Skipper

Appearance

Domains & SSL

Every Skipper cluster gets automatic HTTPS, both on free kipper.run subdomains and custom domains.

Free kipper.run subdomains

When you run kip install, Skipper registers a free subdomain based on your server's IP address:

203-0-113-10.kipper.run

Apps deployed to the cluster get subdomains automatically:

hello-203-0-113-10.kipper.run
api-203-0-113-10.kipper.run
console-203-0-113-10.kipper.run

All subdomains are single-level (using dashes, not dots) to work with the wildcard TLS certificate.

How it works

A wildcard DNS record (*.kipper.run) points all subdomains to the Skipper Gateway. The gateway looks up the cluster IP from its registry and reverse-proxies the request. TLS is terminated at the gateway using a Let's Encrypt wildcard certificate.

Subdomain expiry

Free subdomains expire after 30 days of inactivity. Running any kip command against the cluster automatically renews the registration. If a subdomain expires, re-running kip install will re-register it.

Custom console domain

Replace the auto-generated console URL with your own domain:

bash
kip cluster domain skipper.example.com

This command handles everything in one step:

  • Console Ingress: adds the custom hostname with TLS
  • Console API Ingress: adds both api.{domain} and console-api-{domain-dashed}.kipper.run
  • Dex: updates the issuer URL, Ingress, and redirect URIs
  • Gateway: registers a clean kipper.run subdomain (e.g. skipper-example-com.kipper.run)
  • console-api: updates CLUSTER_DOMAIN, CONSOLE_DOMAIN, and DEX_ISSUER

After running this command, all Skipper URLs use the clean subdomain derived from your custom domain instead of the raw server hostname.

See Configuration: Custom console domain for more details.

Custom app domains

Apps can use custom domains instead of kipper.run subdomains. Set a route with a custom host in the web console's Route panel, or via the API.

With a custom domain, traffic goes directly to your server (bypassing the gateway) and cert-manager issues a Let's Encrypt certificate automatically.

TIP

Point your domain's A record to the server's IP before configuring it. cert-manager needs DNS to resolve to issue the TLS certificate.

SSL certificates

All SSL certificates are managed automatically:

  • kipper.run subdomains: wildcard certificate on the gateway, renewed by Caddy
  • Custom domains: per-domain certificate on the cluster, issued and renewed by cert-manager
  • No manual certificate management required

Released under the Apache 2.0 License.

Copyright © 2026 Labb Consulting