Coditect V5 - Automated Pod Provisioning & RBAC Architecture
Last Updated: 2025-10-07
GCP Project: serene-voltage-464305-n2
GKE Cluster: codi-poc-e2-cluster (us-central1-a)
Domain: coditect.ai

## Table of Contents
- Architecture Overview
- End-to-End User Flow
- Component Architecture
- Automated Provisioning System
- RBAC & Security Model
- Storage Architecture
- Implementation Details
- Deployment Strategy
## Architecture Overview

### High-Level System Diagram
```
+-----------------------------------------------------------------------+
|                             User Browser                              |
|  +-----------------------------------------------------------------+  |
|  |  React Wrapper (coditect.ai)                                    |  |
|  |  ├── Header (Logo, Theme, User Menu)                            |  |
|  |  ├── SidePanel (Files, LLM Chat, Settings)                      |  |
|  |  ├── Theia Embed (iframe to user workspace pod)                 |  |
|  |  └── Footer (Links, Status)                                     |  |
|  +-----------------------------------------------------------------+  |
+-----------------------------------+-----------------------------------+
                                    | HTTPS (JWT auth)
+-----------------------------------v-----------------------------------+
|                         Google Load Balancer                          |
|                     (34.8.51.57 - SSL termination)                    |
+-----------------------------------+-----------------------------------+
                                    |
                 +------------------+------------------+
                 |                                     |
      +----------v-----------+            +------------v-----------+
      |   Frontend Service   |            |  Backend API Service   |
      |     (React SPA)      |            |    (Rust/Actix-web)    |
      |       Port: 80       |            |        Port: 80        |
      +----------------------+            +------------+-----------+
                                                       |
                                    +------------------+------------------+
                                    |                                     |
                        +-----------v-----------+           +-------------v----------+
                        |     FoundationDB      |           |     Kubernetes API     |
                        |  (Session/Metadata)   |           |   (Pod Provisioning)   |
                        |    3-node cluster     |           +-------------+----------+
                        +-----------------------+                         |
                                                            +-------------v----------+
                                                            |  Per-User Namespaces   |
                                                            |  ├── user-alice        |
                                                            |  ├── user-bob          |
                                                            |  └── user-charlie      |
                                                            +-------------+----------+
                                                                          |
                                                +-------------------------+-------------------+
                                                |                                             |
                                    +-----------v-----------+                     +-----------v-----------+
                                    |     Workspace Pod     |                     |     Workspace Pod     |
                                    |      (user-alice)     |                     |       (user-bob)      |
                                    |                       |                     |                       |
                                    |  +-----------------+  |                     |  +-----------------+  |
                                    |  | Theia Container |  |                     |  | Theia Container |  |
                                    |  |   Port: 3000    |  |                     |  |   Port: 3000    |  |
                                    |  +-----------------+  |                     |  +-----------------+  |
                                    |                       |                     |                       |
                                    |  +-----------------+  |                     |  +-----------------+  |
                                    |  |WebSocket Sidecar|  |                     |  |WebSocket Sidecar|  |
                                    |  |   Port: 8765    |  |                     |  |   Port: 8765    |  |
                                    |  | (localhost only)|  |                     |  | (localhost only)|  |
                                    |  +-----------------+  |                     |  +-----------------+  |
                                    |                       |                     |                       |
                                    |  +-----------------+  |                     |  +-----------------+  |
                                    |  |   PVC (50GB)    |  |                     |  |   PVC (50GB)    |  |
                                    |  |   /workspace    |  |                     |  |   /workspace    |  |
                                    |  +-----------------+  |                     |  +-----------------+  |
                                    +-----------------------+                     +-----------------------+
```

### Key Architectural Principles

- Multi-Tenant Isolation: Each user gets their own Kubernetes namespace
- Ephemeral Pods, Persistent Data: Pods can be recreated, data survives in PVCs
- Sidecar Pattern: WebSocket gateway runs alongside Theia (localhost communication)
- Automated Provisioning: Registration triggers namespace + pod + RBAC creation
- Centralized Auth: JWT from backend API, validated at every layer
- Zero Trust: RBAC enforced at Kubernetes level, not just application level
## End-to-End User Flow

### Registration & Onboarding

```
1. User visits coditect.ai/register
   └─> Frontend: React registration form

2. User submits email/password
   └─> POST /api/v5/auth/register
       Backend:
         ├─> Hash password (Argon2)
         ├─> Create user in FoundationDB
         ├─> Assign tenant_id
         └─> Return success

3. Backend triggers provisioning controller
   └─> Kubernetes Controller watches FDB for new users
       ├─> Create namespace: user-{user_id}
       ├─> Create ServiceAccount
       ├─> Create Role (pod, pvc access)
       ├─> Create RoleBinding (user → role)
       ├─> Create PVC (50GB standard-rwo)
       └─> Create Pod (Theia + WebSocket sidecar)

4. User logs in
   └─> POST /api/v5/auth/login
       Backend:
         ├─> Verify password (Argon2)
         ├─> Generate JWT token (exp: 24h)
         ├─> Create session in FDB
         └─> Return JWT + session_id

5. User redirected to /ide
   └─> Frontend embeds iframe:
       src="https://coditect.ai/workspace/{user_id}/theia"

6. Ingress routes traffic:
   /workspace/{user_id}/theia → user-{user_id} namespace → theia pod (port 3000)

7. Theia loads in iframe, establishes WebSocket
   └─> ws://localhost:8765 (sidecar)
       WebSocket sidecar:
         ├─> Validates JWT
         ├─> Connects to FoundationDB
         └─> Syncs file changes, LLM requests, terminal I/O
```
### IDE Session Lifecycle

Session Start:
1. User opens /ide
2. Frontend validates JWT (decode, check expiry)
3. Frontend fetches session metadata: GET /api/v5/sessions/{session_id}
4. Frontend loads Theia iframe with session context
5. Theia connects to WebSocket sidecar (localhost:8765)
6. WebSocket sidecar establishes FDB connection
7. User files loaded from PVC → displayed in Theia

Active Session:
- File edits → WebSocket → FDB (metadata + snapshots)
- Terminal commands → executed in pod → output via WebSocket
- LLM requests → WebSocket → Backend API → LM Studio/Claude
- Real-time sync: multiple browser tabs share the same session

Session End:
- User closes tab → WebSocket disconnect (clean shutdown)
- Session remains in FDB (can resume later)
- Pod stays running (configurable timeout: 30min idle → scale to zero)
### Pod Lifecycle Management

Pod Creation (On-Demand):
- Triggered by: first login after registration
- Process:
  1. Controller creates namespace
  2. Controller provisions PVC
  3. Controller creates pod spec
  4. Kubernetes schedules pod
  5. Pod initializes (pull image, mount PVC)
  6. Health checks pass
  7. Ingress routes traffic to pod

Pod Scaling (Idle Timeout):
- After 30min idle: scale replicas to 0
- Pod deleted, PVC remains
- Next access: recreate pod from PVC
- Data intact, session restored

Pod Termination:
- User deletes account → Controller deletes namespace
- Cascade delete: Pod, PVC, Secrets, RBAC
- Data purged from FDB (GDPR compliance)
## Component Architecture

### 1. Frontend (React Wrapper)

Purpose: Provide branded UI wrapper around the Theia IDE

Technology Stack:
- React 18 + TypeScript
- Chakra UI (theme system)
- React Router (routing)
- Zustand (state management)

Key Components:

```
src/
├── app.tsx                  // Main app, routing, auth context
├── components/
│   ├── header.tsx           // Logo, theme toggle, user menu
│   ├── footer.tsx           // Links, status indicators
│   ├── side-panel.tsx       // File tree, LLM chat, settings
│   └── theia-embed.tsx      // Iframe wrapper for Theia
├── pages/
│   ├── login-page.tsx       // JWT auth login
│   ├── register-page.tsx    // User registration
│   └── IDEPage.tsx          // Main IDE layout
├── hooks/
│   ├── useAuth.tsx          // JWT validation, refresh
│   ├── useSession.tsx       // Session management
│   └── use-web-socket.tsx   // WebSocket connection
└── theme/
    ├── chakraTheme.ts       // Chakra UI theme
    └── theiaTheme.css       // Theia CSS overrides
```

Deployment:
- Build: `npm run build` → static files
- Serve: NGINX in coditect-frontend pod
- Route: coditect.ai → frontend service
- CDN: Google Cloud CDN (static assets)
### 2. Backend API (Rust/Actix-web)

Purpose: Auth, session management, pod orchestration

Technology Stack:
- Rust 1.90 + Actix-web 4.4
- FoundationDB 7.1 client
- JWT (jsonwebtoken crate)
- Argon2 (password hashing)

API Endpoints:

```
// Authentication
POST   /api/v5/auth/register       // Create user
POST   /api/v5/auth/login          // Get JWT token
POST   /api/v5/auth/logout         // Invalidate session
POST   /api/v5/auth/refresh        // Refresh JWT

// Sessions
GET    /api/v5/sessions            // List user sessions
POST   /api/v5/sessions            // Create new session
GET    /api/v5/sessions/{id}       // Get session details
PUT    /api/v5/sessions/{id}       // Update session
DELETE /api/v5/sessions/{id}       // Delete session

// Workspaces (Pod Management)
GET    /api/v5/workspaces          // List user workspaces
POST   /api/v5/workspaces          // Provision new workspace
GET    /api/v5/workspaces/{id}     // Get workspace status
DELETE /api/v5/workspaces/{id}     // Delete workspace (delete pod)

// Health
GET    /health                     // Health check
GET    /health/fdb                 // FDB connection status
```

Key Services:

```
src/
├── main.rs                  // Server setup, routes
├── handlers/
│   ├── auth.rs              // Auth endpoints
│   ├── sessions.rs          // Session CRUD
│   └── workspaces.rs        // Pod provisioning
├── services/
│   ├── fdb_service.rs       // FoundationDB client
│   ├── jwt_service.rs       // JWT encode/decode
│   ├── k8s_service.rs       // Kubernetes API client
│   └── provisioner.rs       // Automated provisioning logic
├── middleware/
│   ├── auth_middleware.rs   // JWT validation
│   └── rate_limit.rs        // Rate limiting
└── models/
    ├── user.rs              // User model
    ├── session.rs           // Session model
    └── workspace.rs         // Workspace model
```

Deployment:
- Container: us-central1-docker.pkg.dev/.../coditect-v5-api:latest
- Replicas: 3 (auto-scaling 3-10)
- Resources: 512Mi-1Gi memory, 500m-1000m CPU
- Health checks: /health endpoint
- Route: coditect.ai/api/v5/* → backend service
### 3. Provisioning Controller (Kubernetes Operator)

Purpose: Automate namespace, pod, and RBAC creation

Technology: Rust + kube-rs (Kubernetes client)

Reconciliation Loop:

```rust
// Pseudo-code: the helper functions (namespace_exists, create_namespace, ...)
// and the `fdb_client` handle are defined elsewhere in the controller.
async fn reconcile_user(user: User) -> Result<()> {
    let ns_name = format!("user-{}", user.id);

    // 1. Create namespace (idempotent: skipped if it already exists)
    if !namespace_exists(&ns_name).await? {
        create_namespace(&ns_name).await?;
    }
    // 2. Create service account
    create_service_account(&ns_name, "workspace-sa").await?;
    // 3. Create RBAC
    create_role(&ns_name, "workspace-access").await?;
    create_role_binding(&ns_name, "workspace-sa", "workspace-access").await?;
    // 4. Create PVC (skipped if it already exists, so user data is never replaced)
    if !pvc_exists(&ns_name, "workspace-storage").await? {
        create_pvc(&ns_name, "workspace-storage", "50Gi").await?;
    }
    // 5. Create pod
    if !pod_exists(&ns_name, "workspace").await? {
        create_workspace_pod(&ns_name, &user).await?;
    }
    // 6. Wait for pod ready
    wait_for_pod_ready(&ns_name, "workspace").await?;
    // 7. Update user status in FDB
    fdb_client.set_user_workspace_ready(user.id, true).await?;
    Ok(())
}
```
Trigger Mechanisms:
- Watch FDB for new users (polling every 5s)
- Kubernetes CRD (custom resource: workspaceRequest)
- HTTP webhook from backend API
Deployment:
- Single pod in coditect-app namespace
- ServiceAccount with cluster-admin (or scoped RBAC)
- Watches all user-* namespaces
- Logs to Cloud Logging
### 4. Workspace Pod (Theia + WebSocket Sidecar)

Purpose: Per-user IDE environment with real-time sync

Pod Specification:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: workspace
  namespace: user-{user_id}
  labels:
    app: workspace
    user_id: "{user_id}"
spec:
  serviceAccountName: workspace-sa
  containers:
    # Main Theia container
    - name: theia
      image: us-central1-docker.pkg.dev/serene-voltage-464305-n2/coditect/t2-workspace-theia:latest
      ports:
        - containerPort: 3000
          name: theia-http
      volumeMounts:
        - name: workspace-storage
          mountPath: /workspace
      env:
        - name: USER_ID
          value: "{user_id}"
        - name: WEBSOCKET_URL
          value: "ws://localhost:8765"
      resources:
        requests:
          memory: "2Gi"
          cpu: "1000m"
        limits:
          memory: "4Gi"
          cpu: "2000m"
      livenessProbe:
        httpGet:
          path: /health
          port: 3000
        initialDelaySeconds: 30
        periodSeconds: 10
      readinessProbe:
        httpGet:
          path: /health
          port: 3000
        initialDelaySeconds: 10
        periodSeconds: 5
    # WebSocket sidecar
    - name: websocket-gateway
      image: us-central1-docker.pkg.dev/serene-voltage-464305-n2/coditect/websocket-gateway:latest
      ports:
        - containerPort: 8765
          name: websocket
      env:
        - name: FDB_CLUSTER_STRING
          value: "coditect:production@foundationdb-0.fdb-cluster.coditect-app.svc.cluster.local:4500"
        - name: JWT_SECRET
          valueFrom:
            secretKeyRef:
              name: jwt-secret
              key: secret
        - name: USER_ID
          value: "{user_id}"
      resources:
        requests:
          memory: "256Mi"
          cpu: "200m"
        limits:
          memory: "512Mi"
          cpu: "500m"
  volumes:
    - name: workspace-storage
      persistentVolumeClaim:
        claimName: workspace-storage
```

Sidecar Benefits:
- Localhost communication: No network policies needed
- Security: WebSocket not exposed outside pod
- Simplicity: No service mesh required
- Performance: Zero network latency (same pod)
## Automated Provisioning System

### Provisioning Workflow Diagram

```
User Registration
        │
        ▼
Backend API
  ├─> Create user in FDB
  └─> Emit provisioning event
        │
        ▼
Provisioning Controller
(watches FDB/CRD/webhook)
        │
        ▼
+-----------------------------+
| Step 1: Create Namespace    |
|         user-{user_id}      |
+-------------+---------------+
              ▼
+-----------------------------+
| Step 2: Create RBAC         |
|   ├─> ServiceAccount        |
|   ├─> Role (pod/pvc access) |
|   └─> RoleBinding           |
+-------------+---------------+
              ▼
+-----------------------------+
| Step 3: Create PVC          |
|         50GB standard-rwo   |
+-------------+---------------+
              ▼
+-----------------------------+
| Step 4: Create Pod          |
|   ├─> Theia container       |
|   └─> WebSocket sidecar     |
+-------------+---------------+
              ▼
+-----------------------------+
| Step 5: Wait for Ready      |
|  Poll pod status (max 2min) |
+-------------+---------------+
              ▼
+-----------------------------+
| Step 6: Update FDB          |
|  Mark workspace as ready    |
+-------------+---------------+
              ▼
          Success!
```
### Implementation: Kubernetes API Calls

```rust
// src/services/provisioner.rs
use std::collections::BTreeMap;
use std::time::Duration;

use anyhow::Result; // error type assumed here; the original listing does not name one
use k8s_openapi::api::core::v1::{Namespace, PersistentVolumeClaim, Pod, ServiceAccount};
use k8s_openapi::api::rbac::v1::{Role, RoleBinding};
use k8s_openapi::apimachinery::pkg::apis::meta::v1::ObjectMeta;
use kube::api::PostParams;
use kube::{Api, Client};

pub struct Provisioner {
    client: Client,
}

impl Provisioner {
    pub async fn provision_workspace(&self, user_id: &str, user_email: &str) -> Result<()> {
        let ns_name = format!("user-{}", user_id);

        // Step 1: Create namespace
        self.create_namespace(&ns_name).await?;

        // Step 2: Create RBAC
        self.create_service_account(&ns_name).await?;
        self.create_role(&ns_name).await?;
        self.create_role_binding(&ns_name, user_email).await?;

        // Step 3: Create PVC
        self.create_pvc(&ns_name).await?;

        // Step 4: Create pod
        self.create_workspace_pod(&ns_name, user_id).await?;

        // Step 5: Wait for pod ready (2 minute budget)
        self.wait_for_pod_ready(&ns_name, "workspace", Duration::from_secs(120)).await?;

        Ok(())
    }

    async fn create_namespace(&self, name: &str) -> Result<()> {
        // Namespaces are cluster-scoped, so the API handle is not namespaced.
        let ns_api: Api<Namespace> = Api::all(self.client.clone());
        let ns = Namespace {
            metadata: ObjectMeta {
                name: Some(name.to_string()),
                labels: Some(BTreeMap::from([
                    ("app".to_string(), "coditect".to_string()),
                    ("managed-by".to_string(), "provisioner".to_string()),
                ])),
                ..Default::default()
            },
            ..Default::default()
        };
        ns_api.create(&PostParams::default(), &ns).await?;
        Ok(())
    }

    // ... (other create functions similar)
}
```
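The reconciliation loop in the controller section and `provision_workspace` above both rely on every step being safe to repeat: a crashed controller, a duplicate FDB poll and a retried webhook all re-enter the same loop for the same user. The following is an added example, not the project's code, that drives that loop through a small trait so it can be exercised against an in-memory fake cluster; `WorkspaceApi`, `FakeCluster`, `ReconcileReport` and the "Kind/name" bookkeeping keys are assumptions made here, while the object names are the ones this document uses. The real controller talks to the GKE API through kube-rs.

```rust
// Added example (not the project's code): idempotent per-user reconcile
// driven through a trait, with an in-memory fake standing in for the cluster.
use std::collections::BTreeSet;
use std::fmt;

/// Desired state for one user, mirroring the page's provisioning steps.
#[derive(Clone, Debug, PartialEq)]
pub struct WorkspaceSpec {
    pub user_id: String,
    pub pvc_size: String,
}

#[derive(Debug, PartialEq)]
pub enum ReconcileError {
    /// The pod did not become ready within the poll budget (the page allows 2 min).
    PodNotReady { namespace: String, polls: u32 },
}

impl fmt::Display for ReconcileError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ReconcileError::PodNotReady { namespace, polls } => {
                write!(f, "pod workspace in {namespace} not ready after {polls} polls")
            }
        }
    }
}

/// What the controller needs from the cluster (assumed interface). Every
/// `ensure_*` call is create-if-missing and reports whether it created
/// anything, which is what makes the loop safe to re-run.
pub trait WorkspaceApi {
    fn ensure_namespace(&mut self, ns: &str) -> bool;
    fn ensure_service_account(&mut self, ns: &str, name: &str) -> bool;
    fn ensure_role(&mut self, ns: &str, name: &str) -> bool;
    fn ensure_role_binding(&mut self, ns: &str, sa: &str, role: &str) -> bool;
    fn ensure_pvc(&mut self, ns: &str, name: &str, size: &str) -> bool;
    fn ensure_pod(&mut self, ns: &str, name: &str) -> bool;
    fn pod_ready(&mut self, ns: &str, name: &str) -> bool;
}

/// Outcome of one pass: objects actually created and readiness polls spent.
#[derive(Debug, Default, PartialEq)]
pub struct ReconcileReport {
    pub created: u32,
    pub polls: u32,
}

/// Steps 1-6 of the page's loop. Step 7 (marking the user ready in FDB) is
/// left to the caller, which owns the FDB handle.
pub fn reconcile_user<A: WorkspaceApi>(
    api: &mut A,
    spec: &WorkspaceSpec,
    max_polls: u32,
) -> Result<ReconcileReport, ReconcileError> {
    let ns = format!("user-{}", spec.user_id);
    let mut created = 0u32;
    created += api.ensure_namespace(&ns) as u32;
    created += api.ensure_service_account(&ns, "workspace-sa") as u32;
    created += api.ensure_role(&ns, "workspace-access") as u32;
    created += api.ensure_role_binding(&ns, "workspace-sa", "workspace-access") as u32;
    created += api.ensure_pvc(&ns, "workspace-storage", &spec.pvc_size) as u32;
    created += api.ensure_pod(&ns, "workspace") as u32;

    // Bounded readiness wait: give up (and let the caller retry) instead of hanging.
    let mut polls = 0u32;
    while !api.pod_ready(&ns, "workspace") {
        polls += 1;
        if polls >= max_polls {
            return Err(ReconcileError::PodNotReady { namespace: ns, polls });
        }
    }
    Ok(ReconcileReport { created, polls })
}

/// In-memory stand-in for the cluster. Objects are keyed "namespace/Kind/name"
/// (cluster-scoped Namespaces as "Namespace/name"); the pod reports ready
/// after `ready_after` status polls so that time-outs can be exercised.
#[derive(Debug, Default)]
pub struct FakeCluster {
    objects: BTreeSet<String>,
    ready_after: u32,
    polls_seen: u32,
}

impl FakeCluster {
    pub fn new(ready_after: u32) -> Self {
        FakeCluster { ready_after, ..Default::default() }
    }
    pub fn has(&self, key: &str) -> bool {
        self.objects.contains(key)
    }
    fn put(&mut self, key: String) -> bool {
        self.objects.insert(key) // true only when the object was absent
    }
}

impl WorkspaceApi for FakeCluster {
    fn ensure_namespace(&mut self, ns: &str) -> bool { self.put(format!("Namespace/{ns}")) }
    fn ensure_service_account(&mut self, ns: &str, name: &str) -> bool { self.put(format!("{ns}/ServiceAccount/{name}")) }
    fn ensure_role(&mut self, ns: &str, name: &str) -> bool { self.put(format!("{ns}/Role/{name}")) }
    fn ensure_role_binding(&mut self, ns: &str, sa: &str, role: &str) -> bool { self.put(format!("{ns}/RoleBinding/{sa}->{role}")) }
    fn ensure_pvc(&mut self, ns: &str, name: &str, size: &str) -> bool { self.put(format!("{ns}/PersistentVolumeClaim/{name}={size}")) }
    fn ensure_pod(&mut self, ns: &str, name: &str) -> bool { self.put(format!("{ns}/Pod/{name}")) }
    fn pod_ready(&mut self, ns: &str, name: &str) -> bool {
        if !self.has(&format!("{ns}/Pod/{name}")) {
            return false;
        }
        self.polls_seen += 1;
        self.polls_seen > self.ready_after
    }
}

fn main() {
    let mut cluster = FakeCluster::new(2);
    let alice = WorkspaceSpec { user_id: "alice".into(), pvc_size: "50Gi".into() };
    println!("first pass:  {:?}", reconcile_user(&mut cluster, &alice, 10));
    println!("second pass: {:?}", reconcile_user(&mut cluster, &alice, 10));
}
```

The second pass reports `created: 0`: nothing is recreated, so a retry after a crash can never replace a user's PVC. The poll budget is deliberately an error rather than an infinite wait, so a scheduling failure surfaces to the caller instead of stalling the controller's single pod.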
### Deprovisioning (Account Deletion)

```rust
// src/services/provisioner.rs (continued). `fdb_client` is assumed to be the
// FoundationDB client handle available to the provisioner.
use kube::api::DeleteParams;

impl Provisioner {
    pub async fn deprovision_workspace(&self, user_id: &str) -> Result<()> {
        let ns_name = format!("user-{}", user_id);

        // Delete namespace (cascade deletes pod, PVC, secrets, RBAC)
        let ns_api: Api<Namespace> = Api::all(self.client.clone());
        ns_api.delete(&ns_name, &DeleteParams::default()).await?;

        // Wait for namespace deletion (finalizers)
        self.wait_for_namespace_deleted(&ns_name).await?;

        // Purge FDB data (GDPR compliance)
        fdb_client.delete_user_data(user_id).await?;

        Ok(())
    }
}
```
## RBAC & Security Model

### Multi-Tenant Isolation

Principle: Each user operates in an isolated namespace with scoped RBAC

```
+--------------------------------------------------------------+
|                      Kubernetes Cluster                      |
|                                                              |
|  +----------------------------------------------------+      |
|  |  Namespace: user-alice                             |      |
|  |                                                    |      |
|  |  ServiceAccount: workspace-sa                      |      |
|  |  Role: workspace-access                            |      |
|  |  RoleBinding: workspace-sa → workspace-access      |      |
|  |                                                    |      |
|  |  Resources alice can access:                       |      |
|  |    ├─> pods (get, list, create, delete)            |      |
|  |    ├─> pvcs (get, list)                            |      |
|  |    └─> secrets (get) - only in user-alice namespace|      |
|  |                                                    |      |
|  |  CANNOT access:                                    |      |
|  |    ├─> Other namespaces (user-bob, user-charlie)   |      |
|  |    ├─> Cluster-level resources                     |      |
|  |    └─> coditect-app namespace (system services)    |      |
|  +----------------------------------------------------+      |
|                                                              |
|  +----------------------------------------------------+      |
|  |  Namespace: user-bob                               |      |
|  |  (Isolated from alice)                             |      |
|  +----------------------------------------------------+      |
+--------------------------------------------------------------+
```
### RBAC Manifests

ServiceAccount:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workspace-sa
  namespace: user-{user_id}
```

Role (scoped to namespace):

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workspace-access
  namespace: user-{user_id}
rules:
  # Pod management
  - apiGroups: [""]
    resources: ["pods", "pods/log", "pods/exec"]
    verbs: ["get", "list", "create", "delete", "watch"]
  # PVC access (read-only)
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["get", "list"]
  # Secret access (read JWT for validation)
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["jwt-secret"]
    verbs: ["get"]
```

RoleBinding:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workspace-sa-binding
  namespace: user-{user_id}
subjects:
  - kind: ServiceAccount
    name: workspace-sa
    namespace: user-{user_id}
roleRef:
  kind: Role
  name: workspace-access
  apiGroup: rbac.authorization.k8s.io
```
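The isolation claims in the diagram above (alice's `workspace-sa` can read `jwt-secret` in `user-alice` but nothing in `user-bob` or `coditect-app`) follow from two facts about Kubernetes RBAC: a RoleBinding grants access only in its own namespace, and a rule with `resourceNames` matches only the listed objects. The following is an added example, not the project's code, that encodes the Role and RoleBinding above and evaluates requests against them so those claims become assertions rather than inspection. It models only what these manifests use (namespaced Roles, ServiceAccount subjects, apiGroups/resources/resourceNames/verbs); ClusterRoles, `*` wildcards and aggregation are out of scope, and subresources such as `pods/log` are matched as the literal resource string the manifest writes. `can_i`, `AccessRequest` and `provision_rbac` are names assumed here.

```rust
// Added example (not the project's code): deny-by-default evaluator for the
// namespaced Role/RoleBinding pair in this section.
#[derive(Clone, Debug)]
pub struct PolicyRule {
    pub api_groups: Vec<&'static str>,
    pub resources: Vec<&'static str>,
    /// Empty means any object name, as in Kubernetes.
    pub resource_names: Vec<&'static str>,
    pub verbs: Vec<&'static str>,
}

#[derive(Clone, Debug)]
pub struct Role {
    pub namespace: String,
    pub name: String,
    pub rules: Vec<PolicyRule>,
}

/// A RoleBinding references a Role in its own namespace and grants access
/// in that namespace only; the subject is a ServiceAccount with its namespace.
#[derive(Clone, Debug)]
pub struct RoleBinding {
    pub namespace: String,
    pub role_name: String,
    pub subject_sa: String,
    pub subject_namespace: String,
}

#[derive(Clone, Debug)]
pub struct AccessRequest<'a> {
    pub sa: &'a str,
    pub sa_namespace: &'a str,
    pub namespace: &'a str,
    pub api_group: &'a str,
    pub resource: &'a str,
    pub name: &'a str,
    pub verb: &'a str,
}

fn has(list: &[&str], item: &str) -> bool {
    list.iter().any(|x| *x == item)
}

fn rule_allows(rule: &PolicyRule, req: &AccessRequest) -> bool {
    has(&rule.api_groups, req.api_group)
        && has(&rule.resources, req.resource)
        && has(&rule.verbs, req.verb)
        && (rule.resource_names.is_empty() || has(&rule.resource_names, req.name))
}

/// Allowed only if some binding in the target namespace names this
/// ServiceAccount and its Role contains a matching rule; otherwise denied.
pub fn can_i(roles: &[Role], bindings: &[RoleBinding], req: &AccessRequest) -> bool {
    bindings
        .iter()
        .filter(|b| {
            b.namespace == req.namespace
                && b.subject_sa == req.sa
                && b.subject_namespace == req.sa_namespace
        })
        .filter_map(|b| roles.iter().find(|r| r.namespace == b.namespace && r.name == b.role_name))
        .any(|role| role.rules.iter().any(|rule| rule_allows(rule, req)))
}

/// The workspace-access Role from this section, for one user namespace.
pub fn workspace_role(ns: &str) -> Role {
    Role {
        namespace: ns.to_string(),
        name: "workspace-access".to_string(),
        rules: vec![
            PolicyRule { api_groups: vec![""], resources: vec!["pods", "pods/log", "pods/exec"], resource_names: vec![], verbs: vec!["get", "list", "create", "delete", "watch"] },
            PolicyRule { api_groups: vec![""], resources: vec!["persistentvolumeclaims"], resource_names: vec![], verbs: vec!["get", "list"] },
            PolicyRule { api_groups: vec![""], resources: vec!["secrets"], resource_names: vec!["jwt-secret"], verbs: vec!["get"] },
        ],
    }
}

/// The workspace-sa-binding RoleBinding from this section.
pub fn workspace_binding(ns: &str) -> RoleBinding {
    RoleBinding { namespace: ns.to_string(), role_name: "workspace-access".to_string(), subject_sa: "workspace-sa".to_string(), subject_namespace: ns.to_string() }
}

/// Provision the RBAC objects for a set of users, as the controller would.
pub fn provision_rbac(users: &[&str]) -> (Vec<Role>, Vec<RoleBinding>) {
    let roles: Vec<Role> = users.iter().map(|u| workspace_role(&format!("user-{u}"))).collect();
    let bindings: Vec<RoleBinding> = users.iter().map(|u| workspace_binding(&format!("user-{u}"))).collect();
    (roles, bindings)
}

/// What alice's workspace-sa (namespace user-alice) may do on a given object.
pub fn alice_can(roles: &[Role], bindings: &[RoleBinding], namespace: &str, resource: &str, name: &str, verb: &str) -> bool {
    can_i(roles, bindings, &AccessRequest { sa: "workspace-sa", sa_namespace: "user-alice", namespace, api_group: "", resource, name, verb })
}

fn main() {
    let (roles, bindings) = provision_rbac(&["alice", "bob"]);
    for (ns, res, name, verb) in [
        ("user-alice", "pods", "workspace", "get"),
        ("user-bob", "pods", "workspace", "get"),
        ("user-alice", "secrets", "jwt-secret", "get"),
        ("user-alice", "secrets", "other-secret", "get"),
        ("coditect-app", "pods", "api", "list"),
    ] {
        println!("alice/workspace-sa {verb} {res}/{name} in {ns}: {}", alice_can(&roles, &bindings, ns, res, name, verb));
    }
}
```

Against a live cluster the same probes are `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:user-alice:workspace-sa -n <namespace>`, which is the check to script into the Phase 4 RBAC verification.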
### Identity Mapping

Google IAM to Kubernetes RBAC:

```
User Email (user@example.com)
  │
  ├─> Backend API: Validate JWT
  │     └─> JWT contains: user_id, email, tenant_id
  │
  ├─> Kubernetes: Map to ServiceAccount
  │     └─> ServiceAccount: workspace-sa in user-{user_id} namespace
  │
  └─> RBAC: Enforce via RoleBinding
        └─> RoleBinding: workspace-sa → workspace-access role
```
## Storage Architecture

### Persistent Volume Claims (Per-User)

Purpose: User files, IDE settings, project data

PVC Specification:

```yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: workspace-storage
  namespace: user-{user_id}
spec:
  accessModes:
    - ReadWriteOnce          # Single pod can mount (not shared)
  storageClassName: standard-rwo   # GCE Persistent Disk (SSD)
  resources:
    requests:
      storage: 50Gi
```

Storage Lifecycle:

```
User Registration → PVC Created (50GB)
        │
        ▼
Pod Mounts PVC → /workspace directory
        │
        ▼
User edits files → Writes to /workspace → Persists to GCE PD
        │
        ▼
Pod deleted (idle) → PVC remains intact
        │
        ▼
Pod recreated → Remounts same PVC → Files restored
        │
        ▼
Account deleted → PVC deleted → Data purged
```
### Storage Classes

Available Options:

| StorageClass | Backend | Performance | Cost | Use Case |
|---|---|---|---|---|
| standard-rwo | Standard PD | Good | Low | Default (recommended) |
| premium-rwo | SSD PD | Excellent | Medium | Power users, large projects |
| filestore-rwx | Google Filestore (NFS) | Good | High | Multi-pod access (future) |

Cost Estimation (50GB per user):
- Standard PD: $0.04/GB/month = $2.00/user/month
- Premium SSD: $0.17/GB/month = $8.50/user/month

For 1000 users:
- Standard: $2,000/month
- Premium: $8,500/month
### FoundationDB Storage

Purpose: Session metadata, file snapshots, LLM history

Data Model:

Key Structure:

```
tenant/{tenant_id}/user/{user_id}/profile
tenant/{tenant_id}/user/{user_id}/sessions/{session_id}
tenant/{tenant_id}/user/{user_id}/files/{file_path}/metadata
tenant/{tenant_id}/user/{user_id}/files/{file_path}/snapshots/{timestamp}
tenant/{tenant_id}/user/{user_id}/llm_history/{conversation_id}/messages
```

Example Keys:

```
tenant/org-123/user/alice-456/profile
tenant/org-123/user/alice-456/sessions/session-789
tenant/org-123/user/alice-456/files/workspace/main.rs/metadata
tenant/org-123/user/alice-456/files/workspace/main.rs/snapshots/1696809600
tenant/org-123/user/alice-456/llm_history/conv-abc/messages
```

Data Separation:
- Hot data (active sessions): FoundationDB (low latency)
- Warm data (file content): PVC (block storage)
- Cold data (snapshots, archives): Cloud Storage (object storage)
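Because FoundationDB sees only byte strings, the tenant/user separation in the key structure above exists only as far as the client builds keys and range reads consistently. The following is an added example, not the project's code, of a key builder for that layout together with the `[begin, end)` bounds a per-user scan would use (FDB's `strinc` rule for the end of a prefix range). `UserKeys`, `user_range`, `strinc`, `in_range` and `KeyError` are names assumed here; the key shapes are the ones listed above. Two details the layout depends on are enforced in the builder: identifiers that form a path segment may not contain `/` (otherwise a crafted user id could form keys under another user's prefix), and the user prefix ends in `/` so that `alice-456` and `alice-4567` never overlap in a range read.

```rust
// Added example (not the project's code): builder and range bounds for the
// tenant/user key layout, with separator validation on identifiers.
use std::fmt;

#[derive(Debug, PartialEq)]
pub enum KeyError {
    /// An identifier was empty or contained the '/' separator.
    BadIdentifier(String),
}

impl fmt::Display for KeyError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            KeyError::BadIdentifier(id) => write!(f, "invalid key identifier: {id:?}"),
        }
    }
}

/// Identifiers become single path segments, so they may not carry the separator.
fn checked(id: &str) -> Result<&str, KeyError> {
    if id.is_empty() || id.contains('/') {
        Err(KeyError::BadIdentifier(id.to_string()))
    } else {
        Ok(id)
    }
}

/// All keys for one (tenant, user) pair hang off `prefix`, which ends in '/'.
#[derive(Debug)]
pub struct UserKeys {
    prefix: String,
}

impl UserKeys {
    pub fn new(tenant_id: &str, user_id: &str) -> Result<Self, KeyError> {
        let prefix = format!("tenant/{}/user/{}/", checked(tenant_id)?, checked(user_id)?);
        Ok(UserKeys { prefix })
    }
    pub fn prefix(&self) -> &str {
        &self.prefix
    }
    pub fn profile(&self) -> String {
        format!("{}profile", self.prefix)
    }
    pub fn session(&self, session_id: &str) -> Result<String, KeyError> {
        Ok(format!("{}sessions/{}", self.prefix, checked(session_id)?))
    }
    /// File paths legitimately contain '/'; they sit between the fixed
    /// "files/" segment and a fixed suffix, so they cannot leave the prefix.
    pub fn file_metadata(&self, file_path: &str) -> String {
        format!("{}files/{}/metadata", self.prefix, file_path)
    }
    pub fn file_snapshot(&self, file_path: &str, timestamp: u64) -> String {
        format!("{}files/{}/snapshots/{}", self.prefix, file_path, timestamp)
    }
    pub fn llm_messages(&self, conversation_id: &str) -> Result<String, KeyError> {
        Ok(format!("{}llm_history/{}/messages", self.prefix, checked(conversation_id)?))
    }
}

/// Exclusive upper bound of every key that starts with `prefix`: strip
/// trailing 0xFF bytes, then increment the last byte (FDB's strinc).
pub fn strinc(prefix: &[u8]) -> Vec<u8> {
    let mut end = prefix.to_vec();
    while end.last() == Some(&0xFF) {
        end.pop();
    }
    if let Some(last) = end.last_mut() {
        *last += 1;
    }
    end
}

/// [begin, end) byte range covering exactly one user's keys.
pub fn user_range(keys: &UserKeys) -> (Vec<u8>, Vec<u8>) {
    let begin = keys.prefix().as_bytes().to_vec();
    let end = strinc(&begin);
    (begin, end)
}

/// Bytewise lexicographic containment, matching FDB's key ordering.
pub fn in_range(key: &str, range: &(Vec<u8>, Vec<u8>)) -> bool {
    let k = key.as_bytes();
    range.0.as_slice() <= k && k < range.1.as_slice()
}

fn main() {
    let alice = UserKeys::new("org-123", "alice-456").expect("valid ids");
    let range = user_range(&alice);
    println!("profile key: {}", alice.profile());
    println!("range end:   {}", String::from_utf8_lossy(&range.1));
    println!("rejected:    {:?}", UserKeys::new("org-123", "alice/../bob").err());
}
```

The range end for `tenant/org-123/user/alice-456/` is `tenant/org-123/user/alice-4560`, since `'/' + 1 == '0'`; every key under the prefix sorts below it and every other user's keys sort outside it.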
## Implementation Details

### Technology Choices
| Component | Technology | Rationale |
|---|---|---|
| Frontend | React 18 + Chakra UI | Mature ecosystem, V4 compatibility |
| Backend | Rust + Actix-web | Performance, safety, async |
| Database | FoundationDB 7.1 | ACID transactions, multi-tenant |
| Storage | GCE Persistent Disk | Reliable, cost-effective |
| Container Runtime | containerd (GKE) | Industry standard |
| Provisioning | Rust + kube-rs | Type safety, performance |
| WebSocket | Rust + Tokio-tungstenite | Async, efficient |
### Container Images

1. Frontend (coditect-frontend:latest):

```dockerfile
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build

FROM nginx:alpine
COPY --from=builder /app/dist /usr/share/nginx/html
COPY nginx.conf /etc/nginx/nginx.conf
EXPOSE 80
```

2. Backend API (coditect-v5-api:latest):

```dockerfile
FROM rust:1.90 AS builder
RUN apt-get update && apt-get install -y clang libclang-dev
RUN curl -LO https://github.com/apple/foundationdb/releases/download/7.1.27/foundationdb-clients_7.1.27-1_amd64.deb && \
    dpkg -i foundationdb-clients_7.1.27-1_amd64.deb
WORKDIR /app
# Cargo looks for "Cargo.toml" (capital C); the name is case-sensitive on Linux
COPY Cargo.toml ./
# Build a stub binary first so the dependency layer is cached independently of the source
RUN mkdir src && echo "fn main() {}" > src/main.rs && cargo build --release && rm -rf src
COPY src ./src
# Refresh the mtime so cargo does not reuse the stub build when COPY preserves older timestamps
RUN touch src/main.rs && cargo build --release

FROM debian:bookworm-slim
# bookworm-slim does not ship curl; install it with ca-certificates before fetching the FDB client package
RUN apt-get update && apt-get install -y ca-certificates curl && \
    curl -LO https://github.com/apple/foundationdb/releases/download/7.1.27/foundationdb-clients_7.1.27-1_amd64.deb && \
    dpkg -i foundationdb-clients_7.1.27-1_amd64.deb && \
    rm -f foundationdb-clients_7.1.27-1_amd64.deb && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /app
COPY --from=builder /app/target/release/api-server /app/api-server
COPY fdb.cluster /app/fdb.cluster
ENV FDB_CLUSTER_FILE=/app/fdb.cluster
EXPOSE 8080
CMD ["/app/api-server"]
```

3. Theia Workspace (t2-workspace-theia:latest):

```dockerfile
FROM theia/theia:1.65.0
USER root
RUN apt-get update && apt-get install -y \
    git curl wget vim nano build-essential python3 python3-pip nodejs npm
USER theia
WORKDIR /workspace
EXPOSE 3000
CMD ["node", "/theia/packages/cli/lib/backend/main.js", "--hostname=0.0.0.0", "--port=3000"]
```

4. WebSocket Gateway (websocket-gateway:latest):

```dockerfile
FROM rust:1.90 AS builder
# (Same FDB client setup as backend)
WORKDIR /app
COPY websocket-gateway/ .
RUN cargo build --release

FROM debian:bookworm-slim
# (Same FDB runtime setup as backend)
WORKDIR /app
COPY --from=builder /app/target/release/websocket-gateway /app/websocket-gateway
EXPOSE 8765
CMD ["/app/websocket-gateway"]
```
## Deployment Strategy

### Phase 1: Backend API Deployment (COMPLETE)
Status: Backend API deployed to GKE, pods currently CrashLoopBackOff (FDB connection issue)
Next Steps: Debug FDB connectivity from pods
### Phase 2: Provisioning Controller (NEXT)
Tasks:
- Build controller Docker image
- Deploy to GKE (single pod in coditect-app namespace)
- Grant ServiceAccount cluster-admin (or scoped RBAC)
- Test manual provisioning (kubectl apply)
- Integrate with backend API (webhook)
Timeline: 2-3 days
### Phase 3: Frontend Integration
Tasks:
- Build React wrapper with theia embed
- Implement JWT authentication flow
- Add session management UI
- Deploy frontend to GKE
- Update Ingress routes
Timeline: 3-4 days
### Phase 4: E2E Testing & Production
Tasks:
- Test full user registration β provisioning β IDE access flow
- Load testing (100 concurrent users)
- Security audit (RBAC verification)
- Monitoring setup (Cloud Logging, Prometheus)
- Production rollout (blue-green deployment)
Timeline: 3-5 days
## References

### Internal Documents
- Deployment Tracker - Live deployment progress
- Deployment Guide - Complete GCP/GKE reference
- Execution Order - Phase-by-phase implementation plan
- Infrastructure Roadmap - Known issues and fixes
### External References (GCP/GKE)
- GKE Persistent Volumes
- GKE RBAC Best Practices
- Kubernetes Multi-Tenancy
- FoundationDB Kubernetes Operator
### Research Documents
- Google GCP GKE Persistent Containers with Pods - Patterns and best practices
Document Version: 1.0
Last Updated: 2025-10-07
Maintained By: Coditect Engineering Team