[INFRA-420] - feat(plane-enterprise): decouple custom S3 CA from airgapped mode

[akshat5302]

What & why

Custom CA certificates for object storage / S3-compatible endpoints were only mounted when airgapped.enabled=true. Non-airgapped customers whose storage endpoint presents a certificate signed by a private/internal CA had no way to make Plane trust it without falsely enabling airgapped mode.

This decouples custom-CA support from airgapped mode and moves it to a dedicated top-level customCA section, while keeping the old airgapped.* keys working as a fallback.

Changes

• _helpers.tpl
  • plane.s3CAEnabled no longer requires .Values.airgapped.enabled; it's true whenever certs are configured under customCA.* or airgapped.*.
  • New plane.s3CAProjectedSources resolver centralizes precedence and normalizes the single-secret form into the list shape.
  • s3CAVolumes / s3CANodeVolumes rewritten to use the resolver (removes duplicated airgapped-only logic).
• values.yaml — new customCA section (s3Secrets, s3SecretName, s3SecretKey); airgapped.s3* marked deprecated fallback.
• questions.yml — new "Custom CA Setup" group for the Rancher form.
• README.md — new "Custom CA Certificates" section + updated migration/backward-compat notes.
• Chart.yaml — 2.6.1 → 2.7.0.

Resolution precedence: customCA.s3Secrets → customCA single secret → airgapped.s3Secrets → airgapped single secret.

Not changed

No deployment/job templates were touched — all 8 CA-consuming workloads (silo, api, worker, live, pi-*) use the shared helpers, so they inherit the new behavior automatically. The remaining airgapped.enabled references (monitor startup command, airgapped env/config) are genuine airgapped-mode behavior and intentionally left as-is.

Backward compatibility

Existing configs under airgapped.s3Secrets / airgapped.s3SecretName+s3SecretKey continue to work unchanged — no migration required on upgrade.

Testing

• helm lint — passes.
• helm template verified across: customCA list (multi-secret), customCA single-secret, legacy airgapped fallback, precedence (customCA wins), and disabled (no CA volume rendered).

Summary by CodeRabbit

• New Features

  • Added customCA configuration for custom CA certificates, independent of airgapped.enabled.

• Chores

  • Updated Helm chart version to 2.7.0.

• Documentation

  • Updated configuration documentation with new custom CA certificate settings and migration guidance for legacy airgapped.s3* parameters.

[makeplane]

Linked to Plane Work Item(s)

• (INFRA-420) plane-enterprise: decouple custom S3/CA certificate support from airgapped mode

This comment was auto-generated by Plane

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 684aa0ce-ff48-4e72-a7af-423699231c0f

📥 Commits

Reviewing files that changed from the base of the PR and between 728c9d9 and 329682f.

📒 Files selected for processing (4)

• charts/plane-enterprise/Chart.yaml
• charts/plane-enterprise/README.md
• charts/plane-enterprise/templates/_helpers.tpl
• charts/plane-enterprise/values.yaml

---

Walkthrough

The PR introduces a new top-level customCA Helm values section for specifying custom CA certificates for S3/object-storage endpoints, decoupled from airgapped.enabled. A new plane.s3CAProjectedSources helper normalizes secret resolution with explicit precedence across customCA and legacy airgapped keys. README docs and migration guidance are updated, and the chart version is bumped to 2.7.0.

Changes

Custom CA Certificate Configuration

Layer / File(s)	Summary
customCA values contract and helper template logic charts/plane-enterprise/values.yaml, charts/plane-enterprise/templates/_helpers.tpl	Adds a top-level customCA: section with s3Secrets, s3SecretName, s3SecretKey keys; marks airgapped.s3* as deprecated fallbacks. Updates plane.s3CAEnabled to check both customCA and airgapped keys without requiring airgapped.enabled. Adds plane.s3CAProjectedSources to compute projected-volume sources with four-level precedence. Wires both plane.s3CAVolumes and plane.s3CANodeVolumes to delegate to the new helper.
README custom CA docs and migration guide charts/plane-enterprise/README.md	Marks airgapped.s3* table entries as deprecated, adds a "Custom CA Certificates" section documenting customCA.* settings, resolution precedence, and an example YAML, and replaces the old backward-compatibility subsection with a migration guide from airgapped.s3Secrets to customCA.s3Secrets.
Chart version bump charts/plane-enterprise/Chart.yaml	Updates version from 2.6.1 to 2.7.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

• mguptahub

Poem

🐰 Hop, hop! The certs now roam free,
No longer caged by airgapped's decree.
customCA blooms at the top of the chart,
With precedence logic—a well-crafted art.
Version 2.7.0, off we go! 🎉

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: decoupling custom S3 CA certificate support from airgapped mode in the Plane Helm chart. It is concise, uses proper formatting with a ticket reference, and accurately reflects the primary objective of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/custom-ca-decouple-airgapped

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}