IMPORTANT
Airgapped deployments are available exclusively for Business plan customers. Contact our sales team for pricing and licensing information.
Airgapped deployments are available exclusively for Business plan customers. Contact our sales team for pricing and licensing information.
What is an airgapped deployment?
An airgapped deployment operates in a completely isolated network environment with no external internet connectivity. This isolation is common in highly regulated industries, government facilities, and organizations with strict security requirements. Plane supports fully airgapped deployments where all components - application services, databases, storage, and integrations - operate entirely within your isolated network perimeter.Airgapped cluster architecture
Here’s how Plane operates in an airgapped environment with internal enterprise applications:
-
No telemetry
Plane does not send application data, usage metrics, or telemetry outside the cluster. No analytics, crash reports, or usage statistics leave your network. -
Offline licensing
License validation happens through uploaded license files downloaded from the Prime portal. No internet connection required after initial license file transfer. -
Zero external dependencies
After initial image import, no external network connectivity is required for Plane to operate. All features work entirely within your isolated environment. -
Internal-only communication
All service-to-service communication stays within your cluster. Services never attempt to reach external APIs, CDNs, or third-party services.
How integrations stay internal
The airgapped cluster diagram above shows the complete data flow. Key points:- OAuth providers - Your internal GitHub Enterprise or GitLab instance acts as the OAuth provider
- Authorization endpoints - All OAuth URLs point to internal systems, never external SaaS services
- API communication - Plane makes API calls only to your internal instances
- Webhook delivery - Internal systems send webhooks to Plane’s internal endpoints
- No SaaS fallback - Plane never attempts to reach github.com, gitlab.com, or slack.com APIs
Kubernetes-specific requirements
Base environment
Deploying airgapped Plane via Kubernetes requires preparing all dependencies to operate without any external network access.Container images and artifacts
- Maintain an internal OCI or container registry to host all Plane service images
- Prepare a controlled process to pull, verify, and mirror Plane container images and Helm charts from an online staging environment into the airgapped registry
Kubernetes environment
Supported versions: Kubernetes 1.31 – 1.33 Required components:- IngressClass configured
- StorageClass available
- cert-manager configured with an internal CA
- Ensure node OS dependencies and container runtime packages are available from mirrored package repositories like apt, yum, or offline bundles
Scaling
Horizontal scaling is handled via replica counts configurable invalues.yaml.
Plane avoids using StatefulSets where possible due to the complexity of scaling stateful workloads in Kubernetes. The monitor service uses a StatefulSet.
For airgapped clusters:
- Ensure metrics-server images are mirrored if using HPA
- If using node autoscaling, ensure node images are pre-loaded and registries accessible on bootstrap
Secrets management
Plane supports using existing external secret stores, provided they are reachable within the airgapped environment:- AWS Secrets Manager for private VPC with no internet
- HashiCorp Vault
- Self-hosted Bitwarden
- Kubernetes Secrets
- SOPS, sealed-secrets, if preferred
Additional considerations
- Ensure all secret providers can function without external network access
- cert-manager must use an internal certificate authority
- Keys and secret rotation policies should be part of the airgap operational procedures