Add Stakater Reloader wrapper for OpenShift and CSI.

Ship stakater/reloader 2.2.11 as a vendored dependency with defaults for
cluster-wide watch, OpenShift, HA, and Secrets Store CSI integration so CI
can lint without pulling charts at runtime.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: Martin Jackson

.gitignore

@@ -2,8 +2,9 @@
 # Edit at https://www.toptal.com/developers/gitignore?templates=helm,vim,linux
 
 ### Helm ###
-# Chart dependencies
+# Chart dependencies (vendored subcharts are tracked for CI without registry pulls)
 **/charts/*.tgz
+!charts/reloader-*.tgz
 
 ### Linux ###
 *~

Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: reloader
+  repository: https://stakater.github.io/stakater-charts
+  version: 2.2.11
+digest: sha256:09bd15e46f5b5c09da317bda9dfe5dd4b74e5e2aecd8271e8e66eaabfd0df521
+generated: "2026-05-15T14:05:20.156502347-05:00"

Chart.yaml

@@ -1,6 +1,23 @@
 apiVersion: v2
-description: A Helm chart to serve as the Validated Patterns Template
+name: vp-stakater-reloader
+description: >-
+  Wrapper Helm chart for Stakater Reloader with defaults for cluster-wide
+  OpenShift, ConfigMap/Secret watching, and Secrets Store CSI integration.
+type: application
+version: 0.1.0
 keywords:
-  - pattern
-name: vp-template
-version: 0.0.1
+  - reloader
+  - openshift
+  - validated-patterns
+  - secrets-store-csi
+home: https://github.com/stakater/Reloader
+sources:
+  - https://github.com/stakater/Reloader
+icon: https://raw.githubusercontent.com/stakater/Reloader/master/assets/web/reloader-round-100px.png
+maintainers:
+  - name: Validated Patterns
+# Bump the dependency version below to pick up new stakater/reloader chart releases.
+dependencies:
+  - name: reloader
+    version: 2.2.11
+    repository: https://stakater.github.io/stakater-charts

Makefile

@@ -14,6 +14,10 @@ help: ## This help message
 	@echo "Pattern: $(NAME)"
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^(\s|[a-zA-Z_0-9-])+:.*?##/ { printf "  \033[36m%-35s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
+.PHONY: helm-deps
+helm-deps: ## Downloads subchart dependencies (updates Chart.lock and charts/*.tgz)
+	helm dependency update
+
 .PHONY: helm-lint
 helm-lint: ## Runs helm lint against the chart
 	helm lint .

README.md

@@ -1,13 +1,93 @@
-# vp-template
+# vp-stakater-reloader
 
-![Version: 0.0.1](https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square)
+![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
-A Helm chart to serve as the Validated Patterns Template
+Wrapper Helm chart for Stakater Reloader with defaults for cluster-wide OpenShift, ConfigMap/Secret watching, and Secrets Store CSI integration.
 
-This chart is used to serve as the template for Validated Patterns Charts
+## Prerequisites
 
-## Notable changes
+- Helm 3 or later
+- OpenShift (or Kubernetes) cluster
+- Optional: [Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) and its CRDs if you rely on CSI-backed secret rotation (Reloader watches those APIs when `reloader.reloader.enableCSIIntegration` is true)
 
----
+## Install
 
+Add this chart (or your chart repo) and install into a dedicated namespace, for example `reloader`:
+
+```bash
+helm install reloader /path/to/vp-stakater-reloader-chart \
+  --namespace reloader \
+  --create-namespace
+```
+
+### OpenShift UID / SCC (recommended)
+
+Upstream Reloader defaults `runAsUser: 65534`. On OpenShift 4.13+, Stakater recommends letting the namespace SCC assign the UID. Helm value merging keeps that default unless you clear the key explicitly:
+
+```bash
+helm install reloader /path/to/vp-stakater-reloader-chart \
+  --namespace reloader \
+  --create-namespace \
+  --set reloader.reloader.deployment.securityContext.runAsUser=null
+```
+
+### Maximum automation (`autoReloadAll`)
+
+This chart sets `reloader.reloader.autoReloadAll` to `false` so workloads opt in via Reloader annotations. To reload on ConfigMap/Secret changes by default (opt out with `reloader.stakater.com/auto: "false"` on a workload), set:
+
+```bash
+--set reloader.reloader.autoReloadAll=true
+```
+
+## Upstream documentation
+
+- [Reloader OSS documentation](https://docs.stakater.com/reloader/)
+- [Annotations reference](https://docs.stakater.com/reloader/1.4/reference/annotations.html)
+
+## Maintainer tasks
+
+Refresh the vendored subchart after editing `Chart.yaml` dependencies:
+
+```bash
+make helm-deps
+```
+
+**Homepage:** <https://github.com/stakater/Reloader>
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Validated Patterns |  |  |
+
+## Source Code
+
+* <https://github.com/stakater/Reloader>
+
+## Requirements
+
+| Repository | Name | Version |
+|------------|------|---------|
+| https://stakater.github.io/stakater-charts | reloader | 2.2.11 |
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| reloader.reloader.autoReloadAll | bool | `false` | Reload on ConfigMap or Secret changes by default; opt out per workload via Reloader annotations |
+| reloader.reloader.deployment.replicas | int | `2` | Number of controller replicas (requires enableHA when greater than 1) |
+| reloader.reloader.deployment.securityContext.runAsNonRoot | bool | `true` | Run as non-root |
+| reloader.reloader.deployment.securityContext.seccompProfile.type | string | `"RuntimeDefault"` | Seccomp profile for the pod |
+| reloader.reloader.enableCSIIntegration | bool | `true` | Watch Secrets Store CSI SecretProviderClass and SecretProviderClassPodStatus resources |
+| reloader.reloader.enableHA | bool | `true` | Enable leader election for multiple replicas |
+| reloader.reloader.ignoreConfigMaps | bool | `false` | Ignore ConfigMaps when true (cannot be true together with ignoreSecrets) |
+| reloader.reloader.ignoreCronJobs | bool | `false` | Exclude CronJobs from reload monitoring |
+| reloader.reloader.ignoreJobs | bool | `false` | Exclude Jobs from reload monitoring |
+| reloader.reloader.ignoreSecrets | bool | `false` | Ignore Secrets when true (cannot be true together with ignoreConfigMaps) |
+| reloader.reloader.isOpenshift | bool | `true` | Enable OpenShift DeploymentConfig RBAC when the API exists |
+| reloader.reloader.reloadOnCreate | bool | `true` | Trigger rollouts when new ConfigMaps or Secrets appear |
+| reloader.reloader.syncAfterRestart | bool | `true` | With HA, reconcile after leader restart (pairs with reloadOnCreate) |
+| reloader.reloader.watchGlobally | bool | `true` | Cluster-wide watch of all namespaces |
+
+----------------------------------------------
 Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

README.md.gotmpl

@@ -5,9 +5,53 @@
 
 {{ template "chart.description" . }}
 
-This chart is used to serve as the template for Validated Patterns Charts
+## Prerequisites
 
-## Notable changes
+- Helm 3 or later
+- OpenShift (or Kubernetes) cluster
+- Optional: [Secrets Store CSI Driver](https://secrets-store-csi-driver.sigs.k8s.io/) and its CRDs if you rely on CSI-backed secret rotation (Reloader watches those APIs when `reloader.reloader.enableCSIIntegration` is true)
+
+## Install
+
+Add this chart (or your chart repo) and install into a dedicated namespace, for example `reloader`:
+
+```bash
+helm install reloader /path/to/vp-stakater-reloader-chart \
+  --namespace reloader \
+  --create-namespace
+```
+
+### OpenShift UID / SCC (recommended)
+
+Upstream Reloader defaults `runAsUser: 65534`. On OpenShift 4.13+, Stakater recommends letting the namespace SCC assign the UID. Helm value merging keeps that default unless you clear the key explicitly:
+
+```bash
+helm install reloader /path/to/vp-stakater-reloader-chart \
+  --namespace reloader \
+  --create-namespace \
+  --set reloader.reloader.deployment.securityContext.runAsUser=null
+```
+
+### Maximum automation (`autoReloadAll`)
+
+This chart sets `reloader.reloader.autoReloadAll` to `false` so workloads opt in via Reloader annotations. To reload on ConfigMap/Secret changes by default (opt out with `reloader.stakater.com/auto: "false"` on a workload), set:
+
+```bash
+--set reloader.reloader.autoReloadAll=true
+```
+
+## Upstream documentation
+
+- [Reloader OSS documentation](https://docs.stakater.com/reloader/)
+- [Annotations reference](https://docs.stakater.com/reloader/1.4/reference/annotations.html)
+
+## Maintainer tasks
+
+Refresh the vendored subchart after editing `Chart.yaml` dependencies:
+
+```bash
+make helm-deps
+```
 
 {{ template "chart.homepageLine" . }}
 

charts/reloader-2.2.11.tgz

@@ -1 +1,35 @@
----
+# All keys under reloader are passed to the stakater reloader subchart dependency.
+reloader:
+  reloader:
+    # -- Cluster-wide watch of all namespaces
+    watchGlobally: true
+    # -- Enable OpenShift DeploymentConfig RBAC when the API exists
+    isOpenshift: true
+    # -- Watch Secrets Store CSI SecretProviderClass and SecretProviderClassPodStatus resources
+    enableCSIIntegration: true
+    # -- Ignore ConfigMaps when true (cannot be true together with ignoreSecrets)
+    ignoreConfigMaps: false
+    # -- Ignore Secrets when true (cannot be true together with ignoreConfigMaps)
+    ignoreSecrets: false
+    # -- Exclude Jobs from reload monitoring
+    ignoreJobs: false
+    # -- Exclude CronJobs from reload monitoring
+    ignoreCronJobs: false
+    # -- Reload on ConfigMap or Secret changes by default; opt out per workload via Reloader annotations
+    autoReloadAll: false
+    # -- Enable leader election for multiple replicas
+    enableHA: true
+    # -- Trigger rollouts when new ConfigMaps or Secrets appear
+    reloadOnCreate: true
+    # -- With HA, reconcile after leader restart (pairs with reloadOnCreate)
+    syncAfterRestart: true
+    deployment:
+      # -- Number of controller replicas (requires enableHA when greater than 1)
+      replicas: 2
+      # -- Pod securityContext; on OpenShift 4.13+ also pass --set reloader.reloader.deployment.securityContext.runAsUser=null
+      securityContext:
+        # -- Run as non-root
+        runAsNonRoot: true
+        seccompProfile:
+          # -- Seccomp profile for the pod
+          type: RuntimeDefault