CodeTogether HQ On-Premises Installation via Kubernetes
Using Kubernetes (k8s) is the recommended approach for larger scale deployments in an Enterprise as it is easier to provide seamless upgrades and high availability via replicas. During upgrades of the HQ container, k8s will automatically handle spinning up the new instance while keeping the old around.
Step 1. Set Up Cassandra
To start with Cassandra, you are first required to activate the Bitnami chart repository from which the core Cassandra configuration will come from:
helm repo add bitnami https://charts.bitnami.com/bitnami
Once the repository is added, you will then create the values file to start Cassandra. By default, this can be quite a simple file similar to the following. Adjust the password as desired.
cassandra-values.yaml
global:
storageClass: do-block-storage
dbUser:
user: cassandra
password: cassandra
Once the file is ready, start up Cassandra in k8s.
helm install codetogether-cassandra bitnami/cassandra -f cassandra-values.yaml
To monitor the status of the pod coming up, you can check status using this command.
kubectl exec -it --namespace default $(kubectl get pods --namespace default -l app.kubernetes.io/name=cassandra,app.kubernetes.io/instance=codetogether-cassandra -o jsonpath='{.items[0].metadata.name}') -- nodetool status
Once the pod is up and running, you need to connect in to enable the keyspace that CodeTogether HQ will be using on the server. To connect into Cassandra, you will use a one-time use client to Cassandra that allows you to run the cli to create the keyspaces. The pod will go away once you're done with it.
kubectl run --namespace default codetogether-cassandra-client --rm --tty -i --restart='Never' --image docker.io/bitnami/cassandra:4.1.3-debian-11-r71 -- bash
Once you are in the Cassandra cli, you connect in using a command similar to the following and create the keyspace using a regular replication strategy.
I have no name!@codetogether-cassandra-client:/$ cqlsh -u cassandra -p cassandra codetogether-cassandra.default.svc.cluster.local
Warning: Using a password on the command line interface can be insecure.
Recommendation: use the credentials file to securely provide the password.
Connected to cassandra at hq-cassandra.default.svc.cluster.local:9042
[cqlsh 6.1.0 | Cassandra 4.1.3 | CQL spec 3.4.6 | Native protocol v5]
Use HELP for help.
cassandra@cqlsh> CREATE KEYSPACE hq WITH replication = {'class':'SimpleStrategy', 'replication_factor' : 1};
cassandra@cqlsh> exit
Step 2. Set Up External DNS (Optional)
Depending on your Kubernetes configuration, you may want to activate External DNS updating to your DNS service to facilitate automatic provisioning of DNS names. If you use a different system or prefer to map IP addresses manually, this step can be skipped.
provider: <provider>
digitalocean:
apiToken: <api-token>
interval: "1m"
policy: sync
To start External DNS which is also included in the Bitnami repository, simply run the following command:
helm install external-dns bitnami/external-dns -f externaldns-values.yaml
To monitor the startup of the External DNS pod you can run this command:
kubectl --namespace=default get pods -l "app.kubernetes.io/name=external-dns,app.kubernetes.io/instance=external-dns"
Step 3. Enable Nginx Ingress (Optional)
Depending on your Kubernetes configuration, you can decide what sort of Ingress controller you use. The example values file shared below assumes using the Nginx ingress, which if not active can be enabled via first adding the chart repository:
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
Next, install the Nginx ingress in the Kubernetes pod.
helm install nginx-ingress ingress-nginx/ingress-nginx --set controller.publishService.enabled=true
Step 4. Register the SSL Certificate
To prepare for the CodeTogether container’s ingress, you’ll need to register the SSL configuration files as secrets in Kubernetes.
kubectl create secret tls codetogether-hq-tls --key ssl.key --cert ssl.bundle.crt
Configuring the SSL certificate requires a trusted certificate that is fully rooted on the Internet including providing the intermediate certificates in the ssl-bundle.crt
file. Given the variety of clients and IDEs used with CodeTogether HQ, this is important to simplify any client-side configuration required. Use of an internal certificate or a certificate that is not fully rooted will require additional complex configuration within IDE clients to trust the certificate.
Step 5. Configure the Values for CodeTogether HQ
To access the full values.yaml
template file, download the latest version from GitHub. The following section will highlight section by section the values that should be configured as part of running via Kubernetes.
Download the latest version of the file from:
https://github.com/CodeTogether-Inc/CodeTogether-Deployment/blob/main/charts/hq/values.yaml
Set Up Registry Access
Provide your credentials to the CodeTogether HQ docker registry:
imageCredentials:
enabled: true
registry: hub.edge.codetogether.com
username: "my-customer-username"
password: "my-customer-password"
email: unused
Configure Server URL
Set the URL that will be used to connect to the server:
codetogether:
url: https://<server-fqdn>
Configure HQ Services
Provide the CodeTogether HQ container configuration properties. The following are the initial values that typically need to be configured with the exception of single sign-on values covered below.
cthq.properties
hqproperties:
hq.sso... (see below)
hq.db.type: CASSANDRA
hq.secret: SECRET1
hq.encryption.secret: SECRET2
hq.base.url: https://<server-fqdn>
hq.cassandra.db.name: hq
hq.cassandra.db.port: 9042
hq.cassandra.db.host: codetogether-cassandra.default.svc.cluster.local
hq.sso.redirect.uri: https://<server-fqdn>/api/v1/auth/sso/success/insights
hq.cassandra.db.password: cassandra
hq.cassandra.db.username: cassandra
# Default value is datacenter1, uncomment if using a custom name
# hq.cassandra.db.localdatacenter: datacenter1
If you followed the instructions above, the Cassandra database will be under the codetogether-cassandra name in the k8s Pod. If the name was changed, make sure to update it above.
Regarding the SSO configuration (hq.sso…), the following are the different keys that should be present to connect to your sign-on service.
hqproperties: (continues from above)
# Values that must be present for configuring SSO
hq.sso.client.id: <clientid>
hq.sso.client.secret: <clientsecret>
hq.sso.redirect.uri: https://<server-fqdn>/api/v1/auth/sso/success/insights
# Generic single sign-on configuration --
hq.sso.client.issuer.url: https://<sso-fqdn>/<path>/.well-known/openid-configuration
# hq.sso.name.attr: [preferred_username|name]
# Example for connecting with Keycloak --
# hq.sso.client.issuer.url: https://<keycloak-fqdn>/realms/<realm>
# Example for connecting to GitHub --
# hq.sso.provider: github
# hq.sso.auth.uri: https://github.com/login/oauth/authorize
# hq.sso.token.uri: https://github.com/login/oauth/access_token
# hq.sso.info.uri: https://api.github.com/user
# hq.sso.jwt.set.uri: https://token.actions.githubusercontent.com/.well-known/jwks
# hq.sso.logout.uri: https://github.com/logout
# hq.sso.name.attr: name
The majority of SSO providers require only a few settings to get connected. The issuer URL tells CodeTogether how to talk to the server, the client ID and secret are configured within the single sign-on service and authorize our backend to talk to the server. CodeTogether normally works well out of the box, but you can also set the primary name attribute to use for names in the system.
For GitHub, it can be configured using a different integration which provides added value. Most importantly, it allows CodeTogether to get all committer IDs for the users that are logging in, which eliminates extra steps requiring each end user to register their additional emails after login.
When in doubt, please contact your CodeTogether technical support representative for guidance on configuration of your specific SSO connection.
Configure Ingress
Configure the desired Ingress configuration. There are three key options, using className to determine which to use. In a default configuration, the already available ingress is likely the right option to choose and would look like the following. Note that you need to register the SSL certificate earlier.
ingress:
enabled: true
tls:
secretName: codetogether-hq-tls
The other values in the file likely do not require modification but can be changed based on your specific use cases or tuning as required.
Step 6. Start the CodeTogether HQ Backend
Before actually launching the CodeTogether backend, you first need to register the Helm chart repository for CodeTogether. Run the following command:
helm repo add codetogether https://helm.codetogether.io
Once the repository is set up, you can now start up the CodeTogether HQ Pod by running the following command:
helm install codetogether-hq codetogether/codetogether-hq -f values.yaml
Finally, you can monitor the pod to confirm it is up and running by using the following command:
kubectl --namespace=default get pods -l "app.kubernetes.io/name=codetogether-hq,app.kubernetes.io/instance=codetogether-hq"
With that, you can now connect to your server!
Simply open your browser to https://<server-fqdn>
and you’ll have an opportunity to log in via your single sign-on service and then proceed to provide your license file.
Continue next with the Getting Started Guide which walks through setting up projects and the flow for end-users of CodeTogether HQ.
Step 7. Applying Updates
To apply updates to CodeTogether, you can use the following command. Kubernetes will take into account starting up the new instance before spinning down the old, minimizing any downtime for users.
helm upgrade codetogether-hq codetogether/codetogether-hq -f values.yaml