Code hosts on GCP without public access

Please contact Sourcegraph directly via preferred contact method for more information.

As part of the Enterprise tier, Sourcegraph Cloud supports connecting to customer dependencies on GCP using GCP Private Service Connect. It creates a secure connection between customer GCP project and Sourcegraph Cloud instance, so that access to a private resource never occurs over the public internet.

When a customer has private dependencies inside the GCP and needs to expose it for Sourcegraph Cloud instance, please reach out to your account manager to initiate the process.

How it works

Sourcegraph supports connecting to private dependencies on GCP using GCP Private Service Connect (PSC). It is used to securely expose and connect services across the project boundary within GCP.

The customer is the Service Producer (the "producer"), and the Sourcegraph Cloud instance is the Service Consumer (the "consumer"). PSC can expose an internal regional load balancer for the private resource to the consumer. The consumer can then connect to the private resource over PSC transparently on their Sourcegraph Cloud instance.

link

Limitation

Cross-region connectivity is not supported by Google Cloud for Private Service Connect. The Sourcegraph Cloud instance and the customer code host must be in the same region, learn more from our supported regions.

Steps

Initiate the process

Customers should reach out to their account manager to initiate the process. The account manager will work with the customer to collect the required information and initiate the process, including but not limited to:

The DNS name of the private code host, e.g., gitlab.internal.company.net.
The region of the private code host on GCP, e.g., us-central1.
The type of TLS certificate used by the private resource: either self-signed by an internal private CA or issued by a public CA.
The location of where the TLS connection is terminated, one of the load balancer, or the private code host node.

Finally, Sourcegraph will provide the following:

A reference architecture in Terraform to demonstrate the setup on customer end.
The GCP Project ID of the Sourcegraph Cloud instance.

Create Private Service Connect connection

Customer should publish their services using PSC by following the GCP documentation. The customer needs to permit connection from the provided GCP Project ID earlier. The customer needs to provide the [Service Attachment] URI to Sourcegraph. The Service Attachment URI is in the format of projects/:id/regions/:region/serviceAttachments/:name.

Upon receiving the Service Attachment URI, Sourcegraph will create a connection to the customer service using PSC, and Sourcegraph will follow up with the customer to confirm the connection is established.

SH
gcloud compute service-attachments delete [SERVICE_ATTACHMENT_NAME] --region=[REGION] --project=[YOUR_PROJECT_ID]

Learn more from documentation of gcloud compute service-attachments delete and management of published services.

How secure is the connection?

All traffic between the producer and consumer is encrypted in transit. You may learn more from Google's whitepaper about encryption in transit and Sourcegraph's security practices.

What are the next steps when artifact registry connectivity is working?

Only if the private artifact registry is protected by authentication, the customer will need to:

Create executor secrets containing credentials for Sourcegraph to access the private artifact registry - how to configure executor secrets
Update auto-indexing inference configuration to create additional files from executor secrets for the given programming language - how to configure auto-indexing

Can I use self-signed TLS certificate for my private resources?

Yes. Please work with your account team to add the certificate chain of your internal CA to site configuration at experimentalFeatures.tls.external.certificates.