feature: lock down code-server (extensions, settings, no AI)

LuukBlankenstijn · claude · LuukBlankenstijn · commit bb912784e00f · 2026-06-03T22:10:42.000+02:00
* Pre-install a configurable list of extensions via init container into a
  per-pod emptyDir; main container reads from the same dir via
  --extensions-dir, so the extensions present are exactly what the chart
  ships.
* Render values.codeServer.settings into a settings.json ConfigMap and
  mount it as the user's settings file. Defaults set dark theme, turn off
  telemetry, hide AI/chat surfaces, and silence extension auto-update and
  recommendation prompts.
* Set EXTENSIONS_GALLERY={} so the marketplace returns nothing in the UI,
  effectively hiding install buttons while leaving the Extensions sidebar
  visible for the pre-installed ones.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/Chart.yaml b/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.4
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/templates/code-server-deployment.yaml b/templates/code-server-deployment.yaml
@@ -17,14 +17,37 @@ spec:
       labels:
         {{- include "static-webhost.componentSelectorLabels" (dict "Context" . "Component" "code-server") | nindent 8 }}
     spec:
+      securityContext:
+        fsGroup: 1000
+      {{- with .Values.codeServer.extensions }}
+      initContainers:
+        - name: install-extensions
+          image: "{{ $.Values.codeServer.image.repository }}:{{ $.Values.codeServer.image.tag }}"
+          imagePullPolicy: {{ $.Values.codeServer.image.pullPolicy }}
+          command:
+            - sh
+            - -c
+            - |
+              set -e
+              {{- range . }}
+              code-server --extensions-dir /extensions --install-extension {{ . | quote }}
+              {{- end }}
+          volumeMounts:
+            - name: extensions
+              mountPath: /extensions
+      {{- end }}
       containers:
         - name: code-server
           image: "{{ .Values.codeServer.image.repository }}:{{ .Values.codeServer.image.tag }}"
           imagePullPolicy: {{ .Values.codeServer.image.pullPolicy }}
           args:
             - --bind-addr=0.0.0.0:8080
             - --auth=none
+            - --extensions-dir=/extensions
             - /srv
+          env:
+            - name: EXTENSIONS_GALLERY
+              value: "{}"
           ports:
             - name: http
               containerPort: 8080
@@ -33,6 +56,11 @@ spec:
             - name: data
               mountPath: /srv
               subPath: site
+            - name: extensions
+              mountPath: /extensions
+            - name: settings
+              mountPath: /home/coder/.local/share/code-server/User/settings.json
+              subPath: settings.json
           {{- with .Values.codeServer.resources }}
           resources:
             {{- toYaml . | nindent 12 }}
@@ -41,3 +69,8 @@ spec:
         - name: data
           persistentVolumeClaim:
             claimName: {{ include "static-webhost.fullname" . }}-data
+        - name: extensions
+          emptyDir: {}
+        - name: settings
+          configMap:
+            name: {{ include "static-webhost.fullname" . }}-code-server-settings
diff --git a/templates/code-server-settings-configmap.yaml b/templates/code-server-settings-configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "static-webhost.fullname" . }}-code-server-settings
+  labels:
+    {{- include "static-webhost.labels" . | nindent 4 }}
+    app.kubernetes.io/component: code-server
+data:
+  settings.json: |
+    {{- .Values.codeServer.settings | toPrettyJson | nindent 4 }}
diff --git a/values.yaml b/values.yaml
@@ -47,6 +47,27 @@ codeServer:
     tag: latest
     pullPolicy: IfNotPresent
   resources: {}
+  # Extensions pre-installed by an init container into a per-pod emptyDir.
+  # The marketplace UI is disabled at runtime (EXTENSIONS_GALLERY={}), so the
+  # user can only run what we ship here.
+  extensions:
+    - bmewburn.vscode-intelephense-client
+    - dbaeumer.vscode-eslint
+    - esbenp.prettier-vscode
+  # VS Code user settings rendered into settings.json. Defaults enforce dark
+  # theme, no AI/telemetry, and silence extension recommendations/auto-update.
+  # Override or add keys here.
+  settings:
+    workbench.colorTheme: Default Dark Modern
+    telemetry.telemetryLevel: "off"
+    chat.commandCenter.enabled: false
+    chat.agent.enabled: false
+    chat.editing.enabled: false
+    inlineChat.enabled: false
+    workbench.welcomePage.walkthroughs.openOnInstall: false
+    extensions.autoUpdate: false
+    extensions.autoCheckUpdates: false
+    extensions.ignoreRecommendations: true
 
 # Caddy — serves the shared volume as static files.
 caddy:
