Private network configuration
A private network refers to a secure network environment segregated from the public internet, designed to facilitate internal communications and operations within an organization. This network setup restricts external access, enhancing security and control over data flow by limiting exposure to external threats and unauthorized access.
When deploying self-hosted Sourcegraph instances in private networks with specific compliance and policy requirements, additional configuration may be required to ensure all networking features function correctly. The reasons for applying the following configuration options depend on the specific functionality of the Sourcegraph service and the unique network and infrastructure requirements of the organization.
The following is a list of Sourcegraph services and how and when each initiates outbound connections to external services:
- executor: Sourcegraph Executor batch change or precise indexing jobs may need to connect to services hosted within an organization's private network
- frontend: The frontend service communicates externally when connecting to external auth providers, sending telemetry data, testing code host connections, and connecting to externally hosted Sourcegraph services
- gitserver: Executes git commands against externally hosted code hosts
- migrator: Connects to Postgres instances (which may be externally hosted) to process database migrations
- repo-updater: Communicates with code hosts APIs to coordinate repository synchronization
- worker: Sourcegraph Worker run various background jobs that may require establishing connections to services hosted within an organization's private network
HTTP proxy configuration
All Sourcegraph services respect the conventional HTTP_PROXY
, HTTPS_PROXY
, and NO_PROXY
environment variables for routing Sourcegraph client application HTTP traffic through a proxy server. The steps for configuring proxy environment variables will depend on your Sourcegraph deployment method.
Kubernetes Helm
Add the proxy environment variables to your Sourcegraph Helm chart override file:
YAMLexecutor|frontend|gitserver|migrator|repo-updater|worker: env: - name: HTTP_PROXY value: http://proxy.example.com:8080 - name: HTTPS_PROXY value: http://proxy.example.com:8080 - name: NO_PROXY value: "blobstore,codeinsights-db,codeintel-db,sourcegraph-frontend-internal,sourcegraph-frontend,github-proxy,gitserver,grafana,indexed-search-indexer,indexed-search,jaeger-query,pgsql,precise-code-intel-worker,prometheus,redis-cache,redis-store,repo-updater,searcher,symbols,syntect-server,worker-executors,worker,cloud-sql-proxy,localhost,127.0.0.1,.svc,.svc.cluster.local,kubernetes.default.svc"
NO_PROXY
correctly can cause the proxy configuration to interfere with local networking between internal Sourcegraph services.Using private CA root certificates
Some organizations maintain a private Certificate Authority (CA) for issuing certificates within their private network. When Sourcegraph connects to TLS encrypted service using a self-signed certificate that it does not trust, you will observe an x509: certificate signed by unknown authority
error message in logs.
In order for Sourcegraph to respect an organization's self-signed certificates, the private CA root certificate(s) will need to be appended to Sourcegraph's trusted CA root certificate list in /etc/ssl/certs/ca-certificates.crt
.
Configuring sourcegraph-frontend to recognize private CA root certificates
The following details the process for setting up the sourcegraph-frontend to acknowledge and trust a private CA root certificate for Sourcegraph instances deployed using Helm. For any other Sourcegraph service that needs to trust an organization's private CA root certificate (including gitserver, repo-updater, or migrator), similar steps will need to be followed.
- Copy out the existing
ca-certificates.crt
file from the sourcegraph-frontend container:
SHkubectl cp $(kubectl get pod -l app=sourcegraph-frontend -o jsonpath='{.items[0].metadata.name}'):/etc/ssl/certs/ca-certificates.crt sourcegraph-frontend-ca-certificates.crt
- Concatenate the private CA root certificate to the
sourcegraph-frontend-ca-certificates.crt
file:
SHcat sourcegraph-frontend-ca-certificates.crt {private-ca-certificate.crt file} > ca-certificates.crt
- Create a new Kubernetes ConfigMap containing the concatenated
ca-certificates.crt
file:
SHkubectl create configmap sourcegraph-frontend-ca-certificates --from-file=ca-certificates.crt
- Mount the
sourcegraph-frontend-ca-certificates
ConfigMap to the sourcegraph-frontend Deployment:
YAMLfrontend: extraVolumes: - name: ca-certificates configMap: name: sourcegraph-frontend-ca-certificates extraVolumeMounts: - name: ca-certificates mountPath: /etc/ssl/certs/
Once deployed, you should see the private CA root certificate in the sourcegraph-frontend container's /etc/ssl/certs/ca-certificates.crt
file.
SHkubectl exec -it $(kubectl get pod -l app=sourcegraph-frontend -o jsonpath='{.items[0].metadata.name}') -- tail /etc/ssl/certs/ca-certificates.crt
You can verify that the self-signed certificate is trusted using curl
:
SHkubectl exec -it $(kubectl get pod -l app=sourcegraph-frontend -o jsonpath='{.items[0].metadata.name}') -- curl -v {https://internal.service.example.com} > /dev/null