DataDog · maycmlee · Apr 20, 2026
@@ -360,6 +360,33 @@ bootstrap:
 
 {{% /collapse-content %}}
 
+## Refresh secrets at runtime
+
+The Observability Pipelines Worker resolves secrets on startup and when its configuration is reloaded. To pick up rotated secret values without restarting the Worker, send a `SIGHUP` signal to trigger a topology reload. On reload, the Worker re-resolves all secret identifiers against the configured backend and applies the new values to the running topology.
+
+**Note**: If a rotated secret has an invalid value, the reload fails. To limit the blast radius, Datadog recommends rolling the reload one node at a time and verifying Worker health before continuing.
+
+{{< tabs >}}
+{{% tab "Docker or Linux" %}}
+Send `SIGHUP` to the Worker process:
+
+```shell
+kill -HUP <worker_pid>
+```
+
+{{% /tab %}}
+{{% tab "Kubernetes" %}}
+Send `SIGHUP` to the Worker process inside each pod:
+
+```shell
+kubectl exec <pod_name> -- kill -HUP 1
+```
+
+Repeat for each Worker pod, one at a time, and verify Worker health between pods.
+
+{{% /tab %}}
+{{< /tabs >}}
+
 ## Further reading
 
 {{< partial name="whats-next/whats-next.html" >}}