Minor updates

Author: danciaclara

api-reference/inbox-issue/overview.mdx

@@ -8,7 +8,7 @@ title: Overview
 We are deprecating all `/api/v1/.../inbox-issues/` endpoints in favor of `/api/v1/.../intake-issues/`.
 
 **End of support**  
-28th February 2025
+31st March 2025
 
 **What you need to do**  
 To ensure uninterrupted service, replace all `/inbox-issues/` references with `/intake-issues/` in your codebase before the support end date.

api-reference/intake-issue/overview.mdx

@@ -8,7 +8,7 @@ title: Overview
 We are deprecating all `/api/v1/.../inbox-issues/` endpoints in favor of `/api/v1/.../intake-issues/`.
 
 **End of support**  
-28th February 2025
+31st March 2025
 
 **What you need to do**  
 To ensure uninterrupted service, replace all `/inbox-issues/` references with `/intake-issues/` in your codebase before the support end date.

mint.json

@@ -69,6 +69,7 @@
       "pages": [
         "self-hosting/methods/docker-compose",
         "self-hosting/methods/kubernetes",
+        "self-hosting/methods/docker-swarm",
         "self-hosting/methods/portainer"
       ]
     },
@@ -99,6 +100,7 @@
               "self-hosting/govern/integrations/gitlab"
             ]
         },
+        "self-hosting/govern/external-secrets",
         "self-hosting/govern/reverse-proxy",
         "self-hosting/telemetry"
       ]

self-hosting/govern/external-secrets.mdx

@@ -0,0 +1,193 @@
+---
+title: Configure external secrets for Kubernetes deployments
+sidebarTitle: External secrets
+---
+
+This guide explains how to integrate Plane with external secret management solutions, enabling secure and centralized management of sensitive configuration data. The examples provided cover AWS Secrets Manager and HashiCorp Vault integrations, but you can adapt these patterns to your preferred secret management solution.
+
+## AWS Secrets Manager
+
+1. Create a dedicated IAM user (e.g., `external-secret-access-user`). You can uncheck **Console Access Required**.
+2. Generate `ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` and keep them handy.
+3. Note the user's ARN for later use (format: `arn:aws:iam::<account-id>:user/<user-name>`).
+
+4. Create IAM policy (e.g., `external-secret-access-policy`) with the following JSON:
+
+    ```json
+    {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+        "Effect": "Allow",
+        "Action": [
+            "secretsmanager:GetResourcePolicy",
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:DescribeSecret",
+            "secretsmanager:ListSecretVersionIds"
+        ],
+        "Resource": [
+            "arn:aws:secretsmanager:<REGION>:<ACCOUNT-ID>:secret:*"
+        ]
+        }
+    ]
+    }
+    ```
+    Replace `<REGION>` and `<ACCOUNT-ID>` with your AWS region and account ID.
+
+5. Create IAM role (e.g., external-secret-access-role) with the following trust relationship:
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "<IAM-USER-ARN>"
+                },
+                "Action": "sts:AssumeRole"
+            }
+        ]
+    }
+    ```
+
+    Replace `<IAM-USER-ARN>` with the ARN of the user created in step 1.   
+
+6. Attach the AWS IAM policy created in step 4 to the IAM role.
+
+7. Create secrets in AWS Secrets Manager with your Plane configuration values. For example, store RabbitMQ credentials with a name   like `prod/secrets/rabbitmq`.
+
+    |Key|Value|
+    |-------|--------|
+    |RABBITMQ_DEFAULT_USER|plane|
+    |RABBITMQ_DEFAULT_PASS|plane123|
+
+    Follow this pattern to manage all the [environment variables](/self-hosting/methods/kubernetes#external-secrets-config) in AWS Secrets Manager.
+
+8. Create a Kubernetes secret containing AWS credentials in your application namespace:
+    ```sh
+    kubectl create secret generic aws-creds-secret \
+    --from-literal=access-key=<AWS_ACCESS_KEY_ID> \
+    --from-literal=secret-access-key=<AWS_SECRET_ACCESS_KEY> \
+    -n <application_namespace>
+    ```
+
+9. Apply the following YAML to create a ClusterSecretStore resource:
+    ```yaml
+    apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore
+    metadata:
+    name: cluster-aws-secretsmanager
+    spec:
+    provider:
+        aws:
+        service: SecretsManager
+        role: arn:aws:iam::<ACCOUNT-ID>:role/<IAM ROLE>
+        region: eu-west-1
+        auth:
+            secretRef:
+            accessKeyIDSecretRef:
+                name: aws-creds-secret
+                key: access-key
+            secretAccessKeySecretRef:
+                name: aws-creds-secret
+                key: secret-access-key
+    ```
+    Replace `<ACCOUNT-ID>` and `<IAM ROLE>` with your AWS account ID and the role name created in Step 5.
+
+10. Create an ExternalSecret resource to fetch secrets from AWS and create a corresponding Kubernetes secret:
+    ```yaml
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+    name: secret
+    namespace: <application_namespace>
+    spec:
+    refreshInterval: 1m
+    secretStoreRef:
+        name: cluster-aws-secretsmanager # ClusterSecretStore name
+        kind: ClusterSecretStore
+    target:
+        name: rabbitmq-secret # Target Kubernetes secret name
+        creationPolicy: Owner
+    data:
+        - secretKey: RABBITMQ_DEFAULT_USER # Specifies the key name for the secret value in the Kubernetes secret.
+        remoteRef:
+            key: prod/secrets/rabbitmq # Specifies the name to the secret in the AWS Secrets Manager
+            property: RABBITMQ_DEFAULT_USER # Specifies the name of the secret property to retrieve from the AWS Secrets Manager
+        - secretKey: RABBITMQ_DEFAULT_PASS
+        remoteRef:
+            key: prod/secrets/rabbitmq
+            property: RABBITMQ_DEFAULT_PASS
+    ```
+
+Make sure to set all [environment variables](/self-hosting/methods/kubernetes#external-secrets-config) in the AWS Secrets Manager, and then access them via ExternalSecret resources in your Kubernetes cluster.
+
+## HashiCorp Vault
+
+1. Access the Vault UI at `https://<vault-domain>/`.
+
+2. Set up a KV secrets engine if not already configured.
+
+3. Create a secret with your Plane configuration values (e.g., `secrets/rabbitmq_secrets`). For this example, we're setting up RabbitMQ credentials:
+
+    |Key|Value|
+    |-------|--------|
+    |RABBITMQ_DEFAULT_USER|plane|
+    |RABBITMQ_DEFAULT_PASS|plane123|
+
+    Follow this pattern to manage all the other [environment variables](/self-hosting/methods/kubernetes#external-secrets-config) in the Vault.
+
+4. Create a Kubernetes secret containing your Vault token in your application namespace:
+    ```sh
+    kubectl create secret generic vault-token -n <application_namespace> --from-literal=token=<VAULT-TOKEN>
+    ```
+
+5. Apply the following YAML to create a ClusterSecretStore resource:
+    ```yaml
+    #  cluster-store.yaml 
+    apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore 
+    metadata:
+    name: vault-backend
+    spec:
+    provider:
+        vault: 
+        server: "https://<vault-domain>" #the address of your vault instance
+        path: "secrets" #path for accessing the secrets
+        version: "v2" #Vault API version
+        auth:
+            tokenSecretRef:
+            name: "vault-token" #Use a k8s secret called vault-token
+            key: "token" #Use this key to access the vault token
+    ```
+
+    Replace `<vault-domain>` with your Vault server address.
+
+6. Create an ExternalSecret resource to fetch secrets from Vault and create a corresponding Kubernetes secret:
+    ```yaml
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+    name: rabbitmq-external-secrets
+    namespace: <application_namespace> # application-namespace
+    spec:
+    refreshInterval: "1m" 
+    secretStoreRef:
+        name: vault-backend # ClusterSecretStore name
+        kind: ClusterSecretStore
+    target: 
+        name: rabbitmq-secret # Target Kubernetes secret name
+        creationPolicy: Owner 
+    data: 
+        - secretKey: RABBITMQ_DEFAULT_USER # Specifies the key name for the secret value stored in the Kubernetes secret.
+        remoteRef:
+            key: secrets/data/rabbitmq_secrets # Specifies the name to the secret in the Vault secret store.
+            property: RABBITMQ_DEFAULT_USER # Specifies the name of the secret property to retrieve from the Vault secret store.
+        - secretKey: RABBITMQ_DEFAULT_PASS
+        remoteRef:
+            key: secrets/data/rabbitmq_secrets
+            property: RABBITMQ_DEFAULT_PASS
+    ```
+
+Follow this pattern to manage all the environment variables in the Vault, then access them via ExternalSecret resources in your Kubernetes cluster.

self-hosting/manage/prime-cli.mdx

@@ -32,7 +32,7 @@ Bring up the Prime CLI with ```sudo prime-cli``` from any directory on your mach
 
 - `healthcheck` is another useful utility that lets you see the status and errors, if any, of all running services
 
-- `repair` fixes your Plane install for common errors automatically.
+- `repair` automatically diagnoses and fixes common errors in your Plane instance. This command also resets all configuration values in the plane.env file to their defaults. 
 
 - `update-cli` downloads and installs the latest version of Prime CLI.
     <Tip>

self-hosting/methods/docker-swarm.mdx

@@ -0,0 +1,58 @@
+---
+title: Docker Swarm
+---
+
+This guide shows you the steps to deploy a self-hosted instance of the Plane Commercial Edition using Docker Swarm.
+
+## Install Plane
+
+### Prerequisites
+   - Before you get started, make sure you have a Docker Swarm environment set up and ready to go. 
+   - Your setup should support either amd64 or arm64 architectures.
+
+### Procedure
+
+1. **Download the required depoyment files**  
+    - `docker-compose.yml` – Defines Plane's services and dependencies.
+        ```bash
+        curl -fsSL https://prime.plane.so/releases/<plane-version>/docker-compose.yml -o docker-compose.yml
+        ```
+    - `variables.env` – Stores environment variables for your deployment.
+        ```bash
+        curl -fsSL https://prime.plane.so/releases/<plane-version>/variables.env -o plane.env
+        ```
+    <Warning>
+    The `<plane-version>` value should be v1.8.2 or higher.
+    </Warning>
+
+2. **Configure environment variables**  
+    Before deploying, edit the `variables.env` file in your preferred text editor and update the following values:
+
+    - `DOMAIN_NAME` – (required) Your application's domain name.
+    - `SITE_ADDRESS` – (required) The full domain name (FQDN) of your instance.
+    - `MACHINE_SIGNATURE` – (required) A unique identifier for your machine. You can generate this by running below code in terminal:
+        ```sh
+        sed -i 's/MACHINE_SIGNATURE=.*/MACHINE_SIGNATURE='$(openssl rand -hex 16)'/' plane.env 
+        ```
+    - `CERT_EMAIL` – (optional) Email address for SSL certificate generation (only needed if you're setting up HTTPS).
+
+3. **Configure external DB, Redis, and RabbitMQ**
+    <Warning>
+    When self-hosting Plane for production use, it is strongly recommended to configure external database and storage. This ensures that your data remains secure and accessible even if the local machine crashes or encounters hardware issues. Relying solely on local storage for these components increases the risk of data loss and service disruption.
+    </Warning>
+   - `DATABASE_URL` – Connection string for your external database.
+   - `REDIS_URL` – Connection string for your external Redis instance.
+   - `AMQP_URL` – Connection string for your external RabbitMQ server.
+
+
+3. **Load the environment variables**
+    ```bash
+    set -o allexport; source <path-to variables.env>; set +o allexport;
+    ```
+
+4. **Deploy the stack**
+    ```bash
+    docker stack deploy -c <path-to docker-compose.yml> plane
+    ```
+
+That's it! This will deploy Plane as a Swarm stack, and your instance should be accessible on your configured domain.