Flow Helm Chart
A Helm chart for deploying the Flow workflow engine platform to Kubernetes.
Overview
Flow is a distributed workflow automation platform consisting of:
- Core Services: Workflow Engine, Activity Registry, Definition Store, Workflow Logging, Connection Store, Tenant Registry
- Frontend: Blazor WebAssembly web application
- Activity Services: 23+ activity implementations for various integrations (HTTP, SQL, Azure, AWS, etc.)
- Infrastructure: RabbitMQ for messaging, PostgreSQL/SQL Server for persistence
Prerequisites
- Kubernetes 1.25+
- Helm 3.8+
- PV provisioner (if using built-in PostgreSQL/RabbitMQ)
Quick Start
Install from Gitea Helm Repository
The Flow Helm chart is published to the Gitea Package Registry at https://git.kn.entit.eu.
# Add the Helm repository (requires authentication for private repos)
helm repo add entit-flow https://git.kn.entit.eu/api/packages/EntitAB/helm \
--username YOUR_GITEA_USERNAME \
--password YOUR_GITEA_TOKEN
# Update repository cache
helm repo update
# Search for available versions
helm search repo entit-flow/flow --versions
# Install the chart
helm install flow entit-flow/flow \
--namespace flow \
--create-namespace \
-f values.yaml
Install from Local Source
# Add Helm Dependencies
cd helm/flow
helm dependency update
# Install for Development
helm install flow ./helm/flow -f ./helm/flow/values-dev.yaml
# Install for Production
helm install flow ./helm/flow \
-f ./helm/flow/values-prod.yaml \
--set global.azureAd.tenantId=YOUR_TENANT_ID \
--set global.azureAd.clientId=YOUR_CLIENT_ID \
--set global.azureAd.clientSecret=YOUR_CLIENT_SECRET
Helm Repository Setup
Using in Kubernetes (from Gitea Registry)
After the chart is published to Gitea, you can install it in any Kubernetes cluster:
# 1. Add the Gitea Helm repository
helm repo add entit-flow https://git.kn.entit.eu/api/packages/EntitAB/helm \
--username $GITEA_USER \
--password $GITEA_TOKEN
# 2. Update repositories
helm repo update
# 3. Install the chart (development)
helm install flow entit-flow/flow \
--namespace flow \
--create-namespace \
-f values-dev.yaml
# 4. Install the chart (production)
helm install flow entit-flow/flow \
--namespace flow \
--create-namespace \
-f values-prod.yaml \
--set global.azureAd.tenantId=YOUR_TENANT_ID \
--set global.azureAd.clientId=YOUR_CLIENT_ID
Using with ArgoCD
Create an ArgoCD Application that references the Gitea Helm repository:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: flow
namespace: argocd
spec:
project: default
source:
repoURL: https://git.kn.entit.eu/api/packages/EntitAB/helm
chart: flow
targetRevision: 0.1.0
helm:
valueFiles:
- values-prod.yaml
parameters:
- name: global.azureAd.tenantId
value: YOUR_TENANT_ID
- name: global.azureAd.clientId
value: YOUR_CLIENT_ID
destination:
server: https://kubernetes.default.svc
namespace: flow
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
# Repository credentials secret for ArgoCD
apiVersion: v1
kind: Secret
metadata:
name: gitea-helm-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
type: helm
url: https://git.kn.entit.eu/api/packages/EntitAB/helm
username: YOUR_GITEA_USER
password: YOUR_GITEA_TOKEN
Using with Flux CD
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: entit-flow
namespace: flux-system
spec:
interval: 1h
url: https://git.kn.entit.eu/api/packages/EntitAB/helm
secretRef:
name: gitea-helm-auth
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-helm-auth
namespace: flux-system
stringData:
username: YOUR_GITEA_USER
password: YOUR_GITEA_TOKEN
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: flow
namespace: flow
spec:
interval: 5m
chart:
spec:
chart: flow
version: "0.1.0"
sourceRef:
kind: HelmRepository
name: entit-flow
namespace: flux-system
valuesFrom:
- kind: ConfigMap
name: flow-values
valuesKey: values.yaml
Publishing Charts (CI/CD)
The chart is automatically published to Gitea when changes are pushed to the main branch. The CI pipeline:
- Lints and validates the chart
- Runs unit tests
- Packages the chart
- Pushes to Gitea Package Registry at
https://git.kn.entit.eu/api/packages/EntitAB/helm
To publish manually:
# Set credentials
export GITEA_USER=your-username
export GITEA_TOKEN=your-token
# Package and push
make push-gitea
Required GitHub Secrets for CI:
GITEA_USER- Gitea usernameGITEA_TOKEN- Gitea personal access token withwrite:packagescope
Configuration
Global Configuration
| Parameter | Description | Default |
|---|---|---|
global.imageRegistry |
Container registry for all images | "" |
global.imagePullSecrets |
Image pull secrets | [] |
global.azureAd.enabled |
Enable Azure AD authentication | true |
global.azureAd.tenantId |
Azure AD tenant ID | "" |
global.azureAd.clientId |
Azure AD application client ID | "" |
global.database.provider |
Database provider (Postgres/SqlServer) | Postgres |
global.rabbitmq.host |
RabbitMQ host | {{ .Release.Name }}-rabbitmq |
Core Services
Each core service supports the following configuration:
| Parameter | Description | Default |
|---|---|---|
<service>.enabled |
Enable the service | true |
<service>.replicaCount |
Number of replicas | 1 |
<service>.image.repository |
Image repository | varies |
<service>.image.tag |
Image tag | "" (uses appVersion) |
<service>.resources |
CPU/Memory resources | varies |
<service>.autoscaling.enabled |
Enable HPA | false |
<service>.ingress.enabled |
Enable ingress | false |
Activity Services
Activity services can be enabled/disabled individually:
httpRequestActivity:
enabled: true
replicaCount: 2
sqlActivity:
enabled: true
# Disable activities not needed
awsS3Activity:
enabled: false
Database Configuration
Using Built-in PostgreSQL
postgresql:
enabled: true
auth:
username: flow
password: your-password
database: flow
Using External PostgreSQL
postgresql:
enabled: false
global:
database:
provider: Postgres
postgres:
host: your-postgres-host.postgres.database.azure.com
port: 5432
database: flow
username: flow
existingSecret: your-db-secret
existingSecretKey: password
Using SQL Server
postgresql:
enabled: false
global:
database:
provider: SqlServer
sqlServer:
connectionString: "Server=your-server;Database=flow;User Id=flow;Password=xxx;"
RabbitMQ Configuration
Using Built-in RabbitMQ
rabbitmq:
enabled: true
auth:
username: flow
password: your-password
Using External RabbitMQ
rabbitmq:
enabled: false
global:
rabbitmq:
host: your-rabbitmq-host
username: flow
existingSecret: rabbitmq-secret
existingSecretKey: password
Ingress Configuration
NGINX Ingress with TLS
frontendWeb:
ingress:
enabled: true
className: nginx
annotations:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: flow.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: flow-tls
hosts:
- flow.example.com
Security
Pod Security
podSecurityContext:
fsGroup: 1000
runAsNonRoot: true
securityContext:
runAsNonRoot: true
runAsUser: 1000
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
Network Policies
Enable network policies for production:
networkPolicy:
enabled: true
Upgrading
helm upgrade flow ./helm/flow -f values-prod.yaml
Uninstalling
helm uninstall flow
Note: This will not delete PVCs. To completely remove data:
kubectl delete pvc -l app.kubernetes.io/instance=flow
Building Docker Images
Each service has a Dockerfile. Build all images:
# Build all services
for service in WorkflowEngine ActivityRegistry DefinitionStore WorkflowLogging ConnectionStore TenantRegistry; do
docker build -t niblo/flow-${service}:latest -f $service/Dockerfile .
done
# Push to Docker Hub
for service in WorkflowEngine ActivityRegistry DefinitionStore WorkflowLogging ConnectionStore TenantRegistry; do
docker push niblo/flow-${service}:latest
done