
Kubernetes

  • Version: 1.27 or newer. We test against 1.29 + 1.30.
  • Resources reserved for the control plane:
    • radar-hub (Go API + tunnel terminator): 100m CPU / 256Mi memory request, 1 CPU / 1Gi limit. Single replica is fine for hundreds of clusters.
    • radar-hub-web (nginx + web app bundle): 50m / 64Mi request.
    • Migration initContainer: shares the radar-hub image and runs to completion in the same Pod before the main hub container starts, so it doesn’t need its own resource budget.
  • Storage: the control plane is stateless; durable state lives in your Postgres. No PVC claims from the chart.
  • Ingress class: any (nginx, contour, traefik, gateway-api). Sample annotations in the install doc target nginx.

Postgres

The chart does NOT install Postgres. You must provide one of:
| Option | Best for |
| --- | --- |
| Managed Postgres (RDS, Cloud SQL, Azure Flexible Server) | Production. Zero ops impact on your cluster. |
| CloudNativePG Cluster in the same / nearby namespace | If you already operate CNPG. Chart reads its connection Secret directly. |
| Crunchy / Zalando operator | Same shape as CNPG - point at the operator-generated Secret. |
| Hand-rolled postgres:17 Pod or external VM | Evaluation only. Not recommended past pilot. |

  • Version: Postgres 14 or newer. We test against 16 + 17.
  • Sizing: the control plane’s working set is tiny - a few thousand rows for clusters + members + audit. 1 vCPU / 2Gi RAM is plenty for hundreds of customer clusters; the bottleneck is audit-log retention, sized at RADAR_HUB_AUDIT_RETENTION_DAYS * average events/day.
  • Connection string: any standard postgres://user:pass@host:5432/db?sslmode=require URL. We recommend sslmode=require or stricter for managed databases.

Network

The control plane needs:
  • Inbound: browsers (your team) and customer in-cluster Radars reach <hub.publicURL> over HTTPS.
  • Outbound:
    • api.radarhq.io for the license heartbeat (on by default; disable via chart values if outbound HTTPS is forbidden).
    • Your IdP discovery endpoint for OIDC.
    • ghcr.io (or your private mirror) for image pulls.
The control plane does NOT need to reach customer clusters - the in-cluster Radar always initiates the WebSocket tunnel outbound.

Browser

  • Same matrix as the hosted Cloud: latest Chrome / Edge / Firefox / Safari. No IE.

DNS + TLS

  • One DNS record (e.g. radar.acme.example) pointing at your Ingress. This URL must be set as hub.publicURL in the Helm values - the control plane fails fast at boot if it’s not configured. Used for sign-in redirects, agent tunnel registration, OAuth-MCP resource publishing, and any other canonical-URL surface.
  • A TLS cert via cert-manager / your existing wildcard / a manually-provisioned Secret. The chart’s Ingress template accepts a pre-provisioned tls.secretName and is unopinionated about the cert source.

Auth provider (one of)

  • OIDC IdP with client credentials registered for <hub.publicURL>/api/auth/oidc/callback as a redirect URI. Tested against Okta, Auth0, Google Workspace, Azure AD.
  • Break-glass admin only, for evaluation pilots; configurable via env vars. The break-glass admin remains a permanent escape hatch even when OIDC is enabled.
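
A pre-install check for two of the values above, the Postgres connection string and hub.publicURL, added here as an example (it is not part of the chart or of Radar). The function names are hypothetical, the sample URLs are constructed, and rejecting a query or fragment on hub.publicURL is an assumption of this example.

```python
from urllib.parse import parse_qs, urlsplit

# libpq sslmode values, weakest to strictest.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]
OIDC_CALLBACK_PATH = "/api/auth/oidc/callback"  # path given on this page


def check_postgres_url(url):
    """Return a list of problems found in a postgres:// connection string."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme not in ("postgres", "postgresql"):
        problems.append(f"unexpected scheme {parts.scheme!r}")
    if not parts.hostname:
        problems.append("no host in URL")
    if not parts.path.strip("/"):
        problems.append("no database name in URL")
    modes = parse_qs(parts.query).get("sslmode", [])
    # A missing sslmode is flagged: the effective default depends on the
    # client driver (libpq's is "prefer"), so it should be stated explicitly.
    if len(modes) != 1:
        problems.append("sslmode must be set exactly once")
    elif modes[0] not in SSLMODES:
        problems.append(f"unknown sslmode {modes[0]!r}")
    elif SSLMODES.index(modes[0]) < SSLMODES.index("require"):
        problems.append(f"sslmode={modes[0]} is weaker than require")
    return problems


def oidc_redirect_uri(public_url):
    """Derive the redirect URI to register at the IdP from hub.publicURL."""
    parts = urlsplit(public_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("hub.publicURL must be an https:// URL with a host")
    if parts.query or parts.fragment:  # assumption of this example
        raise ValueError("hub.publicURL must not carry a query or fragment")
    # IdPs generally compare redirect URIs as exact strings, so drop a
    # trailing slash before appending the callback path.
    return public_url.rstrip("/") + OIDC_CALLBACK_PATH


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for url in (
        "postgres://radar:s3cret@db.acme.example:5432/radar?sslmode=require",
        "postgres://radar:s3cret@db.acme.example:5432/radar?sslmode=prefer",
    ):
        print(check_postgres_url(url) or "ok")
    print(oidc_redirect_uri("https://radar.acme.example/"))
```

The problem messages never echo the connection string, so the output can be pasted into a ticket without leaking the database password.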

License

A signed JWT issued by Skyhook. We mint one at deal close and rotate per the renewal schedule in your contract. Without a license the control plane still boots but renders a warn-only banner; see Licensing.