[INFRA-317] Update Plane-EE Helm Chart to version v2.3.0
#212
base: master
Changes from all commits
c7becb8
77349ef
c39e66f
53bf94f
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| {{- if .Values.podIdentity.enabled }} | ||
| EKS Pod Identity (out-of-band) configuration | ||
|
|
||
| This chart configures the Kubernetes `ServiceAccount` name as: | ||
| {{ printf "%s-srv-account" .Release.Name }} | ||
|
|
||
| 1. Ensure the Pod Identity agent addon is installed: | ||
| eksctl create addon --cluster {{ default "<CLUSTER_NAME>" .Values.podIdentity.clusterName }} --name eks-pod-identity-agent | ||
|
|
||
| 2. Create the Pod Identity association: | ||
| eksctl create podidentityassociation \ | ||
| --cluster {{ default "<CLUSTER_NAME>" .Values.podIdentity.clusterName }} \ | ||
| --namespace {{ default .Release.Namespace .Values.podIdentity.namespace }} \ | ||
| --service-account-name {{ default (printf "%s-srv-account" .Release.Name) .Values.podIdentity.serviceAccountName }} \ | ||
| --role-arn {{ default "<ROLE_ARN>" .Values.podIdentity.roleArn }} | ||
|
|
||
| Alternative (AWS CLI): | ||
| aws eks create-pod-identity-association \ | ||
| --cluster-name {{ default "<CLUSTER_NAME>" .Values.podIdentity.clusterName }} \ | ||
| --namespace {{ default .Release.Namespace .Values.podIdentity.namespace }} \ | ||
| --service-account {{ default (printf "%s-srv-account" .Release.Name) .Values.podIdentity.serviceAccountName }} \ | ||
| --role-arn {{ default "<ROLE_ARN>" .Values.podIdentity.roleArn }} | ||
|
|
||
| Important: | ||
| - Pod Identity associations are managed outside of Helm/Kubernetes manifests (for example via `eksctl` / AWS APIs). | ||
| - Pod Identity is not configured purely by ServiceAccount annotations in this setup. | ||
| {{- else }} | ||
| IRSA configuration (IAM Roles for Service Accounts) | ||
|
|
||
| To enable AWS permissions for this chart's ServiceAccount: | ||
| - set `irsa.roleArn`, or | ||
| - set `serviceAccount.annotations` / `irsa.annotations` with `eks.amazonaws.com/role-arn`. | ||
|
|
||
| This chart's ServiceAccount name is: | ||
| {{ printf "%s-srv-account" .Release.Name }} | ||
| {{- end }} | ||
|
|
||
| --- | ||
| ## Secret ARN driven env wiring | ||
|
|
||
| This chart conditionally renders AWS Secrets Manager ARN-related env vars (for example `AMAZONMQ_SECRET_ARN`, `ELASTICACHE_SECRET_ARN`, `RDS_SECRET_ARN`) and the corresponding `*_KEY` mappings only when the ARN values (and the required key-name values) are provided. | ||
|
|
||
| To verify what will be rendered for your current values, run: | ||
|
|
||
| ```sh | ||
| helm template <RELEASE_NAME> ./charts/plane-enterprise \ | ||
| --namespace <NAMESPACE> \ | ||
| -f <YOUR_VALUES_YAML> | \ | ||
| rg -n "AMAZONMQ_SECRET_ARN|ELASTICACHE_SECRET_ARN|RDS_SECRET_ARN|RABBITMQ_(USER_KEY|PASSWORD_KEY)|RDS_DB_(HOST_KEY|NAME_KEY|PASSWORD_KEY|PORT_KEY|USERNAME_KEY)|FOLLOWER_RDS_DB_(HOST_KEY|NAME_KEY|PASSWORD_KEY|PORT_KEY|USERNAME_KEY)|MODEL_CUSTOM_LLM_API_KEY" | ||
| ``` | ||
|
|
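Review bot: the Pod Identity instructions can bind the association to a ServiceAccount the chart never creates. The NOTES state that the chart's ServiceAccount is `{{ printf "%s-srv-account" .Release.Name }}`, yet `--service-account-name` (and `--service-account` in the AWS CLI variant) takes `.Values.podIdentity.serviceAccountName` whenever it is set; a user who sets it to any other value gets an association that points at a ServiceAccount the pods do not use, and the workload runs with no AWS credentials and no error at install time. Either drop the override or have the NOTES print exactly the value the ServiceAccount template uses. Two smaller points: the IRSA branch offers both `irsa.roleArn` and `serviceAccount.annotations` / `irsa.annotations` carrying `eks.amazonaws.com/role-arn` without saying which wins when both are set, so state the precedence; and the verification pipeline greps for `FOLLOWER_RDS_DB_*` and `MODEL_CUSTOM_LLM_API_KEY`, which neither template shown in this diff renders, while omitting `REDIS_AUTH_TOKEN_KEY`, which `app-env.yaml` does render, and it depends on `rg` being installed (`grep -nE` with the same pattern works on any host that has `helm`).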
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -11,6 +11,17 @@ stringData: | |
| LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "htbqvBJAgpm9bzvf3r4urJer0ENReatceh" | quote }} | ||
| PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk" | quote }} | ||
|
|
||
| # AWS Secrets Manager ARNs (consumed by workloads via envFrom plane-app-secrets) | ||
| {{- if and (not (empty .Values.env.apiSecrets.amazonmq_secret_arn)) (not (empty .Values.env.rabbitmq_user_key)) (not (empty .Values.env.rabbitmq_password_key)) }} | ||
| AMAZONMQ_SECRET_ARN: {{ .Values.env.apiSecrets.amazonmq_secret_arn | quote }} | ||
| {{- end }} | ||
| {{- if and (not (empty .Values.env.apiSecrets.elasticache_secret_arn)) (not (empty .Values.env.redis_auth_token_key)) }} | ||
| ELASTICACHE_SECRET_ARN: {{ .Values.env.apiSecrets.elasticache_secret_arn | quote }} | ||
| {{- end }} | ||
| {{- if and (not (empty .Values.env.apiSecrets.rds_secret_arn)) (not (empty .Values.env.rds_db_host_key)) (not (empty .Values.env.rds_db_name_key)) (not (empty .Values.env.rds_db_password_key)) (not (empty .Values.env.rds_db_port_key)) (not (empty .Values.env.rds_db_username_key)) }} | ||
| RDS_SECRET_ARN: {{ .Values.env.apiSecrets.rds_secret_arn | quote }} | ||
| {{- end }} | ||
|
|
||
| {{- if .Values.services.redis.local_setup }} | ||
| REDIS_URL: "redis://{{ .Release.Name }}-redis.{{ .Release.Namespace }}.svc.cluster.local:6379/" | ||
| {{- else }} | ||
|
|
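Review bot: a partially configured secret silently disappears instead of failing the render. Each ARN is emitted only when the ARN and every companion `*_key` value are non-empty, so `rds_secret_arn` set with, say, `rds_db_port_key` left blank yields a Secret with no `RDS_SECRET_ARN` at all and no complaint from `helm template`; the operator only finds out when the workload cannot reach the database. Prefer to `fail` when an ARN is set but one of its keys is missing, for example `{{- if and .Values.env.apiSecrets.rds_secret_arn (empty .Values.env.rds_db_port_key) }}{{ fail "env.rds_db_port_key is required when env.apiSecrets.rds_secret_arn is set" }}{{- end }}`, and keep the all-or-nothing gate only for the case where the ARN itself is empty. Separately, the unchanged context just above the new block defaults `LIVE_SERVER_SECRET_KEY` and `PI_INTERNAL_SECRET` to fixed literals, so every installation that does not override them shares the same internal secrets; since this PR already extends this Secret, it is a good moment to switch those to `required` or a generated value.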
@@ -91,3 +102,31 @@ data: | |
| {{- else}} | ||
| CORS_ALLOWED_ORIGINS: "http://{{ .Values.license.licenseDomain }},https://{{ .Values.license.licenseDomain }}" | ||
| {{- end }} | ||
|
|
||
| # Secret cache TTL for the credentials provider used by the app. | ||
| AWS_SECRET_CACHE_TTL: {{ .Values.env.aws_secret_cache_ttl | default "300" | quote }} | ||
|
|
||
| # Runner base URL used by the automation runner integration. | ||
| {{- if .Values.env.runner_base_url }} | ||
| RUNNER_BASE_URL: {{ .Values.env.runner_base_url | quote }} | ||
| {{- else }} | ||
| RUNNER_BASE_URL: "http://plane-node-runner.{{ .Release.Namespace }}.svc.cluster.local:3000" | ||
| {{- end }} | ||
|
Comment on lines +109 to +114 (Contributor)

Analysis chain (scripts executed):

```sh
#!/bin/bash
# Check if node-runner service is defined in this chart with a fixed or release-based name
rg -n "node-runner" --type yaml charts/plane-enterprise/

# Check service definitions and deployments to understand the naming pattern
fd "service" charts/plane-enterprise/templates/ -type f | head -20

# Look for other service URL patterns in app-env.yaml to compare naming conventions
rg -A 2 "Release.Name" charts/plane-enterprise/templates/config-secrets/app-env.yaml | head -40

# Check if there are any node-runner related deployments or services
fd . charts/plane-enterprise/templates/ -type f -exec rg -l "runner" {} \;

# Check values.yaml for runner configuration and service definitions
head -100 charts/plane-enterprise/values.yaml | grep -A 10 -B 10 "runner\|Runner" || rg -C 5 "runner.*service\|node.runner" charts/plane-enterprise/values.yaml | head -50

# Check if node-runner has deployment templates in this chart
find charts/plane-enterprise/templates -type f -name "*runner*" -o -type f -name "*node*"

# Look for Chart.yaml or dependencies that might reference node-runner
rg -i "dependencies|node-runner" charts/plane-enterprise/Chart.yaml

# Check if there's a separate node-runner chart
ls -la charts/ | grep -i runner

# Check the values.yaml file for runner-related configuration
grep -n "runner" charts/plane-enterprise/values.yaml

# Look at the complete context of RUNNER_BASE_URL in app-env.yaml
sed -n '100,120p' charts/plane-enterprise/templates/config-secrets/app-env.yaml

# Check if there are any other references to "plane-node-runner" in the entire chart
rg "plane-node-runner" charts/plane-enterprise/

# Check if there's any documentation about plane-node-runner in README or docs
find charts/plane-enterprise -name "*.md" -o -name "*.txt" -o -name "*.rst" | xargs grep -l "node-runner\|runner" 2>/dev/null

# Check the git history to see if there's context about this naming choice
git log --oneline -n 30 -- charts/plane-enterprise/templates/config-secrets/app-env.yaml 2>/dev/null | head -10

# Look at the entire values.yaml section about services to understand the architecture
sed -n '480,510p' charts/plane-enterprise/values.yaml
```

Hardcoded service name doesn't follow release-name convention. The default
||
|
|
||
| # AWS Secrets Manager key mappings (key names, not the secret ARNs). | ||
| {{- if and (not (empty .Values.env.apiSecrets.elasticache_secret_arn)) (not (empty .Values.env.redis_auth_token_key)) }} | ||
| REDIS_AUTH_TOKEN_KEY: {{ .Values.env.redis_auth_token_key | quote }} | ||
| {{- end }} | ||
|
|
||
| {{- if and (not (empty .Values.env.apiSecrets.amazonmq_secret_arn)) (not (empty .Values.env.rabbitmq_user_key)) (not (empty .Values.env.rabbitmq_password_key)) }} | ||
| RABBITMQ_USER_KEY: {{ .Values.env.rabbitmq_user_key | quote }} | ||
| RABBITMQ_PASSWORD_KEY: {{ .Values.env.rabbitmq_password_key | quote }} | ||
| {{- end }} | ||
|
|
||
| {{- if and (not (empty .Values.env.apiSecrets.rds_secret_arn)) (not (empty .Values.env.rds_db_host_key)) (not (empty .Values.env.rds_db_name_key)) (not (empty .Values.env.rds_db_password_key)) (not (empty .Values.env.rds_db_port_key)) (not (empty .Values.env.rds_db_username_key)) }} | ||
| RDS_DB_HOST_KEY: {{ .Values.env.rds_db_host_key | quote }} | ||
| RDS_DB_NAME_KEY: {{ .Values.env.rds_db_name_key | quote }} | ||
| RDS_DB_PASSWORD_KEY: {{ .Values.env.rds_db_password_key | quote }} | ||
| RDS_DB_PORT_KEY: {{ .Values.env.rds_db_port_key | quote }} | ||
| RDS_DB_USERNAME_KEY: {{ .Values.env.rds_db_username_key | quote }} | ||
| {{- end }} | ||
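Review bot: the gating conditions for the `*_KEY` mappings are copied verbatim from the Secret template, and the two copies must stay byte-identical for the wiring to work. The RDS condition alone repeats six `not (empty ...)` checks that also appear under `stringData`; if one copy is edited and the other is not, a workload receives `RDS_SECRET_ARN` without its key names, or the key names without the ARN, and nothing in the chart flags the mismatch. Move each condition into a named template (for example `{{- define "plane.rdsSecretsEnabled" -}}` in the chart's helpers file) and call it from both `app-env.yaml` blocks, so a single edit changes both. The same applies to the ElastiCache and AmazonMQ conditions. The hardcoded `plane-node-runner` host in the `RUNNER_BASE_URL` fallback has already been raised above and needs no second note.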
Redis hosted-service example uses the wrong AWS service name
Line 160 references “aws rds” for Redis; this should be Redis-specific (e.g., AWS ElastiCache/MemoryDB) to avoid operator confusion.