[INFRA-372]: Add Plane-EE Helm chart configuration for PostgreSQL read replica support

[pratapalakshmi]

Summary by CodeRabbit

• New Features

  • Added PostgreSQL read-replica support with configurable enablement and replica URL, plus runtime validation to prevent enabling a replica without a URL. Exposes enable flag and replica URL to app configuration.

• Chores

  • Bumped Helm chart version to 2.4.1.

[coderabbitai]

Walkthrough

Bumps the Plane Enterprise Helm chart to version 2.4.1 and adds PostgreSQL read-replica configuration: new values for services.postgres.read_replica, a template-time validation, conditional DATABASE_READ_REPLICA_URL in the Secret, and ENABLE_READ_REPLICA in the ConfigMap.

Changes

Read-replica and chart version

Layer / File(s)	Summary
Data Shape charts/plane-enterprise/values.yaml	Adds services.postgres.read_replica with enabled: false and remote_url: ''.
Template Validation charts/plane-enterprise/templates/config-secrets/app-env.yaml	Adds a fail check that aborts rendering when read_replica.enabled is true but read_replica.remote_url is empty.
Secret wiring charts/plane-enterprise/templates/config-secrets/app-env.yaml	Conditionally emits DATABASE_READ_REPLICA_URL in the Secret stringData only when read_replica.enabled and a non-empty remote_url are present.
ConfigMap wiring charts/plane-enterprise/templates/config-secrets/app-env.yaml	Adds ENABLE_READ_REPLICA in ConfigMap data, computed as "1" when enabled, "0" otherwise (defaults to false).
Chart metadata charts/plane-enterprise/Chart.yaml	Bumps Helm chart version from 2.4.0 to 2.4.1 (keeping appVersion: "2.5.4").

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through charts with a curious peep,
Added a replica for Postgres to keep.
A fail to protect, an env to relay,
Version bumped lightly — off I hop away! 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding PostgreSQL read replica support configuration to the Plane-EE Helm chart across three files (Chart.yaml version bump, app-env.yaml template updates, and values.yaml configuration additions).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/add/read_replica/enterprise

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 0/1 reviews remaining, refill in 60 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

charts/plane-enterprise/templates/config-secrets/app-env.yaml (1)

28-30: Consider documenting that read-replica is remote-only.

Unlike the DATABASE_URL block (Lines 20-26) which derives a URL from the in-cluster service when local_setup=true, the new block has no local_setup branch — read-replica only works when an explicit remote_url is supplied. That seems intentional (in-cluster single-node Postgres can't serve as its own replica), but it's worth a short comment in values.yaml next to read_replica.remote_url to set operator expectations.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/plane-enterprise/templates/config-secrets/app-env.yaml` around lines
28 - 30, Add a short clarifying comment in values.yaml next to the
services.postgres.read_replica.remote_url key stating that read-replica is
remote-only (the chart/template only sets DATABASE_READ_REPLICA_URL when
remote_url is provided and does not derive an in-cluster URL even with
local_setup=true); reference the values key
services.postgres.read_replica.remote_url and the template output variable
DATABASE_READ_REPLICA_URL so operators understand they must supply a remote URL
for replicas.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/plane-enterprise/templates/config-secrets/app-env.yaml`:
- Around line 28-30: Guard against enabled=true with an empty remote_url by
updating the template that emits DATABASE_READ_REPLICA_URL: check
.Values.services.postgres.read_replica.enabled and
.Values.services.postgres.read_replica.remote_url together: either only render
DATABASE_READ_REPLICA_URL when remote_url is non-empty, or add a fail-fast check
(e.g. {{- if and .Values.services.postgres.read_replica.enabled (not
.Values.services.postgres.read_replica.remote_url) }}{{ fail
"read_replica.enabled is true but read_replica.remote_url is empty" }}{{- end
}}) to stop chart rendering; ensure this is coordinated with ENABLE_READ_REPLICA
so the ConfigMap and Secret remain consistent (refer to
.Values.services.postgres.read_replica.enabled,
.Values.services.postgres.read_replica.remote_url, DATABASE_READ_REPLICA_URL and
ENABLE_READ_REPLICA).

In `@charts/plane-enterprise/values.yaml`:
- Around line 84-86: The inline comment on the remote_url entry under
read_replica contains trailing whitespace; edit the values for
read_replica.remote_url to remove the extra spaces after "URL ONLY" so the
comment ends immediately after the text (ensure symbol names: read_replica and
remote_url remain unchanged).

---

Nitpick comments:
In `@charts/plane-enterprise/templates/config-secrets/app-env.yaml`:
- Around line 28-30: Add a short clarifying comment in values.yaml next to the
services.postgres.read_replica.remote_url key stating that read-replica is
remote-only (the chart/template only sets DATABASE_READ_REPLICA_URL when
remote_url is provided and does not derive an in-cluster URL even with
local_setup=true); reference the values key
services.postgres.read_replica.remote_url and the template output variable
DATABASE_READ_REPLICA_URL so operators understand they must supply a remote URL
for replicas.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6e4fe427-4e0c-4586-9d92-0fae4932f121

📥 Commits

Reviewing files that changed from the base of the PR and between 41dc47d and f3679fc.

📒 Files selected for processing (3)

• charts/plane-enterprise/Chart.yaml
• charts/plane-enterprise/templates/config-secrets/app-env.yaml
• charts/plane-enterprise/values.yaml

[makeplane]

Linked to Plane Work Item(s)

• [INFRA-372] Add db_read_replica_url support in plane-enterprise-helm chart

This comment was auto-generated by Plane

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/plane-enterprise/templates/config-secrets/app-env.yaml`:
- Around line 1-3: The fail-fast validation for postgres read replica should
only run when the chart will generate the Secret (i.e. when
external_secrets.app_env_existingSecret is empty); update the condition around
the existing fail so it is gated by the existing-secret check—either wrap the
current block in the existing "{{- if empty
.Values.external_secrets.app_env_existingSecret }}" guard or add an extra "and
(empty .Values.external_secrets.app_env_existingSecret)" clause to the current
conditional that checks ".Values.services.postgres.read_replica.enabled" and
".Values.services.postgres.read_replica.remote_url", ensuring the
fail("read_replica.enabled is true but read_replica.remote_url is empty") only
triggers when app_env secret will be generated by the chart.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 757058a8-bf71-45cb-b3a1-05291fb4779f

📥 Commits

Reviewing files that changed from the base of the PR and between f3679fc and d76ad79.

📒 Files selected for processing (3)

• charts/plane-enterprise/Chart.yaml
• charts/plane-enterprise/templates/config-secrets/app-env.yaml
• charts/plane-enterprise/values.yaml

✅ Files skipped from review due to trivial changes (1)

• charts/plane-enterprise/values.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fail-fast validation fires even when an external secret is in use, blocking a valid configuration.

The validation is placed outside the {{- if empty .Values.external_secrets.app_env_existingSecret}} gate that controls Secret generation. A user who supplies external_secrets.app_env_existingSecret (their own pre-existing secret that already contains DATABASE_READ_REPLICA_URL) while setting read_replica.enabled = true and leaving remote_url = "" in values will get a hard render failure, even though their deployment is perfectly valid.

The guard should only apply when the chart is generating the Secret itself:

🛡️ Proposed fix

-{{- if and .Values.services.postgres.read_replica.enabled (not .Values.services.postgres.read_replica.remote_url) }}
-{{- fail "read_replica.enabled is true but read_replica.remote_url is empty" }}
-{{- end }}
+{{- if and (empty .Values.external_secrets.app_env_existingSecret) .Values.services.postgres.read_replica.enabled (not .Values.services.postgres.read_replica.remote_url) }}
+{{- fail "read_replica.enabled is true but read_replica.remote_url is empty" }}
+{{- end }}

🧰 Tools

🪛 YAMLlint (1.38.0)

[error] 1-1: syntax error: expected the node content, but found '-'

(syntax)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/plane-enterprise/templates/config-secrets/app-env.yaml` around lines 1
- 3, The fail-fast validation for postgres read replica should only run when the
chart will generate the Secret (i.e. when
external_secrets.app_env_existingSecret is empty); update the condition around
the existing fail so it is gated by the existing-secret check—either wrap the
current block in the existing "{{- if empty
.Values.external_secrets.app_env_existingSecret }}" guard or add an extra "and
(empty .Values.external_secrets.app_env_existingSecret)" clause to the current
conditional that checks ".Values.services.postgres.read_replica.enabled" and
".Values.services.postgres.read_replica.remote_url", ensuring the
fail("read_replica.enabled is true but read_replica.remote_url is empty") only
triggers when app_env secret will be generated by the chart.