Main (#173)

* fix: separate SSL certificates (#101)

* fix: Set environment variables via .env file. (#99)

* Set environment variables via .env file.

* Missing change

* Change how hostnames and secret are set.

* changes for env template

* add env variable resolver on sso redirect value

* fix: add env_file to codetogether-intel (#105)

* fix: missing CT_HQ_BASE_URL env var (#107)

* feat: nginx auto config (#109)

* fix: add step for sso provider (#110)

* fix: add client_max_body_size to intel (#112)

* fix: tweak name of dhparam.pem env var (#113)

* tweak name of dhparam.pem env var

* fix env var name in nginx template

* fix pam to pem

* fix: missing env file on collab (#114)

* fix: handle nil ai.openai.api_key to prevent template er… (#116)

* fix(intel-chart): handle nil ai.openai.api_key to prevent template errors

Adjusted the Helm chart template for ai-secrets to avoid referencing ai.openai.api_key and
ai.external.api_key when undefined.
This fixes a fatal error during `helm template` when AI mode is set to `bundled`
and no OpenAI config is present. Ensures compatibility with bundled-only deployments.

* Changes to fix workflow issues

* fix: cleanup for sso tenants (#117)

* feat(intel): add option to disable AI integration entirely (#120)

Previously, the Helm chart required either 'bundled' or 'external' AI mode to be configured, making it
mandatory to include AI integration. This commit introduces a new flag `ai.enabled` to allow disabling
AI features entirely, enabling Intel to be deployed without any AI-related containers or resources.

* Change gen ai image name on values file (#122)

* fix: bump up version number (#123)

* docs: remove outdated metrics section from README (#130)

- Removed the section referring to metrics(prometeus), etc from the README

Co-authored-by: engineering <engineering@codetogether.com>

* fix: add note to env-template file (#127)

* fix: update LLM image URL to hub.edge (#132)

* docs: add deprecation notice to old Live chart (#131)

* 126 automatically configure ollama integration when llm is enabled (#128)

* Make sidecar AI container resource block optional in deployment

- Updated deployment.yaml to include the `resources` block for the `codetogether-llm` sidecar only if values are defined in values.yaml.
- Ensures the bundled AI container can run without specifying resource limits/requests by default.
- Improved overall Helm template flexibility for embedded AI mode.
- Validated that runs with AI Container embeeded.

* Enable support for external AI provider

- Updated deployment.yaml to support both bundled and external AI modes, allowing selection via .Values.ai.mode.
- Added manifests for external AI integration:
  - ai-config ConfigMap: defines external provider and URL.
  - ai-external-secret Secret: stores the external API key.
- Verified that external AI mode works by routing requests through the configured external service.

* feat: automate creation of external AI ConfigMap and Secret from values.yaml

- Added Helm templates to generate ai-config ConfigMap and ai-external-secret Secret automatically when AI external mode is enabled.
- ConfigMap values (ai_provider, ai_url) and Secret value (api-key) are now configurable via values.yaml.
- Ensured resources are only created when ai.enabled=true and ai.mode=external.

* feat: allow use of existing or Helm-managed ai-external-secret in deployment

- Updated deployment.yaml to support referencing a user-provided Secret for AI external API key, with fallback to Helm-managed creation.
- Added ai-external-secret.yaml template to optionally create the secret from values if not provided.

* Fixing helm template validations

* Adding values configuration

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Gen AI Changes (#124)

* Change resources of ai

* Include gen ai on docker compose.

* undo changes

* Fix collab helm chart to allow usage of locator. (#134)

* fix: invalid values in AI values section (#137)

* fix: support automatic configuration of the LLM integration if AI is enabled (#138)

* Fixes after Testing (#139)

* Fixes after Testing
- Refactored deployment.yaml to reference ai.externalSecret.name when create: false
- Corrected CT_HQ_OLLAMA_AI_API_KEY key to apiKey to match Secret’s stringData
- Updated ai-external-secret.yaml to generate a Secret only when create: true

* Bump intel chart version to 1.2.5

* Fix to user http://codetogether-llm:8000/ always

---------

Co-authored-by: engineering <engineering@codetogether.com>

* Changes to use localhost always to avoid dns issues (#142)

Co-authored-by: engineering <engineering@codetogether.com>

* feat: support for optional keycloak deployment (#145)

* initial config

* Docker compose example to run keycloak

---------

Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>

* 144 keycloak (#146)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#147)

* initial config

* Docker compose example to run keycloak

* Undo properties file change

* fixes on properties file

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>

* 144 keycloak (#149)

* fixes on properties file

* Prepare examples for deployment with keycloak.

* move files

* feat(charts, compose): add CT_TRUST_ALL_CERTS support (#158)

* feat(charts, compose): add CT_TRUST_ALL_CERTS support

Fixes: #157
- values.yaml: introduce `java.trustAllCerts` (default false) to toggle CT_TRUST_ALL_CERTS
- deployment.yaml: inject `CT_TRUST_ALL_CERTS=true` into container env when `trustAllCerts` is enabled
- .env-template: add `CT_TRUST_ALL_CERTS` entry for Docker Compose
- compose.yml: reference `${CT_TRUST_ALL_CERTS}` in codetogether‑intel service

* refactor(charts): move trustAllCerts under codetogether section

- values.yaml: remove java.trustAllCerts; add codetogether.trustAllCerts (default false)
- deployment.yaml: guard CT_TRUST_ALL_CERTS injection on .Values.codetogether.trustAllCerts

* fix(compose): remove redundant CT_TRUST_ALL_CERTS env entry

- Drop explicit `CT_TRUST_ALL_CERTS` from the `environment` section in the `codetogether-intel` service
- Rely on `env_file: .env` to inject the variable

---------

Co-authored-by: engineering <engineering@codetogether.com>

* feat(chart): guard `ai-secrets` template behind `ai.enabled` (#161)

Fixes: #160

Wrap the `ai-secrets` Secret manifest with a `.Values.ai.enabled` conditional
so it is not rendered when AI is disabled. This prevents clashes with
pre-existing `ai-secrets` owned by other releases and keeps templates clean.

* fix: improve keycloak compose health check (#162)

* fix(helm/intel): scope AI resources per-release to avoid cross-release Secret conflicts (#164)

Fixes: #163

Problem
- Deploying multiple `codetogether-intel` releases in the same namespace caused
  a collision on statically named resources (e.g., `ai-secrets` / `ai-config`),
  producing Helm ownership errors.

What changed
- templates/ai-config.yaml
  - Create ConfigMap only when `ai.enabled=true` and `ai.mode=external`.
  - Name is now release-scoped: `{{ .Release.Name }}-ai-config`.

- templates/ai-external-secret.yaml
  - Respect `ai.externalSecret.create` and `ai.externalSecret.name`.
  - Default Secret name is release-scoped:
    `{{ include "codetogether.fullname" . }}-ai-external-secret`.
  - Store API key under `stringData.apiKey`.

- templates/deployment.yaml
  - Read `AI_PROVIDER` / `AI_EXTERNAL_URL` from `{{ .Release.Name }}-ai-config`.
  - Read `AI_EXTERNAL_API_KEY` from the default or user-specified Secret:
    `{{ default (printf "%s-ai-external-secret" (include "codetogether.fullname" .)) .Values.ai.externalSecret.name }}`.
  - Bundled mode unchanged; external resources are not created in bundled mode.

Why
- Ensures two or more releases (e.g., `qa-intel` and `demo-staging-intel`)
  can coexist in the same namespace without Helm ownership clashes.

How to test
- External (chart-managed Secret):
  `helm template demo-staging-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=true --set ai.externalSecret.apiKey=TESTKEY`
  → renders `demo-staging-intel-ai-config` and `demo-staging-intel-ai-external-secret`.

- External (existing Secret):
  `kubectl create secret generic my-custom-ai-secret -n default \
    --from-literal=apiKey=TESTKEY`
  `helm template qa-intel ./charts/intel -n default \
    --set ai.enabled=true --set ai.mode=external \
    --set ai.provider=openai --set ai.url=https://api.openai.com \
    --set ai.externalSecret.create=false --set ai.externalSecret.name=my-custom-ai-secret`
  → renders only the release-scoped ConfigMap; Deployment references the existing Secret.

- Bundled:
  `helm template demo ./charts/intel -n default --set ai.enabled=true --set ai.mode=bundled`
  → no AI ConfigMap/Secret rendered; sidecar included.

* chore(keycloak): switch to KC_BOOTSTRAP_* admin vars and update compose/templates (#166)

Fixes: #165

- Replace deprecated KEYCLOAK_ADMIN / KEYCLOAK_ADMIN_PASSWORD with
  KC_BOOTSTRAP_ADMIN_USERNAME / KC_BOOTSTRAP_ADMIN_PASSWORD.
- Update compose files to pass new env vars to the Keycloak container.
- Refresh .env templates to reflect the new names.
- Remove references to deprecated vars.

Touched:
- compose/.env-with-keycloak-template
- compose/keycloak/.env-template
- compose/keycloak/compose-keycloak.yaml
- compose/keycloak/compose-keycloak-no-nginx.yaml

Why: eliminates KC-SERVICES0110 warnings and ensures deterministic, persistent admin on first bootstrap.

BREAKING CHANGE: set KC_BOOTSTRAP_ADMIN_USERNAME and KC_BOOTSTRAP_ADMIN_PASSWORD instead of KEYCLOAK_ADMIN*.

* feat(helm): add RO rootfs support for Intel and Collab (#169)

* feat(helm): add RO rootfs support for Intel and Collab

Fixes: #168

- tmpfs emptyDir for /run and /tmp
- RW runtime at /run/volatile, reuse for /var/log/nginx and /var/cache/nginx
- Intel: initContainer to create subpaths
- enable via securityContext (readOnlyRootFileSystem, runAsUser=0)

* Typo fixes

* Typo fixes

* Fixing typo

* Changes to defauts

* Fixes

* feat(helm-collab): Support optional existing secret for Intel connection (#171)

Fixes: #170

- add values: intelsecret.enabled/ref
- conditionally render templates/secret-intel.yaml
- deployment envs read from external secret when enabled(fail if ref missing)
- default unchanged (chart still creates "release"-intel)

---------

Co-authored-by: Wojciech Galanciak <wojtek@codetogether.com>
Co-authored-by: Ignacio Moreno <ignacio@codetogether.com>
Co-authored-by: engineering <engineering@codetogether.com>
Co-authored-by: Ignacio Moreno <nmorenor@gmail.com>

Author: 4 people

charts/collab/templates/deployment.yaml

@@ -13,7 +13,7 @@ spec:
       annotations:
         checksum/coturn: {{ include (print $.Template.BasePath "/secret-coturn.yaml") . | sha256sum }}
         checksum/dashboard: {{ include (print $.Template.BasePath "/secret-dashboard.yaml") . | sha256sum }}
-        checksum/intel: {{ include (print $.Template.BasePath "/secret-intel.yaml") . | sha256sum }}
+        checksum/intel: {{- if not .Values.intelsecret.enabled }} {{ include (print $.Template.BasePath "/secret-intel.yaml") . | sha256sum }} {{- else }} "external" {{- end }}
         checksum/ssl: {{ include (print $.Template.BasePath "/secret-ssl.yaml") . | sha256sum }}
       {{- with .Values.podAnnotations }}
         {{- toYaml . | nindent 8 }}
@@ -139,15 +139,27 @@ spec:
             value: {{ .Values.codetogether.timeZone.region | quote }}
           {{- end }}
 
+          {{- if and .Values.intelsecret.enabled (not .Values.intelsecret.ref) }}
+          {{- fail "intelsecret.enabled=true requires intelsecret.ref (existing Secret name)" -}}
+          {{- end }}
+
           - name: CT_INTEL_URL
             valueFrom:
               secretKeyRef:
-                name: {{ include "codetogether.fullname" . }}-intel
+                name: {{ if .Values.intelsecret.enabled -}}
+                        {{ .Values.intelsecret.ref | quote }}
+                      {{- else }}
+                        {{ printf "%s-intel" (include "codetogether.fullname" .) | quote }}
+                      {{- end }}
                 key: url
           - name: CT_INTEL_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ include "codetogether.fullname" . }}-intel
+                name: {{ if .Values.intelsecret.enabled -}}
+                        {{ .Values.intelsecret.ref | quote }}
+                      {{- else }}
+                        {{ printf "%s-intel" (include "codetogether.fullname" .) | quote }}
+                      {{- end }}
                 key: secret
           {{- if .Values.dashboard.enabled }}
           - name: CT_DASHBOARD_USER
@@ -182,6 +194,10 @@ spec:
               name: codetogether-runtime
             - mountPath: /tmp
               name: codetogether-tmp
+            - mountPath: /var/log/nginx
+              name: codetogether-runtime
+            - mountPath: /var/cache/nginx
+              name: codetogether-runtime
             {{- if .Values.favicon.enabled }}
             - mountPath: /opt/volatile-template/nginx/favicon.ico
               name: favicon-volume

charts/collab/templates/secret-intel.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.intelsecret.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -8,3 +9,4 @@ type: Opaque
 data:
   url: {{ .Values.intel.url | b64enc | quote }}
   secret: {{ .Values.intel.secret | b64enc | quote }}
+{{- end }}

charts/collab/values.yaml

@@ -37,6 +37,11 @@ imageCredentials:
 openshift:
   enabled: false
 
+# Optional: use an existing secret for Intel connection
+intelsecret:
+  enabled: false              # default OFF - chart-managed secret
+  ref: ""                     # name of existing Secret (must have keys: url, secret)
+
 #
 # Values required for establishing connection with the Intel server.
 #
@@ -206,13 +211,13 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {}
+securityContext: {} #defaults to
   # capabilities:
   #   drop:
   #   - ALL
-  # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # readOnlyRootFilesystem: true # enable for read-only setup
+  # runAsUser: 0 # Use '0' for root user for read-only setup
 
 readinessProbe:
   initialDelaySeconds: 60

charts/intel/templates/ai-config.yaml

@@ -2,10 +2,11 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: ai-config
+  name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }}
   namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "codetogether.labels" . | nindent 4 }}
 data:
   ai_provider: {{ .Values.ai.provider | quote }}
   ai_url: {{ .Values.ai.url | quote }}
-{{- end }}
-
+{{- end }}

charts/intel/templates/deployment.yaml

@@ -26,6 +26,17 @@ spec:
       imagePullSecrets:
         - name: {{ include "codetogether.fullname" . }}-pull-secret
       {{- end }}
+      {{- if .Values.readOnlyMode.enabled }}
+      initContainers:
+        - name: prepare-ro
+          image: busybox:latest
+          securityContext:
+            runAsUser: 0
+          command: ["sh", "-lc", "mkdir -p /mnt/volatile/var-log-nginx /mnt/volatile/var-cache-nginx /mnt/var/log-codetogether || true"]
+          volumeMounts:
+            - name: volatile
+              mountPath: /mnt/volatile
+      {{- end }}
       serviceAccountName: {{ include "codetogether.serviceAccountName" . }}
       containers:
         - name: {{ .Chart.Name }}
@@ -44,12 +55,12 @@ spec:
             - name: AI_PROVIDER
               valueFrom:
                 configMapKeyRef:
-                  name: ai-config
+                  name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }}
                   key: ai_provider
             - name: AI_EXTERNAL_URL
               valueFrom:
                 configMapKeyRef:
-                  name: ai-config
+                  name: {{ printf "%s-ai-config" (include "codetogether.fullname" .) }}
                   key: ai_url
             - name: AI_EXTERNAL_API_KEY
               valueFrom:
@@ -76,6 +87,10 @@ spec:
                   key: {{ .Values.java.customCacerts.trustStorePasswordKey }}
                   optional: true
             {{- end }}
+            {{- if .Values.codetogether.trustAllCerts }}
+            - name: CT_TRUST_ALL_CERTS
+              value: "true"
+            {{- end }}
             {{- if .Values.ai.enabled }}
             - name: CT_HQ_OLLAMA_AI_URL
               value: {{ if eq .Values.ai.mode "bundled" }}
@@ -104,6 +119,20 @@ spec:
               mountPath: /etc/ssl/certs/java/cacerts
               subPath: cacerts
             {{- end }}
+            {{- if .Values.readOnlyMode.enabled }}
+            - name: volatile
+              mountPath: /run/volatile
+            - name: run
+              mountPath: /run
+            - name: tmp
+              mountPath: /tmp
+            - name: volatile
+              mountPath: /var/log/nginx
+              subPath: var-log-nginx
+            - name: volatile
+              mountPath: /var/cache/nginx
+              subPath: var-cache-nginx            
+            {{- end }}
           ports:
             - name: http
               containerPort: 1080
@@ -152,6 +181,16 @@ spec:
           secret:
             secretName: {{ .Values.java.customCacerts.cacertsSecretName }}
         {{- end }}
+        {{- if .Values.readOnlyMode.enabled }}
+        - name: volatile
+          emptyDir: {}
+        - name: run
+          emptyDir:
+            medium: Memory
+        - name: tmp
+          emptyDir:
+            medium: Memory
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/intel/templates/secrets.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.ai.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -14,3 +15,4 @@ data:
   external-ai-key: {{ .Values.ai.external.api_key | b64enc }}
   {{- end }}
   {{- end }}
+{{- end }}

charts/intel/values.yaml

@@ -32,12 +32,14 @@ imageCredentials:
   email: unused
 
 #
-# Set CodeTogether runing mode and server's FQDN (HTTPS is mandatory for CodeTogether)
+# Set CodeTogether running mode and server's FQDN (HTTPS is mandatory for CodeTogether)
 # Use 'direct' for simple evaluations and small deployments. CodeTogether can provide
 # guidance on the best deployment option based on your needs.
 #
 codetogether:
   url: https://<server-fqdn>
+  trustAllCerts: false  # Set to 'true' to trust all certificates
+
 
 hqproperties:
   hq.sso.client.id: CLIENTID.apps.googleusercontent.com
@@ -130,20 +132,26 @@ serviceAccount:
 
 podAnnotations: {}
 
-securityContext: {}
+securityContext: {} #defaults to
+
   # capabilities:
   #   drop:
   #   - ALL
-  # readOnlyRootFilesystem: true
+  #readOnlyRootFilesystem: true  # enable for read-only setup
+  #runAsUser: 0 # Use '0' for root user for read-only setup
   # runAsNonRoot: true
   # runAsUser: 1000
 
 ai:
   enabled: false
   mode: "bundled"  # Options: bundled | external
-  image:
-    repository: hub.edge.codetogether.com/releases/codetogether-llm
-    tag: latest
+  provider: ""
+  url: ""
+  modelName: "gemma3:1b"
+  externalSecret:
+    create: false
+    name: ""
+    apiKey: ""
 #  resources:       # Recommended resources configuration
  #   requests:
   #    cpu: "2"
@@ -173,3 +181,6 @@ tolerations: []
 affinity: {}
 
 replicaCount: 1
+
+readOnlyMode:
+  enabled: false # Set to 'true' to enable read-only mode

compose/.env-template

@@ -51,3 +51,7 @@ DHPARAM_PEM=dhparam.pem
 # Uncomment the following lines to enable AI integration with Ollama
 #CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000
 #CT_HQ_OLLAMA_AI_MODEL_NAME=gemma3:1b
+
+# Enable “to trust all certificates”
+CT_TRUST_ALL_CERTS=false
+

compose/.env-with-keycloak-template

@@ -55,8 +55,8 @@ SSL_KEYCLOAK_KEY=ssl-keycloak.key
 KEYCLOAK_DB_USERNAME=keycloak
 KEYCLOAK_DB_PASSWORD=keycloak
 
-KEYCLOAK_ADMIN_PASSWORD=keycloak
-KEYCLOAK_ADMIN=admin
+KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak
+KC_BOOTSTRAP_ADMIN_USERNAME=admin
 
 # Uncomment the following lines to enable AI integration with Ollama
 #CT_HQ_OLLAMA_AI_URL=http://codetogether-llm:8000

compose/keycloak/.env-template

@@ -5,5 +5,5 @@ SSL_KEYCLOAK_KEY=ssl-keycloak.key
 KEYCLOAK_DB_USERNAME=keycloak
 KEYCLOAK_DB_PASSWORD=keycloak
 
-KEYCLOAK_ADMIN_PASSWORD=keycloak
-KEYCLOAK_ADMIN=admin
+KC_BOOTSTRAP_ADMIN_PASSWORD=keycloak
+KC_BOOTSTRAP_ADMIN_USERNAME=admin