Reloader
Can we have an exclude option introduced that can be configured at deployment/sts level
Could we introduce an "exclude" option that can be configured at the deployment and statefulset level? This option would allow us to specify a list of secret and configmap names for which we do not want to trigger a rolling restart.
Use case: We are a platform team responsible for ensuring best practices across 30+ teams within our organization.
When updating certain secrets, such as istio-secret-configmap, we want to enforce a rolling restart of all deployments, so service teams don't need to manually include this secret under the annotation configmap.reloader.stakater.com/reload.
However, for other secrets, like kerberos-token-secret, we want to provide service teams with the flexibility to determine whether a rolling restart is necessary, depending on whether the SDK they use supports hot reloading. In such cases, teams would indicate this by adding the relevant secret name under configmap.reloader.stakater.com/reload.
- We can't use secret.reloader.stakater.com/auto: "true", as this will act on all referenced cm's and secrets.
- Currently, we use the annotation configmap.reloader.stakater.com/reload, but the issue with this approach is that, for secrets like istio-secret-configmap, where we want to enforce a mandatory rolling restart, we have to update all Helm charts that correspond to all service teams.
- A label-based approach does not work because, for some secrets/configmaps, we want to give users the flexibility to decide whether a deployment or statefulset requires a rolling restart.
This problem could be resolved by introducing an annotation like configmap.exclude.reloader.stakater.com/reload, where service teams can simply list the secrets/cm's for which they do not want to trigger a rolling restart.
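A sketch of the decision logic the request implies, added here as an illustration; it is not Reloader's code and not part of the original issue. It assumes the proposed exclude annotation takes a comma-separated list like the existing reload annotation, and that an exclusion takes precedence over both the auto setting and the explicit reload list; `shouldRestart` and `nameSet` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// autoKey and reloadKey are the annotations quoted in the issue; excludeKey is
// the annotation the issue proposes (its semantics here are an assumption).
const (
	autoKey    = "secret.reloader.stakater.com/auto"
	reloadKey  = "configmap.reloader.stakater.com/reload"
	excludeKey = "configmap.exclude.reloader.stakater.com/reload"
)

// nameSet parses a comma-separated annotation value into a set of names,
// trimming whitespace and ignoring empty entries.
func nameSet(v string) map[string]bool {
	set := map[string]bool{}
	for _, n := range strings.Split(v, ",") {
		if n = strings.TrimSpace(n); n != "" {
			set[n] = true
		}
	}
	return set
}

// shouldRestart reports whether a change to the Secret/ConfigMap `changed`
// should roll a workload carrying annotations `ann`. `referenced` is the set
// of Secret/ConfigMap names the pod template mounts or reads.
func shouldRestart(ann map[string]string, referenced map[string]bool, changed string) bool {
	if nameSet(ann[excludeKey])[changed] {
		return false // team opted out: wins over auto and the reload list
	}
	if nameSet(ann[reloadKey])[changed] {
		return true // explicit opt-in, as with today's reload annotation
	}
	// Auto mode: any referenced object that is not excluded triggers a restart.
	return ann[autoKey] == "true" && referenced[changed]
}

func main() {
	// Constructed workload: the platform chart sets auto, the service team
	// excludes the secret its SDK can hot-reload.
	ann := map[string]string{autoKey: "true", excludeKey: "kerberos-token-secret"}
	refs := nameSet("istio-secret-configmap,kerberos-token-secret")
	for _, name := range []string{"istio-secret-configmap", "kerberos-token-secret"} {
		fmt.Printf("%s changed -> restart=%v\n", name, shouldRestart(ann, refs, name))
	}
}
```

With this precedence the platform team can set the auto annotation once in a shared chart, and each service team only maintains its own opt-out list.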