diff --git a/argocd-apps/homelab.yaml b/argocd-apps/homelab.yaml
index 6a0ba50..51cb58f 100644
--- a/argocd-apps/homelab.yaml
+++ b/argocd-apps/homelab.yaml
@@ -680,3 +680,25 @@ spec:
 - CreateNamespace=true
 - PruneLast=true
 ---
+# Code-server
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: code-server
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: homelab
+ source:
+ repoURL: https://gitea.dooplex.hu/admin/homelab-manifests.git
+ targetRevision: main
+ path: code-system
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: code-system
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - PruneLast=true
+---
diff --git a/code-system/code.yaml b/code-system/code.yaml
new file mode 100644
index 0000000..d4244cc
--- /dev/null
+++ b/code-system/code.yaml
@@ -0,0 +1,230 @@
+# code-server - VS Code in the browser
+# https://github.com/coder/code-server
+# Version: v4.107.0
+# Domain: code.dooplex.hu
+# Auth: Authentik Forward Auth (Proxy) - no native OIDC support
+#
+# code-server's built-in auth is basic password-based, so we use
+# Authentik forward auth for SSO and disable internal auth.
+#
+# Authentik Setup:
+# 1. Create Proxy Provider:
+# - Name: code-server
+# - External Host: https://code.dooplex.hu
+# - Mode: Forward auth (single application)
+# 2. Create Application linked to this provider
+# 3. Create Outpost (or add to existing) with this provider
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: code-system
+ labels:
+ app.kubernetes.io/name: code-server
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: code-server
+ namespace: code-system
+ labels:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server
+ spec:
+ securityContext:
+ fsGroup: 1000
+ containers:
+ - name: code-server
+ image: codercom/code-server:4.107.0
+ args:
+ - --bind-addr=0.0.0.0:8080
+ - --auth=none
+ - --disable-telemetry
+ - --disable-update-check
+ env:
+ - name: TZ
+ value: "Europe/Budapest"
+ - name: HOME
+ value: "/home/coder"
+ - name: USER
+ value: "coder"
+ # Proxy trust for headers
+ - name: CS_DISABLE_PROXY_TRUST
+ value: "false"
+ ports:
+ - containerPort: 8080
+ name: http
+ resources:
+ requests:
+ cpu: 200m
+ memory: 512Mi
+ limits:
+ cpu: 2000m
+ memory: 4Gi
+ volumeMounts:
+ - name: config
+ mountPath: /home/coder/.config
+ - name: workspace
+ mountPath: /home/coder/workspace
+ - name: local
+ mountPath: /home/coder/.local
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ volumes:
+ - name: config
+ persistentVolumeClaim:
+ claimName: code-server-config
+ - name: workspace
+ persistentVolumeClaim:
+ claimName: code-server-workspace
+ - name: local
+ persistentVolumeClaim:
+ claimName: code-server-local
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: code-server
+ namespace: code-system
+ labels:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 8080
+ targetPort: http
+ selector:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server
+---
+# Ingress with Authentik forward auth
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: code-server
+ namespace: code-system
+ labels:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ external-dns.alpha.kubernetes.io/hostname: code.dooplex.hu,code.home
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/proxy-body-size: "500m"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+ # WebSocket support for code-server
+ nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
+ nginx.ingress.kubernetes.io/upstream-hash-by: "$remote_addr"
+ # Authentik forward auth
+ nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-code-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+ nginx.ingress.kubernetes.io/auth-signin: https://code.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Host $http_host;
+spec:
+ ingressClassName: nginx-internal
+ rules:
+ - host: code.dooplex.hu
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: code-server
+ port:
+ number: 8080
+ - host: code.home
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: code-server
+ port:
+ number: 8080
+ tls:
+ - hosts:
+ - code.dooplex.hu
+ secretName: code-server-tls
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: code-server-config
+ namespace: code-system
+ labels:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server-config
+ recurring-job-group.longhorn.io/needbackup: enabled
+ recurring-job.longhorn.io/source: enabled
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 2Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: code-server-workspace
+ namespace: code-system
+ labels:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server-workspace
+ recurring-job-group.longhorn.io/needbackup: enabled
+ recurring-job.longhorn.io/source: enabled
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: code-server-local
+ namespace: code-system
+ labels:
+ app.kubernetes.io/instance: code-server
+ app.kubernetes.io/name: code-server-local
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 5Gi
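Review bot: `--auth=none` in the container args makes the Ingress forward-auth annotations the only authentication, yet the ClusterIP Service exposes port 8080 to every pod in the cluster, so any workload that can reach `code-server.code-system.svc.cluster.local:8080` gets an unauthenticated editor with a terminal in the pod and the mounted workspace. A NetworkPolicy in `code-system` that admits ingress to the code-server pod only from the namespace running the `nginx-internal` controller would keep the Authentik check from being bypassed by an in-cluster client or by a second Ingress or Service added later; a sketch is below with the controller namespace left as a placeholder. Separately, `auth-signin` hardcodes `https://code.dooplex.hu/...` and `code.home` is absent from `tls` while `ssl-redirect` is `"true"`, so a `code.home` visitor is redirected to HTTPS on the controller's default certificate and, after login, back to the other host; either drop the second host or give it its own TLS entry and signin URL. The hunk adds the whole file, so the policy would simply be appended as a further `---` document after the last PersistentVolumeClaim.
```yaml
# … unchanged: Namespace, Deployment, Service, Ingress, PersistentVolumeClaims …
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: code-server
  namespace: code-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: code-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # PLACEHOLDER: namespace that runs the nginx-internal ingress controller
              kubernetes.io/metadata.name: INGRESS_CONTROLLER_NAMESPACE_PLACEHOLDER
      ports:
        - protocol: TCP
          port: 8080
```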