
Commit 063fccc

danc094codetogetherwgalanciaknmorenorCodeTogetherBot
authored
Release (#185)
* fix: separate SSL certificates (#101)
* fix: Set environment variables via .env file. (#99)
* Set environment variables via .env file.
* Missing change
* Change how hostnames and secret are set.
* changes for env template
* add env variable resolver on sso redirect value
* fix: add env_file to codetogether-intel (#105)
* fix: missing CT_HQ_BASE_URL env var (#107)
* feat: nginx auto config (#109)
* fix: add step for sso provider (#110)
* fix: add client_max_body_size to intel (#112)
* fix: tweak name of dhparam.pem env var (#113)
* tweak name of dhparam.pem env var
* fix env var name in nginx template
* fix pam to pem
* fix: missing env file on collab (#114)
* fix: handle nil ai.openai.api_key to prevent template er… (#116)
* fix(intel-chart): handle nil ai.openai.api_key to prevent template errors
  Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and ai.external.api_key when undefined. This fixes a fatal error during `helm template` when AI mode is set to `bundled` and no OpenAI config is present. Ensures compatibility with bundled-only deployments.
* Changes to fix workflow issues
* fix: cleanup for sso tenants (#117)
* feat(intel): add option to disable AI integration entirely (#120)
  Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling AI features entirely, enabling Intel to be deployed without any AI-related containers or resources.
* Change gen ai image name on values file (#122)
* fix: bump up version number (#123)
* docs: remove outdated metrics section from README (#130)
  - Removed the section referring to metrics (Prometheus), etc from the README
  Co-authored-by: engineering <engineering@codetogether.com>
* fix: add note to env-template file (#127)
* fix: update LLM image URL to hub.edge (#132)
* docs: add deprecation notice to old Live chart (#131)
* 126 automatically configure ollama integration when llm is enabled (#128)
* Make sidecar AI container resource block optional in deployment
  - Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml.
  - Ensures the bundled AI container can run without specifying resource limits/requests by default.
  - Improved overall Helm template flexibility for embedded AI mode.
  - Validated that runs with AI Container embedded.
* Enable support for external AI provider
  - Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode.
  - Added manifests for external AI integration:
    - ai-config ConfigMap: defines external provider and URL.
    - ai-external-secret Secret: stores the external API key.
  - Verified that external AI mode works by routing requests through the configured external service.
* feat: automate creation of external AI ConfigMap and Secret from values.yaml
  - Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled.
  - ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml.
  - Ensured resources are only created when ai.enabled=true and ai.mode=external.
* feat: allow use of existing or Helm-managed ai-external-secret in deployment
  - Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation.
  - Added ai-external-secret.yaml template to optionally create the secret from values if not provided.
* Fixing helm template validations
* Adding values configuration
---------
Co-authored-by: engineering <engineering@codetogether.com>
* Gen AI Changes (#124)
* Change resources of ai
* Include gen ai on docker compose.
* undo changes
* Fix collab helm chart to allow usage of locator. (#134)
* fix: invalid values in AI values section (#137)
* fix: support automatic configuration of the LLM integration if AI is enabled (#138)
* Fixes after Testing (#139)
* Fixes after Testing
  - Refactored deployment.yaml to reference ai.externalSecret.name when create: false
  - Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData
  - Updated ai-external-secret.yaml to generate a Secret only when create: true
* Bump intel chart version to 1.2.5
* Fix to user http://codetogether-llm:8000/ always
---------
Co-authored-by: engineering <engineering@codetogether.com>
* Changes to use localhost always to avoid dns issues (#142)
  Co-authored-by: engineering <engineering@codetogether.com>
* feat: support for optional keycloak deployment (#145)
* initial config
* Docker compose example to run keycloak
---------
Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
* 144 keycloak (#146)
* initial config
* Docker compose example to run keycloak
* Undo properties file change
* fixes on properties file
---------
Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
* 144 keycloak (#147)
* initial config
* Docker compose example to run keycloak
* Undo properties file change
* fixes on properties file
---------
Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
* 144 keycloak (#149)
* fixes on properties file
* Prepare examples for deployment with keycloak.
* move files
* feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158)
* feat(charts, compose): add CT_TRUST_ALL_CERTS support
  Fixes: #157
  - values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS
  - deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled
  - .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose
  - compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether-intel service
* refactor(charts): move trustAllCerts under codetogether section
  - values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false)
  - deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts
* fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry
  - Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service
  - Rely on `env_file: .env` to inject the variable
---------
Co-authored-by: engineering <engineering@codetogether.com>
* feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161)
  Fixes: #160
  Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional so it is not rendered when AI is disabled. This prevents clashes with pre-existing `ai-secrets` owned by other releases and keeps templates clean.
* fix: improve keycloak compose health check (#162)
* fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164)
  Fixes: #163
  Problem
  - Deploying multiple `codetogether-intel` releases in the same namespace caused a collision on statically named resources (e.g., `ai-secrets` / `ai-config`), producing Helm ownership errors.
  What changed
  - templates/ai-config.yaml
    - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`.
    - Name is now release-scoped: `{{ .Release.Name }}-ai-config`.
  - templates/ai-external-secret.yaml
    - Respect `ai.externalSecret.create` and `ai.externalSecret.name`.
    - Default Secret name is release-scoped: `{{ include "codetogether.fullname" . }}-ai-external-secret`.
    - Store API key under `stringData.apiKey`.
  - templates/deployment.yaml
    - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`.
    - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret: `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`.
    - Bundled mode unchanged; external resources are not created in bundled mode.
  Why
  - Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`) can coexist in the same namespace without Helm ownership clashes.
  How to test
  - External (chart-managed Secret):
    `helm template demo-staging-intel ./charts/intel -n default \ --set ai.enabled=true --set ai.mode=external \ --set ai.provider=openai --set ai.url=https://api.openai.com \ --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY`
    → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`.
  - External (existing Secret):
    `kubectl create secret generic my-custom-ai-secret -n default \ --from-literal=apiKey=TESTKEY`
    `helm template qa-intel ./charts/intel -n default \ --set ai.enabled=true --set ai.mode=external \ --set ai.provider=openai --set ai.url=https://api.openai.com \ --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret`
    → renders only the release-scoped ConfigMap; Deployment references the existing Secret.
  - Bundled:
    `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled`
    → no AI ConfigMap/Secret rendered; sidecar included.
* chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166)
  Fixes: #165
  - Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
  - Update compose files to pass new env vars to the Keycloak container.
  - Refresh .env templates to reflect the new names.
  - Remove references to deprecated vars.
  Touched:
  - compose/.env-with-keycloak-template
  - compose/keycloak/.env-template
  - compose/keycloak/compose-keycloak.yaml
  - compose/keycloak/compose-keycloak-no-nginx.yaml
  Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap.
  BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*.
* feat(helm): add RO rootfs support for Intel and Collab (#169)
* feat(helm): add RO rootfs support for Intel and Collab
  Fixes: #168
  - tmpfs emptyDir for /run and /tmp
  - RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
  - Intel: initContainer to create subpaths
  - enable via securityContext (readOnlyRootFileSystem, runAsUser=0)
* Typo fixes
* Typo fixes
* Fixing typo
* Changes to defaults
* Fixes
* feat(helm-collab): Support optional existing secret for Intel connection (#171)
  Fixes: #170
  - add values: intelsecret.enabled/ref
  - conditionally render templates/secret-intel.yaml
  - deployment envs read from external secret when enabled (fail if ref missing)
  - default unchanged (chart still creates "release"-intel)
* collab, intel: align read-only handling with live legacy chart (#175)
* collab, intel: align read-only handling with live legacy chart
  Fixes: #174
  - Gate all tmp/runtime mounts behind securityContext.readOnlyRootFileSystem
  - When RO=true, mount emptyDir to /run, /tmp, /var/log/nginx, /var/cache/nginx
  - Remove readOnlyMode flag and prepare-ro initContainer
* Fixes
* Bump version from 1.2.5 to 1.2.6
* Bump version to 1.2.3 in Chart.yaml
* Fix indentation in deployment.yaml
* Remove initContainers for readOnlyMode
  Removed initContainers configuration for read-only mode.
* Bump version from 1.2.6 to 1.2.7
* Bump version from 1.2.3 to 1.2.4
* 177 collab intel rofs on open shift avoid run as user 0 support fs group (#178)
* OpenShift Testing Commit
* Intel Changes
* Fixes
* Fixes
* Fix
* feat(charts): OpenShift compatibility + read-only rootfs support for collab & intel
  Fixes: #177
  This change makes the codetogether-collab and codetogether-intel charts work out-of-the-box on both vanilla Kubernetes and OpenShift (restricted-v2 SCC), and adds first-class support for readOnlyRootFilesystem via init containers.
  Key changes
  -----------
  Collab
  - Add initContainer `prepare-volatile` to create writable runtime paths when readOnlyRootFilesystem=true (e.g., /run, /var/log/nginx, /var/cache/nginx, and the existing /run/volatile/* tree).
  - Conditionally handle OpenShift vs vanilla:
    - OpenShift: do NOT set runAsUser/runAsGroup/fsGroup; let SCC assign UIDs. Keep runAsNonRoot and disallow privilege escalation. Avoid chown. Use `install -d -m 0775/2775` for group-write with sticky set as needed.
    - Vanilla: init runs as root (UID 0) to chown created dirs to the non-root runtime user (defaults to 1000:1000); main container runs non-root.
  - When readOnlyRootFilesystem=true:
    - Mount EmptyDir volumes to /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx.
    - Add matching volumeMounts.
    - Keep probes and ports unchanged.
  - Values: add/clarify `openshift.enabled` flag, securityContext defaults, imageCredentials usage, and sample values for both environments.
  Intel
  - Add initContainer `prepare-runtime` to create /var/log/nginx and /var/cache/nginx and make them writable under read-only rootfs.
  - Same OpenShift vs vanilla split as collab (no explicit UID/GID on OCP; root init + non-root app for vanilla).
  - Mount EmptyDir + volumeMounts for /run, /tmp (Memory), /var/log/nginx, /var/cache/nginx when readOnlyRootFilesystem=true.
  - Preserve existing envs (AI mode, HQ base URL, Java options, etc.).
  Why
  ---
  - Fixes SCC denials on OpenShift when explicit runAsUser/fsGroup were set.
  - Fixes initContainer permission errors (e.g., "Operation not permitted" on /run) by avoiding chown on OpenShift and using 2775 with umask 002.
  - Enables secure read-only rootfs operation by provisioning necessary writable paths via EmptyDir.
  Testing
  -------
  - OpenShift 4.x:
    - `openshift.enabled=true`, remove fsGroup=0, do not set runAsUser/runAsGroup.
    - initContainers succeed; pods transition to Running.
  - Vanilla (DigitalOcean Kubernetes):
    - `openshift.enabled=false`, readOnlyRootFilesystem=true.
    - init runs as root, chowns to 1000:1000; app runs as non-root.
    - Pods healthy; readiness/liveness OK.
  Breaking changes
  ----------------
  - None functionally; however, when enabling readOnlyRootFilesystem, the chart now requires the EmptyDir mounts (added by default when the flag is true).
* Testing
* fix(openshift): make Intel/Collab charts run on OpenShift; verified in-cluster
  Fixes: #177
  - Validated (same OpenShift env)
  - This change fixes the customer’s OpenShift issue.
* Allow to set the CT_CUSTOM_CLIENTS_ORIGIN env variable.
* fix env variable name
* Allow to add custom ide location url (#184)
* Remove volumeMounts for readOnlyRootFilesystem
  Removed volumeMounts configuration for properties-volume.
* Update codetogether-tmp volume medium configuration
  Changed the medium of the codetogether-tmp volume from 'Memory' to an empty object.
* Simplify emptyDir volume definition in deployment.yaml
* Update version and appVersion in Chart.yaml
---------
Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
Co-authored-by: Ignacio Moreno <ignacio@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
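The commit message above describes the read-only rootfs scheme (emptyDir at /run, /tmp, /var/log/nginx, /var/cache/nginx) and the runAsNonRoot/runAsUser rules, while the diff below removes several of those mounts. As an added example, not part of the codetogether charts or this commit, here is a small lint over a rendered pod spec that flags exactly those inconsistencies; the sample specs are constructed from the templates touched in this commit, and `lint_pod`/`pod` are names chosen for the example.

```python
"""Lint a rendered Kubernetes pod spec for read-only rootfs consistency.

Added example; not part of the codetogether charts. Assumes the chart's
`securityContext` value is rendered at container level (pod-level is merged in).
"""
from typing import Dict, List

# Paths the embedded nginx and the JVM need writable even under a RO rootfs
# (the set named in the #169/#175 entries of the commit message).
REQUIRED_WRITABLE = ("/run", "/tmp", "/var/log/nginx", "/var/cache/nginx")


def lint_pod(pod_spec: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the spec is consistent."""
    findings: List[str] = []
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []):
        name = c["name"]
        sc = {**pod_sc, **c.get("securityContext", {})}  # container overrides pod
        mounts = {m["mountPath"]: m["name"] for m in c.get("volumeMounts", [])}

        # runAsNonRoot=true together with runAsUser=0 is rejected at container start.
        if sc.get("runAsNonRoot") and sc.get("runAsUser") == 0:
            findings.append(f"{name}: runAsNonRoot=true conflicts with runAsUser=0")

        # A read-only rootfs needs a writable mount at every runtime path.
        if sc.get("readOnlyRootFilesystem"):
            for path in REQUIRED_WRITABLE:
                if path not in mounts:
                    findings.append(f"{name}: readOnlyRootFilesystem=true but {path} is not mounted writable")

        for path, vol in mounts.items():
            spec = volumes.get(vol)
            if spec is None:
                findings.append(f"{name}: mount {path} references undefined volume {vol}")
            elif path == "/tmp" and "emptyDir" in spec and "sizeLimit" not in spec["emptyDir"]:
                findings.append(f"{name}: /tmp emptyDir has no sizeLimit; writes bounded only by node storage")
    return findings


def pod(name, sc, mounts=(), volumes=()):
    """Build a minimal pod spec dict (constructed sample data, not chart output)."""
    return {"containers": [{"name": name, "securityContext": sc,
                            "volumeMounts": [{"name": v, "mountPath": p} for p, v in mounts]}],
            "volumes": list(volumes)}


RO_NONROOT = {"readOnlyRootFilesystem": True, "runAsNonRoot": True, "runAsUser": 1000}

# Constructed: intel after this commit, RO flag set but every runtime mount removed.
INTEL_AFTER = pod("codetogether-intel", RO_NONROOT,
                  mounts=[("/opt/codetogether/runtime/cthq.properties", "properties-volume")],
                  volumes=[{"name": "properties-volume", "configMap": {"name": "placeholder"}}])
# Constructed: collab after this commit, /run and /tmp kept, nginx mounts dropped, /tmp on disk.
COLLAB_AFTER = pod("codetogether-collab", RO_NONROOT,
                   mounts=[("/run", "codetogether-runtime"), ("/tmp", "codetogether-tmp")],
                   volumes=[{"name": "codetogether-runtime", "emptyDir": {}},
                            {"name": "codetogether-tmp", "emptyDir": {}}])
# Constructed: the values.yaml hint "Use '0' for root user" applied next to runAsNonRoot: true.
ROOT_WITH_NONROOT = pod("codetogether-intel", {"runAsNonRoot": True, "runAsUser": 0})

if __name__ == "__main__":
    for label, spec in (("intel", INTEL_AFTER), ("collab", COLLAB_AFTER), ("root", ROOT_WITH_NONROOT)):
        print(label, *lint_pod(spec), sep="\n  ")
```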
1 parent a987b92 commit 063fccc

7 files changed

Lines changed: 19 additions & 43 deletions


charts/collab/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ name: codetogether-collab
33
description: CodeTogether Collab
44

55
type: application
6-
version: 1.2.4
6+
version: 1.2.5
77
appVersion: "2025.1.0"
88

99
icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
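Review bot: 1.2.4 to 1.2.5 is a patch bump, but this same commit changes the rendered collab Deployment (the /var/log/nginx and /var/cache/nginx mounts are dropped and /tmp loses `medium: Memory` in templates/deployment.yaml), which users who enabled readOnlyRootFilesystem will notice; add a changelog/README note, and consider a minor bump since the volume layout changes.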

charts/collab/templates/deployment.yaml

Lines changed: 2 additions & 6 deletions
@@ -194,10 +194,6 @@ spec:
194194
name: codetogether-runtime
195195
- mountPath: /tmp
196196
name: codetogether-tmp
197-
- mountPath: /var/log/nginx
198-
name: codetogether-runtime
199-
- mountPath: /var/cache/nginx
200-
name: codetogether-runtime
201197
{{- if .Values.favicon.enabled }}
202198
- mountPath: /opt/volatile-template/nginx/favicon.ico
203199
name: favicon-volume
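Review bot: with the /var/log/nginx and /var/cache/nginx mounts removed, those paths sit on the read-only layer whenever securityContext.readOnlyRootFilesystem is true, while /run and /tmp keep their emptyDir; unless the collab image already relocates nginx's log and cache directories (the #169 entry in the message says they were reused under /run/volatile), nginx will fail to open its access log or create proxy_temp under a RO rootfs. Please confirm the image symlinks these two paths into /run/volatile, or keep both mounts.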
@@ -248,13 +244,13 @@ spec:
248244

249245
resources:
250246
{{- toYaml .Values.resources | nindent 12 }}
247+
251248
{{- if .Values.securityContext.readOnlyRootFilesystem}}
252249
volumes:
253250
- name: codetogether-runtime
254251
emptyDir: {}
255252
- name: codetogether-tmp
256-
emptyDir:
257-
medium: Memory
253+
emptyDir: {}
258254
{{- else if .Values.favicon.enabled }}
259255
volumes:
260256
- name: favicon-volume
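Review bot: changing codetogether-tmp from `medium: Memory` to `emptyDir: {}` moves /tmp from RAM to node ephemeral disk, so whatever the app writes there (Java temp files, uploads) now lands on the node's filesystem until the pod is deleted; if this was done to avoid tmpfs counting against the memory limit, add a `sizeLimit` so a runaway /tmp cannot exhaust node storage. Minor: the `+` at new line 247 adds a stray blank line between `resources:` and the `{{- if .Values.securityContext.readOnlyRootFilesystem}}` guard, which itself lacks the space before `}}`.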

charts/collab/values.yaml

Lines changed: 2 additions & 1 deletion
@@ -217,7 +217,8 @@ securityContext: {} #defaults
217217
# - ALL
218218
# readOnlyRootFilesystem: true # enable for read-only setup
219219
# runAsNonRoot: true
220-
# runAsUser: 0 # Use '0' for root user for read-only setup
220+
# runAsUser: 1000 # Use '0' for root user, in vanilla k8s you can use any non-root uid
221+
# In openshift, dont set runAsUser, let OpenShift assign the values
221222

222223
readinessProbe:
223224
initialDelaySeconds: 60
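Review bot: the new comment at line 220 still says "Use '0' for root user", but `runAsUser: 0` together with the `runAsNonRoot: true` suggested on the line above is rejected by the kubelet at container start (CreateContainerConfigError); either drop the root hint or say that runAsNonRoot must be false when 0 is used. Also `dont` should be `don't`, and this wording differs from the block added to charts/intel/values.yaml in the same commit; keep the two identical.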

charts/intel/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ name: codetogether-intel
33
description: CodeTogether Intel provides advanced project insights for developers
44

55
type: application
6-
version: 1.2.7
6+
version: 1.2.8
77
appVersion: "2025.3.0"
88

99
icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png
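Review bot: 1.2.7 to 1.2.8 is a patch bump, yet for intel this commit removes the read-only rootfs volumes and mounts entirely (templates/deployment.yaml below), a behaviour change for anyone running 1.2.7 with securityContext.readOnlyRootFilesystem: true; call it out in release notes or in the values.yaml comment rather than shipping it silently.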

charts/intel/templates/deployment.yaml

Lines changed: 4 additions & 29 deletions
@@ -87,6 +87,10 @@ spec:
8787
{{ else }}
8888
{{ .Values.ai.url | quote }}
8989
{{ end }}
90+
{{- if .Values.codetogether.customClientsUrl }}
91+
- name: CT_CUSTOM_CLIENTS_ORIGIN
92+
value: {{ .Values.codetogether.customClientsUrl | quote }}
93+
{{- end }}
9094
- name: CT_HQ_OLLAMA_AI_MODEL_NAME
9195
value: {{ .Values.ai.modelName | default "gemma3:1b" | quote }}
9296
- name: CT_HQ_OLLAMA_AI_API_KEY
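Review bot: the CT_CUSTOM_CLIENTS_ORIGIN block is inserted between the `{{ end }}` of the ai.url selection and CT_HQ_OLLAMA_AI_MODEL_NAME, and the next hunk shows two further `{{- end }}` closing after the AI API key entries, so this entry may be nested inside the ai.enabled/ai.mode conditionals and rendered only when AI is on; verify against the full template and, if so, move it next to the other unconditional codetogether.* env vars. Separately, the value is named customClientsUrl while the variable is an ORIGIN: if the server compares it as a browser origin, a value carrying a path or trailing slash will never match, so document the expected shape.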
@@ -99,7 +103,6 @@ spec:
99103
key: apiKey
100104
{{- end }}
101105
{{- end }}
102-
{{- if .Values.securityContext.readOnlyRootFilesystem }}
103106
volumeMounts:
104107
- name: properties-volume
105108
mountPath: /opt/codetogether/runtime/cthq.properties
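Review bot: the `{{- else }}` and `{{- end }}` that balanced this `if` are removed only in the following hunk, so the template renders with an unmatched `else` if this hunk lands alone; keep both together. Making `volumeMounts:` unconditional is the right shape, since the properties-volume and cacerts mounts never depended on read-only mode.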
@@ -109,26 +112,6 @@ spec:
109112
mountPath: /etc/ssl/certs/java/cacerts
110113
subPath: cacerts
111114
{{- end }}
112-
# Read-only root FS mounts
113-
- mountPath: /run
114-
name: codetogether-runtime
115-
- mountPath: /tmp
116-
name: codetogether-tmp
117-
- mountPath: /var/log/nginx
118-
name: codetogether-runtime
119-
- mountPath: /var/cache/nginx
120-
name: codetogether-runtime
121-
{{- else }}
122-
volumeMounts:
123-
- name: properties-volume
124-
mountPath: /opt/codetogether/runtime/cthq.properties
125-
subPath: cthq.properties
126-
{{- if .Values.java.customCacerts.enabled }}
127-
- name: java-cacerts
128-
mountPath: /etc/ssl/certs/java/cacerts
129-
subPath: cacerts
130-
{{- end }}
131-
{{- end }}
132115
ports:
133116
- name: http
134117
containerPort: 1080
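Review bot: with these lines gone the intel container has no writable mount at /run, /tmp, /var/log/nginx or /var/cache/nginx in any mode, yet values.yaml in this same commit still advertises `readOnlyRootFilesystem: true # enable for read-only setup`; under a RO rootfs the embedded nginx cannot write its log or proxy_temp files and the JVM cannot create its /tmp working files, so the pod will crash-loop. Either keep the emptyDir mounts (they are harmless on a writable rootfs and can simply be unconditional), or remove the readOnlyRootFilesystem hint from values.yaml. Dropping the duplicated `{{- else }}` branch is a good cleanup.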
@@ -177,14 +160,6 @@ spec:
177160
secret:
178161
secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
179162
{{- end }}
180-
{{- if .Values.securityContext.readOnlyRootFilesystem }}
181-
- name: codetogether-runtime
182-
emptyDir: {}
183-
- name: codetogether-tmp
184-
emptyDir:
185-
medium: Memory
186-
{{- end }}
187-
188163
{{- with .Values.nodeSelector }}
189164
nodeSelector:
190165
{{- toYaml . | nindent 8 }}
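Review bot: after this removal codetogether-runtime and codetogether-tmp no longer exist in the intel chart while collab keeps both (charts/collab/templates/deployment.yaml in this commit), so the two charts that the #175 entry says were aligned now diverge in read-only handling; if intel no longer supports RO rootfs, say so in both values files. If it is meant to, declare the volumes here unconditionally with `emptyDir: {}` plus a `sizeLimit` instead of gating on the securityContext flag.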

charts/intel/values.yaml

Lines changed: 6 additions & 5 deletions
@@ -39,6 +39,7 @@ imageCredentials:
3939
codetogether:
4040
url: https://<server-fqdn>
4141
trustAllCerts: false # Set to 'true' to trust all certificates
42+
# customClientsUrl: "" # Optional custom URL for clients to download from
4243

4344

4445
hqproperties:
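Review bot: the comment says "custom URL for clients to download from" but the env var it feeds is CT_CUSTOM_CLIENTS_ORIGIN; state the expected shape (scheme://host[:port], no path) and give an example so users do not paste a download page URL. The deployment template only emits the variable when the value is non-empty, so the commented `""` default is safe.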
@@ -132,14 +133,14 @@ serviceAccount:
132133

133134
podAnnotations: {}
134135

135-
securityContext: {} #defaults to
136-
136+
securityContext: {} #defaults
137137
# capabilities:
138138
# drop:
139139
# - ALL
140-
#readOnlyRootFilesystem: true # enable for read-only setup
141-
# runAsNonRoot: true # false for non-root user
142-
# runAsUser: 0 # Use '0' for root user for read-only setup
140+
# readOnlyRootFilesystem: true # enable for read-only setup
141+
# runAsNonRoot: true
142+
# runAsUser: 1000 # Use '0' for root user
143+
# In openshift, dont set runAsUser, let OpenShift assign the values
143144

144145
ai:
145146
enabled: false
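Review bot: same issue as the collab values change: "Use '0' for root user" beside `runAsNonRoot: true` describes a combination the kubelet rejects, and `dont` should be `don't`. This block also lacks the ", in vanilla k8s you can use any non-root uid" wording the collab comment received; keep both charts' comments identical. Nit: `securityContext: {} #defaults` reads as cut off; `# defaults to empty, entries below are examples` would be clearer.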

compose/.env-template

Lines changed: 3 additions & 0 deletions
@@ -55,3 +55,6 @@ DHPARAM_PEM=dhparam.pem
5555
# Enable “to trust all certificates”
5656
CT_TRUST_ALL_CERTS=false
5757

58+
# Uncomment and set the following variable to enable custom IDE clients location
59+
# CT_CUSTOM_CLIENTS_ORIGIN=<your-custom-clients-origin>
60+

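Review bot: the placeholder `<your-custom-clients-origin>` gives no hint of the expected format; mirror the chart comment and say scheme://host[:port] with no path, since an origin with a path will not match. Line 60+ also adds a trailing empty line at end of file; drop it so the template ends with a single newline. No compose.yml change is needed because the service reads `env_file: .env` (per the #158 entry in the message), which is consistent with this hunk.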