Add shared cache node helm chart

[KevinGruber2001]

Summary by CodeRabbit

• New Features

  • Cluster-scoped internal TLS infrastructure with automatic trust-bundle distribution to all namespaces
  • Optional shared cache component with TLS support and configurable resource limits
  • New monitoring dashboards and scrape targets for shared cache and repository service observability
  • Operator flags to enable/disable build and dependency caching (optional acceleration)

• Documentation

  • Quick Start and environment docs updated to include internal TLS installation step and trust-bundle behavior

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new cluster-scoped internal TLS Helm chart and workflow step, integrates a shared cache into the main Theia Cloud helm values and deployments, and introduces monitoring dashboards and ServiceMonitors for the shared cache and Reposilite; documentation and value references updated accordingly.

Changes

Cohort / File(s)	Summary
Internal TLS Chart charts/theia-internal-tls/Chart.yaml, charts/theia-internal-tls/templates/internal-ca.yml, charts/theia-internal-tls/templates/trust-bundle.yml	New Helm chart creating a long-lived CA Certificate, a ClusterIssuer, and a cert-manager Bundle that emits a trust ConfigMap (and JKS) to target namespaces.
Workflow .github/workflows/deploy-theia.yml	Inserted Helm step to install theia-internal-tls (uses workflow KUBECONFIG) between cluster-wide monitoring and subsequent deployment steps.
Certificates charts/theia-certificates/templates/cache-internal-certificate.yml	Added cert-manager Certificate cache-internal-cert issued by theia-internal-ca-issuer for the shared cache service, stored in cache-internal-cert-secret.
Shared Cache Integration charts/theia-cloud-combined/Chart.yaml, charts/theia-cloud-combined/values.yaml, deployments/.../values.yaml	Added theia-shared-cache values (enabled flag and resources), changed dependency version formatting, and added operator cache-related flags/URLs; test deployment values enable cache + TLS and resource settings.
Monitoring charts/theia-monitoring/templates/dashboard-cache.yaml, charts/theia-monitoring/templates/dashboard-reposilite.yaml, charts/theia-monitoring/templates/servicemonitor-cache.yaml, charts/theia-monitoring/templates/servicemonitor-reposilite.yaml, charts/theia-monitoring/values.yaml	Added Grafana dashboards for shared cache and Reposilite, ServiceMonitors for both services, and a small values file whitespace cleanup.
Docs & References README.md, docs/adding-environments.md, value-reference-files/theia-cloud-helm-values.yml	README Quick Start updated to include internal TLS install step and chart entry; docs note cluster-wide install of internal TLS; value-reference updated operator image and disabled caching defaults.

Sequence Diagram(s)

mermaid
sequenceDiagram
participant CI as GitHub Actions
participant Helm as Helm CLI
participant K8s as Kubernetes API
participant CM as cert-manager
participant NS as Namespace ConfigMaps
participant Service as Shared Cache Service

CI->>Helm: helm upgrade --install theia-internal-tls (uses KUBECONFIG)
Helm->>K8s: Create Certificate (theia-internal-ca) & ClusterIssuer
K8s->>CM: cert-manager issues CA cert, creates secret
CM->>K8s: Create Bundle (theia-internal-trust) targeting namespaces
K8s->>NS: Distribute trust ConfigMap (`trust-bundle.pem`, `truststore.jks`)
Service->>K8s: Use ConfigMap + certificate secret for internal TLS

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related issues

• Integrate Theia Shared Cache Node into Theia Deployments EduIDE-shared-cache#3: Implements the Theia Shared Cache integration (helm charts, certs, monitoring) described by the issue.
• Integrate Shared cache node into theia-cloud-combined #15: Adds shared cache as a dependency/feature in the combined chart and corresponding values and monitoring, matching this PR's changes.

Possibly related PRs

• Migrate custom monitoring to rancher native prometheus/ grafana stack… #25: Related monitoring/dashboard changes and templates overlap with this PR's additions.
• Fix registry references #71: Related workflow modifications; both change deploy-theia.yml ordering and Helm steps.

Suggested labels

ready to merge

Suggested reviewers

• lukaskratzel
• CodeByNikolas
• Mtze

Poem

🐇 A Rabbit's Note on Trust and Cache
New CA seeds the meadow green and wide,
Trust bundles travel, placed in every side,
Caches hum and metrics glow, dashboards gleam,
Helm charts hop forward — together we stream.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title mentions 'shared cache node' but the changes encompass much more: internal TLS infrastructure, monitoring dashboards, caching policies, and deployment configurations. The title is incomplete and doesn't capture the full scope of the changeset.	Revise the title to reflect the broader scope, such as: 'Add shared cache integration with internal TLS and monitoring infrastructure' or 'Integrate shared cache and internal TLS with monitoring dashboards.'

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/15-integrate-shared-cache-node-into-theia-cloud-combined

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (9)

deployments/test3.theia-test.artemis.cit.tum.de/theia-crds-helm-values.yml (1)

3-4: Consider using stable image tags for deployment configurations.

Using PR-specific image tags in deployment configurations may pose risks:

• PR branches and their associated images are typically temporary
• Images may be cleaned up after PR merge/closure
• Reproducibility could be affected if the image is no longer available

For test environments, consider using commit SHAs or semantic version tags that persist after PR lifecycle.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/test3.theia-test.artemis.cit.tum.de/theia-crds-helm-values.yml`
around lines 3 - 4, The deployment uses a PR-specific image tag under the
conversion.image key (conversion: image:
ghcr.io/eduide/eduide-cloud/conversion-webhook:pr-70); replace the ephemeral PR
tag with a stable, long-lived identifier (e.g., a commit SHA or semver tag) so
the image remains available after PR close/merge—update the conversion.image
value to point to the chosen immutable tag and verify the CI/build produces that
tag before deploying.

deployments/test2.theia-test.artemis.cit.tum.de/theia-crds-helm-values.yml (1)

4-5: Consider using stable image tags for deployment configurations.

Using PR-specific image tags in deployment configurations may pose risks:

• PR branches and their associated images are typically temporary
• Images may be cleaned up after PR merge/closure
• Reproducibility could be affected if the image is no longer available

For test environments, consider using commit SHAs or semantic version tags that persist after PR lifecycle.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/test2.theia-test.artemis.cit.tum.de/theia-crds-helm-values.yml`
around lines 4 - 5, The deployment is using a transient PR-specific image tag in
the conversion.image field
(ghcr.io/eduide/eduide-cloud/conversion-webhook:pr-70); change this to a stable,
persistent tag (e.g., a commit SHA or semantic version) so the image remains
available after PR closure—update the conversion.image value to reference the
chosen immutable tag (commit SHA or semver) instead of the "pr-70" branch tag.

deployments/internal-tls-infrastructure/values.yaml (1)

2-7: Namespace list is drift-prone as new environments are added.

Consider deriving targets via label/selector-based distribution (if supported by your trust-bundle setup) or enforcing this list via CI validation against known environment namespaces to avoid missed TLS trust propagation during future environment onboarding.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/internal-tls-infrastructure/values.yaml` around lines 2 - 7, The
hard-coded namespaces list under the "namespaces" key in values.yaml is prone to
drift; instead update the chart/config to accept a selector-based target (e.g.,
replace or augment the "namespaces" array with a "namespaceSelector" field that
supports label selectors) and modify the trust-bundle consumer code/path to
honor namespaceSelector when computing targets, or alternatively add a CI
validation step that compares the "namespaces" array against the canonical
cluster namespaces and fails the PR if there are missing/extra entries;
reference the "namespaces" key in values.yaml and the trust-bundle consumer
logic to implement either the selector support or the CI enforcement so future
environments are not missed.

charts/theia-internal-tls/templates/internal-ca.yml (1)

9-11: Implicit dependency on theia-cloud-selfsigned-issuer ClusterIssuer.

This Certificate references theia-cloud-selfsigned-issuer which must exist before theia-internal-tls is installed. Per the workflow, this is satisfied because theia-cloud-crds (which creates this issuer) is installed before theia-internal-tls.

Consider adding a comment in the chart's README or Chart.yaml to document this prerequisite for operators who may install the chart manually outside the workflow.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/theia-internal-tls/templates/internal-ca.yml` around lines 9 - 11, Add
a clear prerequisite note to the theia-internal-tls chart documentation stating
that the Certificate in templates/internal-ca.yml references the ClusterIssuer
named theia-cloud-selfsigned-issuer and that this ClusterIssuer must exist
(provided by theia-cloud-crds) before installing theia-internal-tls; update
README.md and/or Chart.yaml to document this dependency and mention the
installer/workflow order or manual installation steps to create
theia-cloud-selfsigned-issuer beforehand.

value-reference-files/theia-cloud-helm-values.yml (1)

34-34: Reference file uses PR-specific image tag.

The operator image ghcr.io/ls1intum/theia/operator:pr-41 references a specific PR build. If this is a reference/template file for new deployments, consider using a stable tag like latest or a released version. If this is intentionally tracking a feature branch, this can be ignored.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@value-reference-files/theia-cloud-helm-values.yml` at line 34, The values
file currently pins the operator image to the PR build
"ghcr.io/ls1intum/theia/operator:pr-41"; update the image key to use a stable
tag (for example "latest" or a specific release version) or make it configurable
via a values variable so templates/defaults don't reference a transient PR tag —
change the value assigned to the image key (the "image" entry) accordingly or
replace it with a variable reference used by your chart.

charts/theia-monitoring/templates/servicemonitor-reposilite.yaml (1)

22-26: Consider handling empty reposiliteNamespaces gracefully.

If .Values.reposiliteNamespaces is empty or undefined, the matchNames list will be empty, which could cause the ServiceMonitor to match no services or behave unexpectedly. Consider wrapping this in a conditional or ensuring the values file always has at least one namespace.

♻️ Suggested defensive check

+{{- if .Values.reposiliteNamespaces }}
   namespaceSelector:
     matchNames:
       {{- range .Values.reposiliteNamespaces }}
       - {{ . }}
       {{- end }}
+{{- else }}
+  namespaceSelector:
+    any: true
+{{- end }}

Or add validation in values.yaml with a comment indicating the list must not be empty.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/theia-monitoring/templates/servicemonitor-reposilite.yaml` around
lines 22 - 26, The namespaceSelector.matchNames block in the ServiceMonitor
template can render an empty list when .Values.reposiliteNamespaces is empty;
update the template to guard rendering by checking if
.Values.reposiliteNamespaces is defined and non-empty (e.g., with an if or
hasKey/len check) before iterating, or provide a sensible default (single-item
list or omit matchNames to use cluster-wide matching) so
namespaceSelector.matchNames does not become an empty array; modify the
templates/servicemonitor-reposilite.yaml around the namespaceSelector and the
range over .Values.reposiliteNamespaces to implement this conditional, or add
validation/default in values.yaml to ensure reposiliteNamespaces is always
populated.

charts/theia-monitoring/templates/dashboard-cache.yaml (1)

505-521: Same hardcoded namespace variable issue as the Reposilite dashboard.

The namespace template variable should use a Prometheus query for dynamic namespace discovery instead of hardcoding test2.

♻️ Suggested change to make namespace dynamic

       "templating": {
         "list": [
           {
-            "current": { "selected": false, "text": "test2", "value": "test2" },
+            "current": {},
+            "datasource": { "type": "prometheus", "uid": "prometheus" },
             "hide": 0,
             "includeAll": false,
             "label": "Namespace",
             "multi": false,
             "name": "namespace",
-            "options": [
-              { "selected": true, "text": "test2", "value": "test2" }
-            ],
-            "query": "test2",
+            "query": "label_values(gradle_cache_cache_hits_total, namespace)",
+            "refresh": 2,
             "skipUrlSync": false,
-            "type": "custom"
+            "type": "query"
           }
         ]
       },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/theia-monitoring/templates/dashboard-cache.yaml` around lines 505 -
521, The namespace template variable is hardcoded to "test2"; update the
templating entry with name "namespace" so it uses a Prometheus query-based
variable instead of fixed options: change "type" from "custom" to "query", set
"query" to a Prometheus label_values call (e.g. label_values(namespace)) and
configure the "datasource" to the Prometheus data source, and remove the
hardcoded "options" and static "current" values so namespaces are discovered
dynamically at runtime.

deployments/test3.theia-test.artemis.cit.tum.de/values.yaml (1)

72-75: Using :latest tags reduces deployment reproducibility.

While acceptable for test environments, pinning specific image versions (e.g., SHA digests or semantic versions) would improve reproducibility and rollback capability. Consider using versioned tags when promoting to staging/production.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/test3.theia-test.artemis.cit.tum.de/values.yaml` around lines 72
- 75, The deployment uses unpinned images
(ghcr.io/eduide/eduide/java-17-no-ls:latest,
ghcr.io/eduide/eduide/rust-no-ls:latest,
ghcr.io/eduide/eduide/langserver-java:latest,
ghcr.io/eduide/eduide/langserver-rust:latest); replace each :latest with a
specific semantic version tag or an image digest (SHA) in values.yaml to ensure
reproducible deployments, and optionally expose those tags as configurable
values (e.g., image.tag or image.digest variables) so CI can inject promoted
versions during release.

charts/theia-monitoring/templates/dashboard-reposilite.yaml (1)

774-790: Hardcoded namespace variable limits dashboard reusability.

The namespace template variable is defined as type: "custom" with only test2 as an option. This prevents users from selecting other namespaces dynamically. Consider using a Prometheus label_values query to auto-discover namespaces.

♻️ Suggested change to make namespace dynamic

       "templating": {
         "list": [
           {
-            "current": { "selected": false, "text": "test2", "value": "test2" },
+            "current": {},
+            "datasource": { "type": "prometheus", "uid": "prometheus" },
             "hide": 0,
             "includeAll": false,
             "label": "Namespace",
             "multi": false,
             "name": "namespace",
-            "options": [
-              { "selected": true, "text": "test2", "value": "test2" }
-            ],
-            "query": "test2",
+            "query": "label_values(jetty_requests_total, namespace)",
+            "refresh": 2,
             "skipUrlSync": false,
-            "type": "custom"
+            "type": "query"
           }
         ]
       },

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@charts/theia-monitoring/templates/dashboard-reposilite.yaml` around lines 774
- 790, The templating entry for the variable with "name": "namespace" is
hardcoded as type: "custom" with a single option "test2"; replace this with a
dynamic Prometheus-backed variable by changing the variable's "type" from
"custom" to "query", setting its "datasource" to your Prometheus datasource, and
replacing the "query" (currently "test2") with a Prometheus label_values(...)
query (e.g., label_values(kube_namespace_labels, namespace) or
label_values(kube_pod_info, namespace) depending on your metrics), remove the
static "options" block, and enable "includeAll" or appropriate "multi"/refresh
settings so users can select namespaces dynamically (locate the templating.list
element where "name": "namespace" to make these edits).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@charts/theia-internal-tls/templates/trust-bundle.yml`:
- Around line 15-24: The target block currently has no namespaceSelector so the
ConfigMap (target.configMap key "trust-bundle.pem" and additionalFormats.jks key
"truststore.jks") will be propagated cluster-wide; either add a
namespaceSelector under target (using namespaceSelector.matchLabels or
matchExpressions to select the intended namespaces) to limit distribution to the
namespaces listed in trustBundle.namespaces, and ensure those namespaces are
labeled accordingly, or if cluster-wide distribution is intended remove the
unused trustBundle.namespaces entries from the values to avoid confusion.

In `@deployments/test2.theia-test.artemis.cit.tum.de/values.yaml`:
- Around line 84-88: The deployment values use unsupported cache keys
(enableBuildCaching, buildCacheUrl, enableBuildCachePush,
enableDependencyCaching, dependencyCacheUrl) while the reference file uses
enableCaching and cacheUrl, but neither set is referenced by the operator
templates; inspect the operator chart templates (search for occurrences of
enableCaching, cacheUrl, buildCacheUrl, enableBuildCaching, etc.) to confirm
whether the operator supports caching—if the operator supports caching,
standardize both values.yaml files to the operator's expected keys (e.g., switch
to enableCaching and cacheUrl or the operator's exact names) and update any
template references accordingly; if the operator does not support caching,
remove all cache-related keys from both the reference and deployment values.yaml
to avoid unsupported configuration.

In `@docs/adding-environments.md`:
- Line 98: The docs claim the internal trust bundle (ConfigMap
theia-internal-trust created by charts/theia-internal-tls) is distributed to all
namespaces, but the actual deployment uses a namespace-scoped list in
deployments/internal-tls-infrastructure/values.yaml; update docs to state that
new namespaces must be added to that values.yaml (or alternatively change the
implementation to cluster-wide distribution), and reference
charts/theia-internal-tls and theia-internal-trust so readers know which
ConfigMap and chart to update.

In `@value-reference-files/theia-cloud-helm-values.yml`:
- Around line 39-40: The values file currently uses enableCaching and cacheUrl
and references the service theia-shared-cache:5071 which conflicts with test2
deployment service names and newer operator keys; update the file to target one
operator version: either (A) keep legacy keys (enableCaching, cacheUrl) but
change cacheUrl to the actual service DNS and port used in the cluster (e.g.,
match the live cache service name and port), or (B) migrate to the newer
operator keys (enableBuildCaching, buildCacheUrl, enableBuildCachePush,
enableDependencyCaching, dependencyCacheUrl) and set
buildCacheUrl/dependencyCacheUrl to the correct service DNSs
(theia-cloud-combined-cache-server:8080 and
theia-cloud-combined-reposilite:8080) and appropriate flags; ensure the chosen
key set (enableCaching vs enableBuildCaching/enableDependencyCaching)
consistently matches the operator version you intend to deploy.

---

Nitpick comments:
In `@charts/theia-internal-tls/templates/internal-ca.yml`:
- Around line 9-11: Add a clear prerequisite note to the theia-internal-tls
chart documentation stating that the Certificate in templates/internal-ca.yml
references the ClusterIssuer named theia-cloud-selfsigned-issuer and that this
ClusterIssuer must exist (provided by theia-cloud-crds) before installing
theia-internal-tls; update README.md and/or Chart.yaml to document this
dependency and mention the installer/workflow order or manual installation steps
to create theia-cloud-selfsigned-issuer beforehand.

In `@charts/theia-monitoring/templates/dashboard-cache.yaml`:
- Around line 505-521: The namespace template variable is hardcoded to "test2";
update the templating entry with name "namespace" so it uses a Prometheus
query-based variable instead of fixed options: change "type" from "custom" to
"query", set "query" to a Prometheus label_values call (e.g.
label_values(namespace)) and configure the "datasource" to the Prometheus data
source, and remove the hardcoded "options" and static "current" values so
namespaces are discovered dynamically at runtime.

In `@charts/theia-monitoring/templates/dashboard-reposilite.yaml`:
- Around line 774-790: The templating entry for the variable with "name":
"namespace" is hardcoded as type: "custom" with a single option "test2"; replace
this with a dynamic Prometheus-backed variable by changing the variable's "type"
from "custom" to "query", setting its "datasource" to your Prometheus
datasource, and replacing the "query" (currently "test2") with a Prometheus
label_values(...) query (e.g., label_values(kube_namespace_labels, namespace) or
label_values(kube_pod_info, namespace) depending on your metrics), remove the
static "options" block, and enable "includeAll" or appropriate "multi"/refresh
settings so users can select namespaces dynamically (locate the templating.list
element where "name": "namespace" to make these edits).

In `@charts/theia-monitoring/templates/servicemonitor-reposilite.yaml`:
- Around line 22-26: The namespaceSelector.matchNames block in the
ServiceMonitor template can render an empty list when
.Values.reposiliteNamespaces is empty; update the template to guard rendering by
checking if .Values.reposiliteNamespaces is defined and non-empty (e.g., with an
if or hasKey/len check) before iterating, or provide a sensible default
(single-item list or omit matchNames to use cluster-wide matching) so
namespaceSelector.matchNames does not become an empty array; modify the
templates/servicemonitor-reposilite.yaml around the namespaceSelector and the
range over .Values.reposiliteNamespaces to implement this conditional, or add
validation/default in values.yaml to ensure reposiliteNamespaces is always
populated.

In `@deployments/internal-tls-infrastructure/values.yaml`:
- Around line 2-7: The hard-coded namespaces list under the "namespaces" key in
values.yaml is prone to drift; instead update the chart/config to accept a
selector-based target (e.g., replace or augment the "namespaces" array with a
"namespaceSelector" field that supports label selectors) and modify the
trust-bundle consumer code/path to honor namespaceSelector when computing
targets, or alternatively add a CI validation step that compares the
"namespaces" array against the canonical cluster namespaces and fails the PR if
there are missing/extra entries; reference the "namespaces" key in values.yaml
and the trust-bundle consumer logic to implement either the selector support or
the CI enforcement so future environments are not missed.

In `@deployments/test2.theia-test.artemis.cit.tum.de/theia-crds-helm-values.yml`:
- Around line 4-5: The deployment is using a transient PR-specific image tag in
the conversion.image field
(ghcr.io/eduide/eduide-cloud/conversion-webhook:pr-70); change this to a stable,
persistent tag (e.g., a commit SHA or semantic version) so the image remains
available after PR closure—update the conversion.image value to reference the
chosen immutable tag (commit SHA or semver) instead of the "pr-70" branch tag.

In `@deployments/test3.theia-test.artemis.cit.tum.de/theia-crds-helm-values.yml`:
- Around line 3-4: The deployment uses a PR-specific image tag under the
conversion.image key (conversion: image:
ghcr.io/eduide/eduide-cloud/conversion-webhook:pr-70); replace the ephemeral PR
tag with a stable, long-lived identifier (e.g., a commit SHA or semver tag) so
the image remains available after PR close/merge—update the conversion.image
value to point to the chosen immutable tag and verify the CI/build produces that
tag before deploying.

In `@deployments/test3.theia-test.artemis.cit.tum.de/values.yaml`:
- Around line 72-75: The deployment uses unpinned images
(ghcr.io/eduide/eduide/java-17-no-ls:latest,
ghcr.io/eduide/eduide/rust-no-ls:latest,
ghcr.io/eduide/eduide/langserver-java:latest,
ghcr.io/eduide/eduide/langserver-rust:latest); replace each :latest with a
specific semantic version tag or an image digest (SHA) in values.yaml to ensure
reproducible deployments, and optionally expose those tags as configurable
values (e.g., image.tag or image.digest variables) so CI can inject promoted
versions during release.

In `@value-reference-files/theia-cloud-helm-values.yml`:
- Line 34: The values file currently pins the operator image to the PR build
"ghcr.io/ls1intum/theia/operator:pr-41"; update the image key to use a stable
tag (for example "latest" or a specific release version) or make it configurable
via a values variable so templates/defaults don't reference a transient PR tag —
change the value assigned to the image key (the "image" entry) accordingly or
replace it with a variable reference used by your chart.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bbd85950-d27c-43a0-8543-ed5cd335daeb

📥 Commits

Reviewing files that changed from the base of the PR and between 34d6830 and f5fd25b.

📒 Files selected for processing (22)

• .github/workflows/deploy-theia.yml
• README.md
• charts/theia-appdefinitions/templates/appdefinition.yaml
• charts/theia-certificates/templates/cache-internal-certificate.yml
• charts/theia-cloud-combined/Chart.yaml
• charts/theia-cloud-combined/values.yaml
• charts/theia-internal-tls/Chart.yaml
• charts/theia-internal-tls/templates/internal-ca.yml
• charts/theia-internal-tls/templates/trust-bundle.yml
• charts/theia-internal-tls/values.yaml
• charts/theia-monitoring/templates/dashboard-cache.yaml
• charts/theia-monitoring/templates/dashboard-reposilite.yaml
• charts/theia-monitoring/templates/servicemonitor-cache.yaml
• charts/theia-monitoring/templates/servicemonitor-reposilite.yaml
• charts/theia-monitoring/values.yaml
• deployments/internal-tls-infrastructure/values.yaml
• deployments/test2.theia-test.artemis.cit.tum.de/theia-crds-helm-values.yml
• deployments/test2.theia-test.artemis.cit.tum.de/values.yaml
• deployments/test3.theia-test.artemis.cit.tum.de/theia-crds-helm-values.yml
• deployments/test3.theia-test.artemis.cit.tum.de/values.yaml
• docs/adding-environments.md
• value-reference-files/theia-cloud-helm-values.yml

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

deployments/test2.theia-test.artemis.cit.tum.de/values.yaml (1)

18-18: Pin the shared-cache image to an immutable reference.

Line 18 uses tag: "main", which makes deployments non-reproducible and can pull unreviewed changes between releases. Use a specific version tag, commit hash, or image digest instead.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deployments/test2.theia-test.artemis.cit.tum.de/values.yaml` at line 18, The
deployment uses a mutable image reference via the YAML key `tag: "main"` which
makes releases non-reproducible; update the `tag` value for the shared-cache
image to an immutable reference (a specific version tag, a commit SHA, or an
image digest like `@sha256:...`) so the image is pinned and cannot change
between deployments.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@deployments/test2.theia-test.artemis.cit.tum.de/values.yaml`:
- Around line 42-43: The TLS hostname in buildCacheUrl (uses
theia-cloud-combined-cache-server) does not match the SANs in the certificate
referenced by secretName (cache-internal-cert-secret); either change
buildCacheUrl to use theia-cloud-combined-cache (or
theia-cloud-combined-cache.<Release>.svc.cluster.local) so it matches the
existing SANs, or add theia-cloud-combined-cache-server as an additional SAN in
the certificate template
(charts/theia-certificates/templates/cache-internal-certificate.yml) so the
certificate covers the hostname used by buildCacheUrl.

---

Nitpick comments:
In `@deployments/test2.theia-test.artemis.cit.tum.de/values.yaml`:
- Line 18: The deployment uses a mutable image reference via the YAML key `tag:
"main"` which makes releases non-reproducible; update the `tag` value for the
shared-cache image to an immutable reference (a specific version tag, a commit
SHA, or an image digest like `@sha256:...`) so the image is pinned and cannot
change between deployments.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f768a89a-14fa-405e-a840-551787f18787

📥 Commits

Reviewing files that changed from the base of the PR and between d4f6572 and e18573c.

📒 Files selected for processing (5)

• .github/workflows/deploy-theia.yml
• charts/theia-cloud-combined/values.yaml
• deployments/test2.theia-test.artemis.cit.tum.de/values.yaml
• docs/adding-environments.md
• value-reference-files/theia-cloud-helm-values.yml

✅ Files skipped from review due to trivial changes (1)

• docs/adding-environments.md

🚧 Files skipped from review as they are similar to previous changes (3)

• .github/workflows/deploy-theia.yml
• charts/theia-cloud-combined/values.yaml
• value-reference-files/theia-cloud-helm-values.yml