Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions cspell.config.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -305,6 +305,9 @@ words:
- pguser
- dbname
- jdbc
- mflens
- APIURL
- DEPLOYMENTNAME
# Ignore RegExp patterns (for things like URLs, version numbers, etc.)
ignoreRegExpList:
# Ignore Cyrillic characters (non-English content in FAQ files)
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,194 @@
---
id: platform-managed-mode-configuration
sidebar_position: 3
title: Platform-managed Mode Configuration
description: How to switch to Platform-managed mode and migrate existing Keycloak users
pagination_prev: admin/configuration/access-control/access-control-overview
pagination_next: null
---

In **Platform-managed mode** (`ENABLE_USER_MANAGEMENT=true`), user roles and project
assignments are stored in the platform database and managed through the in-app UI
(**Settings → Administration**). This is in contrast to the default Keycloak-managed
mode, where roles and project access are read from JWT claims on every request.

For a comparison of both modes, see the
[Access Control Overview](./index.md#deployment-modes).

## Prerequisites

- Access to the Kubernetes cluster and Helm values file of AI/Run CodeMie Backend and UI
- If migrating from an existing Keycloak deployment: Keycloak service account client with `realm-management` roles in the target realm (see [Create Keycloak service account client](#create-keycloak-service-account-client))

---

## Step 1: Enable Platform-managed Mode

:::warning Both components must be updated
The AI/Run CodeMie backend and the UI must be configured consistently. Enabling only one of them results
in either missing UI controls or API errors.
:::

### AI/Run CodeMie Backend

Set the `ENABLE_USER_MANAGEMENT` environment variable to `true` in the AI/Run CodeMie Backend
deployment.

In the `codemie-api` Helm chart , add `ENABLE_USER_MANAGEMENT` to the `extraEnv` list:

```yaml
extraEnv:
- name: ENABLE_USER_MANAGEMENT
value: 'true'
```

Apply the changes to the deployment.

### AI/Run CodeMie UI

The UI must be told that Platform-managed mode is active so it shows the in-app
**Users management** and **Projects management** tabs under **Settings → Administration**.

In the `codemie-ui` Helm chart `values.yaml`, set:

```yaml
viteEnableUserManagement: true
```

Apply the changes to the deployment.

---

## Step 2: Migrate Existing Keycloak Users (existing deployments only)

:::info When is this step required?
Only perform this step if you are **switching an existing deployment** from Keycloak-managed
mode to Platform-managed mode and you are using `IDP_PROVIDER=keycloak`.

For **new installations** where `ENABLE_USER_MANAGEMENT=true` is set from the start, skip
this step entirely.
:::

When switching to Platform-managed mode on an existing deployment, the platform database
has no knowledge of existing Keycloak users or their project assignments. The one-time
Keycloak User Migration reads users and their `applications` / `applications_admin`
attributes from Keycloak and imports them into the platform database.

### 2.1 Configure migration environment variables

#### Create Keycloak service account client

In the Keycloak Admin Console, create a new client in the target realm:

1. Go to **Clients** and click **Create client**.
2. Set **Client ID** to `codemie-migration-client`, **Client type** to `OpenID Connect`. Click **Next**.
3. In **Capability config**, enable **Client authentication** and **Authorization**. Enable **Service accounts roles** under **Authentication flow**. Click **Next**.
4. In **Access settings**, set **Valid redirect URIs** and **Web origins** to `/*`. Click **Save**.
5. Go to the **Service accounts roles** tab and assign the following `realm-management` roles:
- `view-users`
- `view-clients`
- `view-authorization`
- `view-events`
- `view-realm`
- `view-identity-providers`
- `query-users`
- `query-clients`
- `query-groups`
- `query-realms`
6. Go to the **Credentials** tab and copy the **Client secret**.

#### Configure environment variables

Add the following environment variables to the AI/Run CodeMie Backend deployment alongside
`ENABLE_USER_MANAGEMENT=true`:

| Variable | Example value | Description |
| ------------------------------ | ------------------------------ | ---------------------------------------------------------------- |
| `KEYCLOAK_MIGRATION_ENABLED` | `true` | Enables the one-time import on startup. Disable after first run. |
| `KEYCLOAK_ADMIN_URL` | `https://keycloak.example.com` | Keycloak base URL (no trailing slash, no `/auth` path). |
| `KEYCLOAK_ADMIN_REALM` | `codemie-prod` | Realm that contains the users to migrate. |
| `KEYCLOAK_ADMIN_CLIENT_ID` | `codemie-migration-client` | Service account client ID with admin read permissions. |
| `KEYCLOAK_ADMIN_CLIENT_SECRET` | _(from Kubernetes secret)_ | Service account client secret. Use a Kubernetes secret. |

#### Create Kubernetes secret for the client secret

Before applying the Helm configuration, create a Kubernetes secret to store the Keycloak
service account client secret:

```bash
kubectl create secret generic codemie-migration-secret \
--from-literal=client_secret=<keycloak-client-secret> \
-n codemie
```

#### Example Helm configuration

```yaml
extraEnv:
- name: ENABLE_USER_MANAGEMENT
value: 'true'
- name: KEYCLOAK_MIGRATION_ENABLED
value: 'true'
- name: KEYCLOAK_ADMIN_URL
value: 'https://keycloak.example.com'
- name: KEYCLOAK_ADMIN_REALM
value: 'codemie-prod'
- name: KEYCLOAK_ADMIN_CLIENT_ID
value: 'codemie-migration-client'
- name: KEYCLOAK_ADMIN_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: codemie-migration-secret
key: client_secret
```

### 2.2 Disable migration after the first run

:::danger Disable after migration
Leave `KEYCLOAK_MIGRATION_ENABLED=true` running beyond the first successful startup will
re-import users on every pod restart, potentially overwriting manual changes made in the
in-app UI.
:::

After confirming the migration completed successfully, set `KEYCLOAK_MIGRATION_ENABLED`
back to `false` (or remove the variable entirely):

```yaml {4-5}
extraEnv:
- name: ENABLE_USER_MANAGEMENT
value: 'true'
- name: KEYCLOAK_MIGRATION_ENABLED
value: 'false'
```

Apply the changes to the deployment.

---

## Verification

After completing all steps, verify the setup:

1. Log in to the AI/Run CodeMie UI as an `admin` user.
2. Navigate to **Settings → Administration**.
3. Confirm the **Users management** and **Projects management** tabs are visible.
4. Check that existing users (if migrated) appear under **Users management** with their
project assignments intact.

## Granting Maintainer Role

The **Maintainer** role is a superset of Admin that additionally grants access to budget management. To assign it to a user, run the following SQL against the platform database:

```sql
UPDATE users SET is_maintainer = true, is_admin = true WHERE email = '<user-email>';
```

:::info
`is_admin` must also be set to `true` — the Maintainer role implies Admin.
:::

## See Also

- [API Configuration Reference — User Management Mode](../codemie/api-configuration.md#user-management-mode)
- [Platform Administration Guide](../codemie/platform-administration.md)
- [Project & User Management](../../../user-guide/project-user-management/projects.md)
29 changes: 17 additions & 12 deletions docs/admin/configuration/codemie/api-configuration.md
Original file line number Diff line number Diff line change
Expand Up @@ -218,11 +218,12 @@ Primary relational database for structured data and transactional operations.

Document store for full-text search, analytics, and unstructured data.

| Parameter | Type | Default | Description |
| ------------------ | ------ | ------------------------- | -------------------------------------------------- |
| `ELASTIC_URL` | string | `"http://localhost:9200"` | Elasticsearch cluster endpoint URL |
| `ELASTIC_PASSWORD` | string | `""` | Password for `elastic` user or configured username |
| `ELASTIC_USERNAME` | string | `""` | Username for Elasticsearch authentication |
| Parameter | Type | Default | Description |
| ----------------------------- | ------- | ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `ELASTIC_URL` | string | `"http://localhost:9200"` | Elasticsearch cluster endpoint URL |
| `ELASTIC_PASSWORD` | string | `""` | Password for `elastic` user or configured username |
| `ELASTIC_USERNAME` | string | `""` | Username for Elasticsearch authentication |
| `ELASTIC_DATASOURCE_REPLICAS` | integer | `1` | Number of replica shards for datasource indexes; set to `0` to have only the primary shard for each indexed datasource, reducing total shard usage on clusters with limited capacity |

#### Elasticsearch Indexes

Expand All @@ -232,7 +233,7 @@ Index names for different data types. Customize to avoid collisions in shared cl
| ----------------------------------------- | ------------ | -------------------------------------- | -------------------------------------------------------- |
| `ELASTIC_APPLICATION_INDEX` | string | `"applications"` | Indexed applications and their metadata |
| `ELASTIC_GIT_REPO_INDEX` | string | `"repositories"` | Code repository metadata and indexing status |
| `ELASTIC_LOGS_INDEX` | string | `"codemie_infra_logs*"` | Infrastructure logs pattern for monitoring and debugging |
| `ELASTIC_LOGS_INDEX` | string | `"logs-codemie-infra*"` | Infrastructure logs pattern for monitoring and debugging |
| `FEEDBACK_INDEX_NAME` | string | `"ca_feedback"` | User feedback and ratings on AI responses |
| `BACKGROUND_TASKS_INDEX` | string | `"background_tasks"` | Async task queue and execution status |
| `USER_CONVERSATION_INDEX` | string | `"codemie_raw_user_conversations"` | Complete conversation history and messages |
Expand Down Expand Up @@ -273,7 +274,7 @@ Configuration for Amazon S3 storage backend (requires `FILES_STORAGE_TYPE=aws`).

| Parameter | Type | Default | Description |
| ----------------------------- | ------ | -------------------------- | ------------------------------------------------------------------------------------------------- |
| `AWS_DEFAULT_REGION` | string | `""` | AWS region. Must be set if `AWS_S3_REGION` is not configured |
| `AWS_DEFAULT_REGION` | string | `""` | AWS region. Must be set if `AWS_S3_REGION` or `AWS_KMS_REGION` are not configured |
| `AWS_S3_REGION` | string | `AWS_DEFAULT_REGION` | S3-specific region override. When set, takes priority over `AWS_DEFAULT_REGION` for S3 operations |
| `AWS_S3_BUCKET_NAME` | string | `""` | S3 bucket name for user files and attachments |
| `CODEMIE_STORAGE_BUCKET_NAME` | string | `"codemie-global-storage"` | Bucket for system-level shared assets and resources |
Expand Down Expand Up @@ -311,10 +312,10 @@ Protect sensitive data at rest using cloud key management services or HashiCorp

Encrypt secrets and sensitive data using AWS Key Management Service.

| Parameter | Type | Default | Description |
| ---------------- | ------ | ------- | ------------------------------------------------------ |
| `AWS_KMS_KEY_ID` | string | `""` | KMS key ID or ARN for encryption/decryption operations |
| `AWS_KMS_REGION` | string | `""` | AWS region where KMS key is located |
| Parameter | Type | Default | Description |
| ---------------- | ------ | -------------------- | --------------------------------------------------------------------------------------------------- |
| `AWS_KMS_KEY_ID` | string | `""` | KMS key ID or ARN for encryption/decryption operations |
| `AWS_KMS_REGION` | string | `AWS_DEFAULT_REGION` | KMS-specific region override. When set, takes priority over `AWS_DEFAULT_REGION` for KMS operations |

### Azure Key Vault

Expand Down Expand Up @@ -381,6 +382,10 @@ Controls whether user roles and project access are read from JWT claims (Keycloa
or stored in the platform database (Platform-managed mode). See
[Access Control Overview](../access-control/index.md) for a full comparison.

For step-by-step instructions on enabling Platform-managed mode and migrating existing
Keycloak users, see
[Platform-managed Mode Configuration](../access-control/platform-managed-mode-configuration.md).

| Parameter | Type | Default | Description |
| ------------------------ | ---- | ------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| `ENABLE_USER_MANAGEMENT` | bool | `false` | Master switch. `true` enables Platform-managed mode: roles and project membership are stored in the platform DB and managed through the in-app UI. `false` uses Keycloak-managed mode where JWT claims are the authoritative source. |
Expand All @@ -398,7 +403,7 @@ database on startup.
| `KEYCLOAK_ADMIN_URL` | string | `""` | Keycloak base URL for admin API access (e.g., `https://keycloak.example.com`). |
| `KEYCLOAK_ADMIN_REALM` | string | `""` | Keycloak realm to migrate (e.g., `codemie-prod`). |
| `KEYCLOAK_ADMIN_CLIENT_ID` | string | `""` | Service account client ID with Keycloak admin permissions. |
| `KEYCLOAK_ADMIN_CLIENT_SECRET` | string | `""` | Service account client secret. Store in a Kubernetes secret and reference via `valueFrom.secretKeyRef`. |
| `KEYCLOAK_ADMIN_CLIENT_SECRET` | string | `""` | Service account client secret. |

---

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ import TabItem from '@theme/TabItem';

The Code Executor runs Python code in isolated Kubernetes pods with enforced resource limits and security policies.

It supports three deployment modes: local execution inside the API pod, sandbox pods in the same cluster, or sandbox pods in a dedicated cluster.
It supports four deployment modes: local execution inside the API pod, sandbox pods in the same cluster with shared namespace, sandbox pods in the same cluster with dedicated namespace, or sandbox pods in a dedicated cluster.

## Choosing a Deployment Mode

Expand All @@ -23,7 +23,7 @@ It supports three deployment modes: local execution inside the API pod, sandbox
| **Same cluster, dedicated namespace** | Namespace-level workload isolation | Separate pod, separate namespace | Yes (cross-namespace) |
| **Dedicated cluster** | Compliance, multi-tenant environments | Full cluster isolation | No (kubeconfig) |

## Deployment Options
## Deployment Modes

### Local Mode

Expand Down Expand Up @@ -121,7 +121,7 @@ extraEnv:

## Updating CodeMie API

After configuring any sandbox option, add the following common environment variables and apply the chart:
After configuring a sandbox deployment mode (Same Cluster or Dedicated Cluster), add the following environment variables and apply the chart:

```yaml
extraEnv:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,7 @@ Configuration examples for these models can be found in the provider-specific se
| [`gpt-5-2-2025-12-11`](#gpt-52) | GPT-5.2 |
| [`gpt-5.3-codex-2026-02-24`](#gpt-53-codex) | GPT-5.3 Codex |
| [`gpt-5.4-2026-03-05`](#gpt-54) | GPT-5.4 |
| [`gpt-5.5-2026-04-24`](#gpt-55) | GPT-5.5 |
| [`o1`](#o1) | o1 |
| [`o3-mini`](#o3-mini) | o3 mini |
| [`o3-2025-04-16`](#o3) | o3 |
Expand Down Expand Up @@ -930,6 +931,39 @@ model_list:

</details>

### GPT-5.5 series

#### GPT-5.5

<details>
<summary><strong>GPT-5.5</strong></summary>

```yaml
# US Region
- model_name: gpt-5.5-2026-04-24
litellm_params:
model: azure/codemie-gpt-5.5-2026-04-24
api_base: https://api-base-eastus2-0.openai.azure.com/
litellm_credential_name: default_azure_openai_credential
model_info:
id: gpt-5-5-2026-04-24-eastus2-0
base_model: azure/gpt-5.5
label: "GPT-5.5"

# EU Region
- model_name: gpt-5.5-2026-04-24
litellm_params:
model: azure/codemie-gpt-5.5-2026-04-24
api_base: https://api-base-swedencentral-0.openai.azure.com/
litellm_credential_name: default_azure_openai_credential
model_info:
id: gpt-5-5-2026-04-24-swedencentral-0
base_model: azure/gpt-5.5
label: "GPT-5.5"
```

</details>

### GPT-5-codex

#### GPT-5.3-codex
Expand Down
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading