Install IDE Services in a Kubernetes cluster
The Kubernetes installation of IDE Services offers a scalable solution suitable for managing larger workloads. The cluster can be deployed in your own environment, in platforms like Amazon Elastic Kubernetes Service, Google Kubernetes Engine, or any other Kubernetes-supporting cloud service. The minimum required version of Kubernetes is 1.27.
One of the distribution options for IDE Services is a Kubernetes Helm chart:
https://download-cdn.jetbrains.com/ide-services/charts/stable/ide-services-helm-2025.0.1.tgz
Version 1.27 or later | |
Version 3.12 or later | |
Namespace | A dedicated Kubernetes namespace |
Ingress controller | An Ingress controller already exists in the cluster and watches for objects of a specific IngressClass |
Object storage | An S3-compatible bucket or Azure Blob Storage |
Database | PostgreSQL version 13 or later |
Authentication provider | You have configured an external authentication service. |
User permissions | You have administrator permissions to the Kubernetes namespace |
Currently, IDE Services doesn't provide any native tools for backing up or recovering data. We recommend adhering to the industry's best practices for managing the storage.
During the IDE Services installation, user inputs are treated as secrets. The IDE Services configuration populates corresponding Kubernetes secret objects and injects them to the appropriate application components during the deployment.
Configurations for the PostgreSQL database, authentication provider, and object storage often contain sensitive data like passwords, keys, tokens, and so on. If you specify such sensitive data directly in the values.yaml file, Helm will automatically create a dedicated secret during the deployment. This ensures that individuals with access to your Kubernetes instance, but not the values.yaml file, won't be able to access sensitive data.
In IDE Services, Ingress is exposed outside the application both in terms of the Web interface and provided services (Remote Procedure Call, WebSocket, and so on.)
The host name is used without additional subdomains. It is expected that your organization owns the domain or is able to register it in NameServers and bind an IP to it.
You can use annotations to provide platform, cluster, and resource details. For example, you can specify the Ingress class, bind certificates, declare additional rules, and more.
If your setup operates without Ingress, you can disable Ingress, configure a different service type in the service
object, and provide required annotations.
The instructions below use kube-ide-services
as the name of the Kubernetes namespace (this value will be different for your installation):
Create a values.yaml file with deployment configuration. For example:
values.yaml
{...}Deploy the created configuration:
Helm chartOCI imageAdd the chart repository:
helm repo add jetbrains-ide-services \ https://download.jetbrains.com/ide-services/charts/stable
Run the deployment:
helm install jb-ide-services jetbrains-ide-services/ide-services-helm --version 2025.0.1 --namespace kube-ide-services -f values.yaml
helm install jb-ide-services \ oci://registry-1.docker.io/jetbrains/ide-services-helm \ --version 2025.0.1 \ --namespace kube-ide-services \ -f values.yaml
Verify the state of IDE Services pods:
kubectl -n kube-ide-services get pods
The IDE Services pods must have the Running state. If the pods are not in the Running state, you can attempt to identify the cause using the provided commands:
kubectl -n kube-ide-services get event
and
kubectl -n kube-ide-services describe po "${POD_NAME}"
Open
https://<server_domain>
in your browser to log in to the IDE Services Web UI.
Code With Me Relay is an essential part of the Code With Me Enterprise setup, which is distributed as part of the IDE Services Helm chart.
Generate certificates for Lobby and Relay to authenticate users on relays:
openssl ecparam -name secp384r1 -genkey -noout -out relay_auth_private.pem openssl ec -in relay_auth_private.pem -pubout -out relay_auth_public.pem
Add a Relay configuration to values.yaml:
cwmrelay: enabled: true ingress: enabled: true hostPattern: "cwm-__REPLICA_ID__.lvh.me" #mandatory <your_ingress_configuration> config: jwtPublicKey: | -----BEGIN PUBLIC KEY----- Your relay_auth_public.pem goes here -----END PUBLIC KEY----- jwtPrivateKey: | -----BEGIN EC PRIVATE KEY----- Your relay_auth_private.pem goes here -----END EC PRIVATE KEY-----
note
In the example, the value of the mandatory
cwmrelay.ingress.hostPattern
parameter contains the__REPLICA_ID__
part. This part is later replaced with numbers (from 1 to the number of instances configured incwmrelay.config.instanceCount
) to form a valid fully qualified domain name.Run the deployment.
note
To install IDE Services locally, you need to make sure that the domain name you provide during the installation can be resolved within your network. Additionally, you should plan ahead for the issuance of certificates.
Download the IDE Services Helm chart.
Unpack the file to a new installation directory.
Find the values.yaml file in the IDE Services chart and configure it for your organization.
Run the following command to find the images required for the installation:
helm template . -f ./values.yaml > out.yaml
Check that the local repository or local image registry contains the required images.
If the images are not present, refer to Docker Export and Import documentation to learn how to transfer the images to the local repository/registry.
Run the following command:
helm upgrade -i <desired_release_name> -f ./values.yaml
Thanks for your feedback!