add secret as arguemnt to operator

[KevinGruber2001]

Summary by CodeRabbit

• New Features
  • Added the --buildCacheSecretName CLI option to specify the Kubernetes Secret name for build cache credentials.
  • Deployment now exposes BUILD_CACHE_USERNAME and BUILD_CACHE_PASSWORD populated from the configured secret (keys optional). If no secret name is provided, a safe default placeholder is used so pods remain valid.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 27dbad50-fa5e-4c0f-ae40-f5504cc114d7

📥 Commits

Reviewing files that changed from the base of the PR and between 8a73ec5 and b6589cd.

📒 Files selected for processing (1)

• java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/TheiaCloudOperatorArguments.java

🚧 Files skipped from review as they are similar to previous changes (1)

• java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/TheiaCloudOperatorArguments.java

---

📝 Walkthrough

Walkthrough

Adds a new CLI option to specify a build-cache secret name, threads that value into deployment template replacements, and injects two secret-backed environment variables (username/password) into the container spec.

Changes

Cohort / File(s)	Summary
CLI Argument Configuration java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/TheiaCloudOperatorArguments.java	Added buildCacheSecretName field and public getter (getBuildCacheSecretName()), wired to CLI --buildCacheSecretName. Included the field in hashCode(), equals(), and toString(). Minor formatting/comment adjustments.
Deployment Template Processing java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/replacements/DefaultDeploymentTemplateReplacements.java	Added PLACEHOLDER_BUILD_CACHE_SECRET_NAME constant. When build cache is enabled and URL present, computes/uses the provided secret name (trimmed) or falls back to theia-cloud-no-cache-secret, and injects it into environment variable placeholders; when disabled, sets the placeholder to the no-cache fallback.
Kubernetes Manifest Template java/operator/org.eclipse.theia.cloud.operator/src/main/resources/templateDeployment.yaml	Added BUILD_CACHE_USERNAME and BUILD_CACHE_PASSWORD env vars sourced from secret placeholder-build-cache-secret-name via valueFrom.secretKeyRef (keys username/password), each marked optional: true so missing keys don't fail pod creation.

Sequence Diagram(s)

sequenceDiagram
  participant User/CLI as User/CLI
  participant Operator as Operator
  participant Replacer as TemplateReplacements
  participant K8sAPI as Kubernetes API
  participant Pod as Pod/Container

  User/CLI->>Operator: start with --buildCacheSecretName=<name>
  Operator->>Replacer: provide arguments (including buildCacheSecretName)
  Replacer->>Replacer: compute secret name or fallback
  Replacer->>K8sAPI: apply Deployment (template with secret-based env refs)
  K8sAPI->>Pod: create Pod referencing secret (secretKeyRef)
  Pod->>K8sAPI: attempt to read secret keys (username/password) (optional)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Add feature flag to enable shared cache #39: Modifies the same argument class, template replacements, and deployment template to extend build-cache credential handling.

Suggested reviewers

• lukaskratzel

Poem

🐰 A secret tucked beneath the cloud's green seam,
CLI whispers its name into the operator's dream,
Env keys peek out from the secret's gentle seam,
Builds hop along faster than they seem—
A rabbit cheers for cached compilation gleam! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 23.08% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'add secret as arguemnt to operator' contains a typo ('arguemnt' instead of 'argument') and is vague about the specific mechanism; however, it does accurately describe the main change of adding a secret-related argument to the operator.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/add-secret-name-to-operator

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/replacements/DefaultDeploymentTemplateReplacements.java (1)

172-182: Consider logging when build caching is enabled without credentials.

When enableBuildCaching is true but buildCacheSecretName is not provided, the code silently falls back to a dummy secret name. While this works correctly (the optional: true in the template ensures no failures), operators might want visibility into whether their cache is configured with or without authentication.

This is a suggestion for improved observability, not a blocking issue.

💡 Optional: Add debug/info logging for configuration visibility

+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;

 public class DefaultDeploymentTemplateReplacements implements DeploymentTemplateReplacements {
+    private static final Logger LOGGER = LogManager.getLogger(DefaultDeploymentTemplateReplacements.class);
     // ... existing code ...

             String secretName = (arguments.getBuildCacheSecretName() != null
                     && !arguments.getBuildCacheSecretName().trim().isEmpty())
                             ? arguments.getBuildCacheSecretName().trim()
                             : "theia-cloud-no-cache-secret";
+            if ("theia-cloud-no-cache-secret".equals(secretName)) {
+                LOGGER.debug("Build caching enabled without authentication credentials");
+            }
             environmentVariables.put(PLACEHOLDER_BUILD_CACHE_SECRET_NAME, secretName);

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/replacements/DefaultDeploymentTemplateReplacements.java`
around lines 172 - 182, Add an informational/debug log in
DefaultDeploymentTemplateReplacements where enableBuildCaching is true but
arguments.getBuildCacheSecretName() is null/blank: detect the fallback path that
assigns "theia-cloud-no-cache-secret" (the branch that sets
PLACEHOLDER_BUILD_CACHE_SECRET_NAME) and log a clear message (via the class
logger) indicating build caching is enabled but no credentials/secret name were
provided and the dummy secret will be used; keep the log at info/debug level and
include the pod/deployment identifying info if available to aid operators.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/TheiaCloudOperatorArguments.java`:
- Around line 502-503: In TheiaCloudOperatorArguments.equals() the field
buildCacheSecretName is compared using reference inequality
(buildCacheSecretName != other.buildCacheSecretName) instead of a null-safe
value comparison; update the comparison to use the same null-safe pattern used
for other String fields (e.g., Objects.equals(buildCacheSecretName,
other.buildCacheSecretName) or the existing (buildCacheSecretName != null ?
!buildCacheSecretName.equals(other.buildCacheSecretName) :
other.buildCacheSecretName != null) style) so equals() correctly compares string
contents.

---

Nitpick comments:
In
`@java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/replacements/DefaultDeploymentTemplateReplacements.java`:
- Around line 172-182: Add an informational/debug log in
DefaultDeploymentTemplateReplacements where enableBuildCaching is true but
arguments.getBuildCacheSecretName() is null/blank: detect the fallback path that
assigns "theia-cloud-no-cache-secret" (the branch that sets
PLACEHOLDER_BUILD_CACHE_SECRET_NAME) and log a clear message (via the class
logger) indicating build caching is enabled but no credentials/secret name were
provided and the dummy secret will be used; keep the log at info/debug level and
include the pod/deployment identifying info if available to aid operators.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 34e4fff2-1d97-431b-be9c-0b5693f753d5

📥 Commits

Reviewing files that changed from the base of the PR and between e431a13 and 8a73ec5.

📒 Files selected for processing (3)

• java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/TheiaCloudOperatorArguments.java
• java/operator/org.eclipse.theia.cloud.operator/src/main/java/org/eclipse/theia/cloud/operator/replacements/DefaultDeploymentTemplateReplacements.java
• java/operator/org.eclipse.theia.cloud.operator/src/main/resources/templateDeployment.yaml