Site configuration for sourcegraph.com is split into two files. One contains non-sensitive configurations and the other production secrets such as GitHub OAuth credentials.
Non-sensitive configurations are stored in a ConfigMap and are updated through our standard git flow.
Our site configuration contains many secrets like OAuth credentials. It is stored in GSM in the
sourcegraph-dev project. To update secrets in site config for our Cloud deployment, follow these steps:
- In GSM, copy the contents of the latest version of the secret and make the necessary changes.
- Create a new secret version with the updated site configuration. Disable all previous versions.
- sourcegraph/infrastructure/cloud. You should see only the frontend-secrets resource being changed.
- terraform apply to apply the changes in our Cloud cluster
- kubectl rollout restart -n prod deployments/sourcegraph-frontend and kubectl rollout restart -n prod deployments/sourcegraph-frontend-internal. Make sure you are connected to the Cloud cluster with kubectl config current-context.
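A check for the "Disable all previous versions" step, as an added example (not part of the original page or of Sourcegraph's tooling): it parses the JSON printed by gcloud secrets versions list and reports older versions that are still enabled, together with the commands that would disable them. The secret name SITE_CONFIG_SECRET, the project number and the sample listing are constructed placeholders.

```python
import json

# Constructed sample of:
#   gcloud secrets versions list SITE_CONFIG_SECRET --project=sourcegraph-dev --format=json
# SITE_CONFIG_SECRET and the project number are placeholders, not values from the page.
SAMPLE = """[
  {"name": "projects/000000000000/secrets/SITE_CONFIG_SECRET/versions/12", "state": "ENABLED"},
  {"name": "projects/000000000000/secrets/SITE_CONFIG_SECRET/versions/11", "state": "ENABLED"},
  {"name": "projects/000000000000/secrets/SITE_CONFIG_SECRET/versions/10", "state": "DISABLED"},
  {"name": "projects/000000000000/secrets/SITE_CONFIG_SECRET/versions/9", "state": "DESTROYED"}
]"""


def audit_versions(listing_json):
    """Return (newest, stale): the newest version number and the older
    version numbers that are still ENABLED after a rotation."""
    versions = []
    for entry in json.loads(listing_json):
        # The version number is the last path segment of the resource name.
        number = int(entry["name"].rsplit("/", 1)[1])
        versions.append((number, entry["state"]))
    if not versions:
        raise ValueError("secret has no versions")
    versions.sort()  # version numbers increase with creation order
    newest, newest_state = versions[-1]
    if newest_state != "ENABLED":
        # The procedure expects the version just created to be the active one.
        raise ValueError(f"newest version {newest} is {newest_state}, expected ENABLED")
    stale = [n for n, state in versions[:-1] if state == "ENABLED"]
    return newest, stale


def disable_commands(secret, project, stale):
    """Build one gcloud command per version that should have been disabled."""
    return [
        f"gcloud secrets versions disable {n} --secret={secret} --project={project}"
        for n in stale
    ]


if __name__ == "__main__":
    newest, stale = audit_versions(SAMPLE)
    print(f"newest version: {newest}; still enabled: {stale or 'none'}")
    for cmd in disable_commands("SITE_CONFIG_SECRET", "sourcegraph-dev", stale):
        print(cmd)
```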
External service connections are handled through the sourcegraph.com UI. The only credentials managed through GSM are for the Cloud default GitHub and GitLab connections. To rotate those tokens, follow these steps:
- Generate a new API token from the code host. Make sure it’s properly documented in 1Password.
- On the external service configuration, replace REDACTED with the new token and save changes.
- Ensure that the new token works.
- Revoke the old token from the code host.
Changes to the notices section can be merged by the author without explicit approval from the DevOps team.