DX-75: Add GitHub Codespaces support with private Keycloak (nginx TLS sidecar)#106
Draft
mstrong98 wants to merge 1 commit into
Draft
DX-75: Add GitHub Codespaces support with private Keycloak (nginx TLS sidecar)#106mstrong98 wants to merge 1 commit into
mstrong98 wants to merge 1 commit into
Conversation
…sidecar Add a second, Codespaces-only dev container config under .devcontainer/codespaces/ without modifying any existing template files (local devcontainer flow, remote_host flow, base compose stack unchanged). Keycloak is kept PRIVATE: an nginx:alpine TLS sidecar (keycloak-tls) owns the external Keycloak hostname as a Docker network alias, so the app server's server-side OIDC discovery resolves internally to nginx (which TLS-terminates and proxies to keycloak:8080) while the browser uses the Private forwarded port. No port is made Public. Relies on existing httpc_params.verify=false and KC_PROXY=edge. Files: - devcontainer.json: Codespaces config reusing the base stack via a compose override; same services/extensions/features as local plus docker-outside-of-docker; forwardPorts + labels; prebuild-cached onCreateCommand; non-blocking postStartCommand. - docker-compose.codespaces.yml: env overrides pointing app/Keycloak at the Codespace external HTTPS URLs; new keycloak-tls sidecar. - nginx-keycloak.conf: TLS reverse proxy to keycloak:8080. - new-codespace.sh: gh-based programmatic spin-up + health poll. - README.md: architecture, Harbor secrets, prebuild, machine size, caveats. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The template only ships a local VS Code dev container flow. DX-75 adds first-class GitHub Codespaces support so the stack can be spun up in the cloud (including for headless/agentic use) without exposing Keycloak on a public port.
What
Adds a second, separate Codespaces-only dev container config under
.devcontainer/codespaces/. It reuses the existing../docker-compose.ymlstack via a compose override and does not modify any existing template files. The local VS Code flow and theremote_host/flow are unchanged.The headline design decision is keeping Keycloak private:
keycloak-tlsnginx:alpine sidecar generates a self-signed cert on start and TLS-terminates traffic to the internalkeycloak:8080.${CODESPACE_NAME}-8080.app.github.dev) as a Docker network alias, so the app server's server-side OIDC discovery resolves that hostname internally to nginx instead of going out to the public internet.This relies on two settings already present in the template:
httpc_params.verify=false(so the self-signed cert is accepted during discovery) andKC_PROXY=edge(so Keycloak trusts the forwarded headers).Files (all new, under
.devcontainer/codespaces/)devcontainer.json- Codespaces config; same services/extensions/settings as the local config, plusdocker-outside-of-dockerfor stack inspection;forwardPortswith labels; prebuild-cachedonCreateCommand(myw_product fetch node_modules); non-blockingpostStartCommand(nomyw_product watch).docker-compose.codespaces.yml- env overrides pointing app/Keycloak at the Codespace external HTTPS URLs; adds thekeycloak-tlssidecar. Only overrides env/aliases; does not redefine base service bodies.nginx-keycloak.conf- TLS reverse proxy (443 ->keycloak:8080) withX-Forwarded-*headers.new-codespace.sh-gh-based programmatic spin-up plus a health poll (REPO/BRANCH/MACHINE/IDLE overridable).README.md- architecture write-up, required org-level Harbor Codespaces secrets, prebuild setup, recommended machine size, and caveats.