Hexr supports fully air-gapped deployment for classified environments, FedRAMP High workloads, and any infrastructure that must operate without outbound internet access. Every platform component runs from an image pre-loaded into your private registry; nothing is pulled from the public internet at install or run time. This page covers the four-step process: downloading the bundle, transferring it, loading images into the registry, and installing via Helm.

Prerequisites

| Requirement | Description |
| --- | --- |
| Private container registry | Harbor, Nexus, or similar |
| Private Helm repository | ChartMuseum or OCI-compatible registry |
| Kubernetes cluster | No internet access required after setup |
| PostgreSQL | Internal database server |
| Image bundle | Downloaded from Hexr on a connected machine |

Step 1: Download the image bundle

Run this on an internet-connected machine before transfer:
# Download all Hexr images
hexr bundle download --version 0.8.0 --output hexr-bundle.tar.gz
The bundle includes:
auto-registrar:v0.2.2
cred-injector:v0.4.2
hexr-vault:v0.1.1
hexr-gateway:v0.4.1
hexr-dashboard:v0.3.11
hexr-sandbox:v0.2.1
a2a-sidecar:v0.1.1
enterprise-pid-mapper:latest
cloud-api:v0.8.0
envoy:v1.28
valkey:8
otel-collector:latest
spire-server + spire-agent
Note that enterprise-pid-mapper and otel-collector ship under the floating latest tag. The tag alone does not identify the build you received, so record the digests your registry reports for those images after Step 3; that is what an auditor or a rebuild of the environment will need.

Step 2: Transfer to the air-gapped network

Transfer hexr-bundle.tar.gz via your approved media transfer process (USB drive, DVD, or cross-domain solution). Record a checksum of the archive on the connected machine and verify it on the air-gapped side before loading anything, so a corrupted or substituted bundle is caught before it reaches your registry.

Step 3: Load images into your private registry

hexr bundle push --file hexr-bundle.tar.gz \
  --registry registry.internal.example.com/hexr

Step 4: Install via Helm

Create an air-gapped values file that points every image at your private registry and disables the SPIRE OIDC discovery provider, since there is no external identity provider or cloud STS endpoint to federate with. The install command below uses a local copy of the hexr-runtime chart (./hexr-runtime), so transfer the chart with the bundle or serve it from your private Helm repository:
# values-airgapped.yaml
global:
  registry: registry.internal.example.com/hexr
  trustDomain: classified.internal

spire:
  oidc:
    enabled: false  # No external cloud federation in air-gapped mode
Then install:
helm install hexr-runtime ./hexr-runtime \
  -n hexr-system \
  -f values-airgapped.yaml \
  --timeout 10m
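The four steps above, wrapped with the two checks a deployer wants before the install is allowed to proceed: that the transferred bundle matches the checksum taken on the connected side, and that every image in the rendered chart comes from the private registry (floating tags are reported so their digests can be recorded). This is an added example, not part of the Hexr CLI or chart. It assumes the chart directory and values file from this page are in the working directory, that the chart renders image references into ordinary image: fields, and that the registry path is the one used in Step 3; the two manifests embedded in the script are constructed samples of what helm template might render, not real Hexr output.

```shell
#!/usr/bin/env bash
# Added example (not Hexr's own tooling). Assumed layout: ./hexr-runtime chart,
# values-airgapped.yaml, and the private registry path from Step 3.

REGISTRY="registry.internal.example.com/hexr"

# Connected side (Step 1): download the bundle and record its SHA-256.
# Transfer both files; the .sha256 ideally travels by a separate channel.
bundle_download() {
  hexr bundle download --version 0.8.0 --output hexr-bundle.tar.gz || return 1
  sha256sum hexr-bundle.tar.gz > hexr-bundle.tar.gz.sha256
}

# extract_images: read a rendered manifest on stdin, print one image ref per line.
# Handles both "image: x" and "- image: x", with or without double quotes.
extract_images() {
  awk '
    $1 == "image:"              { ref = $2 }
    $1 == "-" && $2 == "image:" { ref = $3 }
    ref != ""                   { gsub(/"/, "", ref); print ref; ref = "" }
  '
}

# check_registry REGISTRY: stdin = manifest. Prints every image that is not
# under REGISTRY; exit status 1 if any were found, 0 otherwise.
check_registry() {
  extract_images | (
    bad=0
    while IFS= read -r ref; do
      case "$ref" in
        "$1"/*) ;;
        *) echo "not in $1: $ref"; bad=1 ;;
      esac
    done
    exit "$bad"
  )
}

# floating_tags: stdin = manifest. Prints image refs that are not pinned:
# tag ":latest" or no tag at all (which Kubernetes treats as ":latest").
# Digest references (...@sha256:...) and explicit version tags pass.
floating_tags() {
  extract_images | while IFS= read -r ref; do
    last="${ref##*/}"        # last path component carries the tag or digest
    case "$last" in
      *@sha256:*) ;;
      *:latest)   echo "$ref" ;;
      *:*)        ;;
      *)          echo "$ref" ;;
    esac
  done
}

# Air-gapped side (Steps 2-4). Not run by this script; needs the hexr CLI,
# helm, and the cluster. Stops before install if either check fails.
airgap_install() {
  sha256sum -c hexr-bundle.tar.gz.sha256 || return 1
  hexr bundle push --file hexr-bundle.tar.gz --registry "$REGISTRY" || return 1
  helm template hexr-runtime ./hexr-runtime -n hexr-system -f values-airgapped.yaml \
    > rendered.yaml || return 1
  check_registry "$REGISTRY" < rendered.yaml || return 1
  floating_tags < rendered.yaml   # informational: record digests for these
  helm install hexr-runtime ./hexr-runtime -n hexr-system -f values-airgapped.yaml --timeout 10m
}

# Constructed sample of a rendered chart (not real Hexr output): every image
# comes from the private registry with an explicit tag.
GOOD_MANIFEST=$(cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hexr-gateway
spec:
  template:
    spec:
      initContainers:
        - name: wait-valkey
          image: registry.internal.example.com/hexr/valkey:8
      containers:
        - name: gateway
          image: "registry.internal.example.com/hexr/hexr-gateway:v0.4.1"
        - name: envoy
          image: registry.internal.example.com/hexr/envoy:v1.28
EOF
)

# Constructed failing sample: one public image (would sit in ImagePullBackOff
# inside the air gap), two unpinned refs, and one digest-pinned ref (fake digest).
BAD_MANIFEST=$(cat <<'EOF'
containers:
  - image: docker.io/valkey/valkey:8
  - name: mapper
    image: registry.internal.example.com/hexr/enterprise-pid-mapper:latest
  - name: spire-server
    image: "registry.internal.example.com/hexr/spire-server"
  - name: otel
    image: registry.internal.example.com/hexr/otel-collector@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
EOF
)

# Offline demo on the constructed samples.
report() {   # report LABEL MANIFEST
  if printf '%s\n' "$2" | check_registry "$REGISTRY"; then
    echo "$1: registry check passed"
  else
    echo "$1: refusing to install"
  fi
  printf '%s\n' "$2" | floating_tags | sed "s/^/$1: floating tag: /"
}
report good "$GOOD_MANIFEST"
report bad  "$BAD_MANIFEST"
```

The registry check is the gate: a single public reference means the install will hang on an image pull that can never succeed, so it is better to refuse before helm install runs. Floating tags are only reported, because the bundle on this page itself ships two of them; the output is the list whose digests you record from your registry after Step 3.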

Behavior differences in air-gapped mode

| Feature | Air-gapped behavior |
| --- | --- |
| Cloud credential exchange | Disabled (no external STS endpoint) |
| OIDC discovery | Disabled (no public endpoint) |
| Tool calls | Internal APIs only |
| LLM providers | Self-hosted models (Ollama, vLLM) |
| Dashboard | Internal hostname only |
| Telemetry | Internal Prometheus and Grafana |
Cloud credential exchange (AWS STS, GCP Workload Identity, Azure AD) requires outbound connectivity to the cloud provider's endpoints, so it is disabled in air-gapped mode. You can still use hexr.vault for internal secrets and self-hosted LLM providers for inference.