
Commit a987b92

danc094codetogetherwgalanciaknmorenorCodeTogetherBot
authored
Main (#176)
* fix: separate SSL certificates (#101) * fix: Set environment variables via .env file. (#99) * Set environment variables via .env file. * Missing change * Change how hostnames and secret are set. * changes for env template * add env variable resolver on sso redirect value * fix: add env_file to codetogether-intel (#105) * fix: missing CT_HQ_BASE_URL env var (#107) * feat: nginx auto config (#109) * fix: add step for sso provider (#110) * fix: add client_max_body_size to intel (#112) * fix: tweak name of dhparam.pem env var (#113) * tweak name of dhparam.pem env var * fix env var name in nginx template * fix pam to pem * fix: missing env file on collab (#114) * fix: handle nil ai.openai.api_key to prevent template er… (#116) * fix(intel-chart): handle nil ai.openai.api_key to prevent template errors Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and ai.external.api_key when undefined. This fixes a fatal error during `helm template` when AI mode is set to `bundled` and no OpenAI config is present. Ensures compatibility with bundled-only deployments. * Changes to fix workflow issues * fix: cleanup for sso tenants (#117) * feat(intel): add option to disable AI integration entirely (#120) Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling AI features entirely, enabling Intel to be deployed without any AI-related containers or resources. 
* Change gen ai image name on values file (#122) * fix: bump up version number (#123) * docs: remove outdated metrics section from README (#130) - Removed the section referring to metrics(prometeus), etc from the README Co-authored-by: engineering <engineering@codetogether.com> * fix: add note to env-template file (#127) * fix: update LLM image URL to hub.edge (#132) * docs: add deprecation notice to old Live chart (#131) * 126 automatically configure ollama integration when llm is enabled (#128) * Make sidecar AI container resource block optional in deployment - Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml. - Ensures the bundled AI container can run without specifying resource limits/requests by default. - Improved overall Helm template flexibility for embedded AI mode. - Validated that runs with AI Container embeeded. * Enable support for external AI provider - Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode. - Added manifests for external AI integration: - ai-config ConfigMap: defines external provider and URL. - ai-external-secret Secret: stores the external API key. - Verified that external AI mode works by routing requests through the configured external service. * feat: automate creation of external AI ConfigMap and Secret from values.yaml - Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled. - ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml. - Ensured resources are only created when ai.enabled=true and ai.mode=external. * feat: allow use of existing or Helm-managed ai-external-secret in deployment - Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation. 
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided. * Fixing helm template validations * Adding values configuration --------- Co-authored-by: engineering <engineering@codetogether.com> * Gen AI Changes (#124) * Change resources of ai * Include gen ai on docker compose. * undo changes * Fix collab helm chart to allow usage of locator. (#134) * fix: invalid values in AI values section (#137) * fix: support automatic configuration of the LLM integration if AI is enabled (#138) * Fixes after Testing (#139) * Fixes after Testing - Refactored deployment.yaml to reference ai.externalSecret.name when create: false - Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData - Updated ai-external-secret.yaml to generate a Secret only when create: true * Bump intel chart version to 1.2.5 * Fix to user http://codetogether-llm:8000/ always --------- Co-authored-by: engineering <engineering@codetogether.com> * Changes to use localhost always to avoid dns issues (#142) Co-authored-by: engineering <engineering@codetogether.com> * feat: support for optional keycloak deployment (#145) * initial config * Docker compose example to run keycloak --------- Co-authored-by: Ignacio Moreno <nmorenor@gmail.com> * 144 keycloak (#146) * initial config * Docker compose example to run keycloak * Undo properties file change * fixes on properties file --------- Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com> * 144 keycloak (#147) * initial config * Docker compose example to run keycloak * Undo properties file change * fixes on properties file --------- Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com> * 144 keycloak (#149) * fixes on properties file * Prepare examples for deployment with keycloak. 
* move files * feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158) * feat(charts, compose): add CT_TRUST_ALL_CERTS support Fixes: #157 - values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS - deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled - .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose - compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether‑intel service * refactor(charts): move trustAllCerts under codetogether section - values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false) - deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts * fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry - Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service - Rely on `env_file: .env` to inject the variable --------- Co-authored-by: engineering <engineering@codetogether.com> * feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161) Fixes: #160 Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional so it is not rendered when AI is disabled. This prevents clashes with pre-existing `ai-secrets` owned by other releases and keeps templates clean. * fix: improve keycloak compose health check (#162) * fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164) Fixes: #163 Problem - Deploying multiple `codetogether-intel` releases in the same namespace caused a collision on statically named resources (e.g., `ai-secrets` / `ai-config`), producing Helm ownership errors. What changed - templates/ai-config.yaml - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`. - Name is now release-scoped: `{{ .Release.Name }}-ai-config`. - templates/ai-external-secret.yaml - Respect `ai.externalSecret.create` and `ai.externalSecret.name`. 
- Default Secret name is release-scoped: `{{ include "codetogether.fullname" . }}-ai-external-secret`. - Store API key under `stringData.apiKey`. - templates/deployment.yaml - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`. - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret: `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`. - Bundled mode unchanged; external resources are not created in bundled mode. Why - Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`) can coexist in the same namespace without Helm ownership clashes. How to test - External (chart-managed Secret): `helm template demo-staging-intel ./charts/intel -n default \ --set ai.enabled=true --set ai.mode=external \ --set ai.provider=openai --set ai.url=https://api.openai.com \ --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY` → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`. - External (existing Secret): `kubectl create secret generic my-custom-ai-secret -n default \ --from-literal=apiKey=TESTKEY` `helm template qa-intel ./charts/intel -n default \ --set ai.enabled=true --set ai.mode=external \ --set ai.provider=openai --set ai.url=https://api.openai.com \ --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret` → renders only the release-scoped ConfigMap; Deployment references the existing Secret. - Bundled: `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled` → no AI ConfigMap/Secret rendered; sidecar included. * chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166) Fixes: #165 - Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD. - Update compose files to pass new env vars to the Keycloak container. 
- Refresh .env templates to reflect the new names. - Remove references to deprecated vars. Touched: - compose/.env-with-keycloak-template - compose/keycloak/.env-template - compose/keycloak/compose-keycloak.yaml - compose/keycloak/compose-keycloak-no-nginx.yaml Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap. BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*. * feat(helm): add RO rootfs support for Intel and Collab (#169) * feat(helm): add RO rootfs support for Intel and Collab Fixes: #168 - tmpfs emptyDir for /run and /tmp - RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx - Intel: initContainer to create subpaths - enable via securityContext (readOnlyRootFileSystem, runAsUser=0) * Typo fixes * Typo fixes * Fixing typo * Changes to defauts * Fixes * feat(helm-collab): Support optional existing secret for Intel connection (#171) Fixes: #170 - add values: intelsecret.enabled/ref - conditionally render templates/secret-intel.yaml - deployment envs read from external secret when enabled(fail if ref missing) - default unchanged (chart still creates "release"-intel) * collab, intel: align read-only handling with live legacy chart (#175) * collab, intel: align read-only handling with live legacy chart Fixes: #174 - Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem - When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx - Remove readOnlyMode flag and prepare-ro initContainer * Fixes * Bump version from 1.2.5 to 1.2.6 * Bump version to 1.2.3 in Chart.yaml * Fix indentation in deployment.yaml * Remove initContainers for readOnlyMode Removed initContainers configuration for read-only mode. 
* Bump version from 1.2.6 to 1.2.7 * Bump version from 1.2.3 to 1.2.4 --------- Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com> Co-authored-by: Ignacio Moreno <ignacio@codetogether.com> Co-authored-by: engineering <engineering@codetogether.com> Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
1 parent 4eabe03 commit a987b92

6 files changed

Lines changed: 35 additions & 44 deletions


charts/collab/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ name: codetogether-collab
33
description: CodeTogether Collab
44

55
type: application
6-
version: 1.2.3
6+
version: 1.2.4
77
appVersion: "2025.1.0"
88

99
icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png

charts/collab/templates/deployment.yaml

Lines changed: 2 additions & 1 deletion
@@ -253,7 +253,8 @@ spec:
253253
- name: codetogether-runtime
254254
emptyDir: {}
255255
- name: codetogether-tmp
256-
emptyDir: {}
256+
emptyDir:
257+
medium: Memory
257258
{{- else if .Values.favicon.enabled }}
258259
volumes:
259260
- name: favicon-volume
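
Review bot: The memory-backed `codetogether-tmp` volume at new lines 256-257 has no `sizeLimit`, so everything written to it is held in RAM and counted against the container's memory limit, and a large temporary file can get the pod OOM-killed. Consider adding a `sizeLimit` under `emptyDir` (ideally exposed through values.yaml). `codetogether-runtime` just above stays disk-backed; if that asymmetry is intentional, a short comment in the template would help the next reader.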

charts/collab/values.yaml

Lines changed: 2 additions & 2 deletions
@@ -211,12 +211,12 @@ serviceAccount:
211211

212212
podAnnotations: {}
213213

214-
securityContext: {} #defaults to
214+
securityContext: {} #defaults
215215
# capabilities:
216216
# drop:
217217
# - ALL
218-
# runAsNonRoot: true
219218
# readOnlyRootFilesystem: true # enable for read-only setup
219+
# runAsNonRoot: true
220220
# runAsUser: 0 # Use '0' for root user for read-only setup
221221

222222
readinessProbe:
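
Review bot: The commented example at new lines 219-220 now puts `# runAsNonRoot: true` directly above `# runAsUser: 0`, and a user who uncomments the whole block gets a container the kubelet refuses to start, because UID 0 fails the non-root check. Since the read-only setup is documented as needing root, show `runAsNonRoot: false` in that example, or split the block into two clearly labelled alternatives (non-root default vs. read-only root filesystem). The trailing `#defaults` comment on line 214 also no longer says what the defaults are and could be dropped or completed.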

charts/intel/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ name: codetogether-intel
33
description: CodeTogether Intel provides advanced project insights for developers
44

55
type: application
6-
version: 1.2.6
6+
version: 1.2.7
77
appVersion: "2025.3.0"
88

99
icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png

charts/intel/templates/deployment.yaml

Lines changed: 26 additions & 32 deletions
@@ -26,17 +26,6 @@ spec:
2626
imagePullSecrets:
2727
- name: {{ include "codetogether.fullname" . }}-pull-secret
2828
{{- end }}
29-
{{- if .Values.readOnlyMode.enabled }}
30-
initContainers:
31-
- name: prepare-ro
32-
image: busybox:latest
33-
securityContext:
34-
runAsUser: 0
35-
command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"]
36-
volumeMounts:
37-
- name: volatile
38-
mountPath: /mnt/volatile
39-
{{- end }}
4029
serviceAccountName: {{ include "codetogether.serviceAccountName" . }}
4130
containers:
4231
- name: {{ .Chart.Name }}
@@ -110,6 +99,7 @@ spec:
11099
key: apiKey
111100
{{- end }}
112101
{{- end }}
102+
{{- if .Values.securityContext.readOnlyRootFilesystem }}
113103
volumeMounts:
114104
- name: properties-volume
115105
mountPath: /opt/codetogether/runtime/cthq.properties
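
Review bot: The conditional added at new line 102 opens before `volumeMounts:`, which forces the `else` branch further down (new lines 121-130) to repeat the `properties-volume` and `java-cacerts` mounts verbatim. Any future mount has to be added in two places, and a miss would only show up in one of the two modes. Keep a single unconditional `volumeMounts:` block and wrap only the four read-only mounts in `{{- if .Values.securityContext.readOnlyRootFilesystem }}`.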
@@ -119,20 +109,26 @@ spec:
119109
mountPath: /etc/ssl/certs/java/cacerts
120110
subPath: cacerts
121111
{{- end }}
122-
{{- if .Values.readOnlyMode.enabled }}
123-
- name: volatile
124-
mountPath: /run/volatile
125-
- name: run
126-
mountPath: /run
127-
- name: tmp
128-
mountPath: /tmp
129-
- name: volatile
130-
mountPath: /var/log/nginx
131-
subPath: var-log-nginx
132-
- name: volatile
133-
mountPath: /var/cache/nginx
134-
subPath: var-cache-nginx
112+
# Read-only root FS mounts
113+
- mountPath: /run
114+
name: codetogether-runtime
115+
- mountPath: /tmp
116+
name: codetogether-tmp
117+
- mountPath: /var/log/nginx
118+
name: codetogether-runtime
119+
- mountPath: /var/cache/nginx
120+
name: codetogether-runtime
121+
{{- else }}
122+
volumeMounts:
123+
- name: properties-volume
124+
mountPath: /opt/codetogether/runtime/cthq.properties
125+
subPath: cthq.properties
126+
{{- if .Values.java.customCacerts.enabled }}
127+
- name: java-cacerts
128+
mountPath: /etc/ssl/certs/java/cacerts
129+
subPath: cacerts
135130
{{- end }}
131+
{{- end }}
136132
ports:
137133
- name: http
138134
containerPort: 1080
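
Review bot: `/run`, `/var/log/nginx` and `/var/cache/nginx` at new lines 113-120 all mount `codetogether-runtime` with no `subPath`, so the three paths resolve to the same directory and nginx logs, cache files and runtime state end up side by side. The removed mounts kept them apart with `subPath: var-log-nginx` and `subPath: var-cache-nginx`. If sharing is not intended, give each path its own emptyDir volume. If it is intended, say so in the `# Read-only root FS mounts` comment, since log files readable from under `/run` is not what an operator would expect.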
@@ -181,16 +177,14 @@ spec:
181177
secret:
182178
secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
183179
{{- end }}
184-
{{- if .Values.readOnlyMode.enabled }}
185-
- name: volatile
180+
{{- if .Values.securityContext.readOnlyRootFilesystem }}
181+
- name: codetogether-runtime
186182
emptyDir: {}
187-
- name: run
188-
emptyDir:
189-
medium: Memory
190-
- name: tmp
183+
- name: codetogether-tmp
191184
emptyDir:
192185
medium: Memory
193-
{{- end }}
186+
{{- end }}
187+
194188
{{- with .Values.nodeSelector }}
195189
nodeSelector:
196190
{{- toYaml . | nindent 8 }}
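
Review bot: With the `run` volume removed at old lines 187-189, `/run` is now served by `codetogether-runtime`, which is declared with `emptyDir: {}` and is therefore backed by node disk rather than memory as before. If PID files, sockets or other runtime state were deliberately kept on tmpfs, this is a behaviour change that the version bump does not call out. Either set `medium: Memory` on `codetogether-runtime` or note the change. The remaining memory-backed `codetogether-tmp` volume would also benefit from a `sizeLimit`, and the `{{- end }}` at new line 186 should keep the indentation of its matching `if`.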
@@ -202,4 +196,4 @@ spec:
202196
{{- with .Values.tolerations }}
203197
tolerations:
204198
{{- toYaml . | nindent 8 }}
205-
{{- end }}
199+
{{- end }}

charts/intel/values.yaml

Lines changed: 3 additions & 7 deletions
@@ -138,9 +138,8 @@ securityContext: {} #defaults to
138138
# drop:
139139
# - ALL
140140
#readOnlyRootFilesystem: true # enable for read-only setup
141-
#runAsUser: 0 # Use '0' for root user for read-only setup
142-
# runAsNonRoot: true
143-
# runAsUser: 1000
141+
# runAsNonRoot: true # false for non-root user
142+
# runAsUser: 0 # Use '0' for root user for read-only setup
144143

145144
ai:
146145
enabled: false
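
Review bot: The inline comment at new line 141, `# runAsNonRoot: true # false for non-root user`, reads backwards: `runAsNonRoot: true` is the setting that enforces a non-root user, and it conflicts with the `runAsUser: 0` example on the next line. Reword it along the lines of "set to false when running as root for the read-only setup". The previous `# runAsUser: 1000` non-root example was dropped here, so the file no longer shows a non-root configuration at all; consider keeping it as the default example. The commented keys also use mixed indentation (`#readOnlyRootFilesystem` vs. `# runAsNonRoot`), which makes the block easy to uncomment into invalid YAML.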
@@ -180,7 +179,4 @@ tolerations: []
180179

181180
affinity: {}
182181

183-
replicaCount: 1
184-
185-
readOnlyMode:
186-
enabled: false # Set to 'true' to enable read-only mode
182+
replicaCount: 1
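
Review bot: Removing the `readOnlyMode` key at old lines 185-186 means existing installs that set `readOnlyMode.enabled=true` will upgrade cleanly but silently lose their writable mounts unless they also set `securityContext.readOnlyRootFilesystem`. That is a values-schema change shipped as a patch bump (1.2.6 to 1.2.7). Add an upgrade note to the chart README, and consider a template guard that fails rendering when `.Values.readOnlyMode` is still present so the migration is not missed.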
