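# code-server - VS Code in the browser
# https://github.com/coder/code-server
# Version: v4.108.0  (keep in sync with the image tag in the Deployment below)
# Domain: code.dooplex.hu
# Auth: Authentik Forward Auth (Proxy) - no native OIDC support
#
# code-server's built-in auth is basic password-based, so we use
# Authentik forward auth for SSO and disable internal auth.
#
# Because the container itself runs with --auth=none, the ONLY thing standing
# between a client and an unauthenticated IDE (shell as the coder user) is the
# Ingress below. Anything that can reach the Service on port 8080 without
# passing through that Ingress bypasses Authentik entirely.
#
# Authentik Setup:
#   1. Create Proxy Provider:
#      - Name: code-server
#      - External Host: https://code.dooplex.hu
#      - Mode: Forward auth (single application)
#   2. Create Application linked to this provider
#   3. Create Outpost (or add to existing) with this provider
---
apiVersion: v1
kind: Namespace
metadata:
  name: code-system
  labels:
    app.kubernetes.io/name: code-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: code-server
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
spec:
  # Single replica with Recreate: all three PVCs are ReadWriteOnce, so two
  # pods must never be scheduled against the same volumes during a rollout.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: code-server
      app.kubernetes.io/name: code-server
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: code-server
        app.kubernetes.io/name: code-server
      annotations:
        match-regex.version-checker.io/code-server: '^[0-9]+\.[0-9]+\.[0-9]+$'
    spec:
      securityContext:
        # Volumes are group-owned by gid 1000 so the non-root coder user can write them.
        fsGroup: 1000
        # Runtime default syscall filter (what Docker applies by default anyway).
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: code-server
          image: codercom/code-server:4.108.0
          args:
            - --bind-addr=0.0.0.0:8080
            # Internal auth is intentionally off: authentication is enforced
            # by the Ingress (Authentik forward auth) - see header comment.
            - --auth=none
            - --disable-telemetry
            - --disable-update-check
          env:
            - name: TZ
              value: "Europe/Budapest"
            - name: HOME
              value: "/home/coder"
            - name: USER
              value: "coder"
            # Proxy trust for headers
            # NOTE(review): confirm this variable is honored by the pinned
            # code-server release - an unrecognised env var is ignored silently.
            - name: CS_DISABLE_PROXY_TRUST
              value: "false"
            - name: GIT_CONFIG_GLOBAL
              value: "/home/coder/.config/git/config"
          lifecycle:
            postStart:
              exec:
                # GIT_CONFIG_GLOBAL points into the config PVC; create the
                # directory so git does not fail on first use.
                command: ["/bin/sh", "-c", "mkdir -p /home/coder/.config/git"]
          ports:
            - containerPort: 8080
              name: http
          resources:
            requests:
              cpu: 200m
              memory: 512Mi
            limits:
              cpu: 2000m
              memory: 4Gi
          volumeMounts:
            - name: config
              mountPath: /home/coder/.config
            - name: workspace
              mountPath: /home/coder/workspace
            - name: local
              mountPath: /home/coder/.local
            # SSH keys are kept in the config PVC under ssh/ (second mount of
            # the same volume). Private keys therefore share the backup policy
            # of the config volume (see the Longhorn recurring-job labels).
            - name: config
              mountPath: /home/coder/.ssh
              subPath: ssh
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            # Refuse to start rather than silently run as root if the image's
            # entrypoint ever changes.
            runAsNonRoot: true
            # NOTE(review): allowPrivilegeEscalation: false is deliberately not
            # set - it would break setuid sudo inside the container if the
            # image's sudo is relied on. Enable it if sudo is not needed.
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: code-server-config
        - name: workspace
          persistentVolumeClaim:
            claimName: code-server-workspace
        - name: local
          persistentVolumeClaim:
            claimName: code-server-local
---
# ClusterIP only. Nothing at this layer enforces authentication (the pod runs
# with --auth=none), so any workload in the cluster that can reach
# code-server.code-system.svc:8080 gets an unauthenticated IDE.
# TODO(review): add a NetworkPolicy in code-system that allows ingress to
# port 8080 only from the ingress-controller namespace.
apiVersion: v1
kind: Service
metadata:
  name: code-server
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      targetPort: http
  selector:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
---
# Ingress with Authentik forward auth
#
# Access control for this Ingress is layered:
#   1. configuration-snippet: request is rejected (403) unless the client is
#      on an RFC1918 range (192.168/16, 10/8) or geolocated to HU.
#   2. auth-url: every remaining request is validated by the Authentik outpost;
#      unauthenticated clients are redirected to auth-signin.
# The private-range allowlist only skips the geo check, never the auth check.
#
# NOTE(review): the geo check keys on $remote_addr. If this controller sits
# behind another proxy or load balancer, make sure it is configured to
# recover the real client address; otherwise the upstream hop's private
# address could match the 10/8 or 192.168/16 allowlist for every client.
# NOTE(review): $geoip2_country_code requires the controller's GeoIP2 database
# to be enabled, and both snippet annotations require snippet annotations to
# be allowed on the controller - an undefined variable or disallowed snippet
# makes the controller reject this Ingress rather than fail open.
# NOTE(review): the /outpost.goauthentik.io/* paths used by auth-signin are
# not routed here; this assumes the Authentik Kubernetes integration (or
# another Ingress) publishes them on code.dooplex.hu.
# NOTE(review): code.home has no tls entry, so with ssl-redirect it is served
# with the controller's default certificate, and auth-signin always sends
# users back to code.dooplex.hu.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: code-server
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: code.dooplex.hu,code.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    # WebSocket support for code-server
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    nginx.ingress.kubernetes.io/upstream-hash-by: "$remote_addr"
    # Authentik forward auth
    nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-code-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
    nginx.ingress.kubernetes.io/auth-signin: https://code.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) { return 403 "Access restricted to Hungary"; }
spec:
  ingressClassName: nginx-internal
  rules:
    - host: code.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: code-server
                port:
                  number: 8080
    - host: code.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: code-server
                port:
                  number: 8080
  tls:
    - hosts:
        - code.dooplex.hu
      secretName: code-server-tls
---
# Config PVC: holds /home/coder/.config and (via subPath ssh) /home/coder/.ssh.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: code-server-config
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server-config
    recurring-job-group.longhorn.io/default: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 2Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: code-server-workspace
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server-workspace
    recurring-job-group.longhorn.io/default: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 20Gi
---
# Local PVC (/home/coder/.local - extensions and caches); intentionally
# excluded from the Longhorn recurring-job labels the other two PVCs carry.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: code-server-local
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server-local
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 5Gi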