This commit adds comprehensive VPN infrastructure to enable secure, certificate-based access to code-server deployments. VPN provides an additional security layer by requiring network-level authentication before accessing internal resources. Features: - AWS Client VPN endpoint with certificate-based authentication - Split tunnel support (route only VPC traffic through VPN) - CloudWatch logging for all VPN connections - Multi-platform client support (Windows, macOS, Linux, iOS, Android) - Automatic certificate generation and ACM upload - Client configuration export scripts - Integration with both EC2 and EKS deployments New Terraform Module: - modules/vpn: Complete AWS Client VPN infrastructure - VPN endpoint with configurable authentication - Network associations for HA across multiple AZs - Authorization rules for VPC access - Security groups for VPN traffic - CloudWatch log groups and streams - Support for SAML/federated authentication Scripts: - scripts/generate-vpn-certificates.sh: Generate and upload VPN certificates - Creates CA, server, and client certificates - Automatically uploads to AWS Certificate Manager - Outputs certificate ARNs for Terraform configuration - scripts/export-vpn-config.sh: Export client VPN configuration - Downloads VPN config from AWS - Embeds client certificates - Creates platform-ready .ovpn files Deployment Updates: - EC2 and EKS deployments now support optional VPN - New variables for VPN configuration - Updated outputs to include VPN endpoint information - Example configurations with VPN settings Documentation: - VPN-SETUP-GUIDE.md: Comprehensive VPN setup guide - Certificate generation process - Terraform configuration - Client setup for all major platforms - Testing and troubleshooting - Advanced configuration options - Cost considerations and optimization Configuration Options: - Certificate-based or SAML/SSO authentication - Split tunnel (recommended) or full tunnel - UDP (faster) or TCP (more reliable) transport - 
Configurable session timeout (8-24 hours) - Custom DNS servers - Client login banner - Multiple authorization rules Security Features: - X.509 certificate authentication - Private subnet associations - Network-level access control - Session logging and audit trail - Support for multi-factor (VPN cert + OAuth2/SAML) Cost: ~$216/month base + ~$0.40/user/day for active connections
# EKS Deployment Outputs
# Identifier of the VPC built by module.vpc.
output "vpc_id" {
  value       = module.vpc.vpc_id
  description = "ID of the VPC"
}
# Private subnet identifiers surfaced from module.vpc.
output "private_subnet_ids" {
  value       = module.vpc.private_subnet_ids
  description = "IDs of private subnets"
}
# Public subnet identifiers surfaced from module.vpc.
output "public_subnet_ids" {
  value       = module.vpc.public_subnet_ids
  description = "IDs of public subnets"
}
# Cluster identifier as reported by module.eks.
# NOTE(review): some EKS modules return an opaque ID here rather than the
# cluster name; the kubectl helpers below interpolate this value as `--name`,
# so confirm what module.eks.cluster_id actually resolves to.
output "eks_cluster_id" {
  value       = module.eks.cluster_id
  description = "ID of the EKS cluster"
}
# Kubernetes API server URL of the cluster. Whether it is reachable from
# outside the VPC depends on var.endpoint_public_access (see next_steps).
output "eks_cluster_endpoint" {
  value       = module.eks.cluster_endpoint
  description = "Endpoint of the EKS cluster"
}
# ARN of the cluster, e.g. for IAM policy conditions or cross-account references.
output "eks_cluster_arn" {
  value       = module.eks.cluster_arn
  description = "ARN of the EKS cluster"
}
# OIDC issuer URL of the cluster; this is the trust anchor used when binding
# IAM roles to service accounts (IRSA).
output "eks_cluster_oidc_issuer_url" {
  value       = module.eks.cluster_oidc_issuer_url
  description = "OIDC issuer URL of the EKS cluster"
}
# ARN of the KMS key owned by module.security. The key ARN itself is not a
# secret, so the output is deliberately not marked sensitive.
output "kms_key_arn" {
  value       = module.security.kms_key_arn
  description = "ARN of the KMS key for encryption"
}
# Client VPN endpoint ID, or null when the VPN is not deployed.
# The `[0]` index presumes module.vpn is declared with a count gated on
# var.enable_vpn, so the instance only exists when the flag is true —
# TODO confirm against the module "vpn" call site.
output "vpn_endpoint_id" {
  value       = var.enable_vpn ? module.vpn[0].vpn_endpoint_id : null
  description = "ID of the VPN endpoint (if enabled)"
}
# DNS name clients connect to, or null when the VPN is not deployed.
# Same count/flag coupling as vpn_endpoint_id: module.vpn[0] is only valid
# while var.enable_vpn keeps the module instantiated — TODO confirm.
output "vpn_endpoint_dns_name" {
  value       = var.enable_vpn ? module.vpn[0].vpn_endpoint_dns_name : null
  description = "DNS name of the VPN endpoint (if enabled)"
}
# Address pool handed out to VPN clients. Echoes the input variable rather
# than a module attribute, so it is only meaningful when var.enable_vpn is set.
output "vpn_client_cidr_block" {
  value       = var.enable_vpn ? var.vpn_client_cidr_block : null
  description = "CIDR block for VPN clients (if enabled)"
}
# Ready-to-paste command that writes a kubeconfig entry for the cluster.
# NOTE(review): `aws eks update-kubeconfig --name` expects the cluster name;
# confirm module.eks.cluster_id resolves to the name and not an opaque ID for
# the EKS module version in use.
output "configure_kubectl" {
  value       = "aws eks update-kubeconfig --region ${var.aws_region} --name ${module.eks.cluster_id}"
  description = "Command to configure kubectl"
}
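# Human-readable post-apply checklist printed by `terraform output next_steps`.
# It contains only non-secret identifiers (region, cluster id, VPN DNS name,
# client CIDR); no credentials or certificate material are interpolated here.
#
# The `<<-EOT` form strips the common leading indentation, so the indentation
# below is cosmetic. Each `join("\n ", [...])` renders a list of shell lines
# under its numbered step.
#
# NOTE(review): the kubectl one-liner interpolates module.eks.cluster_id as
# `--name`; confirm that value is the cluster name for the EKS module in use.
#
# The VPN paragraph is only rendered when var.enable_vpn is true; module.vpn[0]
# presumably exists only in that case (count gated on the flag) — TODO confirm.
output "next_steps" {
  description = "Next steps to complete the setup"
  value       = <<-EOT

    Code-Server EKS Deployment Complete!

    Next Steps:

    1. Configure kubectl to access the cluster:
     ${join("\n ", [
      "aws eks update-kubeconfig --region ${var.aws_region} --name ${module.eks.cluster_id}",
      "kubectl get nodes # Verify nodes are ready"
    ])}

    2. Deploy Code-Server using Helm:
     ${join("\n ", [
      "cd k8s",
      "# Edit code-server-values.yaml with your configuration",
      "helm upgrade --install code-server ../../ci/helm-chart \\",
      "  --namespace code-server \\",
      "  --create-namespace \\",
      "  --values code-server-values.yaml"
    ])}

    3. (Optional) Deploy OAuth2 Proxy for SAML authentication:
     ${join("\n ", [
      "# Edit k8s/oauth2-proxy.yaml with your SAML/OIDC configuration",
      "kubectl apply -f k8s/oauth2-proxy.yaml"
    ])}

    4. Get the Load Balancer URL:
     ${join("\n ", [
      "kubectl get ingress -n code-server",
      "# Wait for ADDRESS to be populated",
      "# The URL will be in the format: xxxxx.region.elb.amazonaws.com"
    ])}

    5. Configure DNS (if using custom domain):
     ${join("\n ", [
      "# Create a CNAME record pointing to the ALB DNS name",
      "# Update the ingress configuration with your domain"
    ])}

    6. Monitor the deployment:
     ${join("\n ", [
      "kubectl get pods -n code-server",
      "kubectl logs -n code-server -l app.kubernetes.io/name=code-server",
      "kubectl describe ingress -n code-server"
    ])}

    Security Notes:
    - All worker nodes are in private subnets
    - EKS API endpoint is ${var.endpoint_public_access ? "public" : "private (run the kubectl/helm steps above from inside the VPC, e.g. over the VPN if enabled)"}
    - Data is encrypted at rest using KMS
    - VPC Flow Logs are enabled for monitoring
    - IRSA (IAM Roles for Service Accounts) is enabled
    ${var.enable_vpn ? "\n VPN Configuration:\n - VPN Endpoint: ${module.vpn[0].vpn_endpoint_dns_name}\n - To export VPN configuration: ../../scripts/export-vpn-config.sh ${module.vpn[0].vpn_endpoint_id} ${var.aws_region}\n - VPN clients will receive IPs from: ${var.vpn_client_cidr_block}" : ""}

    Useful Commands:
    - Scale nodes: kubectl scale deployment code-server -n code-server --replicas=3
    - View logs: kubectl logs -n code-server -f deployment/code-server
    - Port forward (testing): kubectl port-forward -n code-server svc/code-server 8080:8080
  EOT
}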