diff --git a/charts/plane-enterprise/Chart.yaml b/charts/plane-enterprise/Chart.yaml index af12904f..38a2e3b7 100644 --- a/charts/plane-enterprise/Chart.yaml +++ b/charts/plane-enterprise/Chart.yaml @@ -5,8 +5,8 @@ description: Meet Plane. An Enterprise software development tool to manage issue type: application -version: 1.4.0 -appVersion: "1.14.0" +version: 1.4.2 +appVersion: "1.14.1" home: https://plane.so/ icon: https://plane.so/favicon/favicon-32x32.png diff --git a/charts/plane-enterprise/README.md b/charts/plane-enterprise/README.md index a1d746d7..138fff6a 100644 --- a/charts/plane-enterprise/README.md +++ b/charts/plane-enterprise/README.md @@ -11,7 +11,7 @@ Copy the format of constants below, paste it on Terminal to start setting environment variables, set values for each variable, and hit ENTER or RETURN. ```bash - PLANE_VERSION=v1.14.0 # or the last released version + PLANE_VERSION=v1.14.1 # or the last released version DOMAIN_NAME= ``` @@ -65,7 +65,7 @@ ``` Make sure you set the minimum required values as below. - - `planeVersion: v1.14.0 ` + - `planeVersion: v1.14.1 ` - `license.licenseDomain: ` - `ingress.enabled: ` - `ingress.ingressClass: ` 
@@ -91,10 +91,18 @@ | Setting | Default | Required | Description | |---|:---:|:---:|---| -| planeVersion | v1.14.0 | Yes | Specifies the version of Plane to be deployed. Copy this from prime.plane.so. | -| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. | +| planeVersion | v1.14.1 | Yes | Specifies the version of Plane to be deployed. Copy this from prime.plane.so. | | license.licenseDomain | plane.example.com | Yes | The fully-qualified domain name (FQDN) in the format `sudomain.domain.tld` or `domain.tld` that the license is bound to. It is also attached to your `ingress` host to access Plane. | + +### Air-gapped Settings + +| Setting | Default | Required | Description | +|---|:---:|:---:|---| +| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. | +| airgapped.s3SecretName | "" | No | Name of the Secret that contains the CA certificate (.crt). The Secret must include a data key whose filename matches the basename of `airgapped.s3SecretKey`. Used to override S3’s CA when `airgapped.enabled=true`. Applying this secret looks like: `kubectl -n plane create secret generic plane-s3-ca \ --from-file=s3-custom-ca.crt=/path/to/your/ca.crt` | +| airgapped.s3SecretKey | "" | No | Key name of the secret to load the Custom Root CA from `airgapped.s3SecretName` | + ### Postgres | Setting | Default | Required | Description | diff --git a/charts/plane-enterprise/questions.yml b/charts/plane-enterprise/questions.yml index a840759f..fc724743 100644 --- a/charts/plane-enterprise/questions.yml +++ b/charts/plane-enterprise/questions.yml @@ -20,7 +20,7 @@ questions: - variable: planeVersion label: Plane Version (Docker Image Tag) type: string - default: v1.14.0 + default: v1.14.1 required: true group: "Docker Registry" subquestions: 
@@ -80,6 +80,22 @@ questions: type: string required: true +- variable: airgapped.enabled + label: "Airgapped Enabled" + type: boolean + default: false + group: "License Setup" + show_subquestion_if: true + subquestions: + - variable: airgapped.s3SecretName + label: "S3 Secret Name" + type: string + default: "" + - variable: airgapped.s3SecretKey + label: "S3 Secret Key" + type: string + default: "" + - variable: services.web.pullPolicy label: "Web Pull Policy" type: enum diff --git a/charts/plane-enterprise/templates/config-secrets/app-env.yaml b/charts/plane-enterprise/templates/config-secrets/app-env.yaml index 413c14e1..0d8d1137 100644 --- a/charts/plane-enterprise/templates/config-secrets/app-env.yaml +++ b/charts/plane-enterprise/templates/config-secrets/app-env.yaml @@ -31,6 +31,11 @@ stringData: {{- else }} AMQP_URL: "" {{ end }} + + {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + AWS_CA_BUNDLE: "/s3-custom-ca/{{ .Values.airgapped.s3SecretKey }}" + {{- end }} + {{- end }} --- @@ -49,6 +54,7 @@ data: API_KEY_RATE_LIMIT: {{ .Values.env.api_key_rate_limit | default "60/minute" | quote }} MINIO_ENDPOINT_SSL: {{ .Values.services.minio.env.minio_endpoint_ssl | default false | ternary "1" "0" | quote }} + USE_STORAGE_PROXY: {{ .Values.env.use_storage_proxy | default false | ternary "1" "0" | quote }} INTAKE_EMAIL_DOMAIN: {{ .Values.env.email_service_envs.smtp_domain | default "" | quote }} SENTRY_DSN: {{ .Values.env.sentry_dsn | default "" | quote}} diff --git a/charts/plane-enterprise/templates/workloads/api.deployment.yaml b/charts/plane-enterprise/templates/workloads/api.deployment.yaml index bec8cf11..50cee39e 100644 --- a/charts/plane-enterprise/templates/workloads/api.deployment.yaml +++ b/charts/plane-enterprise/templates/workloads/api.deployment.yaml 
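Review bot: The label `S3 Secret Key` on the `airgapped.s3SecretKey` subquestion reads like a request for an S3 credential, while the README hunk in this commit describes the field as the key name inside the Secret that holds the CA certificate. Whatever is typed here is rendered in plain text into the pod spec and into `AWS_CA_BUNDLE`, so a credential entered by mistake would end up in the manifest. I would rename the labels, e.g. `label: "S3 CA Secret Name"` and `label: "S3 CA Certificate Key (file name ending in .crt)"`, and add a `description:` line to each. The `group: "License Setup"` placement also looks carried over from a neighbouring question rather than chosen for these settings.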
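Review bot: `AWS_CA_BUNDLE` is added to the shared `stringData` block, but in the visible diff `/s3-custom-ca` is mounted only in the API deployment. If other workloads load this Secret through `envFrom` (not visible here), they would receive a path to a file that does not exist in their container, and S3 calls that honour the variable would likely fail when loading the CA. Either mount the same volume in every consumer or set the variable on the API container only, next to the other CA variables: `- name: AWS_CA_BUNDLE` with `value: "/s3-custom-ca/{{ .Values.airgapped.s3SecretKey }}"`. The enclosing `{{- if }}` block starts outside the hunk.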
@@ -39,6 +39,15 @@ spec: annotations: timestamp: {{ now | quote }} spec: + {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + volumes: + - name: s3-custom-ca + secret: + secretName: {{ .Values.airgapped.s3SecretName }} + items: + - key: {{ .Values.airgapped.s3SecretKey }} + path: {{ .Values.airgapped.s3SecretKey }} + {{- end }} containers: - name: {{ .Release.Name }}-api imagePullPolicy: {{ .Values.services.api.pullPolicy | default "Always" }} 
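Review bot: The three templated scalars in the new `volumes:` entry are emitted unquoted, so a Secret name or key that YAML reads as a number, boolean or null renders as the wrong type and the manifest is rejected or mis-parsed. Pipe them through `quote`, as the resource limits in this file already do: `secretName: {{ .Values.airgapped.s3SecretName | quote }}`, `- key: {{ .Values.airgapped.s3SecretKey | quote }}`, `path: {{ .Values.airgapped.s3SecretKey | quote }}`. The pod `spec:` continues outside the hunk, so it is worth checking that no second `volumes:` key exists further down, since most parsers silently keep only the last duplicate.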
@@ -52,8 +61,48 @@ spec: limits: memory: {{ .Values.services.api.memoryLimit | default "1000Mi" | quote }} cpu: {{ .Values.services.api.cpuLimit | default "500m" | quote}} + {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }} + volumeMounts: + - name: s3-custom-ca + mountPath: /s3-custom-ca + readOnly: true + env: + - name: SSL_CERT_FILE + value: "/etc/ssl/certs/ca-certificates.crt" + - name: SSL_CERT_DIR + value: "/etc/ssl/certs" + - name: REQUESTS_CA_BUNDLE + value: "/etc/ssl/certs/ca-certificates.crt" + - name: CURL_CA_BUNDLE + value: "/etc/ssl/certs/ca-certificates.crt" + {{- end }} command: - - ./bin/docker-entrypoint-api-ee.sh + - /bin/bash + - -c + - | + set -e + + {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }} + echo "Installing custom CA certificates..." + + # Ensure ca-certificates directory exists + mkdir -p /usr/local/share/ca-certificates + + # Install custom S3 CA if available + S3_CERT_FILE="{{ .Values.airgapped.s3SecretKey }}" + if [ -f "/s3-custom-ca/$S3_CERT_FILE" ]; then + echo "Installing S3 custom CA certificate..." + cp "/s3-custom-ca/$S3_CERT_FILE" "/usr/local/share/ca-certificates/$S3_CERT_FILE" + # Update CA certificates + update-ca-certificates + echo "CA certificates installed successfully" + else + echo "No custom S3 CA certificate found, skipping..." + fi + {{- end }} + + # Start the API + exec ./bin/docker-entrypoint-api-ee.sh envFrom: - configMapRef: name: {{ .Release.Name }}-app-vars diff --git a/charts/plane-enterprise/values.yaml b/charts/plane-enterprise/values.yaml index c5d72417..77305761 100644 --- a/charts/plane-enterprise/values.yaml +++ b/charts/plane-enterprise/values.yaml @@ -1,4 +1,4 @@ -planeVersion: v1.14.0 +planeVersion: v1.14.1 dockerRegistry: enabled: false 
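Review bot: `S3_CERT_FILE="{{ .Values.airgapped.s3SecretKey }}"` pastes a chart value into the text of the bash script, so any quote, `$` or backtick in that value is interpreted by the shell instead of being treated as a file name. Pass it as a container environment variable and let the script read `$S3_CERT_FILE`; that also lets the script block use the same three-value guard as the volume and mount blocks, which it currently does not (it omits `airgapped.s3SecretKey`). The script should also reject a key that does not end in `.crt`, because `update-ca-certificates` only picks up `*.crt` files under `/usr/local/share/ca-certificates` and the current code would still print the success message. Copying into `/usr/local/share` and rebuilding the bundle needs a root user and a writable root filesystem, which is worth stating in the README. The container spec continues outside the hunk.

```yaml
          env:
            # … unchanged: SSL_CERT_FILE, SSL_CERT_DIR, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE …
            - name: S3_CERT_FILE
              value: {{ .Values.airgapped.s3SecretKey | quote }}
          # … unchanged: end of env guard, command: /bin/bash -c, set -e …
              {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
              # … unchanged: echo, mkdir -p /usr/local/share/ca-certificates …
              # S3_CERT_FILE is read from the container environment, not templated into the script
              case "$S3_CERT_FILE" in
                *.crt) ;;
                *) echo "airgapped.s3SecretKey must name a .crt file" >&2; exit 1 ;;
              esac
              if [ -f "/s3-custom-ca/$S3_CERT_FILE" ]; then
              # … unchanged: cp, update-ca-certificates, else branch, exec entrypoint …
```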
@@ -12,6 +12,12 @@ license: airgapped: enabled: false + # The boto module used by API does not use the CA bundles in the container, so we need to + # mount the CA bundle into the API pod by passing it in as an environment + # variable. Should be the full path to the CA bundle file, e.g. + # + s3SecretName: "" + s3SecretKey: "" ingress: enabled: true @@ -244,6 +250,8 @@ env: aws_region: '' aws_s3_endpoint_url: '' + use_storage_proxy: false + secret_key: "60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5" api_key_rate_limit: "60/minute"
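Review bot: The comment added above `s3SecretName` breaks off after `e.g.` with an empty `#` line, and it describes a full path to a CA bundle although the two new keys take a Secret name and a key inside that Secret. I would replace it with comments that match the fields, for example `# Name of an existing Secret holding the custom CA for S3 (used only when enabled is true).` above `s3SecretName` and `# Data key in that Secret; must end in .crt and is also the mounted file name.` above `s3SecretKey`.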
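Review bot: The context line directly below the new `use_storage_proxy` key ships a fixed `secret_key` default, so every install that does not override it shares the same published value. This predates the commit, but it is worth fixing while this block is open: leave the default empty and fail rendering when it is unset, e.g. `{{ required "env.secret_key must be set" .Values.env.secret_key }}` in the template that consumes it (not shown here), or generate it once per release. Separately, `use_storage_proxy` has no comment; a line such as `# When true, USE_STORAGE_PROXY is rendered as "1" in the app ConfigMap.` would help.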