docs: update README and add chart configuration reference

- Rewrite README to be more concise with streamlined diagrams
- Add chart/README.md with complete helm values reference
- Link to chart/README.md from main README

Author: ServerSideHannes

README.md

@@ -7,7 +7,7 @@
 <h1 align="center">S3Proxy</h1>
 
 <p align="center">
-  <strong>Transparent encryption for S3. Zero code changes.</strong>
+  <strong>Transparent client-side encryption for S3. Zero code changes.</strong>
 </p>
 
 <p align="center">
@@ -21,23 +21,16 @@
 
 ## Overview
 
-S3's server-side encryption is great, but your cloud provider holds the keys. With S3Proxy, **you** control encryption.
+S3's server-side encryption is great, but your cloud provider holds the keys. S3Proxy sits between your app and S3, encrypting everything **before** it leaves your infrastructure.
 
 ```
-┌─────────────────────────────────────────────────────────────────────────┐
-│                                                                         │
-│    ┌──────────┐         ┌──────────┐         ┌──────────┐              │
-│    │          │  plain  │          │  AES    │          │              │
-│    │ Your App │ ──────▶ │ S3Proxy  │ ──────▶ │   S3     │              │
-│    │          │  data   │          │  256    │          │              │
-│    └──────────┘         └──────────┘         └──────────┘              │
-│                               │                                         │
-│                         ┌─────┴─────┐                                   │
-│                         │  You own  │                                   │
-│                         │ the keys  │                                   │
-│                         └───────────┘                                   │
-│                                                                         │
-└─────────────────────────────────────────────────────────────────────────┘
+┌──────────┐         ┌──────────┐         ┌──────────┐
+│          │  plain  │          │  AES    │          │
+│ Your App │ ──────▶ │ S3Proxy  │ ──────▶ │    S3    │
+│          │  data   │          │  256    │          │
+└──────────┘         └──────────┘         └──────────┘
+                           │
+                     You own the keys.
 ```
 
 <p align="center">
@@ -63,11 +56,11 @@ helm install s3proxy oci://ghcr.io/serversidehannes/s3proxy-python/charts/s3prox
 aws s3 --endpoint-url http://s3proxy-python:4433 cp file.txt s3://bucket/
 ```
 
-> Clients use the **same credentials** configured on the proxy. See [How It Works](#how-it-works).
+That's it. Point any S3 client at the proxy, use the **same credentials** you configured above.
 
 ---
 
-## Tested Integrations
+## Battle-Tested
 
 <p align="center">
   <img src="https://img.shields.io/badge/PostgreSQL_17-336791?style=flat-square&logo=postgresql&logoColor=white" alt="PostgreSQL">
@@ -83,58 +76,27 @@ aws s3 --endpoint-url http://s3proxy-python:4433 cp file.txt s3://bucket/
 | ScyllaDB 6.x | Scylla Operator 1.19 | Scylla Manager |
 | ClickHouse 24.x | Altinity Operator | clickhouse-backup |
 
-All verified: **backup → cluster delete → restore → data integrity check**
+All verified: **backup, cluster delete, restore, data integrity check.**
 
 ---
 
 ## How It Works
 
-### Credential Flow
+**Credential flow** — S3 clients sign requests with their secret key. When S3Proxy encrypts the payload, the body changes and the original signature is invalidated. The proxy re-signs with the same key. Configure credentials once on the proxy, all clients use them.
 
-```
-┌────────────┐   signs request    ┌────────────┐   re-signs      ┌────────────┐
-│            │ ─────────────────▶ │            │ ──────────────▶ │            │
-│   Client   │   (your creds)     │  S3Proxy   │  (same creds)   │    S3      │
-│            │ ◀───────────────── │            │ ◀────────────── │            │
-└────────────┘    decrypted       └────────────┘    encrypted    └────────────┘
-```
-
-S3 clients sign requests with their secret key. When S3Proxy encrypts the payload, it changes the body—invalidating the original signature. The proxy must re-sign, which requires the secret key.
-
-**→ Configure credentials once on the proxy. All clients use those same credentials.**
-
-### Encryption Architecture
+**Envelope encryption** — Your master key derives a KEK (Key Encryption Key). Each object gets a random DEK (Data Encryption Key), encrypted with AES-256-GCM. The DEK is wrapped by the KEK and stored as object metadata. Your master key never touches S3.
 
 ```
-┌─────────────────────────────────────────────────────────────┐
-│                                                             │
-│   Your Master Key                                           │
-│         │                                                   │
-│         ▼                                                   │
-│   ┌───────────┐                                             │
-│   │    KEK    │  Key Encryption Key (derived)               │
-│   └─────┬─────┘                                             │
-│         │ wraps                                             │
-│         ▼                                                   │
-│   ┌───────────┐                                             │
-│   │    DEK    │  Data Encryption Key (random per object)    │
-│   └─────┬─────┘                                             │
-│         │ encrypts                                          │
-│         ▼                                                   │
-│   ┌───────────┐                                             │
-│   │   Data    │  AES-256-GCM                                │
-│   └───────────┘                                             │
-│                                                             │
-└─────────────────────────────────────────────────────────────┘
+Master Key → KEK (derived via SHA-256)
+              └→ wraps DEK (random per object)
+                   └→ encrypts data (AES-256-GCM)
 ```
 
-Your master key never touches S3. DEKs are wrapped and stored as object metadata.
-
 ---
 
 ## Production Deployment
 
-### With External Secrets
+### External Secrets (recommended)
 
 ```bash
 kubectl create secret generic s3proxy-secrets \
@@ -155,9 +117,7 @@ helm install s3proxy oci://ghcr.io/serversidehannes/s3proxy-python/charts/s3prox
 | Gateway | `http://s3-gateway.<ns>` |
 | Ingress | `https://s3proxy.example.com` |
 
-### Health Checks
-
-`GET /healthz` · `GET /readyz`
+Health: `GET /healthz` · `GET /readyz` · Metrics: `GET /metrics`
 
 ---
 
@@ -168,37 +128,28 @@ helm install s3proxy oci://ghcr.io/serversidehannes/s3proxy-python/charts/s3prox
 | `replicaCount` | `3` | Pod replicas |
 | `s3.host` | `s3.amazonaws.com` | S3 endpoint (AWS, MinIO, R2, etc.) |
 | `s3.region` | `us-east-1` | AWS region |
-| `secrets.encryptKey` | — | AES-256 key (32 bytes) |
-| `secrets.awsAccessKeyId` | — | AWS access key |
-| `secrets.awsSecretAccessKey` | — | AWS secret key |
+| `secrets.encryptKey` | — | Encryption key |
 | `secrets.existingSecrets.enabled` | `false` | Use existing K8s secret |
 | `redis-ha.enabled` | `true` | Deploy embedded Redis HA |
-| `gateway.enabled` | `false` | Create `s3-gateway` service |
+| `gateway.enabled` | `false` | Create gateway service |
 | `ingress.enabled` | `false` | Enable ingress |
-| `performance.memoryLimitMb` | `64` | Memory budget for concurrency (Linux only) |
-
-> **Note:** Memory-based concurrency limiting requires Linux. The `malloc_trim` syscall used to release memory back to the OS is not available on macOS.
+| `performance.memoryLimitMb` | `64` | Memory budget for streaming concurrency |
 
-→ [chart/values.yaml](chart/values.yaml) for all options.
+See [chart/README.md](chart/README.md) for all options.
 
 ---
 
 ## FAQ
 
-**Can I use existing unencrypted data?**
-Yes. S3Proxy detects unencrypted objects and returns them as-is. To migrate, copy through the proxy.
+**Can I use existing unencrypted data?** Yes. S3Proxy detects unencrypted objects and returns them as-is. Migrate by copying through the proxy.
 
-**What if I lose my encryption key?**
-Data is unrecoverable. Back up your key.
+**What if I lose my encryption key?** Data is unrecoverable. Back up your key.
 
-**What if Redis fails during multipart upload?**
-Upload fails and must restart. Use `redis-ha.enabled=true` with persistence.
+**What if Redis fails mid-upload?** Upload fails and must restart. Use `redis-ha.enabled=true` with persistence.
 
-**Does it work with MinIO/R2/Spaces?**
-Yes. Set `s3.host` to your endpoint.
+**MinIO / R2 / Spaces?** Yes. Set `s3.host` to your endpoint.
 
-**Presigned URLs?**
-GET works. PUT/POST don't (signature computed over plaintext, but proxy encrypts).
+**Presigned URLs?** GET works. PUT/POST don't — the proxy encrypts the body which invalidates the pre-signed signature.
 
 ---
 

chart/README.md

@@ -0,0 +1,63 @@
+# S3Proxy Helm Chart
+
+## Install
+
+```bash
+helm install s3proxy oci://ghcr.io/serversidehannes/s3proxy-python/charts/s3proxy-python \
+  --set secrets.encryptKey="your-key" \
+  --set secrets.awsAccessKeyId="AKIA..." \
+  --set secrets.awsSecretAccessKey="wJalr..."
+```
+
+## Values
+
+| Value | Default | Description |
+|-------|---------|-------------|
+| `replicaCount` | `3` | Pod replicas |
+| `image.repository` | `ghcr.io/ServerSideHannes/s3proxy-python` | Container image |
+| `image.tag` | `latest` | Image tag |
+| `image.pullPolicy` | `IfNotPresent` | Pull policy |
+| `s3.host` | `s3.amazonaws.com` | S3 endpoint |
+| `s3.region` | `us-east-1` | AWS region |
+| `server.port` | `4433` | Proxy listen port |
+| `server.noTls` | `true` | Disable TLS (in-cluster only) |
+| `performance.memoryLimitMb` | `64` | Memory budget for streaming |
+| `logLevel` | `DEBUG` | Log level |
+| `secrets.encryptKey` | `""` | AES-256 encryption key |
+| `secrets.awsAccessKeyId` | `""` | AWS access key |
+| `secrets.awsSecretAccessKey` | `""` | AWS secret key |
+| `secrets.existingSecrets.enabled` | `false` | Use pre-created K8s secret |
+| `secrets.existingSecrets.name` | `""` | Existing secret name |
+| `secrets.existingSecrets.keys.encryptKey` | `S3PROXY_ENCRYPT_KEY` | Key name in existing secret |
+| `secrets.existingSecrets.keys.awsAccessKeyId` | `AWS_ACCESS_KEY_ID` | Key name in existing secret |
+| `secrets.existingSecrets.keys.awsSecretAccessKey` | `AWS_SECRET_ACCESS_KEY` | Key name in existing secret |
+| `redis-ha.enabled` | `true` | Deploy embedded Redis HA |
+| `redis-ha.replicas` | `1` | Redis replicas |
+| `redis-ha.auth` | `false` | Enable Redis auth |
+| `redis-ha.haproxy.enabled` | `true` | Deploy HAProxy for Redis |
+| `redis-ha.persistentVolume.enabled` | `true` | Persistent storage |
+| `redis-ha.persistentVolume.size` | `10Gi` | Volume size |
+| `externalRedis.url` | `""` | External Redis URL |
+| `externalRedis.uploadTtlHours` | `24` | Upload state TTL |
+| `externalRedis.existingSecret` | `""` | K8s secret with Redis password |
+| `externalRedis.passwordKey` | `redis-password` | Key name in Redis secret |
+| `service.type` | `ClusterIP` | Service type |
+| `service.port` | `4433` | Service port |
+| `ingress.enabled` | `false` | Enable ingress |
+| `ingress.className` | `nginx` | Ingress class |
+| `ingress.annotations` | nginx streaming defaults | Ingress annotations |
+| `ingress.hosts` | `[]` | Ingress hostnames |
+| `ingress.tls` | `[]` | Ingress TLS config |
+| `gateway.enabled` | `false` | ExternalName gateway service |
+| `gateway.serviceName` | `s3-gateway` | Gateway service name |
+| `gateway.ingressService` | `ingress-nginx-controller...` | Target ingress service |
+| `resources.requests.cpu` | `100m` | CPU request |
+| `resources.requests.memory` | `512Mi` | Memory request |
+| `resources.limits.cpu` | `500m` | CPU limit |
+| `resources.limits.memory` | `512Mi` | Memory limit |
+| `nodeSelector` | `{}` | Node selector |
+| `tolerations` | `[]` | Tolerations |
+| `affinity` | `{}` | Affinity rules |
+| `topologySpreadConstraints` | `[]` | Topology spread |
+| `podDisruptionBudget.enabled` | `true` | Enable PDB |
+| `podDisruptionBudget.minAvailable` | `1` | Min available pods |