Commit d27e49c
Release (#191)
* fix: separate SSL certificates (#101)
* fix: Set environment variables via .env file. (#99)
* Set environment variables via .env file.
* Missing change
* Change how hostnames and secret are set.
* changes for env template
* add env variable resolver on sso redirect value
* fix: add env_file to codetogether-intel (#105)
* fix: missing CT_HQ_BASE_URL env var (#107)
* feat: nginx auto config (#109)
* fix: add step for sso provider (#110)
* fix: add client_max_body_size to intel (#112)
* fix: tweak name of dhparam.pem env var (#113)
* tweak name of dhparam.pem env var
* fix env var name in nginx template
* fix pam to pem
* fix: missing env file on collab (#114)
* fix: handle nil ai.openai.api_key to prevent template er… (#116)
* fix(intel-chart): handle nil ai.openai.api_key to prevent template errors
Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and
ai.external.api_key when undefined.
This fixes a fatal error during `helm template` when AI mode is set to `bundled`
and no OpenAI config is present. Ensures compatibility with bundled-only deployments.
* Changes to fix workflow issues
* fix: cleanup for sso tenants (#117)
* feat(intel): add option to disable AI integration entirely (#120)
Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it
mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling
AI features entirely, enabling Intel to be deployed without any AI-related containers or resources.
* Change gen ai image name on values file (#122)
* fix: bump up version number (#123)
* docs: remove outdated metrics section from README (#130)
- Removed the section referring to metrics (Prometheus), etc. from the README
Co-authored-by: engineering <[email protected]>
* fix: add note to env-template file (#127)
* fix: update LLM image URL to hub.edge (#132)
* docs: add deprecation notice to old Live chart (#131)
* 126 automatically configure ollama integration when llm is enabled (#128)
* Make sidecar AI container resource block optional in deployment
- Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml.
- Ensures the bundled AI container can run without specifying resource limits/requests by default.
- Improved overall Helm template flexibility for embedded AI mode.
- Validated that it runs with AI Container embedded.
* Enable support for external AI provider
- Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode.
- Added manifests for external AI integration:
- ai-config ConfigMap: defines external provider and URL.
- ai-external-secret Secret: stores the external API key.
- Verified that external AI mode works by routing requests through the configured external service.
* feat: automate creation of external AI ConfigMap and Secret from values.yaml
- Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled.
- ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml.
- Ensured resources are only created when ai.enabled=true and ai.mode=external.
* feat: allow use of existing or Helm-managed ai-external-secret in deployment
- Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation.
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided.
* Fixing helm template validations
* Adding values configuration
---------
Co-authored-by: engineering <[email protected]>
* Gen AI Changes (#124)
* Change resources of ai
* Include gen ai on docker compose.
* undo changes
* Fix collab helm chart to allow usage of locator. (#134)
* fix: invalid values in AI values section (#137)
* fix: support automatic configuration of the LLM integration if AI is enabled (#138)
* Fixes after Testing (#139)
* Fixes after Testing
- Refactored deployment.yaml to reference ai.externalSecret.name when create: false
- Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData
- Updated ai-external-secret.yaml to generate a Secret only when create: true
* Bump intel chart version to 1.2.5
* Fix to use http://codetogether-llm:8000/ always
---------
Co-authored-by: engineering <[email protected]>
* Changes to use localhost always to avoid dns issues (#142)
Co-authored-by: engineering <[email protected]>
* feat: support for optional keycloak deployment (#145)
* initial config
* Docker compose example to run keycloak
---------
Co-authored-by: Ignacio Moreno <[email protected]>
* 144 keycloak (#146)
* initial config
* Docker compose example to run keycloak
* Undo properties file change
* fixes on properties file
---------
Co-authored-by: Wojciech Galanciak <[email protected]>
* 144 keycloak (#147)
* initial config
* Docker compose example to run keycloak
* Undo properties file change
* fixes on properties file
---------
Co-authored-by: Wojciech Galanciak <[email protected]>
* 144 keycloak (#149)
* fixes on properties file
* Prepare examples for deployment with keycloak.
* move files
* feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158)
* feat(charts, compose): add CT_TRUST_ALL_CERTS support
Fixes: #157
- values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS
- deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled
- .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose
- compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether-intel service
* refactor(charts): move trustAllCerts under codetogether section
- values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false)
- deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts
* fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry
- Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service
- Rely on `env_file: .env` to inject the variable
---------
Co-authored-by: engineering <[email protected]>
* feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161)
Fixes: #160
Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional
so it is not rendered when AI is disabled. This prevents clashes with
pre-existing `ai-secrets` owned by other releases and keeps templates clean.
* fix: improve keycloak compose health check (#162)
* fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164)
Fixes: #163
Problem
- Deploying multiple `codetogether-intel` releases in the same namespace caused
a collision on statically named resources (e.g., `ai-secrets` / `ai-config`),
producing Helm ownership errors.
What changed
- templates/ai-config.yaml
- Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`.
- Name is now release-scoped: `{{ .Release.Name }}-ai-config`.
- templates/ai-external-secret.yaml
- Respect `ai.externalSecret.create` and `ai.externalSecret.name`.
- Default Secret name is release-scoped:
`{{ include "codetogether.fullname" . }}-ai-external-secret`.
- Store API key under `stringData.apiKey`.
- templates/deployment.yaml
- Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`.
- Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret:
`{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`.
- Bundled mode unchanged; external resources are not created in bundled mode.
Why
- Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`)
can coexist in the same namespace without Helm ownership clashes.
How to test
- External (chart-managed Secret):
`helm template demo-staging-intel ./charts/intel -n default \
--set ai.enabled=true --set ai.mode=external \
--set ai.provider=openai --set ai.url=https://api.openai.com \
--set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY`
→ renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`.
- External (existing Secret):
`kubectl create secret generic my-custom-ai-secret -n default \
--from-literal=apiKey=TESTKEY`
`helm template qa-intel ./charts/intel -n default \
--set ai.enabled=true --set ai.mode=external \
--set ai.provider=openai --set ai.url=https://api.openai.com \
--set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret`
→ renders only the release-scoped ConfigMap; Deployment references the existing Secret.
- Bundled:
`helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled`
→ no AI ConfigMap/Secret rendered; sidecar included.
* chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166)
Fixes: #165
- Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with
KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
- Update compose files to pass new env vars to the Keycloak container.
- Refresh .env templates to reflect the new names.
- Remove references to deprecated vars.
Touched:
- compose/.env-with-keycloak-template
- compose/keycloak/.env-template
- compose/keycloak/compose-keycloak.yaml
- compose/keycloak/compose-keycloak-no-nginx.yaml
Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap.
BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*.
* feat(helm): add RO rootfs support for Intel and Collab (#169)
* feat(helm): add RO rootfs support for Intel and Collab
Fixes: #168
- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)
* Typo fixes
* Typo fixes
* Fixing typo
* Changes to defaults
* Fixes
* feat(helm-collab): Support optional existing secret for Intel connection (#171)
Fixes: #170
- add values: intelsecret.enabled/ref
- conditionally render templates/secret-intel.yaml
- deployment envs read from external secret when enabled (fail if ref missing)
- default unchanged (chart still creates "release"-intel)
* collab, intel: align read-only handling with live legacy chart (#175)
* collab, intel: align read-only handling with live legacy chart
Fixes: #174
- Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem
- When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx
- Remove readOnlyMode flag and prepare-ro initContainer
* Fixes
* Bump version from 1.2.5 to 1.2.6
* Bump version to 1.2.3 in Chart.yaml
* Fix indentation in deployment.yaml
* Remove initContainers for readOnlyMode
Removed initContainers configuration for read-only mode.
* Bump version from 1.2.6 to 1.2.7
* Bump version from 1.2.3 to 1.2.4
* 177 collab intel rofs on open shift avoid run as user 0 support fs group (#178)
* OpenShift Testing Commit
* Intel Changes
* Fixes
* Fixes
* Fix
* feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel
Fixes: #177
This change makes the codetogether-collab and codetogether-intel charts work
out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC),
and adds first-class support for readOnlyRootFilesystem via init containers.
Key changes
-----------
Collab
- Add initContainer `prepare-volatile` to create writable runtime paths when
readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx,
and the existing /run/volatile/* tree).
- Conditionally handle OpenShift vs vanilla:
- OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs.
Keep runAsNonRoot and disallow privilege escalation. Avoid chown.
Use `install -d -m 0775/2775` for group-write with sticky set as needed.
- Vanilla: init runs as root (UID 0) to chown created dirs to the non-root
runtime user (defaults to 1000:1000); main container runs non-root.
- When readOnlyRootFilesystem=true:
- Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx.
- Add matching volumeMounts.
- Keep probes and ports unchanged.
- Values: add/clarify `openshift.enabled` flag, securityContext defaults,
imageCredentials usage, and sample values for both environments.
Intel
- Add initContainer `prepare-runtime` to create /var/log/nginx and
/var/cache/nginx and make them writable under read-only rootfs.
- Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP;
root init + non-root app for vanilla).
- Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx,
/var/cache/nginx when readOnlyRootFilesystem=true.
- Preserve existing envs (AI mode, HQ base URL, Java options, etc.).
Why
---
- Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set.
- Fixes initContainer permission errors (e.g., "Operation not permitted" on /run)
by avoiding chown on OpenShift and using 2775 with umask 002.
- Enables secure read-only rootfs operation by provisioning necessary
writable paths via EmptyDir.
Testing
-------
- OpenShift 4.x:
- `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup.
- initContainers succeed; pods transition to Running.
- Vanilla (DigitalOcean Kubernetes):
- `openshift.enabled=false`, readOnlyRootFilesystem=true.
- init runs as root, chowns to 1000:1000; app runs as non-root.
- Pods healthy; readiness/liveness OK.
Breaking changes
----------------
- None functionally; however, when enabling readOnlyRootFilesystem, the chart
now requires the EmptyDir mounts (added by default when the flag is true).
* Testing
* fix(openshift): make Intel/Collab charts run on OpenShift; verified in-cluster
Fixes: #177
- Validated (same OpenShift env)
- This change fixes the customer’s OpenShift issue.
* Allow to set the CT_CUSTOM_CLIENTS_ORIGIN env variable.
* fix env variable name
* Allow to add custom ide location url (#184)
* Remove volumeMounts for readOnlyRootFilesystem
Removed volumeMounts configuration for properties-volume.
* Update codetogether-tmp volume medium configuration
Changed the medium of the codetogether-tmp volume from 'Memory' to an empty object.
* Simplify emptyDir volume definition in deployment.yaml
* Update version and appVersion in Chart.yaml
* refactor(helm): decouple customClientsUrl from AI config (#187)
Fixes: #180
- Render clients url when codetogether.customClientsUrl
* Bump version and appVersion in Chart.yaml
* Bump version and appVersion in Chart.yaml
* fix: enable read-only FS support (#189)
* Bump version and appVersion in Chart.yaml
* Bump version to 1.2.7 and appVersion to 2025.4.2
* Remove run-nginx volume mount
Removed run-nginx volume mount from deployment.
* Add run-volatile mount and volume to deployment.yaml
* Refactor deployment.yaml for memory-backed volumes
Updated volume mounts and volumes to use memory medium for tmp and run-volatile.
---------
Co-authored-by: Wojciech Galanciak <[email protected]>
Co-authored-by: Ignacio Moreno <[email protected]>
Co-authored-by: engineering <[email protected]>
Co-authored-by: Ignacio Moreno <[email protected]>
1 parent 1af48cb commit d27e49c
File tree
4 files changed, +31 -12 lines changed
- charts
  - collab
    - templates
  - intel
    - templates
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
6 | | - | |
7 | | - | |
| 6 | + | |
| 7 | + | |
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
190 | 190 | | |
191 | 191 | | |
192 | 192 | | |
193 | | - | |
194 | | - | |
195 | | - | |
196 | | - | |
| 193 | + | |
| 194 | + | |
| 195 | + | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
197 | 199 | | |
198 | 200 | | |
199 | 201 | | |
| |||
247 | 249 | | |
248 | 250 | | |
249 | 251 | | |
250 | | - | |
251 | | - | |
252 | | - | |
253 | | - | |
| 252 | + | |
| 253 | + | |
| 254 | + | |
| 255 | + | |
| 256 | + | |
| 257 | + | |
254 | 258 | | |
255 | 259 | | |
256 | 260 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
6 | | - | |
7 | | - | |
| 6 | + | |
| 7 | + | |
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
116 | 116 | | |
117 | 117 | | |
118 | 118 | | |
| 119 | + | |
| 120 | + | |
| 121 | + | |
| 122 | + | |
| 123 | + | |
| 124 | + | |
| 125 | + | |
| 126 | + | |
119 | 127 | | |
120 | 128 | | |
121 | 129 | | |
| |||
164 | 172 | | |
165 | 173 | | |
166 | 174 | | |
| 175 | + | |
| 176 | + | |
| 177 | + | |
| 178 | + | |
| 179 | + | |
| 180 | + | |
| 181 | + | |
167 | 182 | | |
168 | 183 | | |
169 | 184 | | |
| |||