From ca1b56038dcb49713158389f2b0a4d3f17e01345 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Wed, 7 May 2025 19:53:23 +0200 Subject: [PATCH 01/31] fix: separate SSL certificates (#101) --- compose/nginx/nginx.conf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/compose/nginx/nginx.conf b/compose/nginx/nginx.conf index c2f1f24..b5a33eb 100644 --- a/compose/nginx/nginx.conf +++ b/compose/nginx/nginx.conf @@ -11,8 +11,8 @@ http { server_name ; proxy_buffer_size 128k; proxy_buffers 4 256k; - ssl_certificate ; - ssl_certificate_key ; + ssl_certificate ; + ssl_certificate_key ; ssl_dhparam ; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; @@ -55,8 +55,8 @@ http { proxy_buffers 4 256k; # setup the SSL certificate - ssl_certificate ; - ssl_certificate_key ; + ssl_certificate ; + ssl_certificate_key ; ssl_dhparam ; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; From b64df4601010e38f1f9e9f64b24889bfdf411b43 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 8 May 2025 14:02:03 -0600 Subject: [PATCH 02/31] fix: Set environment variables via .env file. (#99) * Set environment variables via .env file. * Missing change * Change how hostnames and secret are set. * changes for env template * add env variable resolver on sso redirect value --- compose/.env-template | 22 ++++++++++++++++++++++ compose/compose.yaml | 9 ++++----- compose/cthq.properties | 13 +++++++------ 3 files changed, 33 insertions(+), 11 deletions(-) create mode 100644 compose/.env-template diff --git a/compose/.env-template b/compose/.env-template new file mode 100644 index 0000000..64d7d60 --- /dev/null +++ b/compose/.env-template 
@@ -0,0 +1,22 @@ +############################################################################### +# CodeTogether – Environment Template +# ----------------------------------------------------------------------------- +# 1. Copy this file to `.env` in the same directory as `compose.yaml`. +# 2. Replace the placeholders on the right‑hand side with your real values. +# +# Variables +# --------- +# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the Collab +# service (e.g. collab.example.com). +# +# INTEL_FQDN Public hostname (FQDN) for the Intel service +# (e.g. intel.example.com). +# +# INTEL_SECRET Shared secret Collab uses to authenticate when authenticating +# communication with the intel service. +# Use a strong, private value. +############################################################################### + +COLLAB_FQDN=collab.example.com +INTEL_FQDN=intel.example.com +INTEL_SECRET=super-secret-string \ No newline at end of file diff --git a/compose/compose.yaml b/compose/compose.yaml index 8d3b95b..cd52345 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -1,12 +1,13 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed services: codetogether-collab: image: hub.edge.codetogether.com/releases/codetogether-collab:latest container_name: codetogether-collab environment: - # your collab/pair programming server URL - - CT_SERVER_URL=https://your-collab-server-fqdn + - CT_SERVER_URL=https://${COLLAB_FQDN} - CT_INTEL_URL=http://codetogether-intel:1080 - - CT_INTEL_SECRET=your-collab-intel-secret + - CT_INTEL_SECRET=${INTEL_SECRET} - CT_AV_ENABLED=false - CT_AV_LAN_IP=auto networks: @@ -31,8 +32,6 @@ services: codetogether-intel: image: hub.edge.codetogether.com/releases/codetogether-intel:latest container_name: codetogether-intel - environment: - - CT_HQ_BASE_URL=https://your-intel-server-fqdn networks: - codetogethernet volumes: 
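Review bot: `INTEL_SECRET=super-secret-string` ships a working-looking value in the template, so a deployment that skips step 2 comes up with a guessable shared secret instead of failing. Leave the value empty in the template (`INTEL_SECRET=`) and let compose refuse to start without it; the template's own comment already asks for a strong private value. If the repository does not already ignore the copied `.env`, that entry belongs in `.gitignore` alongside this template, since the file now carries the shared secret.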
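Review bot: `CT_INTEL_SECRET=${INTEL_SECRET}` and `CT_SERVER_URL=https://${COLLAB_FQDN}` expand to an empty string when the variable is missing from `.env`, so a misconfigured deployment starts with an empty shared secret rather than failing. Compose's required-variable form makes the omission fatal: `- CT_INTEL_SECRET=${INTEL_SECRET:?INTEL_SECRET must be set in .env}` and `- CT_SERVER_URL=https://${COLLAB_FQDN:?COLLAB_FQDN must be set in .env}`. The same applies to the `${INTEL_FQDN}` reference that a later patch in this series adds for `CT_HQ_BASE_URL`.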
diff --git a/compose/cthq.properties b/compose/cthq.properties index 1afe6b6..5c6e13c 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -1,8 +1,9 @@ -# Fill in values specific to your deployment -hq.base.url=https:// -hq.collab.url=https://your-collab-server-fqdn -hq.collab.secret= +# Variables below are injected from the `.env` file +hq.base.url=https://${INTEL_FQDN} +hq.collab.url=https://${COLLAB_FQDN} +hq.collab.secret=${INTEL_SECRET} +# Fill in values specific to your deployment # THE LINE BELOW IS NOT NEEDED WITH SINGLE TENANT #hq.sso.tenants=github,gitlab # GitHub SSO @@ -10,7 +11,7 @@ hq.sso.github.provider=github hq.sso.github.label=GitHub hq.sso.github.client.id= hq.sso.github.client.secret= -hq.sso.github.redirect.uri=https:///api/v1/auth/sso/success/insights +hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights hq.sso.github.auth.uri=https://github.com/login/oauth/authorize hq.sso.github.token.uri=https://github.com/login/oauth/access_token hq.sso.github.info.uri=https://api.github.com/user @@ -22,7 +23,7 @@ hq.sso.github.logout.uri=https://github.com/logout # hq.sso.gitlab.client.id= # hq.sso.gitlab.client.secret= # hq.sso.gitlab.client.issuer.url=https://gitlab.com -# hq.sso.gitlab.azure.redirect.uri=https:///api/v1/auth/sso/success/insights +# hq.sso.gitlab.azure.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA From 2c6b2878a0faddbb3a8b9c69388d691db883aa5a Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Sat, 10 May 2025 15:02:51 +0200 Subject: [PATCH 03/31] fix: add env_file to codetogether-intel (#105) --- compose/compose.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/compose/compose.yaml b/compose/compose.yaml index cd52345..ca9dba9 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml 
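Review bot: The second hunk derives `hq.sso.github.redirect.uri` from `${INTEL_FQDN}`, but the `hq.sso.github.client.secret=` line right above it stays a literal in a tracked file, so the OAuth client secret will be committed once an operator fills it in. The first hunk already establishes the pattern of pulling secrets from `.env` (`hq.collab.secret=${INTEL_SECRET}`); if the application's placeholder resolver accepts arbitrary names, `hq.sso.github.client.secret=${GITHUB_CLIENT_SECRET}` with a matching entry in `.env-template` keeps the property file free of credentials. Whether the resolver handles names other than the three introduced here is not visible in the diff and should be confirmed before relying on it.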
@@ -32,6 +32,8 @@ services: codetogether-intel: image: hub.edge.codetogether.com/releases/codetogether-intel:latest container_name: codetogether-intel + env_file: + - .env networks: - codetogethernet volumes: From 26058432b12b7550e3ba3f607708fa739cee4957 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 10:57:26 +0200 Subject: [PATCH 04/31] fix: missing CT_HQ_BASE_URL env var (#107) --- compose/compose.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/compose/compose.yaml b/compose/compose.yaml index ca9dba9..27c3e94 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -34,6 +34,8 @@ services: container_name: codetogether-intel env_file: - .env + environment: + - CT_HQ_BASE_URL=https://${INTEL_FQDN} networks: - codetogethernet volumes: @@ -73,4 +75,4 @@ services: retries: 70 networks: codetogethernet: - driver: bridge \ No newline at end of file + driver: bridge From fb116eed6e85790ec73719237b91d108c0f1c81d Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 12:25:43 +0200 Subject: [PATCH 05/31] feat: nginx auto config (#109) --- compose/.env-template | 45 ++++++++++++++----- compose/compose.yaml | 6 ++- .../nginx/{nginx.conf => nginx.conf.template} | 19 ++++---- 3 files changed, 50 insertions(+), 20 deletions(-) rename compose/nginx/{nginx.conf => nginx.conf.template} (88%) diff --git a/compose/.env-template b/compose/.env-template index 64d7d60..9acc048 100644 --- a/compose/.env-template +++ b/compose/.env-template 
@@ -3,20 +3,45 @@ # ----------------------------------------------------------------------------- # 1. Copy this file to `.env` in the same directory as `compose.yaml`. # 2. Replace the placeholders on the right‑hand side with your real values. +# 3. Place all SSL certificates and Diffie‑Hellman parameters in the +# `nginx/ssl` directory. +# 4. Run `docker‑compose up -d` to start the containers. # -# Variables -# --------- -# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the Collab -# service (e.g. collab.example.com). +# Variables (all required unless stated otherwise) +# ---------------------------------------------- +# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the +# Collab service (e.g. collab.example.com). # -# INTEL_FQDN Public hostname (FQDN) for the Intel service -# (e.g. intel.example.com). +# INTEL_FQDN Public hostname (FQDN) for the Intel service +# (e.g. intel.example.com). # -# INTEL_SECRET Shared secret Collab uses to authenticate when authenticating -# communication with the intel service. -# Use a strong, private value. +# INTEL_SECRET Shared secret Collab uses to authenticate when +# communicating with the Intel service. Use a strong, +# private value. +# +# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab +# virtual host (e.g. ssl-collab.crt). +# +# SSL_COLLAB_KEY Private key filename for the Collab certificate +# (e.g. ssl-collab.key). +# +# SSL_INTEL_CERT Certificate filename for the Intel virtual host +# (e.g. ssl-intel.crt). +# +# SSL_INTEL_KEY Private key filename for the Intel certificate +# (e.g. ssl-intel.key). +# +# DHPARAM_PATH Diffie‑Hellman parameters file (e.g. dhparam.pem). 
############################################################################### COLLAB_FQDN=collab.example.com INTEL_FQDN=intel.example.com -INTEL_SECRET=super-secret-string \ No newline at end of file +INTEL_SECRET=super-secret-string + +SSL_COLLAB_CERT=ssl-collab.crt +SSL_COLLAB_KEY=ssl-collab.key + +SSL_INTEL_CERT=ssl-intel.crt +SSL_INTEL_KEY=ssl-intel.key + +DHPARAM_PATH=dhparam.pem \ No newline at end of file diff --git a/compose/compose.yaml b/compose/compose.yaml index 27c3e94..e5e96d2 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -18,10 +18,14 @@ services: nginx: image: nginx:latest container_name: codetogether-nginx + env_file: + - .env + environment: + - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx ports: - "443:443" volumes: - - ./nginx/nginx.conf:/etc/nginx/nginx.conf + - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro - ./nginx/ssl:/etc/nginx/ssl - ./nginx/log:/var/log/nginx networks: diff --git a/compose/nginx/nginx.conf b/compose/nginx/nginx.conf.template similarity index 88% rename from compose/nginx/nginx.conf rename to compose/nginx/nginx.conf.template index b5a33eb..4418cd7 100644 --- a/compose/nginx/nginx.conf +++ b/compose/nginx/nginx.conf.template @@ -1,6 +1,7 @@ events { worker_connections 1024; } + http { include mime.types; default_type application/octet-stream; 
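Review bot: Step 3 tells the operator to put private keys in `nginx/ssl` but says nothing about ownership or mode, and since that directory is bind-mounted into the nginx container, a world-readable key on the host is readable by anything that can reach that path. A line in the same comment block would cover it: `# Private keys placed in nginx/ssl should be readable only by the user that runs docker compose (e.g. mode 0600).` The variable descriptions are otherwise clear.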
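Review bot: `env_file: - .env` hands the nginx container every variable in `.env`, including `INTEL_SECRET`, which nginx never uses; the official image's template step substitutes only variables present in the container environment, so the names the template references can be passed explicitly instead. Replace the `env_file` entry with `environment:` entries such as `- COLLAB_FQDN=${COLLAB_FQDN}` and `- SSL_COLLAB_CERT=${SSL_COLLAB_CERT}` (plus `INTEL_FQDN`, the other cert/key names and the dhparam variable) next to the existing `NGINX_ENVSUBST_OUTPUT_DIR` line. While here, the certificate directory can be mounted read-only like the template, `- ./nginx/ssl:/etc/nginx/ssl:ro`, since nginx only reads it. The same `env_file` pattern reaches the intel and collab services in other patches of this series; those services do need `INTEL_SECRET`, but they also receive the certificate file names they never use.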
@@ -8,12 +9,12 @@ http { keepalive_timeout 65; server { listen 443 ssl http2; - server_name ; + server_name ${COLLAB_FQDN}; proxy_buffer_size 128k; proxy_buffers 4 256k; - ssl_certificate ; - ssl_certificate_key ; - ssl_dhparam ; + ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; @@ -47,7 +48,7 @@ http { } } server { - server_name ; + server_name ${INTEL_FQDN}; listen 443 ssl http2; # configure proxy buffer sizes @@ -55,9 +56,9 @@ http { proxy_buffers 4 256k; # setup the SSL certificate - ssl_certificate ; - ssl_certificate_key ; - ssl_dhparam ; + ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT}; + ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; @@ -91,4 +92,4 @@ http { proxy_send_timeout 360; } } -} +} \ No newline at end of file From 4d79a6db468b55abb0b244713ef3d29a73b2544c Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 13:05:36 +0200 Subject: [PATCH 06/31] fix: add step for sso provider (#110) --- compose/.env-template | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/compose/.env-template b/compose/.env-template index 9acc048..d0af82b 100644 --- a/compose/.env-template +++ b/compose/.env-template 
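Review bot: The rewritten server blocks keep `listen 443 ssl http2;` (context in this hunk and in the `server_name ${INTEL_FQDN}` hunk below), and the `http2` listen parameter has been deprecated since nginx 1.25.1, which `nginx:latest` is well past, so every start logs a deprecation warning. Use `listen 443 ssl;` with a separate `http2 on;` directive in each server block. The context `ssl_protocols TLSv1.2;` also leaves TLS 1.3 disabled for both virtual hosts; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual modern setting and needs no change to the `ssl_ciphers` list, since TLS 1.3 suites are configured separately. Both `server` blocks extend beyond this hunk.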
@@ -5,7 +5,8 @@ # 2. Replace the placeholders on the right‑hand side with your real values. # 3. Place all SSL certificates and Diffie‑Hellman parameters in the # `nginx/ssl` directory. -# 4. Run `docker‑compose up -d` to start the containers. +# 4. Configure your SSO provider in the `cthq.properties` file. +# 5. Run `docker‑compose up -d` to start the containers. # # Variables (all required unless stated otherwise) # ---------------------------------------------- From 063a4ebdcddb5d77eca760e5bfd7b8c5c4d41224 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 14:23:51 +0200 Subject: [PATCH 07/31] fix: add client_max_body_size to intel (#112) --- compose/nginx/nginx.conf.template | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/compose/nginx/nginx.conf.template b/compose/nginx/nginx.conf.template index 4418cd7..2456c39 100644 --- a/compose/nginx/nginx.conf.template +++ b/compose/nginx/nginx.conf.template @@ -23,7 +23,6 @@ http { set $realIP $remote_addr; set $forwardTo $proxy_add_x_forwarded_for; set $reqHost $http_host; - client_max_body_size 32M; if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; } @@ -70,6 +69,7 @@ http { set $realIP $remote_addr; set $forwardTo $proxy_add_x_forwarded_for; set $reqHost $http_host; + client_max_body_size 32M; if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; } From d665be1f5137fbe47d6965b39a002c49fb6c25b4 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 17:54:07 +0200 Subject: [PATCH 08/31] fix: tweak name of dhparam.pem env var (#113) * tweak name of dhparam.pem env var * fix env var name in nginx template * fix pam to pem --- compose/.env-template | 4 ++-- compose/nginx/nginx.conf.template | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/compose/.env-template b/compose/.env-template index d0af82b..c88f162 100644 --- a/compose/.env-template +++ b/compose/.env-template 
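Review bot: Moving `client_max_body_size 32M;` out of the `${COLLAB_FQDN}` server block (first hunk) drops that block to nginx's default of 1m, so any request body larger than that to the collab host now gets a 413; if the intent was to add the limit to intel rather than remove it from collab, keep the directive in both blocks. Separately, the surrounding context `if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; }` copies a client-supplied header into `$realIP` unconditionally; since compose publishes 443 directly, this nginx looks like the internet-facing edge, in which case a client can choose the address that reaches the upstream and its logs. Consider removing that branch unless a trusted proxy in front of nginx sets the header, and document the assumption either way. The enclosing `server` blocks extend beyond both hunks.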
@@ -32,7 +32,7 @@ # SSL_INTEL_KEY Private key filename for the Intel certificate # (e.g. ssl-intel.key). # -# DHPARAM_PATH Diffie‑Hellman parameters file (e.g. dhparam.pem). +# DHPARAM_PEM Diffie‑Hellman parameters file (e.g. dhparam.pem). ############################################################################### COLLAB_FQDN=collab.example.com @@ -45,4 +45,4 @@ SSL_COLLAB_KEY=ssl-collab.key SSL_INTEL_CERT=ssl-intel.crt SSL_INTEL_KEY=ssl-intel.key -DHPARAM_PATH=dhparam.pem \ No newline at end of file +DHPARAM_PEM=dhparam.pem \ No newline at end of file diff --git a/compose/nginx/nginx.conf.template b/compose/nginx/nginx.conf.template index 2456c39..85f1068 100644 --- a/compose/nginx/nginx.conf.template +++ b/compose/nginx/nginx.conf.template @@ -14,7 +14,7 @@ http { proxy_buffers 4 256k; ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT}; ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY}; - ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; @@ -57,7 +57,7 @@ http { # setup the SSL certificate ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT}; ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY}; - ssl_dhparam /etc/nginx/ssl/${DHPARAM_PATH}; + ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM}; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; From 56d5eeefaf680b961f6569b4a48184aa629dee22 Mon Sep 17 00:00:00 2001 
From: Ignacio Moreno Date: Mon, 12 May 2025 09:58:53 -0600 Subject: [PATCH 09/31] fix: missing env file on collab (#114) --- compose/compose.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/compose/compose.yaml b/compose/compose.yaml index e5e96d2..b443a7f 100644 --- a/compose/compose.yaml +++ b/compose/compose.yaml @@ -4,6 +4,8 @@ services: codetogether-collab: image: hub.edge.codetogether.com/releases/codetogether-collab:latest container_name: codetogether-collab + env_file: + - .env environment: - CT_SERVER_URL=https://${COLLAB_FQDN} - CT_INTEL_URL=http://codetogether-intel:1080 From f21332a7f248568b065840821ed81355c4b534c7 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Mon, 12 May 2025 10:38:42 -0600 Subject: [PATCH 10/31] =?UTF-8?q?fix:=20handle=20nil=20ai.openai.api=5Fkey?= =?UTF-8?q?=20to=20prevent=20template=20er=E2=80=A6=20(#116)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(intel-chart): handle nil ai.openai.api_key to prevent template errors Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and ai.external.api_key when undefined. This fixes a fatal error during `helm template` when AI mode is set to `bundled` and no OpenAI config is present. Ensures compatibility with bundled-only deployments. * Changes to fix workflow issues --- charts/intel/templates/secrets.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/charts/intel/templates/secrets.yaml b/charts/intel/templates/secrets.yaml index 5cdd56d..b5b85e7 100644 --- a/charts/intel/templates/secrets.yaml +++ b/charts/intel/templates/secrets.yaml 
@@ -4,5 +4,13 @@ metadata: name: ai-secrets type: Opaque data: + {{- if .Values.ai.openai }} + {{- if .Values.ai.openai.api_key }} openai-api-key: {{ .Values.ai.openai.api_key | b64enc }} + {{- end }} + {{- end }} + {{- if .Values.ai.external }} + {{- if .Values.ai.external.api_key }} external-ai-key: {{ .Values.ai.external.api_key | b64enc }} + {{- end }} + {{- end }} From 11960ddbcad980a2e131fce5e0733f5ccdf295e0 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 12 May 2025 20:30:56 +0200 Subject: [PATCH 11/31] fix: cleanup for sso tenants (#117) --- compose/cthq.properties | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/compose/cthq.properties b/compose/cthq.properties index 5c6e13c..8b8c254 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -4,8 +4,10 @@ hq.collab.url=https://${COLLAB_FQDN} hq.collab.secret=${INTEL_SECRET} # Fill in values specific to your deployment -# THE LINE BELOW IS NOT NEEDED WITH SINGLE TENANT -#hq.sso.tenants=github,gitlab + +# If you want to run with multiple SSO providers, add their names separated with commas +hq.sso.tenants=github + # GitHub SSO hq.sso.github.provider=github hq.sso.github.label=GitHub @@ -18,13 +20,6 @@ hq.sso.github.info.uri=https://api.github.com/user hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks hq.sso.github.logout.uri=https://github.com/logout -# hq.sso.gitlab.provider=gitlab -# hq.sso.gitlab.label=Gitlab test -# hq.sso.gitlab.client.id= -# hq.sso.gitlab.client.secret= -# hq.sso.gitlab.client.issuer.url=https://gitlab.com -# hq.sso.gitlab.azure.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights - # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra From 9cd2f4841f0488085e592ae4038d4742c4eb1d30 Mon Sep 17 00:00:00 2001 
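Review bot: The nested `{{- if .Values.ai.openai }}` / `{{- if .Values.ai.openai.api_key }}` pairs are correct (a flat `and` only short-circuits on newer Go template builds), but the idiomatic form is `with`, which both guards and rebinds: `{{- with .Values.ai.openai }}{{- with .api_key }} openai-api-key: {{ . | b64enc }} {{- end }}{{- end }}`, and likewise for `external`. A one-line comment above `data:` saying both keys are optional and omitted when unset would help, since a Secret with an empty `data:` is what renders otherwise.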
From: danc094codetogether Date: Fri, 16 May 2025 11:38:20 -0600 Subject: [PATCH 12/31] feat(intel): add option to disable AI integration entirely (#120) Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling AI features entirely, enabling Intel to be deployed without any AI-related containers or resources. --- charts/intel/templates/deployment.yaml | 66 ++++++++++++++------------ charts/intel/values.yaml | 1 + 2 files changed, 36 insertions(+), 31 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 0615be8..9c0d7e0 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
@@ -28,21 +28,23 @@ spec: {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - {{- if eq .Values.ai.mode "bundled" }} - - name: codetogether-llm - image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" - imagePullPolicy: Always - ports: - - name: ai - containerPort: 8000 - protocol: TCP - resources: - requests: - cpu: {{ .Values.ai.resources.requests.cpu | quote }} - memory: {{ .Values.ai.resources.requests.memory | quote }} - limits: - cpu: {{ .Values.ai.resources.limits.cpu | quote }} - memory: {{ .Values.ai.resources.limits.memory | quote }} + {{- if .Values.ai.enabled }} + {{- if eq .Values.ai.mode "bundled" }} + - name: codetogether-llm + image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" + imagePullPolicy: Always + ports: + - name: ai + containerPort: 8000 + protocol: TCP + resources: + requests: + cpu: {{ .Values.ai.resources.requests.cpu | quote }} + memory: {{ .Values.ai.resources.requests.memory | quote }} + limits: + cpu: {{ .Values.ai.resources.limits.cpu | quote }} + memory: {{ .Values.ai.resources.limits.memory | quote }} + {{- end }} {{- end }} - name: {{ .Chart.Name }} securityContext: 
@@ -56,22 +58,24 @@ spec: - name: AI_BUNDLED_URL value: "http://codetogether-llm:8000" {{- end }} - {{- if eq .Values.ai.mode "external" }} - - name: AI_PROVIDER - valueFrom: - configMapKeyRef: - name: ai-config - key: ai_provider - - name: AI_EXTERNAL_URL - valueFrom: - configMapKeyRef: - name: ai-config - key: ai_url - - name: AI_EXTERNAL_API_KEY - valueFrom: - secretKeyRef: - name: ai-external-secret - key: api-key + {{- if .Values.ai.enabled }} + {{- if eq .Values.ai.mode "external" }} + - name: AI_PROVIDER + valueFrom: + configMapKeyRef: + name: ai-config + key: ai_provider + - name: AI_EXTERNAL_URL + valueFrom: + configMapKeyRef: + name: ai-config + key: ai_url + - name: AI_EXTERNAL_API_KEY + valueFrom: + secretKeyRef: + name: ai-external-secret + key: api-key + {{- end }} {{- end }} # # Set CodeTogether runtime configuration diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index ac9227e..04507b2 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -139,6 +139,7 @@ securityContext: {} # runAsUser: 1000 ai: + enabled: false mode: "bundled" # Options: bundled | external provider: "ollama" # No OpenAI dependency resources: From c7bee305582a2ca6ae7b87bee2724f0194bd6669 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Tue, 10 Jun 2025 11:59:09 -0600 Subject: [PATCH 13/31] Change gen ai image name on values file (#122) --- charts/intel/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 04507b2..ab0f8fe 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -152,7 +152,7 @@ ai: memory: "8Gi" gpu: false image: - repository: registry.digitalocean.com/codetogether-registry/ai-summarization + repository: registry.digitalocean.com/codetogether-registry/codetogether-llm tag: latest From 75c414ffac11767ff9d3c9a763d5b540d4dcfa52 Mon Sep 17 00:00:00 2001 
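Review bot: The new `{{- if .Values.ai.enabled }}` guard wraps the external block, but the `AI_MODE` and `AI_BUNDLED_URL` entries just above it remain unconditional (the `{{- end }}` at the top of this hunk closes only the `eq .Values.ai.mode "bundled"` check), so with the new default `enabled: false` and `mode: "bundled"` the intel container is still told `AI_MODE=bundled` and given `AI_BUNDLED_URL=http://codetogether-llm:8000` for a sidecar this commit no longer deploys. Whether the application tolerates that depends on how it treats `AI_MODE`, which the diff does not show; the safe change is `{{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }}` around `AI_BUNDLED_URL` and either `{{- if .Values.ai.enabled }}` around `AI_MODE` or an explicit disabled value the application understands. The same unguarded lines survive unchanged in the deployment.yaml rewrite of patch 19 later in this series.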
From: Ignacio Moreno Date: Tue, 10 Jun 2025 12:03:34 -0600 Subject: [PATCH 14/31] fix: bump up version number (#123) --- charts/intel/Chart.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index a63a302..f3e928a 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,8 +3,8 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.3 -appVersion: "2025.1.0" +version: 1.2.4 +appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png home: https://www.codetogether.com From aacad5767139e752c0f6fd60eb749f007cf31524 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Mon, 16 Jun 2025 15:59:23 -0600 Subject: [PATCH 15/31] docs: remove outdated metrics section from README (#130) - Removed the section referring to metrics(prometeus), etc from the README Co-authored-by: engineering --- charts/collab/README.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/charts/collab/README.md b/charts/collab/README.md index 621f5a5..f235f45 100644 --- a/charts/collab/README.md +++ b/charts/collab/README.md 
@@ -36,11 +36,6 @@ The following table lists configurable parameters of the CodeTogether Collab cha | `codetogether.noclients` | Disables the `/clients` endpoint if set to `true` | `false` | | `codetogether.timeZone.enabled` | Enables a customized time zone for the container | `false` | | `codetogether.timeZone.region` | Time zone region for the container | `America/Chicago` | -| `direct.metrics.statsdEnabled` | Enables StatsD metrics collection | `false` | -| `direct.metrics.statsdHost` | Host for StatsD metrics | `https://my-graphite-fqdn` | -| `direct.metrics.statsdPort` | Port for StatsD metrics | `8125` | -| `direct.metrics.statsdProtocol` | Protocol for StatsD metrics | `UDP` | -| `direct.metrics.prometheusEnabled` | Enables Prometheus metrics collection | `false` | | `locatorCentral.database.host` | Host for locator-central database | `10.10.0.2` | | `locatorCentral.database.port` | Port for locator-central database | `3306` | | `locatorCentral.database.schema` | Schema name for locator-central database | `codetogether` | From 23ddc3ef1d64e05f38745ac376094ad8ef7a15c7 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Tue, 17 Jun 2025 09:11:45 -0600 Subject: [PATCH 16/31] fix: add note to env-template file (#127) --- compose/.env-template | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/compose/.env-template b/compose/.env-template index c88f162..0899e06 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -39,10 +39,11 @@ COLLAB_FQDN=collab.example.com INTEL_FQDN=intel.example.com INTEL_SECRET=super-secret-string +# SSL cerfificate files should be placed in the `nginx/ssl` directory. SSL_COLLAB_CERT=ssl-collab.crt SSL_COLLAB_KEY=ssl-collab.key SSL_INTEL_CERT=ssl-intel.crt SSL_INTEL_KEY=ssl-intel.key -DHPARAM_PEM=dhparam.pem \ No newline at end of file +DHPARAM_PEM=dhparam.pem From 447a8a71f58c8ef823d1beb5a9870de12704bab4 Mon Sep 17 00:00:00 2001 
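Review bot: The added comment misspells `cerfificate`; it should read `certificate`. Since this is the line operators read before copying private keys into `nginx/ssl`, it is also the natural place to say those files should be readable only by the deploying user.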
From: danc094codetogether Date: Wed, 18 Jun 2025 05:10:46 -0600 Subject: [PATCH 17/31] fix: update LLM image URL to hub.edge (#132) --- charts/intel/values.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index ab0f8fe..e9efd48 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -142,6 +142,9 @@ ai: enabled: false mode: "bundled" # Options: bundled | external provider: "ollama" # No OpenAI dependency + image: + repository: hub.edge.codetogether.com/releases/codetogether-llm + tag: latest resources: requests: cpu: "2" @@ -151,10 +154,6 @@ ai: cpu: "4" memory: "8Gi" gpu: false - image: - repository: registry.digitalocean.com/codetogether-registry/codetogether-llm - tag: latest - readinessProbe: initialDelaySeconds: 60 From 61a8250cc29fa9b7718cc9d2b6ad757f0380a501 Mon Sep 17 00:00:00 2001 From: danc094codetogether Date: Wed, 18 Jun 2025 05:12:40 -0600 Subject: [PATCH 18/31] docs: add deprecation notice to old Live chart (#131) --- charts/live/README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/charts/live/README.md b/charts/live/README.md index 76048f3..b8cbf31 100644 --- a/charts/live/README.md +++ b/charts/live/README.md @@ -1,7 +1,10 @@ # README.md Helm Chart for CodeTogether Live +# CodeTogether Live Chart (Legacy) -## Summary +> **⚠️ Legacy Chart** +> This chart is now considered legacy and is not longer supported, is not recommended for new deployments. +## Summary This chart creates a CodeTogether Live server deployment on a Kubernetes cluster using the Helm package manager. ## Prerequisites From d4665b0f8797076099aeb445d1f20a703350bb89 Mon Sep 17 00:00:00 2001 
From: danc094codetogether Date: Wed, 18 Jun 2025 14:14:37 -0600 Subject: [PATCH 19/31] 126 automatically configure ollama integration when llm is enabled (#128) * Make sidecar AI container resource block optional in deployment - Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml. - Ensures the bundled AI container can run without specifying resource limits/requests by default. - Improved overall Helm template flexibility for embedded AI mode. - Validated that runs with AI Container embeeded. * Enable support for external AI provider - Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode. - Added manifests for external AI integration: - ai-config ConfigMap: defines external provider and URL. - ai-external-secret Secret: stores the external API key. - Verified that external AI mode works by routing requests through the configured external service. * feat: automate creation of external AI ConfigMap and Secret from values.yaml - Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled. - ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml. - Ensured resources are only created when ai.enabled=true and ai.mode=external. * feat: allow use of existing or Helm-managed ai-external-secret in deployment - Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation. - Added ai-external-secret.yaml template to optionally create the secret from values if not provided. 
* Fixing helm template validations * Adding values configuration --------- Co-authored-by: engineering --- charts/intel/templates/ai-config.yaml | 11 ++ .../intel/templates/ai-external-secret.yaml | 12 ++ charts/intel/templates/deployment.yaml | 109 ++++++++---------- charts/intel/values.yaml | 5 +- 4 files changed, 71 insertions(+), 66 deletions(-) create mode 100644 charts/intel/templates/ai-config.yaml create mode 100644 charts/intel/templates/ai-external-secret.yaml diff --git a/charts/intel/templates/ai-config.yaml b/charts/intel/templates/ai-config.yaml new file mode 100644 index 0000000..763fedb --- /dev/null +++ b/charts/intel/templates/ai-config.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: ai-config + namespace: {{ .Release.Namespace }} +data: + ai_provider: {{ .Values.ai.provider | quote }} + ai_url: {{ .Values.ai.url | quote }} +{{- end }} + diff --git a/charts/intel/templates/ai-external-secret.yaml b/charts/intel/templates/ai-external-secret.yaml new file mode 100644 index 0000000..ebd6468 --- /dev/null +++ b/charts/intel/templates/ai-external-secret.yaml @@ -0,0 +1,12 @@ +{{- $extSecret := (index .Values.ai "externalSecret" | default dict) }} +{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") (or (not $extSecret.name) $extSecret.create) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ $extSecret.name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }} + namespace: {{ .Release.Namespace }} +type: Opaque +stringData: + api-key: {{ $extSecret.apiKey | quote }} +{{- end }} + diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 9c0d7e0..121e800 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
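Review bot: `ai_url: {{ .Values.ai.url | quote }}` and `ai_provider: {{ .Values.ai.provider | quote }}` render silently as `""` when the values are absent, and nothing visible in this series defines `ai.url` in values.yaml while the values.yaml hunk of this same commit removes `provider: "ollama"`, so an external-mode install can come up pointing the intel container at an empty URL. Helm's `required` turns that into a render-time error: `ai_url: {{ required "ai.url is required when ai.mode=external" .Values.ai.url | quote }}`, and the same for `ai.provider`. A short comment at the top of the file noting that both keys are consulted only when `ai.enabled` is true and `ai.mode` is `external` would help readers of values.yaml.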
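Review bot: `api-key: {{ $extSecret.apiKey | quote }}` creates the Secret even when `apiKey` is unset, so the default path (`externalSecret.name` empty) yields a Secret whose `api-key` is `""` and the intel container gets an empty credential; `api-key: {{ required "ai.externalSecret.apiKey is required when the chart creates the secret" $extSecret.apiKey | quote }}` fails the render instead. A key supplied through values is also persisted by Helm in the release record in the cluster and in whatever values files operators keep, so the values.yaml comment should steer production users to a pre-created Secret via `externalSecret.name` with `create` left unset, which the `(or (not $extSecret.name) $extSecret.create)` condition already supports. The `create` flag itself has no comment explaining that it makes the chart own a Secret of the given name; one line in values.yaml would prevent surprises.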
@@ -28,38 +28,20 @@ spec: {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "bundled" }} - - name: codetogether-llm - image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" - imagePullPolicy: Always - ports: - - name: ai - containerPort: 8000 - protocol: TCP - resources: - requests: - cpu: {{ .Values.ai.resources.requests.cpu | quote }} - memory: {{ .Values.ai.resources.requests.memory | quote }} - limits: - cpu: {{ .Values.ai.resources.limits.cpu | quote }} - memory: {{ .Values.ai.resources.limits.memory | quote }} - {{- end }} - {{- end }} - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - - name: AI_MODE - value: {{ .Values.ai.mode | quote }} - {{- if eq .Values.ai.mode "bundled" }} - - name: AI_BUNDLED_URL - value: "http://codetogether-llm:8000" - {{- end }} - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "external" }} + - name: AI_MODE + value: {{ .Values.ai.mode | quote }} + {{- if eq .Values.ai.mode "bundled" }} + - name: AI_BUNDLED_URL + value: "http://codetogether-llm:8000" + {{- end }} + {{- if .Values.ai.enabled }} + {{- if eq .Values.ai.mode "external" }} - name: AI_PROVIDER valueFrom: configMapKeyRef: 
@@ -73,35 +55,29 @@ spec: - name: AI_EXTERNAL_API_KEY valueFrom: secretKeyRef: - name: ai-external-secret + name: {{ (index .Values.ai "externalSecret" | default dict).name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }} key: api-key + {{- end }} + {{- end }} + # Set CodeTogether runtime configuration + - name: CT_HQ_BASE_URL + value: {{ .Values.codetogether.url | quote }} + {{- if .Values.java.customCacerts.enabled }} + - name: CT_TRUST_STORE + value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts + {{- end }} + {{- if .Values.java.customJavaOptions }} + - name: CT_JAVA_OPTIONS + value: "{{ .Values.java.customJavaOptions | default "" }}" + {{- end }} + {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }} + - name: CT_TRUST_STORE_PASSWD + valueFrom: + secretKeyRef: + name: {{ .Values.java.customCacerts.cacertsSecretName }} + key: {{ .Values.java.customCacerts.trustStorePasswordKey }} + optional: true {{- end }} - {{- end }} - # - # Set CodeTogether runtime configuration - # - - name: CT_HQ_BASE_URL - value: {{ .Values.codetogether.url | quote }} - {{- if .Values.java.customCacerts.enabled }} - - name: CT_TRUST_STORE - value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts - {{- end }} - - # Custom Java options (excluding trust store related settings) - {{- if .Values.java.customJavaOptions }} - - name: CT_JAVA_OPTIONS - value: "{{ .Values.java.customJavaOptions | default "" }}" - {{- end }} - - # Set trust store password only if trustStorePasswordKey is provided - {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }} - - name: CT_TRUST_STORE_PASSWD - valueFrom: - secretKeyRef: - name: {{ .Values.java.customCacerts.cacertsSecretName }} - key: {{ .Values.java.customCacerts.trustStorePasswordKey }} - optional: true - {{- end }} volumeMounts: - name: properties-volume 
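Review bot: `CT_JAVA_OPTIONS` is built as `value: "{{ .Values.java.customJavaOptions | default "" }}"`, which interpolates the operator's JVM flags inside hand-written double quotes; any `"` or backslash in them yields invalid YAML or a silently altered string, and the `default ""` is redundant because the enclosing `if` already skips empty values. Use the quoting filter instead: `value: {{ .Values.java.customJavaOptions | quote }}`. Separately, `optional: true` on `CT_TRUST_STORE_PASSWD` means a typo in `trustStorePasswordKey` produces a pod that starts with no trust-store password rather than a visible error; a comment stating that this is intentional (or dropping `optional`) would help. The env list begins before this hunk and continues after it.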
@@ -112,29 +88,21 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} - - # - # Set container configuration - # ports: - name: http containerPort: 1080 protocol: TCP - + livenessProbe: - httpGet: - path: / - port: http initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} successThreshold: {{ .Values.livenessProbe.successThreshold }} failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - readinessProbe: httpGet: path: / port: http - + readinessProbe: initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} @@ -147,6 +115,21 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} + + {{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }} + - name: codetogether-llm + image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" + imagePullPolicy: Always + ports: + - name: ai + containerPort: 8000 + protocol: TCP + {{- if .Values.ai.resources }} + resources: + {{- toYaml .Values.ai.resources | nindent 12 }} + {{- end }} + {{- end }} + volumes: - name: properties-volume secret: diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index e9efd48..5f55a73 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -141,18 +141,17 @@ securityContext: {} ai: enabled: false mode: "bundled" # Options: bundled | external - provider: "ollama" # No OpenAI dependency image: repository: hub.edge.codetogether.com/releases/codetogether-llm tag: latest - resources: + resources: # Recommended resources configuration requests: cpu: "2" memory: "4Gi" gpu: false limits: cpu: "4" - memory: "8Gi" + memory: "4Gi" gpu: false readinessProbe: From 9e1cae0f284fdc868b09dbf068fb3224dd38af96 Mon Sep 17 00:00:00 2001 
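Review bot: After this hunk the `readinessProbe` appears to keep only timing fields: the `httpGet: path: / port: http` block is now the last member of `livenessProbe` (the removed `readinessProbe:` line sat above it and the added one sits below it), and the six context lines between this hunk and the next one at old line 147 are identical on both sides, so no handler remains for readiness unless one exists somewhere not shown here. The API server rejects a probe without a handler at admission, so `helm template` passes but `helm install` would not. Add `httpGet:` / `path: /` / `port: http` under the new `readinessProbe:` line, or move the existing block back.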
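Review bot: The `codetogether-llm` sidecar added in the `@@ -147,6 +115,21 @@` hunk runs without a `securityContext`, while the main container gets `{{- toYaml .Values.securityContext | nindent 12 }}`; give it the same line (or a dedicated `ai.securityContext`) so the two containers in the pod share one hardening baseline. It also listens on `containerPort: 8000` with `imagePullPolicy: Always` on a `latest` tag and no probes, so the pod IP exposes an unauthenticated model endpoint to any workload that can reach it unless a NetworkPolicy says otherwise — a comment noting that, plus a pinned tag or digest in values.yaml, would be appropriate. The `containers:` list begins before this hunk.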
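Review bot: The values.yaml hunk removes `provider: "ollama"` from the `ai` block, but ai-config.yaml in this same commit still reads `.Values.ai.provider` for the `ai_provider` key, so the documented default disappears and external-mode users are left to discover the key by reading the template. Keep a commented entry such as `# provider: "ollama"  # read by ai-config.yaml when mode is external`, and document `url`, `modelName` and `externalSecret` next to it since the Deployment now depends on them.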
From: Ignacio Moreno Date: Wed, 18 Jun 2025 14:17:25 -0600 Subject: [PATCH 20/31] Gen AI Changes (#124) * Change resources of ai * Include gen ai on docker compose. * undo changes --- compose/.env-template | 4 ++++ compose/compose.ai.yaml | 13 +++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 compose/compose.ai.yaml diff --git a/compose/.env-template b/compose/.env-template index 0899e06..82fa77c 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -47,3 +47,7 @@ SSL_INTEL_CERT=ssl-intel.crt SSL_INTEL_KEY=ssl-intel.key DHPARAM_PEM=dhparam.pem + +# Uncomment the following lines to enable AI integration with Ollama +#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 +#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b diff --git a/compose/compose.ai.yaml b/compose/compose.ai.yaml new file mode 100644 index 0000000..d3ef932 --- /dev/null +++ b/compose/compose.ai.yaml @@ -0,0 +1,13 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed +services: + ai: + image: hub.edge.codetogether.com/releases/codetogether-llm:latest + container_name: codetogether-llm + ports: + - "8000:8000" + networks: + - codetogethernet + depends_on: + codetogether-intel: + condition: service_healthy \ No newline at end of file From 4fab2ad428016288a3d91d50b280bac22bd78a03 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Wed, 18 Jun 2025 14:29:39 -0600 Subject: [PATCH 21/31] Fix collab helm chart to allow usage of locator. (#134) --- charts/collab/templates/deployment.yaml | 4 ++++ charts/collab/values.yaml | 3 +++ 2 files changed, 7 insertions(+) diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 7c08ca3..689f562 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml 
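Review bot: In compose.ai.yaml, `ports: - "8000:8000"` publishes the LLM API on every host interface, while the only consumer visible in this series is `codetogether-intel`, which reaches it over `codetogethernet` as `http://codetogether-llm:8000` per the `.env-template` hunk above; nothing here puts authentication in front of that port. Drop the `ports:` mapping, or bind it to loopback with `- "127.0.0.1:8000:8000"` if host-side debugging is needed. The `depends_on` direction also looks inverted — the model server waits for Intel to be healthy, whereas Intel is the side that calls it — which is worth confirming against how Intel behaves when the AI URL is unreachable at startup.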
@@ -99,6 +99,10 @@ spec: {{- if eq .Values.codetogether.mode "locator-edge" }} - name: CT_LOCATOR value: {{ .Values.locatorEdge.locator | quote }} + {{- if .Values.locatorEdge.locatorLan }} + - name: CT_LOCATOR_INTERNAL + value: {{ .Values.locatorEdge.locatorLan | quote }} + {{- end }} - name: CT_REGION value: {{ .Values.locatorEdge.region | quote }} {{- end }} diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index 04a4d89..b05bde9 100644 --- a/charts/collab/values.yaml +++ b/charts/collab/values.yaml @@ -117,6 +117,9 @@ locatorCentral: locatorEdge: # URL that the Locator is listening on. locator: "https://codetogether.locator" + # Internal k8s url for the locator service. + # Optional - If not set k8s dns need to know how to resolve the locator url. + # locatorLan: "http://..svc.cluster.local:443" # Optional region which can have CIDR IP address regions assigned to # allowing regional routing of requests. Only enable if deploying # CodeTogether to multiple regional data centers. From 8033f545dd34abada32baa7b0b4aa54c8f8d8fd4 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Mon, 30 Jun 2025 14:39:58 +0200 Subject: [PATCH 22/31] fix: invalid values in AI values section (#137) --- charts/intel/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 5f55a73..1053ca9 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -148,11 +148,11 @@ ai: requests: cpu: "2" memory: "4Gi" - gpu: false + # gpu: "1" # Uncomment and set only if GPU is needed limits: cpu: "4" memory: "4Gi" - gpu: false + # gpu: "1" # Uncomment and set only if GPU is needed readinessProbe: initialDelaySeconds: 60 From 5547e7444a042335f25538cbef7a49e1be66fee6 Mon Sep 17 00:00:00 2001 
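Review bot: The example in the new `locatorLan` comment, `"http://..svc.cluster.local:443"`, has empty service and namespace segments and pairs `http://` with the HTTPS port, so copying it produces a value that neither resolves nor matches its scheme; spell it out as `"http://<service>.<namespace>.svc.cluster.local:<port>"` (or `https://` if the in-cluster locator terminates TLS). It would also help to say which value wins when both `locator` and `locatorLan` are set, since the Deployment hunk exports both as `CT_LOCATOR` and `CT_LOCATOR_INTERNAL` and the precedence is presumably decided by the application rather than the chart. Grammar: `k8s dns need to know` → `the cluster DNS needs to be able to resolve`.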
From: Wojciech Galanciak Date: Mon, 30 Jun 2025 14:57:54 +0200 Subject: [PATCH 23/31] fix: support automatic configuration of the LLM integration if AI is enabled (#138) --- charts/intel/templates/deployment.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 121e800..656a21c 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -78,6 +78,22 @@ spec: key: {{ .Values.java.customCacerts.trustStorePasswordKey }} optional: true {{- end }} + {{- if .Values.ai.enabled }} + - name: CT_HQ_OLLAMA_AI_URL + value: {{ if eq .Values.ai.mode "bundled" }}"http://localhost:8000"{{ else }}"{{ .Values.ai.url | quote }}"{{ end }} + - name: CT_HQ_OLLAMA_AI_MODEL_NAME + value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }} + - name: CT_HQ_OLLAMA_AI_API_KEY + valueFrom: + secretKeyRef: + name: {{- if and (eq .Values.ai.mode "external") (not .Values.ai.externalSecret.create) }} + {{ .Values.ai.externalSecret.name }} + {{- else }} + {{ .Values.ai.externalSecret.name | default (printf "%s-ollama-api" .Release.Name) }} + {{- end }} + key: apiKey + {{- end }} + volumeMounts: - name: properties-volume From 6e96ea76a7fa34992d4f64ebcc02dc0893f4fbdf Mon Sep 17 00:00:00 2001 
From: danc094codetogether Date: Mon, 30 Jun 2025 16:42:19 -0600 Subject: [PATCH 24/31] Fixes after Testing (#139) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fixes after Testing - Refactored deployment.yaml to reference ai.externalSecret.name when create: false - Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData - Updated ai-external-secret.yaml to generate a Secret only when create: true * Bump intel chart version to 1.2.5 * Fix to user http://codetogether-llm:8000/ always --------- Co-authored-by: engineering --- charts/intel/Chart.yaml | 2 +- .../intel/templates/ai-external-secret.yaml | 2 +- charts/intel/templates/deployment.yaml | 29 +++++++++---------- charts/intel/values.yaml | 16 +++++----- 4 files changed, 22 insertions(+), 27 deletions(-) diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index f3e928a..23c312a 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,7 +3,7 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.4 +version: 1.2.5 appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png diff --git a/charts/intel/templates/ai-external-secret.yaml b/charts/intel/templates/ai-external-secret.yaml index ebd6468..b01e8ad 100644 --- a/charts/intel/templates/ai-external-secret.yaml +++ b/charts/intel/templates/ai-external-secret.yaml @@ -7,6 +7,6 @@ metadata: namespace: {{ .Release.Namespace }} type: Opaque stringData: - api-key: {{ $extSecret.apiKey | quote }} + apiKey: {{ $extSecret.apiKey | quote }} {{- end }} diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 656a21c..6d1c9a3 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
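Review bot: The commit message says the Secret is now generated only when `create: true`, but the ai-external-secret.yaml hunk only renames the key from `api-key` to `apiKey`; the guard two lines above the hunk, `(or (not $extSecret.name) $extSecret.create)` as introduced earlier in this series, still renders the Secret whenever no name is given. Either change it to `{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") $extSecret.create }}` or correct the message so the next reader does not assume the stricter behaviour. The rename itself is the right fix for the `secretKeyRef` key mismatch in deployment.yaml.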
@@ -40,8 +40,7 @@ spec: - name: AI_BUNDLED_URL value: "http://codetogether-llm:8000" {{- end }} - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "external" }} + {{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} - name: AI_PROVIDER valueFrom: configMapKeyRef: @@ -55,9 +54,8 @@ spec: - name: AI_EXTERNAL_API_KEY valueFrom: secretKeyRef: - name: {{ (index .Values.ai "externalSecret" | default dict).name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }} - key: api-key - {{- end }} + name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name | quote }} + key: apiKey {{- end }} # Set CodeTogether runtime configuration - name: CT_HQ_BASE_URL @@ -80,21 +78,23 @@ spec: {{- end }} {{- if .Values.ai.enabled }} - name: CT_HQ_OLLAMA_AI_URL - value: {{ if eq .Values.ai.mode "bundled" }}"http://localhost:8000"{{ else }}"{{ .Values.ai.url | quote }}"{{ end }} + value: {{ if eq .Values.ai.mode "bundled" }} + "http://codetogether-llm:8000" + {{ else }} + {{ .Values.ai.url | quote }} + {{ end }} - name: CT_HQ_OLLAMA_AI_MODEL_NAME value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }} - name: CT_HQ_OLLAMA_AI_API_KEY + {{- if eq .Values.ai.mode "bundled" }} + value: "apiKey" + {{- else }} valueFrom: secretKeyRef: - name: {{- if and (eq .Values.ai.mode "external") (not .Values.ai.externalSecret.create) }} - {{ .Values.ai.externalSecret.name }} - {{- else }} - {{ .Values.ai.externalSecret.name | default (printf "%s-ollama-api" .Release.Name) }} - {{- end }} + name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name | quote }} key: apiKey + {{- end }} {{- end }} - - volumeMounts: - name: properties-volume mountPath: /opt/codetogether/runtime/cthq.properties 
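Review bot: For `bundled` mode `CT_HQ_OLLAMA_AI_API_KEY` is set to the fixed literal `value: "apiKey"`; if the bundled `codetogether-llm` container checks that value it is a hard-coded credential shared by every installation, and if it does not, the variable is noise — either way the intent should be stated, e.g. `# placeholder: the bundled LLM sidecar does not authenticate requests`. Outside `bundled` mode the `secretKeyRef` now reads `.Values.ai.externalSecret.name` directly, which fails at render time with a nil-pointer error if a values file omits the `externalSecret` map; the `(index .Values.ai "externalSecret" | default dict)` form this hunk removes was safe against that, unless values.yaml now defines `externalSecret` (not visible here). The env list continues beyond this hunk.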
@@ -108,7 +108,6 @@ spec: - name: http containerPort: 1080 protocol: TCP - livenessProbe: initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} @@ -131,7 +130,6 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} - {{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }} - name: codetogether-llm image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" @@ -145,7 +143,6 @@ spec: {{- toYaml .Values.ai.resources | nindent 12 }} {{- end }} {{- end }} - volumes: - name: properties-volume secret: diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 1053ca9..5587d5f 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -144,15 +144,13 @@ ai: image: repository: hub.edge.codetogether.com/releases/codetogether-llm tag: latest - resources: # Recommended resources configuration - requests: - cpu: "2" - memory: "4Gi" - # gpu: "1" # Uncomment and set only if GPU is needed - limits: - cpu: "4" - memory: "4Gi" - # gpu: "1" # Uncomment and set only if GPU is needed +# resources: # Recommended resources configuration + # requests: + # cpu: "2" + # memory: "4Gi" + #limits: + # cpu: "4" + #memory: "4Gi" readinessProbe: initialDelaySeconds: 60 From b55b89c08aee6a58e45510047968b4010443590b Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Mon, 30 Jun 2025 17:17:57 -0600 Subject: [PATCH 25/31] Changes to use localhost always to avoid dns issues (#142) Co-authored-by: engineering --- charts/intel/templates/deployment.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 6d1c9a3..8cdb59e 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml 
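Review bot: Commenting out `ai.resources` in values.yaml leaves the `codetogether-llm` sidecar with no requests or limits, since the Deployment only emits a `resources:` stanza under `{{- if .Values.ai.resources }}`; a model server with no memory limit in the same pod as Intel can take the whole pod down on OOM or eviction, undermining whatever `resources` the main container was given. Keep at least the requests active, and fix the indentation of the commented `#limits:` / `#memory:` lines so that uncommenting them yields valid YAML. A one-line comment with the expected footprint of the default `gemma3:1b` model would help operators size it.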
@@ -38,7 +38,7 @@ spec: value: {{ .Values.ai.mode | quote }} {{- if eq .Values.ai.mode "bundled" }} - name: AI_BUNDLED_URL - value: "http://codetogether-llm:8000" + value: "http://localhost:8000" {{- end }} {{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} - name: AI_PROVIDER @@ -79,7 +79,7 @@ spec: {{- if .Values.ai.enabled }} - name: CT_HQ_OLLAMA_AI_URL value: {{ if eq .Values.ai.mode "bundled" }} - "http://codetogether-llm:8000" + "http://localhost:8000" {{ else }} {{ .Values.ai.url | quote }} {{ end }} From c481aed40af7ee871971098c7dd46e4622342697 Mon Sep 17 00:00:00 2001 From: Wojciech Galanciak Date: Thu, 10 Jul 2025 18:01:53 +0200 Subject: [PATCH 26/31] feat: support for optional keycloak deployment (#145) * initial config * Docker compose example to run keycloak --------- Co-authored-by: Ignacio Moreno --- compose/.gitignore | 10 +++ compose/cthq.properties | 29 ++++--- compose/keycloak/.env-template | 9 ++ compose/keycloak/compose.keycloak.yaml | 95 ++++++++++++++++++++++ compose/keycloak/nginx/log/placeholder.txt | 0 compose/keycloak/nginx/nginx.conf.template | 57 +++++++++++++ compose/keycloak/nginx/ssl/placeholder.txt | 0 7 files changed, 189 insertions(+), 11 deletions(-) create mode 100644 compose/.gitignore create mode 100644 compose/keycloak/.env-template create mode 100644 compose/keycloak/compose.keycloak.yaml create mode 100644 compose/keycloak/nginx/log/placeholder.txt create mode 100644 compose/keycloak/nginx/nginx.conf.template create mode 100644 compose/keycloak/nginx/ssl/placeholder.txt diff --git a/compose/.gitignore b/compose/.gitignore new file mode 100644 index 0000000..cdb441f --- /dev/null +++ b/compose/.gitignore @@ -0,0 +1,10 @@ +data/ +nginx/log/ +nginx/ssl/*.key +nginx/ssl/*.pem +nginx/ssl/*.crt +keycloak/nginx/log/*.log +keycloak/nginx/ssl/*.key +keycloak/nginx/ssl/*.pem +keycloak/nginx/ssl/*.crt +.env \ No newline at end of file 
diff --git a/compose/cthq.properties b/compose/cthq.properties index 8b8c254..c8c481a 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -6,19 +6,26 @@ hq.collab.secret=${INTEL_SECRET} # Fill in values specific to your deployment # If you want to run with multiple SSO providers, add their names separated with commas -hq.sso.tenants=github +# hq.sso.tenants=github # GitHub SSO -hq.sso.github.provider=github -hq.sso.github.label=GitHub -hq.sso.github.client.id= -hq.sso.github.client.secret= -hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -hq.sso.github.auth.uri=https://github.com/login/oauth/authorize -hq.sso.github.token.uri=https://github.com/login/oauth/access_token -hq.sso.github.info.uri=https://api.github.com/user -hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks -hq.sso.github.logout.uri=https://github.com/logout +# hq.sso.github.provider=github +# hq.sso.github.label=GitHub +# hq.sso.github.client.id=Iv1.45b9336a78ce2476 +# hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371 +# hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.github.auth.uri=https://github.com/login/oauth/authorize +# hq.sso.github.token.uri=https://github.com/login/oauth/access_token +# hq.sso.github.info.uri=https://api.github.com/user +# hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks +# hq.sso.github.logout.uri=https://github.com/logout + +hq.sso.provider=keycloak +hq.sso.client.id=codetogether +hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64 +hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +hq.sso.client.authentication.method=client_secret_post # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA 
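Review bot: The added `hq.sso.github.client.id=Iv1.45b9336a78ce2476`, `hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371` and `hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64` look like real OAuth credentials committed into a tracked example file; a later commit in this series reverts the file, but the values stay in history, so they should be treated as exposed and rotated in GitHub and Keycloak regardless. Read them from `.env` the way this file already does for `${INTEL_SECRET}`, e.g. `hq.sso.client.secret=${KEYCLOAK_CLIENT_SECRET}`, and keep only placeholders in git. `hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether` also names the internal plain-HTTP host while the Keycloak compose file sets `KC_HOSTNAME` to the public FQDN; whether tokens carrying the public `iss` are accepted against that internal issuer URL is worth confirming, and a comment should say which hostname is expected here.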
diff --git a/compose/keycloak/.env-template b/compose/keycloak/.env-template new file mode 100644
index 0000000..5127bae
--- /dev/null
+++ b/compose/keycloak/.env-template
@@ -0,0 +1,9 @@
+KEYCLOAK_FQDN=keycloak.example.com
+SSL_KEYCLOAK_CERT=ssl-keycloak.crt
+SSL_KEYCLOAK_KEY=ssl-keycloak.key
+
+KEYCLOAK_DB_USERNAME=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak
+
+KEYCLOAK_ADMIN_PASSWORD=keycloak
+KEYCLOAK_ADMIN=admin \ No newline at end of file
diff --git a/compose/keycloak/compose.keycloak.yaml b/compose/keycloak/compose.keycloak.yaml new file mode 100644
index 0000000..f842905
--- /dev/null
+++ b/compose/keycloak/compose.keycloak.yaml
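Review bot: Every credential in this template defaults to a dictionary word — `KEYCLOAK_DB_PASSWORD=keycloak`, `KEYCLOAK_ADMIN_PASSWORD=keycloak` — with no comment telling the operator to change it, unlike the Intel template, which marks `INTEL_SECRET` as needing a strong private value; since the compose file feeds these straight into the MySQL root password and the Keycloak admin account, add a header such as `# Replace every password below before first start; these defaults are placeholders, not safe values`, or use an obviously invalid placeholder like `CHANGE_ME`. `KEYCLOAK_ADMIN` / `KEYCLOAK_ADMIN_PASSWORD` are also the older bootstrap-admin variable names; with the `keycloak:latest` image the compose file pulls, it is worth checking whether the release actually obtained still honours them or expects the newer `KC_BOOTSTRAP_ADMIN_*` names.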
@@ -0,0 +1,95 @@ +# 👇 Rename `.env-template` to `.env` before running this file +# Set the appropriate values once renamed +services: + # Relational database for Keycloak (optional) + codetogether-mysql: + image: mysql:8.0 + container_name: codetogether-mysql + restart: unless-stopped + env_file: + - .env + environment: + MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + MYSQL_DATABASE: keycloak + MYSQL_USER: ${KEYCLOAK_DB_USERNAME} + MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + volumes: + - mysql_data:/var/lib/mysql + networks: + - codetogethernet + healthcheck: + test: ["CMD", "mysqladmin", "ping", "-h", "localhost"] + interval: 10s + timeout: 10s + retries: 30 + # Nginx reverse proxy for Keycloak (optional) + codetogether-keycloak-nginx: + image: nginx:latest + container_name: codetogether-keycloak-nginx + env_file: + - .env + environment: + - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx + ports: + - "443:443" + volumes: + - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro + - ./nginx/ssl:/etc/nginx/ssl + - ./nginx/log:/var/log/nginx + networks: + - codetogethernet + depends_on: + codetogether-keycloak: + condition: service_healthy + + # Keycloak service (optional) + codetogether-keycloak: + image: quay.io/keycloak/keycloak:latest + container_name: codetogether-keycloak + env_file: + - .env + depends_on: + codetogether-mysql: + condition: service_healthy + command: + - "start" + environment: + # Admin credentials + KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} + KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + + # Database connectivity + KC_DB: mysql + KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root} + KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD} + KC_DB_URL_HOST: codetogether-mysql + + # Feature flags & observability + KC_FEATURES: token-exchange + KC_HEALTH_ENABLED: "true" + KC_METRICS_ENABLED: "true" + + # Reverse‑proxy / HTTP + KC_HTTP_ENABLED: "true" + KC_PROXY: edge + KC_PROXY_HEADERS: xforwarded + KC_HOSTNAME_STRICT: "false" + KC_HOSTNAME_STRICT_HTTPS: "false" 
+ KC_HOSTNAME: ${KEYCLOAK_FQDN} + KC_FRONTEND_URL: https://${KEYCLOAK_FQDN} + KC_HTTP_PORT: 8080 + networks: + - codetogethernet + healthcheck: + test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 30s + +volumes: + mysql_data: + +networks: + codetogethernet: + driver: bridge \ No newline at end of file diff --git a/compose/keycloak/nginx/log/placeholder.txt b/compose/keycloak/nginx/log/placeholder.txt new file mode 100644 index 0000000..e69de29 diff --git a/compose/keycloak/nginx/nginx.conf.template b/compose/keycloak/nginx/nginx.conf.template new file mode 100644 index 0000000..e48b298 --- /dev/null +++ b/compose/keycloak/nginx/nginx.conf.template 
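Review bot: `env_file: - .env` on `codetogether-keycloak-nginx` and `codetogether-mysql` injects the whole file — including `KEYCLOAK_ADMIN_PASSWORD` and `KEYCLOAK_DB_PASSWORD` — into containers that only need `KEYCLOAK_FQDN` / `SSL_KEYCLOAK_*` (nginx, for template substitution) or the MySQL variables already passed explicitly; the `${VAR}` references under `environment:` are resolved by Compose from the project `.env` without `env_file`, so the directive can be dropped from those two services. `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}` also gives the application user's password full root access to the database; give root its own variable. `KC_HOSTNAME_STRICT: "false"` and `KC_HOSTNAME_STRICT_HTTPS: "false"` switch off the checks that `KC_HOSTNAME` is there to enforce, and `nginx:latest`, `keycloak:latest` and `mysql:8.0` are all unpinned. With a `latest` image some of these options (`KC_PROXY`, `KC_HOSTNAME_STRICT_HTTPS`, `KC_FRONTEND_URL`) may belong to the older hostname configuration and be ignored with a warning, so a comment naming the Keycloak version this was tested against would save the next operator a debugging session.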
@@ -0,0 +1,57 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ server {
+ server_name ${KEYCLOAK_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+ # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-keycloak:8080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+} \ No newline at end of file
diff --git a/compose/keycloak/nginx/ssl/placeholder.txt b/compose/keycloak/nginx/ssl/placeholder.txt new file mode 100644
index 0000000..e69de29
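Review bot: The `if ($http_x_real_ip != '')` / `if ($http_x_forwarded_for != '')` blocks copy whatever the client sent into `X-Real-IP` and `X-Forwarded-For`, and this nginx is the edge listener (`443:443` in the compose file), so any caller can choose the address that Keycloak — configured with `KC_PROXY_HEADERS: xforwarded` — records for brute-force detection, audit events and any IP-based admin restrictions. Set the headers from the connection instead, `proxy_set_header X-Real-IP $remote_addr;` and `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, and if an upstream proxy really exists, trust only it via `set_real_ip_from` / `real_ip_header`. The comments still read "CodeTogether Intel container" after the copy-paste, `ssl_dhparam` is commented out while `DHE-RSA-*` suites remain in `ssl_ciphers` (which presumably leaves those suites unusable), and `ssl_protocols TLSv1.2` could include `TLSv1.3`. `Connection "upgrade"` is also sent on every request; Keycloak needs no WebSocket passthrough here, so the two `Upgrade` lines can go.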
From 40dffd58e13f04017f57464d26d1ac39bd5783f8 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:07:48 -0600 Subject: [PATCH 27/31] 144 keycloak (#146) * initial config * Docker compose example to run keycloak * Undo properties file change * fixes on properties file --------- Co-authored-by: Wojciech Galanciak --- compose/cthq.properties | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/compose/cthq.properties b/compose/cthq.properties index c8c481a..f52ac5c 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -27,6 +27,13 @@ hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights hq.sso.client.authentication.method=client_secret_post +# hq.sso.provider=keycloak +# hq.sso.client.id=YOUR_CLIENT_ID +# hq.sso.client.secret=YOUR_CLIENT_SECRET +# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.client.authentication.method=client_secret_post + # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra From 502eb16f798694014abe80d0e9c92c1157c83d80 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:17:33 -0600 Subject: [PATCH 28/31] 144 keycloak (#147) * initial config * Docker compose example to run keycloak * Undo properties file change * fixes on properties file --------- Co-authored-by: Wojciech Galanciak --- compose/cthq.properties | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/compose/cthq.properties b/compose/cthq.properties index f52ac5c..1e985ae 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties 
@@ -34,6 +34,13 @@ hq.sso.client.authentication.method=client_secret_post # hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights # hq.sso.client.authentication.method=client_secret_post +# hq.sso.provider=keycloak +# hq.sso.client.id=YOUR_CLIENT_ID +# hq.sso.client.secret=YOUR_CLIENT_SECRET +# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.client.authentication.method=client_secret_post + # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra From f3790b8aecf8750940437c49b55fddf09fa7370e Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:21:11 -0600 Subject: [PATCH 29/31] 144 keycloak (#149) --- compose/cthq.properties | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/compose/cthq.properties b/compose/cthq.properties index 1e985ae..761ad28 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties @@ -41,6 +41,13 @@ hq.sso.client.authentication.method=client_secret_post # hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights # hq.sso.client.authentication.method=client_secret_post +# hq.sso.provider=keycloak +# hq.sso.client.id=YOUR_CLIENT_ID +# hq.sso.client.secret=YOUR_CLIENT_SECRET +# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.client.authentication.method=client_secret_post + # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA hq.cassandra.db.host=codetogether-cassandra From a044e6018527ebb2a8a6dc1cf84a31e7ba24492e Mon Sep 17 00:00:00 2001 
From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:22:34 -0600 Subject: [PATCH 30/31] fixes on properties file --- compose/cthq.properties | 50 +++++++++-------------------------------- 1 file changed, 11 insertions(+), 39 deletions(-) diff --git a/compose/cthq.properties b/compose/cthq.properties index 761ad28..8b8c254 100644 --- a/compose/cthq.properties +++ b/compose/cthq.properties 
@@ -6,47 +6,19 @@ hq.collab.secret=${INTEL_SECRET} # Fill in values specific to your deployment # If you want to run with multiple SSO providers, add their names separated with commas -# hq.sso.tenants=github +hq.sso.tenants=github # GitHub SSO -# hq.sso.github.provider=github -# hq.sso.github.label=GitHub -# hq.sso.github.client.id=Iv1.45b9336a78ce2476 -# hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371 -# hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -# hq.sso.github.auth.uri=https://github.com/login/oauth/authorize -# hq.sso.github.token.uri=https://github.com/login/oauth/access_token -# hq.sso.github.info.uri=https://api.github.com/user -# hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks -# hq.sso.github.logout.uri=https://github.com/logout - -hq.sso.provider=keycloak -hq.sso.client.id=codetogether -hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64 -hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether -hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -hq.sso.client.authentication.method=client_secret_post - -# hq.sso.provider=keycloak -# hq.sso.client.id=YOUR_CLIENT_ID -# hq.sso.client.secret=YOUR_CLIENT_SECRET -# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether -# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -# hq.sso.client.authentication.method=client_secret_post - -# hq.sso.provider=keycloak -# hq.sso.client.id=YOUR_CLIENT_ID -# hq.sso.client.secret=YOUR_CLIENT_SECRET -# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether -# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -# hq.sso.client.authentication.method=client_secret_post - -# hq.sso.provider=keycloak -# hq.sso.client.id=YOUR_CLIENT_ID -# hq.sso.client.secret=YOUR_CLIENT_SECRET -# 
hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether -# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -# hq.sso.client.authentication.method=client_secret_post +hq.sso.github.provider=github +hq.sso.github.label=GitHub +hq.sso.github.client.id= +hq.sso.github.client.secret= +hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +hq.sso.github.auth.uri=https://github.com/login/oauth/authorize +hq.sso.github.token.uri=https://github.com/login/oauth/access_token +hq.sso.github.info.uri=https://api.github.com/user +hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks +hq.sso.github.logout.uri=https://github.com/logout # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA From 98cd5b5665d004c50845e010a2858b04ade30927 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 11:07:57 -0600 Subject: [PATCH 31/31] Prepare examples for deployment with keycloak. --- compose/.env-with-keycloak-template | 63 ++++++++ .../keycloak/compose-keycloak-no-nginx.yaml | 76 ++++++++++ ...se.keycloak.yaml => compose-keycloak.yaml} | 0 .../ssl/nginx-with-keycloak.conf.template | 143 ++++++++++++++++++ 4 files changed, 282 insertions(+) create mode 100644 compose/.env-with-keycloak-template create mode 100644 compose/keycloak/compose-keycloak-no-nginx.yaml rename compose/keycloak/{compose.keycloak.yaml => compose-keycloak.yaml} (100%) create mode 100644 compose/nginx/ssl/nginx-with-keycloak.conf.template diff --git a/compose/.env-with-keycloak-template b/compose/.env-with-keycloak-template new file mode 100644 index 0000000..9662e99 --- /dev/null +++ b/compose/.env-with-keycloak-template 
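Review bot: Restoring `hq.sso.github.client.secret=` as a blank to be filled in a git-tracked file brings back the pattern that led to real-looking credentials being committed earlier in this series; the file already resolves `${INTEL_SECRET}` and `${INTEL_FQDN}` from `.env`, so the GitHub credentials should follow suit, e.g. `hq.sso.github.client.id=${GITHUB_CLIENT_ID}` and `hq.sso.github.client.secret=${GITHUB_CLIENT_SECRET}`, with both names added to `.env-template`. This commit also drops the Keycloak stanza entirely while the new `.env-with-keycloak-template` (step 4) points operators at this file to configure SSO; a commented Keycloak block with placeholder values — never the actual secret — would close that gap. The hunk's start is on the previous line.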
@@ -0,0 +1,63 @@
+###############################################################################
+# CodeTogether – Environment Template
+# -----------------------------------------------------------------------------
+# 1. Copy this file to `.env` in the same directory as `compose.yaml`.
+# 2. Replace the placeholders on the right‑hand side with your real values.
+# 3. Place all SSL certificates and Diffie‑Hellman parameters in the
+# `nginx/ssl` directory.
+# 4. Configure your SSO provider in the `cthq.properties` file.
+# 5. Run `docker‑compose up -d` to start the containers.
+#
+# Variables (all required unless stated otherwise)
+# ----------------------------------------------
+# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the
+# Collab service (e.g. collab.example.com).
+#
+# INTEL_FQDN Public hostname (FQDN) for the Intel service
+# (e.g. intel.example.com).
+#
+# INTEL_SECRET Shared secret Collab uses to authenticate when
+# communicating with the Intel service. Use a strong,
+# private value.
+#
+# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab
+# virtual host (e.g. ssl-collab.crt).
+#
+# SSL_COLLAB_KEY Private key filename for the Collab certificate
+# (e.g. ssl-collab.key).
+#
+# SSL_INTEL_CERT Certificate filename for the Intel virtual host
+# (e.g. ssl-intel.crt).
+#
+# SSL_INTEL_KEY Private key filename for the Intel certificate
+# (e.g. ssl-intel.key).
+#
+# DHPARAM_PEM Diffie‑Hellman parameters file (e.g. dhparam.pem).
+###############################################################################
+
+COLLAB_FQDN=collab.example.com
+INTEL_FQDN=intel.example.com
+INTEL_SECRET=super-secret-string
+
+# SSL cerfificate files should be placed in the `nginx/ssl` directory.
+SSL_COLLAB_CERT=ssl-collab.crt
+SSL_COLLAB_KEY=ssl-collab.key
+
+SSL_INTEL_CERT=ssl-intel.crt
+SSL_INTEL_KEY=ssl-intel.key
+
+DHPARAM_PEM=dhparam.pem
+
+KEYCLOAK_FQDN=keycloak.example.com
+SSL_KEYCLOAK_CERT=ssl-keycloak.crt
+SSL_KEYCLOAK_KEY=ssl-keycloak.key
+
+KEYCLOAK_DB_USERNAME=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak
+
+KEYCLOAK_ADMIN_PASSWORD=keycloak
+KEYCLOAK_ADMIN=admin
+
+# Uncomment the following lines to enable AI integration with Ollama
+#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000
+#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b
diff --git a/compose/keycloak/compose-keycloak-no-nginx.yaml b/compose/keycloak/compose-keycloak-no-nginx.yaml
new file mode 100644
index 0000000..883a88d
--- /dev/null
+++ b/compose/keycloak/compose-keycloak-no-nginx.yaml
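Review bot: The `Variables (all required unless stated otherwise)` header stops at DHPARAM_PEM, so KEYCLOAK_FQDN, SSL_KEYCLOAK_CERT/SSL_KEYCLOAK_KEY, KEYCLOAK_DB_USERNAME/KEYCLOAK_DB_PASSWORD and KEYCLOAK_ADMIN/KEYCLOAK_ADMIN_PASSWORD are undocumented even though the Keycloak compose file in this patch reads every one of them. The sample values `KEYCLOAK_DB_PASSWORD=keycloak` and `KEYCLOAK_ADMIN_PASSWORD=keycloak` are the kind of placeholder that survives into a deployment; a comment such as `# Replace both passwords before first start; the admin password also guards the Keycloak admin console` above them would match the guidance already given for INTEL_SECRET. The comment `# SSL cerfificate files ...` has a typo (`certificate`), and since the resulting `.env` holds secrets, step 1 of the header could add that the copy must stay out of version control.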
@@ -0,0 +1,76 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+ # Relational database for Keycloak (optional)
+ codetogether-mysql:
+ image: mysql:8.0
+ container_name: codetogether-mysql
+ restart: unless-stopped
+ env_file:
+ - .env
+ environment:
+ MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ MYSQL_DATABASE: keycloak
+ MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
+ MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ volumes:
+ - mysql_data:/var/lib/mysql
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 30
+
+ # Keycloak service (optional)
+ codetogether-keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ container_name: codetogether-keycloak
+ env_file:
+ - .env
+ depends_on:
+ codetogether-mysql:
+ condition: service_healthy
+ command:
+ - "start"
+ environment:
+ # Admin credentials
+ KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+ # Database connectivity
+ KC_DB: mysql
+ KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+ KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ KC_DB_URL_HOST: codetogether-mysql
+
+ # Feature flags & observability
+ KC_FEATURES: token-exchange
+ KC_HEALTH_ENABLED: "true"
+ KC_METRICS_ENABLED: "true"
+
+ # Reverse‑proxy / HTTP
+ KC_HTTP_ENABLED: "true"
+ KC_PROXY: edge
+ KC_PROXY_HEADERS: xforwarded
+ KC_HOSTNAME_STRICT: "false"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+ KC_HOSTNAME: ${KEYCLOAK_FQDN}
+ KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
+ KC_HTTP_PORT: 8080
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 30s
+
+volumes:
+ mysql_data:
+
+networks:
+ codetogethernet:
+ driver: bridge
\ No newline at end of file
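Review bot: `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}` gives the MySQL root account the same password as the application user, and `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}` falls back to root when the variable is unset while `MYSQL_USER` has no fallback at all, so a missing variable makes Keycloak silently connect as root instead of failing; a separate root secret (or the image's `MYSQL_RANDOM_ROOT_PASSWORD`) and dropping the `:-root` default would close both. Both services also load the entire `.env` through `env_file`, which puts INTEL_SECRET and the nginx certificate names into the MySQL and Keycloak containers although everything they need is already mapped under `environment:`; removing the two `env_file` entries keeps each container to its own secrets. With `image: quay.io/keycloak/keycloak:latest`, `KC_PROXY`, `KC_HOSTNAME_STRICT_HTTPS` and `KC_FRONTEND_URL` are, as far as I recall, deprecated or removed in recent Keycloak releases in favour of `KC_PROXY_HEADERS` and the v2 hostname options, so pinning a tested version would keep this example reproducible.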
diff --git a/compose/keycloak/compose.keycloak.yaml b/compose/keycloak/compose-keycloak.yaml
similarity index 100%
rename from compose/keycloak/compose.keycloak.yaml
rename to compose/keycloak/compose-keycloak.yaml
diff --git a/compose/nginx/ssl/nginx-with-keycloak.conf.template b/compose/nginx/ssl/nginx-with-keycloak.conf.template
new file mode 100644
index 0000000..20260b7
--- /dev/null
+++ b/compose/nginx/ssl/nginx-with-keycloak.conf.template
@@ -0,0 +1,143 @@
+### To use this file rename it to nginx.conf.template so it is picked up by the compose.yml file.
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ server {
+ listen 443 ssl http2;
+ server_name ${COLLAB_FQDN};
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY};
+ ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ location / {
+ # Similar proxy logic for headers
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ add_header C-Real-IP $realIP;
+ add_header C-Forwarded-For $forwardTo;
+ add_header C-Request-Host $reqHost;
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_pass http://codetogether-collab:1080;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+ server {
+ server_name ${INTEL_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY};
+ ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-intel:1080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+ server {
+ server_name ${KEYCLOAK_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+ # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-keycloak:8080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+}
\ No newline at end of file
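Review bot: In all three `location /` blocks the `if ($http_x_real_ip != '')` and `if ($http_x_forwarded_for != '')` branches copy whatever the client sent into the `X-Real-IP` and `X-Forwarded-For` headers passed upstream, so a direct client chooses the address that Collab, Intel and — via `KC_PROXY_HEADERS: xforwarded` in the companion compose file — Keycloak log and use for any per-IP throttling; if nginx is the edge, drop the two `if` blocks and send `$remote_addr` / `$proxy_add_x_forwarded_for` only, and if another proxy sits in front, use `set_real_ip_from` restricted to that proxy's address with `real_ip_header` instead. The Keycloak server block comments out `ssl_dhparam` while its `ssl_ciphers` still lists the `DHE-RSA-*` suites; nginx (1.11 and later, as far as I recall) offers no DHE suite without a dhparam file, so either reuse `/etc/nginx/ssl/${DHPARAM_PEM}` as the other two blocks do or remove the DHE entries so the list states what is actually negotiated. `proxy_set_header X-Forwarded-Proto https;` appears only in the Keycloak block; the Collab and Intel backends get no scheme hint, so the same line belongs in their `location /` blocks too. The comments `# create the passthrough to the CodeTogether Intel container` and `# set passthru parameters for the CodeTogether Intel container` in the Keycloak block were copied from the Intel block and should name Keycloak.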