Understand Codefresh installation options
The Codefresh platform supports three different installation options, all compliant with SOC 2 Type 2.
The Runner installation is the hybrid installation mode for Codefresh pipelines. The Codefresh UI runs in the Codefresh cloud, and the builds run on customer premises. The Runner combines flexibility with security, and is optimal for Enterprise customers looking for a “behind-the-firewall” solution.
See Hybrid Runner.
On-Premises installation is for customers who want full control over their environments. Both the UI and the builds run on the Kubernetes cluster in an environment fully managed by you as our customer.
While Codefresh can still help with maintenance of the On-Premises platform, we recommend the Hybrid Runner, which offers flexibility without compromising on security.
GitOps installation is a full-featured solution for application deployments and releases powered by the Argo Project. Codefresh uses Argo CD, Argo Workflows, Argo Events, and Argo Rollouts, extended with unique functionality and features essential for enterprise deployments.
GitOps installations support Hosted and Hybrid options.
Note on Cloud Builds for Codefresh pipelines
Cloud Builds for Codefresh pipelines are disabled for all accounts by default.
Account admins can request that Codefresh enable Cloud Builds for an account. The only manual action required is to click the Enable Cloud Builds button, as shown below. The timeframe for the response is up to 24 hours.
As an account admin, you can then grant access to users or have the users explicitly request access to a runtime environment to run pipelines.
The Hybrid Runner installation is for organizations that want their source code to live within their premises, or that have other security constraints. For implementation details, see Runner installation behind firewalls. The UI runs on Codefresh infrastructure, while the builds happen in a Kubernetes cluster on the customer's premises.
Hybrid Runner installation strikes the perfect balance between security, flexibility, and ease of use. Codefresh still does the heavy lifting for maintaining most of the platform parts. Sensitive data such as source code and internal services never leave customer premises.
Codefresh can easily connect to internal secure services that have no public presence. The UI is still compliant with SOC 2.
The table below lists the security implications of the Hybrid Runner installation: where each company asset is stored and whether it leaves the customer's premises.
| Company Asset | Flow/Storage of data | Comments |
|---|---|---|
| Source code | Stays behind the firewall | |
| Binary artifacts | Stay behind the firewall | |
| Build logs | Also sent to Codefresh Web application | |
| Pipeline volumes | Stay behind the firewall | |
| Pipeline variables | Defined in Codefresh Web application | |
| Deployment Docker images | Stay behind the firewall | Stored on your Docker registry |
| Development Docker images | Stay behind the firewall | Stored on your Docker registry |
| Testing Docker images | Stay behind the firewall | Stored on your Docker registry |
| Inline pipeline definition | Defined in Codefresh Web application | |
| Pipelines as YAML file | Stay behind the firewall | |
| Test results | Stay behind the firewall | |
| HTML test reports | Shown on Web application | Stored in your S3 or Google bucket or Azure storage |
| Production database data | Stays behind the firewall | |
| Test database data | Stays behind the firewall | |
| Other services (e.g. queue, ESB) | Stay behind the firewall | |
| Kubernetes deployment specs | Stay behind the firewall | |
| Helm charts | Stay behind the firewall | |
| Other deployment resources/scripts (e.g. Terraform) | Stay behind the firewall | |
| Shared configuration variables | Defined in Codefresh Web application | |
| Deployment secrets (from Git/Puppet/Vault etc.) | Stay behind the firewall | |
| Audit logs | Managed via Codefresh Web application | |
| SSO/IdP configuration | Managed via Codefresh Web application | |
| User emails | Managed via Codefresh Web application | |
| Access control rules | Managed via Codefresh Web application | |
For customers who want full control, Codefresh also offers on-premises installation. Both the UI and builds run on a Kubernetes cluster fully managed by the customer.
Codefresh GitOps also supports SaaS and hybrid installation options:
The SaaS version of GitOps, Hosted GitOps, has Argo CD installed in the Codefresh cluster.
Hosted GitOps Runtime is installed and provisioned in a Codefresh cluster, and managed by Codefresh.
Hosted environments are full-cloud environments, where all updates and improvements are managed by Codefresh, with zero-maintenance overhead for you as the customer.
Currently, you can add one Hosted GitOps Runtime per account. For the architecture, see Hosted GitOps Runtime architecture.
For more information on how to set up the hosted environment, including provisioning hosted runtimes, see Set up Hosted GitOps.
The hybrid version of GitOps has Argo CD installed in the customer's cluster.
Hybrid GitOps is installed in the customer’s cluster, and managed by the customer.
The Hybrid GitOps Runtime is optimal for organizations with security constraints, wanting to manage CI/CD operations within their premises. Hybrid GitOps strikes the perfect balance between security, flexibility, and ease of use. Codefresh maintains and manages most aspects of the platform, apart from installing and upgrading Hybrid GitOps Runtimes which are managed by the customer.
Hosted vs. Hybrid GitOps
The table below highlights the main differences between Hosted and Hybrid GitOps.
| Category | Feature | Hosted GitOps | Hybrid GitOps |
|---|---|---|---|
| Runtime | Installation | Provisioned by Codefresh | Provisioned by customer |
| | Runtime cluster | Managed by Codefresh | Managed by customer |
| | Number per account | One runtime | Multiple runtimes, one per cluster |
| | External cluster | Managed by customer | Managed by customer |
| | Upgrade | Managed by Codefresh | Managed by customer |
| | Uninstall | Managed by customer | Managed by customer |
| | Argo CD | Codefresh cluster | Customer cluster |
| CI Ops | Delivery Pipelines | Not supported | Supported |
| | Workflow Templates | Not supported | Supported |
| Dashboards | Home | Hosted runtime and deployments | Runtimes, deployments, Delivery Pipelines |
Installation options comparison
Codefresh Runner and GitOps environments can co-exist, giving you the best of both worlds.

| Characteristic | Hybrid Runner | On-Premises | GitOps |
|---|---|---|---|
| Managed by | Codefresh and customer | Customer | Codefresh and customer |
| UI runs on | Public cloud | Private cluster | Public cloud |
| Builds run on | Private cluster | Private cluster | Private cluster (Hybrid) / Codefresh cluster (Hosted) |
| Access to secure/private services | Yes | Yes | Yes |
| Customer maintenance effort | Some | Full | Some |
| Best for | Companies with security constraints | Large-scale installations | Companies with security constraints |
| Available to | Enterprise plans | Enterprise plans | Enterprise plans |