Flowise

Deploy Flowise on Kubernetes — an open-source low-code tool for building LLM applications, chatbots, and AI agents with a visual drag-and-drop editor. Supports standalone SQLite mode and scalable queue mode with PostgreSQL, Redis, and S3 shared storage.

auth.existingSecret holds 5 keys — losing any of them invalidates all sessions and stored credentials

Flowise auto-generates 5 secrets on first boot: encryptionKey, jwtAuthTokenSecret, jwtRefreshTokenSecret, expressSessionSecret, and tokenHashSecret. Without auth.existingSecret, a reinstall generates new values and invalidates all existing sessions, stored API credentials, and tool configurations. Always provide a stable auth.existingSecret in production before the first deployment.

Key Features

Two topologies — standalone (SQLite + local PVC) or queue mode (PostgreSQL + Redis + S3)
5-key auth secret — all Flowise security tokens managed via a single existingSecret
BullMQ queue mode — separate main pod (UI + API) and worker pods (execution) for scale-out
PostgreSQL bootstrap — uuid-ossp extension injected automatically on first run
S3 shared storage required in queue mode — local PVC is incompatible with multiple replicas

Installation

HTTPS repository:

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install flowise helmforge/flowise -f values.yaml

OCI registry:

helm install flowise oci://ghcr.io/helmforgedev/helm/flowise -f values.yaml

Deployment Examples

# values.yaml — Flowise standalone with SQLite (zero database configuration)
architecture:
  mode: standalone

flowise:
  appUrl: 'https://flowise.example.com'
  fileSizeLimit: 50mb

auth:
  existingSecret: flowise-auth-secrets # must contain all 5 keys before first deploy
  existingSecretEncryptionKeyKey: encryption-key
  existingSecretJwtAuthTokenSecretKey: jwt-auth-token-secret
  existingSecretJwtRefreshTokenSecretKey: jwt-refresh-token-secret
  existingSecretExpressSessionSecretKey: express-session-secret
  existingSecretTokenHashSecretKey: token-hash-secret
  secureCookies: true # enable when serving via HTTPS

persistence:
  enabled: true
  size: 10Gi

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: flowise.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: flowise-tls
      hosts:
        - flowise.example.com

# values.yaml — Flowise standalone with bundled PostgreSQL
# NOTE: bundled PostgreSQL auto-injects uuid-ossp extension
architecture:
  mode: standalone

flowise:
  appUrl: 'https://flowise.example.com'

auth:
  existingSecret: flowise-auth-secrets
  secureCookies: true

postgresql:
  enabled: true
  auth:
    database: flowise
    username: flowise
    password: 'strong-db-password'
  standalone:
    persistence:
      enabled: true
      size: 20Gi

persistence:
  enabled: true
  size: 5Gi # tool data and uploads (no SQLite when PostgreSQL active)

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: flowise.example.com
      paths:
        - path: /
          pathType: Prefix

# values.yaml — Flowise in queue mode (PostgreSQL + Redis + S3 mandatory)
# Queue mode: persistence.enabled MUST be false; storage.type MUST be s3
architecture:
  mode: queue

flowise:
  replicaCount: 2 # main pods (UI + API + job submission)
  appUrl: 'https://flowise.example.com'

queue:
  name: flowise-queue
  worker:
    replicaCount: 3 # separate worker pods consuming BullMQ jobs
    concurrency: 10 # simultaneous BullMQ jobs per worker

auth:
  existingSecret: flowise-auth-secrets
  secureCookies: true

postgresql:
  enabled: true
  auth:
    password: 'strong-db-password'

redis:
  enabled: true
  auth:
    enabled: true
    password: 'strong-redis-password'

persistence:
  enabled: false # local PVC is incompatible with queue mode replicas

storage:
  type: s3 # required in queue mode for shared blob storage
  s3:
    bucketName: flowise-storage
    region: us-east-1
    endpointUrl: 'https://s3.amazonaws.com'
    forcePathStyle: false # set to true for MinIO
    existingSecret: flowise-s3-credentials

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: flowise.example.com
      paths:
        - path: /
          pathType: Prefix

# values.yaml — Flowise with external PostgreSQL
# IMPORTANT: External PostgreSQL must have uuid-ossp extension:
#   CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
architecture:
  mode: standalone

flowise:
  appUrl: 'https://flowise.example.com'

auth:
  existingSecret: flowise-auth-secrets

postgresql:
  enabled: false

database:
  mode: external
  external:
    vendor: postgres
    host: postgres.database.svc.cluster.local
    name: flowise
    username: flowise
    existingSecret: flowise-db-credentials
    existingSecretPasswordKey: database-password
    ssl: false

persistence:
  enabled: true
  size: 10Gi

Configuration Reference

Core

Parameter	Type	Default	Description
`nameOverride`	string	`""`	Override the chart name.
`fullnameOverride`	string	`""`	Override the full release name.
`architecture.mode`	string	`standalone`	Topology: `standalone` or `queue`.

Image

Parameter	Type	Default	Description
`image.repository`	string	`docker.io/flowiseai/flowise`	Flowise image.
`image.tag`	string	`"3.1.1"`	Image tag.

Flowise Configuration

Parameter	Type	Default	Description
`flowise.replicaCount`	integer	`1`	Main pod replicas. Use `queue` mode for more than 1.
`flowise.appUrl`	string	`""`	Full public URL. Auto-detected from Ingress if empty.
`flowise.logLevel`	string	`info`	Log level: `error`, `warn`, `info`, `verbose`, `debug`.
`flowise.fileSizeLimit`	string	`50mb`	Maximum file upload size accepted by Flowise.
`flowise.corsOrigins`	string	`*`	Allowed CORS origins.
`flowise.disableTelemetry`	boolean	`true`	Disable telemetry reporting.
`flowise.extraEnv`	array	`[]`	Extra environment variables for the main container.

Auth Secrets

Parameter	Type	Default	Description
`auth.existingSecret`	string	`""`	Existing secret with all 5 Flowise auth tokens.
`auth.existingSecretEncryptionKeyKey`	string	`encryption-key`	Key for `FLOWISE_SECRETKEY_OVERWRITE`.
`auth.existingSecretJwtAuthTokenSecretKey`	string	`jwt-auth-token-secret`	Key for `JWT_AUTH_TOKEN_SECRET`.
`auth.existingSecretJwtRefreshTokenSecretKey`	string	`jwt-refresh-token-secret`	Key for `JWT_REFRESH_TOKEN_SECRET`.
`auth.existingSecretExpressSessionSecretKey`	string	`express-session-secret`	Key for `EXPRESS_SESSION_SECRET`.
`auth.existingSecretTokenHashSecretKey`	string	`token-hash-secret`	Key for `TOKEN_HASH_SECRET`.
`auth.secureCookies`	boolean	`false`	Enable secure cookies. Set `true` when serving via HTTPS.

Database

Parameter	Type	Default	Description
`database.mode`	string	`auto`	Mode: `auto`, `sqlite`, `external`, or `postgresql`.
`database.sqlite.path`	string	`/root/.flowise/database.sqlite`	SQLite file path inside the data volume.
`database.external.vendor`	string	`postgres`	External DB vendor: `postgres` or `mysql`.
`database.external.host`	string	`""`	External database hostname.
`database.external.existingSecret`	string	`""`	Existing secret with database password.
`database.external.ssl`	boolean	`false`	Enable SSL for external database connections.

External PostgreSQL requires uuid-ossp extension

Flowise 3.1.1 migrations use uuid_generate_v4(), which requires uuid-ossp. The bundled PostgreSQL subchart injects this extension automatically via initdb.scripts. For external PostgreSQL, run manually before installing:

CREATE EXTENSION IF NOT EXISTS "uuid-ossp";

PostgreSQL Subchart

Parameter	Type	Default	Description
`postgresql.enabled`	boolean	`false`	Deploy the bundled PostgreSQL subchart.
`postgresql.auth.database`	string	`flowise`	Database name.
`postgresql.auth.password`	string	`""`	Password. Auto-generated if empty.
`postgresql.standalone.persistence.size`	string	`8Gi`	PVC size for PostgreSQL.

Queue Mode

Queue mode requires persistence.enabled=false and storage.type=s3

In queue mode, multiple main and worker pods share the same blob storage. Local PVC (ReadWriteOnce) cannot be shared across pods. Set persistence.enabled: false and configure storage.type: s3 with a shared S3-compatible bucket.

Parameter	Type	Default	Description
`queue.name`	string	`flowise-queue`	BullMQ queue name shared by main and workers.
`queue.worker.replicaCount`	integer	`1`	Number of worker Deployment replicas.
`queue.worker.concurrency`	integer	`100000`	Simultaneous BullMQ jobs per worker.
`queue.worker.removeOnAge`	integer	`86400`	Completed job retention in seconds.
`queue.worker.removeOnCount`	integer	`10000`	Maximum completed job count retained.
`queue.worker.extraEnv`	array	`[]`	Extra environment variables for worker pods.
`queue.worker.resources`	object	`{}`	CPU/memory requests and limits for workers.

Storage

Parameter	Type	Default	Description
`storage.type`	string	`local`	Storage type: `local` or `s3`.
`storage.local.path`	string	`/root/.flowise/storage`	Local blob storage path.
`storage.s3.bucketName`	string	`""`	S3 bucket name.
`storage.s3.region`	string	`us-east-1`	S3 region.
`storage.s3.endpointUrl`	string	`""`	Custom S3 endpoint URL.
`storage.s3.forcePathStyle`	boolean	`false`	Force path-style requests. Set `true` for MinIO.
`storage.s3.existingSecret`	string	`""`	Existing secret with S3 credentials.

Persistence

Parameter	Type	Default	Description
`persistence.enabled`	boolean	`true`	Enable PVC for `/root/.flowise`. Set `false` in queue mode.
`persistence.size`	string	`10Gi`	PVC size.
`persistence.storageClass`	string	`""`	StorageClass for the PVC.
`persistence.existingClaim`	string	`""`	Use an existing PVC.

Backup

Backup runs pg_dump on PostgreSQL only. SQLite and local storage blobs are not included.

Parameter	Type	Default	Description
`backup.enabled`	boolean	`false`	Enable scheduled `pg_dump` S3 backup.
`backup.schedule`	string	`"0 3 * * *"`	Cron schedule.
`backup.s3.endpoint`	string	`""`	S3-compatible endpoint URL.
`backup.s3.bucket`	string	`""`	Target bucket name.
`backup.s3.existingSecret`	string	`""`	Existing secret with S3 credentials.