From 55d1ce83772540eb7ecbca5f517724023344ea50 Mon Sep 17 00:00:00 2001
From: Richard Tomik <richard.tomik@unicorn.com>
Date: Fri, 19 Dec 2025 09:00:28 +0100
Subject: [PATCH] fixed [Bug][Paperless] Redis password from secret isn't
 working #5

---
 charts/donetick/Chart.yaml                     |  2 +-
 charts/donetick/templates/configmap.yaml       |  8 +++-----
 charts/paperless-ngx/Chart.yaml                |  4 ++--
 charts/paperless-ngx/templates/_helpers.tpl    | 15 ++++++++++++---
 charts/paperless-ngx/templates/deployment.yaml | 10 ++++++++++
 charts/paperless-ngx/values.yaml               |  2 +-
 6 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/charts/donetick/Chart.yaml b/charts/donetick/Chart.yaml
index 07fe498..5d0add2 100644
--- a/charts/donetick/Chart.yaml
+++ b/charts/donetick/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: donetick
 description: Donetick helm chart for Kubernetes
 type: application
-version: 1.0.4
+version: 1.0.5
 appVersion: "v0.1.60"
 maintainers:
   - name: Richard Tomik
diff --git a/charts/donetick/templates/configmap.yaml b/charts/donetick/templates/configmap.yaml
index a640551..5a7450c 100644
--- a/charts/donetick/templates/configmap.yaml
+++ b/charts/donetick/templates/configmap.yaml
@@ -37,11 +37,9 @@ data:
       {{- end }}
       {{- end }}
     jwt:
-      {{- if .Values.config.jwt.existingSecret }}
-      # Secret will be injected from Secret
-      {{- else }}
-      secret: {{ .Values.config.jwt.secret | quote }}
-      {{- end }}
+      # Placeholder value - actual secret injected via DT_JWT_SECRET env var
+      # This placeholder is required for environment variable overrides to work
+      secret: "placeholder"
       session_time: {{ .Values.config.jwt.session_time | quote }}
       max_refresh: {{ .Values.config.jwt.max_refresh | quote }}
     server:
diff --git a/charts/paperless-ngx/Chart.yaml b/charts/paperless-ngx/Chart.yaml
index c81b1e9..72912f9 100644
--- a/charts/paperless-ngx/Chart.yaml
+++ b/charts/paperless-ngx/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: paperless-ngx
 description: Paperless-ngx helm chart for Kubernetes
 type: application
-version: 0.0.3
-appVersion: "latest"
+version: 0.0.4
+appVersion: "2.20.3"
 maintainers:
   - name: Richard Tomik
     email: richard.tomik@proton.me
diff --git a/charts/paperless-ngx/templates/_helpers.tpl b/charts/paperless-ngx/templates/_helpers.tpl
index 3388147..5bbf949 100644
--- a/charts/paperless-ngx/templates/_helpers.tpl
+++ b/charts/paperless-ngx/templates/_helpers.tpl
@@ -92,17 +92,26 @@ Redis port
 Redis URL
 Constructs the Redis URL with optional authentication.
 Format: redis://[username]:[password]@host:port/database
+When existingSecret is configured, uses environment variable placeholder for password.
 */}}
 {{- define "paperless-ngx.redis.url" -}}
 {{- $host := include "paperless-ngx.redis.host" . }}
 {{- $port := include "paperless-ngx.redis.port" . }}
 {{- $database := .Values.redis.external.database | toString }}
 {{- $username := .Values.redis.external.username | default "" }}
-{{- $password := .Values.redis.external.password | default "" }}
-{{- if and $username $password }}
+{{- if .Values.redis.external.existingSecret }}
+  {{- if $username }}
+{{- printf "redis://%s:$REDIS_PASSWORD@%s:%s/%s" $username $host $port $database }}
+  {{- else }}
+{{- printf "redis://:$REDIS_PASSWORD@%s:%s/%s" $host $port $database }}
+  {{- end }}
+{{- else if .Values.redis.external.password }}
+  {{- $password := .Values.redis.external.password }}
+  {{- if $username }}
 {{- printf "redis://%s:%s@%s:%s/%s" $username $password $host $port $database }}
-{{- else if $password }}
+  {{- else }}
 {{- printf "redis://:%s@%s:%s/%s" $password $host $port $database }}
+  {{- end }}
 {{- else }}
 {{- printf "redis://%s:%s/%s" $host $port $database }}
 {{- end }}
diff --git a/charts/paperless-ngx/templates/deployment.yaml b/charts/paperless-ngx/templates/deployment.yaml
index 7dbe03d..9197146 100644
--- a/charts/paperless-ngx/templates/deployment.yaml
+++ b/charts/paperless-ngx/templates/deployment.yaml
@@ -73,6 +73,16 @@ spec:
             - name: PAPERLESS_REDIS_PREFIX
               value: {{ .Values.redis.external.prefix | quote }}
             {{- end }}
+
+            # Redis password from secret (if configured)
+            {{- if or .Values.redis.external.existingSecret .Values.redis.external.password }}
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.redis.external.existingSecret | default (printf "%s-secrets" (include "paperless-ngx.fullname" .)) }}
+                  key: {{ .Values.redis.external.passwordKey | default "redis-password" }}
+            {{- end }}
+
             - name: PAPERLESS_DBHOST
               value: {{ include "paperless-ngx.postgresql.host" . | quote }}
             - name: PAPERLESS_DBPORT
diff --git a/charts/paperless-ngx/values.yaml b/charts/paperless-ngx/values.yaml
index a717bbf..ca64a56 100644
--- a/charts/paperless-ngx/values.yaml
+++ b/charts/paperless-ngx/values.yaml
@@ -5,7 +5,7 @@ fullnameOverride: ""
 ## Image settings
 image:
   repository: ghcr.io/paperless-ngx/paperless-ngx
-  tag: "2.18.4"
+  tag: "2.20.3"
   pullPolicy: IfNotPresent
 
 ## Deployment settings