
[INFRA-422] - chore(plane-enterprise): placeholder defaults for signing secrets (PI/LIVE/HMAC)#254

Open
akshat5302 wants to merge 1 commit into
masterfrom
fix/placeholder-signing-secret-defaults

Conversation


@akshat5302 akshat5302 commented Jun 23, 2026

Member

What & why

Follow-up to #253 (INFRA-421), which merged only the PI_INTERNAL_SECRET ConfigMap→Secret move. The chart still ships identical baked-in defaults for several signing secrets, so every install shares the same keys unless overridden.

This replaces those defaults with an obvious "change me" placeholder.

| Secret | Old default | New default |
|---|---|---|
| PI_INTERNAL_SECRET | tyfvfqv… | change-to-top-secret |
| LIVE_SERVER_SECRET_KEY | htbqv… | change-to-top-secret |
| SILO_HMAC_SECRET_KEY | gzb7… | change-to-top-secret |

Intentionally left unchanged

  • AES_SECRET_KEY — rotating the AES key breaks already-encrypted data, so it must not change silently via a chart default.
  • Django SECRET_KEY — same rationale (hashing/encryption of existing data).

Changes

  • templates/config-secrets/{app-env,live-env,silo,pi-api-env}.yaml — placeholder defaults for the three signing secrets.
  • values.yaml, questions.yml — matching defaults.
  • README.md — placeholder values reflected in the values reference.
  • Chart.yaml — 2.6.2 → 2.6.3.

Notes

  • Each secret is still driven by a single values key, so app/silo/pi stay in sync.
  • Behaviour change: installs relying on the old baked-in defaults must now set their own values for these three secrets (that's the point).

Testing

  • helm lint — passes.
  • Verified the three signing secrets render as change-to-top-secret while AES_SECRET_KEY and SECRET_KEY keep their original defaults.
  • The placeholder signing secrets were validated runtime-safe in an earlier live deploy (full stack Ready, HTTP 200).

Summary by CodeRabbit

  • New Features
    • Chart version updated to 2.6.3 with aligned application version.
  • Documentation
    • Updated configuration examples to use standardized placeholder values for secret fields across deployment guides and configuration tables.
  • Chores
    • Standardized default secret placeholders in Helm chart configuration files for improved consistency.

Replace the shipped baked-in defaults for PI_INTERNAL_SECRET,
LIVE_SERVER_SECRET_KEY and SILO_HMAC_SECRET_KEY with the placeholder
"change-to-top-secret" so installs don't silently share identical signing
keys. Updated across templates, values.yaml, questions.yml and README.

AES_SECRET_KEY and Django SECRET_KEY are intentionally left unchanged -
rotating those is a breaking change for already-encrypted/hashed data.

Chart bumped to 2.6.3.
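One way to turn the "verified the three signing secrets render as change-to-top-secret" check into a repeatable CI gate, as an added example that is not part of this PR or the chart: scan rendered manifests (the output of `helm template`) for any Secret whose value still equals a known placeholder, decoding base64 `data` entries as well as plain `stringData`. The manifest text, secret names and the AES value below are constructed for the example.

```python
import base64

# Constructed stand-in for `helm template` output; not the chart's real output.
RENDERED = """\
---
apiVersion: v1
kind: Secret
metadata:
  name: plane-app-env
stringData:
  LIVE_SERVER_SECRET_KEY: "change-to-top-secret"
  PI_INTERNAL_SECRET: "change-to-top-secret"
  AES_SECRET_KEY: "0123456789abcdef0123456789abcdef"
---
apiVersion: v1
kind: Secret
metadata:
  name: plane-silo
data:
  SILO_HMAC_SECRET_KEY: Y2hhbmdlLXRvLXRvcC1zZWNyZXQ=
"""

PLACEHOLDERS = {"change-to-top-secret"}


def iter_secret_values(manifest):
    """Yield (secret_name, key, decoded_value) for every Secret in a
    multi-document YAML string. Handles only the flat key/value layout
    that Helm emits for Secrets, so no YAML library is needed."""
    kind = name = section = None
    for raw in manifest.splitlines():
        line = raw.strip()
        if line == "---":
            kind = name = section = None
        elif not raw.startswith(" "):            # a new top-level mapping key
            section = line[:-1] if line in ("data:", "stringData:") else None
            if line.startswith("kind:"):
                kind = line.split(":", 1)[1].strip()
        elif line.startswith("name:") and section is None:
            name = line.split(":", 1)[1].strip()  # metadata.name
        elif section and kind == "Secret" and ":" in line:
            key, value = (s.strip() for s in line.split(":", 1))
            value = value.strip('"')
            if section == "data":                # base64 per the Secret API
                value = base64.b64decode(value).decode()
            yield name, key, value


def find_placeholder_secrets(manifest, placeholders=PLACEHOLDERS):
    """Return [(secret_name, key)] for values that are still a placeholder."""
    return [(n, k) for n, k, v in iter_secret_values(manifest) if v in placeholders]
```

A non-empty result should fail the pipeline; the real secrets, such as AES_SECRET_KEY above, are not reported.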

coderabbitai Bot commented Jun 23, 2026

Contributor


Walkthrough

The chart version is bumped from 2.6.2 to 2.6.3. Three previously hardcoded secret default values (live_server_secret_key, hmac_secret_key, internal_secret) are replaced with the placeholder string change-to-top-secret across values.yaml, four Kubernetes Secret templates, questions.yml, and README.md.

Changes

Secret Placeholder Cleanup and Chart Version Bump

| Layer | File(s) | Summary |
|---|---|---|
| Secret default placeholder replacement | charts/plane-enterprise/values.yaml, charts/plane-enterprise/templates/config-secrets/app-env.yaml, charts/plane-enterprise/templates/config-secrets/live-env.yaml, charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml, charts/plane-enterprise/templates/config-secrets/silo.yaml, charts/plane-enterprise/questions.yml, charts/plane-enterprise/README.md | Hardcoded secret defaults for LIVE_SERVER_SECRET_KEY, PI_INTERNAL_SECRET, and SILO_HMAC_SECRET_KEY are replaced with change-to-top-secret in default values, all four Kubernetes Secret templates, Rancher questions defaults, and README example tables. |
| Chart version bump | charts/plane-enterprise/Chart.yaml | version incremented from 2.6.2 to 2.6.3. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • makeplane/helm-charts#231: Also bumps version/appVersion in charts/plane-enterprise/Chart.yaml in the same pattern as this PR.
  • makeplane/helm-charts#247: Bumps charts/plane-enterprise/Chart.yaml version/appVersion to 2.6.3, directly overlapping with this PR's chart metadata change.
  • makeplane/helm-charts#253: Modifies charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml around the same PI_INTERNAL_SECRET field updated in this PR.

Suggested reviewers

  • pratapalakshmi

Poem

🐇 No more secrets hiding in plain sight,
The placeholder hops in, shining bright.
change-to-top-secret guards every key,
From live to silo, as safe as can be.
Version bumped — 2.6.3 is here! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: replacing hardcoded default signing secret values with placeholder defaults in the plane-enterprise chart. It references the related issue (INFRA-422) and clearly conveys the scope and purpose of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



makeplane Bot commented Jun 23, 2026


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 1

🧹 Nitpick comments (1)
charts/plane-enterprise/README.md (1)

456-456: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Make these placeholders explicitly “must override” in docs.

Line 456 and Line 568 now show a known placeholder secret, but the table does not clearly communicate that this value is unsafe for real deployments. Please mark them as required when corresponding services are enabled (or add a prominent warning in the description).

Also applies to: 568-568

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/plane-enterprise/README.md` at line 456, The documentation table
contains placeholder secret values like "change-to-top-secret" for parameters
such as env.live_server_secret_key (and the corresponding parameter at line 568)
that are not clearly marked as requiring override for real deployments. Update
the description column in the table for these secret parameters to explicitly
indicate they are placeholders that must be changed for production use, either
by adding "REQUIRED - must override" language or by including a prominent
warning that these default values are unsafe and must be replaced in real
deployments.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 91ab2451-e345-45c8-b20e-af6f8bfed368

📥 Commits

Reviewing files that changed from the base of the PR and between f38dfca and 5c0ff63.

📒 Files selected for processing (8)
  • charts/plane-enterprise/Chart.yaml
  • charts/plane-enterprise/README.md
  • charts/plane-enterprise/questions.yml
  • charts/plane-enterprise/templates/config-secrets/app-env.yaml
  • charts/plane-enterprise/templates/config-secrets/live-env.yaml
  • charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml
  • charts/plane-enterprise/templates/config-secrets/silo.yaml
  • charts/plane-enterprise/values.yaml

Comment on lines +14 to +15
LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "change-to-top-secret" | quote }}
PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "change-to-top-secret" | quote }}


🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Block installs that still use placeholder signing secrets.

Line 14 and Line 15 still allow rendering a known shared secret (change-to-top-secret) when operators forget to override values. That keeps token/signature secrets predictable at deploy time.

Suggested fail-fast guard
+{{- $liveSecret := required "env.live_server_secret_key is required and must not use the placeholder" .Values.env.live_server_secret_key -}}
+{{- if eq $liveSecret "change-to-top-secret" -}}
+{{- fail "env.live_server_secret_key must be changed from the placeholder" -}}
+{{- end -}}
+{{- $piInternal := required "env.pi_envs.internal_secret is required and must not use the placeholder" .Values.env.pi_envs.internal_secret -}}
+{{- if eq $piInternal "change-to-top-secret" -}}
+{{- fail "env.pi_envs.internal_secret must be changed from the placeholder" -}}
+{{- end -}}
-  LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "change-to-top-secret" | quote }}
-  PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "change-to-top-secret" | quote }}
+  LIVE_SERVER_SECRET_KEY: {{ $liveSecret | quote }}
+  PI_INTERNAL_SECRET: {{ $piInternal | quote }}
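Review bot: the right-hand trim on the last guard line, `{{- end -}}`, swallows the newline and the two-space indent in front of `+  LIVE_SERVER_SECRET_KEY: {{ $liveSecret | quote }}`, so in the rendered Secret that key is appended to the end of whatever line precedes the guard block instead of starting its own indented line, which breaks the YAML. Use `{{- end }}` (no trailing dash) on the final `end`, or move the eight guard lines above the resource header where nothing indented follows them, and confirm with `helm template` that the keys still render under the data block. Also note that `required` drops the `default` fallback entirely, so an install that leaves the values.yaml placeholder in place now fails at render time as intended; the helm lint / render step listed under Testing will need real values supplied for these keys.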

Apply the same guard pattern to charts/plane-enterprise/templates/config-secrets/live-env.yaml (Line 9), charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml (Line 66), and charts/plane-enterprise/templates/config-secrets/silo.yaml (Line 10) for consistency.

📝 Committable suggestion

Suggested change
LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "change-to-top-secret" | quote }}
PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "change-to-top-secret" | quote }}
{{- $liveSecret := required "env.live_server_secret_key is required and must not use the placeholder" .Values.env.live_server_secret_key -}}
{{- if eq $liveSecret "change-to-top-secret" -}}
{{- fail "env.live_server_secret_key must be changed from the placeholder" -}}
{{- end -}}
{{- $piInternal := required "env.pi_envs.internal_secret is required and must not use the placeholder" .Values.env.pi_envs.internal_secret -}}
{{- if eq $piInternal "change-to-top-secret" -}}
{{- fail "env.pi_envs.internal_secret must be changed from the placeholder" -}}
{{- end -}}
LIVE_SERVER_SECRET_KEY: {{ $liveSecret | quote }}
PI_INTERNAL_SECRET: {{ $piInternal | quote }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@charts/plane-enterprise/templates/config-secrets/app-env.yaml` around lines
14 - 15, Add fail-fast validation guards to prevent Helm chart rendering when
placeholder signing secrets are still in use. For LIVE_SERVER_SECRET_KEY and
PI_INTERNAL_SECRET in app-env.yaml (lines 14-15), apply a guard that detects
when the default "change-to-top-secret" value is being used and fails the
deployment. Apply the identical guard pattern to LIVE_SERVER_SECRET_KEY in
charts/plane-enterprise/templates/config-secrets/live-env.yaml (line 9),
PI_INTERNAL_SECRET in
charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml (line 66), and
SILO_SECRET_KEY in charts/plane-enterprise/templates/config-secrets/silo.yaml
(line 10) to ensure consistency across all secret configuration files and
prevent accidental deployments with known placeholder values.
