This document will take you through how to set up an HTTPS connection using the preinstalled Ingress controller, which allows external users to access your main web server over the network. It installs rules for the default ingress; see the comments to restrict it to a specific host. This is our recommended method to configure network access for production environments.
- This document assumes that your Sourcegraph instance is deployed into a Kubernetes cluster and that ingress has already been installed for sourcegraph-frontend (by default).
WARNING: Please visit our Kubernetes Configuration Docs for more details on network-related topics.
Install the NGINX ingress controller by following the instructions at https://kubernetes.github.io/ingress-nginx/deploy/
For example, a GCE-GKE user would run the following command to install the NGINX ingress controller:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml
Add the configure/ingress-nginx/install.sh command to the create-new-cluster.sh file at root, and commit the change. Your file should look similar to this:
echo ./configure/ingress-nginx/install.sh >> create-new-cluster.sh
./kubectl-apply-all.sh $@
You should be able to access Sourcegraph using the external address returned by the following command:
$ kubectl -n ingress-nginx get svc
NAME                                 TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.XX.8.XXX   XX.XXX.XXX.XX   80:32695/TCP,443:31722/TCP   5d13h
ingress-nginx-controller-admission   ClusterIP      10.XX.8.X     <none>          443/TCP                      5d13h
After your Sourcegraph instance is exposed via an ingress controller, you should consider using TLS so that all traffic will be served over HTTPS.
Place the newly created certificate and private key in a secure place. We will be using .envrc/private.key and .envrc/public.pem in this example.
Create a TLS secret that contains your TLS certificate and private key by running the following command:
kubectl create secret tls sourcegraph-tls --key .envrc/private.key --cert .envrc/public.pem
NOTE: You can delete it by running:
kubectl delete secret sourcegraph-tls
Add the previous command to the create-new-cluster.sh file at root, and commit the change. Your file should look similar to this:
echo ./configure/ingress-nginx/install.sh >> create-new-cluster.sh
echo kubectl create secret tls sourcegraph-tls --key .envrc/private.key --cert .envrc/public.pem >> create-new-cluster.sh
./kubectl-apply-all.sh $@
Add the tls configuration to the base/frontend/sourcegraph-frontend.Ingress.yaml file by uncommenting the tls section, and replace sourcegraph.example.com with your domain.
NOTE: It must be a DNS name, not an IP address.
# base/frontend/sourcegraph-frontend.Ingress.yaml
tls:
- hosts:
  # Replace 'sourcegraph.example.com' with the real domain that you want to use for your Sourcegraph instance.
  - sourcegraph.example.com
  secretName: sourcegraph-tls
rules:
- http:
    paths:
    - path: /
      backend:
        serviceName: sourcegraph-frontend
        servicePort: 30080
  # Replace 'sourcegraph.example.com' with the real domain that you want to use for your Sourcegraph instance.
  host: sourcegraph.example.com
Update your externalURL in the site configuration to e.g. https://sourcegraph.example.com:
{
  "externalURL": "https://sourcegraph.example.com"
}
Apply the previous changes to the ingress with the following command:
kubectl apply -f base/frontend/sourcegraph-frontend.Ingress.yaml
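A consistency check for the three pieces this procedure edits (the Ingress tls section, the rule host and externalURL), as an added example that is not part of the original documentation or Sourcegraph's own tooling. It assumes the Ingress is supplied as a parsed JSON object, such as the output of `kubectl get ingress sourcegraph-frontend -o json`; the resource name and the function names `is_ip`, `covers` and `lint` are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def covers(pattern, host):
    """True if a tls.hosts entry (exact name or '*.domain') covers host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):  # a wildcard covers exactly one extra label
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def lint(ingress, external_url, secret="sourcegraph-tls"):
    """Return a list of findings; an empty list means the pieces agree."""
    spec, findings, tls_hosts = ingress.get("spec", {}), [], []
    for entry in spec.get("tls", []):
        if entry.get("secretName") != secret:
            findings.append(f"tls entry uses secret {entry.get('secretName')!r}, expected {secret!r}")
        tls_hosts += entry.get("hosts", [])
    findings += [f"tls host {h!r} is an IP address, not a DNS name" for h in tls_hosts if is_ip(h)]
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host is None:
            findings.append("rule has no host: it applies to every hostname reaching the controller")
        elif not any(covers(p, host) for p in tls_hosts):
            findings.append(f"rule host {host!r} is not listed under tls.hosts")
    url = urlsplit(external_url)
    if url.scheme != "https":
        findings.append(f"externalURL scheme is {url.scheme!r}, expected 'https'")
    if not any(covers(p, url.hostname or "") for p in tls_hosts):
        findings.append(f"externalURL host {url.hostname!r} is not listed under tls.hosts")
    return findings

# Constructed sample: the manifest from this page in the shape kubectl prints as JSON.
GOOD = {"spec": {
    "tls": [{"hosts": ["sourcegraph.example.com"], "secretName": "sourcegraph-tls"}],
    "rules": [{"host": "sourcegraph.example.com", "http": {"paths": [{"path": "/",
        "backend": {"serviceName": "sourcegraph-frontend", "servicePort": 30080}}]}}]}}
# Constructed bad variant: an IP address as the TLS host and a rule without a host.
BAD = {"spec": {"tls": [{"hosts": ["203.0.113.10"], "secretName": "sourcegraph-tls"}],
                "rules": [{"http": {"paths": []}}]}}

if __name__ == "__main__":
    print(lint(GOOD, "https://sourcegraph.example.com"), lint(BAD, "http://203.0.113.10"), sep="\n")
```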