Merged
2 changes: 1 addition & 1 deletion charts/plane-enterprise/Chart.yaml
Expand Up @@ -5,7 +5,7 @@ description: Meet Plane. An Enterprise software development tool to manage issue

type: application

version: 1.2.0
version: 1.2.1
appVersion: "1.9.1"

home: https://plane.so/
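Review bot: the bump from 1.2.0 to 1.2.1 is a patch increment, but the rest of this PR adds a new user-facing value (env.silo_envs.aes_secret_key) and a new AES_SECRET_KEY entry in two rendered Secrets, which under semver is an additive feature and would normally be a minor bump (1.3.0). Whichever number is kept, the new value deserves a mention in the chart's release notes so operators know to set it before upgrading.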
1 change: 1 addition & 0 deletions charts/plane-enterprise/README.md
Expand Up @@ -267,6 +267,7 @@
| env.silo_envs.sentry_environment | | | Sentry Environment |
| env.silo_envs.sentry_traces_sample_rate | | | Sentry Traces Sample Rate |
| env.silo_envs.hmac_secret_key | <random-32-bit-string> | | HMAC Secret Key |
| env.silo_envs.aes_secret_key | "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | | AES Secret Key |


### Worker Deployment
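Review bot: the new env.silo_envs.aes_secret_key row documents the literal string "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" as the default, which publishes the fallback key in user-facing docs and invites every installation to share it. Follow the hmac_secret_key row directly above and show a placeholder instead, e.g. `| env.silo_envs.aes_secret_key | <random-32-character-string> | | AES Secret Key |`. While touching this table, note that the existing hmac row says "32-bit-string", but randAlphaNum 32 produces 32 alphanumeric characters (about 190 bits of entropy), so "32-character" is the accurate wording for both rows.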
4 changes: 4 additions & 0 deletions charts/plane-enterprise/questions.yml
Expand Up @@ -249,6 +249,10 @@ questions:
label: "Silo HMAC Secret Key"
type: string
default: ""
- variable: env.silo_envs.aes_secret_key
label: "Silo AES Secret Key"
type: string
default: "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr"
- variable: env.silo_envs.cors_allowed_origins
label: "Silo CORS Allowed Origins"
type: string
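Review bot: `default: "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr"` on the new Silo AES Secret Key question pre-fills the installer UI with a fixed key, which is inconsistent with the Silo HMAC Secret Key question immediately above (default: ""). Use `default: ""` here as well, optionally with `required: true` (which the Rancher questions format supports) so the installer refuses to proceed without an operator-supplied value, and leave any generation of a random key to the templates.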
Expand Up @@ -7,6 +7,7 @@ metadata:
name: {{ .Release.Name }}-app-secrets
stringData:
SECRET_KEY: {{ .Values.env.secret_key | default "60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5" | quote }}
AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }}
LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "htbqvBJAgpm9bzvf3r4urJer0ENReatceh" | quote }}

{{- if .Values.services.redis.local_setup }}
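Review bot: AES_SECRET_KEY is now rendered into {{ .Release.Name }}-app-secrets with the same static fallback string that the silo template uses, so the key lives in two Secret objects and any fix to the fallback has to be applied in both templates or they will drift. Consider defining the value once (a named template, or one Secret referenced by both workloads) so there is a single place to harden. The adjacent SECRET_KEY and LIVE_SERVER_SECRET_KEY lines carry the same hardcoded-default pattern and warrant the same treatment in a follow-up.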
2 changes: 2 additions & 0 deletions charts/plane-enterprise/templates/config-secrets/silo.yaml
Expand Up @@ -15,6 +15,8 @@ stringData:
SILO_HMAC_SECRET_KEY: {{ randAlphaNum 32 | quote }}
{{- end }}

AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }}

Comment on lines +18 to +19
Contributor
⚠️ Potential issue

Avoid Static Fallback for AES Secret

Similar to SILO_HMAC_SECRET_KEY, the AES key should not default to a hardcoded constant. Use Helm’s randAlphaNum or require the user to supply it to ensure secrecy:

-  AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }}
+  AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default (randAlphaNum 32) | quote }}

{{- if .Values.services.postgres.local_setup }}
DATABASE_URL: "postgresql://{{ .Values.env.pgdb_username }}:{{ .Values.env.pgdb_password }}@{{ .Release.Name }}-pgdb.{{ .Release.Namespace }}.svc.{{ .Values.env.default_cluster_domain | default "cluster.local" }}/{{ .Values.env.pgdb_name }}"
{{- else if .Values.env.pgdb_remote_url }}
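Review bot: the `default (randAlphaNum 32)` form proposed in the comment above (and the existing SILO_HMAC_SECRET_KEY line at the top of this hunk) regenerates the value on every `helm upgrade`, because templates are re-rendered for each release and randAlphaNum has no memory of the previous render. For an AES key, that silently rotates the key on each upgrade, and anything encrypted under the previous key becomes unreadable. If generate-at-install is the intent, guard it with `lookup` so an existing Secret's value is reused on upgrade, or fail the render with `required "env.silo_envs.aes_secret_key must be set" .Values.env.silo_envs.aes_secret_key`; either way, document that the key must stay stable across upgrades.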
1 change: 1 addition & 0 deletions charts/plane-enterprise/values.yaml
Expand Up @@ -204,4 +204,5 @@ env:
mq_prefetch_count: 1
request_interval: 400
hmac_secret_key: ''
aes_secret_key: 'dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr'
Contributor
⚠️ Potential issue

Remove Hardcoded Default Secret

Embedding a static AES key in values.yaml poses a security risk. It's recommended to default this value to empty (forcing users to provide their own) or to generate a random key at deployment time rather than checking in a fixed secret.

Suggest:

-    aes_secret_key: 'dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr'
+    aes_secret_key: ''  # Required: provide a secure AES key

Or leverage Helm functions (e.g., randAlphaNum) in the templates to auto-generate one if none is supplied.

🧰 Tools
🪛 Gitleaks (8.21.2)

207-207: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

cors_allowed_origins: ''
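Review bot: changing this line to `aes_secret_key: ''` as suggested is not sufficient on its own, because Helm's `default` treats an empty string as unset, so the `| default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr"` expressions in the app-secrets and silo templates still render the hardcoded key when the value is empty. The templates must change in the same PR (a `required` check that fails the render, or a guarded random generation). The Gitleaks finding on line 207 will also keep firing until the literal is gone from the repository, and since the string has now been committed and published in this diff it should be treated as compromised and not used by any deployment.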