Slipway never receives a kubeconfig and never holds your cluster credentials. The only secret it stores is the agent’s outbound auth token (hashed). Because the connection is outbound-only, private and firewalled clusters work without any inbound access.
Prerequisites
Your cluster needs these already installed (the slipway chart doesn’t add them):- An ingress controller (e.g. Traefik).
- cert-manager with an issuer for wildcard TLS, and reflector to mirror the cert into tenant namespaces.
- A CSI snapshot controller, if you use named volumes.
Set it up
- Register the cluster on the Clusters page. Slipway mints a one-time agent token and returns the exact
helmcommand to run. The token is shown once. - Install the agent by running that command. It installs BuildKit, an in-cluster registry, and the agent. The cluster flips from
pendingtoreadyonce the agent’s first connection lands. - Point an environment at it — set the cluster on an environment, or as your org’s default target. New deployments for that environment then build and run in your cluster.
Registry authentication
The chart’s in-cluster registry accepts unauthenticated pulls from inside your cluster by default. Since the cluster is yours alone, that is usually fine. To require authentication anyway, setregistry.auth.tokenCert in the chart values to the public certificate of slipway’s registry token signer (available from support). The registry then only serves clients carrying tokens minted by the slipway control plane, scoped to your organization’s images.