TLS configuration for Gitpod Self-Hosted

⚠️ Self-hosted as a product is no longer supported

The last official update of this product is the November 2022 self-hosted release. We no longer sell commercial self-hosted licenses. If you want to self-host Gitpod, you can still request our free community license. However, we no longer offer support or updates for it. If you are interested in an isolated, private installation of Gitpod, take a look at Gitpod Dedicated. Read our blog on Gitpod Dedicated to learn why we made the decision to discontinue self-hosted.

To run your own Gitpod instance, you need a TLS certificate for your Gitpod domain. There are three options to provide these TLS certificates.

Option 1: Cert-Manager

Configure cert-manager to issue these certificates (usually with a DNS-01 challenge and a service like Let’s Encrypt). See the installation guide for more information.


TLS certificates configuration options during the installation process

Option 2: Self-signed by Gitpod

We usually do not recommend this option for production usage.

Let Gitpod generate self-signed certificates for your installation. This option can be used when your load balancer terminates TLS, or for test setups. In the latter case, you need to add the custom CA to your browser so that it accepts the self-signed certificate. Use this command to export the CA, replacing <namespace> with the namespace Gitpod is installed in:

$ kubectl get secrets -n <namespace> ca-issuer-ca -o jsonpath='{.data.ca\.crt}' | base64 -d > ~/ca.crt


Option 3: Bring your own certificate

⚠️ Limitation

Adding custom CA certificates is currently not supported on Google Kubernetes Engine (GKE) because on GKE containerd does not support custom certificates.

Upload your own TLS certificate, key, and (optionally) CA certificate. When your TLS certificate is signed by a publicly trusted certificate authority, you only need to upload your certificate and key. If it is a self-signed certificate (e.g. signed by a corporate CA), you also need to upload your CA certificate.
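
A pre-upload check for the files described above, as an added example that is not part of the Gitpod documentation or tooling. The function name `check_tls_bundle`, its exit codes and the file arguments are assumptions, and it expects the OpenSSL command line tool (1.1.0 or later) to be installed.

```shell
# Added example, not Gitpod code.
# Usage: check_tls_bundle CERT KEY DOMAIN [CA]
# Exit status: 0 ok, 2 unreadable input, 3 key mismatch, 4 expired,
#              5 domain not covered, 6 chain does not verify.
check_tls_bundle() (
    cert=$1 key=$2 domain=$3 ca=${4:-}

    # The private key must belong to the certificate: compare public keys.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || exit 2
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key does not match certificate" >&2; exit 3; }

    # The certificate must not be past its notAfter date.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; exit 4; }

    # The certificate must name the Gitpod domain (SAN, or CN as fallback).
    # -checkhost reports via its output text, so match on the message.
    openssl x509 -in "$cert" -noout -checkhost "$domain" |
        grep -q 'does match' ||
        { echo "certificate does not cover $domain" >&2; exit 5; }

    # Chain check. Without a CA file, OpenSSL's default trust store is used,
    # so a failure here for a corporate or self-signed certificate means the
    # CA certificate has to be uploaded as well. -untrusted lets intermediate
    # certificates bundled in CERT take part in path building.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1
    else
        openssl verify -untrusted "$cert" "$cert" >/dev/null 2>&1
    fi || { echo "chain does not verify" >&2; exit 6; }
)
```

Exit status 6 when the CA argument is omitted is the case in which the CA certificate has to be uploaded along with the certificate and key.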

