2 changes: 1 addition & 1 deletion charts/plane-enterprise/Chart.yaml
Expand Up @@ -5,7 +5,7 @@ description: Meet Plane. An Enterprise software development tool to manage issue

type: application

version: 1.4.1
version: 1.4.2
appVersion: "1.14.1"

home: https://plane.so/
10 changes: 9 additions & 1 deletion charts/plane-enterprise/README.md
Expand Up @@ -92,9 +92,17 @@
| Setting | Default | Required | Description |
|---|:---:|:---:|---|
| planeVersion | v1.14.1 | Yes | Specifies the version of Plane to be deployed. Copy this from prime.plane.so. |
| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. |
| license.licenseDomain | plane.example.com | Yes | The fully-qualified domain name (FQDN) in the format `sudomain.domain.tld` or `domain.tld` that the license is bound to. It is also attached to your `ingress` host to access Plane. |


### Air-gapped Settings

| Setting | Default | Required | Description |
|---|:---:|:---:|---|
| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. |
| airgapped.s3SecretName | "" | No | Name of the Secret that contains the CA certificate (.crt). The Secret must include a data key whose filename matches the basename of `airgapped.s3SecretKey`. Used to override S3’s CA when `airgapped.enabled=true`. Applying this secret looks like: `kubectl -n plane create secret generic plane-s3-ca \ --from-file=s3-custom-ca.crt=/path/to/your/ca.crt` |
| airgapped.s3SecretKey | "" | No | Key name of the secret to load the Custom Root CA from `airgapped.s3SecretName` |

### Postgres

| Setting | Default | Required | Description |
16 changes: 16 additions & 0 deletions charts/plane-enterprise/questions.yml
Expand Up @@ -80,6 +80,22 @@ questions:
type: string
required: true

- variable: airgapped.enabled
label: "Airgapped Enabled"
type: boolean
default: false
group: "License Setup"
show_subquestion_if: true
subquestions:
- variable: airgapped.s3SecretName
label: "S3 Secret Name"
type: string
default: ""
- variable: airgapped.s3SecretKey
label: "S3 Secret Key"
type: string
default: ""

- variable: services.web.pullPolicy
label: "Web Pull Policy"
type: enum
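Review bot: The label "S3 Secret Key" on `airgapped.s3SecretKey` reads like a request for an S3 secret access key, but the templates use the value as the data-key name (the CA file name) inside the Kubernetes Secret named by `airgapped.s3SecretName`. Anything typed here is rendered in plain text into the pod spec and the start-up script, so a credential entered by mistake would be exposed to anyone who can read the Deployment. Rename the label and add a description to both subquestions, for example `label: "S3 CA Secret Data Key"` with `description: "File name of the CA certificate inside the Secret, e.g. s3-custom-ca.crt. Not an S3 credential."`.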
6 changes: 6 additions & 0 deletions charts/plane-enterprise/templates/config-secrets/app-env.yaml
Expand Up @@ -31,6 +31,11 @@ stringData:
{{- else }}
AMQP_URL: ""
{{ end }}

{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
AWS_CA_BUNDLE: "/s3-custom-ca/{{ .Values.airgapped.s3SecretKey }}"
{{- end }}

{{- end }}
---

Expand All @@ -49,6 +54,7 @@ data:

API_KEY_RATE_LIMIT: {{ .Values.env.api_key_rate_limit | default "60/minute" | quote }}
MINIO_ENDPOINT_SSL: {{ .Values.services.minio.env.minio_endpoint_ssl | default false | ternary "1" "0" | quote }}
USE_STORAGE_PROXY: {{ .Values.env.use_storage_proxy | default false | ternary "1" "0" | quote }}
INTAKE_EMAIL_DOMAIN: {{ .Values.env.email_service_envs.smtp_domain | default "" | quote }}

SENTRY_DSN: {{ .Values.env.sentry_dsn | default "" | quote}}
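Review bot: `airgapped.s3SecretKey` is pasted unvalidated into the double-quoted `AWS_CA_BUNDLE` value in the first hunk, so a value containing `"` breaks the rendered Secret and one containing `/` or `..` points the bundle outside `/s3-custom-ca`. The same raw value is also templated into the volume `items` key/path and into the `S3_CERT_FILE="..."` line of the bash start-up script in templates/workloads/api.deployment.yaml, where shell metacharacters in the value would be evaluated when the container starts. Reject anything but a plain file name once, before any of these uses: `{{- if not (regexMatch "^[A-Za-z0-9_-][A-Za-z0-9._-]*\\.crt$" .Values.airgapped.s3SecretKey) }}{{ fail "airgapped.s3SecretKey must be a plain file name ending in .crt" }}{{- end }}`. The enclosing `stringData` block starts outside the hunk.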
51 changes: 50 additions & 1 deletion charts/plane-enterprise/templates/workloads/api.deployment.yaml
Expand Up @@ -39,6 +39,15 @@ spec:
annotations:
timestamp: {{ now | quote }}
spec:
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
volumes:
- name: s3-custom-ca
secret:
secretName: {{ .Values.airgapped.s3SecretName }}
items:
- key: {{ .Values.airgapped.s3SecretKey }}
path: {{ .Values.airgapped.s3SecretKey }}
{{- end }}
containers:
- name: {{ .Release.Name }}-api
imagePullPolicy: {{ .Values.services.api.pullPolicy | default "Always" }}
Expand All @@ -52,8 +61,48 @@ spec:
limits:
memory: {{ .Values.services.api.memoryLimit | default "1000Mi" | quote }}
cpu: {{ .Values.services.api.cpuLimit | default "500m" | quote}}
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
volumeMounts:
- name: s3-custom-ca
mountPath: /s3-custom-ca
readOnly: true
env:
- name: SSL_CERT_FILE
value: "/etc/ssl/certs/ca-certificates.crt"
- name: SSL_CERT_DIR
value: "/etc/ssl/certs"
- name: REQUESTS_CA_BUNDLE
value: "/etc/ssl/certs/ca-certificates.crt"
- name: CURL_CA_BUNDLE
value: "/etc/ssl/certs/ca-certificates.crt"
{{- end }}
command:
- ./bin/docker-entrypoint-api-ee.sh
- /bin/bash
- -c
- |
set -e

{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }}
echo "Installing custom CA certificates..."

# Ensure ca-certificates directory exists
mkdir -p /usr/local/share/ca-certificates

# Install custom S3 CA if available
S3_CERT_FILE="{{ .Values.airgapped.s3SecretKey }}"
if [ -f "/s3-custom-ca/$S3_CERT_FILE" ]; then
echo "Installing S3 custom CA certificate..."
cp "/s3-custom-ca/$S3_CERT_FILE" "/usr/local/share/ca-certificates/$S3_CERT_FILE"
# Update CA certificates
update-ca-certificates
echo "CA certificates installed successfully"
else
echo "No custom S3 CA certificate found, skipping..."
fi
{{- end }}

# Start the API
exec ./bin/docker-entrypoint-api-ee.sh
envFrom:
- configMapRef:
name: {{ .Release.Name }}-app-vars
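Review bot: The CA install step inside the `command` script is guarded by `and .Values.airgapped.enabled .Values.airgapped.s3SecretName` only, while the `volumes` and `volumeMounts` blocks also require `s3SecretKey`; with the key unset the script runs against an empty `S3_CERT_FILE` and a mount that does not exist, so the guard should be the same three-value condition, `{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}`. The step also carries two undocumented requirements: `update-ca-certificates` on Debian-based images only picks up files ending in `.crt`, and it needs root plus a writable root filesystem. Under `set -e`, a non-root or read-only security context would presumably stop the container before the API starts, so a comment such as `# needs root and a writable /etc/ssl/certs; s3SecretKey must end in .crt` belongs above the `cp`. `secretName: {{ .Values.airgapped.s3SecretName }}` and the `key`/`path` values would be safer piped through `| quote`. The container spec continues outside both hunks.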
8 changes: 8 additions & 0 deletions charts/plane-enterprise/values.yaml
Expand Up @@ -12,6 +12,12 @@ license:

airgapped:
enabled: false
# The boto module used by API does not use the CA bundles in the container, so we need to
# mount the CA bundle into the API pod by passing it in as an environment
# variable. Should be the full path to the CA bundle file, e.g.
#
s3SecretName: ""
s3SecretKey: ""

ingress:
enabled: true
Expand Down Expand Up @@ -244,6 +250,8 @@ env:
aws_region: ''
aws_s3_endpoint_url: ''

use_storage_proxy: false

secret_key: "60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5"
api_key_rate_limit: "60/minute"

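Review bot: The comment added above `s3SecretName` in the first hunk does not describe the two settings it sits on: it says the value "Should be the full path to the CA bundle file, e.g." and then trails off, whereas the templates expect a Secret name and a data-key name and build the path themselves. An operator following the comment would put a filesystem path into one of these fields and the CA would silently not be mounted. Replace it with something like `# s3SecretName: Secret holding the custom root CA for the S3 endpoint.` and `# s3SecretKey: data key (file name ending in .crt) in that Secret; mounted at /s3-custom-ca/<key> and exported as AWS_CA_BUNDLE.`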