@nmorenor nmorenor commented Jun 12, 2025

Fixes #129

@nmorenor nmorenor requested a review from wgalanciak June 17, 2025 15:06
@wgalanciak wgalanciak merged commit 23ddc3e into dev Jun 17, 2025
1 check passed
nmorenor added a commit that referenced this pull request Jun 30, 2025
* fix: separate SSL certificates (#101)

* fix: Set environment variables via .env file. (#99)

* Set environment variables via .env file.

* Missing change

* Change how hostnames and secret are set.

* changes for env template

* add env variable resolver on sso redirect value

* fix: add env_file to codetogether-intel (#105)

* fix: missing CT_HQ_BASE_URL env var (#107)

* feat: nginx auto config (#109)

* fix: add step for sso provider (#110)

* fix: add client_max_body_size to intel (#112)

* fix: tweak name of dhparam.pem env var (#113)

* tweak name of dhparam.pem env var

* fix env var name in nginx template

* fix pam to pem

* fix: missing env file on collab (#114)

* fix: handle nil ai.openai.api_key to prevent template er… (#116)

* fix(intel-chart): handle nil ai.openai.api_key to prevent template errors

Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and
ai.external.api_key when undefined.
This fixes a fatal error during `helm template` when AI mode is set to `bundled`
and no OpenAI config is present. Ensures compatibility with bundled-only deployments.

* Changes to fix workflow issues

* fix: cleanup for sso tenants (#117)

* feat(intel): add option to disable AI integration entirely (#120)

Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it
mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling
AI features entirely, enabling Intel to be deployed without any AI-related containers or resources.

* Change gen ai image name on values file (#122)

* fix: bump up version number (#123)

* docs: remove outdated metrics section from README (#130)

- Removed the section referring to metrics (Prometheus), etc. from the README

Co-authored-by: engineering <engineering@codetogether.com>

* fix: add note to env-template file (#127)

* fix: update LLM image URL to hub.edge (#132)

* docs: add deprecation notice to old Live chart (#131)

* 126 automatically configure ollama integration when llm is enabled (#128)

* Make sidecar AI container resource block optional in deployment

- Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml.
- Ensures the bundled AI container can run without specifying resource limits/requests by default.
- Improved overall Helm template flexibility for embedded AI mode.
- Validated that it runs with the AI container embedded.

* Enable support for external AI provider

- Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode.
- Added manifests for external AI integration:
  - ai-config ConfigMap: defines external provider and URL.
  - ai-external-secret Secret: stores the external API key.
- Verified that external AI mode works by routing requests through the configured external service.

* feat: automate creation of external AI ConfigMap and Secret from values.yaml

- Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled.
- ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml.
- Ensured resources are only created when ai.enabled=true and ai.mode=external.

* feat: allow use of existing or Helm-managed ai-external-secret in deployment

- Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation.
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided.

* Fixing helm template validations

* Adding values configuration

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Gen AI Changes (#124)

* Change resources of ai

* Include gen ai on docker compose.

* undo changes

* Fix collab helm chart to allow usage of locator. (#134)

* fix: invalid values in AI values section (#137)

* fix: support automatic configuration of the LLM integration if AI is enabled (#138)

* Fixes after Testing (#139)

* Fixes after Testing
- Refactored deployment.yaml to reference ai.externalSecret.name when create: false
- Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData
- Updated ai-external-secret.yaml to generate a Secret only when create: true

* Bump intel chart version to 1.2.5

* Fix to use http://codetogether-llm:8000/ always

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Changes to use localhost always to avoid dns issues (#142)

Co-authored-by: engineering <engineering@codetogether.com>

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
Co-authored-by: danc094codetogether <daniel@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
nmorenor added a commit that referenced this pull request Sep 18, 2025
* feat: support for optional keycloak deployment (#145)

* initial config

* Docker compose example to run keycloak

---------

Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>

* 144 keycloak (#146)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#147)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#149)

* fixes on properties file

* Prepare examples for deployment with keycloak.

* move files

* feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158)

* feat(charts, compose): add CT_TRUST_ALL_CERTS support

Fixes: #157
- values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS
- deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled
- .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose
- compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether-intel service

* refactor(charts): move trustAllCerts under codetogether section

- values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false)
- deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts

* fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry

- Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service
- Rely on `env_file: .env` to inject the variable

---------

Co-authored-by: engineering <engineering@codetogether.com>

* feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161)

Fixes: #160

Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional
so it is not rendered when AI is disabled. This prevents clashes with
pre-existing `ai-secrets` owned by other releases and keeps templates clean.

* fix: improve keycloak compose health check (#162)

* fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164)

Fixes: #163

Problem
- Deploying multiple `codetogether-intel` releases in the same namespace caused
  a collision on statically named resources (e.g., `ai-secrets` / `ai-config`),
  producing Helm ownership errors.

What changed
- templates/ai-config.yaml
  - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`.
  - Name is now release-scoped: `{{ .Release.Name }}-ai-config`.

- templates/ai-external-secret.yaml
  - Respect `ai.externalSecret.create` and `ai.externalSecret.name`.
  - Default Secret name is release-scoped:
    `{{ include "codetogether.fullname" . }}-ai-external-secret`.
  - Store API key under `stringData.apiKey`.

- templates/deployment.yaml
  - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`.
  - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret:
    `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`.
  - Bundled mode unchanged; external resources are not created in bundled mode.

Why
- Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`)
  can coexist in the same namespace without Helm ownership clashes.

How to test
- External (chart-managed Secret):
  `helm template demo-staging-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY`
  → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`.

- External (existing Secret):
  `kubectl create secret generic my-custom-ai-secret -n default \
    --from-literal=apiKey=TESTKEY`
  `helm template qa-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret`
  → renders only the release-scoped ConfigMap; Deployment references the existing Secret.

- Bundled:
  `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled`
  → no AI ConfigMap/Secret rendered; sidecar included.

* chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166)

Fixes: #165

- Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with
  KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
- Update compose files to pass new env vars to the Keycloak container.
- Refresh .env templates to reflect the new names.
- Remove references to deprecated vars.

Touched:
- compose/.env-with-keycloak-template
- compose/keycloak/.env-template
- compose/keycloak/compose-keycloak.yaml
- compose/keycloak/compose-keycloak-no-nginx.yaml

Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap.

BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*.

* feat(helm): add RO rootfs support for Intel and Collab (#169)

* feat(helm): add RO rootfs support for Intel and Collab

Fixes: #168

- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)

* Typo fixes

* Typo fixes

* Fixing typo

* Changes to defaults

* Fixes

* feat(helm-collab): Support optional existing secret for Intel connection (#171)

Fixes: #170

- add values: intelsecret.enabled/ref
- conditionally render templates/secret-intel.yaml
- deployment envs read from external secret when enabled (fail if ref missing)
- default unchanged (chart still creates "release"-intel)

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
Co-authored-by: Ignacio Moreno <ignacio@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
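The `#164` message in the commit above ("scope AI resources per-release") spells out the rendering rules for `ai-config`, `ai-external-secret` and the Deployment's Secret reference, plus three `helm template` checks. The Python model below is an added example and not code from the codetogether charts: it emulates those rules so the three cases can be verified offline, and it shows why the old static names (`ai-config`, `ai-secrets`) produced Helm ownership clashes between two releases while the release-scoped names do not. Assumptions: the `fullname` parameter stands in for the chart's `codetogether.fullname` helper, which is not on the page, and defaults to the release name (consistent with the `demo-staging-intel-ai-external-secret` output quoted in the message); the values dicts are constructed to mirror the `--set` keys from the "How to test" section.

```python
"""Offline model of the per-release AI resource naming from commit #164.

Added example, not code from the codetogether charts: it emulates the
decisions made by templates/ai-config.yaml, ai-external-secret.yaml and
deployment.yaml and checks that two releases no longer claim the same objects.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AiResources:
    configmap: Optional[str]       # ConfigMap the chart renders, if any
    created_secret: Optional[str]  # Secret the chart renders, if any
    secret_ref: Optional[str]      # Secret the Deployment reads the API key from


def ai_resources(release: str, values: dict, fullname: Optional[str] = None) -> AiResources:
    """Return what the intel chart renders for one release under `values`.

    `values` mirrors the --set keys from the commit message (ai.enabled,
    ai.mode, ai.externalSecret.create, ai.externalSecret.name). `fullname`
    stands in for `include "codetogether.fullname" .`; that helper is not on
    the page, so by assumption it defaults to the release name.
    """
    fullname = fullname or release
    ai = values.get("ai", {})
    if not (ai.get("enabled") and ai.get("mode") == "external"):
        # Disabled or bundled mode: no external ConfigMap/Secret is rendered
        # and the Deployment has no external Secret to reference.
        return AiResources(None, None, None)

    ext = ai.get("externalSecret", {})
    # Helm equivalent from the message:
    # default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name
    secret_ref = ext.get("name") or f"{fullname}-ai-external-secret"
    # ai-external-secret.yaml renders only when create: true; otherwise the
    # operator is expected to have created `secret_ref` beforehand.
    created = secret_ref if ext.get("create") else None
    return AiResources(f"{release}-ai-config", created, secret_ref)


def rendered_objects(release: str, res: AiResources) -> list[tuple[str, str]]:
    """(kind, name) pairs a release would try to own in its namespace."""
    objs = [("Deployment", release)]
    if res.configmap:
        objs.append(("ConfigMap", res.configmap))
    if res.created_secret:
        objs.append(("Secret", res.created_secret))
    return objs


def ownership_clashes(rendered: dict[str, list[tuple[str, str]]]) -> set[tuple[str, str]]:
    """Return (kind, name) pairs claimed by more than one release.

    Helm records the owning release on each object and refuses to adopt an
    object owned by a different release; that is the error #164 removes.
    """
    owners: dict[tuple[str, str], set[str]] = defaultdict(set)
    for release, objs in rendered.items():
        for obj in objs:
            owners[obj].add(release)
    return {obj for obj, rels in owners.items() if len(rels) > 1}


# Constructed values matching the three "How to test" cases in the message.
CHART_MANAGED = {"ai": {"enabled": True, "mode": "external", "provider": "openai",
                        "externalSecret": {"create": True, "apiKey": "TESTKEY"}}}
EXISTING_SECRET = {"ai": {"enabled": True, "mode": "external", "provider": "openai",
                          "externalSecret": {"create": False, "name": "my-custom-ai-secret"}}}
BUNDLED = {"ai": {"enabled": True, "mode": "bundled"}}


def clashes_before_and_after() -> tuple[set, set]:
    """Static names (pre-#164) vs release-scoped names for two external releases."""
    releases = ("qa-intel", "demo-staging-intel")
    static = {r: [("Deployment", r), ("ConfigMap", "ai-config"), ("Secret", "ai-secrets")]
              for r in releases}
    scoped = {r: rendered_objects(r, ai_resources(r, CHART_MANAGED)) for r in releases}
    return ownership_clashes(static), ownership_clashes(scoped)


if __name__ == "__main__":
    cases = (("demo-staging-intel", CHART_MANAGED), ("qa-intel", EXISTING_SECRET), ("demo", BUNDLED))
    for name, vals in cases:
        print(name, ai_resources(name, vals))
    before, after = clashes_before_and_after()
    print("clashes with static names:", sorted(before))
    print("clashes with release-scoped names:", sorted(after))
```

The `existing Secret` case is the one worth checking in a real cluster: with `create: false` the chart renders nothing for the Secret, so the Deployment's `secretKeyRef` points at `my-custom-ai-secret` and the pod will fail to start until that Secret exists with an `apiKey` key in the release's namespace.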
nmorenor added a commit that referenced this pull request Sep 25, 2025
* collab, intel: align read-only handling with live legacy chart (#175)

* collab, intel: align read-only handling with live legacy chart

Fixes: #174

- Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem
- When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx
- Remove readOnlyMode flag and prepare-ro initContainer

* Fixes

* Bump version from 1.2.5 to 1.2.6

* Bump version to 1.2.3 in Chart.yaml

* Fix indentation in deployment.yaml

* Remove initContainers for readOnlyMode

Removed initContainers configuration for read-only mode.

* Bump version from 1.2.6 to 1.2.7

* Bump version from 1.2.3 to 1.2.4

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
Co-authored-by: Ignacio Moreno <ignacio@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
nmorenor added a commit that referenced this pull request Oct 2, 2025
* fix: separate SSL certificates (#101)

* fix: Set environment variables via .env file. (#99)

* Set environment variables via .env file.

* Missing change

* Change how hostnames and secret are set.

* changes for env template

* add env variable resolver on sso redirect value

* fix: add env_file to codetogether-intel (#105)

* fix: missing CT_HQ_BASE_URL env var (#107)

* feat: nginx auto config (#109)

* fix: add step for sso provider (#110)

* fix: add client_max_body_size to intel (#112)

* fix: tweak name of dhparam.pem env var (#113)

* tweak name of dhparam.pem env var

* fix env var name in nginx template

* fix pam to pem

* fix: missing env file on collab (#114)

* fix: handle nil ai.openai.api_key to prevent template er… (#116)

* fix(intel-chart): handle nil ai.openai.api_key to prevent template errors

Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and
ai.external.api_key when undefined.
This fixes a fatal error during `helm template` when AI mode is set to `bundled`
and no OpenAI config is present. Ensures compatibility with bundled-only deployments.

* Changes to fix workflow issues

* fix: cleanup for sso tenants (#117)

* feat(intel): add option to disable AI integration entirely (#120)

Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it
mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling
AI features entirely, enabling Intel to be deployed without any AI-related containers or resources.

* Change gen ai image name on values file (#122)

* fix: bump up version number (#123)

* docs: remove outdated metrics section from README (#130)

- Removed the section referring to metrics(prometeus), etc from the README

Co-authored-by: engineering <engineering@codetogether.com>

* fix: add note to env-template file (#127)

* fix: update LLM image URL to hub.edge (#132)

* docs: add deprecation notice to old Live chart (#131)

* 126 automatically configure ollama integration when llm is enabled (#128)

* Make sidecar AI container resource block optional in deployment

- Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml.
- Ensures the bundled AI container can run without specifying resource limits/requests by default.
- Improved overall Helm template flexibility for embedded AI mode.
- Validated that runs with AI Container embeeded.

* Enable support for external AI provider

- Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode.
- Added manifests for external AI integration:
  - ai-config ConfigMap: defines external provider and URL.
  - ai-external-secret Secret: stores the external API key.
- Verified that external AI mode works by routing requests through the configured external service.

* feat: automate creation of external AI ConfigMap and Secret from values.yaml

- Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled.
- ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml.
- Ensured resources are only created when ai.enabled=true and ai.mode=external.

* feat: allow use of existing or Helm-managed ai-external-secret in deployment

- Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation.
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided.

* Fixing helm template validations

* Adding values configuration

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Gen AI Changes (#124)

* Change resources of ai

* Include gen ai on docker compose.

* undo changes

* Fix collab helm chart to allow usage of locator. (#134)

* fix: invalid values in AI values section (#137)

* fix: support automatic configuration of the LLM integration if AI is enabled (#138)

* Fixes after Testing (#139)

* Fixes after Testing
- Refactored deployment.yaml to reference ai.externalSecret.name when create: false
- Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData
- Updated ai-external-secret.yaml to generate a Secret only when create: true

* Bump intel chart version to 1.2.5

* Fix to use http://codetogether-llm:8000/ always

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Changes to use localhost always to avoid DNS issues (#142)

Co-authored-by: engineering <engineering@codetogether.com>

* feat: support for optional keycloak deployment (#145)

* initial config

* Docker compose example to run keycloak

---------

Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>

* 144 keycloak (#146)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#147)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#149)

* fixes on properties file

* Prepare examples for deployment with keycloak.

* move files

* feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158)

* feat(charts, compose): add CT_TRUST_ALL_CERTS support

Fixes: #157
- values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS
- deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled
- .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose
- compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether‑intel service

* refactor(charts): move trustAllCerts under codetogether section

- values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false)
- deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts

* fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry

- Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service
- Rely on `env_file: .env` to inject the variable

---------

Co-authored-by: engineering <engineering@codetogether.com>

* feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161)

Fixes: #160

Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional
so it is not rendered when AI is disabled. This prevents clashes with
pre-existing `ai-secrets` owned by other releases and keeps templates clean.

* fix: improve keycloak compose health check (#162)

* fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164)

Fixes: #163

Problem
- Deploying multiple `codetogether-intel` releases in the same namespace caused
  a collision on statically named resources (e.g., `ai-secrets` / `ai-config`),
  producing Helm ownership errors.

What changed
- templates/ai-config.yaml
  - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`.
  - Name is now release-scoped: `{{ .Release.Name }}-ai-config`.

- templates/ai-external-secret.yaml
  - Respect `ai.externalSecret.create` and `ai.externalSecret.name`.
  - Default Secret name is release-scoped:
    `{{ include "codetogether.fullname" . }}-ai-external-secret`.
  - Store API key under `stringData.apiKey`.

- templates/deployment.yaml
  - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`.
  - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret:
    `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`.
  - Bundled mode unchanged; external resources are not created in bundled mode.

Why
- Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`)
  can coexist in the same namespace without Helm ownership clashes.

How to test
- External (chart-managed Secret):
  `helm template demo-staging-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY`
  → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`.

- External (existing Secret):
  `kubectl create secret generic my-custom-ai-secret -n default \
    --from-literal=apiKey=TESTKEY`
  `helm template qa-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret`
  → renders only the release-scoped ConfigMap; Deployment references the existing Secret.

- Bundled:
  `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled`
  → no AI ConfigMap/Secret rendered; sidecar included.

* chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166)

Fixes: #165

- Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with
  KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
- Update compose files to pass new env vars to the Keycloak container.
- Refresh .env templates to reflect the new names.
- Remove references to deprecated vars.

Touched:
- compose/.env-with-keycloak-template
- compose/keycloak/.env-template
- compose/keycloak/compose-keycloak.yaml
- compose/keycloak/compose-keycloak-no-nginx.yaml

Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap.

BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*.

* feat(helm): add RO rootfs support for Intel and Collab (#169)

* feat(helm): add RO rootfs support for Intel and Collab

Fixes: #168

- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)

* Typo fixes

* Typo fixes

* Fixing typo

* Changes to defaults

* Fixes

* feat(helm-collab): Support optional existing secret for Intel connection (#171)

Fixes: #170

- add values: intelsecret.enabled/ref
- conditionally render templates/secret-intel.yaml
- deployment envs read from external secret when enabled (fail if ref missing)
- default unchanged (chart still creates "release"-intel)

* collab, intel: align read-only handling with live legacy chart (#175)

* collab, intel: align read-only handling with live legacy chart

Fixes: #174

- Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem
- When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx
- Remove readOnlyMode flag and prepare-ro initContainer

* Fixes

* Bump version from 1.2.5 to 1.2.6

* Bump version to 1.2.3 in Chart.yaml

* Fix indentation in deployment.yaml

* Remove initContainers for readOnlyMode

Removed initContainers configuration for read-only mode.

* Bump version from 1.2.6 to 1.2.7

* Bump version from 1.2.3 to 1.2.4

* 177 collab intel rofs on open shift avoid run as user 0 support fs group (#178)

* OpenShift Testing Commit

* Intel Changes

* Fixes

* Fixes

* Fix

* feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel

Fixes: #177

This change makes the codetogether-collab and codetogether-intel charts work
out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC),
and adds first-class support for readOnlyRootFilesystem via init containers.

Key changes
-----------
Collab
- Add initContainer `prepare-volatile` to create writable runtime paths when
  readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx,
  and the existing /run/volatile/* tree).
- Conditionally handle OpenShift vs vanilla:
  - OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs.
    Keep runAsNonRoot and disallow privilege escalation. Avoid chown.
    Use `install -d -m 0775/2775` for group-write with sticky set as needed.
  - Vanilla: init runs as root (UID 0) to chown created dirs to the non-root
    runtime user (defaults to 1000:1000); main container runs non-root.
- When readOnlyRootFilesystem=true:
  - Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx.
  - Add matching volumeMounts.
- Keep probes and ports unchanged.
- Values: add/clarify `openshift.enabled` flag, securityContext defaults,
  imageCredentials usage, and sample values for both environments.

Intel
- Add initContainer `prepare-runtime` to create /var/log/nginx and
  /var/cache/nginx and make them writable under read-only rootfs.
- Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP;
  root init + non-root app for vanilla).
- Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx,
  /var/cache/nginx when readOnlyRootFilesystem=true.
- Preserve existing envs (AI mode, HQ base URL, Java options, etc.).

Why
---
- Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set.
- Fixes initContainer permission errors (e.g., "Operation not permitted" on /run)
  by avoiding chown on OpenShift and using 2775 with umask 002.
- Enables secure read-only rootfs operation by provisioning necessary
  writable paths via EmptyDir.

Testing
-------
- OpenShift 4.x:
  - `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup.
  - initContainers succeed; pods transition to Running.
- Vanilla (DigitalOcean Kubernetes):
  - `openshift.enabled=false`, readOnlyRootFilesystem=true.
  - init runs as root, chowns to 1000:1000; app runs as non-root.
  - Pods healthy; readiness/liveness OK.

Breaking changes
----------------
- None functionally; however, when enabling readOnlyRootFilesystem, the chart
  now requires the EmptyDir mounts (added by default when the flag is true).

* Testing

* fix(openshift): make Intel/Collab charts run on OpenShift; verified in-cluster

Fixes: #177

- Validated (same OpenShift env)
- This change fixes the customer’s OpenShift issue.

* Allow setting the CT_CUSTOM_CLIENTS_ORIGIN env variable.

* fix env variable name

* Allow adding a custom IDE location URL (#184)

* Remove volumeMounts for readOnlyRootFilesystem

Removed volumeMounts configuration for properties-volume.

* Update codetogether-tmp volume medium configuration

Changed the medium of the codetogether-tmp volume from 'Memory' to an empty object.

* Simplify emptyDir volume definition in deployment.yaml

* Update version and appVersion in Chart.yaml

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
Co-authored-by: Ignacio Moreno <ignacio@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
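The OpenShift branch of the `prepare-volatile` / `prepare-runtime` init container described in #178 above rests on one property of the restricted-v2 SCC: the pod runs as an arbitrary UID that is a member of GID 0, so directories created group-writable with the setgid bit (and files created under umask 002) remain writable to that UID without any chown, which is exactly the call that failed with "Operation not permitted". The script below is an added example, not code from the codetogether charts, that reproduces that preparation step against a scratch directory (a constructed stand-in for the emptyDir mounts; the directory list is assumed from the commit message) and then verifies the resulting modes. The verification half is the check worth running in the init container itself, or in CI against the rendered chart, before relying on readOnlyRootFilesystem=true on OpenShift.

```shell
#!/bin/sh
# Added example: OpenShift-style runtime directory preparation without chown.
# Not part of the codetogether charts. ROOT stands in for the emptyDir mounts
# (/run, /tmp, /var/log/nginx, /var/cache/nginx) and is a scratch directory.
set -eu

ROOT="${ROOT:-$(mktemp -d)}"

# Directories the init container has to make writable. Assumed from the
# commit message (/run/volatile tree, nginx log and cache dirs, /tmp).
RUNTIME_DIRS="run run/volatile tmp var/log/nginx var/cache/nginx"

# prepare_runtime: create the tree the way the OpenShift branch of the init
# container does. `install -d -m 2775` sets rwxrwsr-x: group-writable so the
# SCC-assigned UID (member of GID 0) can write, setgid so files it creates
# inherit the directory's group. No chown, so it works unprivileged.
prepare_runtime() {
    umask 002
    for d in $RUNTIME_DIRS; do
        install -d -m 2775 "$ROOT/$d"
    done
}

# mode_of: permission bits of a path in octal, including setuid/setgid/sticky
# (GNU and busybox stat syntax, i.e. the Linux containers this runs in).
mode_of() { stat -c '%a' "$1"; }

# verify_runtime: succeed only if every runtime dir is group-writable with
# setgid and a file created in the tree comes out group-writable too. This is
# the invariant the non-root, read-only-rootfs app container depends on.
verify_runtime() {
    for d in $RUNTIME_DIRS; do
        m=$(mode_of "$ROOT/$d")
        [ "$m" = "2775" ] || { echo "unexpected mode $m on $d" >&2; return 1; }
    done
    # umask 002 is what the init container sets; a log file written by nginx
    # must be writable by the whole root group, not just its creator.
    ( umask 002; : > "$ROOT/var/log/nginx/access.log" )
    f=$(mode_of "$ROOT/var/log/nginx/access.log")
    [ "$f" = "664" ] || { echo "unexpected mode $f on access.log" >&2; return 1; }
}

prepare_runtime
verify_runtime && echo "runtime tree ready under $ROOT"
```

The vanilla-Kubernetes branch from the same commit (init container as UID 0 that chowns the tree to 1000:1000) is deliberately not reproduced here: it needs root, and the whole point of the OpenShift variant is that it does not. If the verify step fails in a real pod, the usual causes are an image whose nginx directories are pre-created with a different group, or a pod spec that still pins `runAsUser`/`fsGroup`, which restricted-v2 rejects.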
danc094codetogether added a commit that referenced this pull request Oct 15, 2025
* fix: separate SSL certificates (#101)

* fix: Set environment variables via .env file. (#99)

* Set environment variables via .env file.

* Missing change

* Change how hostnames and secret are set.

* changes for env template

* add env variable resolver on sso redirect value

* fix: add env_file to codetogether-intel (#105)

* fix: missing CT_HQ_BASE_URL env var (#107)

* feat: nginx auto config (#109)

* fix: add step for sso provider (#110)

* fix: add client_max_body_size to intel (#112)

* fix: tweak name of dhparam.pem env var (#113)

* tweak name of dhparam.pem env var

* fix env var name in nginx template

* fix pam to pem

* fix: missing env file on collab (#114)

* fix: handle nil ai.openai.api_key to prevent template er… (#116)

* fix(intel-chart): handle nil ai.openai.api_key to prevent template errors

Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and
ai.external.api_key when undefined.
This fixes a fatal error during `helm template` when AI mode is set to `bundled`
and no OpenAI config is present. Ensures compatibility with bundled-only deployments.

* Changes to fix workflow issues

* fix: cleanup for sso tenants (#117)

* feat(intel): add option to disable AI integration entirely (#120)

Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it
mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling
AI features entirely, enabling Intel to be deployed without any AI-related containers or resources.

* Change gen ai image name on values file (#122)

* fix: bump up version number (#123)

* docs: remove outdated metrics section from README (#130)

- Removed the section referring to metrics (Prometheus), etc. from the README

Co-authored-by: engineering <engineering@codetogether.com>

* fix: add note to env-template file (#127)

* fix: update LLM image URL to hub.edge (#132)

* docs: add deprecation notice to old Live chart (#131)

* 126 automatically configure ollama integration when llm is enabled (#128)

* Make sidecar AI container resource block optional in deployment

- Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml.
- Ensures the bundled AI container can run without specifying resource limits/requests by default.
- Improved overall Helm template flexibility for embedded AI mode.
- Validated that it runs with the AI container embedded.

* Enable support for external AI provider

- Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode.
- Added manifests for external AI integration:
  - ai-config ConfigMap: defines external provider and URL.
  - ai-external-secret Secret: stores the external API key.
- Verified that external AI mode works by routing requests through the configured external service.

* feat: automate creation of external AI ConfigMap and Secret from values.yaml

- Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled.
- ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml.
- Ensured resources are only created when ai.enabled=true and ai.mode=external.

* feat: allow use of existing or Helm-managed ai-external-secret in deployment

- Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation.
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided.

* Fixing helm template validations

* Adding values configuration

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Gen AI Changes (#124)

* Change resources of ai

* Include gen ai on docker compose.

* undo changes

* Fix collab helm chart to allow usage of locator. (#134)

* fix: invalid values in AI values section (#137)

* fix: support automatic configuration of the LLM integration if AI is enabled (#138)

* Fixes after Testing (#139)

* Fixes after Testing
- Refactored deployment.yaml to reference ai.externalSecret.name when create: false
- Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData
- Updated ai-external-secret.yaml to generate a Secret only when create: true

* Bump intel chart version to 1.2.5

* Fix to use http://codetogether-llm:8000/ always

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Changes to use localhost always to avoid DNS issues (#142)

Co-authored-by: engineering <engineering@codetogether.com>

* feat: support for optional keycloak deployment (#145)

* initial config

* Docker compose example to run keycloak

---------

Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>

* 144 keycloak (#146)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#147)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#149)

* fixes on properties file

* Prepare examples for deployment with keycloak.

* move files

* feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158)

* feat(charts, compose): add CT_TRUST_ALL_CERTS support

Fixes: #157
- values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS
- deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled
- .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose
- compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether‑intel service

* refactor(charts): move trustAllCerts under codetogether section

- values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false)
- deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts

* fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry

- Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service
- Rely on `env_file: .env` to inject the variable

---------

Co-authored-by: engineering <engineering@codetogether.com>

* feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161)

Fixes: #160

Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional
so it is not rendered when AI is disabled. This prevents clashes with
pre-existing `ai-secrets` owned by other releases and keeps templates clean.

* fix: improve keycloak compose health check (#162)

* fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164)

Fixes: #163

Problem
- Deploying multiple `codetogether-intel` releases in the same namespace caused
  a collision on statically named resources (e.g., `ai-secrets` / `ai-config`),
  producing Helm ownership errors.

What changed
- templates/ai-config.yaml
  - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`.
  - Name is now release-scoped: `{{ .Release.Name }}-ai-config`.

- templates/ai-external-secret.yaml
  - Respect `ai.externalSecret.create` and `ai.externalSecret.name`.
  - Default Secret name is release-scoped:
    `{{ include "codetogether.fullname" . }}-ai-external-secret`.
  - Store API key under `stringData.apiKey`.

- templates/deployment.yaml
  - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`.
  - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret:
    `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`.
  - Bundled mode unchanged; external resources are not created in bundled mode.

Why
- Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`)
  can coexist in the same namespace without Helm ownership clashes.

How to test
- External (chart-managed Secret):
  `helm template demo-staging-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY`
  → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`.

- External (existing Secret):
  `kubectl create secret generic my-custom-ai-secret -n default \
    --from-literal=apiKey=TESTKEY`
  `helm template qa-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret`
  → renders only the release-scoped ConfigMap; Deployment references the existing Secret.

- Bundled:
  `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled`
  → no AI ConfigMap/Secret rendered; sidecar included.

* chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166)

Fixes: #165

- Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with
  KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
- Update compose files to pass new env vars to the Keycloak container.
- Refresh .env templates to reflect the new names.
- Remove references to deprecated vars.

Touched:
- compose/.env-with-keycloak-template
- compose/keycloak/.env-template
- compose/keycloak/compose-keycloak.yaml
- compose/keycloak/compose-keycloak-no-nginx.yaml

Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap.

BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*.

* feat(helm): add RO rootfs support for Intel and Collab (#169)

* feat(helm): add RO rootfs support for Intel and Collab

Fixes: #168

- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)

* Typo fixes

* Typo fixes

* Fixing typo

* Changes to defaults

* Fixes

* feat(helm-collab): Support optional existing secret for Intel connection (#171)

Fixes: #170

- add values: intelsecret.enabled/ref
- conditionally render templates/secret-intel.yaml
- deployment envs read from external secret when enabled (fail if ref missing)
- default unchanged (chart still creates "release"-intel)

* collab, intel: align read-only handling with live legacy chart (#175)

* collab, intel: align read-only handling with live legacy chart

Fixes: #174

- Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem
- When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx
- Remove readOnlyMode flag and prepare-ro initContainer

* Fixes

* Bump version from 1.2.5 to 1.2.6

* Bump version to 1.2.3 in Chart.yaml

* Fix indentation in deployment.yaml

* Remove initContainers for readOnlyMode

Removed initContainers configuration for read-only mode.

* Bump version from 1.2.6 to 1.2.7

* Bump version from 1.2.3 to 1.2.4

* 177 collab intel rofs on open shift avoid run as user 0 support fs group (#178)

* OpenShift Testing Commit

* Intel Changes

* Fixes

* Fixes

* Fix

* feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel

Fixes: #177

This change makes the codetogether-collab and codetogether-intel charts work
out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC),
and adds first-class support for readOnlyRootFilesystem via init containers.

Key changes
-----------
Collab
- Add initContainer `prepare-volatile` to create writable runtime paths when
  readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx,
  and the existing /run/volatile/* tree).
- Conditionally handle OpenShift vs vanilla:
  - OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs.
    Keep runAsNonRoot and disallow privilege escalation. Avoid chown.
    Use `install -d -m 0775/2775` for group-write with sticky set as needed.
  - Vanilla: init runs as root (UID 0) to chown created dirs to the non-root
    runtime user (defaults to 1000:1000); main container runs non-root.
- When readOnlyRootFilesystem=true:
  - Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx.
  - Add matching volumeMounts.
- Keep probes and ports unchanged.
- Values: add/clarify `openshift.enabled` flag, securityContext defaults,
  imageCredentials usage, and sample values for both environments.

Intel
- Add initContainer `prepare-runtime` to create /var/log/nginx and
  /var/cache/nginx and make them writable under read-only rootfs.
- Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP;
  root init + non-root app for vanilla).
- Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx,
  /var/cache/nginx when readOnlyRootFilesystem=true.
- Preserve existing envs (AI mode, HQ base URL, Java options, etc.).

Why
---
- Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set.
- Fixes initContainer permission errors (e.g., "Operation not permitted" on /run)
  by avoiding chown on OpenShift and using 2775 with umask 002.
- Enables secure read-only rootfs operation by provisioning necessary
  writable paths via EmptyDir.

Testing
-------
- OpenShift 4.x:
  - `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup.
  - initContainers succeed; pods transition to Running.
- Vanilla (DigitalOcean Kubernetes):
  - `openshift.enabled=false`, readOnlyRootFilesystem=true.
  - init runs as root, chowns to 1000:1000; app runs as non-root.
  - Pods healthy; readiness/liveness OK.

Breaking changes
----------------
- None functionally; however, when enabling readOnlyRootFilesystem, the chart
  now requires the EmptyDir mounts (added by default when the flag is true).

* Testing

* fix(openshift): make Intel/Collab charts run on OpenShift; verified in-cluster

Fixes: #177

- Validated (same OpenShift env)
- This change fixes the customer’s OpenShift issue.

* Allow setting the CT_CUSTOM_CLIENTS_ORIGIN env variable.

* fix env variable name

* Allow adding a custom IDE location URL (#184)

* Remove volumeMounts for readOnlyRootFilesystem

Removed volumeMounts configuration for properties-volume.

* Update codetogether-tmp volume medium configuration

Changed the medium of the codetogether-tmp volume from 'Memory' to an empty object.

* Simplify emptyDir volume definition in deployment.yaml

* Update version and appVersion in Chart.yaml

* refactor(helm): decouple customClientsUrl from AI config (#187)

Fixes: #180

- Render clients url when codetogether.customClientsUrl

* Bump version and appVersion in Chart.yaml

* Bump version and appVersion in Chart.yaml

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
Co-authored-by: Ignacio Moreno <ignacio@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
danc094codetogether added a commit that referenced this pull request Nov 27, 2025
* fix: separate SSL certificates (#101)

* fix: Set environment variables via .env file. (#99)

* Set environment variables via .env file.

* Missing change

* Change how hostnames and secret are set.

* changes for env template

* add env variable resolver on sso redirect value

* fix: add env_file to codetogether-intel (#105)

* fix: missing CT_HQ_BASE_URL env var (#107)

* feat: nginx auto config (#109)

* fix: add step for sso provider (#110)

* fix: add client_max_body_size to intel (#112)

* fix: tweak name of dhparam.pem env var (#113)

* tweak name of dhparam.pem env var

* fix env var name in nginx template

* fix pam to pem

* fix: missing env file on collab (#114)

* fix: handle nil ai.openai.api_key to prevent template er… (#116)

* fix(intel-chart): handle nil ai.openai.api_key to prevent template errors

Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and
ai.external.api_key when undefined.
This fixes a fatal error during `helm template` when AI mode is set to `bundled`
and no OpenAI config is present. Ensures compatibility with bundled-only deployments.

* Changes to fix workflow issues

* fix: cleanup for sso tenants (#117)

* feat(intel): add option to disable AI integration entirely (#120)

Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it
mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling
AI features entirely, enabling Intel to be deployed without any AI-related containers or resources.

* Change gen ai image name on values file (#122)

* fix: bump up version number (#123)

* docs: remove outdated metrics section from README (#130)

- Removed the section referring to metrics (Prometheus), etc. from the README

Co-authored-by: engineering <engineering@codetogether.com>

* fix: add note to env-template file (#127)

* fix: update LLM image URL to hub.edge (#132)

* docs: add deprecation notice to old Live chart (#131)

* 126 automatically configure ollama integration when llm is enabled (#128)

* Make sidecar AI container resource block optional in deployment

- Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml.
- Ensures the bundled AI container can run without specifying resource limits/requests by default.
- Improved overall Helm template flexibility for embedded AI mode.
- Validated that it runs with the AI container embedded.

* Enable support for external AI provider

- Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode.
- Added manifests for external AI integration:
  - ai-config ConfigMap: defines external provider and URL.
  - ai-external-secret Secret: stores the external API key.
- Verified that external AI mode works by routing requests through the configured external service.

* feat: automate creation of external AI ConfigMap and Secret from values.yaml

- Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled.
- ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml.
- Ensured resources are only created when ai.enabled=true and ai.mode=external.

* feat: allow use of existing or Helm-managed ai-external-secret in deployment

- Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation.
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided.

* Fixing helm template validations

* Adding values configuration

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Gen AI Changes (#124)

* Change resources of ai

* Include gen ai on docker compose.

* undo changes

* Fix collab helm chart to allow usage of locator. (#134)

* fix: invalid values in AI values section (#137)

* fix: support automatic configuration of the LLM integration if AI is enabled (#138)

* Fixes after Testing (#139)

* Fixes after Testing
- Refactored deployment.yaml to reference ai.externalSecret.name when create: false
- Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData
- Updated ai-external-secret.yaml to generate a Secret only when create: true

* Bump intel chart version to 1.2.5

* Fix to use http://codetogether-llm:8000/ always

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Changes to use localhost always to avoid DNS issues (#142)

Co-authored-by: engineering <engineering@codetogether.com>

* feat: support for optional keycloak deployment (#145)

* initial config

* Docker compose example to run keycloak

---------

Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>

* 144 keycloak (#146)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#147)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#149)

* fixes on properties file

* Prepare examples for deployment with keycloak.

* move files

* feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158)

* feat(charts, compose): add CT_TRUST_ALL_CERTS support

Fixes: #157
- values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS
- deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled
- .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose
- compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether‑intel service

* refactor(charts): move trustAllCerts under codetogether section

- values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false)
- deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts

* fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry

- Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service
- Rely on `env_file: .env` to inject the variable

---------

Co-authored-by: engineering <engineering@codetogether.com>

* feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161)

Fixes: #160

Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional
so it is not rendered when AI is disabled. This prevents clashes with
pre-existing `ai-secrets` owned by other releases and keeps templates clean.

* fix: improve keycloak compose health check (#162)

* fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164)

Fixes: #163

Problem
- Deploying multiple `codetogether-intel` releases in the same namespace caused
  a collision on statically named resources (e.g., `ai-secrets` / `ai-config`),
  producing Helm ownership errors.

What changed
- templates/ai-config.yaml
  - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`.
  - Name is now release-scoped: `{{ .Release.Name }}-ai-config`.

- templates/ai-external-secret.yaml
  - Respect `ai.externalSecret.create` and `ai.externalSecret.name`.
  - Default Secret name is release-scoped:
    `{{ include "codetogether.fullname" . }}-ai-external-secret`.
  - Store API key under `stringData.apiKey`.

- templates/deployment.yaml
  - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`.
  - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret:
    `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`.
  - Bundled mode unchanged; external resources are not created in bundled mode.

Why
- Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`)
  can coexist in the same namespace without Helm ownership clashes.

How to test
- External (chart-managed Secret):
  `helm template demo-staging-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY`
  → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`.

- External (existing Secret):
  `kubectl create secret generic my-custom-ai-secret -n default \
    --from-literal=apiKey=TESTKEY`
  `helm template qa-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret`
  → renders only the release-scoped ConfigMap; Deployment references the existing Secret.

- Bundled:
  `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled`
  → no AI ConfigMap/Secret rendered; sidecar included.

* chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166)

Fixes: #165

- Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with
  KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
- Update compose files to pass new env vars to the Keycloak container.
- Refresh .env templates to reflect the new names.
- Remove references to deprecated vars.

Touched:
- compose/.env-with-keycloak-template
- compose/keycloak/.env-template
- compose/keycloak/compose-keycloak.yaml
- compose/keycloak/compose-keycloak-no-nginx.yaml

Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap.

BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*.

* feat(helm): add RO rootfs support for Intel and Collab (#169)

* feat(helm): add RO rootfs support for Intel and Collab

Fixes: #168

- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)

* Typo fixes

* Typo fixes

* Fixing typo

* Changes to defaults

* Fixes

* feat(helm-collab): Support optional existing secret for Intel connection (#171)

Fixes: #170

- add values: intelsecret.enabled/ref
- conditionally render templates/secret-intel.yaml
- deployment envs read from external secret when enabled (fail if ref missing)
- default unchanged (chart still creates "release"-intel)

* collab, intel: align read-only handling with live legacy chart (#175)

* collab, intel: align read-only handling with live legacy chart

Fixes: #174

- Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem
- When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx
- Remove readOnlyMode flag and prepare-ro initContainer

* Fixes

* Bump version from 1.2.5 to 1.2.6

* Bump version to 1.2.3 in Chart.yaml

* Fix indentation in deployment.yaml

* Remove initContainers for readOnlyMode

Removed initContainers configuration for read-only mode.

* Bump version from 1.2.6 to 1.2.7

* Bump version from 1.2.3 to 1.2.4

* 177 collab intel rofs on open shift avoid run as user 0 support fs group (#178)

* OpenShift Testing Commit

* Intel Changes

* Fixes

* Fixes

* Fix

* feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel

Fixes: #177

This change makes the codetogether-collab and codetogether-intel charts work
out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC),
and adds first-class support for readOnlyRootFilesystem via init containers.

Key changes
-----------
Collab
- Add initContainer `prepare-volatile` to create writable runtime paths when
  readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx,
  and the existing /run/volatile/* tree).
- Conditionally handle OpenShift vs vanilla:
  - OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs.
    Keep runAsNonRoot and disallow privilege escalation. Avoid chown.
    Use `install -d -m 0775/2775` for group-write with sticky set as needed.
  - Vanilla: init runs as root (UID 0) to chown created dirs to the non-root
    runtime user (defaults to 1000:1000); main container runs non-root.
- When readOnlyRootFilesystem=true:
  - Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx.
  - Add matching volumeMounts.
- Keep probes and ports unchanged.
- Values: add/clarify `openshift.enabled` flag, securityContext defaults,
  imageCredentials usage, and sample values for both environments.

Intel
- Add initContainer `prepare-runtime` to create /var/log/nginx and
  /var/cache/nginx and make them writable under read-only rootfs.
- Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP;
  root init + non-root app for vanilla).
- Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx,
  /var/cache/nginx when readOnlyRootFilesystem=true.
- Preserve existing envs (AI mode, HQ base URL, Java options, etc.).

Why
---
- Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set.
- Fixes initContainer permission errors (e.g., "Operation not permitted" on /run)
  by avoiding chown on OpenShift and using 2775 with umask 002.
- Enables secure read-only rootfs operation by provisioning necessary
  writable paths via EmptyDir.

Testing
-------
- OpenShift 4.x:
  - `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup.
  - initContainers succeed; pods transition to Running.
- Vanilla (DigitalOcean Kubernetes):
  - `openshift.enabled=false`, readOnlyRootFilesystem=true.
  - init runs as root, chowns to 1000:1000; app runs as non-root.
  - Pods healthy; readiness/liveness OK.

Breaking changes
----------------
- None functionally; however, when enabling readOnlyRootFilesystem, the chart
  now requires the EmptyDir mounts (added by default when the flag is true).

* Testing

* fix(openshift): make Intel/Collab charts run on OpenShift; verified in-cluster

Fixes: #177

- Validated (same OpenShift env)
- This change fixes the customer’s OpenShift issue.

* Allow to set the CT_CUSTOM_CLIENTS_ORIGIN env variable.

* fix env variable name

* Allow to add custom ide location url (#184)

* Remove volumeMounts for readOnlyRootFilesystem

Removed volumeMounts configuration for properties-volume.

* Update codetogether-tmp volume medium configuration

Changed the medium of the codetogether-tmp volume from 'Memory' to an empty object.

* Simplify emptyDir volume definition in deployment.yaml

* Update version and appVersion in Chart.yaml

* refactor(helm): decouple customClientsUrl from AI config (#187)

Fixes: #180

- Render clients url when codetogether.customClientsUrl

* Bump version and appVersion in Chart.yaml

* Bump version and appVersion in Chart.yaml

* fix: enable read-only FS support (#189)

* Bump version and appVersion in Chart.yaml

* Bump version to 1.2.7 and appVersion to 2025.4.2

* Remove run-nginx volume mount

Removed run-nginx volume mount from deployment.

* Add run-volatile mount and volume to deployment.yaml

* Refactor deployment.yaml for memory-backed volumes

Updated volume mounts and volumes to use memory medium for tmp and run-volatile.

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
Co-authored-by: Ignacio Moreno <ignacio@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
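The commit messages above (#158, #169, #175, #178) describe the hardening the charts converge on: a read-only root filesystem with emptyDir-backed writable paths at /run, /tmp, /var/log/nginx and /var/cache/nginx; no explicit runAsUser/runAsGroup/fsGroup on OpenShift so the restricted-v2 SCC can assign UIDs; a root init container only on vanilla Kubernetes; and CT_TRUST_ALL_CERTS, which turns off certificate verification, left off. The following is an added example and not code from the codetogether charts or repository: a small Python policy check that takes a rendered Pod spec (the `spec.template.spec` of a Deployment, as the dict shape `kubectl get deploy -o json` or `helm template ... | yq -o json` produces) and reports deviations from those rules. The volume names, container names and the two sample specs at the bottom are constructed for the example; nothing here is asserted about the chart's actual template output.

```python
"""Policy check for a rendered Pod spec with a read-only root filesystem.

Added example, not part of the codetogether charts. `check_pod` takes the
`spec.template.spec` of a Deployment as a plain dict and returns a list of
findings; an empty list means the spec matches the rules described above.
"""
from __future__ import annotations

from typing import Any

# Paths that must be writable (emptyDir-backed) when the root filesystem is read-only.
REQUIRED_WRITABLE = ("/run", "/tmp", "/var/log/nginx", "/var/cache/nginx")


def _emptydir_names(pod: dict[str, Any]) -> set[str]:
    """Names of the pod's emptyDir volumes."""
    return {v["name"] for v in pod.get("volumes", []) if "emptyDir" in v}


def check_container(c: dict[str, Any], pod: dict[str, Any], *, openshift: bool, init: bool) -> list[str]:
    """Findings for one container; `init=True` relaxes the non-root rule off OpenShift."""
    name = c.get("name", "?")
    sc = c.get("securityContext") or {}
    out: list[str] = []

    if not init:
        if sc.get("readOnlyRootFilesystem") is not True:
            out.append(f"{name}: readOnlyRootFilesystem is not true")
        else:
            empty = _emptydir_names(pod)
            mounted = {m["mountPath"]: m["name"] for m in c.get("volumeMounts", [])}
            for path in REQUIRED_WRITABLE:
                vol = mounted.get(path)
                if vol is None:
                    out.append(f"{name}: read-only rootfs but nothing mounted at {path}")
                elif vol not in empty:
                    out.append(f"{name}: {path} backed by '{vol}', which is not an emptyDir")

    if sc.get("allowPrivilegeEscalation") is not False:
        out.append(f"{name}: allowPrivilegeEscalation must be false")

    # On OpenShift the restricted-v2 SCC assigns the UID range; a hard-coded UID
    # (including UID 0 for a chown-ing init container) is what triggers SCC denials.
    if openshift:
        for key in ("runAsUser", "runAsGroup"):
            if key in sc:
                out.append(f"{name}: {key} set explicitly; the SCC assigns it")
        if sc.get("runAsNonRoot") is not True:
            out.append(f"{name}: runAsNonRoot must be true")
    elif not init and sc.get("runAsNonRoot") is not True:
        out.append(f"{name}: runAsNonRoot must be true (only the init container may be root)")

    for env in c.get("env", []):
        if env.get("name") == "CT_TRUST_ALL_CERTS" and str(env.get("value", "")).lower() == "true":
            out.append(f"{name}: CT_TRUST_ALL_CERTS=true disables TLS certificate verification")
    return out


def check_pod(pod: dict[str, Any], *, openshift: bool = False) -> list[str]:
    """All findings for a pod spec; an empty list means the policy holds."""
    out: list[str] = []
    if openshift and "fsGroup" in (pod.get("securityContext") or {}):
        out.append("pod: fsGroup set explicitly; let the SCC assign it")
    for c in pod.get("initContainers", []):
        out.extend(check_container(c, pod, openshift=openshift, init=True))
    for c in pod.get("containers", []):
        out.extend(check_container(c, pod, openshift=openshift, init=False))
    return out


# Constructed sample: vanilla Kubernetes, RO rootfs, root init container, non-root app.
VOLUMES = [{"name": n, "emptyDir": {}} for n in ("run", "tmp", "nginx-log", "nginx-cache")]
MOUNTS = [
    {"name": "run", "mountPath": "/run"},
    {"name": "tmp", "mountPath": "/tmp"},
    {"name": "nginx-log", "mountPath": "/var/log/nginx"},
    {"name": "nginx-cache", "mountPath": "/var/cache/nginx"},
]
VANILLA_RO = {
    "volumes": VOLUMES,
    "initContainers": [{"name": "prepare-runtime", "volumeMounts": MOUNTS,
                        "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": False}}],
    "containers": [{"name": "intel", "volumeMounts": MOUNTS,
                    "securityContext": {"readOnlyRootFilesystem": True, "runAsNonRoot": True,
                                        "runAsUser": 1000, "allowPrivilegeEscalation": False},
                    "env": [{"name": "CT_TRUST_ALL_CERTS", "value": "false"}]}],
}

# Constructed sample: the vanilla settings carried over to OpenShift, one mount missing,
# and CT_TRUST_ALL_CERTS switched on. Expect five findings.
OPENSHIFT_BAD = {
    "securityContext": {"fsGroup": 1000},
    "volumes": VOLUMES,
    "initContainers": [{"name": "prepare-runtime", "volumeMounts": MOUNTS,
                        "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": False}}],
    "containers": [{"name": "intel", "volumeMounts": MOUNTS[:3],
                    "securityContext": {"readOnlyRootFilesystem": True, "runAsNonRoot": True,
                                        "allowPrivilegeEscalation": False},
                    "env": [{"name": "CT_TRUST_ALL_CERTS", "value": "true"}]}],
}

if __name__ == "__main__":
    for label, spec, ocp in (("vanilla", VANILLA_RO, False), ("openshift", OPENSHIFT_BAD, True)):
        findings = check_pod(spec, openshift=ocp)
        print(f"{label}: {'ok' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against real output by converting the rendered Deployment to JSON and passing its `spec.template.spec` to `check_pod`, with `openshift=True` when the chart's `openshift.enabled` flag is set. The /tmp volume's `medium` (Memory or default) is deliberately not checked, since the history above changes it more than once; only whether the path is emptyDir-backed matters for the read-only rootfs to work.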
Successfully merging this pull request may close these issues.

Add one line comment between SSL files in .env for Docker Compose clarifying path

3 participants