Installation
NavFlow AI Runtime ships as a Helm chart for Kubernetes. The chart deploys all platform services (control plane, receiver, pipeline, sink, UI) with bundled NATS and PostgreSQL.
The AI agent is not included in the Helm chart. Agents are deployed separately — see Agents.
Prerequisites
- Kubernetes 1.24+
- Helm 3.10+
Quick install
# Clone the repo
git clone https://github.com/glassflow/glassflow-ai-runtime.git
cd glassflow-ai-runtime/charts/glassflow-ai-runtime
# Fetch dependencies (NATS + PostgreSQL sub-charts)
helm dependency build
# Install with a secure JWT secret
helm install navflow . \
--set controlplane.jwtSecret="$(openssl rand -hex 32)"This deploys all services with ClusterIP services. See Exposing the UI for ingress setup.
Configuration
JWT secret
The control plane uses a JWT secret to sign authentication tokens. Always set this to a random value in production:
--set controlplane.jwtSecret="$(openssl rand -hex 32)"CORS origins
Set this to the external URL where the UI is served, so the browser can call the API:
--set controlplane.corsAllowedOrigins="https://navflow.example.com"Image registry and tag
global:
image:
registry: ghcr.io/glassflow
tag: v0.1.0
pullPolicy: IfNotPresentEmail (optional)
Enable password-reset emails and member invites:
controlplane:
smtp:
connectionUrl: "smtp://user:pass@smtp.example.com:587"
fromAddress: "noreply@example.com"
uiBaseUrl: "https://navflow.example.com"Exposing the UI
The chart does not include an Ingress resource. Create one that matches your cluster’s ingress controller.
Same domain for UI and API
Serve the UI at / and the API at /api on the same domain:
# ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: navflow
spec:
ingressClassName: nginx
rules:
- host: navflow.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: navflow-ui
port:
number: 3000
- path: /api
pathType: Prefix
backend:
service:
name: navflow-controlplane
port:
number: 8080
- path: /healthz
pathType: Exact
backend:
service:
name: navflow-controlplane
port:
number: 8080
tls:
- hosts:
- navflow.example.com
secretName: navflow-tlsWith this setup, use:
--set controlplane.corsAllowedOrigins="https://navflow.example.com" \
--set ui.apiUrl=""An empty ui.apiUrl means the browser calls the same origin.
Separate domains
If you prefer app.example.com for the UI and api.example.com for the API:
--set controlplane.corsAllowedOrigins="https://app.example.com" \
--set ui.apiUrl="https://api.example.com"Exposing the receiver
The receiver needs to be reachable by your event sources (OTLP exporters, webhook producers, etc.) and your AI agent. Create a LoadBalancer service or ingress:
apiVersion: v1
kind: Service
metadata:
name: navflow-receiver-lb
spec:
type: LoadBalancer
selector:
app.kubernetes.io/component: receiver
ports:
- port: 4318
targetPort: 4318External PostgreSQL
To use an existing PostgreSQL instance instead of the bundled one:
helm install navflow . \
--set postgresql.enabled=false \
--set postgresql.externalUrl="postgres://user:pass@your-postgres:5432/gfai?sslmode=require" \
--set controlplane.jwtSecret="$(openssl rand -hex 32)"External NATS
To use an existing NATS cluster instead of the bundled one:
helm install navflow . \
--set nats.enabled=false \
--set nats.externalUrl="nats://your-nats:4222" \
--set controlplane.jwtSecret="$(openssl rand -hex 32)"External Redis
Redis is used for context windows (sliding window event storage). The Helm chart bundles redis-stack-server by default.
To use an existing Redis instance:
helm install navflow . \
--set redis.enabled=false \
--set redis.externalUrl="redis://your-redis:6379" \
--set controlplane.jwtSecret="$(openssl rand -hex 32)"Redis is only required if you enable context windows on any pipeline. If you don’t use context windows, Redis can be disabled entirely with --set redis.enabled=false.
Uninstall
helm uninstall navflowThe PostgreSQL PVC is retained by default. Delete it manually to remove stored data.
All values
See the full values reference in the Helm chart README .