Code hosts on GCP without public access
As part of the Enterprise tier, Sourcegraph Cloud supports connecting to customer dependencies on GCP using GCP Private Service Connect. It creates a secure connection between customer GCP project and Sourcegraph Cloud instance, so that access to a private resource never occurs over the public internet.
When a customer has private dependencies inside the GCP and needs to expose it for Sourcegraph Cloud instance, please reach out to your account manager to initiate the process.
How it works
Sourcegraph supports connecting to private dependencies on GCP using GCP Private Service Connect (PSC). It is used to securely expose and connect services across the project boundary within GCP.
The customer is the Service Producer (the "producer"), and the Sourcegraph Cloud instance is the Service Consumer (the "consumer"). PSC can expose an internal regional load balancer for the private resource to the consumer. The consumer can then connect to the private resource over PSC transparently on their Sourcegraph Cloud instance.
Limitation
Cross-region connectivity is not supported by Google Cloud for Private Service Connect. The Sourcegraph Cloud instance and the customer code host must be in the same region, learn more from our supported regions.
Steps
Initiate the process
Customers should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information and initiate the process, including but not limited to:
- The DNS name of the private code host, e.g., gitlab.internal.company.net.
- The region of the private code host on GCP, e.g., us-central1.
- The type of TLS certificate used by the private resource: either self-signed by an internal private CA or issued by a public CA.
- The location of where the TLS connection is terminated, one of the load balancer, or the private code host node.
Finally, Sourcegraph will provide the following:
- A reference architecture in Terraform to demonstrate the setup on customer end.
- The GCP Project ID of the Sourcegraph Cloud instance.
Create Private Service Connect connection
Customer should publish their services using PSC by following the GCP documentation. The customer needs to permit connection from the provided GCP Project ID earlier. The customer needs to provide the [Service Attachment] URI to Sourcegraph. The Service Attachment URI is in the format of projects/:id/regions/:region/serviceAttachments/:name.
Upon receiving the Service Attachment URI, Sourcegraph will create a connection to the customer service using PSC, and Sourcegraph will follow up with the customer to confirm the connection is established.
Create the code host connection
Once the connection is established, the customer can create the code host connection on their Sourcegraph Cloud instance.
Verify artifact registries are working
Once the connection to private artifact registry is established, customer might then verify that auto-indexing is working with private registry dependencies by configuring auto-indexing
FAQ
How can I restrict access to my private resource connection?
The customer has full control over the access to the Service Attachment by configuring the accept and reject lists. Sourcegraph will provide the GCP Project ID to be added to the accept list.
Additionally, you may terminate the connection at any point. You can do so by running:
SHgcloud compute service-attachments delete [SERVICE_ATTACHMENT_NAME] --region=[REGION] --project=[YOUR_PROJECT_ID]
Learn more from documentation of gcloud compute service-attachments delete and management of published services.
How secure is the connection?
All traffic between the producer and consumer is encrypted in transit. You may learn more from Google's whitepaper about encryption in transit and Sourcegraph's security practices.
What are the next steps when artifact registry connectivity is working?
Only if the private artifact registry is protected by authentication, the customer will need to:
- Create executor secrets containing credentials for Sourcegraph to access the private artifact registry - how to configure executor secrets
- Update auto-indexing inference configuration to create additional files from executor secrets for the given programming language - how to configure auto-indexing
Can I use self-signed TLS certificate for my private resources?
Yes. Please work with your account team to add the certificate chain of your internal CA to site configuration at experimentalFeatures.tls.external.certificates.