release paperless ngx 0.0.2 fixed bug with redis configuration

Merge branch 'main' of https://github.com/rtomik/helm-charts
edited example
2026-04-13 13:40:44 +00:00 · 2025-10-26 18:28:25 +01:00 · 2025-10-13 09:27:00 +02:00 · 2025-10-13 09:26:54 +02:00 · 2025-10-11 14:40:57 +02:00 · 2025-10-11 14:29:26 +02:00
11 changed files with 155 additions and 33 deletions
--- a/charts/donetick/Chart.yaml
+++ b/charts/donetick/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: donetick
 description: Donetick helm chart for Kubernetes
 type: application
-version: 1.0.3
+version: 1.0.4
 appVersion: "v0.1.60"
 maintainers:
  - name: Richard Tomik
--- a/charts/donetick/templates/configmap.yaml
+++ b/charts/donetick/templates/configmap.yaml
@ -22,19 +22,18 @@ data:
      {{- if .Values.config.database.migration_retry }}
      migration_retry: {{ .Values.config.database.migration_retry }}
      {{- end }}
      migration_timeout: {{ .Values.config.database.migration_timeout | default "300s" | quote }}
      {{- if eq .Values.config.database.type "postgres" }}
      {{- if not .Values.config.database.secrets.existingSecret }}
      host: {{ .Values.config.database.host | quote }}
      port: {{ .Values.config.database.port }}
      name: {{ .Values.config.database.name | quote }}
      {{- if not .Values.config.database.secrets.existingSecret }}
      user: {{ .Values.config.database.user | quote }}
      password: {{ .Values.config.database.password | quote }}
      name: {{ .Values.config.database.name | quote }}
      {{- else }}
-      # Database host, port, and name from values, credentials from Secret
+      # Reference environment variables for database credentials
-      host: {{ .Values.config.database.host | quote }}
+      user: "$DT_DATABASE_USER"
-      port: {{ .Values.config.database.port }}
+      password: "$DT_DATABASE_PASSWORD"
      name: {{ .Values.config.database.name | quote }}
      # Username and password will be injected via environment variables from Secret
      {{- end }}
      {{- end }}
    jwt:
--- a/charts/donetick/templates/deployment.yaml
+++ b/charts/donetick/templates/deployment.yaml
@ -88,15 +88,44 @@ spec:
            - name: {{ .name }}
              value: {{ .value | quote }}
          {{- end }}
-          {{- if or .Values.config.jwt.existingSecret .Values.config.oauth2.existingSecret .Values.config.database.secrets.existingSecret }}
+            # Database configuration environment variables
-            # Secret-based environment variables
+            {{- if eq .Values.config.database.type "postgres" }}
            - name: DT_DATABASE_TYPE
              value: "postgres"
            - name: DT_DATABASE_HOST
              value: {{ .Values.config.database.host | quote }}
            - name: DT_DATABASE_PORT
              value: {{ .Values.config.database.port | quote }}
            - name: DT_DATABASE_NAME
              value: {{ .Values.config.database.name | quote }}
            {{- if .Values.config.database.secrets.existingSecret }}
            - name: DT_DATABASE_USER
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.database.secrets.existingSecret }}
                  key: {{ .Values.config.database.secrets.userKey }}
            - name: DT_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.database.secrets.existingSecret }}
                  key: {{ .Values.config.database.secrets.passwordKey }}
            {{- end }}
            {{- else }}
            - name: DT_DATABASE_TYPE
              value: {{ .Values.config.database.type | quote }}
            {{- end }}
            # JWT configuration
            {{- if .Values.config.jwt.existingSecret }}
            - name: DT_JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.jwt.existingSecret }}
                  key: {{ .Values.config.jwt.secretKey }}
            {{- else }}
            - name: DT_JWT_SECRET
              value: {{ .Values.config.jwt.secret | quote }}
            {{- end }}
            # OAuth2 configuration
            {{- if .Values.config.oauth2.existingSecret }}
            - name: DT_OAUTH2_CLIENT_ID
              valueFrom:
@ -109,19 +138,6 @@ spec:
                  name: {{ .Values.config.oauth2.existingSecret }}
                  key: {{ .Values.config.oauth2.clientSecretKey }}
            {{- end }}
            {{- if and .Values.config.database.secrets.existingSecret (eq .Values.config.database.type "postgres") }}
            - name: DT_DB_USER
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.database.secrets.existingSecret }}
                  key: {{ .Values.config.database.secrets.userKey }}
            - name: DT_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.config.database.secrets.existingSecret }}
                  key: {{ .Values.config.database.secrets.passwordKey }}
            {{- end }}
          {{- end }}
          {{- with .Values.extraEnv }}
            {{- toYaml . | nindent 12 }}
          {{- end }}
--- a/charts/donetick/values.yaml
+++ b/charts/donetick/values.yaml
@ -107,10 +107,10 @@ resources: {}
 probes:
  startup:
    enabled: true
-    initialDelaySeconds: 10
+    initialDelaySeconds: 30
-    periodSeconds: 10
+    periodSeconds: 15
-    timeoutSeconds: 5
+    timeoutSeconds: 15
-    failureThreshold: 30
+    failureThreshold: 80
    successThreshold: 1
    path: /health
  liveness:
@ -157,6 +157,7 @@ config:
    # Migration options
    migration_skip: false  # Set to true to skip database migrations
    migration_retry: 3     # Number of retries for failed migrations
    migration_timeout: "600s"  # Timeout for database migrations (default: 10 minutes)
    # These are only required for postgres
    host: ""
--- a/charts/mealie/templates/pvc.yaml
+++ b/charts/mealie/templates/pvc.yaml
@ -18,4 +18,10 @@ spec:
  resources:
    requests:
      storage: {{ .Values.persistence.size | quote }}
-{{- end }}
+  {{- if .Values.persistence.selector }}
  {{- with .Values.persistence.selector }}
  selector:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  {{- end }}
 {{- end }}
--- a/charts/paperless-ngx/Chart.yaml
+++ b/charts/paperless-ngx/Chart.yaml
@ -2,7 +2,7 @@ apiVersion: v2
 name: paperless-ngx
 description: Paperless-ngx helm chart for Kubernetes
 type: application
-version: 0.0.1
+version: 0.0.2
 appVersion: "latest"
 maintainers:
  - name: Richard Tomik
--- a/charts/paperless-ngx/readme.md
+++ b/charts/paperless-ngx/readme.md
@ -32,6 +32,13 @@ Paperless-ngx requires PostgreSQL 11+ as its database backend. Ensure you have:
 Redis is required for background task processing. Ensure you have:
 - A Redis server accessible from the cluster
 - Connection details configured in values.yaml
 - Optional: Redis authentication credentials (username/password)
 - Optional: Redis key prefix for sharing one Redis server among multiple Paperless instances
 The chart supports all Redis authentication methods:
 - No authentication: `redis://host:port/database`
 - Password only (requirepass): `redis://:password@host:port/database`
 - Username and password (Redis 6.0+ ACL): `redis://username:password@host:port/database`
 ## Installing the Chart
@ -86,6 +93,11 @@ The following table lists the configurable parameters and their default values.
 | `redis.external.host`                 | External Redis host                                                | `redis.default.svc.cluster.local`        |
 | `redis.external.port`                 | External Redis port                                                | `6379`                                    |
 | `redis.external.database`             | External Redis database number                                     | `0`                                       |
 | `redis.external.username`             | Redis username (Redis 6.0+ with ACL)                               | `""`                                      |
 | `redis.external.password`             | Redis password (leave empty if no auth required)                   | `""`                                      |
 | `redis.external.existingSecret`       | Existing secret with Redis credentials                             | `""`                                      |
 | `redis.external.passwordKey`          | Key in existing secret for Redis password                          | `redis-password`                          |
 | `redis.external.prefix`               | Prefix for Redis keys/channels (for multi-instance)                | `""`                                      |
 ### Security Configuration
@ -166,14 +178,27 @@ config:
    existingSecret: "paperless-admin-secrets"
 postgresql:
  # External PostgreSQL connection details
  external:
-    host: "postgresql.database.svc.cluster.local"
+    enabled: true
-    existingSecret: "paperless-db-secrets"
+    host: "postgres-cluster-pooler.dbs.svc.cluster.local"
    port: 5432
    database: "paperless"
    username: "paperless"
    # Use existingSecret for credentials
    existingSecret: "paperless-db-credentials"
    passwordKey: "password"
 redis:
  external:
    host: "redis.cache.svc.cluster.local"
    port: 6379
    database: 0
    # Use existingSecret for Redis credentials
    existingSecret: "paperless-redis-credentials"
    passwordKey: "password"
    # Optional: Use prefix to share Redis among multiple instances
    prefix: "paperless-prod"
 ingress:
  enabled: true
@ -193,13 +218,63 @@ ingress:
 helm install paperless-ngx . -f values-production.yaml
 ```
 ### Redis Authentication Examples
 #### Redis with Password Only (requirepass)
 ```bash
 helm install paperless-ngx . \
  --set redis.external.host=redis.example.com \
  --set redis.external.password=myredispassword
 ```
 Or with existing secret:
 ```yaml
 redis:
  external:
    host: "redis.example.com"
    existingSecret: "redis-auth-secret"
    passwordKey: "redis-password"
 ```
 #### Redis with Username and Password (Redis 6.0+ ACL)
 ```bash
 helm install paperless-ngx . \
  --set redis.external.host=redis.example.com \
  --set redis.external.username=paperless-user \
  --set redis.external.password=myredispassword
 ```
 #### Multiple Paperless Instances on One Redis Server
 Use the `prefix` parameter to avoid key collisions:
 ```yaml
 # Instance 1
 redis:
  external:
    host: "shared-redis.example.com"
    password: "sharedpassword"
    prefix: "paperless-prod"
 # Instance 2
 redis:
  external:
    host: "shared-redis.example.com"
    password: "sharedpassword"
    prefix: "paperless-staging"
 ```
 ## Security Considerations
-1. **Use external secrets** for production deployments to store sensitive data like database passwords and the Django secret key.
+1. **Use external secrets** for production deployments to store sensitive data like database passwords, Redis passwords, and the Django secret key.
 2. **Set a proper PAPERLESS_URL** when exposing the application externally.
 3. **Configure ALLOWED_HOSTS** to restrict which hosts can access the application.
 4. **Use HTTPS** when exposing the application to the internet.
-5. **Container Security**: The container runs as root initially to allow s6-overlay to set up the runtime environment, then drops privileges to UID 1000. This is required for the Paperless-ngx Docker image to function properly.
+5. **Secure Redis**: Always use authentication (password or username/password) for Redis in production environments. Use `existingSecret` instead of plain text passwords.
 6. **Container Security**: The container runs as root initially to allow s6-overlay to set up the runtime environment, then drops privileges to UID 1000. This is required for the Paperless-ngx Docker image to function properly.
 ## Volumes and Data
--- a/charts/paperless-ngx/templates/_helpers.tpl
+++ b/charts/paperless-ngx/templates/_helpers.tpl
@ -90,10 +90,20 @@ Redis port
 {{/*
 Redis URL
 Constructs the Redis URL with optional authentication.
 Format: redis://[username]:[password]@host:port/database
 */}}
 {{- define "paperless-ngx.redis.url" -}}
 {{- $host := include "paperless-ngx.redis.host" . }}
 {{- $port := include "paperless-ngx.redis.port" . }}
 {{- $database := .Values.redis.external.database | toString }}
 {{- $username := .Values.redis.external.username | default "" }}
 {{- $password := .Values.redis.external.password | default "" }}
 {{- if and $username $password }}
 {{- printf "redis://%s:%s@%s:%s/%s" $username $password $host $port $database }}
 {{- else if $password }}
 {{- printf "redis://:%s@%s:%s/%s" $password $host $port $database }}
 {{- else }}
 {{- printf "redis://%s:%s/%s" $host $port $database }}
 {{- end }}
 {{- end }}
--- a/charts/paperless-ngx/templates/deployment.yaml
+++ b/charts/paperless-ngx/templates/deployment.yaml
@ -69,6 +69,10 @@ spec:
            # Required services
            - name: PAPERLESS_REDIS
              value: {{ include "paperless-ngx.redis.url" . | quote }}
            {{- if .Values.redis.external.prefix }}
            - name: PAPERLESS_REDIS_PREFIX
              value: {{ .Values.redis.external.prefix | quote }}
            {{- end }}
            - name: PAPERLESS_DBHOST
              value: {{ include "paperless-ngx.postgresql.host" . | quote }}
            - name: PAPERLESS_DBPORT
--- a/charts/paperless-ngx/templates/secret.yaml
+++ b/charts/paperless-ngx/templates/secret.yaml
@ -5,6 +5,9 @@
 {{- if not .Values.postgresql.external.existingSecret -}}
  {{- $needsSecret = true -}}
 {{- end -}}
 {{- if and .Values.redis.external.password (not .Values.redis.external.existingSecret) -}}
  {{- $needsSecret = true -}}
 {{- end -}}
 {{- if and .Values.config.admin.user (not .Values.config.admin.existingSecret) -}}
  {{- $needsSecret = true -}}
 {{- end -}}
@ -27,6 +30,9 @@ data:
  {{- if not .Values.postgresql.external.existingSecret }}
  {{ .Values.postgresql.external.passwordKey | default "postgresql-password" }}: {{ .Values.postgresql.external.password | default "paperless" | b64enc }}
  {{- end }}
  {{- if and .Values.redis.external.password (not .Values.redis.external.existingSecret) }}
  {{ .Values.redis.external.passwordKey | default "redis-password" }}: {{ .Values.redis.external.password | b64enc }}
  {{- end }}
  {{- if and .Values.config.admin.user (not .Values.config.admin.existingSecret) }}
  {{ .Values.config.admin.userKey | default "admin-user" }}: {{ .Values.config.admin.user | b64enc }}
  {{ .Values.config.admin.passwordKey | default "admin-password" }}: {{ .Values.config.admin.password | default "changeme" | b64enc }}
--- a/charts/paperless-ngx/values.yaml
+++ b/charts/paperless-ngx/values.yaml
@ -158,11 +158,16 @@ redis:
    host: "redis.default.svc.cluster.local"
    port: 6379
    database: 0
    # Authentication (leave empty if Redis has no auth)
    username: ""  # Optional: Redis username (Redis 6.0+)
    # Use existingSecret for credentials if Redis has auth
    existingSecret: ""
    passwordKey: "redis-password"
    # Or set password directly (leave empty if no auth)
    password: ""
    # Optional: Prefix for Redis keys and channels
    # Useful for sharing one Redis server among multiple Paperless instances
    prefix: ""
 ## Paperless-ngx Configuration
 config:
Author	SHA1	Message	Date
Richard Tomik	4cb45e3013	release paperless ngx 0.0.2 fixed bug with redis configuration	2025-10-26 18:28:25 +01:00
Richard Tomik	e65df72663	Merge branch 'main' of https://github.com/rtomik/helm-charts	2025-10-13 09:27:00 +02:00
Richard Tomik	33f865a892	edited example	2025-10-13 09:26:54 +02:00
Richard Tomik	2ecf4aeec0	Merge pull request #1 from piontec/add-pvc-selector chg: add support for PVC selector	2025-10-11 14:40:57 +02:00
Richard Tomik	720a81d343	fixed bug with external postgresql v 1.0.4	2025-10-11 14:29:26 +02:00
Łukasz Piątkowski	c9b25918d5	chg: add support for PVC selector	2025-10-01 15:03:41 +02:00