From 09a2b743558d529e67f7ac4448a5e4d8cf77d795 Mon Sep 17 00:00:00 2001
From: Ignacio Moreno
Date: Fri, 7 Feb 2025 09:56:37 -0600
Subject: [PATCH 1/4] Change collab helm chart to use private registry image

---
 charts/collab/Chart.yaml  | 2 +-
 charts/collab/values.yaml | 5 +----
 charts/intel/Chart.yaml   | 2 +-
 3 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/charts/collab/Chart.yaml b/charts/collab/Chart.yaml
index 464c383..0ab4a12 100644
--- a/charts/collab/Chart.yaml
+++ b/charts/collab/Chart.yaml
@@ -3,7 +3,7 @@ name: codetogether-collab
 description: CodeTogether Collab
 type: application
-version: 1.2.1
+version: 1.2.2
 appVersion: "2025.1.0"
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
diff --git a/charts/collab/values.yaml b/charts/collab/values.yaml
index dc798a8..04a4d89 100644
--- a/charts/collab/values.yaml
+++ b/charts/collab/values.yaml
@@ -11,10 +11,7 @@ nameOverride: ""
 fullnameOverride: ""
 image:
-  # By default use DockerHub repository.
-  repository: codetogether/codetogether-collab
-  # Uncomment to use CodeTogether private Docker registry.
-  # repository: hub.edge.codetogether.com/releases/codetogether
+  repository: hub.edge.codetogether.com/releases/codetogether-collab
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"
diff --git a/charts/intel/Chart.yaml b/charts/intel/Chart.yaml
index a844591..f009c0b 100644
--- a/charts/intel/Chart.yaml
+++ b/charts/intel/Chart.yaml
@@ -3,7 +3,7 @@ name: codetogether-intel
 description: CodeTogether Intel provides advanced project insights for developers
 type: application
-version: 1.2.1
+version: 1.2.2
 appVersion: "2025.1.0"
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png

From 652acee799b71b22b746467b9319234a9d0c595e Mon Sep 17 00:00:00 2001
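Review bot: With `repository` now pointing at the private registry while the unchanged `tag: "latest"` and `pullPolicy: Always` below it stay, every pod restart pulls whatever `latest` currently is, so deployments are not reproducible and the context comment `# Overrides the image tag whose default is the chart appVersion.` no longer describes the effective default. Set `tag: ""` so the chart falls back to `appVersion: "2025.1.0"`, or pin an explicit version. Since the image is no longer public, a comment above `repository` should also say that the chart's registry credential values must be set for the pull to succeed; their exact names are not visible in this hunk.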
From: Ignacio Moreno
Date: Fri, 7 Feb 2025 09:58:38 -0600
Subject: [PATCH 2/4] Changes for docker compose. (#85)

---
 compose/codetogether.nginx | 46 +++++++++++++++++++++++++++++++++++---
 compose/compose.yaml       | 44 ++++++++++++++++++++++++++++++------
 compose/cthq.properties    |  2 ++
 3 files changed, 82 insertions(+), 10 deletions(-)

diff --git a/compose/codetogether.nginx b/compose/codetogether.nginx
index 54d10cb..2152f44 100644
--- a/compose/codetogether.nginx
+++ b/compose/codetogether.nginx
@@ -1,3 +1,43 @@
+server {
+    listen 443 ssl http2;
+    server_name ;
+    proxy_buffer_size 128k;
+    proxy_buffers 4 256k;
+    ssl_certificate ;
+    ssl_certificate_key ;
+    ssl_dhparam ;
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    location / {
+        # Similar proxy logic for headers
+        set $realIP $remote_addr;
+        set $forwardTo $proxy_add_x_forwarded_for;
+        set $reqHost $http_host;
+        client_max_body_size 32M;
+        if ($http_x_real_ip != '') {
+            set $realIP $http_x_real_ip;
+        }
+        if ($http_x_forwarded_for != '') {
+            set $forwardTo $http_x_forwarded_for;
+        }
+        add_header C-Real-IP $realIP;
+        add_header C-Forwarded-For $forwardTo;
+        add_header C-Request-Host $reqHost;
+        proxy_set_header X-Real-IP $realIP;
+        proxy_set_header X-Forwarded-For $forwardTo;
+        proxy_set_header Host $reqHost;
+        proxy_set_header X-NginX-Proxy true;
+        proxy_http_version 1.1;
+        proxy_redirect off;
+        proxy_pass http://codetogether-collab:1080;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 360;
+        proxy_connect_timeout 360;
+        proxy_send_timeout 360;
+    }
+}
 server {
     server_name ;
     listen 443 ssl http2;
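Review bot: The new collab server block lets any client choose the source address the backend sees, because `if ($http_x_real_ip != '')` and `if ($http_x_forwarded_for != '')` copy client-supplied request headers straight into the `X-Real-IP` and `X-Forwarded-For` headers sent upstream, while this nginx is itself the TLS edge (compose.yaml in this patch publishes it on 443 with nothing in front). With no trusted proxy upstream, drop those two `if` blocks and send `$remote_addr` / `$proxy_add_x_forwarded_for` as the `set` lines already initialise them; if a trusted proxy does sit in front, declare it with `set_real_ip_from <trusted-proxy-cidr>;` and `real_ip_header X-Forwarded-For;` from ngx_http_realip_module rather than string checks. The existing intel block below this hunk repeats the same pattern. Separately, `proxy_set_header Connection "upgrade";` is sent on every request rather than only on WebSocket upgrades; the usual form is a `map $http_upgrade $connection_upgrade` in the http context plus `proxy_set_header Connection $connection_upgrade;`.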
@@ -14,10 +54,10 @@ server {
     ssl_protocols TLSv1.2;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
-    # create the passthrough to the CodeTogether HQ container
+    # create the passthrough to the CodeTogether Intel container
     location / {
-        # set passthru parameters for the CodeTogether HQ container
+        # set passthru parameters for the CodeTogether Intel container
         set $realIP $remote_addr;
         set $forwardTo $proxy_add_x_forwarded_for;
         set $reqHost $http_host;
@@ -32,7 +72,7 @@ server {
         proxy_set_header Host $reqHost;
         # setup the backend to service the HQ requests
-        proxy_pass http://127.0.0.1:1080;
+        proxy_pass http://codetogether-intel:1080;
         proxy_set_header X-NginX-Proxy true;
         proxy_http_version 1.1;
         proxy_redirect off;
diff --git a/compose/compose.yaml b/compose/compose.yaml
index b67a89c..534fd87 100644
--- a/compose/compose.yaml
+++ b/compose/compose.yaml
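Review bot: The context comment directly above the changed `proxy_pass` still reads `# setup the backend to service the HQ requests` while this commit renames the surrounding comments to Intel; change it to `# setup the backend to service the Intel requests`. The new target `http://codetogether-intel:1080` is resolved by compose's embedded DNS, so this block only works when the nginx container joins the same compose network as the intel container, which compose.yaml in this patch does; a short comment stating that dependency would help anyone running this config outside compose. Both server blocks start before their respective hunks.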
@@ -1,9 +1,37 @@
-services:
-  codetogether-intel:
-    image: hub.edge.codetogether.com/releases/codetogether-intel:latest
+services:
+  codetogether-collab:
+    image: registry.digitalocean.com/codetogether-registry/codetogether-collab:latest
+    container_name: codetogether-collab
+    environment:
+      - CT_LICENSE_URL=http://codetogether-intel:1080
+      - CT_SERVER_URL=https://your-collab-server-fqdn
+      - CT_INTEL_SECRET=your-collab-intel-secret
+      - CT_AV_ENABLED=false
+      - CT_AV_LAN_IP=auto
+    networks:
+      - hqnet
+    depends_on:
+      codetogether-hq:
+        condition: service_healthy
+  nginx:
+    image: nginx:latest
+    container_name: codetogether-nginx
+    ports:
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx/ssl:/etc/nginx/ssl
+      - ./nginx/log:/var/log/nginx
+    networks:
+      - hqnet
+    depends_on:
+      codetogether-hq:
+        condition: service_healthy
+  codetogether-hq:
+    image: registry.digitalocean.com/codetogether-registry/codetogether-intel:latest
     container_name: codetogether-intel
     environment:
-      - CT_HQ_BASE_URL=https://your-hq-server-fqdn
+      - CT_HQ_BASE_URL=https://your-intel-server-fqdn
     networks:
       - hqnet
     volumes:
@@ -18,10 +46,12 @@ services:
       start_period: 20s
       interval: 10s
       timeout: 10s
-      retries: 30
+      retries: 50
   cassandra:
     image: cassandra:latest
     container_name: codetogether-cassandra
+    ports:
+      - 9042:9042
     networks:
       - hqnet
     environment:
@@ -38,7 +68,7 @@ services:
       start_period: 30s
       interval: 10s
       timeout: 10s
-      retries: 20
+      retries: 70
 networks:
   hqnet:
-    driver: bridge
+    driver: bridge
\ No newline at end of file
diff --git a/compose/cthq.properties b/compose/cthq.properties
index 9d9c916..b27661b 100644
--- a/compose/cthq.properties
+++ b/compose/cthq.properties
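Review bot: The nginx service mounts `./nginx/nginx.conf:/etc/nginx/nginx.conf`, but the only nginx configuration in this patch is `compose/codetogether.nginx`, which holds bare `server {}` blocks and would not be accepted as a top-level nginx.conf (no `events`/`http` context); unless an `nginx/` directory exists outside this patch, mount it as a site file instead, e.g. `./codetogether.nginx:/etc/nginx/conf.d/default.conf:ro`, or document where `nginx/nginx.conf` comes from. The shared secret `CT_INTEL_SECRET=your-collab-intel-secret` is a literal in the compose file and presumably has to match the empty `hq.collab.secret=` added to cthq.properties in the same patch; source it from a `.env` entry as `CT_INTEL_SECRET=${CT_INTEL_SECRET}` and state in a comment that the two values must agree and must be replaced by a generated value. The TLS material under `./nginx/ssl` is mounted read-write; `:ro` on the `nginx.conf` and `ssl` entries would be safer.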
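Review bot: `ports:` / `- 9042:9042` publishes Cassandra's CQL port on every host interface, which nothing in this file needs: the intel service reaches Cassandra over the `hqnet` network by name, and the visible hunks configure no Cassandra authentication, so the database would be reachable from outside the host unauthenticated. Remove the `ports` entry, or if local tooling needs it, bind it to loopback with `- "127.0.0.1:9042:9042"`. The `driver: bridge` change in the last hunk only drops the trailing newline and can be reverted to keep the diff clean.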
@@ -3,6 +3,8 @@ hq.base.url=https://
 hq.sso.redirect.uri=https:///api/v1/auth/sso/success/insights
 hq.sso.client.id=
 hq.sso.client.secret=
+hq.collab.url=https://your-collab-server-fqdn
+hq.collab.secret=
 # Generic single sign-on configuration
 hq.sso.client.issuer.url=https:////.well-known/openid-configuration

From 105a65c337977b5b4c2dce727a9e61ba97a1fc38 Mon Sep 17 00:00:00 2001
From: Ignacio Moreno
Date: Fri, 7 Feb 2025 11:16:48 -0600
Subject: [PATCH 3/4] Rename hq to intel

---
 compose/compose.yaml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/compose/compose.yaml b/compose/compose.yaml
index 534fd87..6d0ef95 100644
--- a/compose/compose.yaml
+++ b/compose/compose.yaml
@@ -9,9 +9,9 @@ services:
       - CT_AV_ENABLED=false
       - CT_AV_LAN_IP=auto
     networks:
-      - hqnet
+      - codetogethernet
     depends_on:
-      codetogether-hq:
+      codetogether-intel:
         condition: service_healthy
   nginx:
     image: nginx:latest
@@ -23,17 +23,17 @@ services:
       - ./nginx/ssl:/etc/nginx/ssl
       - ./nginx/log:/var/log/nginx
     networks:
-      - hqnet
+      - codetogethernet
     depends_on:
-      codetogether-hq:
+      codetogether-intel:
         condition: service_healthy
-  codetogether-hq:
+  codetogether-intel:
     image: registry.digitalocean.com/codetogether-registry/codetogether-intel:latest
     container_name: codetogether-intel
     environment:
       - CT_HQ_BASE_URL=https://your-intel-server-fqdn
     networks:
-      - hqnet
+      - codetogethernet
     volumes:
       - ./cthq.properties:/opt/codetogether/runtime/cthq.properties:ro
     ports:
@@ -42,7 +42,7 @@ services:
       cassandra:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "grep", "-q", "CodeTogether HQ backend started", "/var/log/codetogether-runtime/server.log"]
+      test: ["CMD", "grep", "-q", "CodeTogether Intel backend started", "/var/log/codetogether-runtime/server.log"]
       start_period: 20s
       interval: 10s
       timeout: 10s
@@ -53,7 +53,7 @@ services:
     ports:
       - 9042:9042
     networks:
-      - hqnet
+      - codetogethernet
     environment:
       - HEAP_NEWSIZE=96M
       - MAX_HEAP_SIZE=512M
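Review bot: `hq.collab.secret=` is added empty with nothing saying what it must hold, while the compose file in this patch hard-codes `CT_INTEL_SECRET=your-collab-intel-secret` for the collab container; if these are the two halves of one shared secret, the file does not say so. Add a comment above it such as `# Shared secret between Intel and Collab; must equal the collab container's CT_INTEL_SECRET and be a generated value, not the placeholder`. Because this file also carries `hq.sso.client.secret`, the README for the compose setup should tell operators to keep the filled-in copy out of version control; the `:ro` mount in compose.yaml is the right direction for the container side.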
@@ -70,5 +70,5 @@ services:
       timeout: 10s
       retries: 70
 networks:
-  hqnet:
+  codetogethernet:
     driver: bridge
\ No newline at end of file

From d9dace6fd7c7a7a72e22bc2e41ca6f68c850cf05 Mon Sep 17 00:00:00 2001
From: patrick-codetogether
Date: Mon, 10 Feb 2025 08:05:40 -0700
Subject: [PATCH 4/4] Allow user to provide their own hqproperties secret (#86)

* allow users to provide their own hqproperties secret for improved security over sensitive information

* PR feedback. cleaner value structure and using an explicit hqpropertiessecret.enabled value to toggle whether the secret is read
---
 charts/intel/README.md                        |  3 ++-
 charts/intel/templates/deployment.yaml        |  8 +++++++-
 charts/intel/templates/secret-properties.yaml | 14 ++++----------
 charts/intel/values.yaml                      |  9 ++++-----
 4 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/charts/intel/README.md b/charts/intel/README.md
index bafd7a8..a0aa20f 100644
--- a/charts/intel/README.md
+++ b/charts/intel/README.md
@@ -31,6 +31,8 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `imageCredentials.password` | Docker registry password | `my-customer-password` |
 | `imageCredentials.email` | Docker registry email | `unused` |
 | `codetogether.url` | Full URL for the CodeTogether Intel server | `https://` |
+| `hqpropertiessecret.enabled` | (Optional) If true, the value in hqpropertiessecret.ref will be used in place of the hqproperties values | `false` |
+| `hqpropertiessecret.ref` | (Optional) Name of a Kubernetes secret containing the hqproperties secret. If provided, will override the other values in the hqproperties section | `kubernetes-secret-name` |
 | `hqproperties.hq.sso.client.id` | Client ID for Single Sign-On (SSO) | `CLIENTID.apps.googleusercontent.com` |
 | `hqproperties.hq.sso.client.secret` | Client Secret for Single Sign-On (SSO) | `CLIENTSECRET` |
 | `hqproperties.hq.sso.client.issuer.url` | Issuer URL for Single Sign-On (SSO) | `https://accounts.google.com` |
@@ -51,7 +53,6 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `java.customCacerts.enabled` | Enables mounting a custom Java trust store (cacerts) | `false` |
 | `java.customCacerts.cacertsSecretName` | Name of the Kubernetes secret containing the `cacerts` file | `custom-java-cacerts` |
 | `java.customCacerts.trustStorePasswordKey` | (Optional) Key inside the Kubernetes secret containing the trust store password | `trustStorePassword` |
-| `cassandra.passwordSecret` | (Optional) Name of a Kubernetes secret containing the Cassandra database password. | |
 | `ingress.enabled` | Enables ingress controller resource | `true` |
 | `ingress.annotations` | Annotations for ingress | `{}` |
 | `ingress.tls.secretName` | TLS secret name for ingress | `codetogether-intel-tls` |
diff --git a/charts/intel/templates/deployment.yaml b/charts/intel/templates/deployment.yaml
index a15aec4..573af19 100644
--- a/charts/intel/templates/deployment.yaml
+++ b/charts/intel/templates/deployment.yaml
@@ -107,7 +107,13 @@ spec:
       volumes:
         - name: properties-volume
           secret:
-            secretName: {{ if .Values.fullnameOverride }}{{ .Values.fullnameOverride }}-hqproperties{{ else }}hqproperties{{ end }}
+            secretName: {{- if .Values.hqpropertiessecret.enabled }}
+              {{- .Values.hqpropertiessecret.ref }}
+              {{- else if .Values.fullnameOverride }}
+              {{- printf "%s-hqproperties" .Values.fullnameOverride }}
+              {{- else }}
+              {{- "hqproperties" }}
+              {{- end }}
         {{- if .Values.java.customCacerts.enabled }}
         - name: java-cacerts
           secret:
diff --git a/charts/intel/templates/secret-properties.yaml b/charts/intel/templates/secret-properties.yaml
index 998c94b..a1d1746 100644
--- a/charts/intel/templates/secret-properties.yaml
+++ b/charts/intel/templates/secret-properties.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.hqpropertiessecret.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
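Review bot: The rendered `secretName` appears to lose its separating space, because `secretName: {{- if .Values.hqpropertiessecret.enabled }}` trims the whitespace to its left and the following `{{- .Values.hqpropertiessecret.ref }}` trims the newline, so as far as I can tell from the trim markers the output is `secretName:<value>` on one line, which YAML reads as a plain scalar rather than a key and the volume's `secret` field becomes a string. Dropping the dash on the first action only, `secretName: {{ if .Values.hqpropertiessecret.enabled }}`, keeps the space while the inner `{{-` markers still collapse each branch's value onto that line; the `else if` and `else` branches behave the same way. Rendering with `helm template` and a values file that sets `hqpropertiessecret.enabled: true` would confirm this before merge. The `volumes:` list starts before this hunk.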
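Review bot: When `hqpropertiessecret.enabled` is true this template renders nothing, so the operator-supplied Secret has to reproduce the shape this file produced: a key named `cthq.properties` whose value is the complete properties text the deployment mounts. Neither this template nor the README rows added in the same commit say that, and a Secret with a different key name would mount an empty or misnamed file without any chart-side error. Add a comment above `{{- if not .Values.hqpropertiessecret.enabled }}` such as `# Skipped when hqpropertiessecret.enabled is true; the referenced Secret must then carry a 'cthq.properties' key holding the full properties file`. The Secret body continues past this hunk.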
@@ -5,14 +6,7 @@ metadata:
 type: Opaque
 stringData:
   cthq.properties: |-
-    {{- $cassandraPassword := "" }}
-    {{- if and (hasKey .Values "cassandra") (hasKey .Values.cassandra "passwordSecret") .Values.cassandra.passwordSecret (lookup "v1" "Secret" .Release.Namespace .Values.cassandra.passwordSecret) }}
-    {{- $cassandraPassword := (lookup "v1" "Secret" .Release.Namespace .Values.cassandra.passwordSecret).data.cassandraPassword | b64dec }}
-    {{- end }}
     {{- range $key, $value := .Values.hqproperties }}
-    {{- if and (eq $key "hq.cassandra.db.password") $cassandraPassword }}
-    {{ $key }}={{ $cassandraPassword }}
-    {{- else }}
-    {{ $key }}={{ $value }}
-    {{- end }}
-    {{- end }}
\ No newline at end of file
+    {{ $key }}={{ $value }}
+    {{- end }}
+{{- end }}
diff --git a/charts/intel/values.yaml b/charts/intel/values.yaml
index ba8cf44..c33abdb 100644
--- a/charts/intel/values.yaml
+++ b/charts/intel/values.yaml
@@ -59,11 +59,10 @@ hqproperties:
   # default datacenter name is 'datacenter1'
   # hq.cassandra.db.localdatacenter: datacenter1
-# Optional property, if provided the value from the secret will be used as the cassandra DB password
-# This will overwrite the value in the hqproperties hq.cassandra.db.password
-# The secret must have a key named 'cassandraPassword'
-cassandra:
-  passwordSecret: ""
+# Optional properties, if enabled is true, the values in the secret will be used as the hqproperties secret
+hqpropertiessecret:
+  enabled: false
+  ref: "intel-test-hqproperties-arbitrary"
 java:
   customCacerts:
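Review bot: The default `ref: "intel-test-hqproperties-arbitrary"` reads like a leftover test value; with `enabled: false` it is inert, but anyone who flips `enabled` without setting `ref` gets a pod stuck mounting a Secret that does not exist, with no hint from the chart. Default it to `ref: ""` and guard the use in deployment.yaml with `{{ required "hqpropertiessecret.ref must be set when hqpropertiessecret.enabled is true" .Values.hqpropertiessecret.ref }}` so the failure happens at render time. The comment above the block should also name the contract the chart expects: `# The referenced Secret must contain a 'cthq.properties' key holding the full properties file (the same content secret-properties.yaml would have generated)`.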