Add helmchart for rclone as an intermediate s3 proxy

mikeshootzz · mikeshootzz · commit 64a06df081fd · 2026-01-28T17:07:52.000+01:00
This adds a helmchart for rclone as an intermediate encryption proxy.
diff --git a/charts/rcloneproxy/Chart.yaml b/charts/rcloneproxy/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: rcloneproxy
+description: A Helm chart for deploying rclone as an intermediate s3 proxy
+type: application
+version: 0.0.1
+maintainers:
+  - name: Schedar Team
+    email: info@vshn.ch
diff --git a/charts/rcloneproxy/templates/_helpers.tpl b/charts/rcloneproxy/templates/_helpers.tpl
@@ -0,0 +1,52 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "rcloneproxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "rcloneproxy.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "rcloneproxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "rcloneproxy.labels" -}}
+helm.sh/chart: {{ include "rcloneproxy.chart" . }}
+{{ include "rcloneproxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "rcloneproxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "rcloneproxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
diff --git a/charts/rcloneproxy/templates/deployment.yaml b/charts/rcloneproxy/templates/deployment.yaml
@@ -0,0 +1,130 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "rcloneproxy.fullname" . }}
+  labels:
+    {{- include "rcloneproxy.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "rcloneproxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "rcloneproxy.labels" . | nindent 8 }}
+    spec:
+      initContainers:
+        - name: generate-config
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              set -e
+              # Obscure the encryption passwords
+              OBSCURED_PASSWORD=$(echo -n "$ENCRYPTION_PASSWORD" | rclone obscure -)
+              OBSCURED_PASSWORD2=$(echo -n "$ENCRYPTION_PASSWORD2" | rclone obscure -)
+
+              # Generate rclone.conf with obscured passwords
+              cat > /config/rclone/rclone.conf <<EOF
+              [target]
+              type = s3
+              provider = Other
+              env_auth = false
+              access_key_id = $BACKEND_ACCESS_KEY_ID
+              secret_access_key = $BACKEND_SECRET_ACCESS_KEY
+              endpoint = $BACKEND_ENDPOINT
+              region = $BACKEND_REGION
+              location_constraint = $BACKEND_REGION
+              force_path_style = true
+
+              [s3-crypt]
+              type = crypt
+              remote = target:$BACKEND_BUCKET
+              filename_encryption = standard
+              directory_name_encryption = true
+              password = $OBSCURED_PASSWORD
+              password2 = $OBSCURED_PASSWORD2
+              EOF
+
+              echo "Generated rclone.conf with obscured passwords"
+          env:
+            - name: BACKEND_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.accessKeyID }}
+            - name: BACKEND_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.accessKeySecret }}
+            - name: BACKEND_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.endpoint }}
+            - name: BACKEND_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.region }}
+            - name: BACKEND_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.bucket }}
+            - name: ENCRYPTION_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "rcloneproxy.fullname" . }}-encryption-plain
+                  key: password
+            - name: ENCRYPTION_PASSWORD2
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "rcloneproxy.fullname" . }}-encryption-plain
+                  key: password2
+          volumeMounts:
+            - name: rclone-config
+              mountPath: /config/rclone
+      containers:
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          command:
+            - /bin/sh
+            - -c
+          args:
+            - |
+              rclone -vv serve s3 s3-crypt: --addr :{{ .Values.service.port }} --auth-key "${BACKEND_ACCESS_KEY_ID},${BACKEND_SECRET_ACCESS_KEY}"
+          env:
+            - name: RCLONE_CONFIG
+              value: /config/rclone/rclone.conf
+            - name: BACKEND_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.accessKeyID }}
+            - name: BACKEND_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.backend.secretRef.name }}
+                  key: {{ .Values.backend.secretRef.keys.accessKeySecret }}
+          ports:
+            - name: s3
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: rclone-config
+              mountPath: /config/rclone
+              readOnly: true
+          stdin: true
+          tty: true
+      volumes:
+        - name: rclone-config
+          emptyDir: {}
diff --git a/charts/rcloneproxy/templates/secret.yaml b/charts/rcloneproxy/templates/secret.yaml
@@ -0,0 +1,23 @@
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-encryption-plain" (include "rcloneproxy.fullname" .)) -}}
+{{- $encryptionPassword := "" -}}
+{{- $encryptionPassword2 := "" -}}
+{{- if $existingSecret -}}
+  {{- $encryptionPassword = index $existingSecret.data "password" | b64dec -}}
+  {{- $encryptionPassword2 = index $existingSecret.data "password2" | b64dec -}}
+{{- else -}}
+  {{- $encryptionPassword = randAlphaNum 32 -}}
+  {{- $encryptionPassword2 = randAlphaNum 32 -}}
+{{- end -}}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "rcloneproxy.fullname" . }}-encryption-plain
+  labels:
+    {{- include "rcloneproxy.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/resource-policy: keep
+type: Opaque
+stringData:
+  password: "{{ $encryptionPassword }}"
+  password2: "{{ $encryptionPassword2 }}"
diff --git a/charts/rcloneproxy/templates/service.yaml b/charts/rcloneproxy/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "rcloneproxy.fullname" . }}
+  labels:
+    {{- include "rcloneproxy.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: s3
+      protocol: TCP
+      name: s3
+  selector:
+    {{- include "rcloneproxy.selectorLabels" . | nindent 4 }}
diff --git a/charts/rcloneproxy/values.yaml b/charts/rcloneproxy/values.yaml
@@ -0,0 +1,45 @@
+image:
+  # -- Image repository for rclone
+  repository: rclone/rclone
+  # -- Configure the image tag. To update to a newer version, use the commit sha from the tagged release
+  tag: "sha-73bcae2"
+  # -- Image pull policy
+  pullPolicy: Always
+
+# -- Number of replicas
+replicaCount: 1
+
+# -- Service configuration
+service:
+  # -- Service type
+  type: ClusterIP
+  # -- Service port (rclone S3 server port)
+  port: 9095
+
+# -- Backend S3 storage configuration
+backend:
+  # -- Reference to an existing secret containing backend S3 credentials
+  secretRef:
+    # -- Name of the secret containing backend credentials
+    name: ""
+    # -- Keys in the secret for each configuration value
+    keys:
+      # -- Key for S3 access key ID
+      accessKeyID: "access-key-id"
+      # -- Key for S3 access key secret
+      accessKeySecret: "access-key-secret"
+      # -- Key for S3 endpoint URL
+      endpoint: "endpoint"
+      # -- Key for S3 region
+      region: "region"
+      # -- Key for S3 bucket name
+      bucket: "bucket"
+
+# -- Resource requests and limits
+resources:
+  requests:
+    memory: "96Mi"
+    cpu: "10m"
+  limits:
+    memory: "128Mi"
+    cpu: "25m"
