Helm-Charts/README.md

# Flow Helm Chart

A Helm chart for deploying the Flow workflow engine platform to Kubernetes.

## Overview

Flow is a distributed workflow automation platform consisting of:

- **Core Services**: Workflow Engine, Activity Registry, Definition Store, Workflow Logging, Connection Store, Tenant Registry
- **Frontend**: Blazor WebAssembly web application
- **Activity Services**: 23+ activity implementations for various integrations (HTTP, SQL, Azure, AWS, etc.)
- **Infrastructure**: RabbitMQ for messaging, PostgreSQL/SQL Server for persistence

## Prerequisites

- Kubernetes 1.25+
- Helm 3.8+
- PV provisioner (if using built-in PostgreSQL/RabbitMQ)

## Quick Start

### Install from Gitea Helm Repository

The Flow Helm chart is published to the Gitea Package Registry at `https://git.kn.entit.eu`.

```bash
# Add the Helm repository (requires authentication for private repos)
helm repo add entit-flow https://git.kn.entit.eu/api/packages/EntitAB/helm \
  --username YOUR_GITEA_USERNAME \
  --password YOUR_GITEA_TOKEN

# Update repository cache
helm repo update

# Search for available versions
helm search repo entit-flow/flow --versions

# Install the chart
helm install flow entit-flow/flow \
  --namespace flow \
  --create-namespace \
  -f values.yaml
```

### Install from Local Source

```bash
# Add Helm Dependencies
cd helm/flow
helm dependency update

# Install for Development
helm install flow ./helm/flow -f ./helm/flow/values-dev.yaml

# Install for Production
helm install flow ./helm/flow \
  -f ./helm/flow/values-prod.yaml \
  --set global.azureAd.tenantId=YOUR_TENANT_ID \
  --set global.azureAd.clientId=YOUR_CLIENT_ID \
  --set global.azureAd.clientSecret=YOUR_CLIENT_SECRET
```

## Helm Repository Setup

### Using in Kubernetes (from Gitea Registry)

After the chart is published to Gitea, you can install it in any Kubernetes cluster:

```bash
# 1. Add the Gitea Helm repository
helm repo add entit-flow https://git.kn.entit.eu/api/packages/EntitAB/helm \
  --username $GITEA_USER \
  --password $GITEA_TOKEN

# 2. Update repositories
helm repo update

# 3. Install the chart (development)
helm install flow entit-flow/flow \
  --namespace flow \
  --create-namespace \
  -f values-dev.yaml

# 4. Install the chart (production)
helm install flow entit-flow/flow \
  --namespace flow \
  --create-namespace \
  -f values-prod.yaml \
  --set global.azureAd.tenantId=YOUR_TENANT_ID \
  --set global.azureAd.clientId=YOUR_CLIENT_ID
```

### Using with ArgoCD

Create an ArgoCD Application that references the Gitea Helm repository:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: flow
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://git.kn.entit.eu/api/packages/EntitAB/helm
    chart: flow
    targetRevision: 0.1.0
    helm:
      valueFiles:
        - values-prod.yaml
      parameters:
        - name: global.azureAd.tenantId
          value: YOUR_TENANT_ID
        - name: global.azureAd.clientId
          value: YOUR_CLIENT_ID
  destination:
    server: https://kubernetes.default.svc
    namespace: flow
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
---
# Repository credentials secret for ArgoCD
apiVersion: v1
kind: Secret
metadata:
  name: gitea-helm-repo
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: repository
stringData:
  type: helm
  url: https://git.kn.entit.eu/api/packages/EntitAB/helm
  username: YOUR_GITEA_USER
  password: YOUR_GITEA_TOKEN
```

### Using with Flux CD

```yaml
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: entit-flow
  namespace: flux-system
spec:
  interval: 1h
  url: https://git.kn.entit.eu/api/packages/EntitAB/helm
  secretRef:
    name: gitea-helm-auth
---
apiVersion: v1
kind: Secret
metadata:
  name: gitea-helm-auth
  namespace: flux-system
stringData:
  username: YOUR_GITEA_USER
  password: YOUR_GITEA_TOKEN
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: flow
  namespace: flow
spec:
  interval: 5m
  chart:
    spec:
      chart: flow
      version: "0.1.0"
      sourceRef:
        kind: HelmRepository
        name: entit-flow
        namespace: flux-system
  valuesFrom:
    - kind: ConfigMap
      name: flow-values
      valuesKey: values.yaml
```

### Publishing Charts (CI/CD)

The chart is automatically published to Gitea when changes are pushed to the `main` branch. The CI pipeline:

1. Lints and validates the chart
2. Runs unit tests
3. Packages the chart
4. Pushes to Gitea Package Registry at `https://git.kn.entit.eu/api/packages/EntitAB/helm`

To publish manually:

```bash
# Set credentials
export GITEA_USER=your-username
export GITEA_TOKEN=your-token

# Package and push
make push-gitea
```

**Required GitHub Secrets for CI:**
- `GITEA_USER` - Gitea username
- `GITEA_TOKEN` - Gitea personal access token with `write:package` scope

## Configuration

### Global Configuration

| Parameter | Description | Default |
|-----------|-------------|---------|
| `global.imageRegistry` | Container registry for all images | `""` |
| `global.imagePullSecrets` | Image pull secrets | `[]` |
| `global.azureAd.enabled` | Enable Azure AD authentication | `true` |
| `global.azureAd.tenantId` | Azure AD tenant ID | `""` |
| `global.azureAd.clientId` | Azure AD application client ID | `""` |
| `global.database.provider` | Database provider (Postgres/SqlServer) | `Postgres` |
| `global.rabbitmq.host` | RabbitMQ host | `{{ .Release.Name }}-rabbitmq` |

### Core Services

Each core service supports the following configuration:

| Parameter | Description | Default |
|-----------|-------------|---------|
| `<service>.enabled` | Enable the service | `true` |
| `<service>.replicaCount` | Number of replicas | `1` |
| `<service>.image.repository` | Image repository | varies |
| `<service>.image.tag` | Image tag | `""` (uses appVersion) |
| `<service>.resources` | CPU/Memory resources | varies |
| `<service>.autoscaling.enabled` | Enable HPA | `false` |
| `<service>.ingress.enabled` | Enable ingress | `false` |

### Activity Services

Activity services can be enabled/disabled individually:

```yaml
httpRequestActivity:
  enabled: true
  replicaCount: 2

sqlActivity:
  enabled: true

# Disable activities not needed
awsS3Activity:
  enabled: false
```

### Database Configuration

#### Using Built-in PostgreSQL

```yaml
postgresql:
  enabled: true
  auth:
    username: flow
    password: your-password
    database: flow
```

#### Using External PostgreSQL

```yaml
postgresql:
  enabled: false

global:
  database:
    provider: Postgres
    postgres:
      host: your-postgres-host.postgres.database.azure.com
      port: 5432
      database: flow
      username: flow
      existingSecret: your-db-secret
      existingSecretKey: password
```

#### Using SQL Server

```yaml
postgresql:
  enabled: false

global:
  database:
    provider: SqlServer
    sqlServer:
      connectionString: "Server=your-server;Database=flow;User Id=flow;Password=xxx;"
```

### RabbitMQ Configuration

#### Using Built-in RabbitMQ

```yaml
rabbitmq:
  enabled: true
  auth:
    username: flow
    password: your-password
```

#### Using External RabbitMQ

```yaml
rabbitmq:
  enabled: false

global:
  rabbitmq:
    host: your-rabbitmq-host
    username: flow
    existingSecret: rabbitmq-secret
    existingSecretKey: password
```

## Ingress Configuration

### NGINX Ingress with TLS

```yaml
frontendWeb:
  ingress:
    enabled: true
    className: nginx
    annotations:
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      cert-manager.io/cluster-issuer: letsencrypt-prod
    hosts:
      - host: flow.example.com
        paths:
          - path: /
            pathType: Prefix
    tls:
      - secretName: flow-tls
        hosts:
          - flow.example.com
```

## Security

### Pod Security

```yaml
podSecurityContext:
  fsGroup: 1000
  runAsNonRoot: true

securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  allowPrivilegeEscalation: false
  capabilities:
    drop:
      - ALL
  readOnlyRootFilesystem: true
```

### Network Policies

Enable network policies for production:

```yaml
networkPolicy:
  enabled: true
```

## Upgrading

```bash
helm upgrade flow ./helm/flow -f values-prod.yaml
```

## Uninstalling

```bash
helm uninstall flow
```

**Note**: This will not delete PVCs. To completely remove data:

```bash
kubectl delete pvc -l app.kubernetes.io/instance=flow
```

## Building Docker Images

Each service has a Dockerfile. Build all images:

```bash
# Build all services
for service in WorkflowEngine ActivityRegistry DefinitionStore WorkflowLogging ConnectionStore TenantRegistry; do
  docker build -t niblo/flow-${service}:latest -f $service/Dockerfile .
done

# Push to Docker Hub
for service in WorkflowEngine ActivityRegistry DefinitionStore WorkflowLogging ConnectionStore TenantRegistry; do
  docker push niblo/flow-${service}:latest
done