@borysei borysei commented Oct 15, 2025

Description

What problem is being solved?

The Helm chart lacked support for global image registry and pull secrets configuration. Users couldn't:

  • Override the container registry globally for all images (main OpenFGA + init containers)
  • Set pull secrets at a global level or per-image level
  • Easily switch between different registries (e.g., Docker Hub, GHCR, private registries)

This made it difficult for organizations with private registries or specific image pull requirements to deploy OpenFGA without maintaining custom forks.

How is it being solved?

The solution leverages the Bitnami common chart library (upgraded from 2.13.3 to 2.31.4) which provides standardized helper functions for:

  1. Image rendering: common.images.image helper constructs full image paths with registry/repository/tag/digest
  2. Pull secrets management: common.images.renderPullSecrets helper consolidates pull secrets from global and component-specific configurations

This follows Kubernetes and Helm best practices by supporting a hierarchy:

  • Global settings (global.imageRegistry, global.imagePullSecrets)
  • Component-specific settings (image.registry, image.pullSecrets)
  • Component settings override global settings

What changes are made to solve it?

charts/openfga/values.yaml:53-62

  • Added global.imageRegistry and global.imagePullSecrets fields
  • Added image.registry, image.digest, and image.pullSecrets fields
  • Added initContainer.registry, initContainer.digest, and initContainer.pullSecrets fields
  • Removed top-level imagePullSecrets (migrated to component-specific)

charts/openfga/templates/_helpers.tpl:144-162

  • Created openfga.pullSecrets helper (global and both main + init container images)
  • Created openfga.jobPullSecrets helper (global and main image only - least privilege)
  • Created openfga.image helper (renders full OpenFGA image path)
  • Created openfga.initContainer.image helper (renders full init container image path)

charts/openfga/templates/*.yaml

  • Replaced hardcoded image strings with helper templates
  • Replaced manual imagePullSecrets YAML blocks with helper template calls

charts/openfga/values.schema.json

  • Added comprehensive JSON schema documentation for all new fields

charts/openfga/Chart.yaml

  • Upgraded Bitnami common chart dependency from 2.13.3 to 2.31.4

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • New Features

    • Added global settings for imageRegistry and imagePullSecrets.
    • Added registry, digest, and pullSecrets options for main and init container images; digest now supported and takes precedence over tag; init container pullPolicy configurable.
    • Unified handling of image references and imagePullSecrets across workloads for consistent configuration.
  • Chores

    • Updated bundled common chart dependency to a newer version.

@borysei borysei requested review from a team as code owners October 15, 2025 22:25
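
A check a reviewer or CI job could run on rendered output to confirm the settings described above took effect: every image comes from the expected registry, is pinned by digest, and each workload that runs images carries imagePullSecrets. This is an added example, not code from the PR or the OpenFGA chart; `audit_images`, `sample_manifests`, the registry host, the image names and the digest are constructed for illustration.

```shell
# Added example. Audits rendered manifests (helm template output) on stdin.
# $1 = registry host every image must come from. Prints one finding per line, returns non-zero on any.
audit_images() {
  awk -v reg="$1" '
    function end_doc() {             # a document with images needs pull secrets
      if (nimg > 0 && !secrets) { print "NO_PULL_SECRETS " kind; bad = 1 }
      nimg = 0; secrets = 0; kind = "?"
    }
    BEGIN { bad = 0; kind = "?" }
    /^---/ { end_doc(); next }
    /^kind:[ \t]/ { kind = $2 }
    /^[ \t]*imagePullSecrets:/ { secrets = 1 }
    /^[ \t]*(-[ \t]*)?image:[ \t]/ {
      img = $0
      sub(/^[ \t]*(-[ \t]*)?image:[ \t]*/, "", img)
      gsub(/"/, "", img)             # drop YAML double quotes
      nimg++
      if (index(img, reg "/") != 1) { print "WRONG_REGISTRY " img; bad = 1 }
      n = index(img, "@sha256:")     # pinned form ends in @sha256:<64 hex>
      dig = (n > 0) ? substr(img, n + 8) : ""
      if (length(dig) != 64 || dig !~ /^[0-9a-f]+$/) { print "NOT_PINNED " img; bad = 1 }
    }
    END { end_doc(); exit bad }
  '
}
# Constructed, simplified sample (not real chart output): names, tag and digest are made up.
sample_manifests() {
  d=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  cat <<EOF
kind: Deployment
spec:
  imagePullSecrets:
    - name: regcred
  initContainers:
    - name: wait-for-migration
      image: "docker.io/example/init:1.0"
  containers:
    - name: openfga
      image: "registry.example.internal/openfga/openfga@sha256:$d"
---
kind: Job
spec:
  containers:
    - name: migrate-database
      image: registry.example.internal/openfga/openfga:v1.0.0
EOF
}
sample_manifests | audit_images registry.example.internal || true
```

Against a real chart the input would be the output of `helm template` with the values file under review; the check is line-based, so it treats an empty `imagePullSecrets: []` as present.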

linux-foundation-easycla bot commented Oct 15, 2025

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: borysei / name: Bogdan Borysei (ba6a61f)


coderabbitai bot commented Oct 15, 2025

Walkthrough

Updates Helm chart dependency version. Adds helper templates to centralize image and pullSecret rendering. Refactors deployment, job, and test templates to use new helpers. Expands values schema and defaults to support global registry, pull secrets, image registry/digest, and initContainer pull policy. Removes root-level imagePullSecrets from schema.

Changes

| Cohort / File(s) | Summary of Edits |
|---|---|
| Chart dependency update: charts/openfga/Chart.yaml | Bumped common chart dependency version from 2.13.3 to 2.31.4. |
| Template helpers for images and pull secrets: charts/openfga/templates/_helpers.tpl | Added helpers: openfga.pullSecrets, openfga.jobPullSecrets, openfga.image, openfga.initContainer.image. Centralize image reference and pull secret rendering. |
| Deployment uses helpers: charts/openfga/templates/deployment.yaml | Replaced inline imagePullSecrets and image fields with includes of new helpers for initContainer, migrate, and main containers. |
| Job uses helpers: charts/openfga/templates/job.yaml | Replaced inline imagePullSecrets with openfga.jobPullSecrets; container image now via openfga.image. |
| Test pod uses helpers: charts/openfga/templates/tests/test-connection.yaml | Switched to openfga.pullSecrets and openfga.image for pull secrets and image resolution. |
| Schema updates: charts/openfga/values.schema.json | Added global.imageRegistry, global.imagePullSecrets; added registry, digest, pullSecrets to image and initContainer; added initContainer.pullPolicy; removed root-level imagePullSecrets. |
| Defaults updates: charts/openfga/values.yaml | Added defaults for global.imageRegistry, global.imagePullSecrets; added registry, digest, pullSecrets to image and initContainer. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant U as Helm User
  participant H as Helm Renderer
  participant T as openfga.templates
  participant C as Common Chart Helpers

  U->>H: helm template/install
  H->>T: Render deployment/job/test templates
  T->>T: include "openfga.pullSecrets"/"jobPullSecrets"
  T->>T: include "openfga.image"/"openfga.initContainer.image"
  T->>C: common.images.image(imageRoot, global, chart)
  C-->>T: Resolved image (registry/repo:tag or @digest)
  T-->>H: Manifests with images & imagePullSecrets
  H-->>U: Final Kubernetes manifests

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • rhamzeh

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The PR title "feat: Allow Setting Image Registry and Pull Secrets Globally" is directly aligned with the primary objective of this changeset. The core changes involve adding hierarchical configuration options for global image registry (global.imageRegistry) and image pull secrets (global.imagePullSecrets) alongside component-specific overrides, along with new Helm template helpers to support these settings. The title accurately captures this main feature without unnecessary detail or noise, and uses a conventional commit format (feat:) for clarity. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8e85901 and ba6a61f.

⛔ Files ignored due to path filters (1)
  • charts/openfga/Chart.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
  • charts/openfga/Chart.yaml (1 hunks)
  • charts/openfga/templates/_helpers.tpl (1 hunks)
  • charts/openfga/templates/deployment.yaml (4 hunks)
  • charts/openfga/templates/job.yaml (2 hunks)
  • charts/openfga/templates/tests/test-connection.yaml (1 hunks)
  • charts/openfga/values.schema.json (4 hunks)
  • charts/openfga/values.yaml (2 hunks)
🔇 Additional comments (13)
charts/openfga/values.yaml (2)

1-13: LGTM: Well-structured hierarchical image configuration.

The addition of global and component-specific image configuration follows Helm best practices:

  • Global defaults (lines 1-3) for consistency across components
  • Component-level overrides (lines 8, 12-13) for flexibility
  • Support for both tag-based and digest-based image selection

The empty defaults ensure backward compatibility.


57-63: LGTM: Consistent initContainer configuration.

The initContainer configuration mirrors the main image configuration structure, providing the same level of flexibility for registry, digest, and pull secrets.

charts/openfga/templates/deployment.yaml (2)

33-33: LGTM: Centralized pull secret management.

The replacement of the manual imagePullSecrets block with the openfga.pullSecrets helper centralizes secret management and ensures consistency across all pods.


43-43: LGTM: Consistent image resolution through helpers.

The template now consistently uses:

  • openfga.initContainer.image (line 43) for the wait-for-migration container
  • openfga.image (lines 56, 85) for both the migrate-database initContainer and main container

This centralization enables global registry configuration and digest-based image selection.

Also applies to: 56-56, 85-85

charts/openfga/templates/tests/test-connection.yaml (1)

10-10: LGTM: Test pod aligned with deployment pattern.

The test pod now uses the same helper templates (openfga.pullSecrets and openfga.image) as the deployment, ensuring consistency across all pod specifications.

Also applies to: 13-13

charts/openfga/templates/job.yaml (2)

28-28: LGTM: Proper use of job-specific pull secrets.

The job correctly uses openfga.jobPullSecrets instead of openfga.pullSecrets. Since the migration job doesn't use the initContainer image, excluding its pull secrets follows the principle of least privilege.


38-38: LGTM: Consistent image helper usage.

The migration job now uses the openfga.image helper, enabling centralized image configuration.

charts/openfga/templates/_helpers.tpl (2)

157-159: LGTM: Correct image helper implementation.

The openfga.image helper correctly passes . context to common.images.image and includes all required parameters (imageRoot, global, chart).


161-163: LGTM: Correct initContainer image helper implementation.

The openfga.initContainer.image helper correctly passes . context and required parameters. Note that it intentionally omits the chart parameter as initContainer images typically don't need chart-specific processing.

charts/openfga/values.schema.json (3)

6-17: LGTM: Well-documented global configuration schema.

The schema additions for global.imageRegistry and global.imagePullSecrets include clear descriptions that explain their purpose and provide examples of how they interact with component-specific settings.


22-47: LGTM: Comprehensive image configuration schema.

The schema properly documents:

  • image.registry for component-specific registry override
  • image.digest with clear precedence over tag
  • image.pullSecrets for component-specific secrets

The descriptions reference official Kubernetes documentation for imagePullSecrets, which is helpful.


1130-1156: LGTM: Consistent initContainer schema additions.

The initContainer schema additions mirror the main image configuration, providing:

  • Registry override capability
  • Digest-based image selection
  • Component-specific pull secrets
  • Clear documentation for each field

charts/openfga/Chart.yaml (1)

28-28: Manual verification required: upstream fetch failed

Please confirm that Bitnami common chart v2.31.4 provides common.images.image and common.images.renderPullSecrets helpers and review its changelog for breaking changes since v2.13.3.

Comment on lines +145 to +147
{{- define "openfga.pullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" $) -}}
{{- end }}

⚠️ Potential issue | 🔴 Critical

Fix incorrect context parameter in helper template.

The openfga.pullSecrets helper passes $ (root context at template definition) instead of . (current context) to common.images.renderPullSecrets. This will cause the helper to receive the wrong context and fail to properly resolve image pull secrets.

Apply this diff to fix the context parameter:

 {{- define "openfga.pullSecrets" -}}
-{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" $) -}}
+{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" .) -}}
 {{- end }}
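
Review bot: the `"context" $` to `"context" .` swap on the `include` line does not change what `common.images.renderPullSecrets` receives. Inside a `define`, `$` is bound to the argument the helper was included with, and nothing in these three lines (no `with` or `range`) rebinds `.` before the call, so both forms pass the same value. What decides whether `.Values.image` and `.Values.initContainer` resolve is the call site: each template should invoke this helper as `include "openfga.pullSecrets" .` from root scope, or pass `$` when calling from inside a `with` or `range` block. Treat the change as a style choice at most and verify the call sites instead.
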
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- define "openfga.pullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" $) -}}
{{- end }}
{{- define "openfga.pullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image .Values.initContainer) "context" .) -}}
{{- end }}
🤖 Prompt for AI Agents
In charts/openfga/templates/_helpers.tpl around lines 145 to 147, the helper
uses `$` (root context) when calling common.images.renderPullSecrets which
causes the wrong context to be passed; change the context argument from `$` to
`.` so the current template context is forwarded to renderPullSecrets, ensuring
image and initContainer values resolve correctly.

Comment on lines +153 to +155
{{- define "openfga.jobPullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}}
{{- end }}

⚠️ Potential issue | 🔴 Critical

Fix incorrect context parameter in job helper template.

Same issue as in openfga.pullSecrets: the helper passes $ instead of . for the context parameter.

Apply this diff:

 {{- define "openfga.jobPullSecrets" -}}
-{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}}
+{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" .) -}}
 {{- end }}
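
Review bot: on the `include` line of `openfga.jobPullSecrets`, `$` and `.` are again the same value because the helper body never rebinds `.`, so the replacement is a no-op. A more useful check for this helper is a render test: set `global.imagePullSecrets`, `image.pullSecrets` and `initContainer.pullSecrets` to three different names, render the Job, and confirm the first two appear under `imagePullSecrets` while the init container's does not, since the `images` list here holds only `.Values.image`.
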
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
{{- define "openfga.jobPullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" $) -}}
{{- end }}
{{- define "openfga.jobPullSecrets" -}}
{{- include "common.images.renderPullSecrets" (dict "images" (list .Values.image) "context" .) -}}
{{- end }}
🤖 Prompt for AI Agents
In charts/openfga/templates/_helpers.tpl around lines 153 to 155, the
jobPullSecrets helper is passing the wrong context variable ($) to the include
of common.images.renderPullSecrets; update the include call to pass the current
context (.) instead of $ so the correct scope/values are available when
rendering pull secrets.
