Network requirements

Outbound connectivity required:
  • artifacts-self-hosted.qodo.ai - Helm chart and image registry
  • artif-reg-self-hosted.codium.ai - Container images
  • AI model provider endpoints (api.openai.com, api.anthropic.com, etc.)
  • Git provider APIs (github.com, gitlab.com, or your self-hosted instances)
Inbound connectivity required:
  • Git provider webhooks must reach your ingress endpoints
  • Developer IDEs must reach Qodo API endpoints
  • (For Context Engine) Context retriever MCP endpoint
Firewall considerations:
  • Allow outbound HTTPS (443) to all external dependencies
  • Allow inbound HTTPS (443) for webhooks and API access
  • Ensure the Kubernetes cluster can reach the external PostgreSQL instance if the database is not in-cluster

Security best practices

Secrets management:
  • Use Kubernetes secrets for all sensitive data
  • Never commit .secrets.toml files to version control
  • Consider External Secrets Operator for centralized secret management
  • Rotate API keys and credentials regularly
Network policies:
  • Restrict pod-to-pod communication
  • Limit egress to only required endpoints
  • Implement namespace isolation
Access control:
  • Use RBAC for Kubernetes access
  • Implement the principle of least privilege
  • Use service accounts with minimal permissions
TLS/SSL:
  • Always use TLS for external endpoints
  • Use cert-manager for certificate management
  • Configure proper certificate validation
Image security:
  • Images come from the trusted Replicated registry
  • Apply regular updates through Helm to pick up security patches
  • Scan images for vulnerabilities if required by policy