max-width="100%"

%}

{::nomarkdown}

<br>

{:/}

The Codefresh Control Plane is the SaaS component in the platform. External to the enterprise firewall, it does not have direct communication with the Codefresh Runtime, Codefresh Clients, or the customer's organizational systems. The Codefresh Runtime and the Codefresh Clients communicate with the Codefresh Control Plane to retrieve the required information.

{::nomarkdown}

<br>

{:/}

The GitOps Runtime is installed on a Kubernetes cluster, and houses the enterprise distribution of the Codefresh Application Proxy and the Argo Project.

Depending on the type of GitOps installation, the GitOps Runtime is installed either in the Codefresh platform (Hosted GitOps), or in the customer environment (Hybrid GitOps). Read more in[Codefresh GitOps Runtime architecture](#codefresh-gitops-runtime-architecture).

{::nomarkdown}

<br>

{:/}

GitOps Clients include the UI and the GitOps CLI.

The UI provides a unified, enterprise-wide view of deployments (runtimes and clusters), and CI/CD operations (Delivery Pipelines, workflows, and deployments) in the same location.

The Codefresh CLI includes commands to install hybrid runtimes, add external clusters, and manage runtimes and clusters.

The sections that follow show detailed views of the GitOps Runtime architecture for the different installation options, and descriptions of the GitOps Runtime components.

*[Hosted GitOps runtime architecture](#hosted-gitops-runtime-architecture)

*[Tunnel Server](#tunnel-server)

*[Tunnel Client](#tunnel-client)

<br>

In the hosted environment, the Codefresh Runtime is installed on a K8s cluster managed by Codefresh.

{% include

max-width="100%"

%}

Tunnel-based Hybrid GitOps runtimes use tunneling instead of ingress controllers to control communication between the GitOps Runtime in the customer cluster and the Codefresh GitOps Platform. Tunnel-based runtimes are optimal when the cluster with the GitOps Runtime is not exposed to the internet.

{% include

%}

Ingress-based runtimes use ingress controllers to control communication between the GitOps Runtime in the customer cluster and the Codefresh GitOps Platform. Ingress-based runtimes are optimal when the cluster with the GitOps Runtime is exposed to the internet.

%}

The GitOps Application Proxy (App-Proxy) functions as the Codefresh agent, and is deployed as a service in the GitOps Runtime.

For tunnel-based Hybrid GitOps Runtimes, the Tunnel Client forwards the incoming traffic from the Tunnel Server using the Request Routing Service to the GitOps App-Proxy.

* Implements commits for GitOps-controlled entities, such as Delivery Pipelines and other CI resources

* Implements state-change operations for non-GitOps controlled entities, such as terminating Argo Workflows

{::nomarkdown}

<br>

{:/}

The Argo Project includes:

* Argo CD for declarative continuous deployment

To maintain that high standard, we add several weeks of testing and bug fixes to new versions of Argo before making them available within Codefresh.

Typically, new versions of Argo are available within 30 days of release in Argo.

{::nomarkdown}

<br><br>

{:/}

The Request Routing Service is installed on the same cluster as the GitOps Runtime in the customer environment.

It receives requests from the the Tunnel Client (tunnel-based) or the ingress controller (ingress-based), and forwards the request URLs to the Application Proxy, and webhooks directly to the Event Sources.

The Request Routing Service is available from runtime version 0.0.543 and higher.

Older runtime versions are not affected as there is complete backward compatibility, and the ingress controller continues to route incoming requests.

Applies only to_tunnel-based_ Hybrid GitOps Runtimes.

The Codefresh Tunnel Server is installed in the Codefresh platform. It communicates with the enterprise cluster located behind a NAT or firewall.

* Manages the lifecycle of the Tunnel Client.

* Authenticates requests from the Tunnel Client to open tunneling connections.

{::nomarkdown}

<br>

{:/}

Applies only to_tunnel-based_ Hybrid GitOps Runtimes.

Installed on the same cluster as the Hybrid GitOps Runtime, the Tunnel Client establishes the tunneling connection to the Tunnel Server via the WebSocket Secure (WSS) protocol.

* Initiates the connection with the Tunnel Server.

* Forwards the incoming traffic from the Tunnel Server through the Request Routing Service to App-Proxy, and other services.

{::nomarkdown}

<br>

{:/}

The customer environment that communicates with the GitOps Runtime and Codefresh, generally includes:

* Ingress controller for ingress-based Hybrid runtimes

The ingress controller is configured on the same Kubernetes cluster as the GitOps Runtime, and implements the ingress traffic rules for the GitOps Runtime.

Organizational Systems include the customer's tracking, monitoring, notification, container registries, Git providers, and other systems. They can be entirely on-premises or in the public cloud.

Either the ingress controller (ingress hybrid environments), or the Tunnel Client (tunnel-based hybrid environments), forwards incoming events to the GitOps Application Proxy.

[Codefresh pricing](https://codefresh.io/pricing/){:target="\_blank"}

[Codefresh features](https://codefresh.io/features/){:target="\_blank"}