From bf37ad958a51dd593523c6c811012c665a3f3285 Mon Sep 17 00:00:00 2001
From: Daniel Hougaard <daniel@infisical.com>
Date: Mon, 20 Oct 2025 15:54:51 +0400
Subject: [PATCH] feat(helm/infisical-core): auto-reload

---
 helm-charts/infisical-standalone-postgres/CHANGELOG.md     | 5 +++++
 helm-charts/infisical-standalone-postgres/Chart.lock       | 7 +++++--
 helm-charts/infisical-standalone-postgres/Chart.yaml       | 6 +++++-
 .../infisical-standalone-postgres/templates/infisical.yaml | 3 +++
 .../templates/schema-migration-job.yaml                    | 4 ++++
 helm-charts/infisical-standalone-postgres/values.yaml      | 7 +++++--
 6 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/helm-charts/infisical-standalone-postgres/CHANGELOG.md b/helm-charts/infisical-standalone-postgres/CHANGELOG.md
index f94f800735..ac6906de3a 100644
--- a/helm-charts/infisical-standalone-postgres/CHANGELOG.md
+++ b/helm-charts/infisical-standalone-postgres/CHANGELOG.md
@@ -1,3 +1,8 @@
+## 1.7.2 (October 20, 2025)
+Changes:
+* Added automatic reloading support for the Infisical deployment when the `infisical.kubeSecretRef` kubernetes secret changes.
+  * Configurable by `reloader.enabled: true|false`. Defaults to `true`.
+
 ## 1.7.1 (October 10, 2025)
 
 Changes:
diff --git a/helm-charts/infisical-standalone-postgres/Chart.lock b/helm-charts/infisical-standalone-postgres/Chart.lock
index 993acf0a96..ef1f9371ba 100644
--- a/helm-charts/infisical-standalone-postgres/Chart.lock
+++ b/helm-charts/infisical-standalone-postgres/Chart.lock
@@ -8,5 +8,8 @@ dependencies:
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
   version: 18.14.1
-digest: sha256:57a18fb5258fc153d27b633f6570104c7628af651f08f3ae7e1cf8920c2c31fa
-generated: "2025-09-30T18:44:50.303037+04:00"
+- name: reloader
+  repository: https://stakater.github.io/stakater-charts
+  version: 2.2.3
+digest: sha256:cdaf2a4056a24633b7bbcafb72c8c6fd1c0e8d75a9ceb016917906f83db1e6b0
+generated: "2025-10-20T13:56:11.25867+04:00"
diff --git a/helm-charts/infisical-standalone-postgres/Chart.yaml b/helm-charts/infisical-standalone-postgres/Chart.yaml
index e7069532f9..543043843d 100644
--- a/helm-charts/infisical-standalone-postgres/Chart.yaml
+++ b/helm-charts/infisical-standalone-postgres/Chart.yaml
@@ -7,7 +7,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.7.1
+version: 1.7.2
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
@@ -28,3 +28,7 @@ dependencies:
     version: 18.14.1
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: redis.enabled
+  - name: reloader
+    version: 2.2.3
+    repository: https://stakater.github.io/stakater-charts
+    condition: reloader.enabled
diff --git a/helm-charts/infisical-standalone-postgres/templates/infisical.yaml b/helm-charts/infisical-standalone-postgres/templates/infisical.yaml
index 11ebb8f3d2..49e7626ddb 100644
--- a/helm-charts/infisical-standalone-postgres/templates/infisical.yaml
+++ b/helm-charts/infisical-standalone-postgres/templates/infisical.yaml
@@ -4,6 +4,9 @@ kind: Deployment
 metadata:
   name: {{ include "infisical.fullname" . }}
   annotations:
+    {{- if .Values.reloader.enabled }}
+    secret.reloader.stakater.com/reload: {{ $infisicalValues.kubeSecretRef }}
+    {{- end }}
     updatedAt: {{ now | date "2006-01-01 MST 15:04:05" | quote }}
     {{- with $infisicalValues.deploymentAnnotations }}
     {{- toYaml . | nindent 4 }}
diff --git a/helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml b/helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml
index 8280b98a34..a887ae37bd 100644
--- a/helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml
+++ b/helm-charts/infisical-standalone-postgres/templates/schema-migration-job.yaml
@@ -15,6 +15,10 @@ spec:
         app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+      {{- if .Values.reloader.enabled }}
+      annotations:
+        secret.reloader.stakater.com/reload: {{ $infisicalValues.kubeSecretRef }}
+      {{- end }}
     spec:
       serviceAccountName: {{ include "infisical.serviceAccountName" . }}
     {{- if $infisicalValues.image.imagePullSecrets }}
diff --git a/helm-charts/infisical-standalone-postgres/values.yaml b/helm-charts/infisical-standalone-postgres/values.yaml
index 078c84e783..770b4f5b8a 100644
--- a/helm-charts/infisical-standalone-postgres/values.yaml
+++ b/helm-charts/infisical-standalone-postgres/values.yaml
@@ -118,8 +118,7 @@ ingress:
   # -- Custom annotations for ingress resource
   annotations: {}
   # -- TLS settings for HTTPS access
-  tls:
-    []
+  tls: []
     # -- TLS secret name for HTTPS
     # - secretName: letsencrypt-prod
     # -- Domain name to associate with the TLS certificate
@@ -184,3 +183,7 @@ redis:
 
   # -- Redis deployment type (e.g., standalone or cluster)
   architecture: standalone
+
+# -- Reloader is used to reload the Infisical instance when the Kubernetes secret referenced by `infisical.kubeSecretRef` is updated
+reloader:
+  enabled: true