feat(bp-reloader): umbrella chart for security layer

Catalyst Blueprint umbrella chart for reloader — security/policy layer. Pinned upstream + appVersion verified against the helm index on 2026-04-30. ServiceMonitor disabled per BLUEPRINT-AUTHORING.md §11.2. Solo-Sovereign defaults; per-Sovereign overlays bump to HA later. Part of security-stack umbrellas batch 3.
2026-04-30 06:04:36 +02:00 · 2026-04-30 06:04:36 +02:00 · b73167b88b
commit b73167b88b
parent b25e863bd4
4 changed files with 119 additions and 0 deletions
--- a/platform/reloader/blueprint.yaml
+++ b/platform/reloader/blueprint.yaml
@ -0,0 +1,13 @@
+apiVersion: catalyst.openova.io/v1
+kind: Blueprint
+metadata:
+  name: reloader
+  labels:
+    catalyst.openova.io/section: pts-3-3-security-and-policy
+spec:
+  version: 1.0.0
+  card:
+    title: Reloader
+    family: guardian
+    description: Watches ConfigMap/Secret changes and triggers rolling restarts of dependent Deployments/StatefulSets/DaemonSets. Lets bp-* workloads pick up rotated secrets and rotated TLS material without manual rollouts.
+    docs: https://github.com/stakater/Reloader
--- a/platform/reloader/chart/.helmignore
+++ b/platform/reloader/chart/.helmignore
@ -0,0 +1 @@
+*.yaml.bak
--- a/platform/reloader/chart/Chart.yaml
+++ b/platform/reloader/chart/Chart.yaml
@ -0,0 +1,29 @@
+apiVersion: v2
+name: bp-reloader
+description: |
+  Catalyst Blueprint umbrella chart for Stakater Reloader. Depends on the
+  upstream `reloader` chart (stakater/stakater-charts) as a Helm subchart
+  so `helm dependency build` pulls the upstream payload into this artifact.
+  Catalyst-curated values flow into the upstream subchart under the
+  `reloader:` key in values.yaml.
+
+  Reloader is the secret/configmap-rotation glue across Catalyst — when
+  bp-cert-manager rotates TLS, when ESO syncs a rotated secret from
+  bp-openbao, or when an operator edits a ConfigMap, Reloader triggers a
+  rolling restart of the dependent workloads marked with
+  `reloader.stakater.com/auto: "true"` (or per-resource annotations).
+type: application
+version: 1.0.0
+appVersion: "v1.4.16"
+keywords: [catalyst, blueprint, reloader, configmap, secret, rotation, security]
+maintainers:
+  - name: OpenOva Catalyst
+    email: catalyst@openova.io
+
+# Pinned to stakater/reloader 2.2.11 (appVersion v1.4.16) — current stable
+# on 2026-04-29. Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode) the
+# version is operator-bumpable via PR + Blueprint release.
+dependencies:
+  - name: reloader
+    version: "2.2.11"
+    repository: "https://stakater.github.io/stakater-charts"
--- a/platform/reloader/chart/values.yaml
+++ b/platform/reloader/chart/values.yaml
@ -0,0 +1,76 @@
+# Catalyst Blueprint umbrella metadata — the upstream chart is resolved as
+# a Helm subchart via Chart.yaml `dependencies:`. Catalyst-curated values
+# under the `reloader:` key flow into the upstream subchart unchanged.
+#
+# Per docs/INVIOLABLE-PRINCIPLES.md #4 (never hardcode), every operationally-
+# meaningful value is configurable; cluster overlays in clusters/<sovereign>/
+# may override any of these without rebuilding the Blueprint OCI artifact.
+
+catalystBlueprint:
+  upstream:
+    chart: reloader
+    version: "2.2.11"
+    repo: "https://stakater.github.io/stakater-charts"
+
+# ─── Upstream chart values (subchart key: reloader) ──────────────────────
+reloader:
+  # Reloader controller — single replica (the upstream chart uses leader
+  # election when scaled, but a single-pod restart only delays a rotation
+  # by ≤30s in practice).
+  reloader:
+    replicaCount: 1
+
+    # Pin upstream image tag — DO NOT use floating tags per
+    # docs/INVIOLABLE-PRINCIPLES.md.
+    deployment:
+      image:
+        name: ghcr.io/stakater/reloader
+        tag: "v1.4.16"
+        pullPolicy: IfNotPresent
+
+      resources:
+        requests:
+          cpu: 50m
+          memory: 64Mi
+        limits:
+          cpu: 200m
+          memory: 256Mi
+
+      # Cluster-wide watch — Reloader watches every namespace by default.
+      # Per-Sovereign overlays MAY narrow via `--namespaces-to-watch`.
+      env:
+        open: []
+
+      # SecurityContext — non-root.
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+        readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
+        capabilities:
+          drop: ["ALL"]
+
+    # Reload strategy — `env-vars` (sets a checksum env var that triggers a
+    # rollout) is upstream default; `annotations` mode is also supported.
+    reloadStrategy: "env-vars"
+
+    # ServiceMonitor — DEFAULT FALSE per docs/BLUEPRINT-AUTHORING.md §11.2.
+    serviceMonitor:
+      enabled: false
+
+    # RBAC — chart manages its own ClusterRole + ServiceAccount.
+    rbac:
+      enabled: true
+    serviceAccount:
+      create: true
+
+    # Watchers — both ConfigMaps and Secrets, the default Catalyst posture.
+    watchGlobally: true
+    isOpenshift: false
+
+# ─── Catalyst overlay values (consumed by templates/ in this chart) ──────
+# Reserved for Catalyst-side overlays (NetworkPolicy) added in a follow-up
+# PR once bp-reloader is consumed in clusters/_template/.
+reloaderOverlay:
+  networkPolicy:
+    enabled: false