The chart’s values.yaml is the source of truth for every setting; this page mirrors it and adds the env var each value lands as inside the radar-hub container.

Required

| values.yaml | Env var | Notes |
| --- | --- | --- |
| hub.publicURL | RADAR_HUB_PUBLIC_URL, HUB_FRONTEND_URL, HUB_ALLOWED_ORIGINS | The single public URL for the web app + tunnel. No trailing slash. Required - the hub fails fast at boot if RADAR_HUB_PUBLIC_URL is empty in self-hosted mode. |
| hub.cookiePassword (or cookiePasswordExistingSecret) | HUB_COOKIE_PASSWORD | 32+ bytes. openssl rand -base64 48. |
| license.key (or license.existingSecret) | RADAR_HUB_LICENSE_KEY | Skyhook-issued JWT. |
| postgres.dsn / postgres.existingSecret / postgres.cnpg.cluster | HUB_DB_DSN | Exactly one source. |
| Auth: auth.breakGlass.email + password (or passwordHash) | RADAR_HUB_BOOTSTRAP_ADMIN_EMAIL, RADAR_HUB_BOOTSTRAP_ADMIN_PASSWORD, RADAR_HUB_BOOTSTRAP_ADMIN_PASSWORD_HASH | Always-available bootstrap. Permanent, not a stopgap. |

Why are the value keys still under hub.* and the env vars HUB_* / RADAR_HUB_*? radar-hub is the actual Go binary’s name - these are real identifiers, not user-facing prose. The chart key hub.publicURL configures the running radar-hub Pod; the binary reads it through RADAR_HUB_PUBLIC_URL, HUB_FRONTEND_URL, and HUB_ALLOWED_ORIGINS for the separate canonical-origin, redirect, and CORS checks. Renaming would break existing dotfiles and runbooks.

Branding

Surfaced by GET /api/config and rendered by the web app’s TopBar / help menu / Tokens wizard.

| values.yaml | Env var | Default |
| --- | --- | --- |
| branding.brandName | RADAR_HUB_BRAND_NAME | Radar |
| branding.docsURL | RADAR_HUB_BRAND_DOCS_URL | https://radarhq.io/docs |
| branding.supportEmail | RADAR_HUB_BRAND_SUPPORT_EMAIL | support@radarhq.io |
| branding.feedbackEmail | RADAR_HUB_BRAND_FEEDBACK_EMAIL | feedback@radarhq.io |

brandName controls the wordmark in the web app’s sidebar. Override to your own company name to white-label the deployment surface. The “Powered by Radar” footer remains visible per EULA terms.

Audit retention

| values.yaml | Env var | Default |
| --- | --- | --- |
| hub.auditRetentionDays | RADAR_HUB_AUDIT_RETENTION_DAYS | 365 |

Self-hosted ignores plan-tiered retention (Cloud’s Free 7d / Team 30d / Enterprise 365d) and uses this single value. Backed by query-time filtering only - rows are not actively swept.

OIDC

Set together; partial config is a fatal misconfiguration at boot.

| values.yaml | Env var |
| --- | --- |
| auth.oidc.issuer | RADAR_HUB_OIDC_ISSUER |
| auth.oidc.clientID | RADAR_HUB_OIDC_CLIENT_ID |
| auth.oidc.clientSecret | RADAR_HUB_OIDC_CLIENT_SECRET |
| auth.oidc.callbackURL | RADAR_HUB_OIDC_CALLBACK_URL (auto-derives from hub.publicURL + /api/auth/oidc/callback when empty; override only for split-origin Ingress setups) |
| auth.oidc.groupClaim | RADAR_HUB_OIDC_GROUP_CLAIM (default groups; the chart sets this even when adminGroups is empty, in which case role mapping is a no-op and everyone gets defaultRole) |
| auth.oidc.adminGroups (list) | RADAR_HUB_OIDC_ADMIN_GROUPS (CSV) |
| auth.oidc.defaultRole | RADAR_HUB_OIDC_DEFAULT_ROLE (one of owner / member / viewer; default member) |

See Authentication for IdP-specific recipes.

Singleton org name

| values.yaml | Env var | Default |
| --- | --- | --- |
| hub.orgName | RADAR_HUB_ORG_NAME | Default |

Used only for the very first login (when the singleton is seeded). Renaming the org later happens through the web app’s Settings → Organization page; this value is not re-applied on subsequent boots.

Mode flag

The chart hardcodes RADAR_HUB_MODE=self_hosted in the radar-hub Deployment - you don’t set it directly. The mode controls every Cloud-vs-self-hosted seam (single-org gate, billing impl, audit retention source, /api/config response shape).

Version + cluster domain

| values.yaml | Env var | Default |
| --- | --- | --- |
| (auto - from Chart.AppVersion, override via image.hub.tag) | RADAR_HUB_VERSION | the chart’s appVersion |
| clusterDomain | (used by chart template only) | cluster.local |

RADAR_HUB_VERSION is what /api/config reports as version.current and what the help menu surfaces in the web app. Override only if you need a custom build identifier.

clusterDomain is the in-cluster DNS suffix the chart uses to build HUB_UPSTREAM for the web container’s nginx (<svc>.<ns>.svc.<clusterDomain>). The default works for every standard Kubernetes cluster; override if your cluster uses a non-default domain (some kubeadm setups or multi-cluster meshes do).

Resource sizing

hub:
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      cpu: 1
      memory: 1Gi
  replicas: 1
Single replica is correct for the operational load — the tunnel session registry is in-memory, so a second replica without a sticky-routing layer would split tunnels across pods. The control plane is intentionally single-instance; if you outgrow it, talk to us.

Image overrides

The chart defaults to ghcr.io/skyhook-dev/radar-hub:<appVersion> and radar-hub-web:<appVersion>. To pin or repoint at a private mirror:
image:
  hub:
    repository: my-mirror.example/skyhook/radar-hub
    tag: 0.2.1
  web:
    repository: my-mirror.example/skyhook/radar-hub-web
    tag: 0.2.1
imagePullSecrets:
  - name: my-mirror-pull-secret

Ingress

ingress:
  enabled: true
  className: nginx
  host: radar.acme.example
  tls:
    enabled: true
    secretName: radar-acme-tls
  annotations:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
The chart serves the web app + API + tunnel under a single host - the web container’s nginx reverse-proxies /api, /agent, /c/{id}/api/*, /c/{id}/mcp, and /mcp to the radar-hub Service via in-cluster DNS. Other /c/{id} paths are client-side routes served by the web app’s index.html fallback. Customers wanting api.acme.example + app.acme.example split origins should disable this Ingress and write their own.

Skipping the chart’s Secret

If your security model forbids any secret material in values.yaml, every credential supports an existingSecret ref:

| values key | existingSecret ref | Required Secret key |
| --- | --- | --- |
| hub.cookiePassword | hub.cookiePasswordExistingSecret | cookie-password |
| license.key | license.existingSecret | license |
| auth.oidc.clientSecret | auth.oidc.clientSecretExistingSecret | client-secret |
| auth.breakGlass.passwordHash | auth.breakGlass.passwordHashExistingSecret | password-hash |
| postgres.dsn | postgres.existingSecret | dsn |
| (CNPG) | postgres.cnpg.secretName | uri (CNPG default) |
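
A pre-flight check for the rules stated in the Required, OIDC and existingSecret tables on this page, written here as an added example rather than taken from the chart or the radar-hub binary. It assumes values.yaml is already parsed into a dict and that issuer, clientID and a client secret form the OIDC all-or-nothing set; the sample hosts and Secret names are constructed.

```python
ROLES = {"owner", "member", "viewer"}
BG, O = "auth.breakGlass.", "auth.oidc."

def get(values, dotted):  # resolve 'a.b.c'; missing or empty values become None
    node = values
    for part in dotted.split("."):
        node = node.get(part) if isinstance(node, dict) else None
    return node or None

def present(values, *keys):
    return [k for k in keys if get(values, k)]  # dotted keys with a non-empty value

def lint(values):
    errs = []
    url = get(values, "hub.publicURL")
    if not url or str(url).endswith("/"):
        errs.append("hub.publicURL: required, with no trailing slash")
    pw = get(values, "hub.cookiePassword")
    if pw and len(str(pw).encode()) < 32:
        errs.append("hub.cookiePassword: needs 32+ bytes")
    elif not pw and not get(values, "hub.cookiePasswordExistingSecret"):
        errs.append("hub.cookiePassword: required (or cookiePasswordExistingSecret)")
    if not present(values, "license.key", "license.existingSecret"):
        errs.append("license: key or existingSecret required")
    db = present(values, "postgres.dsn", "postgres.existingSecret", "postgres.cnpg.cluster")
    if len(db) != 1:
        errs.append(f"postgres: exactly one source allowed, found {len(db)}")
    if not get(values, BG + "email") or not present(
            values, BG + "password", BG + "passwordHash", BG + "passwordHashExistingSecret"):
        errs.append("auth.breakGlass: email plus password or passwordHash required")
    # Assumption: issuer, clientID and a client secret are the all-or-nothing OIDC set.
    core = [present(values, O + "issuer"), present(values, O + "clientID"),
            present(values, O + "clientSecret", O + "clientSecretExistingSecret")]
    if any(core) and not all(core):
        errs.append("auth.oidc: partial config")
    role = get(values, O + "defaultRole")
    if role and role not in ROLES:
        errs.append(f"auth.oidc.defaultRole: {role!r} is not owner/member/viewer")
    return errs

# Constructed sample values (hypothetical hosts and Secret names), not a real deployment.
SAMPLE = {
    "hub": {"publicURL": "https://radar.acme.example/", "cookiePassword": "too-short"},
    "license": {"existingSecret": "radar-license"},
    "postgres": {"dsn": "postgres://constructed", "existingSecret": "radar-db"},
    "auth": {"breakGlass": {"email": "admin@acme.example", "passwordHash": "constructed"},
             "oidc": {"issuer": "https://idp.acme.example", "defaultRole": "admin"}},
}
print(*lint(SAMPLE), sep="\n")
```

Running it in CI before helm upgrade catches the same mistakes the hub would otherwise reject at boot, without a failed rollout.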