# Private Mode

### What is Private Mode?

Private Mode allows organizations with strict data residency requirements to deploy Baz while maintaining full control over their source code storage. Instead of persisting repositories on Baz's infrastructure, you deploy a single FSS pod in your environment that provides Baz temporary access to perform code analysis.

While code is queried and processed on Baz infrastructure during analysis, it is handled transiently and immediately wiped once the review process completes or errors out. No source code is persisted on Baz servers.

<figure><img src="https://3328658395-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVjqbueGEV6lEh1M5NENO%2Fuploads%2FTWNTh4mu8YvchwrIRfCy%2Fspec_agent_arch.png?alt=media&#x26;token=d380e305-4b37-4ae1-9f71-f9366090a6e4" alt=""><figcaption></figcaption></figure>

### How It Works

In Baz's standard deployment, the FSS runs on Baz infrastructure. With Private Mode, you deploy this same service in your own environment instead.

**Standard Deployment**: Repository → FSS (Baz Infrastructure) → Analysis

**Private Mode**: Repository → FSS (Your Infrastructure) → Analysis

The FSS acts as a filesystem operator for Baz, providing temporary access to diffs, files, and directories across commits. Your repositories remain in your infrastructure, and the FSS gives Baz controlled, temporary access only when needed for code review.

### Architecture

**Key Components:**

* **Ingress Controller**: Routes traffic from a customer-configured subdomain (e.g., `https://baz.acme.com` or `https://acme.com/baz`) to the FSS pod
* **FSS Pod**: Provides temporary filesystem access to repositories for Baz analysis
* **Baz Infrastructure**: Connects via REST API with IP whitelist, SSL/TLS, and API key authentication

### Network Requirements

The FSS pod requires outbound connectivity to Baz's infrastructure, and Baz's infrastructure must be able to reach the FSS pod through your ingress. You'll need to allowlist the following three public IP addresses:

* `18.190.165.140`
* `3.20.124.148`
* `3.12.220.91`

### Setup Guide

Setting up Private Mode requires coordination with Baz support. The process ensures secure integration between your infrastructure and Baz's platform.

#### Prerequisites

Before beginning setup, ensure you have:

* Kubernetes cluster running on AWS EKS
* Helm 3.x installed
* Ingress controller configured (e.g., Traefik, NGINX)
* Ability to configure a subdomain or URL prefix for FSS access
* AWS account ID for ECR image access
* Network policies allowing inbound HTTPS from Baz IP addresses
* A GitHub Personal Access Token (GH PAT) with read access to the repositories you wish to integrate. It does not matter whether the token is a classic or a fine-grained token; it needs **read** permission for **contents**. [GitHub docs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens)

#### Step 1: Contact Baz Support

Sign up for Baz, and then reach out to **<support@baz.co>** (or your shared Slack channel if one exists) to initiate Private Mode setup. Baz support will provide:

* API token for FSS pod authentication
* Helm chart for FSS deployment
* ECR repository access for your AWS account

#### Step 2: Deploy FSS with Helm

Install the FSS pod in your Kubernetes cluster using the Helm chart from GitHub. You will need to create a `values.yml` file with **at least** the following keys:

```yml
image:
  repository: 497250501322.dkr.ecr.us-east-2.amazonaws.com/baz-fss-private-mode
  tag: 0.1.0  # Replace with the latest tag as given by Baz support

service:
  type: ClusterIP
  port: 3000

env: private

githubPat: # required (or set via secret). Needs read access to the repos you intend to integrate
privateModeKey: # required (or set via secret). Supplied by Baz support
```

There are more configuration options in [values.yml](https://github.com/baz-scm/helm-charts/blob/main/charts/private-mode/values.yaml) if you wish to supply the PAT and key via Kubernetes secrets, etc. Once set, deploy the [helm chart](https://github.com/baz-scm/helm-charts/tree/main/charts/private-mode):

```bash
helm repo add baz https://baz-scm.github.io/helm-charts
helm repo update

# --values passes the values.yml created above (image, service, env, githubPat, privateModeKey)
helm install baz-fss baz/private-mode \
  --namespace baz-system \
  --create-namespace \
  --values values.yml \
  --set apiToken=YOUR_API_TOKEN
```

#### Step 3: Configure Ingress Route

Set up an ingress route that makes the FSS accessible from either:

* A subdomain: `https://baz.acme.com`
* A URL prefix: `https://acme.com/baz`

The ingress must allow inbound traffic from Baz's three public IP addresses listed under Network Requirements.

**Example Traefik IngressRoute:**

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: baz-fss
  namespace: baz-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`baz.acme.com`)
      kind: Rule
      services:
        - name: baz-fss
          port: 3000  # must match service.port in values.yml
  tls:
    certResolver: letsencrypt
```
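The IngressRoute above routes traffic to the pod but does not by itself restrict where requests come from. As an added example (not part of the Baz chart or this guide's own manifests), the following Traefik v2 `Middleware` limits the route to the three Baz source IPs from the Network Requirements section; it assumes the v2 CRD field name `ipWhiteList`, matching the `traefik.containo.us/v1alpha1` API version used above (Traefik v3 renames it to `ipAllowList` under `traefik.io/v1alpha1`), and a Service named `baz-fss` on port 3000 as set in `values.yml`.

```yaml
# Added example: source-IP allowlist for the FSS route, applied via Traefik middleware.
# The three addresses are the Baz public IPs listed under Network Requirements.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: baz-source-ips
  namespace: baz-system
spec:
  ipWhiteList:
    sourceRange:
      - 18.190.165.140/32
      - 3.20.124.148/32
      - 3.12.220.91/32
    # Only needed when Traefik sits behind a load balancer that rewrites the
    # source address and appends the client IP to X-Forwarded-For. depth: 1 takes
    # the last (right-most) entry, i.e. the address added by that one trusted hop.
    # Leave ipStrategy out when Traefik sees the real client IP (e.g. PROXY protocol),
    # otherwise the allowlist is evaluated against the load balancer's address.
    # ipStrategy:
    #   depth: 1
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: baz-fss
  namespace: baz-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`baz.acme.com`)
      kind: Rule
      middlewares:
        - name: baz-source-ips   # requests from any other source get 403
      services:
        - name: baz-fss
          port: 3000             # must match service.port in values.yml
  tls:
    certResolver: letsencrypt
```

After applying, a request from a non-allowlisted address should be rejected by Traefik before it reaches the FSS pod, while Baz support's connectivity test in Step 5 should still succeed.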

#### Step 4: Create Baz Account and Organization

1. Sign up at **<https://baz.co/login>**
2. Create your user account
3. Set up your organization

#### Step 5: Share Integration Details

Provide the FSS endpoint URL (e.g., `https://baz.acme.com`) to Baz support so they can validate that traffic works from their end. Baz support will:

1. Configure the FSS integration for your organization
2. Test connectivity and authentication
3. Verify the setup is working as expected
4. Notify you when complete

#### Step 6: Connect Your Repositories

Once Baz support confirms the integration is ready:

1. Go back to <https://baz.co/login> and follow the standard Baz integration flow for GitHub or GitLab
2. All repository storage and filesystem operations will automatically use your FSS pod. You can follow the FSS container logs on your side to watch the requests arrive.
3. Begin using Baz as normal with full Private Mode data residency

### Security Considerations

**Data Residency**: Source code is stored exclusively in your infrastructure. Baz accesses code transiently for analysis and immediately wipes it after processing.

**Authentication**: FSS communicates with Baz infrastructure using REST API with multiple security layers:

* IP whitelist (only Baz's public IPs can connect)
* SSL/TLS encryption
* API key authentication

**Network Isolation**: The FSS operates behind your ingress controller with strict network policies. Only authorized Baz IP addresses can reach the service.

**Audit Logging**: All FSS operations are logged within your environment for compliance and security monitoring.

### Support

All Private Mode setups require assistance from Baz support. For any issues, questions, or to initiate setup:

* **Email**: <support@baz.co>
* **Slack**: Your shared channel (if one exists)

Our team will guide you through the entire setup process and help troubleshoot any issues that arise.

## FAQ

<details>

<summary>Does Private Mode support all Baz features?</summary>

Yes, Private Mode supports the full suite of Baz features. Note that you'll need to upgrade your FSS pod periodically to access new features and improvements.

</details>

<details>

<summary>Why is a GitHub PAT needed? Do we need to create it per user?</summary>

The GitHub PAT is used by the pod deployed on the customer side, so it can clone the repository without any input from our system (sending secrets is not a good idea). The PAT serves the entire org, so it doesn't matter who creates it; we only need one valid PAT.

</details>

<details>

<summary>Which permissions should I give the GitHub PAT?</summary>

The PAT needs `contents: read` permission on the repositories you integrate with Baz. **Important:** first give this token access to the repositories you wish to onboard. Only then go back to GitHub and integrate the relevant repositories with the baz-reviewer app. Example permissions:

<figure><img src="https://3328658395-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FVjqbueGEV6lEh1M5NENO%2Fuploads%2FSZnJ6jW2XyPKlekJxKNg%2Fimage.png?alt=media&#x26;token=6ea0753d-1725-4fbf-ae8a-b7f66743e043" alt=""><figcaption></figcaption></figure>

</details>

<details>

<summary>What happens if my FSS pod goes down?</summary>

Code reviews will pause until the FSS is restored. No data is lost, and reviews will resume automatically once connectivity is re-established.

</details>

<details>

<summary>Can I deploy FSS outside of AWS EKS?</summary>

No, currently FSS deployment is only supported on AWS EKS. This ensures optimal compatibility with our ECR-hosted images and infrastructure requirements.

</details>
