diff --git a/charts/collab/README.md b/charts/collab/README.md index 621f5a5..f235f45 100644 --- a/charts/collab/README.md +++ b/charts/collab/README.md @@ -36,11 +36,6 @@ The following table lists configurable parameters of the CodeTogether Collab cha | `codetogether.noclients` | Disables the `/clients` endpoint if set to `true` | `false` | | `codetogether.timeZone.enabled` | Enables a customized time zone for the container | `false` | | `codetogether.timeZone.region` | Time zone region for the container | `America/Chicago` | -| `direct.metrics.statsdEnabled` | Enables StatsD metrics collection | `false` | -| `direct.metrics.statsdHost` | Host for StatsD metrics | `https://my-graphite-fqdn` | -| `direct.metrics.statsdPort` | Port for StatsD metrics | `8125` | -| `direct.metrics.statsdProtocol` | Protocol for StatsD metrics | `UDP` | -| `direct.metrics.prometheusEnabled` | Enables Prometheus metrics collection | `false` | | `locatorCentral.database.host` | Host for locator-central database | `10.10.0.2` | | `locatorCentral.database.port` | Port for locator-central database | `3306` | | `locatorCentral.database.schema` | Schema name for locator-central database | `codetogether` | diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 7c08ca3..689f562 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml @@ -99,6 +99,10 @@ spec: {{- if eq .Values.codetogether.mode "locator-edge" }} - name: CT_LOCATOR value: {{ .Values.locatorEdge.locator | quote }} + {{- if .Values.locatorEdge.locatorLan }} + - name: CT_LOCATOR_INTERNAL + value: {{ .Values.locatorEdge.locatorLan | quote }} + {{- end }} - name: CT_REGION value: {{ .Values.locatorEdge.region | quote }} {{- end }} diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index 04a4d89..b05bde9 100644 --- a/charts/collab/values.yaml +++ b/charts/collab/values.yaml 
@@ -117,6 +117,9 @@ locatorCentral: locatorEdge: # URL that the Locator is listening on. locator: "https://codetogether.locator" + # Internal k8s url for the locator service. + # Optional - If not set k8s dns need to know how to resolve the locator url. + # locatorLan: "http://..svc.cluster.local:443" # Optional region which can have CIDR IP address regions assigned to # allowing regional routing of requests. Only enable if deploying # CodeTogether to multiple regional data centers. diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index a63a302..23c312a 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,8 +3,8 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.3 -appVersion: "2025.1.0" +version: 1.2.5 +appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png home: https://www.codetogether.com diff --git a/charts/intel/templates/ai-config.yaml b/charts/intel/templates/ai-config.yaml new file mode 100644 index 0000000..763fedb --- /dev/null +++ b/charts/intel/templates/ai-config.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: ai-config + namespace: {{ .Release.Namespace }} +data: + ai_provider: {{ .Values.ai.provider | quote }} + ai_url: {{ .Values.ai.url | quote }} +{{- end }} + diff --git a/charts/intel/templates/ai-external-secret.yaml b/charts/intel/templates/ai-external-secret.yaml new file mode 100644 index 0000000..b01e8ad --- /dev/null +++ b/charts/intel/templates/ai-external-secret.yaml 
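Review bot: The commented example `# locatorLan: "http://..svc.cluster.local:443"` pairs a plain-http scheme with port 443 and leaves the service and namespace as an empty `..`, so anyone who uncomments it as-is gets a URL that cannot work, and the sentence above it ("k8s dns need to know") is hard to parse. Suggest `# locatorLan: "http://<service>.<namespace>.svc.cluster.local:<port>"` with `# Optional - if unset, cluster DNS must be able to resolve the public locator URL above.` Since this value is injected verbatim into `CT_LOCATOR_INTERNAL` by the deployment template, it is also worth one more sentence saying that the in-cluster edge→locator hop is unencrypted unless an https URL is given here.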
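Review bot: The ConfigMap gets the fixed name `ai-config` while the companion Secret template derives its name from `include "codetogether.fullname"`, so two releases of this chart in one namespace would fight over the same object and nothing ties it to its release. Suggest `name: {{ include "codetogether.fullname" . }}-ai-config` plus the chart's standard labels; the `configMapKeyRef` in deployment.yaml that consumes it is not fully visible in these hunks and would need the same name. Note also that `provider` is removed from values.yaml in this same commit, so with default values this renders `ai_provider: ""`.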
@@ -0,0 +1,12 @@
+{{- $extSecret := (index .Values.ai "externalSecret" | default dict) }}
+{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") (or (not $extSecret.name) $extSecret.create) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $extSecret.name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ apiKey: {{ $extSecret.apiKey | quote }}
+{{- end }}
+
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
index 9c0d7e0..8cdb59e 100644
--- a/charts/intel/templates/deployment.yaml
+++ b/charts/intel/templates/deployment.yaml
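Review bot: `apiKey: {{ $extSecret.apiKey | quote }}` renders an empty-string key when `externalSecret.apiKey` is unset, so a misconfigured release produces a Secret that looks valid and Intel then authenticates to the external provider with `""`. Failing the render is safer: `apiKey: {{ required "ai.externalSecret.apiKey is required when the chart creates the Secret" $extSecret.apiKey | quote }}`. A key passed this way also ends up in the Helm release secret and in every values file or CI log that carries it; a comment in values.yaml should point operators at pre-creating the Secret and setting `externalSecret.name` with `create: false`, which is the path this template already supports.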
@@ -28,38 +28,19 @@ spec: {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "bundled" }} - - name: codetogether-llm - image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" - imagePullPolicy: Always - ports: - - name: ai - containerPort: 8000 - protocol: TCP - resources: - requests: - cpu: {{ .Values.ai.resources.requests.cpu | quote }} - memory: {{ .Values.ai.resources.requests.memory | quote }} - limits: - cpu: {{ .Values.ai.resources.limits.cpu | quote }} - memory: {{ .Values.ai.resources.limits.memory | quote }} - {{- end }} - {{- end }} - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - - name: AI_MODE - value: {{ .Values.ai.mode | quote }} - {{- if eq .Values.ai.mode "bundled" }} - - name: AI_BUNDLED_URL - value: "http://codetogether-llm:8000" - {{- end }} - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "external" }} + - name: AI_MODE + value: {{ .Values.ai.mode | quote }} + {{- if eq .Values.ai.mode "bundled" }} + - name: AI_BUNDLED_URL + value: "http://localhost:8000" + {{- end }} + {{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} - name: AI_PROVIDER valueFrom: configMapKeyRef: 
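Review bot: `AI_MODE` and `AI_BUNDLED_URL` are now emitted unconditionally, while the `codetogether-llm` sidecar that would answer on localhost:8000 is only added when `ai.enabled` is true (its block is in a later hunk), so the chart's defaults (`enabled: false`, `mode: bundled`) hand the application `AI_BUNDLED_URL=http://localhost:8000` with nothing behind it. Unless the application treats the URL as inert when AI is off, wrap these two entries in `{{- if .Values.ai.enabled }}` … `{{- end }}` like the external-mode entries directly below them. The container spec continues past the end of this hunk.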
@@ -73,36 +54,47 @@ spec: - name: AI_EXTERNAL_API_KEY valueFrom: secretKeyRef: - name: ai-external-secret - key: api-key + name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name | quote }} + key: apiKey + {{- end }} + # Set CodeTogether runtime configuration + - name: CT_HQ_BASE_URL + value: {{ .Values.codetogether.url | quote }} + {{- if .Values.java.customCacerts.enabled }} + - name: CT_TRUST_STORE + value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts + {{- end }} + {{- if .Values.java.customJavaOptions }} + - name: CT_JAVA_OPTIONS + value: "{{ .Values.java.customJavaOptions | default "" }}" + {{- end }} + {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }} + - name: CT_TRUST_STORE_PASSWD + valueFrom: + secretKeyRef: + name: {{ .Values.java.customCacerts.cacertsSecretName }} + key: {{ .Values.java.customCacerts.trustStorePasswordKey }} + optional: true + {{- end }} + {{- if .Values.ai.enabled }} + - name: CT_HQ_OLLAMA_AI_URL + value: {{ if eq .Values.ai.mode "bundled" }} + "http://localhost:8000" + {{ else }} + {{ .Values.ai.url | quote }} + {{ end }} + - name: CT_HQ_OLLAMA_AI_MODEL_NAME + value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }} + - name: CT_HQ_OLLAMA_AI_API_KEY + {{- if eq .Values.ai.mode "bundled" }} + value: "apiKey" + {{- else }} + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name | quote }} + key: apiKey + {{- end }} {{- end }} - {{- end }} - # - # Set CodeTogether runtime configuration - # - - name: CT_HQ_BASE_URL - value: {{ .Values.codetogether.url | quote }} - {{- if .Values.java.customCacerts.enabled }} - - name: CT_TRUST_STORE - value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts - {{- end }} - - # Custom Java options (excluding trust store related settings) - {{- if .Values.java.customJavaOptions }} - - 
name: CT_JAVA_OPTIONS - value: "{{ .Values.java.customJavaOptions | default "" }}" - {{- end }} - - # Set trust store password only if trustStorePasswordKey is provided - {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }} - - name: CT_TRUST_STORE_PASSWD - valueFrom: - secretKeyRef: - name: {{ .Values.java.customCacerts.cacertsSecretName }} - key: {{ .Values.java.customCacerts.trustStorePasswordKey }} - optional: true - {{- end }} - volumeMounts: - name: properties-volume mountPath: /opt/codetogether/runtime/cthq.properties @@ -112,29 +104,20 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} - - # - # Set container configuration - # ports: - name: http containerPort: 1080 protocol: TCP - livenessProbe: - httpGet: - path: / - port: http initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} successThreshold: {{ .Values.livenessProbe.successThreshold }} failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - readinessProbe: httpGet: path: / port: http - + readinessProbe: initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} @@ -147,6 +130,19 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }} + - name: codetogether-llm + image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" + imagePullPolicy: Always + ports: + - name: ai + containerPort: 8000 + protocol: TCP + {{- if .Values.ai.resources }} + resources: + {{- toYaml .Values.ai.resources | nindent 12 }} + {{- end }} + {{- end }} volumes: - name: properties-volume secret: diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 04507b2..5587d5f 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml 
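Review bot: Both `secretKeyRef` entries read `.Values.ai.externalSecret.name` directly, but values.yaml in this commit defines no `externalSecret` map, so rendering with `ai.enabled=true` and `ai.mode=external` fails with a nil-pointer evaluation of `.name` unless the user supplies the whole map; the Secret template guards this with `index .Values.ai "externalSecret" | default dict`, and the deployment should use the same guard and a single shared name. The `CT_HQ_OLLAMA_AI_URL` value is built from a multi-line `{{ if }}`/`{{ else }}` inside the `value:` scalar, which leaves the quoted string on its own indented line surrounded by blank lines — valid YAML by luck; a `ternary` keeps it on one line. The hard-coded `value: "apiKey"` for bundled mode is a shared constant rather than a secret, which is fine only if the sidecar ignores it, so it deserves a comment saying so. The env block runs past the end of this hunk; the two `$` definitions below belong at the top of the template.

```yaml
{{- $extSecret := (index .Values.ai "externalSecret" | default dict) }}
{{- $aiSecretName := $extSecret.name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }}
# … unchanged: AI_PROVIDER / AI_URL configMapKeyRef entries …
          - name: AI_EXTERNAL_API_KEY
            valueFrom:
              secretKeyRef:
                name: {{ $aiSecretName | quote }}
                key: apiKey
# … unchanged: CT_HQ_BASE_URL, trust-store and Java option entries …
          - name: CT_HQ_OLLAMA_AI_URL
            value: {{ ternary "http://localhost:8000" .Values.ai.url (eq .Values.ai.mode "bundled") | quote }}
# … unchanged: CT_HQ_OLLAMA_AI_MODEL_NAME …
          - name: CT_HQ_OLLAMA_AI_API_KEY
            {{- if eq .Values.ai.mode "bundled" }}
            # placeholder: the bundled sidecar runs unauthenticated on localhost
            value: "apiKey"
            {{- else }}
            valueFrom:
              secretKeyRef:
                name: {{ $aiSecretName | quote }}
                key: apiKey
            {{- end }}
```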
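Review bot: The probe section reads wrong after this hunk: `livenessProbe:` and its `httpGet:` are deleted while the `{{ .Values.livenessProbe.* }}` timing lines stay as context, and the new `readinessProbe:` key lands after the `httpGet:` block instead of before it, so — if the collapsed rendering here is faithful — the liveness timings dangle under `ports:` and the readiness `httpGet` sits outside `readinessProbe:`, which the API server will reject or silently drop. If removing the liveness probe is intended, delete its timing lines too and keep the order `readinessProbe:` → `httpGet:` → timings; if it is not intended, this looks like a misplaced edit. Please confirm with `helm template … | kubectl apply --dry-run=server -f -`.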
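Review bot: The new `codetogether-llm` sidecar gets no `securityContext`, while the main container applies `.Values.securityContext`, so any non-root, read-only-rootfs or capability-drop policy the operator sets is silently not applied to the model server; add `securityContext:` / `{{- toYaml .Values.securityContext | nindent 12 }}` to it as well. `imagePullPolicy: Always` combined with the values default `tag: latest` means every pod restart may pull a different model-server build, which is hard to audit — pin a tag in values or fall back to `.Chart.AppVersion` as the main container does. There is also no readiness probe on port 8000, so the pod reports ready before the model server is; if the application tolerates that, a comment saying so would help.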
@@ -141,20 +141,16 @@ securityContext: {} ai: enabled: false mode: "bundled" # Options: bundled | external - provider: "ollama" # No OpenAI dependency - resources: - requests: - cpu: "2" - memory: "4Gi" - gpu: false - limits: - cpu: "4" - memory: "8Gi" - gpu: false image: - repository: registry.digitalocean.com/codetogether-registry/ai-summarization + repository: hub.edge.codetogether.com/releases/codetogether-llm tag: latest - +# resources: # Recommended resources configuration + # requests: + # cpu: "2" + # memory: "4Gi" + #limits: + # cpu: "4" + #memory: "4Gi" readinessProbe: initialDelaySeconds: 60 diff --git a/charts/live/README.md b/charts/live/README.md index 76048f3..b8cbf31 100644 --- a/charts/live/README.md +++ b/charts/live/README.md @@ -1,7 +1,10 @@ # README.md Helm Chart for CodeTogether Live +# CodeTogether Live Chart (Legacy) -## Summary +> **⚠️ Legacy Chart** +> This chart is now considered legacy and is not longer supported, is not recommended for new deployments. +## Summary This chart creates a CodeTogether Live server deployment on a Kubernetes cluster using the Helm package manager. ## Prerequisites diff --git a/compose/.env-template b/compose/.env-template index c88f162..82fa77c 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -39,10 +39,15 @@ COLLAB_FQDN=collab.example.com INTEL_FQDN=intel.example.com INTEL_SECRET=super-secret-string +# SSL cerfificate files should be placed in the `nginx/ssl` directory. SSL_COLLAB_CERT=ssl-collab.crt SSL_COLLAB_KEY=ssl-collab.key SSL_INTEL_CERT=ssl-intel.crt SSL_INTEL_KEY=ssl-intel.key -DHPARAM_PEM=dhparam.pem \ No newline at end of file +DHPARAM_PEM=dhparam.pem + +# Uncomment the following lines to enable AI integration with Ollama +#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 +#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b diff --git a/compose/.env-with-keycloak-template b/compose/.env-with-keycloak-template new file mode 100644 index 0000000..9662e99 --- /dev/null 
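Review bot: `provider` is removed from the `ai:` block, yet `ai-config.yaml` still reads `.Values.ai.provider`, and `deployment.yaml` now reads `.Values.ai.url`, `.Values.ai.modelName` and `.Values.ai.externalSecret.name`, none of which are declared here — so external mode renders an empty provider and, for `externalSecret`, fails with a nil-pointer error unless the user supplies the whole map. Declare the keys with safe defaults and say where the API key should come from (a pre-created Secret, not a values file). The commented `resources` block also has inconsistent `#` placement (`#limits:`, `#memory:`) so it cannot simply be uncommented.

```yaml
ai:
  enabled: false
  mode: "bundled" # Options: bundled | external
  provider: "ollama"       # external mode only; written to the ai-config ConfigMap
  url: ""                  # external mode only: base URL of the provider endpoint
  modelName: "gemma3:1b"
  externalSecret:
    name: ""               # existing Secret holding key `apiKey`; empty lets the chart create one
    create: true           # set false when `name` points at a pre-created Secret
    apiKey: ""             # only used when the chart creates the Secret; prefer a pre-created one
  image:
    repository: hub.edge.codetogether.com/releases/codetogether-llm
    tag: latest            # pin to a release tag for reproducible deployments
  # resources:             # Recommended resources configuration
  #   requests:
  #     cpu: "2"
  #     memory: "4Gi"
  #   limits:
  #     cpu: "4"
  #     memory: "4Gi"
```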
+++ b/compose/.env-with-keycloak-template 
@@ -0,0 +1,63 @@ +############################################################################### +# CodeTogether – Environment Template +# ----------------------------------------------------------------------------- +# 1. Copy this file to `.env` in the same directory as `compose.yaml`. +# 2. Replace the placeholders on the right‑hand side with your real values. +# 3. Place all SSL certificates and Diffie‑Hellman parameters in the +# `nginx/ssl` directory. +# 4. Configure your SSO provider in the `cthq.properties` file. +# 5. Run `docker‑compose up -d` to start the containers. +# +# Variables (all required unless stated otherwise) +# ---------------------------------------------- +# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the +# Collab service (e.g. collab.example.com). +# +# INTEL_FQDN Public hostname (FQDN) for the Intel service +# (e.g. intel.example.com). +# +# INTEL_SECRET Shared secret Collab uses to authenticate when +# communicating with the Intel service. Use a strong, +# private value. +# +# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab +# virtual host (e.g. ssl-collab.crt). +# +# SSL_COLLAB_KEY Private key filename for the Collab certificate +# (e.g. ssl-collab.key). +# +# SSL_INTEL_CERT Certificate filename for the Intel virtual host +# (e.g. ssl-intel.crt). +# +# SSL_INTEL_KEY Private key filename for the Intel certificate +# (e.g. ssl-intel.key). +# +# DHPARAM_PEM Diffie‑Hellman parameters file (e.g. dhparam.pem). +############################################################################### + +COLLAB_FQDN=collab.example.com +INTEL_FQDN=intel.example.com +INTEL_SECRET=super-secret-string + +# SSL cerfificate files should be placed in the `nginx/ssl` directory. 
+SSL_COLLAB_CERT=ssl-collab.crt +SSL_COLLAB_KEY=ssl-collab.key + +SSL_INTEL_CERT=ssl-intel.crt +SSL_INTEL_KEY=ssl-intel.key + +DHPARAM_PEM=dhparam.pem + +KEYCLOAK_FQDN=keycloak.example.com +SSL_KEYCLOAK_CERT=ssl-keycloak.crt +SSL_KEYCLOAK_KEY=ssl-keycloak.key + +KEYCLOAK_DB_USERNAME=keycloak +KEYCLOAK_DB_PASSWORD=keycloak + +KEYCLOAK_ADMIN_PASSWORD=keycloak +KEYCLOAK_ADMIN=admin + +# Uncomment the following lines to enable AI integration with Ollama +#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 +#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b diff --git a/compose/.gitignore b/compose/.gitignore new file mode 100644 index 0000000..cdb441f --- /dev/null +++ b/compose/.gitignore @@ -0,0 +1,10 @@ +data/ +nginx/log/ +nginx/ssl/*.key +nginx/ssl/*.pem +nginx/ssl/*.crt +keycloak/nginx/log/*.log +keycloak/nginx/ssl/*.key +keycloak/nginx/ssl/*.pem +keycloak/nginx/ssl/*.crt +.env \ No newline at end of file diff --git a/compose/compose.ai.yaml b/compose/compose.ai.yaml new file mode 100644 index 0000000..d3ef932 --- /dev/null +++ b/compose/compose.ai.yaml @@ -0,0 +1,13 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed +services: + ai: + image: hub.edge.codetogether.com/releases/codetogether-llm:latest + container_name: codetogether-llm + ports: + - "8000:8000" + networks: + - codetogethernet + depends_on: + codetogether-intel: + condition: service_healthy \ No newline at end of file diff --git a/compose/keycloak/.env-template b/compose/keycloak/.env-template new file mode 100644 index 0000000..5127bae --- /dev/null +++ b/compose/keycloak/.env-template @@ -0,0 +1,9 @@ +KEYCLOAK_FQDN=keycloak.example.com +SSL_KEYCLOAK_CERT=ssl-keycloak.crt +SSL_KEYCLOAK_KEY=ssl-keycloak.key + +KEYCLOAK_DB_USERNAME=keycloak +KEYCLOAK_DB_PASSWORD=keycloak + +KEYCLOAK_ADMIN_PASSWORD=keycloak +KEYCLOAK_ADMIN=admin \ No newline at end of file 
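Review bot: The Keycloak variables ship with working-looking values — `KEYCLOAK_DB_PASSWORD=keycloak`, `KEYCLOAK_ADMIN_PASSWORD=keycloak`, `KEYCLOAK_ADMIN=admin` — rather than obvious placeholders, and they are absent from the header's "Variables" list that tells the reader what must be replaced; because the compose files reuse `KEYCLOAK_DB_PASSWORD` as the MySQL root password, a template copied to `.env` without edits yields a root-equivalent database and a Keycloak admin account both protected by the word `keycloak`. Use values that fail loudly, e.g. `KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME_LONG_RANDOM_VALUE`, and add the five `KEYCLOAK_*` entries to the header. Minor: `cerfificate` → `certificate`, and the hyphen in `docker‑compose up -d` appears to be the non-breaking U+2011 used elsewhere in the header (as in `Diffie‑Hellman`), which will not paste into a shell.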
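Review bot: `ports: - "8000:8000"` publishes the model server on every host interface, but the only consumer visible here is Intel reaching it as `http://codetogether-llm:8000` over `codetogethernet`, so the publish is unnecessary and exposes an endpoint with no authentication visible in this repo to the host's network; drop the `ports:` entry (or use `expose: - "8000"`, or bind `"127.0.0.1:8000:8000"` if local debugging is the goal). The `depends_on` direction also looks inverted — Intel is the client of the LLM, yet the LLM waits for Intel to be healthy — which is harmless but suggests the reverse was intended; worth confirming. Like the Helm chart, this pins `:latest` for a component whose output feeds the application.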
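Review bot: Same concern as the combined template: `KEYCLOAK_DB_PASSWORD=keycloak` and `KEYCLOAK_ADMIN_PASSWORD=keycloak` are plausible values rather than placeholders, and the compose files instruct the reader to rename this file to `.env` verbatim. Use something that cannot be used by accident (`KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME`) and add a one-line comment that the DB password also becomes the MySQL root password in `compose-keycloak*.yaml`.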
diff --git a/compose/keycloak/compose-keycloak-no-nginx.yaml b/compose/keycloak/compose-keycloak-no-nginx.yaml new file mode 100644 index 0000000..883a88d --- /dev/null +++ b/compose/keycloak/compose-keycloak-no-nginx.yaml 
@@ -0,0 +1,76 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+ # Relational database for Keycloak (optional)
+ codetogether-mysql:
+ image: mysql:8.0
+ container_name: codetogether-mysql
+ restart: unless-stopped
+ env_file:
+ - .env
+ environment:
+ MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ MYSQL_DATABASE: keycloak
+ MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
+ MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ volumes:
+ - mysql_data:/var/lib/mysql
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 30
+
+ # Keycloak service (optional)
+ codetogether-keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ container_name: codetogether-keycloak
+ env_file:
+ - .env
+ depends_on:
+ codetogether-mysql:
+ condition: service_healthy
+ command:
+ - "start"
+ environment:
+ # Admin credentials
+ KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+ # Database connectivity
+ KC_DB: mysql
+ KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+ KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ KC_DB_URL_HOST: codetogether-mysql
+
+ # Feature flags & observability
+ KC_FEATURES: token-exchange
+ KC_HEALTH_ENABLED: "true"
+ KC_METRICS_ENABLED: "true"
+
+ # Reverse‑proxy / HTTP
+ KC_HTTP_ENABLED: "true"
+ KC_PROXY: edge
+ KC_PROXY_HEADERS: xforwarded
+ KC_HOSTNAME_STRICT: "false"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+ KC_HOSTNAME: ${KEYCLOAK_FQDN}
+ KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
+ KC_HTTP_PORT: 8080
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 30s
+
+volumes:
+ mysql_data:
+
+networks:
+ codetogethernet:
+ driver: bridge
\ No newline at end of file
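Review bot: `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}` gives the MySQL root account the same password as the Keycloak application user, so the separate `MYSQL_USER` buys nothing, and `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}` silently falls back to root while `MYSQL_USER` has no default — an unset `KEYCLOAK_DB_USERNAME` therefore creates an empty-named MySQL user and connects Keycloak as root. Use a distinct `KEYCLOAK_DB_ROOT_PASSWORD` (or `MYSQL_RANDOM_ROOT_PASSWORD: "yes"`) and make the username required: `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:?KEYCLOAK_DB_USERNAME must be set}`. `KC_PROXY_HEADERS: xforwarded` together with `KC_HOSTNAME_STRICT: "false"` makes Keycloak trust `X-Forwarded-*` and `Host` from anything that reaches port 8080, which is only acceptable because nothing publishes that port here — a comment should say so. `KC_PROXY` is the older form of the same proxy setting and `KC_HOSTNAME_STRICT_HTTPS` belongs to the previous hostname options; with `image: …keycloak:latest` a future pull may reject or ignore them, so pin a Keycloak version and keep the option set that matches it.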
diff --git a/compose/keycloak/compose-keycloak.yaml b/compose/keycloak/compose-keycloak.yaml new file mode 100644 index 0000000..f842905 --- /dev/null +++ b/compose/keycloak/compose-keycloak.yaml 
@@ -0,0 +1,95 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed +services: + # Relational database for Keycloak (optional) + codetogether-mysql: + image: mysql:8.0 + container_name: codetogether-mysql + restart: unless-stopped + env_file: + - .env + environment: + MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + MYSQL_DATABASE: keycloak + MYSQL_USER: ${KEYCLOAK_DB_USERNAME} + MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + volumes: + - mysql_data:/var/lib/mysql + networks: + - codetogethernet + healthcheck: + test: ["CMD", "mysqladmin", "ping", "-h", "localhost"] + interval: 10s + timeout: 10s + retries: 30 + # Nginx reverse proxy for Keycloak (optional) + codetogether-keycloak-nginx: + image: nginx:latest + container_name: codetogether-keycloak-nginx + env_file: + - .env + environment: + - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx + ports: + - "443:443" + volumes: + - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro + - ./nginx/ssl:/etc/nginx/ssl + - ./nginx/log:/var/log/nginx + networks: + - codetogethernet + depends_on: + codetogether-keycloak: + condition: service_healthy + + # Keycloak service (optional) + codetogether-keycloak: + image: quay.io/keycloak/keycloak:latest + container_name: codetogether-keycloak + env_file: + - .env + depends_on: + codetogether-mysql: + condition: service_healthy + command: + - "start" + environment: + # Admin credentials + KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} + KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + + # Database connectivity + KC_DB: mysql + KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root} + KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + KC_DB_URL_HOST: codetogether-mysql + + # Feature flags & observability + KC_FEATURES: token-exchange + KC_HEALTH_ENABLED: "true" + KC_METRICS_ENABLED: "true" + + # Reverse‑proxy / HTTP + KC_HTTP_ENABLED: "true" + KC_PROXY: edge + KC_PROXY_HEADERS: xforwarded + KC_HOSTNAME_STRICT: "false" + KC_HOSTNAME_STRICT_HTTPS: "false" 
+ KC_HOSTNAME: ${KEYCLOAK_FQDN} + KC_FRONTEND_URL: https://${KEYCLOAK_FQDN} + KC_HTTP_PORT: 8080 + networks: + - codetogethernet + healthcheck: + test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 30s + +volumes: + mysql_data: + +networks: + codetogethernet: + driver: bridge \ No newline at end of file diff --git a/compose/keycloak/nginx/log/placeholder.txt b/compose/keycloak/nginx/log/placeholder.txt new file mode 100644 index 0000000..e69de29 diff --git a/compose/keycloak/nginx/nginx.conf.template b/compose/keycloak/nginx/nginx.conf.template new file mode 100644 index 0000000..e48b298 --- /dev/null +++ b/compose/keycloak/nginx/nginx.conf.template 
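Review bot: The Keycloak healthcheck `echo > /dev/tcp/localhost/8080 || exit 1` only proves the port accepts connections, so compose marks the container healthy while Keycloak is still running migrations and nginx (`depends_on … service_healthy`) starts proxying to a half-started instance; with `KC_HEALTH_ENABLED: "true"` a readiness request to `/health/ready` (on the management port, 9000 on recent releases) is the check that actually means ready. The nginx container mounts `./nginx/ssl:/etc/nginx/ssl` read-write although the template mount next to it is `:ro` — add `:ro` so a compromised proxy cannot rewrite the private keys. `restart: unless-stopped` is set on MySQL but not on Keycloak or nginx, so a host reboot brings the database back without its IdP. The credential defaults (`MYSQL_ROOT_PASSWORD` reused as the application password, `KC_DB_USERNAME` defaulting to root) are the same as in the no-nginx variant and should be fixed in both.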
@@ -0,0 +1,57 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ server {
+ server_name ${KEYCLOAK_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+ # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-keycloak:8080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+}
\ No newline at end of file
diff --git a/compose/keycloak/nginx/ssl/placeholder.txt b/compose/keycloak/nginx/ssl/placeholder.txt new file mode 100644
index 0000000..e69de29
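Review bot: The `if ($http_x_real_ip != '')` and `if ($http_x_forwarded_for != '')` blocks let any client overwrite the `X-Real-IP` and `X-Forwarded-For` values that Keycloak is configured (`KC_PROXY_HEADERS: xforwarded`) to trust, so a caller can choose the source address Keycloak records in login events and uses for brute-force detection and IP-based policies. Unless this nginx itself sits behind a trusted proxy, delete the two `if` blocks and the `set` lines and send `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`; if there is an upstream proxy, declare it with `set_real_ip_from` / `real_ip_header X-Forwarded-For` so only its addresses are honoured. Smaller items: `ssl_protocols TLSv1.2;` excludes TLS 1.3 (`ssl_protocols TLSv1.2 TLSv1.3;`), the `DHE-RSA-*` suites in `ssl_ciphers` are disabled while `ssl_dhparam` stays commented out, `Connection "upgrade"` is forced on every proxied request instead of being mapped from `$http_upgrade`, and the comments still describe the upstream as the "CodeTogether Intel container".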
diff --git a/compose/nginx/ssl/nginx-with-keycloak.conf.template b/compose/nginx/ssl/nginx-with-keycloak.conf.template new file mode 100644 index 0000000..20260b7 --- /dev/null +++ b/compose/nginx/ssl/nginx-with-keycloak.conf.template 
@@ -0,0 +1,143 @@ +### To use this file rename it to nginx.conf.template so it is picked up by the compose.yml file. +events { + worker_connections 1024; +} + +http { + include mime.types; + default_type application/octet-stream; + sendfile on; + keepalive_timeout 65; + server { + listen 443 ssl http2; + server_name ${COLLAB_FQDN}; + proxy_buffer_size 128k; + proxy_buffers 4 256k; + ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + location / { + # Similar proxy logic for headers + set $realIP $remote_addr; + set $forwardTo $proxy_add_x_forwarded_for; + set $reqHost $http_host; + if ($http_x_real_ip != '') { + set $realIP $http_x_real_ip; + } + if ($http_x_forwarded_for != '') { + set $forwardTo $http_x_forwarded_for; + } + add_header C-Real-IP $realIP; + add_header C-Forwarded-For $forwardTo; + add_header C-Request-Host $reqHost; + proxy_set_header X-Real-IP $realIP; + proxy_set_header X-Forwarded-For $forwardTo; + proxy_set_header Host $reqHost; + proxy_set_header X-NginX-Proxy true; + proxy_http_version 1.1; + proxy_redirect off; + proxy_pass http://codetogether-collab:1080; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 360; + proxy_connect_timeout 360; + proxy_send_timeout 360; + } + } + server { + server_name ${INTEL_FQDN}; + listen 443 ssl http2; + + # configure proxy buffer sizes + proxy_buffer_size 128k; + proxy_buffers 4 256k; + + # setup the SSL certificate + ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY}; + ssl_dhparam 
/etc/nginx/ssl/${DHPARAM_PEM}; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + # create the passthrough to the CodeTogether Intel container + location / { + + # set passthru parameters for the CodeTogether Intel container + set $realIP $remote_addr; + set $forwardTo $proxy_add_x_forwarded_for; + set $reqHost $http_host; + client_max_body_size 32M; + if ($http_x_real_ip != '') { + set $realIP $http_x_real_ip; + } + if ($http_x_forwarded_for != '') { + set $forwardTo $http_x_forwarded_for; + } + proxy_set_header X-Real-IP $realIP; + proxy_set_header X-Forwarded-For $forwardTo; + proxy_set_header Host $reqHost; + + # setup the backend to service the HQ requests + proxy_pass http://codetogether-intel:1080; + proxy_set_header X-NginX-Proxy true; + proxy_http_version 1.1; + proxy_redirect off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 360; + proxy_connect_timeout 360; + proxy_send_timeout 360; + } + } + server { + server_name ${KEYCLOAK_FQDN}; + listen 443 ssl http2; + + # configure proxy buffer sizes + proxy_buffer_size 128k; + proxy_buffers 4 256k; + + # setup the SSL certificate + ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY}; + # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; + ssl_prefer_server_ciphers on; + ssl_protocols TLSv1.2; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + + # create the passthrough to the CodeTogether Intel container + location / { + + # set passthru parameters for the CodeTogether 
Intel container + set $realIP $remote_addr; + set $forwardTo $proxy_add_x_forwarded_for; + set $reqHost $http_host; + client_max_body_size 32M; + if ($http_x_real_ip != '') { + set $realIP $http_x_real_ip; + } + if ($http_x_forwarded_for != '') { + set $forwardTo $http_x_forwarded_for; + } + proxy_set_header X-Real-IP $realIP; + proxy_set_header X-Forwarded-For $forwardTo; + proxy_set_header Host $reqHost; + proxy_set_header X-Forwarded-Proto https; + + # setup the backend to service the HQ requests + proxy_pass http://codetogether-keycloak:8080; + proxy_set_header X-NginX-Proxy true; + proxy_http_version 1.1; + proxy_redirect off; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 360; + proxy_connect_timeout 360; + proxy_send_timeout 360; + } + } +} \ No newline at end of file
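Review bot: All three server blocks carry the client-controlled `X-Real-IP`/`X-Forwarded-For` pass-through (`if ($http_x_forwarded_for != '') { set $forwardTo $http_x_forwarded_for; }`), which matters most for the `${KEYCLOAK_FQDN}` block because Keycloak trusts those headers for event logging and brute-force protection; prefer `$remote_addr` and `$proxy_add_x_forwarded_for` unless a trusted upstream proxy is declared with `set_real_ip_from`. The Collab block additionally echoes `C-Real-IP`, `C-Forwarded-For` and `C-Request-Host` back to the browser via `add_header`, disclosing proxy-chain details for no purpose visible here. The header comment says to rename this file to `nginx.conf.template`, but it lives under `nginx/ssl/` while the keycloak compose mounts `./nginx/nginx.conf.template`; if the main compose does the same, the file must be moved up one directory, not just renamed. Finally, the Keycloak block comments out `ssl_dhparam` while the Collab and Intel blocks use it, so its `DHE-RSA-*` suites are inert and the TLS posture differs between the three virtual hosts for no stated reason.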