diff --git a/swh/templates/loaders/deployment.yaml b/swh/templates/loaders/deployment.yaml
index d22b503..a845183 100644
--- a/swh/templates/loaders/deployment.yaml
+++ b/swh/templates/loaders/deployment.yaml
@@ -1,104 +1,108 @@
 {{ if .Values.loaders.enabled -}}
+{{- $configurationChecksum := include (print $.Template.BasePath "/loaders/configmap.yaml") . -}}
 {{- range $loader_type, $deployment_config := .Values.loaders.deployments -}}
 {{- $loader_name := ( print "loader-" $loader_type ) -}}
 
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: {{ $loader_name }}
   namespace: {{ $.Values.namespace }}
   labels:
     app: {{ $loader_name }}
 spec:
   selector:
     matchLabels:
       app: {{ $loader_name }}
   strategy:
     type: RollingUpdate
     rollingUpdate:
       maxSurge: 1
   template:
     metadata:
       labels:
         app: {{ $loader_name }}
+      annotations:
+        # Force a rollout upgrade if the configuration changes
+        checksum/config: {{ $configurationChecksum | sha256sum }}
     spec:
       {{- if $.Values.loaders.affinity }}
       affinity:
         {{ toYaml $.Values.loaders.affinity | nindent 8 }}
       {{- end }}
       containers:
       - name: loaders
         image: {{ $.Values.swh_loaders_image }}:{{ $.Values.swh_loaders_image_version }}
         imagePullPolicy: Always
         command:
           - /entrypoint.sh
         resources:
           requests:
             memory: {{ get $deployment_config "requestedMemory" | default "512Mi" }}
             cpu: {{ get $deployment_config "requestedCpu" | default "500m" }}
           limits:
             memory: "4000Mi"
             cpu: "1200m"
         lifecycle:
           preStop:
            exec:
              command: ["kill", "1"]
         env:
         - name: STATSD_HOST
           value: {{ $.Values.statsdExternalHost | default "prometheus-statsd-exporter" }}
         - name: STATSD_PORT
           value: {{ $.Values.statsdPort | default "9125" | quote }}
         - name: CONCURRENCY
           value: "1"
         - name: MAX_TASKS_PER_CHILD
           value: "5"
         - name: LOGLEVEL
           value: "INFO"
         - name: SWH_CONFIG_FILENAME
           # FIXME: built by entrypoint.sh, determine how to properly declare this
           value: /tmp/config.yml
         - name: SWH_SENTRY_ENVIRONMENT
           value: {{ $.Values.sentry.environment }}
         - name: SWH_MAIN_PACKAGE
           value: {{ get $deployment_config "sentrySwhPackage" }}
         - name: SWH_SENTRY_DSN
           valueFrom:
             secretKeyRef:
               name: {{ $loader_name }}-sentry-secrets
               key: sentry-dsn
               # 'name' secret must exist & include key "host"
               optional: false
         - name: RABBITMQ_HOST
           valueFrom:
             secretKeyRef:
               name: amqp-access-credentials
               key: host
               # 'name' secret must exist & include key "host"
               optional: false
         volumeMounts:
           - name: config
             mountPath: /etc/softwareheritage/config.yml
             subPath: config.yml
             readOnly: true
           - name: config
             mountPath: /entrypoint.sh
             subPath: entrypoint.sh
             readOnly: true
           - name: metadata-fetcher-credentials
             mountPath: /etc/credentials/metadata-fetcher
             readOnly: true
           - mountPath: /tmp
             name: tmp-volume
       volumes:
         - name: config
           configMap:
             name: {{ $loader_name }}
             defaultMode: 0777
         - name: tmp-volume
           emptyDir: {}
         - name: metadata-fetcher-credentials
           secret:
             secretName: metadata-fetcher-credentials
 {{ end }}
 {{- end -}}