Question about air-gapped environment
Hi Windmill team 
,
I’m Kyuesung Oh from LG CNS Korea IT Service company. We need to deploy Windmill completely air-gapped (no outbound internet) inside a high-security manufacturing network. Could you clarify a few things?
1. Offline installation path
Is there an official doc or script for importing all required Docker images, Hub templates, and dependencies without docker pull from public registries?
If not, is exporting from an online environment with windmill hub sync --export → moving the tarballs → --import the recommended approach?
2. Domain allow-list (if partial egress is possible)
Do you publish a list of FQDNs/ports Windmill components must reach (licensing, Telemetry, templates, AI features, etc.)?
For EE features such as SMTP and AI Assist, are separate endpoints involved?
3. SSL / certificate chain for hub sync
We hit x509: certificate signed by unknown authority when pointing hub sync at our internal registry.
Is adding our corporate root CA to the Windmill runner’s /usr/local/share/ca-certificates sufficient, or are additional parameters (--insecure, custom CA flags) supported?
4. Product limits in air-gapped mode
Are any features (AI Assist, template marketplace, updates) disabled or require work-arounds when there’s zero egress?
Any guidance, doc links, or community success stories would be greatly appreciated. Thanks a lot!
,I’m Kyuesung Oh from LG CNS Korea IT Service company. We need to deploy Windmill completely air-gapped (no outbound internet) inside a high-security manufacturing network. Could you clarify a few things?
1. Offline installation path
Is there an official doc or script for importing all required Docker images, Hub templates, and dependencies without docker pull from public registries?
If not, is exporting from an online environment with windmill hub sync --export → moving the tarballs → --import the recommended approach?
2. Domain allow-list (if partial egress is possible)
Do you publish a list of FQDNs/ports Windmill components must reach (licensing, Telemetry, templates, AI features, etc.)?
For EE features such as SMTP and AI Assist, are separate endpoints involved?
3. SSL / certificate chain for hub sync
We hit x509: certificate signed by unknown authority when pointing hub sync at our internal registry.
Is adding our corporate root CA to the Windmill runner’s /usr/local/share/ca-certificates sufficient, or are additional parameters (--insecure, custom CA flags) supported?
4. Product limits in air-gapped mode
Are any features (AI Assist, template marketplace, updates) disabled or require work-arounds when there’s zero egress?
Any guidance, doc links, or community success stories would be greatly appreciated. Thanks a lot!
