# Flow Helm Chart A Helm chart for deploying the Flow workflow engine platform to Kubernetes. ## Overview Flow is a distributed workflow automation platform consisting of: - **Core Services**: Workflow Engine, Activity Registry, Definition Store, Workflow Logging, Connection Store, Tenant Registry - **Frontend**: Blazor WebAssembly web application - **Activity Services**: 23+ activity implementations for various integrations (HTTP, SQL, Azure, AWS, etc.) - **Infrastructure**: RabbitMQ for messaging, PostgreSQL/SQL Server for persistence ## Prerequisites - Kubernetes 1.25+ - Helm 3.8+ - PV provisioner (if using built-in PostgreSQL/RabbitMQ) ## Quick Start ### Install from Gitea Helm Repository The Flow Helm chart is published to the Gitea Package Registry at `https://git.kn.entit.eu`. ```bash # Add the Helm repository (requires authentication for private repos) helm repo add entit-flow https://git.kn.entit.eu/api/packages/EntitAB/helm \ --username YOUR_GITEA_USERNAME \ --password YOUR_GITEA_TOKEN # Update repository cache helm repo update # Search for available versions helm search repo entit-flow/flow --versions # Install the chart helm install flow entit-flow/flow \ --namespace flow \ --create-namespace \ -f values.yaml ``` ### Install from Local Source ```bash # Add Helm Dependencies cd helm/flow helm dependency update # Install for Development helm install flow ./helm/flow -f ./helm/flow/values-dev.yaml # Install for Production helm install flow ./helm/flow \ -f ./helm/flow/values-prod.yaml \ --set global.azureAd.tenantId=YOUR_TENANT_ID \ --set global.azureAd.clientId=YOUR_CLIENT_ID \ --set global.azureAd.clientSecret=YOUR_CLIENT_SECRET ``` ## Helm Repository Setup ### Using in Kubernetes (from Gitea Registry) After the chart is published to Gitea, you can install it in any Kubernetes cluster: ```bash # 1. Add the Gitea Helm repository helm repo add entit-flow https://git.kn.entit.eu/api/packages/EntitAB/helm \ --username $GITEA_USER \ --password $GITEA_TOKEN # 2. Update repositories helm repo update # 3. Install the chart (development) helm install flow entit-flow/flow \ --namespace flow \ --create-namespace \ -f values-dev.yaml # 4. Install the chart (production) helm install flow entit-flow/flow \ --namespace flow \ --create-namespace \ -f values-prod.yaml \ --set global.azureAd.tenantId=YOUR_TENANT_ID \ --set global.azureAd.clientId=YOUR_CLIENT_ID ``` ### Using with ArgoCD Create an ArgoCD Application that references the Gitea Helm repository: ```yaml apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: flow namespace: argocd spec: project: default source: repoURL: https://git.kn.entit.eu/api/packages/EntitAB/helm chart: flow targetRevision: 0.1.0 helm: valueFiles: - values-prod.yaml parameters: - name: global.azureAd.tenantId value: YOUR_TENANT_ID - name: global.azureAd.clientId value: YOUR_CLIENT_ID destination: server: https://kubernetes.default.svc namespace: flow syncPolicy: automated: prune: true selfHeal: true syncOptions: - CreateNamespace=true --- # Repository credentials secret for ArgoCD apiVersion: v1 kind: Secret metadata: name: gitea-helm-repo namespace: argocd labels: argocd.argoproj.io/secret-type: repository stringData: type: helm url: https://git.kn.entit.eu/api/packages/EntitAB/helm username: YOUR_GITEA_USER password: YOUR_GITEA_TOKEN ``` ### Using with Flux CD ```yaml apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: HelmRepository metadata: name: entit-flow namespace: flux-system spec: interval: 1h url: https://git.kn.entit.eu/api/packages/EntitAB/helm secretRef: name: gitea-helm-auth --- apiVersion: v1 kind: Secret metadata: name: gitea-helm-auth namespace: flux-system stringData: username: YOUR_GITEA_USER password: YOUR_GITEA_TOKEN --- apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: flow namespace: flow spec: interval: 5m chart: spec: chart: flow version: "0.1.0" sourceRef: kind: HelmRepository name: entit-flow namespace: flux-system valuesFrom: - kind: ConfigMap name: flow-values valuesKey: values.yaml ``` ### Publishing Charts (CI/CD) The chart is automatically published to Gitea when changes are pushed to the `main` branch. The CI pipeline: 1. Lints and validates the chart 2. Runs unit tests 3. Packages the chart 4. Pushes to Gitea Package Registry at `https://git.kn.entit.eu/api/packages/EntitAB/helm` To publish manually: ```bash # Set credentials export GITEA_USER=your-username export GITEA_TOKEN=your-token # Package and push make push-gitea ``` **Required GitHub Secrets for CI:** - `GITEA_USER` - Gitea username - `GITEA_TOKEN` - Gitea personal access token with `write:package` scope ## Configuration ### Global Configuration | Parameter | Description | Default | |-----------|-------------|---------| | `global.imageRegistry` | Container registry for all images | `""` | | `global.imagePullSecrets` | Image pull secrets | `[]` | | `global.azureAd.enabled` | Enable Azure AD authentication | `true` | | `global.azureAd.tenantId` | Azure AD tenant ID | `""` | | `global.azureAd.clientId` | Azure AD application client ID | `""` | | `global.database.provider` | Database provider (Postgres/SqlServer) | `Postgres` | | `global.rabbitmq.host` | RabbitMQ host | `{{ .Release.Name }}-rabbitmq` | ### Core Services Each core service supports the following configuration: | Parameter | Description | Default | |-----------|-------------|---------| | `.enabled` | Enable the service | `true` | | `.replicaCount` | Number of replicas | `1` | | `.image.repository` | Image repository | varies | | `.image.tag` | Image tag | `""` (uses appVersion) | | `.resources` | CPU/Memory resources | varies | | `.autoscaling.enabled` | Enable HPA | `false` | | `.ingress.enabled` | Enable ingress | `false` | ### Activity Services Activity services can be enabled/disabled individually: ```yaml httpRequestActivity: enabled: true replicaCount: 2 sqlActivity: enabled: true # Disable activities not needed awsS3Activity: enabled: false ``` ### Database Configuration #### Using Built-in PostgreSQL ```yaml postgresql: enabled: true auth: username: flow password: your-password database: flow ``` #### Using External PostgreSQL ```yaml postgresql: enabled: false global: database: provider: Postgres postgres: host: your-postgres-host.postgres.database.azure.com port: 5432 database: flow username: flow existingSecret: your-db-secret existingSecretKey: password ``` #### Using SQL Server ```yaml postgresql: enabled: false global: database: provider: SqlServer sqlServer: connectionString: "Server=your-server;Database=flow;User Id=flow;Password=xxx;" ``` ### RabbitMQ Configuration #### Using Built-in RabbitMQ ```yaml rabbitmq: enabled: true auth: username: flow password: your-password ``` #### Using External RabbitMQ ```yaml rabbitmq: enabled: false global: rabbitmq: host: your-rabbitmq-host username: flow existingSecret: rabbitmq-secret existingSecretKey: password ``` ## Ingress Configuration ### NGINX Ingress with TLS ```yaml frontendWeb: ingress: enabled: true className: nginx annotations: nginx.ingress.kubernetes.io/ssl-redirect: "true" cert-manager.io/cluster-issuer: letsencrypt-prod hosts: - host: flow.example.com paths: - path: / pathType: Prefix tls: - secretName: flow-tls hosts: - flow.example.com ``` ## Security ### Pod Security ```yaml podSecurityContext: fsGroup: 1000 runAsNonRoot: true securityContext: runAsNonRoot: true runAsUser: 1000 allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true ``` ### Network Policies Enable network policies for production: ```yaml networkPolicy: enabled: true ``` ## Upgrading ```bash helm upgrade flow ./helm/flow -f values-prod.yaml ``` ## Uninstalling ```bash helm uninstall flow ``` **Note**: This will not delete PVCs. To completely remove data: ```bash kubectl delete pvc -l app.kubernetes.io/instance=flow ``` ## Building Docker Images Each service has a Dockerfile. Build all images: ```bash # Build all services for service in WorkflowEngine ActivityRegistry DefinitionStore WorkflowLogging ConnectionStore TenantRegistry; do docker build -t niblo/flow-${service}:latest -f $service/Dockerfile . done # Push to Docker Hub for service in WorkflowEngine ActivityRegistry DefinitionStore WorkflowLogging ConnectionStore TenantRegistry; do docker push niblo/flow-${service}:latest done