radar-hub Go service + radar-hub-web nginx + web app + Postgres) running inside your own infrastructure. The cluster-side Radar binary is unchanged - the only thing that moves on-prem is the team / tenancy / tunnel-orchestration layer.
When to choose self-hosted
Pick self-hosted when:- Cluster metadata cannot leave your VPC for compliance reasons (regulated industries, customer-data-handling clusters, government).
- Your security team requires every dependency in the auth + observability path to be inside your perimeter.
- You already operate Postgres and a Helm-managed application stack and would rather add a service than buy a SaaS.
app.radarhq.io when:
- Speed-of-onboarding matters more than the deployment-shape concession.
- You don’t want to operate a Postgres + control-plane upgrade cadence.
- Your fleet is small enough that the free tier covers it.
What ships in this section
Requirements
Kubernetes versions, Postgres versions, resource ask, network egress.
Install
Helm walkthrough, BYO Postgres / CloudNativePG variants, license setup.
Configuration reference
Full
values.yaml reference and the RADAR_HUB_* env-var matrix.Authentication
OIDC (Okta / Auth0 / Google / Azure AD) and the always-available break-glass admin.
Licensing
What gets sent home, the warn-only banner ladder, key rotation.
Upgrades
Helm upgrade flow, migration safety, version-skew policy.
Backups
pg_dump recipe, restore drill, what’s recoverable from K8s state alone.Troubleshooting
License-not-renewing, db-migration-failed, log collection.
Architecture
Component diagram, data flow, trust boundaries.
What’s the same as Cloud
Everything except the deployment shape:- The Radar binary you install in each customer cluster is unchanged - same Helm chart (
skyhook-io/radar), samecloud.url/cloud.tokenconfig. - The tunnel protocol (yamux over WebSocket) is unchanged.
- The web app UX is unchanged. Multi-org create + the Billing tab are hidden via
/api/config- everything else looks identical. - Personal access tokens (
rhp_*) work identically for MCP and CLI.
What’s different
| Cloud | Self-hosted | |
|---|---|---|
| Hosting | app.radarhq.io (Skyhook) | Your cluster |
| Auth | WorkOS AuthKit | OIDC + always-available break-glass admin |
| Orgs | Multi-tenant | Single org per deployment |
| Billing | Stripe per cluster | Annual license; cluster count reported, not metered |
| Support | Public docs + support@radarhq.io | Per-contract; license heartbeat carries support metadata |
| Updates | Skyhook deploys; you see it | You run helm upgrade |