Private Mode

Deploy Baz with complete data residency control through an isolated File System Service (FSS) running in your environment.

What is Private Mode?

Private Mode allows organizations with strict data residency requirements to deploy Baz while maintaining full control over their source code storage. Instead of persisting repositories on Baz's infrastructure, you deploy a single FSS pod in your environment that provides Baz temporary access to perform code analysis.

While code is queried and processed on Baz infrastructure during analysis, it is handled transiently and immediately wiped once the review process completes or errors out. No source code is persisted on Baz servers.

How It Works

In Baz's standard deployment, the FSS runs on Baz infrastructure. With Private Mode, you deploy this same service in your own environment instead.

Standard Deployment: Repository → FSS (Baz Infrastructure) → Analysis

Private Mode: Repository → FSS (Your Infrastructure) → Analysis

The FSS acts as a filesystem operator for Baz, providing temporary access to diffs, files, and directories across commits. Your repositories remain in your infrastructure, and the FSS gives Baz controlled, temporary access only when needed for code review.

Architecture

Key Components:

Ingress Controller: Routes traffic from a customer-configured subdomain (e.g., https://baz.acme.com or https://acme.com/baz) to the FSS pod
FSS Pod: Provides temporary filesystem access to repositories for Baz analysis
Baz Infrastructure: Connects via REST API with IP whitelist, SSL/TLS, and API key authentication

Network Requirements

The FSS pod requires outbound connectivity to Baz's infrastructure. You'll need to allowlist the following 3 public IP addresses:

35.123.45.67
52.234.56.78
18.345.67.89

Setup Guide

Setting up Private Mode requires coordination with Baz support. The process ensures secure integration between your infrastructure and Baz's platform.

Prerequisites

Before beginning setup, ensure you have:

Kubernetes cluster running on AWS EKS
Helm 3.x installed
Ingress controller configured (e.g., Traefik, NGINX)
Ability to configure a subdomain or URL prefix for FSS access
AWS account ID for ECR image access
Network policies allowing inbound HTTPS from Baz IP addresses

Step 1: Contact Baz Support

Reach out to [email protected] (or your shared Slack channel if one exists) to initiate Private Mode setup. Baz support will provide:

API token for FSS pod authentication
Helm chart for FSS deployment
ECR repository access for your AWS account

Step 2: Deploy FSS with Helm

Install the FSS pod in your Kubernetes cluster using the Helm chart from GitHub:

helm repo add baz https://baz-scm.github.io/helm-charts
helm repo update

helm install baz-fss baz/private-mode \
  --namespace baz-system \
  --create-namespace \
  --set apiToken=YOUR_API_TOKEN \
  --set awsAccountId=YOUR_AWS_ACCOUNT_ID

Full chart documentation: https://github.com/baz-scm/helm-charts/tree/main/charts/private-mode

Step 3: Configure Ingress Route

Set up an ingress route that makes the FSS accessible from either:

A subdomain: https://baz.acme.com
A URL prefix: https://acme.com/baz

The ingress must allow inbound traffic from Baz's 3 public IP addresses as noted above.

Example Traefik IngressRoute:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: baz-fss
  namespace: baz-system
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`baz.acme.com`)
      kind: Rule
      services:
        - name: baz-fss
          port: 8080
  tls:
    certResolver: letsencrypt

Step 4: Create Baz Account and Organization

Sign up at https://baz.co/login
Create your user account
Set up your organization

Provide the following information to Baz support:

Your organization name/ID from Baz
AWS account ID hosting the FSS
FSS endpoint URL (e.g., https://baz.acme.com)

Step 6: Baz Support Completes Integration

Baz support will:

Configure the FSS integration for your organization
Test connectivity and authentication
Verify the setup is working as expected
Notify you when complete

Step 7: Connect Your Repositories

Once Baz support confirms the integration is ready:

Follow the standard Baz integration flow for GitHub or GitLab
All repository storage and filesystem operations will automatically use your FSS pod
Begin using Baz as normal with full Private Mode data residency

Security Considerations

Data Residency: Source code is stored exclusively in your infrastructure. Baz accesses code transiently for analysis and immediately wipes it after processing.

Authentication: FSS communicates with Baz infrastructure using REST API with multiple security layers:

IP whitelist (only Baz's public IPs can connect)
SSL/TLS encryption
API key authentication

Network Isolation: The FSS operates behind your ingress controller with strict network policies. Only authorized Baz IP addresses can reach the service.

Audit Logging: All FSS operations are logged within your environment for compliance and security monitoring.

Support

All Private Mode setups require assistance from Baz support. For any issues, questions, or to initiate setup:

Email: [email protected]
Slack: Your shared channel (if one exists)

Our team will guide you through the entire setup process and help troubleshoot any issues that arise.

FAQ

Does Private Mode support all Baz features?

Yes, Private Mode supports the full suite of Baz features. Note that you'll need to upgrade your FSS pod periodically to access new features and improvements.

What happens if my FSS pod goes down?

Code reviews will pause until the FSS is restored. No data is lost, and reviews will resume automatically once connectivity is re-established.

Can I deploy FSS outside of AWS EKS?

No, currently FSS deployment is only supported on AWS EKS. This ensures optimal compatibility with our ECR-hosted images and infrastructure requirements.

PreviousWeb NextNotifications

Last updated 1 hour ago