# Self-Hosted Neurelo Gateways

## Introduction

This guide shows you how to install the Neurelo Gateway within your existing network and compute infrastructure. If you are new to Neurelo, we recommend following the [getting started guides](/getting-started.md) for an introduction to the Neurelo platform and core concepts.

## Requirements

### 1. Neurelo Enterprise Subscription

Self-hosting a Neurelo Gateway is currently an enterprise-only feature, so before proceeding please ensure that your organization’s subscription tier is up to date. New customers wishing to self-host Neurelo should contact us for details.

### 2. Create a “Gateway” and generate client credentials for the Gateway

Neurelo’s Gateways use the client-registration pattern to keep the installation and maintenance of Neurelo Gateways simple for cluster administrators. This means that only two fields, an “id” and a “secret”, are necessary to configure a Neurelo Gateway.

The values for the Gateway client id & secret fields can be generated from the Neurelo Dashboard via the following process:

* Navigate to the "Gateways" option by clicking the Org Selector at the bottom left of your dashboard

<figure><img src="/files/SLLfmdeqZETNJNqbvTzh" alt="" width="526"><figcaption></figcaption></figure>

* Register a new Gateway

<figure><img src="/files/SjtYOvZIG8lFTx2F49C7" alt="" width="563"><figcaption></figcaption></figure>

* Complete the “Create Gateway” form. The Gateway Domain should be the domain on which you would like your Neurelo Gateway to listen for HTTPS API requests.

<figure><img src="/files/T68u6U9BbG0m0miGw15L" alt="" width="563"><figcaption></figcaption></figure>

### 3. Helm - Cluster Dependencies (Cert Manager)

The Neurelo Gateway Kubernetes Operator uses webhooks to inject implicit default values during mutations on Runner Custom Resource Definitions. The webhook protocol is HTTPS and Neurelo depends on Cert Manager to issue self-signed certificates. A default cert-manager installation in the `cert-manager` namespace is sufficient.

The default one-line installation, copied from the official [cert-manager documentation](https://cert-manager.io/docs/installation/kubectl/#1-install-from-the-cert-manager-release-manifest), satisfies this requirement.

```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.2/cert-manager.yaml
```

## Recommended installation steps (TAR archives)

For self-hosted deployments, Neurelo maintains its Helm charts as TAR archives, which are downloaded from the Neurelo UI. This section explains the Neurelo TAR archives and how to use them. Neurelo Helm charts are not currently distributed through a chart repository or chart museum.

1. Download the chart from the Neurelo UI

<figure><img src="/files/X5pjfDAJ0k3SMJWYNu00" alt="" width="563"><figcaption></figcaption></figure>

2. Extract the `values.yaml` file from the archive for modification

```bash
tar -xOf ./neurelo-0.1.0.tgz neurelo/values.yaml > values.yaml
```

3. Using your text editor of choice, edit the `values.yaml` and replace the `client.id` and `client.secret` properties with your Gateway’s [client credentials](#id-2.-create-a-gateway-and-generate-client-credentials-for-the-gateway)

```yaml
# Default values for neurelo.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# Client ID and Secret provided by the Neurelo control plane 
# during Gateway registration 
config:
  controlPlane:
    oidc:
      client:
        id: "<configure me>"
        secret: "<configure me>"

# Overrides the default image versions of managed applications
versions:
  dispatcher: "d8e3e7c"
  authn: "60d47a6"
  registry: "ea33202"
```

4. Install the Neurelo Gateway Helm chart into your desired namespace (`neurelo` in the example below)

```bash
helm install test ./neurelo-0.1.0.tgz -f ./values.yaml --namespace neurelo --create-namespace
```

## Troubleshooting

`INSTALLATION FAILED: Internal error occurred: failed calling webhook "webhook.cert-manager.io": failed to call webhook` during Helm installation

This error occurs because the self-signed certificate needed by the Neurelo Gateway's Custom Resource operator could not be requested. Typically this suggests that the Cert Manager dependency is not installed or is not accessible to the Neurelo Gateway.

If Cert Manager is not installed, please follow [these](#id-3.-helm-cluster-dependencies-cert-manager) instructions for installing an un-opinionated, default instance in your cluster.

If Cert Manager is installed in the `cert-manager` namespace, please check the RBAC policy that Cert Manager is deployed with to ensure that self-signed, cluster-internal certificates can be requested from within the namespace into which you are deploying your Neurelo Gateway.

If you still experience issues, please contact [`support@neurelo.com`](mailto:support@neurelo.com) with your Cert Manager installation details.
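The following pre-flight script is an added example, not part of the Neurelo chart or tooling. It checks the two things the installation steps and the troubleshooting section above depend on: that `client.id` and `client.secret` in `values.yaml` have been set and the file (which holds the secret in plaintext) is readable only by its owner, and that the cert-manager deployments are Available. It assumes the `values.yaml` layout shown above and the deployment names of a default cert-manager install; `KUBECTL`, `client_field`, `check_values` and `check_cert_manager` are names introduced for this example.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before `helm install`; not Neurelo's own tooling.
# Assumes values.yaml keeps the layout shown above and cert-manager is the default
# install (cert-manager, cert-manager-cainjector, cert-manager-webhook deployments).
KUBECTL="${KUBECTL:-kubectl}"   # hypothetical override so a stub can stand in

# Print config.controlPlane.oidc.client.<key>, where <key> is "id" or "secret".
client_field() {
  awk -v key="$2" '
    /^[ \t]*client:[ \t]*$/ { in_client = 1; next }
    in_client && /^[^ \t#]/  { in_client = 0 }      # next top-level key ends the block
    in_client && $1 == key ":" {
      sub(/^[^:]*:[ \t]*/, ""); gsub(/^"|"[ \t]*$/, ""); print; exit
    }' "$1"
}

# Succeed only if both credentials are set and the file is private to its owner.
check_values() {
  cv_rc=0
  for cv_key in id secret; do
    cv_val="$(client_field "$1" "$cv_key")"
    if [ -z "$cv_val" ] || [ "$cv_val" = "<configure me>" ]; then
      echo "FAIL: client.$cv_key is not configured in $1" >&2; cv_rc=1
    fi
  done
  # The file holds the Gateway client secret in plaintext: no group/other access.
  if [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $1 is accessible to group/other (chmod 600 $1)" >&2; cv_rc=1
  fi
  return "$cv_rc"
}

# Succeed only if every cert-manager deployment reports the Available condition.
check_cert_manager() {
  cm_rc=0
  for cm_dep in cert-manager cert-manager-cainjector cert-manager-webhook; do
    "$KUBECTL" wait --for=condition=Available "deployment/$cm_dep" \
      --namespace cert-manager --timeout=60s >/dev/null 2>&1 ||
      { echo "FAIL: deployment/$cm_dep is not Available" >&2; cm_rc=1; }
  done
  return "$cm_rc"
}

# Usage: ./preflight.sh ./values.yaml   (does nothing when run without arguments)
if [ "$#" -gt 0 ]; then
  check_values "$1" && check_cert_manager && echo "pre-flight OK"
fi
```

The script never prints the credential values themselves, only whether they are configured.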

