[ENHANCE] tls security for the container and the helm chart #1087

@FredRoy379

Description

Add first-class support for TLS on the controller’s HTTP endpoints (health + metrics), ideally without requiring external post-render patches.

Concrete asks (any of these would solve it; ordered by preference):

  • Native TLS support in the Reloader container
    • New Helm values such as:
      • reloader.tls.enabled: true
      • reloader.tls.secretName: <k8s secret containing tls.crt/tls.key>
      • reloader.tls.port: 9443 (or allow overriding existing port)
    • When enabled:
      • container listens on HTTPS
      • livenessProbe/readinessProbe can set httpGet.scheme: HTTPS
      • metrics endpoint is served over HTTPS
  • Chart-level sidecar injection support (if native TLS is not desired)
    • Add a values hook like:
      • reloader.deployment.extraContainers
      • reloader.deployment.extraVolumes
      • reloader.deployment.extraVolumeMounts
    • Provide an example TLS-proxy sidecar configuration (nginx/envoy) in docs
    • Allow chart to wire probes and service/podMonitor to the sidecar port when tlsProxy.enabled: true
  • Monitoring objects TLS support
    • Ensure podMonitor/serviceMonitor can be configured to scrape via HTTPS (scheme: https, optional tlsConfig fields).
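The first ask above (native TLS in the container) as an added example, not Reloader's own code: a Go sketch of how a controller can serve its health and metrics endpoints over HTTPS from a mounted tls.crt/tls.key, using a hardened tls.Config (TLS 1.2 minimum), and fall back to plain HTTP when the option is off. The `TLSOptions` field names, the `/live` and `/metrics` stand-in handlers and the mount paths are assumptions that mirror the proposed `reloader.tls.*` values; the self-signed certificate helper is constructed test data for running locally, not how the chart would provision a certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// TLSOptions is the in-process counterpart of the hypothetical
// reloader.tls.{enabled,secretName,port} values from the issue (assumed names).
// CertFile/KeyFile point at the Secret's tls.crt/tls.key as mounted in the pod.
type TLSOptions struct {
	Enabled  bool
	CertFile string
	KeyFile  string
	Addr     string // listen address, e.g. ":9443"; ":0" picks a free port
}

// newMux wires the two endpoints the issue wants behind TLS: health and metrics.
// The handlers are stand-ins; the real controller registers its own.
func newMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/live", func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("ok"))
	})
	mux.HandleFunc("/metrics", func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte("# constructed sample metric\nreloader_up 1\n"))
	})
	return mux
}

// HardenedTLSConfig builds the server-side tls.Config: the mounted certificate
// plus a TLS 1.2 floor so the scrape path cannot be downgraded to legacy versions.
func HardenedTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	}
}

// Start listens on opts.Addr and serves HTTPS when opts.Enabled, plain HTTP otherwise.
// It returns the bound address and a stop function so callers can shut the server down.
func Start(opts TLSOptions) (string, func(), error) {
	ln, err := net.Listen("tcp", opts.Addr)
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{Handler: newMux(), ReadHeaderTimeout: 5 * time.Second}
	if opts.Enabled {
		cert, err := tls.LoadX509KeyPair(opts.CertFile, opts.KeyFile)
		if err != nil {
			ln.Close()
			return "", nil, fmt.Errorf("loading tls.crt/tls.key: %w", err)
		}
		srv.TLSConfig = HardenedTLSConfig(cert)
		ln = tls.NewListener(ln, srv.TLSConfig) // every accepted conn must complete a TLS handshake
	}
	go srv.Serve(ln)
	return ln.Addr().String(), func() { srv.Close() }, nil
}

// SelfSignedPEM generates a throwaway ECDSA certificate for local testing only
// (constructed data). In a cluster the Secret would hold a CA-issued pair.
func SelfSignedPEM(ip string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "reloader-test"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP(ip)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

func main() {
	// Stand-alone demo: write a throwaway pair where a Secret mount would be, then serve HTTPS.
	certPEM, keyPEM, err := SelfSignedPEM("127.0.0.1")
	if err != nil {
		panic(err)
	}
	dir, _ := os.MkdirTemp("", "reloader-tls")
	crt, key := filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	os.WriteFile(crt, certPEM, 0o600)
	os.WriteFile(key, keyPEM, 0o600)
	addr, stop, err := Start(TLSOptions{Enabled: true, CertFile: crt, KeyFile: key, Addr: "127.0.0.1:9443"})
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("serving https://" + addr + "/live and /metrics; press Ctrl-C to stop")
	select {}
}
```

With `Enabled: true` the kubelet probes need `httpGet.scheme: HTTPS` and the podMonitor/serviceMonitor `scheme: https` plus a `tlsConfig` that trusts the issuing CA; a plaintext request to the TLS port is rejected at the handshake rather than silently served.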

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests