		if err != nil {
+			return err
+		}
 	}
-	err = rollingUpgrade(clients, config, GetJobCreateJobFuncs(), collectors, recorder, invoke)
-	if err != nil {
-		return err
+
+	// Only process Jobs if they are not ignored
+	if !ignoredWorkloadTypes.Contains("jobs") {
+		err = rollingUpgrade(clients, config, GetJobCreateJobFuncs(), collectors, recorder, invoke)
+		if err != nil {
+			return err
+		}
 	}
+
 	err = rollingUpgrade(clients, config, GetDaemonSetRollingUpgradeFuncs(), collectors, recorder, invoke)
 	if err != nil {
 		return err
@@ -334,7 +355,8 @@ func upgradeResource(clients kube.Clients, config common.Config, upgradeFuncs ca
 
 func getVolumeMountName(volumes []v1.Volume, mountType string, volumeName string) string {
 	for i := range volumes {
-		if mountType == constants.ConfigmapEnvVarPostfix {
+		switch mountType {
+		case constants.ConfigmapEnvVarPostfix:
 			if volumes[i].ConfigMap != nil && volumes[i].ConfigMap.Name == volumeName {
 				return volumes[i].Name
 			}
@@ -346,7 +368,7 @@ func getVolumeMountName(volumes []v1.Volume, mountType string, volumeName string
 					}
 				}
 			}
-		} else if mountType == constants.SecretEnvVarPostfix {
+		case constants.SecretEnvVarPostfix:
 			if volumes[i].Secret != nil && volumes[i].Secret.SecretName == volumeName {
 				return volumes[i].Name
 			}
@@ -383,9 +405,9 @@ func getContainerWithEnvReference(containers []v1.Container, resourceName string
 		for j := range envs {
 			envVarSource := envs[j].ValueFrom
 			if envVarSource != nil {
-				if resourceType == constants.SecretEnvVarPostfix && envVarSource.SecretKeyRef != nil && envVarSource.SecretKeyRef.LocalObjectReference.Name == resourceName {
+				if resourceType == constants.SecretEnvVarPostfix && envVarSource.SecretKeyRef != nil && envVarSource.SecretKeyRef.Name == resourceName {
 					return &containers[i]
-				} else if resourceType == constants.ConfigmapEnvVarPostfix && envVarSource.ConfigMapKeyRef != nil && envVarSource.ConfigMapKeyRef.LocalObjectReference.Name == resourceName {
+				} else if resourceType == constants.ConfigmapEnvVarPostfix && envVarSource.ConfigMapKeyRef != nil && envVarSource.ConfigMapKeyRef.Name == resourceName {
 					return &containers[i]
 				}
 			}
@@ -393,9 +415,9 @@ func getContainerWithEnvReference(containers []v1.Container, resourceName string
 
 		envsFrom := containers[i].EnvFrom
 		for j := range envsFrom {
-			if resourceType == constants.SecretEnvVarPostfix && envsFrom[j].SecretRef != nil && envsFrom[j].SecretRef.LocalObjectReference.Name == resourceName {
+			if resourceType == constants.SecretEnvVarPostfix && envsFrom[j].SecretRef != nil && envsFrom[j].SecretRef.Name == resourceName {
 				return &containers[i]
-			} else if resourceType == constants.ConfigmapEnvVarPostfix && envsFrom[j].ConfigMapRef != nil && envsFrom[j].ConfigMapRef.LocalObjectReference.Name == resourceName {
+			} else if resourceType == constants.ConfigmapEnvVarPostfix && envsFrom[j].ConfigMapRef != nil && envsFrom[j].ConfigMapRef.Name == resourceName {
 				return &containers[i]
 			}
 		}

internal/pkg/options/flags.go

@@ -65,6 +65,8 @@ var (
 	WebhookUrl = ""
 	// ResourcesToIgnore is a list of resources to ignore when watching for changes
 	ResourcesToIgnore = []string{}
+	// WorkloadTypesToIgnore is a list of workload types to ignore when watching for changes
+	WorkloadTypesToIgnore = []string{}
 	// NamespacesToIgnore is a list of namespace names to ignore when watching for changes
 	NamespacesToIgnore = []string{}
 	// NamespaceSelectors is a list of namespace selectors to watch for changes

internal/pkg/testutil/kube.go

@@ -94,7 +94,7 @@ func getAnnotations(name string, autoReload bool, secretAutoReload bool, configm
 		annotations[options.ConfigmapReloaderAutoAnnotation] = "true"
 	}
 
-	if !(len(annotations) > 0) {
+	if len(annotations) == 0 {
 		annotations = map[string]string{
 			options.ConfigmapUpdateOnChangeAnnotation: name,
 			options.SecretUpdateOnChangeAnnotation:    name}
@@ -479,18 +479,19 @@ func GetDeploymentWithPodAnnotations(namespace string, deploymentName string, bo
 		},
 	}
 	if !both {
-		deployment.ObjectMeta.Annotations = nil
+		deployment.Annotations = nil
 	}
-	deployment.Spec.Template.ObjectMeta.Annotations = getAnnotations(deploymentName, true, false, false, map[string]string{})
+	deployment.Spec.Template.Annotations = getAnnotations(deploymentName, true, false, false, map[string]string{})
 	return deployment
 }
 
 func GetDeploymentWithTypedAutoAnnotation(namespace string, deploymentName string, resourceType string) *appsv1.Deployment {
 	replicaset := int32(1)
 	var objectMeta metav1.ObjectMeta
-	if resourceType == SecretResourceType {
+	switch resourceType {
+	case SecretResourceType:
 		objectMeta = getObjectMeta(namespace, deploymentName, false, true, false, map[string]string{})
-	} else if resourceType == ConfigmapResourceType {
+	case ConfigmapResourceType:
 		objectMeta = getObjectMeta(namespace, deploymentName, false, false, true, map[string]string{})
 	}
 
@@ -514,9 +515,10 @@ func GetDeploymentWithExcludeAnnotation(namespace string, deploymentName string,
 
 	annotation := map[string]string{}
 
-	if resourceType == SecretResourceType {
+	switch resourceType {
+	case SecretResourceType:
 		annotation[options.SecretExcludeReloaderAnnotation] = deploymentName
-	} else if resourceType == ConfigmapResourceType {
+	case ConfigmapResourceType:
 		annotation[options.ConfigmapExcludeReloaderAnnotation] = deploymentName
 	}
 
@@ -747,12 +749,13 @@ func GetResourceSHAFromAnnotation(podAnnotations map[string]string) string {
 // ConvertResourceToSHA generates SHA from secret or configmap data
 func ConvertResourceToSHA(resourceType string, namespace string, resourceName string, data string) string {
 	values := []string{}
-	if resourceType == SecretResourceType {
+	switch resourceType {
+	case SecretResourceType:
 		secret := GetSecret(namespace, resourceName, data)
 		for k, v := range secret.Data {
 			values = append(values, k+"="+string(v[:]))
 		}
-	} else if resourceType == ConfigmapResourceType {
+	case ConfigmapResourceType:
 		configmap := GetConfigmap(namespace, resourceName, data)
 		for k, v := range configmap.Data {
 			values = append(values, k+"="+v)

internal/pkg/util/util.go

@@ -83,6 +83,7 @@ func ConfigureReloaderFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVar(&options.LogLevel, "log-level", "info", "Log level to use (trace, debug, info, warning, error, fatal and panic)")
 	cmd.PersistentFlags().StringVar(&options.WebhookUrl, "webhook-url", "", "webhook to trigger instead of performing a reload")
 	cmd.PersistentFlags().StringSliceVar(&options.ResourcesToIgnore, "resources-to-ignore", options.ResourcesToIgnore, "list of resources to ignore (valid options 'configMaps' or 'secrets')")
+	cmd.PersistentFlags().StringSliceVar(&options.WorkloadTypesToIgnore, "ignored-workload-types", options.WorkloadTypesToIgnore, "list of workload types to ignore (valid options: 'jobs', 'cronjobs', or both)")
 	cmd.PersistentFlags().StringSliceVar(&options.NamespacesToIgnore, "namespaces-to-ignore", options.NamespacesToIgnore, "list of namespaces to ignore")
 	cmd.PersistentFlags().StringSliceVar(&options.NamespaceSelectors, "namespace-selector", options.NamespaceSelectors, "list of key:value labels to filter on for namespaces")
 	cmd.PersistentFlags().StringSliceVar(&options.ResourceSelectors, "resource-label-selector", options.ResourceSelectors, "list of key:value labels to filter on for configmaps and secrets")
@@ -112,3 +113,16 @@ func GetIgnoredResourcesList() (List, error) {
 
 	return ignoredResourcesList, nil
 }
+
+func GetIgnoredWorkloadTypesList() (List, error) {
+
+	ignoredWorkloadTypesList := options.WorkloadTypesToIgnore
+
+	for _, v := range ignoredWorkloadTypesList {
+		if v != "jobs" && v != "cronjobs" {
+			return nil, fmt.Errorf("'ignored-workload-types' accepts 'jobs', 'cronjobs', or both, not '%s'", v)
+		}
+	}
+
+	return ignoredWorkloadTypesList, nil
+}

internal/pkg/util/util_test.go

@@ -3,6 +3,7 @@ package util
 import (
 	"testing"
 
+	"github.com/stakater/Reloader/internal/pkg/options"
 	v1 "k8s.io/api/core/v1"
 )
 
@@ -45,3 +46,141 @@ func TestGetHashFromConfigMap(t *testing.T) {
 		}
 	}
 }
+
+func TestGetIgnoredWorkloadTypesList(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name          string
+		workloadTypes []string
+		expectError   bool
+		expected      []string
+	}{
+		{
+			name:          "Both jobs and cronjobs",
+			workloadTypes: []string{"jobs", "cronjobs"},
+			expectError:   false,
+			expected:      []string{"jobs", "cronjobs"},
+		},
+		{
+			name:          "Only jobs",
+			workloadTypes: []string{"jobs"},
+			expectError:   false,
+			expected:      []string{"jobs"},
+		},
+		{
+			name:          "Only cronjobs",
+			workloadTypes: []string{"cronjobs"},
+			expectError:   false,
+			expected:      []string{"cronjobs"},
+		},
+		{
+			name:          "Empty list",
+			workloadTypes: []string{},
+			expectError:   false,
+			expected:      []string{},
+		},
+		{
+			name:          "Invalid workload type",
+			workloadTypes: []string{"invalid"},
+			expectError:   true,
+			expected:      nil,
+		},
+		{
+			name:          "Mixed valid and invalid",
+			workloadTypes: []string{"jobs", "invalid"},
+			expectError:   true,
+			expected:      nil,
+		},
+		{
+			name:          "Duplicate values",
+			workloadTypes: []string{"jobs", "jobs"},
+			expectError:   false,
+			expected:      []string{"jobs", "jobs"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the global option
+			options.WorkloadTypesToIgnore = tt.workloadTypes
+
+			result, err := GetIgnoredWorkloadTypesList()
+
+			if tt.expectError && err == nil {
+				t.Errorf("Expected error but got none")
+			}
+
+			if !tt.expectError && err != nil {
+				t.Errorf("Expected no error but got: %v", err)
+			}
+
+			if !tt.expectError {
+				if len(result) != len(tt.expected) {
+					t.Errorf("Expected %v, got %v", tt.expected, result)
+					return
+				}
+
+				for i, expected := range tt.expected {
+					if i >= len(result) || result[i] != expected {
+						t.Errorf("Expected %v, got %v", tt.expected, result)
+						break
+					}
+				}
+			}
+		})
+	}
+}
+
+func TestListContains(t *testing.T) {
+	tests := []struct {
+		name     string
+		list     List
+		item     string
+		expected bool
+	}{
+		{
+			name:     "List contains item",
+			list:     List{"jobs", "cronjobs"},
+			item:     "jobs",
+			expected: true,
+		},
+		{
+			name:     "List does not contain item",
+			list:     List{"jobs"},
+			item:     "cronjobs",
+			expected: false,
+		},
+		{
+			name:     "Empty list",
+			list:     List{},
+			item:     "jobs",
+			expected: false,
+		},
+		{
+			name:     "Case sensitive matching",
+			list:     List{"jobs", "cronjobs"},
+			item:     "Jobs",
+			expected: false,
+		},
+		{
+			name:     "Multiple occurrences",
+			list:     List{"jobs", "jobs", "cronjobs"},
+			item:     "jobs",
+			expected: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := tt.list.Contains(tt.item)
+			if result != tt.expected {
+				t.Errorf("Expected %v, got %v", tt.expected, result)
+			}
+		})
+	}
+}

pkg/common/common.go

@@ -10,6 +10,7 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/stakater/Reloader/internal/pkg/constants"
 	"github.com/stakater/Reloader/internal/pkg/options"
+	"github.com/stakater/Reloader/internal/pkg/util"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/client-go/kubernetes"
@@ -74,6 +75,8 @@ type ReloaderOptions struct {
 	WebhookUrl string `json:"webhookUrl"`
 	// ResourcesToIgnore is a list of resource types to ignore (e.g., "configmaps" or "secrets")
 	ResourcesToIgnore []string `json:"resourcesToIgnore"`
+	// WorkloadTypesToIgnore is a list of workload types to ignore (e.g., "jobs" or "cronjobs")
+	WorkloadTypesToIgnore []string `json:"workloadTypesToIgnore"`
 	// NamespaceSelectors is a list of label selectors to filter namespaces to watch
 	NamespaceSelectors []string `json:"namespaceSelectors"`
 	// ResourceSelectors is a list of label selectors to filter ConfigMaps and Secrets to watch
@@ -182,6 +185,32 @@ func GetResourceLabelSelector(slice []string) (string, error) {
 // ShouldReload checks if a resource should be reloaded based on its annotations and the provided options.
 func ShouldReload(config Config, resourceType string, annotations Map, podAnnotations Map, options *ReloaderOptions) ReloadCheckResult {
 
+	// Check if this workload type should be ignored
+	if len(options.WorkloadTypesToIgnore) > 0 {
+		ignoredWorkloadTypes, err := util.GetIgnoredWorkloadTypesList()
+		if err != nil {
+			logrus.Errorf("Failed to parse ignored workload types: %v", err)
+		} else {
+			// Map Kubernetes resource types to CLI-friendly names for comparison
+			var resourceToCheck string
+			switch resourceType {
+			case "Job":
+				resourceToCheck = "jobs"
+			case "CronJob":
+				resourceToCheck = "cronjobs"
+			default:
+				resourceToCheck = resourceType // For other types, use as-is
+			}
+
+			// Check if current resource type should be ignored
+			if ignoredWorkloadTypes.Contains(resourceToCheck) {
+				return ReloadCheckResult{
+					ShouldReload: false,
+				}
+			}
+		}
+	}
+
 	ignoreResourceAnnotatonValue := config.ResourceAnnotations[options.IgnoreResourceAnnotation]
 	if ignoreResourceAnnotatonValue == "true" {
 		return ReloadCheckResult{
@@ -304,6 +333,7 @@ func GetCommandLineOptions() *ReloaderOptions {
 	CommandLineOptions.EnableHA = options.EnableHA
 	CommandLineOptions.WebhookUrl = options.WebhookUrl
 	CommandLineOptions.ResourcesToIgnore = options.ResourcesToIgnore
+	CommandLineOptions.WorkloadTypesToIgnore = options.WorkloadTypesToIgnore
 	CommandLineOptions.NamespaceSelectors = options.NamespaceSelectors
 	CommandLineOptions.ResourceSelectors = options.ResourceSelectors
 	CommandLineOptions.NamespacesToIgnore = options.NamespacesToIgnore

pkg/common/common_test.go

@@ -0,0 +1,224 @@
+package common
+
+import (
+	"testing"
+
+	"github.com/stakater/Reloader/internal/pkg/options"
+)
+
+func TestShouldReload_IgnoredWorkloadTypes(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name                 string
+		ignoredWorkloadTypes []string
+		resourceType         string
+		shouldReload         bool
+		description          string
+	}{
+		{
+			name:                 "Jobs ignored - Job should not reload",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "Job",
+			shouldReload:         false,
+			description:          "When jobs are ignored, Job resources should not be reloaded",
+		},
+		{
+			name:                 "Jobs ignored - CronJob should reload",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "CronJob",
+			shouldReload:         true,
+			description:          "When jobs are ignored, CronJob resources should still be processed",
+		},
+		{
+			name:                 "CronJobs ignored - CronJob should not reload",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "CronJob",
+			shouldReload:         false,
+			description:          "When cronjobs are ignored, CronJob resources should not be reloaded",
+		},
+		{
+			name:                 "CronJobs ignored - Job should reload",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "Job",
+			shouldReload:         true,
+			description:          "When cronjobs are ignored, Job resources should still be processed",
+		},
+		{
+			name:                 "Both ignored - Job should not reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Job",
+			shouldReload:         false,
+			description:          "When both are ignored, Job resources should not be reloaded",
+		},
+		{
+			name:                 "Both ignored - CronJob should not reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "CronJob",
+			shouldReload:         false,
+			description:          "When both are ignored, CronJob resources should not be reloaded",
+		},
+		{
+			name:                 "Both ignored - Deployment should reload",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Deployment",
+			shouldReload:         true,
+			description:          "When both are ignored, other workload types should still be processed",
+		},
+		{
+			name:                 "None ignored - Job should reload",
+			ignoredWorkloadTypes: []string{},
+			resourceType:         "Job",
+			shouldReload:         true,
+			description:          "When nothing is ignored, all workload types should be processed",
+		},
+		{
+			name:                 "None ignored - CronJob should reload",
+			ignoredWorkloadTypes: []string{},
+			resourceType:         "CronJob",
+			shouldReload:         true,
+			description:          "When nothing is ignored, all workload types should be processed",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the ignored workload types
+			options.WorkloadTypesToIgnore = tt.ignoredWorkloadTypes
+
+			// Create minimal test config and options
+			config := Config{
+				ResourceName: "test-resource",
+				Annotation:   "configmap.reloader.stakater.com/reload",
+			}
+
+			annotations := Map{
+				"configmap.reloader.stakater.com/reload": "test-config",
+			}
+
+			// Create ReloaderOptions with the ignored workload types
+			opts := &ReloaderOptions{
+				WorkloadTypesToIgnore:  tt.ignoredWorkloadTypes,
+				AutoReloadAll:          true, // Enable auto-reload to simplify test
+				ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+			}
+
+			// Call ShouldReload
+			result := ShouldReload(config, tt.resourceType, annotations, Map{}, opts)
+
+			// Check the result
+			if result.ShouldReload != tt.shouldReload {
+				t.Errorf("For resource type %s with ignored types %v, expected ShouldReload=%v, got=%v",
+					tt.resourceType, tt.ignoredWorkloadTypes, tt.shouldReload, result.ShouldReload)
+			}
+
+			t.Logf("✓ %s", tt.description)
+		})
+	}
+}
+
+func TestShouldReload_IgnoredWorkloadTypes_ValidationError(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	// Test with invalid workload type - should still continue processing
+	options.WorkloadTypesToIgnore = []string{"invalid"}
+
+	config := Config{
+		ResourceName: "test-resource",
+		Annotation:   "configmap.reloader.stakater.com/reload",
+	}
+
+	annotations := Map{
+		"configmap.reloader.stakater.com/reload": "test-config",
+	}
+
+	opts := &ReloaderOptions{
+		WorkloadTypesToIgnore:  []string{"invalid"},
+		AutoReloadAll:          true, // Enable auto-reload to simplify test
+		ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+	}
+
+	// Should not panic and should continue with normal processing
+	result := ShouldReload(config, "Job", annotations, Map{}, opts)
+
+	// Since validation failed, it should continue with normal processing (should reload)
+	if !result.ShouldReload {
+		t.Errorf("Expected ShouldReload=true when validation fails, got=%v", result.ShouldReload)
+	}
+}
+
+// Test that validates the fix for issue #996
+func TestShouldReload_IssueRBACPermissionFixed(t *testing.T) {
+	// Save original state
+	originalWorkloadTypes := options.WorkloadTypesToIgnore
+	defer func() {
+		options.WorkloadTypesToIgnore = originalWorkloadTypes
+	}()
+
+	tests := []struct {
+		name                 string
+		ignoredWorkloadTypes []string
+		resourceType         string
+		description          string
+	}{
+		{
+			name:                 "Issue #996 - ignoreJobs prevents Job processing",
+			ignoredWorkloadTypes: []string{"jobs"},
+			resourceType:         "Job",
+			description:          "Job resources are skipped entirely, preventing RBAC permission errors",
+		},
+		{
+			name:                 "Issue #996 - ignoreCronJobs prevents CronJob processing",
+			ignoredWorkloadTypes: []string{"cronjobs"},
+			resourceType:         "CronJob",
+			description:          "CronJob resources are skipped entirely, preventing RBAC permission errors",
+		},
+		{
+			name:                 "Issue #996 - both ignored prevent both types",
+			ignoredWorkloadTypes: []string{"jobs", "cronjobs"},
+			resourceType:         "Job",
+			description:          "Job resources are skipped entirely when both types are ignored",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set the ignored workload types
+			options.WorkloadTypesToIgnore = tt.ignoredWorkloadTypes
+
+			config := Config{
+				ResourceName: "test-resource",
+				Annotation:   "configmap.reloader.stakater.com/reload",
+			}
+
+			annotations := Map{
+				"configmap.reloader.stakater.com/reload": "test-config",
+			}
+
+			opts := &ReloaderOptions{
+				WorkloadTypesToIgnore:  tt.ignoredWorkloadTypes,
+				AutoReloadAll:          true, // Enable auto-reload to simplify test
+				ReloaderAutoAnnotation: "reloader.stakater.com/auto",
+			}
+
+			// Call ShouldReload
+			result := ShouldReload(config, tt.resourceType, annotations, Map{}, opts)
+
+			// Should not reload when workload type is ignored
+			if result.ShouldReload {
+				t.Errorf("Expected ShouldReload=false for ignored workload type %s, got=%v",
+					tt.resourceType, result.ShouldReload)
+			}
+
+			t.Logf("✓ %s", tt.description)
+		})
+	}
+}

pkg/kube/resourcemapper.go

@@ -7,7 +7,7 @@ import (
 
 // ResourceMap are resources from where changes are going to be detected
 var ResourceMap = map[string]runtime.Object{
-	"configMaps": &v1.ConfigMap{},
+	"configmaps": &v1.ConfigMap{},
 	"secrets":    &v1.Secret{},
-	"namespaces":    &v1.Namespace{},
+	"namespaces": &v1.Namespace{},
 }