Add shared cache node helm chart

[KevinGruber2001]

Summary by CodeRabbit

• New Features

  • Cluster-scoped internal TLS infrastructure with automatic trust-bundle distribution to all namespaces
  • Optional shared cache component with TLS support and configurable resource limits
  • New monitoring dashboards and scrape targets for shared cache and repository service observability
  • Operator flags to enable/disable build and dependency caching (optional acceleration)

• Documentation

  • Quick Start and environment docs updated to include internal TLS installation step and trust-bundle behavior

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new cluster-scoped internal TLS Helm chart and workflow step, integrates a shared cache into the main Theia Cloud helm values and deployments, and introduces monitoring dashboards and ServiceMonitors for the shared cache and Reposilite; documentation and value references updated accordingly.

Changes

Cohort / File(s)	Summary
Internal TLS Chart charts/theia-internal-tls/Chart.yaml, charts/theia-internal-tls/templates/internal-ca.yml, charts/theia-internal-tls/templates/trust-bundle.yml	New Helm chart creating a long-lived CA Certificate, a ClusterIssuer, and a cert-manager Bundle that emits a trust ConfigMap (and JKS) to target namespaces.
Workflow .github/workflows/deploy-theia.yml	Inserted Helm step to install theia-internal-tls (uses workflow KUBECONFIG) between cluster-wide monitoring and subsequent deployment steps.
Certificates charts/theia-certificates/templates/cache-internal-certificate.yml	Added cert-manager Certificate cache-internal-cert issued by theia-internal-ca-issuer for the shared cache service, stored in cache-internal-cert-secret.
Shared Cache Integration charts/theia-cloud-combined/Chart.yaml, charts/theia-cloud-combined/values.yaml, deployments/.../values.yaml	Added theia-shared-cache values (enabled flag and resources), changed dependency version formatting, and added operator cache-related flags/URLs; test deployment values enable cache + TLS and resource settings.
Monitoring charts/theia-monitoring/templates/dashboard-cache.yaml, charts/theia-monitoring/templates/dashboard-reposilite.yaml, charts/theia-monitoring/templates/servicemonitor-cache.yaml, charts/theia-monitoring/templates/servicemonitor-reposilite.yaml, charts/theia-monitoring/values.yaml	Added Grafana dashboards for shared cache and Reposilite, ServiceMonitors for both services, and a small values file whitespace cleanup.
Docs & References README.md, docs/adding-environments.md, value-reference-files/theia-cloud-helm-values.yml	README Quick Start updated to include internal TLS install step and chart entry; docs note cluster-wide install of internal TLS; value-reference updated operator image and disabled caching defaults.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant CI as GitHub Actions
participant Helm as Helm CLI
participant K8s as Kubernetes API
participant CM as cert-manager
participant NS as Namespace ConfigMaps
participant Service as Shared Cache Service

CI->>Helm: helm upgrade --install theia-internal-tls (uses KUBECONFIG)
Helm->>K8s: Create Certificate (theia-internal-ca) & ClusterIssuer
K8s->>CM: cert-manager issues CA cert, creates secret
CM->>K8s: Create Bundle (theia-internal-trust) targeting namespaces
K8s->>NS: Distribute trust ConfigMap (`trust-bundle.pem`, `truststore.jks`)
Service->>K8s: Use ConfigMap + certificate secret for internal TLS

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Integrate Theia Shared Cache Node into Theia Deployments EduIDE-shared-cache#3: Implements the Theia Shared Cache integration (helm charts, certs, monitoring) described by the issue.
• Integrate Shared cache node into theia-cloud-combined #15: Adds shared cache as a dependency/feature in the combined chart and corresponding values and monitoring, matching this PR's changes.

Possibly related PRs

• Migrate custom monitoring to rancher native prometheus/ grafana stack… #25: Related monitoring/dashboard changes and templates overlap with this PR's additions.
• Fix registry references #71: Related workflow modifications; both change deploy-theia.yml ordering and Helm steps.

Suggested labels

ready to merge

Suggested reviewers

• lukaskratzel
• CodeByNikolas
• Mtze

Poem

🐇 A Rabbit's Note on Trust and Cache
New CA seeds the meadow green and wide,
Trust bundles travel, placed in every side,
Caches hum and metrics glow, dashboards gleam,
Helm charts hop forward — together we stream.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title mentions 'shared cache node' but the changes encompass much more: internal TLS infrastructure, monitoring dashboards, caching policies, and deployment configurations. The title is incomplete and doesn't capture the full scope of the changeset.	Revise the title to reflect the broader scope, such as: 'Add shared cache integration with internal TLS and monitoring infrastructure' or 'Integrate shared cache and internal TLS with monitoring dashboards.'

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/15-integrate-shared-cache-node-into-theia-cloud-combined

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 9 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

theia-shared-cache values block won’t be passed to the shared cache subchart anymore, because the dependency name was changed to eduide-shared-cache in Chart.yaml. This means the enabled flag here is ignored. Rename this top-level values key to eduide-shared-cache (or set an explicit alias in Chart.yaml and use that key consistently).

Suggested change

	theia-shared-cache:
	eduide-shared-cache:

[Copilot]

These are hard-coded placeholder passwords committed into an environment values file. If this file is used for real deployments, it creates an easy-to-guess credential risk. Prefer referencing an existing Kubernetes Secret (or disable auth by default in committed env values), and keep credentials out of git.

Suggested change

	enabled: true
	reader:
	username: "reader"
	password: "changeme-reader"
	writer:
	username: "writer"
	password: "changeme-writer"
	enabled: false
	reader:
	username: ""
	password: ""
	writer:
	username: ""
	password: ""

[Copilot]

The operator caching configuration here (operator.buildCache / operator.dependencyCache) doesn’t match the schema introduced in this PR’s reference/default values (enableBuildCaching, buildCacheUrl, enableBuildCachePush, etc.). As written, these settings are likely ignored by the operator chart. Please align this environment values file with the actual operator values schema used by theia-cloud.

Suggested change

	buildCache:
	enabled: true
	push: true
	url: "https://theia-cloud-combined-cache:8080/cache/"
	secretName: ""
	dependencyCache:
	enabled: false
	url: "http://theia-cloud-combined-reposilite:8080/releases/"
	enableBuildCaching: true
	buildCacheUrl: "https://theia-cloud-combined-cache:8080/cache/"
	enableBuildCachePush: true
	buildCacheSecretName: ""
	enableDependencyCaching: false
	dependencyCacheUrl: "http://theia-cloud-combined-reposilite:8080/releases/"

[Copilot]

This chart introduces a trust.cert-manager.io/v1alpha1 Bundle resource, which requires cert-manager trust-manager (CRDs + controller) to be installed on the cluster. The repository docs/workflow changes here don’t mention installing trust-manager, so helm upgrade --install theia-internal-tls ... will fail on clusters that only have cert-manager.

[Copilot]

The Bundle spec doesn’t define which namespaces should receive the generated ConfigMap/format outputs (no target.namespaces / target.namespaceSelector), yet README/docs claim the trust bundle is distributed to all namespaces. Please make the target namespace selection explicit (or update the docs if the intent is same-namespace only).

[Copilot]

This section states the trust bundle ConfigMap (theia-internal-trust) is automatically distributed to all namespaces. The Bundle manifest added in this PR does not currently specify any namespace targeting, so this statement is likely inaccurate unless additional configuration/components exist. Please align the documentation with the actual Bundle behavior (and mention trust-manager if required).

Suggested change

The internal TLS infrastructure (internal CA + trust bundle) is deployed once per cluster via `charts/theia-internal-tls`. The trust bundle ConfigMap (`theia-internal-trust`) is automatically distributed to all namespaces, so no additional configuration is needed when adding a new environment.

The internal TLS infrastructure (internal CA + trust bundle) is deployed once per cluster via `charts/theia-internal-tls`. Distribution of the trust bundle ConfigMap (`theia-internal-trust`) to application namespaces depends on the `Bundle` target configuration managed by trust-manager; it is not implied automatically for every namespace by this chart alone. When adding a new environment, verify that your namespace is targeted and receives the ConfigMap, or update the trust-manager `Bundle` configuration if required.

[Copilot]

The new install step doesn’t mention prerequisites for the theia-internal-tls chart (at minimum: cert-manager, and trust-manager because the chart creates a trust.cert-manager.io/v1alpha1 Bundle). Without that, readers may follow these steps and hit a hard Helm failure due to missing CRDs/controllers. Please document the required components/versions here.

[Copilot]

commonName is set to theia-shared-cache, but the certificate SANs are for theia-cloud-combined-cache[...]. Since clients validate against SANs, having a different CN is confusing and can cause issues with older tooling. Consider setting commonName to the primary DNS name used in dnsNames (or omit CN entirely and rely on SANs).

Suggested change

	commonName: "theia-shared-cache"
	commonName: "theia-cloud-combined-cache"

[Copilot]

This workflow step lacks set -euo pipefail (used in other steps) and starts with a blank line, which makes failures easier to miss and inconsistent with the rest of the workflow. Consider adding set -euo pipefail and, if needed, --create-namespace for cert-manager to make the install more robust.

Suggested change

	# Install cluster-scoped internal CA and trust bundle (once per cluster)
	# Distributes the trust bundle ConfigMap to all namespaces
	helm upgrade --install theia-internal-tls ./charts/theia-internal-tls -n cert-manager
	set -euo pipefail
	# Install cluster-scoped internal CA and trust bundle (once per cluster)
	# Distributes the trust bundle ConfigMap to all namespaces
	helm upgrade --install theia-internal-tls ./charts/theia-internal-tls -n cert-manager --create-namespace

[Copilot]

Pull request overview

Copilot reviewed 15 out of 15 changed files in this pull request and generated 6 comments.

Comments suppressed due to low confidence (2)

deployments/test2.theia-test.artemis.cit.tum.de/values.yaml:146

• This values file still has unresolved merge markers, which makes the file invalid YAML and will cause the Test2 deployment to fail as soon as Helm tries to read it.

    image: ghcr.io/eduide/eduidec-landing-page
    sentry:
      enable: true
    # We can define a default blueprint
    appDefinition: "java-17-templates-latest"

deployments/test2.theia-test.artemis.cit.tum.de/values.yaml:160

• There is a second unresolved merge-conflict block here as well, so even if the earlier conflict is fixed this values file still will not parse as valid YAML.

      c-latest:
        label: C
      javascript-latest:
        label: Javascript
      ocaml-latest:

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 7 comments.

Comments suppressed due to low confidence (1)

README.md:167

• This local-chart install path still skips helm dependency update ./charts/theia-cloud-combined, even though this repository already requires that step before installing the combined chart. With the new shared-cache dependency added in this PR, a fresh checkout will fail here because the subchart is not present yet, and a stale lock/build can resolve the old dependency instead.

5. **Install the combined Theia Cloud chart**:
   ```bash
   helm registry login ghcr.io
   helm upgrade --install theia-cloud-combined ./charts/theia-cloud-combined \
     --namespace your-namespace --create-namespace \
     -f deployments/your-environment/values.yaml

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 16 out of 16 changed files in this pull request and generated 8 comments.

[Copilot]

Pull request overview

Copilot reviewed 19 out of 19 changed files in this pull request and generated 9 comments.

[Copilot]

Pull request overview

Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.