How to setup HTTPS connection with Ingress controller on your Kubernetes instance

This document will take you through how to setup HTTPS connection using the preinstalled Ingress controller, which allows external users to access your main web server over the network. It installs rules for the default ingress, see comments to restrict it to a specific host. This is our recommended method to configure network access for production environments.

Prerequisites

  • This document assumes that your Sourcegraph instance is deployed into a Kubernetes cluster and that ingress has already been installed for sourcegraph-frontend (by default).

Steps for GCE-GKE user

1. Install the NGINX ingress controller (ingress-nginx)

Install the NGINX ingress controller by following the instructions at https://kubernetes.github.io/ingress-nginx/deploy/

For example, GCE-GKE user would simply run this command kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v0.47.0/deploy/static/provider/cloud/deploy.yaml to install the NGINX ingress controller

2. Update the create-new-cluster.sh file

Add the configure/ingress-nginx/install.sh command to the create-new-cluster.sh file at root, and commit the change. Your file should look similar to this:

echo ./configure/ingress-nginx/install.sh >> create-new-cluster.sh
./kubectl-apply-all.sh $@

3. Once the ingress has acquired an external address

You should be able to access Sourcegraph using the external address returns from the following kubectl -n ingress-nginx get svc.

$kubectl -n ingress-nginx get svc
NAME                                 TYPE           CLUSTER-IP    EXTERNAL-IP     PORT(S)                      AGE
ingress-nginx-controller             LoadBalancer   10.XX.8.XXX   XX.XXX.XXX.XX   80:32695/TCP,443:31722/TCP   5d13h
ingress-nginx-controller-admission   ClusterIP      10.XX.8.X     <none>          443/TCP                      5d13h

Configure TLS/SSL

After your Sourcegraph instance is exposed via an ingress controller, you should consider using TLS so that all traffic will be served over HTTPS.

1. Create TLS certificate and private key

Place the newly created certificate and private key in a secured place. We will be using .envrc/private.key and .envrc/public.pem in this example.

2. Create a TLS secret for your Cluster

Create a TLS secret that contains your TLS certificate and private key by running the following command:

kubectl create secret tls sourcegraph-tls --key .envrc/private.key --cert .envrc/public.pem

3. Update the create-new-cluster.sh file

Add the previous command to the create-new-cluster.sh file at root, and commit the change. Your file should look similar to this:

echo ./configure/ingress-nginx/install.sh >> create-new-cluster.sh
echo kubectl create secret tls sourcegraph-tls --key .envrc/private.key --cert .envrc/public.pem  >> create-new-cluster.sh
./kubectl-apply-all.sh $@

4. Update the ingress sourcegraph-frontend.Ingress.yaml file

Add the tls configuration to base/frontend/sourcegraph-frontend.Ingress.yaml file by commenting out the tls section, and replace sourcegraph.example.com with your domain.

   # base/frontend/sourcegraph-frontend.Ingress.yaml
   tls:
     - hosts:
         #  Replace 'sourcegraph.example.com' with the real domain that you want to use for your Sourcegraph instance.
         - sourcegraph.example.com
       secretName: sourcegraph-tls
   rules:
     - http:
         paths:
         - path: /
           backend:
             serviceName: sourcegraph-frontend
             servicePort: 30080
       # Replace 'sourcegraph.example.com' with the real domain that you want to use for your Sourcegraph instance.
       host: sourcegraph.example.com

5. Update Site Configuration

Update your externalURL in the site configuration to e.g. https://sourcegraph.example.com:

{
"externalURL": "https://sourcegraph.example.com"
}

6. Update the ingress controller

Update the ingress controller with the previous changes with the following command:

kubectl apply -f base/frontend/sourcegraph-frontend.Ingress.yaml