Install IDE Services in a Kubernetes cluster
The Kubernetes installation of IDE Services offers a scalable solution suitable for managing larger workloads. The cluster can be deployed in your own environment, on platforms such as Amazon Elastic Kubernetes Service or Google Kubernetes Engine, or on any other cloud service that supports Kubernetes. The minimum required version of Kubernetes is 1.27.
One of the distribution options for IDE Services is a Kubernetes Helm chart.
Installation requirements
Kubernetes | Version 1.27 or later |
Helm | Version 3.12 or later |
Namespace | A dedicated Kubernetes namespace |
Ingress controller | An Ingress controller already exists in the cluster and watches for objects of a specific IngressClass |
Object storage | An S3-compatible bucket or Azure Blob Storage |
Database | PostgreSQL version 13 or later |
Authentication provider | You have configured an external authentication service. |
User permissions | You have administrator permissions to the Kubernetes namespace |
Plan your installation
Data backup and recovery
Currently, IDE Services doesn't provide any native tools for backing up or recovering data. We recommend adhering to the industry's best practices for managing the storage.
Secrets
During the IDE Services installation, user inputs are treated as secrets. The IDE Services configuration populates the corresponding Kubernetes secret objects and injects them into the appropriate application components during the deployment.
Configurations for the PostgreSQL database, authentication provider, and object storage often contain sensitive data like passwords, keys, tokens, and so on. If you specify such sensitive data directly in the values.yaml file, Helm will automatically create a dedicated secret during the deployment. This ensures that individuals with access to your Kubernetes instance, but not the values.yaml file, won't be able to access sensitive data.
Ingress controller
In IDE Services, Ingress is exposed outside the application for both the web interface and the provided services (Remote Procedure Call, WebSocket, and so on).
The host name is used without additional subdomains. It is expected that your organization owns the domain or is able to register it with name servers and bind an IP address to it.
You can use annotations to provide platform, cluster, and resource details. For example, you can specify the Ingress class, bind certificates, declare additional rules, and more.
If your setup operates without Ingress, you can disable Ingress, configure a different service type in the service object, and provide the required annotations.
Installation steps
The instructions below use kube-ide-services as the name of the Kubernetes namespace (this value will be different for your installation):
Create a values.yaml file with deployment configuration. For example:

    ides:
      ingress:
        enabled: true
        hostname: ides.lvh.me
        annotations:
          nginx.ingress.kubernetes.io/ssl-redirect: "true"
        ingressClassName: nginx
        pathType: Prefix
        tls:
          - hosts:
              - ides.lvh.me
            secretName: ides-tls
      config:
        deploymentUrl: "https://ides.lvh.me"
        db:
          host: "ides-postgresql:5432"
          database: idesdb
          user: idespguser
          password: idespguserpwd
        storage:
          type: s3
          s3:
            bucket: ides
            url: "http://ides-minio:9000"
            accessKey: idesminiouser
            secretKey: idesminiouserpwd
        auth:
          login-url: "https://accounts.google.com/o/oauth2/auth"
          token-url: "https://oauth2.googleapis.com/token"
          jwt-certs-url: "https://www.googleapis.com/oauth2/v3/certs"
          client-id: ides-server
          client-secret: "bacd3019-c3b9-4b31-98d5-d3c410a1098e"
          root-admin-emails: ["ides.admin@example.com"]

Deploy the created configuration:

Add the chart repository:

    helm repo add jetbrains-ide-services \
      https://download.jetbrains.com/ide-services/charts/stable

Run the deployment:

    helm install jb-ide-services jetbrains-ide-services/ide-services-helm --version 2024.4.1 --namespace kube-ide-services -f values.yaml

Alternatively, install the chart directly from the OCI registry:

    helm install jb-ide-services \
      oci://registry-1.docker.io/jetbrains/ide-services-helm \
      --version 2024.4.1 \
      --namespace kube-ide-services \
      -f values.yaml

Verify the state of IDE Services pods:

    kubectl -n kube-ide-services get pods

The IDE Services pods must be in the Running state. If the pods are not in the Running state, you can attempt to identify the cause using the following commands:

    kubectl -n kube-ide-services get event

and

    kubectl -n kube-ide-services describe po "${POD_NAME}"

Open https://<server_domain> in your browser to log in to the IDE Services Web UI.
Configure the Code With Me Relay
Code With Me Relay is an essential part of the Code With Me Enterprise setup, which is distributed as part of the IDE Services Helm chart.
Generate an EC key pair that Lobby and Relay use to authenticate users on relays:

    openssl ecparam -name secp384r1 -genkey -noout -out relay_auth_private.pem
    openssl ec -in relay_auth_private.pem -pubout -out relay_auth_public.pem

Add a Relay configuration to values.yaml:

    cwmrelay:
      enabled: true
      ingress:
        enabled: true
        hostPattern: "cwm-__REPLICA_ID__.lvh.me" #mandatory
        <your_ingress_configuration>
      config:
        jwtPublicKey: |
          -----BEGIN PUBLIC KEY-----
          Your relay_auth_public.pem goes here
          -----END PUBLIC KEY-----
        jwtPrivateKey: |
          -----BEGIN EC PRIVATE KEY-----
          Your relay_auth_private.pem goes here
          -----END EC PRIVATE KEY-----

Run the deployment.
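An added example (not from the IDE Services documentation or chart) that wraps the two openssl commands above with a restrictive umask, checks that the public key matches the private key, and prints the cwmrelay.config keys with the PEM lines indented as YAML block scalars. The function names and the relay-keys.yaml file name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the IDE Services chart. PEM file names follow the
# openssl commands above; relay-keys.yaml is an assumed output name.

# Generate the secp384r1 key pair in directory $1 with owner-only permissions,
# then confirm the public key file really derives from the private key.
# The body runs in a subshell so umask and cd do not leak to the caller.
make_relay_keys() (
  umask 077
  cd "$1" || exit 1
  openssl ecparam -name secp384r1 -genkey -noout \
    -out relay_auth_private.pem || exit 1
  openssl ec -in relay_auth_private.pem -pubout \
    -out relay_auth_public.pem 2>/dev/null || exit 1
  openssl ec -in relay_auth_private.pem -pubout 2>/dev/null |
    cmp -s - relay_auth_public.pem
)

# Print the cwmrelay.config keys for public key file $1 and private key file $2.
# Every PEM line is indented deeper than its key; a line left at column 0
# ends the block scalar early and the key no longer parses.
relay_values_fragment() {
  printf 'cwmrelay:\n  config:\n    jwtPublicKey: |\n'
  sed 's/^/      /' "$1"
  printf '    jwtPrivateKey: |\n'
  sed 's/^/      /' "$2"
}

# Demo run in a throwaway directory (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  keydir=$(mktemp -d)
  if make_relay_keys "$keydir"; then
    ( umask 077
      relay_values_fragment "$keydir/relay_auth_public.pem" \
        "$keydir/relay_auth_private.pem" > "$keydir/relay-keys.yaml" )
    echo "wrote $keydir/relay-keys.yaml"
  else
    echo "key generation or key pair check failed" >&2
  fi
fi
```

The printed fragment can be merged into values.yaml or passed to Helm as an additional -f file after values.yaml.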
Deploy the IDE Services Helm chart offline
Download the IDE Services Helm chart.
Unpack the file to a new installation directory.
Find the values.yaml file in the IDE Services chart and configure it for your organization.
Run the following command to render the chart into out.yaml, which lists the images required for the installation:

    helm template . -f ./values.yaml > out.yaml

Check that the local repository or local image registry contains the required images.
If the images are not present, refer to Docker Export and Import documentation to learn how to transfer the images to the local repository/registry.
Run the following command:

    helm upgrade -i <desired_release_name> . -f ./values.yaml
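An added example (not part of the IDE Services chart) of the image check in the offline procedure above: it extracts the image references from the rendered out.yaml and reports any that are missing from an inventory of the local registry. The inventory format (one image reference per line), the function names, and all image names are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the IDE Services chart. Image names are constructed.

# Print each unique image reference in a rendered manifest ($1).
# Handles "image: x" and "- image: x", optional quotes, trailing comments.
list_images() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*image:[[:space:]]*//p' "$1" |
    sed -e 's/[[:space:]]\{1,\}#.*$//' -e 's/[[:space:]]*$//' \
        -e 's/^["'\'']//' -e 's/["'\'']$//' -e '/^$/d' |
    sort -u
}

# Print images the manifest ($1) needs that the inventory ($2, one reference
# per line) lacks. Exit status 1 means at least one image is missing.
missing_images() {
  _req=$(mktemp) || return 2
  _have=$(mktemp) || return 2
  list_images "$1" > "$_req"
  sort -u "$2" > "$_have"
  _missing=$(comm -23 "$_req" "$_have")
  rm -f "$_req" "$_have"
  if [ -n "$_missing" ]; then
    printf '%s\n' "$_missing"
    return 1
  fi
}

# Constructed sample: a fragment of out.yaml and a local registry inventory.
demo_dir=$(mktemp -d)
cat > "$demo_dir/out.yaml" <<'EOF'
    spec:
      initContainers:
        - image: "registry.example.internal/demo/migrate:1.0"   # quoted
          name: migrate
      containers:
        - name: server
          image: registry.example.internal/demo/server:2.0
          imagePullPolicy: IfNotPresent
        - name: sidecar
          image: 'registry.example.internal/demo/server:2.0'
EOF
printf '%s\n' 'registry.example.internal/demo/server:2.0' > "$demo_dir/have.txt"

# Reports the migrate image, which the constructed inventory does not contain.
missing_images "$demo_dir/out.yaml" "$demo_dir/have.txt" ||
  echo "transfer the images listed above before running helm upgrade" >&2
```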