From ca1b56038dcb49713158389f2b0a4d3f17e01345 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Wed, 7 May 2025 19:53:23 +0200 Subject: [PATCH 01/57] fix: separate SSL certificates (#101) --- compose/nginx/nginx.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/compose/nginx/nginx.conf b/compose/nginx/nginx.conf index c2f1f24..b5a33eb 100644 --- a/compose/nginx/nginx.conf +++ b/compose/nginx/nginx.conf @@ -11,8 +11,8 @@ http { server_name ; proxy_buffer_size 128k; proxy_buffers 4 256k; - ssl_certificate ; - ssl_certificate_key ; + ssl_certificate ; + ssl_certificate_key ; ssl_dhparam ; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; @@ -55,8 +55,8 @@ http { proxy_buffers 4 256k; # setup the SSL certificate - ssl_certificate ; - ssl_certificate_key ; + ssl_certificate ; + ssl_certificate_key ; ssl_dhparam ; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; From b64df4601010e38f1f9e9f64b24889bfdf411b43 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 8 May 2025 14:02:03 -0600 Subject: [PATCH 02/57] fix: Set environment variables via .env file. (#99) * Set environment variables via .env file. * Missing change * Change how hostnames and secret are set. * changes for env template * add env variable resolver on sso redirect value --- compose/.env-template | 22 ++++++++++++++++++++++ compose/compose.yaml | 9 ++++----- compose/cthq.properties | 13 +++++++------ 3 files changed, 33 insertions(+), 11 deletions(-) create mode 100644 compose/.env-template diff --git a/compose/.env-template b/compose/.env-template new file mode 100644 index 0000000..64d7d60 --- /dev/null +++ b/compose/.env-template 
@@ -0,0 +1,22 @@ +############################################################################### +# CodeTogether – Environment Template +# ----------------------------------------------------------------------------- +# 1. Copy this file to `.env` in the same directory as `compose.yaml`. +# 2. Replace the placeholders on the right‑hand side with your real values. +# +# Variables +# --------- +# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the Collab +# service (e.g. collab.example.com). +# +# INTEL_FQDN Public hostname (FQDN) for the Intel service +# (e.g. intel.example.com). +# +# INTEL_SECRET Shared secret Collab uses to authenticate when authenticating +# communication with the intel service. +# Use a strong, private value. +############################################################################### + +COLLAB_FQDN=collab.example.com +INTEL_FQDN=intel.example.com +INTEL_SECRET=super-secret-string \ No newline at end of file diff --git a/compose/compose.yaml b/compose/compose.yaml index 8d3b95b..cd52345 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -1,12 +1,13 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed services: codetogether-collab: image: hub.edge.codetogether.com/releases/codetogether-collab:latest container_name: codetogether-collab environment: - # your collab/pair programming server URL - - CT_SERVER_URL=https://your-collab-server-fqdn + - CT_SERVER_URL=https://${COLLAB_FQDN} - CT_INTEL_URL=http://codetogether-intel:1080 - - CT_INTEL_SECRET=your-collab-intel-secret + - CT_INTEL_SECRET=${INTEL_SECRET} - CT_AV_ENABLED=false - CT_AV_LAN_IP=auto networks: @@ -31,8 +32,6 @@ services: codetogether-intel: image: hub.edge.codetogether.com/releases/codetogether-intel:latest container_name: codetogether-intel - environment: - - CT_HQ_BASE_URL=https://your-intel-server-fqdn networks: - codetogethernet volumes: 
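Review bot: The shipped default `INTEL_SECRET=super-secret-string` at the end of the template is a working value, so a deployment that copies the file without editing it runs with a guessable shared secret between Collab and Intel. The header should tell operators to generate the value rather than invent one, e.g. `# Generate with: openssl rand -hex 32`, and state that the copied `.env` holds secrets and must stay out of version control and be readable only by the deploying user (`chmod 600 .env`). Nothing in this commit shows a `.gitignore` entry for `compose/.env`; if none exists, add one alongside this template.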
diff --git a/compose/cthq.properties b/compose/cthq.properties index 1afe6b6..5c6e13c 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -1,8 +1,9 @@ -# Fill in values specific to your deployment -hq.base.url=https:// -hq.collab.url=https://your-collab-server-fqdn -hq.collab.secret= +# Variables below are injected from the `.env` file +hq.base.url=https://${INTEL_FQDN} +hq.collab.url=https://${COLLAB_FQDN} +hq.collab.secret=${INTEL_SECRET} +# Fill in values specific to your deployment # THE LINE BELOW IS NOT NEEDED WITH SINGLE TENANT #hq.sso.tenants=github,gitlab # GitHub SSO @@ -10,7 +11,7 @@ hq.sso.github.provider=github hq.sso.github.label=GitHub hq.sso.github.client.id= hq.sso.github.client.secret= -hq.sso.github.redirect.uri=https:///api/v1/auth/sso/success/insights +hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights hq.sso.github.auth.uri=https://github.com/login/oauth/authorize hq.sso.github.token.uri=https://github.com/login/oauth/access_token hq.sso.github.info.uri=https://api.github.com/user @@ -22,7 +23,7 @@ hq.sso.github.logout.uri=https://github.com/logout # hq.sso.gitlab.client.id= # hq.sso.gitlab.client.secret= # hq.sso.gitlab.client.issuer.url=https://gitlab.com -# hq.sso.gitlab.azure.redirect.uri=https:///api/v1/auth/sso/success/insights +# hq.sso.gitlab.azure.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA From 2c6b2878a0faddbb3a8b9c69388d691db883aa5a Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Sat, 10 May 2025 15:02:51 +0200 Subject: [PATCH 03/57] fix: add env_file to codetogether-intel (#105) --- compose/compose.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/compose/compose.yaml b/compose/compose.yaml index cd52345..ca9dba9 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml 
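Review bot: `hq.sso.github.client.secret=` in the GitHub block is still an empty literal that operators must paste into this tracked properties file, while `hq.collab.secret` in the same commit moved to `${INTEL_SECRET}` from `.env`. For consistency and to keep the OAuth client secret out of the repository, resolve it the same way: `hq.sso.github.client.secret=${GITHUB_CLIENT_SECRET}` with a matching entry in `.env-template`. These `${...}` references in a mounted file are expanded by the application's own resolver, not by Compose (which only interpolates `compose.yaml`); the commit message implies that resolver exists but the diff does not show it, so the header comment should say so. A comment that the redirect URI derived from `${INTEL_FQDN}` must match the callback registered with GitHub exactly would also save a support round-trip.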
@@ -32,6 +32,8 @@ services: codetogether-intel: image: hub.edge.codetogether.com/releases/codetogether-intel:latest container_name: codetogether-intel + env_file: + - .env networks: - codetogethernet volumes: From 26058432b12b7550e3ba3f607708fa739cee4957 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 10:57:26 +0200 Subject: [PATCH 04/57] fix: missing CT_HQ_BASE_URL env var (#107) --- compose/compose.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/compose/compose.yaml b/compose/compose.yaml index ca9dba9..27c3e94 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -34,6 +34,8 @@ services: container_name: codetogether-intel env_file: - .env + environment: + - CT_HQ_BASE_URL=https://${INTEL_FQDN} networks: - codetogethernet volumes: @@ -73,4 +75,4 @@ services: retries: 70 networks: codetogethernet: - driver: bridge \ No newline at end of file + driver: bridge From fb116eed6e85790ec73719237b91d108c0f1c81d Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 12:25:43 +0200 Subject: [PATCH 05/57] feat: nginx auto config (#109) --- compose/.env-template | 45 ++++++++++++++----- compose/compose.yaml | 6 ++- .../nginx/{nginx.conf => nginx.conf.template} | 19 ++++---- 3 files changed, 50 insertions(+), 20 deletions(-) rename compose/nginx/{nginx.conf => nginx.conf.template} (88%) diff --git a/compose/.env-template b/compose/.env-template index 64d7d60..9acc048 100644 --- a/compose/.env-template +++ b/compose/.env-template 
@@ -3,20 +3,45 @@ # ----------------------------------------------------------------------------- # 1. Copy this file to `.env` in the same directory as `compose.yaml`. # 2. Replace the placeholders on the right‑hand side with your real values. +# 3. Place all SSL certificates and Diffie‑Hellman parameters in the +# `nginx/ssl` directory. +# 4. Run `docker‑compose up -d` to start the containers. # -# Variables -# --------- -# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the Collab -# service (e.g. collab.example.com). +# Variables (all required unless stated otherwise) +# ---------------------------------------------- +# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the +# Collab service (e.g. collab.example.com). # -# INTEL_FQDN Public hostname (FQDN) for the Intel service -# (e.g. intel.example.com). +# INTEL_FQDN Public hostname (FQDN) for the Intel service +# (e.g. intel.example.com). # -# INTEL_SECRET Shared secret Collab uses to authenticate when authenticating -# communication with the intel service. -# Use a strong, private value. +# INTEL_SECRET Shared secret Collab uses to authenticate when +# communicating with the Intel service. Use a strong, +# private value. +# +# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab +# virtual host (e.g. ssl-collab.crt). +# +# SSL_COLLAB_KEY Private key filename for the Collab certificate +# (e.g. ssl-collab.key). +# +# SSL_INTEL_CERT Certificate filename for the Intel virtual host +# (e.g. ssl-intel.crt). +# +# SSL_INTEL_KEY Private key filename for the Intel certificate +# (e.g. ssl-intel.key). +# +# DHPARAM_PATH Diffie‑Hellman parameters file (e.g. dhparam.pem). 
############################################################################### COLLAB_FQDN=collab.example.com INTEL_FQDN=intel.example.com -INTEL_SECRET=super-secret-string \ No newline at end of file +INTEL_SECRET=super-secret-string + +SSL_COLLAB_CERT=ssl-collab.crt +SSL_COLLAB_KEY=ssl-collab.key + +SSL_INTEL_CERT=ssl-intel.crt +SSL_INTEL_KEY=ssl-intel.key + +DHPARAM_PATH=dhparam.pem \ No newline at end of file diff --git a/compose/compose.yaml b/compose/compose.yaml index 27c3e94..e5e96d2 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -18,10 +18,14 @@ services: nginx: image: nginx:latest container_name: codetogether-nginx + env_file: + - .env + environment: + - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx ports: - "443:443" volumes: - - ./nginx/nginx.conf:/etc/nginx/nginx.conf + - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro - ./nginx/ssl:/etc/nginx/ssl - ./nginx/log:/var/log/nginx networks: diff --git a/compose/nginx/nginx.conf b/compose/nginx/nginx.conf.template similarity index 88% rename from compose/nginx/nginx.conf rename to compose/nginx/nginx.conf.template index b5a33eb..4418cd7 100644 --- a/compose/nginx/nginx.conf +++ b/compose/nginx/nginx.conf.template @@ -1,6 +1,7 @@ events { worker_connections 1024; } + http { include mime.types; default_type application/octet-stream; 
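Review bot: Adding `env_file: .env` to the nginx service hands the reverse proxy every variable in `.env`, including `INTEL_SECRET`, which nginx never uses; the template only needs the two hostnames and the certificate file names. The certificate directory is also still mounted read-write (`./nginx/ssl:/etc/nginx/ssl`) in the same hunk that made the template mount `:ro`, so a compromised nginx process could overwrite the private keys. Pass only the needed variables with `environment:` and make the ssl mount read-only, as below. `image: nginx:latest` is context here, but since the templating now depends on the image's envsubst entrypoint, pinning a specific version would make that behaviour reproducible.
```yaml
  nginx:
    image: nginx:latest
    container_name: codetogether-nginx
    environment:
      - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
      - COLLAB_FQDN=${COLLAB_FQDN}
      - INTEL_FQDN=${INTEL_FQDN}
      - SSL_COLLAB_CERT=${SSL_COLLAB_CERT}
      - SSL_COLLAB_KEY=${SSL_COLLAB_KEY}
      - SSL_INTEL_CERT=${SSL_INTEL_CERT}
      - SSL_INTEL_KEY=${SSL_INTEL_KEY}
      - DHPARAM_PATH=${DHPARAM_PATH}
    # … unchanged: ports …
    volumes:
      - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
      - ./nginx/ssl:/etc/nginx/ssl:ro
      - ./nginx/log:/var/log/nginx
```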
@@ -8,12 +9,12 @@ http { keepalive_timeout 65; server { listen 443 ssl http2; - server_name ; + server_name ${COLLAB_FQDN}; proxy_buffer_size 128k; proxy_buffers 4 256k; - ssl_certificate ; - ssl_certificate_key ; - ssl_dhparam ; + ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; @@ -47,7 +48,7 @@ http { } } server { - server_name ; + server_name ${INTEL_FQDN}; listen 443 ssl http2; # configure proxy buffer sizes @@ -55,9 +56,9 @@ http { proxy_buffers 4 256k; # setup the SSL certificate - ssl_certificate ; - ssl_certificate_key ; - ssl_dhparam ; + ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; @@ -91,4 +92,4 @@ http { proxy_send_timeout 360; } } -} +} \ No newline at end of file From 4d79a6db468b55abb0b244713ef3d29a73b2544c Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 13:05:36 +0200 Subject: [PATCH 06/57] fix: add step for sso provider (#110) --- compose/.env-template | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/compose/.env-template b/compose/.env-template index 9acc048..d0af82b 100644 --- a/compose/.env-template +++ b/compose/.env-template 
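Review bot: `ssl_protocols TLSv1.2;` in the Collab server block (and the identical line in the Intel block further down the file) excludes TLS 1.3, so current clients negotiate the older protocol and the TLS 1.3 suites are never offered. The line should read `ssl_protocols TLSv1.2 TLSv1.3;`; with 1.3 enabled, `ssl_prefer_server_ciphers on` still only governs the 1.2 list, which is fine. None of the visible hunks set `Strict-Transport-Security`; if it is not added elsewhere in the server block, `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` belongs next to these directives. The `${VAR}` references are expanded by the image's envsubst step, which substitutes only variables present in the container's environment, so the nginx service must receive them (the compose change in this commit does that).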
@@ -5,7 +5,8 @@ # 2. Replace the placeholders on the right‑hand side with your real values. # 3. Place all SSL certificates and Diffie‑Hellman parameters in the # `nginx/ssl` directory. -# 4. Run `docker‑compose up -d` to start the containers. +# 4. Configure your SSO provider in the `cthq.properties` file. +# 5. Run `docker‑compose up -d` to start the containers. # # Variables (all required unless stated otherwise) # ---------------------------------------------- From 063a4ebdcddb5d77eca760e5bfd7b8c5c4d41224 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 14:23:51 +0200 Subject: [PATCH 07/57] fix: add client_max_body_size to intel (#112) --- compose/nginx/nginx.conf.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose/nginx/nginx.conf.template b/compose/nginx/nginx.conf.template index 4418cd7..2456c39 100644 --- a/compose/nginx/nginx.conf.template +++ b/compose/nginx/nginx.conf.template @@ -23,7 +23,6 @@ http { set $realIP $remote_addr; set $forwardTo $proxy_add_x_forwarded_for; set $reqHost $http_host; - client_max_body_size 32M; if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; } @@ -70,6 +69,7 @@ http { set $realIP $remote_addr; set $forwardTo $proxy_add_x_forwarded_for; set $reqHost $http_host; + client_max_body_size 32M; if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; } From d665be1f5137fbe47d6965b39a002c49fb6c25b4 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 17:54:07 +0200 Subject: [PATCH 08/57] fix: tweak name of dhparam.pem env var (#113) * tweak name of dhparam.pem env var * fix env var name in nginx template * fix pam to pem --- compose/.env-template | 4 ++-- compose/nginx/nginx.conf.template | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/compose/.env-template b/compose/.env-template index d0af82b..c88f162 100644 --- a/compose/.env-template +++ b/compose/.env-template 
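Review bot: The commit title says `client_max_body_size 32M` is added to the Intel block, but the hunk removes it from the Collab block first, so Collab silently falls back to nginx's default of 1m and uploads above that now receive HTTP 413. If the reduction for Collab is intentional, say so in the commit message; otherwise keep the directive in both blocks. Visible as context next to the moved line, `if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; }` trusts a client-supplied header, so if this nginx is the Internet-facing edge a client can forge the address that reaches the backends; `set_real_ip_from <trusted-proxy-cidr>;` with `real_ip_header X-Real-IP;` is the safe form. The enclosing server blocks start and end outside the hunk.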
@@ -32,7 +32,7 @@ # SSL_INTEL_KEY Private key filename for the Intel certificate # (e.g. ssl-intel.key). # -# DHPARAM_PATH Diffie‑Hellman parameters file (e.g. dhparam.pem). +# DHPARAM_PEM Diffie‑Hellman parameters file (e.g. dhparam.pem). ############################################################################### COLLAB_FQDN=collab.example.com @@ -45,4 +45,4 @@ SSL_COLLAB_KEY=ssl-collab.key SSL_INTEL_CERT=ssl-intel.crt SSL_INTEL_KEY=ssl-intel.key -DHPARAM_PATH=dhparam.pem \ No newline at end of file +DHPARAM_PEM=dhparam.pem \ No newline at end of file diff --git a/compose/nginx/nginx.conf.template b/compose/nginx/nginx.conf.template index 2456c39..85f1068 100644 --- a/compose/nginx/nginx.conf.template +++ b/compose/nginx/nginx.conf.template @@ -14,7 +14,7 @@ http { proxy_buffers 4 256k; ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT}; ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY}; - ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; @@ -57,7 +57,7 @@ http { # setup the SSL certificate ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT}; ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY}; - ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; From 56d5eeefaf680b961f6569b4a48184aa629dee22 Mon Sep 17 00:00:00 2001 
From: Ignacio Moreno Date: Mon, 12 May 2025 09:58:53 -0600 Subject: [PATCH 09/57] fix: missing env file on collab (#114) --- compose/compose.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/compose/compose.yaml b/compose/compose.yaml index e5e96d2..b443a7f 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -4,6 +4,8 @@ services: codetogether-collab: image: hub.edge.codetogether.com/releases/codetogether-collab:latest container_name: codetogether-collab + env_file: + - .env environment: - CT_SERVER_URL=https://${COLLAB_FQDN} - CT_INTEL_URL=http://codetogether-intel:1080 From f21332a7f248568b065840821ed81355c4b534c7 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Mon, 12 May 2025 10:38:42 -0600 Subject: [PATCH 10/57] =?UTF-8?q?fix:=20handle=20nil=20ai.openai.api=5Fkey?= =?UTF-8?q?=20to=20prevent=20template=20er=E2=80=A6=20(#116)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(intel-chart): handle nil ai.openai.api_key to prevent template errors Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and ai.external.api_key when undefined. This fixes a fatal error during `helm template` when AI mode is set to `bundled` and no OpenAI config is present. Ensures compatibility with bundled-only deployments. * Changes to fix workflow issues --- charts/intel/templates/secrets.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/intel/templates/secrets.yaml b/charts/intel/templates/secrets.yaml index 5cdd56d..b5b85e7 100644 --- a/charts/intel/templates/secrets.yaml +++ b/charts/intel/templates/secrets.yaml 
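Review bot: `env_file: .env` on the collab service is not needed for the `${COLLAB_FQDN}` and `${INTEL_SECRET}` references below it, because Compose already interpolates those from the project-level `.env` when it parses `compose.yaml`. What the directive adds is every `.env` variable, verbatim, to the container's environment, so the shared secret is now present twice (as `CT_INTEL_SECRET` and as `INTEL_SECRET`) along with the certificate file names. Unless the collab image itself reads those names, drop the two added lines; if it does, a comment naming the variables it consumes would justify the wider exposure.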
@@ -4,5 +4,13 @@ metadata: name: ai-secrets type: Opaque data: + {{- if .Values.ai.openai }} + {{- if .Values.ai.openai.api_key }} openai-api-key: {{ .Values.ai.openai.api_key | b64enc }} + {{- end }} + {{- end }} + {{- if .Values.ai.external }} + {{- if .Values.ai.external.api_key }} external-ai-key: {{ .Values.ai.external.api_key | b64enc }} + {{- end }} + {{- end }} From 11960ddbcad980a2e131fce5e0733f5ccdf295e0 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 20:30:56 +0200 Subject: [PATCH 11/57] fix: cleanup for sso tenants (#117) --- compose/cthq.properties | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/compose/cthq.properties b/compose/cthq.properties index 5c6e13c..8b8c254 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -4,8 +4,10 @@ hq.collab.url=https://${COLLAB_FQDN} hq.collab.secret=${INTEL_SECRET} # Fill in values specific to your deployment -# THE LINE BELOW IS NOT NEEDED WITH SINGLE TENANT -#hq.sso.tenants=github,gitlab + +# If you want to run with multiple SSO providers, add their names separated with commas +hq.sso.tenants=github + # GitHub SSO hq.sso.github.provider=github hq.sso.github.label=GitHub @@ -18,13 +20,6 @@ hq.sso.github.info.uri=https://api.github.com/user hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks hq.sso.github.logout.uri=https://github.com/logout -# hq.sso.gitlab.provider=gitlab -# hq.sso.gitlab.label=Gitlab test -# hq.sso.gitlab.client.id= -# hq.sso.gitlab.client.secret= -# hq.sso.gitlab.client.issuer.url=https://gitlab.com -# hq.sso.gitlab.azure.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights - # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra From 9cd2f4841f0488085e592ae4038d4742c4eb1d30 Mon Sep 17 00:00:00 2001 
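Review bot: When neither `ai.openai.api_key` nor `ai.external.api_key` is set, the template now renders a Secret named `ai-secrets` whose `data:` has no entries, so the resource is created empty and any consumer that references a key in it fails at pod start rather than at `helm template`. Guard the whole resource instead, e.g. open the file with `{{- if or (dig "openai" "api_key" "" .Values.ai) (dig "external" "api_key" "" .Values.ai) }}` and close it with `{{- end }}` after `data:` (sprig `dig` is nil-safe and present in recent Helm 3 releases; if the chart must support older Helm, keep the nested `if` form around the whole resource instead). The resource header is outside the hunk.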
From: danc094codetogether Date: Fri, 16 May 2025 11:38:20 -0600 Subject: [PATCH 12/57] feat(intel): add option to disable AI integration entirely (#120) Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling AI features entirely, enabling Intel to be deployed without any AI-related containers or resources. --- charts/intel/templates/deployment.yaml | 66 ++++++++++++++------------ charts/intel/values.yaml | 1 + 2 files changed, 36 insertions(+), 31 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 0615be8..9c0d7e0 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
@@ -28,21 +28,23 @@ spec: {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - {{- if eq .Values.ai.mode "bundled" }} - - name: codetogether-llm - image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" - imagePullPolicy: Always - ports: - - name: ai - containerPort: 8000 - protocol: TCP - resources: - requests: - cpu: {{ .Values.ai.resources.requests.cpu | quote }} - memory: {{ .Values.ai.resources.requests.memory | quote }} - limits: - cpu: {{ .Values.ai.resources.limits.cpu | quote }} - memory: {{ .Values.ai.resources.limits.memory | quote }} + {{- if .Values.ai.enabled }} + {{- if eq .Values.ai.mode "bundled" }} + - name: codetogether-llm + image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" + imagePullPolicy: Always + ports: + - name: ai + containerPort: 8000 + protocol: TCP + resources: + requests: + cpu: {{ .Values.ai.resources.requests.cpu | quote }} + memory: {{ .Values.ai.resources.requests.memory | quote }} + limits: + cpu: {{ .Values.ai.resources.limits.cpu | quote }} + memory: {{ .Values.ai.resources.limits.memory | quote }} + {{- end }} {{- end }} - name: {{ .Chart.Name }} securityContext: 
@@ -56,22 +58,24 @@ spec: - name: AI_BUNDLED_URL value: "http://codetogether-llm:8000" {{- end }} - {{- if eq .Values.ai.mode "external" }} - - name: AI_PROVIDER - valueFrom: - configMapKeyRef: - name: ai-config - key: ai_provider - - name: AI_EXTERNAL_URL - valueFrom: - configMapKeyRef: - name: ai-config - key: ai_url - - name: AI_EXTERNAL_API_KEY - valueFrom: - secretKeyRef: - name: ai-external-secret - key: api-key + {{- if .Values.ai.enabled }} + {{- if eq .Values.ai.mode "external" }} + - name: AI_PROVIDER + valueFrom: + configMapKeyRef: + name: ai-config + key: ai_provider + - name: AI_EXTERNAL_URL + valueFrom: + configMapKeyRef: + name: ai-config + key: ai_url + - name: AI_EXTERNAL_API_KEY + valueFrom: + secretKeyRef: + name: ai-external-secret + key: api-key + {{- end }} {{- end }} # # Set CodeTogether runtime configuration diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index ac9227e..04507b2 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -139,6 +139,7 @@ securityContext: {} # runAsUser: 1000 ai: + enabled: false mode: "bundled" # Options: bundled | external provider: "ollama" # No OpenAI dependency resources: From c7bee305582a2ca6ae7b87bee2724f0194bd6669 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Tue, 10 Jun 2025 11:59:09 -0600 Subject: [PATCH 13/57] Change gen ai image name on values file (#122) --- charts/intel/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 04507b2..ab0f8fe 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -152,7 +152,7 @@ ai: memory: "8Gi" gpu: false image: - repository: registry.digitalocean.com/codetogether-registry/ai-summarization + repository: registry.digitalocean.com/codetogether-registry/codetogether-llm tag: latest From 75c414ffac11767ff9d3c9a763d5b540d4dcfa52 Mon Sep 17 00:00:00 2001 
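Review bot: `AI_MODE` and `AI_BUNDLED_URL` just above the new `{{- if .Values.ai.enabled }}` are still emitted when `ai.enabled` is false, so with the default `mode: bundled` the main container is told to use an LLM at `http://codetogether-llm:8000` that this commit no longer deploys. Either move those two entries under the same `ai.enabled` guard, or emit `AI_MODE: "disabled"` when the flag is off, whichever the application expects; the accepted `AI_MODE` values are not documented in the hunk, so a comment listing them would help. The `env:` list starts before this hunk.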
From: Ignacio Moreno Date: Tue, 10 Jun 2025 12:03:34 -0600 Subject: [PATCH 14/57] fix: bump up version number (#123) --- charts/intel/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index a63a302..f3e928a 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,8 +3,8 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.3 -appVersion: "2025.1.0" +version: 1.2.4 +appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png home: https://www.codetogether.com From aacad5767139e752c0f6fd60eb749f007cf31524 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Mon, 16 Jun 2025 15:59:23 -0600 Subject: [PATCH 15/57] docs: remove outdated metrics section from README (#130) - Removed the section referring to metrics(prometeus), etc from the README Co-authored-by: engineering --- charts/collab/README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/charts/collab/README.md b/charts/collab/README.md index 621f5a5..f235f45 100644 --- a/charts/collab/README.md +++ b/charts/collab/README.md 
@@ -36,11 +36,6 @@ The following table lists configurable parameters of the CodeTogether Collab cha | `codetogether.noclients` | Disables the `/clients` endpoint if set to `true` | `false` | | `codetogether.timeZone.enabled` | Enables a customized time zone for the container | `false` | | `codetogether.timeZone.region` | Time zone region for the container | `America/Chicago` | -| `direct.metrics.statsdEnabled` | Enables StatsD metrics collection | `false` | -| `direct.metrics.statsdHost` | Host for StatsD metrics | `https://my-graphite-fqdn` | -| `direct.metrics.statsdPort` | Port for StatsD metrics | `8125` | -| `direct.metrics.statsdProtocol` | Protocol for StatsD metrics | `UDP` | -| `direct.metrics.prometheusEnabled` | Enables Prometheus metrics collection | `false` | | `locatorCentral.database.host` | Host for locator-central database | `10.10.0.2` | | `locatorCentral.database.port` | Port for locator-central database | `3306` | | `locatorCentral.database.schema` | Schema name for locator-central database | `codetogether` | From 23ddc3ef1d64e05f38745ac376094ad8ef7a15c7 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Tue, 17 Jun 2025 09:11:45 -0600 Subject: [PATCH 16/57] fix: add note to env-template file (#127) --- compose/.env-template | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/compose/.env-template b/compose/.env-template index c88f162..0899e06 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -39,10 +39,11 @@ COLLAB_FQDN=collab.example.com INTEL_FQDN=intel.example.com INTEL_SECRET=super-secret-string +# SSL cerfificate files should be placed in the `nginx/ssl` directory. SSL_COLLAB_CERT=ssl-collab.crt SSL_COLLAB_KEY=ssl-collab.key SSL_INTEL_CERT=ssl-intel.crt SSL_INTEL_KEY=ssl-intel.key -DHPARAM_PEM=dhparam.pem \ No newline at end of file +DHPARAM_PEM=dhparam.pem From 447a8a71f58c8ef823d1beb5a9870de12704bab4 Mon Sep 17 00:00:00 2001 
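Review bot: The new comment reads `cerfificate`; it should be `certificate`. Since the line sits directly above the private key file names, it is also the natural place to tell operators how to protect them, e.g. `# Private key files should be mode 0600; the nginx master process reads them at startup.`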
From: danc094codetogether Date: Wed, 18 Jun 2025 05:10:46 -0600 Subject: [PATCH 17/57] fix: update LLM image URL to hub.edge (#132) --- charts/intel/values.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index ab0f8fe..e9efd48 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -142,6 +142,9 @@ ai: enabled: false mode: "bundled" # Options: bundled | external provider: "ollama" # No OpenAI dependency + image: + repository: hub.edge.codetogether.com/releases/codetogether-llm + tag: latest resources: requests: cpu: "2" @@ -151,10 +154,6 @@ ai: cpu: "4" memory: "8Gi" gpu: false - image: - repository: registry.digitalocean.com/codetogether-registry/codetogether-llm - tag: latest - readinessProbe: initialDelaySeconds: 60 From 61a8250cc29fa9b7718cc9d2b6ad757f0380a501 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 18 Jun 2025 05:12:40 -0600 Subject: [PATCH 18/57] docs: add deprecation notice to old Live chart (#131) --- charts/live/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/live/README.md b/charts/live/README.md index 76048f3..b8cbf31 100644 --- a/charts/live/README.md +++ b/charts/live/README.md @@ -1,7 +1,10 @@ # README.md Helm Chart for CodeTogether Live +# CodeTogether Live Chart (Legacy) -## Summary +> **⚠️ Legacy Chart** +> This chart is now considered legacy and is not longer supported, is not recommended for new deployments. +## Summary This chart creates a CodeTogether Live server deployment on a Kubernetes cluster using the Helm package manager. ## Prerequisites From d4665b0f8797076099aeb445d1f20a703350bb89 Mon Sep 17 00:00:00 2001 
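Review bot: `tag: latest` combined with the deployment's `imagePullPolicy: Always` means every pod restart may pull a different LLM image from `hub.edge.codetogether.com`, so two replicas of one release can run different code, and a bad push or registry compromise reaches production without a chart change. The main container resolves its tag from `.Chart.AppVersion`; the sidecar should do the same or pin an explicit tag, e.g. `tag: "2025.3.0"` if the LLM image tracks the app version, and ideally a digest.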
From: danc094codetogether Date: Wed, 18 Jun 2025 14:14:37 -0600 Subject: [PATCH 19/57] 126 automatically configure ollama integration when llm is enabled (#128) * Make sidecar AI container resource block optional in deployment - Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml. - Ensures the bundled AI container can run without specifying resource limits/requests by default. - Improved overall Helm template flexibility for embedded AI mode. - Validated that runs with AI Container embeeded. * Enable support for external AI provider - Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode. - Added manifests for external AI integration: - ai-config ConfigMap: defines external provider and URL. - ai-external-secret Secret: stores the external API key. - Verified that external AI mode works by routing requests through the configured external service. * feat: automate creation of external AI ConfigMap and Secret from values.yaml - Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled. - ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml. - Ensured resources are only created when ai.enabled=true and ai.mode=external. * feat: allow use of existing or Helm-managed ai-external-secret in deployment - Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation. - Added ai-external-secret.yaml template to optionally create the secret from values if not provided. 
* Fixing helm template validations * Adding values configuration --------- Co-authored-by: engineering --- charts/intel/templates/ai-config.yaml | 11 ++ .../intel/templates/ai-external-secret.yaml | 12 ++ charts/intel/templates/deployment.yaml | 109 ++++++++---------- charts/intel/values.yaml | 5 +- 4 files changed, 71 insertions(+), 66 deletions(-) create mode 100644 charts/intel/templates/ai-config.yaml create mode 100644 charts/intel/templates/ai-external-secret.yaml diff --git a/charts/intel/templates/ai-config.yaml b/charts/intel/templates/ai-config.yaml new file mode 100644 index 0000000..763fedb --- /dev/null +++ b/charts/intel/templates/ai-config.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: ai-config + namespace: {{ .Release.Namespace }} +data: + ai_provider: {{ .Values.ai.provider | quote }} + ai_url: {{ .Values.ai.url | quote }} +{{- end }} + diff --git a/charts/intel/templates/ai-external-secret.yaml b/charts/intel/templates/ai-external-secret.yaml new file mode 100644 index 0000000..ebd6468 --- /dev/null +++ b/charts/intel/templates/ai-external-secret.yaml @@ -0,0 +1,12 @@ +{{- $extSecret := (index .Values.ai "externalSecret" | default dict) }} +{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") (or (not $extSecret.name) $extSecret.create) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $extSecret.name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }} + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + api-key: {{ $extSecret.apiKey | quote }} +{{- end }} + diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 9c0d7e0..121e800 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
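Review bot: `ai_provider` and `ai_url` read keys that the `values.yaml` hunk in this commit does not define (it removes `provider: "ollama"` and adds no `url`), so in external mode the ConfigMap silently renders `ai_provider: ""` and `ai_url: ""` unless the operator supplies both. Use `required` so a missing value fails at template time: `ai_url: {{ required "ai.url is required when ai.mode=external" .Values.ai.url | quote }}`, and the same for `ai_provider`. Documenting both keys in `values.yaml` next to `ai.mode` would make the contract visible.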
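Review bot: When `ai.externalSecret.name` is unset the condition creates the Secret, but `api-key: {{ $extSecret.apiKey | quote }}` renders `""` if `apiKey` was not provided, and the deployment's `secretKeyRef` is not `optional`, so the pod starts with an empty API key and only fails on the first AI call. Use `api-key: {{ required "ai.externalSecret.apiKey is required when ai.mode=external and no existing secret is referenced" $extSecret.apiKey | quote }}`. The key is written in plain text in `values.yaml` on this path; the `name` with `create: false` path added here is the one to recommend in the README so the Secret can come from an external secrets tool.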
@@ -28,38 +28,20 @@ spec: {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "bundled" }} - - name: codetogether-llm - image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" - imagePullPolicy: Always - ports: - - name: ai - containerPort: 8000 - protocol: TCP - resources: - requests: - cpu: {{ .Values.ai.resources.requests.cpu | quote }} - memory: {{ .Values.ai.resources.requests.memory | quote }} - limits: - cpu: {{ .Values.ai.resources.limits.cpu | quote }} - memory: {{ .Values.ai.resources.limits.memory | quote }} - {{- end }} - {{- end }} - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - - name: AI_MODE - value: {{ .Values.ai.mode | quote }} - {{- if eq .Values.ai.mode "bundled" }} - - name: AI_BUNDLED_URL - value: "http://codetogether-llm:8000" - {{- end }} - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "external" }} + - name: AI_MODE + value: {{ .Values.ai.mode | quote }} + {{- if eq .Values.ai.mode "bundled" }} + - name: AI_BUNDLED_URL + value: "http://codetogether-llm:8000" + {{- end }} + {{- if .Values.ai.enabled }} + {{- if eq .Values.ai.mode "external" }} - name: AI_PROVIDER valueFrom: configMapKeyRef: 
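Review bot: `AI_BUNDLED_URL` still points at `http://codetogether-llm:8000`, but the LLM is a second container in the same pod (this hunk edits that `containers:` list), and a container name is not a DNS name in Kubernetes; unless a Service named `codetogether-llm` exists elsewhere in the chart, the address does not resolve and the reachable one is `http://localhost:8000`. `AI_MODE` and `AI_BUNDLED_URL` are also re-indented here but remain outside the `{{- if .Values.ai.enabled }}` guard the hunk keeps for the external case, so they are still set when AI is disabled. The `env:` list continues into the next hunk.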
@@ -73,35 +55,29 @@ spec: - name: AI_EXTERNAL_API_KEY valueFrom: secretKeyRef: - name: ai-external-secret + name: {{ (index .Values.ai "externalSecret" | default dict).name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }} key: api-key + {{- end }} + {{- end }} + # Set CodeTogether runtime configuration + - name: CT_HQ_BASE_URL + value: {{ .Values.codetogether.url | quote }} + {{- if .Values.java.customCacerts.enabled }} + - name: CT_TRUST_STORE + value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts + {{- end }} + {{- if .Values.java.customJavaOptions }} + - name: CT_JAVA_OPTIONS + value: "{{ .Values.java.customJavaOptions | default "" }}" + {{- end }} + {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }} + - name: CT_TRUST_STORE_PASSWD + valueFrom: + secretKeyRef: + name: {{ .Values.java.customCacerts.cacertsSecretName }} + key: {{ .Values.java.customCacerts.trustStorePasswordKey }} + optional: true {{- end }} - {{- end }} - # - # Set CodeTogether runtime configuration - # - - name: CT_HQ_BASE_URL - value: {{ .Values.codetogether.url | quote }} - {{- if .Values.java.customCacerts.enabled }} - - name: CT_TRUST_STORE - value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts - {{- end }} - - # Custom Java options (excluding trust store related settings) - {{- if .Values.java.customJavaOptions }} - - name: CT_JAVA_OPTIONS - value: "{{ .Values.java.customJavaOptions | default "" }}" - {{- end }} - - # Set trust store password only if trustStorePasswordKey is provided - {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }} - - name: CT_TRUST_STORE_PASSWD - valueFrom: - secretKeyRef: - name: {{ .Values.java.customCacerts.cacertsSecretName }} - key: {{ .Values.java.customCacerts.trustStorePasswordKey }} - optional: true - {{- end }} volumeMounts: - name: properties-volume 
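Review bot: `CT_JAVA_OPTIONS` wraps `{{ .Values.java.customJavaOptions | default "" }}` in literal double quotes, so any value containing `"` or `\` renders invalid YAML, and the `| default ""` is dead because the enclosing `{{- if .Values.java.customJavaOptions }}` already excludes empty values. Use the same form as `CT_HQ_BASE_URL` a few lines above: `value: {{ .Values.java.customJavaOptions | quote }}`. The hunk also drops the explanatory comments for the Java options and the trust-store password; `optional: true` on the `CT_TRUST_STORE_PASSWD` secretKeyRef is not self-explanatory, so a one-line `# password is optional; omitted when trustStorePasswordKey is unset` is worth keeping.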
@@ -112,29 +88,21 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} - - # - # Set container configuration - # ports: - name: http containerPort: 1080 protocol: TCP - + livenessProbe: - httpGet: - path: / - port: http initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} successThreshold: {{ .Values.livenessProbe.successThreshold }} failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - readinessProbe: httpGet: path: / port: http - + readinessProbe: initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} @@ -147,6 +115,21 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} + + {{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }} + - name: codetogether-llm + image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" + imagePullPolicy: Always + ports: + - name: ai + containerPort: 8000 + protocol: TCP + {{- if .Values.ai.resources }} + resources: + {{- toYaml .Values.ai.resources | nindent 12 }} + {{- end }} + {{- end }} + volumes: - name: properties-volume secret: diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index e9efd48..5f55a73 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -141,18 +141,17 @@ securityContext: {} ai: enabled: false mode: "bundled" # Options: bundled | external - provider: "ollama" # No OpenAI dependency image: repository: hub.edge.codetogether.com/releases/codetogether-llm tag: latest - resources: + resources: # Recommended resources configuration requests: cpu: "2" memory: "4Gi" gpu: false limits: cpu: "4" - memory: "8Gi" + memory: "4Gi" gpu: false readinessProbe: From 9e1cae0f284fdc868b09dbf068fb3224dd38af96 Mon Sep 17 00:00:00 2001 
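Review bot: After this hunk the `readinessProbe:` key is emitted below the `httpGet:` block rather than above it, so on the new side `readinessProbe` carries only timing fields with no handler, while `livenessProbe` gets its timing keys followed by the `httpGet` that used to belong to the readiness probe. Kubernetes rejects a probe without exactly one handler (`must specify a handler type`), so the Deployment fails validation. Restore the original order: `httpGet: {path: /, port: http}` under `livenessProbe`, then `readinessProbe:` with its own `httpGet` and timings. Indentation was lost in this view, so confirm against `helm template` output; the PATCH 24 context (`livenessProbe:` directly followed by `initialDelaySeconds`) suggests the misplacement survived.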
From: Ignacio Moreno Date: Wed, 18 Jun 2025 14:17:25 -0600 Subject: [PATCH 20/57] Gen AI Changes (#124) * Change resources of ai * Include gen ai on docker compose. * undo changes --- compose/.env-template | 4 ++++ compose/compose.ai.yaml | 13 +++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 compose/compose.ai.yaml diff --git a/compose/.env-template b/compose/.env-template index 0899e06..82fa77c 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -47,3 +47,7 @@ SSL_INTEL_CERT=ssl-intel.crt SSL_INTEL_KEY=ssl-intel.key DHPARAM_PEM=dhparam.pem + +# Uncomment the following lines to enable AI integration with Ollama +#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 +#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b diff --git a/compose/compose.ai.yaml b/compose/compose.ai.yaml new file mode 100644 index 0000000..d3ef932 --- /dev/null +++ b/compose/compose.ai.yaml @@ -0,0 +1,13 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed +services: + ai: + image: hub.edge.codetogether.com/releases/codetogether-llm:latest + container_name: codetogether-llm + ports: + - "8000:8000" + networks: + - codetogethernet + depends_on: + codetogether-intel: + condition: service_healthy \ No newline at end of file From 4fab2ad428016288a3d91d50b280bac22bd78a03 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Wed, 18 Jun 2025 14:29:39 -0600 Subject: [PATCH 21/57] Fix collab helm chart to allow usage of locator. (#134) --- charts/collab/templates/deployment.yaml | 4 ++++ charts/collab/values.yaml | 3 +++ 2 files changed, 7 insertions(+) diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 7c08ca3..689f562 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml 
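Review bot: `ports: - "8000:8000"` in compose.ai.yaml publishes the LLM container on every host interface, although the only consumer visible here is `codetogether-intel` on the shared `codetogethernet` network (the `.env-template` points it at `http://codetogether-llm:8000`). Unless host access is intended, drop the `ports:` block or bind it to loopback, `- "127.0.0.1:8000:8000"`. The `depends_on: codetogether-intel: condition: service_healthy` also reads as inverted, since intel is the client of this service; hedged, as the intel healthcheck is outside this view.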
@@ -99,6 +99,10 @@ spec: {{- if eq .Values.codetogether.mode "locator-edge" }} - name: CT_LOCATOR value: {{ .Values.locatorEdge.locator | quote }} + {{- if .Values.locatorEdge.locatorLan }} + - name: CT_LOCATOR_INTERNAL + value: {{ .Values.locatorEdge.locatorLan | quote }} + {{- end }} - name: CT_REGION value: {{ .Values.locatorEdge.region | quote }} {{- end }} diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index 04a4d89..b05bde9 100644 --- a/charts/collab/values.yaml +++ b/charts/collab/values.yaml @@ -117,6 +117,9 @@ locatorCentral: locatorEdge: # URL that the Locator is listening on. locator: "https://codetogether.locator" + # Internal k8s url for the locator service. + # Optional - If not set k8s dns need to know how to resolve the locator url. + # locatorLan: "http://..svc.cluster.local:443" # Optional region which can have CIDR IP address regions assigned to # allowing regional routing of requests. Only enable if deploying # CodeTogether to multiple regional data centers. From 8033f545dd34abada32baa7b0b4aa54c8f8d8fd4 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 30 Jun 2025 14:39:58 +0200 Subject: [PATCH 22/57] fix: invalid values in AI values section (#137) --- charts/intel/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 5f55a73..1053ca9 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -148,11 +148,11 @@ ai: requests: cpu: "2" memory: "4Gi" - gpu: false + # gpu: "1" # Uncomment and set only if GPU is needed limits: cpu: "4" memory: "4Gi" - gpu: false + # gpu: "1" # Uncomment and set only if GPU is needed readinessProbe: initialDelaySeconds: 60 From 5547e7444a042335f25538cbef7a49e1be66fee6 Mon Sep 17 00:00:00 2001 
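Review bot: The example in the new `locatorLan` comment, `# locatorLan: "http://..svc.cluster.local:443"`, has empty service and namespace segments and pairs `http://` with port 443, so a user who copies it gets a URL that neither resolves nor negotiates TLS. Spell the placeholders out: `# locatorLan: "https://<service>.<namespace>.svc.cluster.local:443"` (or `http://…:80` if the in-cluster listener is plain HTTP, which this hunk does not show). The deployment.yaml hunk above wires the value into `CT_LOCATOR_INTERNAL` unchanged, so the comment is the only guidance the user gets.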
From: Wojciech Galanciak Date: Mon, 30 Jun 2025 14:57:54 +0200 Subject: [PATCH 23/57] fix: support automatic configuration of the LLM integration if AI is enabled (#138) --- charts/intel/templates/deployment.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 121e800..656a21c 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -78,6 +78,22 @@ spec: key: {{ .Values.java.customCacerts.trustStorePasswordKey }} optional: true {{- end }} + {{- if .Values.ai.enabled }} + - name: CT_HQ_OLLAMA_AI_URL + value: {{ if eq .Values.ai.mode "bundled" }}"http://localhost:8000"{{ else }}"{{ .Values.ai.url | quote }}"{{ end }} + - name: CT_HQ_OLLAMA_AI_MODEL_NAME + value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }} + - name: CT_HQ_OLLAMA_AI_API_KEY + valueFrom: + secretKeyRef: + name: {{- if and (eq .Values.ai.mode "external") (not .Values.ai.externalSecret.create) }} + {{ .Values.ai.externalSecret.name }} + {{- else }} + {{ .Values.ai.externalSecret.name | default (printf "%s-ollama-api" .Release.Name) }} + {{- end }} + key: apiKey + {{- end }} + volumeMounts: - name: properties-volume From 6e96ea76a7fa34992d4f64ebcc02dc0893f4fbdf Mon Sep 17 00:00:00 2001 
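Review bot: The `else` branch of `CT_HQ_OLLAMA_AI_URL` is `"{{ .Values.ai.url | quote }}"` — `quote` already emits the double quotes, so in external mode the rendered value is `""https://…""`, invalid YAML; `{{ .Values.ai.url | quote }}` alone is enough. The `secretKeyRef` block reads `.Values.ai.externalSecret.create` and `.name` directly, which fails with a nil-pointer error when `ai.externalSecret` is absent from values — the reason ai-external-secret.yaml goes through `index .Values.ai "externalSecret" | default dict`. In bundled mode it references `<release>-ollama-api`, a Secret nothing in this series creates, so the pod would sit in CreateContainerConfigError, and `key: apiKey` does not match the `api-key` key the Secret template writes at this point. The next patch reworks this block; the nil-pointer guard is the part still worth carrying over.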
From: danc094codetogether Date: Mon, 30 Jun 2025 16:42:19 -0600 Subject: [PATCH 24/57] Fixes after Testing (#139) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fixes after Testing - Refactored deployment.yaml to reference ai.externalSecret.name when create: false - Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData - Updated ai-external-secret.yaml to generate a Secret only when create: true * Bump intel chart version to 1.2.5 * Fix to user http://codetogether-llm:8000/ always --------- Co-authored-by: engineering --- charts/intel/Chart.yaml | 2 +- .../intel/templates/ai-external-secret.yaml | 2 +- charts/intel/templates/deployment.yaml | 29 +++++++++---------- charts/intel/values.yaml | 16 +++++----- 4 files changed, 22 insertions(+), 27 deletions(-) diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index f3e928a..23c312a 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,7 +3,7 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.4 +version: 1.2.5 appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png diff --git a/charts/intel/templates/ai-external-secret.yaml b/charts/intel/templates/ai-external-secret.yaml index ebd6468..b01e8ad 100644 --- a/charts/intel/templates/ai-external-secret.yaml +++ b/charts/intel/templates/ai-external-secret.yaml @@ -7,6 +7,6 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - api-key: {{ $extSecret.apiKey | quote }} + apiKey: {{ $extSecret.apiKey | quote }} {{- end }} diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 656a21c..6d1c9a3 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
@@ -40,8 +40,7 @@ spec: - name: AI_BUNDLED_URL value: "http://codetogether-llm:8000" {{- end }} - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "external" }} + {{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} - name: AI_PROVIDER valueFrom: configMapKeyRef: @@ -55,9 +54,8 @@ spec: - name: AI_EXTERNAL_API_KEY valueFrom: secretKeyRef: - name: {{ (index .Values.ai "externalSecret" | default dict).name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }} - key: api-key - {{- end }} + name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name | quote }} + key: apiKey {{- end }} # Set CodeTogether runtime configuration - name: CT_HQ_BASE_URL @@ -80,21 +78,23 @@ spec: {{- end }} {{- if .Values.ai.enabled }} - name: CT_HQ_OLLAMA_AI_URL - value: {{ if eq .Values.ai.mode "bundled" }}"http://localhost:8000"{{ else }}"{{ .Values.ai.url | quote }}"{{ end }} + value: {{ if eq .Values.ai.mode "bundled" }} + "http://codetogether-llm:8000" + {{ else }} + {{ .Values.ai.url | quote }} + {{ end }} - name: CT_HQ_OLLAMA_AI_MODEL_NAME value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }} - name: CT_HQ_OLLAMA_AI_API_KEY + {{- if eq .Values.ai.mode "bundled" }} + value: "apiKey" + {{- else }} valueFrom: secretKeyRef: - name: {{- if and (eq .Values.ai.mode "external") (not .Values.ai.externalSecret.create) }} - {{ .Values.ai.externalSecret.name }} - {{- else }} - {{ .Values.ai.externalSecret.name | default (printf "%s-ollama-api" .Release.Name) }} - {{- end }} + name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name | quote }} key: apiKey + {{- end }} {{- end }} - - volumeMounts: - name: properties-volume mountPath: /opt/codetogether/runtime/cthq.properties 
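Review bot: `.Values.ai.externalSecret.name` is now dereferenced directly in both `secretKeyRef` blocks (`AI_EXTERNAL_API_KEY` in the second hunk and `CT_HQ_OLLAMA_AI_API_KEY` in the third); if `ai.externalSecret` is not declared in values.yaml — the values hunk of this patch shows no such key — rendering fails with a nil pointer, whereas the removed line used `index .Values.ai "externalSecret" | default dict` for that case. Keep the guarded form: `name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) (index .Values.ai "externalSecret" | default dict).name | quote }}`. In bundled mode `CT_HQ_OLLAMA_AI_API_KEY` is set to the literal `"apiKey"`; a comment such as `# bundled LLM does not authenticate; placeholder value` (if that is indeed the case) would stop a reader treating it as a credential.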
@@ -108,7 +108,6 @@ spec: - name: http containerPort: 1080 protocol: TCP - livenessProbe: initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} @@ -131,7 +130,6 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }} - name: codetogether-llm image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" @@ -145,7 +143,6 @@ spec: {{- toYaml .Values.ai.resources | nindent 12 }} {{- end }} {{- end }} - volumes: - name: properties-volume secret: diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 1053ca9..5587d5f 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -144,15 +144,13 @@ ai: image: repository: hub.edge.codetogether.com/releases/codetogether-llm tag: latest - resources: # Recommended resources configuration - requests: - cpu: "2" - memory: "4Gi" - # gpu: "1" # Uncomment and set only if GPU is needed - limits: - cpu: "4" - memory: "4Gi" - # gpu: "1" # Uncomment and set only if GPU is needed +# resources: # Recommended resources configuration + # requests: + # cpu: "2" + # memory: "4Gi" + #limits: + # cpu: "4" + #memory: "4Gi" readinessProbe: initialDelaySeconds: 60 From b55b89c08aee6a58e45510047968b4010443590b Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Mon, 30 Jun 2025 17:17:57 -0600 Subject: [PATCH 25/57] Changes to use localhost always to avoid dns issues (#142) Co-authored-by: engineering --- charts/intel/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 6d1c9a3..8cdb59e 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
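Review bot: Commenting out the entire `ai.resources` block in values.yaml, together with the `{{- if .Values.ai.resources }}` guard in deployment.yaml, leaves the bundled `codetogether-llm` container with no requests or limits at all, so an LLM workload can exhaust node memory and take the intel container in the same pod down with it. Keep at least the memory `requests`/`limits` active, or add a comment next to the block stating that the default is unbounded. The commented lines are also indented inconsistently (`#limits:` and `#memory:` sit at the `# resources:` level), so uncommenting them as-is yields invalid YAML; align them under `#   requests:`.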
@@ -38,7 +38,7 @@ spec: value: {{ .Values.ai.mode | quote }} {{- if eq .Values.ai.mode "bundled" }} - name: AI_BUNDLED_URL - value: "http://codetogether-llm:8000" + value: "http://localhost:8000" {{- end }} {{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} - name: AI_PROVIDER @@ -79,7 +79,7 @@ spec: {{- if .Values.ai.enabled }} - name: CT_HQ_OLLAMA_AI_URL value: {{ if eq .Values.ai.mode "bundled" }} - "http://codetogether-llm:8000" + "http://localhost:8000" {{ else }} {{ .Values.ai.url | quote }} {{ end }} From c481aed40af7ee871971098c7dd46e4622342697 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Thu, 10 Jul 2025 18:01:53 +0200 Subject: [PATCH 26/57] feat: support for optional keycloak deployment (#145) * initial config * Docker compose example to run keycloak --------- Co-authored-by: Ignacio Moreno --- compose/.gitignore | 10 +++ compose/cthq.properties | 29 ++++--- compose/keycloak/.env-template | 9 ++ compose/keycloak/compose.keycloak.yaml | 95 ++++++++++++++++++++++ compose/keycloak/nginx/log/placeholder.txt | 0 compose/keycloak/nginx/nginx.conf.template | 57 +++++++++++++ compose/keycloak/nginx/ssl/placeholder.txt | 0 7 files changed, 189 insertions(+), 11 deletions(-) create mode 100644 compose/.gitignore create mode 100644 compose/keycloak/.env-template create mode 100644 compose/keycloak/compose.keycloak.yaml create mode 100644 compose/keycloak/nginx/log/placeholder.txt create mode 100644 compose/keycloak/nginx/nginx.conf.template create mode 100644 compose/keycloak/nginx/ssl/placeholder.txt diff --git a/compose/.gitignore b/compose/.gitignore new file mode 100644 index 0000000..cdb441f --- /dev/null +++ b/compose/.gitignore @@ -0,0 +1,10 @@ +data/ +nginx/log/ +nginx/ssl/*.key +nginx/ssl/*.pem +nginx/ssl/*.crt +keycloak/nginx/log/*.log +keycloak/nginx/ssl/*.key +keycloak/nginx/ssl/*.pem +keycloak/nginx/ssl/*.crt +.env \ No newline at end of file 
diff --git a/compose/cthq.properties b/compose/cthq.properties index 8b8c254..c8c481a 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -6,19 +6,26 @@ hq.collab.secret=${INTEL_SECRET} # Fill in values specific to your deployment # If you want to run with multiple SSO providers, add their names separated with commas -hq.sso.tenants=github +# hq.sso.tenants=github # GitHub SSO -hq.sso.github.provider=github -hq.sso.github.label=GitHub -hq.sso.github.client.id= -hq.sso.github.client.secret= -hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -hq.sso.github.auth.uri=https://github.com/login/oauth/authorize -hq.sso.github.token.uri=https://github.com/login/oauth/access_token -hq.sso.github.info.uri=https://api.github.com/user -hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks -hq.sso.github.logout.uri=https://github.com/logout +# hq.sso.github.provider=github +# hq.sso.github.label=GitHub +# hq.sso.github.client.id=Iv1.45b9336a78ce2476 +# hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371 +# hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.github.auth.uri=https://github.com/login/oauth/authorize +# hq.sso.github.token.uri=https://github.com/login/oauth/access_token +# hq.sso.github.info.uri=https://api.github.com/user +# hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks +# hq.sso.github.logout.uri=https://github.com/logout + +hq.sso.provider=keycloak +hq.sso.client.id=codetogether +hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64 +hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +hq.sso.client.authentication.method=client_secret_post # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA 
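Review bot: This hunk commits live-looking credentials to an example file shipped to every user of the compose setup: `hq.sso.github.client.id=Iv1.45b9336a78ce2476`, `hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371` and `hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64`. PATCH 30 later restores placeholder lines, but the values stay in git history, so they should be treated as exposed and rotated in GitHub and Keycloak, and the example should use obvious placeholders (`hq.sso.client.secret=YOUR_CLIENT_SECRET`) or read them from `.env` the way `hq.collab.secret=${INTEL_SECRET}` does. Separately, `hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether` is the container-internal HTTP URL; if Intel validates the token `iss` claim or the discovery document against this value, tokens issued under the public `https://${KEYCLOAK_FQDN}` hostname configured via `KC_HOSTNAME` in compose.keycloak.yaml would be rejected, so the issuer likely needs to be the public URL.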
diff --git a/compose/keycloak/.env-template b/compose/keycloak/.env-template new file mode 100644 index 0000000..5127bae --- /dev/null +++ b/compose/keycloak/.env-template @@ -0,0 +1,9 @@ +KEYCLOAK_FQDN=keycloak.example.com +SSL_KEYCLOAK_CERT=ssl-keycloak.crt +SSL_KEYCLOAK_KEY=ssl-keycloak.key + +KEYCLOAK_DB_USERNAME=keycloak +KEYCLOAK_DB_PASSWORD=keycloak + +KEYCLOAK_ADMIN_PASSWORD=keycloak +KEYCLOAK_ADMIN=admin \ No newline at end of file diff --git a/compose/keycloak/compose.keycloak.yaml b/compose/keycloak/compose.keycloak.yaml new file mode 100644 index 0000000..f842905 --- /dev/null +++ b/compose/keycloak/compose.keycloak.yaml 
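Review bot: The template ships `KEYCLOAK_DB_PASSWORD=keycloak` and `KEYCLOAK_ADMIN_PASSWORD=keycloak` with no header marking them as placeholders, unlike `compose/.env-template`, which documents each variable and tells the user to pick a strong value for `INTEL_SECRET`. Because compose.keycloak.yaml also feeds `KEYCLOAK_DB_PASSWORD` into `MYSQL_ROOT_PASSWORD`, this one default becomes the database root password and the realm admin password. Add a header like the one in `compose/.env-template` and use obviously fake values, e.g. `KEYCLOAK_ADMIN_PASSWORD=change-me`; `compose/.env-with-keycloak-template` in PATCH 31 repeats the same defaults and needs the same treatment.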
@@ -0,0 +1,95 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed +services: + # Relational database for Keycloak (optional) + codetogether-mysql: + image: mysql:8.0 + container_name: codetogether-mysql + restart: unless-stopped + env_file: + - .env + environment: + MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + MYSQL_DATABASE: keycloak + MYSQL_USER: ${KEYCLOAK_DB_USERNAME} + MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + volumes: + - mysql_data:/var/lib/mysql + networks: + - codetogethernet + healthcheck: + test: ["CMD", "mysqladmin", "ping", "-h", "localhost"] + interval: 10s + timeout: 10s + retries: 30 + # Nginx reverse proxy for Keycloak (optional) + codetogether-keycloak-nginx: + image: nginx:latest + container_name: codetogether-keycloak-nginx + env_file: + - .env + environment: + - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx + ports: + - "443:443" + volumes: + - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro + - ./nginx/ssl:/etc/nginx/ssl + - ./nginx/log:/var/log/nginx + networks: + - codetogethernet + depends_on: + codetogether-keycloak: + condition: service_healthy + + # Keycloak service (optional) + codetogether-keycloak: + image: quay.io/keycloak/keycloak:latest + container_name: codetogether-keycloak + env_file: + - .env + depends_on: + codetogether-mysql: + condition: service_healthy + command: + - "start" + environment: + # Admin credentials + KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} + KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + + # Database connectivity + KC_DB: mysql + KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root} + KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + KC_DB_URL_HOST: codetogether-mysql + + # Feature flags & observability + KC_FEATURES: token-exchange + KC_HEALTH_ENABLED: "true" + KC_METRICS_ENABLED: "true" + + # Reverse‑proxy / HTTP + KC_HTTP_ENABLED: "true" + KC_PROXY: edge + KC_PROXY_HEADERS: xforwarded + KC_HOSTNAME_STRICT: "false" + KC_HOSTNAME_STRICT_HTTPS: "false" 
+ KC_HOSTNAME: ${KEYCLOAK_FQDN} + KC_FRONTEND_URL: https://${KEYCLOAK_FQDN} + KC_HTTP_PORT: 8080 + networks: + - codetogethernet + healthcheck: + test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 30s + +volumes: + mysql_data: + +networks: + codetogethernet: + driver: bridge \ No newline at end of file diff --git a/compose/keycloak/nginx/log/placeholder.txt b/compose/keycloak/nginx/log/placeholder.txt new file mode 100644 index 0000000..e69de29 diff --git a/compose/keycloak/nginx/nginx.conf.template b/compose/keycloak/nginx/nginx.conf.template new file mode 100644 index 0000000..e48b298 --- /dev/null +++ b/compose/keycloak/nginx/nginx.conf.template 
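Review bot: `MYSQL_ROOT_PASSWORD` and `MYSQL_PASSWORD` are both `${KEYCLOAK_DB_PASSWORD}`, so the application user's password doubles as the root password; Keycloak never needs root, so use a separate variable, `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_ROOT_PASSWORD}`. The `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}` fallback is inconsistent with the mysql service, which creates `${KEYCLOAK_DB_USERNAME}` with no default, so an unset variable leaves Keycloak trying root against a database that granted the app user. The healthcheck `echo > /dev/tcp/localhost/8080` only proves the port is open although `KC_HEALTH_ENABLED` is `"true"` and nginx waits on `service_healthy`; a readiness-endpoint check would be more meaningful (recent Keycloak releases serve health on the management port, 9000 by default, so verify which port applies to the pinned image). `quay.io/keycloak/keycloak:latest` is unpinned, which for an identity provider deserves a pinned tag or at least a comment.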
@@ -0,0 +1,57 @@ +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + server { + server_name ${KEYCLOAK_FQDN}; + listen 443 ssl http2; + + # configure proxy buffer sizes + proxy_buffer_size 128k; + proxy_buffers 4 256k; + + # setup the SSL certificate + ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY}; + # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + # create the passthrough to the CodeTogether Intel container + location / { + + # set passthru parameters for the CodeTogether Intel container + set $realIP $remote_addr; + set $forwardTo $proxy_add_x_forwarded_for; + set $reqHost $http_host; + client_max_body_size 32M; + if ($http_x_real_ip != '') { + set $realIP $http_x_real_ip; + } + if ($http_x_forwarded_for != '') { + set $forwardTo $http_x_forwarded_for; + } + proxy_set_header X-Real-IP $realIP; + proxy_set_header X-Forwarded-For $forwardTo; + proxy_set_header Host $reqHost; + proxy_set_header X-Forwarded-Proto https; + + # setup the backend to service the HQ requests + proxy_pass http://codetogether-keycloak:8080; + proxy_set_header X-NginX-Proxy true; + proxy_http_version 1.1; + proxy_redirect off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 360; + proxy_connect_timeout 360; + proxy_send_timeout 360; + } + } +} \ No newline at end of file diff --git a/compose/keycloak/nginx/ssl/placeholder.txt b/compose/keycloak/nginx/ssl/placeholder.txt new file mode 100644 index 0000000..e69de29 
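Review bot: The `location /` block copies `X-Real-IP` and `X-Forwarded-For` from the incoming request whenever they are present, yet this nginx is the TLS edge for Keycloak (`KC_PROXY_HEADERS: xforwarded`), so any client can pick the source address Keycloak records and applies brute-force detection to by sending those headers; unless another trusted proxy sits in front, drop the two `if` blocks and use `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, or confine header trust with `set_real_ip_from`/`real_ip_header`. `ssl_dhparam` is commented out while `ssl_ciphers` still lists `DHE-RSA-*` suites; nginx does not negotiate DHE without `ssl_dhparam`, so either uncomment it or remove those suites, and consider `ssl_protocols TLSv1.2 TLSv1.3;`. The comments `# create the passthrough to the CodeTogether Intel container` and `# setup the backend to service the HQ requests` were carried over from the Intel config and should name Keycloak.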
From 40dffd58e13f04017f57464d26d1ac39bd5783f8 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:07:48 -0600 Subject: [PATCH 27/57] 144 keycloak (#146) * initial config * Docker compose example to run keycloak * Undo properties file change * fixes on properties file --------- Co-authored-by: Wojciech Galanciak --- compose/cthq.properties | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/compose/cthq.properties b/compose/cthq.properties index c8c481a..f52ac5c 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -27,6 +27,13 @@ hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights hq.sso.client.authentication.method=client_secret_post +# hq.sso.provider=keycloak +# hq.sso.client.id=YOUR_CLIENT_ID +# hq.sso.client.secret=YOUR_CLIENT_SECRET +# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.client.authentication.method=client_secret_post + # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra From 502eb16f798694014abe80d0e9c92c1157c83d80 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:17:33 -0600 Subject: [PATCH 28/57] 144 keycloak (#147) * initial config * Docker compose example to run keycloak * Undo properties file change * fixes on properties file --------- Co-authored-by: Wojciech Galanciak --- compose/cthq.properties | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/compose/cthq.properties b/compose/cthq.properties index f52ac5c..1e985ae 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties 
@@ -34,6 +34,13 @@ hq.sso.client.authentication.method=client_secret_post # hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights # hq.sso.client.authentication.method=client_secret_post +# hq.sso.provider=keycloak +# hq.sso.client.id=YOUR_CLIENT_ID +# hq.sso.client.secret=YOUR_CLIENT_SECRET +# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.client.authentication.method=client_secret_post + # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra From f3790b8aecf8750940437c49b55fddf09fa7370e Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:21:11 -0600 Subject: [PATCH 29/57] 144 keycloak (#149) --- compose/cthq.properties | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/compose/cthq.properties b/compose/cthq.properties index 1e985ae..761ad28 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -41,6 +41,13 @@ hq.sso.client.authentication.method=client_secret_post # hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights # hq.sso.client.authentication.method=client_secret_post +# hq.sso.provider=keycloak +# hq.sso.client.id=YOUR_CLIENT_ID +# hq.sso.client.secret=YOUR_CLIENT_SECRET +# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.client.authentication.method=client_secret_post + # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra From a044e6018527ebb2a8a6dc1cf84a31e7ba24492e Mon Sep 17 00:00:00 2001 
From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:22:34 -0600 Subject: [PATCH 30/57] fixes on properties file --- compose/cthq.properties | 50 +++++++++-------------------------------- 1 file changed, 11 insertions(+), 39 deletions(-) diff --git a/compose/cthq.properties b/compose/cthq.properties index 761ad28..8b8c254 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties 
@@ -6,47 +6,19 @@ hq.collab.secret=${INTEL_SECRET} # Fill in values specific to your deployment # If you want to run with multiple SSO providers, add their names separated with commas -# hq.sso.tenants=github +hq.sso.tenants=github # GitHub SSO -# hq.sso.github.provider=github -# hq.sso.github.label=GitHub -# hq.sso.github.client.id=Iv1.45b9336a78ce2476 -# hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371 -# hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -# hq.sso.github.auth.uri=https://github.com/login/oauth/authorize -# hq.sso.github.token.uri=https://github.com/login/oauth/access_token -# hq.sso.github.info.uri=https://api.github.com/user -# hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks -# hq.sso.github.logout.uri=https://github.com/logout - -hq.sso.provider=keycloak -hq.sso.client.id=codetogether -hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64 -hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether -hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -hq.sso.client.authentication.method=client_secret_post - -# hq.sso.provider=keycloak -# hq.sso.client.id=YOUR_CLIENT_ID -# hq.sso.client.secret=YOUR_CLIENT_SECRET -# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether -# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -# hq.sso.client.authentication.method=client_secret_post - -# hq.sso.provider=keycloak -# hq.sso.client.id=YOUR_CLIENT_ID -# hq.sso.client.secret=YOUR_CLIENT_SECRET -# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether -# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -# hq.sso.client.authentication.method=client_secret_post - -# hq.sso.provider=keycloak -# hq.sso.client.id=YOUR_CLIENT_ID -# hq.sso.client.secret=YOUR_CLIENT_SECRET -# 
hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether -# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -# hq.sso.client.authentication.method=client_secret_post +hq.sso.github.provider=github +hq.sso.github.label=GitHub +hq.sso.github.client.id= +hq.sso.github.client.secret= +hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +hq.sso.github.auth.uri=https://github.com/login/oauth/authorize +hq.sso.github.token.uri=https://github.com/login/oauth/access_token +hq.sso.github.info.uri=https://api.github.com/user +hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks +hq.sso.github.logout.uri=https://github.com/logout # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA From 98cd5b5665d004c50845e010a2858b04ade30927 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 11:07:57 -0600 Subject: [PATCH 31/57] Prepare examples for deployment with keycloak. --- compose/.env-with-keycloak-template | 63 ++++++++ .../keycloak/compose-keycloak-no-nginx.yaml | 76 ++++++++++ ...se.keycloak.yaml => compose-keycloak.yaml} | 0 .../ssl/nginx-with-keycloak.conf.template | 143 ++++++++++++++++++ 4 files changed, 282 insertions(+) create mode 100644 compose/.env-with-keycloak-template create mode 100644 compose/keycloak/compose-keycloak-no-nginx.yaml rename compose/keycloak/{compose.keycloak.yaml => compose-keycloak.yaml} (100%) create mode 100644 compose/nginx/ssl/nginx-with-keycloak.conf.template diff --git a/compose/.env-with-keycloak-template b/compose/.env-with-keycloak-template new file mode 100644 index 0000000..9662e99 --- /dev/null +++ b/compose/.env-with-keycloak-template 
@@ -0,0 +1,63 @@ +############################################################################### +# CodeTogether – Environment Template +# ----------------------------------------------------------------------------- +# 1. Copy this file to `.env` in the same directory as `compose.yaml`. +# 2. Replace the placeholders on the right‑hand side with your real values. +# 3. Place all SSL certificates and Diffie‑Hellman parameters in the +# `nginx/ssl` directory. +# 4. Configure your SSO provider in the `cthq.properties` file. +# 5. Run `docker‑compose up -d` to start the containers. +# +# Variables (all required unless stated otherwise) +# ---------------------------------------------- +# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the +# Collab service (e.g. collab.example.com). +# +# INTEL_FQDN Public hostname (FQDN) for the Intel service +# (e.g. intel.example.com). +# +# INTEL_SECRET Shared secret Collab uses to authenticate when +# communicating with the Intel service. Use a strong, +# private value. +# +# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab +# virtual host (e.g. ssl-collab.crt). +# +# SSL_COLLAB_KEY Private key filename for the Collab certificate +# (e.g. ssl-collab.key). +# +# SSL_INTEL_CERT Certificate filename for the Intel virtual host +# (e.g. ssl-intel.crt). +# +# SSL_INTEL_KEY Private key filename for the Intel certificate +# (e.g. ssl-intel.key). +# +# DHPARAM_PEM Diffie‑Hellman parameters file (e.g. dhparam.pem). +############################################################################### + +COLLAB_FQDN=collab.example.com +INTEL_FQDN=intel.example.com +INTEL_SECRET=super-secret-string + +# SSL cerfificate files should be placed in the `nginx/ssl` directory. 
+SSL_COLLAB_CERT=ssl-collab.crt +SSL_COLLAB_KEY=ssl-collab.key + +SSL_INTEL_CERT=ssl-intel.crt +SSL_INTEL_KEY=ssl-intel.key + +DHPARAM_PEM=dhparam.pem + +KEYCLOAK_FQDN=keycloak.example.com +SSL_KEYCLOAK_CERT=ssl-keycloak.crt +SSL_KEYCLOAK_KEY=ssl-keycloak.key + +KEYCLOAK_DB_USERNAME=keycloak +KEYCLOAK_DB_PASSWORD=keycloak + +KEYCLOAK_ADMIN_PASSWORD=keycloak +KEYCLOAK_ADMIN=admin + +# Uncomment the following lines to enable AI integration with Ollama +#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 +#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b diff --git a/compose/keycloak/compose-keycloak-no-nginx.yaml b/compose/keycloak/compose-keycloak-no-nginx.yaml new file mode 100644 index 0000000..883a88d --- /dev/null +++ b/compose/keycloak/compose-keycloak-no-nginx.yaml 
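Review bot: The template ships usable default credentials — `KEYCLOAK_DB_PASSWORD=keycloak`, `KEYCLOAK_ADMIN_PASSWORD=keycloak` and `INTEL_SECRET=super-secret-string` — that the compose files substitute verbatim, so anyone who copies the file without editing it gets a deployment with known passwords. Prefer values that cannot be used by accident (empty, or a `CHANGE_ME` placeholder) and list `KEYCLOAK_FQDN`, `SSL_KEYCLOAK_*`, `KEYCLOAK_DB_*` and `KEYCLOAK_ADMIN*` in the header, which currently says it documents all required variables but stops at `DHPARAM_PEM`. Two text issues: `docker‑compose` in step 5 uses a non-ASCII hyphen (U+2011) and fails when pasted into a shell, and `cerfificate` in the SSL comment is a typo.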
@@ -0,0 +1,76 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed +services: + # Relational database for Keycloak (optional) + codetogether-mysql: + image: mysql:8.0 + container_name: codetogether-mysql + restart: unless-stopped + env_file: + - .env + environment: + MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + MYSQL_DATABASE: keycloak + MYSQL_USER: ${KEYCLOAK_DB_USERNAME} + MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + volumes: + - mysql_data:/var/lib/mysql + networks: + - codetogethernet + healthcheck: + test: ["CMD", "mysqladmin", "ping", "-h", "localhost"] + interval: 10s + timeout: 10s + retries: 30 + + # Keycloak service (optional) + codetogether-keycloak: + image: quay.io/keycloak/keycloak:latest + container_name: codetogether-keycloak + env_file: + - .env + depends_on: + codetogether-mysql: + condition: service_healthy + command: + - "start" + environment: + # Admin credentials + KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} + KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + + # Database connectivity + KC_DB: mysql + KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root} + KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + KC_DB_URL_HOST: codetogether-mysql + + # Feature flags & observability + KC_FEATURES: token-exchange + KC_HEALTH_ENABLED: "true" + KC_METRICS_ENABLED: "true" + + # Reverse‑proxy / HTTP + KC_HTTP_ENABLED: "true" + KC_PROXY: edge + KC_PROXY_HEADERS: xforwarded + KC_HOSTNAME_STRICT: "false" + KC_HOSTNAME_STRICT_HTTPS: "false" + KC_HOSTNAME: ${KEYCLOAK_FQDN} + KC_FRONTEND_URL: https://${KEYCLOAK_FQDN} + KC_HTTP_PORT: 8080 + networks: + - codetogethernet + healthcheck: + test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 30s + +volumes: + mysql_data: + +networks: + codetogethernet: + driver: bridge \ No newline at end of file 
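Review bot: `env_file: .env` on both services injects every variable in `.env` — including `INTEL_SECRET`, `KEYCLOAK_ADMIN_PASSWORD` and the certificate filenames — into the MySQL and Keycloak containers, although the explicit `environment:` blocks already map the few keys each one needs; dropping the two `env_file` entries keeps each container to least privilege (interpolation of `${...}` in `environment:` still reads `.env` from the project directory). `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}` gives the MySQL root account the same password as the application account; a separate `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_ROOT_PASSWORD}` is cheap. `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}` defaults to root while `MYSQL_USER` uses the bare variable, so the two sides disagree whenever `KEYCLOAK_DB_USERNAME` is unset; use the same expression on both. `quay.io/keycloak/keycloak:latest` and `mysql:8.0` are floating tags — pin exact versions so upgrades are deliberate and reviewable.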
diff --git a/compose/keycloak/compose.keycloak.yaml b/compose/keycloak/compose-keycloak.yaml similarity index 100% rename from compose/keycloak/compose.keycloak.yaml rename to compose/keycloak/compose-keycloak.yaml diff --git a/compose/nginx/ssl/nginx-with-keycloak.conf.template b/compose/nginx/ssl/nginx-with-keycloak.conf.template new file mode 100644 index 0000000..20260b7 --- /dev/null +++ b/compose/nginx/ssl/nginx-with-keycloak.conf.template 
@@ -0,0 +1,143 @@ +### To use this file rename it to nginx.conf.template so it is picked up by the compose.yml file. +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + server { + listen 443 ssl http2; + server_name ${COLLAB_FQDN}; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + location / { + # Similar proxy logic for headers + set $realIP $remote_addr; + set $forwardTo $proxy_add_x_forwarded_for; + set $reqHost $http_host; + if ($http_x_real_ip != '') { + set $realIP $http_x_real_ip; + } + if ($http_x_forwarded_for != '') { + set $forwardTo $http_x_forwarded_for; + } + add_header C-Real-IP $realIP; + add_header C-Forwarded-For $forwardTo; + add_header C-Request-Host $reqHost; + proxy_set_header X-Real-IP $realIP; + proxy_set_header X-Forwarded-For $forwardTo; + proxy_set_header Host $reqHost; + proxy_set_header X-NginX-Proxy true; + proxy_http_version 1.1; + proxy_redirect off; + proxy_pass http://codetogether-collab:1080; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 360; + proxy_connect_timeout 360; + proxy_send_timeout 360; + } + } + server { + server_name ${INTEL_FQDN}; + listen 443 ssl http2; + + # configure proxy buffer sizes + proxy_buffer_size 128k; + proxy_buffers 4 256k; + + # setup the SSL certificate + ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY}; + ssl_dhparam 
/etc/nginx/ssl/${DHPARAM_PEM}; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + # create the passthrough to the CodeTogether Intel container + location / { + + # set passthru parameters for the CodeTogether Intel container + set $realIP $remote_addr; + set $forwardTo $proxy_add_x_forwarded_for; + set $reqHost $http_host; + client_max_body_size 32M; + if ($http_x_real_ip != '') { + set $realIP $http_x_real_ip; + } + if ($http_x_forwarded_for != '') { + set $forwardTo $http_x_forwarded_for; + } + proxy_set_header X-Real-IP $realIP; + proxy_set_header X-Forwarded-For $forwardTo; + proxy_set_header Host $reqHost; + + # setup the backend to service the HQ requests + proxy_pass http://codetogether-intel:1080; + proxy_set_header X-NginX-Proxy true; + proxy_http_version 1.1; + proxy_redirect off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 360; + proxy_connect_timeout 360; + proxy_send_timeout 360; + } + } + server { + server_name ${KEYCLOAK_FQDN}; + listen 443 ssl http2; + + # configure proxy buffer sizes + proxy_buffer_size 128k; + proxy_buffers 4 256k; + + # setup the SSL certificate + ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY}; + # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + # create the passthrough to the CodeTogether Intel container + location / { + + # set passthru parameters for the CodeTogether 
Intel container + set $realIP $remote_addr; + set $forwardTo $proxy_add_x_forwarded_for; + set $reqHost $http_host; + client_max_body_size 32M; + if ($http_x_real_ip != '') { + set $realIP $http_x_real_ip; + } + if ($http_x_forwarded_for != '') { + set $forwardTo $http_x_forwarded_for; + } + proxy_set_header X-Real-IP $realIP; + proxy_set_header X-Forwarded-For $forwardTo; + proxy_set_header Host $reqHost; + proxy_set_header X-Forwarded-Proto https; + + # setup the backend to service the HQ requests + proxy_pass http://codetogether-keycloak:8080; + proxy_set_header X-NginX-Proxy true; + proxy_http_version 1.1; + proxy_redirect off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 360; + proxy_connect_timeout 360; + proxy_send_timeout 360; + } + } +} \ No newline at end of file From 0191fcd1ed6a08d53f498d346e4064bb51d786c5 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 11:15:24 -0600 Subject: [PATCH 32/57] move files --- compose/nginx/{ssl => }/nginx-with-keycloak.conf.template | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename compose/nginx/{ssl => }/nginx-with-keycloak.conf.template (100%) diff --git a/compose/nginx/ssl/nginx-with-keycloak.conf.template b/compose/nginx/nginx-with-keycloak.conf.template similarity index 100% rename from compose/nginx/ssl/nginx-with-keycloak.conf.template rename to compose/nginx/nginx-with-keycloak.conf.template From 65d2a487e964cf6970d63cb5a14bdeae9652b89b Mon Sep 17 00:00:00 2001 
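Review bot: Each of the three `location /` blocks copies a client-supplied `X-Real-IP` / `X-Forwarded-For` into `$realIP` / `$forwardTo` whenever the header is non-empty, so any client can choose the source address that Collab, Intel and Keycloak see; for Keycloak, which the companion compose file configures with `KC_PROXY_HEADERS: xforwarded`, that presumably feeds per-IP brute-force protection and audit logging. nginx's realip module exists for exactly this: declare the trusted upstream proxy range with `set_real_ip_from` at `http` level, let it rewrite `$remote_addr`, and pass `$remote_addr` / `$proxy_add_x_forwarded_for` unconditionally — the `if` blocks and the `C-*` response headers that echo the spoofable values back to the client can then go. Separately, the Keycloak `server` comments out `ssl_dhparam` while keeping the `DHE-RSA-*` suites in `ssl_ciphers`; either restore the dhparam line or drop the DHE suites so the three vhosts behave alike, and consider `ssl_protocols TLSv1.2 TLSv1.3;`.
```nginx
    # inside http { }: trust X-Forwarded-For only when it comes from the upstream LB/proxy
    set_real_ip_from 10.0.0.0/8;          # replace with the real proxy address(es)
    real_ip_header   X-Forwarded-For;
    real_ip_recursive on;
    # … unchanged: server blocks; in every location / replace the if-blocks and add_header lines with …
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host            $http_host;
```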
From: danc094codetogether Date: Mon, 21 Jul 2025 16:29:25 -0600 Subject: [PATCH 33/57] feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat(charts, compose): add CT_TRUST_ALL_CERTS support Fixes: #157 - values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS - deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled - .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose - compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether‑intel service * refactor(charts): move trustAllCerts under codetogether section - values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false) - deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts * fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry - Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service - Rely on `env_file: .env` to inject the variable --------- Co-authored-by: engineering --- charts/intel/templates/deployment.yaml | 4 ++++ charts/intel/values.yaml | 2 ++ compose/.env-template | 4 ++++ 3 files changed, 10 insertions(+) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 8cdb59e..b37a34f 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -76,6 +76,10 @@ spec: key: {{ .Values.java.customCacerts.trustStorePasswordKey }} optional: true {{- end }} + {{- if .Values.codetogether.trustAllCerts }} + - name: CT_TRUST_ALL_CERTS + value: "true" + {{- end }} {{- if .Values.ai.enabled }} - name: CT_HQ_OLLAMA_AI_URL value: {{ if eq .Values.ai.mode "bundled" }} diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 5587d5f..3eb285f 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml 
@@ -38,6 +38,8 @@ imageCredentials: # codetogether: url: https:// + trustAllCerts: false # Set to 'true' to trust all certificates + hqproperties: hq.sso.client.id: CLIENTID.apps.googleusercontent.com diff --git a/compose/.env-template b/compose/.env-template index 82fa77c..502b43d 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -51,3 +51,7 @@ DHPARAM_PEM=dhparam.pem # Uncomment the following lines to enable AI integration with Ollama #CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 #CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b + +# Enable “to trust all certificates” +CT_TRUST_ALL_CERTS=false + From 5f5741c2c925858607a47d8aa8932227faac3cb0 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Mon, 11 Aug 2025 13:05:47 -0600 Subject: [PATCH 34/57] feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161) Fixes: #160 Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional so it is not rendered when AI is disabled. This prevents clashes with pre-existing `ai-secrets` owned by other releases and keeps templates clean. --- charts/intel/templates/secrets.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/intel/templates/secrets.yaml b/charts/intel/templates/secrets.yaml index b5b85e7..9f50ecd 100644 --- a/charts/intel/templates/secrets.yaml +++ b/charts/intel/templates/secrets.yaml @@ -1,3 +1,4 @@ +{{- if .Values.ai.enabled }} apiVersion: v1 kind: Secret metadata: @@ -14,3 +15,4 @@ data: external-ai-key: {{ .Values.ai.external.api_key | b64enc }} {{- end }} {{- end }} +{{- end }} From 264c8e4f92842860f6320e3ead4ccf80e886795e Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Tue, 12 Aug 2025 07:16:01 -0600 Subject: [PATCH 35/57] fix: improve keycloak compose health check (#162) --- compose/keycloak/compose-keycloak-no-nginx.yaml | 10 +++++++--- compose/keycloak/compose-keycloak.yaml | 10 +++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) 
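Review bot: The comment on `trustAllCerts: false` says only "Set to 'true' to trust all certificates", but the flag, through the `CT_TRUST_ALL_CERTS=true` injection in deployment.yaml, presumably disables certificate verification for the Intel service's outbound TLS, and the values file should say what that costs: `trustAllCerts: false  # true disables TLS certificate verification for outbound connections (MITM risk) — for private CAs use java.customCacerts instead`. The deployment template already supports a custom `cacerts` Secret, so the safer path exists and should be pointed to here. It may also be worth failing the render when both `trustAllCerts` and a custom truststore are configured, since the former makes the latter irrelevant.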
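Review bot: The comment above `CT_TRUST_ALL_CERTS=false` reads `# Enable “to trust all certificates”`, with typographic quotes and no word about what the flag does or why it is dangerous; suggest `# Testing only: true disables TLS certificate verification for the Intel service (MITM risk); use a trusted certificate or CA in production`. The commit message says the variable reaches the container via `env_file: .env`, so it presumably lands in every service that lists `.env` as an env_file, not only codetogether-intel — a short remark on that scope would help operators.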
diff --git a/compose/keycloak/compose-keycloak-no-nginx.yaml b/compose/keycloak/compose-keycloak-no-nginx.yaml index 883a88d..aee976e 100644 --- a/compose/keycloak/compose-keycloak-no-nginx.yaml +++ b/compose/keycloak/compose-keycloak-no-nginx.yaml @@ -62,11 +62,15 @@ services: networks: - codetogethernet healthcheck: - test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] + test: + [ + "CMD-SHELL", + "bash -lc 'exec 3<>/dev/tcp/127.0.0.1/9000 && printf \"GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n1 <&3 | grep -q \" 200 \"'" + ] interval: 10s timeout: 5s - retries: 5 - start_period: 30s + retries: 30 + start_period: 90s volumes: mysql_data: diff --git a/compose/keycloak/compose-keycloak.yaml b/compose/keycloak/compose-keycloak.yaml index f842905..ba83c4b 100644 --- a/compose/keycloak/compose-keycloak.yaml +++ b/compose/keycloak/compose-keycloak.yaml @@ -81,11 +81,15 @@ services: networks: - codetogethernet healthcheck: - test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] + test: + [ + "CMD-SHELL", + "bash -lc 'exec 3<>/dev/tcp/127.0.0.1/9000 && printf \"GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n1 <&3 | grep -q \" 200 \"'" + ] interval: 10s timeout: 5s - retries: 5 - start_period: 30s + retries: 30 + start_period: 90s volumes: mysql_data: From ecf00a434e9acb60cd9f5c30debb14e4fb32796d Mon Sep 17 00:00:00 2001 
From: danc094codetogether Date: Wed, 27 Aug 2025 12:33:27 -0600 Subject: [PATCH 36/57] fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: #163 Problem - Deploying multiple `codetogether-intel` releases in the same namespace caused a collision on statically named resources (e.g., `ai-secrets` / `ai-config`), producing Helm ownership errors. What changed - templates/ai-config.yaml - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`. - Name is now release-scoped: `{{ .Release.Name }}-ai-config`. - templates/ai-external-secret.yaml - Respect `ai.externalSecret.create` and `ai.externalSecret.name`. - Default Secret name is release-scoped: `{{ include "codetogether.fullname" . }}-ai-external-secret`. - Store API key under `stringData.apiKey`. - templates/deployment.yaml - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`. - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret: `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`. - Bundled mode unchanged; external resources are not created in bundled mode. Why - Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`) can coexist in the same namespace without Helm ownership clashes. How to test - External (chart-managed Secret): `helm template demo-staging-intel ./charts/intel -n default \ --set ai.enabled=true --set ai.mode=external \ --set ai.provider=openai --set ai.url=https://api.openai.com \ --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY` → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`. 
- External (existing Secret): `kubectl create secret generic my-custom-ai-secret -n default \ --from-literal=apiKey=TESTKEY` `helm template qa-intel ./charts/intel -n default \ --set ai.enabled=true --set ai.mode=external \ --set ai.provider=openai --set ai.url=https://api.openai.com \ --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret` → renders only the release-scoped ConfigMap; Deployment references the existing Secret. - Bundled: `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled` → no AI ConfigMap/Secret rendered; sidecar included. --- charts/intel/templates/ai-config.yaml | 5 ++++- charts/intel/templates/deployment.yaml | 4 ++-- charts/intel/values.yaml | 10 +++++++--- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/charts/intel/templates/ai-config.yaml b/charts/intel/templates/ai-config.yaml index 763fedb..0074238 100644 --- a/charts/intel/templates/ai-config.yaml +++ b/charts/intel/templates/ai-config.yaml @@ -2,10 +2,13 @@ apiVersion: v1 kind: ConfigMap metadata: - name: ai-config + name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }} namespace: {{ .Release.Namespace }} + labels: + {{- include "codetogether.labels" . | nindent 4 }} data: ai_provider: {{ .Values.ai.provider | quote }} ai_url: {{ .Values.ai.url | quote }} {{- end }} + diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index b37a34f..4af3218 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -44,12 +44,12 @@ spec: - name: AI_PROVIDER valueFrom: configMapKeyRef: - name: ai-config + name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }} key: ai_provider - name: AI_EXTERNAL_URL valueFrom: configMapKeyRef: - name: ai-config + name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }} key: ai_url - name: AI_EXTERNAL_API_KEY valueFrom: 
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 3eb285f..b17e158 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -143,9 +143,13 @@ securityContext: {} ai: enabled: false mode: "bundled" # Options: bundled | external - image: - repository: hub.edge.codetogether.com/releases/codetogether-llm - tag: latest + provider: "" + url: "" + modelName: "gemma3:1b" + externalSecret: + create: false + name: "" + apiKey: "" # resources: # Recommended resources configuration # requests: # cpu: "2" From b7f92f8939f1aa761b1800f9f96d20472be58991 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Fri, 5 Sep 2025 11:31:20 -0600 Subject: [PATCH 37/57] chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166) Fixes: #165 - Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD. - Update compose files to pass new env vars to the Keycloak container. - Refresh .env templates to reflect the new names. - Remove references to deprecated vars. Touched: - compose/.env-with-keycloak-template - compose/keycloak/.env-template - compose/keycloak/compose-keycloak.yaml - compose/keycloak/compose-keycloak-no-nginx.yaml Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap. BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*. --- compose/.env-with-keycloak-template | 4 ++-- compose/keycloak/.env-template | 4 ++-- compose/keycloak/compose-keycloak-no-nginx.yaml | 4 ++-- compose/keycloak/compose-keycloak.yaml | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/compose/.env-with-keycloak-template b/compose/.env-with-keycloak-template index 9662e99..b609fb9 100644 --- a/compose/.env-with-keycloak-template +++ b/compose/.env-with-keycloak-template 
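Review bot: The values hunk deletes `ai.image.repository` / `ai.image.tag` while the commit message says bundled mode is unchanged; if deployment.yaml still references `.Values.ai.image` for the bundled sidecar (that part of the template is outside this diff), rendering with `ai.mode=bundled` now fails or emits an empty image reference — either keep the `image:` keys or include the template change that drops them. `externalSecret.apiKey: ""` invites operators to put a live API key into a values file, where it ends up in version control and in the Helm release Secret; the comment should steer them to `create: false` plus `name:` for a pre-created Secret, e.g. `apiKey: ""  # avoid committing a key here; prefer create=false with an existing Secret (key: apiKey)`. The diffstat lists no `templates/ai-external-secret.yaml` although the description says that file was changed, so the Secret that `AI_EXTERNAL_API_KEY` reads from is not part of this patch.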
@@ -55,8 +55,8 @@ SSL_KEYCLOAK_KEY=ssl-keycloak.key KEYCLOAK_DB_USERNAME=keycloak KEYCLOAK_DB_PASSWORD=keycloak -KEYCLOAK_ADMIN_PASSWORD=keycloak -KEYCLOAK_ADMIN=admin +KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak +KC_BOOTSTRAP_ADMIN_USERNAME=admin # Uncomment the following lines to enable AI integration with Ollama #CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 diff --git a/compose/keycloak/.env-template b/compose/keycloak/.env-template index 5127bae..d74827d 100644 --- a/compose/keycloak/.env-template +++ b/compose/keycloak/.env-template @@ -5,5 +5,5 @@ SSL_KEYCLOAK_KEY=ssl-keycloak.key KEYCLOAK_DB_USERNAME=keycloak KEYCLOAK_DB_PASSWORD=keycloak -KEYCLOAK_ADMIN_PASSWORD=keycloak -KEYCLOAK_ADMIN=admin \ No newline at end of file +KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak +KC_BOOTSTRAP_ADMIN_USERNAME=admin \ No newline at end of file diff --git a/compose/keycloak/compose-keycloak-no-nginx.yaml b/compose/keycloak/compose-keycloak-no-nginx.yaml index aee976e..8af2fd9 100644 --- a/compose/keycloak/compose-keycloak-no-nginx.yaml +++ b/compose/keycloak/compose-keycloak-no-nginx.yaml @@ -36,8 +36,8 @@ services: - "start" environment: # Admin credentials - KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} - KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME} + KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD} # Database connectivity KC_DB: mysql diff --git a/compose/keycloak/compose-keycloak.yaml b/compose/keycloak/compose-keycloak.yaml index ba83c4b..d1d5233 100644 --- a/compose/keycloak/compose-keycloak.yaml +++ b/compose/keycloak/compose-keycloak.yaml @@ -55,8 +55,8 @@ services: - "start" environment: # Admin credentials - KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} - KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME} + KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD} # Database connectivity KC_DB: mysql 
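Review bot: The rename keeps `KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak` as the shipped value in both templates, so any deployment that copies a template unchanged exposes the Keycloak admin console with admin/keycloak; a placeholder that cannot be used by accident is safer. As the commit message notes, the bootstrap variables are consumed on first start only, which deserves a comment next to them, e.g. `# Used only on first start to create the initial admin; changing these later has no effect — rotate the password in the admin console`. The same two lines recur in `compose/keycloak/.env-template`.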
From 2256e9d9820160ca878e90fa1fd8802b57c19a9b Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Thu, 18 Sep 2025 12:49:01 -0600 Subject: [PATCH 38/57] feat(helm): add RO rootfs support for Intel and Collab (#169) * feat(helm): add RO rootfs support for Intel and Collab Fixes: #168 - tmpfs emptyDir for /run and /tmp - RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx - Intel: initContainer to create subpaths - enable via securityContext (readOnlyRootFileSystem, runAsUser=0) * Typo fixes * Typo fixes * Fixing typo * Changes to defauts * Fixes --- charts/collab/templates/deployment.yaml | 4 +++ charts/collab/values.yaml | 6 ++--- charts/intel/templates/deployment.yaml | 35 +++++++++++++++++++++++++ charts/intel/values.yaml | 11 +++++--- 4 files changed, 50 insertions(+), 6 deletions(-) diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 689f562..7a6288f 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml @@ -182,6 +182,10 @@ spec: name: codetogether-runtime - mountPath: /tmp name: codetogether-tmp + - mountPath: /var/log/nginx + name: codetogether-runtime + - mountPath: /var/cache/nginx + name: codetogether-runtime {{- if .Values.favicon.enabled }} - mountPath: /opt/volatile-template/nginx/favicon.ico name: favicon-volume diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index b05bde9..13e4026 100644 --- a/charts/collab/values.yaml +++ b/charts/collab/values.yaml @@ -206,13 +206,13 @@ serviceAccount: podAnnotations: {} -securityContext: {} +securityContext: {} #defaults to # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + # readOnlyRootFilesystem: true # enable for read-only setup + # runAsUser: 0 # Use '0' for root user for read-only setup readinessProbe: initialDelaySeconds: 60 
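Review bot: The two new mounts put `/var/log/nginx` and `/var/cache/nginx` on the `codetogether-runtime` emptyDir that the preceding context line shows is already mounted elsewhere in this container, with no `subPath`, so nginx's log files, its cache tree and the runtime mount all share one directory root and can collide; use `subPath: var-log-nginx` and `subPath: var-cache-nginx` the way the Intel chart in this same patch does. The enclosing `volumeMounts` list starts and ends outside the hunk, so the other paths backed by this volume are not visible here.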
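Review bot: The `securityContext` defaults comment now recommends `runAsUser: 0 # Use '0' for root user for read-only setup` directly under `runAsNonRoot: true`; a container with both set is refused by the kubelet, and running nginx as root to obtain a read-only root filesystem trades a stronger control for a weaker one. The previous example, `runAsUser: 1000`, was the right default — if the read-only layout needs specific ownership of the emptyDirs, that belongs in `fsGroup` or an init step, not in advice to run as root. Suggest `# runAsUser: 1000  # do not combine runAsNonRoot: true with runAsUser: 0`.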
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 4af3218..3ccea51 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -26,6 +26,17 @@ spec: imagePullSecrets: - name: {{ include "codetogether.fullname" . }}-pull-secret {{- end }} + {{- if .Values.readOnlyMode.enabled }} + initContainers: + - name: prepare-ro + image: busybox:latest + securityContext: + runAsUser: 0 + command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"] + volumeMounts: + - name: volatile + mountPath: /mnt/volatile + {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} @@ -108,6 +119,20 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} + {{- if .Values.readOnlyMode.enabled }} + - name: volatile + mountPath: /run/volatile + - name: run + mountPath: /run + - name: tmp + mountPath: /tmp + - name: volatile + mountPath: /var/log/nginx + subPath: var-log-nginx + - name: volatile + mountPath: /var/cache/nginx + subPath: var-cache-nginx + {{- end }} ports: - name: http containerPort: 1080 @@ -156,6 +181,16 @@ spec: secret: secretName: {{ .Values.java.customCacerts.cacertsSecretName }} {{- end }} + {{- if .Values.readOnlyMode.enabled }} + - name: volatile + emptyDir: {} + - name: run + emptyDir: + medium: Memory + - name: tmp + emptyDir: + medium: Memory + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index b17e158..a0378cb 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml 
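Review bot: The `prepare-ro` initContainer creates `/mnt/var/log-codetogether`, which is not under the `/mnt/volatile` mount, so that directory lands in the init container's own ephemeral filesystem and is gone when the main container starts; and `|| true` hides any mkdir failure, so the main container starts against missing subpaths. Drop the stray path and let mkdir fail loudly, e.g. `command: ["sh", "-c", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx"]`. `image: busybox:latest` is a floating Docker Hub tag pulled at pod start and run as root — pin a version or digest, and check whether the pre-creation is needed at all, since I believe the kubelet creates missing `subPath` directories on emptyDir volumes itself.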
@@ -32,7 +32,7 @@ imageCredentials: email: unused # -# Set CodeTogether runing mode and server's FQDN (HTTPS is mandatory for CodeTogether) +# Set CodeTogether running mode and server's FQDN (HTTPS is mandatory for CodeTogether) # Use 'direct' for simple evaluations and small deployments. CodeTogether can provide # guidance on the best deployment option based on your needs. # @@ -132,11 +132,13 @@ serviceAccount: podAnnotations: {} -securityContext: {} +securityContext: {} #defaults to + # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true + #readOnlyRootFilesystem: true # enable for read-only setup + #runAsUser: 0 # Use '0' for root user for read-only setup # runAsNonRoot: true # runAsUser: 1000 @@ -179,3 +181,6 @@ tolerations: [] affinity: {} replicaCount: 1 + +readOnlyMode: + enabled: false # Set to 'true' to enable read-only mode \ No newline at end of file From 54402d5993857b34a4a021d8286d314e35fd980c Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Thu, 18 Sep 2025 14:00:56 -0600 Subject: [PATCH 39/57] feat(helm-collab): Support optional existing secret for Intel connection (#171) Fixes: #170 - add values: intelsecret.enabled/ref - conditionally render templates/secret-intel.yaml - deployment envs read from external secret when enabled(fail if ref missing) - default unchanged (chart still creates "release"-intel) --- charts/collab/templates/deployment.yaml | 18 +++++++++++++++--- charts/collab/templates/secret-intel.yaml | 2 ++ charts/collab/values.yaml | 5 +++++ 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 7a6288f..eb2332e 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml 
@@ -13,7 +13,7 @@ spec: annotations: checksum/coturn: {{ include (print $.Template.BasePath "/secret-coturn.yaml") . | sha256sum }} checksum/dashboard: {{ include (print $.Template.BasePath "/secret-dashboard.yaml") . | sha256sum }} - checksum/intel: {{ include (print $.Template.BasePath "/secret-intel.yaml") . | sha256sum }} + checksum/intel: {{- if not .Values.intelsecret.enabled }} {{ include (print $.Template.BasePath "/secret-intel.yaml") . | sha256sum }} {{- else }} "external" {{- end }} checksum/ssl: {{ include (print $.Template.BasePath "/secret-ssl.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} @@ -139,15 +139,27 @@ spec: value: {{ .Values.codetogether.timeZone.region | quote }} {{- end }} + {{- if and .Values.intelsecret.enabled (not .Values.intelsecret.ref) }} + {{- fail "intelsecret.enabled=true requires intelsecret.ref (existing Secret name)" -}} + {{- end }} + - name: CT_INTEL_URL valueFrom: secretKeyRef: - name: {{ include "codetogether.fullname" . }}-intel + name: {{ if .Values.intelsecret.enabled -}} + {{ .Values.intelsecret.ref | quote }} + {{- else }} + {{ printf "%s-intel" (include "codetogether.fullname" .) | quote }} + {{- end }} key: url - name: CT_INTEL_SECRET valueFrom: secretKeyRef: - name: {{ include "codetogether.fullname" . }}-intel + name: {{ if .Values.intelsecret.enabled -}} + {{ .Values.intelsecret.ref | quote }} + {{- else }} + {{ printf "%s-intel" (include "codetogether.fullname" .) | quote }} + {{- end }} key: secret {{- if .Values.dashboard.enabled }} - name: CT_DASHBOARD_USER diff --git a/charts/collab/templates/secret-intel.yaml b/charts/collab/templates/secret-intel.yaml index 79750a2..73d147d 100644 --- a/charts/collab/templates/secret-intel.yaml +++ b/charts/collab/templates/secret-intel.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.intelsecret.enabled }} apiVersion: v1 kind: Secret metadata: 
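Review bot: With `intelsecret.enabled`, `checksum/intel` becomes the constant `"external"`, so rotating the `secret` key in the referenced Secret no longer triggers a rollout and pods keep the old value until restarted, because a `secretKeyRef` env var is read only at container start; either document that next to `intelsecret.ref` in values.yaml or accept an operator-supplied checksum/annotation so a rotation can still roll the Deployment. The `fail` guard sits inside the container `env` list, which works but only fires when rendering reaches that point; placing it at the top of the template gives the error before any other output. The enclosing `env` list runs outside the hunk on both ends.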
@@ -8,3 +9,4 @@ type: Opaque data: url: {{ .Values.intel.url | b64enc | quote }} secret: {{ .Values.intel.secret | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index 13e4026..9a663bd 100644 --- a/charts/collab/values.yaml +++ b/charts/collab/values.yaml @@ -37,6 +37,11 @@ imageCredentials: openshift: enabled: false +# Optional: use an existing secret for Intel connection +intelsecret: + enabled: false # default OFF - chart-managed secret + ref: "" # name of existing Secret (must have keys: url, secret) + # # Values required for establishing connection with the Intel server. # From d382f9663820fd29dd9f42e00ba0c10d6ffec352 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 24 Sep 2025 11:46:39 -0600 Subject: [PATCH 40/57] collab, intel: align read-only handling with live legacy chart (#175) * collab, intel: align read-only handling with live legacy chart Fixes: #174 - Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem - When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx - Remove readOnlyMode flag and prepare-ro initContainer * Fixes --- charts/collab/templates/deployment.yaml | 3 +- charts/collab/values.yaml | 6 +-- charts/intel/templates/deployment.yaml | 55 +++++++++++-------------- charts/intel/values.yaml | 10 ++--- 4 files changed, 32 insertions(+), 42 deletions(-) diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index eb2332e..c5f8342 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml @@ -253,7 +253,8 @@ spec: - name: codetogether-runtime emptyDir: {} - name: codetogether-tmp - emptyDir: {} + emptyDir: + medium: Memory {{- else if .Values.favicon.enabled }} volumes: - name: favicon-volume diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index 9a663bd..5610e02 100644 --- a/charts/collab/values.yaml 
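Review bot: `medium: Memory` on `codetogether-tmp` has no `sizeLimit`, so everything written to /tmp is charged to the container's memory and a large temp file can push the pod past its memory limit and get it OOM-killed, or eat node memory when no limit is set. Pair the tmpfs with a cap, `emptyDir:` / `medium: Memory` / `sizeLimit: 256Mi` (the figure should be confirmed against what the collab process actually writes to /tmp), or keep a disk-backed emptyDir if /tmp holds more than small scratch files. A one-line comment explaining why /tmp is memory-backed while `codetogether-runtime` is not would also help the next maintainer.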
+++ b/charts/collab/values.yaml @@ -211,13 +211,13 @@ serviceAccount: podAnnotations: {} -securityContext: {} #defaults to +securityContext: {} #defaults # capabilities: # drop: # - ALL - # runAsNonRoot: true # readOnlyRootFilesystem: true # enable for read-only setup - # runAsUser: 0 # Use '0' for root user for read-only setup + # runAsNonRoot: true + # runAsUser: 0 readinessProbe: initialDelaySeconds: 60 diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 3ccea51..cb81c66 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -26,17 +26,6 @@ spec: imagePullSecrets: - name: {{ include "codetogether.fullname" . }}-pull-secret {{- end }} - {{- if .Values.readOnlyMode.enabled }} - initContainers: - - name: prepare-ro - image: busybox:latest - securityContext: - runAsUser: 0 - command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"] - volumeMounts: - - name: volatile - mountPath: /mnt/volatile - {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} @@ -110,6 +99,7 @@ spec: key: apiKey {{- end }} {{- end }} +{{- if .Values.securityContext.readOnlyRootFilesystem }} volumeMounts: - name: properties-volume mountPath: /opt/codetogether/runtime/cthq.properties 
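Review bot: The reordered example now reads `# runAsNonRoot: true` directly followed by `# runAsUser: 0`, a pair the kubelet rejects at container start ("container has runAsNonRoot and image will run as root"), so anyone who uncomments both lines as written gets a CreateContainerConfigError. The example should show a non-root UID, `# runAsUser: 1000`, and the read-only note should say that root is not required once the emptyDir mounts gated on `readOnlyRootFilesystem` are in place. I would also drop the `#defaults` tail on `securityContext: {}` or spell out what it means, since an empty map has no defaults of its own.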
@@ -119,20 +109,26 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} - {{- if .Values.readOnlyMode.enabled }} - - name: volatile - mountPath: /run/volatile - - name: run - mountPath: /run - - name: tmp - mountPath: /tmp - - name: volatile - mountPath: /var/log/nginx - subPath: var-log-nginx - - name: volatile - mountPath: /var/cache/nginx - subPath: var-cache-nginx + # Read-only root FS mounts + - mountPath: /run + name: codetogether-runtime + - mountPath: /tmp + name: codetogether-tmp + - mountPath: /var/log/nginx + name: codetogether-runtime + - mountPath: /var/cache/nginx + name: codetogether-runtime +{{- else }} + volumeMounts: + - name: properties-volume + mountPath: /opt/codetogether/runtime/cthq.properties + subPath: cthq.properties + {{- if .Values.java.customCacerts.enabled }} + - name: java-cacerts + mountPath: /etc/ssl/certs/java/cacerts + subPath: cacerts {{- end }} +{{- end }} ports: - name: http containerPort: 1080 @@ -181,16 +177,13 @@ spec: secret: secretName: {{ .Values.java.customCacerts.cacertsSecretName }} {{- end }} - {{- if .Values.readOnlyMode.enabled }} - - name: volatile +{{- if .Values.securityContext.readOnlyRootFilesystem }} + - name: codetogether-runtime emptyDir: {} - - name: run + - name: codetogether-tmp emptyDir: medium: Memory - - name: tmp - emptyDir: - medium: Memory - {{- end }} +{{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index a0378cb..4f3a38d 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -138,9 +138,8 @@ securityContext: {} #defaults to # drop: # - ALL #readOnlyRootFilesystem: true # enable for read-only setup - #runAsUser: 0 # Use '0' for root user for read-only setup - # runAsNonRoot: true - # runAsUser: 1000 + # runAsNonRoot: true # false for non-root user + # runAsUser: 0 ai: enabled: false 
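Review bot: `/run`, `/var/log/nginx` and `/var/cache/nginx` are all mounted from the single `codetogether-runtime` emptyDir without a `subPath`, so they are the same directory: nginx cache files, access and error logs and whatever the process puts in /run land in one shared tree, and a name collision between them is a silent overwrite. The code this hunk replaces kept them apart with `subPath: var-log-nginx` and `subPath: var-cache-nginx`; I would keep that, e.g. `- mountPath: /var/log/nginx` / `name: codetogether-runtime` / `subPath: var-log-nginx`, and the same for the cache directory. The kubelet creates a missing subPath directory inside an emptyDir, so the removed init container is not needed for that, though the ownership of the created directory relative to the runtime UID should be confirmed.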
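Review bot: The replacement comment `# runAsNonRoot: true # false for non-root user` is inverted — `true` is the setting that enforces a non-root user — and it is followed by `# runAsUser: 0`, which the kubelet refuses to run together with `runAsNonRoot: true`. This hunk also deletes the only working non-root example, `# runAsUser: 1000`. I would restore it: `# runAsNonRoot: true  # refuse to start if the image would run as UID 0` / `# runAsUser: 1000     # any non-root UID; never 0 together with runAsNonRoot`.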
@@ -180,7 +179,4 @@ tolerations: [] affinity: {} -replicaCount: 1 - -readOnlyMode: - enabled: false # Set to 'true' to enable read-only mode \ No newline at end of file +replicaCount: 1 \ No newline at end of file From 5bfed1dac6cc5f5854657a8bd9fef5e9ab98aeb3 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 24 Sep 2025 11:49:38 -0600 Subject: [PATCH 41/57] Bump version from 1.2.5 to 1.2.6 --- charts/intel/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index 23c312a..0e2f3cd 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,7 +3,7 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.5 +version: 1.2.6 appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png From 7a46a700e5b0b61dff1f6372e3103f7c4420a469 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 24 Sep 2025 11:50:05 -0600 Subject: [PATCH 42/57] Bump version to 1.2.3 in Chart.yaml --- charts/collab/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/collab/Chart.yaml b/charts/collab/Chart.yaml index 0ab4a12..74b0e6a 100644 --- a/charts/collab/Chart.yaml +++ b/charts/collab/Chart.yaml @@ -3,7 +3,7 @@ name: codetogether-collab description: CodeTogether Collab type: application -version: 1.2.2 +version: 1.2.3 appVersion: "2025.1.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png From 8ca5b5d225cab266bcf49ca7e1eda566d375aad1 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 24 Sep 2025 12:10:01 -0600 Subject: [PATCH 43/57] Fix indentation in deployment.yaml --- charts/intel/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 18ef87c..29fa619 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -139,7 +139,7 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} - +{{- end }} ports: - name: http containerPort: 1080 @@ -207,4 +207,4 @@ spec: {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} - {{- end }} \ No newline at end of file + {{- end }} From 71c7bdf29bb18288306655217929d722e53e7334 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 24 Sep 2025 12:15:00 -0600 Subject: [PATCH 44/57] Remove initContainers for readOnlyMode Removed initContainers configuration for read-only mode. --- charts/intel/templates/deployment.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 29fa619..e3fd996 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -26,17 +26,6 @@ spec: imagePullSecrets: - name: {{ include "codetogether.fullname" . }}-pull-secret {{- end }} - {{- if .Values.readOnlyMode.enabled }} - initContainers: - - name: prepare-ro - image: busybox:latest - securityContext: - runAsUser: 0 - command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"] - volumeMounts: - - name: volatile - mountPath: /mnt/volatile - {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} From 6d3ed2aa61ecedd5792968af145d9465e50e603f Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Thu, 25 Sep 2025 12:28:52 -0600 Subject: [PATCH 45/57] Bump version from 1.2.6 to 1.2.7 --- charts/intel/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index 0e2f3cd..72f3c89 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,7 +3,7 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.6 +version: 1.2.7 appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png From 75aa28fcbe39053d086b59953a789094162116c3 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Thu, 25 Sep 2025 12:29:15 -0600 Subject: [PATCH 46/57] Bump version from 1.2.3 to 1.2.4 --- charts/collab/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/collab/Chart.yaml b/charts/collab/Chart.yaml index 74b0e6a..5483e7b 100644 --- a/charts/collab/Chart.yaml +++ b/charts/collab/Chart.yaml @@ -3,7 +3,7 @@ name: codetogether-collab description: CodeTogether Collab type: application -version: 1.2.3 +version: 1.2.4 appVersion: "2025.1.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png From dc6854c1deded1f940a4b2001d11e742e078facd Mon Sep 17 00:00:00 2001 
From: danc094codetogether Date: Wed, 1 Oct 2025 11:52:35 -0600 Subject: [PATCH 47/57] 177 collab intel rofs on open shift avoid run as user 0 support fs group (#178) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * OpenShift Testing Commit * Intel Changes * Fixes * Fixes * Fix * feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel Fixes: #177 This change makes the codetogether-collab and codetogether-intel charts work out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC), and adds first-class support for readOnlyRootFilesystem via init containers. Key changes ----------- Collab - Add initContainer `prepare-volatile` to create writable runtime paths when readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx, and the existing /run/volatile/* tree). - Conditionally handle OpenShift vs vanilla: - OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs. Keep runAsNonRoot and disallow privilege escalation. Avoid chown. Use `install -d -m 0775/2775` for group-write with sticky set as needed. - Vanilla: init runs as root (UID 0) to chown created dirs to the non-root runtime user (defaults to 1000:1000); main container runs non-root. - When readOnlyRootFilesystem=true: - Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx. - Add matching volumeMounts. - Keep probes and ports unchanged. - Values: add/clarify `openshift.enabled` flag, securityContext defaults, imageCredentials usage, and sample values for both environments. Intel - Add initContainer `prepare-runtime` to create /var/log/nginx and /var/cache/nginx and make them writable under read-only rootfs. - Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP; root init + non-root app for vanilla). - Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx when readOnlyRootFilesystem=true. 
- Preserve existing envs (AI mode, HQ base URL, Java options, etc.). Why --- - Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set. - Fixes initContainer permission errors (e.g., "Operation not permitted" on /run) by avoiding chown on OpenShift and using 2775 with umask 002. - Enables secure read-only rootfs operation by provisioning necessary writable paths via EmptyDir. Testing ------- - OpenShift 4.x: - `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup. - initContainers succeed; pods transition to Running. - Vanilla (DigitalOcean Kubernetes): - `openshift.enabled=false`, readOnlyRootFilesystem=true. - init runs as root, chowns to 1000:1000; app runs as non-root. - Pods healthy; readiness/liveness OK. Breaking changes ---------------- - None functionally; however, when enabling readOnlyRootFilesystem, the chart now requires the EmptyDir mounts (added by default when the flag is true). * Testing * fix(openshift): make Intel/Collab charts run on OpenShift; verified in-cluster Fixes: #177 - Validated (same OpenShift env) - This change fixes the customer’s OpenShift issue. --- charts/collab/Chart.yaml | 2 +- charts/collab/templates/deployment.yaml | 8 ++----- charts/collab/values.yaml | 3 ++- charts/intel/Chart.yaml | 2 +- charts/intel/templates/deployment.yaml | 29 ------------------------- charts/intel/values.yaml | 10 ++++----- 6 files changed, 11 insertions(+), 43 deletions(-) diff --git a/charts/collab/Chart.yaml b/charts/collab/Chart.yaml index 5483e7b..a03dbec 100644 --- a/charts/collab/Chart.yaml +++ b/charts/collab/Chart.yaml @@ -3,7 +3,7 @@ name: codetogether-collab description: CodeTogether Collab type: application -version: 1.2.4 +version: 1.2.5 appVersion: "2025.1.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index c5f8342..ff2fde7 100644 
--- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml @@ -194,10 +194,6 @@ spec: name: codetogether-runtime - mountPath: /tmp name: codetogether-tmp - - mountPath: /var/log/nginx - name: codetogether-runtime - - mountPath: /var/cache/nginx - name: codetogether-runtime {{- if .Values.favicon.enabled }} - mountPath: /opt/volatile-template/nginx/favicon.ico name: favicon-volume @@ -248,13 +244,13 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if .Values.securityContext.readOnlyRootFilesystem}} volumes: - name: codetogether-runtime emptyDir: {} - name: codetogether-tmp - emptyDir: - medium: Memory + emptyDir: {} {{- else if .Values.favicon.enabled }} volumes: - name: favicon-volume diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index 45f712c..2f729e8 100644 --- a/charts/collab/values.yaml +++ b/charts/collab/values.yaml @@ -217,7 +217,8 @@ securityContext: {} #defaults # - ALL # readOnlyRootFilesystem: true # enable for read-only setup # runAsNonRoot: true - # runAsUser: 0 # Use '0' for root user for read-only setup + # runAsUser: 1000 # Use '0' for root user, in vanilla k8s you can use any non-root uid + # In openshift, dont set runAsUser, let OpenShift assign the values readinessProbe: initialDelaySeconds: 60 diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index 72f3c89..885e7d8 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,7 +3,7 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.7 +version: 1.2.8 appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index e3fd996..930b1a1 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
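Review bot: The writable mounts for `/var/log/nginx` and `/var/cache/nginx` are removed while the remaining `/run` and `/tmp` mounts stay gated on `readOnlyRootFilesystem`, so if nginx in the collab image still writes to its default log and cache paths it will fail to start under a read-only rootfs. The commit message describes a `prepare-volatile` init container that provisions these paths, but the diffstat for this file shows 2 insertions and 6 deletions and no such container appears in the visible hunks, so either the image already redirects nginx into /run (which deserves a comment, e.g. `# nginx log/cache paths live under /run in this image; no separate mounts needed`) or the two mounts should stay. Dropping `medium: Memory` from `codetogether-tmp` is fine, but the reason (OpenShift SCC or memory accounting) is worth a one-line comment so it is not reverted.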
@@ -99,7 +99,6 @@ spec: key: apiKey {{- end }} {{- end }} -{{- if .Values.securityContext.readOnlyRootFilesystem }} volumeMounts: - name: properties-volume mountPath: /opt/codetogether/runtime/cthq.properties @@ -109,26 +108,6 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} - # Read-only root FS mounts - - mountPath: /run - name: codetogether-runtime - - mountPath: /tmp - name: codetogether-tmp - - mountPath: /var/log/nginx - name: codetogether-runtime - - mountPath: /var/cache/nginx - name: codetogether-runtime -{{- else }} - volumeMounts: - - name: properties-volume - mountPath: /opt/codetogether/runtime/cthq.properties - subPath: cthq.properties - {{- if .Values.java.customCacerts.enabled }} - - name: java-cacerts - mountPath: /etc/ssl/certs/java/cacerts - subPath: cacerts - {{- end }} -{{- end }} ports: - name: http containerPort: 1080 @@ -177,14 +156,6 @@ spec: secret: secretName: {{ .Values.java.customCacerts.cacertsSecretName }} {{- end }} -{{- if .Values.securityContext.readOnlyRootFilesystem }} - - name: codetogether-runtime - emptyDir: {} - - name: codetogether-tmp - emptyDir: - medium: Memory -{{- end }} - {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 0405873..6cb0cc5 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -132,14 +132,14 @@ serviceAccount: podAnnotations: {} -securityContext: {} #defaults to - +securityContext: {} #defaults # capabilities: # drop: # - ALL - #readOnlyRootFilesystem: true # enable for read-only setup - # runAsNonRoot: true # false for non-root user - # runAsUser: 0 # Use '0' for root user for read-only setup + # readOnlyRootFilesystem: true # enable for read-only setup + # runAsNonRoot: true + # runAsUser: 1000 # Use '0' for root user + # In openshift, dont set runAsUser, let OpenShift assign the values ai: enabled: false 
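Review bot: The values file still advertises `# readOnlyRootFilesystem: true # enable for read-only setup`, but the same patch deletes every emptyDir volume and mount from the intel deployment (the three hunks above are pure deletions and the diffstat shows 29 removed lines), so enabling the flag now produces a container with no writable /tmp, /run or nginx directories. The `prepare-runtime` init container named in the commit message is not part of this diff. Either restore the flag-gated mounts or change the comment to `# readOnlyRootFilesystem: not supported by this chart version; the container needs writable /tmp, /run and nginx dirs` so operators are not sent down a path that fails at runtime. The new `runAsUser: 1000` example with the OpenShift caveat is an improvement over the previous root hint.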
From 0bfa15d3008d0a37c3783c6743f73a52c14a7339 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Wed, 1 Oct 2025 17:37:18 -0600 Subject: [PATCH 48/57] Allow to set the CT_CUSTOM_CLIENTS_ORIGIN env variable. --- charts/intel/templates/deployment.yaml | 4 ++++ charts/intel/values.yaml | 1 + 2 files changed, 5 insertions(+) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 930b1a1..19ba549 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -87,6 +87,10 @@ spec: {{ else }} {{ .Values.ai.url | quote }} {{ end }} + {{- if .Values.codetogether.customClientsUrl }} + - name: CT_HQ_OLLAMA_AI_CLIENTS_URL + value: {{ .Values.codetogether.customClientsUrl | quote }} + {{- end }} - name: CT_HQ_OLLAMA_AI_MODEL_NAME value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }} - name: CT_HQ_OLLAMA_AI_API_KEY diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 6cb0cc5..bb4c418 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -39,6 +39,7 @@ imageCredentials: codetogether: url: https:// trustAllCerts: false # Set to 'true' to trust all certificates + # customClientsUrl: "" # Optional custom URL for clients to download from hqproperties: From f914f00a618269e3ef8c4d9487f2425c66731fab Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 2 Oct 2025 09:40:52 -0600 Subject: [PATCH 49/57] fix env variable name --- charts/intel/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 19ba549..e6325a2 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
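Review bot: The env var is emitted as `CT_HQ_OLLAMA_AI_CLIENTS_URL`, but the commit subject says the setting the server reads is `CT_CUSTOM_CLIENTS_ORIGIN`, so the value is exported under a name nothing consumes and the feature silently does nothing. It is also placed between the Ollama AI entries; if that run sits inside an AI-enabled conditional (its start is outside this hunk), the clients origin disappears whenever AI is off, although it is unrelated to AI. I would rename it and move it next to `CT_HQ_BASE_URL`: `- name: CT_CUSTOM_CLIENTS_ORIGIN` / `value: {{ .Values.codetogether.customClientsUrl | quote }}`.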
@@ -88,7 +88,7 @@ spec: {{ .Values.ai.url | quote }} {{ end }} {{- if .Values.codetogether.customClientsUrl }} - - name: CT_HQ_OLLAMA_AI_CLIENTS_URL + - name: CT_CUSTOM_CLIENTS_ORIGIN value: {{ .Values.codetogether.customClientsUrl | quote }} {{- end }} - name: CT_HQ_OLLAMA_AI_MODEL_NAME From f66443d1f0b6566f9d7b55e2b1e5539bc3625dcc Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 2 Oct 2025 11:34:31 -0600 Subject: [PATCH 50/57] Allow to add custom ide location url (#184) --- compose/.env-template | 3 +++ 1 file changed, 3 insertions(+) diff --git a/compose/.env-template b/compose/.env-template index 502b43d..4082c18 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -55,3 +55,6 @@ DHPARAM_PEM=dhparam.pem # Enable “to trust all certificates” CT_TRUST_ALL_CERTS=false +# Uncomment and set the following variable to enable custom IDE clients location +# CT_CUSTOM_CLIENTS_ORIGIN= + From 29e56fb0e36cfbb7b6310a3d3e94f5e1eaec99b8 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Thu, 2 Oct 2025 12:00:50 -0600 Subject: [PATCH 51/57] Remove volumeMounts for readOnlyRootFilesystem Removed volumeMounts configuration for properties-volume. --- charts/intel/templates/deployment.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 328acc1..e6325a2 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -103,7 +103,6 @@ spec: key: apiKey {{- end }} {{- end }} -{{- if .Values.securityContext.readOnlyRootFilesystem }} volumeMounts: - name: properties-volume mountPath: /opt/codetogether/runtime/cthq.properties From d489e34883eac0784d67ce32d8b0c2e20354df09 Mon Sep 17 00:00:00 2001 
From: danc094codetogether Date: Thu, 2 Oct 2025 12:02:26 -0600 Subject: [PATCH 52/57] Update codetogether-tmp volume medium configuration Changed the medium of the codetogether-tmp volume from 'Memory' to an empty object. --- charts/collab/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 0652b5a..08c36e1 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml @@ -251,7 +251,7 @@ spec: emptyDir: {} - name: codetogether-tmp emptyDir: - medium: Memory + medium: {} {{- else if .Values.favicon.enabled }} volumes: - name: favicon-volume From 235a2dd3020695f1ea7e41e09ae6765a4a40983f Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Thu, 2 Oct 2025 12:05:05 -0600 Subject: [PATCH 53/57] Simplify emptyDir volume definition in deployment.yaml --- charts/collab/templates/deployment.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 08c36e1..ff2fde7 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml @@ -250,8 +250,7 @@ spec: - name: codetogether-runtime emptyDir: {} - name: codetogether-tmp - emptyDir: - medium: {} + emptyDir: {} {{- else if .Values.favicon.enabled }} volumes: - name: favicon-volume From 0c577f7287ce74125060ddca9a9d44bdc8e8e407 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Thu, 2 Oct 2025 12:05:35 -0600 Subject: [PATCH 54/57] Update version and appVersion in Chart.yaml --- charts/collab/Chart.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/charts/collab/Chart.yaml b/charts/collab/Chart.yaml index 41bd3c2..a03dbec 100644 --- a/charts/collab/Chart.yaml +++ b/charts/collab/Chart.yaml 
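Review bot: `medium: {}` is not a valid value — `emptyDir.medium` is a string (`""` or `"Memory"`), so the rendered Deployment will be rejected by API validation on install or upgrade. To return to a disk-backed volume the field should be removed entirely, leaving `emptyDir: {}`.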
@@ -4,7 +4,6 @@ description: CodeTogether Collab type: application version: 1.2.5 - appVersion: "2025.1.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png From a9aa40178091a157d92caa8419b61b9f4bf9491c Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 15 Oct 2025 11:48:13 -0600 Subject: [PATCH 55/57] refactor(helm): decouple customClientsUrl from AI config (#187) Fixes: #180 - Render clients url when codetogether.customClientsUrl --- charts/intel/templates/deployment.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index e6325a2..4697f06 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -60,6 +60,10 @@ spec: # Set CodeTogether runtime configuration - name: CT_HQ_BASE_URL value: {{ .Values.codetogether.url | quote }} + {{- if .Values.codetogether.customClientsUrl }} + - name: CT_CUSTOM_CLIENTS_ORIGIN + value: {{ .Values.codetogether.customClientsUrl | quote }} + {{- end }} {{- if .Values.java.customCacerts.enabled }} - name: CT_TRUST_STORE value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts @@ -87,10 +91,6 @@ spec: {{ else }} {{ .Values.ai.url | quote }} {{ end }} - {{- if .Values.codetogether.customClientsUrl }} - - name: CT_CUSTOM_CLIENTS_ORIGIN - value: {{ .Values.codetogether.customClientsUrl | quote }} - {{- end }} - name: CT_HQ_OLLAMA_AI_MODEL_NAME value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }} - name: CT_HQ_OLLAMA_AI_API_KEY From b38154c11f48eb27a3863131833cb75fa0340a36 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 15 Oct 2025 11:54:19 -0600 Subject: [PATCH 56/57] Bump version and appVersion in Chart.yaml --- charts/intel/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index 885e7d8..be2d15f 100644 
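Review bot: `codetogether.customClientsUrl` is passed straight into `CT_CUSTOM_CLIENTS_ORIGIN` without any validation, and the values comment describes it as the location clients download from, so a plain-http or mistyped origin means IDE binaries are fetched from an unauthenticated source. A cheap render-time guard: `{{- if and .Values.codetogether.customClientsUrl (not (hasPrefix "https://" .Values.codetogether.customClientsUrl)) }}{{ fail "codetogether.customClientsUrl must be an https:// origin" }}{{- end }}`; if an in-cluster http mirror is a supported case, put the check behind a value rather than omitting it. Whether the server expects a bare origin (scheme and host) or a full URL is not visible here — the env name says ORIGIN while the value and its comment say URL — so the values comment should state which form is accepted. Moving the variable out of the AI block and next to `CT_HQ_BASE_URL` is the right placement.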
--- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,8 +3,8 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.8 -appVersion: "2025.3.0" +version: 1.2.9 +appVersion: "2025.4.1" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png home: https://www.codetogether.com From eb0923fe99cab57ad0107d76c791e5bccfa319cd Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 15 Oct 2025 11:54:54 -0600 Subject: [PATCH 57/57] Bump version and appVersion in Chart.yaml --- charts/collab/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/collab/Chart.yaml b/charts/collab/Chart.yaml index a03dbec..42977d6 100644 --- a/charts/collab/Chart.yaml +++ b/charts/collab/Chart.yaml @@ -3,8 +3,8 @@ name: codetogether-collab description: CodeTogether Collab type: application -version: 1.2.5 -appVersion: "2025.1.0" +version: 1.2.6 +appVersion: "2025.4.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png home: https://www.codetogether.com