fixed [Bug][Paperless] Redis password from secret isn't working #5

charts/donetick/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: donetick
 description: Donetick helm chart for Kubernetes
 type: application
-version: 1.0.4
+version: 1.0.5
 appVersion: "v0.1.60"
 maintainers:
   - name: Richard Tomik

charts/donetick/templates/configmap.yaml

@@ -37,11 +37,9 @@ data:
       {{- end }}
       {{- end }}
     jwt:
-      {{- if .Values.config.jwt.existingSecret }}
-      # Secret will be injected from Secret
-      {{- else }}
-      secret: {{ .Values.config.jwt.secret | quote }}
-      {{- end }}
+      # Placeholder value - actual secret injected via DT_JWT_SECRET env var
+      # This placeholder is required for environment variable overrides to work
+      secret: "placeholder"
       session_time: {{ .Values.config.jwt.session_time | quote }}
       max_refresh: {{ .Values.config.jwt.max_refresh | quote }}
     server:

charts/norish/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: norish
 description: Norish helm chart for Kubernetes - A recipe management and meal planning application
 type: application
-version: 0.0.1
+version: 0.0.3
 appVersion: "v0.13.6-beta"
 maintainers:
   - name: Richard Tomik

charts/norish/templates/deployment-app.yaml

@@ -219,6 +219,9 @@ spec:
                   key: google-client-secret
                   {{- end }}
             {{- end }}
+            {{- with .Values.config.extraEnv }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
           volumeMounts:
             - name: uploads
               mountPath: /app/uploads

charts/norish/values.yaml

@@ -120,6 +120,18 @@ config:
   # This should match your ingress hostname
   authUrl: "http://norish.domain.com"
 
+  # Extra environment variables
+  # Example:
+  # extraEnv:
+  #   - name: MY_CUSTOM_VAR
+  #     value: "my-value"
+  #   - name: SECRET_VAR
+  #     valueFrom:
+  #       secretKeyRef:
+  #         name: my-secret
+  #         key: secret-key
+  extraEnv: []
+
   # Master encryption key (required)
   # Generate with: openssl rand -base64 32
   # For production, use an existing Kubernetes Secret
@@ -209,7 +221,7 @@ chrome:
     pullPolicy: IfNotPresent
 
   # Chrome port for remote debugging
-  port: 3000
+  port: 9222
 
   # Chrome security context - requires specific capabilities
   securityContext:

charts/paperless-ngx/Chart.yaml

@@ -2,11 +2,11 @@ apiVersion: v2
 name: paperless-ngx
 description: Paperless-ngx helm chart for Kubernetes
 type: application
-version: 0.0.2
-appVersion: "latest"
+version: 0.0.4
+appVersion: "2.20.3"
 maintainers:
   - name: Richard Tomik
-    email: no@m.com
+    email: richard.tomik@proton.me
 keywords:
   - productivity
   - document-management

charts/paperless-ngx/readme.md

@@ -127,12 +127,16 @@ The following table lists the configurable parameters and their default values.
 | Name                                   | Description                                                        | Value               |
 |----------------------------------------|--------------------------------------------------------------------|---------------------|
 | `persistence.data.enabled`            | Enable persistence for data directory                             | `true`              |
+| `persistence.data.existingClaim`      | Use an existing PVC for data directory                            | `""`                |
 | `persistence.data.size`               | Size of data PVC                                                  | `1Gi`               |
 | `persistence.media.enabled`           | Enable persistence for media directory                            | `true`              |
+| `persistence.media.existingClaim`     | Use an existing PVC for media directory                           | `""`                |
 | `persistence.media.size`              | Size of media PVC                                                 | `10Gi`              |
 | `persistence.consume.enabled`         | Enable persistence for consume directory                          | `true`              |
+| `persistence.consume.existingClaim`   | Use an existing PVC for consume directory                         | `""`                |
 | `persistence.consume.size`            | Size of consume PVC                                               | `5Gi`               |
 | `persistence.export.enabled`          | Enable persistence for export directory                           | `true`              |
+| `persistence.export.existingClaim`    | Use an existing PVC for export directory                          | `""`                |
 | `persistence.export.size`             | Size of export PVC                                                | `1Gi`               |
 
 ### Service Parameters
@@ -287,6 +291,37 @@ Paperless-ngx uses several directories:
 
 All directories can be configured with separate PVCs and storage classes.
 
+### Using Existing PVCs
+
+The chart supports using existing PersistentVolumeClaims instead of creating new ones. This is useful for:
+- Migrating from an existing Paperless-ngx deployment
+- Using pre-provisioned storage with specific settings
+- Sharing volumes across deployments
+
+To use an existing PVC, specify the `existingClaim` parameter for the relevant volume:
+
+```yaml
+persistence:
+  data:
+    enabled: true
+    existingClaim: "my-existing-data-pvc"
+  media:
+    enabled: true
+    existingClaim: "my-existing-media-pvc"
+  export:
+    enabled: true
+    existingClaim: ""  # Will create new PVC
+  consume:
+    enabled: true
+    existingClaim: ""  # Will create new PVC
+```
+
+When `existingClaim` is specified:
+- The chart will **NOT** create a new PVC
+- The specified PVC must already exist in the same namespace
+- `storageClass`, `size`, and `accessMode` parameters are ignored for that volume
+- You can mix existing and new PVCs (some volumes with `existingClaim`, others without)
+
 ## Uninstalling the Chart
 
 To uninstall/delete the `paperless-ngx` deployment:

charts/paperless-ngx/templates/_helpers.tpl

@@ -92,17 +92,26 @@ Redis port
 Redis URL
 Constructs the Redis URL with optional authentication.
 Format: redis://[username]:[password]@host:port/database
+When existingSecret is configured, uses environment variable placeholder for password.
 */}}
 {{- define "paperless-ngx.redis.url" -}}
 {{- $host := include "paperless-ngx.redis.host" . }}
 {{- $port := include "paperless-ngx.redis.port" . }}
 {{- $database := .Values.redis.external.database | toString }}
 {{- $username := .Values.redis.external.username | default "" }}
-{{- $password := .Values.redis.external.password | default "" }}
-{{- if and $username $password }}
+{{- if .Values.redis.external.existingSecret }}
+  {{- if $username }}
+{{- printf "redis://%s:$REDIS_PASSWORD@%s:%s/%s" $username $host $port $database }}
+  {{- else }}
+{{- printf "redis://:$REDIS_PASSWORD@%s:%s/%s" $host $port $database }}
+  {{- end }}
+{{- else if .Values.redis.external.password }}
+  {{- $password := .Values.redis.external.password }}
+  {{- if $username }}
 {{- printf "redis://%s:%s@%s:%s/%s" $username $password $host $port $database }}
-{{- else if $password }}
+  {{- else }}
 {{- printf "redis://:%s@%s:%s/%s" $password $host $port $database }}
+  {{- end }}
 {{- else }}
 {{- printf "redis://%s:%s/%s" $host $port $database }}
 {{- end }}

charts/paperless-ngx/templates/deployment.yaml

@@ -73,6 +73,16 @@ spec:
             - name: PAPERLESS_REDIS_PREFIX
               value: {{ .Values.redis.external.prefix | quote }}
             {{- end }}
+
+            # Redis password from secret (if configured)
+            {{- if or .Values.redis.external.existingSecret .Values.redis.external.password }}
+            - name: REDIS_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.redis.external.existingSecret | default (printf "%s-secrets" (include "paperless-ngx.fullname" .)) }}
+                  key: {{ .Values.redis.external.passwordKey | default "redis-password" }}
+            {{- end }}
+
             - name: PAPERLESS_DBHOST
               value: {{ include "paperless-ngx.postgresql.host" . | quote }}
             - name: PAPERLESS_DBPORT
@@ -324,7 +334,7 @@ spec:
         {{- if .Values.persistence.data.enabled }}
         - name: data
           persistentVolumeClaim:
-            claimName: {{ include "paperless-ngx.fullname" . }}-data
+            claimName: {{ if .Values.persistence.data.existingClaim }}{{ .Values.persistence.data.existingClaim }}{{ else }}{{ include "paperless-ngx.fullname" . }}-data{{ end }}
         {{- else }}
         - name: data
           emptyDir: {}
@@ -332,7 +342,7 @@ spec:
         {{- if .Values.persistence.media.enabled }}
         - name: media
           persistentVolumeClaim:
-            claimName: {{ include "paperless-ngx.fullname" . }}-media
+            claimName: {{ if .Values.persistence.media.existingClaim }}{{ .Values.persistence.media.existingClaim }}{{ else }}{{ include "paperless-ngx.fullname" . }}-media{{ end }}
         {{- else }}
         - name: media
           emptyDir: {}
@@ -340,7 +350,7 @@ spec:
         {{- if .Values.persistence.export.enabled }}
         - name: export
           persistentVolumeClaim:
-            claimName: {{ include "paperless-ngx.fullname" . }}-export
+            claimName: {{ if .Values.persistence.export.existingClaim }}{{ .Values.persistence.export.existingClaim }}{{ else }}{{ include "paperless-ngx.fullname" . }}-export{{ end }}
         {{- else }}
         - name: export
           emptyDir: {}
@@ -348,7 +358,7 @@ spec:
         {{- if .Values.persistence.consume.enabled }}
         - name: consume
           persistentVolumeClaim:
-            claimName: {{ include "paperless-ngx.fullname" . }}-consume
+            claimName: {{ if .Values.persistence.consume.existingClaim }}{{ .Values.persistence.consume.existingClaim }}{{ else }}{{ include "paperless-ngx.fullname" . }}-consume{{ end }}
         {{- else }}
         - name: consume
           emptyDir: {}

charts/paperless-ngx/templates/pvc.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.persistence.data.enabled }}
+{{- if and .Values.persistence.data.enabled (not .Values.persistence.data.existingClaim) }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -21,7 +21,7 @@ spec:
 ---
 {{- end }}
 
-{{- if .Values.persistence.media.enabled }}
+{{- if and .Values.persistence.media.enabled (not .Values.persistence.media.existingClaim) }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -44,7 +44,7 @@ spec:
 ---
 {{- end }}
 
-{{- if .Values.persistence.export.enabled }}
+{{- if and .Values.persistence.export.enabled (not .Values.persistence.export.existingClaim) }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -67,7 +67,7 @@ spec:
 ---
 {{- end }}
 
-{{- if .Values.persistence.consume.enabled }}
+{{- if and .Values.persistence.consume.enabled (not .Values.persistence.consume.existingClaim) }}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:

charts/paperless-ngx/values.yaml

@@ -5,7 +5,7 @@ fullnameOverride: ""
 ## Image settings
 image:
   repository: ghcr.io/paperless-ngx/paperless-ngx
-  tag: "2.18.4"
+  tag: "2.20.3"
   pullPolicy: IfNotPresent
 
 ## Deployment settings
@@ -65,6 +65,7 @@ persistence:
   # Paperless data directory (search index, classification model, etc.)
   data:
     enabled: true
+    existingClaim: ""
     storageClass: ""
     accessMode: ReadWriteOnce
     size: 1Gi
@@ -72,6 +73,7 @@ persistence:
   # Paperless media directory (documents and thumbnails)
   media:
     enabled: true
+    existingClaim: ""
     storageClass: ""
     accessMode: ReadWriteOnce
     size: 10Gi
@@ -79,6 +81,7 @@ persistence:
   # Export directory (for exporting documents)
   export:
     enabled: true
+    existingClaim: ""
     storageClass: ""
     accessMode: ReadWriteOnce
     size: 1Gi
@@ -86,6 +89,7 @@ persistence:
   # Consume directory (for importing documents)
   consume:
     enabled: true
+    existingClaim: ""
     storageClass: ""
     accessMode: ReadWriteOnce
     size: 5Gi

charts/qbittorrent-vpn/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: qbittorrent-vpn
 description: qBittorrent with Gluetun VPN sidecar for Kubernetes
 type: application
-version: 0.0.1
+version: 0.0.2
 appVersion: 5.1.0
 maintainers:
   - name: Richard Tomik

charts/qbittorrent-vpn/readme.md

@@ -222,6 +222,45 @@ gluetun:
     STATUS_FILE: "/tmp/gluetun-status.json"
 ```
 
+### Custom Sidecar Containers
+
+The chart supports adding custom sidecar containers to the pod. This is useful for adding additional functionality like port forwarding management (NATMap), monitoring, or other helper containers.
+
+Sidecars are specified using the standard Kubernetes container specification:
+
+```yaml
+sidecars:
+  - name: natmap
+    image: ghcr.io/muink/natmap:latest
+    imagePullPolicy: IfNotPresent
+    env:
+      - name: GATEWAY
+        value: "10.2.0.1"
+      - name: INTERFACE
+        value: "tun0"
+      - name: INTERVAL
+        value: "30"
+    volumeMounts:
+      - name: config
+        mountPath: /config
+        subPath: natmap
+```
+
+**Common Use Cases:**
+
+1. **NATMap**: Automatically update port forwarding configurations
+2. **Monitoring**: Add monitoring agents or exporters
+3. **Custom Scripts**: Run periodic maintenance or update tasks
+
+**Sharing Volumes:**
+
+Sidecars can access the same volumes as the main containers:
+- `config`: qBittorrent configuration volume
+- `downloads`: Downloads volume
+- `gluetun-config`: Gluetun configuration volume (if enabled)
+
+For the full Kubernetes container specification reference, see the [Kubernetes documentation](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.28/#container-v1-core).
+
 ## Troubleshooting
 
 ### VPN Connection Issues

charts/qbittorrent-vpn/templates/deployment.yaml

@@ -255,7 +255,11 @@ spec:
           
           resources:
             {{- toYaml .Values.qbittorrent.resources | nindent 12 }}
-      
+
+        {{- with .Values.sidecars }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+
       volumes:
         # Create /dev/net/tun as a device
         - name: tun

charts/qbittorrent-vpn/values.yaml

@@ -225,4 +225,21 @@ extraVolumes: []
 
 # Temporary options for development/debugging
 hostNetwork: false
-initContainers: []
+initContainers: []
+
+# Additional sidecar containers
+# This allows you to add custom sidecar containers to the pod
+# Each sidecar is specified using standard Kubernetes container spec
+# Example: Add NATMap for port forwarding with VPN
+# sidecars:
+#   - name: natmap
+#     image: ghcr.io/muink/natmap:latest
+#     env:
+#       - name: GATEWAY
+#         value: "10.2.0.1"
+#       - name: INTERFACE
+#         value: "tun0"
+#     volumeMounts:
+#       - name: config
+#         mountPath: /config
+sidecars: []

charts/values.yaml

@@ -1,84 +0,0 @@
-## Ingress settings
-image:
-  repository: norishapp/norish
-  tag: "v0.13.6-beta"
-  pullPolicy: IfNotPresent
-
-ingress:
-  enabled: true
-  className: "traefik"
-  annotations:
-    traefik.ingress.kubernetes.io/router.entrypoints: websecure
-  hosts:
-    - host: norish.tomik.lat
-      paths:
-        - path: /
-          pathType: Prefix
-  tls:
-    - hosts:
-        - norish.tomik.lat
-
-## Persistence settings
-persistence:
-  enabled: true
-  storageClass: "longhorn"
-  accessMode: ReadWriteOnce
-  size: 5Gi
-
-config:
-  # Application URL (required)
-  # This should match your ingress hostname
-  authUrl: "https://norish.tomik.lat"
-
-  # Master encryption key (required)
-  # Generate with: openssl rand -base64 32
-  # For production, use an existing Kubernetes Secret
-  masterKey:
-    existingSecret: ""        # Name of existing Kubernetes secret
-    secretKey: "master-key"   # Key in the secret where master key is stored
-    value: "cp6eVbe4ddmJxlJCJyux5Nlk39gbJR3M9mWjAqEon1c="                 # Only used if existingSecret is not set (must be 32-byte base64)
-
-  # Authentication provider configuration
-  # Configure ONE provider for initial admin account creation
-  # After first login, manage additional providers via Settings → Admin
-  auth:
-    # OIDC/OAuth2 provider
-    oidc:
-      enabled: true
-      name: "Authentik"
-      issuer: "https://authentik.tomik.lat/application/o/norish/"
-      clientId: "tSQZSJDBs479OVLyEzwDYAVaVYJhQuaFouIRWHyg"
-      clientSecret: "SpCQGIhXXF9iVT6qc37ApPC8epy1ZhukDtPp6Ipy8XqI7HK4LQUJmsbNTGhLaz25rNgM3GUUDo0vqoGe4INiEjiPeQ4tpiokrvnjPQ2tXf8AFCiu79eyFttB7TCEdtfI"
-
-    # GitHub OAuth
-    github:
-      enabled: false
-      clientId: ""
-      clientSecret: ""
-      # Use existing secret for GitHub credentials
-      existingSecret: ""
-      clientIdKey: "github-client-id"
-      clientSecretKey: "github-client-secret"
-
-    # Google OAuth
-    google:
-      enabled: false
-      clientId: ""
-      clientSecret: ""
-      # Use existing secret for Google credentials
-      existingSecret: ""
-      clientIdKey: "google-client-id"
-      clientSecretKey: "google-client-secret"
-
-## External PostgreSQL database configuration (REQUIRED)
-## Norish requires a central PostgreSQL database
-## You must have a PostgreSQL server available before deploying this chart
-database:
-  # Database connection details
-  host: "postgres-cluster-pooler.dbs.svc.cluster.local"                 # Required: PostgreSQL server hostname
-  port: 5432
-  # Use existing secret for database credentials (recommended for production)
-  existingSecret: "norish3-db-credentials"          # Name of existing Kubernetes secret
-  usernameKey: "username"     # Key in the secret for database username
-  passwordKey: "password"     # Key in the secret for database password
-  databaseKey: "database"     # Key in the secret for database name (optional)