diff --git a/docs/self-hosting/govern/advanced-search.md b/docs/self-hosting/govern/advanced-search.md index 8a23685..e26a783 100644 --- a/docs/self-hosting/govern/advanced-search.md +++ b/docs/self-hosting/govern/advanced-search.md @@ -12,7 +12,7 @@ Plane uses OpenSearch to provide advanced search capabilities across your worksp You'll need: -- An OpenSearch 2.x instance (self-hosted or managed service like AWS OpenSearch). +- An OpenSearch instance running version 2.19 or later (self-hosted or managed service like AWS OpenSearch). ## What you get with advanced search diff --git a/docs/self-hosting/govern/plane-ai.md b/docs/self-hosting/govern/plane-ai.md index 5642b64..ca96c4b 100644 --- a/docs/self-hosting/govern/plane-ai.md +++ b/docs/self-hosting/govern/plane-ai.md @@ -14,7 +14,7 @@ For an overview of what Plane AI can do, see the [Plane AI](https://docs.plane.s You'll need: -- An OpenSearch 2.x instance (self-hosted or AWS OpenSearch) configured for [advanced search](/self-hosting/govern/advanced-search). +- An OpenSearch instance running version 2.19 or later (self-hosted or AWS OpenSearch) configured for [advanced search](/self-hosting/govern/advanced-search). - At least one LLM provider API key or a custom OpenAI-compatible endpoint. - At least one embedding model configured in OpenSearch. diff --git a/docs/self-hosting/methods/airgapped-edition-kubernetes.md b/docs/self-hosting/methods/airgapped-edition-kubernetes.md index b8a7fa3..dc08a76 100644 --- a/docs/self-hosting/methods/airgapped-edition-kubernetes.md +++ b/docs/self-hosting/methods/airgapped-edition-kubernetes.md @@ -88,8 +88,11 @@ Consider these alternatives: airgapped: enabled: true # Must be TRUE for airgapped installations # If using custom root CA for S3 storage - s3SecretName: "s3-custom-ca" - s3SecretKey: "s3-custom-ca.crt" + s3Secrets: + - name: plane-s3-ca + key: s3-custom-ca.crt + - name: plane-s3-ca-2 + key: s3-custom-ca-2.crt ``` **Service images:** 
diff --git a/docs/self-hosting/methods/clone-docker-images.md b/docs/self-hosting/methods/clone-docker-images.md index e3dc45c..1e3d89b 100644 --- a/docs/self-hosting/methods/clone-docker-images.md +++ b/docs/self-hosting/methods/clone-docker-images.md @@ -76,7 +76,7 @@ Set your version and destination registry before copying images. ```bash # Set your Plane version -export APP_RELEASE_VERSION="v2.1.0" # Replace with your desired version +export APP_RELEASE_VERSION="v2.4.0" # Replace with your desired version # Set your destination registry export DESTINATION_REGISTRY="your-registry.io/your-namespace" @@ -188,7 +188,7 @@ Create a file named `copy-plane-images.sh`: set -e # Configuration -APP_RELEASE_VERSION="${APP_RELEASE_VERSION:-v2.1.0}" +APP_RELEASE_VERSION="${APP_RELEASE_VERSION:-v2.4.0}" DESTINATION_REGISTRY="${DESTINATION_REGISTRY}" if [ -z "$DESTINATION_REGISTRY" ]; then diff --git a/docs/self-hosting/methods/download-config.md b/docs/self-hosting/methods/download-config.md index 8285e41..18434a0 100644 --- a/docs/self-hosting/methods/download-config.md +++ b/docs/self-hosting/methods/download-config.md @@ -20,7 +20,7 @@ curl "https://prime.plane.so/api/v2/setup/?version=&airgapped= ``` ::: warning -When configuring the PLANE_VERSION environment variable, **do not** set it to `stable`. Always specify the latest version number (e.g., `1.8.0`). Using `stable` can lead to unexpected issues. +When configuring the PLANE_VERSION environment variable, **do not** set it to `stable`. Always specify the latest version number (e.g., `2.4.0`). Using `stable` can lead to unexpected issues. ::: 3. Add the Plane helm chart repo. 
@@ -50,67 +50,64 @@ When configuring the PLANE_VERSION environment variable, **do not** set it to `s helm repo add plane https://helm.plane.so/ ``` -4. Use one of the following ways to deploy Plane: - **Quick setup**: - This is the fastest way to deploy Plane with the default settings. This will create stateful deployments for Postgres, Redis/Valkey, and Minio with a persistent volume claim using the `longhorn` storage class. This also sets up the Ingress routes for you using `nginx` ingress class. To customize these settings, see the [Custom ingress routes](#custom-ingress-routes). - - Run the following command to deploy Plane: - - ```bash - helm install plane-app plane/plane-enterprise \ - --create-namespace \ - --namespace plane \ - --set license.licenseDomain=${DOMAIN_NAME} \ - --set license.licenseServer=https://prime.plane.so \ - --set planeVersion=${PLANE_VERSION} \ - --set ingress.enabled=true \ - --set ingress.ingressClass=nginx \ - --set env.storageClass=longhorn \ - --timeout 10m \ - --wait \ - --wait-for-jobs - ``` - - ::: info - This is the minimum required to set up Plane Commercial edition. You can change the default namespace from `plane`, the default app name from `plane-app`, the default storage class from `longhorn`, and the default ingress class from `nginx` to whatever you would like to.

- You can also pass other settings referring to the **Configuration Settings** toggle section below. - ::: +4. Use one of the following ways to deploy Plane: + - **Quick setup**: + This is the fastest way to deploy Plane with the default settings. This will create stateful deployments for Postgres, Redis/Valkey, and Minio with a persistent volume claim using the `longhorn` storage class. This also sets up the Ingress routes for you using `nginx` ingress class. To customize these settings, see the [Custom ingress routes](#custom-ingress-routes). + + Run the following command to deploy Plane: + + ``` + helm upgrade --install plane-app plane/plane-enterprise \ + --create-namespace \ + --namespace plane \ + --set license.licenseDomain=${DOMAIN_NAME} \ + --set license.licenseServer=https://prime.plane.so \ + --set planeVersion=${PLANE_VERSION} \ + --set ingress.enabled=true \ + --set ingress.ingressClass=nginx \ + --set env.storageClass=longhorn \ + --timeout 10m \ + --wait \ + --wait-for-jobs + ``` + + ::: info + This is the minimum required to set up Plane Commercial edition. You can change the default namespace from `plane`, the default app name from `plane-app`, the default storage class from `longhorn`, and the default ingress class from `nginx` to whatever you would like to.

+ To use a custom StorageClass, add `--set env.storageClass=` to the command above.

+ You can also pass other settings referring to the **Configuration Settings** toggle section below. + ::: + - **Advanced setup**: + ::: warning When self-hosting Plane for production use, it is strongly recommended to configure [external database and storage](/self-hosting/methods/kubernetes#configuration-settings). This ensures that your data remains secure and accessible even if the local machine crashes or encounters hardware issues. Relying solely on local storage for these components increases the risk of data loss and service disruption. ::: - For more control over your setup, follow the steps below: - - i. Run the script below to download the `values.yaml` file and and edit using any editor like Vim or Nano. + For more control over your setup, follow the steps below: - ```bash - helm show values plane/plane-enterprise > values.yaml - vi values.yaml - ``` + i. Run the script below to download the `values.yaml` file and edit using any editor like Vim or Nano. - Make sure you set the required environment variables listed below: - - `planeVersion: v2.2.1` - - `license.licenseDomain: ` - - `license.licenseServer: https://prime.plane.so` - - `ingress.enabled: ` - - `ingress.ingressClass: ` - - `env.storageClass: ` + Make sure you set the required environment variables listed below: + - `planeVersion: v2.4.0` + - `license.licenseDomain: ` + - `license.licenseServer: https://prime.plane.so` + - `ingress.enabled: ` + - `ingress.ingressClass: ` + - `env.storageClass: ` - See the **Configuration settings** toggle section for more details. + See the **Configuration settings** toggle section for more details. - ii. 
After saving the `values.yaml` file, run the following command to deploy Plane: + ```bash + helm upgrade --install plane-app plane/plane-enterprise \ + --create-namespace \ + --namespace plane \ + -f values.yaml \ + --timeout 10m \ + --wait \ + --wait-for-jobs + ``` - ```bash - helm install plane-app plane/plane-enterprise \ - --create-namespace \ - --namespace plane \ - -f values.yaml \ - --timeout 10m \ - --wait \ - --wait-for-jobs - ``` - - iii. If you've purchased a paid plan, [activate your license key](/self-hosting/manage/manage-licenses/activate-pro-and-business#activate-your-license) to unlock premium features. + ii. If you've purchased a paid plan, [activate your license key](/self-hosting/manage/manage-licenses/activate-pro-and-business#activate-your-license) to unlock premium features. ## Configuration settings 
@@ -118,16 +115,61 @@ helm repo add plane https://helm.plane.so/ | Setting | Default | Required | Description | | --------------------- | :-----------------: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| planeVersion | v2.2.1 | Yes | Specifies the version of Plane to be deployed. Copy this from `prime.plane.so.` | +| planeVersion | v2.4.0 | Yes | Specifies the version of Plane to be deployed. Copy this from prime.plane.so. | | license.licenseDomain | 'plane.example.com' | Yes | The fully-qualified domain name (FQDN) in the format `sudomain.domain.tld` or `domain.tld` that the license is bound to. It is also attached to your `ingress` host to access Plane. | -#### Airgapped settings +### Airgapped Settings + +| Setting | Default | Required | Description | +| ---------------------- | :-----: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| airgapped.enabled | false | No | Enable airgapped mode for the Plane API. | +| airgapped.s3Secrets | [] | No | List of Kubernetes Secrets containing CA certificates to install. Each entry requires `name` (Secret name) and `key` (filename in the Secret). Example: `kubectl -n plane create secret generic plane-s3-ca --from-file=s3-custom-ca.crt=/path/to/ca.crt`. Supports multiple certs (e.g. S3 + internal CA). Available in v2.4.0 and later. | +| airgapped.s3SecretName | "" | No | **Deprecated**
Name of a single Kubernetes Secret containing the S3 CA cert. Used only when `s3Secrets` is empty. Use `s3Secrets` instead. | +| airgapped.s3SecretKey | "" | No | **Deprecated**
Key (filename) of the cert file inside the Secret. Used only when `s3Secrets` is empty. Set together with `airgapped.s3SecretName`. Use `s3Secrets` instead. | + +#### CA certificate configuration (For airgapped deployments only) + +Plane supports custom CA certificates for connecting to S3-compatible storage and other internal services in airgapped environments. + +- **New deployments:** Use `airgapped.s3Secrets` as shown in the table above. +- **Existing deployments using `s3SecretName` and `s3SecretKey`:** Your configuration still works. Migrate only if you need to use multiple CA certificates. + +#### Migrating to the new configuration + +:::warning +Requires Plane v2.4.0 or later. +::: + +The new `s3Secrets` configuration supports multiple CA certificates, useful if you need to trust certificates from different sources (e.g., S3 endpoint CA and internal PKI). If you only need a single certificate, migration is optional. + +To migrate: -| Setting | Default | Required | Description | -| ---------------------- | :-----: | :------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. | -| airgapped.s3SecretName | "" | No | Name of the Secret that contains the CA certificate (.crt). The Secret must include a data key whose filename matches the basename of `airgapped.s3SecretKey` (default: `s3-custom-ca.crt`). Used to override S3’s CA when `airgapped.enabled=true`. 
Applying this secret looks like: `kubectl -n plane create secret generic plane-s3-ca \ --from-file=s3-custom-ca.crt=/path/to/your/ca.crt` | -| airgapped.s3SecretKey | "" | No | Key name of the secret to load the Custom Root CA from `airgapped.s3SecretName` | +1. Add your existing secret to the `s3Secrets` list: + +```yaml +airgapped: + enabled: true + s3Secrets: + - name: plane-s3-ca # your existing s3SecretName value + key: s3-custom-ca.crt # your existing s3SecretKey value + + + # s3SecretName and s3SecretKey can be removed after migration +``` + +2. Remove `s3SecretName` and `s3SecretKey` from your values file. + +3. Upgrade your Helm release. + +#### Docker Registry + +| Setting | Default | Required | Description | +| ----------------------------- | :-----------------: | :------: | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| dockerRegistry.enabled | false | No | Enable to configure image pull secrets for pulling images from a private docker registry. When enabled, you can either provide credentials to create a new secret or use an existing Kubernetes secret. | +| dockerRegistry.existingSecret | | No | Name of an existing Kubernetes secret containing docker registry credentials. When specified, the chart will use this secret for `imagePullSecrets` instead of creating a new one. The secret should be of type `kubernetes.io/dockerconfigjson`. If left empty, credentials below will be used to create a new secret. | +| dockerRegistry.registry | index.docker.io/v1/ | No | Docker registry URL. Only used when `dockerRegistry.existingSecret` is empty. | +| dockerRegistry.loginid | | No | Login ID / Username for the docker registry. Only used when `dockerRegistry.existingSecret` is empty. 
| +| dockerRegistry.password | | No | Password or Token for the docker registry. Only used when `dockerRegistry.existingSecret` is empty. | #### Postgres 
@@ -141,31 +183,30 @@ helm repo add plane https://helm.plane.so/ | env.pgdb_username | plane | | Database credentials are requried to access the hosted stateful deployment of `postgres`. Use this key to set the username for the stateful deployment. | | env.pgdb_password | plane | | Database credentials are requried to access the hosted stateful deployment of `postgres`. Use this key to set the password for the stateful deployment. | | env.pgdb_name | plane | | Database name to be used while setting up stateful deployment of `Postgres` | -| services.postgres.assign_cluster_ip | false | | This key allows you to set the node selector for the stateful deployment of postgres. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | -| services.postgres.nodeSelector | {} | | Set it to `true` if you want to assign `ClusterIP` to the service | +| services.postgres.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | +| services.postgres.nodeSelector | {} | | This key allows you to set the node selector for the stateful deployment of postgres. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | | services.postgres.tolerations | [] | | This key allows you to set the tolerations for the stateful deployment of postgres. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | | services.postgres.affinity | {} | | This key allows you to set the affinity rules for the stateful deployment of postgres. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | -| services.postgres.labels | {} | | Set it to `true` if you want to assign `ClusterIP` to the service | -| services.postgres.nodeSelector | {} | | This key allows you to set custom labels for the stateful deployment of postgres. 
This is useful for organizing and selecting resources in your Kubernetes cluster. | +| services.postgres.labels | {} | | This key allows you to set custom labels for the stateful deployment of postgres. This is useful for organizing and selecting resources in your Kubernetes cluster. | | services.postgres.annotations | {} | | This key allows you to set custom annotations for the stateful deployment of postgres. This is useful for adding metadata or configuration hints to your resources. | | env.pgdb_remote_url | | | Users can also decide to use the remote hosted database and link to Plane deployment. Ignoring all the above keys, set `services.postgres.local_setup` to `false` and set this key with remote connection url. | #### Redis/Valkey Setup -| Setting | Default | Required | Description | -| -------------------------------- | :--------------------------: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| services.redis.local_setup | true | | Plane uses `redis` to cache the session authentication and other static data. This database can be hosted within kubernetes as part of helm chart deployment or can be used as hosted service remotely (e.g. aws rds or similar services). Set this to `true` when you choose to setup stateful deployment of `redis`. Mark it as `false` when using a remotely hosted database | -| services.redis.image | `valkey/valkey:7.2.5-alpine` | | Using this key, user must provide the docker image name to setup the stateful deployment of `redis`. 
(must be set when `services.redis.local_setup=true`) | -| services.redis.pullPolicy | IfNotPresent | | Using this key, user can set the pull policy for the stateful deployment of redis. (must be set when services.redis.local_setup=true) | -| services.redis.servicePort | 6379 | | This key sets the default port number to be used while setting up stateful deployment of `redis`. | -| services.redis.volumeSize | 500Mi | | While setting up the stateful deployment, while creating the persistant volume, volume allocation size need to be provided. This key helps you set the volume allocation size. Unit of this value must be in Mi (megabyte) or Gi (gigabyte) | -| services.redis.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | -| services.redis.nodeSelector | 0 | | This key allows you to set the node selector for the stateful deployment of redis. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | -| services.redis.tolerations | [] | | This key allows you to set the tolerations for the stateful deployment of redis. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | -| services.redis.affinity | {} | | This key allows you to set the affinity rules for the stateful deployment of redis. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | -| services.redis.labels | {} | | This key allows you to set custom labels for the stateful deployment of redis. This is useful for organizing and selecting resources in your Kubernetes cluster. | -| services.redis.annotations | {} | | This key allows you to set custom annotations for the stateful deployment of redis. This is useful for adding metadata or configuration hints to your resources. | -| env.remote_redis_url | | | Users can also decide to use the remote hosted database and link to Plane deployment. 
Ignoring all the above keys, set `services.redis.local_setup` to `false` and set this key with remote connection url. | +| Setting | Default | Required | Description | +| -------------------------------- | :---------------------------: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| services.redis.local_setup | true | | Plane uses `redis` to cache the session authentication and other static data. This database can be hosted within kubernetes as part of helm chart deployment or can be used as hosted service remotely (e.g. aws rds or similar services). Set this to `true` when you choose to setup stateful deployment of `redis`. Mark it as `false` when using a remotely hosted database | +| services.redis.image | `valkey/valkey:7.2.11-alpine` | | Using this key, user must provide the docker image name to setup the stateful deployment of `redis`. (must be set when `services.redis.local_setup=true`) | +| services.redis.pullPolicy | IfNotPresent | | Using this key, user can set the pull policy for the stateful deployment of redis. (must be set when services.redis.local_setup=true) | +| services.redis.servicePort | 6379 | | This key sets the default port number to be used while setting up stateful deployment of `redis`. | +| services.redis.volumeSize | 500Mi | | While setting up the stateful deployment, while creating the persistant volume, volume allocation size need to be provided. This key helps you set the volume allocation size. 
Unit of this value must be in Mi (megabyte) or Gi (gigabyte) | +| services.redis.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | +| services.redis.nodeSelector | {} | | This key allows you to set the node selector for the stateful deployment of redis. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | +| services.redis.tolerations | [] | | This key allows you to set the tolerations for the stateful deployment of redis. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | +| services.redis.affinity | {} | | This key allows you to set the affinity rules for the stateful deployment of redis. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | +| services.redis.labels | {} | | This key allows you to set custom labels for the stateful deployment of redis. This is useful for organizing and selecting resources in your Kubernetes cluster. | +| services.redis.annotations | {} | | This key allows you to set custom annotations for the stateful deployment of redis. This is useful for adding metadata or configuration hints to your resources. | +| env.remote_redis_url | | | Users can also decide to use the remote hosted database and link to Plane deployment. Ignoring all the above keys, set `services.redis.local_setup` to `false` and set this key with remote connection url. | #### RabbitMQ Setup 
@@ -187,30 +228,57 @@ helm repo add plane https://helm.plane.so/ | services.rabbitmq.annotations | {} | | This key allows you to set custom annotations for the stateful deployment of rabbitmq. This is useful for adding metadata or configuration hints to your resources. | | services.rabbitmq.external_rabbitmq_url | | | Users can also decide to use the remote hosted service and link to Plane deployment. Ignoring all the above keys, set `services.rabbitmq.local_setup` to `false` and set this key with remote connection url. | +#### OpenSearch Setup + +| Setting | Default | Required | Description | +| ------------------------------------- | :--------------------------------: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| services.opensearch.local_setup | false | | Plane uses `opensearch` as the search and analytics engine. This can be hosted within kubernetes as part of helm chart deployment or can be used as hosted service remotely (e.g. AWS OpenSearch Service or similar services). Set this to `true` when you choose to setup stateful deployment of `opensearch`. Mark it as `false` when using a remotely hosted service | +| services.opensearch.image | opensearchproject/opensearch:3.3.2 | | Using this key, user must provide the docker image name to setup the stateful deployment of `opensearch`. (must be set when `services.opensearch.local_setup=true`) | +| services.opensearch.pullPolicy | IfNotPresent | | Using this key, user can set the pull policy for the stateful deployment of `opensearch`. 
(must be set when `services.opensearch.local_setup=true`) | +| services.opensearch.servicePort | 9200 | | This key sets the default port number to be used while setting up stateful deployment of `opensearch`. | +| services.opensearch.volumeSize | 5Gi | | While setting up the stateful deployment, while creating the persistant volume, volume allocation size need to be provided. Unit of this value must be in Mi (megabyte) or Gi (gigabyte) | +| services.opensearch.username | plane | | Credentials are required to access the hosted stateful deployment of `opensearch`. Use this key to set the username for the stateful deployment. | +| services.opensearch.password | Secure@Pass#123!%^&\* | | Credentials are required to access the hosted stateful deployment of `opensearch`. Use this key to set the password. **Password Complexity Requirements:** Must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character (e.g., `!@#$%^&*`). | +| services.opensearch.memoryLimit | 3Gi | | Every deployment in kubernetes can be set to use maximum memory they are allowed to use. This key sets the memory limit for this deployment to use. | +| services.opensearch.cpuLimit | 750m | | Every deployment in kubernetes can be set to use maximum cpu they are allowed to use. This key sets the cpu limit for this deployment to use. | +| services.opensearch.memoryRequest | 2Gi | | Every deployment in kubernetes can be set to use minimum memory they are allowed to use. This key sets the memory request for this deployment to use. | +| services.opensearch.cpuRequest | 500m | | Every deployment in kubernetes can be set to use minimum cpu they are allowed to use. This key sets the cpu request for this deployment to use. 
| +| services.opensearch.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | +| services.opensearch.nodeSelector | {} | | This key allows you to set the node selector for the stateful deployment of opensearch. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | +| services.opensearch.tolerations | [] | | This key allows you to set the tolerations for the stateful deployment of opensearch. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | +| services.opensearch.affinity | {} | | This key allows you to set the affinity rules for the stateful deployment of opensearch. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | +| services.opensearch.labels | {} | | This key allows you to set custom labels for the stateful deployment of opensearch. This is useful for organizing and selecting resources in your Kubernetes cluster. | +| services.opensearch.annotations | {} | | This key allows you to set custom annotations for the stateful deployment of opensearch. This is useful for adding metadata or configuration hints to your resources. | +| env.opensearch_remote_url | | | Users can also decide to use the remote hosted service and link to Plane deployment. Set `services.opensearch.local_setup` to `false` and set this key with remote connection url. | +| env.opensearch_remote_username | | | Username for remote OpenSearch service. Required when `services.opensearch.local_setup=false` and `env.opensearch_remote_url` is set. Note: This is not a secret and should be configured in values.yaml, not in external secrets. | +| env.opensearch_remote_password | | | Password for remote OpenSearch service. Required when `services.opensearch.local_setup=false` and `env.opensearch_remote_url` is set. 
Can be configured in values.yaml or provided via external secrets (`opensearch_existingSecret` with `OPENSEARCH_PASSWORD`). **Password Complexity Requirements:** Must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter, one digit, and one special character. | +| env.opensearch_index_prefix | plane\_ | | Prefix to be used for OpenSearch indices. This helps organize indices in a multi-tenant or multi-environment setup. | + #### Doc Store (Minio\/S3) Setup -| Setting | Default | Required | Description | -| ------------------------------------- | :-----------------------: | :------: | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| services.minio.local_setup | true | | Plane uses `minio` as the default file storage drive. This storage can be hosted within kubernetes as part of helm chart deployment or can be used as hosted service remotely (e.g. aws S3 or similar services). Set this to `true` when you choose to setup stateful deployment of `minio`. Mark it as `false` when using a remotely hosted database | -| services.minio.image | minio/minio:latest | | Using this key, user must provide the docker image name to setup the stateful deployment of `minio`. (must be set when `services.minio.local_setup=true`) | -| services.minio.image_mc | minio/mc:latest | | Using this key, user must provide the docker image name to setup the job deployment of `minio client`. (must be set when `services.minio.local_setup=true`) | -| services.minio.pullPolicy | services.minio.pullPolicy | | Using this key, user can set the pull policy for the stateful deployment of minio. 
(must be set when services.minio.local_setup=true) | -| services.minio.volumeSize | 3Gi | | While setting up the stateful deployment, while creating the persistant volume, volume allocation size need to be provided. This key helps you set the volume allocation size. Unit of this value must be in Mi (megabyte) or Gi (gigabyte) | -| services.minio.root_user | admin | | Storage credentials are requried to access the hosted stateful deployment of `minio`. Use this key to set the username for the stateful deployment. | -| services.minio.root_password | password | | Storage credentials are requried to access the hosted stateful deployment of `minio`. Use this key to set the password for the stateful deployment. | -| services.minio.env.minio_endpoint_ssl | false | | (Optional) Env to enforce HTTPS when connecting to minio uploads bucket | -| env.docstore_bucket | uploads | Yes | Storage bucket name is required as part of configuration. This is where files will be uploaded irrespective of if you are using `Minio` or external `S3` (or compatible) storage service | -| env.doc_upload_size_limit | 5242880 | Yes | Document Upload Size Limit (default to 5Mb) | -| services.minio.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | -| services.minio.nodeSelector | {} | | This key allows you to set the node selector for the stateful deployment of minio. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | -| services.minio.tolerations | [] | | This key allows you to set the tolerations for the stateful deployment of minio. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | -| services.minio.affinity | {} | | This key allows you to set the affinity rules for the stateful deployment of minio. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. 
| -| services.minio.labels | {} | | This key allows you to set custom labels for the stateful deployment of minio. This is useful for organizing and selecting resources in your Kubernetes cluster. | -| services.minio.annotations | {} | | This key allows you to set custom annotations for the stateful deployment of minio. This is useful for adding metadata or configuration hints to your resources. | -| env.aws_access_key | | | External `S3` (or compatible) storage service provides `access key` for the application to connect and do the necessary upload or download operations. To be provided when `services.minio.local_setup=false` | -| env.aws_secret_access_key | | | External `S3` (or compatible) storage service provides `secret access key` for the application to connect and do the necessary upload or download operations. To be provided when `services.minio.local_setup=false` | -| env.aws_region | | | External `S3` (or compatible) storage service providers creates any buckets in user selected region. This is also shared with the user as `region` for the application to connect and do the necessary upload or download operations. To be provided when `services.minio.local_setup=false` | -| env.aws_s3_endpoint_url | | | External `S3` (or compatible) storage service providers shares a `endpoint_url` for the integration purpose for the application to connect and do the necessary upload or download operations. 
To be provided when `services.minio.local_setup=false` | +| Setting | Default | Required | Description | +| ------------------------------------- | :----------------: | :------: | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| services.minio.local_setup | true | | Plane uses `minio` as the default file storage drive. This storage can be hosted within kubernetes as part of helm chart deployment or can be used as hosted service remotely (e.g. aws S3 or similar services). Set this to `true` when you choose to setup stateful deployment of `minio`. Mark it as `false` when using a remotely hosted database | +| services.minio.image | minio/minio:latest | | Using this key, user must provide the docker image name to setup the stateful deployment of `minio`. (must be set when `services.minio.local_setup=true`) | +| services.minio.image_mc | minio/mc:latest | | Using this key, user must provide the docker image name to setup the job deployment of `minio client`. (must be set when `services.minio.local_setup=true`) | +| services.minio.pullPolicy | IfNotPresent | | Using this key, user can set the pull policy for the stateful deployment of minio. (must be set when services.minio.local_setup=true) | +| services.minio.volumeSize | 3Gi | | While setting up the stateful deployment, while creating the persistant volume, volume allocation size need to be provided. This key helps you set the volume allocation size. Unit of this value must be in Mi (megabyte) or Gi (gigabyte) | +| services.minio.root_user | admin | | Storage credentials are requried to access the hosted stateful deployment of `minio`. Use this key to set the username for the stateful deployment. 
| +| services.minio.root_password | password | | Storage credentials are requried to access the hosted stateful deployment of `minio`. Use this key to set the password for the stateful deployment. | +| services.minio.env.minio_endpoint_ssl | false | | (Optional) Env to enforce HTTPS when connecting to minio uploads bucket | +| env.docstore_bucket | uploads | Yes | Storage bucket name is required as part of configuration. This is where files will be uploaded irrespective of if you are using `Minio` or external `S3` (or compatible) storage service | +| env.doc_upload_size_limit | 5242880 | Yes | Document Upload Size Limit (default to 5Mb) | +| services.minio.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | +| services.minio.nodeSelector | {} | | This key allows you to set the node selector for the stateful deployment of minio. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | +| services.minio.tolerations | [] | | This key allows you to set the tolerations for the stateful deployment of minio. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | +| services.minio.affinity | {} | | This key allows you to set the affinity rules for the stateful deployment of minio. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | +| services.minio.labels | {} | | This key allows you to set custom labels for the stateful deployment of minio. This is useful for organizing and selecting resources in your Kubernetes cluster. | +| services.minio.annotations | {} | | This key allows you to set custom annotations for the stateful deployment of minio. This is useful for adding metadata or configuration hints to your resources. 
| +| env.aws_access_key | | | External `S3` (or compatible) storage service provides `access key` for the application to connect and do the necessary upload or download operations. To be provided when `services.minio.local_setup=false` | +| env.aws_secret_access_key | | | External `S3` (or compatible) storage service provides `secret access key` for the application to connect and do the necessary upload or download operations. To be provided when `services.minio.local_setup=false` | +| env.aws_region | | | External `S3` (or compatible) storage service providers creates any buckets in user selected region. This is also shared with the user as `region` for the application to connect and do the necessary upload or download operations. To be provided when `services.minio.local_setup=false` | +| env.aws_s3_endpoint_url | | | External `S3` (or compatible) storage service providers shares a `endpoint_url` for the integration purpose for the application to connect and do the necessary upload or download operations. To be provided when `services.minio.local_setup=false` | +| env.use_storage_proxy | false | | When set to `true`, all S3 (or compatible) file GET requests from the browser are proxied through Plane's API service instead of accessing the S3 endpoint directly. Enable this if your storage endpoint is not accessible publicly or you want to control download access through the API. | #### Web Deployment 
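Review bot: The rewritten `services.minio.root_user` and `services.minio.root_password` rows still present `admin` and `password` as defaults without saying they must be overridden. Since every row of this table is being re-emitted anyway, add a sentence (or a `::: warning` block) telling operators to set their own values or supply them through `doc_store_existingSecret` before the deployment is reachable. Two related points in the same table: with `services.minio.image` defaulting to `minio/minio:latest`, the corrected `IfNotPresent` pull policy means nodes can keep running whatever build they cached, so recommend pinning a tag; and the new `env.use_storage_proxy` row should state whether the proxied GET requests go through the API's authentication, since "control download access through the API" is the reason given for enabling it.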
@@ -321,6 +389,7 @@ helm repo add plane https://helm.plane.so/ | env.sentry_dsn | | | (optional) API service deployment comes with some of the preconfigured integration. Sentry is one among those. Here user can set the Sentry-provided DSN for this integration. | | env.sentry_environment | | | (optional) API service deployment comes with some of the preconfigured integration. Sentry is one among those. Here user can set the Sentry environment name (as configured in Sentry) for this integration. | | env.api_key_rate_limit | 60/minute | | (optional) User can set the maximum number of requests the API can handle in a given time frame. | +| env.web_url | | | (optional) Custom Web URL for the application. If not set, it will be auto-generated based on the license domain and SSL settings. | | services.api.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | | services.api.nodeSelector | {} | | This key allows you to set the node selector for the deployment of api. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | | services.api.tolerations | [] | | This key allows you to set the tolerations for the deployment of api. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | 
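Review bot: The new `env.web_url` row does not say what form the value takes. State whether it must include the scheme and whether it has to agree with `license.licenseDomain`, because the description says the fallback is derived from the license domain and SSL settings, and an override that disagrees with those is easy to get wrong.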
@@ -366,6 +435,60 @@ helm repo add plane https://helm.plane.so/ | env.silo_envs.hmac_secret_key | <random-32-bit-string> | | HMAC Secret Key | | env.silo_envs.aes_secret_key | "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | | AES Secret Key | +#### Plane AI deployment + +| Setting | Default | Required | Description | +| -------------------------------- | :----------------------------------------------: | :------: | ---------------------------------------------------------------------------------------------------------------------------------------- | +| services.pi.enabled | false | No | Set to `true` to enable the Plane AI service and its API, worker, beat, and migrator workloads. | +| services.pi.replicas | 1 | Yes | Number of replicas for the Plane AI API deployment. It must be >=1. | +| services.pi.memoryLimit | 1000Mi | | Memory limit for the Plane AI API deployment. | +| services.pi.cpuLimit | 500m | | CPU limit for the Plane AI API deployment. | +| services.pi.memoryRequest | 50Mi | | Memory request for the Plane AI API deployment. | +| services.pi.cpuRequest | 50m | | CPU request for the Plane AI API deployment. | +| services.pi.image | artifacts.plane.so/makeplane/plane-pi-commercial | | Docker image for the Plane AI service. | +| services.pi.pullPolicy | Always | | Image pull policy for the Plane AI deployment. | +| services.pi.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the Plane AI API service. | +| services.pi.nodeSelector | {} | | Node selector for the Plane AI API deployment. | +| services.pi.tolerations | [] | | Tolerations for the Plane AI API deployment. | +| services.pi.affinity | {} | | Affinity rules for the Plane AI API deployment. | +| services.pi.labels | {} | | Custom labels to add to the Plane AI API deployment. | +| services.pi.annotations | {} | | Custom annotations to add to the Plane AI API deployment. 
| +| env.pg_pi_db_name | plane_pi | | PostgreSQL database name used by Plane AI when `postgres.local_setup=true`. | +| env.pg_pi_db_remote_url | "" | | PostgreSQL connection URL for Plane AI when using a remote database. Required when `postgres.local_setup=false` and Plane AI is enabled. | +| env.pi_envs.internal_secret | tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk | | Internal secret used by Plane AI for OAuth and internal APIs. | +| env.pi_envs.plane_api_host | "" | | Override for the Plane API host URL used by Plane AI. Defaults to the license domain. | +| env.pi_envs.cors_allowed_origins | "" | | CORS allowed origins for Plane AI API. Defaults to the license domain. | + +#### Plane AI Worker Deployment + +| Setting | Default | Required | Description | +| -------------------------------- | :-----: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| services.pi_worker.replicas | 1 | Yes | Kubernetes helps you with scaling up/down the deployments. You can run 1 or more pods for the Plane AI worker. This key helps you set the number of replicas. It must be >=1. | +| services.pi_worker.memoryLimit | 1000Mi | | Every deployment in kubernetes can be set to use maximum memory they are allowed to use. This key sets the memory limit for the Plane AI worker deployment to use. | +| services.pi_worker.cpuLimit | 500m | | Every deployment in kubernetes can be set to use maximum cpu they are allowed to use. This key sets the cpu limit for the Plane AI worker deployment to use. | +| services.pi_worker.memoryRequest | 50Mi | | Every deployment in kubernetes can be set to use minimum memory they are allowed to use. This key sets the memory request for the Plane AI worker deployment to use. | +| services.pi_worker.cpuRequest | 50m | | Every deployment in kubernetes can be set to use minimum cpu they are allowed to use. 
This key sets the cpu request for the Plane AI worker deployment to use. | +| services.pi_worker.nodeSelector | {} | | This key allows you to set the node selector for the deployment of `pi_worker`. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | +| services.pi_worker.tolerations | [] | | This key allows you to set the tolerations for the deployment of `pi_worker`. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | +| services.pi_worker.affinity | {} | | This key allows you to set the affinity rules for the deployment of `pi_worker`. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | +| services.pi_worker.labels | {} | | Custom labels to add to the Plane AI worker deployment | +| services.pi_worker.annotations | {} | | Custom annotations to add to the Plane AI worker deployment | + +#### Plane AI Beat-Worker Deployment + +| Setting | Default | Required | Description | +| ------------------------------------- | :-----: | :------: | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| services.pi_beat_worker.replicas | 1 | Yes | Kubernetes helps you with scaling up/down the deployments. You can run 1 or more pods for the Plane AI beat-worker. This key helps you set the number of replicas. It must be >=1. | +| services.pi_beat_worker.memoryLimit | 1000Mi | | Every deployment in kubernetes can be set to use maximum memory they are allowed to use. This key sets the memory limit for the Plane AI beat-worker deployment to use. | +| services.pi_beat_worker.cpuLimit | 500m | | Every deployment in kubernetes can be set to use maximum cpu they are allowed to use. This key sets the cpu limit for the Plane AI beat-worker deployment to use. 
| +| services.pi_beat_worker.memoryRequest | 50Mi | | Every deployment in kubernetes can be set to use minimum memory they are allowed to use. This key sets the memory request for the Plane AI beat-worker deployment to use. | +| services.pi_beat_worker.cpuRequest | 50m | | Every deployment in kubernetes can be set to use minimum cpu they are allowed to use. This key sets the cpu request for the Plane AI beat-worker deployment to use. | +| services.pi_beat_worker.nodeSelector | {} | | This key allows you to set the node selector for the deployment of `pi_beat_worker`. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | +| services.pi_beat_worker.tolerations | [] | | This key allows you to set the tolerations for the deployment of `pi_beat_worker`. This is useful when you want to run the deployment on nodes with specific taints in your Kubernetes cluster. | +| services.pi_beat_worker.affinity | {} | | This key allows you to set the affinity rules for the deployment of `pi_beat_worker`. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | +| services.pi_beat_worker.labels | {} | | Custom labels to add to the Plane AI beat-worker deployment | +| services.pi_beat_worker.annotations | {} | | Custom annotations to add to the Plane AI beat-worker deployment | + #### Worker Deployment | Setting | Default | Required | Description | 
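Review bot: `env.pi_envs.internal_secret` is documented with a fixed default (`tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk`) for a value the description says is used "for OAuth and internal APIs", so every install that keeps the default shares the same published secret. Document it as a value that must be replaced, show a placeholder in the Default column the way `env.silo_envs.hmac_secret_key` does in the context rows above, and say how operators should generate one. Also, `services.pi.image` lists no tag while `services.pi.pullPolicy` defaults to `Always`; state which tag is deployed (for example, whether it follows `planeVersion`) so operators can pin and mirror it.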
@@ -399,7 +522,7 @@ helm repo add plane https://helm.plane.so/ #### Email Service Deployment | Setting | Default | Required | Description | -| ------------------------------------ | --------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --- | --- | --- | +| ------------------------------------ | --------------------------------------------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | services.email_service.enabled | false | | Set to `true` to enable the email service deployment | | services.email_service.replicas | 1 | | Number of replicas for the email service deployment | | services.email_service.memoryLimit | 1000Mi | | Memory limit for the email service deployment | @@ -413,7 +536,11 @@ helm repo add plane https://helm.plane.so/ | services.email_service.affinity | {} | | This key allows you to set the affinity rules for the deployment of `email_service`. This is useful when you want to control how pods are scheduled on nodes in your Kubernetes cluster. | | services.email_service.labels | {} | | Custom labels to add to the email service deployment | | services.email_service.annotations | {} | | Custom annotations to add to the email service deployment | -| env.email_service_envs.smtp_domain | | Yes | The SMTP Domain to be used with email service | | | | +| env.email_service_envs.smtp_domain | | Yes | The SMTP Domain to be used with email service | + +::: info +When the email service is enabled, the cert-issuer will be automatically created to handle TLS certificates for the email service. +::: #### Outbox Poller Service Deployment 
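Review bot: The new `::: info` block says a cert-issuer "will be automatically created" when the email service is enabled, but not what it depends on or how it relates to the `ssl.*` settings documented further down the page. Say whether cert-manager must already be installed, whether the issuer uses `ssl.server` and `ssl.email`, and whether it is created even when `ssl.createIssuer=false`, so operators are not surprised by an extra issuer in the namespace.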
@@ -491,40 +618,56 @@ helm repo add plane https://helm.plane.so/ To configure the external secrets for your application, you need to define specific environment variables for each secret category. Below is a list of the required secrets and their respective environment variables. -| Secret Name | Env Var Name | Required | Description | Example Value | -| ------------------------ | --------------------- | ----------------------------------------------------------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| rabbitmq_existingSecret | RABBITMQ_DEFAULT_USER | Required if `rabbitmq.local_setup=true` | The default RabbitMQ user | plane | -| | RABBITMQ_DEFAULT_PASS | Required if `rabbitmq.local_setup=true` | The default RabbitMQ password | plane | -| pgdb_existingSecret | POSTGRES_PASSWORD | Required if `postgres.local_setup=true` | Password for PostgreSQL database | plane | -| | POSTGRES_DB | Required if `postgres.local_setup=true` | Name of the PostgreSQL database | plane | -| | POSTGRES_USER | Required if `postgres.local_setup=true` | PostgreSQL user | plane | -| doc_store_existingSecret | USE_MINIO | Yes | Flag to enable MinIO as the storage backend | 1 | -| | MINIO_ROOT_USER | Yes | MinIO root user | admin | -| | MINIO_ROOT_PASSWORD | Yes | MinIO root password | password | -| | AWS_ACCESS_KEY_ID | Yes | AWS Access Key ID | your_aws_key | -| | AWS_SECRET_ACCESS_KEY | Yes | AWS Secret Access Key | your_aws_secret | -| | AWS_S3_BUCKET_NAME | Yes | AWS S3 Bucket Name | your_bucket_name | -| | AWS_S3_ENDPOINT_URL | Yes | Endpoint URL for AWS S3 or MinIO | `http://plane-minio.plane-ns.svc.cluster.local:9000` | -| | AWS_REGION | Optional | AWS region where your S3 bucket is located | your_aws_region | -| | FILE_SIZE_LIMIT | Yes | Limit for file uploads in your system | 5MB | -| 
app_env_existingSecret | SECRET_KEY | Yes | Random secret key | 60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5 | -| | REDIS_URL | Yes | Redis URL | `redis://plane-redis.plane-ns.svc.cluster.local:6379/` | -| | DATABASE_URL | Yes | PostgreSQL connection URL | k8s service example: `postgresql://plane:plane@plane-pgdb.plane-ns.svc.cluster.local:5432/plane` external service example: `postgresql://username:password@your-db-host:5432/plane` | -| | AMQP_URL | Yes | RabbitMQ connection URL | k8s service example: `amqp://plane:plane@plane-rabbitmq.plane-ns.svc.cluster.local:5672/` external service example: `amqp://username:password@your-rabbitmq-host:5672/` | -| live_env_existingSecret | REDIS_URL | Yes | Redis URL | `redis://plane-redis.plane-ns.svc.cluster.local:6379/` | -| silo_env_existingSecret | SILO_HMAC_SECRET_KEY | Yes | Silo HMAC secret Key | `` | -| | REDIS_URL | Yes | Redis URL | redis://plane-redis.plane-ns.svc.cluster.local:6379/ | -| | DATABASE_URL | Yes | PostgreSQL connection URL | k8s service example: postgresql://plane:plane@plane-pgdb.plane-ns.svc.cluster.local:5432/plane external service example: postgresql://username:password@your-db-host:5432/plane | -| | AMQP_URL | Yes | RabbitMQ connection URL | k8s service example: amqp://plane:plane@plane-rabbitmq.plane-ns.svc.cluster.local:5672/ external service example: amqp://username:password@your-rabbitmq-host:5672/ | -| | GITHUB_APP_NAME | Required if services.silo.connectors.github.enabled is true | GitHub app name | your_github_app_name | -| | GITHUB_APP_ID | Required if services.silo.connectors.github.enabled is true | GitHub app ID | your_github_app_id | -| | GITHUB_CLIENT_ID | Required if services.silo.connectors.github.enabled is true | GitHub client ID | your_github_client_id | -| | GITHUB_CLIENT_SECRET | Required if services.silo.connectors.github.enabled is true | GitHub client secret key | your_github_client_secret_key | -| | GITHUB_PRIVATE_KEY | Required if 
services.silo.connectors.github.enabled is true | GitHub private key | your_github_private_key | -| | SLACK_CLIENT_ID | Required if services.silo.connectors.slack.enabled is true | Slack client ID | your_slack_client_id | -| | SLACK_CLIENT_SECRET | Required if services.silo.connectors.slack.enabled is true | Slack client secret key | your_slack_client_secret_key | -| | GITLAB_CLIENT_ID | Required if services.silo.connectors.gitlab.enabled is true | GitLab client ID | your_gitlab_client_id | -| | GITLAB_CLIENT_SECRET | Required if services.silo.connectors.gitlab.enabled is true | GitLab client secret key | your_gitlab_client_secret_key | +| Secret Name | Env Var Name | Required | Description | Example Value | +| ------------------------- | --------------------------------- | ---------------------------------------------------------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| rabbitmq_existingSecret | RABBITMQ_DEFAULT_USER | Required if `rabbitmq.local_setup=true` | The default RabbitMQ user | plane | +| | RABBITMQ_DEFAULT_PASS | Required if `rabbitmq.local_setup=true` | The default RabbitMQ password | plane | +| pgdb_existingSecret | POSTGRES_PASSWORD | Required if `postgres.local_setup=true` | Password for PostgreSQL database | plane | +| | POSTGRES_DB | Required if `postgres.local_setup=true` | Name of the PostgreSQL database | plane | +| | POSTGRES_USER | Required if `postgres.local_setup=true` | PostgreSQL user | plane | +| opensearch_existingSecret | OPENSEARCH_ENABLED | Yes | Flag to enable OpenSearch | 1 (enabled) or 0 (disabled) | +| | OPENSEARCH_URL | Required if OpenSearch is enabled | OpenSearch connection URL | **k8s service example:** `http://plane-opensearch.plane-ns.svc.cluster.local:9200` **external service example:** 
`https://your-opensearch-host:9200` | +| | OPENSEARCH_USERNAME | Required if OpenSearch is enabled | Username for OpenSearch | **local setup:** plane **remote setup:** your_remote_username | +| | OPENSEARCH_PASSWORD | Required if OpenSearch is enabled | Password for OpenSearch | **local setup:** Secure@Pass#123!%^&\* **remote setup:** your_remote_password | +| | OPENSEARCH_INITIAL_ADMIN_PASSWORD | Required if `opensearch.local_setup=true` | Initial admin password for local OpenSearch | Secure@Pass#123!%^&\* | +| | OPENSEARCH_INDEX_PREFIX | Optional | Prefix for OpenSearch indices | plane\_ | +| doc_store_existingSecret | USE_MINIO | Yes | Flag to enable MinIO as the storage backend | 1 | +| | MINIO_ROOT_USER | Yes | MinIO root user | admin | +| | MINIO_ROOT_PASSWORD | Yes | MinIO root password | password | +| | AWS_ACCESS_KEY_ID | Yes | AWS Access Key ID | your_aws_key | +| | AWS_SECRET_ACCESS_KEY | Yes | AWS Secret Access Key | your_aws_secret | +| | AWS_S3_BUCKET_NAME | Yes | AWS S3 Bucket Name | your_bucket_name | +| | AWS_S3_ENDPOINT_URL | Yes | Endpoint URL for AWS S3 or MinIO | `http://plane-minio.plane-ns.svc.cluster.local:9000` | +| | AWS_REGION | Optional | AWS region where your S3 bucket is located | your_aws_region | +| | FILE_SIZE_LIMIT | Yes | Limit for file uploads in your system | 5MB | +| app_env_existingSecret | SECRET_KEY | Yes | Random secret key | 60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5 | +| | REDIS_URL | Yes | Redis URL | `redis://plane-redis.plane-ns.svc.cluster.local:6379/` | +| | DATABASE_URL | Yes | PostgreSQL connection URL | k8s service example: `postgresql://plane:plane@plane-pgdb.plane-ns.svc.cluster.local:5432/plane` external service example: `postgresql://username:password@your-db-host:5432/plane` | +| | AMQP_URL | Yes | RabbitMQ connection URL | k8s service example: `amqp://plane:plane@plane-rabbitmq.plane-ns.svc.cluster.local:5672/` external service example: `amqp://username:password@your-rabbitmq-host:5672/` | +| 
live_env_existingSecret | REDIS_URL | Yes | Redis URL | `redis://plane-redis.plane-ns.svc.cluster.local:6379/` | +| silo_env_existingSecret | SILO_HMAC_SECRET_KEY | Yes | Silo HMAC secret Key | `` | +| | REDIS_URL | Yes | Redis URL | redis://plane-redis.plane-ns.svc.cluster.local:6379/ | +| | DATABASE_URL | Yes | PostgreSQL connection URL | k8s service example: postgresql://plane:plane@plane-pgdb.plane-ns.svc.cluster.local:5432/plane external service example: postgresql://username:password@your-db-host:5432/plane | +| | AMQP_URL | Yes | RabbitMQ connection URL | k8s service example: amqp://plane:plane@plane-rabbitmq.plane-ns.svc.cluster.local:5672/ external service example: amqp://username:password@your-rabbitmq-host:5672/ | +| | GITHUB_APP_NAME | Required if `services.silo.connectors.github.enabled` is true | GitHub app name | your_github_app_name | +| | GITHUB_APP_ID | Required if `services.silo.connectors.github.enabled` is true | GitHub app ID | your_github_app_id | +| | GITHUB_CLIENT_ID | Required if `services.silo.connectors.github.enabled` is true | GitHub client ID | your_github_client_id | +| | GITHUB_CLIENT_SECRET | Required if `services.silo.connectors.github.enabled` is true | GitHub client secret key | your_github_client_secret_key | +| | GITHUB_PRIVATE_KEY | Required if `services.silo.connectors.github.enabled` is true | GitHub private key | your_github_private_key | +| | SLACK_CLIENT_ID | Required if `services.silo.connectors.slack.enabled` is true | Slack client ID | your_slack_client_id | +| | SLACK_CLIENT_SECRET | Required if `services.silo.connectors.slack.enabled` is true | Slack client secret key | your_slack_client_secret_key | +| | GITLAB_CLIENT_ID | Required if `services.silo.connectors.gitlab.enabled` is true | GitLab client ID | your_gitlab_client_id | +| | GITLAB_CLIENT_SECRET | Required if `services.silo.connectors.gitlab.enabled` is true | GitLab client secret key | your_gitlab_client_secret_key | +| pi_api_env_existingSecret | 
PLANE_PI_DATABASE_URL | Required if `services.pi.enabled=true` | PostgreSQL connection URL for Plane AI database | **k8s service example**: `postgresql://plane:plane@plane-pgdb.plane-ns.svc.cluster.local/plane_pi`

**external**: `postgresql://username:password@your-db-host:5432/plane_pi` | +| | AMQP_URL | Required if `services.pi.enabled=true` | RabbitMQ connection URL | **k8s service example**: `amqp://plane:plane@plane-rabbitmq.plane-ns.svc.cluster.local:5672/`

**external**: `amqp://username:password@your-rabbitmq-host:5672/` | +| | AES_SECRET_KEY | Required if `services.pi.enabled=true` | AES secret key for Plane AI | dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr (or your own value) | +| | OPENAI_API_KEY | required if `services.pi.ai_providers.openai.enabled` is true | OpenAI API key | your_openai_api_key | +| | CLAUDE_API_KEY | required if `services.pi.ai_providers.claude.enabled` is true | Claude API key | your_claude_api_key | +| | GROQ_API_KEY | required if `services.pi.ai_providers.groq.enabled` is true | Groq API key | your_groq_api_key | +| | COHERE_API_KEY | required if `services.pi.ai_providers.cohere.enabled` is true | Cohere API key | your_cohere_api_key | +| | CUSTOM_LLM_API_KEY | required if `services.pi.ai_providers.custom_llm.enabled` is true | Custom LLM API key | your_custom_llm_api_key | +| | BR_AWS_SECRET_ACCESS_KEY | required if `services.pi.ai_providers.embedding_model.enabled` is true | AWS secret for embedding model | your_aws_secret_access_key | +| | BR_AWS_SESSION_TOKEN | required if embedding model uses temporary credentials | AWS session token for embedding model | your_aws_session_token | #### Ingress and SSL Setup 
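Review bot: The `AES_SECRET_KEY` example under `pi_api_env_existingSecret` is the chart's published default (`dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr (or your own value)`), the same string shown for `env.silo_envs.aes_secret_key`. An external-secrets table is where operators copy values from, so use a placeholder in the style of `your_openai_api_key` from the neighbouring rows; the same applies to the `Secure@Pass#123!%^&\*` example given for `OPENSEARCH_PASSWORD` and `OPENSEARCH_INITIAL_ADMIN_PASSWORD`. Separately, the values table defines `env.pi_envs.internal_secret`, but this secret lists no matching variable; either add it or state that it cannot be supplied externally. Smaller points: the `PLANE_PI_DATABASE_URL` k8s example omits the `:5432` port that the other PostgreSQL examples include, and the new rows use lowercase "required if" where the rest of the column uses "Required if".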
@@ -538,7 +681,7 @@ To configure the external secrets for your application, you need to define speci | ssl.createIssuer | false | | Kubernets cluster setup supports creating issuer type resource. After deployment, this is step towards creating secure access to the ingress url. Issuer is required for you generate SSL certifiate. Kubernetes can be configured to use any of the certificate authority to generate SSL (depending on CertManager configuration). Set it to true to create the issuer. Applicable only when ingress.enabled=true | | ssl.issuer | http | | CertManager configuration allows user to create issuers using http or any of the other DNS Providers like cloudflare, digitalocean, etc. As of now Plane supports http, cloudflare, digitalocean | | ssl.token | | | To create issuers using DNS challenge, set the issuer api token of dns provider like cloudflare or digitalocean (not required for http) | -| ssl.server | | | Issuer creation configuration need the certificate generation authority server url. Default URL is the Let's Encrypt server | +| ssl.server | https://acme-v02.api.letsencrypt.org/directory | | Issuer creation configuration need the certificate generation authority server url. Default URL is the Let's Encrypt server | | ssl.email | plane@example.com | | Certificate generation authority needs a valid email id before generating certificate. Required when ssl.createIssuer=true | | ssl.generateCerts | false | | After creating the issuers, user can still not create the certificate untill sure of configuration. Setting this to true will try to generate SSL certificate and associate with ingress. Applicable only when ingress.enabled=true and ssl.createIssuer=true | | ssl.tls_secret_name | | | If you have a custom TLS secret name, set this to the name of the secret. Applicable only when ingress.enabled=true and ssl.createIssuer=false | 
@@ -558,16 +701,20 @@ To configure the external secrets for your application, you need to define speci ## Custom Ingress Routes -If you are planning to use 3rd party ingress providers, here is the available route configuration - -| Host | Path | Service | -| ----------------------- | :-----------: | ----------------------------------------- | --------------------------------------------------------------------------- | -| plane.example.com | `/` | `` | -| plane.example.com | `/spaces/*` | `` | -| plane.example.com | `/god-mode/*` | `` | -| plane.example.com | `/live/*` | `` | -| plane.example.com | `/api/*` | `` | -| plane.example.com | `/auth/*` | `` | -| plane.example.com | `/uploads/*` | `` | -| plane-minio.example.com | `/` | `` | -| plane-mq.example.com | `/` | `` | (Optional) if using local setup, this will enable management console access | +If you are planning to use 3rd party ingress providers, here is the available route configuration. + +| Host | Path | Service | Required | +| ----------------------- | :-------------: | --------------------------------------- | :-------------------------------------------------------------------------- | +| plane.example.com | / | | Yes | +| plane.example.com | /spaces/\* | | Yes | +| plane.example.com | /god-mode/\* | | Yes | +| plane.example.com | /live/\* | | Yes | +| plane.example.com | /silo/\* | | Yes (if `services.silo.enabled=true` ) | +| plane.example.com | /pi/\* | | Yes (if `services.pi.enabled=true`) | +| plane.example.com | /api/\* | | Yes | +| plane.example.com | /auth/\* | | Yes | +| plane.example.com | /graphql/\* | | Yes | +| plane.example.com | /marketplace/\* | | Yes | +| plane.example.com | /uploads/\* | | Yes (Only if using local setup) | +| plane-minio.example.com | / | | (Optional) if using local setup, this will enable minio console access | +| plane-mq.example.com | / | | (Optional) if using local setup, this will enable management console access | 
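Review bot: The route table now marks `/god-mode/*` as required and lists `plane-minio.example.com` and `plane-mq.example.com` as optional console hosts, with no guidance on restricting access to them. Given that this file documents `admin`/`password` and `plane`/`plane` as the default MinIO and RabbitMQ credentials, add a note that the two console hosts should only be routed when needed and should sit behind an allowlist or additional authentication at the ingress. Minor: the `/silo/*` row has a stray space before the closing parenthesis.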
diff --git a/docs/self-hosting/methods/kubernetes.md b/docs/self-hosting/methods/kubernetes.md index 457570e..9e42c96 100644 --- a/docs/self-hosting/methods/kubernetes.md +++ b/docs/self-hosting/methods/kubernetes.md @@ -31,7 +31,7 @@ Ensure you use use the latest Helm chart version. 2. Set the following environment variables: ```bash -PLANE_VERSION=v2.3.1 +PLANE_VERSION=v2.4.0 ``` ```bash @@ -39,7 +39,7 @@ DOMAIN_NAME= ``` ::: warning -When configuring the PLANE_VERSION environment variable, **do not** set it to `stable`. Always specify the latest version number (e.g., `2.3.1`). Using `stable` can lead to unexpected issues. +When configuring the PLANE_VERSION environment variable, **do not** set it to `stable`. Always specify the latest version number (e.g., `2.4.0`). Using `stable` can lead to unexpected issues. ::: 3. Add the Plane helm chart repo. @@ -86,7 +86,7 @@ helm repo add plane https://helm.plane.so/ i. Run the script below to download the `values.yaml` file and edit using any editor like Vim or Nano. Make sure you set the required environment variables listed below: - - `planeVersion: v2.3.1` + - `planeVersion: v2.4.0` - `license.licenseDomain: ` - `license.licenseServer: https://prime.plane.so` - `ingress.enabled: ` 
@@ -113,16 +113,51 @@ helm repo add plane https://helm.plane.so/ | Setting | Default | Required | Description | | --------------------- | :-----------------: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| planeVersion | v2.3.1 | Yes | Specifies the version of Plane to be deployed. Copy this from prime.plane.so. | +| planeVersion | v2.4.0 | Yes | Specifies the version of Plane to be deployed. Copy this from prime.plane.so. | | license.licenseDomain | 'plane.example.com' | Yes | The fully-qualified domain name (FQDN) in the format `sudomain.domain.tld` or `domain.tld` that the license is bound to. It is also attached to your `ingress` host to access Plane. | -#### Airgapped settings +### Airgapped Settings -| Setting | Default | Required | Description | -| ---------------------- | :-----: | :------: | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| airgapped.enabled | false | No | Specifies the airgapped mode the Plane API runs in. | -| airgapped.s3SecretName | "" | No | Name of the Secret that contains the CA certificate (.crt). The Secret must include a data key whose filename matches the basename of `airgapped.s3SecretKey` (default: `s3-custom-ca.crt`). Used to override S3’s CA when `airgapped.enabled=true`. 
Applying this secret looks like: `kubectl -n plane create secret generic plane-s3-ca \ --from-file=s3-custom-ca.crt=/path/to/your/ca.crt` | -| airgapped.s3SecretKey | "" | No | Key name of the secret to load the Custom Root CA from `airgapped.s3SecretName` | +| Setting | Default | Required | Description | +| ---------------------- | :-----: | :------: | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| airgapped.enabled | false | No | Enable airgapped mode for the Plane API. | +| airgapped.s3Secrets | [] | No | List of Kubernetes Secrets containing CA certificates to install. Each entry requires `name` (Secret name) and `key` (filename in the Secret). Example: `kubectl -n plane create secret generic plane-s3-ca --from-file=s3-custom-ca.crt=/path/to/ca.crt`. Supports multiple certs (e.g. S3 + internal CA). Available in v2.4.0 and later. | +| airgapped.s3SecretName | "" | No | **Deprecated**
Name of a single Kubernetes Secret containing the S3 CA cert. Used only when `s3Secrets` is empty. Use `s3Secrets` instead. | +| airgapped.s3SecretKey | "" | No | **Deprecated**
Key (filename) of the cert file inside the Secret. Used only when `s3Secrets` is empty. Set together with `airgapped.s3SecretName`. Use `s3Secrets` instead. | + +#### CA certificate configuration (For airgapped deployments only) + +Plane supports custom CA certificates for connecting to S3-compatible storage and other internal services in airgapped environments. + +- **New deployments:** Use `airgapped.s3Secrets` as shown in the table above. +- **Existing deployments using `s3SecretName` and `s3SecretKey`:** Your configuration still works. Migrate only if you need to use multiple CA certificates. + +#### Migrating to the new configuration + +:::warning +Requires Plane v2.4.0 or later. +::: + +The new `s3Secrets` configuration supports multiple CA certificates, useful if you need to trust certificates from different sources (e.g., S3 endpoint CA and internal PKI). If you only need a single certificate, migration is optional. + +To migrate: + +1. Add your existing secret to the `s3Secrets` list: + +```yaml +airgapped: + enabled: true + s3Secrets: + - name: plane-s3-ca # your existing s3SecretName value + key: s3-custom-ca.crt # your existing s3SecretKey value + + + # s3SecretName and s3SecretKey can be removed after migration +``` + +2. Remove `s3SecretName` and `s3SecretKey` from your values file. + +3. Upgrade your Helm release. #### Docker Registry diff --git a/docs/self-hosting/methods/podman-quadlets.md b/docs/self-hosting/methods/podman-quadlets.md index b9163e6..56b3ec0 100644 --- a/docs/self-hosting/methods/podman-quadlets.md +++ b/docs/self-hosting/methods/podman-quadlets.md @@ -47,7 +47,7 @@ Before we start, make sure you've got these covered: ```bash mkdir podman-quadlets - curl -fsSL https://prime.plane.so/releases/v2.3.1/podman-quadlets.tar.gz -o podman-quadlets.tar.gz + curl -fsSL https://prime.plane.so/releases/v2.4.0/podman-quadlets.tar.gz -o podman-quadlets.tar.gz tar -xvzf podman-quadlets.tar.gz -C podman-quadlets ```
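Review bot: In the `ssl.server` row of the hunk at `@@ -538,7 +681,7 @@`, the Default column now shows `https://acme-v02.api.letsencrypt.org/directory`, but the description still says only "Default URL is the Let's Encrypt server" and does not say that this is the Let's Encrypt production ACME directory. Please state that in the description, and note that `ssl.server` should be overridden with a staging or internal ACME directory when testing with `ssl.generateCerts=true`. Please also confirm that the chart's `values.yaml` carries the same default, since the old row showed an empty default. While this table is being touched, the neighbouring rows have typos worth fixing in the same change: "Kubernets", "certifiate" and "untill".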
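Review bot: In the Custom Ingress Routes hunk (`@@ -558,16 +701,20 @@`), the added `plane-minio.example.com` and `plane-mq.example.com` rows say these routes enable MinIO console and management console access, and `/god-mode/*` is listed as required on the main host, but nothing tells the reader to restrict who can reach them. Suggest a sentence under the table saying the two console hosts should be left unrouted unless needed, and limited to an admin network or an authenticated ingress when they are enabled. Separately, the Service cell is empty in every added row as shown here, so a reader wiring a 3rd party ingress cannot tell which backend each path maps to; please check that the service names survive rendering. Minor: `Yes (if `services.silo.enabled=true` )` has a stray space before the closing parenthesis, and the new Required column mixes "Yes" with "(Optional) ..." descriptions.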
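Review bot: In the `docs/self-hosting/methods/kubernetes.md` hunks at `@@ -31,7 +31,7 @@` and `@@ -39,7 +39,7 @@`, the variable is set as `PLANE_VERSION=v2.4.0` while the warning directly below gives the example as `2.4.0` without the `v` prefix, so the page contradicts itself on the expected format. Please make the warning example match the value the install step uses (`v2.4.0`), or state explicitly that both forms are accepted. The same literal is also updated by hand in the `planeVersion` bullet at `@@ -86,7 +86,7 @@` and in the settings table, so it may be worth defining the version once and referencing it to keep the next bump from missing a spot.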
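Review bot: In the hunk at `@@ -113,16 +113,51 @@`, the heading is promoted from `#### Airgapped settings` to `### Airgapped Settings`, but the unchanged `#### Docker Registry` that follows stays at level four, so Docker Registry now renders as a subsection of Airgapped Settings alongside the two new CA headings. Either keep the airgapped heading at `####` and put the new CA and migration sections one level below it, or promote the sibling sections too. The new admonition is written `:::warning` while the rest of this file uses `::: warning`; please match the existing form. In the migration steps, the YAML comment says `s3SecretName` and `s3SecretKey` "can be removed after migration" while step 2 removes them before the upgrade in step 3; pick one ordering. A final step that confirms the S3 connection still validates against the custom CA after the upgrade would help readers catch a misnamed `name` or `key` before they are tempted to work around a TLS failure.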
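Review bot: In the `docs/self-hosting/methods/podman-quadlets.md` hunk (`@@ -47,7 +47,7 @@`), the updated `curl -fsSL https://prime.plane.so/releases/v2.4.0/podman-quadlets.tar.gz` line is followed immediately by `tar -xvzf`, so the archive is unpacked with no integrity check. If the release publishes a checksum or signature for this tarball, please add a verification step between the download and the extraction; if it does not, that is worth raising separately. Since the version is embedded in the URL, consider reusing a variable for it here as the Kubernetes page does with `PLANE_VERSION`.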