[BUG] Reloader fails to reload pods on first ConfigMap update by trust-manager unless --reload-on-create=true is set #984

@hznor

Describe the bug
Reloader doesn't reload the pod associated with a configMap when the configMap is being modified for the first time by trust-manager, unless --reload-on-create=true is defined.
It does reload pods without issues for subsequent value overwrites by trust-manager; only the first modification of the configMap by trust-manager fails to trigger a reload by Reloader.

To Reproduce
$ kubectl apply an empty configMap, then make trust-manager override this configMap with new values

Expected behavior
Reloader should detect a change in the configMap as soon as trust-manager modifies it.

Environment

  • Kubernetes/OpenShift Version: v1.31.7

Additional context

At first we kubectl apply an empty configMap:

$ kubectl get cm ca-bundle-exploration-externals -o yaml
apiVersion: v1
data:
  ca-externals.crt: ' '
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"ca-externals.crt":" "},"kind":"ConfigMap","metadata":{"annotations":{},"name":"ca-bundle-exploration-externals","namespace":"default"}}
  creationTimestamp: "2025-07-29T13:39:47Z"
  name: ca-bundle-exploration-externals
  namespace: default
  resourceVersion: "17921903"
  uid: fae9a394-7ec5-4be4-9745-80920443c28c

Then we trigger trust-manager, which overrides the empty configMap with new values (reload doesn't happen here, unless --reload-on-create=true is passed):

$ kubectl get cm ca-bundle-exploration-externals -o yaml
apiVersion: v1
data:
  ca-externals.crt: |-
    -----BEGIN CERTIFICATE-----
[EDITED]
[CERT A]
[EDITED]
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"ca-externals.crt":" "},"kind":"ConfigMap","metadata":{"annotations":{},"name":"ca-bundle-exploration-externals","namespace":"default"}}
    trust.cert-manager.io/hash: cd98349a90a704071cb8ab855c5e6509a365ecd32f70637a8c3ba8299833ce35
  creationTimestamp: "2025-07-29T13:39:47Z"
  labels:
    app.kubernetes.io/component: exploration
    trust.cert-manager.io/bundle: ca-bundle-exploration-externals
  name: ca-bundle-exploration-externals
  namespace: argonos-explo
  ownerReferences:
  - apiVersion: trust.cert-manager.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Bundle
    name: ca-bundle-exploration-externals
    uid: 632f81ac-0595-496f-a80c-e180d38d61ec
  resourceVersion: "17925074"
  uid: fae9a394-7ec5-4be4-9745-80920443c28c

We trigger trust-manager with a different input value to get new values in the configMap: reload happens here (with or without --reload-on-create=true)

$ kubectl get cm ca-bundle-exploration-externals -o yaml
apiVersion: v1
data:
  ca-externals.crt: |-
    -----BEGIN CERTIFICATE-----
[EDITED]
[CERT B]
[EDITED]
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{"ca-externals.crt":" "},"kind":"ConfigMap","metadata":{"annotations":{},"name":"ca-bundle-exploration-externals","namespace":"default"}}
    trust.cert-manager.io/hash: 32e4392fe99a33eea980b2eba3cb18c8b1f6eee727bc8c3ec190725a5997bba2
  creationTimestamp: "2025-07-29T13:39:47Z"
  labels:
    app.kubernetes.io/component: exploration
    trust.cert-manager.io/bundle: ca-bundle-exploration-externals
  name: ca-bundle-exploration-externals
  namespace: argonos-explo
  ownerReferences:
  - apiVersion: trust.cert-manager.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: Bundle
    name: ca-bundle-exploration-externals
    uid: 632f81ac-0595-496f-a80c-e180d38d61ec
  resourceVersion: "17926470"
  uid: fae9a394-7ec5-4be4-9745-80920443c28c

  • Even though the resource UID doesn't change, which indicates that the resource was not deleted by trust-manager, --reload-on-create=true is necessary for a reload to happen.

Labels

kind/bug: Something isn't working
