Jump Servers
tip
Basic post-installation steps for the system administrator:
Configure infrastructure
In corporate environments, firewalls or other security policies often restrict direct SSH connections to remote machines. CodeCanvas uses a Jump server to enable secure SSH connections from developers' local machines to dev environments (e.g., for development with VS Code or for accessing environments via the terminal). The Jump server is an intermediary that forwards SSH connections between the machines.
Depending on your setup, a Jump server may already be installed (e.g., in a single-cluster installation). In distributed setups or when scaling to multiple regions, you might need to add more Jump servers. We recommend deploying it as close to the target dev environments as possible to reduce latency (e.g., within the same dev environment cluster or in the same region). However, you can also deploy the Jump server in the CodeCanvas application cluster if needed.
You have a Kubernetes cluster where you want to deploy the Jump server (we will refer to it as the Jump cluster). For example, this can be a dev environment cluster or a separate cluster within the same region.
The CodeCanvas application cluster is network-accessible from the Jump cluster.
These instructions assume that you have a default CodeCanvas installation which uses external-dns for automated DNS setup. If you use a different DNS setup, you need to create DNS records manually and ensure that the domain name reserved for the Jump server (e.g., jump.example.com) resolves correctly.
In CodeCanvas, select Administration in the header navigation, then in the sidebar menu, select Jump Servers.
Click New connection.
Specify the Jump server Name and other settings:
SSH host – the hostname or IP address of the Jump server (e.g., jump.example.com) that you reserved for the Jump server. It must be accessible from the CodeCanvas application and from the users' local machines.
SSH port – the port number for the SSH endpoint (1023–65535).
Optionally, you can provide the Advanced settings:
Internal SSH host and Internal SSH port – (optional) the internal hostname and port number for the SSH endpoint. Use these settings only if your dev environments are running in an isolated network that doesn't have access to the external SSH hostname (the SSH host provided above). Note that in this case, you should configure the Jump server to be accessible from this internal network.
If the dev environments do have access to the external SSH hostname (e.g., via internet access), you can leave these fields empty, and CodeCanvas will use the external SSH hostname and port for both user machine connections and dev environment communication.
Public SSH host key – (optional) the public part of the SSH host key is used to establish trust between the dev environments and the Jump server. Without this key, the dev environments will treat the Jump server as an unknown host and refuse to connect.
By default (if the field is left empty), CodeCanvas automatically generates an SSH key pair for the Jump server. If you want to generate the key pair manually, you can do so and provide the public key here. Make sure to save the private key securely, as you will need it in the next step.
Public JWT Key – (optional) the public JWT key is used to authenticate and secure communication between the Jump server and the CodeCanvas backend. The Jump server uses its private JWT key to sign payloads sent to CodeCanvas. The public key provided here allows CodeCanvas to verify the signatures and ensure secure communication.
By default (if the field is left empty), CodeCanvas automatically generates a JWT key pair for the Jump server. If you want to generate the key pair manually, you can do so and provide the public key here. Make sure to save the private key securely, as you will need it in the next step.
Click Save to create the connection. After this, CodeCanvas generates a connection snippet that contains the manifest for a Kubernetes secret:
apiVersion: v1
kind: Secret
metadata:
  name: codecanvas-jump-secret
  namespace: JUMP_NAMESPACE_PLACEHOLDER
type: Opaque
stringData:
  JUMP_CANVAS_URL: https://codecanvas.example.com
  JUMP_SSH_HOST_KEY: SSH_PRIVATE_HOST_KEY_PLACEHOLDER
  JUMP_JWT_PRIVATE_KEY: JWT_PRIVATE_KEY_PLACEHOLDER
Here:
metadata.name is the name of the secret. In our example, it is codecanvas-jump-secret.
JUMP_NAMESPACE_PLACEHOLDER – the Kubernetes namespace where the Jump server should be deployed. You can create a new namespace with kubectl create namespace JUMP_NAMESPACE_PLACEHOLDER or use an existing one.
JUMP_SSH_HOST_KEY – the private SSH host key for the Jump server. Provide it only if you generated the key pair manually.
JUMP_JWT_PRIVATE_KEY – the private JWT key for the Jump server. Provide it only if you generated the key pair manually.
Create a Kubernetes secret file (e.g., jump-secret.yaml) and paste the snippet.
Apply the secret to the Jump cluster:
kubectl apply -f jump-secret.yaml
note
Important: To expose the Jump server's SSH port, we recommend configuring the Jump cluster with a LoadBalancer service type for the sshService. However, you can choose alternative configurations, e.g., with NodePort instead of LoadBalancer.
Create a jump.values.yaml file with the following content:
application:
  secret:
    jump:
      existingSecretName: "SECRET_NAME_PLACEHOLDER"
sshService:
  type: LoadBalancer
  port: SSH_PORT_PLACEHOLDER
  annotations:
    "external-dns.alpha.kubernetes.io/hostname": "JUMP_DOMAIN_PLACEHOLDER"
Here:
SECRET_NAME_PLACEHOLDER – the name of the Jump server secret. In our example, it is codecanvas-jump-secret.
SSH_PORT_PLACEHOLDER – the SSH port number for the Jump server specified in the SSH port parameter.
JUMP_DOMAIN_PLACEHOLDER – a domain name reserved for the Jump server, e.g., jump.example.com. Same as the SSH host parameter.
Apply the changes to the Jump cluster:
helm upgrade -n JUMP_NAMESPACE_PLACEHOLDER --wait --install \
  -f jump.values.yaml \
  codecanvas-jump \
  oci://public.registry.jetbrains.space/p/codecanvas/release-charts/codecanvas-jump \
  --version 2025.1.2
Replace JUMP_NAMESPACE_PLACEHOLDER with the Kubernetes namespace where the Jump server should be deployed.
In CodeCanvas, open the Jump server page and ensure that the server is in the Active state.
The Jump server is now ready for use. When configuring a computing platform, select the Jump server from the Jump server dropdown.
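If you supplied your own key in the Public SSH host key field, you can confirm that the deployed Jump server presents that same key before users connect through it. The following is an added example, not part of the CodeCanvas documentation or product: it assumes you collected the server's keys with ssh-keyscan -p SSH_PORT_PLACEHOLDER jump.example.com, and the key material and function names in it are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

def parse_key(line):
    """Return (key_type, blob) from a .pub line or an ssh-keyscan output line."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # A public key blob starts with a length-prefixed copy of its key type.
        if len(blob) >= 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == key_type.encode():
                return key_type, blob
    raise ValueError("no SSH public key in line")

def fingerprint(blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf`."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(registered_line, keyscan_output):
    """Compare the registered key with same-type keys the server presented."""
    want_type, want_blob = parse_key(registered_line)
    presented = []
    for line in keyscan_output.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key_type, blob = parse_key(line)
        if key_type == want_type:
            presented.append(blob)
    ok = bool(presented) and all(hmac.compare_digest(b, want_blob) for b in presented)
    return ok, fingerprint(want_blob), [fingerprint(b) for b in presented]

def _constructed_line(prefix, key_bytes, comment=""):
    # Constructed sample key material, not a real host key.
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + key_bytes
    return f"{prefix} ssh-ed25519 {base64.b64encode(blob).decode()} {comment}".strip()

REGISTERED = _constructed_line("", bytes(range(32)), "codecanvas-jump")
SCAN_OK = "# constructed keyscan output\n" + _constructed_line("[jump.example.com]:2222", bytes(range(32)))
SCAN_BAD = _constructed_line("[jump.example.com]:2222", bytes(32))
```

A mismatch, or no key of the registered type in the scan, means the endpoint behind the SSH host name is not serving the key you registered; check the DNS record and the secret applied to the Jump cluster before treating the server as trusted.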