From 5c0ff6314533f1a8120bc07a9c0b469cb51341a2 Mon Sep 17 00:00:00 2001 From: akshat5302 Date: Tue, 23 Jun 2026 14:17:08 +0530 Subject: [PATCH] chore(plane-enterprise): use placeholder defaults for signing secrets Replace the shipped baked-in defaults for PI_INTERNAL_SECRET, LIVE_SERVER_SECRET_KEY and SILO_HMAC_SECRET_KEY with the placeholder "change-to-top-secret" so installs don't silently share identical signing keys. Updated across templates, values.yaml, questions.yml and README. AES_SECRET_KEY and Django SECRET_KEY are intentionally left unchanged - rotating those is a breaking change for already-encrypted/hashed data. Chart bumped to 2.6.3. --- charts/plane-enterprise/Chart.yaml | 2 +- charts/plane-enterprise/README.md | 6 +++--- charts/plane-enterprise/questions.yml | 4 ++-- .../plane-enterprise/templates/config-secrets/app-env.yaml | 4 ++-- .../plane-enterprise/templates/config-secrets/live-env.yaml | 2 +- .../templates/config-secrets/pi-api-env.yaml | 2 +- charts/plane-enterprise/templates/config-secrets/silo.yaml | 2 +- charts/plane-enterprise/values.yaml | 6 +++--- 8 files changed, 14 insertions(+), 14 deletions(-) diff --git a/charts/plane-enterprise/Chart.yaml b/charts/plane-enterprise/Chart.yaml index 5a4c9758..a84088ad 100644 --- a/charts/plane-enterprise/Chart.yaml +++ b/charts/plane-enterprise/Chart.yaml @@ -5,7 +5,7 @@ description: Meet Plane. An Enterprise software development tool to manage issue type: application -version: 2.6.2 +version: 2.6.3 appVersion: "2.6.3" home: https://plane.so/ diff --git a/charts/plane-enterprise/README.md b/charts/plane-enterprise/README.md index 7cb14971..fd8f01d1 100644 --- a/charts/plane-enterprise/README.md +++ b/charts/plane-enterprise/README.md 
@@ -453,7 +453,7 @@ securityContext: | env.live_sentry_dsn | | | (optional) Live service deployment comes with some of the preconfigured integration. Sentry is one among those. Here user can set the Sentry provided DSN for this integration. | | env.live_sentry_environment | | | (optional) Live service deployment comes with some of the preconfigured integration. Sentry is one among those. Here user can set the Sentry environment name (as configured in Sentry) for this integration. | | env.live_sentry_traces_sample_rate | | | (optional) Live service deployment comes with some of the preconfigured integration. Sentry is one among those. Here user can set the Sentry trace sample rate (as configured in Sentry) for this integration. | -| env.live_server_secret_key | htbqvBJAgpm9bzvf3r4urJer0ENReatceh | | Live Server Secret Key | +| env.live_server_secret_key | change-to-top-secret | | Live Server Secret Key | | env.external_iframely_url | "" | | External Iframely service URL. If provided, the local Iframely deployment will be skipped and the live service will use this external URL | | services.live.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service | | services.live.nodeSelector | {} | | This key allows you to set the node selector for the deployment of `live`. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. | 
@@ -565,7 +565,7 @@ securityContext: | services.pi.annotations | {} | | Custom annotations to add to the Plane AI (PI) API deployment. | | env.pg_pi_db_name | plane_pi | | PostgreSQL database name used by Plane AI (PI) when `postgres.local_setup=true`. | | env.pg_pi_db_remote_url | "" | | PostgreSQL connection URL for Plane AI (PI) when using a remote database. Required when `postgres.local_setup=false` and Plane AI (PI) is enabled. | -| env.pi_envs.internal_secret | tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk | | Internal secret used by Plane AI (PI) for OAuth and internal APIs. | +| env.pi_envs.internal_secret | change-to-top-secret | | Internal secret used by Plane AI (PI) for OAuth and internal APIs. | | env.pi_envs.plane_api_host | "" | | Override for the Plane API host URL used by Plane AI (PI). Defaults to the license domain. | | env.pi_envs.cors_allowed_origins | "" | | CORS allowed origins for Plane AI (PI) API. Defaults to the license domain. | | env.pi_envs.log_level | DEBUG | | Log level for Plane AI (PI) API (e.g. DEBUG, INFO, WARNING, ERROR). | @@ -835,7 +835,7 @@ To configure the external secrets for your application, you need to define speci | pi_api_env_existingSecret | `PLANE_PI_DATABASE_URL` | Yes (if `services.pi.enabled=true`) | PostgreSQL connection URL for Plane AI (PI) database | **k8s service example**: `postgresql://plane:plane@plane-pgdb.plane-ns.svc.cluster.local/plane_pi`

**external**: `postgresql://username:password@your-db-host:5432/plane_pi` | | | `AMQP_URL` | Yes (if `services.pi.enabled=true`) | RabbitMQ connection URL | **k8s service example**: `amqp://plane:plane@plane-rabbitmq.plane-ns.svc.cluster.local:5672/`

**external**: `amqp://username:password@your-rabbitmq-host:5672/` | | | `AES_SECRET_KEY` | Yes (if `services.pi.enabled=true`) | AES secret key for Plane AI (PI) | `dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr` (or your own value) | -| | `PI_INTERNAL_SECRET` | Yes (if `services.pi.enabled=true`) | Internal secret used by Plane AI (PI) for OAuth and internal APIs | `tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk` (or your own value) | +| | `PI_INTERNAL_SECRET` | Yes (if `services.pi.enabled=true`) | Internal secret used by Plane AI (PI) for OAuth and internal APIs | `change-to-top-secret` (or your own value) | | | `OPENAI_API_KEY` | required if `services.pi.ai_providers.openai.enabled` is `true` | OpenAI API key | `your_openai_api_key` | | | `CLAUDE_API_KEY` | required if `services.pi.ai_providers.claude.enabled` is `true` | Claude API key | `your_claude_api_key` | | | `GROQ_API_KEY` | required if `services.pi.ai_providers.groq.enabled` is `true` | Groq API key | `your_groq_api_key` | diff --git a/charts/plane-enterprise/questions.yml b/charts/plane-enterprise/questions.yml index 7429d97c..14606723 100644 --- a/charts/plane-enterprise/questions.yml +++ b/charts/plane-enterprise/questions.yml @@ -261,7 +261,7 @@ questions: - variable: env.live_server_secret_key label: "Live Server Secret Key" type: string - default: "htbqvBJAgpm9bzvf3r4urJer0ENReatceh" + default: "change-to-top-secret" - variable: services.silo.enabled label: "Install Silo Service" @@ -870,7 +870,7 @@ questions: - variable: env.pi_envs.internal_secret label: "Plane AI (PI) Internal Secret" type: string - default: "tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk" + default: "change-to-top-secret" - variable: env.pi_envs.log_level label: "Log Level" type: string diff --git a/charts/plane-enterprise/templates/config-secrets/app-env.yaml b/charts/plane-enterprise/templates/config-secrets/app-env.yaml index c3e14746..7ced7c0f 100644 --- a/charts/plane-enterprise/templates/config-secrets/app-env.yaml 
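Review bot: Both secret questions (`env.live_server_secret_key` in this hunk and `env.pi_envs.internal_secret` in the @@ -870 hunk) keep `type: string` with a pre-filled `default:`, so the install form shows the value in clear text and lets an operator click through with the shared placeholder. Consider `type: password` with `required: true` and no `default:` line, so the form forces a per-install value. This assumes the questions schema targeted by the chart supports the password type; confirm against the Rancher version in use.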
+++ b/charts/plane-enterprise/templates/config-secrets/app-env.yaml @@ -11,8 +11,8 @@ metadata: stringData: SECRET_KEY: {{ .Values.env.secret_key | default "60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5" | quote }} AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }} - LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "htbqvBJAgpm9bzvf3r4urJer0ENReatceh" | quote }} - PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk" | quote }} + LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "change-to-top-secret" | quote }} + PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "change-to-top-secret" | quote }} {{- if .Values.services.redis.local_setup }} REDIS_URL: "redis://{{ .Release.Name }}-redis.{{ .Release.Namespace }}.svc.cluster.local:6379/" diff --git a/charts/plane-enterprise/templates/config-secrets/live-env.yaml b/charts/plane-enterprise/templates/config-secrets/live-env.yaml index 8786a72e..3bf1e3e8 100644 --- a/charts/plane-enterprise/templates/config-secrets/live-env.yaml +++ b/charts/plane-enterprise/templates/config-secrets/live-env.yaml @@ -6,7 +6,7 @@ metadata: namespace: {{ .Release.Namespace }} name: {{ .Release.Name }}-live-secrets stringData: - LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "htbqvBJAgpm9bzvf3r4urJer0ENReatceh" | quote }} + LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "change-to-top-secret" | quote }} {{- if .Values.services.redis.local_setup }} REDIS_URL: "redis://{{ .Release.Name }}-redis.{{ .Release.Namespace }}.svc.cluster.local:6379/" {{- else }} diff --git a/charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml b/charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml index 8e91879d..030dd4fa 100644 --- a/charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml 
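Review bot: The fallback `default "change-to-top-secret"` on `LIVE_SERVER_SECRET_KEY` and `PI_INTERNAL_SECRET` still renders one publicly documented value for every install that leaves the keys unset. The two secrets had distinct defaults before and now collapse to the same string. The same pattern is in the live-env.yaml, pi-api-env.yaml and silo.yaml hunks. Failing the render is safer than falling back, e.g. `LIVE_SERVER_SECRET_KEY: {{ required "env.live_server_secret_key must be set" .Values.env.live_server_secret_key | quote }}`. The `stringData` block continues outside the hunk.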
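Review bot: `LIVE_SERVER_SECRET_KEY` is rendered here with its own copy of the expression already present in app-env.yaml, so the two Secrets agree only as long as both literals are edited together. A single named template (`define`/`include`) used from both files would keep them in step. Presumably the services reading these two Secrets must hold the same key, so drift would surface as runtime verification failures rather than a render error.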
+++ b/charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml @@ -63,7 +63,7 @@ stringData: AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }} - PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk" | quote }} + PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "change-to-top-secret" | quote }} {{- end }} --- diff --git a/charts/plane-enterprise/templates/config-secrets/silo.yaml b/charts/plane-enterprise/templates/config-secrets/silo.yaml index cd5ed7cc..42960ac5 100644 --- a/charts/plane-enterprise/templates/config-secrets/silo.yaml +++ b/charts/plane-enterprise/templates/config-secrets/silo.yaml @@ -7,7 +7,7 @@ metadata: namespace: {{ .Release.Namespace }} name: {{ .Release.Name }}-silo-secrets stringData: - SILO_HMAC_SECRET_KEY: {{ .Values.env.silo_envs.hmac_secret_key | default "gzb7MRLr0FoN129NyWARZEs84P9LzQ" | quote }} + SILO_HMAC_SECRET_KEY: {{ .Values.env.silo_envs.hmac_secret_key | default "change-to-top-secret" | quote }} AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }} {{- if .Values.services.postgres.local_setup }} diff --git a/charts/plane-enterprise/values.yaml b/charts/plane-enterprise/values.yaml index 6913c4be..46d5eb26 100644 --- a/charts/plane-enterprise/values.yaml +++ b/charts/plane-enterprise/values.yaml @@ -564,7 +564,7 @@ env: live_sentry_dsn: "" live_sentry_environment: "" live_sentry_traces_sample_rate: "" - live_server_secret_key: "htbqvBJAgpm9bzvf3r4urJer0ENReatceh" + live_server_secret_key: "change-to-top-secret" external_iframely_url: "" silo_envs: @@ -574,7 +574,7 @@ env: batch_size: 100 mq_prefetch_count: 1 request_interval: 400 - hmac_secret_key: 'gzb7MRLr0FoN129NyWARZEs84P9LzQ' + hmac_secret_key: 'change-to-top-secret' aes_secret_key: 'dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr' cors_allowed_origins: '' 
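Review bot: values.yaml now ships `live_server_secret_key: "change-to-top-secret"` (and likewise `hmac_secret_key` and `internal_secret` in the @@ -574 and @@ -617 hunks), so the value is never empty. Any emptiness check in the templates is therefore bypassed, and a default install gets three identical, documented keys. Shipping `live_server_secret_key: ""` with a comment such as `# required: set a unique random value per install` would let the templates reject an unset key. The release notes should also say that installs which never overrode these values will presumably have their keys replaced by the placeholder on upgrade, unless the previous values are reused.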
@@ -617,7 +617,7 @@ env: plane_api_host: '' follower_postgres_uri: '' cors_allowed_origins: '' - internal_secret: 'tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk' + internal_secret: 'change-to-top-secret' log_level: 'DEBUG' celery: