[feat]: Implement Traefik ingress support in Plane-EE Helm chart

[pratapalakshmi]

• Updated values.yaml to switch ingressClass from 'nginx' to 'traefik-external'.
• Added new ingress-traefik.yaml template for Traefik IngressRoute configuration.
• Introduced traefik-middleware.yaml for request body size limiting middleware.
• Modified existing ingress.yaml to conditionally render based on the selected ingressClass.

Description

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• Feature (non-breaking change which adds functionality)
• Improvement (change that would cause existing functionality to not work as expected)
• Code refactoring
• Performance improvements
• Documentation update

Screenshots and Media (if applicable)

Test Scenarios

References

Summary by CodeRabbit

• New Features

  • Added optional Traefik ingress support for enterprise deployments
  • Added request body-size limiting for Traefik routes
  • Added optional RBAC to allow Traefik read access to TLS secrets

• Chores

  • Tightened ingress class validation so ingress resources are rendered only for the selected controller

[coderabbitai]

Walkthrough

Adds conditional Traefik support to the Plane Enterprise Helm chart: new Traefik IngressRoute, Middleware, and optional RBAC for secret reading, plus tightened nginx ingress rendering and a minor values.yaml comment. Resources are emitted only when ingress is enabled and ingress.ingressClass matches the target class.

Changes

Cohort / File(s)	Summary
Traefik IngressRoute charts/plane-enterprise/templates/ingress-traefik.yaml	New Helm template emitting a Traefik IngressRoute when ingress.enabled, ingress.ingressClass == "traefik", and license domain present; defines websecure entryPoint routes for multiple services with prioritized PathPrefix rules and TLS secret resolution (default <release>-ssl-cert unless overridden).
Traefik Middleware charts/plane-enterprise/templates/traefik-middleware.yaml	Adds a conditional Middleware <Release.Name>-body-limit that sets buffering.maxRequestBodyBytes = 5242880 (5 MB) when ingress enabled and ingressClass is "traefik".
Traefik RBAC charts/plane-enterprise/templates/traefik-rbac.yaml	Adds optional Role and RoleBinding to allow Traefik service account to get/list/watch secrets, emitted when ingress.enabled, ingress.ingressClass == "traefik", and traefik.createSecretReadRBAC is true.
NGINX Ingress charts/plane-enterprise/templates/ingress.yaml	Tightens ingress condition: Ingress will render only when ingress.enabled is true, licenseDomain is set, and ingress.ingressClass == "nginx".
Values charts/plane-enterprise/values.yaml	Adds a commented alternative line for ingressClass: 'traefik' while leaving the active ingressClass: 'nginx' unchanged.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant Client as Client
participant Traefik as Traefik Ingress (IngressRoute)
participant Middleware as Body-Limit Middleware
participant K8s as Kubernetes API / Secrets
participant Service as Backend Services (web, api, auth, ...)
rect rgba(200,200,255,0.5)
Client->>Traefik: HTTPS request (hostname)
Traefik->>K8s: Resolve TLS secret (if needed)
K8s-->>Traefik: TLS secret (requires RBAC)
Traefik->>Middleware: Apply body-limit
Middleware->>Service: Forward request to matched service/port
Service-->>Client: Response
end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Poem

🐰 A hop, a route, a tiny cheer,
Traefik listens, middleware near,
Secrets fetched with careful paw,
Requests trimmed smartly—no faux pas,
The chart blooms bright, deployment clear.

🚥 Pre-merge checks | ✅ 4

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: implementing Traefik ingress support in the Plane-EE Helm chart. It is clear, specific, and directly reflects the core objective of adding Traefik-related templates and configuration to the Helm chart.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Merge Conflict Detection	✅ Passed	✅ No merge conflicts detected when merging into master

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch chore/add/support/for/traefik/ingress

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 6

🤖 Fix all issues with AI agents

In `@charts/plane-enterprise/templates/ingress-traefik.yaml`:
- Around line 72-79: The body-limit middleware ({{ .Release.Name }}-body-limit)
is only attached to the catch-all rule (Host(`{{ .Values.license.licenseDomain
}}`) && PathPrefix(`/`)) so API/upload routes like /api/ and /auth/ remain
uncapped; update the Traefik ingress rules to include the same middleware on the
API/auth/upload rules that point to the {{ .Release.Name }}-web service (or
apply it globally to all host rules) so the 5 MB limit is enforced consistently,
and if you intentionally want selective coverage, add a short comment next to
the rule(s) explaining that rationale.
- Around line 81-82: The Traefik Ingress template currently hardcodes
tls.secretName ({{ default (printf "%s-ssl-cert" .Release.Name)
.Values.ssl.tls_secret_name }}) and therefore doesn’t support cert-manager
auto-provisioning; add an optional, conditional cert-manager Certificate
manifest (templated alongside the IngressRoute) that is rendered when
.Values.ssl.generateCerts (and optionally .Values.ssl.createIssuer) is true,
ensure it uses the same secretName and issuerRef as the existing nginx flow, and
wire any new values (e.g., ssl.certificateCommonName, ssl.dnsNames,
ssl.issuerName, ssl.issuerKind) into the template so users can enable automated
cert creation/renewal without manual steps.
- Around line 1-84: Add Traefik IngressRoute rules for the MinIO console and
RabbitMQ management UI when those services are locally deployed: insert two
additional route blocks (similar to existing ones) before the tls: block—one
matching Host(`{{ .Values.env.minioHost }}`) that forwards to service name {{
.Release.Name }}-minio on port 9090 when .Values.services.minio.local_setup is
true, and one matching Host(`{{ .Values.env.rabbitmqHost }}`) that forwards to
service name {{ .Release.Name }}-rabbitmq on port 15672 when
.Values.services.rabbitmq.local_setup is true; also update the tls section to
include those extra host entries (or add separate tls entries) so the
certificates cover minioHost and rabbitmqHost.

In `@charts/plane-enterprise/templates/traefik-middleware.yaml`:
- Line 1: The middleware template condition is too permissive compared to the
IngressRoute: update the conditional in templates/traefik-middleware.yaml to
require the same three checks used by the IngressRoute (ensure
.Values.ingress.enabled is true, .Values.ingress.ingressClass equals
"traefik-external", and .Values.license.licenseDomain is non-empty) so the
middleware is only rendered when an IngressRoute referencing it will also be
created; mirror the exact predicate logic found in ingress-traefik.yaml to keep
behavior consistent.

In `@charts/plane-enterprise/values.yaml`:
- Around line 28-30: The change to set ingressClass: 'traefik-external' in
values.yaml is a breaking default change for existing users; revert the default
back to 'nginx' (or leave it commented as before) so upgrades don't silently
switch Ingress controllers, or if you intend Traefik to be the new default, bump
the chart major version and add clear upgrade/migration notes explaining the
switch and required CRDs/controllers; refer to the ingressClass key and
ingress_annotations in values.yaml when making this change and update Chart.yaml
and CHANGELOG/UPGRADE notes accordingly.
- Line 29: The default ingress_annotations map currently contains an
nginx-specific key ("nginx.ingress.kubernetes.io/proxy-body-size": "5m") which
is ineffective when the default ingress class is Traefik; update the values.yaml
entry for ingress_annotations (the ingress_annotations map) to not include
nginx-only annotations by default — either set ingress_annotations to an empty
map or make the default conditional on the ingressClass (e.g., only populate the
nginx annotation when ingressClass == "nginx" or leave it empty so users
choosing nginx can supply their own overrides).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Missing MinIO console and RabbitMQ management virtual-host routes.

The nginx ingress.yaml defines separate host rules for minioHost (port 9090) and rabbitmqHost (port 15672) when those services are locally deployed. This Traefik IngressRoute omits both, so users who rely on the MinIO console or RabbitMQ management UI will lose access after switching to traefik-external.

Sketch of the missing routes (add before the closing `tls:` block)

   {{- end }}

+  {{- if and .Values.services.minio.local_setup .Values.ingress.minioHost }}
+  - match: Host(`{{ .Values.ingress.minioHost }}`)
+    kind: Rule
+    services:
+      - name: {{ .Release.Name }}-minio
+        port: 9090
+  {{- end }}
+
+  {{- if and .Values.services.rabbitmq.local_setup .Values.ingress.rabbitmqHost }}
+  - match: Host(`{{ .Values.ingress.rabbitmqHost }}`)
+    kind: Rule
+    services:
+      - name: {{ .Release.Name }}-rabbitmq
+        port: 15672
+  {{- end }}
+
   # LAST: catch all

You will also need to add the extra hosts to the TLS section if using a shared cert, or add separate tls entries.

🧰 Tools

🪛 YAMLlint (1.38.0)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🤖 Prompt for AI Agents

In `@charts/plane-enterprise/templates/ingress-traefik.yaml` around lines 1 - 84,
Add Traefik IngressRoute rules for the MinIO console and RabbitMQ management UI
when those services are locally deployed: insert two additional route blocks
(similar to existing ones) before the tls: block—one matching Host(`{{
.Values.env.minioHost }}`) that forwards to service name {{ .Release.Name
}}-minio on port 9090 when .Values.services.minio.local_setup is true, and one
matching Host(`{{ .Values.env.rabbitmqHost }}`) that forwards to service name {{
.Release.Name }}-rabbitmq on port 15672 when
.Values.services.rabbitmq.local_setup is true; also update the tls section to
include those extra host entries (or add separate tls entries) so the
certificates cover minioHost and rabbitmqHost.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Body-limit middleware applied only to the catch-all, not to API/upload routes.

In the nginx Ingress the proxy-body-size: 5m annotation applies globally to all paths. Here the body-limit middleware is only on the / catch-all, leaving /api/, /auth/, etc. without a request-body cap. If the intent is to enforce a 5 MB upload limit consistently, the middleware should be attached to all routes (or at least the API route that handles uploads).

If selective application is intentional, a brief comment explaining the rationale would help future maintainers.

🤖 Prompt for AI Agents

In `@charts/plane-enterprise/templates/ingress-traefik.yaml` around lines 72 - 79,
The body-limit middleware ({{ .Release.Name }}-body-limit) is only attached to
the catch-all rule (Host(`{{ .Values.license.licenseDomain }}`) &&
PathPrefix(`/`)) so API/upload routes like /api/ and /auth/ remain uncapped;
update the Traefik ingress rules to include the same middleware on the
API/auth/upload rules that point to the {{ .Release.Name }}-web service (or
apply it globally to all host rules) so the 5 MB limit is enforced consistently,
and if you intentionally want selective coverage, add a short comment next to
the rule(s) explaining that rationale.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Condition is less restrictive than the IngressRoute template.

The IngressRoute in ingress-traefik.yaml additionally checks .Values.license.licenseDomain, but this middleware does not. When licenseDomain is empty, the middleware will be created with no IngressRoute to reference it. Align the conditions for consistency.

Proposed fix

-{{- if and .Values.ingress.enabled (eq .Values.ingress.ingressClass "traefik-external") }}
+{{- if and .Values.ingress.enabled (eq .Values.ingress.ingressClass "traefik-external") .Values.license.licenseDomain }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	{{- if and .Values.ingress.enabled (eq .Values.ingress.ingressClass "traefik-external") }}
	{{- if and .Values.ingress.enabled (eq .Values.ingress.ingressClass "traefik-external") .Values.license.licenseDomain }}

🧰 Tools

🪛 YAMLlint (1.38.0)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🤖 Prompt for AI Agents

In `@charts/plane-enterprise/templates/traefik-middleware.yaml` at line 1, The
middleware template condition is too permissive compared to the IngressRoute:
update the conditional in templates/traefik-middleware.yaml to require the same
three checks used by the IngressRoute (ensure .Values.ingress.enabled is true,
.Values.ingress.ingressClass equals "traefik-external", and
.Values.license.licenseDomain is non-empty) so the middleware is only rendered
when an IngressRoute referencing it will also be created; mirror the exact
predicate logic found in ingress-traefik.yaml to keep behavior consistent.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Default ingress_annotations are nginx-specific but the default class is now Traefik.

"nginx.ingress.kubernetes.io/proxy-body-size": "5m" has no effect on a Traefik IngressRoute. With traefik-external as the default, this annotation is dead config and may confuse users. Consider either clearing the default annotations or making them conditional on the ingress class.

Possible fix

-  ingress_annotations: { "nginx.ingress.kubernetes.io/proxy-body-size": "5m" }
+  ingress_annotations: {}

Users who select nginx can supply annotations via their own values override.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ingress_annotations: { "nginx.ingress.kubernetes.io/proxy-body-size": "5m" }
	ingress_annotations: {}

🤖 Prompt for AI Agents

In `@charts/plane-enterprise/values.yaml` at line 29, The default
ingress_annotations map currently contains an nginx-specific key
("nginx.ingress.kubernetes.io/proxy-body-size": "5m") which is ineffective when
the default ingress class is Traefik; update the values.yaml entry for
ingress_annotations (the ingress_annotations map) to not include nginx-only
annotations by default — either set ingress_annotations to an empty map or make
the default conditional on the ingressClass (e.g., only populate the nginx
annotation when ingressClass == "nginx" or leave it empty so users choosing
nginx can supply their own overrides).

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@charts/plane-enterprise/templates/ingress-traefik.yaml`:
- Around line 81-82: The template only sets tls.secretName ({{
.Values.ssl.tls_secret_name }}) for Traefik's websecure entrypoint and lacks
both an HTTP (web) IngressRoute with a redirect middleware and cert-manager
integration; update the chart documentation (README and values.yaml comments) to
(1) explain that this IngressRoute listens on the websecure entrypoint only and
instruct users to either add a companion IngressRoute for the web entrypoint
that references a redirect middleware or enable a Traefik static HTTP→HTTPS
redirect, and (2) explain the current requirement for a pre-existing secret
(tls.secretName) and provide migration steps for users coming from nginx's
ssl.generateCerts / ssl.createIssuer workflow—include sample steps to create a
cert-manager Issuer and Certificate that produce the expected secret or guidance
on modifying the template to support cert-manager annotations if they want
automated provisioning.

🧹 Nitpick comments (2)

charts/plane-enterprise/templates/traefik-rbac.yaml (2)

16-19: Role grants access to all secrets in the namespace — consider scoping down.

The Role allows get, list, and watch on all secrets in the release namespace. This is broader than required; Traefik only needs to read the specific TLS secret. You can restrict this with resourceNames:

Proposed scoping

 rules:
 - apiGroups: [""]
   resources: ["secrets"]
+  resourceNames: ["{{ default (printf "%s-ssl-cert" .Release.Name) .Values.ssl.tls_secret_name }}"]
   verbs: ["get", "list", "watch"]

This follows the principle of least privilege and prevents the Traefik service account from reading unrelated secrets (e.g., database credentials) in the same namespace.

---

12-15: Conventional managed-by label value is Helm (capitalized).

The standard Helm-generated label uses app.kubernetes.io/managed-by: Helm (capital H). Using lowercase helm may cause inconsistencies with labels on other resources managed by the same release.

Also applies to: 26-29

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

No HTTP-to-HTTPS redirect or cert-manager integration.

Two things to be aware of:

1. HTTP→HTTPS redirect: This IngressRoute only listens on the websecure entrypoint. There's no companion IngressRoute for the web (HTTP) entrypoint with a redirect middleware, so HTTP requests will get connection-refused rather than a graceful redirect. This may need to be handled at the Traefik deployment level, but it's worth documenting.

2. cert-manager: The nginx path supports ssl.generateCerts / ssl.createIssuer for automated certificate provisioning. This Traefik template only references a pre-existing secret. Users migrating from the nginx path with cert-manager will need manual steps.

Consider documenting these gaps in the chart's README or values.yaml comments.

🤖 Prompt for AI Agents

In `@charts/plane-enterprise/templates/ingress-traefik.yaml` around lines 81 - 82,
The template only sets tls.secretName ({{ .Values.ssl.tls_secret_name }}) for
Traefik's websecure entrypoint and lacks both an HTTP (web) IngressRoute with a
redirect middleware and cert-manager integration; update the chart documentation
(README and values.yaml comments) to (1) explain that this IngressRoute listens
on the websecure entrypoint only and instruct users to either add a companion
IngressRoute for the web entrypoint that references a redirect middleware or
enable a Traefik static HTTP→HTTPS redirect, and (2) explain the current
requirement for a pre-existing secret (tls.secretName) and provide migration
steps for users coming from nginx's ssl.generateCerts / ssl.createIssuer
workflow—include sample steps to create a cert-manager Issuer and Certificate
that produce the expected secret or guidance on modifying the template to
support cert-manager annotations if they want automated provisioning.