Autonomize · Genesis Downloads

Install Genesis — from zero to ready

End-to-end runbook for an air-gapped customer cluster. Two Zarf bundles, one license key, one wizard. Vendor side never reaches in — everything runs in your VPC.


What you'll need

License key

Issued by Autonomize. Format sk_yourorg_*. Used by both genesis CLI and the in-cluster wizard.

Gap-host

Linux/macOS workstation with one-way internet access to downloads.genesis.autonomize.ai. Used to pull bundles. Never connects to your cluster.

Customer cluster

Any conformant Kubernetes 1.28+ (AKS / EKS / GKE / OpenShift / RKE2 / on-prem). 3 nodes, 8 vCPU + 32 GiB RAM each.


Customer prerequisites — you bring these

Genesis ships no stateful services. Your DBA / platform team operates the following; preflight verifies them as the wizard's first step.

PostgreSQL 14+

Connection URL (postgres://user:pass@host:5432/db) supplied at the wizard's config step. HA / backup discipline is yours. Backs Keycloak, AI Studio backend, authz, etc.

Redis 7+

Connection URL (redis://host:6379/0) supplied at the config step. Used for rate limiting and session caching. Single-instance OK for dev; HA for prod.

cert-manager

Installed in any namespace (default cert-manager). Issues TLS certs for in-cluster Ingress. Preflight FAILs if absent.

DNS + Ingress

Your platform hostname (e.g. genesis.acme-health.internal) resolves to the cluster's Ingress LB. Customer-supplied IngressClass.

TLS chain

Your cert + intermediate + root in a Kubernetes Secret. We never issue certs via Let's Encrypt or ACM, since the clusters are air-gapped.

Image registry

Three patterns: customer-owned (Harbor / private ACR / ECR / GCR / Nexus / Artifactory), Zarf in-cluster (zarf init), or cloud-native attached (AKS attach-acr / GKE Artifact Registry / EKS ECR).

Optional: a genesis-holmes-creds Secret with Azure OpenAI credentials enables the HolmesGPT advice layer on the Pre-flight and Troubleshoot tabs. Without it, the deterministic checks still gate everything; only the LLM-driven remediation copy is disabled. See air-gap workflow →

The seven steps

  1. Receive your license key.

    Autonomize ops issues sk_<slug>_<32hex> through the portal admin UI; your platform-admin receives it via 1Password.

  2. Install the CLI on your gap-host.

    One-way internet workstation. The CLI is a Typer + httpx + cosign tool with no cluster credentials.

    pipx install genesis
    genesis login                          # paste sk_yourorg_*
    genesis releases                       # see the bundles entitled to you
  3. Pull the two bundles.

    Each release publishes ops (CRDs + Operator + Control Plane console + 5 agents — stateless) and platform (the Genesis umbrella, includes Keycloak + APISIX). Both signed and SBOM'd.

    genesis pull 3.2.10                    # downloads ops + platform .tar.zst + .cosign.bundle + .sha256
  4. Verify cosign signatures & ingest SBOMs.

    Cosign keyless verification is rooted in the public Sigstore TUF root; nothing crosses the air-gap until both bundles pass. Pipe the SBOMs into your vulnerability scanner (Trivy / Grype / Snyk) and gate on your CVE policy.

    genesis verify ./genesis-ops-3.2.10.tar.zst
    genesis verify ./genesis-platform-3.2.10.tar.zst
    # Both should print: ✓ cosign verify OK · sha256 match · SLSA provenance present
    
    trivy sbom ./sbom-3.2.10.cdx.json     # ingest into your scanner of choice
  5. Cross the air-gap.

    Move the tarballs via your approved process — USB, data diode, or one-way file portal. We don't constrain the medium.

  6. Deploy ops, the first bundle.

    Installs the four CRDs (GenesisDeployment, GenesisUpgrade, PreflightReport, HealthReport), the kopf operator, the Control Plane console, and the five agents (Preflight, Deploy, Health, Troubleshoot, Support-Bundle). Stateless — no Postgres or Keycloak yet.

    zarf package deploy genesis-ops-3.2.10.tar.zst
    kubectl get pods -n genesis    # all Running, all 1/1
    kubectl port-forward -n genesis svc/genesis-control-plane 8443:443
    # open https://localhost:8443 in a browser

    The port-forward is only required for the first install; later access is via your Ingress.

  7. Walk the four-tab wizard to install the platform.

    Sign in to the Control Plane console. Tabs are phase-locked — you can't reach the next tab until the previous phase reports Passed. See the four-tab breakdown below.
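The gate that matters most in the steps above is step 4: nothing crosses the air-gap until the digest and the signature both check out. The script below is an added example, not the genesis CLI's own code, showing what that gate should enforce on the gap-host: recompute the tarball's SHA-256 with a streaming read, compare it against the .sha256 sidecar (assumed here to be in sha256sum format, "<hex>  <filename>"), and only then run cosign verify-blob with the signer identity pinned. The pipeline identity regexp and OIDC issuer are placeholders you replace with the values Autonomize publishes for the AzDO release pipeline; the sample bundle and sidecar are constructed in a temp directory.

```python
"""Gap-host verification of a Genesis release bundle before it crosses the air-gap.

Added example, not part of the genesis CLI. Fails closed: a missing sidecar entry,
a digest mismatch, or a missing/failed cosign check all block the bundle.
"""
from __future__ import annotations

import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

# Placeholders (assumed): pin cosign to the AzDO release pipeline's OIDC identity.
PIPELINE_IDENTITY_REGEXP = r"^https://dev\.azure\.com/EXAMPLE-ORG/.*$"     # placeholder
PIPELINE_OIDC_ISSUER = "https://vstoken.dev.azure.com/EXAMPLE-ORG-ID"       # placeholder


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB tarballs never load into RAM."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256_sidecar(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: hexdigest}."""
    digests: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, _, name = line.partition("  ")   # sha256sum separates with two spaces
        name = name.lstrip("*")                      # drop the binary-mode marker if present
        if len(hexdigest) != 64 or not name:
            raise ValueError(f"malformed sidecar line: {line!r}")
        digests[name] = hexdigest.lower()
    return digests


def verify_checksum(tarball: Path, sidecar: Path) -> tuple[bool, str]:
    """Return (ok, reason). The tarball must be listed and its digest must match."""
    tarball, sidecar = Path(tarball), Path(sidecar)
    expected = parse_sha256_sidecar(sidecar.read_text()).get(tarball.name)
    if expected is None:
        return False, f"{tarball.name} not listed in {sidecar.name}"
    actual = sha256_file(tarball)
    if actual != expected:
        return False, f"sha256 mismatch: expected {expected[:12]}..., got {actual[:12]}..."
    return True, "sha256 match"


def cosign_verify_cmd(tarball, bundle) -> list[str]:
    """argv for keyless verification with the certificate identity and issuer pinned."""
    return [
        "cosign", "verify-blob",
        "--bundle", str(bundle),
        "--certificate-identity-regexp", PIPELINE_IDENTITY_REGEXP,
        "--certificate-oidc-issuer", PIPELINE_OIDC_ISSUER,
        str(tarball),
    ]


def verify_bundle(tarball: Path, sidecar: Path, bundle: Path) -> tuple[bool, str]:
    """Cheap offline digest check first, then the signature; no cosign means no pass."""
    ok, reason = verify_checksum(tarball, sidecar)
    if not ok:
        return False, reason
    if shutil.which("cosign") is None:
        return False, reason + " but cosign is not on PATH: signature unverified, do not transfer"
    proc = subprocess.run(cosign_verify_cmd(tarball, bundle), capture_output=True, text=True)
    if proc.returncode != 0:
        return False, "cosign verify FAILED: " + proc.stderr.strip()
    return True, reason + " · cosign verify OK"


def demo() -> dict[str, bool]:
    """Constructed sample: a stand-in bundle, its sidecar, and a copy modified in transit."""
    d = Path(tempfile.mkdtemp())
    good = d / "genesis-ops-3.2.10.tar.zst"
    good.write_bytes(b"constructed bundle contents, not a real zarf package\n")
    sidecar = d / "genesis-ops-3.2.10.sha256"
    sidecar.write_text(f"{sha256_file(good)}  {good.name}\n")

    bad_dir = d / "tampered"
    bad_dir.mkdir()
    bad = bad_dir / good.name
    bad.write_bytes(b"constructed bundle contents, MODIFIED in transit\n")
    bad_sidecar = bad_dir / sidecar.name
    bad_sidecar.write_text(sidecar.read_text())   # attacker cannot rewrite the pinned digest

    return {"good": verify_checksum(good, sidecar)[0],
            "tampered": verify_checksum(bad, bad_sidecar)[0]}


if __name__ == "__main__":
    print(demo())
```

The digest check runs before cosign so a corrupted download is rejected without a network round-trip, and the identity pin is what turns "a valid Sigstore signature" into "a signature from the release pipeline"; without it any Fulcio-issued certificate would satisfy verify-blob.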


The four wizard tabs

Pre-flight

17+ deterministic checks across cluster, network, identity, data, and your cloud. Stage 1 needs no inputs; stage 2 collects your postgres_url, redis_url, keycloak_issuer_url, cert_manager_namespace, image_registry, and tls_cert_secret and re-runs the affected probes.

Platform install

Operator runs the three-gate chain (preflight passed, customer approval, bundle SHA re-verify), then zarf package deploy genesis-platform-<ver>.tar.zst followed by helm install genesis. Reconcile events stream live via SSE.

Post-install

Eight verification probes (Pod Health, Service Endpoints, TLS, DB connectivity, FHIR R4, Prior Auth smoke, Performance baseline, Secrets audit) plus a HolmesGPT chat panel.

Dashboard

Steady-state ops landing — KPI strip + activity log streamed from the agents' CRs.


Verification artifacts

cosign.bundle

Keyless OIDC-federated signature. Verify with cosign verify-blob --bundle <file>.cosign.bundle <file>.tar.zst. Identity must be the AzDO release pipeline.

SLSA L3 · FULCIO · REKOR

sbom-{ver}.cdx.json

CycloneDX 1.5. Pipe into your scanner of choice (Snyk, Trivy, Grype). Lists every container layer + Python wheel + OS package across both bundles.

CYCLONEDX 1.5 · AUDIT-READY

hipaa-attestation-{ver}.pdf

Signed PDF enumerating every change since the previous release that touches PHI handling, encryption, audit logging, or access control.

PDF · HIPAA · SIGNED


Upgrades

Same shape as install. Pull a new bundle, verify, transfer, and submit a GenesisUpgrade CR via the Upgrade tab. The operator reconciles through the same three-gate chain (preflight → approval → bundle SHA re-verify), runs zarf package deploy + helm upgrade, audits Postgres schema migrations, and regenerates a per-upgrade HIPAA attestation. rollbackOnFailure defaults to true.
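The three-gate chain is the same for the platform install tab and for upgrades, so one added example covers both. This is not the operator's own kopf code; it models the reconcile decision for a GenesisUpgrade CR with assumed field names (targetVersion, approvedBy, rollbackOnFailure): preflight must be Passed, a customer approval must be recorded, and the bundle's SHA-256 is recomputed in-cluster and compared with the digest pinned on the gap-host before anything deploys. The deploy and rollback callables are stand-ins for zarf package deploy + helm upgrade and for restoring the previous release; the bundle bytes are constructed.

```python
"""Three-gate reconcile chain for a GenesisUpgrade (added example, not the operator's code).

Gate order: preflight passed -> customer approval -> bundle SHA re-verify. Only when all
three are open does the deploy run; a failed deploy with rollbackOnFailure=true restores
the previous release and reports RolledBack instead of leaving a half-applied upgrade.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class UpgradeSpec:
    """Subset of a GenesisUpgrade spec; field names are assumed for this example."""
    target_version: str
    bundle_bytes: bytes            # in-cluster this is read from the registry / zarf cache
    pinned_sha256: str             # digest recorded on the gap-host at pull time
    approved_by: str | None = None
    rollback_on_failure: bool = True


@dataclass
class UpgradeStatus:
    phase: str = "Pending"
    gates: dict[str, bool] = field(default_factory=dict)
    message: str = ""


def reconcile_upgrade(spec: UpgradeSpec, preflight_passed: bool,
                      deploy: Callable[[str], None], rollback: Callable[[], None]) -> UpgradeStatus:
    status = UpgradeStatus()

    # Gate 1: the PreflightReport for this target must be Passed.
    status.gates["preflight"] = preflight_passed
    if not preflight_passed:
        status.phase, status.message = "Blocked", "preflight not Passed"
        return status

    # Gate 2: a human on the customer side approves the change; no vendor-side override.
    status.gates["approval"] = spec.approved_by is not None
    if not status.gates["approval"]:
        status.phase, status.message = "AwaitingApproval", "customer approval required"
        return status

    # Gate 3: recompute the digest here, so a tarball swapped or corrupted after the
    # gap-host verified it can never reach zarf/helm.
    actual = hashlib.sha256(spec.bundle_bytes).hexdigest()
    status.gates["bundle_sha"] = actual == spec.pinned_sha256.lower()
    if not status.gates["bundle_sha"]:
        status.phase, status.message = "Blocked", "bundle sha256 differs from pinned digest"
        return status

    try:
        deploy(spec.target_version)          # stand-in for zarf package deploy + helm upgrade
    except Exception as exc:                 # any reconcile error during deploy
        if spec.rollback_on_failure:
            rollback()                       # stand-in for restoring the previous release
            status.phase = "RolledBack"
            status.message = f"deploy failed ({exc}); previous release restored"
        else:
            status.phase = "Failed"
            status.message = f"deploy failed ({exc}); rollbackOnFailure=false, manual recovery"
        return status

    status.phase, status.message = "Succeeded", f"{spec.target_version} deployed"
    return status


def demo() -> dict[str, str]:
    """Drive the chain through every gate outcome on a constructed bundle."""
    bundle = b"constructed platform bundle bytes, not a real zarf package"
    pinned = hashlib.sha256(bundle).hexdigest()
    calls: list[str] = []

    def deploy_ok(version: str) -> None:
        calls.append(f"deploy {version}")

    def deploy_boom(version: str) -> None:
        raise RuntimeError("helm upgrade timed out")

    def rollback() -> None:
        calls.append("rollback")

    approved = UpgradeSpec("3.2.11", bundle, pinned, approved_by="platform-admin")
    unapproved = UpgradeSpec("3.2.11", bundle, pinned)
    swapped = UpgradeSpec("3.2.11", bundle + b"x", pinned, approved_by="platform-admin")
    no_rollback = UpgradeSpec("3.2.11", bundle, pinned, approved_by="platform-admin",
                              rollback_on_failure=False)
    return {
        "no_preflight": reconcile_upgrade(approved, False, deploy_ok, rollback).phase,
        "no_approval": reconcile_upgrade(unapproved, True, deploy_ok, rollback).phase,
        "bad_sha": reconcile_upgrade(swapped, True, deploy_ok, rollback).phase,
        "ok": reconcile_upgrade(approved, True, deploy_ok, rollback).phase,
        "rolled_back": reconcile_upgrade(approved, True, deploy_boom, rollback).phase,
        "failed": reconcile_upgrade(no_rollback, True, deploy_boom, rollback).phase,
        "calls": ",".join(calls),
    }


if __name__ == "__main__":
    print(demo())
```

Each early return records which gate closed, which is what the Upgrade tab's status and the activity log should surface; note that the deploy callable is never invoked in any blocked scenario, so the gates are enforced by control flow rather than by a flag the UI could skip.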


Where to go next

Air-gap workflow →

The exact sneakernet path: gap-host pulls, sidecar manifests, cluster-side ingest. Read the workflow.

Scan the bundle →

Plug the SBOM and image archives into your existing scanners (Trivy, Snyk, Aqua, Wiz, etc.). No new tool to approve.

Scanner runbook →
