feat: add implementation of paperless s3 backup

Author: pascalinthecloud

.gitignore

@@ -0,0 +1,6 @@
+# Helm-related files
+*.tgz
+*.lock
+.chart-releaser.yaml
+.release.yaml
+.local.values.yaml

charts/helm-paperless-s3-backup/Chart.yaml

@@ -1,24 +1,6 @@
 apiVersion: v2
 name: helm-paperless-s3-backup
 description: A Helm chart for Kubernetes
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
-# Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
-
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application. Versions are not expected to
-# follow Semantic Versioning. They should reflect the version the application is using.
-# It is recommended to use it with quotes.
+version: 0.1.1
 appVersion: "1.16.0"

charts/helm-paperless-s3-backup/templates/NOTES.txt

@@ -0,0 +1,65 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+    name: {{ .Release.Name }}-config
+data:
+  backup.sh: |
+    #!/bin/sh
+    set -e
+
+    # Log functions
+    log() {
+      local level="$1"
+      local message="$2"
+      echo "[${level}] ${message}"
+    }
+    info()  { log "INFO" "$1"; }
+    warn()  { log "WARN" "$1"; }
+    error() { log "ERROR" "$1"; }
+
+    # Validate environment variables
+    : "${S3_SSE_KEY:?$(error 'Environment variable S3_SSE_KEY not set')}"
+    : "${S3_BUCKET:?$(error 'Environment variable S3_BUCKET not set')}"
+    : "${S3_ENDPOINT:?$(error 'Environment variable S3_ENDPOINT not set')}"
+    : "${S3_REGION:?$(error 'Environment variable S3_REGION not set')}"
+
+    # Get the paperless pod name & container name
+    PAPERLESS_POD=$(kubectl get pod -n $PAPERLESS_NAMESPACE -l app=$PAPERLESS_APP -o jsonpath="{.items[0].metadata.name}")
+
+    # Set the timestamp and file name
+    TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
+    FILE_NAME="paperless-backup-$TIMESTAMP"
+
+    # Import the key
+    S3_SSE_C_PATH="/mnt/backup/.sse-c.key"
+    echo $S3_SSE_KEY | xxd -r -p > $S3_SSE_C_PATH
+
+    info "Creating backup with document exporter..."
+    kubectl exec ${PAPERLESS_POD} --container $PAPERLESS_CONTAINER_NAME -- \
+      document_exporter \
+        --use-folder-prefix \
+        --zip \
+        --zip-name ${FILE_NAME} \
+        ../export
+    
+    info "Copy backup zip to this pod..."
+    kubectl cp \
+      --container="${PAPERLESS_CONTAINER_NAME}" \
+      ${PAPERLESS_POD}:../export/${FILE_NAME}.zip \
+      /mnt/backup/${FILE_NAME}.zip
+
+    info "Unzipping backup file..."
+    7z x /mnt/backup/paperless-backup-*.zip -o/mnt/backup/export/
+
+    info "Uploading backup to S3..."
+    aws s3 sync \
+      /mnt/backup/export \
+      s3://$S3_BUCKET \
+      --endpoint-url $S3_ENDPOINT \
+      --region $S3_REGION \
+      --sse-c AES256 \
+      --sse-c-key fileb://$S3_SSE_C_PATH
+    
+    info "Cleaning up backup file..."
+    kubectl exec ${PAPERLESS_POD} --container ${PAPERLESS_CONTAINER_NAME} -- \
+      bash -c "rm /usr/src/paperless/export/${FILE_NAME}.zip"

charts/helm-paperless-s3-backup/templates/_helpers.tpl

@@ -0,0 +1,53 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ .Release.Name }}-cronjob
+spec:
+  schedule: "{{ .Values.cron }}"
+  successfulJobsHistoryLimit: 2
+  failedJobsHistoryLimit: 2
+  jobTemplate:
+    spec:
+      backoffLimit: 2
+      template:
+        metadata:
+          name: {{ .Release.Name }}
+          labels:
+            app: {{ .Release.Name }}
+        spec:
+          serviceAccountName: {{ .Release.Name }}
+          restartPolicy: OnFailure
+
+          containers:
+            - name: paperless-backup
+              image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
+              command: ["bash", "-c", "/opt/paperless-s3-backup/backup.sh"]
+              envFrom:
+                - secretRef:
+                    name: {{ .Release.Name }}-secret
+              securityContext:
+                runAsUser: 34
+                seccompProfile:
+                  type: RuntimeDefault
+                allowPrivilegeEscalation: false
+                runAsNonRoot: true
+                capabilities:
+                  drop:
+                    - ALL
+              volumeMounts:
+                - name: backup-volume
+                  mountPath: /mnt/backup
+                - name: backup-script
+                  mountPath: /opt/paperless-s3-backup/backup.sh
+                  subPath: backup.sh
+                  
+          volumes:
+            - name: backup-volume
+              emptyDir: {}
+            - name: backup-script
+              configMap:
+                name: {{ .Release.Name }}-config
+                items:
+                  - key: backup.sh
+                    path: backup.sh
+                defaultMode: 0555