Release (#90)

* Change collab helm chart to use private registry image

* Changes for docker compose. (#85)

* Rename hq to intel

* Allow user to provide their own hqproperties secret (#86)

* allow users to provide their own hqproperties secret for improved security over sensitive information

* PR feedback. cleaner value structure and using an explicit hqpropertiessecret.enabled value to toggle whether the secret is read

---------

Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>
Co-authored-by: Ignacio Moreno <ignacio@codetogether.com>

Author: patrick-codetogether

charts/collab/Chart.yaml

@@ -3,7 +3,7 @@ name: codetogether-collab
 description: CodeTogether Collab
 
 type: application
-version: 1.2.1
+version: 1.2.2
 appVersion: "2025.1.0"
 
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png

charts/collab/values.yaml

@@ -11,10 +11,7 @@ nameOverride: ""
 fullnameOverride: ""
 
 image:
-  # By default use DockerHub repository.
-  repository: codetogether/codetogether-collab
-  # Uncomment to use CodeTogether private Docker registry.
-  # repository: hub.edge.codetogether.com/releases/codetogether
+  repository: hub.edge.codetogether.com/releases/codetogether-collab
   pullPolicy: Always
   # Overrides the image tag whose default is the chart appVersion.
   tag: "latest"

charts/intel/Chart.yaml

@@ -3,7 +3,7 @@ name: codetogether-intel
 description: CodeTogether Intel provides advanced project insights for developers
 
 type: application
-version: 1.2.1
+version: 1.2.2
 appVersion: "2025.1.0"
 
 icon: https://www.codetogether.com/wp-content/uploads/2020/02/codetogether-circle-128.png

charts/intel/README.md

@@ -31,6 +31,8 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `imageCredentials.password`                    | Docker registry password                                                                     | `my-customer-password`                                    |
 | `imageCredentials.email`                       | Docker registry email                                                                        | `unused`                                                  |
 | `codetogether.url`                             | Full URL for the CodeTogether Intel server                                                     | `https://<server-fqdn>`                                   |
+| `hqpropertiessecret.enabled`                     | (Optional) If true, the value in hqpropertiessecret.ref will be used in place of the hqproperties values     | `false` |
+| `hqpropertiessecret.ref`                     | (Optional) Name of a Kubernetes secret containing the hqproperties secret. If provided, will override the other values in the hqproperties section     | `kubernetes-secret-name` |
 | `hqproperties.hq.sso.client.id`                | Client ID for Single Sign-On (SSO)                                                          | `CLIENTID.apps.googleusercontent.com`                     |
 | `hqproperties.hq.sso.client.secret`            | Client Secret for Single Sign-On (SSO)                                                      | `CLIENTSECRET`                                            |
 | `hqproperties.hq.sso.client.issuer.url`        | Issuer URL for Single Sign-On (SSO)                                                         | `https://accounts.google.com`                             |
@@ -51,7 +53,6 @@ The following table lists configurable parameters of the CodeTogether Intel char
 | `java.customCacerts.enabled`                   | Enables mounting a custom Java trust store (cacerts)                                         | `false`                                                  |
 | `java.customCacerts.cacertsSecretName`         | Name of the Kubernetes secret containing the `cacerts` file                                  | `custom-java-cacerts`                                    |
 | `java.customCacerts.trustStorePasswordKey`     | (Optional) Key inside the Kubernetes secret containing the trust store password             | `trustStorePassword`                                     |
-| `cassandra.passwordSecret`                     | (Optional) Name of a Kubernetes secret containing the Cassandra database password.          |                                                           |
 | `ingress.enabled`                              | Enables ingress controller resource                                                         | `true`                                                    |
 | `ingress.annotations`                          | Annotations for ingress                                                                      | `{}`                                                      |
 | `ingress.tls.secretName`                       | TLS secret name for ingress                                                                 | `codetogether-intel-tls`                                     |

charts/intel/templates/deployment.yaml

@@ -107,7 +107,13 @@ spec:
       volumes:
         - name: properties-volume
           secret:
-            secretName: {{ if .Values.fullnameOverride }}{{ .Values.fullnameOverride }}-hqproperties{{ else }}hqproperties{{ end }}
+            secretName: {{- if .Values.hqpropertiessecret.enabled }}
+              {{- .Values.hqpropertiessecret.ref }}
+            {{- else if .Values.fullnameOverride }}
+              {{- printf "%s-hqproperties" .Values.fullnameOverride }}
+            {{- else }}
+              {{- "hqproperties" }}
+            {{- end }}
         {{- if .Values.java.customCacerts.enabled }}
         - name: java-cacerts
           secret:

charts/intel/templates/secret-properties.yaml

@@ -1,18 +1,12 @@
+{{- if not .Values.hqpropertiessecret.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
   name: {{ if .Values.fullnameOverride }}{{ .Values.fullnameOverride }}-hqproperties{{ else }}hqproperties{{ end }}
 type: Opaque
 stringData:
   cthq.properties: |-
-    {{- $cassandraPassword := "" }}
-    {{- if and (hasKey .Values "cassandra") (hasKey .Values.cassandra "passwordSecret") .Values.cassandra.passwordSecret (lookup "v1" "Secret" .Release.Namespace .Values.cassandra.passwordSecret) }}
-    {{- $cassandraPassword := (lookup "v1" "Secret" .Release.Namespace .Values.cassandra.passwordSecret).data.cassandraPassword | b64dec }}
-    {{- end }}
     {{- range $key, $value := .Values.hqproperties }}
-      {{- if and (eq $key "hq.cassandra.db.password") $cassandraPassword }}
-    {{ $key }}={{ $cassandraPassword }}
-      {{- else }}
-    {{ $key }}={{ $value }}
-      {{- end }}
-    {{- end }}
+       {{ $key }}={{ $value }}
+    {{- end }}
+{{- end }}

charts/intel/values.yaml

@@ -59,11 +59,10 @@ hqproperties:
   # default datacenter name is 'datacenter1'
   # hq.cassandra.db.localdatacenter: datacenter1
 
-# Optional property, if provided the value from the secret will be used as the cassandra DB password
-# This will overwrite the value in the hqproperties hq.cassandra.db.password
-# The secret must have a key named 'cassandraPassword'
-cassandra:
-  passwordSecret: ""
+# Optional properties, if enabled is true, the values in the secret will be used as the hqproperties secret
+hqpropertiessecret:
+  enabled: false
+  ref: "intel-test-hqproperties-arbitrary"
 
 java:
   customCacerts:

compose/codetogether.nginx

@@ -1,3 +1,43 @@
+server {
+    listen       443 ssl http2;
+    server_name  <collab-server-fqdn>;
+    proxy_buffer_size 128k;
+    proxy_buffers 4 256k;
+    ssl_certificate      <path-to-ssl-bundle.crt>;
+    ssl_certificate_key  <path-to-ssl.key>;
+    ssl_dhparam          <path-to-dhparam.pem>;
+    ssl_prefer_server_ciphers on;
+    ssl_protocols TLSv1.2;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    location / {
+        # Similar proxy logic for headers
+        set $realIP $remote_addr;
+        set $forwardTo $proxy_add_x_forwarded_for;
+        set $reqHost $http_host;
+        client_max_body_size 32M;
+        if ($http_x_real_ip != '') {
+            set $realIP $http_x_real_ip;
+        }
+        if ($http_x_forwarded_for != '') {
+            set $forwardTo $http_x_forwarded_for;
+        }
+        add_header C-Real-IP $realIP;
+        add_header C-Forwarded-For $forwardTo;
+        add_header C-Request-Host $reqHost;
+        proxy_set_header X-Real-IP $realIP;
+        proxy_set_header X-Forwarded-For $forwardTo;
+        proxy_set_header Host $reqHost;
+        proxy_set_header X-NginX-Proxy true;
+        proxy_http_version 1.1;
+        proxy_redirect off;
+        proxy_pass http://codetogether-collab:1080;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_read_timeout 360;
+        proxy_connect_timeout 360;
+        proxy_send_timeout 360;
+    }
+}
 server {
     server_name          <server-fqdn>;
     listen               443 ssl http2;
@@ -14,10 +54,10 @@ server {
     ssl_protocols        TLSv1.2;
     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 
-    # create the passthrough to the CodeTogether HQ container
+    # create the passthrough to the CodeTogether Intel container
     location / {
 
-        # set passthru parameters for the CodeTogether HQ container
+        # set passthru parameters for the CodeTogether Intel container
         set $realIP      $remote_addr;
         set $forwardTo   $proxy_add_x_forwarded_for;
         set $reqHost     $http_host;
@@ -32,7 +72,7 @@ server {
         proxy_set_header Host $reqHost;
 
         # setup the backend to service the HQ requests
-        proxy_pass            http://127.0.0.1:1080;
+        proxy_pass            http://codetogether-intel:1080;
         proxy_set_header      X-NginX-Proxy true;
         proxy_http_version    1.1;
         proxy_redirect        off;

compose/compose.yaml

@@ -1,11 +1,39 @@
-services:
+services: 
+  codetogether-collab:
+    image: registry.digitalocean.com/codetogether-registry/codetogether-collab:latest
+    container_name: codetogether-collab
+    environment:
+      - CT_LICENSE_URL=http://codetogether-intel:1080
+      - CT_SERVER_URL=https://your-collab-server-fqdn
+      - CT_INTEL_SECRET=your-collab-intel-secret
+      - CT_AV_ENABLED=false
+      - CT_AV_LAN_IP=auto
+    networks:
+      - codetogethernet
+    depends_on:
+       codetogether-intel:
+        condition: service_healthy
+  nginx:
+    image: nginx:latest
+    container_name: codetogether-nginx
+    ports:
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf
+      - ./nginx/ssl:/etc/nginx/ssl
+      - ./nginx/log:/var/log/nginx
+    networks:
+      - codetogethernet
+    depends_on:
+       codetogether-intel:
+        condition: service_healthy
   codetogether-intel:
-    image: hub.edge.codetogether.com/releases/codetogether-intel:latest
+    image: registry.digitalocean.com/codetogether-registry/codetogether-intel:latest
     container_name: codetogether-intel
     environment:
-      - CT_HQ_BASE_URL=https://your-hq-server-fqdn
+      - CT_HQ_BASE_URL=https://your-intel-server-fqdn
     networks:
-      - hqnet
+      - codetogethernet
     volumes:
       - ./cthq.properties:/opt/codetogether/runtime/cthq.properties:ro
     ports:
@@ -14,16 +42,18 @@ services:
       cassandra:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "grep", "-q", "CodeTogether HQ backend started", "/var/log/codetogether-runtime/server.log"]
+      test: ["CMD", "grep", "-q", "CodeTogether Intel backend started", "/var/log/codetogether-runtime/server.log"]
       start_period: 20s
       interval: 10s
       timeout: 10s
-      retries: 30
+      retries: 50
   cassandra:
     image: cassandra:latest
     container_name: codetogether-cassandra
+    ports: 
+      - 9042:9042
     networks:
-      - hqnet
+      - codetogethernet
     environment:
       - HEAP_NEWSIZE=96M
       - MAX_HEAP_SIZE=512M
@@ -38,7 +68,7 @@ services:
       start_period: 30s
       interval: 10s
       timeout: 10s
-      retries: 20
+      retries: 70
 networks:
-  hqnet:
-    driver: bridge
+  codetogethernet:
+    driver: bridge

compose/cthq.properties

@@ -3,6 +3,8 @@ hq.base.url=https://<server-fqdn>
 hq.sso.redirect.uri=https://<server-fqdn>/api/v1/auth/sso/success/insights
 hq.sso.client.id=<clientid>
 hq.sso.client.secret=<clientsecret>
+hq.collab.url=https://your-collab-server-fqdn
+hq.collab.secret=<your-collab-intel-secret>
 
 # Generic single sign-on configuration
 hq.sso.client.issuer.url=https://<sso-fqdn>/<path>/.well-known/openid-configuration