From cfd57bf5ef5615b22b6c246e3743daba5fe68f18 Mon Sep 17 00:00:00 2001
From: May Lee <may.lee@datadoghq.com>
Date: Mon, 20 Apr 2026 17:19:57 -0400
Subject: [PATCH] updates

---
 .../configuration/secrets_management.md       | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/content/en/observability_pipelines/configuration/secrets_management.md b/content/en/observability_pipelines/configuration/secrets_management.md
index 48eff8b4395..90283e174ac 100644
--- a/content/en/observability_pipelines/configuration/secrets_management.md
+++ b/content/en/observability_pipelines/configuration/secrets_management.md
@@ -360,6 +360,33 @@ bootstrap:
 
 {{% /collapse-content %}}
 
+## Refresh secrets at runtime
+
+The Observability Pipelines Worker resolves secrets on startup and when its configuration is reloaded. To pick up rotated secret values without restarting the Worker, send a `SIGHUP` signal to trigger a topology reload. On reload, the Worker re-resolves all secret identifiers against the configured backend and applies the new values to the running topology.
+
+**Note**: If a rotated secret has an invalid value, the reload fails. To limit the blast radius, Datadog recommends rolling the reload one node at a time and verifying Worker health before continuing.
+
+{{< tabs >}}
+{{% tab "Docker or Linux" %}}
+Send `SIGHUP` to the Worker process:
+
+```shell
+kill -HUP <worker_pid>
+```
+
+{{% /tab %}}
+{{% tab "Kubernetes" %}}
+Send `SIGHUP` to the Worker process inside each pod:
+
+```shell
+kubectl exec <pod_name> -- kill -HUP 1
+```
+
+Repeat for each Worker pod, one at a time, and verify Worker health between pods.
+
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Further reading
 
 {{< partial name="whats-next/whats-next.html" >}}