
@danc094codetogether (Contributor)

No description provided.

wgalanciak and others added 30 commits May 7, 2025 19:53
* Set environment variables via .env file.

* Missing change

* Change how hostnames and secret are set.

* changes for env template

* add env variable resolver on sso redirect value
* tweak name of dhparam.pem env var

* fix env var name in nginx template

* fix pam to pem
* fix(intel-chart): handle nil ai.openai.api_key to prevent template errors

Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and
ai.external.api_key when undefined.
This fixes a fatal error during `helm template` when AI mode is set to `bundled`
and no OpenAI config is present. Ensures compatibility with bundled-only deployments.

* Changes to fix workflow issues
Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it
mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling
AI features entirely, enabling Intel to be deployed without any AI-related containers or resources.
- Removed the section referring to metrics (Prometheus), etc. from the README

Co-authored-by: engineering <engineering@codetogether.com>

* Make sidecar AI container resource block optional in deployment

- Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml.
- Ensures the bundled AI container can run without specifying resource limits/requests by default.
- Improved overall Helm template flexibility for embedded AI mode.
- Validated that it runs with the AI container embedded.

* Enable support for external AI provider

- Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode.
- Added manifests for external AI integration:
  - ai-config ConfigMap: defines external provider and URL.
  - ai-external-secret Secret: stores the external API key.
- Verified that external AI mode works by routing requests through the configured external service.

* feat: automate creation of external AI ConfigMap and Secret from values.yaml

- Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled.
- ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml.
- Ensured resources are only created when ai.enabled=true and ai.mode=external.

* feat: allow use of existing or Helm-managed ai-external-secret in deployment

- Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation.
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided.

* Fixing helm template validations

* Adding values configuration

---------

Co-authored-by: engineering <engineering@codetogether.com>
* Change resources of ai

* Include gen ai on docker compose.

* undo changes
* Fixes after Testing
- Refactored deployment.yaml to reference ai.externalSecret.name when create: false
- Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData
- Updated ai-external-secret.yaml to generate a Secret only when create: true

* Bump intel chart version to 1.2.5

* Fix to use http://codetogether-llm:8000/ always

---------

Co-authored-by: engineering <engineering@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
* initial config

* Docker compose example to run keycloak

---------

Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
nmorenor and others added 21 commits July 10, 2025 11:15
* feat(charts, compose): add CT_TRUST_ALL_CERTS support

Fixes: #157
- values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS
- deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled
- .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose
- compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether-intel service

* refactor(charts): move trustAllCerts under codetogether section

- values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false)
- deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts

* fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry

- Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service
- Rely on `env_file: .env` to inject the variable

---------

Co-authored-by: engineering <engineering@codetogether.com>
Fixes: #160

Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional
so it is not rendered when AI is disabled. This prevents clashes with
pre-existing `ai-secrets` owned by other releases and keeps templates clean.
…e Secret conflicts (#164)

Fixes: #163

Problem
- Deploying multiple `codetogether-intel` releases in the same namespace caused
  a collision on statically named resources (e.g., `ai-secrets` / `ai-config`),
  producing Helm ownership errors.

What changed
- templates/ai-config.yaml
  - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`.
  - Name is now release-scoped: `{{ .Release.Name }}-ai-config`.

- templates/ai-external-secret.yaml
  - Respect `ai.externalSecret.create` and `ai.externalSecret.name`.
  - Default Secret name is release-scoped:
    `{{ include "codetogether.fullname" . }}-ai-external-secret`.
  - Store API key under `stringData.apiKey`.

- templates/deployment.yaml
  - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`.
  - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret:
    `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`.
  - Bundled mode unchanged; external resources are not created in bundled mode.

Why
- Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`)
  can coexist in the same namespace without Helm ownership clashes.

How to test
- External (chart-managed Secret):
  `helm template demo-staging-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY`
  → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`.

- External (existing Secret):
  `kubectl create secret generic my-custom-ai-secret -n default \
    --from-literal=apiKey=TESTKEY`
  `helm template qa-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret`
  → renders only the release-scoped ConfigMap; Deployment references the existing Secret.

- Bundled:
  `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled`
  → no AI ConfigMap/Secret rendered; sidecar included.
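Added example, not the chart's own files: a Helm template for the release-scoped external AI Secret and the matching Deployment env entries, written from the values keys, helper name, ConfigMap keys and `stringData.apiKey` the commit above lists. The `required` and `fail` guards are assumptions added here so a missing key or a missing Secret reference fails at render time instead of at pod start.

```yaml
{{- /* Modelled on templates/ai-external-secret.yaml as described in the commit; not the chart's file. */ -}}
{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") .Values.ai.externalSecret.create }}
apiVersion: v1
kind: Secret
metadata:
  # Release-scoped name: two releases in one namespace no longer fight over one static name.
  name: {{ include "codetogether.fullname" . }}-ai-external-secret
type: Opaque
stringData:
  # Key the Deployment reads; `required` (assumed here) turns an empty key into a render error.
  apiKey: {{ required "ai.externalSecret.apiKey must be set when ai.externalSecret.create=true" .Values.ai.externalSecret.apiKey | quote }}
{{- end }}
---
{{- /* Env fragment modelled on templates/deployment.yaml (container env only). */ -}}
{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }}
{{- if and (not .Values.ai.externalSecret.create) (not .Values.ai.externalSecret.name) }}
{{- fail "ai.externalSecret.name must reference an existing Secret when ai.externalSecret.create=false" }}
{{- end }}
env:
  - name: AI_PROVIDER
    valueFrom:
      configMapKeyRef:
        name: {{ .Release.Name }}-ai-config
        key: ai_provider
  - name: AI_EXTERNAL_URL
    valueFrom:
      configMapKeyRef:
        name: {{ .Release.Name }}-ai-config
        key: ai_url
  - name: AI_EXTERNAL_API_KEY
    valueFrom:
      secretKeyRef:
        # Chart-managed default name, or the user-supplied Secret when create=false.
        name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}
        key: apiKey
{{- end }}
```

The `helm template` invocations in the commit's "How to test" section exercise all three branches: chart-managed Secret, existing Secret, and bundled mode where nothing here renders.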
…se/templates (#166)

Fixes: #165

- Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with
  KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
- Update compose files to pass new env vars to the Keycloak container.
- Refresh .env templates to reflect the new names.
- Remove references to deprecated vars.

Touched:
- compose/.env-with-keycloak-template
- compose/keycloak/.env-template
- compose/keycloak/compose-keycloak.yaml
- compose/keycloak/compose-keycloak-no-nginx.yaml

Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap.

BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*.
* feat(helm): add RO rootfs support for Intel and Collab

Fixes: #168

- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)

* Typo fixes

* Typo fixes

* Fixing typo

* Changes to defaults

* Fixes
…ion (#171)

Fixes: #170

- add values: intelsecret.enabled/ref
- conditionally render templates/secret-intel.yaml
- deployment envs read from external secret when enabled (fail if ref missing)
- default unchanged (chart still creates "release"-intel)
* collab, intel: align read-only handling with live legacy chart

Fixes: #174

- Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem
- When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx
- Remove readOnlyMode flag and prepare-ro initContainer

* Fixes
Removed initContainers configuration for read-only mode.
…oup (#178)

* OpenShift Testing Commit

* Intel Changes

* Fixes

* Fixes

* Fix

* feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel

Fixes: #177

This change makes the codetogether-collab and codetogether-intel charts work
out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC),
and adds first-class support for readOnlyRootFilesystem via init containers.

Key changes
-----------
Collab
- Add initContainer `prepare-volatile` to create writable runtime paths when
  readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx,
  and the existing /run/volatile/* tree).
- Conditionally handle OpenShift vs vanilla:
  - OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs.
    Keep runAsNonRoot and disallow privilege escalation. Avoid chown.
    Use `install -d -m 0775/2775` for group-write with sticky set as needed.
  - Vanilla: init runs as root (UID 0) to chown created dirs to the non-root
    runtime user (defaults to 1000:1000); main container runs non-root.
- When readOnlyRootFilesystem=true:
  - Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx.
  - Add matching volumeMounts.
- Keep probes and ports unchanged.
- Values: add/clarify `openshift.enabled` flag, securityContext defaults,
  imageCredentials usage, and sample values for both environments.

Intel
- Add initContainer `prepare-runtime` to create /var/log/nginx and
  /var/cache/nginx and make them writable under read-only rootfs.
- Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP;
  root init + non-root app for vanilla).
- Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx,
  /var/cache/nginx when readOnlyRootFilesystem=true.
- Preserve existing envs (AI mode, HQ base URL, Java options, etc.).

Why
---
- Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set.
- Fixes initContainer permission errors (e.g., "Operation not permitted" on /run)
  by avoiding chown on OpenShift and using 2775 with umask 002.
- Enables secure read-only rootfs operation by provisioning necessary
  writable paths via EmptyDir.

Testing
-------
- OpenShift 4.x:
  - `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup.
  - initContainers succeed; pods transition to Running.
- Vanilla (DigitalOcean Kubernetes):
  - `openshift.enabled=false`, readOnlyRootFilesystem=true.
  - init runs as root, chowns to 1000:1000; app runs as non-root.
  - Pods healthy; readiness/liveness OK.

Breaking changes
----------------
- None functionally; however, when enabling readOnlyRootFilesystem, the chart
  now requires the EmptyDir mounts (added by default when the flag is true).
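Added example, not the chart's own deployment.yaml: a Deployment fragment that implements the OpenShift vs vanilla split and the read-only rootfs mounts the commit above describes. Assumed values keys are `openshift.enabled`, `securityContext.readOnlyRootFilesystem` (spelled as the Kubernetes field) and `image`; the UID 1000 default, `umask 002` with `install -d -m 2775`, and the four EmptyDir mounts follow the commit text.

```yaml
# Illustrative fragment of templates/deployment.yaml; values keys are assumptions noted in the lead-in.
spec:
  template:
    spec:
      {{- if not .Values.openshift.enabled }}
      # Vanilla Kubernetes: pin a non-root UID/GID. On OpenShift the restricted-v2 SCC assigns them,
      # and setting them explicitly is what produced the SCC denials.
      securityContext: { runAsUser: 1000, runAsGroup: 1000, fsGroup: 1000 }
      {{- end }}
      {{- if .Values.securityContext.readOnlyRootFilesystem }}
      initContainers:
        - name: prepare-runtime
          image: {{ .Values.image }}
          volumeMounts:
            - { name: nginx-log, mountPath: /var/log/nginx }
            - { name: nginx-cache, mountPath: /var/cache/nginx }
          {{- if .Values.openshift.enabled }}
          # No chown under restricted-v2: setgid, group-writable dirs with umask 002 are enough.
          command: ["sh", "-c", "umask 002 && install -d -m 2775 /var/log/nginx /var/cache/nginx"]
          securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false }
          {{- else }}
          # Root only for this init step, to hand the dirs to the non-root runtime user.
          command: ["sh", "-c", "install -d /var/log/nginx /var/cache/nginx && chown 1000:1000 /var/log/nginx /var/cache/nginx"]
          securityContext: { runAsUser: 0, allowPrivilegeEscalation: false }
          {{- end }}
      {{- end }}
      containers:
        - name: codetogether-intel
          image: {{ .Values.image }}
          securityContext:
            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem }}
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          {{- if .Values.securityContext.readOnlyRootFilesystem }}
          # Every path the app must write gets an EmptyDir; the image itself stays immutable.
          volumeMounts:
            - { name: run, mountPath: /run }
            - { name: tmp, mountPath: /tmp }
            - { name: nginx-log, mountPath: /var/log/nginx }
            - { name: nginx-cache, mountPath: /var/cache/nginx }
          {{- end }}
      {{- if .Values.securityContext.readOnlyRootFilesystem }}
      volumes:
        - { name: run, emptyDir: {} }
        - { name: tmp, emptyDir: { medium: Memory } }
        - { name: nginx-log, emptyDir: {} }
        - { name: nginx-cache, emptyDir: {} }
      {{- end }}
```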

* Testing

* fix(openshift): make Intel/Collab charts run on OpenShift; verified in-cluster

Fixes: #177

- Validated (same OpenShift env)
- This change fixes the customer’s OpenShift issue.
@nmorenor nmorenor merged commit 063fccc into main Oct 2, 2025
1 check passed