diff --git a/README.md b/README.md index 8a19390..7fab7fb 100644 --- a/README.md +++ b/README.md @@ -154,6 +154,34 @@ replaced: + --set 'prometheus.metrics.serviceMonitor.tlsConfig.keyFile=/etc/prometheus/tls/tls.key' ``` +#### TLS certificate rotation + +If Reposilite uses TLS certificates that are mounted as a secret in the container file system like the example +[above](#tls-authentication-and-encryption), the exporter will not automatically apply them when the TLS certificates +are rotated. Such a rotation can be for example triggered, when the [cert-manager](https://cert-manager.io/) issues new +TLS certificates before expiring. + +Until Reposilite does not support rotating TLS certificate a workaround can be applied. For example stakater's +[reloader](https://github.com/stakater/Reloader) controller can be used to trigger a rolling update. The following +annotation must be added to instruct the reloader controller to trigger a rolling update, when the mounted configMaps +and secrets have been changed. + +```yaml +deployment: + annotations: + reloader.stakater.com/auto: "true" +``` + +Instead of triggering a rolling update for configMap and secret resources, this action can also be defined for +individual items. For example, when the secret named `prometheus-postgresql-exporter-http` is mounted and the reloader +controller should only listen for changes of this secret: + +```yaml +deployment: + annotations: + secret.reloader.stakater.com/reload: "prometheus-postgresql-exporter-http" +``` + #### Grafana dashboard The helm chart includes Grafana dashboards. These can be deployed as a configMap by activating Grafana integration. It
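Review bot: In the second YAML example of the added "TLS certificate rotation" section, the secret name `prometheus-postgresql-exporter-http` looks carried over from a PostgreSQL exporter chart, and the first paragraph likewise says "the exporter will not automatically apply them" although the section is about Reposilite. Suggest using the name of the secret this chart actually mounts and naming one component consistently throughout. The sentence "Until Reposilite does not support rotating TLS certificate" says the opposite of what is meant and should read "Until Reposilite supports rotating TLS certificates". It would also help to state that `reloader.stakater.com/auto: "true"` triggers a rolling update on a change to any mounted configMap or secret, so the per-secret annotation is the narrower option when only certificate rotation should restart the pods.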