The self-hosted Hexr runtime gives you the full platform — SPIRE identity, Vault secrets, the Credential Injector, Gateway, and the observability stack — running entirely within your own Kubernetes cluster. Your agent code stays identical to the Hexr Cloud version; only the deployment target changes. This guide walks through the prerequisites, Helm configuration, and verification steps to get your cluster ready.

Prerequisites

| Requirement | Minimum |
|---|---|
| Kubernetes | 1.28+ |
| Helm | 3.12+ |
| kubectl | Configured with cluster access |
| PostgreSQL | 14+ (external or in-cluster) |
| Nodes | 3 nodes, 4 vCPU / 16 GB RAM each |

Step 1: Add the Helm repository

helm repo add hexr https://charts.hexr.dev
helm repo update

Step 2: Create namespaces

kubectl create namespace hexr-system
kubectl create namespace spire

Step 3: Configure values

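Create a values.yaml file with your environment-specific settings. The hexr-vault.vault.postgres.url value embeds the database password, so treat the file as a secret and keep it out of version control: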
global:
  trustDomain: your-company.internal
  registry: your-registry.example.com/hexr

spire:
  server:
    trustDomain: your-company.internal
  agent:
    socketPath: /run/spire/sockets/agent.sock

attestor:
  database:
    postgres:
      external:
        host: your-postgres.example.com
        port: 5432
        database: hexr_attestor
        user: hexr

hexr-vault:
  vault:
    postgres:
      url: postgresql://hexr:PASSWORD@your-postgres.example.com:5432/hexr_vault

credentialInjector:
  aws:
    roleArn: arn:aws:iam::123456789:role/hexr-agent-role
  gcp:
    workloadIdentityProvider: projects/123/locations/global/workloadIdentityPools/hexr/providers/spire

dashboard:
  ingress:
    enabled: true
    host: dashboard.your-company.com

Step 4: Install

helm install hexr-runtime hexr/hexr-runtime \
  -n hexr-system \
  -f values.yaml \
  --set attestor.database.postgres.external.password="YOUR_DB_PASSWORD" \
  --timeout 10m

Step 5: Verify

Check that all pods are running in both namespaces:
kubectl get pods -n hexr-system
kubectl get pods -n spire
Expected output:
spire-server-0                    1/1     Running
spire-agent-xxxxx                 1/1     Running  (one per node)
auto-registrar-xxxxx              1/1     Running
cred-injector-xxxxx               1/1     Running
hexr-vault-xxxxx                  1/1     Running
hexr-gateway-xxxxx                1/1     Running
hexr-dashboard-xxxxx              1/1     Running
otel-collector-xxxxx              1/1     Running
valkey-0                          1/1     Running
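
The check above can be scripted so that a pod stuck in a non-ready state, a missing component, or a node without a ready spire-agent fails the rollout instead of being missed by eye. This is an added example, not part of the Hexr documentation; it assumes pod names begin with the component names shown in the expected output, and the sample pod names are constructed.

```shell
#!/bin/sh
# Added example; component names are taken from the expected output above.
EXPECTED="spire-server spire-agent auto-registrar cred-injector hexr-vault"
EXPECTED="$EXPECTED hexr-gateway hexr-dashboard otel-collector valkey"

# Constructed sample: `kubectl get pods --no-headers` from both namespaces.
sample_pods() {
cat <<'EOF'
spire-server-0             1/1   Running   0   5m
spire-agent-4kq2x          1/1   Running   0   5m
spire-agent-9ztlm          1/1   Running   0   5m
spire-agent-hw7cp          1/1   Running   0   5m
auto-registrar-6c5d9-abcde 1/1   Running   0   5m
cred-injector-7f8b6-fghij  1/1   Running   0   5m
hexr-vault-5d4c3-klmno     1/1   Running   0   5m
hexr-gateway-8e7f6-pqrst   1/1   Running   0   5m
hexr-dashboard-9a8b7-uvwxy 1/1   Running   0   5m
otel-collector-3b2a1-zabcd 1/1   Running   0   5m
valkey-0                   1/1   Running   0   5m
EOF
}

# Usage: check_hexr_pods NODE_COUNT   (pod lines on stdin)
# Exit 0 only if every listed pod is Running and fully ready, every expected
# component is present, and ready spire-agent pods equal NODE_COUNT.
check_hexr_pods() {
  awk -v nodes="$1" -v list="$EXPECTED" '
    BEGIN { n = split(list, want, " ") }
    NF < 3 { next }
    {
      split($2, r, "/")
      healthy = ($3 == "Running" && r[1] == r[2] && r[2] > 0)
      if (!healthy) { printf "NOT READY: %s %s %s\n", $1, $2, $3; bad = 1 }
      for (i = 1; i <= n; i++)
        if (healthy && index($1, want[i] "-") == 1) ok[want[i]]++
    }
    END {
      for (i = 1; i <= n; i++)
        if (!ok[want[i]]) { printf "MISSING: %s\n", want[i]; bad = 1 }
      if (ok["spire-agent"] + 0 != nodes + 0) {
        printf "spire-agent ready on %d of %d nodes\n", ok["spire-agent"], nodes; bad = 1
      }
      exit (bad ? 1 : 0)
    }'
}

# Against a live cluster (standard kubectl flags):
#   { kubectl get pods -n hexr-system --no-headers
#     kubectl get pods -n spire --no-headers; } |
#     check_hexr_pods "$(kubectl get nodes --no-headers | wc -l)"
sample_pods | check_hexr_pods 3 && echo "all Hexr components ready"
```

The spire-agent count matters because the agent serves the Workload API on a node-local socket, so workloads scheduled on a node without a ready agent cannot obtain an identity.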

Step 6: Deploy your first agent

hexr build my_agent.py --tenant my-team --trust-domain your-company.internal
hexr push
hexr deploy

Next steps

Terraform setup

Provision infrastructure on AWS, GCP, or Azure with Terraform modules before installing Hexr.

Air-gapped deployment

Deploy Hexr in a fully disconnected environment with no internet access.