Self-host Arcade with Helm
The Arcade Helm chart deploys the full Arcade platform onto a Kubernetes cluster you manage. It’s the bring-your-own-Kubernetes alternative to the cloud marketplaces: you control the cluster, the data, and the upgrade cadence.
What it deploys
The chart installs the complete platform — Engine, Coordinator, Worker, Dashboard, and Experience API — into a namespace on your cluster, along with the supporting controllers it needs.
Prerequisites
- Kubernetes 1.30 or later
- Helm 3.8 or later (for OCI chart support)
- PostgreSQL and Redis — bundled by the chart for proof-of-concept, or bring your own managed instances for production
- An OIDC identity provider
- An ingress controller or Gateway API implementation, TLS certificates, and a DNS hostname
Set up your identity provider
Arcade signs users in through your OpenID Connect (OIDC) identity provider. The provider authenticates dashboard users and backs the tokens that gateways validate, so set it up before you deploy.
- Register an application with your identity provider. Arcade works with Microsoft Entra ID, Okta, Auth0, or Keycloak, or any standards-compliant OIDC provider.
- Copy the application’s client ID, generate a client secret, and note the issuer URL. For Microsoft Entra ID, use the v2.0 issuer
https://login.microsoftonline.com/<tenant-id>/v2.0. - Provide the client ID, client secret, and issuer in your Helm values.
- After you deploy, register the redirect URI for your hostname’s
/signin/oidc/callbackpath on the application, then sign in to the dashboard.
Install the chart
Install from the OCI registry
The chart is published as an OCI artifact, so there’s no repository to add — install it directly. Provide your configuration in a values.yaml file (see Configuration).
helm install arcade \
oci://public.ecr.aws/s5i6x9d1/charts/arcade \
--namespace arcade --create-namespace \
-f values.yamlVerify the deployment
Once the pods are running, open your configured hostname and sign in through your identity provider to confirm the platform is up.
Configuration
Configure the platform through Helm values. The chart covers:
- Components — Engine, Coordinator, Worker, Dashboard, and Experience API
- Identity — your OIDC identity provider and OAuth providers
- Data stores — bundled or external PostgreSQL and Redis
- Networking — ingress or Gateway API, TLS, and the
engine.ssrfAllowlistfor reaching internal services - Security — encryption keys, network policies, and RBAC
- Telemetry — OpenTelemetry (OTLP) logs, metrics, and traces
The full, versioned values reference lives on Artifact Hub . Use it as the source of truth for every value and default.
Upgrade and roll back
Upgrade to a new chart version with helm upgrade, and roll back with helm rollback if needed. See the Artifact Hub listing for version-specific upgrade notes.
Next steps
- Create an MCP Gateway to scope and auth for each client
- Connect external clients with Warp Pipes
- Set up a User Source to authenticate end with your own identity provider