Site configuration for sourcegraph.com is split into two files. One contains non-sensitive configuration; the other contains production secrets such as GitHub OAuth credentials.
To update the non-sensitive configuration, follow these steps:
- After your PR is approved, merge it with the “release” branch.
- Wait until the Buildkite build is green, so your changes are successfully deployed.
  Your changes will result in the frontend being redeployed with a unique hash for the configuration change. See ConfigMapGeneration.
- Go to https://sourcegraph.com/site-admin/configuration to confirm that the non-sensitive configuration changes are live.
Our site configuration contains many secrets, such as OAuth credentials. It is stored in GSM in the sourcegraph-dev project. The secrets are synced to the cluster using Terraform, and are managed in the dotcom workspace on Terraform Cloud.
To update secrets in site config for our Dotcom deployment, follow these steps:
- In GSM, copy the contents of the latest version of the secret and make the necessary changes.
- Create a new secret version with the updated site configuration. Disable all previous versions.
- Start a new run in the dotcom workspace:
  - Click Actions → Start a new run
  - Specify that the reason for running is to sync secrets
  - Select the run type Plan and apply (standard)
  - Press Start run
- Request access to the permissions set Sourcegraph Dot Com projects using Entitle
- Once the Terraform run has applied and the Entitle request has been approved, make sure you are connected to the Dotcom cluster with kubectl config current-context, then run the following commands:

    kubectl rollout restart -n prod deployments/sourcegraph-frontend
    kubectl rollout restart -n prod deployments/sourcegraph-frontend-internal
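
The GSM and kubectl steps above, scripted as an added example (not Sourcegraph's own tooling). PLACEHOLDER_SECRET_NAME and PLACEHOLDER_DOTCOM_CONTEXT are assumptions, since the page names neither the secret nor the cluster context; the Terraform Cloud run and the Entitle request still happen between the two subcommands.

```shell
#!/usr/bin/env bash
# Added example, not Sourcegraph's own tooling. SECRET_NAME and EXPECTED_CONTEXT
# are placeholders (assumptions): the page names neither value.
set -eu

GSM_PROJECT="sourcegraph-dev"   # GSM project named on the page
SECRET_NAME="${SECRET_NAME:-PLACEHOLDER_SECRET_NAME}"
EXPECTED_CONTEXT="${EXPECTED_CONTEXT:-PLACEHOLDER_DOTCOM_CONTEXT}"

# Add a new version from FILE, then disable every other enabled version.
# Prints only the new version number on stdout.
rotate_secret_version() {
  local file new v
  file="$1"
  new="$(gcloud secrets versions add "$SECRET_NAME" --project="$GSM_PROJECT" \
    --data-file="$file" --format='value(name)')"
  new="${new##*/}"   # strip a full resource path down to the version number
  for v in $(gcloud secrets versions list "$SECRET_NAME" --project="$GSM_PROJECT" \
    --filter='state=ENABLED' --format='value(name)'); do
    v="${v##*/}"
    if [ "$v" = "$new" ]; then continue; fi
    gcloud secrets versions disable "$v" --secret="$SECRET_NAME" \
      --project="$GSM_PROJECT" >&2
  done
  echo "$new"
}

# Restart both frontends only when kubectl points at the expected cluster.
restart_frontends() {
  local ctx d
  ctx="$(kubectl config current-context)"
  if [ "$ctx" != "$EXPECTED_CONTEXT" ]; then
    echo "refusing to restart: context '$ctx' is not '$EXPECTED_CONTEXT'" >&2
    return 1
  fi
  for d in sourcegraph-frontend sourcegraph-frontend-internal; do
    kubectl rollout restart -n prod "deployments/$d"
    kubectl rollout status -n prod "deployments/$d" --timeout=10m
  done
}

# Usage: script rotate FILE   (before the Terraform run)
#        script restart       (after the run has applied)
case "${1:-}" in
  rotate)  rotate_secret_version "${2:?path to updated site config}" ;;
  restart) restart_frontends ;;
esac
```

The restart subcommand exits non-zero without touching any deployment when the current context does not match, so it is safe to run from a shell that was last pointed at another cluster.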
External service connections are handled through the sourcegraph.com UI. The only credentials managed through GSM are for the Dotcom default GitHub and GitLab connections. To rotate those tokens, follow these steps:
- Generate a new API token from the code host. Make sure it’s properly documented in 1Password.
- On the external service configuration, replace REDACTED with the new token and save changes.
- Ensure that the new token works.
- Revoke the old token from the code host.
Changes to the notices section can be merged by the author without explicit approval from the DevEx team.