devcontainer/serverless

DevContainer Serverless 2.0

A serverless, auto-scaling development container platform with dynamic GitHub repository routing, secured by Authentik authentication.

Architecture Overview

User Request: https://devcontainer.farh.net/github/microsoft/vscode
     ↓
Authentik (Authentication & Authorization)
     ↓ (authenticated request with user headers)
NGINX Ingress (SSL termination, rate limiting)
     ↓
Routing Proxy (extracts GitHub repo from URL, adds headers)
     ↓ (with X-GitHub-Repo header)
Knative Service (devcontainer-serverless)
     ↓ (auto-scales from 0 to N instances)
Dev Container Instances (ephemeral, repo-specific)

Key Features

• 🚀 Scale to Zero: Containers automatically scale down to zero when not in use
• 🔐 Authentik Integration: Full authentication and authorization via Authentik
• 🐙 Dynamic GitHub Routing: Access any repo via /github/{owner}/{repo}
• ⚡ Fast Cold Start: Optimized startup for quick repository access
• 📁 Built-in File Manager: Upload/download files via web interface
• 🛠️ Multiple IDEs: VSCode, Antigravity, or headless mode
• 🎯 Per-User Isolation: Each request gets its own container instance

Quick Start

Prerequisites

• Kubernetes cluster with Knative Serving installed
• Authentik deployed and configured
• NGINX Ingress Controller
• cert-manager for SSL certificates

1. Deploy the Serverless Components

# Create namespace and deploy all components
kubectl apply -f serverless/deployment.yaml

# Build and push the routing proxy image
cd serverless/routing-proxy
docker build -t ghcr.io/cpfarhood/devcontainer-routing-proxy:latest .
docker push ghcr.io/cpfarhood/devcontainer-routing-proxy:latest

2. Configure Authentik

# Apply Authentik configuration
kubectl apply -f serverless/authentik-config.yaml

# Configure the application via Authentik web UI:
# 1. Go to Applications > Providers > Create
# 2. Type: Forward Auth (single application)
# 3. Name: devcontainer-forward-auth-provider
# 4. External host: https://devcontainer.farh.net
# 5. Create the Application pointing to this provider

3. Update DNS and SSL

# Point devcontainer.farh.net to your ingress controller
# The cert-manager will automatically provision SSL certificates

4. Test the Deployment

# Visit in browser (will redirect to Authentik for login)
https://devcontainer.farh.net/github/microsoft/vscode

# Check pod scaling
kubectl get pods -n devcontainers -w

# View logs
kubectl logs -n devcontainers deployment/devcontainer-routing-proxy -f
kubectl logs -n devcontainers -l serving.knative.dev/service=devcontainer-serverless -f

Usage

URL Format

https://devcontainer.farh.net/github/{owner}/{repo}

Examples

# Microsoft VSCode
https://devcontainer.farh.net/github/microsoft/vscode

# Kubernetes
https://devcontainer.farh.net/github/kubernetes/kubernetes

# Your private repo (requires GitHub token)
https://devcontainer.farh.net/github/yourorg/private-repo

Authentication Flow

1. User visits https://devcontainer.farh.net/github/owner/repo
2. NGINX Ingress checks with Authentik for authentication
3. If not authenticated, redirects to Authentik login
4. After successful login, request proceeds with user headers
5. Routing proxy extracts repository from URL
6. Knative spins up (or reuses) a container instance
7. Container clones the specified repository and starts IDE

File Upload/Download

Each container includes a built-in file manager accessible via the VNC web interface:

1. Connect to your dev container via the browser
2. Look for the file manager icon in the VNC toolbar
3. Upload/download files directly through the web interface

Configuration

Environment Variables (Secret)

Update the secret in serverless/deployment.yaml:

stringData:
  GITHUB_TOKEN: "ghp_your_github_token"      # For private repositories
  VNC_PASSWORD: "your_secure_password"       # VNC access password
  ANTHROPIC_API_KEY: "sk-ant-your_key"      # Claude API key
  GIT_USER_NAME: "Your Name"                 # Git commit author
  GIT_USER_EMAIL: "your.email@example.com"  # Git commit email

Scaling Configuration

Modify the Knative Service annotations in deployment.yaml:

annotations:
  autoscaling.knative.dev/minScale: "0"      # Scale to zero
  autoscaling.knative.dev/maxScale: "20"     # Max instances
  autoscaling.knative.dev/target: "1"        # 1 request per pod
  autoscaling.knative.dev/scale-to-zero-grace-period: "10m"

Resource Limits

Adjust per-instance resources:

resources:
  requests:
    memory: "1Gi"
    cpu: "500m"
  limits:
    memory: "8Gi"    # More memory for large repos
    cpu: "4000m"     # More CPU for compilation tasks

IDE Selection

Set the default IDE via environment variable:

env:
- name: IDE
  value: "vscode"  # Options: vscode, antigravity, none

Monitoring and Observability

Health Checks

# Routing proxy health
curl http://devcontainer-routing-proxy.devcontainers.svc.cluster.local/health

# Knative service status
kn service describe devcontainer-serverless -n devcontainers

# Check container logs
kubectl logs -n devcontainers -l serving.knative.dev/service=devcontainer-serverless -f

Metrics

The setup includes Prometheus integration:

• Authentik metrics: User authentication events
• Knative metrics: Container scaling, cold starts, request latency
• NGINX metrics: Request rates, response times
• Container metrics: Resource usage per repository

Grafana Dashboards

Import the provided dashboard for monitoring:

# TODO: Create Grafana dashboard JSON

Security Considerations

Network Policies

# Restrict networking between components
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: devcontainer-serverless-network-policy
  namespace: devcontainers
spec:
  podSelector:
    matchLabels:
      serving.knative.dev/service: devcontainer-serverless
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/component: routing-proxy
    ports:
    - protocol: TCP
      port: 5800
  egress:
  - to: []  # Allow all outbound (needed for git clone, package installs)
    ports:
    - protocol: TCP
      port: 443
    - protocol: TCP
      port: 80

Repository Access Control

Configure Authentik policies to control repository access:

# Example Authentik expression policy
github_repo = request.http_request.headers.get('X-GitHub-Repo', '')
user_groups = [g.name for g in request.user.ak_groups.all()]

# Allow admins access to everything
if 'admins' in user_groups:
    return True

# Allow developers access to public repos and specific private repos
if 'developers' in user_groups:
    # Add logic for private repository access based on user attributes
    if 'private-repo-access' in user.ak_attributes:
        allowed_repos = user.ak_attributes['private-repo-access']
        return github_repo in allowed_repos
    return True  # Public repos only

return False

Troubleshooting

Common Issues

1. Container won't start

   # Check Knative service status
   kn service describe devcontainer-serverless -n devcontainers
   
   # Check pod events
   kubectl describe pod -n devcontainers -l serving.knative.dev/service=devcontainer-serverless
   

2. Repository clone fails

   # Check GitHub token in secret
   kubectl get secret devcontainer-serverless-secrets -n devcontainers -o yaml
   
   # Check container logs for git errors
   kubectl logs -n devcontainers -l serving.knative.dev/service=devcontainer-serverless --tail=100
   

3. Authentik authentication loop

   # Check Authentik outpost logs
   kubectl logs -n authentik -l app.kubernetes.io/name=authentik
   
   # Verify ingress annotations
   kubectl describe ingress devcontainer-serverless-ingress -n devcontainers
   

4. Slow cold starts

   # Check container startup time
   kubectl logs -n devcontainers -l serving.knative.dev/service=devcontainer-serverless --timestamps
   
   # Consider increasing timeout
   # serving.knative.dev/timeoutSeconds: "900"  # 15 minutes
   

Performance Tuning

1. Reduce cold start time:

   • Use minimal base image layers
   • Pre-install common development tools
   • Optimize git clone (shallow clone for large repos)

2. Resource optimization:

   • Set appropriate resource requests/limits
   • Use autoscaling.knative.dev/target-utilization-percentage
   • Consider persistent volumes for frequently accessed repos

3. Network optimization:

   • Use private container registry for faster image pulls
   • Configure image pull policies appropriately
   • Consider using a git cache proxy

Development

Building the Routing Proxy

cd serverless/routing-proxy
docker build -t ghcr.io/cpfarhood/devcontainer-routing-proxy:v2.0.0 .
docker push ghcr.io/cpfarhood/devcontainer-routing-proxy:v2.0.0

Testing Locally

# Run the routing proxy locally
cd serverless/routing-proxy
docker run -p 8080:8080 \
  -e DEVCONTAINER_SERVICE_URL=host.docker.internal:5800 \
  ghcr.io/cpfarhood/devcontainer-routing-proxy:latest

# Test routing
curl -H "X-GitHub-Repo: https://github.com/microsoft/vscode" \
  http://localhost:8080/github/microsoft/vscode

Contributing

1. Create feature branch from feature/serverless-2.0.0
2. Make changes to serverless components
3. Test with local Knative setup
4. Submit pull request

Migration from 1.x

The serverless 2.0 architecture is a complete redesign. Migration steps:

1. Backup existing data: Export user configs, git credentials
2. Deploy 2.0 components: Following the quick start guide
3. Migrate users: Update Authentik with existing user accounts
4. Test extensively: Verify repository access and functionality
5. Switch DNS: Point domain to new infrastructure
6. Cleanup 1.x: Remove old Helm deployments

Roadmap

• GitLab support (/gitlab/group/project)
• Bitbucket support
• Repository templates and scaffolding
• Collaborative editing features
• IDE plugins and extensions management
• Resource quotas per user/group
• Repository caching and optimization
• Integration with CI/CD pipelines