In the previous section we have seen how a pipeline can checkout code from the internal git repository. We also need to setup a trigger

so that every time a commit happens (or any other supported event), the Codefresh pipeline will be triggered automatically.

This is a two-step process:

If you have installed the[optional app-proxy]({{site.baseurl}}/docs/administration/codefresh-runner/#optional-installation-of-the-app-proxy), adding a trigger can be done exactly like the SAAS version of Codefresh, using only the Codefresh UI.

If you haven't installed the app-proxy, then adding a Git trigger is a two-step process:

1. First we setup a webhook endpoint in Codefresh.

1. Then we create the webhook call in the side of the the GIT provider.

and follow the wizard prompts.

The App Proxy is an optional component of the runner that once installed:

* Enables you to automatically create webhooks for Git in the Codefresh UI (same as the SAAS experience)

* Sends commit status information back to your Git provider (same as the SAAS experience)

* Makes all Git Operations in the GUI work exactly like the SAAS installation of Codefresh

The requirements for the App proxy is a Kubernetes cluster that:

1. has already the Codefresh runner installed

1. has an active[ingress controller](https://kubernetes.io/docs/concepts/services-networking/ingress/)

1. Allows incoming connections from the VPC/VPN where users are browsing the Codefresh UI. The ingress connection must have a hostname assigned for this route

Here is the architecture of the app-proxy:

{% include image.html

lightbox="true"

file="/images/administration/runner/app-proxy-architecture.png"

url="/images/administration/runner/app-proxy-architecture.png"

alt="How App Proxy and the Codefresh runner work together"

caption="How App Proxy and the Codefresh runner work together"

max-width="80%"

%}

Basically when a Git GET operation takes place, the Codefresh UI will ask the app-proxy (if it is present) and it will route the request to the backing Git provider. The confidential Git information never leaves the firewall premises and the connection between the browser and the ingress is SSL/HTTPS. This means that the app-proxy does not compromise security in any way.

To install the app-proxy on a Kubernetes cluster that already has a Codefresh runner use the following command:

If you want to install the Codefresh runner and app-proxy in a single command use the following:

If you have multiple ingress controllers in the Kubernetes cluster you can use the`app-proxy-ingress-class` parameter to define which ingress will be used. For additional security you can also define a whitelist for IPs/ranges that are allowed to use the ingress (to further limit the web browsers that can access the Ingress). Check the documentation of your ingress controller for the exact details.

If you don't want to use the wizard, you can also install the components of the runner yourself.

- Using the GitHub Container registry as Docker registry -[documentation]({{site.baseurl}}/docs/integrations/docker-registries/github-container-registry/)

- Simplified Git operations with the App Proxy for the Codefresh runner -[documentation]({{site.baseurl}}/docs/administration/codefresh-runner/#optional-installation-of-the-app-proxy)