feat: add README for helm-paperless-s3-backup chart and update configuration options

Author: pascalinthecloud

README.md

@@ -0,0 +1,82 @@
+# Helm Chart: Paperless S3 Backup
+
+This Helm chart deploys a CronJob to back up Paperless NGX documents to an S3-compatible storage with optional sse -c encryption.
+
+## Installation
+
+To install with custom values:
+
+```bash
+helm install paperless-backup ./helm-paperless-s3-backup -f values.yaml -n <NAMESPACE>
+```
+
+## Configuration
+
+### Values
+
+| Key                | Default Value        | Description |
+|--------------------|---------------------|-------------|
+| `cron`            | `"0 4 * * 0"`       | Cron schedule for backups (UTC) |
+| `image.repository` | `pascaaal/docker-awscli-gpg` | Backup container image repository |
+| `image.tag`       | `v1.0.7`            | Container image tag |
+| `s3.accessKey`    | `""`                | S3 Access Key ID |
+| `s3.secretKey`    | `""`                | S3 Secret Access Key |
+| `s3.bucket`       | `""`                | Target S3 bucket name |
+| `s3.endpoint`     | `""`                | S3 endpoint including `https://` |
+| `s3.region`       | `""`                | S3 region |
+| `s3.sseKey`       | `""`                | 32-byte hex key for server-side encryption (SSE-C) |
+| `paperless.namespace` | `""`           | Namespace of Paperless deployment |
+| `paperless.app`   | `""`                | Label of the Paperless pod |
+| `paperless.container_name` | `""`      | Paperless container name |
+
+## Example `values.yaml`
+
+```yaml
+cron: "0 3 * * *"
+
+image:
+  repository: pascaaal/docker-awscli-gpg
+  tag: v1.0.7
+
+s3:
+  accessKey: "your-access-key"
+  secretKey: "your-secret-key"
+  bucket: "your-backup-bucket"
+  endpoint: "https://s3.example.com"
+  region: "us-east-1"
+  sseKey: "your-32-byte-hex-key" # encryption is enabled, when key is set
+
+paperless:
+  namespace: "paperless"
+  app: "paperless"
+  container_name: "paperless-container"
+```
+
+## Generate encryption key
+```bash
+openssl rand -hex 32
+```
+
+## Decrypt backup
+```bash
+export S3_SSE_KEY=154cd74642087d8d8d36c9136b89fb10b42a745c12108092895de44ed03518c0
+echo $S3_SSE_KEY | xxd -r -p > .sse-c.key
+aws s3 sync s3://<BUCKET_NAME> . --endpoint-url https://<ENDPOINT_URL> --sse-c AES256 --sse-c-key fileb://.sse-c.key
+```
+
+## View logs
+```bash
+kubectl logs -l app=paperless-backup -n <NAMESPACE> -c paperless-backup
+```
+## Uninstallation
+
+To remove the deployment:
+
+```bash
+helm uninstall paperless-backup
+```
+
+## Notes
+- Ensure that the S3 credentials have appropriate permissions to write to the bucket.
+- Treat your encryption key like your car keys—lose it, and you’re not going anywhere… especially not to your backups! 🚗🔑
+

charts/helm-paperless-s3-backup/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: helm-paperless-s3-backup
-description: A Helm chart for Kubernetes
+description: A Helm chart for automating Paperless NGX backups to a S3 bucket in Kubernetes with optional encryption.
 type: application
-version: 0.1.1
-appVersion: "1.16.0"
+version: 0.2.0
+appVersion: "1.0.7"

charts/helm-paperless-s3-backup/templates/configmap.yaml

@@ -18,7 +18,6 @@ data:
     error() { log "ERROR" "$1"; }
 
     # Validate environment variables
-    : "${S3_SSE_KEY:?$(error 'Environment variable S3_SSE_KEY not set')}"
     : "${S3_BUCKET:?$(error 'Environment variable S3_BUCKET not set')}"
     : "${S3_ENDPOINT:?$(error 'Environment variable S3_ENDPOINT not set')}"
     : "${S3_REGION:?$(error 'Environment variable S3_REGION not set')}"
@@ -30,9 +29,11 @@ data:
     TIMESTAMP=$(date +%Y-%m-%d_%H-%M-%S)
     FILE_NAME="paperless-backup-$TIMESTAMP"
 
-    # Import the key
-    S3_SSE_C_PATH="/mnt/backup/.sse-c.key"
-    echo $S3_SSE_KEY | xxd -r -p > $S3_SSE_C_PATH
+    # Import the key if S3_SSE_KEY is set
+    if [ -n "$S3_SSE_KEY" ]; then
+        S3_SSE_C_PATH="/mnt/backup/.sse-c.key"
+        echo "$S3_SSE_KEY" | xxd -r -p > "$S3_SSE_C_PATH"
+    fi
 
     info "Creating backup with document exporter..."
     kubectl exec ${PAPERLESS_POD} --container $PAPERLESS_CONTAINER_NAME -- \
@@ -52,13 +53,14 @@ data:
     7z x /mnt/backup/paperless-backup-*.zip -o/mnt/backup/export/
 
     info "Uploading backup to S3..."
-    aws s3 sync \
-      /mnt/backup/export \
-      s3://$S3_BUCKET \
-      --endpoint-url $S3_ENDPOINT \
-      --region $S3_REGION \
-      --sse-c AES256 \
-      --sse-c-key fileb://$S3_SSE_C_PATH
+    CMD="aws s3 sync /mnt/backup/export s3://$S3_BUCKET --endpoint-url $S3_ENDPOINT --region $S3_REGION"
+
+    if [ -n "$S3_SSE_KEY" ]; then
+      CMD="$CMD --sse-c AES256 --sse-c-key fileb://$S3_SSE_C_PATH"
+      info "Using server-side encryption with customer-provided key"
+    fi
+
+    eval "$CMD"
     
     info "Cleaning up backup file..."
     kubectl exec ${PAPERLESS_POD} --container ${PAPERLESS_CONTAINER_NAME} -- \

charts/helm-paperless-s3-backup/values.yaml

@@ -12,7 +12,7 @@ s3:
   bucket: ""
   endpoint: "" # including https://
   region: ""
-  sseKey: "" # 32 bytes hex key (openssl rand -hex 32) for server-side encryption
+  sseKey: "" # 32 bytes hex key (openssl rand -hex 32) for server-side encryption (encprytion enabled when set)
 
 paperless:
   namespace: ""