feat: add secondary datastore option (closes #260)#287

Open
xvirgov wants to merge 3 commits into openfga:main from xvirgov:feature-260-add-export-endpoint


@xvirgov xvirgov commented Feb 12, 2026

Description

Adding secondary datastore configuration in the chart

What problem is being solved?

How is it being solved?

Following the same way the primary configuration is provided:

  1. direct values (creates a new, separate secret from the one created for primary)
  2. using an existing secret
  3. uri secret

What changes are made to solve it?

References

Review Checklist

  • [x] I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • New Features
    • Added support for configuring an optional secondary datastore for OpenFGA deployments. Users can now set up a redundant or additional PostgreSQL database configuration through customizable Helm values, with automatic generation of required Kubernetes secrets and environment variables. Secondary datastore connection details can be provided directly or sourced from existing secrets.

@xvirgov xvirgov requested a review from a team as a code owner February 12, 2026 20:01
Copilot AI review requested due to automatic review settings February 12, 2026 20:01
@xvirgov xvirgov requested review from a team as code owners February 12, 2026 20:01

linux-foundation-easycla bot commented Feb 12, 2026

CLA Signed

The committers listed above are authorized under a signed CLA.


coderabbitai bot commented Feb 12, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Walkthrough

Adds secondary datastore support to OpenFGA Helm charts by introducing template helpers for environment configuration and secret name resolution, updating deployment specifications to include secondary datastore environment variables, creating conditional secrets resources, and defining configuration schema with new secondary datastore options.

Changes

Cohort / File(s): Summary

  • Template Helpers (charts/openfga/templates/_helpers.tpl): Added openfga.datastore.secondary.secretName and openfga.datastore.secondary.envConfig template definitions to handle secondary datastore configuration with conditional logic for URI, username, and password sourcing from secrets or generated values.
  • Deployment Configuration (charts/openfga/templates/deployment.yaml): Extended container environment variables to include secondary datastore configuration via the new template helper include statement.
  • Secrets Resource (charts/openfga/templates/secrets.yaml): Added conditional secondary datastore Secret block that generates base64-encoded data fields for password, username, and URI when secondary datastore is enabled.
  • Configuration Schema (charts/openfga/values.yaml): Introduced secondary datastore configuration block with enabled flag, uri, uriSecret, username, password, existingSecret, and nested secretKeys properties for flexible credential sourcing.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)

Check name: Status, Explanation

  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Merge Conflict Detection: ✅ Passed. ✅ No merge conflicts detected when merging into main
  • Title check: ✅ Passed. The title 'feat: add secondary datastore option (closes #260)' clearly and concisely describes the main change—adding secondary datastore support to the Helm chart, which is reflected across all modified files.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@charts/openfga/templates/secrets.yaml`:
- Around line 19-20: The unconditional YAML document separator '---' is always
emitted which can create an empty document; change the template so the '---' is
only rendered when the secondary secret block will be produced — i.e., wrap the
separator inside the existing conditional that checks
.Values.datastore.secondary.enabled and ( .Values.datastore.secondary.username
|| .Values.datastore.secondary.password || .Values.datastore.secondary.uri ), or
alternatively emit the separator only when either the primary or secondary
secret condition is true so that '---' appears only when a secret resource is
actually rendered.

Copilot AI left a comment

Pull request overview

This PR adds support for configuring a secondary (read-only) datastore for OpenFGA, which is useful for PostgreSQL read replica setups. The implementation follows the same pattern as the primary datastore configuration, supporting three methods: direct values (creates a new secret), using an existing secret, or using a URI secret.

Changes:

  • Added datastore.secondary configuration block in values.yaml with all necessary fields
  • Created template helper for secondary datastore secret name and environment configuration
  • Updated deployment to inject secondary datastore environment variables
  • Added secret creation logic for secondary datastore credentials

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File: Description

  • charts/openfga/values.yaml: Adds secondary datastore configuration fields (enabled, uri, uriSecret, username, password, existingSecret, secretKeys)
  • charts/openfga/templates/secrets.yaml: Adds conditional secret creation for secondary datastore credentials
  • charts/openfga/templates/deployment.yaml: Injects secondary datastore environment variables into the container
  • charts/openfga/templates/_helpers.tpl: Adds helper templates for secondary datastore secret name and environment variable configuration


Comment on lines 225 to 236
# Optional read datastore configuration (for PostgreSQL)
secondary:
enabled: false
uri:
uriSecret:
username:
password:
existingSecret:
secretKeys:
uriKey:
usernameKey:
passwordKey:
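
Review bot: The `secondary:` block offers inline `uri:`, `username:` and `password:` next to `uriSecret:` and `existingSecret:` without saying which source wins when more than one is set. Add a comment above `secondary:` stating the precedence, and say there that inline `password:` and `uri:` values live in the values file, so `existingSecret` or `uriSecret` is the better place for real credentials. The empty `uriKey:`, `usernameKey:` and `passwordKey:` entries under `secretKeys:` would also benefit from a comment naming the key that is read when they are left unset.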

Copilot AI Feb 12, 2026

The README.md should be updated to document the new secondary datastore configuration feature. Currently, the README documents the primary datastore configuration with examples. Consider adding a section explaining how to configure a secondary (read-only) datastore for PostgreSQL, including examples of the three configuration methods (direct values, existing secret, and uriSecret) similar to the existing datastore documentation.

Copilot uses AI. Check for mistakes.
Author

The readme doesn't contain doc for other values either, I don't think it's necessary to add it there either

pullPolicy: Always
tag: "v2.0"

# Optional read datastore configuration (for PostgreSQL)

Copilot AI Feb 12, 2026

Consider adding validation or documentation to clarify the behavior when datastore.secondary.enabled is true but no configuration method is provided (no uri/uriSecret/existingSecret). Currently, this would result in the secondary datastore being marked as enabled but with no actual configuration, which might cause runtime errors in OpenFGA. Either add a Helm validation that ensures at least one configuration method is provided when enabled is true, or document that enabled is a feature flag that still requires one of the configuration methods to be set.

Suggested change
# Optional read datastore configuration (for PostgreSQL)
# Optional read datastore configuration (for PostgreSQL)
# NOTE:
# - `enabled` acts as a feature flag to turn on the secondary (read) datastore.
# - When `enabled` is set to true, you must configure at least ONE of:
# * `uri` – direct connection string
# * `uriSecret` – name of a Secret containing the connection string
# * `existingSecret`– name of a Secret containing credentials referenced via `secretKeys`
# Otherwise, OpenFGA may start with secondary datastore marked as enabled but without
# any usable configuration, which can lead to runtime errors.

Author

I think that once reading up on the docs about secondary, it's clear that either of these options needs to be specified but I can add it if you think it's a good idea anyway
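
The Helm-side validation raised in the thread above could look like the following. This is an added example, not code from this PR or from the OpenFGA chart: the helper name openfga.datastore.secondary.validate is hypothetical, and the value keys are the ones listed in the values.yaml excerpt above.

```yaml
{{/*
Added example (hypothetical helper, not part of the PR).
Stops `helm template` / `helm install` with a clear message when
datastore.secondary.enabled is true but none of uri, uriSecret or
existingSecret is set, instead of rendering a deployment that only
fails once OpenFGA starts.
*/}}
{{- define "openfga.datastore.secondary.validate" -}}
{{- /* `default dict` keeps the lookup safe if the user sets `secondary: null` */ -}}
{{- $s := .Values.datastore.secondary | default dict -}}
{{- if $s.enabled -}}
{{- if not (or $s.uri $s.uriSecret $s.existingSecret) -}}
{{- fail "datastore.secondary.enabled is true: set one of datastore.secondary.uri, datastore.secondary.uriSecret or datastore.secondary.existingSecret" -}}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Call it once from a template that is always rendered, for example at the
top of templates/deployment.yaml (placement is an assumption):
*/}}
{{- include "openfga.datastore.secondary.validate" . -}}
```

With the default `enabled: false` the helper renders nothing, so existing installs are unaffected.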

@SoulPancake SoulPancake changed the title Feat: add secondary datastore option (closes #260) feat: add secondary datastore option (closes #260) Feb 13, 2026

@chadbirch chadbirch left a comment

It looks good to me. Just the minor linting error that lint-test is observing, but nothing that looks functionally significant.
