Merge pull request #78 from makeplane/external-secrets

External secrets

Author: danciaclara

mint.json

@@ -98,6 +98,7 @@
               "self-hosting/govern/integrations/gitlab"
             ]
         },
+        "self-hosting/govern/external-secrets",
         "self-hosting/govern/reverse-proxy",
         "self-hosting/telemetry"
       ]

self-hosting/govern/external-secrets.mdx

@@ -0,0 +1,193 @@
+---
+title: Configure external secrets for Kubernetes deployments
+sidebarTitle: External secrets
+---
+
+This guide explains how to integrate Plane with external secret management solutions, enabling secure and centralized management of sensitive configuration data. The examples provided cover AWS Secrets Manager and HashiCorp Vault integrations, but you can adapt these patterns to your preferred secret management solution.
+
+## AWS Secrets Manager
+
+1. Create a dedicated IAM user (e.g., `external-secret-access-user`). You can uncheck **Console Access Required**.
+2. Generate `ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` and keep them handy.
+3. Note the user's ARN for later use (format: `arn:aws:iam::<account-id>:user/<user-name>`).
+
+4. Create IAM policy (e.g., `external-secret-access-policy`) with the following JSON:
+
+    ```json
+    {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+        "Effect": "Allow",
+        "Action": [
+            "secretsmanager:GetResourcePolicy",
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:DescribeSecret",
+            "secretsmanager:ListSecretVersionIds"
+        ],
+        "Resource": [
+            "arn:aws:secretsmanager:<REGION>:<ACCOUNT-ID>:secret:*"
+        ]
+        }
+    ]
+    }
+    ```
+    Replace `<REGION>` and `<ACCOUNT-ID>` with your AWS region and account ID.
+
+5. Create IAM role (e.g., external-secret-access-role) with the following trust relationship:
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "<IAM-USER-ARN>"
+                },
+                "Action": "sts:AssumeRole"
+            }
+        ]
+    }
+    ```
+
+    Replace `<IAM-USER-ARN>` with the ARN of the user created in step 1.   
+
+6. Attach the AWS IAM policy created in step 4 to the IAM role.
+
+7. Create secrets in AWS Secrets Manager with your Plane configuration values. For example, store RabbitMQ credentials with a name   like `prod/secrets/rabbitmq`.
+
+    |Key|Value|
+    |-------|--------|
+    |RABBITMQ_DEFAULT_USER|plane|
+    |RABBITMQ_DEFAULT_PASS|plane123|
+
+    Follow this pattern to manage all the [environment variables](/self-hosting/methods/kubernetes#external-secrets-config) in AWS Secrets Manager.
+
+8. Create a Kubernetes secret containing AWS credentials in your application namespace:
+    ```sh
+    kubectl create secret generic aws-creds-secret \
+    --from-literal=access-key=<AWS_ACCESS_KEY_ID> \
+    --from-literal=secret-access-key=<AWS_SECRET_ACCESS_KEY> \
+    -n <application_namespace>
+    ```
+
+9. Apply the following YAML to create a ClusterSecretStore resource:
+    ```yaml
+    apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore
+    metadata:
+    name: cluster-aws-secretsmanager
+    spec:
+    provider:
+        aws:
+        service: SecretsManager
+        role: arn:aws:iam::<ACCOUNT-ID>:role/<IAM ROLE>
+        region: eu-west-1
+        auth:
+            secretRef:
+            accessKeyIDSecretRef:
+                name: aws-creds-secret
+                key: access-key
+            secretAccessKeySecretRef:
+                name: aws-creds-secret
+                key: secret-access-key
+    ```
+    Replace `<ACCOUNT-ID>` and `<IAM ROLE>` with your AWS account ID and the role name created in Step 5.
+
+10. Create an ExternalSecret resource to fetch secrets from AWS and create a corresponding Kubernetes secret:
+    ```yaml
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+    name: secret
+    namespace: <application_namespace>
+    spec:
+    refreshInterval: 1m
+    secretStoreRef:
+        name: cluster-aws-secretsmanager # ClusterSecretStore name
+        kind: ClusterSecretStore
+    target:
+        name: rabbitmq-secret # Target Kubernetes secret name
+        creationPolicy: Owner
+    data:
+        - secretKey: RABBITMQ_DEFAULT_USER # Specifies the key name for the secret value in the Kubernetes secret.
+        remoteRef:
+            key: prod/secrets/rabbitmq # Specifies the name to the secret in the AWS Secrets Manager
+            property: RABBITMQ_DEFAULT_USER # Specifies the name of the secret property to retrieve from the AWS Secrets Manager
+        - secretKey: RABBITMQ_DEFAULT_PASS
+        remoteRef:
+            key: prod/secrets/rabbitmq
+            property: RABBITMQ_DEFAULT_PASS
+    ```
+
+Make sure to set all [environment variables](/self-hosting/methods/kubernetes#external-secrets-config) in the AWS Secrets Manager, and then access them via ExternalSecret resources in your Kubernetes cluster.
+
+## HashiCorp Vault
+
+1. Access the Vault UI at `https://<vault-domain>/`.
+
+2. Set up a KV secrets engine if not already configured.
+
+3. Create a secret with your Plane configuration values (e.g., `secrets/rabbitmq_secrets`). For this example, we're setting up RabbitMQ credentials:
+
+    |Key|Value|
+    |-------|--------|
+    |RABBITMQ_DEFAULT_USER|plane|
+    |RABBITMQ_DEFAULT_PASS|plane123|
+
+    Follow this pattern to manage all the other [environment variables](/self-hosting/methods/kubernetes#external-secrets-config) in the Vault.
+
+4. Create a Kubernetes secret containing your Vault token in your application namespace:
+    ```sh
+    kubectl create secret generic vault-token -n <application_namespace> --from-literal=token=<VAULT-TOKEN>
+    ```
+
+5. Apply the following YAML to create a ClusterSecretStore resource:
+    ```yaml
+    #  cluster-store.yaml 
+    apiVersion: external-secrets.io/v1beta1
+    kind: ClusterSecretStore 
+    metadata:
+    name: vault-backend
+    spec:
+    provider:
+        vault: 
+        server: "https://<vault-domain>" #the address of your vault instance
+        path: "secrets" #path for accessing the secrets
+        version: "v2" #Vault API version
+        auth:
+            tokenSecretRef:
+            name: "vault-token" #Use a k8s secret called vault-token
+            key: "token" #Use this key to access the vault token
+    ```
+
+    Replace `<vault-domain>` with your Vault server address.
+
+6. Create an ExternalSecret resource to fetch secrets from Vault and create a corresponding Kubernetes secret:
+    ```yaml
+    apiVersion: external-secrets.io/v1beta1
+    kind: ExternalSecret
+    metadata:
+    name: rabbitmq-external-secrets
+    namespace: <application_namespace> # application-namespace
+    spec:
+    refreshInterval: "1m" 
+    secretStoreRef:
+        name: vault-backend # ClusterSecretStore name
+        kind: ClusterSecretStore
+    target: 
+        name: rabbitmq-secret # Target Kubernetes secret name
+        creationPolicy: Owner 
+    data: 
+        - secretKey: RABBITMQ_DEFAULT_USER # Specifies the key name for the secret value stored in the Kubernetes secret.
+        remoteRef:
+            key: secrets/data/rabbitmq_secrets # Specifies the name to the secret in the Vault secret store.
+            property: RABBITMQ_DEFAULT_USER # Specifies the name of the secret property to retrieve from the Vault secret store.
+        - secretKey: RABBITMQ_DEFAULT_PASS
+        remoteRef:
+            key: secrets/data/rabbitmq_secrets
+            property: RABBITMQ_DEFAULT_PASS
+    ```
+
+Follow this pattern to manage all the environment variables in the Vault, then access them via ExternalSecret resources in your Kubernetes cluster.

self-hosting/methods/kubernetes.mdx

@@ -227,14 +227,40 @@ If you want to upgrade to a paid plan, see [Plan upgrades](https://docs.plane.so
     | services.worker.memoryLimit | 1000Mi |  |  Every deployment in kubernetes can be set to use the maximum memory they are allowed to use. This key sets the memory limit for this deployment to use.|
     | services.worker.cpuLimit | 500m |  | Every deployment in kubernetes can be set to use the maximum cpu they are allowed to use. This key sets the cpu limit for this deployment to use.|
 
-    #### Beat-Worker deployment
+    #### Beat-Worker Deployment
 
     | Setting | Default | Required | Description |
     |---|:---:|:---:|---|
     | services.beatworker.replicas | 1 | Yes | Kubernetes helps you with scaling up or down the deployments. You can run 1 or more pods for each deployment. This key helps you set up the number of replicas you want to run for this deployment. It must be >=1 |
     | services.beatworker.memoryLimit | 1000Mi |  |  Every deployment in kubernetes can be set to use the maximum memory they are allowed to use. This key sets the memory limit for this deployment to use.|
     | services.beatworker.cpuLimit | 500m |  | Every deployment in kubernetes can be set to use the maximum cpu they are allowed to use. This key sets the cpu limit for this deployment to use.|
 
+    #### External Secrets Config
+
+    To configure the external secrets for your application, you need to define specific environment variables for each secret category. Below is a list of the required secrets and their respective environment variables. See [External secrets](/self-hosting/govern/external-secrets) for setup details. 
+
+    | Secret Name | Env Var Name | Required | Description | Example Value |
+    |--- |:---|:---|:---|:---|
+    | rabbitmq_existingSecret     | `RABBITMQ_DEFAULT_USER`  | Required if `rabbitmq.local_setup=true` | The default RabbitMQ user                    | `plane`      |
+    |                      | `RABBITMQ_DEFAULT_PASS`  | Required if `rabbitmq.local_setup=true` | The default RabbitMQ password                | `plane`      |
+    | pgdb_existingSecret         | `POSTGRES_PASSWORD`      | Required if `postgres.local_setup=true` | Password for PostgreSQL database             | `plane`   |
+    |                      | `POSTGRES_DB`            | Required if `postgres.local_setup=true` | Name of the PostgreSQL database              | `plane`      |
+    |                      | `POSTGRES_USER`          | Required if `postgres.local_setup=true` | PostgreSQL user                              | `plane`       |
+    |  doc_store_existingSecret                 | `USE_MINIO`              | Yes | Flag to enable MinIO as the storage backend  | `1`         |
+    |                      | `MINIO_ROOT_USER`        | Yes | MinIO root user                              | `admin`    |
+    |     | `MINIO_ROOT_PASSWORD`    | Yes | MinIO root password                          | `password`    |
+    |                      | `AWS_ACCESS_KEY_ID`      | Yes | AWS Access Key ID                            | `your_aws_key`       |
+    |                      | `AWS_SECRET_ACCESS_KEY`  | Yes | AWS Secret Access Key                        | `your_aws_secret`    |
+    |                      | `AWS_S3_BUCKET_NAME`     | Yes | AWS S3 Bucket Name                           | `your_bucket_name`   |
+    |                      | `AWS_S3_ENDPOINT_URL`    | Yes | Endpoint URL for AWS S3 or MinIO             | `http://plane-minio.plane-ns.svc.cluster.local:9000`  |
+    |                      | `AWS_REGION`             | Optional | AWS region where your S3 bucket is located   | `your_aws_region`    |
+    |                      | `FILE_SIZE_LIMIT`        | Yes | Limit for file uploads in your system        | `5MB`               |
+    | app_env_existingSecret      | `SECRET_KEY`             | Yes | Random secret key                            | `60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5`  |
+    |                      | `REDIS_URL`              | Yes | Redis URL                                    | `redis://plane-redis.plane-ns.svc.cluster.local:6379/`  |
+    |                      | `DATABASE_URL`           | Yes | PostgreSQL connection URL                    | **k8s service example**: `postgresql://plane:[email protected]:5432/plane` <br/> <br/>**external service example**: `postgresql://username:password@your-db-host:5432/plane` |
+    |                      | `AMQP_URL`               | Yes | RabbitMQ connection URL                      | **k8s service example**: `amqp://plane:[email protected]:5672/`  <br/> <br/> **external service example**: `amqp://username:password@your-rabbitmq-host:5672/` |
+
+    
     #### Ingress and SSL Setup
 
     | Setting | Default | Required | Description |
@@ -450,6 +476,31 @@ If you want to upgrade to a paid plan, see [Plan upgrades](https://docs.plane.so
         | beatworker.cpuLimit | 500m |  | Every deployment in kubernetes can be set to use the maximum cpu they are allowed to use. This key sets the cpu limit for this deployment to use.|
         | beatworker.image| makeplane/plane-backend |  | This deployment needs a preconfigured docker image to function. Docker image name is provided by the owner and must not be changed for this deployment |
 
+        #### External Secrets Config
+
+        To configure the external secrets for your application, you need to define specific environment variables for each secret category. Below is a list of the required secrets and their respective environment variables. See [External secrets](/self-hosting/govern/external-secrets) for setup details. 
+
+        | Secret Name | Env Var Name | Required | Description | Example Value |
+        |--- |:---|:---|:---|:---|
+        | rabbitmq_existingSecret     | `RABBITMQ_DEFAULT_USER`  | Required if `rabbitmq.local_setup=true` | The default RabbitMQ user                    | `plane`      |
+        |                      | `RABBITMQ_DEFAULT_PASS`  | Required if `rabbitmq.local_setup=true` | The default RabbitMQ password                | `plane`      |
+        | pgdb_existingSecret         | `POSTGRES_PASSWORD`      | Required if `postgres.local_setup=true` | Password for PostgreSQL database             | `plane`   |
+        |                      | `POSTGRES_DB`            | Required if `postgres.local_setup=true` | Name of the PostgreSQL database              | `plane`      |
+        |                      | `POSTGRES_USER`          | Required if `postgres.local_setup=true` | PostgreSQL user                              | `plane`       |
+        |  doc_store_existingSecret                 | `USE_MINIO`              | Yes | Flag to enable MinIO as the storage backend  | `1`         |
+        |                      | `MINIO_ROOT_USER`        | Yes | MinIO root user                              | `admin`    |
+        |     | `MINIO_ROOT_PASSWORD`    | Yes | MinIO root password                          | `password`    |
+        |                      | `AWS_ACCESS_KEY_ID`      | Yes | AWS Access Key ID                            | `your_aws_key`       |
+        |                      | `AWS_SECRET_ACCESS_KEY`  | Yes | AWS Secret Access Key                        | `your_aws_secret`    |
+        |                      | `AWS_S3_BUCKET_NAME`     | Yes | AWS S3 Bucket Name                           | `your_bucket_name`   |
+        |                      | `AWS_S3_ENDPOINT_URL`    | Yes | Endpoint URL for AWS S3 or MinIO             | `http://plane-minio.plane-ns.svc.cluster.local:9000`  |
+        |                      | `AWS_REGION`             | Optional | AWS region where your S3 bucket is located   | `your_aws_region`    |
+        |                      | `FILE_SIZE_LIMIT`        | Yes | Limit for file uploads in your system        | `5MB`               |
+        | app_env_existingSecret      | `SECRET_KEY`             | Yes | Random secret key                            | `60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5`  |
+        |                      | `REDIS_URL`              | Yes | Redis URL                                    | `redis://plane-redis.plane-ns.svc.cluster.local:6379/`  |
+        |                      | `DATABASE_URL`           | Yes | PostgreSQL connection URL                    | **k8s service example**: `postgresql://plane:[email protected]:5432/plane` <br/> <br/>**external service example**: `postgresql://username:password@your-db-host:5432/plane` |
+        |                      | `AMQP_URL`               | Yes | RabbitMQ connection URL                      | **k8s service example**: `amqp://plane:[email protected]:5672/`  <br/> <br/> **external service example**: `amqp://username:password@your-rabbitmq-host:5672/` |
+
         #### Ingress and SSL Setup
 
         | Setting | Default | Required | Description |