From 0014e7498d09c235abf55e0e1e106d05b3359d8c Mon Sep 17 00:00:00 2001
From: Richard Tomik
Date: Fri, 19 Dec 2025 10:39:07 +0100
Subject: [PATCH] resolved [Bug][Paperless] Redis password from secret isn't working #5
---
 charts/paperless-ngx/Chart.yaml | 2 +-
 charts/paperless-ngx/templates/_helpers.tpl | 48 ++++++++++++-------
 .../paperless-ngx/templates/deployment.yaml | 21 ++++----
 charts/paperless-ngx/templates/secret.yaml | 1 +
 charts/paperless-ngx/values.yaml | 6 ++-
 5 files changed, 48 insertions(+), 30 deletions(-)
diff --git a/charts/paperless-ngx/Chart.yaml b/charts/paperless-ngx/Chart.yaml
index 72912f9..c3fa055 100644
--- a/charts/paperless-ngx/Chart.yaml
+++ b/charts/paperless-ngx/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: paperless-ngx
 description: Paperless-ngx helm chart for Kubernetes
 type: application
-version: 0.0.4
+version: 0.0.5
 appVersion: "2.20.3"
 maintainers:
 - name: Richard Tomik
diff --git a/charts/paperless-ngx/templates/_helpers.tpl b/charts/paperless-ngx/templates/_helpers.tpl
index 5bbf949..b070716 100644
--- a/charts/paperless-ngx/templates/_helpers.tpl
+++ b/charts/paperless-ngx/templates/_helpers.tpl
@@ -89,30 +89,42 @@ Redis port {{- end }} {{/* -Redis URL -Constructs the Redis URL with optional authentication. -Format: redis://[username]:[password]@host:port/database -When existingSecret is configured, uses environment variable placeholder for password. +Redis URL (for non-authenticated Redis) +Constructs the Redis URL without authentication. +Format: redis://host:port/database */}} -{{- define "paperless-ngx.redis.url" -}} +{{- define "paperless-ngx.redis.url.noauth" -}} +{{- $host := include "paperless-ngx.redis.host" . }} +{{- $port := include "paperless-ngx.redis.port" . }} +{{- $database := .Values.redis.external.database | toString }} +{{- printf "redis://%s:%s/%s" $host $port $database }} +{{- end }} + +{{/* +Check if Redis authentication is configured +Returns true if either existingSecret or password is set +*/}} +{{- define "paperless-ngx.redis.hasAuth" -}} +{{- if or .Values.redis.external.existingSecret .Values.redis.external.password }} +{{- "true" }} +{{- end }} +{{- end }} + +{{/* +Redis URL with authentication (for secret generation) +Constructs the Redis URL with password interpolation for use in secrets. +This uses the actual password value when building the secret. +Format: redis://[username]:[password]@host:port/database +*/}} +{{- define "paperless-ngx.redis.url.withPassword" -}} {{- $host := include "paperless-ngx.redis.host" . }} {{- $port := include "paperless-ngx.redis.port" . 
}} {{- $database := .Values.redis.external.database | toString }} {{- $username := .Values.redis.external.username | default "" }} -{{- if .Values.redis.external.existingSecret }} - {{- if $username }} -{{- printf "redis://%s:$REDIS_PASSWORD@%s:%s/%s" $username $host $port $database }} - {{- else }} -{{- printf "redis://:$REDIS_PASSWORD@%s:%s/%s" $host $port $database }} - {{- end }} -{{- else if .Values.redis.external.password }} - {{- $password := .Values.redis.external.password }} - {{- if $username }} +{{- $password := .Values.redis.external.password | default "" }} +{{- if $username }} {{- printf "redis://%s:%s@%s:%s/%s" $username $password $host $port $database }} - {{- else }} -{{- printf "redis://:%s@%s:%s/%s" $password $host $port $database }} - {{- end }} {{- else }} -{{- printf "redis://%s:%s/%s" $host $port $database }} +{{- printf "redis://:%s@%s:%s/%s" $password $host $port $database }} {{- end }} {{- end }} \ No newline at end of file diff --git a/charts/paperless-ngx/templates/deployment.yaml b/charts/paperless-ngx/templates/deployment.yaml index 9197146..fb04325 100644 --- a/charts/paperless-ngx/templates/deployment.yaml +++ b/charts/paperless-ngx/templates/deployment.yaml 
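Review bot: In `paperless-ngx.redis.url.withPassword`, `$username` and `$password` go into the URL through `printf` without any escaping, so a password containing `@`, `:`, `/`, `#` or `%` yields a URL that the client either rejects or splits into a different credential and host. Percent-encode both values before formatting, for example `{{- $password := .Values.redis.external.password | default "" | urlquery }}` and the same for `$username`; `urlquery` writes a space as `+`, so confirm how the Redis client used by Paperless decodes the userinfo part. The helper also defaults `$password` to `""`, which would render `redis://:@host:port/db` if it were ever included without a password, so a `required` guard on the password would make that misuse fail at render time.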
@@ -67,20 +67,21 @@ spec: {{- end }} env: # Required services + {{- if include "paperless-ngx.redis.hasAuth" . }} + # When Redis has authentication, read the full URL from secret - name: PAPERLESS_REDIS - value: {{ include "paperless-ngx.redis.url" . | quote }} - {{- if .Values.redis.external.prefix }} - - name: PAPERLESS_REDIS_PREFIX - value: {{ .Values.redis.external.prefix | quote }} - {{- end }} - - # Redis password from secret (if configured) - {{- if or .Values.redis.external.existingSecret .Values.redis.external.password }} - - name: REDIS_PASSWORD valueFrom: secretKeyRef: name: {{ .Values.redis.external.existingSecret | default (printf "%s-secrets" (include "paperless-ngx.fullname" .)) }} - key: {{ .Values.redis.external.passwordKey | default "redis-password" }} + key: {{ .Values.redis.external.urlKey | default "redis-url" }} + {{- else }} + # When Redis has no authentication, use the simple URL + - name: PAPERLESS_REDIS + value: {{ include "paperless-ngx.redis.url.noauth" . | quote }} + {{- end }} + {{- if .Values.redis.external.prefix }} + - name: PAPERLESS_REDIS_PREFIX + value: {{ .Values.redis.external.prefix | quote }} {{- end }} - name: PAPERLESS_DBHOST diff --git a/charts/paperless-ngx/templates/secret.yaml b/charts/paperless-ngx/templates/secret.yaml index 09e7cbe..cd562f1 100644 --- a/charts/paperless-ngx/templates/secret.yaml +++ b/charts/paperless-ngx/templates/secret.yaml @@ -32,6 +32,7 @@ data: {{- end }} {{- if and .Values.redis.external.password (not .Values.redis.external.existingSecret) }} {{ .Values.redis.external.passwordKey | default "redis-password" }}: {{ .Values.redis.external.password | b64enc }} + {{ .Values.redis.external.urlKey | default "redis-url" }}: {{ include "paperless-ngx.redis.url.withPassword" . | b64enc }} {{- end }} {{- if and .Values.config.admin.user (not .Values.config.admin.existingSecret) }} {{ .Values.config.admin.userKey | default "admin-user" }}: {{ .Values.config.admin.user | b64enc }} 
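Review bot: With `existingSecret` set, `PAPERLESS_REDIS` is now read from the `urlKey` entry (default `redis-url`) of that secret and the `passwordKey` reference is removed, so a release upgraded from 0.0.4 whose secret holds only `redis-password` will get a container that cannot start because the referenced key is missing. That is hard to detect at render time, so the change deserves an explicit upgrade note in the chart README or `NOTES.txt`, and arguably more than a patch-level version bump. If the old secret layout should keep working, one alternative is to keep `REDIS_PASSWORD` from `secretKeyRef`, declare it before `PAPERLESS_REDIS`, and reference it in that `value` as `$(REDIS_PASSWORD)`, which is the form Kubernetes expands in `env` values. The `env:` list continues outside the hunk.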
diff --git a/charts/paperless-ngx/values.yaml b/charts/paperless-ngx/values.yaml index ca64a56..fc267ca 100644 --- a/charts/paperless-ngx/values.yaml +++ b/charts/paperless-ngx/values.yaml @@ -165,9 +165,13 @@ redis: # Authentication (leave empty if Redis has no auth) username: "" # Optional: Redis username (Redis 6.0+) # Use existingSecret for credentials if Redis has auth + # NOTE: When using existingSecret, the secret MUST contain a key with the full Redis URL + # Format: redis://[username]:[password]@host:port/database existingSecret: "" - passwordKey: "redis-password" + urlKey: "redis-url" # Key in existingSecret containing the full Redis URL + passwordKey: "redis-password" # Key in existingSecret for password (for compatibility) # Or set password directly (leave empty if no auth) + # When using plain password, the full Redis URL will be auto-generated in the secret password: "" # Optional: Prefix for Redis keys and channels # Useful for sharing one Redis server among multiple Paperless instances
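Review bot: The comment on `passwordKey` describes it as the key in `existingSecret` for the password, but in the hunks of this patch the deployment no longer reads that key from an existing secret; it is only used as a key name in the chart-generated secret. A reader could conclude that a secret carrying just `redis-password` still works. Suggested wording: `passwordKey: "redis-password"  # Key name for the password in the chart-generated secret; not read from existingSecret`. The NOTE on `existingSecret` could also say how credentials must be written inside the URL, e.g. `# Reserved characters in the username or password must be percent-encoded`.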