From dbfbac259f65058608a0062c45da9468390637ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20J=C3=B6rg=20Wieland?= Date: Sun, 23 Nov 2025 15:01:44 +0100 Subject: [PATCH 1/6] feat: replace with list value --- charts/plane-enterprise/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/plane-enterprise/values.yaml b/charts/plane-enterprise/values.yaml index cd44316..f4dc97b 100644 --- a/charts/plane-enterprise/values.yaml +++ b/charts/plane-enterprise/values.yaml @@ -16,8 +16,7 @@ airgapped: # mount the CA bundle into the API pod by passing it in as an environment # variable. Should be the full path to the CA bundle file, e.g. # - s3SecretName: "" - s3SecretKey: "" + s3Secrets: [] ingress: enabled: true From e0b5abad0c370905e3d380e22edebf25763fa6ea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20J=C3=B6rg=20Wieland?= Date: Sun, 23 Nov 2025 15:02:18 +0100 Subject: [PATCH 2/6] feat: Use projected volume and update script to work with multiple certificates --- .../templates/workloads/api.deployment.yaml | 44 ++++++++++--------- .../workloads/worker.deployment.yaml | 42 ++++++++++-------- 2 files changed, 47 insertions(+), 39 deletions(-) diff --git a/charts/plane-enterprise/templates/workloads/api.deployment.yaml b/charts/plane-enterprise/templates/workloads/api.deployment.yaml index 44367aa..c661c70 100644 --- a/charts/plane-enterprise/templates/workloads/api.deployment.yaml +++ b/charts/plane-enterprise/templates/workloads/api.deployment.yaml 
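Review bot: The new `s3Secrets: []` default in values.yaml carries no description of what a list item looks like, and the comment block above it still describes a CA bundle path. A short comment such as `# List of {name, key} items: name is the Secret, key is the data key holding a .crt CA certificate` would make the schema discoverable. Releases that still set `airgapped.s3SecretName` / `airgapped.s3SecretKey` will, as far as the templates in this series show, skip the CA installation after upgrade without any error. An upgrade note, or a template `fail` when the old keys are set, would surface that as a clear message instead of a TLS failure at runtime.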
@@ -40,14 +40,18 @@ spec: annotations: timestamp: {{ now | quote }} spec: - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} volumes: - name: s3-custom-ca - secret: - secretName: {{ .Values.airgapped.s3SecretName }} - items: - - key: {{ .Values.airgapped.s3SecretKey }} - path: {{ .Values.airgapped.s3SecretKey }} + projected: + sources: + {{- range .Values.airgapped.s3Secrets }} + - secret: + name: {{ .name }} + items: + - key: {{ .key }} + path: {{ .key }} + {{- end }} {{- end }} containers: - name: {{ .Release.Name }}-api @@ -62,7 +66,7 @@ spec: limits: memory: {{ .Values.services.api.memoryLimit | default "1000Mi" | quote }} cpu: {{ .Values.services.api.cpuLimit | default "500m" | quote}} - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} volumeMounts: - name: s3-custom-ca mountPath: /s3-custom-ca @@ -73,18 +77,18 @@ spec: - -c - | set -e - - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }} + + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} echo "Installing custom CA certificates..." - + # Ensure ca-certificates directory exists mkdir -p /usr/local/share/ca-certificates - - # Install custom S3 CA if available - S3_CERT_FILE="{{ .Values.airgapped.s3SecretKey }}" - if [ -f "/s3-custom-ca/$S3_CERT_FILE" ]; then - echo "Installing S3 custom CA certificate..." - cp "/s3-custom-ca/$S3_CERT_FILE" "/usr/local/share/ca-certificates/$S3_CERT_FILE" + + # Install custom S3 CA certs if available + if [ "$(ls -A /s3-custom-ca)" ]; then + echo "Found certificates in /s3-custom-ca. Installing..." + # Copy all files from the mount to the system folder + cp /s3-custom-ca/* /usr/local/share/ca-certificates/ # Update CA certificates update-ca-certificates echo "CA certificates installed successfully" 
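Review bot: In the new `range` over `.Values.airgapped.s3Secrets`, `.name` and `.key` are rendered unquoted and unvalidated, so an item with a missing or empty field produces a null `name:` / `key:` and a manifest that fails only at apply time. Consider `name: {{ required "airgapped.s3Secrets[].name is required" .name | quote }}`, with the same treatment for `key` and `path`. Because every source projects to `path: {{ .key }}` in one directory, two items that use the same key name collide. I believe the API server rejects duplicate paths in a projected volume, so the README should state that keys must be unique across the list. The identical block is added to worker.deployment.yaml.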
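Review bot: The emptiness test `[ "$(ls -A /s3-custom-ca)" ]` is likely always true on a mounted Secret/projected volume, because `ls -A` also lists the kubelet's hidden `..data` entries. That leaves the "No custom S3 CA certificate found" branch effectively dead, and if the glob matches nothing, `cp` fails under `set -e` and the container exits. `cp /s3-custom-ca/*` also copies every projected key into the trust directory whatever its name, while Debian-style `update-ca-certificates` only picks up `*.crt`, so a key such as `ca.pem` would be silently left untrusted (the base image is not visible here, so please confirm). Matching on the extension makes both cases explicit: `if ls /s3-custom-ca/*.crt >/dev/null 2>&1; then` and `cp /s3-custom-ca/*.crt /usr/local/share/ca-certificates/`. The same script change is made in worker.deployment.yaml.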
@@ -92,7 +96,7 @@ spec: echo "No custom S3 CA certificate found, skipping..." fi {{- end }} - + # Start the API exec ./bin/docker-entrypoint-api-ee.sh envFrom: @@ -111,9 +115,9 @@ spec: optional: false {{- end }} - {{- if or .Values.extraEnv (and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey) }} + {{- if or .Values.extraEnv (and .Values.airgapped.enabled .Values.airgapped.s3Secrets) }} env: - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} - name: SSL_CERT_FILE value: "/etc/ssl/certs/ca-certificates.crt" - name: SSL_CERT_DIR @@ -140,4 +144,4 @@ spec: {{- include "plane.podScheduling" .Values.services.api }} serviceAccount: {{ .Release.Name }}-srv-account serviceAccountName: {{ .Release.Name }}-srv-account ---- \ No newline at end of file +--- diff --git a/charts/plane-enterprise/templates/workloads/worker.deployment.yaml b/charts/plane-enterprise/templates/workloads/worker.deployment.yaml index 99a8fbf..657f286 100644 --- a/charts/plane-enterprise/templates/workloads/worker.deployment.yaml +++ b/charts/plane-enterprise/templates/workloads/worker.deployment.yaml @@ -17,14 +17,18 @@ spec: annotations: timestamp: {{ now | quote }} spec: - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} volumes: - name: s3-custom-ca - secret: - secretName: {{ .Values.airgapped.s3SecretName }} - items: - - key: {{ .Values.airgapped.s3SecretKey }} - path: {{ .Values.airgapped.s3SecretKey }} + projected: + sources: + {{- range .Values.airgapped.s3Secrets }} + - secret: + name: {{ .name }} + items: + - key: {{ .key }} + path: {{ .key }} + {{- end }} {{- end }} containers: - name: {{ .Release.Name }}-worker 
@@ -39,7 +43,7 @@ spec: limits: memory: {{ .Values.services.worker.memoryLimit | default "1000Mi" | quote }} cpu: {{ .Values.services.worker.cpuLimit | default "500m" | quote}} - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} volumeMounts: - name: s3-custom-ca mountPath: /s3-custom-ca @@ -50,18 +54,18 @@ spec: - -c - | set -e - - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} echo "Installing custom CA certificates..." - + # Ensure ca-certificates directory exists mkdir -p /usr/local/share/ca-certificates - + # Install custom S3 CA if available - S3_CERT_FILE="{{ .Values.airgapped.s3SecretKey }}" - if [ -f "/s3-custom-ca/$S3_CERT_FILE" ]; then - echo "Installing S3 custom CA certificate..." - cp "/s3-custom-ca/$S3_CERT_FILE" "/usr/local/share/ca-certificates/$S3_CERT_FILE" + if [ "$(ls -A /s3-custom-ca)" ]; then + echo "Found certificates in /s3-custom-ca. Installing..." + # Copy all files from the mount to the system folder + cp /s3-custom-ca/* /usr/local/share/ca-certificates/ # Update CA certificates update-ca-certificates echo "CA certificates installed successfully" @@ -69,7 +73,7 @@ spec: echo "No custom S3 CA certificate found, skipping..." fi {{- end }} - + # Start the worker exec ./bin/docker-entrypoint-worker.sh envFrom: 
@@ -88,9 +92,9 @@ spec: optional: false {{- end }} - {{- if or .Values.extraEnv (and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey) }} + {{- if or .Values.extraEnv (and .Values.airgapped.enabled .Values.airgapped.s3Secrets) }} env: - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} - name: SSL_CERT_FILE value: "/etc/ssl/certs/ca-certificates.crt" - name: SSL_CERT_DIR @@ -108,4 +112,4 @@ spec: {{- include "plane.podScheduling" .Values.services.worker }} serviceAccount: {{ .Release.Name }}-srv-account serviceAccountName: {{ .Release.Name }}-srv-account ---- \ No newline at end of file +--- From 6d8eaa1b0ec8c0b84f7793be68f42a8eb80bb9eb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20J=C3=B6rg=20Wieland?= Date: Sun, 23 Nov 2025 15:02:41 +0100 Subject: [PATCH 3/6] fix: Should point to the system generated ca-certificates file --- .../plane-enterprise/templates/config-secrets/app-env.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/plane-enterprise/templates/config-secrets/app-env.yaml b/charts/plane-enterprise/templates/config-secrets/app-env.yaml index 0d8d113..4d5c95d 100644 --- a/charts/plane-enterprise/templates/config-secrets/app-env.yaml +++ b/charts/plane-enterprise/templates/config-secrets/app-env.yaml @@ -32,8 +32,8 @@ stringData: AMQP_URL: "" {{ end }} - {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} - AWS_CA_BUNDLE: "/s3-custom-ca/{{ .Values.airgapped.s3SecretKey }}" + {{- if and .Values.airgapped.enabled .Values.airgapped.s3Secrets }} + AWS_CA_BUNDLE: "/etc/ssl/certs/ca-certificates.crt" {{- end }} {{- end }} 
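Review bot: Pointing `AWS_CA_BUNDLE` at `/etc/ssl/certs/ca-certificates.crt` widens what the S3 client trusts from the single custom CA file to the whole system store plus every certificate listed in `s3Secrets`. If pinning S3 to the private CA was intended, that property is lost and should be called out. The value is also only correct in containers whose start command ran `update-ca-certificates` (api and worker in this series); any other workload reading this Secret would get a bundle without the custom CA, and the hunk does not show which pods consume it. A comment above the line, e.g. `# system bundle regenerated by update-ca-certificates in the api/worker start script; includes the airgapped.s3Secrets CAs`, would document the dependency. The enclosing `stringData` block starts outside the hunk.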
@@ -78,4 +78,4 @@ data: CORS_ALLOWED_ORIGINS: "http://{{ .Values.license.licenseDomain }},https://{{ .Values.license.licenseDomain }},{{ .Values.env.cors_allowed_origins }}" {{- else}} CORS_ALLOWED_ORIGINS: "http://{{ .Values.license.licenseDomain }},https://{{ .Values.license.licenseDomain }}" - {{- end }} \ No newline at end of file + {{- end }} From cff016a7be8f64c79fa17d016cea2b0e628b4c42 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20J=C3=B6rg=20Wieland?= Date: Sun, 23 Nov 2025 15:03:04 +0100 Subject: [PATCH 4/6] docs: Update docs related to CA certs, remove whitespaces --- charts/plane-enterprise/README.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/charts/plane-enterprise/README.md b/charts/plane-enterprise/README.md index 7305f38..8228a52 100644 --- a/charts/plane-enterprise/README.md +++ b/charts/plane-enterprise/README.md 
@@ -98,11 +98,10 @@ ### Air-gapped Settings -| Setting | Default | Required | Description | -| ---------------------- | :-----: | :------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. | -| airgapped.s3SecretName | "" | No | Name of the Secret that contains the CA certificate (.crt). The Secret must include a data key whose filename matches the basename of `airgapped.s3SecretKey`. Used to override S3’s CA when `airgapped.enabled=true`. Applying this secret looks like: `kubectl -n plane create secret generic plane-s3-ca \ --from-file=s3-custom-ca.crt=/path/to/your/ca.crt` | -| airgapped.s3SecretKey | "" | No | Key name of the secret to load the Custom Root CA from `airgapped.s3SecretName` | +| Setting | Default | Required | Description | +|-----------------------|:-------:| :------: |----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. | +| airgapped.s3Secrets | [] | No | List of Kubernetes Secrets containing CA certificates to install. Each item in the list must contain a `name` (the Secret name) and a `key` (the file key inside the Secret). Applying a secret looks like: `kubectl -n plane create secret generic plane-s3-ca \ --from-file=s3-custom-ca.crt=/path/to/your/ca.crt` | ### Postgres 
@@ -184,7 +183,7 @@ | env.aws_access_key | | | External `S3` (or compatible) storage service provides `access key` for the application to connect and do the necessary upload/download operations. To be provided when `services.minio.local_setup=false` | | env.aws_secret_access_key | | | External `S3` (or compatible) storage service provides `secret access key` for the application to connect and do the necessary upload/download operations. To be provided when `services.minio.local_setup=false` | | env.aws_region | | | External `S3` (or compatible) storage service providers creates any buckets in user selected region. This is also shared with the user as `region` for the application to connect and do the necessary upload/download operations. To be provided when `services.minio.local_setup=false` | -| env.aws_s3_endpoint_url | | | External `S3` (or compatible) storage service providers shares a `endpoint_url` for the integration purpose for the application to connect and do the necessary upload/download operations. To be provided when `services.minio.local_setup=false` | +| env.aws_s3_endpoint_url | | | External `S3` (or compatible) storage service providers shares a `endpoint_url` for the integration purpose for the application to connect and do the necessary upload/download operations. To be provided when `services.minio.local_setup=false` | | env.use_storage_proxy | false | | When set to `true`, all S3 (or compatible) file GET requests from the browser are proxied through Plane's API service instead of accessing the S3 endpoint directly. Enable this if your storage endpoint is not accessible publicly or you want to control/download access through the API. Default is `false`. | ### Web Deployment 
@@ -317,9 +316,9 @@ | services.silo.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | | services.silo.nodeSelector | {} | | This key allows you to set the node selector for the deployment of `silo`. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | | services.silo.tolerations | [] | | This key allows you to set the tolerations for the deployment of `silo`. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | -| services.silo.affinity | {} | | This key allows you to set the affinity rules for the deployment of `silo`. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | +| services.silo.affinity | {} | | This key allows you to set the affinity rules for the deployment of `silo`. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | | services.silo.labels | {} | | Custom labels to add to the silo deployment | -| services.silo.annotations | {} | | Custom annotations to add to the silo deployment | +| services.silo.annotations | {} | | Custom annotations to add to the silo deployment | | services.silo.connectors.slack.enabled | false | | Slack Integration | | services.silo.connectors.slack.client_id | "" | required if `services.silo.connectors.slack.enabled` is `true` | Slack Client ID | | services.silo.connectors.slack.client_secret | "" | required if `services.silo.connectors.slack.enabled` is `true` | Slack Client Secret | 
@@ -337,11 +336,11 @@ | env.silo_envs.request_interval | 400 | | Request interval for Silo | | env.silo_envs.sentry_dsn | | | Sentry DSN | | env.silo_envs.sentry_environment | | | Sentry Environment | -| env.silo_envs.sentry_traces_sample_rate | | | Sentry Traces Sample Rate | +| env.silo_envs.sentry_traces_sample_rate | | | Sentry Traces Sample Rate | | env.silo_envs.hmac_secret_key | <random-32-bit-string> | | HMAC Secret Key | | env.silo_envs.aes_secret_key | "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | | AES Secret Key | - + ### Worker Deployment | Setting | Default | Required | Description | From 1fbc3db55d9feee8d61454eab0ad6a9191568b01 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20J=C3=B6rg=20Wieland?= Date: Sun, 23 Nov 2025 15:03:13 +0100 Subject: [PATCH 5/6] chore: Update questions to match new values --- charts/plane-enterprise/questions.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/plane-enterprise/questions.yml b/charts/plane-enterprise/questions.yml index 63bd2ae..78271b8 100644 --- a/charts/plane-enterprise/questions.yml +++ b/charts/plane-enterprise/questions.yml @@ -87,11 +87,11 @@ questions: group: "License Setup" show_subquestion_if: true subquestions: - - variable: airgapped.s3SecretName + - variable: airgapped.s3Secrets[0].name label: "S3 Secret Name" type: string default: "" - - variable: airgapped.s3SecretKey + - variable: airgapped.s3Secrets[0].key label: "S3 Secret Key" type: string default: "" From a7ffb9287289fdeb204f90f2bf04f91b7f59db25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hans=20J=C3=B6rg=20Wieland?= Date: Sun, 23 Nov 2025 15:03:22 +0100 Subject: [PATCH 6/6] chore: chart version bump --- charts/plane-enterprise/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/plane-enterprise/Chart.yaml b/charts/plane-enterprise/Chart.yaml index c3959d2..cca6a06 100644 --- a/charts/plane-enterprise/Chart.yaml +++ b/charts/plane-enterprise/Chart.yaml 
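Review bot: The two subquestions in questions.yml now write `airgapped.s3Secrets[0].name` and `airgapped.s3Secrets[0].key` with `default: ""`, so leaving them blank may still produce a one-element list. This depends on how the catalog UI handles empty defaults, so please verify. A non-empty list satisfies `if and .Values.airgapped.enabled .Values.airgapped.s3Secrets` in the deployment templates, which would then render a projected source with an empty Secret name; the old empty strings simply disabled the block. Either mark both questions `required: true` or have the templates skip items whose `name` or `key` is empty.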
@@ -5,7 +5,7 @@ description: Meet Plane. An Enterprise software development tool to manage issue type: application -version: 1.6.5 +version: 1.6.6 appVersion: "1.17.0" home: https://plane.so/