Back Merge Master to Develop #78

Merged: mguptahub merged 3 commits into develop from master on Feb 18, 2025

@akshat5302 akshat5302 commented Feb 18, 2025

Summary by CodeRabbit

  • Chores

    • Upgraded the application to version 1.1.5.
  • New Features

    • Introduced dedicated management for sensitive "silo" configuration data.
    • Added conditional support for injecting secure configuration into various service deployments, ensuring enhanced flexibility and robust security handling when the silo service is enabled.

coderabbitai bot commented Feb 18, 2025

Walkthrough

This pull request updates the plane-enterprise Helm chart. It bumps the application version from 1.1.4 to 1.1.5 and introduces a new Kubernetes Secret resource for the silo service. Conditional logic is added across multiple workload YAML files to include references to the new secret ({{ .Release.Name }}-silo-secrets) when the .Values.services.silo.enabled flag is true, and the ConfigMap for silo is updated accordingly.

Changes

| File(s) | Change Summary |
|---|---|
| charts/plane-enterprise/Chart.yaml | Updated application version from 1.1.4 to 1.1.5. |
| charts/plane-enterprise/templates/config-secrets/silo.yaml | Added a new Kubernetes Secret resource for the silo service with conditional secret key generation and updated the corresponding ConfigMap logic. |
| charts/plane-enterprise/templates/workloads/{api.deployment.yaml, beat-worker.deployment.yaml, migrator.job.yaml, worker.deployment.yaml} | Introduced conditional inclusion of a secret reference ({{ .Release.Name }}-silo-secrets) in the environment configuration if .Values.services.silo.enabled is true. |
| charts/plane-enterprise/templates/workloads/silo.deployment.yaml | Added a non-optional secret reference to {{ .Release.Name }}-silo-secrets as an environment variable source in the main container configuration. |

Sequence Diagram(s)

sequenceDiagram
    participant Values as .Values.services.silo.enabled
    participant Chart as Helm Chart Template
    participant Secret as Silo Secret Resource
    participant Workload as Deployment/Job/Worker

    Values->>Chart: Check if silo is enabled
    alt If enabled
        Chart->>Secret: Create or fetch SILO_HMAC_SECRET_KEY secret
        Secret-->>Chart: Provide secret details
        Chart->>Workload: Include secret reference in env configuration
    else Not enabled
        Chart->>Workload: Skip secret configuration
    end

Suggested reviewers

  • mguptahub

Poem

I'm a rabbit with a hop so fine,
Bumping versions with a joyful shine.
Secrets now dance in each pod's embrace,
Conditional hops keep up the pace.
Coding in meadows, I bring change with grace!



@mguptahub mguptahub merged commit 3ee7ef8 into develop Feb 18, 2025
2 of 3 checks passed

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (5)
charts/plane-enterprise/templates/config-secrets/silo.yaml (5)

1-16: Secret Resource Template Review

  • The new Kubernetes Secret is conditionally created based on .Values.services.silo.enabled, which is a proper guard.
  • The logic first checks if a custom HMAC secret key is provided via .Values.env.silo_envs.hmac_secret_key. If not, it attempts to retrieve an existing Secret via the lookup function; otherwise, it generates a random 32-character string.
  • Suggestion: When retrieving the secret key from an existing Secret (line 12), note that values in a Secret’s .data field are typically base64 encoded. If the intention is to work with plain text in stringData, consider decoding the value using the b64dec function. For example:
-  SILO_HMAC_SECRET_KEY: {{ (lookup "v1" "Secret" .Release.Namespace (printf "%s-silo-secrets" .Release.Name)).data.SILO_HMAC_SECRET_KEY | default (randAlphaNum 32) | quote }}
+  SILO_HMAC_SECRET_KEY: {{ (lookup "v1" "Secret" .Release.Namespace (printf "%s-silo-secrets" .Release.Name)).data.SILO_HMAC_SECRET_KEY | b64dec | default (randAlphaNum 32) | quote }}
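Review bot: In the `+` line, `b64dec` is piped ahead of `default (randAlphaNum 32)`, so the fallback only applies after the decode has already run on whatever the lookup produced. When the Secret does not exist yet (first install, or `helm template` and client-side dry runs, where `lookup` returns an empty result), `.data.SILO_HMAC_SECRET_KEY` has no value to decode and the render can fail instead of falling through to the random key. Assign the lookup result to a variable, decode only when the key is present, and keep `randAlphaNum 32` for the empty case. It is also worth confirming whether this line feeds `stringData` or `data`: decoding is only right for `stringData`, and the enclosing field is not visible in this suggestion.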
🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)


30-36: ConfigMap HMAC Key Logic Consistency

  • The ConfigMap section (lines 30–36) replicates the logic for setting SILO_HMAC_SECRET_KEY similar to the Secret. This ensures that if a key is provided in values it is used; otherwise, the template tries to retrieve an existing value before generating a new one.
  • Suggestion: Since similar logic is repeated in both the Secret and ConfigMap resources, consider abstracting this into a common template helper to reduce duplication and ensure consistency in future changes.

38-44: CORS Configuration Logic Review

  • The conditional block for CORS_ALLOWED_ORIGINS covers the wildcard scenario and a nuanced concatenation of origins.
  • Note: Ensure that the concatenated URLs (line 41) meet the intended format and that commas are the appropriate delimiter for your use case. If this pattern is reused elsewhere, consider consolidating it into a helper template.
🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 44-44: trailing spaces

(trailing-spaces)


50-56: RabbitMQ URL Configuration Check

  • The template provides conditional construction of the AMQP_URL based on whether a local setup or an external URL is provided.
  • Suggestion: For consistency, consider quoting the external URL value in line 53 if it is intended to be a string literal.

61-67: Database URL Conditional Logic

  • The conditional structure for setting DATABASE_URL is clear: it selects between a local PostgreSQL setup, a remote URL, or an empty string.
  • Nitpick: For templating consistency, consider using the dash syntax (e.g., {{- else }}) throughout the conditional blocks.
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a77467b and 89f8edb.

📒 Files selected for processing (7)
  • charts/plane-enterprise/Chart.yaml (1 hunks)
  • charts/plane-enterprise/templates/config-secrets/silo.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/api.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/beat-worker.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/migrator.job.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/silo.deployment.yaml (1 hunks)
  • charts/plane-enterprise/templates/workloads/worker.deployment.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • charts/plane-enterprise/Chart.yaml
🔇 Additional comments (13)
charts/plane-enterprise/templates/workloads/migrator.job.yaml (1)

35-39: Conditional Secret Injection in Job Specification

The conditional block for including the silo secret reference is correctly implemented. By wrapping the secret reference within an if block that checks .Values.services.silo.enabled, the chart cleanly ensures that the {{ .Release.Name }}-silo-secrets is only injected when the silo service is enabled. Verify that the YAML indentation remains consistent when rendered.

charts/plane-enterprise/templates/workloads/worker.deployment.yaml (1)

47-51: Consistent Conditional Secret Injection for Worker Deployment

The conditional block that adds the silo secret reference is properly structured. This ensures that the {{ .Release.Name }}-silo-secrets is only included when .Values.services.silo.enabled is true. The implementation is consistent with similar modifications in other workload files.

charts/plane-enterprise/templates/workloads/beat-worker.deployment.yaml (1)

47-51: Conditional Secret Reference in Beat-worker Deployment

The additional block introduces a conditional secret reference that integrates seamlessly with the existing environment variable configuration. The approach ensures that silo secrets are only included when enabled, mirroring the pattern used in the other deployments.

charts/plane-enterprise/templates/workloads/api.deployment.yaml (1)

69-73: Secret Injection via Conditional Block in API Deployment

The change adds a conditional block to insert the silo secret reference into the API deployment’s envFrom list only when .Values.services.silo.enabled is true. This maintains consistency across deployments and ensures secure, environment-specific secret management.

charts/plane-enterprise/templates/workloads/silo.deployment.yaml (1)

83-85: Mandatory Secret Reference in Silo Deployment

The silo deployment now explicitly includes the {{ .Release.Name }}-silo-secrets reference as part of the container's environment sources. Since this file is conditionally rendered when .Values.services.silo.enabled is true, the direct inclusion is appropriate and consistent with the approach used in other workload configurations.

charts/plane-enterprise/templates/config-secrets/silo.yaml (8)

46-49: URL Endpoint Configurations

  • The API endpoints (APP_BASE_URL, API_BASE_URL, and SILO_API_BASE_URL) are correctly templated using .Values and .Release variables.
  • The use of default values (e.g., "cluster.local") appears consistent with standard configurations.

58-59: Payment and Feature Flag Server Endpoints

  • The definitions for PAYMENT_SERVER_BASE_URL and FEATURE_FLAG_SERVER_BASE_URL use the expected service discovery patterns and templating.

69-73: Redis URL Configuration

  • The Redis configuration correctly differentiates between a local setup and a remote URL scenario.
  • The use of quoting for the remote URL in line 72 ensures that an empty default is explicitly set.

76-78: Sentry Configuration Review

  • The Sentry-related keys (SENTRY_DSN, SENTRY_ENVIRONMENT, and SENTRY_TRACES_SAMPLE_RATE) are configured with defaults that help prevent misconfiguration.

80-84: Slack Integration Secrets

  • The template conditionally includes Slack integration secrets based on whether the Slack connector is enabled.
  • The approach of providing a default empty string with proper quoting is sound.
🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 80-80: trailing spaces

(trailing-spaces)


86-93: GitHub Integration Secrets

  • The GitHub integration section cleanly handles client IDs, secrets, app names, and private keys using the same conditional and default logic as other connector configurations.

95-99: GitLab Integration Secrets

  • The GitLab connector is configured similarly to the Slack and GitHub sections, ensuring consistency in secret management.

100-101: Template Conditional Closure

  • The template correctly terminates the block with {{- end }}, ensuring that resources are only generated when .Values.services.silo.enabled is true.
  • This closure prevents unintentional resource creation.
🧰 Tools
🪛 YAMLlint (1.35.1)

[error] 101-101: no new line character at the end of file

(new-line-at-end-of-file)
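The review above describes a three-step resolution for SILO_HMAC_SECRET_KEY (value from .Values, then the existing Secret, then a random string) and suggests moving it into a shared helper. The following is an added example of such a helper, not code from this PR or the chart: the helper name `silo.hmacSecretKey` is hypothetical, the Secret name, key and values path are the ones quoted on this page, and it assumes values.yaml defines `env.silo_envs` and that the key is written through `stringData`.

```yaml
{{/*
Added example, not the chart's own code. The helper name "silo.hmacSecretKey"
is hypothetical. Resolution order: explicit value, then the key already
stored in the cluster, then a fresh random key.
*/}}
{{- define "silo.hmacSecretKey" -}}
{{- $name := printf "%s-silo-secrets" .Release.Name -}}
{{- /* lookup returns an empty map on first install, `helm template` and client-side dry runs */ -}}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $name -}}
{{- /* dig tolerates a missing .data or a missing key and yields "" instead of a nil-pointer error */ -}}
{{- $stored := dig "data" "SILO_HMAC_SECRET_KEY" "" $existing -}}
{{- if .Values.env.silo_envs.hmac_secret_key -}}
{{- .Values.env.silo_envs.hmac_secret_key -}}
{{- else if $stored -}}
{{- /* .data values are base64; decode only once a value is known to exist */ -}}
{{- $stored | b64dec -}}
{{- else -}}
{{- randAlphaNum 32 -}}
{{- end -}}
{{- end }}
---
{{- if .Values.services.silo.enabled }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Release.Name }}-silo-secrets
  namespace: {{ .Release.Namespace }}
type: Opaque
stringData:
  # stringData takes plain text; the API server stores it base64-encoded under .data
  SILO_HMAC_SECRET_KEY: {{ include "silo.hmacSecretKey" . | quote }}
{{- end }}
```

Each `include` evaluates `randAlphaNum` afresh, so on a first install two resources that both call the helper would receive different keys. Render the key in one resource and have the workloads read it from that Secret.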
