*[Traefik ingress configuration](#traefik-ingress-configuration)

<br><br>

Codefresh automatically validates the`values.yaml` file before initiating the installation to verify that the supplied values are correct.

You also have the option to manually run the validation if desired.

**Validation failure**

If there is a validation failure, Codefresh will terminate the Helm installation and display the error message:`Job has reached the specified backoff limit`.

To get more detailed and meaningful information on the reason for the validation failure, run:

where:

*`{NAMESPACE}` must be replaced with the namespace of the Hybrid GitOps Runtime.

**Disable automated validation**

You may want to disable automated validation for specific scenarios, such as to address false-negatives.

You can do so by either adding the flag to the Helm install command or adding the relevant section to the`values` file.

* In install command:

* In`values` file:

{% highlight yaml %}

{% raw %}

...

installer:

skipValidation: true

...

{% endraw %}

{% endhighlight %}

**Validated settings**

The table below lists the settings validated in the`values` file.

{: .table .table-bordered .table-hover}

| Setting| Validation|

| --------------| --------------|

|**`userToken`**| If explicitly defined, or defined as a`secretKeyRef` which exists in the current k8s context and the defined namespace.|

|**Account permissions**| If the user has admin permissions for the account in which they are installing the runtime.|

|**Runtime name**| If defined, and is unique to the account.|

|**Access mode**| {::nomarkdown}<ul><li>For tunnel-based, the default, if <codeclass="highlighter-rouge">accountId</code> is defined, and matches the account of the <codeclass="highlighter-rouge">userToken</code> defined in the file.</li><li>For ingress-based, if the <codeclass="highlighter-rouge">hosts</code> array contains at least one entry that is a valid URL (successful HTTP GET).</li><li>If both tunnel-based and ingress-based access modes are disabled, if <codeclass="highlighter-rouge">runtime.ingressUrl</code> is defined.</li></ul>{:/}|

|**`gitCredentials`**| {::nomarkdown}<ul><li>When defined, includes a Git password either explicitly, or as a <codeclass="highlighter-rouge">secretKeyRef</code>, similar to <codeclass="highlighter-rouge">userToken</code>.</li><li>The password or token has the required permissions in the Git provider.</li></ul>{:/}|

**How to: Manually validate values file**

1. To manually validate the`values` file, run:

where:

*`<values_file>` is the name of the values.yaml used by the Helm installation.

*`<namespace>` is the namespace in which to install the Hybrid GitOps runtime, either the default`codefresh`, or the custom name you intend to use for the installation. The Namespace must conform to the naming conventions for Kubernetes objects.

*`<version>` is the version of the runtime to install.

1. Continue with[Step 2: Select Hybrid Runtime install option](#step-2-select-hybrid-runtime-install-option).

1. In the Welcome page, select**+ Install Runtime**.

1. Continue with[Step 2: Set up GitOps Git provider](#step-2-set-up-gitops-git-provider).

As a one-time action, select the Git provider and the Shared Configuration Repository to associate with your account.

1. In the Welcome page, select**+ Install Runtime**.

1. Continue with[Step 3: Set up GitOps Git provider](#step-3-set-up-gitops-git-provider).

The Git provider you select for the first GitOps Runtime in your account is used for all the other Runtimes installed in the same account.

Select the Git provider and the Shared Configuration Repository to associate with your account.

The[Shared Configuration Repository]({{site.baseurl}}/docs/installation/gitops/shared-configuration/) is a Git repository with configuration manifests shared between all the Hybrid GitOps Runtimes within the same account.To change the Shared Configuration Repo after installation, see Reset Shared Configuration Repository.

The same Git provider is used for other GitOps Runtimes in the same account.

The[Shared Configuration Repository]({{site.baseurl}}/docs/installation/gitops/shared-configuration/) is a Git repository with configuration manifests shared between all the Hybrid GitOps Runtimes within the same account.

This is a one-time action, required once per account.

1. Select the**Git provider** from the list.

1. Define the**API URL** for the Git provider you selected, as one of the following:

* GitLab Server:`<server-url>/api/v4`

* Bitbucket Cloud:`https://api.bitbucket.org/2.0`

* Bitbucket Server:`<server-url>/rest/api/1.0`

1. Define the URL of the**Shared Configuration Repository**.

1. Define the URL of the**Shared Configuration Repository**.

1. Click**Next**.

1. Continue with[Step4: Install Hybrid Runtime](#step-4-install-hybrid-gitops-runtime).

1. Continue with[Step3: Install Hybrid Runtime](#step-3-install-hybrid-gitops-runtime).

Install the Hybrid GitOps Runtime through the Helm chart. The Codefresh`values.yaml` is located[here](https://github.com/codefresh-io/gitops-runtime-helm/tree/main/charts/gitops-runtime){:target="\_blank"}.

Before initiating the installation, Codefresh automatically validates the `values.yaml` file to verify that the supplied values are correct.<br>

If the Helm installation is terminated with the error message:`Job has reached the specified backoff limit`, you can get more detailed and meaningful information on the reason for the validation failure, with:

`kubectl logs jobs/validate-values -n ${NAMESPACE}`, replacing`{NAMESPACE}` with the namespace of the Hybrid GitOps Runtime.

**Runtime Name**

If you define a custom name for the Hybrid GitOps Runtime, it must start with a lower-case character, and can include up to 62 lower-case characters and numbers.

See[Ingress controller configuration](/#ingress-controller-configuration) in this article.

<br>

<br><br>

**How to**

1. To generate your Codefresh API key, click**Generate**.

* The Hybrid GitOps Runtime you added is prefixed with a green dot indicating that it is online

* The Type column for the Runtime displays**Helm**

* The Sync Status column displays**Complete Installation**, indicating that there are pending tasks to complete the installation.

1. Continue with[Step5: Configure Git credentials for runtime](#step-5-configure-git-credentials-for-hybrid-gitops-runtime).

1. Continue with[Step4: Configure Git credentials for runtime](#step-4-configure-git-credentials-for-hybrid-gitops-runtime).

Configure Git credentials to authorize access to and ensure proper functioning of the GitOps Runtime. This is one of the two steps to complete installing Hybrid GitOps Runtimes, the other being to configure the Runtime as an Argo Application, described in the next step.

Git credentials include authorizing access to Git through OAuth2 or auser (personal) accesstoken, and optionally configuring SSH access to Git.

Git credentials include authorizing access to Git through OAuth2 or aGit Runtimetoken, and optionally configuring SSH access totheGit installation repo for the Runtime.

**Git authorization**

* OAuth2 authorization is possible if your admin has registered an OAuth Application for Codefresh. See[OAuth2 setup for Codefresh]({{site.baseurl}}/docs/administration/account-user-management/oauth-setup/).

* Git access token authentication requires you to generatea personal access token in your Git provider account for the GitOps Runtime, with the correct scopes. See[GitOps Runtime token scopes]({{site.baseurl}}/docs/reference/git-tokens/#git-runtime-token-scopes).

* Git access token authentication requires you to generatean access token in your Git provider account for the GitOps Runtime, with the correct scopes. See[GitOps Runtime token scopes]({{site.baseurl}}/docs/reference/git-tokens/#git-runtime-token-scopes).

**SSH access to Git**

By default, Git repositories use the HTTPS protocol. You can also use SSH to connect Git repositories by entering the SSH private key.

By default, Git repositories use the HTTPS protocol. You can also use SSH to connect Git repositories by entering the SSH private key.

When SSH is configured for a GitOps Runtime, on creating/editing Git-Source applications, you can select HTTPS OR SSH as the protocol to connect to the Git repository. See[Repository URL in Application Source definitions]({{site.baseurl}}/docs/deployments/gitops/create-application/#source).

For more information on generating SSH private keys, see the official documentation:

*[GitHub](https://help.github.com/en/github/authenticating-to-github/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent){:target="\_blank"}

**Before you begin**

* To authenticate through a Gituser access token, make sure your token is valid and has the required scopes for GitOps Runtimes

* To authenticate through a GitRuntime access token, make sure your token is valid and has the required scopes for GitOps Runtimes

* To use SSH, copy the SSH private key for your Git provider

**How to**

1. Do one of the following:

* If your admin has set up OAuth access, click**Authorize Access to Git Provider**. Go to_step 2_.

* Alternatively, authenticate with an access token from your Git provider. Go to_step 3_.

1. For OAuth2 authorization:

%}

{:start="3"}

1. For Git token authentication, in the**Git Runtime Token** field, paste the Gitruntime token you generated.

1. For Git token authentication, in the**Git Runtime Token** field, paste the GitRuntime token you generated.

1. Optional. To configure SSH access to Git, expand**Connect Repo using SSH**, and then paste the raw SSH private key into the field.

{:start="5"}

1. Click**Configure**.

1. Continue with[Step6: (Optional) Configure Hybrid GitOps Runtime as Argo Application](#step-6-optional-configure-hybrid-gitops-runtime-as-argo-application).

1. Continue with[Step5: (Optional) Configure Hybrid GitOps Runtime as Argo Application](#step-5-optional-configure-hybrid-gitops-runtime-as-argo-application).

Configure the Hybrid GitOps Runtime as an Argo Application as the final step in the installation process.

By doing so, you can view the Runtime components, monitor health and sync statuses, and ensure that GitOps is the single source of truth for the Runtime.

1. Click**Configure as Argo Application**. Codefresh takes care of the configuration for you.

1. Continue with[Step7: (Optional) Create a Git Source](#step-7-optional-create-a-git-source).

1. Continue with[Step6: (Optional) Create a Git Source](#step-6-optional-create-a-git-source).

Create a[Git Source]({{site.baseurl}}/docs/installation/gitops/git-sources/#create-a-git-source) for the Runtime.

1. Optional. Create a Git Source.

1. Continue with[Step8: (Optional) Configure ingress-controllers](#step-8-optional-configure-ingress-controllers).

1. Continue with[Step7: (Optional) Configure ingress-controllers](#step-7-optional-configure-ingress-controllers).

Required only for ALB AWS, Istio, or NGINX Enterprise ingress-controllers.<br>

* Complete configuring these ingress controllers:

That's it! You have successfully completed installing a Hybrid GitOps Runtime with Helm. View the Runtime in the[Runtimes]({{site.baseurl}}/docs/installation/gitops/monitor-manage-runtimes/#gitops-runtime-views) page.

Depending on your configuration, if you have private registries, you need to override specific image values, and if your Git servers are on-premises, you need to add custom repository certificates. See[Optional GitOps Runtime configuration](#optional-gitops-runtime-configuration) in this article.

You can now add[external clusters to the Runtime]({{site.baseurl}}/docs/installation/gitops/managed-cluster/), and[create and deploy GitOps applications]({{site.baseurl}}/docs/deployments/gitops/create-application/).

You can now add[Git Sources]({{site.baseurl}}/installation/gitops/git-sources/),[external clusters]({{site.baseurl}}/docs/installation/gitops/managed-cluster/), and[create and deploy GitOps applications]({{site.baseurl}}/docs/deployments/gitops/create-application/).

**Git provider and Shared Configuration Repository**

The Git provider and Shared Configuration Repository, configured once per account,is alreadyavailable this setup in your initial installation,additional installations do not require this.

The Git provider and Shared Configuration Repository, configured once per account,has alreadybeen set up in your initial installation,and not required for additional installations.

**Access mode**

You can define the tunnel/ingress/service-mesh-based access mode for the additional GitOps Runtimes. The command in the How To below is valid for the tunnel-based access mode. For ingress-based or service-mesh-based access modes, add the required arguments and values, as described in the step-by-step section,[Step4: Install Hybrid GitOps Runtime](/#step-4-install-hybrid-gitops-runtime).

You can define the tunnel/ingress/service-mesh-based access mode for the additional GitOps Runtimes. The command in the How To below is valid for the tunnel-based access mode. For ingress-based or service-mesh-based access modes, add the required arguments and values, as described in the step-by-step section,[Step3: Install Hybrid GitOps Runtime](/#step-3-install-hybrid-gitops-runtime).

**Runtime name**

The new Runtime must have a unique name in the same account.

*`--wait` waits until all the pods are up and running for the deployment.

Depending on your configuration, if you have private registries, you need to override specific image values, and if your Git servers are on-premises, you need to add custom repository certificates. See[Optional GitOps Runtime configuration](#optional-gitops-runtime-configuration) in this article.

Feel free to user a different chart version and a unique name for the Runtime. You can get the values for both the Codefresh API token and account ID from the Codefresh UI as explained in the previous section.

The example is valid for the tunnel-based access mode. For ingress-based or service-mesh-based access modes, add the required arguments and values, as described in the step-by-step section,[Step4: Install Hybrid GitOps Runtime](/#step-4-install-hybrid-gitops-runtime).

The example is valid for the tunnel-based access mode. For ingress-based or service-mesh-based access modes, add the required arguments and values, as described in the step-by-step section,[Step3: Install Hybrid GitOps Runtime](/#step-3-install-hybrid-gitops-runtime).

Depending on your configuration, if you have private registries, you need to override specific image values, and if your Git servers are on-premises, you need to add custom repository certificates. See[Optional GitOps Runtime configuration](#optional-gitops-runtime-configuration) in this article.

By default, theCodefresh Runtime can deploy to the cluster it is installed on.

You can also[use Terraform to connect additional]({{site.baseurl}}/docs/installation/gitops/managed-cluster/#add-a-managed-cluster-with-terraform) external clusters to yourruntime.

By default, theGitOps Runtime can deploy to the cluster it is installed on.

You can also[use Terraform to connect additional]({{site.baseurl}}/docs/installation/gitops/managed-cluster/#add-a-managed-cluster-with-terraform) external clusters to yourRuntime.