Codegen On-Prem Deployment: Bring the OS for Code Agents In House
If your organization can’t move code or logs outside its network, you shouldn’t have to sit out the agent era.
Today we’re introducing Codegen on-prem — the same operating system for code agents that powers our cloud, packaged for your Kubernetes. Install with Helm, keep all code and telemetry inside your environment, use your model API keys, and enforce your policies.
So how does on-prem deployment work, who benefits most from it, and what makes Codegen’s approach the right fit for modern engineering teams?
What is on-premises deployment?
On-premises deployment means the stack runs inside your own facilities or data centers, not in a vendor’s cloud. You procure the hardware and network, install and operate the software, and keep code and data within your physical and legal boundary.
The upside is full control. You can customize the environment end-to-end, enforce your security policies, and meet strict regulatory requirements with direct access to the systems that hold your IP. The trade-off is ownership of the entire lifecycle — capacity planning, purchasing, installation, patching, upgrades, monitoring, and security all sit with your team.
Who benefits from on-prem
On-prem is a fit when code and telemetry must stay in-region or on site; when audits, industry rules, or internal policies prohibit external processing; or when the network itself is constrained (strict egress, private services, even fully air-gapped).
In short: if “keep it in house” is non-negotiable, on-prem is the straightforward path.
- Data residency / sovereignty: code and telemetry must remain in-region or in-house.
- Regulatory and audit pressure: finance, healthcare, public sector, or any org with rigorous approvals.
- IP sensitivity: proprietary models, unreleased features, or high-value codebases.
- Network constraints: private services, strict egress, or air-gapped environments.
- Operational integration: reuse of existing IAM, KMS/HSM, SIEM, proxies, and deployment processes.
How Codegen on-prem delivers
Codegen is an OS for code agents: it gives agents a safe runtime, orchestrates concurrent work, connects them to the tools engineers use daily, and records what happened with enough detail to trust the outcome.
On-prem is a Kubernetes-native platform. You install with Helm charts, manage configuration in values.yaml, and use the same GitOps and CI/CD workflows you already rely on.
Data stays put. Repositories, artifacts, logs, prompts, and agent trajectories live in your environment. If you need to route traffic through proxies or pin egress to specific destinations, you do that with your network policy and admission controls, not ours. And because model choice is yours, you bring your own API keys for the LLMs you use.
Keys are managed locally and rotated on your schedule, with request routing that respects your security boundaries. If you prefer customer-managed keys (BYOK/CMEK) backed by your HSM or cloud KMS, that’s supported too — along with clear docs on what the keys protect and where they live.
Security posture is opinionated but transparent. Pods run under restricted policies with minimal capabilities and node isolation where practical. Policies are enforced at admission and at runtime using mechanisms you can audit (e.g., OPA/Gatekeeper for egress allowlists, trusted registries, and image provenance; RBAC for least privilege).
The point is simple: you control the guardrails, and the platform fits into them cleanly.
Observability is first-class. Codegen ships OpenTelemetry traces, metrics, and logs across agents, sandboxes, integrations, and check suites. We include ready-to-import “golden signal” dashboards and practical alert suggestions so SREs can see load, latency, and error profiles without reverse-engineering the system.
Networking is explicit. We document ingress and egress patterns, DNS and proxy requirements, and the steps to run with zero outbound in air-gapped environments. If you mirror images to a private registry and provide pull secrets and pinned digests, the platform runs fully disconnected.
For more information, check out our official on-prem documentation.
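An added example (not from Codegen's charts or documentation) of auditing a rendered pod spec for the controls named above: digest-pinned images pulled from a trusted private registry, and restricted container settings. The registry hostname, function name and sample spec are assumptions constructed for illustration; the security-context checks follow the Kubernetes "restricted" Pod Security Standard.

```python
import re

# Assumption: hostname of your private mirror; replace with your own registry.
TRUSTED_REGISTRIES = {"registry.internal.example"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_pod_spec(pod_spec):
    """Return findings for one pod spec (a dict, as in `kubectl get -o json`)."""
    findings = []
    pod_sc = pod_spec.get("securityContext", {})
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        name, image = c["name"], c.get("image", "")
        sc = c.get("securityContext", {})
        # A tag can be re-pointed; only a digest identifies exact image content.
        if not DIGEST_RE.search(image):
            findings.append(f"{name}: image not pinned by sha256 digest")
        # The first path component is treated as the registry host; a bare
        # name such as "busybox" has none and resolves to a public default.
        host = image.split("/", 1)[0] if "/" in image else ""
        if host not in TRUSTED_REGISTRIES:
            findings.append(f"{name}: registry '{host or 'default'}' not in allowlist")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        # A container-level runAsNonRoot overrides the pod-level setting.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot must be true")
    return findings

# Constructed sample input: one compliant container and one that is not.
SAMPLE_POD_SPEC = {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "good",
         "image": "registry.internal.example/agents/runner@sha256:" + "ab" * 32,
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"drop": ["ALL"]}}},
        {"name": "bad", "image": "docker.io/library/busybox:latest",
         "securityContext": {"runAsNonRoot": False}},
    ],
}

if __name__ == "__main__":
    for finding in audit_pod_spec(SAMPLE_POD_SPEC):
        print(finding)
```

Running the same checks over the output of a rendered chart before it reaches the cluster catches tag-only or public-registry references that would fail in an air-gapped install.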
What you should expect out of the box
Kubernetes-native deployment with Helm
Install, upgrade, and roll back with Helm charts. Manage values.yaml, pin images, verify signatures, and plug into GitOps and your CI/CD without special tooling.
Complete data sovereignty
Your repositories, artifacts, logs, prompts, and agent trajectories never leave your infrastructure. Enforce residency and org policies at the network and workload layers.
Your own API keys for AI models
Bring your providers and manage model API keys locally. Route traffic through your proxies, rotate on your schedule, and scope access by policy.
Enterprise-grade support and SLAs
On-prem is an enterprise-only offering with SLAs and hands-on help for hardening, sizing, and performance. Runbooks and escalation paths are included.
Flexible infrastructure support
Self-managed Kubernetes, OpenShift, Rancher, EKS-Anywhere — supported. Air-gapped and restricted networks are first-class: private registry mirroring, pull secrets, and offline licensing.
Getting started
Ready to see how Codegen can fit into your engineering workflow?
Book a demo to watch it in action or contact our team to discuss deployment plans and pricing. We’ll help you explore the best path, cloud or on-prem, to bring AI agents safely into production.
