Skip to content

DX-75: Add GitHub Codespaces support with private Keycloak (nginx TLS sidecar)#106

Draft
mstrong98 wants to merge 1 commit into
devfrom
enh/DX-75-codespaces-support
Draft

DX-75: Add GitHub Codespaces support with private Keycloak (nginx TLS sidecar)#106
mstrong98 wants to merge 1 commit into
devfrom
enh/DX-75-codespaces-support

Conversation

@mstrong98

@mstrong98 mstrong98 commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Why

The template only ships a local VS Code dev container flow. DX-75 adds first-class GitHub Codespaces support so the stack can be spun up in the cloud (including for headless/agentic use) without exposing Keycloak on a public port.

What

Adds a second, separate Codespaces-only dev container config under .devcontainer/codespaces/. It reuses the existing ../docker-compose.yml stack via a compose override and does not modify any existing template files. The local VS Code flow and the remote_host/ flow are unchanged.

The headline design decision is keeping Keycloak private:

  • A new keycloak-tls nginx:alpine sidecar generates a self-signed cert on start and TLS-terminates traffic to the internal keycloak:8080.
  • The sidecar claims the external Keycloak hostname (${CODESPACE_NAME}-8080.app.github.dev) as a Docker network alias, so the app server's server-side OIDC discovery resolves that hostname internally to nginx instead of going out to the public internet.
  • The browser reaches Keycloak through the Private forwarded port. Both paths agree on the same issuer URL, so discovery and login work with no public port.

This relies on two settings already present in the template: httpc_params.verify=false (so the self-signed cert is accepted during discovery) and KC_PROXY=edge (so Keycloak trusts the forwarded headers).

Files (all new, under .devcontainer/codespaces/)

  • devcontainer.json - Codespaces config; same services/extensions/settings as the local config, plus docker-outside-of-docker for stack inspection; forwardPorts with labels; prebuild-cached onCreateCommand (myw_product fetch node_modules); non-blocking postStartCommand (no myw_product watch).
  • docker-compose.codespaces.yml - env overrides pointing app/Keycloak at the Codespace external HTTPS URLs; adds the keycloak-tls sidecar. Only overrides env/aliases; does not redefine base service bodies.
  • nginx-keycloak.conf - TLS reverse proxy (443 -> keycloak:8080) with X-Forwarded-* headers.
  • new-codespace.sh - gh-based programmatic spin-up plus a health poll (REPO/BRANCH/MACHINE/IDLE overridable).
  • README.md - architecture write-up, required org-level Harbor Codespaces secrets, prebuild setup, recommended machine size, and caveats.

…sidecar

Add a second, Codespaces-only dev container config under
.devcontainer/codespaces/ without modifying any existing template files
(local devcontainer flow, remote_host flow, base compose stack unchanged).

Keycloak is kept PRIVATE: an nginx:alpine TLS sidecar (keycloak-tls) owns the
external Keycloak hostname as a Docker network alias, so the app server's
server-side OIDC discovery resolves internally to nginx (which TLS-terminates
and proxies to keycloak:8080) while the browser uses the Private forwarded
port. No port is made Public. Relies on existing httpc_params.verify=false
and KC_PROXY=edge.

Files:
- devcontainer.json: Codespaces config reusing the base stack via a compose
  override; same services/extensions/features as local plus
  docker-outside-of-docker; forwardPorts + labels; prebuild-cached
  onCreateCommand; non-blocking postStartCommand.
- docker-compose.codespaces.yml: env overrides pointing app/Keycloak at the
  Codespace external HTTPS URLs; new keycloak-tls sidecar.
- nginx-keycloak.conf: TLS reverse proxy to keycloak:8080.
- new-codespace.sh: gh-based programmatic spin-up + health poll.
- README.md: architecture, Harbor secrets, prebuild, machine size, caveats.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@mstrong98 mstrong98 marked this pull request as draft June 26, 2026 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant