CodeTogether-Inc · wgalanciak · Feb 5, 2025 · Jan 24, 2025 · Jan 28, 2025 · Jan 30, 2025
diff --git a/.github/workflows/helm-template-check.yml b/.github/workflows/helm-template-check.yml
@@ -0,0 +1,37 @@
+name: Helm Template Validation
+
+on:
+  pull_request:
+    branches: [main, dev]
+
+jobs:
+  helm-lint:
+    name: Validate Helm Charts
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install Required Dependencies
+        run: |
+          apt-get update && apt-get install -y unzip
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+
+      - name: Validate Collab Chart
+        run: |
+          helm template collab ./charts/collab --values ./charts/collab/values.yaml
+
+      - name: Validate HQ Chart
+        run: |
+          helm template hq ./charts/hq --values ./charts/hq/values.yaml
+
+      - name: Validate Intel Chart
+        run: |
+          helm template intel ./charts/intel --values ./charts/intel/values.yaml
+
+      - name: Validate Live Chart
+        run: |
+          helm template live ./charts/live --values ./charts/live/values.yaml
diff --git a/README.md b/README.md
@@ -1,23 +1,34 @@
-This is a Helm Chart repository for CodeTogether's Live and HQ products.
+# CodeTogether Helm Chart Repository
 
-## Helm Charts Directory
+This repository contains Helm charts for deploying CodeTogether software, including:
 
-### CodeTogether Live
+- Intelligence Suite – Engineering intelligence for data-driven insights
+- Collabolation Module – Real-time collaboration within the IDE
+
+## Latest Helm Charts
+
+### CodeTogether Intel
+
+The `codetogether/codetogether-intel` Helm chart deploys the latest version of the CodeTogether Intelligence Suite backend. The Intelligence Suite leverages DevEx Workflow AI to drive goal-oriented success. It operates independently of server connectivity, allowing clients to continue tracking project activity locally and synchronize once the server is available.
+
+### CodeTogether Collab
 
-The `codetogether/codetogether` Helm chart can be used to deploy the CodeTogether Live
-backend. Live provides teams the ability to code together real-time right from within 
-their IDE.
+The `codetogether/codetogether-collab` Helm chart deploys the latest version of the CodeTogether Collabolation module backend. It enables real-time collaborative coding within the IDE, enhancing team synergy and communication across projects.
+
+## Deprecated Helm Charts
 
 ### CodeTogether HQ
 
-The `codetogether/codetogether-hq` Helm chart can be used to deploy the CodeTogether HQ
-backend. HQ provides teams unique insights into project hotspots and areas of opportunity
-to foster collaboration and on-time delivery of software.
+The `codetogether/codetogether-hq` Helm chart supports legacy users needing to deploy a previous version of the CodeTogether HQ Intelligence Suite backend.
+
+### CodeTogether Live
+
+The `codetogether/codetogether` Helm chart supports legacy users needing to deploy a previous version of the CodeTogether Live backend.
 
 ## Getting Started
 
-To begin using the repository, first add it to your Helm configuration:
+Add the CodeTogether repository to your Helm configuration:
 `helm repo add codetogether https://helm.codetogether.io`
 
-Then you can provision services using a command such as:
-`helm install codetogether codetogether/codetogether -f codetogether-values.yaml`
+Install a Helm chart using:
+`helm install codetogether codetogether/codetogether -f codetogether-values.yaml`
diff --git a/charts/collab/Chart.yaml b/charts/collab/Chart.yaml
@@ -3,9 +3,8 @@ name: codetogether-collab
 description: CodeTogether Collab
 
 type: application
-version: 1.1.0
+version: 1.2.0
 appVersion: "2025.1.0"
-kubeVersion: ">= 1.18.0"
 
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
 home: https://www.codetogether.com

diff --git a/charts/collab/templates/deployment.yaml b/charts/collab/templates/deployment.yaml
@@ -33,7 +33,10 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: >-
+            {{ .Values.image.repository }}
+            {{- if .Values.image.digest }}@{{ .Values.image.digest }}
+            {{- else }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
 
           env:

diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
@@ -18,6 +18,8 @@ image:
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"
+  # Optional - set to override the image tag, e.g. "sha256:1234567890"
+  digest: ""
 
 #
 # Configure the source location for the Docker image, using the

diff --git a/charts/hq/Chart.yaml b/charts/hq/Chart.yaml
@@ -3,9 +3,8 @@ name: codetogether-hq
 description: CodeTogether HQ provides advanced project insights for developers
 
 type: application
-version: 1.4.18
+version: 1.4.19
 appVersion: "2024.1.0"
-kubeVersion: ">= 1.18.0"
 
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
 home: https://www.codetogether.com

diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml
@@ -3,9 +3,8 @@ name: codetogether-intel
 description: CodeTogether Intel provides advanced project insights for developers
 
 type: application
-version: 1.1.0
+version: 1.2.0
 appVersion: "2025.1.0"
-kubeVersion: ">= 1.18.0"
 
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
 home: https://www.codetogether.com

diff --git a/charts/intel/README.md b/charts/intel/README.md
@@ -10,7 +10,6 @@ This chart creates a CodeTogether Intel server deployment on a Kubernetes cluste
 
 This chart has been created with Helm v3 and tested with:
 
-- Kubernetes v1.18+
 - Helm v3.5+
 - Cassandra v3.11+
 
@@ -25,6 +24,7 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `image.repository`                             | Docker image repository for CodeTogether Intel                                                  | `hub.edge.codetogether.com/releases/codetogether-intel`      |
 | `image.pullPolicy`                             | Container image pull policy                                                                  | `Always`                                                  |
 | `image.tag`                                    | Tag for the CodeTogether Intel image                                                            | `latest`                                                  |
+| `image.digest`                                 | (Optional) Set to override the image tag, e.g. `sha256:1234567890`                           |                                                           | 
 | `imageCredentials.enabled`                     | Enables authentication for private Docker registry                                           | `true`                                                    |
 | `imageCredentials.registry`                    | Docker registry URL                                                                          | `hub.edge.codetogether.com`                               |
 | `imageCredentials.username`                    | Docker registry username                                                                     | `my-customer-username`                                    |
@@ -47,7 +47,11 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `hqproperties.hq.cassandra.db.username`        | Username for Cassandra database                                                             | `cassandra`                                               |
 | `hqproperties.hq.collab.url`               | URL of the collaboration server integrated with Intel                                              | `https://your-collab-server`                               |
 | `hqproperties.hq.collab.secret`            | Secret key for secure communication with the collaboration server                               | `SECRET`                                                  |
-
+| `java.customJavaOptions`                       | Additional Java options to be passed to the application                                      | `""`                                                     |
+| `java.customCacerts.enabled`                   | Enables mounting a custom Java trust store (cacerts)                                         | `false`                                                  |
+| `java.customCacerts.cacertsSecretName`         | Name of the Kubernetes secret containing the `cacerts` file                                  | `custom-java-cacerts`                                    |
+| `java.customCacerts.trustStorePasswordKey`     | (Optional) Key inside the Kubernetes secret containing the trust store password             | `trustStorePassword`                                     |
+| `cassandra.passwordSecret`                     | (Optional) Name of a Kubernetes secret containing the Cassandra database password.          |                                                           |
 | `ingress.enabled`                              | Enables ingress controller resource                                                         | `true`                                                    |
 | `ingress.annotations`                          | Annotations for ingress                                                                      | `{}`                                                      |
 | `ingress.tls.secretName`                       | TLS secret name for ingress                                                                 | `codetogether-intel-tls`                                     |
@@ -80,6 +84,29 @@ To secure CodeTogether, you can add a `secret` that contains your TLS (Transport
 $ kubectl create secret tls codetogether-intel-tls --key <your-private-key-filename> --cert <your-certificate-filename>
 ```
 
+## Custom Java Trust Store
+
+If your environment requires a custom CA certificate bundle, you can configure a custom Java trust store by creating a secret.
+
+If trust store is not protected by the password, use the following command to create the secret:
+```bash
+$ kubectl create secret generic custom-java-cacerts --from-file=cacerts=/path/to/custom/cacerts --namespace=codetogether-intel
+```
+
+If password is required to access the trust store, store it in the same secret:
+```bash
+$ kubectl create secret generic custom-java-cacerts --from-file=cacerts=/path/to/custom/cacerts --from-literal=trustStorePassword='your-secure-password' --namespace=codetogether-intel
+```
+
+## Using Secret for Cassandra Password
+
+If you prefer not to store the Cassandra password in values.yaml, you can store it securely in a Kubernetes secret.
+
+```bash
+kubectl create secret generic cassandra-password-secret --from-literal=cassandraPassword='your-secure-cassandra-password' --namespace=codetogether-intel
+```
+
+
 ## Installing the Chart
 
 To install the chart with the release name `codetogether-intel`:

diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
@@ -31,19 +31,49 @@ spec:
         - name: {{ .Chart.Name }}
           securityContext:
             {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          image: >-
+            {{ .Values.image.repository }}
+            {{- if .Values.image.digest }}@{{ .Values.image.digest }}
+            {{- else }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-
           env:
           #
           # Set CodeTogether runtime configuration
           #         
           - name: CT_HQ_BASE_URL
             value: {{ .Values.codetogether.url | quote }}
+
+          {{- if .Values.java.customCacerts.enabled }} 
+          - name: CT_TRUST_STORE
+            value: -Djavax.net.ssl.trustStore=/etc/ssl/certs/java/cacerts 
+          {{- end }}
+
+          # Custom Java options (excluding trust store related settings)
+          {{- if .Values.java.customJavaOptions }} 
+          - name: CT_JAVA_OPTIONS
+            value: "{{ .Values.java.customJavaOptions | default "" }}"
+          {{- end }}
+
+          # Set trust store password only if trustStorePasswordKey is provided
+          {{- if and .Values.java.customCacerts.enabled .Values.java.customCacerts.trustStorePasswordKey }}
+          - name: CT_TRUST_STORE_PASSWD
+            valueFrom:
+              secretKeyRef:
+                name: {{ .Values.java.customCacerts.cacertsSecretName }}
+                key: {{ .Values.java.customCacerts.trustStorePasswordKey }}
+                optional: true  # Ensures the key is optional
+          {{- end }}
+
           volumeMounts:
             - name: properties-volume
               mountPath: /opt/codetogether/runtime/cthq.properties
               subPath: cthq.properties
+            {{- if .Values.java.customCacerts.enabled }}
+            - name: java-cacerts
+              mountPath: /etc/ssl/certs/java/cacerts
+              subPath: cacerts
+            {{- end }}
+
           # 
           # Set container configuration
           #
@@ -78,6 +108,11 @@ spec:
         - name: properties-volume
           secret:
             secretName: {{ if .Values.fullnameOverride }}{{ .Values.fullnameOverride }}-hqproperties{{ else }}hqproperties{{ end }}
+        {{- if .Values.java.customCacerts.enabled }}
+        - name: java-cacerts
+          secret:
+            secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/intel/templates/secret-properties.yaml b/charts/intel/templates/secret-properties.yaml
@@ -5,6 +5,14 @@ metadata:
 type: Opaque
 stringData:
   cthq.properties: |-
+    {{- $cassandraPassword := "" }}
+    {{- if and (hasKey .Values "cassandra") (hasKey .Values.cassandra "passwordSecret") .Values.cassandra.passwordSecret (lookup "v1" "Secret" .Release.Namespace .Values.cassandra.passwordSecret) }}
+    {{- $cassandraPassword := (lookup "v1" "Secret" .Release.Namespace .Values.cassandra.passwordSecret).data.cassandraPassword | b64dec }}
+    {{- end }}
     {{- range $key, $value := .Values.hqproperties }}
-       {{ $key }}={{ $value }}
+      {{- if and (eq $key "hq.cassandra.db.password") $cassandraPassword }}
+    {{ $key }}={{ $cassandraPassword }}
+      {{- else }}
+    {{ $key }}={{ $value }}
+      {{- end }}
     {{- end }}
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
@@ -15,6 +15,8 @@ image:
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"
+  # Optional: specify a digest to use a specific image version, if provided will override the
+  digest: ""
 
 #
 # Configure the source location for the Docker image, using the
@@ -57,6 +59,42 @@ hqproperties:
   # default datacenter name is 'datacenter1'
   # hq.cassandra.db.localdatacenter: datacenter1
 
+# Optional property, if provided the value from the secret will be used as the cassandra DB password
+# This will overwrite the value in the hqproperties hq.cassandra.db.password
+# The secret must have a key named 'cassandraPassword'
+cassandra:
+  passwordSecret: ""
+
+java:
+  customCacerts:
+    enabled: false  # Set to 'true' to enable custom Java trust store (cacerts) support.
+
+    # Name of the Kubernetes secret that contains the custom Java trust store (cacerts) file.
+    # This secret should be created before deploying the application using:
+    #   kubectl create secret generic custom-java-cacerts \
+    #     --from-file=cacerts=/path/to/custom/cacerts
+    #
+    # If a password is required for the trust store, it can optionally be added to the same secret (see below).
+    #
+    # The 'cacerts' file is mounted to the container at '/etc/ssl/certs/java/cacerts'.
+    cacertsSecretName: "custom-java-cacerts"
+
+    # (Optional) The key inside the Kubernetes secret that holds the trust store password.
+    # If a password is required for the custom trust store, store it in the same secret as a key-value pair:
+    #   kubectl create secret generic custom-java-cacerts \
+    #     --from-file=cacerts=/path/to/custom/cacerts \
+    #     --from-literal=trustStorePassword='your-secure-password'
+    #
+    # If this key is not present in the secret, no trust store password will be set.
+    # trustStorePasswordKey: "trustStorePassword"
+
+  # Additional custom Java options to be passed to the application.
+  # These options will be appended to the CT_JAVA_OPTIONS environment variable.
+  #
+  # Example:
+  # customJavaOptions: "-Xms512m -Xmx2g -XX:+UseG1GC"
+  customJavaOptions: ""
+
 #
 # Enables and configures Ingress (default = Nginx). The className value can be used
 # to change the default behavior. Please read the comments below to see details.

diff --git a/charts/live/Chart.yaml b/charts/live/Chart.yaml
@@ -3,9 +3,8 @@ name: codetogether
 description: CodeTogether Live provides pair programming and collaborative coding
 
 type: application
-version: 1.4.23
+version: 1.4.24
 appVersion: "2024.2.0"
-kubeVersion: ">= 1.18.0"
 
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
 home: https://www.codetogether.com