Main

charts/collab/templates/deployment.yaml

@@ -13,7 +13,7 @@ spec:
       annotations:
         checksum/coturn: {{ include (print $.Template.BasePath "/secret-coturn.yaml") . | sha256sum }}
         checksum/dashboard: {{ include (print $.Template.BasePath "/secret-dashboard.yaml") . | sha256sum }}
-        checksum/intel: {{ include (print $.Template.BasePath "/secret-intel.yaml") . | sha256sum }}
+        checksum/intel: {{- if not .Values.intelsecret.enabled }} {{ include (print $.Template.BasePath "/secret-intel.yaml") . | sha256sum }} {{- else }} "external" {{- end }}
         checksum/ssl: {{ include (print $.Template.BasePath "/secret-ssl.yaml") . | sha256sum }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
@@ -139,15 +139,27 @@ spec:
             value: {{ .Values.codetogether.timeZone.region | quote }}
           {{- end }}
 
+          {{- if and .Values.intelsecret.enabled (not .Values.intelsecret.ref) }}
+          {{- fail "intelsecret.enabled=true requires intelsecret.ref (existing Secret name)" -}}
+          {{- end }}
+
           - name: CT_INTEL_URL
             valueFrom:
               secretKeyRef:
-                name: {{ include "codetogether.fullname" . }}-intel
+                name: {{ if .Values.intelsecret.enabled -}}
+                        {{ .Values.intelsecret.ref | quote }}
+                      {{- else }}
+                        {{ printf "%s-intel" (include "codetogether.fullname" .) | quote }}
+                      {{- end }}
                 key: url
           - name: CT_INTEL_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ include "codetogether.fullname" . }}-intel
+                name: {{ if .Values.intelsecret.enabled -}}
+                        {{ .Values.intelsecret.ref | quote }}
+                      {{- else }}
+                        {{ printf "%s-intel" (include "codetogether.fullname" .) | quote }}
+                      {{- end }}
                 key: secret
           {{- if .Values.dashboard.enabled }}
           - name: CT_DASHBOARD_USER
@@ -182,6 +194,10 @@ spec:
               name: codetogether-runtime
             - mountPath: /tmp
               name: codetogether-tmp
+            - mountPath: /var/log/nginx
+              name: codetogether-runtime
+            - mountPath: /var/cache/nginx
+              name: codetogether-runtime
             {{- if .Values.favicon.enabled }}
             - mountPath: /opt/volatile-template/nginx/favicon.ico
               name: favicon-volume

charts/collab/templates/secret-intel.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.intelsecret.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,3 +9,4 @@ type: Opaque
 data:
   url: {{ .Values.intel.url | b64enc | quote }}
   secret: {{ .Values.intel.secret | b64enc | quote }}
+{{- end }}

charts/collab/values.yaml

@@ -37,6 +37,11 @@ imageCredentials:
 openshift:
   enabled: false
 
+# Optional: use an existing secret for Intel connection
+intelsecret:
+  enabled: false              # default OFF - chart-managed secret
+  ref: ""                     # name of existing Secret (must have keys: url, secret)
+
 #
 # Values required for establishing connection with the Intel server.
 #
@@ -206,13 +211,13 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {}
+securityContext: {} #defaults to
   # capabilities:
   #   drop:
   #   - ALL
-  # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # readOnlyRootFilesystem: true # enable for read-only setup
+  # runAsUser: 0 # Use '0' for root user for read-only setup
 
 readinessProbe:
   initialDelaySeconds: 60

charts/intel/templates/ai-config.yaml

@@ -2,10 +2,11 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: ai-config
+  name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "codetogether.labels" . | nindent 4 }}
 data:
   ai_provider: {{ .Values.ai.provider | quote }}
   ai_url: {{ .Values.ai.url | quote }}
-{{- end }}
-
+{{- end }}

charts/intel/templates/deployment.yaml

@@ -26,6 +26,17 @@ spec:
       imagePullSecrets:
         - name: {{ include "codetogether.fullname" . }}-pull-secret
       {{- end }}
+      {{- if .Values.readOnlyMode.enabled }}
+      initContainers:
+        - name: prepare-ro
+          image: busybox:latest
+          securityContext:
+            runAsUser: 0
+          command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"]
+          volumeMounts:
+            - name: volatile
+              mountPath: /mnt/volatile
+      {{- end }}
       serviceAccountName: {{ include "codetogether.serviceAccountName" . }}
       containers:
         - name: {{ .Chart.Name }}
@@ -44,12 +55,12 @@ spec:
             - name: AI_PROVIDER
               valueFrom:
                 configMapKeyRef:
-                  name: ai-config
+                  name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }}
                   key: ai_provider
             - name: AI_EXTERNAL_URL
               valueFrom:
                 configMapKeyRef:
-                  name: ai-config
+                  name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }}
                   key: ai_url
             - name: AI_EXTERNAL_API_KEY
               valueFrom:
@@ -76,6 +87,10 @@ spec:
                   key: {{ .Values.java.customCacerts.trustStorePasswordKey }}
                   optional: true
             {{- end }}
+            {{- if .Values.codetogether.trustAllCerts }}
+            - name: CT_TRUST_ALL_CERTS
+              value: "true"
+            {{- end }}
             {{- if .Values.ai.enabled }}
             - name: CT_HQ_OLLAMA_AI_URL
               value: {{ if eq .Values.ai.mode "bundled" }}
@@ -104,6 +119,20 @@ spec:
               mountPath: /etc/ssl/certs/java/cacerts
               subPath: cacerts
             {{- end }}
+            {{- if .Values.readOnlyMode.enabled }}
+            - name: volatile
+              mountPath: /run/volatile
+            - name: run
+              mountPath: /run
+            - name: tmp
+              mountPath: /tmp
+            - name: volatile
+              mountPath: /var/log/nginx
+              subPath: var-log-nginx
+            - name: volatile
+              mountPath: /var/cache/nginx
+              subPath: var-cache-nginx            
+            {{- end }}
           ports:
             - name: http
               containerPort: 1080
@@ -152,6 +181,16 @@ spec:
           secret:
             secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
         {{- end }}
+        {{- if .Values.readOnlyMode.enabled }}
+        - name: volatile
+          emptyDir: {}
+        - name: run
+          emptyDir:
+            medium: Memory
+        - name: tmp
+          emptyDir:
+            medium: Memory
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/intel/templates/secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.ai.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -14,3 +15,4 @@ data:
   external-ai-key: {{ .Values.ai.external.api_key | b64enc }}
   {{- end }}
   {{- end }}
+{{- end }}

charts/intel/values.yaml

@@ -32,12 +32,14 @@ imageCredentials:
   email: unused
 
 #
-# Set CodeTogether runing mode and server's FQDN (HTTPS is mandatory for CodeTogether)
+# Set CodeTogether running mode and server's FQDN (HTTPS is mandatory for CodeTogether)
 # Use 'direct' for simple evaluations and small deployments. CodeTogether can provide
 # guidance on the best deployment option based on your needs.
 #
 codetogether:
   url: https://<server-fqdn>
+  trustAllCerts: false  # Set to 'true' to trust all certificates
+
 
 hqproperties:
   hq.sso.client.id: CLIENTID.apps.googleusercontent.com
@@ -130,20 +132,26 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {}
+securityContext: {} #defaults to
+
   # capabilities:
   #   drop:
   #   - ALL
-  # readOnlyRootFilesystem: true
+  #readOnlyRootFilesystem: true  # enable for read-only setup
+  #runAsUser: 0 # Use '0' for root user for read-only setup
   # runAsNonRoot: true
   # runAsUser: 1000
 
 ai:
   enabled: false
   mode: "bundled"  # Options: bundled | external
-  image:
-    repository: hub.edge.codetogether.com/releases/codetogether-llm
-    tag: latest
+  provider: ""
+  url: ""
+  modelName: "gemma3:1b"
+  externalSecret:
+    create: false
+    name: ""
+    apiKey: ""
 #  resources:       # Recommended resources configuration
  #   requests:
   #    cpu: "2"
@@ -173,3 +181,6 @@ tolerations: []
 affinity: {}
 
 replicaCount: 1
+
+readOnlyMode:
+  enabled: false # Set to 'true' to enable read-only mode

compose/.env-template

@@ -51,3 +51,7 @@ DHPARAM_PEM=dhparam.pem
 # Uncomment the following lines to enable AI integration with Ollama
 #CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000
 #CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b
+
+# Enable “to trust all certificates”
+CT_TRUST_ALL_CERTS=false
+

compose/.env-with-keycloak-template

@@ -55,8 +55,8 @@ SSL_KEYCLOAK_KEY=ssl-keycloak.key
 KEYCLOAK_DB_USERNAME=keycloak
 KEYCLOAK_DB_PASSWORD=keycloak
 
-KEYCLOAK_ADMIN_PASSWORD=keycloak
-KEYCLOAK_ADMIN=admin
+KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak
+KC_BOOTSTRAP_ADMIN_USERNAME=admin
 
 # Uncomment the following lines to enable AI integration with Ollama
 #CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000

compose/keycloak/.env-template

@@ -5,5 +5,5 @@ SSL_KEYCLOAK_KEY=ssl-keycloak.key
 KEYCLOAK_DB_USERNAME=keycloak
 KEYCLOAK_DB_PASSWORD=keycloak
 
-KEYCLOAK_ADMIN_PASSWORD=keycloak
-KEYCLOAK_ADMIN=admin
+KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak
+KC_BOOTSTRAP_ADMIN_USERNAME=admin

compose/keycloak/compose-keycloak-no-nginx.yaml

@@ -36,8 +36,8 @@ services:
       - "start"
     environment:
       # Admin credentials
-      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
-      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME}
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}
 
       # Database connectivity
       KC_DB: mysql
@@ -62,11 +62,15 @@ services:
     networks:
       - codetogethernet
     healthcheck:
-      test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+      test:
+        [
+          "CMD-SHELL",
+          "bash -lc 'exec 3<>/dev/tcp/127.0.0.1/9000 && printf \"GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n1 <&3 | grep -q \" 200 \"'"
+        ]
       interval: 10s
       timeout: 5s
-      retries: 5
-      start_period: 30s
+      retries: 30
+      start_period: 90s
 
 volumes:
   mysql_data:

compose/keycloak/compose-keycloak.yaml

@@ -55,8 +55,8 @@ services:
       - "start"
     environment:
       # Admin credentials
-      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
-      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
+      KC_BOOTSTRAP_ADMIN_USERNAME: ${KC_BOOTSTRAP_ADMIN_USERNAME}
+      KC_BOOTSTRAP_ADMIN_PASSWORD: ${KC_BOOTSTRAP_ADMIN_PASSWORD}
 
       # Database connectivity
       KC_DB: mysql
@@ -81,11 +81,15 @@ services:
     networks:
       - codetogethernet
     healthcheck:
-      test: ["CMD-SHELL", "echo > /dev/tcp/localhost/8080 || exit 1"]
+      test:
+        [
+          "CMD-SHELL",
+          "bash -lc 'exec 3<>/dev/tcp/127.0.0.1/9000 && printf \"GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n1 <&3 | grep -q \" 200 \"'"
+        ]
       interval: 10s
       timeout: 5s
-      retries: 5
-      start_period: 30s
+      retries: 30
+      start_period: 90s
 
 volumes:
   mysql_data: