Production Deployment

The default Helm install runs Skyflo with bundled PostgreSQL and Redis. For production, configure external databases, TLS termination, scaling, and network isolation.

Ingress

Expose the Command Center through a Kubernetes Ingress. Route traffic to the skyflo-ui service on port 80. The Helm chart does not include an Ingress resource. Create one separately. See Ingress & Exposure for cloud-specific manifests (AWS ALB, GCP, Azure).

yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: skyflo-ingress
  namespace: skyflo
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - skyflo.example.com
      secretName: skyflo-tls
  rules:
    - host: skyflo.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: skyflo-ui
                port:
                  number: 80

TLS

Terminate TLS at the Ingress controller or load balancer. Use cert-manager for automated certificate management.

yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: nginx

Add the annotation to your Ingress:

yaml
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod

External PostgreSQL

For production, point Skyflo at an external PostgreSQL instance (RDS, Cloud SQL, Azure Database for PostgreSQL, or self-managed).

yaml
postgresql:
  enabled: false
  external:
    url: "postgresql://skyflo:password@your-pg-host:5432/skyflo"

Or use individual fields instead of the full URL:

yaml
postgresql:
  enabled: false
  external:
    host: "your-pg-host"
    port: 5432
    database: skyflo
    username: skyflo
    password: "your-password"

Requirements:

  • PostgreSQL 14+
  • A dedicated database for Skyflo
  • Network connectivity from the cluster to the database host
  • TLS for the connection (recommended)

External Redis

Replace the bundled Redis with an external instance (ElastiCache, Memorystore, Azure Cache for Redis, or self-managed).

yaml
redis:
  enabled: false
  external:
    url: "redis://your-redis-host:6379/0"

Requirements:

  • Redis 7+
  • Network connectivity from the cluster to the Redis host
  • TLS for the connection (recommended)

Horizontal Scaling

The Engine and MCP Server support horizontal scaling. Scale based on concurrent user sessions and tool execution load.

yaml
engine:
  replicas: 3
 
mcp:
  replicas: 2

The Command Center (ui service, Next.js) is stateless and scales independently.

yaml
ui:
  replicas: 2

Session state is stored in Redis. All Engine replicas share the same Redis and PostgreSQL instances.

Node Selectors

Pin Skyflo components to specific node pools using node selectors, tolerations, or node affinity.

yaml
engine:
  nodeSelector:
    workload: skyflo
  tolerations:
    - key: "dedicated"
      operator: "Equal"
      value: "skyflo"
      effect: "NoSchedule"
 
mcp:
  nodeSelector:
    workload: skyflo

Network Policies

Restrict traffic between Skyflo components and external services.

yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: skyflo-engine
  namespace: skyflo
spec:
  podSelector:
    matchLabels:
      app: skyflo-engine
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: skyflo-ui
      ports:
        - port: 8080
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: skyflo-mcp
      ports:
        - port: 8888
    - to:
        - podSelector:
            matchLabels:
              app: skyflo-redis
      ports:
        - port: 6379
    - to:
        - podSelector:
            matchLabels:
              app: skyflo-postgres
      ports:
        - port: 5432

Adjust selectors and ports based on your deployment configuration.
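
The policy above allows Engine egress only to in-cluster pods, so it covers neither cluster DNS nor the external PostgreSQL and Redis instances configured earlier. The supplementary policy below is an added example, not part of the Skyflo chart or docs; its name, the CIDR ranges, and the kube-dns labels are assumptions to adapt to your cluster.

```yaml
# Added example (not from the Skyflo chart). Apply alongside the skyflo-engine
# policy; NetworkPolicies are additive, so these rules extend its egress.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: skyflo-engine-egress-extra   # hypothetical name
  namespace: skyflo
spec:
  podSelector:
    matchLabels:
      app: skyflo-engine
  policyTypes:
    - Egress
  egress:
    # Cluster DNS: once Egress is enforced, Service names stop resolving without this.
    # Assumes DNS pods carry the conventional k8s-app=kube-dns label in kube-system.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # External PostgreSQL: matched by address, because no pod label exists for it.
    - to:
        - ipBlock:
            cidr: 10.0.20.0/24   # constructed placeholder: your database subnet
      ports:
        - protocol: TCP
          port: 5432
    # External Redis: same approach, separate rule so each port maps to one range.
    - to:
        - ipBlock:
            cidr: 10.0.21.0/24   # constructed placeholder: your Redis subnet
      ports:
        - protocol: TCP
          port: 6379
```

Keep each `ipBlock` as narrow as the managed service allows; a wide range such as a whole VPC CIDR reopens egress to every host that listens on those ports.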

Backup Strategy

PostgreSQL

Back up the Skyflo database regularly. It stores conversations, audit trail, and token usage data.

  • Managed databases (RDS, Cloud SQL): Enable automated backups with point-in-time recovery.
  • Self-managed: Use pg_dump on a schedule. Store backups in object storage (S3, GCS, Azure Blob).

bash
pg_dump -h your-pg-host -U skyflo -d skyflo | gzip > skyflo-backup-$(date +%Y%m%d).sql.gz

Redis

Redis stores streaming state and session data. It is ephemeral by design. If Redis is lost, active streams are interrupted but no persistent data is lost. PostgreSQL is the system of record.

For production, enable Redis persistence (AOF or RDB) or accept that Redis data is reconstructable from PostgreSQL on restart.
