TLS configuration for Gitpod Self-Hosted

To run your own Gitpod instance, you need a TLS certificate for your Gitpod domain. There are the following three options to provide these TLS certificates.

Option 1: Cert-Manager

Configure cert-manager to issue these certificates (usually with a DNS-01 challenge and services like Let’s encrypt). See the getting started guide for more information.

kots-tls-cert-manager

TLS certificates configuration options during the installation process

Option 2: Self-signed by Gitpod

We usually do not recommend this option for production usage.

Let Gitpod generate self-signed certificates for your installation. This option can be used in case your load balancer does the TLS termination or for testing settings. For the latter case, you need to add the custom CA to your browser to let it accept the self-signed certificate. Use this command to export the CA:

$ kubectl get secrets -n <namespace> ca-issuer-ca -o jsonpath='{.data.ca.crt}' | base64 -d > ~/ca.crt

kots-tls-self-signed

Option 3: Bring your own certificate

Upload your own TLS certificate, key, and (optionally) CA certificate. When your TLS certificate is signed by a publicly accepted TLS authority, you just need to upload your certificate and key. In case it is a self-signed certificate (e.g. signed by a corporate CA), you also need to upload your CA.

kots-tls-bring-own

⚠️ Limitation

Adding custom CA certificates is currently not supported on Google Kubernetes Engine (GKE) because on GKE containerd does not support custom certificates.

Was this helpful?