Gerrit
Supported on Enterprise plans.
Available via the Web app.
This feature is in beta and might change in the future.
A Gerrit instance can be connected to Sourcegraph as follows:
Configure Gerrit as a code host connection
- In the Site Admin settings area, select Manage code hosts from the options on the left and select the Add code host option.
- On the following screen, select Gerrit as the code host of choice.
- Next you will have to provide a configuration for the Gerrit code host connection. Here is an example configuration:
JSON{ "url": "https://gerrit.example.com/", // Be sure to add a trailing slash "username": "<username>", "password": "<password>", "projects": [ // If not set, all projects on the Gerrit instance will be mirrored "docs", "kubernetes/kubernetes" ], "exclude": [ // If not set, no repositories will be excluded. Takes precedence over the `projects` option { "name": "docs" } // Despite "docs" being specified in "projects", this setting will override it and exclude the "docs" project ], "authorization": {} // Marks all repositories as private. Users will be required to present valid Gerrit HTTP credentials in order to view repositories }
- The provided
usernameandpasswordmust be the HTTP credentials of an account on Gerrit that has access to all the repositories that need to be cloned. See the Gerrit HTTP documentation for details on how to generate HTTP credentials. - Select Add Repositories to create the connection. Sourcegraph will start mirroring the specified projects.
If you added the "authorization": {} option to the configuration, and this is the first Gerrit code host connection you have created for this Gerrit instance, you might see a warning like this:
Simply follow the steps in the next section to configure a Gerrit authentication provider.
Clone using SSH
To clone using SSH, provide "gitSSHCredential" in the configuration:
JSON{ "url": "https://gerrit.example.com/", "username": "<username>", "password": "<password>", "projects": [ "docs", "kubernetes/kubernetes" ], "gitSSHCredential": { "privateKey": "..." // base64 encoded private key that will be used for cloning }, "authorization": {} }
Add Gerrit as an authentication provider
If the "authorization": {} option has been set on a Gerrit code host connection, a Gerrit authentication provider will be required so that authroized users are able to search for and browse the code mirrored by that code host connection.
- In the Site Admin settings area, select Site configuration from the options on the left.
- Add a Gerrit configuration to the list of
"auth.providers".
- Here is an example configuration:
JSON{ "type": "gerrit", "url": "https://gerrit.example.com/" // This must match the URL of the code host connection. Be sure to add a trailing slash }
- Save the configuration. If there was a warning at the top of the page, it should now disappear.
Users should now be able to authenticate their Sourcegraph accounts using their Gerrit HTTP credentials.
Have users authenticate their Sourcegraph accounts using their Gerrit HTTP credentials
After configuring Gerrit as a code host connection and adding Gerrit as an authentication provider, users will be able to authenticate their Sourcegraph accounts using their Gerrit HTTP credentials:
As a user:
- Visit your user settings page and select Account security from the options on the left.
- Gerrit should appear in the list of accounts you are able to connect. If it does not appear, try refreshing the page.
- Select the Add option next to Gerrit.
- Provide your Gerrit username and HTTP password. If you are unsure of how to generate an HTTP password, see the Gerrit HTTP documentation.
- Once your Gerrit credentials are verified, you'll be able to view your private Gerrit projects within Sourcegraph! If you cannot immediately see any projects you should have access to, try giving it some time, as it can take a while for your Gerrit permissions to reflect on Sourcegraph if there is a high volume of users on the system.
Configuration
Gerrit connections support the following configuration options, which are specified in the JSON editor in the site admin "Manage code hosts" area.
admin/code_hosts/gerrit.schema.json
JSON{ // If non-null, enforces Gerrit repository permissions. This requires that there is an item in the [site configuration json](https://sourcegraph.com/docs/admin/config/site_config#auth-providers) `auth.providers` field, of type "gerrit" with the same `url` field as specified in this `GerritConnection`. "authorization": null, // The password associated with the Gerrit username used for authentication. "password": null, // An array of project strings specifying which Gerrit projects to mirror on Sourcegraph. If empty, all projects will be mirrored. "projects": null, // Other example values: // - ["name","owner/name"] // - [ // "docs", // "kubernetes/kubernetes", // "golang/go", // "facebook/react" // ] // A list of repositories to never mirror from this Gerrit instance. Takes precedence over \"projects\" configuration. // // Supports excluding by name ({"name": "owner/name"}) "exclude": null, // Other example values: // - [ // { // "name": "docs" // }, // { // "name": "php/php-src" // } // ] // URL of a Gerrit instance, such as https://gerrit.example.com. "url": null, // Other example values: // - "https://gerrit.example.com" // A username for authentication withe the Gerrit code host. "username": null }
Configuration Notes
HTTP Credentials Setup
Gerrit requires HTTP credentials for API access and repository cloning:
- Generate credentials in Gerrit web UI under Settings → HTTP Credentials
- The configured user must have access to all repositories that need to be mirrored
- HTTP credentials are separate from Gerrit user passwords
Project vs Repository Mirroring
Gerrit organizes code in projects, not individual repositories:
- Use
"projects": ["docs", "kubernetes/kubernetes"]to specify which projects to mirror - If
projectsis empty or omitted, all projects on the Gerrit instance will be mirrored - Project names follow the format shown in Gerrit's project list
Authentication and Authorization
The authorization field controls access to private repositories:
- Include
"authorization": {}to mark all repositories as private - Requires corresponding Gerrit authentication provider in site configuration
- Users must authenticate with their Gerrit HTTP credentials to access repositories
Security Considerations
Access Control
- Private Repository Access: Enable authorization to enforce Gerrit permissions in Sourcegraph
- Authentication Provider Required: Configure Gerrit as an auth provider when using authorization
- User Permission Sync: Sourcegraph respects Gerrit's project-level access controls
Credential Management
- Service Account: Use a dedicated Gerrit account with appropriate permissions for mirroring
- HTTP Credentials: Store HTTP username and password securely using Sourcegraph's secret management
- SSH Keys: For SSH cloning, ensure private keys are base64 encoded and securely stored
Network Security
- HTTPS Communication: Always use HTTPS URLs for Gerrit connections
- SSH Configuration: If using SSH, properly manage SSH keys and known_hosts configuration
- Firewall Rules: Ensure Sourcegraph can reach Gerrit endpoints on required ports
Permission Synchronization
- Real-time Sync: User permissions may take time to synchronize from Gerrit
- Access Validation: Users without proper Gerrit access will be denied repository access
- Project-Level Control: Permissions are enforced at the Gerrit project level
Common Examples
Basic Public Repository Setup
JSON{ "url": "https://gerrit.example.com/", "username": "sourcegraph-service", "password": "http-credentials-password", "projects": [ "public-docs", "open-source-project" ] }
Private Repository with Authorization
JSON{ "url": "https://gerrit.example.com/", "username": "sourcegraph-service", "password": "http-credentials-password", "projects": [ "internal/backend", "internal/frontend", "shared/libraries" ], "authorization": {} }
SSH-Based Cloning
JSON{ "url": "https://gerrit.example.com/", "username": "sourcegraph-service", "password": "http-credentials-password", "projects": [ "docs", "kubernetes/kubernetes" ], "gitSSHCredential": { "privateKey": "LS0tLS1CRUdJTi5CRUdJTiBPUE..." }, "authorization": {} }
Selective Project Exclusion
JSON{ "url": "https://gerrit.example.com/", "username": "sourcegraph-service", "password": "http-credentials-password", "projects": [ "active-project-1", "active-project-2", "legacy-project" ], "exclude": [ {"name": "legacy-project"} ] }
Best Practices
Setup and Configuration
- Service Account: Create a dedicated Gerrit account for Sourcegraph with minimal required permissions
- Project Selection: Be selective about which projects to mirror to avoid unnecessary resource usage
- URL Consistency: Ensure the Gerrit URL in code host config matches the auth provider URL exactly
Authentication Management
- Auth Provider Setup: Always configure Gerrit authentication provider when using authorization
- User Onboarding: Educate users on how to connect their Gerrit accounts to Sourcegraph
- Permission Testing: Test that users can access appropriate repositories after connecting accounts
Performance Optimization
- Selective Mirroring: Use specific project lists rather than mirroring all projects
- Exclusion Patterns: Use exclude rules to skip archived or inactive projects
- Connection Monitoring: Monitor Gerrit API usage and response times
Operational Considerations
- Credential Rotation: Implement regular rotation of HTTP credentials
- Permission Sync Monitoring: Monitor user permission synchronization status
- Project Changes: Update project lists when new projects are created or old ones archived
Troubleshooting
- Connection Issues: Verify HTTP credentials and Gerrit instance accessibility
- Missing Projects: Check project names match exactly as shown in Gerrit
- Permission Problems: Ensure auth provider configuration matches code host URL
- User Access Issues: Verify users have connected their Gerrit accounts and permissions have synced