Plane-EE: Add extraEnv to support proxy endpoints#168

Merged: mguptahub merged 9 commits into master from add-https-proxy on Oct 16, 2025

@akshat5302 akshat5302 commented Oct 15, 2025

Description

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Improvement (change that would cause existing functionality to not work as expected)
  • Code refactoring
  • Performance improvements
  • Documentation update

Screenshots and Media (if applicable)

Test Scenarios

References

Summary by CodeRabbit

  • New Features

    • Global extraEnv added to pass environment variables (e.g., proxy settings) to workloads.
    • Optional per-workload env injection enabled across services (web, api, workers, DBs, etc.).
    • API conditionally restores CA-related env vars when airgapped S3 credentials are configured.
  • Refactor

    • MinIO bucket job container configuration standardized.
    • Deployment scheduling hints replaced by per-service labels/annotations; environment handling unified.
  • Chores

    • Chart version bumped to 1.6.0.

- Introduced `extraEnv` configuration in values.yaml to allow users to specify additional environment variables for all workloads.
- Updated deployment templates to conditionally include the `extraEnv` variables in the environment section of each workload.
- Cleaned up unnecessary SSL environment variables from the API deployment.

coderabbitai Bot commented Oct 15, 2025

Walkthrough

Adds a global .Values.extraEnv and conditionally injects its env: entries into many workload templates. Adjusts api.deployment.yaml to conditionally set CA-related env vars for airgapped S3, refactors the MinIO bucket Job container to use image_mc and updated command/args, and bumps chart version.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Global values: charts/plane-enterprise/values.yaml | Adds new public extraEnv list (commented examples like HTTP_PROXY/HTTPS_PROXY/NO_PROXY) to supply additional env vars across workloads. |
| Deployments: extraEnv injection: charts/plane-enterprise/templates/workloads/admin.deployment.yaml, charts/plane-enterprise/templates/workloads/automation-consumer.deployment.yaml, charts/plane-enterprise/templates/workloads/beat-worker.deployment.yaml, charts/plane-enterprise/templates/workloads/email.deployment.yaml, charts/plane-enterprise/templates/workloads/iframely.deployment.yaml, charts/plane-enterprise/templates/workloads/live.deployment.yaml, charts/plane-enterprise/templates/workloads/outbox-poller.deployment.yaml, charts/plane-enterprise/templates/workloads/silo.deployment.yaml, charts/plane-enterprise/templates/workloads/space.deployment.yaml, charts/plane-enterprise/templates/workloads/web.deployment.yaml, charts/plane-enterprise/templates/workloads/worker.deployment.yaml | Each deployment conditionally adds an env: block rendering toYaml .Values.extraEnv (nindent appropriately) when .Values.extraEnv is set; existing envFrom and other fields preserved. |
| Jobs / StatefulSets: extraEnv injection: charts/plane-enterprise/templates/workloads/migrator.job.yaml, charts/plane-enterprise/templates/workloads/monitor.stateful.yaml, charts/plane-enterprise/templates/workloads/postgres.stateful.yaml, charts/plane-enterprise/templates/workloads/rabbitmq.stateful.yaml, charts/plane-enterprise/templates/workloads/redis.stateful.yaml | Containers receive a conditional env: block populated from .Values.extraEnv when provided; Postgres consolidates PGDATA into an env block alongside envFrom. Other pod spec fields unchanged. |
| API deployment: airgapped CA envs + extraEnv: charts/plane-enterprise/templates/workloads/api.deployment.yaml | Removes unconditional CA env vars and reintroduces them conditionally when airgapped is true and S3 secret name/key present; also adds conditional .Values.extraEnv injection. |
| MinIO bucket job refactor: charts/plane-enterprise/templates/workloads/minio.stateful.yaml | Replaces static container fields with a dynamic container using name: {{ .Release.Name }}-minio-bucket, image: {{ .Values.services.minio.image_mc }}, imagePullPolicy: Always, updated command/args for mc, and optional env: from .Values.extraEnv; retains envFrom and other Job settings. |
| Chart version: charts/plane-enterprise/Chart.yaml | Bumps chart version from 1.5.0 to 1.6.0. |
| README / service metadata: charts/plane-enterprise/README.md | Replaces per-service nodeSelector, tolerations, and affinity blocks with per-service labels and annotations entries across multiple services (diff contains conflict markers). |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as Helm User
  participant H as Helm (Templates)
  participant K as Kubernetes API
  participant P as Pod/Container

  U->>H: helm install/upgrade with values.yaml
  H->>H: Evaluate .Values.extraEnv
  alt extraEnv provided
    H->>K: Render manifests including env: (extraEnv)
  else no extraEnv
    H->>K: Render manifests without extra env block
  end
  K->>P: Start containers with resulting env configuration

sequenceDiagram
  autonumber
  participant V as Values
  participant T as api.deployment.yaml
  participant K as Kubernetes
  participant C as API Container

  V->>T: airgapped=true and s3 secret present?
  alt airgapped && s3 secret present
    T->>K: Include CA-related env vars (SSL_CERT_*, REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE)
  else
    T->>K: Do not include CA-related env vars
  end
  T->>K: Optionally include extraEnv if set
  K->>C: Run API container with final env

sequenceDiagram
  autonumber
  participant H as Helm
  participant K as Kubernetes
  participant J as MinIO Bucket Job
  participant M as MinIO

  H->>K: Apply Job with updated container (image_mc, command/args)
  K->>J: Start Job pod
  J->>J: Load envFrom secrets and optional extraEnv
  J->>M: Execute mc commands (config, bucket)
  J-->>K: Job completes

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

I twitch my whiskers, charts in sight,
Extra vars tucked in for the night,
CA wakes only when airgaps bite,
MinIO hops, commands take flight,
Rabbit cheers — deploy goes bright! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title concisely reflects the primary change of adding the extraEnv configuration to support proxy endpoints within the Plane-EE Helm charts, matching the updates across values.yaml and deployment templates. It is specific to the main feature, avoids unnecessary details, and clearly communicates the intent to teammates reviewing the history. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9cab6c0 and 30e435c.

📒 Files selected for processing (1)
  • charts/plane-enterprise/README.md (1 hunks)

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (2)
charts/plane-enterprise/templates/workloads/redis.stateful.yaml (1)

48-51: LGTM – correct conditional env block/indentation.

Same note as elsewhere: ensure .Values.extraEnv is a list of EnvVar items.

charts/plane-enterprise/templates/workloads/rabbitmq.stateful.yaml (1)

53-56: LGTM – safe conditional env insertion.

Same schema caveat for .Values.extraEnv as noted earlier.

🧹 Nitpick comments (3)
charts/plane-enterprise/templates/workloads/iframely.deployment.yaml (1)

57-60: Conditional extra env injection looks correct (indentation, placement).

Please ensure .Values.extraEnv is a list of Kubernetes EnvVar objects (- name: FOO\n value: bar). If it’s a map, K8s will reject the manifest. Consider adding a brief example in values.yaml and optionally supporting extraEnvFrom for ConfigMap/Secret refs, or a shared helper (e.g., include "plane.extraEnv").

charts/plane-enterprise/templates/workloads/silo.deployment.yaml (1)

86-89: LGTM – consistent with pattern across workloads.

Minor: consider whether initContainers (e.g., wait-for-rabbitmq) also need proxy env; if yes, mirror extraEnv there.

charts/plane-enterprise/templates/workloads/api.deployment.yaml (1)

113-126: Avoid emitting env: null when no entries

If both the airgapped CA block and extraEnv are absent, this template still renders env: with no list items, which serializes to env: null. While Kubernetes usually tolerates it, it is cleaner (and safer for validation tooling) to omit the field altogether. Wrap the whole block in a single guard and reuse the computed condition inside.

-        env:
-          {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
+        {{- $hasAirgapCA := and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
+        {{- if or $hasAirgapCA .Values.extraEnv }}
+        env:
+          {{- if $hasAirgapCA }}
           - name: SSL_CERT_FILE
             value: "/etc/ssl/certs/ca-certificates.crt"
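Review bot: On the added `$hasAirgapCA := and ...` line, `and` returns its last operand when every operand is truthy, so the variable holds the `s3SecretKey` string rather than a boolean. That is fine for the `if` and `or` tests in this hunk, but the name reads as a flag; add a template comment that it is for truthiness tests only, or coerce it with `not (not (and ...))`, so it is never rendered or compared against `true` later.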
@@
-          {{- if .Values.extraEnv }}
-          {{- toYaml .Values.extraEnv | nindent 10 }}
-          {{- end }}
+          {{- if .Values.extraEnv }}
+          {{- toYaml .Values.extraEnv | nindent 10 }}
+          {{- end }}
+        {{- end }}
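Review bot: In the `toYaml .Values.extraEnv | nindent 10` lines, the user-supplied entries are appended after the fixed CA entries with no name check, so an `extraEnv` item named `SSL_CERT_FILE` (or another of the CA variables) yields two entries with the same name in one `env` list whenever the airgapped block is active. Either document those names as reserved in airgapped mode or `fail` at render time on a collision; a `kindIs "slice"` check on `.Values.extraEnv` at the same spot would also catch the map-instead-of-list mistake before the manifest reaches the API server.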
📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 20b1165 and bdc53e4.

📒 Files selected for processing (19)
  • charts/plane-enterprise/templates/workloads/admin.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/api.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/automation-consumer.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/beat-worker.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/email.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/iframely.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/live.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/migrator.job.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/minio.stateful.yaml (2 hunks)
  • charts/plane-enterprise/templates/workloads/monitor.stateful.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/outbox-poller.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/postgres.stateful.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/rabbitmq.stateful.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/redis.stateful.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/silo.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/space.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/web.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/worker.deployment.yaml (1 hunks)
  • charts/plane-enterprise/values.yaml (1 hunks)
🔇 Additional comments (4)
charts/plane-enterprise/templates/workloads/postgres.stateful.yaml (1)

49-54: PGDATA + extraEnv merged under env is good.

Layout is valid; PGDATA precedes optional extraEnv entries with correct nindent. No issues.

charts/plane-enterprise/templates/workloads/admin.deployment.yaml (1)

56-59: LGTM – clean extraEnv injection.

Indentation and placement are correct; no conflicts with existing envFrom.

charts/plane-enterprise/templates/workloads/email.deployment.yaml (1)

79-82: LGTM – proper conditional env block.

If proxies are the main use case, ensure NO_PROXY defaults cover cluster domains (e.g., .svc, .cluster.local, namespace svc names).

charts/plane-enterprise/templates/workloads/worker.deployment.yaml (1)

50-53: LGTM – matches the global pattern.

No ordering issues with envFrom; indentation is correct.

Comment thread charts/plane-enterprise/values.yaml
….yaml and update API deployment template to conditionally include extraEnv. Removed default proxy settings and streamlined the handling of additional environment variables.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
charts/plane-enterprise/values.yaml (1)

391-399: Good default: extraEnv empty with commented examples

Prevents accidental proxying on fresh installs. Consider adding a note in README suggesting typical NO_PROXY entries (kubernetes.default.svc,.svc,.cluster.local,) and lowercase variants (http_proxy/https_proxy/no_proxy) for broader tooling compatibility.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bdc53e4 and c0a5496.

📒 Files selected for processing (2)
  • charts/plane-enterprise/templates/workloads/api.deployment.yaml (1 hunks)
  • charts/plane-enterprise/values.yaml (1 hunks)

Comment on lines +114 to +129
{{- if or .Values.extraEnv (and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey) }}
env:
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
- name: SSL_CERT_FILE
value: "/etc/ssl/certs/ca-certificates.crt"
- name: SSL_CERT_DIR
value: "/etc/ssl/certs"
- name: REQUESTS_CA_BUNDLE
value: "/etc/ssl/certs/ca-certificates.crt"
- name: CURL_CA_BUNDLE
value: "/etc/ssl/certs/ca-certificates.crt"
{{- end }}
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 10 }}
{{- end }}
{{- end }}
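Review bot: The `toYaml .Values.extraEnv | nindent 10` line copies each entry into the pod spec verbatim, so a proxy URL that embeds credentials in a plain `value` ends up readable in the rendered Deployment and in the stored release values. The values.yaml comment or README should say that `valueFrom.secretKeyRef` entries are accepted here and are the form to use for an authenticated proxy. The airgapped condition is also written out twice in this block (the outer `or` and the inner `if`); one variable or named template would keep the two from drifting.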

🛠️ Refactor suggestion | 🟠 Major

Align airgapped gating; keep env merge behavior intentional

  • The env block correctly merges CA vars with .Values.extraEnv. Note: env entries override envFrom on name collisions (intended?).
  • Inconsistency: env gating uses and ... s3SecretName s3SecretKey but the install-CA command earlier checks only s3SecretName. Align both to require the key as well to avoid running the CA setup when only the secret name is set.

Apply this diff to the script gating (earlier in the file):

-            {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName }}
+            {{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
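Review bot: With the guard on the `+` line now requiring `s3SecretKey` as well, a values file that sets `airgapped.enabled` and `s3SecretName` but omits the key skips the CA install silently, and nothing at render time tells the operator that the step was dropped. Consider a `fail` (or `required`) when `airgapped.enabled` is true and only one of the two is set. The same three-operand `and` now also appears in the env block, so a named template would keep the install script and the env gating aligned.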
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- if or .Values.extraEnv (and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey) }}
env:
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
- name: SSL_CERT_FILE
value: "/etc/ssl/certs/ca-certificates.crt"
- name: SSL_CERT_DIR
value: "/etc/ssl/certs"
- name: REQUESTS_CA_BUNDLE
value: "/etc/ssl/certs/ca-certificates.crt"
- name: CURL_CA_BUNDLE
value: "/etc/ssl/certs/ca-certificates.crt"
{{- end }}
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 10 }}
{{- end }}
{{- end }}
{{- if and .Values.airgapped.enabled .Values.airgapped.s3SecretName .Values.airgapped.s3SecretKey }}
🤖 Prompt for AI Agents
In charts/plane-enterprise/templates/workloads/api.deployment.yaml around lines
114 to 129, the airgapped gating for injecting CA env vars uses both
.Values.airgapped.s3SecretName and .Values.airgapped.s3SecretKey, but an earlier
install-CA command only checks .Values.airgapped.s3SecretName; update that
earlier conditional to require both s3SecretName and s3SecretKey (i.e., change
its guard from checking only s3SecretName to and .Values.airgapped.s3SecretName
.Values.airgapped.s3SecretKey) so the CA setup and env injection are aligned,
and leave the env merge behavior (explicit env entries plus .Values.extraEnv)
unchanged.

mguptahub and others added 3 commits October 16, 2025 05:19
…monitor, API, silo, beatworker, email_service, outbox_poller, automation_consumer, and iframely deployments
…port global configurations across deployments

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
charts/plane-enterprise/README.md (1)

493-498: Document the expected env var object structure.

Consider adding a brief example (- name: HTTP_PROXY, value: https://...) so users know the list should contain name/value (or valueFrom) maps. That removes guesswork when wiring proxy variables.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d3adc03 and 9cab6c0.

📒 Files selected for processing (1)
  • charts/plane-enterprise/README.md (1 hunks)

@mguptahub mguptahub merged commit 639299a into master Oct 16, 2025
3 checks passed
@mguptahub mguptahub deleted the add-https-proxy branch October 16, 2025 08:35
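
The checks the review comments in this thread ask for (extraEnv as a list of EnvVar objects, NO_PROXY covering cluster domains, lowercase proxy variants, no clash with the airgapped CA variables), written as an added Python example that is not part of the PR or the chart. `check_extra_env` and the sample values are hypothetical names and constructed data, and the function takes already-parsed values rather than reading values.yaml.

```python
from urllib.parse import urlsplit

# CA variables the api template sets itself in airgapped mode (names from the thread).
CHART_CA_VARS = {"SSL_CERT_FILE", "SSL_CERT_DIR", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"}
# Cluster suffixes the review asked NO_PROXY to cover.
CLUSTER_SUFFIXES = (".svc", ".cluster.local")
PROXY_VARS = {"HTTP_PROXY", "HTTPS_PROXY"}


def check_extra_env(extra_env):
    """Return a list of findings for a parsed values.yaml extraEnv value."""
    if not isinstance(extra_env, list):
        return [f"extraEnv must be a list of EnvVar items, got {type(extra_env).__name__}"]
    findings, seen, env = [], set(), {}
    for i, item in enumerate(extra_env):
        if not isinstance(item, dict) or not isinstance(item.get("name"), str):
            findings.append(f"item {i}: not an EnvVar object with a string 'name'")
            continue
        name = item["name"]
        if "value" in item and "valueFrom" in item:
            findings.append(f"{name}: set either value or valueFrom, not both")
        if name in seen:
            findings.append(f"{name}: duplicate name in extraEnv")
        seen.add(name)
        if name in CHART_CA_VARS:
            findings.append(f"{name}: collides with a CA variable the api template sets")
        value = item.get("value")
        if isinstance(value, str):
            env[name.upper()] = value  # treat http_proxy and HTTP_PROXY alike
            if name.upper() in PROXY_VARS and urlsplit(value).password:
                findings.append(f"{name}: proxy password in plain value; use valueFrom.secretKeyRef")
    if PROXY_VARS & env.keys():
        no_proxy = [h.strip() for h in env.get("NO_PROXY", "").split(",")]
        for suffix in CLUSTER_SUFFIXES:
            if suffix not in no_proxy:
                findings.append(f"NO_PROXY lacks {suffix}: in-cluster calls may be sent to the proxy")
    return findings


# Constructed sample values (not taken from the chart).
GOOD = [
    {"name": "HTTPS_PROXY", "value": "http://proxy.example.internal:3128"},
    {"name": "NO_PROXY", "value": "localhost,.svc,.cluster.local"},
]
BAD_MAP = {"HTTPS_PROXY": "http://proxy.example.internal:3128"}
BAD_LIST = [
    {"name": "HTTPS_PROXY", "value": "http://user:s3cret@proxy.example.internal:3128"},
    {"name": "SSL_CERT_FILE", "value": "/tmp/ca.pem"},
    {"name": "NO_PROXY", "value": "localhost"},
]

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("map", BAD_MAP), ("bad", BAD_LIST)):
        print(label, check_extra_env(sample) or "ok")
```
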