This commit adds complete Terraform infrastructure as code for deploying code-server on both EC2 and EKS platforms with enterprise-grade security and SAML/OIDC authentication. Features: - EC2 deployment with Auto Scaling Groups and Application Load Balancer - EKS deployment with managed node groups and AWS Load Balancer Controller - Private network setup with VPC, private subnets, and NAT gateways - SAML/OIDC authentication using OAuth2 Proxy - Security hardening: - KMS encryption for data at rest - TLS encryption in transit - IAM roles with least privilege - Security groups with minimal access - VPC Flow Logs - IMDSv2 enforcement - Auto-scaling capabilities for both EC2 and EKS - CloudWatch logging and monitoring - Automated deployment scripts Terraform Modules: - modules/vpc: VPC with public/private subnets, NAT, and VPC endpoints - modules/security: Security groups, IAM roles, and KMS keys - modules/ec2: EC2 Auto Scaling deployment with ALB - modules/eks: EKS cluster with managed node groups and addons Deployments: - deployments/ec2: EC2 deployment configuration - deployments/eks: EKS deployment configuration with Kubernetes manifests Documentation: - README.md: Comprehensive deployment and operations guide - QUICK-START.md: Quick reference for fast deployment - SAML-SETUP-GUIDE.md: Step-by-step IdP configuration guide Scripts: - scripts/deploy-ec2.sh: Automated EC2 deployment - scripts/deploy-eks.sh: Automated EKS deployment - scripts/destroy-ec2.sh: EC2 cleanup - scripts/destroy-eks.sh: EKS cleanup
# Helm values for Code-Server deployment on EKS
#
# This file should be customized before deployment: at minimum the ingress
# host, the ACM certificate ARN and the storage class below are placeholders
# that must match the target account.

# Number of code-server pods. persistence.accessMode further down is
# ReadWriteOnce, so a second replica could not attach the same EBS volume
# from another node; keep this at 1 unless the storage layout changes.
replicaCount: 1
# Container image. The tag is pinned and quoted so a YAML loader does not
# read it as a number; for a stronger supply-chain guarantee, pin the image
# digest as well where the chart allows it.
image:
  repository: codercom/code-server
  tag: '4.18.0'
  pullPolicy: IfNotPresent

# Pull secrets for a private registry; empty means the public registry.
imagePullSecrets: []
# Chart naming: leave the chart name alone, but force the release
# resources to be called "code-server".
nameOverride: ''
fullnameOverride: 'code-server'
# Dedicated ServiceAccount for the pod. If the workload ever needs AWS API
# access, grant it per-pod through IRSA by adding the
# eks.amazonaws.com/role-arn annotation here instead of widening the node
# instance profile.
serviceAccount:
  create: true
  annotations: {}
  name: 'code-server'

# Annotations applied to the pod template (none by default).
podAnnotations: {}
# Pod-level security context: run as the unprivileged uid 1000 (the
# "coder" user of the upstream image) and give mounted volumes gid 1000 so
# the PVC is writable without any root step.
podSecurityContext:
  fsGroup: 1000
  runAsUser: 1000
  runAsNonRoot: true
# Container-level security context. fsGroup/runAsUser are repeated from
# podSecurityContext; presumably the chart reads this block.
# NOTE(review): confirm with `helm template` that the chart actually renders
# capabilities, readOnlyRootFilesystem and allowPrivilegeEscalation from
# these values. If its template only reads enabled/fsGroup/runAsUser, the
# extra keys are silently inert and the hardening they suggest is absent.
securityContext:
  enabled: true
  fsGroup: 1000
  runAsUser: 1000
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
  # Left writable: code-server writes to its config and user-data
  # directories at runtime. Revisit with emptyDir mounts for those paths
  # if a read-only root filesystem becomes a requirement.
  readOnlyRootFilesystem: false
  allowPrivilegeEscalation: false
# ClusterIP only: the pod is reached by the ALB (target-type ip below) and
# from inside the cluster, never through a NodePort. The security group on
# the pods/nodes must still admit the ALB's security group on 8080 or the
# target group health checks will fail.
service:
  type: ClusterIP
  port: 8080
# Ingress configuration with AWS Load Balancer Controller
ingress:
  enabled: true
  ingressClassName: 'alb'
  annotations:
    # Internal ALB: reachable only from inside the VPC (or via VPN/peering).
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/target-type: ip
    # Port 80 exists only to redirect; all real traffic is on 443. The HTTPS
    # listener needs a certificate: set certificate-arn below, or rely on
    # the controller's ACM discovery against the host name.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
    # /healthz is served by code-server without authentication.
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
    # TLS terminates at the ALB; ALB-to-pod traffic is plain HTTP on the
    # service port. End-to-end encryption would need the backend to serve
    # TLS and the backend-protocol annotation set to HTTPS.
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
    # Annotation values are strings; keep the numbers quoted.
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '30'
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '5'
    alb.ingress.kubernetes.io/healthy-threshold-count: '2'
    alb.ingress.kubernetes.io/unhealthy-threshold-count: '2'
    # Uncomment and set your certificate ARN
    # alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:region:account:certificate/xxxxx
    # Uncomment to set custom subnets
    # alb.ingress.kubernetes.io/subnets: subnet-xxxxx,subnet-yyyyy
    # Uncomment to set custom security groups
    # alb.ingress.kubernetes.io/security-groups: sg-xxxxx
  hosts:
    - host: code-server.example.com
      paths:
        - path: /
          pathType: Prefix
  # No Ingress-level TLS entries: the certificate lives on the ALB.
  tls: []
# CPU/memory reservation and ceiling for the code-server container. The
# request is what the scheduler guarantees; the limit is where the
# container is throttled (CPU) or killed (memory).
resources:
  limits:
    cpu: 2000m
    memory: 4Gi
  requests:
    cpu: 500m
    memory: 1Gi
# Persistent storage configuration
# The "gp3" StorageClass must exist in the cluster (EBS CSI driver).
# Encryption at rest for this volume is decided by that StorageClass's
# encrypted/kmsKeyId parameters (or the account's default EBS encryption),
# not by anything in this file — verify the class before relying on the
# KMS-at-rest claim.
persistence:
  enabled: true
  storageClass: 'gp3'
  # Single-writer block volume; ties replicaCount to 1.
  accessMode: ReadWriteOnce
  size: 20Gi
  annotations: {}
# Volume permissions init container
# Runs as root (uid 0) to fix ownership of the PVC; it is the only root
# process in the pod and would be rejected by a Pod Security "restricted"
# namespace. Since fsGroup 1000 is set above and the kubelet normally
# applies fsGroup to block-backed volumes on mount, this step is likely
# redundant — TODO confirm and disable it if so.
volumePermissions:
  enabled: true
  securityContext:
    runAsUser: 0
# Scheduling constraints; all empty, so the pod may land on any node in
# the managed node group.
nodeSelector: {}

tolerations: []

affinity: {}
# Extra environment variables. Values are strings and must stay quoted.
# Do not put credentials here: they would end up in the rendered
# Deployment spec. Use a Secret via extraSecretMounts instead.
extraVars:
  - name: DISABLE_TELEMETRY
    value: 'true'
# Extra arguments for code-server
# Left empty, so code-server keeps its default password-based login
# unless the chart overrides it. Only add `--auth none` once an
# authenticating proxy (the OAuth2 Proxy sidecar under extraContainers)
# actually sits in front of port 8080; as written, nothing in this file
# does.
extraArgs: []

# Lifecycle hooks
lifecycle:
  enabled: false
# Extra init containers (e.g., for installing extensions)
# The value is a string, presumably rendered as a template by the chart;
# the example below is commented out and therefore produces nothing. If
# enabled, it downloads extensions from Open VSX at every pod start, so
# pin explicit extension versions and consider an internal marketplace
# mirror so the pod does not depend on an external registry to boot.
extraInitContainers: |
  # - name: install-extensions
  #   image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
  #   imagePullPolicy: IfNotPresent
  #   env:
  #     - name: SERVICE_URL
  #       value: https://open-vsx.org/vscode/gallery
  #     - name: ITEM_URL
  #       value: https://open-vsx.org/vscode/item
  #   command:
  #     - sh
  #     - -c
  #     - |
  #       code-server --install-extension ms-python.python
  #       code-server --install-extension golang.Go
  #   volumeMounts:
  #     - name: data
  #       mountPath: /home/coder
# Extra containers (e.g., OAuth2 Proxy sidecar)
# Empty here, so the SAML/OIDC enforcement this deployment relies on is
# not part of this values file. Until the sidecar is added and the
# Service/Ingress target the proxy's port instead of 8080, the ALB reaches
# code-server directly; treat an empty value as "no SSO" when reviewing.
extraContainers: ""

# Extra secret mounts (e.g., the proxy's client and cookie secrets)
extraSecretMounts: []

# Extra volume mounts
extraVolumeMounts: []

# Extra configmap mounts
extraConfigmapMounts: []

# Extra ports (a proxy sidecar's listening port would be declared here)
extraPorts: []