Merged
Changes from 7 commits
22 commits
6971cea
Merge pull request #144 from makeplane/develop
mguptahub Aug 1, 2025
3927af9
Merge pull request #146 from makeplane/develop
mguptahub Aug 1, 2025
dd11e05
Merge pull request #149 from makeplane/develop
twtaylor Aug 7, 2025
ce3782d
chore: Bump version to 1.3.4-rc3 and enhance airgapped support
twtaylor Aug 22, 2025
ce372cb
chore: coderabbit suggestions
twtaylor Aug 28, 2025
8a7679e
chore: README updates
twtaylor Aug 28, 2025
fed4085
chore: more doc
twtaylor Aug 28, 2025
d36af6f
feat: use new API variables
twtaylor Aug 28, 2025
52d6139
feat: basing on top of dev
twtaylor Aug 29, 2025
d9d7fc6
release: Plane-EE:`v1.4.0` #155
sriramveeraghanta Sep 2, 2025
b7164c0
feat: enhance airgapped support in API deployment
twtaylor Sep 4, 2025
64d4c78
feat: doc updates, changing from initContainer which wont work for ai…
twtaylor Sep 4, 2025
0a884e3
chore: bumping version
twtaylor Sep 4, 2025
a31934c
[INFRA-236] Plane-EE: Update Plane version to v1.14.1 in configuratio…
akshat5302 Sep 8, 2025
5d598db
Merge branch 'master' of github.com:makeplane/helm-charts into airgap…
mguptahub Sep 9, 2025
ee44a31
feat: enhance airgapped configuration and documentation
mguptahub Sep 9, 2025
7a9fb30
fix: empty volume configuration for airgapped deployment
twtaylor Sep 9, 2025
4a72ffb
fix: streamline s3SecretKey handling in api.deployment.yaml
twtaylor Sep 10, 2025
701a46e
feat: add airgapped configuration options and update documentation
akshat5302 Sep 10, 2025
640329b
fix: reset s3SecretName and s3SecretKey to empty in values.yaml for a…
akshat5302 Sep 10, 2025
3c8aabe
fix: remove default comment for s3SecretName in values.yaml to clarif…
akshat5302 Sep 10, 2025
3b2c051
fix: update api.deployment.yaml to include s3SecretKey in airgapped c…
akshat5302 Sep 10, 2025
2 changes: 1 addition & 1 deletion charts/plane-enterprise/Chart.yaml
Expand Up @@ -6,7 +6,7 @@ description: Meet Plane. An Enterprise software development tool to manage issue
type: application

version: 1.4.0
appVersion: "1.14.0"
appVersion: "v1.14.0-rc6"

home: https://plane.so/
icon: https://plane.so/favicon/favicon-32x32.png
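Review bot: appVersion in Chart.yaml now carries a release-candidate tag, "v1.14.0-rc6", while the chart version stays at 1.4.0 and the README in this same change still documents planeVersion as v1.14.0. If this chart is meant for release, point appVersion at the final tag and keep its format consistent with the previous value, which had no v prefix; if the rc is intentional, bump the chart version as well so the new templates ship under their own chart version.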
2 changes: 2 additions & 0 deletions charts/plane-enterprise/README.md
Expand Up @@ -93,6 +93,8 @@
|---|:---:|:---:|---|
| planeVersion | v1.14.0 | Yes | Specifies the version of Plane to be deployed. Copy this from prime.plane.so. |
| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. |
| airgapped.s3CrtFileLocation | "/s3-custom-ca/s3-custom-ca.crt" | No | Path inside the container to the CA certificate file used for S3 (Boto). Effective when `airgapped.enabled=true` and `airgapped.s3SecretName` is set. |
| airgapped.s3SecretName | "" | No | Name of the Secret that contains the CA certificate (.crt). The Secret must include a data key whose filename matches the basename of `airgapped.s3CrtFileLocation` (default: `s3-custom-ca.crt`). Used to override S3’s CA when `airgapped.enabled=true`. |
| license.licenseDomain | plane.example.com | Yes | The fully-qualified domain name (FQDN) in the format `sudomain.domain.tld` or `domain.tld` that the license is bound to. It is also attached to your `ingress` host to access Plane. |

### Postgres
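Review bot: The airgapped.s3CrtFileLocation row describes a free-form path inside the container, but the templates in this change only honour its basename: the Secret volume is mounted at the fixed mountPath /s3-custom-ca, while AWS_CA_BUNDLE is set to the full value. A value with any other directory would leave AWS_CA_BUNDLE pointing at a file that is not there. State in this row that the directory must be /s3-custom-ca, or derive the mountPath from the value in the template.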
5 changes: 5 additions & 0 deletions charts/plane-enterprise/templates/config-secrets/app-env.yaml
Expand Up @@ -49,8 +49,13 @@ data:

API_KEY_RATE_LIMIT: {{ .Values.env.api_key_rate_limit | default "60/minute" | quote }}
MINIO_ENDPOINT_SSL: {{ .Values.services.minio.env.minio_endpoint_ssl | default false | ternary "1" "0" | quote }}
USE_STORAGE_PROXY: {{ .Values.services.minio.use_storage_proxy | default false | ternary "1" "0" | quote }}
INTAKE_EMAIL_DOMAIN: {{ .Values.env.email_service_envs.smtp_domain | default "" | quote }}

{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }}
AWS_CA_BUNDLE: {{ .Values.airgapped.s3CrtFileLocation | default "/s3-custom-ca/s3-custom-ca.crt" | quote }}
{{- end }}

SENTRY_DSN: {{ .Values.env.sentry_dsn | default "" | quote}}
SENTRY_ENVIRONMENT: {{ .Values.env.sentry_environment | default "" | quote}}
DEBUG: "0"
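Review bot: AWS_CA_BUNDLE is set to a path under /s3-custom-ca, but in the api.deployment.yaml changes on this page the s3-custom-ca volume is mounted only in the install-ca-certs init container; the API container mounts just the ca-certificates volume at /etc/ssl/certs. Unless the Secret is mounted into the API container elsewhere, boto will be pointed at a missing file. Either add the s3-custom-ca volumeMount to the API container, or set AWS_CA_BUNDLE to the copy the init step writes, which lands at /etc/ssl/certs/s3-custom-ca.crt through the shared volume.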
73 changes: 73 additions & 0 deletions charts/plane-enterprise/templates/workloads/api.deployment.yaml
Expand Up @@ -39,6 +39,64 @@ spec:
annotations:
timestamp: {{ now | quote }}
spec:
volumes:
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }}
- name: s3-custom-ca
secret:
secretName: {{ .Values.airgapped.s3SecretName }}
items:
- key: {{ (.Values.airgapped.s3CrtFileLocation | default "/s3-custom-ca/s3-custom-ca.crt") | base }}
path: {{ (.Values.airgapped.s3CrtFileLocation | default "/s3-custom-ca/s3-custom-ca.crt") | base }}
{{- end }}
- name: ca-certificates
emptyDir: {}
initContainers:
- name: install-ca-certs
image: ubuntu:22.04
command:
- /bin/bash
- -c
- |
set -e
echo "Installing custom CA certificates..."

# Install ca-certificates package and create directories
apt-get update && apt-get install -y ca-certificates
mkdir -p /shared-certs

# Copy existing system CA certificates to shared directory
if [ -d /etc/ssl/certs ]; then
cp -r /etc/ssl/certs/* /shared-certs/ 2>/dev/null || true
fi

# Ensure ca-certificates directory exists
mkdir -p /usr/local/share/ca-certificates

# Install custom S3 CA if available
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }}
S3_CERT_FILE="{{ (.Values.airgapped.s3CrtFileLocation | default "s3-custom-ca.crt") | base }}"
if [ -f "/s3-custom-ca/$S3_CERT_FILE" ]; then
echo "Installing S3 custom CA certificate..."
cp "/s3-custom-ca/$S3_CERT_FILE" /usr/local/share/ca-certificates/s3-custom-ca.crt
cp "/s3-custom-ca/$S3_CERT_FILE" /shared-certs/s3-custom-ca.crt
fi
{{- end }}

# Update CA certificates
update-ca-certificates

# Copy updated system certificates to shared volume
cp -r /etc/ssl/certs/* /shared-certs/ 2>/dev/null || true

echo "CA certificates installed successfully"
volumeMounts:
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }}
- name: s3-custom-ca
mountPath: /s3-custom-ca
readOnly: true
{{- end }}
- name: ca-certificates
mountPath: /shared-certs
containers:
- name: {{ .Release.Name }}-api
imagePullPolicy: {{ .Values.services.api.pullPolicy | default "Always" }}
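Review bot: The install-ca-certs init container pulls ubuntu:22.04 and runs `apt-get update && apt-get install -y ca-certificates`, both of which need registry and package-mirror access that an airgapped cluster does not have, and the initContainers block and the ca-certificates emptyDir sit outside the airgapped conditional, so every install runs them. Use an image that already contains ca-certificates, configurable through values so it can come from a private registry, drop the apt-get step, and wrap the init container and the emptyDir volume in the same `{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }}` guard. The two `cp -r /etc/ssl/certs/* /shared-certs/ 2>/dev/null || true` lines also defeat `set -e`, so a failed copy still ends with the success message; let them fail, and check that /shared-certs/ca-certificates.crt exists and is non-empty before exiting.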
Expand All @@ -52,6 +110,21 @@ spec:
limits:
memory: {{ .Values.services.api.memoryLimit | default "1000Mi" | quote }}
cpu: {{ .Values.services.api.cpuLimit | default "500m" | quote}}
volumeMounts:
- name: ca-certificates
mountPath: /etc/ssl/certs
readOnly: true
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }}

🛠️ Refactor suggestion

Guard against empty CA volume replacing system certs.

Mounting /etc/ssl/certs from emptyDir means a failed/broken init step yields no trust store. The refactor above adds a sanity check; keep that to fail fast. Alternatively, only mount the single bundle file instead of the whole directory.

-          - name: ca-certificates
-            mountPath: /etc/ssl/certs
+          - name: ca-certificates
+            mountPath: /etc/ssl/certs/ca-certificates.crt
+            subPath: ca-certificates.crt
             readOnly: true

env:
- name: SSL_CERT_FILE
value: "/etc/ssl/certs/ca-certificates.crt"
- name: SSL_CERT_DIR
value: "/etc/ssl/certs"
- name: REQUESTS_CA_BUNDLE
value: "/etc/ssl/certs/ca-certificates.crt"
- name: CURL_CA_BUNDLE
value: "/etc/ssl/certs/ca-certificates.crt"
{{- end }}
command:
- ./bin/docker-entrypoint-api-ee.sh
envFrom:
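Review bot: The conditional opened after the ca-certificates volumeMounts entry closes after the env block, so only SSL_CERT_FILE, SSL_CERT_DIR, REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE are guarded; the mount of the emptyDir over /etc/ssl/certs applies to every install, airgapped or not. Move the volumeMounts entry inside the same guard so a default deployment keeps the image's own trust store, and so a broken init step cannot leave a non-airgapped API pod with an empty /etc/ssl/certs.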
9 changes: 9 additions & 0 deletions charts/plane-enterprise/values.yaml
Expand Up @@ -12,6 +12,14 @@ license:

airgapped:
enabled: false
# The boto module used by API does not use the CA bundles in the container, so we need to
# mount the CA bundle into the API pod by passing it in as an environment
# variable. Should be the full path to the CA bundle file, e.g.
# "/s3-custom-ca/s3-custom-ca.crt"
s3CrtFileLocation: "/s3-custom-ca/s3-custom-ca.crt"
# The Secret must contain a data key whose name matches the filename in s3CrtFileLocation
# (default: "s3-custom-ca.crt").
s3SecretName: ""

ingress:
enabled: true
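Review bot: The comment above s3CrtFileLocation says the CA bundle is mounted "by passing it in as an environment variable", which mixes up two steps: the Secret named in s3SecretName supplies the file, and s3CrtFileLocation is the path exported as AWS_CA_BUNDLE. Reword the comment along those lines, and add that the CA override stays off while s3SecretName is empty, since each template guard in this change requires both airgapped.enabled and airgapped.s3SecretName.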
Expand Down Expand Up @@ -68,6 +76,7 @@ services:
root_user: admin
root_password: password
assign_cluster_ip: false
use_storage_proxy: false
env:
minio_endpoint_ssl: false

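Review bot: use_storage_proxy is a new key under services.minio with no comment here and no matching row in the README changes in this pull request. Add a one-line comment saying what enabling it changes, and document it in the README values table alongside the other MinIO settings.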