EduIDE · KevinGruber2001 · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025 · Nov 18, 2025
diff --git a/.github/workflows/deploy-theia.yml b/.github/workflows/deploy-theia.yml
@@ -261,6 +261,15 @@ jobs:
           # This is installed once per cluster, not per environment
           helm upgrade theia-monitoring ./charts/theia-monitoring --install -n default
 
+      - name: Install internal TLS infrastructure
+        env:
+          KUBECONFIG: ${{ github.workspace }}/kubeconfig
+        run: |
+
+          # Install cluster-scoped internal CA and trust bundle (once per cluster)
+          # Distributes the trust bundle ConfigMap to all namespaces
+          helm upgrade --install theia-internal-tls ./charts/theia-internal-tls -n cert-manager
+
       # Step 5: Install shared Gateway (optional, cluster-level)
       - name: Install Shared Gateway (optional)
         if: inputs.deploy_shared_gateway && inputs.shared_gateway_values_file != ''

diff --git a/README.md b/README.md
@@ -29,8 +29,9 @@ This repository serves as the infrastructure-as-code for deploying and managing
 ├── charts/                 # Custom Helm charts
 │   ├── theia-cloud-combined/    # Combined chart with all components
 │   ├── theia-shared-gateway/    # Shared Gateway API entrypoint
+│   ├── theia-internal-tls/      # Cluster-scoped internal CA + trust bundle
 │   ├── theia-appdefinitions/    # Custom IDE environments (images/configs)
-│   ├── theia-certificates/      # SSL certificate management
+│   ├── theia-certificates/      # SSL certificate management (per-namespace)
 │   └── theia-metrics/           # Prometheus/Grafana dashboards
 │
 ├── value-reference-files/  # Reference Helm values for different setups
@@ -147,7 +148,16 @@ Configuration files for each environment are located in the [deployments/](deplo
    For the dedicated production cluster, use:
    `deployments/shared-gateway-prod/values.yaml`.
 
-4. **Install the combined Theia Cloud chart**:
+4. **Install the internal TLS infrastructure (once per cluster)**:
+   ```bash
+   helm upgrade --install theia-internal-tls ./charts/theia-internal-tls \
+     --namespace cert-manager
+   ```
+   This deploys the cluster-scoped internal CA and trust bundle used for TLS
+   between internal services (e.g., shared cache and workspaces). The trust
+   bundle ConfigMap is automatically distributed to all namespaces.
+
+5. **Install the combined Theia Cloud chart**:
    ```bash
    helm registry login ghcr.io
    helm upgrade --install theia-cloud-combined ./charts/theia-cloud-combined \

diff --git a/charts/theia-certificates/templates/cache-internal-certificate.yml b/charts/theia-certificates/templates/cache-internal-certificate.yml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: cache-internal-cert
+spec:
+  secretName: cache-internal-cert-secret
+  issuerRef:
+    name: theia-internal-ca-issuer
+    kind: ClusterIssuer
+  commonName: "theia-shared-cache"
+  dnsNames:
+    - theia-cloud-combined-cache
+    - theia-cloud-combined-cache.{{ .Release.Namespace }}.svc.cluster.local
+  privateKey:
+    rotationPolicy: Never
diff --git a/charts/theia-cloud-combined/Chart.yaml b/charts/theia-cloud-combined/Chart.yaml
@@ -21,6 +21,6 @@ dependencies:
     version: 0.1.0
     repository: "oci://ghcr.io/eduide/charts"
 
-  - name: theia-shared-cache
-    version: "0.3.1"
+  - name: eduide-shared-cache
+    version: 0.5.0
     repository: "oci://ghcr.io/eduide/charts"
diff --git a/charts/theia-cloud-combined/values.yaml b/charts/theia-cloud-combined/values.yaml
@@ -6,6 +6,9 @@ hosts:
     landing: theia
     instance: instance.theia
 
+theia-shared-cache:
+  enabled: false
+
 theia-certificates:
   hosts:
     configuration: *hostsConfig
@@ -49,6 +52,11 @@ theia-cloud:
     sessionsPerUser: 10
     storageClassName: csi-rbd-sc
     eagerStart: true
+    enableBuildCaching: false
+    buildCacheUrl: ""
+    enableBuildCachePush: false
+    enableDependencyCaching: false
+    dependencyCacheUrl: ""
 
   service:
     image: ghcr.io/eduide/eduide-cloud/service:latest

diff --git a/charts/theia-internal-tls/Chart.yaml b/charts/theia-internal-tls/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: theia-internal-tls
+description: Cluster-scoped trust infrastructure for internal tls (internal CA + trust bundle)
+version: 0.1.0
+appVersion: 1.0.0
diff --git a/charts/theia-internal-tls/templates/internal-ca.yml b/charts/theia-internal-tls/templates/internal-ca.yml
@@ -0,0 +1,24 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: theia-internal-ca
+spec:
+  isCA: true
+  commonName: theia-internal-ca
+  secretName: theia-internal-ca-secret
+  issuerRef:
+    name: theia-cloud-selfsigned-issuer
+    kind: ClusterIssuer
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  duration: 87600h    # 10 years
+  renewBefore: 8760h  # renew 1 year before expiry
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: theia-internal-ca-issuer
+spec:
+  ca:
+    secretName: theia-internal-ca-secret
diff --git a/charts/theia-internal-tls/templates/trust-bundle.yml b/charts/theia-internal-tls/templates/trust-bundle.yml
@@ -0,0 +1,24 @@
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: theia-internal-trust
+spec:
+  sources:
+    # Include the default public CAs (Let's Encrypt, etc.)
+    - useDefaultCAs: true
+
+    # Internal CA certificate from cert-manager
+    - secret:
+        name: "theia-internal-ca-secret"
+        key: "ca.crt"
+
+  target:
+    # trust-manager creates a ConfigMap with this name in target namespaces
+    configMap:
+      key: "trust-bundle.pem"
+
+    # Also generate a JKS truststore (Java KeyStore)
+    # This is what Java/Gradle will use directly
+    additionalFormats:
+      jks:
+        key: "truststore.jks"