From db4a91d09f639c14178ecd079dd82ec3ce95d7b5 Mon Sep 17 00:00:00 2001 
From: Ignacio Moreno Date: Mon, 30 Jun 2025 17:25:31 -0600 Subject: [PATCH 1/6] Changes for release (#143) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: separate SSL certificates (#101) * fix: Set environment variables via .env file. (#99) * Set environment variables via .env file. * Missing change * Change how hostnames and secret are set. * changes for env template * add env variable resolver on sso redirect value * fix: add env_file to codetogether-intel (#105) * fix: missing CT_HQ_BASE_URL env var (#107) * feat: nginx auto config (#109) * fix: add step for sso provider (#110) * fix: add client_max_body_size to intel (#112) * fix: tweak name of dhparam.pem env var (#113) * tweak name of dhparam.pem env var * fix env var name in nginx template * fix pam to pem * fix: missing env file on collab (#114) * fix: handle nil ai.openai.api_key to prevent template er… (#116) * fix(intel-chart): handle nil ai.openai.api_key to prevent template errors Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and ai.external.api_key when undefined. This fixes a fatal error during `helm template` when AI mode is set to `bundled` and no OpenAI config is present. Ensures compatibility with bundled-only deployments. * Changes to fix workflow issues * fix: cleanup for sso tenants (#117) * feat(intel): add option to disable AI integration entirely (#120) Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling AI features entirely, enabling Intel to be deployed without any AI-related containers or resources. 
* Change gen ai image name on values file (#122) * fix: bump up version number (#123) * docs: remove outdated metrics section from README (#130) - Removed the section referring to metrics(prometeus), etc from the README Co-authored-by: engineering * fix: add note to env-template file (#127) * fix: update LLM image URL to hub.edge (#132) * docs: add deprecation notice to old Live chart (#131) * 126 automatically configure ollama integration when llm is enabled (#128) * Make sidecar AI container resource block optional in deployment - Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml. - Ensures the bundled AI container can run without specifying resource limits/requests by default. - Improved overall Helm template flexibility for embedded AI mode. - Validated that runs with AI Container embeeded. * Enable support for external AI provider - Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode. - Added manifests for external AI integration: - ai-config ConfigMap: defines external provider and URL. - ai-external-secret Secret: stores the external API key. - Verified that external AI mode works by routing requests through the configured external service. * feat: automate creation of external AI ConfigMap and Secret from values.yaml - Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled. - ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml. - Ensured resources are only created when ai.enabled=true and ai.mode=external. * feat: allow use of existing or Helm-managed ai-external-secret in deployment - Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation. 
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided. * Fixing helm template validations * Adding values configuration --------- Co-authored-by: engineering * Gen AI Changes (#124) * Change resources of ai * Include gen ai on docker compose. * undo changes * Fix collab helm chart to allow usage of locator. (#134) * fix: invalid values in AI values section (#137) * fix: support automatic configuration of the LLM integration if AI is enabled (#138) * Fixes after Testing (#139) * Fixes after Testing - Refactored deployment.yaml to reference ai.externalSecret.name when create: false - Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData - Updated ai-external-secret.yaml to generate a Secret only when create: true * Bump intel chart version to 1.2.5 * Fix to user http://codetogether-llm:8000/ always --------- Co-authored-by: engineering * Changes to use localhost always to avoid dns issues (#142) Co-authored-by: engineering --------- Co-authored-by: Wojciech Galanciak Co-authored-by: danc094codetogether Co-authored-by: engineering --- charts/collab/README.md | 5 - charts/collab/templates/deployment.yaml | 4 + charts/collab/values.yaml | 3 + charts/intel/Chart.yaml | 4 +- charts/intel/templates/ai-config.yaml | 11 ++ .../intel/templates/ai-external-secret.yaml | 12 ++ charts/intel/templates/deployment.yaml | 126 +++++++++--------- charts/intel/values.yaml | 20 ++- charts/live/README.md | 5 +- compose/.env-template | 7 +- compose/compose.ai.yaml | 13 ++ 11 files changed, 124 insertions(+), 86 deletions(-) create mode 100644 charts/intel/templates/ai-config.yaml create mode 100644 charts/intel/templates/ai-external-secret.yaml create mode 100644 compose/compose.ai.yaml diff --git a/charts/collab/README.md b/charts/collab/README.md index 621f5a5..f235f45 100644 --- a/charts/collab/README.md +++ b/charts/collab/README.md 
@@ -36,11 +36,6 @@ The following table lists configurable parameters of the CodeTogether Collab cha | `codetogether.noclients` | Disables the `/clients` endpoint if set to `true` | `false` | | `codetogether.timeZone.enabled` | Enables a customized time zone for the container | `false` | | `codetogether.timeZone.region` | Time zone region for the container | `America/Chicago` | -| `direct.metrics.statsdEnabled` | Enables StatsD metrics collection | `false` | -| `direct.metrics.statsdHost` | Host for StatsD metrics | `https://my-graphite-fqdn` | -| `direct.metrics.statsdPort` | Port for StatsD metrics | `8125` | -| `direct.metrics.statsdProtocol` | Protocol for StatsD metrics | `UDP` | -| `direct.metrics.prometheusEnabled` | Enables Prometheus metrics collection | `false` | | `locatorCentral.database.host` | Host for locator-central database | `10.10.0.2` | | `locatorCentral.database.port` | Port for locator-central database | `3306` | | `locatorCentral.database.schema` | Schema name for locator-central database | `codetogether` | diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 7c08ca3..689f562 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml @@ -99,6 +99,10 @@ spec: {{- if eq .Values.codetogether.mode "locator-edge" }} - name: CT_LOCATOR value: {{ .Values.locatorEdge.locator | quote }} + {{- if .Values.locatorEdge.locatorLan }} + - name: CT_LOCATOR_INTERNAL + value: {{ .Values.locatorEdge.locatorLan | quote }} + {{- end }} - name: CT_REGION value: {{ .Values.locatorEdge.region | quote }} {{- end }} diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index 04a4d89..b05bde9 100644 --- a/charts/collab/values.yaml +++ b/charts/collab/values.yaml 
@@ -117,6 +117,9 @@ locatorCentral: locatorEdge: # URL that the Locator is listening on. locator: "https://codetogether.locator" + # Internal k8s url for the locator service. + # Optional - If not set k8s dns need to know how to resolve the locator url. + # locatorLan: "http://..svc.cluster.local:443" # Optional region which can have CIDR IP address regions assigned to # allowing regional routing of requests. Only enable if deploying # CodeTogether to multiple regional data centers. diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml index a63a302..23c312a 100644 --- a/charts/intel/Chart.yaml +++ b/charts/intel/Chart.yaml @@ -3,8 +3,8 @@ name: codetogether-intel description: CodeTogether Intel provides advanced project insights for developers type: application -version: 1.2.3 -appVersion: "2025.1.0" +version: 1.2.5 +appVersion: "2025.3.0" icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png home: https://www.codetogether.com diff --git a/charts/intel/templates/ai-config.yaml b/charts/intel/templates/ai-config.yaml new file mode 100644 index 0000000..763fedb --- /dev/null +++ b/charts/intel/templates/ai-config.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: ai-config + namespace: {{ .Release.Namespace }} +data: + ai_provider: {{ .Values.ai.provider | quote }} + ai_url: {{ .Values.ai.url | quote }} +{{- end }} + diff --git a/charts/intel/templates/ai-external-secret.yaml b/charts/intel/templates/ai-external-secret.yaml new file mode 100644 index 0000000..b01e8ad --- /dev/null +++ b/charts/intel/templates/ai-external-secret.yaml 
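Review bot: The example in the new comment, `# locatorLan: "http://..svc.cluster.local:443"`, is missing the service and namespace labels and pairs `http://` with port 443, so copying it yields an unresolvable URL; write it as a labelled placeholder, `# locatorLan: "http://<locator-service>.<namespace>.svc.cluster.local:<port>"`. The sentence above it also reads awkwardly; `# Optional - if unset, cluster DNS must be able to resolve the locator URL above.` says the same thing. Since charts/collab/templates/deployment.yaml only emits CT_LOCATOR_INTERNAL when this key is non-empty, the comment could also mention that it is consumed as that environment variable.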
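Review bot: This template reads `.Values.ai.provider` and `.Values.ai.url`, but the charts/intel/values.yaml hunk in this same patch deletes `provider: "ollama"` and shows no `url`, `modelName` or `externalSecret` key, so an external-mode render with default values produces `ai_provider: ""` and `ai_url: ""` without any error. Guard both with `required`, e.g. `ai_provider: {{ required "ai.provider is required when ai.mode=external" .Values.ai.provider | quote }}`, and add the keys (commented if need be) to values.yaml so they are discoverable. The ConfigMap is also hard-named `ai-config` while the companion Secret is release-scoped via `codetogether.fullname`; two releases in one namespace would overwrite each other's ConfigMap, so consider `name: {{ include "codetogether.fullname" . }}-ai-config` together with the matching configMapKeyRef in deployment.yaml (that reference sits between the visible hunks).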
@@ -0,0 +1,12 @@
+{{- $extSecret := (index .Values.ai "externalSecret" | default dict) }}
+{{- if and .Values.ai.enabled (eq .Values.ai.mode "external") (or (not $extSecret.name) $extSecret.create) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ $extSecret.name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) }}
+ namespace: {{ .Release.Namespace }}
+type: Opaque
+stringData:
+ apiKey: {{ $extSecret.apiKey | quote }}
+{{- end }}
+
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
index 9c0d7e0..8cdb59e 100644
--- a/charts/intel/templates/deployment.yaml
+++ b/charts/intel/templates/deployment.yaml
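Review bot: `apiKey: {{ $extSecret.apiKey | quote }}` silently creates a Secret whose key is the empty string whenever `ai.externalSecret.apiKey` is unset, and the deployment then wires that empty value into the container as a valid-looking credential; fail the render instead with `apiKey: {{ required "ai.externalSecret.apiKey is required when the chart creates the external AI secret" $extSecret.apiKey | quote }}`. This template defensively uses `index .Values.ai "externalSecret" | default dict`, while charts/intel/templates/deployment.yaml in the same patch dereferences `.Values.ai.externalSecret.name` directly; the two should share the same guard. A short header comment spelling out the three cases the condition encodes (no name → create under the release-scoped default name; name with `create: true` → create under that name; name without `create` → reference an existing Secret) would save the next reader working it out from the `or`.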
@@ -28,38 +28,19 @@ spec: {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "bundled" }} - - name: codetogether-llm - image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" - imagePullPolicy: Always - ports: - - name: ai - containerPort: 8000 - protocol: TCP - resources: - requests: - cpu: {{ .Values.ai.resources.requests.cpu | quote }} - memory: {{ .Values.ai.resources.requests.memory | quote }} - limits: - cpu: {{ .Values.ai.resources.limits.cpu | quote }} - memory: {{ .Values.ai.resources.limits.memory | quote }} - {{- end }} - {{- end }} - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - - name: AI_MODE - value: {{ .Values.ai.mode | quote }} - {{- if eq .Values.ai.mode "bundled" }} - - name: AI_BUNDLED_URL - value: "http://codetogether-llm:8000" - {{- end }} - {{- if .Values.ai.enabled }} - {{- if eq .Values.ai.mode "external" }} + - name: AI_MODE + value: {{ .Values.ai.mode | quote }} + {{- if eq .Values.ai.mode "bundled" }} + - name: AI_BUNDLED_URL + value: "http://localhost:8000" + {{- end }} + {{- if and .Values.ai.enabled (eq .Values.ai.mode "external") }} - name: AI_PROVIDER valueFrom: configMapKeyRef: 
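Review bot: `{{- if eq .Values.ai.mode "bundled" }}` around `AI_BUNDLED_URL` is not gated on `.Values.ai.enabled`, so with the chart defaults (`enabled: false`, `mode: "bundled"` in the values.yaml hunk below) the container still receives `AI_MODE=bundled` and `AI_BUNDLED_URL=http://localhost:8000`, pointing at a sidecar this same patch only adds when `ai.enabled` is true. The later `CT_HQ_OLLAMA_*` block and the sidecar both check `enabled`; make this block consistent with `{{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }}`. Whether the application treats `AI_MODE=bundled` with an unreachable URL as disabled or as an error is not visible here, so verify before relying on the current behaviour.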
@@ -73,36 +54,47 @@ spec: - name: AI_EXTERNAL_API_KEY valueFrom: secretKeyRef: - name: ai-external-secret - key: api-key + name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name | quote }} + key: apiKey + {{- end }} + # Set CodeTogether runtime configuration + - name: CT_HQ_BASE_URL + value: {{ .Values.codetogether.url | quote }} + {{- if .Values.java.customCacerts.enabled }} + - name: CT_TRUST_STORE + value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts + {{- end }} + {{- if .Values.java.customJavaOptions }} + - name: CT_JAVA_OPTIONS + value: "{{ .Values.java.customJavaOptions | default "" }}" + {{- end }} + {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }} + - name: CT_TRUST_STORE_PASSWD + valueFrom: + secretKeyRef: + name: {{ .Values.java.customCacerts.cacertsSecretName }} + key: {{ .Values.java.customCacerts.trustStorePasswordKey }} + optional: true + {{- end }} + {{- if .Values.ai.enabled }} + - name: CT_HQ_OLLAMA_AI_URL + value: {{ if eq .Values.ai.mode "bundled" }} + "http://localhost:8000" + {{ else }} + {{ .Values.ai.url | quote }} + {{ end }} + - name: CT_HQ_OLLAMA_AI_MODEL_NAME + value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }} + - name: CT_HQ_OLLAMA_AI_API_KEY + {{- if eq .Values.ai.mode "bundled" }} + value: "apiKey" + {{- else }} + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name | quote }} + key: apiKey + {{- end }} {{- end }} - {{- end }} - # - # Set CodeTogether runtime configuration - # - - name: CT_HQ_BASE_URL - value: {{ .Values.codetogether.url | quote }} - {{- if .Values.java.customCacerts.enabled }} - - name: CT_TRUST_STORE - value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts - {{- end }} - - # Custom Java options (excluding trust store related settings) - {{- if .Values.java.customJavaOptions }} - - 
name: CT_JAVA_OPTIONS - value: "{{ .Values.java.customJavaOptions | default "" }}" - {{- end }} - - # Set trust store password only if trustStorePasswordKey is provided - {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }} - - name: CT_TRUST_STORE_PASSWD - valueFrom: - secretKeyRef: - name: {{ .Values.java.customCacerts.cacertsSecretName }} - key: {{ .Values.java.customCacerts.trustStorePasswordKey }} - optional: true - {{- end }} - volumeMounts: - name: properties-volume mountPath: /opt/codetogether/runtime/cthq.properties @@ -112,29 +104,20 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} - - # - # Set container configuration - # ports: - name: http containerPort: 1080 protocol: TCP - livenessProbe: - httpGet: - path: / - port: http initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.livenessProbe.periodSeconds }} timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} successThreshold: {{ .Values.livenessProbe.successThreshold }} failureThreshold: {{ .Values.livenessProbe.failureThreshold }} - readinessProbe: httpGet: path: / port: http - + readinessProbe: initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} periodSeconds: {{ .Values.readinessProbe.periodSeconds }} @@ -147,6 +130,19 @@ spec: resources: {{- toYaml .Values.resources | nindent 12 }} + {{- if and .Values.ai.enabled (eq .Values.ai.mode "bundled") }} + - name: codetogether-llm + image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}" + imagePullPolicy: Always + ports: + - name: ai + containerPort: 8000 + protocol: TCP + {{- if .Values.ai.resources }} + resources: + {{- toYaml .Values.ai.resources | nindent 12 }} + {{- end }} + {{- end }} volumes: - name: properties-volume secret: diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 04507b2..5587d5f 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml 
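Review bot: `.Values.ai.externalSecret.name` in the two `secretKeyRef` blocks (AI_EXTERNAL_API_KEY and CT_HQ_OLLAMA_AI_API_KEY) is dereferenced without the `default dict` guard that ai-external-secret.yaml uses, so `ai.mode: external` with no `externalSecret` key in values aborts the render with a nil-pointer error; use `name: {{ (index .Values.ai "externalSecret" | default dict).name | default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) | quote }}` in both places, or hoist it into one variable. The `CT_HQ_OLLAMA_AI_URL` value is built with non-trimming `{{ if }}`/`{{ else }}`/`{{ end }}`, which leaves the scalar on its own line between whitespace-only lines; it parses today only because YAML accepts an indented continuation, so collapse it to `value: {{ if eq .Values.ai.mode "bundled" }}"http://localhost:8000"{{ else }}{{ .Values.ai.url | quote }}{{ end }}`. In bundled mode the API key is the literal string `"apiKey"`; if the sidecar does not authenticate callers, a comment saying so (`# placeholder: the bundled sidecar does not check this value`) would stop a reader treating it as a leaked credential.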
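Review bot: As far as the collapsed hunk can be read, `livenessProbe:` and its `httpGet:` / `path: /` / `port: http` lines are removed while the five `{{ .Values.livenessProbe.* }}` timing fields stay, and `readinessProbe:` is moved below the second `httpGet:` block. Depending on the indentation the collapsed view hides, the orphaned timing fields end up either as unknown keys on the `ports` entry or as stray keys that schema validation rejects, and in every reading the liveness probe itself is gone. Please run `helm template` on this chart and compare the probe stanzas against the previous revision; the intended shape is the original one, `livenessProbe:` with its own `httpGet:` and timing fields, followed by `readinessProbe:` with its own `httpGet:` and timing fields. Dropping the `# Set container configuration` banner is fine, but the probe restructuring looks accidental.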
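Review bot: The new `codetogether-llm` sidecar gets no `securityContext`, while the main container above renders `{{- toYaml .Values.securityContext | nindent 12 }}`; add the same two lines under the sidecar so the pod's hardening settings apply to both processes. `image: "{{ .Values.ai.image.repository }}:{{ .Values.ai.image.tag }}"` with the values default `tag: latest` and `imagePullPolicy: Always` means every pod restart may pull a different image with no record of what ran; prefer an explicit tag or digest in values and let the pull policy follow the chart's `.Values.image.pullPolicy`. The container also declares no resources unless `ai.resources` is set, which the values.yaml hunk leaves commented out, so by default the LLM runs unbounded next to the application container; that deserves a note in values.yaml.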
@@ -141,20 +141,16 @@ securityContext: {} ai: enabled: false mode: "bundled" # Options: bundled | external - provider: "ollama" # No OpenAI dependency - resources: - requests: - cpu: "2" - memory: "4Gi" - gpu: false - limits: - cpu: "4" - memory: "8Gi" - gpu: false image: - repository: registry.digitalocean.com/codetogether-registry/ai-summarization + repository: hub.edge.codetogether.com/releases/codetogether-llm tag: latest - +# resources: # Recommended resources configuration + # requests: + # cpu: "2" + # memory: "4Gi" + #limits: + # cpu: "4" + #memory: "4Gi" readinessProbe: initialDelaySeconds: 60 diff --git a/charts/live/README.md b/charts/live/README.md index 76048f3..b8cbf31 100644 --- a/charts/live/README.md +++ b/charts/live/README.md @@ -1,7 +1,10 @@ # README.md Helm Chart for CodeTogether Live +# CodeTogether Live Chart (Legacy) -## Summary +> **⚠️ Legacy Chart** +> This chart is now considered legacy and is not longer supported, is not recommended for new deployments. +## Summary This chart creates a CodeTogether Live server deployment on a Kubernetes cluster using the Helm package manager. ## Prerequisites diff --git a/compose/.env-template b/compose/.env-template index c88f162..82fa77c 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -39,10 +39,15 @@ COLLAB_FQDN=collab.example.com INTEL_FQDN=intel.example.com INTEL_SECRET=super-secret-string +# SSL cerfificate files should be placed in the `nginx/ssl` directory. SSL_COLLAB_CERT=ssl-collab.crt SSL_COLLAB_KEY=ssl-collab.key SSL_INTEL_CERT=ssl-intel.crt SSL_INTEL_KEY=ssl-intel.key -DHPARAM_PEM=dhparam.pem \ No newline at end of file +DHPARAM_PEM=dhparam.pem + +# Uncomment the following lines to enable AI integration with Ollama +#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 +#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b diff --git a/compose/compose.ai.yaml b/compose/compose.ai.yaml new file mode 100644 index 0000000..d3ef932 --- /dev/null +++ b/compose/compose.ai.yaml 
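Review bot: The commented "Recommended resources configuration" block appears to start at column 0 (`# resources:`) while deployment.yaml reads it from `.Values.ai.resources`, and its comment prefixes are inconsistent (`# requests:` indented, `#limits:` and `#memory:` flush), so uncommenting it as written yields either a top-level `resources` key that silently overrides the main container's resources or mis-nested YAML; the exact indentation is hard to read in this view, so please check the file. Re-indent it under `ai:` with a uniform `#` prefix, e.g. `  # resources:` / `  #   requests:` / `  #     cpu: "2"`, so removing the `# ` is all a user has to do. This hunk also deletes `provider: "ollama"` although `templates/ai-config.yaml` still renders `.Values.ai.provider`, and no `url`, `modelName` or `externalSecret` defaults are shown for the new external mode; document them here (commented) so the keys the templates expect are discoverable.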
@@ -0,0 +1,13 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+ ai:
+ image: hub.edge.codetogether.com/releases/codetogether-llm:latest
+ container_name: codetogether-llm
+ ports:
+ - "8000:8000"
+ networks:
+ - codetogethernet
+ depends_on:
+ codetogether-intel:
+ condition: service_healthy
\ No newline at end of file
From d0bfcd3cf02dd33f8074718df76526f926982143 Mon Sep 17 00:00:00 2001
From: Ignacio Moreno
Date: Thu, 10 Jul 2025 10:19:26 -0600
Subject: [PATCH 2/6] Add keycloak docker compose (#148)
---
compose/.gitignore | 10 +++
compose/cthq.properties | 43 +++++++---
compose/keycloak/.env-template | 9 ++
compose/keycloak/compose.keycloak.yaml | 95 ++++++++++++++++++++++
compose/keycloak/nginx/log/placeholder.txt | 0
compose/keycloak/nginx/nginx.conf.template | 57 +++++++++++++
compose/keycloak/nginx/ssl/placeholder.txt | 0
7 files changed, 203 insertions(+), 11 deletions(-)
create mode 100644 compose/.gitignore
create mode 100644 compose/keycloak/.env-template
create mode 100644 compose/keycloak/compose.keycloak.yaml
create mode 100644 compose/keycloak/nginx/log/placeholder.txt
create mode 100644 compose/keycloak/nginx/nginx.conf.template
create mode 100644 compose/keycloak/nginx/ssl/placeholder.txt
diff --git a/compose/.gitignore b/compose/.gitignore
new file mode 100644
index 0000000..cdb441f
--- /dev/null
+++ b/compose/.gitignore
@@ -0,0 +1,10 @@
+data/
+nginx/log/
+nginx/ssl/*.key
+nginx/ssl/*.pem
+nginx/ssl/*.crt
+keycloak/nginx/log/*.log
+keycloak/nginx/ssl/*.key
+keycloak/nginx/ssl/*.pem
+keycloak/nginx/ssl/*.crt
+.env
\ No newline at end of file
diff --git a/compose/cthq.properties b/compose/cthq.properties
index 8b8c254..1e985ae 100644
--- a/compose/cthq.properties
+++ b/compose/cthq.properties
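Review bot: `ports: - "8000:8000"` publishes the LLM endpoint on every host interface, although its only consumer, `codetogether-intel`, reaches it over `codetogethernet` by container name (`CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000` in the .env template), and nothing in this patch shows the service authenticating callers; drop the mapping, or bind it to loopback with `- "127.0.0.1:8000:8000"` if local access is needed. The file references `codetogether-intel` in `depends_on` without defining it, so it only works as an overlay on the main file; the header comment should say so, e.g. `# Overlay: run with docker compose -f compose.yaml -f compose.ai.yaml up -d`. As with the Helm chart, `codetogether-llm:latest` pins nothing; a versioned tag keeps the compose deployment reproducible.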
@@ -6,19 +6,40 @@ hq.collab.secret=${INTEL_SECRET} # Fill in values specific to your deployment # If you want to run with multiple SSO providers, add their names separated with commas -hq.sso.tenants=github +# hq.sso.tenants=github # GitHub SSO -hq.sso.github.provider=github -hq.sso.github.label=GitHub -hq.sso.github.client.id= -hq.sso.github.client.secret= -hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights -hq.sso.github.auth.uri=https://github.com/login/oauth/authorize -hq.sso.github.token.uri=https://github.com/login/oauth/access_token -hq.sso.github.info.uri=https://api.github.com/user -hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks -hq.sso.github.logout.uri=https://github.com/logout +# hq.sso.github.provider=github +# hq.sso.github.label=GitHub +# hq.sso.github.client.id=Iv1.45b9336a78ce2476 +# hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371 +# hq.sso.github.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.github.auth.uri=https://github.com/login/oauth/authorize +# hq.sso.github.token.uri=https://github.com/login/oauth/access_token +# hq.sso.github.info.uri=https://api.github.com/user +# hq.sso.github.jwt.set.uri=https://token.actions.githubusercontent.com/.well-known/jwks +# hq.sso.github.logout.uri=https://github.com/logout + +hq.sso.provider=keycloak +hq.sso.client.id=codetogether +hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64 +hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +hq.sso.client.authentication.method=client_secret_post + +# hq.sso.provider=keycloak +# hq.sso.client.id=YOUR_CLIENT_ID +# hq.sso.client.secret=YOUR_CLIENT_SECRET +# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# 
hq.sso.client.authentication.method=client_secret_post + +# hq.sso.provider=keycloak +# hq.sso.client.id=YOUR_CLIENT_ID +# hq.sso.client.secret=YOUR_CLIENT_SECRET +# hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether +# hq.sso.redirect.uri=https://${INTEL_FQDN}/api/v1/auth/sso/success/insights +# hq.sso.client.authentication.method=client_secret_post # These values do not need to be changed, though secrets can be updated hq.db.type=CASSANDRA diff --git a/compose/keycloak/.env-template b/compose/keycloak/.env-template new file mode 100644 index 0000000..5127bae --- /dev/null +++ b/compose/keycloak/.env-template @@ -0,0 +1,9 @@ +KEYCLOAK_FQDN=keycloak.example.com +SSL_KEYCLOAK_CERT=ssl-keycloak.crt +SSL_KEYCLOAK_KEY=ssl-keycloak.key + +KEYCLOAK_DB_USERNAME=keycloak +KEYCLOAK_DB_PASSWORD=keycloak + +KEYCLOAK_ADMIN_PASSWORD=keycloak +KEYCLOAK_ADMIN=admin \ No newline at end of file diff --git a/compose/keycloak/compose.keycloak.yaml b/compose/keycloak/compose.keycloak.yaml new file mode 100644 index 0000000..f842905 --- /dev/null +++ b/compose/keycloak/compose.keycloak.yaml 
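Review bot: The new active lines commit what look like real credentials: `hq.sso.client.secret=eFl6XSKwMMsEW1yRTY9pHjBrCTHDEY64` is live, and the commented GitHub block carries `hq.sso.github.client.id=Iv1.45b9336a78ce2476` and `hq.sso.github.client.secret=c4446ad126ec65b3d926e37de3fe880246aff371`; a commented-out secret is still a secret in git history, so these should be treated as exposed and rotated, and the template should reference the environment the way the file already does for `hq.collab.secret=${INTEL_SECRET}`, e.g. `hq.sso.client.secret=${KEYCLOAK_CLIENT_SECRET}` with that variable added to the .env templates. The placeholder Keycloak block (`hq.sso.client.id=YOUR_CLIENT_ID` …) is pasted twice back to back; one copy is enough. `hq.sso.client.issuer.url=http://codetogether-keycloak:8080/realms/codetogether` is the container-internal address, while the compose file configures Keycloak with `KC_HOSTNAME: ${KEYCLOAK_FQDN}`, so the issuer Keycloak advertises in its discovery document will be the public `https://<KEYCLOAK_FQDN>/realms/codetogether`; if the application compares the configured issuer against that document (Spring Security does), the mismatch fails at startup, which is worth confirming against a running stack and documenting in the template.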
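Review bot: Every credential in this template is a working default (`KEYCLOAK_DB_PASSWORD=keycloak`, `KEYCLOAK_ADMIN_PASSWORD=keycloak`, `KEYCLOAK_ADMIN=admin`) and nothing in the file says they must be changed. MySQL applies `MYSQL_ROOT_PASSWORD` only when it initialises the data volume and Keycloak creates the admin user on first start, so defaults that are left in place are persisted and are not corrected by editing `.env` later; add a header such as `# Replace every password below BEFORE the first 'docker compose up'; they are persisted on first start.` and use obvious placeholders, e.g. `KEYCLOAK_ADMIN_PASSWORD=change-me`. The same variable also becomes the MySQL root password in compose.keycloak.yaml, which the name `KEYCLOAK_DB_PASSWORD` does not suggest; a separate `KEYCLOAK_DB_ROOT_PASSWORD` would keep the two roles apart.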
@@ -0,0 +1,95 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+ # Relational database for Keycloak (optional)
+ codetogether-mysql:
+ image: mysql:8.0
+ container_name: codetogether-mysql
+ restart: unless-stopped
+ env_file:
+ - .env
+ environment:
+ MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ MYSQL_DATABASE: keycloak
+ MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
+ MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ volumes:
+ - mysql_data:/var/lib/mysql
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 30
+ # Nginx reverse proxy for Keycloak (optional)
+ codetogether-keycloak-nginx:
+ image: nginx:latest
+ container_name: codetogether-keycloak-nginx
+ env_file:
+ - .env
+ environment:
+ - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
+ ports:
+ - "443:443"
+ volumes:
+ - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
+ - ./nginx/ssl:/etc/nginx/ssl
+ - ./nginx/log:/var/log/nginx
+ networks:
+ - codetogethernet
+ depends_on:
+ codetogether-keycloak:
+ condition: service_healthy
+
+ # Keycloak service (optional)
+ codetogether-keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ container_name: codetogether-keycloak
+ env_file:
+ - .env
+ depends_on:
+ codetogether-mysql:
+ condition: service_healthy
+ command:
+ - "start"
+ environment:
+ # Admin credentials
+ KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+ # Database connectivity
+ KC_DB: mysql
+ KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+ KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ KC_DB_URL_HOST: codetogether-mysql
+
+ # Feature flags & observability
+ KC_FEATURES: token-exchange
+ KC_HEALTH_ENABLED: "true"
+ KC_METRICS_ENABLED: "true"
+
+ # Reverse‑proxy / HTTP
+ KC_HTTP_ENABLED: "true"
+ KC_PROXY: edge
+ KC_PROXY_HEADERS: xforwarded
+ KC_HOSTNAME_STRICT: "false"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+ KC_HOSTNAME: ${KEYCLOAK_FQDN}
+ KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
+ KC_HTTP_PORT: 8080
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 30s
+
+volumes:
+ mysql_data:
+
+networks:
+ codetogethernet:
+ driver: bridge
\ No newline at end of file
diff --git a/compose/keycloak/nginx/log/placeholder.txt b/compose/keycloak/nginx/log/placeholder.txt
new file mode 100644
index 0000000..e69de29
diff --git a/compose/keycloak/nginx/nginx.conf.template b/compose/keycloak/nginx/nginx.conf.template
new file mode 100644
index 0000000..e48b298
--- /dev/null
+++ b/compose/keycloak/nginx/nginx.conf.template
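Review bot: `image: quay.io/keycloak/keycloak:latest` is combined with options that recent Keycloak majors have deprecated or removed (`KC_PROXY: edge`, `KC_HOSTNAME_STRICT_HTTPS`, and the `KEYCLOAK_ADMIN`/`KEYCLOAK_ADMIN_PASSWORD` bootstrap variables, superseded by `KC_BOOTSTRAP_ADMIN_USERNAME`/`KC_BOOTSTRAP_ADMIN_PASSWORD`), so the stack can stop starting on the next pull; pin a major version tag (`quay.io/keycloak/keycloak:<major>`) and keep the option set matched to it. `MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}` hands the Keycloak application user's password to MySQL root as well; use a separate variable for root. `env_file: - .env` injects every template variable, including the admin password, into the mysql and nginx containers that each need only one or two of them; pass those few through `environment:` instead, and mount `./nginx/ssl` read-only (`:ro`) like the nginx template above it. The same service definitions are repeated verbatim in compose/keycloak/compose-keycloak-no-nginx.yaml and compose/keycloak/compose-keycloak.yaml in patch 4, so whatever is fixed here needs applying there too.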
@@ -0,0 +1,57 @@
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ server {
+ server_name ${KEYCLOAK_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+ # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-keycloak:8080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+}
\ No newline at end of file
diff --git a/compose/keycloak/nginx/ssl/placeholder.txt b/compose/keycloak/nginx/ssl/placeholder.txt
new file mode 100644
index 0000000..e69de29
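Review bot: The `if ($http_x_real_ip != '')` and `if ($http_x_forwarded_for != '')` blocks copy client-supplied headers into `X-Real-IP` and `X-Forwarded-For`, and since this nginx terminates TLS itself (`listen 443 ssl http2`) there is no trusted hop in front of it, so any caller can choose the source address Keycloak records and feeds into its brute-force detection and event log. Remove the two `if` blocks and the `set` lines and send `proxy_set_header X-Real-IP $remote_addr;` / `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` directly; if a load balancer is expected in front, declare it with `set_real_ip_from` and `real_ip_header` rather than trusting the headers unconditionally. `ssl_dhparam` is commented out while the `ssl_ciphers` list still ends with `DHE-RSA-*` suites, which nginx will not negotiate without parameters, and `ssl_protocols TLSv1.2;` leaves TLS 1.3 off; `ssl_protocols TLSv1.2 TLSv1.3;` and dropping the dead DHE entries would tidy that. The comments still describe "the CodeTogether Intel container" and "HQ requests" from the file they were copied from; they should name Keycloak.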
From a778d1b9d01b07a5afe4cf15c2b2f73408416987 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 10:24:01 -0600 Subject: [PATCH 3/6] Missing change (#150) Missing change From 3cb3823f7e72f4df7cd5ce7351cbe7a052a90d62 Mon Sep 17 00:00:00 2001 From: Ignacio Moreno Date: Thu, 10 Jul 2025 11:12:38 -0600 Subject: [PATCH 4/6] Prepare docker compose examples with keycloak. (#151) --- compose/.env-with-keycloak-template | 63 ++++++++ .../keycloak/compose-keycloak-no-nginx.yaml | 76 ++++++++++ compose/keycloak/compose-keycloak.yaml | 95 ++++++++++++ .../ssl/nginx-with-keycloak.conf.template | 143 ++++++++++++++++++ 4 files changed, 377 insertions(+) create mode 100644 compose/.env-with-keycloak-template create mode 100644 compose/keycloak/compose-keycloak-no-nginx.yaml create mode 100644 compose/keycloak/compose-keycloak.yaml create mode 100644 compose/nginx/ssl/nginx-with-keycloak.conf.template diff --git a/compose/.env-with-keycloak-template b/compose/.env-with-keycloak-template new file mode 100644 index 0000000..9662e99 --- /dev/null +++ b/compose/.env-with-keycloak-template 
@@ -0,0 +1,63 @@
+###############################################################################
+# CodeTogether – Environment Template
+# -----------------------------------------------------------------------------
+# 1. Copy this file to `.env` in the same directory as `compose.yaml`.
+# 2. Replace the placeholders on the right‑hand side with your real values.
+# 3. Place all SSL certificates and Diffie‑Hellman parameters in the
+# `nginx/ssl` directory.
+# 4. Configure your SSO provider in the `cthq.properties` file.
+# 5. Run `docker‑compose up -d` to start the containers.
+#
+# Variables (all required unless stated otherwise)
+# ----------------------------------------------
+# COLLAB_FQDN Public hostname (FQDN) that end‑users hit to reach the
+# Collab service (e.g. collab.example.com).
+#
+# INTEL_FQDN Public hostname (FQDN) for the Intel service
+# (e.g. intel.example.com).
+#
+# INTEL_SECRET Shared secret Collab uses to authenticate when
+# communicating with the Intel service. Use a strong,
+# private value.
+#
+# SSL_COLLAB_CERT Certificate filename that Nginx serves for the Collab
+# virtual host (e.g. ssl-collab.crt).
+#
+# SSL_COLLAB_KEY Private key filename for the Collab certificate
+# (e.g. ssl-collab.key).
+#
+# SSL_INTEL_CERT Certificate filename for the Intel virtual host
+# (e.g. ssl-intel.crt).
+#
+# SSL_INTEL_KEY Private key filename for the Intel certificate
+# (e.g. ssl-intel.key).
+#
+# DHPARAM_PEM Diffie‑Hellman parameters file (e.g. dhparam.pem).
+###############################################################################
+
+COLLAB_FQDN=collab.example.com
+INTEL_FQDN=intel.example.com
+INTEL_SECRET=super-secret-string
+
+# SSL cerfificate files should be placed in the `nginx/ssl` directory.
+SSL_COLLAB_CERT=ssl-collab.crt
+SSL_COLLAB_KEY=ssl-collab.key
+
+SSL_INTEL_CERT=ssl-intel.crt
+SSL_INTEL_KEY=ssl-intel.key
+
+DHPARAM_PEM=dhparam.pem
+
+KEYCLOAK_FQDN=keycloak.example.com
+SSL_KEYCLOAK_CERT=ssl-keycloak.crt
+SSL_KEYCLOAK_KEY=ssl-keycloak.key
+
+KEYCLOAK_DB_USERNAME=keycloak
+KEYCLOAK_DB_PASSWORD=keycloak
+
+KEYCLOAK_ADMIN_PASSWORD=keycloak
+KEYCLOAK_ADMIN=admin
+
+# Uncomment the following lines to enable AI integration with Ollama
+#CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000
+#CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b
diff --git a/compose/keycloak/compose-keycloak-no-nginx.yaml b/compose/keycloak/compose-keycloak-no-nginx.yaml
new file mode 100644
index 0000000..883a88d
--- /dev/null
+++ b/compose/keycloak/compose-keycloak-no-nginx.yaml
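Review bot: The documented variable list in the header stops at `DHPARAM_PEM`, so the `KEYCLOAK_*` and `SSL_KEYCLOAK_*` variables this template adds are undocumented even though the header promises "all required unless stated otherwise"; add one entry per variable in the same two-column format, and state there that `KEYCLOAK_DB_PASSWORD` also becomes the MySQL root password and that `KEYCLOAK_ADMIN_PASSWORD` is persisted by Keycloak on first start. The credentials are shipped as working defaults (`keycloak`, `admin`, `super-secret-string`); obvious placeholders such as `change-me` make an unedited copy fail loudly instead of running with known passwords. Typo: `cerfificate` → `certificate`. Step 5 still says `docker‑compose up -d` with a non-ASCII hyphen; `docker compose up -d` is the current form and copies cleanly.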
@@ -0,0 +1,76 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+ # Relational database for Keycloak (optional)
+ codetogether-mysql:
+ image: mysql:8.0
+ container_name: codetogether-mysql
+ restart: unless-stopped
+ env_file:
+ - .env
+ environment:
+ MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ MYSQL_DATABASE: keycloak
+ MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
+ MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ volumes:
+ - mysql_data:/var/lib/mysql
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 30
+
+ # Keycloak service (optional)
+ codetogether-keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ container_name: codetogether-keycloak
+ env_file:
+ - .env
+ depends_on:
+ codetogether-mysql:
+ condition: service_healthy
+ command:
+ - "start"
+ environment:
+ # Admin credentials
+ KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+ # Database connectivity
+ KC_DB: mysql
+ KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+ KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ KC_DB_URL_HOST: codetogether-mysql
+
+ # Feature flags & observability
+ KC_FEATURES: token-exchange
+ KC_HEALTH_ENABLED: "true"
+ KC_METRICS_ENABLED: "true"
+
+ # Reverse‑proxy / HTTP
+ KC_HTTP_ENABLED: "true"
+ KC_PROXY: edge
+ KC_PROXY_HEADERS: xforwarded
+ KC_HOSTNAME_STRICT: "false"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+ KC_HOSTNAME: ${KEYCLOAK_FQDN}
+ KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
+ KC_HTTP_PORT: 8080
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 30s
+
+volumes:
+ mysql_data:
+
+networks:
+ codetogethernet:
+ driver: bridge
\ No newline at end of file
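Review bot: The DB and admin credentials are interpolated as bare `${KEYCLOAK_DB_PASSWORD}` / `${KEYCLOAK_ADMIN_PASSWORD}`, so an unset variable silently becomes an empty string instead of failing the `up`; compose's `${VAR:?message}` form makes the omission fatal, e.g. `KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:?KEYCLOAK_ADMIN_PASSWORD must be set in .env}`. `KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}` also disagrees with the mysql service, where the same variable has no default: if it is unset, `MYSQL_USER` is empty and Keycloak connects as the MySQL root user (the root and application passwords are the same variable anyway), so either drop the `:-root` fallback or give both sides the same non-root default. `quay.io/keycloak/keycloak:latest` should be pinned to a specific version, since `KC_PROXY` and the `KEYCLOAK_ADMIN*` variables used here have been deprecated in favour of newer settings in recent Keycloak releases and an unpinned tag can change behaviour on every pull. The same three points apply to compose-keycloak.yaml in the next hunk.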
diff --git a/compose/keycloak/compose-keycloak.yaml b/compose/keycloak/compose-keycloak.yaml
new file mode 100644
index 0000000..f842905
--- /dev/null
+++ b/compose/keycloak/compose-keycloak.yaml
@@ -0,0 +1,95 @@
+# 👇 Rename `.env-template` to `.env` before running this file
+# Set the appropriate values once renamed
+services:
+ # Relational database for Keycloak (optional)
+ codetogether-mysql:
+ image: mysql:8.0
+ container_name: codetogether-mysql
+ restart: unless-stopped
+ env_file:
+ - .env
+ environment:
+ MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ MYSQL_DATABASE: keycloak
+ MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
+ MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ volumes:
+ - mysql_data:/var/lib/mysql
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+ interval: 10s
+ timeout: 10s
+ retries: 30
+ # Nginx reverse proxy for Keycloak (optional)
+ codetogether-keycloak-nginx:
+ image: nginx:latest
+ container_name: codetogether-keycloak-nginx
+ env_file:
+ - .env
+ environment:
+ - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
+ ports:
+ - "443:443"
+ volumes:
+ - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
+ - ./nginx/ssl:/etc/nginx/ssl
+ - ./nginx/log:/var/log/nginx
+ networks:
+ - codetogethernet
+ depends_on:
+ codetogether-keycloak:
+ condition: service_healthy
+
+ # Keycloak service (optional)
+ codetogether-keycloak:
+ image: quay.io/keycloak/keycloak:latest
+ container_name: codetogether-keycloak
+ env_file:
+ - .env
+ depends_on:
+ codetogether-mysql:
+ condition: service_healthy
+ command:
+ - "start"
+ environment:
+ # Admin credentials
+ KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
+ KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+
+ # Database connectivity
+ KC_DB: mysql
+ KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
+ KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
+ KC_DB_URL_HOST: codetogether-mysql
+
+ # Feature flags & observability
+ KC_FEATURES: token-exchange
+ KC_HEALTH_ENABLED: "true"
+ KC_METRICS_ENABLED: "true"
+
+ # Reverse‑proxy / HTTP
+ KC_HTTP_ENABLED: "true"
+ KC_PROXY: edge
+ KC_PROXY_HEADERS: xforwarded
+ KC_HOSTNAME_STRICT: "false"
+ KC_HOSTNAME_STRICT_HTTPS: "false"
+ KC_HOSTNAME: ${KEYCLOAK_FQDN}
+ KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
+ KC_HTTP_PORT: 8080
+ networks:
+ - codetogethernet
+ healthcheck:
+ test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+ interval: 10s
+ timeout: 5s
+ retries: 5
+ start_period: 30s
+
+volumes:
+ mysql_data:
+
+networks:
+ codetogethernet:
+ driver: bridge
\ No newline at end of file
diff --git a/compose/nginx/ssl/nginx-with-keycloak.conf.template b/compose/nginx/ssl/nginx-with-keycloak.conf.template
new file mode 100644
index 0000000..20260b7
--- /dev/null
+++ b/compose/nginx/ssl/nginx-with-keycloak.conf.template
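Review bot: `- ./nginx/ssl:/etc/nginx/ssl` is mounted read-write although nginx only reads it and the directory holds the TLS private keys; the template mount already uses `:ro`, so make this `- ./nginx/ssl:/etc/nginx/ssl:ro` as well. `nginx:latest` has the same unpinned-tag problem as the Keycloak image. This service renders `./nginx/nginx.conf.template`, and if that is the nginx-with-keycloak template added later in this patch it proxies to `codetogether-collab` and `codetogether-intel`, which no service in this file defines; nginx resolves static `proxy_pass` hostnames when it loads the config, so it presumably fails to start unless those containers are already attached to `codetogethernet` — a comment on the service stating which compose file it must run alongside would save that surprise.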
@@ -0,0 +1,143 @@
+### To use this file rename it to nginx.conf.template so it is picked up by the compose.yml file.
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ server {
+ listen 443 ssl http2;
+ server_name ${COLLAB_FQDN};
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY};
+ ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ location / {
+ # Similar proxy logic for headers
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ add_header C-Real-IP $realIP;
+ add_header C-Forwarded-For $forwardTo;
+ add_header C-Request-Host $reqHost;
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_pass http://codetogether-collab:1080;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+ server {
+ server_name ${INTEL_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY};
+ ssl_dhparam 
/etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-intel:1080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+ server {
+ server_name ${KEYCLOAK_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+ # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether 
Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-keycloak:8080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+}
\ No newline at end of file
From 2428a29582d74c01dc21749be2e40eb6e405ea85 Mon Sep 17 00:00:00 2001
From: Ignacio Moreno
Date: Thu, 10 Jul 2025 11:16:54 -0600
Subject: [PATCH 5/6] Move files to right path (#152)
---
.../nginx/nginx-with-keycloak.conf.template | 143 ++++++++++++++++++
1 file changed, 143 insertions(+)
create mode 100644 compose/nginx/nginx-with-keycloak.conf.template
diff --git a/compose/nginx/nginx-with-keycloak.conf.template b/compose/nginx/nginx-with-keycloak.conf.template
new file mode 100644
index 0000000..20260b7
--- /dev/null
+++ b/compose/nginx/nginx-with-keycloak.conf.template
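Review bot: All three `location /` blocks let the client pick the address the backend sees: `if ($http_x_real_ip != '') { set $realIP $http_x_real_ip; }` and the matching `$http_x_forwarded_for` branch copy whatever the request carries into the outgoing `X-Real-IP`/`X-Forwarded-For`, and the Keycloak block forwards that to a server running with `KC_PROXY_HEADERS: xforwarded`, so any caller can present an arbitrary source IP to Keycloak's login records and brute-force detection. If nginx is the edge proxy, drop the two `if` blocks and send `$remote_addr` / `$proxy_add_x_forwarded_for` directly; if another proxy sits in front, limit the override to that proxy's address range with the realip module, as sketched below for the Keycloak block, and apply the same shape to the collab and intel blocks (the collab block's `add_header C-Real-IP`/`C-Forwarded-For`/`C-Request-Host` lines echo the same values to the client and look like leftover debugging). `ssl_protocols TLSv1.2;` excludes TLS 1.3 in every server block, where `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting, and the Keycloak block's `# ssl_dhparam` line is commented out unlike the other two without a comment saying why. The Keycloak block's comments still read "CodeTogether Intel container" and "HQ requests" from the copy-paste. The byte-identical file is added again at compose/nginx/ in PATCH 5/6, where all of this applies as well.
```nginx
    location / {
        # Honour X-Forwarded-For only when it was set by the trusted upstream
        # proxy; every other client keeps $remote_addr as its address.
        # <TRUSTED_PROXY_CIDR> is a placeholder for that proxy's range; delete
        # these three lines when nginx itself is the edge.
        set_real_ip_from <TRUSTED_PROXY_CIDR>;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;

        client_max_body_size 32M;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        # … unchanged: proxy_pass http://codetogether-keycloak:8080 and the remaining proxy_* directives …
    }
```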
@@ -0,0 +1,143 @@
+### To use this file rename it to nginx.conf.template so it is picked up by the compose.yml file.
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+ sendfile on;
+ keepalive_timeout 65;
+ server {
+ listen 443 ssl http2;
+ server_name ${COLLAB_FQDN};
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+ ssl_certificate /etc/nginx/ssl/${SSL_COLLAB_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_COLLAB_KEY};
+ ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ location / {
+ # Similar proxy logic for headers
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ add_header C-Real-IP $realIP;
+ add_header C-Forwarded-For $forwardTo;
+ add_header C-Request-Host $reqHost;
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_pass http://codetogether-collab:1080;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+ server {
+ server_name ${INTEL_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_INTEL_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_INTEL_KEY};
+ ssl_dhparam 
/etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-intel:1080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+ server {
+ server_name ${KEYCLOAK_FQDN};
+ listen 443 ssl http2;
+
+ # configure proxy buffer sizes
+ proxy_buffer_size 128k;
+ proxy_buffers 4 256k;
+
+ # setup the SSL certificate
+ ssl_certificate /etc/nginx/ssl/${SSL_KEYCLOAK_CERT};
+ ssl_certificate_key /etc/nginx/ssl/${SSL_KEYCLOAK_KEY};
+ # ssl_dhparam /etc/nginx/ssl/${DHPARAM_PEM};
+ ssl_prefer_server_ciphers on;
+ ssl_protocols TLSv1.2;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+
+ # create the passthrough to the CodeTogether Intel container
+ location / {
+
+ # set passthru parameters for the CodeTogether 
Intel container
+ set $realIP $remote_addr;
+ set $forwardTo $proxy_add_x_forwarded_for;
+ set $reqHost $http_host;
+ client_max_body_size 32M;
+ if ($http_x_real_ip != '') {
+ set $realIP $http_x_real_ip;
+ }
+ if ($http_x_forwarded_for != '') {
+ set $forwardTo $http_x_forwarded_for;
+ }
+ proxy_set_header X-Real-IP $realIP;
+ proxy_set_header X-Forwarded-For $forwardTo;
+ proxy_set_header Host $reqHost;
+ proxy_set_header X-Forwarded-Proto https;
+
+ # setup the backend to service the HQ requests
+ proxy_pass http://codetogether-keycloak:8080;
+ proxy_set_header X-NginX-Proxy true;
+ proxy_http_version 1.1;
+ proxy_redirect off;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_read_timeout 360;
+ proxy_connect_timeout 360;
+ proxy_send_timeout 360;
+ }
+ }
+}
\ No newline at end of file
From 0f4189f867fac3bd3590960fee5a1b170226ace7 Mon Sep 17 00:00:00 2001
From: Wojciech Galanciak
Date: Wed, 16 Jul 2025 18:33:07 +0200
Subject: [PATCH 6/6] remove redundant file (#156)
---
compose/keycloak/compose.keycloak.yaml | 95 --------------------------
1 file changed, 95 deletions(-)
delete mode 100644 compose/keycloak/compose.keycloak.yaml
diff --git a/compose/keycloak/compose.keycloak.yaml b/compose/keycloak/compose.keycloak.yaml
deleted file mode 100644
index f842905..0000000
--- a/compose/keycloak/compose.keycloak.yaml
+++ /dev/null
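Review bot: The subject says "Move files to right path" but the diffstat is a single 143-line addition; the copy at compose/nginx/ssl/nginx-with-keycloak.conf.template from PATCH 1/6 is not deleted anywhere in this series, so two templates with the same blob (index 20260b7) now coexist and a fix applied to one will silently leave the other behind. The X-Forwarded-For trust and TLS-version points raised on the earlier copy apply verbatim here; a `git mv`-style change that removes the old path, or a follow-up deletion, keeps a single source of truth.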
@@ -1,95 +0,0 @@
-# 👇 Rename `.env-template` to `.env` before running this file
-# Set the appropriate values once renamed
-services:
- # Relational database for Keycloak (optional)
- codetogether-mysql:
- image: mysql:8.0
- container_name: codetogether-mysql
- restart: unless-stopped
- env_file:
- - .env
- environment:
- MYSQL_ROOT_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
- MYSQL_DATABASE: keycloak
- MYSQL_USER: ${KEYCLOAK_DB_USERNAME}
- MYSQL_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
- volumes:
- - mysql_data:/var/lib/mysql
- networks:
- - codetogethernet
- healthcheck:
- test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
- interval: 10s
- timeout: 10s
- retries: 30
- # Nginx reverse proxy for Keycloak (optional)
- codetogether-keycloak-nginx:
- image: nginx:latest
- container_name: codetogether-keycloak-nginx
- env_file:
- - .env
- environment:
- - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
- ports:
- - "443:443"
- volumes:
- - ./nginx/nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
- - ./nginx/ssl:/etc/nginx/ssl
- - ./nginx/log:/var/log/nginx
- networks:
- - codetogethernet
- depends_on:
- codetogether-keycloak:
- condition: service_healthy
-
- # Keycloak service (optional)
- codetogether-keycloak:
- image: quay.io/keycloak/keycloak:latest
- container_name: codetogether-keycloak
- env_file:
- - .env
- depends_on:
- codetogether-mysql:
- condition: service_healthy
- command:
- - "start"
- environment:
- # Admin credentials
- KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
- KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
-
- # Database connectivity
- KC_DB: mysql
- KC_DB_USERNAME: ${KEYCLOAK_DB_USERNAME:-root}
- KC_DB_PASSWORD: ${KEYCLOAK_DB_PASSWORD}
- KC_DB_URL_HOST: codetogether-mysql
-
- # Feature flags & observability
- KC_FEATURES: token-exchange
- KC_HEALTH_ENABLED: "true"
- KC_METRICS_ENABLED: "true"
-
- # Reverse‑proxy / HTTP
- KC_HTTP_ENABLED: "true"
- KC_PROXY: edge
- KC_PROXY_HEADERS: xforwarded
- KC_HOSTNAME_STRICT: "false"
- KC_HOSTNAME_STRICT_HTTPS: "false"
- KC_HOSTNAME: ${KEYCLOAK_FQDN}
- KC_FRONTEND_URL: https://${KEYCLOAK_FQDN}
- KC_HTTP_PORT: 8080
- networks:
- - codetogethernet
- healthcheck:
- test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
- interval: 10s
- timeout: 5s
- retries: 5
- start_period: 30s
-
-volumes:
- mysql_data:
-
-networks:
- codetogethernet:
- driver: bridge
\ No newline at end of file