hashicorp · benjamin-lykins · Nov 4, 2025 · Nov 4, 2025 · Nov 11, 2025 · Nov 12, 2025
@@ -219,6 +219,12 @@ func (a *Agent) ListKeys() (*KeyringResponse, error) {
 	return &resp, nil
 }
 
+// Reload requests the agent to reload its configuration.
+func (a *Agent) Reload() error {
+	_, err := a.client.put("/v1/agent/reload", nil, nil, nil)
+	return err
+}
+
 // InstallKey installs a key in the keyrings of all the serf members
 func (a *Agent) InstallKey(key string) (*KeyringResponse, error) {
 	args := KeyringRequest{

@@ -1530,6 +1530,7 @@ func (a *Agent) ShouldReload(newConfig *Config) (agent, http bool) {
 // Reload handles configuration changes for the agent. Provides a method that
 // is easier to unit test, as this action is invoked via SIGHUP.
 func (a *Agent) Reload(newConfig *Config) error {
+	a.logger.Debug("starting reload of agent")
 	a.configLock.Lock()
 	defer a.configLock.Unlock()
 

@@ -564,6 +564,52 @@ func (s *HTTPServer) listServers(resp http.ResponseWriter, req *http.Request) (i
 	return peers, nil
 }
 
+type reloadResponse struct {
+	Message string `json:"message"`
+}
+
+func (s *HTTPServer) AgentReloadRequest(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
+	if req.Method != http.MethodPut && req.Method != http.MethodPost {
+		return nil, CodedError(405, ErrInvalidMethod)
+	}
+
+	aclObj, err := s.ResolveToken(req)
+	if err != nil {
+		return nil, err
+	}
+	if !aclObj.AllowAgentWrite() {
+		return nil, structs.ErrPermissionDenied
+	}
+
+	currConf := s.agent.GetConfig().Copy()
+
+	newConf := DefaultConfig()
+
+	for _, path := range currConf.Files {
+		if path == "" {
+			continue
+		}
+		if cfgFromFile, err := LoadConfig(path); err != nil {
+			s.logger.Error("failed to load config", "config", path, "error", err, "path", "/v1/agent/reload", "method", req.Method)
+			return nil, CodedError(400, error.Error(err))
+		} else if cfgFromFile != nil {
+			newConf = newConf.Merge(cfgFromFile)
+		}
+	}
+
+	newConf.Files = append([]string(nil), currConf.Files...)
+
+	if err := s.agent.Reload(newConf); err != nil {
+		return nil, CodedError(400, err.Error())
+	}
+
+	response := reloadResponse{
+		Message: "agent configuration reloaded",
+	}
+
+	return response, nil
+}
+
 func (s *HTTPServer) updateServers(resp http.ResponseWriter, req *http.Request) (interface{}, error) {
 	client := s.agent.Client()
 	if client == nil {

@@ -2277,3 +2277,91 @@ func TestHTTP_AgentSchedulerWorkerConfigRequest_Client(t *testing.T) {
 		})
 	}
 }
+func TestHTTP_AgentReload(t *testing.T) {
+	ci.Parallel(t)
+
+	t.Run("invalid method", func(t *testing.T) {
+		httpTest(t, nil, func(s *TestAgent) {
+			req, err := http.NewRequest(http.MethodGet, "/v1/agent/reload", nil)
+			require.NoError(t, err)
+			respW := httptest.NewRecorder()
+
+			_, err = s.Server.AgentReloadRequest(respW, req)
+			require.Error(t, err)
+			httpErr, ok := err.(HTTPCodedError)
+			require.True(t, ok)
+			require.Equal(t, 405, httpErr.Code())
+		})
+	})
+
+	t.Run("valid put request", func(t *testing.T) {
+		httpTest(t, nil, func(s *TestAgent) {
+			req, err := http.NewRequest(http.MethodPut, "/v1/agent/reload", nil)
+			require.NoError(t, err)
+			respW := httptest.NewRecorder()
+
+			obj, err := s.Server.AgentReloadRequest(respW, req)
+			require.NoError(t, err)
+			require.NotNil(t, obj)
+
+			response, ok := obj.(map[string]string)
+			require.True(t, ok)
+			require.Equal(t, "reload signaled", response["message"])
+		})
+	})
+}
+
+func TestHTTP_AgentReload_ACL(t *testing.T) {
+	ci.Parallel(t)
+	require := require.New(t)
+
+	httpACLTest(t, nil, func(s *TestAgent) {
+		state := s.Agent.server.State()
+
+		// Make the HTTP request
+		req, err := http.NewRequest(http.MethodPut, "/v1/agent/reload", nil)
+		require.Nil(err)
+
+		// Try request without a token and expect failure
+		{
+			respW := httptest.NewRecorder()
+			_, err := s.Server.AgentReloadRequest(respW, req)
+			require.NotNil(err)
+			require.Equal(err.Error(), structs.ErrPermissionDenied.Error())
+		}
+
+		// Try request with an invalid token and expect failure
+		{
+			respW := httptest.NewRecorder()
+			token := mock.CreatePolicyAndToken(t, state, 1005, "invalid", mock.NodePolicy(acl.PolicyWrite))
+			setToken(req, token)
+			_, err := s.Server.AgentReloadRequest(respW, req)
+			require.NotNil(err)
+			require.Equal(err.Error(), structs.ErrPermissionDenied.Error())
+		}
+
+		// Try request with a read token and expect failure
+		{
+			respW := httptest.NewRecorder()
+			token := mock.CreatePolicyAndToken(t, state, 1006, "read", mock.AgentPolicy(acl.PolicyRead))
+			setToken(req, token)
+			_, err := s.Server.AgentReloadRequest(respW, req)
+			require.NotNil(err)
+			require.Equal(err.Error(), structs.ErrPermissionDenied.Error())
+		}
+
+		// Try request with a valid write token
+		{
+			respW := httptest.NewRecorder()
+			token := mock.CreatePolicyAndToken(t, state, 1007, "valid", mock.AgentPolicy(acl.PolicyWrite))
+			setToken(req, token)
+			obj, err := s.Server.AgentReloadRequest(respW, req)
+			require.Nil(err)
+			require.NotNil(obj)
+
+			response, ok := obj.(map[string]string)
+			require.True(ok)
+			require.Equal("reload signaled", response["message"])
+		}
+	})
+}
@@ -93,6 +93,7 @@ type RPCer interface {
 	Stats() map[string]map[string]string
 	GetConfig() *Config
 	GetMetricsSink() *metrics.InmemSink
+	Reload(*Config) error
 }
 
 // HTTPServer is used to wrap an Agent and expose it over an HTTP interface
@@ -464,6 +465,7 @@ func (s *HTTPServer) registerHandlers(enableDebug bool) {
 	s.mux.HandleFunc("/v1/agent/keyring/", s.wrap(s.KeyringOperationRequest))
 	s.mux.HandleFunc("/v1/agent/health", s.wrap(s.HealthRequest))
 	s.mux.HandleFunc("/v1/agent/host", s.wrap(s.AgentHostRequest))
+	s.mux.HandleFunc("/v1/agent/reload", s.wrap(s.AgentReloadRequest))
 
 	// Register our service registration handlers.
 	s.mux.HandleFunc("/v1/services", s.wrap(s.ServiceRegistrationListRequest))