resolved [Bug][Paperless] Redis password from secret isn't working #5

charts/donetick/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: donetick
 description: Donetick helm chart for Kubernetes
 type: application
-version: 1.0.5
+version: 1.0.6
 appVersion: "v0.1.60"
 maintainers:
   - name: Richard Tomik

charts/donetick/templates/configmap.yaml

@@ -37,9 +37,11 @@ data:
       {{- end }}
       {{- end }}
     jwt:
-      # Placeholder value - actual secret injected via DT_JWT_SECRET env var
+      {{- if .Values.config.jwt.existingSecret }}
-      # This placeholder is required for environment variable overrides to work
+      # Secret will be injected from Secret
-      secret: "placeholder"
+      {{- else }}
+      secret: {{ .Values.config.jwt.secret | quote }}
+      {{- end }}
       session_time: {{ .Values.config.jwt.session_time | quote }}
       max_refresh: {{ .Values.config.jwt.max_refresh | quote }}
     server:

charts/paperless-ngx/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: paperless-ngx
 description: Paperless-ngx helm chart for Kubernetes
 type: application
-version: 0.0.4
+version: 0.0.5
 appVersion: "2.20.3"
 maintainers:
   - name: Richard Tomik

charts/paperless-ngx/templates/_helpers.tpl

@@ -89,30 +89,42 @@ Redis port
 {{- end }}
 
 {{/*
-Redis URL
+Redis URL (for non-authenticated Redis)
-Constructs the Redis URL with optional authentication.
+Constructs the Redis URL without authentication.
-Format: redis://[username]:[password]@host:port/database
+Format: redis://host:port/database
-When existingSecret is configured, uses environment variable placeholder for password.
 */}}
-{{- define "paperless-ngx.redis.url" -}}
+{{- define "paperless-ngx.redis.url.noauth" -}}
+{{- $host := include "paperless-ngx.redis.host" . }}
+{{- $port := include "paperless-ngx.redis.port" . }}
+{{- $database := .Values.redis.external.database | toString }}
+{{- printf "redis://%s:%s/%s" $host $port $database }}
+{{- end }}
+
+{{/*
+Check if Redis authentication is configured
+Returns true if either existingSecret or password is set
+*/}}
+{{- define "paperless-ngx.redis.hasAuth" -}}
+{{- if or .Values.redis.external.existingSecret .Values.redis.external.password }}
+{{- "true" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Redis URL with authentication (for secret generation)
+Constructs the Redis URL with password interpolation for use in secrets.
+This uses the actual password value when building the secret.
+Format: redis://[username]:[password]@host:port/database
+*/}}
+{{- define "paperless-ngx.redis.url.withPassword" -}}
 {{- $host := include "paperless-ngx.redis.host" . }}
 {{- $port := include "paperless-ngx.redis.port" . }}
 {{- $database := .Values.redis.external.database | toString }}
 {{- $username := .Values.redis.external.username | default "" }}
-{{- if .Values.redis.external.existingSecret }}
+{{- $password := .Values.redis.external.password | default "" }}
-  {{- if $username }}
+{{- if $username }}
-{{- printf "redis://%s:$REDIS_PASSWORD@%s:%s/%s" $username $host $port $database }}
-  {{- else }}
-{{- printf "redis://:$REDIS_PASSWORD@%s:%s/%s" $host $port $database }}
-  {{- end }}
-{{- else if .Values.redis.external.password }}
-  {{- $password := .Values.redis.external.password }}
-  {{- if $username }}
 {{- printf "redis://%s:%s@%s:%s/%s" $username $password $host $port $database }}
-  {{- else }}
-{{- printf "redis://:%s@%s:%s/%s" $password $host $port $database }}
-  {{- end }}
 {{- else }}
-{{- printf "redis://%s:%s/%s" $host $port $database }}
+{{- printf "redis://:%s@%s:%s/%s" $password $host $port $database }}
 {{- end }}
 {{- end }}

charts/paperless-ngx/templates/deployment.yaml

@@ -67,20 +67,21 @@ spec:
           {{- end }}
           env:
             # Required services
+            {{- if include "paperless-ngx.redis.hasAuth" . }}
+            # When Redis has authentication, read the full URL from secret
             - name: PAPERLESS_REDIS
-              value: {{ include "paperless-ngx.redis.url" . | quote }}
-            {{- if .Values.redis.external.prefix }}
-            - name: PAPERLESS_REDIS_PREFIX
-              value: {{ .Values.redis.external.prefix | quote }}
-            {{- end }}
-
-            # Redis password from secret (if configured)
-            {{- if or .Values.redis.external.existingSecret .Values.redis.external.password }}
-            - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: {{ .Values.redis.external.existingSecret | default (printf "%s-secrets" (include "paperless-ngx.fullname" .)) }}
-                  key: {{ .Values.redis.external.passwordKey | default "redis-password" }}
+                  key: {{ .Values.redis.external.urlKey | default "redis-url" }}
+            {{- else }}
+            # When Redis has no authentication, use the simple URL
+            - name: PAPERLESS_REDIS
+              value: {{ include "paperless-ngx.redis.url.noauth" . | quote }}
+            {{- end }}
+            {{- if .Values.redis.external.prefix }}
+            - name: PAPERLESS_REDIS_PREFIX
+              value: {{ .Values.redis.external.prefix | quote }}
             {{- end }}
 
             - name: PAPERLESS_DBHOST

charts/paperless-ngx/templates/secret.yaml

@@ -32,6 +32,7 @@ data:
   {{- end }}
   {{- if and .Values.redis.external.password (not .Values.redis.external.existingSecret) }}
   {{ .Values.redis.external.passwordKey | default "redis-password" }}: {{ .Values.redis.external.password | b64enc }}
+  {{ .Values.redis.external.urlKey | default "redis-url" }}: {{ include "paperless-ngx.redis.url.withPassword" . | b64enc }}
   {{- end }}
   {{- if and .Values.config.admin.user (not .Values.config.admin.existingSecret) }}
   {{ .Values.config.admin.userKey | default "admin-user" }}: {{ .Values.config.admin.user | b64enc }}

charts/paperless-ngx/values.yaml

@@ -165,9 +165,13 @@ redis:
     # Authentication (leave empty if Redis has no auth)
     username: ""  # Optional: Redis username (Redis 6.0+)
     # Use existingSecret for credentials if Redis has auth
+    # NOTE: When using existingSecret, the secret MUST contain a key with the full Redis URL
+    #       Format: redis://[username]:[password]@host:port/database
     existingSecret: ""
-    passwordKey: "redis-password"
+    urlKey: "redis-url"  # Key in existingSecret containing the full Redis URL
+    passwordKey: "redis-password"  # Key in existingSecret for password (for compatibility)
     # Or set password directly (leave empty if no auth)
+    # When using plain password, the full Redis URL will be auto-generated in the secret
     password: ""
     # Optional: Prefix for Redis keys and channels
     # Useful for sharing one Redis server among multiple Paperless instances