Codefresh Installation Options

How to run Codefresh in the Enterprise

Codefresh offers 3 installation options that can cater to any size of organization:

  • Full cloud version that runs 100% in the cloud and is fully managed by Codefresh.
  • On-premises version where Codefresh runs inside the customer datacenter/cloud.
  • Hybrid version where the UI runs in the Codefresh cloud, but builds are running on customer premises.

On-premises and Hybrid versions are available to Enterprise customers that are looking for a “behind-the-firewall” solution.

Cloud version

The Cloud version is the easiest way to start using Codefresh as it is fully managed and runs 100% on the cloud. All maintenance and updates are executed by the Codefresh DevOps team.

You can also create a free account on the SAAS version right away. The account is forever free with some limitations on number of builds.

The cloud version runs on multiple clouds:


Codefresh Cloud is also compliant with SOC2 - Type2 showing our commitment to security and availability.


The Cloud version has multi-account support with most git providers (GitLab, GitHub, Bitbucket) as well as Azure and Google.

Hybrid installation

For organizations that don’t want their source code to leave their premises, or have other security constraints, Codefresh offers the hybrid installation.

The User Interface still runs on Codefresh infrastructure, while the actual builds happen in the location of the customer (Codefresh builders run on a Kubernetes cluster).


The hybrid installation strikes the perfect balance between security, flexibility and ease of use. Codefresh still does the heavy lifting for maintaining most of the platform parts. The sensitive data (such as source code and internal services) never leave the premises of the customers.

With the hybrid installation mode, Codefresh can easily connect to internal secure services that have no public presence. The UI part is still compliant with Soc2.


Here are the security implications of the hybrid solution:

Company Asset Flow/Storage of data Comments
Source code Stays behind the firewall  
Binary artifacts Stay behind the firewall  
Build logs Also sent to Codefresh Web application  
Pipeline volumes Stay behind the firewall  
Pipeline variables Defined in Codefresh Web application  
Deployment docker images Stay behind the firewall Stored on your Docker registry
Development docker images Stay behind the firewall Stored on your Docker registry
Testing docker images Stay behind the firewall Stored on your Docker registry
Inline pipeline definition Defined in Codefresh Web application  
Pipelines as YAML file Stay behind the firewall  
Test results Stay behind the firewall  
HTML Test reports Shown on Web application Stored in your S3 or Google bucket or Azure storage
Production database data Stays behind the firewall  
Test database data Stays behind the firewall  
Other services (e.g. Queue, ESB) Stay behind the firewall  
Kubernetes deployment specs Stay behind the firewall  
Helm charts Stay behind the firewall  
Other deployment resources/script (e.g. terraform) Stay behind the firewall  
Shared configuration variables Defined in Codefresh Web application  
Deployment secrets (from git/Puppet/Vault etc) Stay behind the firewall  
Audit logs Managed via Codefresh Web application  
SSO/Idp Configuration Managed via Codefresh Web application  
User emails Managed via Codefresh Web application  
Access control rules Managed via Codefresh Web application  

On-premises Installation

For customers that wish to have full control over everything, Codefresh also offers an on-premises option. In this case everything (UI and builds) are running on an environment (Kubernetes cluster) fully managed by the customer.

While Codefresh can still help with maintenance of the on-premises platform, we would recommend trying the Hybrid solution first as it offers the most flexibility while maintaining high security.

Comparison table

Characteristic Cloud Hybrid On Premise
Managed by Codefresh Codefresh and Customer Customer
UI runs on public cloud public cloud private cluster
Builds run on public cloud private cluster private cluster
Access to secure/private services no yes yes
Customer maintenance effort none some full
Best for most companies companies with security constraints Large scale installations
Available to all customers enterprise plans enterprise plans

High level Architecture

The most important components are the following:

The Codefresh VPC: This is where all internal Codefresh services are running (analyzed in the next section). Codefresh is using internally Mongo and PostgreSQL for storing information such as users and authentication.

The Pipeline execution environment. This is where all pipelines run. The Codefresh engine component is responsible for taking pipeline definitions and running them in managed Kubernetes clusters by automatically launching the Docker containers that each pipeline needs for its steps.

External actors. Codefresh is offering a public API that is consumed both by the Web User interface as well as the Codefresh CLI. The API is also available for any custom integration with external tools or services.

Topology diagram

If we zoom into the Codefresh Services platform we will see the following:

Topology diagram

Topology diagram (click to enlarge)

Core Components

pipeline-manager manages all CRUD operations regarding pipelines

cfsign signs server tls certificates for docker daemons and generates client tls certificates for hybrid pipelines

cf-api is the central backend component. It functions as an API gateway for other services and is also responsible for authentication/authorization.

context-manager manages all possible authentication/configuration that are used by Codefresh system and by Codefresh engine

runtime-environment-manager is responsible for managing the different environments where pipelines can run. The Codefresh SAAS installation has runtime environment that are fully managed by the Codefresh team. In hybrid installations, customers can add their own runtime environments using private Kubernetes clusters

Trigger Components

hermes controls trigger management in Codefresh

nomios enables triggers from Dockerhub (when a new image/tag is pushed)

cronus enables defining cron like triggers for pipelines

Log Component

cf-broadcaster stores build logs from pipelines (the replacement for Firebase in the previous installer). The only component that the UI and CLI have access to through a web socket in order to stream logs.

Kubernetes Components

cluster-providers provides an interface to define clusters contexts for connecting Kubernetes clusters in Codefresh

helm-repo-manager is responsible for the Helm repository admin API and ChartMuseum proxy for managing Helm charts it Codefresh

k8s-monitor is an agent that gets installed on each Kubernetes cluster to provide information for the Kubernetes dashboards

charts-manager models the Helm chart view in Codefresh.

kube-integration provides an interface to retrieve all required information from a Kubernetes cluster, can be run either as a http server, or npm module

tasker-kubernetes provides cache storage for Kubernetes dashboards in Codefresh