diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 0615be8..9c0d7e0 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -28,21 +28,23 @@ spec: {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - {{- if eq .Values.ai.mode "bundled" }} - - name: codetogether-llm - image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" - imagePullPolicy: Always - ports: - - name: ai - containerPort: 8000 - protocol: TCP - resources: - requests: - cpu: {{ .Values.ai.resources.requests.cpu | quote }} - memory: {{ .Values.ai.resources.requests.memory | quote }} - limits: - cpu: {{ .Values.ai.resources.limits.cpu | quote }} - memory: {{ .Values.ai.resources.limits.memory | quote }} + {{- if .Values.ai.enabled }} + {{- if eq .Values.ai.mode "bundled" }} + - name: codetogether-llm + image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" + imagePullPolicy: Always + ports: + - name: ai + containerPort: 8000 + protocol: TCP + resources: + requests: + cpu: {{ .Values.ai.resources.requests.cpu | quote }} + memory: {{ .Values.ai.resources.requests.memory | quote }} + limits: + cpu: {{ .Values.ai.resources.limits.cpu | quote }} + memory: {{ .Values.ai.resources.limits.memory | quote }} + {{- end }} {{- end }} - name: {{ .Chart.Name }} securityContext: 
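Review bot: The `codetogether-llm` container rendered under the new `ai.enabled` gate still has no `securityContext`, while the `{{ .Chart.Name }}` container at the end of the hunk does, and the chart already exposes a `securityContext` value (the values.yaml hunk below sits under `securityContext: {}` / `# runAsUser: 1000`); rendering the same block for the bundled container would put both containers under one policy instead of leaving the model server at the pod default. As a point of style, the two nested conditions can be one line, `{{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }}`, closed by a single `{{- end }}`, which keeps the container spec one indent level shallower (safe on Helm builds where `and` short-circuits, i.e. Go 1.18 or later). The `containers:` list this hunk edits continues past the hunk.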
@@ -56,22 +58,24 @@ spec: - name: AI_BUNDLED_URL value: "http://codetogether-llm:8000" {{- end }} - {{- if eq .Values.ai.mode "external" }} - - name: AI_PROVIDER - valueFrom: - configMapKeyRef: - name: ai-config - key: ai_provider - - name: AI_EXTERNAL_URL - valueFrom: - configMapKeyRef: - name: ai-config - key: ai_url - - name: AI_EXTERNAL_API_KEY - valueFrom: - secretKeyRef: - name: ai-external-secret - key: api-key + {{- if .Values.ai.enabled }} + {{- if eq .Values.ai.mode "external" }} + - name: AI_PROVIDER + valueFrom: + configMapKeyRef: + name: ai-config + key: ai_provider + - name: AI_EXTERNAL_URL + valueFrom: + configMapKeyRef: + name: ai-config + key: ai_url + - name: AI_EXTERNAL_API_KEY + valueFrom: + secretKeyRef: + name: ai-external-secret + key: api-key + {{- end }} {{- end }} # # Set CodeTogether runtime configuration diff --git a/charts/intel/templates/secrets.yaml b/charts/intel/templates/secrets.yaml index 5cdd56d..b5b85e7 100644 --- a/charts/intel/templates/secrets.yaml +++ b/charts/intel/templates/secrets.yaml @@ -4,5 +4,13 @@ metadata: name: ai-secrets type: Opaque data: + {{- if .Values.ai.openai }} + {{- if .Values.ai.openai.api_key }} openai-api-key: {{ .Values.ai.openai.api_key | b64enc }} + {{- end }} + {{- end }} + {{- if .Values.ai.external }} + {{- if .Values.ai.external.api_key }} external-ai-key: {{ .Values.ai.external.api_key | b64enc }} + {{- end }} + {{- end }} diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index ac9227e..04507b2 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -139,6 +139,7 @@ securityContext: {} # runAsUser: 1000 ai: + enabled: false mode: "bundled" # Options: bundled | external provider: "ollama" # No OpenAI dependency resources: diff --git a/compose/.env-template b/compose/.env-template new file mode 100644 index 0000000..c88f162 --- /dev/null +++ b/compose/.env-template 
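Review bot: The `ai.enabled` gate here wraps only the `external` env block, while the `AI_BUNDLED_URL` entry whose `{{- end }}` opens this hunk appears to be conditioned on `ai.mode` alone (its `if` lies before the hunk); with `enabled: false` and the default `mode: "bundled"` the main container would still get `AI_BUNDLED_URL=http://codetogether-llm:8000` although the first hunk no longer renders that container, so the app is pointed at a service that does not exist. Consider opening the `{{- if .Values.ai.enabled }}` above the bundled block so both mode branches sit under a single gate. Separately, `name: ai-external-secret` / `key: api-key` do not match the Secret this commit edits in secrets.yaml (`name: ai-secrets`, key `external-ai-key`); unless a second Secret named `ai-external-secret` is defined elsewhere in the chart, external mode will fail at pod start with a missing-secret error. The env list continues outside the hunk.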
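Review bot: The `ai-secrets` Secret is still rendered when `ai.enabled` is false or when neither key is set, leaving an object whose only effect is to store whatever API keys happen to be in values; wrapping the whole template in `{{- if .Values.ai.enabled }}` keeps key material out of the cluster while the feature is off. The nested `if .Values.ai.openai` / `if .Values.ai.openai.api_key` guards are the right shape for a map that may be absent from values, but a comment such as `# nested on purpose: a missing "openai" map would make .api_key a nil-pointer template error` would stop the next maintainer from collapsing them into a single condition.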
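Review bot: `enabled: false` turns the AI feature off for every existing install on upgrade, since the deployment template now renders neither the bundled container nor the external env without it, and the new key carries no explanation. An inline comment along the lines of `enabled: false  # Set to true to render the AI container / env; mode and provider below are ignored otherwise` plus a line in the chart's upgrade notes would make the new default visible to operators.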
@@ -0,0 +1,48 @@
+###############################################################################
+# CodeTogether – Environment Template
+# -----------------------------------------------------------------------------
+# 1. Copy this file to `.env` in the same directory as `compose.yaml`.
+# 2. Replace the placeholders on the right‑hand side with your real values.
+# 3. Place all SSL certificates and Diffie‑Hellman parameters in the
+# `nginx/ssl` directory.
+# 4. Configure your SSO provider in the `cthq.properties` file.
+# 5. Run `docker‑compose up -d` to start the containers.
+#
+# Variables (all required unless stated otherwise)
+# ----------------------------------------------
+# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the
+# Collab service (e.g. collab.example.com).
+#
+# INTEL_FQDN Public hostname (FQDN) for the Intel service
+# (e.g. intel.example.com).
+#
+# INTEL_SECRET Shared secret Collab uses to authenticate when
+# communicating with the Intel service. Use a strong,
+# private value.
+#
+# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab
+# virtual host (e.g. ssl-collab.crt).
+#
+# SSL_COLLAB_KEY Private key filename for the Collab certificate
+# (e.g. ssl-collab.key).
+#
+# SSL_INTEL_CERT Certificate filename for the Intel virtual host
+# (e.g. ssl-intel.crt).
+#
+# SSL_INTEL_KEY Private key filename for the Intel certificate
+# (e.g. ssl-intel.key).
+#
+# DHPARAM_PEM Diffie‑Hellman parameters file (e.g. dhparam.pem).
+###############################################################################
+
+COLLAB_FQDN=collab.example.com
+INTEL_FQDN=intel.example.com
+INTEL_SECRET=super-secret-string
+
+SSL_COLLAB_CERT=ssl-collab.crt
+SSL_COLLAB_KEY=ssl-collab.key
+
+SSL_INTEL_CERT=ssl-intel.crt
+SSL_INTEL_KEY=ssl-intel.key
+
+DHPARAM_PEM=dhparam.pem
\ No newline at end of file
diff --git a/compose/compose.yaml b/compose/compose.yaml
index 8d3b95b..b443a7f 100644
--- a/compose/compose.yaml
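Review bot: Several hyphens in the comment block are the non-ASCII U+2011 character rather than `-` (`docker‑compose up -d`, `Diffie‑Hellman`, `right‑hand`, `end‑users`), so the step-5 command fails with "command not found" when pasted from this file; replace them with plain ASCII hyphens. `INTEL_SECRET=super-secret-string` is also worth changing: it is the credential Collab presents to Intel, and a plausible-looking placeholder survives the copy to `.env` unnoticed if step 2 is skipped, so leave it empty (`INTEL_SECRET=`) or use an obviously invalid marker such as `CHANGE_ME` so a forgotten replacement fails loudly instead of shipping a shared default. The file also lacks a trailing newline, and because `.env` will hold the real secret it should be listed in `.gitignore` (not visible in this diff).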
+++ b/compose/compose.yaml @@ -1,12 +1,15 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed services: codetogether-collab: image: hub.edge.codetogether.com/releases/codetogether-collab:latest container_name: codetogether-collab + env_file: + - .env environment: - # your collab/pair programming server URL - - CT_SERVER_URL=https://your-collab-server-fqdn + - CT_SERVER_URL=https://${COLLAB_FQDN} - CT_INTEL_URL=http://codetogether-intel:1080 - - CT_INTEL_SECRET=your-collab-intel-secret + - CT_INTEL_SECRET=${INTEL_SECRET} - CT_AV_ENABLED=false - CT_AV_LAN_IP=auto networks: @@ -17,10 +20,14 @@ services: nginx: image: nginx:latest container_name: codetogether-nginx + env_file: + - .env + environment: + - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx ports: - "443:443" volumes: - - ./nginx/nginx.conf:/etc/nginx/nginx.conf + - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro - ./nginx/ssl:/etc/nginx/ssl - ./nginx/log:/var/log/nginx networks: @@ -31,8 +38,10 @@ services: codetogether-intel: image: hub.edge.codetogether.com/releases/codetogether-intel:latest container_name: codetogether-intel + env_file: + - .env environment: - - CT_HQ_BASE_URL=https://your-intel-server-fqdn + - CT_HQ_BASE_URL=https://${INTEL_FQDN} networks: - codetogethernet volumes: @@ -72,4 +81,4 @@ services: retries: 70 networks: codetogethernet: - driver: bridge \ No newline at end of file + driver: bridge diff --git a/compose/cthq.properties b/compose/cthq.properties index 1afe6b6..8b8c254 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties 
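Review bot: `- CT_INTEL_SECRET=${INTEL_SECRET}` renders as an empty value when the variable is missing from `.env`, and Compose only warns about an unset variable, so Collab would start with an empty shared secret; the required-variable form `- CT_INTEL_SECRET=${INTEL_SECRET:?INTEL_SECRET must be set in .env}` (and likewise for `COLLAB_FQDN` here and `INTEL_FQDN` in the intel hunk) makes `compose up` abort instead. The added `env_file: - .env` is not what drives the `${...}` substitutions in `environment:` (Compose reads the project `.env` for those on its own); it injects every variable in the file, TLS file names and secret included, into the container environment, so it is only needed where the process itself reads the variables, which looks to be the case for intel (`cthq.properties` placeholders) and nginx (envsubst) but not obviously for collab.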
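Review bot: The new template mount is `:ro`, but the neighbouring context line `- ./nginx/ssl:/etc/nginx/ssl`, which now holds the private keys named by `SSL_COLLAB_KEY` and `SSL_INTEL_KEY`, is still mounted read-write; `- ./nginx/ssl:/etc/nginx/ssl:ro` matches the new mount and keeps a compromised nginx process from altering the key material. `NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx` appears to make the image entrypoint write the rendered `nginx.conf` over the stock one, which is the intent here, but a one-line comment above it such as `# entrypoint renders /etc/nginx/templates/*.template into this dir, replacing the stock nginx.conf` would make the link between the mount path and the output path explicit.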
@@ -1,29 +1,25 @@ +# Variables below are injected from the `.env` file +hq.base.url=https://${INTEL_FQDN} +hq.collab.url=https://${COLLAB_FQDN} +hq.collab.secret=${INTEL_SECRET} + # Fill in values specific to your deployment -hq.base.url=https:// -hq.collab.url=https://your-collab-server-fqdn -hq.collab.secret= -# THE LINE BELOW IS NOT NEEDED WITH SINGLE TENANT -#hq.sso.tenants=github,gitlab +# If you want to run with multiple SSO providers, add their names separated with commas +hq.sso.tenants=github + # GitHub SSO hq.sso.github.provider=github hq.sso.github.label=GitHub hq.sso.github.client.id= hq.sso.github.client.secret= -hq.sso.github.redirect.uri=https:///api/v1/auth/sso/success/insights +hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights hq.sso.github.auth.uri=https://github.com/login/oauth/authorize hq.sso.github.token.uri=https://github.com/login/oauth/access_token hq.sso.github.info.uri=https://api.github.com/user hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks hq.sso.github.logout.uri=https://github.com/logout -# hq.sso.gitlab.provider=gitlab -# hq.sso.gitlab.label=Gitlab test -# hq.sso.gitlab.client.id= -# hq.sso.gitlab.client.secret= -# hq.sso.gitlab.client.issuer.url=https://gitlab.com -# hq.sso.gitlab.azure.redirect.uri=https:///api/v1/auth/sso/success/insights - # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra diff --git a/compose/nginx/nginx.conf b/compose/nginx/nginx.conf.template similarity index 89% rename from compose/nginx/nginx.conf rename to compose/nginx/nginx.conf.template index c2f1f24..85f1068 100644 --- a/compose/nginx/nginx.conf +++ b/compose/nginx/nginx.conf.template @@ -1,6 +1,7 @@ events { worker_connections 1024; } + http { include mime.types; default_type application/octet-stream; 
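Review bot: `hq.sso.github.client.secret=` stays as a literal in this committed properties file while `hq.collab.secret` moved to `${INTEL_SECRET}`; the OAuth client secret is at least as sensitive and could use the same `${...}` injection (for example a constructed `GITHUB_CLIENT_SECRET` entry added to `.env-template`), provided the Intel service resolves placeholders from its environment as the new header comment claims — that resolver is not visible in this diff, and Compose does not substitute inside mounted files, so the comment should say who expands them. The removed GitLab block was the only example of the per-provider keys (`provider`, `label`, `client.id`, `client.secret`, `client.issuer.url`, redirect URI); since the new comment now invites comma-separated multi-tenant setups, keeping a short commented second-provider example would preserve that documentation.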
@@ -8,12 +9,12 @@ http { keepalive_timeout 65; server { listen 443 ssl http2; - server_name ; + server_name ${COLLAB_FQDN}; proxy_buffer_size 128k; proxy_buffers 4 256k; - ssl_certificate ; - ssl_certificate_key ; - ssl_dhparam ; + ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; @@ -22,7 +23,6 @@ http { set $realIP $remote_addr; set $forwardTo $proxy_add_x_forwarded_for; set $reqHost $http_host; - client_max_body_size 32M; if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; } @@ -47,7 +47,7 @@ http { } } server { - server_name ; + server_name ${INTEL_FQDN}; listen 443 ssl http2; # configure proxy buffer sizes @@ -55,9 +55,9 @@ http { proxy_buffers 4 256k; # setup the SSL certificate - ssl_certificate ; - ssl_certificate_key ; - ssl_dhparam ; + ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; @@ -69,6 +69,7 @@ http { set $realIP $remote_addr; set $forwardTo $proxy_add_x_forwarded_for; set $reqHost $http_host; + client_max_body_size 32M; if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; } @@ -91,4 +92,4 @@ http { proxy_send_timeout 360; } } -} +} \ No newline at end of file
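Review bot: `client_max_body_size 32M;` is removed from the Collab server block in `@@ -22,7 +23,6 @@` and added to the Intel block in `@@ -69,6 +69,7 @@`, which is a behaviour change unrelated to the templating: Collab requests now fall back to nginx's 1m default and larger uploads will get 413 responses, while Intel's limit rises. If the move is intended, the commit message should say so, and setting the directive once at the `http` level would cover both vhosts without the per-server duplication; if it is not, restore the line in the first block. Both server blocks are wider than the hunks shown.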