CodeTogether-Inc · wgalanciak · May 12, 2025 · May 7, 2025 · May 8, 2025 · May 10, 2025
diff --git a/charts/intel/templates/secrets.yaml b/charts/intel/templates/secrets.yaml
@@ -4,5 +4,13 @@ metadata:
   name: ai-secrets
 type: Opaque
 data:
+  {{- if .Values.ai.openai }}
+  {{- if .Values.ai.openai.api_key }}
   openai-api-key: {{ .Values.ai.openai.api_key | b64enc }}
+  {{- end }}
+  {{- end }}
+  {{- if .Values.ai.external }}
+  {{- if .Values.ai.external.api_key }}
   external-ai-key: {{ .Values.ai.external.api_key | b64enc }}
+  {{- end }}
+  {{- end }}
diff --git a/compose/.env-template b/compose/.env-template
@@ -0,0 +1,48 @@
+###############################################################################
+# CodeTogether – Environment Template
+# -----------------------------------------------------------------------------
+# 1.  Copy this file to `.env` in the same directory as `compose.yaml`.
+# 2.  Replace the placeholders on the right‑hand side with your real values.
+# 3.  Place all SSL certificates and Diffie‑Hellman parameters in the
+#     `nginx/ssl` directory.
+# 4.  Configure your SSO provider in the `cthq.properties` file.
+# 5.  Run `docker‑compose up -d` to start the containers.
+#
+# Variables (all required unless stated otherwise)
+# ----------------------------------------------
+# COLLAB_FQDN        Public hostname (FQDN) that end‑users hit to reach the
+#                    Collab service (e.g. collab.example.com).
+#
+# INTEL_FQDN         Public hostname (FQDN) for the Intel service
+#                    (e.g. intel.example.com).
+#
+# INTEL_SECRET       Shared secret Collab uses to authenticate when
+#                    communicating with the Intel service. Use a strong,
+#                    private value.
+#
+# SSL_COLLAB_CERT    Certificate filename that Nginx serves for the Collab
+#                    virtual host (e.g. ssl-collab.crt).
+#
+# SSL_COLLAB_KEY     Private key filename for the Collab certificate
+#                    (e.g. ssl-collab.key).
+#
+# SSL_INTEL_CERT     Certificate filename for the Intel virtual host
+#                    (e.g. ssl-intel.crt).
+#
+# SSL_INTEL_KEY      Private key filename for the Intel certificate
+#                    (e.g. ssl-intel.key).
+#
+# DHPARAM_PEM        Diffie‑Hellman parameters file (e.g. dhparam.pem).
+###############################################################################
+
+COLLAB_FQDN=collab.example.com
+INTEL_FQDN=intel.example.com
+INTEL_SECRET=super-secret-string
+
+SSL_COLLAB_CERT=ssl-collab.crt
+SSL_COLLAB_KEY=ssl-collab.key
+
+SSL_INTEL_CERT=ssl-intel.crt
+SSL_INTEL_KEY=ssl-intel.key
+
+DHPARAM_PEM=dhparam.pem
diff --git a/compose/compose.yaml b/compose/compose.yaml
@@ -1,12 +1,15 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
 services: 
   codetogether-collab:
     image: hub.edge.codetogether.com/releases/codetogether-collab:latest
     container_name: codetogether-collab
+    env_file:
+      - .env
     environment:
-      # your collab/pair programming server URL
-      - CT_SERVER_URL=https://your-collab-server-fqdn
+      - CT_SERVER_URL=https://${COLLAB_FQDN}
       - CT_INTEL_URL=http://codetogether-intel:1080
-      - CT_INTEL_SECRET=your-collab-intel-secret
+      - CT_INTEL_SECRET=${INTEL_SECRET}
       - CT_AV_ENABLED=false
       - CT_AV_LAN_IP=auto
     networks:
@@ -17,10 +20,14 @@ services:
   nginx:
     image: nginx:latest
     container_name: codetogether-nginx
+    env_file:
+      - .env
+    environment:
+      - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
     ports:
       - "443:443"
     volumes:
-      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
       - ./nginx/ssl:/etc/nginx/ssl
       - ./nginx/log:/var/log/nginx
     networks:
@@ -31,8 +38,10 @@ services:
   codetogether-intel:
     image: hub.edge.codetogether.com/releases/codetogether-intel:latest
     container_name: codetogether-intel
+    env_file:
+      - .env
     environment:
-      - CT_HQ_BASE_URL=https://your-intel-server-fqdn
+      - CT_HQ_BASE_URL=https://${INTEL_FQDN}
     networks:
       - codetogethernet
     volumes:
@@ -72,4 +81,4 @@ services:
       retries: 70
 networks:
   codetogethernet:
-    driver: bridge
+    driver: bridge
diff --git a/compose/cthq.properties b/compose/cthq.properties
@@ -1,29 +1,25 @@
+# Variables below are injected from the `.env` file
+hq.base.url=https://${INTEL_FQDN}
+hq.collab.url=https://${COLLAB_FQDN}
+hq.collab.secret=${INTEL_SECRET}
+
 # Fill in values specific to your deployment
-hq.base.url=https://<server-fqdn>
-hq.collab.url=https://your-collab-server-fqdn
-hq.collab.secret=<your-collab-intel-secret>
 
-# THE LINE BELOW IS NOT NEEDED WITH SINGLE TENANT
-#hq.sso.tenants=github,gitlab
+# If you want to run with multiple SSO providers, add their names separated with commas
+hq.sso.tenants=github
+
 # GitHub SSO
 hq.sso.github.provider=github
 hq.sso.github.label=GitHub
 hq.sso.github.client.id=<github_client_id>
 hq.sso.github.client.secret=<github_client_secret>
-hq.sso.github.redirect.uri=https://<server-fqdn>/api/v1/auth/sso/success/insights
+hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights
 hq.sso.github.auth.uri=https://github.com/login/oauth/authorize
 hq.sso.github.token.uri=https://github.com/login/oauth/access_token
 hq.sso.github.info.uri=https://api.github.com/user
 hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks
 hq.sso.github.logout.uri=https://github.com/logout
 
-# hq.sso.gitlab.provider=gitlab
-# hq.sso.gitlab.label=Gitlab test
-# hq.sso.gitlab.client.id=<gitlab_client_id>
-# hq.sso.gitlab.client.secret=<gitlab_client_secret>
-# hq.sso.gitlab.client.issuer.url=https://gitlab.com
-# hq.sso.gitlab.azure.redirect.uri=https://<server-fqdn>/api/v1/auth/sso/success/insights
-
 # These values do not need to be changed, though secrets can be updated
 hq.db.type=CASSANDRA
 hq.cassandra.db.host=codetogether-cassandra

diff --git a/compose/nginx/nginx.conf → compose/nginx/nginx.conf.template b/compose/nginx/nginx.conf → compose/nginx/nginx.conf.template
@@ -1,19 +1,20 @@
 events {
     worker_connections  1024;
 }
+
 http {
     include       mime.types;
     default_type  application/octet-stream;
     sendfile        on;
     keepalive_timeout  65;
     server {
         listen       443 ssl http2;
-        server_name  <collab-server-fqdn>;
+        server_name  ${COLLAB_FQDN};
         proxy_buffer_size 128k;
         proxy_buffers 4 256k;
-        ssl_certificate      <path-to-ssl-bundle.crt>;
-        ssl_certificate_key  <path-to-ssl.key>;
-        ssl_dhparam          <path-to-dhparam.pem>;
+        ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT};
+        ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY};
+        ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
         ssl_prefer_server_ciphers on;
         ssl_protocols TLSv1.2;
         ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
@@ -22,7 +23,6 @@ http {
             set $realIP $remote_addr;
             set $forwardTo $proxy_add_x_forwarded_for;
             set $reqHost $http_host;
-            client_max_body_size 32M;
             if ($http_x_real_ip != '') {
                 set $realIP $http_x_real_ip;
             }
@@ -47,17 +47,17 @@ http {
         }
     }
     server {
-        server_name          <server-fqdn>;
+        server_name          ${INTEL_FQDN};
         listen               443 ssl http2;
 
         # configure proxy buffer sizes
         proxy_buffer_size    128k;
         proxy_buffers        4 256k;
 
         # setup the SSL certificate
-        ssl_certificate      <path-to-ssl-bundle.crt>;
-        ssl_certificate_key  <path-to-ssl.key>;
-        ssl_dhparam          <path-to-dhparam.pem>;
+        ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT};
+        ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY};
+        ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
         ssl_prefer_server_ciphers on;
         ssl_protocols        TLSv1.2;
         ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
@@ -69,6 +69,7 @@ http {
             set $realIP      $remote_addr;
             set $forwardTo   $proxy_add_x_forwarded_for;
             set $reqHost     $http_host;
+            client_max_body_size 32M;
             if ($http_x_real_ip != '') {
                 set $realIP  $http_x_real_ip;
             }
@@ -91,4 +92,4 @@ http {
             proxy_send_timeout    360;
         }
     }
-}
+}