diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml index 689f562..eb2332e 100644 --- a/charts/collab/templates/deployment.yaml +++ b/charts/collab/templates/deployment.yaml @@ -13,7 +13,7 @@ spec: annotations: checksum/coturn: {{ include (print $.Template.BasePath "/secret-coturn.yaml") . | sha256sum }} checksum/dashboard: {{ include (print $.Template.BasePath "/secret-dashboard.yaml") . | sha256sum }} - checksum/intel: {{ include (print $.Template.BasePath "/secret-intel.yaml") . | sha256sum }} + checksum/intel: {{- if not .Values.intelsecret.enabled }} {{ include (print $.Template.BasePath "/secret-intel.yaml") . | sha256sum }} {{- else }} "external" {{- end }} checksum/ssl: {{ include (print $.Template.BasePath "/secret-ssl.yaml") . | sha256sum }} {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} @@ -139,15 +139,27 @@ spec: value: {{ .Values.codetogether.timeZone.region | quote }} {{- end }} + {{- if and .Values.intelsecret.enabled (not .Values.intelsecret.ref) }} + {{- fail "intelsecret.enabled=true requires intelsecret.ref (existing Secret name)" -}} + {{- end }} + - name: CT_INTEL_URL valueFrom: secretKeyRef: - name: {{ include "codetogether.fullname" . }}-intel + name: {{ if .Values.intelsecret.enabled -}} + {{ .Values.intelsecret.ref | quote }} + {{- else }} + {{ printf "%s-intel" (include "codetogether.fullname" .) | quote }} + {{- end }} key: url - name: CT_INTEL_SECRET valueFrom: secretKeyRef: - name: {{ include "codetogether.fullname" . }}-intel + name: {{ if .Values.intelsecret.enabled -}} + {{ .Values.intelsecret.ref | quote }} + {{- else }} + {{ printf "%s-intel" (include "codetogether.fullname" .) | quote }} + {{- end }} key: secret {{- if .Values.dashboard.enabled }} - name: CT_DASHBOARD_USER 
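Review bot: With `intelsecret.enabled` the `checksum/intel` annotation becomes the constant `"external"`, so a rotated value in the referenced Secret no longer rolls the pods that read it; that is a defensible trade-off for an externally managed Secret, but it should be stated next to `intelsecret.ref` in values, e.g. `# pods are not restarted when this Secret changes; restart the Deployment after rotating it`. The enclosing `annotations:` block starts before the hunk.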
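Review bot: In the default branch (`intelsecret.enabled` false) the `name:` for `CT_INTEL_URL` and `CT_INTEL_SECRET` appears to render on the line after `name:`, because only the `if` side trims whitespace (`-}}`) while the newline and indentation after `{{- else }}` up to `{{ printf` are emitted as-is; YAML accepts a more-indented quoted scalar on the following line, but the rendered manifest is hard to read, and the exact whitespace is not fully recoverable from the collapsed hunk. The same expression is also written twice; one line avoids both problems: `name: {{ ternary .Values.intelsecret.ref (printf "%s-intel" (include "codetogether.fullname" .)) .Values.intelsecret.enabled | quote }}`. The `fail` guard is fine, and the enclosing container spec starts and ends outside the hunk.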
@@ -182,6 +194,10 @@ spec: name: codetogether-runtime - mountPath: /tmp name: codetogether-tmp + - mountPath: /var/log/nginx + name: codetogether-runtime + - mountPath: /var/cache/nginx + name: codetogether-runtime {{- if .Values.favicon.enabled }} - mountPath: /opt/volatile-template/nginx/favicon.ico name: favicon-volume diff --git a/charts/collab/templates/secret-intel.yaml b/charts/collab/templates/secret-intel.yaml index 79750a2..73d147d 100644 --- a/charts/collab/templates/secret-intel.yaml +++ b/charts/collab/templates/secret-intel.yaml @@ -1,3 +1,4 @@ +{{- if not .Values.intelsecret.enabled }} apiVersion: v1 kind: Secret metadata: @@ -8,3 +9,4 @@ type: Opaque data: url: {{ .Values.intel.url | b64enc | quote }} secret: {{ .Values.intel.secret | b64enc | quote }} +{{- end }} \ No newline at end of file diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml index b05bde9..9a663bd 100644 --- a/charts/collab/values.yaml +++ b/charts/collab/values.yaml @@ -37,6 +37,11 @@ imageCredentials: openshift: enabled: false +# Optional: use an existing secret for Intel connection +intelsecret: + enabled: false # default OFF - chart-managed secret + ref: "" # name of existing Secret (must have keys: url, secret) + # # Values required for establishing connection with the Intel server. # @@ -206,13 +211,13 @@ serviceAccount: podAnnotations: {} -securityContext: {} +securityContext: {} #defaults to # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + # readOnlyRootFilesystem: true # enable for read-only setup + # runAsUser: 0 # Use '0' for root user for read-only setup readinessProbe: initialDelaySeconds: 60 diff --git a/charts/intel/templates/ai-config.yaml b/charts/intel/templates/ai-config.yaml index 763fedb..7b97990 100644 --- a/charts/intel/templates/ai-config.yaml +++ b/charts/intel/templates/ai-config.yaml 
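Review bot: The two new mounts of `codetogether-runtime` at `/var/log/nginx` and `/var/cache/nginx` have no `subPath`, so they and the earlier mount of the same volume (its `mountPath` is above the hunk) all expose one and the same directory: nginx cache files land in the log directory and vice versa. The intel chart's deployment in this commit uses `subPath: var-log-nginx` / `subPath: var-cache-nginx` for exactly this; do the same here, e.g. `subPath: var-log-nginx` under the `/var/log/nginx` mount. These mounts are also unconditional, unlike the intel chart's `readOnlyMode.enabled` gate; confirm that is intended.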
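Review bot: The new closing `{{- end }}` is written without a trailing newline (`\ No newline at end of file`), as are the new last lines of `charts/intel/templates/ai-config.yaml` and `charts/intel/values.yaml` in this commit; add the final newline in all three so the files diff cleanly and yamllint does not flag them. The gate itself is fine: when `intelsecret.enabled` is true the template renders empty and Helm emits no manifest for it.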
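Review bot: The new `intelsecret` comments should also say what happens to the existing `intel.url` / `intel.secret` values when `enabled` is true: `secret-intel.yaml` in this commit no longer renders the chart-managed Secret in that case, so those two values are ignored, and the referenced Secret must exist in the release namespace or the pods stay in CreateContainerConfigError. Suggested line under `ref`: `# when enabled, intel.url/intel.secret are ignored; the Secret must exist in the release namespace`. The `intel:` section the comment refers to starts after the hunk.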
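Review bot: The commented `securityContext` example now pairs `# runAsNonRoot: true` with `# runAsUser: 0`; a container with both set is rejected by the kubelet (UID 0 cannot satisfy runAsNonRoot), so anyone uncommenting the block as written gets a pod that never starts, and advising root for a read-only root filesystem gives up the non-root hardening for nothing — `readOnlyRootFilesystem` does not need UID 0, it needs writable volumes at the paths that are written, which is what the new volume mounts are for. Keep `runAsUser: 1000` in the example and drop the root suggestion, or at least state that `runAsNonRoot` must be removed if `runAsUser: 0` is used. The same example, there with two `runAsUser` lines (0 and 1000) and missing `# ` spacing, is in the `@@ -130,20 +132,26 @@` hunk of `charts/intel/values.yaml`. Style: `#defaults to` after `securityContext: {}` should be `  # defaults to` (two spaces before `#`, one after).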
@@ -2,10 +2,11 @@ apiVersion: v1 kind: ConfigMap metadata: - name: ai-config + name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }} namespace: {{ .Release.Namespace }} + labels: + {{- include "codetogether.labels" . | nindent 4 }} data: ai_provider: {{ .Values.ai.provider | quote }} ai_url: {{ .Values.ai.url | quote }} -{{- end }} - +{{- end }} \ No newline at end of file diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml index 8cdb59e..3ccea51 100644 --- a/charts/intel/templates/deployment.yaml +++ b/charts/intel/templates/deployment.yaml @@ -26,6 +26,17 @@ spec: imagePullSecrets: - name: {{ include "codetogether.fullname" . }}-pull-secret {{- end }} + {{- if .Values.readOnlyMode.enabled }} + initContainers: + - name: prepare-ro + image: busybox:latest + securityContext: + runAsUser: 0 + command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"] + volumeMounts: + - name: volatile + mountPath: /mnt/volatile + {{- end }} serviceAccountName: {{ include "codetogether.serviceAccountName" . }} containers: - name: {{ .Chart.Name }} @@ -44,12 +55,12 @@ spec: - name: AI_PROVIDER valueFrom: configMapKeyRef: - name: ai-config + name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }} key: ai_provider - name: AI_EXTERNAL_URL valueFrom: configMapKeyRef: - name: ai-config + name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }} key: ai_url - name: AI_EXTERNAL_API_KEY valueFrom: @@ -76,6 +87,10 @@ spec: key: {{ .Values.java.customCacerts.trustStorePasswordKey }} optional: true {{- end }} + {{- if .Values.codetogether.trustAllCerts }} + - name: CT_TRUST_ALL_CERTS + value: "true" + {{- end }} {{- if .Values.ai.enabled }} - name: CT_HQ_OLLAMA_AI_URL value: {{ if eq .Values.ai.mode "bundled" }} 
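Review bot: The `prepare-ro` init container pulls `busybox:latest` — an unpinned, mutable tag from a public registry — and runs it as UID 0, in a pod that already carries an `imagePullSecrets` entry and therefore presumably pulls its other images from a controlled registry; make the image a value (e.g. `readOnlyMode.initImage`, a constructed name) and pin it by tag or digest. The command also creates `/mnt/var/log-codetogether`, but only `/mnt/volatile` is mounted, so that directory is created on the init container's own filesystem and is gone when it exits, and `|| true` hides any real `mkdir` failure. Drop the unused path and the `|| true`; `sh -c` is enough, since `-l` starts a login shell for no benefit here.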
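Review bot: `printf "%s-ai-config" (include "codetogether.fullname" .)` is now spelled out three times (twice in this hunk, once in `ai-config.yaml`); a named template alongside `codetogether.fullname` — e.g. `define "codetogether.aiConfigName"` (a constructed name) — used as `name: {{ include "codetogether.aiConfigName" . }}` keeps the ConfigMap name and its references from drifting apart. The `AI_EXTERNAL_API_KEY` entry continues past the end of the hunk.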
@@ -104,6 +119,20 @@ spec: mountPath: /etc/ssl/certs/java/cacerts subPath: cacerts {{- end }} + {{- if .Values.readOnlyMode.enabled }} + - name: volatile + mountPath: /run/volatile + - name: run + mountPath: /run + - name: tmp + mountPath: /tmp + - name: volatile + mountPath: /var/log/nginx + subPath: var-log-nginx + - name: volatile + mountPath: /var/cache/nginx + subPath: var-cache-nginx + {{- end }} ports: - name: http containerPort: 1080 @@ -152,6 +181,16 @@ spec: secret: secretName: {{ .Values.java.customCacerts.cacertsSecretName }} {{- end }} + {{- if .Values.readOnlyMode.enabled }} + - name: volatile + emptyDir: {} + - name: run + emptyDir: + medium: Memory + - name: tmp + emptyDir: + medium: Memory + {{- end }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/intel/templates/secrets.yaml b/charts/intel/templates/secrets.yaml index b5b85e7..9f50ecd 100644 --- a/charts/intel/templates/secrets.yaml +++ b/charts/intel/templates/secrets.yaml @@ -1,3 +1,4 @@ +{{- if .Values.ai.enabled }} apiVersion: v1 kind: Secret metadata: @@ -14,3 +15,4 @@ data: external-ai-key: {{ .Values.ai.external.api_key | b64enc }} {{- end }} {{- end }} +{{- end }} diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml index 5587d5f..a0378cb 100644 --- a/charts/intel/values.yaml +++ b/charts/intel/values.yaml @@ -32,12 +32,14 @@ imageCredentials: email: unused # -# Set CodeTogether runing mode and server's FQDN (HTTPS is mandatory for CodeTogether) +# Set CodeTogether running mode and server's FQDN (HTTPS is mandatory for CodeTogether) # Use 'direct' for simple evaluations and small deployments. CodeTogether can provide # guidance on the best deployment option based on your needs. # codetogether: url: https:// + trustAllCerts: false # Set to 'true' to trust all certificates + hqproperties: hq.sso.client.id: CLIENTID.apps.googleusercontent.com 
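Review bot: Under `readOnlyMode.enabled` the `volatile` volume is mounted at `/run/volatile` while a separate `run` volume is mounted at `/run`, so one mount is nested inside another; nothing in this commit reads `/run/volatile` (the init container prepares it under `/mnt/volatile`, and the nginx directories are served via `subPath`), so the nested mount looks unused and should be dropped unless the application needs it — please confirm. The `volumeMounts` list starts before the hunk.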
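Review bot: The `run` and `tmp` volumes use `medium: Memory` without a `sizeLimit`; a memory-backed emptyDir is charged to the container's memory, so with no bound a large write to `/tmp` can push the pod over its memory limit and get it OOM-killed. Add a limit, e.g. `sizeLimit: 256Mi` (constructed; size it to the workload), and consider one for the disk-backed `volatile` emptyDir as well. The `volumes` list starts before the hunk.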
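Review bot: Wrapping `secrets.yaml` in `{{- if .Values.ai.enabled }}` means the Secret no longer exists when AI is off, but the deployment's `AI_EXTERNAL_API_KEY` env entry (its `valueFrom` is cut off at the end of the `@@ -44,12 +55,12 @@` hunk) is not visibly gated on `ai.enabled`; if its `secretKeyRef` is neither inside such a gate nor marked `optional: true`, pods with the default `ai.enabled: false` fail with CreateContainerConfigError. Gate that env entry the same way, or add `optional: true` to its `secretKeyRef`. The matching `{{- end }}` is in the second hunk of this file.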
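Review bot: The unchanged line `external-ai-key: {{ .Values.ai.external.api_key | b64enc }}` reads `ai.external.api_key`, while the values added to `charts/intel/values.yaml` in this commit are `ai.externalSecret.apiKey` (with `create`/`name`); unless `ai.external.api_key` is still defined elsewhere in values, this renders from a missing value and `b64enc` of a nil value most likely fails at render time. Align the two names, and since the new values introduce `externalSecret.create`, the Secret should probably be gated on it too, e.g. `{{- if and .Values.ai.enabled .Values.ai.externalSecret.create }}`. The opening `if` lines of this block are outside the hunk.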
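Review bot: The comment on `trustAllCerts` should say what it actually does and costs: presumably it disables server-certificate verification for the service's outbound TLS connections, which means any endpoint presenting any certificate is accepted, so it belongs in evaluation setups only, while production should add the CA through the existing `java.customCacerts` options instead. Suggested line: `# disables TLS certificate verification (accepts any cert); evaluation only - use java.customCacerts for private CAs`. The same wording applies to the new `CT_TRUST_ALL_CERTS` entry in `compose/.env-template`.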
@@ -130,20 +132,26 @@ serviceAccount: podAnnotations: {} -securityContext: {} +securityContext: {} #defaults to + # capabilities: # drop: # - ALL - # readOnlyRootFilesystem: true + #readOnlyRootFilesystem: true # enable for read-only setup + #runAsUser: 0 # Use '0' for root user for read-only setup # runAsNonRoot: true # runAsUser: 1000 ai: enabled: false mode: "bundled" # Options: bundled | external - image: - repository: hub.edge.codetogether.com/releases/codetogether-llm - tag: latest + provider: "" + url: "" + modelName: "gemma3:1b" + externalSecret: + create: false + name: "" + apiKey: "" # resources: # Recommended resources configuration # requests: # cpu: "2" @@ -173,3 +181,6 @@ tolerations: [] affinity: {} replicaCount: 1 + +readOnlyMode: + enabled: false # Set to 'true' to enable read-only mode \ No newline at end of file diff --git a/compose/.env-template b/compose/.env-template index 82fa77c..502b43d 100644 --- a/compose/.env-template +++ b/compose/.env-template @@ -51,3 +51,7 @@ DHPARAM_PEM=dhparam.pem # Uncomment the following lines to enable AI integration with Ollama #CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 #CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b + +# Enable “to trust all certificates” +CT_TRUST_ALL_CERTS=false + diff --git a/compose/.env-with-keycloak-template b/compose/.env-with-keycloak-template index 9662e99..b609fb9 100644 --- a/compose/.env-with-keycloak-template +++ b/compose/.env-with-keycloak-template @@ -55,8 +55,8 @@ SSL_KEYCLOAK_KEY=ssl-keycloak.key KEYCLOAK_DB_USERNAME=keycloak KEYCLOAK_DB_PASSWORD=keycloak -KEYCLOAK_ADMIN_PASSWORD=keycloak -KEYCLOAK_ADMIN=admin +KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak +KC_BOOTSTRAP_ADMIN_USERNAME=admin # Uncomment the following lines to enable AI integration with Ollama #CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000 diff --git a/compose/keycloak/.env-template b/compose/keycloak/.env-template index 5127bae..8851a11 100644 --- a/compose/keycloak/.env-template +++ b/compose/keycloak/.env-template 
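Review bot: `externalSecret.apiKey: ""` invites committing a live API key to the values file, which Helm then also stores in the release Secret; the comment should steer users to `externalSecret.name` (a pre-created Secret) and, if `create: true` is used, to `--set` or a separate untracked values file. `ai.image` (`repository`/`tag`) was removed while `mode: "bundled"` stays the default; confirm the deployment no longer references `.Values.ai.image`, since the hunk does not show that. The `ai:` block continues past the end of the hunk.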
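Review bot: `readOnlyMode.enabled` only provisions the writable volumes and the init container; it does not set `readOnlyRootFilesystem: true`, which the user still has to add under `securityContext` (per the commented example earlier in the file). The comment should make that coupling explicit, e.g. `# provisions writable /run, /tmp and nginx dirs; pair with securityContext.readOnlyRootFilesystem: true`. The file also ends without a trailing newline.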
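Review bot: The comment `# Enable “to trust all certificates”` uses typographic quotes and reads oddly; plain ASCII such as `# Set to true to trust all TLS certificates (disables verification; evaluation only)` is clearer and safer in a file that is edited in terminals and copied into shells.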
@@ -5,5 +5,5 @@ SSL_KEYCLOAK_KEY=ssl-keycloak.key KEYCLOAK_DB_USERNAME=keycloak KEYCLOAK_DB_PASSWORD=keycloak -KEYCLOAK_ADMIN_PASSWORD=keycloak -KEYCLOAK_ADMIN=admin \ No newline at end of file +KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak +KC_BOOTSTRAP_ADMIN_USERNAME=admin diff --git a/compose/keycloak/compose-keycloak-no-nginx.yaml b/compose/keycloak/compose-keycloak-no-nginx.yaml index 883a88d..8af2fd9 100644 --- a/compose/keycloak/compose-keycloak-no-nginx.yaml +++ b/compose/keycloak/compose-keycloak-no-nginx.yaml @@ -36,8 +36,8 @@ services: - "start" environment: # Admin credentials - KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} - KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME} + KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD} # Database connectivity KC_DB: mysql @@ -62,11 +62,15 @@ services: networks: - codetogethernet healthcheck: - test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] + test: + [ + "CMD-SHELL", + "bash -lc 'exec 3<>/dev/tcp/127.0.0.1/9000 && printf \"GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n1 <&3 | grep -q \" 200 \"'" + ] interval: 10s timeout: 5s - retries: 5 - start_period: 30s + retries: 30 + start_period: 90s volumes: mysql_data: diff --git a/compose/keycloak/compose-keycloak.yaml b/compose/keycloak/compose-keycloak.yaml index f842905..d1d5233 100644 --- a/compose/keycloak/compose-keycloak.yaml +++ b/compose/keycloak/compose-keycloak.yaml @@ -55,8 +55,8 @@ services: - "start" environment: # Admin credentials - KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN} - KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD} + KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME} + KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD} # Database connectivity KC_DB: mysql 
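Review bot: The new healthcheck sends a plaintext HTTP/1.1 `GET /health/ready` to port 9000, which in Keycloak is the management interface: its health endpoints are only served when `KC_HEALTH_ENABLED=true`, and when the server is configured for HTTPS (the `.env` templates in this commit define `SSL_KEYCLOAK_KEY`), the management interface defaults to HTTPS too, so the check would never see `200` and the container would be marked unhealthy after the 30 retries. Neither setting is visible in the hunk; confirm `KC_HEALTH_ENABLED=true` is in the environment and that the management scheme matches the check. The same check is added in `compose/keycloak/compose-keycloak.yaml`. The `-l` in `bash -lc` is unneeded for this command.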
@@ -81,11 +81,15 @@ services: networks: - codetogethernet healthcheck: - test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"] + test: + [ + "CMD-SHELL", + "bash -lc 'exec 3<>/dev/tcp/127.0.0.1/9000 && printf \"GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n1 <&3 | grep -q \" 200 \"'" + ] interval: 10s timeout: 5s - retries: 5 - start_period: 30s + retries: 30 + start_period: 90s volumes: mysql_data: