Installation to Amazon EKS
This guide describes how to install the CodeCanvas application to a Kubernetes (K8s) cluster hosted in AWS EKS (Elastic Kubernetes Service). It implies that the database and object storage services are hosted in AWS, namely, in RDS and S3.
Before you begin the installation, make sure you've completed the steps described below.
CodeCanvas requires two PostgreSQL databases: one for the CodeCanvas application and another for the Jump server.
Install PostgreSQL server (version 12.2 – 15.5). The server must be accessible from the CodeCanvas application cluster, e.g., you can create a pod with the server in the same cluster.
Create dedicated databases for the CodeCanvas application and the Jump server.
Ensure that the database server is up and running before proceeding with the installation.
Create an AWS S3 bucket to store CodeCanvas and user data.
Amazon EKS cluster
Set up an Amazon EKS cluster for the CodeCanvas application. Make sure the cluster meets the requirements from the table below.
Requirement
Description
Helm
Version 3.6.0 or later
Kubernetes (K8s)
Version 1.29 or later
Cluster nodes
At least four nodes with Linux OS (x86_64), recommended min resources: 4 CPU cores and 8GB memory
Namespace
Create a dedicated namespace for the CodeCanvas application (replace
NAMESPACE_PLACEHOLDER
with an actual namespace name):kubectl create namespace NAMESPACE_PLACEHOLDER
Ingress controller
Install an Ingress controller compatible with your Kubernetes setup. In our example, we use an ingress-nginx controller.
Amazon EKS cluster
Set up a Kubernetes cluster for dev environments. Make sure the cluster meets the requirements from the table below. Depending on your needs, you can create multiple dev environment clusters (the requirements are the same for all clusters). To reduce latency for end users, we recommend deploying the dev environment cluster in the same region as the potential dev environment users.
Requirement
Description
Helm
Version 3.6.0 or later
Kubernetes (K8s)
Version 1.29 or later
Cluster nodes
Sufficient nodes to run dev environments, each with Linux OS (Ubuntu, x86_64), recommended min resources: 4 CPU cores and 8GB memory
Namespace
Create a dedicated namespace for the dev environment cluster (replace
NAMESPACE_PLACEHOLDER
with an actual namespace name):kubectl create namespace NAMESPACE_PLACEHOLDER
CSI driver
Install the
ebs.csi.aws.com
CSI driver in the cluster. For installation instructions, refer to the AWS documentation.CSI snapshot controller
Install the CSI snapshot controller in the cluster to enable Kubernetes snapshot manipulation. You can install it using the AWS-managed add-on or manually.
Storage class
Create a storage class for persistent volumes. You can use our recommended storage class configuration below.
apiVersion: storage.k8s.io/v1
{...}Volume snapshot class
Create a volume snapshot class for managing snapshots. You can use our recommended volume snapshot class configuration below.
apiVersion: snapshot.storage.k8s.io/v1
{...}CSI snapshot validation webhook
Install an add-on to the CSI driver that implements K8s snapshot validation. For the instructions, refer to the K8s documentation. Tested with v6.2.2.
warning
If you're using a different setup for DNS zones and TLS certificates management, you might need to adjust the
custom.values.yaml
file accordingly to your setup.
Domain name
Register a domain name for the CodeCanvas instance, e.g.,
codecanvas.example.com
.DNS zones
Install ExternalDNS in the CodeCanvas application cluster to manage DNS records.
TLS certificates
Install cert-manager in the CodeCanvas application cluster to manage TLS certificates issued by Let's Encrypt.
Subdomains
Configure subdomains for the CodeCanvas application components. The configuration in
custom.values.yaml
supposes the following DNS domain naming scheme:EXTERNAL_DOMAIN_PLACEHOLDER
– the main domain for the CodeCanvas application that serves the main administrative UI and REST API. For example,codecanvas.example.com
computeservice.EXTERNAL_DOMAIN_PLACEHOLDER
– the subdomain that serves thecompute-service
REST API. It is an internal domain customarily accessed only by dev environment pods.gateway.EXTERNAL_DOMAIN_PLACEHOLDER
– serves thegateway-relay
service. It is an external domain accessed by user IDE clients.jump.EXTERNAL_DOMAIN_PLACEHOLDER
– serves the REST API of thejump-server
service. It is an internal domain customarily accessed only by dev environment pods and the server.ssh.EXTERNAL_DOMAIN_PLACEHOLDER
– serves the SSH service of thejump-server
service. It is an external domain accessed by user IDE clients.
To grant CodeCanvas access to a storage bucket in AWS, you can use either static credentials or IAM roles for service accounts (IRSA). We recommend using IRSA.
Configure the IRSA role for the CodeCanvas application service account. CodeCanvas requires write permission to the bucket. For details on how to set up IRSA, refer to the AWS documentation.
note
Currently, IAM authentication for AWS RDS is not supported.
CodeCanvas uses the SMTP server to send various emails to users, for example, invitation links during the user creation, email verification, and other notifications. If you want to enable this functionality, ensure you have an SMTP server accessible from the CodeCanvas application cluster.
Create a custom.values.yaml
and copy the snippet below to it. You will replace placeholders with actual values in the next steps.
application:
{...}
In custom.values.yaml
, replace CODECANVAS_IRSA_ARN
with the actual ARN of the AWS IRSA role that the CodeCanvas application should use.
In custom.values.yaml
, replace EXTERNAL_DOMAIN_PLACEHOLDER
with the domain name you've registered for your CodeCanvas instance.
In custom.values.yaml
, replace CERT_MANAGER_NAME_PLACEHOLDER
with the name of cert-manager used in your cluster.
The CodeCanvas installation implies that you use an external PostgreSQL database. Though you can use any PostgreSQL database, we recommend using Amazon RDS.
Obtain the credentials for the database user that has permissions to create, read, update, and delete all entities in the schema.
A database secret is used to secure access to the PostgreSQL database.
Create a
codecanvas-db-secret.yaml
file and copy the snippet below to it.apiVersion: v1 kind: Secret type: Opaque metadata: name: codecanvas-db-secret-ext namespace: NAMESPACE_PLACEHOLDER stringData: DB_HOST: "CODECANVAS_DB_HOST_PLACEHOLDER" DB_NAME: "CODECANVAS_DB_NAME_PLACEHOLDER" DB_PASSWORD: "CODECANVAS_DB_PASSWORD_PLACEHOLDER" DB_PORT: "CODECANVAS_DB_PORT_PLACEHOLDER" DB_USERNAME: "CODECANVAS_DB_USERNAME_PLACEHOLDER"
Replace the following placeholders:
NAMESPACE_PLACEHOLDER
with your Kubernetes namespaceCODECANVAS_DB_PASSWORD_PLACEHOLDER
with a password for theCODECANVAS_DB_USERNAME_PLACEHOLDER
userCODECANVAS_DB_HOST_PLACEHOLDER
with the PostgreSQL hostnameCODECANVAS_DB_PORT_PLACEHOLDER
with the PostgreSQL port
Run:
kubectl apply -f codecanvas-db-secret.yaml
Delete the
codecanvas-db-secret.yaml
file.
The Jump server also uses an external PostgreSQL database.
Obtain the credentials for the database user that has permissions to create, read, update, and delete all entities in the schema.
A database secret is used to secure access to the PostgreSQL database.
Create a
jump-db-secret.yaml
file and copy the snippet below to it.apiVersion: v1 kind: Secret type: Opaque metadata: name: jump-db-secret-ext namespace: NAMESPACE_PLACEHOLDER stringData: DB_HOST: "JUMPSERVER_DB_HOST_PLACEHOLDER" DB_NAME: "JUMPSERVER_DB_NAME_PLACEHOLDER" DB_PASSWORD: "JUMPSERVER_DB_PASSWORD_PLACEHOLDER" DB_PORT: "JUMPSERVER_DB_PORT_PLACEHOLDER" DB_USERNAME: "JUMPSERVER_DB_USERNAME_PLACEHOLDER"
Replace the following placeholders:
NAMESPACE_PLACEHOLDER
with your Kubernetes namespaceJUMPSERVER_DB_PASSWORD_PLACEHOLDER
with a password for theJUMPSERVER_DB_USERNAME_PLACEHOLDER
userJUMPSERVER_DB_HOST_PLACEHOLDER
with the PostgreSQL hostnameJUMPSERVER_DB_PORT_PLACEHOLDER
with the PostgreSQL port
Run:
kubectl apply -f jump-db-secret.yaml
Delete the
jump-db-secret.yaml
file.
This installation implies that you use an AWS S3 bucket for storing user data.
You should authorize CodeCanvas to access your S3 object storage in one of two ways: using static credentials or IAM roles for service accounts (IRSA). We recommend using IRSA.
If you decide to use IRSA, there is no need to create a Kubernetes secret with static credentials. Instead, you should modify the custom.values.yaml
file to enable IRSA.
In custom.values.yaml
, replace the following section:
secret:
objectStorage:
existingSecretName: "codecanvas-objectstorage-secret-ext"
with
secret:
objectStorage:
region: "CODECANVAS_OBJECT_STORAGE_REGION_PLACEHOLDER"
bucket: "CODECANVAS_OBJECT_STORAGE_BUCKET_PLACEHOLDER"
Replace the following placeholders:
CODECANVAS_OBJECT_STORAGE_REGION_PLACEHOLDER
with the AWS region where the bucket is located (e.g.,eu-west-1
)CODECANVAS_OBJECT_STORAGE_BUCKET_PLACEHOLDER
with the name of the S3 bucket created for CodeCanvas
To set up authorization in your S3 object storage with static credentials, you should create an object storage secret and provide a username and password.
Create an
object-storage-secret.yaml
file and copy the snippet below to it.apiVersion: v1 kind: Secret type: Opaque metadata: name: codecanvas-objectstorage-secret-ext namespace: NAMESPACE_PLACEHOLDER stringData: CODECANVAS_OBJECT_STORAGE_ACCESS_KEY: "CODECANVAS_OBJECT_STORAGE_ACCESS_KEY_PLACEHOLDER" CODECANVAS_OBJECT_STORAGE_SECRET_KEY: "CODECANVAS_OBJECT_STORAGE_SECRET_KEY_PLACEHOLDER" CODECANVAS_OBJECT_STORAGE_BUCKET: "CODECANVAS_OBJECT_STORAGE_BUCKET_PLACEHOLDER" CODECANVAS_OBJECT_STORAGE_REGION: "CODECANVAS_OBJECT_STORAGE_REGION_PLACEHOLDER"
Replace the following placeholders:
NAMESPACE_PLACEHOLDER
with your Kubernetes namespaceCODECANVAS_OBJECT_STORAGE_ACCESS_KEY_PLACEHOLDER
with the AWS access keyCODECANVAS_OBJECT_STORAGE_SECRET_KEY_PLACEHOLDER
with the AWS secret keyCODECANVAS_OBJECT_STORAGE_BUCKET_PLACEHOLDER
with the name of the S3 bucket created for CodeCanvasCODECANVAS_OBJECT_STORAGE_REGION_PLACEHOLDER
with the AWS region where the bucket is located (e.g.,eu-west-1
)
Run:
kubectl apply -f object-storage-secret.yaml
Delete the
object-storage-secret.yaml
file.
warning
Important! Keep the master secret in a secure place. If you lose the master secret, you will lose access to all user data.
The CodeCanvas application keeps user secrets (e.g., credentials to external services) in the database in an encrypted form. The master secret is used to encrypt and decrypt these data.
Generate the master secret by running
openssl rand -base64 32
In
custom.values.yaml
, replaceMASTER_SECRET_PLACEHOLDER
with the generated value.
The system administrator account will be used for logging in to and configuring CodeCanvas after the installation.
In
custom.values.yaml
, replaceADMIN_USERNAME_PLACEHOLDER
andADMIN_PASSWORD_PLACEHOLDER
with desired administrator credentials.Replace
ADMIN_EMAIL_PLACEHOLDER
with an email address for receiving administrator notifications from CodeCanvas.
In custom.values.yaml
, replace WORKER_STORAGE_CLASS_NAME_PLACEHOLDER
with the storage class name you've created.
In custom.values.yaml
, replace WORKER_VOLUME_SNAPSHOT_CLASS_NAME_PLACEHOLDER
with the volume snapshot class name you've created.
The Relay server acts as an intermediary between JetBrains Gateway on a user machine and the dev environment. The communication between them is secured with SSL/TLS. To establish a secure connection, the gateway and the Relay server must have a pair of keys which you need to generate. The public key is shared with the Relay server. The private key is then used by JetBrains Gateway to authenticate dev environments in the Relay server.
Generate a private key:
openssl ecparam -name prime256v1 -genkey -noout -out gateway-ec-prime256v1-priv-key.pem
cat gateway-ec-prime256v1-priv-key.pem
In
custom.values.yaml
, replaceGATEWAY_PRIVATE_KEY_PLACEHOLDER
with the generated key value.Generate a public key:
openssl ec -in gateway-ec-prime256v1-priv-key.pem -pubout > gateway-ec-prime256v1-pub-key.pem
cat gateway-ec-prime256v1-pub-key.pem
In
custom.values.yaml
, replaceGATEWAY_PUBLIC_KEY_PLACEHOLDER
with the generated key value.Delete the
gateway-ec-prime256v1-priv-key.pem
andgateway-ec-prime256v1-pub-key.pem
files.
The Jump server acts as an intermediate server that provides indirect SSH connections between a user machine (SSH client, VS Code in the remote mode, etc.) and the SSH daemon in a dev environment. The SSH connection requires a pair of keys which you need to generate. The public key is shared with the Jump server. The private key is then used by the SSH client to authenticate in the Jump server.
Generate a private key:
openssl ecparam -name prime256v1 -genkey -noout -out jump-ec-prime256v1-priv-key.pem
cat jump-ec-prime256v1-priv-key.pem
In
custom.values.yaml
, replaceJUMP_PRIVATE_KEY_PLACEHOLDER
with the generated key value.Generate a public key:
openssl ec -in jump-ec-prime256v1-priv-key.pem -pubout > jump-ec-prime256v1-pub-key.pem
cat jump-ec-prime256v1-pub-key.pem
In
custom.values.yaml
, replaceJUMP_PUBLIC_KEY_PLACEHOLDER
with the generated key value.Delete the
jump-ec-prime256v1-priv-key.pem
andjump-ec-prime256v1-pub-key.pem
files.Generate a private host key:
openssl genrsa -traditional 2048 2>/dev/null
In
custom.values.yaml
, replaceJUMP_HOST_PRIVATE_KEY_PLACEHOLDER
with the generated key value.
In custom.values.yaml
, replace INGRESS_CLASS_PLACEHOLDER
with the Ingress class used for the CodeCanvas Kubernetes cluster.
Suppose you've set up a Service account in the application cluster and prefer the service account name to be independent of the Helm release name. In that case, you may want to specify a particular name for the Kubernetes service account that the CodeCanvas Helm chart will create. To do this, in custom.values.yaml
, replace CODECANVAS_KSA_NAME
with the desired name.
By default, CodeCanvas runs worker containers in the --privileged
mode (the containers have root privileges on the host node). If you want to avoid this due to security reasons, install Sysbox Container Runtime as described here.
Run:
helm upgrade -n NAMESPACE_PLACEHOLDER --wait --install \
-f custom.values.yaml \
codecanvas \
oci://public.registry.jetbrains.space/p/codecanvas/release-charts/codecanvas \
--version 2024.3.1
Here:
NAMESPACE_PLACEHOLDER
is your Kubernetes namespacecodecanvas
is the Helm release name. You can change it if needed
After you install your CodeCanvas instance, verify the installation.
Run:
kubectl -n NAMESPACE_PLACEHOLDER get pods
All pods must be in the Running
state. On average, it takes about 2 minutes after deployment for a pod to become active.
If the pods are not Running
, try finding the cause by running:
kubectl -n NAMESPACE_PLACEHOLDER get event
and
kubectl -n NAMESPACE_PLACEHOLDER describe pod POD_NAME
The domain name must resolve to the Ingress load balancer. You can check this by running:
nslookup EXTERNAL_DOMAIN_PLACEHOLDER
nslookup gateway.EXTERNAL_DOMAIN_PLACEHOLDER
nslookup jump.EXTERNAL_DOMAIN_PLACEHOLDER
nslookup ssh.EXTERNAL_DOMAIN_PLACEHOLDER
The output must not contain any errors.
Open your CodeCanvas instance in a browser. When logging in to CodeCanvas, use the administrator credentials provided during the installation.
warning
Before proceeding, activate your CodeCanvas instance.
To connect the dev environment cluster to CodeCanvas, you should create a connection in the CodeCanvas application.
Select Administration in the header navigation, then in the sidebar menu, select Computing Platforms.
Click New connection.
Give this connection a Name, specify the cluster's Kubernetes namespace, and click Save. The connection will be added to the list. Here you can also modify the pod YAML template according to your needs. Learn more
Click the connection in the list to open its details.
The connection details page provides the snippet of the
helm upgrade
command that you should use to install the CodeCanvas operator in the dev environment cluster. This operator will communicate with the CodeCanvas application and start/stop dev environments in the cluster.To connect to the CodeCanvas application, it will need an access token:
Click Generate token.
Copy the snippet to the clipboard.
Install the CodeCanvas operator Helm chart on the dev environment cluster using the snippet.
Click Test connection and ensure that all checks are successful.
After successfully verifying the installation and connecting the dev environment cluster, you can proceed to configure your CodeCanvas instance: creating dev environment instance types, adding users, namespaces, and so on.
Thanks for your feedback!