Hexr supports fully air-gapped deployment for classified environments, FedRAMP HIGH workloads, and any infrastructure that must operate without outbound internet access. All platform components run from images pre-loaded into your private registry. This page covers the four-step process: downloading the bundle, transferring it, loading images, and installing via Helm.
Prerequisites
| Requirement | Description |
|---|---|
| Private container registry | Harbor, Nexus, or similar |
| Private Helm repository | ChartMuseum or OCI-compatible registry |
| Kubernetes cluster | No internet access required after setup |
| PostgreSQL | Internal database server |
| Image bundle | Downloaded from Hexr on a connected machine |
Step 1: Download the image bundle
Run this on an internet-connected machine before transfer:
```bash
# Download all Hexr images
hexr bundle download --version 0.8.0 --output hexr-bundle.tar.gz
```
The bundle includes:
- auto-registrar:v0.2.2
- cred-injector:v0.4.2
- hexr-vault:v0.1.1
- hexr-gateway:v0.4.1
- hexr-dashboard:v0.3.11
- hexr-sandbox:v0.2.1
- a2a-sidecar:v0.1.1
- enterprise-pid-mapper:latest
- cloud-api:v0.8.0
- envoy:v1.28
- valkey:8
- otel-collector:latest
- spire-server + spire-agent
Step 2: Transfer to the air-gapped network
Transfer hexr-bundle.tar.gz via your approved media transfer process (USB drive, DVD, or cross-domain solution).
Step 3: Load images into your private registry
Using the Hexr CLI
```bash
hexr bundle push --file hexr-bundle.tar.gz \
  --registry registry.internal.example.com/hexr
```
Manually with Docker
```bash
docker load < hexr-bundle.tar.gz
docker tag hexr-auto-registrar:v0.2.2 registry.internal/hexr/auto-registrar:v0.2.2
docker push registry.internal/hexr/auto-registrar:v0.2.2
# Repeat for each image in the bundle
```
Step 4: Install via Helm
Create an air-gapped values file that points to your private registry and disables OIDC:
```yaml
# values-airgapped.yaml
global:
  registry: registry.internal.example.com/hexr
  trustDomain: classified.internal
spire:
  oidc:
    enabled: false # No external cloud federation in air-gapped mode
```
Then install:
```bash
helm install hexr-runtime ./hexr-runtime \
  -n hexr-system \
  -f values-airgapped.yaml \
  --timeout 10m
```
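A pre-install check for Step 4, added here as an example and not part of Hexr's tooling: it lists every image reference in the rendered chart that does not resolve to the private registry, since such a pod cannot pull its image on a network without outbound access. The function names and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Hexr tooling. The manifest below is constructed sample data.

# Print each unique image reference found in Kubernetes YAML read from stdin.
extract_images() {
  # Keep the value of "image:" keys, then drop trailing comments, trailing
  # whitespace, quotes and empty values.
  sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' |
    sed -e 's/[[:space:]][[:space:]]*#.*$//' -e 's/[[:space:]]*$//' |
    tr -d "\"'" | sed '/^$/d' | LC_ALL=C sort -u
}

# Print references that are not under REGISTRY (argument 1); return 1 if any.
# Matching on "REGISTRY/" rejects look-alike paths such as ".../hexr-mirror".
external_images() {
  registry="${1%/}"
  found=$(extract_images | while IFS= read -r img; do
    case "$img" in
      "$registry"/*) ;;
      *) printf '%s\n' "$img" ;;
    esac
  done)
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# Constructed stand-in for `helm template` output.
sample_manifest() {
  cat <<'EOF'
kind: Deployment
spec:
  containers:
    - name: gateway
      image: registry.internal.example.com/hexr/hexr-gateway:v0.4.1
      imagePullPolicy: IfNotPresent
    - name: envoy
      image: "registry.internal.example.com/hexr/envoy:v1.28"
    - name: otel
      image: public.example.org/otel-collector:latest  # constructed offender
    - image: registry.internal.example.com/hexr-mirror/valkey:8
EOF
}

# Real use, with the chart and values file from Step 4:
#   helm template hexr-runtime ./hexr-runtime -n hexr-system \
#     -f values-airgapped.yaml | external_images registry.internal.example.com/hexr
sample_manifest | external_images registry.internal.example.com/hexr ||
  echo "image references above would not pull from the private registry" >&2
```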
Behavior differences in air-gapped mode
| Feature | Air-gapped behavior |
|---|---|
| Cloud credential exchange | Disabled (no external STS endpoint) |
| OIDC discovery | Disabled (no public endpoint) |
| Tool calls | Internal APIs only |
| LLM providers | Self-hosted models (Ollama, vLLM) |
| Dashboard | Internal hostname only |
| Telemetry | Internal Prometheus and Grafana |
Cloud credential exchange (AWS STS, GCP Workload Identity, Azure AD) requires outbound connectivity to cloud provider endpoints. In air-gapped environments, you can still use hexr.vault for internal secrets and self-hosted LLM providers for inference.