2 changes: 1 addition & 1 deletion charts/plane-enterprise/Chart.yaml
@@ -5,7 +5,7 @@ description: Meet Plane. An Enterprise software development tool to manage issue

type: application

version: 2.6.2
version: 2.6.3
appVersion: "2.6.3"

home: https://plane.so/
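Review bot: the chart version bump is justified because templates and values change, but the same release replaces the shipped defaults for env.live_server_secret_key, env.silo_envs.hmac_secret_key and env.pi_envs.internal_secret with the placeholder change-to-top-secret, so an existing release that never overrode those values will have LIVE_SERVER_SECRET_KEY, SILO_HMAC_SECRET_KEY and PI_INTERNAL_SECRET re-rendered with a different value on upgrade. That is a silent key rotation; document it in the 2.6.3 release notes and tell operators to set these values explicitly before upgrading.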
6 changes: 3 additions & 3 deletions charts/plane-enterprise/README.md
@@ -453,7 +453,7 @@ securityContext:
| env.live_sentry_dsn | | | (optional) Live service deployment comes with some of the preconfigured integration. Sentry is one among those. Here user can set the Sentry provided DSN for this integration. |
| env.live_sentry_environment | | | (optional) Live service deployment comes with some of the preconfigured integration. Sentry is one among those. Here user can set the Sentry environment name (as configured in Sentry) for this integration. |
| env.live_sentry_traces_sample_rate | | | (optional) Live service deployment comes with some of the preconfigured integration. Sentry is one among those. Here user can set the Sentry trace sample rate (as configured in Sentry) for this integration. |
| env.live_server_secret_key | htbqvBJAgpm9bzvf3r4urJer0ENReatceh | | Live Server Secret Key |
| env.live_server_secret_key | change-to-top-secret | | Live Server Secret Key |
| env.external_iframely_url | "" | | External Iframely service URL. If provided, the local Iframely deployment will be skipped and the live service will use this external URL |
| services.live.assign_cluster_ip | false | | Set it to `true` if you want to assign `ClusterIP` to the service |
| services.live.nodeSelector | {} | | This key allows you to set the node selector for the deployment of `live`. This is useful when you want to run the deployment on specific nodes in your Kubernetes cluster. |
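Review bot: the Default column for env.live_server_secret_key now shows the placeholder, but the Description column (`Live Server Secret Key`) gives no hint that the value is unusable as shipped, and this table is what operators read before install. Suggest `Live Server Secret Key. The default is a placeholder and must be replaced with a randomly generated value; the chart should refuse to install with it.`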
@@ -565,7 +565,7 @@ securityContext:
| services.pi.annotations | {} | | Custom annotations to add to the Plane AI (PI) API deployment. |
| env.pg_pi_db_name | plane_pi | | PostgreSQL database name used by Plane AI (PI) when `postgres.local_setup=true`. |
| env.pg_pi_db_remote_url | "" | | PostgreSQL connection URL for Plane AI (PI) when using a remote database. Required when `postgres.local_setup=false` and Plane AI (PI) is enabled. |
| env.pi_envs.internal_secret | tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk | | Internal secret used by Plane AI (PI) for OAuth and internal APIs. |
| env.pi_envs.internal_secret | change-to-top-secret | | Internal secret used by Plane AI (PI) for OAuth and internal APIs. |
| env.pi_envs.plane_api_host | "" | | Override for the Plane API host URL used by Plane AI (PI). Defaults to the license domain. |
| env.pi_envs.cors_allowed_origins | "" | | CORS allowed origins for Plane AI (PI) API. Defaults to the license domain. |
| env.pi_envs.log_level | DEBUG | | Log level for Plane AI (PI) API (e.g. DEBUG, INFO, WARNING, ERROR). |
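Review bot: same documentation gap for env.pi_envs.internal_secret: the description `Internal secret used by Plane AI (PI) for OAuth and internal APIs` should state that the shipped default is a placeholder that must be overridden, since this value is what authenticates calls to the internal APIs. Suggest appending `Must be overridden with a randomly generated value; the default is a placeholder.`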
@@ -835,7 +835,7 @@ To configure the external secrets for your application, you need to define speci
| pi_api_env_existingSecret | `PLANE_PI_DATABASE_URL` | Yes (if `services.pi.enabled=true`) | PostgreSQL connection URL for Plane AI (PI) database | **k8s service example**: `postgresql://plane:plane@plane-pgdb.plane-ns.svc.cluster.local/plane_pi` <br> <br>**external**: `postgresql://username:password@your-db-host:5432/plane_pi` |
| | `AMQP_URL` | Yes (if `services.pi.enabled=true`) | RabbitMQ connection URL | **k8s service example**: `amqp://plane:plane@plane-rabbitmq.plane-ns.svc.cluster.local:5672/` <br> <br> **external**: `amqp://username:password@your-rabbitmq-host:5672/` |
| | `AES_SECRET_KEY` | Yes (if `services.pi.enabled=true`) | AES secret key for Plane AI (PI) | `dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr` (or your own value) |
| | `PI_INTERNAL_SECRET` | Yes (if `services.pi.enabled=true`) | Internal secret used by Plane AI (PI) for OAuth and internal APIs | `tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk` (or your own value) |
| | `PI_INTERNAL_SECRET` | Yes (if `services.pi.enabled=true`) | Internal secret used by Plane AI (PI) for OAuth and internal APIs | `change-to-top-secret` (or your own value) |
| | `OPENAI_API_KEY` | required if `services.pi.ai_providers.openai.enabled` is `true` | OpenAI API key | `your_openai_api_key` |
| | `CLAUDE_API_KEY` | required if `services.pi.ai_providers.claude.enabled` is `true` | Claude API key | `your_claude_api_key` |
| | `GROQ_API_KEY` | required if `services.pi.ai_providers.groq.enabled` is `true` | Groq API key | `your_groq_api_key` |
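Review bot: `change-to-top-secret (or your own value)` in the example column of the PI_INTERNAL_SECRET row reads as if the placeholder were an acceptable value for the external Secret; replace it with a prompt to generate one, e.g. `<randomly generated value, for example from openssl rand -hex 32>`. The AES_SECRET_KEY row directly above still shows `dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr`, which is also the hardcoded `default` in the chart's templates, so the documentation continues to advertise a concrete key that shipped installs may be using; treat that row the same way.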
4 changes: 2 additions & 2 deletions charts/plane-enterprise/questions.yml
@@ -261,7 +261,7 @@ questions:
- variable: env.live_server_secret_key
label: "Live Server Secret Key"
type: string
default: "htbqvBJAgpm9bzvf3r4urJer0ENReatceh"
default: "change-to-top-secret"

- variable: services.silo.enabled
label: "Install Silo Service"
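Review bot: with the placeholder as `default`, the Rancher questions form will present change-to-top-secret prefilled for env.live_server_secret_key and accept it as-is. Mark the question `type: password` so the value is masked in the UI, add `required: true`, and add a `description` telling the operator to replace the value; note that `required` alone does not reject the placeholder because the default satisfies it, so the template-side guard is still needed.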
@@ -870,7 +870,7 @@ questions:
- variable: env.pi_envs.internal_secret
label: "Plane AI (PI) Internal Secret"
type: string
default: "tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk"
default: "change-to-top-secret"
- variable: env.pi_envs.log_level
label: "Log Level"
type: string
4 changes: 2 additions & 2 deletions charts/plane-enterprise/templates/config-secrets/app-env.yaml
@@ -11,8 +11,8 @@ metadata:
stringData:
SECRET_KEY: {{ .Values.env.secret_key | default "60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5" | quote }}
AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }}
LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "htbqvBJAgpm9bzvf3r4urJer0ENReatceh" | quote }}
PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk" | quote }}
LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "change-to-top-secret" | quote }}
PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "change-to-top-secret" | quote }}
Comment on lines +14 to +15 (Contributor):

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Block installs that still use placeholder signing secrets.

Line 14 and Line 15 still allow rendering a known shared secret (change-to-top-secret) when operators forget to override values. That keeps token/signature secrets predictable at deploy time.

Suggested fail-fast guard:
+{{- $liveSecret := required "env.live_server_secret_key is required and must not use the placeholder" .Values.env.live_server_secret_key -}}
+{{- if eq $liveSecret "change-to-top-secret" -}}
+{{- fail "env.live_server_secret_key must be changed from the placeholder" -}}
+{{- end -}}
+{{- $piInternal := required "env.pi_envs.internal_secret is required and must not use the placeholder" .Values.env.pi_envs.internal_secret -}}
+{{- if eq $piInternal "change-to-top-secret" -}}
+{{- fail "env.pi_envs.internal_secret must be changed from the placeholder" -}}
+{{- end -}}
-  LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "change-to-top-secret" | quote }}
-  PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "change-to-top-secret" | quote }}
+  LIVE_SERVER_SECRET_KEY: {{ $liveSecret | quote }}
+  PI_INTERNAL_SECRET: {{ $piInternal | quote }}
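
Review bot: in this guard the `required` call never trips for the placeholder case, because values.yaml in this PR ships change-to-top-secret as the default for both keys; it only catches an explicit empty value (for example `--set env.live_server_secret_key=""`), and the `eq` comparison does the real work. That is fine, but the `required` message then claims the value "must not use the placeholder" for what is actually an empty value; shorten it to `is required`. Verify the guard with `helm template charts/plane-enterprise --set env.live_server_secret_key=change-to-top-secret`, which should exit non-zero with the `fail` message, and again with an overridden value, which should render the Secret.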

Apply the same guard pattern to charts/plane-enterprise/templates/config-secrets/live-env.yaml (Line 9), charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml (Line 66), and charts/plane-enterprise/templates/config-secrets/silo.yaml (Line 10) for consistency.

{{- if .Values.services.redis.local_setup }}
REDIS_URL: "redis://{{ .Release.Name }}-redis.{{ .Release.Namespace }}.svc.cluster.local:6379/"
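Review bot: SECRET_KEY and AES_SECRET_KEY at the top of this hunk keep concrete hardcoded defaults (`60gp0byfz...`, `dsOdt7Y...`) while the two keys below move to a placeholder, so an install that forgets to override values still gets a predictable application secret and AES key. Give those two the same placeholder-plus-guard treatment, or drop `default` and use `required`. Also note that `default` treats an empty string as unset, so `--set env.live_server_secret_key=""` silently renders the placeholder rather than failing; pairing the value with `required` closes that path.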
2 changes: 1 addition & 1 deletion charts/plane-enterprise/templates/config-secrets/live-env.yaml
@@ -6,7 +6,7 @@ metadata:
namespace: {{ .Release.Namespace }}
name: {{ .Release.Name }}-live-secrets
stringData:
LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "htbqvBJAgpm9bzvf3r4urJer0ENReatceh" | quote }}
LIVE_SERVER_SECRET_KEY: {{ .Values.env.live_server_secret_key | default "change-to-top-secret" | quote }}
{{- if .Values.services.redis.local_setup }}
REDIS_URL: "redis://{{ .Release.Name }}-redis.{{ .Release.Namespace }}.svc.cluster.local:6379/"
{{- else }}
2 changes: 1 addition & 1 deletion charts/plane-enterprise/templates/config-secrets/pi-api-env.yaml
@@ -63,7 +63,7 @@ stringData:

AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }}

PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk" | quote }}
PI_INTERNAL_SECRET: {{ .Values.env.pi_envs.internal_secret | default "change-to-top-secret" | quote }}
{{- end }}
---

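Review bot: PI_INTERNAL_SECRET here moves to the placeholder, but AES_SECRET_KEY two lines above keeps the concrete default `dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr`, so this file still renders a known encryption key whenever env.silo_envs.aes_secret_key is unset. Apply the same placeholder and fail-fast guard to it, and since the same value is also rendered in silo.yaml, keep the guard in both templates so whichever Secret renders first produces the error.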
2 changes: 1 addition & 1 deletion charts/plane-enterprise/templates/config-secrets/silo.yaml
@@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
name: {{ .Release.Name }}-silo-secrets
stringData:
SILO_HMAC_SECRET_KEY: {{ .Values.env.silo_envs.hmac_secret_key | default "gzb7MRLr0FoN129NyWARZEs84P9LzQ" | quote }}
SILO_HMAC_SECRET_KEY: {{ .Values.env.silo_envs.hmac_secret_key | default "change-to-top-secret" | quote }}
AES_SECRET_KEY: {{ .Values.env.silo_envs.aes_secret_key | default "dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr" | quote }}

{{- if .Values.services.postgres.local_setup }}
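Review bot: an HMAC key that is a public string in the chart gives no integrity guarantee at all, so SILO_HMAC_SECRET_KEY is the line that benefits most from refusing the placeholder at render time; add the same `required`/`eq` guard for env.silo_envs.hmac_secret_key rather than relying on `default`. AES_SECRET_KEY on the next line keeps the concrete default `dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr` and should be treated the same way.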
6 changes: 3 additions & 3 deletions charts/plane-enterprise/values.yaml
@@ -564,7 +564,7 @@ env:
live_sentry_dsn: ""
live_sentry_environment: ""
live_sentry_traces_sample_rate: ""
live_server_secret_key: "htbqvBJAgpm9bzvf3r4urJer0ENReatceh"
live_server_secret_key: "change-to-top-secret"
external_iframely_url: ""

silo_envs:
@@ -574,7 +574,7 @@ env:
batch_size: 100
mq_prefetch_count: 1
request_interval: 400
hmac_secret_key: 'gzb7MRLr0FoN129NyWARZEs84P9LzQ'
hmac_secret_key: 'change-to-top-secret'
aes_secret_key: 'dsOdt7YrvxsTIFJ37pOaEVvLxN8KGBCr'
cors_allowed_origins: ''

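Review bot: hmac_secret_key gets the placeholder but aes_secret_key on the next line keeps the concrete value, so the values file itself still ships a usable key; give it the placeholder too. A comment above this group (for example `# Must be set; the placeholder is rejected at install time`) would make the intent visible in `helm show values` output. Minor: the placeholder is single-quoted here and double-quoted for live_server_secret_key in the same file; both are valid YAML, but pick one.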
@@ -617,7 +617,7 @@ env:
plane_api_host: ''
follower_postgres_uri: ''
cors_allowed_origins: ''
internal_secret: 'tyfvfqvBJAgpm9bzvf3r4urJer0Ehfdubk'
internal_secret: 'change-to-top-secret'
log_level: 'DEBUG'

celery: