From 7cb6ac883ca878bb416e3c2af7974c722c1d55e2 Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 13:33:22 +0100 Subject: [PATCH 1/9] Fix registry references --- .../templates/appdefinition.yaml | 2 +- charts/theia-appdefinitions/values.yaml | 12 ++++---- charts/theia-cloud-combined/values.yaml | 26 ++++++++--------- .../values.yaml | 20 ++++++------- .../values.yaml | 20 ++++++------- .../values.yaml | 28 +++++++++---------- .../values.yaml | 20 ++++++------- .../theia.artemis.cit.tum.de/values.yaml | 20 ++++++------- .../theia-cloud-helm-values.yml | 16 +++++------ .../tum-theia-cloud-helm-test-values.yaml | 20 ++++++------- 10 files changed, 92 insertions(+), 92 deletions(-) diff --git a/charts/theia-appdefinitions/templates/appdefinition.yaml b/charts/theia-appdefinitions/templates/appdefinition.yaml index 0676b9a..525dfb4 100644 --- a/charts/theia-appdefinitions/templates/appdefinition.yaml +++ b/charts/theia-appdefinitions/templates/appdefinition.yaml @@ -8,7 +8,7 @@ metadata: helm.sh/revision: {{ $.Release.Revision | quote }} spec: name: {{ .name }} - image: {{ .image | default "ghcr.io/ls1intum/theia/default" }}:{{ .imageTag | default $.Values.defaultImageTag | default "latest" }} + image: {{ .image | default "ghcr.io/eduide/eduide/default" }}:{{ .imageTag | default $.Values.defaultImageTag | default "latest" }} uid: {{ .uid | default 101 }} port: {{ .port | default 3000 }} ingressname: {{ .ingressname | default "theia-cloud-demo-ws-route" }} diff --git a/charts/theia-appdefinitions/values.yaml b/charts/theia-appdefinitions/values.yaml index e6ddcfb..a342dec 100644 --- a/charts/theia-appdefinitions/values.yaml +++ b/charts/theia-appdefinitions/values.yaml @@ -5,7 +5,7 @@ defaultImageTag: latest apps: - name: java-17-latest - image: ghcr.io/ls1intum/theia/java-17 + image: ghcr.io/eduide/eduide/java-17 # imageTag: latest # Optional: override defaultImageTag for this app requestsMemory: 2000M requestsCpu: 500m @@ -17,7 +17,7 @@ apps: dataBridgePort: "16281" - name: c-latest - image: ghcr.io/ls1intum/theia/c + image: ghcr.io/eduide/eduide/c # imageTag: latest # Optional: override defaultImageTag for this app requestsMemory: 100M requestsCpu: 200m @@ -29,7 +29,7 @@ apps: dataBridgePort: "16281" - name: javascript-latest - image: ghcr.io/ls1intum/theia/javascript + image: ghcr.io/eduide/eduide/javascript # imageTag: latest # Optional: override defaultImageTag for this app requestsMemory: 100M requestsCpu: 200m @@ -41,7 +41,7 @@ apps: dataBridgePort: "16281" - name: ocaml-latest - image: ghcr.io/ls1intum/theia/ocaml + image: ghcr.io/eduide/eduide/ocaml # imageTag: latest # Optional: override defaultImageTag for this app requestsMemory: 100M requestsCpu: 200m @@ -53,7 +53,7 @@ apps: dataBridgePort: "16281" - name: python-latest - image: ghcr.io/ls1intum/theia/python + image: ghcr.io/eduide/eduide/python # imageTag: latest # Optional: override defaultImageTag for this app requestsMemory: 100M requestsCpu: 200m @@ -65,7 +65,7 @@ apps: dataBridgePort: "16281" - name: rust-latest - image: ghcr.io/ls1intum/theia/rust + image: ghcr.io/eduide/eduide/rust # imageTag: latest # Optional: override defaultImageTag for this app requestsMemory: 100M requestsCpu: 200m diff --git a/charts/theia-cloud-combined/values.yaml b/charts/theia-cloud-combined/values.yaml index 32febb8..f245724 100644 --- a/charts/theia-cloud-combined/values.yaml +++ b/charts/theia-cloud-combined/values.yaml @@ -41,26 +41,26 @@ theia-cloud: interval: 3 operator: - image: ghcr.io/ls1intum/theia/operator:latest + image: ghcr.io/eduide/eduide/operator:latest replicas: 1 sessionsPerUser: 10 storageClassName: csi-rbd-sc eagerStart: true service: - image: ghcr.io/ls1intum/theia/service:latest + image: ghcr.io/eduide/eduide/service:latest # Public token (must match app.id or be set explicitly) authToken: nJV3nKZmpxTD4wu2 preloading: images: - - ghcr.io/ls1intum/theia/landing-page:latest - - ghcr.io/ls1intum/theia/java-17:latest - - ghcr.io/ls1intum/theia/c:latest - - ghcr.io/ls1intum/theia/javascript:latest - - ghcr.io/ls1intum/theia/ocaml:latest - - ghcr.io/ls1intum/theia/rust:latest - - ghcr.io/ls1intum/theia/python:latest + - ghcr.io/eduide/eduide/landing-page:latest + - ghcr.io/eduide/eduide/java-17:latest + - ghcr.io/eduide/eduide/c:latest + - ghcr.io/eduide/eduide/javascript:latest + - ghcr.io/eduide/eduide/ocaml:latest + - ghcr.io/eduide/eduide/rust:latest + - ghcr.io/eduide/eduide/python:latest imagePullPolicy: Always @@ -70,7 +70,7 @@ theia-cloud: landingPage: # We use the try now page as landing page since the default does not support mutliple apps -> https://github.com/eclipsesource/theia-cloud/discussions/301 - image: ghcr.io/ls1intum/theia/landing-page:latest + image: ghcr.io/eduide/eduide/landing-page:latest # We can define a default blueprint appDefinition: "java-17-latest" ephemeralStorage: false @@ -137,16 +137,16 @@ theia-appdefinitions: # Individual apps can override the tag in their definition, e.g.: # apps: # - name: java-17-v1 - # image: ghcr.io/ls1intum/theia/java-17 + # image: ghcr.io/eduide/eduide/java-17 # imageTag: v1.0.0 # - name: python-v2 - # image: ghcr.io/ls1intum/theia/python + # image: ghcr.io/eduide/eduide/python # imageTag: v2.0.0 theia-workspace-garbage-collector: replicaCount: 1 image: - repository: ghcr.io/ls1intum/theia/garbage-collector + repository: ghcr.io/eduide/eduide/garbage-collector tag: latest pullPolicy: Always diff --git a/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml index 0c43346..f0c907e 100644 --- a/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml @@ -43,24 +43,24 @@ theia-cloud: interval: 3 operator: - #image: ghcr.io/ls1intum/theia/operator:latest + #image: ghcr.io/eduide/eduide/operator:latest #eagerStart: false replicas: 1 sessionsPerUser: 1000 # Needed for load tests - not recommended for production storageClassName: csi-rbd-sc # service: - # image: ghcr.io/ls1intum/theia/service:latest + # image: ghcr.io/eduide/eduide/service:latest preloading: images: - - ghcr.io/ls1intum/theia/landing-page:latest - - ghcr.io/ls1intum/theia/java-17:latest - - ghcr.io/ls1intum/theia/c:latest - - ghcr.io/ls1intum/theia/javascript:latest - - ghcr.io/ls1intum/theia/ocaml:latest - - ghcr.io/ls1intum/theia/rust:latest - - ghcr.io/ls1intum/theia/python:latest + - ghcr.io/eduide/eduide/landing-page:latest + - ghcr.io/eduide/eduide/java-17:latest + - ghcr.io/eduide/eduide/c:latest + - ghcr.io/eduide/eduide/javascript:latest + - ghcr.io/eduide/eduide/ocaml:latest + - ghcr.io/eduide/eduide/rust:latest + - ghcr.io/eduide/eduide/python:latest imagePullPolicy: Always @@ -70,7 +70,7 @@ theia-cloud: landingPage: # We use the try now page as landing page since the default does not support mutliple apps -> https://github.com/eclipsesource/theia-cloud/discussions/301 - image: ghcr.io/ls1intum/theia/landing-page + image: ghcr.io/eduide/eduide/landing-page # We can define a default blueprint appDefinition: "java-17-latest" ephemeralStorage: true diff --git a/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml index 4ee8008..176519c 100644 --- a/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml @@ -43,24 +43,24 @@ theia-cloud: interval: 3 operator: - #image: ghcr.io/ls1intum/theia/operator:latest + #image: ghcr.io/eduide/eduide/operator:latest #eagerStart: false replicas: 1 sessionsPerUser: 10 storageClassName: csi-rbd-sc # service: - # image: ghcr.io/ls1intum/theia/service:latest + # image: ghcr.io/eduide/eduide/service:latest preloading: images: - - ghcr.io/ls1intum/theia/landing-page:latest - - ghcr.io/ls1intum/theia/java-17:latest - - ghcr.io/ls1intum/theia/c:latest - - ghcr.io/ls1intum/theia/javascript:latest - - ghcr.io/ls1intum/theia/ocaml:latest - - ghcr.io/ls1intum/theia/rust:latest - - ghcr.io/ls1intum/theia/python:latest + - ghcr.io/eduide/eduide/landing-page:latest + - ghcr.io/eduide/eduide/java-17:latest + - ghcr.io/eduide/eduide/c:latest + - ghcr.io/eduide/eduide/javascript:latest + - ghcr.io/eduide/eduide/ocaml:latest + - ghcr.io/eduide/eduide/rust:latest + - ghcr.io/eduide/eduide/python:latest imagePullPolicy: Always @@ -70,7 +70,7 @@ theia-cloud: landingPage: # We use the try now page as landing page since the default does not support multiple apps -> https://github.com/eclipsesource/theia-cloud/discussions/301 - image: ghcr.io/ls1intum/theia/landing-page + image: ghcr.io/eduide/eduide/landing-page # We can define a default blueprint appDefinition: "java-17-latest" ephemeralStorage: true diff --git a/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml index 15171f5..063095a 100644 --- a/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml @@ -43,7 +43,7 @@ theia-cloud: interval: 3 operator: - image: ghcr.io/ls1intum/theia/operator:latest + image: ghcr.io/eduide/eduide/operator:latest #eagerStart: false replicas: 1 sessionsPerUser: 10 @@ -55,19 +55,19 @@ theia-cloud: ephemeral-storage: "256Mi" # service: - # image: ghcr.io/ls1intum/theia/service:latest + # image: ghcr.io/eduide/eduide/service:latest preloading: images: - - ghcr.io/ls1intum/theia/landing-page:latest - - ghcr.io/ls1intum/theia/java-17:latest - - ghcr.io/ls1intum/theia/c:latest - - ghcr.io/ls1intum/theia/javascript:latest - - ghcr.io/ls1intum/theia/ocaml:latest - - ghcr.io/ls1intum/theia/rust:latest - - ghcr.io/ls1intum/theia/python:latest - - ghcr.io/ls1intum/theia/theia-no-ls:pr-46 - - ghcr.io/ls1intum/theia/langserver-java:pr-46 + - ghcr.io/eduide/eduide/landing-page:latest + - ghcr.io/eduide/eduide/java-17:latest + - ghcr.io/eduide/eduide/c:latest + - ghcr.io/eduide/eduide/javascript:latest + - ghcr.io/eduide/eduide/ocaml:latest + - ghcr.io/eduide/eduide/rust:latest + - ghcr.io/eduide/eduide/python:latest + - ghcr.io/eduide/eduide/theia-no-ls:pr-46 + - ghcr.io/eduide/eduide/langserver-java:pr-46 imagePullPolicy: Always @@ -77,7 +77,7 @@ theia-cloud: landingPage: # We use the try now page as landing page since the default does not support mutliple apps -> https://github.com/eclipsesource/theia-cloud/discussions/301 - image: ghcr.io/ls1intum/theia/landing-page + image: ghcr.io/eduide/eduide/landing-page # We can define a default blueprint # 1. The actual image data (Must be a Base64 encoded string) @@ -137,10 +137,10 @@ theia-cloud: theia-appdefinitions: apps: - name: java-ls-test - image: ghcr.io/ls1intum/theia/theia-no-ls + image: ghcr.io/eduide/eduide/theia-no-ls imageTag: pr-46 options: - langserver-image: ghcr.io/ls1intum/theia/langserver-java:pr-46 + langserver-image: ghcr.io/eduide/eduide/langserver-java:pr-46 monitoring: targetNamespaces: diff --git a/deployments/theia-staging.artemis.cit.tum.de/values.yaml b/deployments/theia-staging.artemis.cit.tum.de/values.yaml index db6cfac..9cb1397 100644 --- a/deployments/theia-staging.artemis.cit.tum.de/values.yaml +++ b/deployments/theia-staging.artemis.cit.tum.de/values.yaml @@ -42,24 +42,24 @@ theia-cloud: interval: 3 operator: - #image: ghcr.io/ls1intum/theia/operator:latest + #image: ghcr.io/eduide/eduide/operator:latest #eagerStart: false replicas: 1 sessionsPerUser: 10 storageClassName: csi-rbd-sc # service: - # image: ghcr.io/ls1intum/theia/service:latest + # image: ghcr.io/eduide/eduide/service:latest preloading: images: - - ghcr.io/ls1intum/theia/landing-page:latest - - ghcr.io/ls1intum/theia/java-17:latest - - ghcr.io/ls1intum/theia/c:latest - - ghcr.io/ls1intum/theia/javascript:latest - - ghcr.io/ls1intum/theia/ocaml:latest - - ghcr.io/ls1intum/theia/rust:latest - - ghcr.io/ls1intum/theia/python:latest + - ghcr.io/eduide/eduide/landing-page:latest + - ghcr.io/eduide/eduide/java-17:latest + - ghcr.io/eduide/eduide/c:latest + - ghcr.io/eduide/eduide/javascript:latest + - ghcr.io/eduide/eduide/ocaml:latest + - ghcr.io/eduide/eduide/rust:latest + - ghcr.io/eduide/eduide/python:latest imagePullPolicy: Always @@ -69,7 +69,7 @@ theia-cloud: landingPage: # We use the try now page as landing page since the default does not support mutliple apps -> https://github.com/eclipsesource/theia-cloud/discussions/301 - image: ghcr.io/ls1intum/theia/landing-page + image: ghcr.io/eduide/eduide/landing-page logoFileExtension: "png" # We can define a default blueprint appDefinition: "java-17-latest" diff --git a/deployments/theia.artemis.cit.tum.de/values.yaml b/deployments/theia.artemis.cit.tum.de/values.yaml index b633b1b..0596259 100644 --- a/deployments/theia.artemis.cit.tum.de/values.yaml +++ b/deployments/theia.artemis.cit.tum.de/values.yaml @@ -42,24 +42,24 @@ theia-cloud: interval: 3 operator: - #image: ghcr.io/ls1intum/theia/operator:latest + #image: ghcr.io/eduide/eduide/operator:latest #eagerStart: false replicas: 3 sessionsPerUser: 10 storageClassName: csi-rbd-sc # service: - # image: ghcr.io/ls1intum/theia/service:latest + # image: ghcr.io/eduide/eduide/service:latest preloading: images: - - ghcr.io/ls1intum/theia/landing-page:latest - - ghcr.io/ls1intum/theia/java-17:latest - - ghcr.io/ls1intum/theia/c:latest - - ghcr.io/ls1intum/theia/javascript:latest - - ghcr.io/ls1intum/theia/ocaml:latest - - ghcr.io/ls1intum/theia/rust:latest - - ghcr.io/ls1intum/theia/python:latest + - ghcr.io/eduide/eduide/landing-page:latest + - ghcr.io/eduide/eduide/java-17:latest + - ghcr.io/eduide/eduide/c:latest + - ghcr.io/eduide/eduide/javascript:latest + - ghcr.io/eduide/eduide/ocaml:latest + - ghcr.io/eduide/eduide/rust:latest + - ghcr.io/eduide/eduide/python:latest imagePullPolicy: Always @@ -69,7 +69,7 @@ theia-cloud: landingPage: # We use the try now page as landing page since the default does not support mutliple apps -> https://github.com/eclipsesource/theia-cloud/discussions/301 - image: ghcr.io/ls1intum/theia/landing-page + image: ghcr.io/eduide/eduide/landing-page logoFileExtension: "png" # We can define a default blueprint appDefinition: "java-17-latest" diff --git a/value-reference-files/theia-cloud-helm-values.yml b/value-reference-files/theia-cloud-helm-values.yml index 8955848..412e407 100644 --- a/value-reference-files/theia-cloud-helm-values.yml +++ b/value-reference-files/theia-cloud-helm-values.yml @@ -42,13 +42,13 @@ service: preloading: images: - - ghcr.io/ls1intum/theia/landing-page:latest - - ghcr.io/ls1intum/theia/java-17:latest - - ghcr.io/ls1intum/theia/c:latest - - ghcr.io/ls1intum/theia/javascript:latest - - ghcr.io/ls1intum/theia/ocaml:latest - - ghcr.io/ls1intum/theia/rust:latest - - ghcr.io/ls1intum/theia/python:latest + - ghcr.io/eduide/eduide/landing-page:latest + - ghcr.io/eduide/eduide/java-17:latest + - ghcr.io/eduide/eduide/c:latest + - ghcr.io/eduide/eduide/javascript:latest + - ghcr.io/eduide/eduide/ocaml:latest + - ghcr.io/eduide/eduide/rust:latest + - ghcr.io/eduide/eduide/python:latest imagePullPolicy: Always @@ -58,7 +58,7 @@ demoApplication: landingPage: # We use the try now page as landing page since the default does not support mutliple apps -> https://github.com/eclipsesource/theia-cloud/discussions/301 - image: ghcr.io/ls1intum/theia/landing-page + image: ghcr.io/eduide/eduide/landing-page # We can define a default blueprint appDefinition: "java-17-latest" ephemeralStorage: true diff --git a/value-reference-files/tum-theia-cloud-helm-test-values.yaml b/value-reference-files/tum-theia-cloud-helm-test-values.yaml index 9518709..69e5519 100644 --- a/value-reference-files/tum-theia-cloud-helm-test-values.yaml +++ b/value-reference-files/tum-theia-cloud-helm-test-values.yaml @@ -40,24 +40,24 @@ theia-cloud: interval: 3 operator: - image: ghcr.io/ls1intum/theia/operator:pr-22 + image: ghcr.io/eduide/eduide/operator:pr-22 eagerStart: false replicas: 1 sessionsPerUser: 10 storageClassName: csi-rbd-sc service: - image: ghcr.io/ls1intum/theia/service:pr-22 + image: ghcr.io/eduide/eduide/service:pr-22 preloading: images: - - ghcr.io/ls1intum/theia/landing-page:latest - - ghcr.io/ls1intum/theia/java-17:latest - - ghcr.io/ls1intum/theia/c:latest - - ghcr.io/ls1intum/theia/javascript:latest - - ghcr.io/ls1intum/theia/ocaml:latest - - ghcr.io/ls1intum/theia/rust:latest - - ghcr.io/ls1intum/theia/python:latest + - ghcr.io/eduide/eduide/landing-page:latest + - ghcr.io/eduide/eduide/java-17:latest + - ghcr.io/eduide/eduide/c:latest + - ghcr.io/eduide/eduide/javascript:latest + - ghcr.io/eduide/eduide/ocaml:latest + - ghcr.io/eduide/eduide/rust:latest + - ghcr.io/eduide/eduide/python:latest imagePullPolicy: Always @@ -67,7 +67,7 @@ theia-cloud: landingPage: # We use the try now page as landing page since the default does not support mutliple apps -> https://github.com/eclipsesource/theia-cloud/discussions/301 - image: ghcr.io/ls1intum/theia/landing-page + image: ghcr.io/eduide/eduide/landing-page # We can define a default blueprint appDefinition: "java-17-latest" ephemeralStorage: false From 73af868da0ae40cd8a36c153718dbef6ca1c1bcb Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 13:41:11 +0100 Subject: [PATCH 2/9] Hotfix --- .github/workflows/deploy-theia.yml | 45 ++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/.github/workflows/deploy-theia.yml b/.github/workflows/deploy-theia.yml index bb143d3..19fe55e 100644 --- a/.github/workflows/deploy-theia.yml +++ b/.github/workflows/deploy-theia.yml @@ -114,7 +114,15 @@ jobs: kubectl config get-contexts kubectl get nodes - # Step 3.5: Checkout upstream Helm chart branch if specified + # Step 3.5: Checkout upstream Helm charts from the source repository. + - name: Checkout Upstream Helm Main + if: inputs.helm_chart_branch == '' + uses: actions/checkout@v4 + with: + repository: EduIDE/EduIDE-Helm + ref: main + path: upstream-helm + - name: Checkout Upstream Helm Branch if: inputs.helm_chart_branch != '' uses: actions/checkout@v4 @@ -123,11 +131,14 @@ jobs: ref: ${{ inputs.helm_chart_branch }} path: upstream-helm - # Step 3.6: Patch Chart.yaml to use local upstream chart + # Step 3.6: Patch Chart.yaml to use the checked-out upstream chart - name: Patch Chart.yaml - if: inputs.helm_chart_branch != '' run: | - echo "Patching Chart.yaml to use local upstream chart from branch: ${{ inputs.helm_chart_branch }}" + if [ -n "${{ inputs.helm_chart_branch }}" ]; then + echo "Patching Chart.yaml to use local upstream chart from branch: ${{ inputs.helm_chart_branch }}" + else + echo "Patching Chart.yaml to use local upstream chart from main" + fi # Remove Chart.lock to force fresh dependency resolution rm -f ./charts/theia-cloud-combined/Chart.lock @@ -136,11 +147,8 @@ jobs: UPSTREAM_VERSION=$(grep '^version:' ./upstream-helm/charts/theia-cloud/Chart.yaml | head -1 | awk '{print $2}') echo "Detected upstream chart version: $UPSTREAM_VERSION" - # Patch the repository URL to use local file path - sed -i 's|repository: "https://eduide.github.io/EduIDE-Helm"|repository: "file://../../upstream-helm/charts/theia-cloud"|' ./charts/theia-cloud-combined/Chart.yaml - - # Patch the version to match the local chart's version exactly - sed -i "/name: theia-cloud/{n;s/version: .*/version: $UPSTREAM_VERSION/}" ./charts/theia-cloud-combined/Chart.yaml + # Patch the dependency to use the local checkout instead of the published OCI chart. + sed -i "/name: theia-cloud/{n;s|version: .*|version: $UPSTREAM_VERSION|;n;s|repository: .*|repository: \"file://../../upstream-helm/charts/theia-cloud\"|;}" ./charts/theia-cloud-combined/Chart.yaml echo "Patched Chart.yaml content:" cat ./charts/theia-cloud-combined/Chart.yaml @@ -151,18 +159,25 @@ jobs: env: KUBECONFIG: ${{ github.workspace }}/kubeconfig run: | - # Add EduIDE Theia Cloud Helm repository - helm repo add theia-cloud-repo https://eduide.github.io/EduIDE-Helm/ - helm repo update - # Update dependencies for our custom chart helm dependency update ./charts/theia-cloud-combined + - name: Install Theia Cloud base and CRDs + env: + KUBECONFIG: ${{ github.workspace }}/kubeconfig + run: | + THEIA_CLOUD_BASE_CHART=./upstream-helm/charts/theia-cloud-base + THEIA_CLOUD_CRDS_CHART=./upstream-helm/charts/theia-cloud-crds # Install base components (operator base, metrics, etc.) - helm upgrade theia-cloud-base theia-cloud-repo/theia-cloud-base --install -n default -f ${{ vars.HELM_VALUES_PATH }}/theia-base-helm-values.yml + helm upgrade theia-cloud-base "$THEIA_CLOUD_BASE_CHART" --install -n default -f ${{ vars.HELM_VALUES_PATH }}/theia-base-helm-values.yml # Install Custom Resource Definitions (CRDs) for Theia Cloud - helm upgrade theia-cloud-crds theia-cloud-repo/theia-cloud-crds --install -n default -f ${{ vars.HELM_VALUES_PATH }}/theia-crds-helm-values.yml + helm upgrade theia-cloud-crds "$THEIA_CLOUD_CRDS_CHART" --install -n default -f ${{ vars.HELM_VALUES_PATH }}/theia-crds-helm-values.yml + + - name: Install cluster-wide monitoring + env: + KUBECONFIG: ${{ github.workspace }}/kubeconfig + run: | # Install cluster-wide monitoring (PodMonitors + Grafana Dashboards) # This is installed once per cluster, not per environment From b55e091ea455f96528d9d149a4758b169d083780 Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 14:04:06 +0100 Subject: [PATCH 3/9] Fix preloading --- .github/workflows/deploy-theia.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/deploy-theia.yml b/.github/workflows/deploy-theia.yml index 19fe55e..11eedbe 100644 --- a/.github/workflows/deploy-theia.yml +++ b/.github/workflows/deploy-theia.yml @@ -224,14 +224,14 @@ jobs: --set theia-certificates.wildcardCertificate="$(cat wildcard.crt)" \ --set theia-certificates.wildcardKey="$(cat wildcard.key)" \ --set theia-cloud.keycloak.cookieSecret="${{ secrets.THEIA_KEYCLOAK_COOKIE_SECRET }}" \ - --set theia-cloud.landingPage.image="ghcr.io/ls1intum/theia/landing-page:${THEIA_CLOUD_TAG}" \ - --set theia-cloud.operator.image="ghcr.io/ls1intum/theia/operator:${THEIA_CLOUD_TAG}" \ - --set theia-cloud.service.image="ghcr.io/ls1intum/theia/service:${THEIA_CLOUD_TAG}" \ - --set "theia-cloud.preloading.images[0]=ghcr.io/ls1intum/theia/landing-page:${THEIA_CLOUD_TAG}" \ - --set "theia-cloud.preloading.images[1]=ghcr.io/ls1intum/theia/java-17:${IDE_IMAGES_TAG}" \ - --set "theia-cloud.preloading.images[2]=ghcr.io/ls1intum/theia/c:${IDE_IMAGES_TAG}" \ - --set "theia-cloud.preloading.images[3]=ghcr.io/ls1intum/theia/javascript:${IDE_IMAGES_TAG}" \ - --set "theia-cloud.preloading.images[4]=ghcr.io/ls1intum/theia/ocaml:${IDE_IMAGES_TAG}" \ - --set "theia-cloud.preloading.images[5]=ghcr.io/ls1intum/theia/rust:${IDE_IMAGES_TAG}" \ - --set "theia-cloud.preloading.images[6]=ghcr.io/ls1intum/theia/python:${IDE_IMAGES_TAG}" \ + --set theia-cloud.landingPage.image="ghcr.io/eduide/eduide/landing-page:${THEIA_CLOUD_TAG}" \ + --set theia-cloud.operator.image="ghcr.io/eduide/eduide/operator:${THEIA_CLOUD_TAG}" \ + --set theia-cloud.service.image="ghcr.io/eduide/eduide/service:${THEIA_CLOUD_TAG}" \ + --set "theia-cloud.preloading.images[0]=ghcr.io/eduide/eduide/landing-page:${THEIA_CLOUD_TAG}" \ + --set "theia-cloud.preloading.images[1]=ghcr.io/eduide/eduide/java-17:${IDE_IMAGES_TAG}" \ + --set "theia-cloud.preloading.images[2]=ghcr.io/eduide/eduide/c:${IDE_IMAGES_TAG}" \ + --set "theia-cloud.preloading.images[3]=ghcr.io/eduide/eduide/javascript:${IDE_IMAGES_TAG}" \ + --set "theia-cloud.preloading.images[4]=ghcr.io/eduide/eduide/ocaml:${IDE_IMAGES_TAG}" \ + --set "theia-cloud.preloading.images[5]=ghcr.io/eduide/eduide/rust:${IDE_IMAGES_TAG}" \ + --set "theia-cloud.preloading.images[6]=ghcr.io/eduide/eduide/python:${IDE_IMAGES_TAG}" \ --set theia-appdefinitions.defaultImageTag="${IDE_IMAGES_TAG}" From 2b0419f1a2d52592e4120ac191d49b3eb6f2f22e Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 14:12:20 +0100 Subject: [PATCH 4/9] Fixes --- .github/workflows/deploy-theia.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy-theia.yml b/.github/workflows/deploy-theia.yml index 11eedbe..8d35148 100644 --- a/.github/workflows/deploy-theia.yml +++ b/.github/workflows/deploy-theia.yml @@ -224,10 +224,10 @@ jobs: --set theia-certificates.wildcardCertificate="$(cat wildcard.crt)" \ --set theia-certificates.wildcardKey="$(cat wildcard.key)" \ --set theia-cloud.keycloak.cookieSecret="${{ secrets.THEIA_KEYCLOAK_COOKIE_SECRET }}" \ - --set theia-cloud.landingPage.image="ghcr.io/eduide/eduide/landing-page:${THEIA_CLOUD_TAG}" \ - --set theia-cloud.operator.image="ghcr.io/eduide/eduide/operator:${THEIA_CLOUD_TAG}" \ - --set theia-cloud.service.image="ghcr.io/eduide/eduide/service:${THEIA_CLOUD_TAG}" \ - --set "theia-cloud.preloading.images[0]=ghcr.io/eduide/eduide/landing-page:${THEIA_CLOUD_TAG}" \ + --set theia-cloud.landingPage.image="ghcr.io/eduide/eduide-cloud/landing-page:${THEIA_CLOUD_TAG}" \ + --set theia-cloud.operator.image="ghcr.io/eduide/eduide-cloud/operator:${THEIA_CLOUD_TAG}" \ + --set theia-cloud.service.image="ghcr.io/eduide/eduide-cloud/service:${THEIA_CLOUD_TAG}" \ + --set "theia-cloud.preloading.images[0]=ghcr.io/eduide/eduid-cloud/landing-page:${THEIA_CLOUD_TAG}" \ --set "theia-cloud.preloading.images[1]=ghcr.io/eduide/eduide/java-17:${IDE_IMAGES_TAG}" \ --set "theia-cloud.preloading.images[2]=ghcr.io/eduide/eduide/c:${IDE_IMAGES_TAG}" \ --set "theia-cloud.preloading.images[3]=ghcr.io/eduide/eduide/javascript:${IDE_IMAGES_TAG}" \ From f109d6906979d169019f8470c64f94ad1a9138fa Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 14:17:39 +0100 Subject: [PATCH 5/9] Move secrets into shared gateway and update docs --- .github/workflows/deploy-theia.yml | 6 ++- charts/theia-shared-gateway/README.md | 3 +- .../templates/certificates.yaml | 20 ++++++++ .../templates/envoyproxy.yaml | 17 +++++++ .../templates/gatewayclass.yaml | 20 ++++++++ .../templates/wildcard-secret.yaml | 11 +++++ charts/theia-shared-gateway/values.yaml | 29 +++++++++++ deployments/shared-gateway-prod/values.yaml | 49 +++++++++++++++++-- 8 files changed, 149 insertions(+), 6 deletions(-) create mode 100644 charts/theia-shared-gateway/templates/certificates.yaml create mode 100644 charts/theia-shared-gateway/templates/envoyproxy.yaml create mode 100644 charts/theia-shared-gateway/templates/gatewayclass.yaml create mode 100644 charts/theia-shared-gateway/templates/wildcard-secret.yaml diff --git a/.github/workflows/deploy-theia.yml b/.github/workflows/deploy-theia.yml index 8d35148..5844b8e 100644 --- a/.github/workflows/deploy-theia.yml +++ b/.github/workflows/deploy-theia.yml @@ -196,7 +196,9 @@ jobs: helm upgrade --install theia-shared-gateway ./charts/theia-shared-gateway \ --namespace "$SHARED_GATEWAY_NAMESPACE" \ --create-namespace \ - -f "$SHARED_GATEWAY_VALUES_FILE" + -f "$SHARED_GATEWAY_VALUES_FILE" \ + --set wildcardTLSSecret.certificate="${{ secrets.THEIA_WILDCARD_CERTIFICATE_CERT }}" \ + --set wildcardTLSSecret.key="${{ secrets.THEIA_WILDCARD_CERTIFICATE_KEY }}" # Step 6: Install the main Theia Cloud application with environment-specific configuration # This includes the operator, service, certificates, and app definitions @@ -227,7 +229,7 @@ jobs: --set theia-cloud.landingPage.image="ghcr.io/eduide/eduide-cloud/landing-page:${THEIA_CLOUD_TAG}" \ --set theia-cloud.operator.image="ghcr.io/eduide/eduide-cloud/operator:${THEIA_CLOUD_TAG}" \ --set theia-cloud.service.image="ghcr.io/eduide/eduide-cloud/service:${THEIA_CLOUD_TAG}" \ - --set "theia-cloud.preloading.images[0]=ghcr.io/eduide/eduid-cloud/landing-page:${THEIA_CLOUD_TAG}" \ + --set "theia-cloud.preloading.images[0]=ghcr.io/eduide/eduide-cloud/landing-page:${THEIA_CLOUD_TAG}" \ --set "theia-cloud.preloading.images[1]=ghcr.io/eduide/eduide/java-17:${IDE_IMAGES_TAG}" \ --set "theia-cloud.preloading.images[2]=ghcr.io/eduide/eduide/c:${IDE_IMAGES_TAG}" \ --set "theia-cloud.preloading.images[3]=ghcr.io/eduide/eduide/javascript:${IDE_IMAGES_TAG}" \ diff --git a/charts/theia-shared-gateway/README.md b/charts/theia-shared-gateway/README.md index 40b1b28..d5d5851 100644 --- a/charts/theia-shared-gateway/README.md +++ b/charts/theia-shared-gateway/README.md @@ -21,7 +21,8 @@ For production cluster values, use `deployments/shared-gateway-prod/values.yaml` ## Notes -- TLS secrets referenced by listeners must exist in `gateway.namespace`. +- The shared gateway chart should own the TLS material referenced by its listeners. +- For production, use cert-manager `Certificate` resources for concrete hosts and create the wildcard webview secret in `gateway.namespace` from the deploy-time wildcard certificate/key. - Tenant charts should set: - `theia-cloud.gateway.create=false` - `theia-cloud.gateway.routes.enabled=true` diff --git a/charts/theia-shared-gateway/templates/certificates.yaml b/charts/theia-shared-gateway/templates/certificates.yaml new file mode 100644 index 0000000..3711b4c --- /dev/null +++ b/charts/theia-shared-gateway/templates/certificates.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.managedCertificates.enabled (gt (len .Values.managedCertificates.certificates) 0) }} +{{- range $cert := .Values.managedCertificates.certificates }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ $cert.name }} + namespace: {{ default $.Values.gateway.namespace $cert.namespace }} +spec: + secretName: {{ $cert.secretName }} + commonName: {{ $cert.hostname | quote }} + dnsNames: + - {{ $cert.hostname | quote }} + issuerRef: + kind: {{ $.Values.managedCertificates.issuerRef.kind }} + name: {{ $.Values.managedCertificates.issuerRef.name }} + privateKey: + rotationPolicy: Never +{{- end }} +{{- end }} diff --git a/charts/theia-shared-gateway/templates/envoyproxy.yaml b/charts/theia-shared-gateway/templates/envoyproxy.yaml new file mode 100644 index 0000000..8671814 --- /dev/null +++ b/charts/theia-shared-gateway/templates/envoyproxy.yaml @@ -0,0 +1,17 @@ +{{- if .Values.envoyProxy.create }} +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: {{ .Values.envoyProxy.name }} + namespace: {{ .Values.envoyProxy.namespace }} + {{- with .Values.envoyProxy.labels }} + labels: +{{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.envoyProxy.annotations }} + annotations: +{{ toYaml . | nindent 4 }} + {{- end }} +spec: +{{ toYaml .Values.envoyProxy.spec | nindent 2 }} +{{- end }} diff --git a/charts/theia-shared-gateway/templates/gatewayclass.yaml b/charts/theia-shared-gateway/templates/gatewayclass.yaml new file mode 100644 index 0000000..d183ffb --- /dev/null +++ b/charts/theia-shared-gateway/templates/gatewayclass.yaml @@ -0,0 +1,20 @@ +{{- if .Values.gatewayClass.create }} +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: {{ .Values.gateway.className }} + {{- with .Values.gatewayClass.labels }} + labels: +{{ toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.gatewayClass.annotations }} + annotations: +{{ toYaml . | nindent 4 }} + {{- end }} +spec: + controllerName: {{ .Values.gatewayClass.controllerName }} + {{- with .Values.gatewayClass.parametersRef }} + parametersRef: +{{ toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/theia-shared-gateway/templates/wildcard-secret.yaml b/charts/theia-shared-gateway/templates/wildcard-secret.yaml new file mode 100644 index 0000000..ecea5e7 --- /dev/null +++ b/charts/theia-shared-gateway/templates/wildcard-secret.yaml @@ -0,0 +1,11 @@ +{{- if .Values.wildcardTLSSecret.create }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ .Values.wildcardTLSSecret.name }} + namespace: {{ .Values.wildcardTLSSecret.namespace }} +data: + tls.crt: {{ .Values.wildcardTLSSecret.certificate | quote }} + tls.key: {{ .Values.wildcardTLSSecret.key | quote }} +{{- end }} diff --git a/charts/theia-shared-gateway/values.yaml b/charts/theia-shared-gateway/values.yaml index 5a83455..1da3c3c 100644 --- a/charts/theia-shared-gateway/values.yaml +++ b/charts/theia-shared-gateway/values.yaml @@ -19,3 +19,32 @@ gateway: # - hostname # - tlsSecretName listeners: [] + +gatewayClass: + create: false + controllerName: gateway.envoyproxy.io/gatewayclass-controller + labels: {} + annotations: {} + parametersRef: {} + +envoyProxy: + create: false + name: theia-shared-gateway + namespace: envoy-gateway-system + labels: {} + annotations: {} + spec: {} + +managedCertificates: + enabled: false + issuerRef: + kind: ClusterIssuer + name: letsencrypt-prod + certificates: [] + +wildcardTLSSecret: + create: false + name: static-theia-cert + namespace: gateway-system + certificate: "" + key: "" diff --git a/deployments/shared-gateway-prod/values.yaml b/deployments/shared-gateway-prod/values.yaml index 435edbe..17cc8a0 100644 --- a/deployments/shared-gateway-prod/values.yaml +++ b/deployments/shared-gateway-prod/values.yaml @@ -10,13 +10,56 @@ gateway: listeners: - name: prod-landing hostname: theia.artemis.cit.tum.de - tlsSecretName: shared-theia-cert + tlsSecretName: landing-page-cert-secret - name: prod-service hostname: service.theia.artemis.cit.tum.de - tlsSecretName: shared-theia-cert + tlsSecretName: service-cert-secret - name: prod-instances hostname: instance.theia.artemis.cit.tum.de - tlsSecretName: shared-theia-cert + tlsSecretName: ws-cert-secret - name: prod-webview hostname: "*.webview.instance.theia.artemis.cit.tum.de" tlsSecretName: static-theia-cert + +gatewayClass: + create: true + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: theia-shared-gateway + namespace: envoy-gateway-system + +envoyProxy: + create: true + name: theia-shared-gateway + namespace: envoy-gateway-system + spec: + provider: + type: Kubernetes + kubernetes: + envoyService: + annotations: + metallb.io/address-pool: ingress + metallb.io/loadBalancerIPs: 131.159.88.82 + +managedCertificates: + enabled: true + issuerRef: + kind: ClusterIssuer + name: letsencrypt-prod + certificates: + - name: landing-page-cert + secretName: landing-page-cert-secret + hostname: theia.artemis.cit.tum.de + - name: service-cert + secretName: service-cert-secret + hostname: service.theia.artemis.cit.tum.de + - name: instance-cert + secretName: ws-cert-secret + hostname: instance.theia.artemis.cit.tum.de + +wildcardTLSSecret: + create: true + name: static-theia-cert + namespace: gateway-system From af82c850f9a46fc9a088308d67ec1f2b0270d4c8 Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 14:50:25 +0100 Subject: [PATCH 6/9] Switch to oci based publishing of helm charts --- .github/workflows/deploy-pr.yml | 10 +-- .github/workflows/deploy-theia.yml | 100 ++++++++++++++----------- README.md | 12 ++- charts/theia-cloud-combined/Chart.yaml | 2 +- docs/adding-environments.md | 2 +- 5 files changed, 71 insertions(+), 55 deletions(-) diff --git a/.github/workflows/deploy-pr.yml b/.github/workflows/deploy-pr.yml index b33e27e..07de104 100644 --- a/.github/workflows/deploy-pr.yml +++ b/.github/workflows/deploy-pr.yml @@ -31,8 +31,8 @@ on: description: 'IDE images tag (appdefinitions and preloading)' required: false default: 'latest' - helm_chart_branch: - description: 'Branch of theia-cloud-helm to use (leave empty for default)' + helm_chart_tag: + description: 'Preview OCI tag from theia-cloud-helm to use (for example pr-123)' required: false default: '' @@ -49,7 +49,7 @@ jobs: environment: test1 theia_cloud_tag: ${{ inputs.theia_cloud_tag || 'latest' }} ide_images_tag: ${{ inputs.ide_images_tag || 'latest' }} - helm_chart_branch: ${{ inputs.helm_chart_branch || '' }} + helm_chart_tag: ${{ inputs.helm_chart_tag || '' }} deploy_shared_gateway: false shared_gateway_values_file: deployments/shared-gateway/values.yaml shared_gateway_namespace: gateway-system @@ -67,7 +67,7 @@ jobs: environment: test2 theia_cloud_tag: ${{ inputs.theia_cloud_tag || 'latest' }} ide_images_tag: ${{ inputs.ide_images_tag || 'latest' }} - helm_chart_branch: ${{ inputs.helm_chart_branch || '' }} + helm_chart_tag: ${{ inputs.helm_chart_tag || '' }} deploy_shared_gateway: false shared_gateway_values_file: deployments/shared-gateway/values.yaml shared_gateway_namespace: gateway-system @@ -85,7 +85,7 @@ jobs: environment: test3 theia_cloud_tag: ${{ inputs.theia_cloud_tag || 'latest' }} ide_images_tag: ${{ inputs.ide_images_tag || 'latest' }} - helm_chart_branch: ${{ inputs.helm_chart_branch || '' }} + helm_chart_tag: ${{ inputs.helm_chart_tag || '' }} deploy_shared_gateway: false shared_gateway_values_file: deployments/shared-gateway/values.yaml shared_gateway_namespace: gateway-system diff --git a/.github/workflows/deploy-theia.yml b/.github/workflows/deploy-theia.yml index 5844b8e..9cadfc8 100644 --- a/.github/workflows/deploy-theia.yml +++ b/.github/workflows/deploy-theia.yml @@ -54,8 +54,8 @@ on: required: false type: string default: "latest" - helm_chart_branch: - description: "Branch of theia-cloud-helm to use (leave empty for main/published)" + helm_chart_tag: + description: "Published OCI preview tag to use for upstream helm charts (e.g. pr-123)" required: false type: string default: "" @@ -80,6 +80,7 @@ jobs: name: Install Theia Cloud Helm Chart permissions: contents: read + packages: read runs-on: ubuntu-latest # Link to GitHub Environment for secrets and protection rules environment: ${{ inputs.environment }} @@ -114,45 +115,37 @@ jobs: kubectl config get-contexts kubectl get nodes - # Step 3.5: Checkout upstream Helm charts from the source repository. - - name: Checkout Upstream Helm Main - if: inputs.helm_chart_branch == '' - uses: actions/checkout@v4 - with: - repository: EduIDE/EduIDE-Helm - ref: main - path: upstream-helm - - - name: Checkout Upstream Helm Branch - if: inputs.helm_chart_branch != '' - uses: actions/checkout@v4 - with: - repository: EduIDE/EduIDE-Helm - ref: ${{ inputs.helm_chart_branch }} - path: upstream-helm - - # Step 3.6: Patch Chart.yaml to use the checked-out upstream chart - - name: Patch Chart.yaml + - name: Patch Chart.yaml for OCI preview tag + if: inputs.helm_chart_tag != '' run: | - if [ -n "${{ inputs.helm_chart_branch }}" ]; then - echo "Patching Chart.yaml to use local upstream chart from branch: ${{ inputs.helm_chart_branch }}" - else - echo "Patching Chart.yaml to use local upstream chart from main" - fi - - # Remove Chart.lock to force fresh dependency resolution - rm -f ./charts/theia-cloud-combined/Chart.lock - - # Get the version from the local upstream chart - UPSTREAM_VERSION=$(grep '^version:' ./upstream-helm/charts/theia-cloud/Chart.yaml | head -1 | awk '{print $2}') - echo "Detected upstream chart version: $UPSTREAM_VERSION" - - # Patch the dependency to use the local checkout instead of the published OCI chart. - sed -i "/name: theia-cloud/{n;s|version: .*|version: $UPSTREAM_VERSION|;n;s|repository: .*|repository: \"file://../../upstream-helm/charts/theia-cloud\"|;}" ./charts/theia-cloud-combined/Chart.yaml - - echo "Patched Chart.yaml content:" + set -euo pipefail + + get_theia_cloud_version() { + awk ' + $1 == "-" && $2 == "name:" && $3 == "theia-cloud" { in_dep=1; next } + in_dep && $1 == "version:" { print $2; exit } + ' ./charts/theia-cloud-combined/Chart.yaml + } + + normalize_preview_version() { + local base="$1" + local tag="$2" + printf '%s.%s' "$base" "$tag" + } + + THEIA_CLOUD_VERSION="$(get_theia_cloud_version)" + PREVIEW_VERSION="$(normalize_preview_version "$THEIA_CLOUD_VERSION" "${{ inputs.helm_chart_tag }}")" + sed -i "/name: theia-cloud/{n;s|version: .*|version: ${PREVIEW_VERSION}|;}" ./charts/theia-cloud-combined/Chart.yaml + + echo "Using OCI preview version: ${PREVIEW_VERSION}" cat ./charts/theia-cloud-combined/Chart.yaml + - name: Login to GHCR + env: + GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "$GHCR_TOKEN" | helm registry login ghcr.io -u "${{ github.actor }}" --password-stdin + # Step 4: Install Theia Cloud base components, CRDs, and cluster-wide monitoring # These are prerequisites from the upstream Theia Cloud Helm repository - name: Setup Helm dependencies @@ -165,14 +158,29 @@ jobs: env: KUBECONFIG: ${{ github.workspace }}/kubeconfig run: | - THEIA_CLOUD_BASE_CHART=./upstream-helm/charts/theia-cloud-base - THEIA_CLOUD_CRDS_CHART=./upstream-helm/charts/theia-cloud-crds + set -euo pipefail + + THEIA_CLOUD_BASE_VERSION="1.4.0-next.0" + THEIA_CLOUD_CRDS_VERSION="1.2.0-next.0" + + if [ -n "${{ inputs.helm_chart_tag }}" ]; then + normalize_preview_version() { + local base="$1" + local tag="$2" + printf '%s.%s' "$base" "$tag" + } + + THEIA_CLOUD_BASE_VERSION="$(normalize_preview_version "$THEIA_CLOUD_BASE_VERSION" "${{ inputs.helm_chart_tag }}")" + THEIA_CLOUD_CRDS_VERSION="$(normalize_preview_version "$THEIA_CLOUD_CRDS_VERSION" "${{ inputs.helm_chart_tag }}")" + fi + THEIA_CLOUD_BASE_CHART=oci://ghcr.io/eduide/charts/theia-cloud-base + THEIA_CLOUD_CRDS_CHART=oci://ghcr.io/eduide/charts/theia-cloud-crds # Install base components (operator base, metrics, etc.) - helm upgrade theia-cloud-base "$THEIA_CLOUD_BASE_CHART" --install -n default -f ${{ vars.HELM_VALUES_PATH }}/theia-base-helm-values.yml + helm upgrade theia-cloud-base "$THEIA_CLOUD_BASE_CHART" --version "$THEIA_CLOUD_BASE_VERSION" --install -n default -f ${{ vars.HELM_VALUES_PATH }}/theia-base-helm-values.yml # Install Custom Resource Definitions (CRDs) for Theia Cloud - helm upgrade theia-cloud-crds "$THEIA_CLOUD_CRDS_CHART" --install -n default -f ${{ vars.HELM_VALUES_PATH }}/theia-crds-helm-values.yml + helm upgrade theia-cloud-crds "$THEIA_CLOUD_CRDS_CHART" --version "$THEIA_CLOUD_CRDS_VERSION" --install -n default -f ${{ vars.HELM_VALUES_PATH }}/theia-crds-helm-values.yml - name: Install cluster-wide monitoring env: @@ -191,14 +199,18 @@ jobs: SHARED_GATEWAY_VALUES_FILE: ${{ inputs.shared_gateway_values_file }} SHARED_GATEWAY_NAMESPACE: ${{ inputs.shared_gateway_namespace }} run: | + set -euo pipefail + SHARED_GATEWAY_NAMESPACE="${SHARED_GATEWAY_NAMESPACE:-gateway-system}" + echo "${{ secrets.THEIA_WILDCARD_CERTIFICATE_CERT }}" | base64 -w 0 > shared-gateway-wildcard.crt + echo "${{ secrets.THEIA_WILDCARD_CERTIFICATE_KEY }}" | base64 -w 0 > shared-gateway-wildcard.key helm upgrade --install theia-shared-gateway ./charts/theia-shared-gateway \ --namespace "$SHARED_GATEWAY_NAMESPACE" \ --create-namespace \ -f "$SHARED_GATEWAY_VALUES_FILE" \ - --set wildcardTLSSecret.certificate="${{ secrets.THEIA_WILDCARD_CERTIFICATE_CERT }}" \ - --set wildcardTLSSecret.key="${{ secrets.THEIA_WILDCARD_CERTIFICATE_KEY }}" + --set wildcardTLSSecret.certificate="$(cat shared-gateway-wildcard.crt)" \ + --set wildcardTLSSecret.key="$(cat shared-gateway-wildcard.key)" # Step 6: Install the main Theia Cloud application with environment-specific configuration # This includes the operator, service, certificates, and app definitions diff --git a/README.md b/README.md index 5fac8fb..421e458 100644 --- a/README.md +++ b/README.md @@ -129,13 +129,12 @@ Configuration files for each environment are located in the [deployments/](deplo 2. **Install Theia Cloud base charts**: ```bash - helm repo add theia-cloud-repo https://eclipse-theia.github.io/theia-cloud-helm/ - helm repo update + helm registry login ghcr.io - helm upgrade theia-cloud-base theia-cloud-repo/theia-cloud-base --install \ + helm upgrade theia-cloud-base oci://ghcr.io/eduide/charts/theia-cloud-base --version 1.2.0-next.0 --install \ -f deployments/your-environment/theia-base-helm-values.yml - helm upgrade theia-cloud-crds theia-cloud-repo/theia-cloud-crds --install \ + helm upgrade theia-cloud-crds oci://ghcr.io/eduide/charts/theia-cloud-crds --version 1.2.0-next.0 --install \ -f deployments/your-environment/theia-crds-helm-values.yml ``` @@ -150,11 +149,16 @@ Configuration files for each environment are located in the [deployments/](deplo 4. **Install the combined Theia Cloud chart**: ```bash + helm registry login ghcr.io helm upgrade --install theia-cloud-combined ./charts/theia-cloud-combined \ --namespace your-namespace --create-namespace \ -f deployments/your-environment/values.yaml ``` +Normal deployments consume released OCI charts from `ghcr.io/eduide/charts`. +The `theia-cloud` dependency version in [charts/theia-cloud-combined/Chart.yaml](/Users/lukaskratzel/Uni/bachelor/theia-deployment/charts/theia-cloud-combined/Chart.yaml) controls the main application chart, while `theia-cloud-base` and `theia-cloud-crds` are pinned separately in the workflow at `1.2.0-next.0`. +For PR previews, you can set `helm_chart_tag` to a value like `pr-123` to pull preview OCI charts published from `theia-cloud-helm` pull requests as versions such as `.pr-123`. + When using GitHub Actions, shared-gateway settings are passed as hardcoded inputs by the caller workflows (`deploy-pr.yml`, `deploy-staging.yml`, `deploy-production.yml`): - `deploy_shared_gateway` (`true`/`false`) diff --git a/charts/theia-cloud-combined/Chart.yaml b/charts/theia-cloud-combined/Chart.yaml index 7f8673e..2a3df9b 100644 --- a/charts/theia-cloud-combined/Chart.yaml +++ b/charts/theia-cloud-combined/Chart.yaml @@ -7,7 +7,7 @@ appVersion: 1.0.0 dependencies: - name: theia-cloud version: 1.4.0-next.0 - repository: "https://eduide.github.io/EduIDE-Helm" + repository: "oci://ghcr.io/eduide/charts" - name: theia-certificates version: 0.1.0 diff --git a/docs/adding-environments.md b/docs/adding-environments.md index e31bff9..3d00998 100644 --- a/docs/adding-environments.md +++ b/docs/adding-environments.md @@ -194,7 +194,7 @@ deploy-test2: environment: test2 theia_cloud_tag: ${{ inputs.theia_cloud_tag || 'latest' }} ide_images_tag: ${{ inputs.ide_images_tag || 'latest' }} - helm_chart_branch: ${{ inputs.helm_chart_branch || '' }} + helm_chart_tag: ${{ inputs.helm_chart_tag || '' }} deploy_shared_gateway: true shared_gateway_values_file: deployments/shared-gateway/values.yaml shared_gateway_namespace: gateway-system From b1835ef5cbc571d5bc9adc06709cc1c43680c59f Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 15:19:30 +0100 Subject: [PATCH 7/9] Fixes --- README.md | 2 +- charts/theia-shared-gateway/templates/wildcard-secret.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 421e458..d94eb1f 100644 --- a/README.md +++ b/README.md @@ -156,7 +156,7 @@ Configuration files for each environment are located in the [deployments/](deplo ``` Normal deployments consume released OCI charts from `ghcr.io/eduide/charts`. -The `theia-cloud` dependency version in [charts/theia-cloud-combined/Chart.yaml](/Users/lukaskratzel/Uni/bachelor/theia-deployment/charts/theia-cloud-combined/Chart.yaml) controls the main application chart, while `theia-cloud-base` and `theia-cloud-crds` are pinned separately in the workflow at `1.2.0-next.0`. +The `theia-cloud` dependency version in `charts/theia-cloud-combined/Chart.yaml` controls the main application chart, while `theia-cloud-base` and `theia-cloud-crds` are pinned separately in the workflow at `1.2.0-next.0` and `1.4.0-next.0`. For PR previews, you can set `helm_chart_tag` to a value like `pr-123` to pull preview OCI charts published from `theia-cloud-helm` pull requests as versions such as `.pr-123`. When using GitHub Actions, shared-gateway settings are passed as hardcoded inputs diff --git a/charts/theia-shared-gateway/templates/wildcard-secret.yaml b/charts/theia-shared-gateway/templates/wildcard-secret.yaml index ecea5e7..325ed6c 100644 --- a/charts/theia-shared-gateway/templates/wildcard-secret.yaml +++ b/charts/theia-shared-gateway/templates/wildcard-secret.yaml @@ -6,6 +6,6 @@ metadata: name: {{ .Values.wildcardTLSSecret.name }} namespace: {{ .Values.wildcardTLSSecret.namespace }} data: - tls.crt: {{ .Values.wildcardTLSSecret.certificate | quote }} - tls.key: {{ .Values.wildcardTLSSecret.key | quote }} + tls.crt: {{ .Values.wildcardTLSSecret.certificate }} + tls.key: {{ .Values.wildcardTLSSecret.key }} {{- end }} From 21c6de16d8237d92ab059b1210d0a0186d409a51 Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 15:31:15 +0100 Subject: [PATCH 8/9] Preload oauth proxy images --- charts/theia-cloud-combined/values.yaml | 1 + deployments/test1.theia-test.artemis.cit.tum.de/values.yaml | 1 + deployments/test2.theia-test.artemis.cit.tum.de/values.yaml | 1 + deployments/test3.theia-test.artemis.cit.tum.de/values.yaml | 1 + deployments/theia-staging.artemis.cit.tum.de/values.yaml | 1 + deployments/theia.artemis.cit.tum.de/values.yaml | 1 + value-reference-files/theia-cloud-helm-values.yml | 1 + value-reference-files/tum-theia-cloud-helm-test-values.yaml | 1 + 8 files changed, 8 insertions(+) diff --git a/charts/theia-cloud-combined/values.yaml b/charts/theia-cloud-combined/values.yaml index f245724..51b0225 100644 --- a/charts/theia-cloud-combined/values.yaml +++ b/charts/theia-cloud-combined/values.yaml @@ -61,6 +61,7 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest + - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml index f0c907e..5e605f2 100644 --- a/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml @@ -61,6 +61,7 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest + - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml index 176519c..af7f278 100644 --- a/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml @@ -61,6 +61,7 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest + - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml index 063095a..48a4941 100644 --- a/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml @@ -66,6 +66,7 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest + - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 - ghcr.io/eduide/eduide/theia-no-ls:pr-46 - ghcr.io/eduide/eduide/langserver-java:pr-46 diff --git a/deployments/theia-staging.artemis.cit.tum.de/values.yaml b/deployments/theia-staging.artemis.cit.tum.de/values.yaml index 9cb1397..e40fdde 100644 --- a/deployments/theia-staging.artemis.cit.tum.de/values.yaml +++ b/deployments/theia-staging.artemis.cit.tum.de/values.yaml @@ -60,6 +60,7 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest + - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/deployments/theia.artemis.cit.tum.de/values.yaml b/deployments/theia.artemis.cit.tum.de/values.yaml index 0596259..5072106 100644 --- a/deployments/theia.artemis.cit.tum.de/values.yaml +++ b/deployments/theia.artemis.cit.tum.de/values.yaml @@ -60,6 +60,7 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest + - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/value-reference-files/theia-cloud-helm-values.yml b/value-reference-files/theia-cloud-helm-values.yml index 412e407..f098116 100644 --- a/value-reference-files/theia-cloud-helm-values.yml +++ b/value-reference-files/theia-cloud-helm-values.yml @@ -49,6 +49,7 @@ preloading: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest + - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/value-reference-files/tum-theia-cloud-helm-test-values.yaml b/value-reference-files/tum-theia-cloud-helm-test-values.yaml index 69e5519..bdff3ba 100644 --- a/value-reference-files/tum-theia-cloud-helm-test-values.yaml +++ b/value-reference-files/tum-theia-cloud-helm-test-values.yaml @@ -58,6 +58,7 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest + - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always From 3566fa26c73e78ad51ff09f137dcbeb30362772e Mon Sep 17 00:00:00 2001 From: lukaskratzel Date: Tue, 10 Mar 2026 15:43:56 +0100 Subject: [PATCH 9/9] Revert "Preload oauth proxy images" This reverts commit 21c6de16d8237d92ab059b1210d0a0186d409a51. --- charts/theia-cloud-combined/values.yaml | 1 - deployments/test1.theia-test.artemis.cit.tum.de/values.yaml | 1 - deployments/test2.theia-test.artemis.cit.tum.de/values.yaml | 1 - deployments/test3.theia-test.artemis.cit.tum.de/values.yaml | 1 - deployments/theia-staging.artemis.cit.tum.de/values.yaml | 1 - deployments/theia.artemis.cit.tum.de/values.yaml | 1 - value-reference-files/theia-cloud-helm-values.yml | 1 - value-reference-files/tum-theia-cloud-helm-test-values.yaml | 1 - 8 files changed, 8 deletions(-) diff --git a/charts/theia-cloud-combined/values.yaml b/charts/theia-cloud-combined/values.yaml index 51b0225..f245724 100644 --- a/charts/theia-cloud-combined/values.yaml +++ b/charts/theia-cloud-combined/values.yaml @@ -61,7 +61,6 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest - - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml index 5e605f2..f0c907e 100644 --- a/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test1.theia-test.artemis.cit.tum.de/values.yaml @@ -61,7 +61,6 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest - - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml index af7f278..176519c 100644 --- a/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test2.theia-test.artemis.cit.tum.de/values.yaml @@ -61,7 +61,6 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest - - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml b/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml index 48a4941..063095a 100644 --- a/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml +++ b/deployments/test3.theia-test.artemis.cit.tum.de/values.yaml @@ -66,7 +66,6 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest - - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 - ghcr.io/eduide/eduide/theia-no-ls:pr-46 - ghcr.io/eduide/eduide/langserver-java:pr-46 diff --git a/deployments/theia-staging.artemis.cit.tum.de/values.yaml b/deployments/theia-staging.artemis.cit.tum.de/values.yaml index e40fdde..9cb1397 100644 --- a/deployments/theia-staging.artemis.cit.tum.de/values.yaml +++ b/deployments/theia-staging.artemis.cit.tum.de/values.yaml @@ -60,7 +60,6 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest - - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/deployments/theia.artemis.cit.tum.de/values.yaml b/deployments/theia.artemis.cit.tum.de/values.yaml index 5072106..0596259 100644 --- a/deployments/theia.artemis.cit.tum.de/values.yaml +++ b/deployments/theia.artemis.cit.tum.de/values.yaml @@ -60,7 +60,6 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest - - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/value-reference-files/theia-cloud-helm-values.yml b/value-reference-files/theia-cloud-helm-values.yml index f098116..412e407 100644 --- a/value-reference-files/theia-cloud-helm-values.yml +++ b/value-reference-files/theia-cloud-helm-values.yml @@ -49,7 +49,6 @@ preloading: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest - - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always diff --git a/value-reference-files/tum-theia-cloud-helm-test-values.yaml b/value-reference-files/tum-theia-cloud-helm-test-values.yaml index bdff3ba..69e5519 100644 --- a/value-reference-files/tum-theia-cloud-helm-test-values.yaml +++ b/value-reference-files/tum-theia-cloud-helm-test-values.yaml @@ -58,7 +58,6 @@ theia-cloud: - ghcr.io/eduide/eduide/ocaml:latest - ghcr.io/eduide/eduide/rust:latest - ghcr.io/eduide/eduide/python:latest - - quay.io/oauth2-proxy/oauth2-proxy:v7.12.0 imagePullPolicy: Always