Conversation
KevinGruber2001
temporarily deployed
to
test1
GitHub Actions
Inactive
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
📝 Coding Plan
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment Tip You can customize the tone of the review comments and chat replies.Configure the |
KevinGruber2001
temporarily deployed
to
test1
GitHub Actions
Inactive
KevinGruber2001
temporarily deployed
to
test1
GitHub Actions
Inactive
KevinGruber2001
had a problem deploying
to
test1
GitHub Actions
Failure
KevinGruber2001
had a problem deploying
to
test1
GitHub Actions
Failure
KevinGruber2001
temporarily deployed
to
test1
GitHub Actions
Inactive
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
KevinGruber2001
force-pushed
the
feat/15-integrate-shared-cache-node-into-theia-cloud-combined
branch
from
f3474a5 to
d459ac9
Compare
KevinGruber2001
temporarily deployed
to
test2
GitHub Actions
Inactive
KevinGruber2001
had a problem deploying
to
test2
GitHub Actions
Failure
KevinGruber2001
had a problem deploying
to
test1
GitHub Actions
Failure
KevinGruber2001
temporarily deployed
to
test2
GitHub Actions
Inactive
KevinGruber2001
had a problem deploying
to
test2
GitHub Actions
Failure
KevinGruber2001
temporarily deployed
to
test2
GitHub Actions
Inactive
KevinGruber2001
temporarily deployed
to
test2
GitHub Actions
Inactive
There was a problem hiding this comment.
Pull request overview
This PR adds a shared Gradle build cache node using a new theia-shared-cache Helm subchart. It configures the cache for the test2 test environment and adds the necessary TLS infrastructure (internal CA, cache certificates, trust bundle), Grafana dashboards, and Prometheus service monitors. A reference to a Reposilite Maven proxy monitoring setup is also added.
Changes:
- Adds
theia-shared-cacheas a Helm subchart dependency totheia-cloud-combined, with cache-related TLS certificates and trust bundles intheia-certificates - Adds Prometheus
ServiceMonitorand Grafana dashboards for both the shared cache and Reposilite - Enables caching (
enableCaching,cacheUrl) in the operator config fortest2and in the reference values file, and adds acachehost entry across all deployment environments
Reviewed changes
Copilot reviewed 17 out of 17 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
charts/theia-cloud-combined/Chart.yaml |
Adds theia-shared-cache as a subchart dependency |
charts/theia-cloud-combined/values.yaml |
Adds cache host and theia-shared-cache disabled-by-default config |
charts/theia-certificates/templates/cache-certificate.yml |
New public TLS certificate for external cache access |
charts/theia-certificates/templates/cache-internal-certificate.yml |
New internal TLS certificate for in-cluster cache comms |
charts/theia-certificates/templates/internal-ca.yml |
New internal CA + ClusterIssuer for self-signed internal certs |
charts/theia-certificates/templates/trust-bundle.yml |
New trust-manager Bundle to distribute the internal CA to target namespaces |
charts/theia-certificates/values.yaml |
Adds cache host config to values |
charts/theia-monitoring/values.yaml |
Adds sharedCacheNamespaces and reposiliteNamespaces values |
charts/theia-monitoring/templates/servicemonitor-cache.yaml |
New Prometheus ServiceMonitor for the cache |
charts/theia-monitoring/templates/servicemonitor-reposilite.yaml |
New Prometheus ServiceMonitor for Reposilite |
charts/theia-monitoring/templates/dashboard-cache.yaml |
New Grafana dashboard for cache metrics |
charts/theia-monitoring/templates/dashboard-reposilite.yaml |
New Grafana dashboard for Reposilite metrics |
deployments/test2.theia-test.artemis.cit.tum.de/values.yaml |
Enables the shared cache and configures caching for test2 |
deployments/test1.theia-test.artemis.cit.tum.de/values.yaml |
Adds cache host entry |
deployments/test3.theia-test.artemis.cit.tum.de/values.yaml |
Not updated — missing cache host entry (unchanged, not in PR) |
deployments/theia.artemis.cit.tum.de/values.yaml |
Adds cache host entry |
deployments/theia-staging.artemis.cit.tum.de/values.yaml |
Adds cache host entry |
value-reference-files/theia-cloud-helm-values.yml |
Adds enableCaching and cacheUrl to reference config |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "current": { "selected": false, "text": "test2", "value": "test2" }, | ||
| "hide": 0, | ||
| "includeAll": false, | ||
| "label": "Namespace", | ||
| "multi": false, | ||
| "name": "namespace", | ||
| "options": [ | ||
| { "selected": true, "text": "test2", "value": "test2" } | ||
| ], | ||
| "query": "test2", | ||
| "skipUrlSync": false, | ||
| "type": "custom" |
There was a problem hiding this comment.
The Grafana dashboard templates for both dashboard-cache.yaml and dashboard-reposilite.yaml hardcode the namespace dropdown variable to only the test2 namespace (see the templating.list section near the end of each file). This means when the dashboards are deployed to production environments (e.g., theia, theia-staging), the namespace selector will only offer test2 as an option. Unlike the existing dashboard-theiacloud.yaml, which uses Helm templating for the query and options fields of the namespace variable, these new dashboards embed the namespace list directly as static JSON. Consider using Prometheus label_values() queries (as done in dashboard-session-startup.yaml) or dynamically templating the namespace options so the dashboards are useful across all environments.
| "current": { "selected": false, "text": "test2", "value": "test2" }, | |
| "hide": 0, | |
| "includeAll": false, | |
| "label": "Namespace", | |
| "multi": false, | |
| "name": "namespace", | |
| "options": [ | |
| { "selected": true, "text": "test2", "value": "test2" } | |
| ], | |
| "query": "test2", | |
| "skipUrlSync": false, | |
| "type": "custom" | |
| "current": {}, | |
| "datasource": null, | |
| "definition": "label_values(kube_pod_info, \"namespace\")", | |
| "hide": 0, | |
| "includeAll": false, | |
| "label": "Namespace", | |
| "multi": false, | |
| "name": "namespace", | |
| "options": [], | |
| "query": "label_values(kube_pod_info, \"namespace\")", | |
| "refresh": 2, | |
| "skipUrlSync": false, | |
| "sort": 1, | |
| "type": "query" |
| - theia-cloud-combined-cache | ||
| - theia-cloud-combined-cache.theia-cloud.svc.cluster.local |
There was a problem hiding this comment.
The cache-internal-certificate.yml is deployed as a cluster-scoped resource but contains no namespace-aware templating. Its dnsNames hardcode theia-cloud-combined-cache and theia-cloud-combined-cache.theia-cloud.svc.cluster.local. However, when the theia-shared-cache subchart is installed as part of theia-cloud-combined, the actual Kubernetes service name is generated from the parent chart name and subchart name (i.e., tum-theia-cloud-theia-shared-cache or similar), not theia-cloud-combined-cache. Additionally, the deployment namespace may not be theia-cloud. This certificate will likely not match the actual service DNS names, causing TLS verification failures. Verify the exact service name generated by the subchart and update the dnsNames accordingly.
| - theia-cloud-combined-cache | |
| - theia-cloud-combined-cache.theia-cloud.svc.cluster.local | |
| - {{ printf "%s-%s" .Release.Name "theia-shared-cache" | quote }} | |
| - {{ printf "%s-%s.%s.svc.cluster.local" .Release.Name "theia-shared-cache" .Release.Namespace | quote }} |
| sessionsPerUser: 10 | ||
| storageClassName: csi-rbd-sc | ||
| enableCaching: true | ||
| cacheUrl: "http://theia-shared-cache:5071" |
There was a problem hiding this comment.
The cacheUrl in the value reference file uses http://theia-shared-cache:5071 (HTTP, port 5071, no /cache/ path suffix), while the actual test2 deployment uses https://theia-cloud-combined-cache:8080/cache/ (HTTPS, port 8080, with /cache/ path suffix). These two values are inconsistent — they differ in protocol, hostname, port, and path. Since the reference file is used as documentation for how to configure caching, this inconsistency could mislead users. The reference file should match the pattern used in the working deployment, or add a comment explaining that the URL format depends on whether TLS is enabled and on the service name specific to the deployment.
| cacheUrl: "http://theia-shared-cache:5071" | |
| # URL of the cache service; adjust protocol/host/port/path for your environment. | |
| cacheUrl: "https://theia-cloud-combined-cache:8080/cache/" |
|
|
||
| operator: | ||
| image: theiacloud/theia-cloud-operator:1.1.0-next | ||
| image: ghcr.io/ls1intum/theia/operator:pr-41 |
There was a problem hiding this comment.
The operator image is set to a PR-specific tag ghcr.io/ls1intum/theia/operator:pr-41 in the reference file. Reference/example files should not contain PR-specific image tags, as these are ephemeral and will become unavailable once the PR is merged or closed. This should be updated to a stable tag such as latest or a pinned release version.
| image: ghcr.io/ls1intum/theia/operator:pr-41 | |
| image: ghcr.io/ls1intum/theia/operator:latest |
| - test2 | ||
| - theia | ||
| - theia-staging | ||
| - test1 | ||
| - test3 |
There was a problem hiding this comment.
The trust-bundle.yml hardcodes the target namespace list and does not use Helm templating, so it cannot adapt to different deployment environments when the chart is installed. If this chart is installed for the theia.artemis.cit.tum.de deployment (which doesn't have its own trust-bundle.yml override), the same hardcoded list including test2, theia, theia-staging, test1, and test3 will be applied. While this may be intentional since the Bundle is cluster-scoped and serves all environments, it means any new environment added to the cluster requires a manual update to this file. More critically, if this chart is managed per-deployment, the single hardcoded list could cause conflicts (duplicate Bundle names). Consider whether the namespace list should be driven by a templated .Values reference like other similar resources in the codebase.
| - test2 | |
| - theia | |
| - theia-staging | |
| - test1 | |
| - test3 | |
| {{- toYaml .Values.trustBundle.targetNamespaces | nindent 12 }} |
| "templating": { | ||
| "list": [ | ||
| { | ||
| "current": { "selected": false, "text": "test2", "value": "test2" }, | ||
| "hide": 0, | ||
| "includeAll": false, | ||
| "label": "Namespace", | ||
| "multi": false, | ||
| "name": "namespace", | ||
| "options": [ | ||
| { "selected": true, "text": "test2", "value": "test2" } | ||
| ], | ||
| "query": "test2", | ||
| "skipUrlSync": false, | ||
| "type": "custom" | ||
| } | ||
| ] |
There was a problem hiding this comment.
Same issue as in dashboard-cache.yaml: the namespace variable in the templating.list section hardcodes only test2 as both the static option and the default query value. This makes the dashboard non-functional in other environments. Consider using a dynamic label_values() query or Helm template-driven namespace options to support all environments.
| - name: theia-shared-cache | ||
| version: "0.2.3-pr.24" | ||
| repository: "oci://ghcr.io/ls1intum/charts" |
There was a problem hiding this comment.
The Chart.lock file has not been updated to include the new theia-shared-cache dependency. After adding a new dependency to Chart.yaml, helm dependency update must be run to regenerate Chart.lock so that the new dependency (theia-shared-cache version 0.2.3-pr.24) is recorded. Without this, helm dependency build will fail or may use an incorrect/stale lock file.
| repository: "https://ls1intum.github.io/theia-workspace-garbage-collector/" | ||
|
|
||
| - name: theia-shared-cache | ||
| version: "0.2.3-pr.24" |
There was a problem hiding this comment.
The theia-shared-cache subchart version is 0.2.3-pr.24, which is a PR-specific pre-release version. Using a PR-specific version in the Chart.yaml means the chart depends on a transient artifact that will eventually become unavailable. This should be updated to a stable, released version once the upstream PR is merged, before merging this PR into the production branch.
| version: "0.2.3-pr.24" | |
| version: "0.2.3" |
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 12 out of 12 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| scheme: https | ||
| tlsConfig: | ||
| insecureSkipVerify: true No newline at end of file |
There was a problem hiding this comment.
The servicemonitor-cache.yaml uses scheme: https with insecureSkipVerify: true for scraping the cache server's metrics endpoint. While TLS is enabled on the cache server, skipping TLS verification defeats the security purpose of using TLS. Prometheus should be configured to use the internal CA trust bundle (the theia-internal-trust bundle distributed via trust-manager) to properly verify the server certificate instead of disabling verification entirely.
| "list": [ | ||
| { | ||
| "current": { "selected": false, "text": "test2", "value": "test2" }, | ||
| "hide": 0, | ||
| "includeAll": false, | ||
| "label": "Namespace", | ||
| "multi": false, | ||
| "name": "namespace", | ||
| "options": [ | ||
| { "selected": true, "text": "test2", "value": "test2" } | ||
| ], | ||
| "query": "test2", | ||
| "skipUrlSync": false, | ||
| "type": "custom" | ||
| } | ||
| ] |
There was a problem hiding this comment.
The Grafana dashboard definitions for both shared-cache and Reposilite have the namespace template variable hardcoded to "test2" as its only option and default. If the theia-monitoring chart is deployed cluster-wide for multiple environments (as stated by the comment "This chart is installed ONCE per cluster"), these dashboards will only show data for test2 unless the namespace variable is updated. Consider using a Prometheus-based label-values query (using the label_values() query type in Grafana) to dynamically populate the namespace dropdown, so the dashboard works across all monitored namespaces without manual updates.
| { | ||
| "current": { "selected": false, "text": "test2", "value": "test2" }, | ||
| "hide": 0, | ||
| "includeAll": false, | ||
| "label": "Namespace", | ||
| "multi": false, | ||
| "name": "namespace", | ||
| "options": [ | ||
| { "selected": true, "text": "test2", "value": "test2" } | ||
| ], | ||
| "query": "test2", | ||
| "skipUrlSync": false, | ||
| "type": "custom" | ||
| } | ||
| ] | ||
| }, |
There was a problem hiding this comment.
Same hardcoded namespace issue as in dashboard-cache.yaml: the namespace template variable has only "test2" as its only option and default value. This means the Reposilite dashboard will only show metrics for test2. The namespace list should be made dynamic or driven from a template variable populated via a Prometheus query.
| - name: theia-shared-cache | ||
| version: 0.3.1 | ||
| repository: "oci://ghcr.io/eduide/charts" |
There was a problem hiding this comment.
The theia-shared-cache dependency has been added to Chart.yaml, but the Chart.lock file has not been updated to include this new dependency. The Chart.lock still only lists the original four dependencies without theia-shared-cache. This means helm dependency update must be run to regenerate the lock file; otherwise, Helm will fail to correctly resolve and download the new sub-chart during deployment. Please run helm dependency update charts/theia-cloud-combined to regenerate Chart.lock.
| apiVersion: cert-manager.io/v1 | ||
| kind: Certificate | ||
| metadata: | ||
| name: cache-internal-cert | ||
| spec: | ||
| secretName: cache-internal-cert-secret | ||
| issuerRef: | ||
| name: theia-internal-ca-issuer | ||
| kind: ClusterIssuer | ||
| commonName: "theia-shared-cache" | ||
| dnsNames: | ||
| - theia-cloud-combined-cache | ||
| - theia-cloud-combined-cache.{{ .Release.Namespace }}.svc.cluster.local | ||
| privateKey: | ||
| rotationPolicy: Never |
There was a problem hiding this comment.
The cache-internal-certificate.yml in the theia-certificates chart is not conditional (no if/enabled guard), meaning the certificate and its dependency on theia-internal-ca-issuer will always be applied for every environment that uses theia-certificates. The theia-internal-ca-issuer ClusterIssuer is likewise always created. However, the cache is only enabled in the test2 deployment (theia-shared-cache.enabled: true). For environments where the cache is not deployed, this certificate will be generated but unused, and any environments that don't have the theia-internal-ca-issuer ClusterIssuer pre-existing (i.e., because this is also a new addition) will now have it created for all environments regardless of cache being used.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: theia-cloud | ||
| version: 1.4.0-next.0 | ||
| repository: "https://ls1intum.github.io/theia-cloud-helm" | ||
| repository: "https://eduide.github.io/EduIDE-helm" |
There was a problem hiding this comment.
The theia-cloud chart repository in Chart.yaml was changed from https://ls1intum.github.io/theia-cloud-helm to https://eduide.github.io/EduIDE-helm. This is a significant upstream repository change that affects where the theia-cloud dependency is fetched from. The Chart.lock still references the old repository URL, which further confirms the lock file is out of date (see related comment). Additionally, the workflow in deploy-theia.yml at line 140-142 still patches the Chart.yaml looking for the old URL patterns (e.g., https://ls1intum.github.io/theia-cloud-helm and https://eclipse-theia.github.io/theia-cloud-helm/), but won't find the new URL https://eduide.github.io/EduIDE-helm, meaning the branch-override logic in the CI workflow will no longer work correctly when helm_chart_branch is specified.
| "templating": { | ||
| "list": [ | ||
| { | ||
| "current": { "selected": false, "text": "test2", "value": "test2" }, | ||
| "hide": 0, | ||
| "includeAll": false, | ||
| "label": "Namespace", | ||
| "multi": false, | ||
| "name": "namespace", | ||
| "options": [ | ||
| { "selected": true, "text": "test2", "value": "test2" } | ||
| ], | ||
| "query": "test2", | ||
| "skipUrlSync": false, | ||
| "type": "custom" | ||
| } | ||
| ] |
There was a problem hiding this comment.
The Grafana dashboard namespace variable for dashboard-reposilite.yaml uses a hardcoded "type": "custom" with a fixed "query": "test2" and a single option "test2". This is inconsistent with the existing patterns in the codebase (see dashboard-session-startup.yaml which uses a dynamic label_values() query, and dashboard-theiacloud.yaml which uses a static comma-separated list of all namespaces). This makes the dashboard usable only in the test2 namespace without modification.
| permissions: | ||
| contents: read | ||
| runs-on: arc-runner-set-stateless | ||
| runs-on: ubuntu-latest |
There was a problem hiding this comment.
The runner was changed from arc-runner-set-stateless (a custom self-hosted runner) to ubuntu-latest (a GitHub-hosted runner). The deployment workflow uses a KUBECONFIG secret to connect to the Kubernetes cluster. Running on GitHub-hosted runners means that Kubernetes cluster access must be routed through GitHub's infrastructure rather than from a trusted internal runner. Verify that this is intentional and that the network routing from GitHub-hosted runners to your cluster is properly secured and allowed.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 13 out of 13 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| stringData: | ||
| username: "prometheus" | ||
| password: "prometheus" |
There was a problem hiding this comment.
The servicemonitor-reposilite.yaml embeds the Reposilite Prometheus credentials (username: "prometheus", password: "prometheus") as plaintext in the YAML file. Even though the comment states the metrics endpoint doesn't need to be secure, having literal credentials committed to the repository (and rendered as Kubernetes Secrets) is a security anti-pattern. If the credentials ever change, they would be in source control history. Consider using a Helm value with a secret (e.g., {{ .Values.reposilite.metricsPassword }}) that can be supplied at deploy time.
| name: Install Theia Cloud Helm Chart | ||
| permissions: | ||
| contents: read | ||
| runs-on: arc-runner-set-stateless | ||
| runs-on: ubuntu-latest | ||
| # Link to GitHub Environment for secrets and protection rules | ||
| environment: ${{ inputs.environment }} | ||
|
|
There was a problem hiding this comment.
The Patch Chart.yaml step in this workflow uses sed patterns to replace the theia-cloud chart repository URL with a local path when helm_chart_branch is specified. Those patterns match ls1intum.github.io/theia-cloud-helm and eclipse-theia.github.io/theia-cloud-helm. However, Chart.yaml now sets the repository for theia-cloud to "https://eduide.github.io/EduIDE-Helm" — none of the existing sed patterns match this new URL. As a result, the Patch Chart.yaml step will silently do nothing when helm_chart_branch is provided, and the deployment will use the remote EduIDE chart instead of the local branch. The sed patterns should be updated to include the new URL.
| apiVersion: cert-manager.io/v1 | ||
| kind: Certificate | ||
| metadata: | ||
| name: theia-internal-ca | ||
| spec: | ||
| isCA: true | ||
| commonName: theia-internal-ca | ||
| secretName: theia-internal-ca-secret | ||
| issuerRef: | ||
| name: theia-cloud-selfsigned-issuer | ||
| kind: ClusterIssuer | ||
| privateKey: | ||
| algorithm: ECDSA | ||
| size: 256 | ||
| duration: 87600h # 10 years | ||
| renewBefore: 8760h # renew 1 year before expiry | ||
| --- | ||
| apiVersion: cert-manager.io/v1 | ||
| kind: ClusterIssuer | ||
| metadata: | ||
| name: theia-internal-ca-issuer | ||
| spec: | ||
| ca: | ||
| secretName: theia-internal-ca-secret No newline at end of file |
There was a problem hiding this comment.
The internal-ca.yml creates a theia-internal-ca Certificate and theia-internal-ca-issuer ClusterIssuer without any Helm conditional ({{- if ... }}). These are cluster-scoped/global resources. If the theia-certificates chart is deployed for multiple environments (test1, test2, test3, theia, theia-staging), re-deploying it in a second namespace will attempt to re-create the same ClusterIssuer and Certificate (by the same name), which will either conflict or silently overwrite. Consider wrapping these with a Helm conditional (e.g., {{- if .Values.internalCA.enabled }}) or documenting that this chart must only be installed once per cluster.
Aligns with EduIDE-Helm PR #11 which adds v1beta11 support. With helm_chart_tag=pr-11, CI will now resolve theia-cloud-crds:1.2.0-next.1.pr-11 from GHCR.
Points theia-cloud-crds at the eduide-fork conversion-webhook image (conversion-webhook:pr-70) which includes the v1beta11 AppDefinition mapper required for the sidecar redesign.
theia-no-ls:pr-46 and langserver-java:pr-46 no longer exist in the registry. The no-ls AppDefinitions reference images from ls1intum/theia directly, so these preloading entries served no purpose.
- preserve explicit mountWorkspace=false in Helm template (avoid default overriding false) - support sidecar imageTag/defaultImageTag fallback when sidecar image has no explicit tag - set landing default app to a defined sidecar app and remove stale additionalApps entries - remove hardcoded latest tags in sidecar appdefs to honor defaultImageTag overrides - preload no-ls IDE + sidecar langserver images used by test3
- replace ls1intum/theia image references with ghcr.io/eduide/eduide for no-ls IDE and sidecar images - align test3 appdefinitions and preloading with PR-tagged image pipeline
- add explicit workflow overrides for preloading image indices 7..10 - ensure java-17-no-ls/rust-no-ls and langserver-java/langserver-rust track IDE tag input
…15-integrate-shared-cache-node-into-theia-cloud-combined
No description provided.