Deploy langgenius/dify, an LLM-based chatbot app, on Kubernetes with a Helm chart.

```shell
helm repo add dify https://borispolonsky.github.io/dify-helm
helm repo update
helm install my-release dify/dify
```

For a customized installation, refer to README.md.
The following diagram illustrates the complete network architecture and service topology of the Dify Helm deployment:
```mermaid
graph TB
    %% External Traffic Entry Points
    Internet[Internet] --> Ingress[Ingress Controller]
    Internet --> LB[LoadBalancer Service]
    %% Main Traffic Flow
    Ingress --> ProxyService[Proxy Service<br/>Port: 80]
    LB --> ProxyService
    %% Proxy Pod and Routing
    ProxyService --> ProxyPod[Proxy Pod<br/>nginx:latest<br/>Port: 80]
    %% Backend Services Routing
    ProxyPod -->|API Endpoints| APIService[API Service<br/>Port: 5001]
    ProxyPod -->|Web Pages| WebService[Web Service<br/>Port: 3000]
    ProxyPod -->|Plugin Routes| PluginService[Plugin Daemon Service<br/>Port: 5002]
    ProxyPod -->|Marketplace| MarketplaceAPI[Marketplace API<br/>External]
    %% Backend Pods
    APIService --> APIPod[API Pod<br/>langgenius/dify-api:1.8.1<br/>Port: 5001]
    WebService --> WebPod[Web Pod<br/>langgenius/dify-web:1.8.1<br/>Port: 3000]
    PluginService --> PluginPod[Plugin Daemon Pod<br/>langgenius/dify-plugin-daemon:0.2.0-local<br/>Port: 5002, 5003]
    %% Worker Pod (Background Processing)
    WorkerPod[Worker Pod<br/>langgenius/dify-api:1.8.1]
    %% Beat Pod (Periodic task scheduler)
    BeatPod[Beat Pod<br/>langgenius/dify-api:1.8.1]
    %% Sandbox Service
    SandboxService[Sandbox Service<br/>Port: 8194] --> SandboxPod[Sandbox Pod<br/>langgenius/dify-sandbox:0.2.12<br/>Port: 8194]
    %% SSRF Proxy Service
    SSRFService[SSRF Proxy Service<br/>Port: 3128] --> SSRFPod[SSRF Proxy Pod<br/>ubuntu/squid:latest<br/>Port: 3128]
    %% Internal Communications
    APIPod -.->|Code Execution| SandboxService
    APIPod -.->|SSRF Protection| SSRFService
    APIPod -.->|Plugin Management| PluginService
    WorkerPod -.->|Background Tasks| APIPod
    %% Data Layer - Databases
    subgraph DataLayer [Data Layer]
        PostgresService[PostgreSQL Service<br/>Port: 5432]
        RedisService[Redis Service<br/>Port: 6379]
        VectorDBService[Vector DB Service]
    end
    %% Database Connections
    APIPod -.->|Database Operations| PostgresService
    WorkerPod -.->|Database Operations| PostgresService
    PluginPod -.->|Database Operations| PostgresService
    APIPod -.->|Cache & Sessions| RedisService
    WorkerPod -.->|Task Processing| RedisService
    BeatPod -.->|Task Scheduling| RedisService
    APIPod -.->|Vector Storage| VectorDBService
    WorkerPod -.->|Vector Operations| VectorDBService
    %% Storage Layer
    subgraph StorageLayer [Storage Layer]
        StorageType{Storage Type}
        LocalPVC[Local PVC]
        S3Storage[AWS S3]
        AzureStorage[Azure Blob]
        GCSStorage[Google Cloud Storage]
    end
    %% Storage Connections
    APIPod -.->|File Storage| StorageType
    WorkerPod -.->|File Storage| StorageType
    PluginPod -.->|Plugin Storage| StorageType
    StorageType --> LocalPVC
    StorageType --> S3Storage
    StorageType --> AzureStorage
    StorageType --> GCSStorage
    %% Vector Database Options
    subgraph VectorOptions [Vector Database Options]
        WeaviateDB[Weaviate<br/>Port: 8080]
        QdrantDB[Qdrant<br/>Port: 6333]
        MilvusDB[Milvus<br/>Port: 19530]
        PGVectorDB[PGVector<br/>Port: 5432]
    end
    VectorDBService -.-> WeaviateDB
    VectorDBService -.-> QdrantDB
    VectorDBService -.-> MilvusDB
    VectorDBService -.-> PGVectorDB
    %% External Dependencies
    subgraph ExternalServices [External Services]
        ExternalDB[(External PostgreSQL)]
        ExternalRedis[(External Redis)]
        ExternalVector[(External Vector DB)]
        ExternalStorage[(External Object Storage)]
    end
    %% External Service Connections (Alternative)
    APIPod -.->|Alternative| ExternalDB
    APIPod -.->|Alternative| ExternalRedis
    APIPod -.->|Alternative| ExternalVector
    APIPod -.->|Alternative| ExternalStorage
    %% Styling
    classDef podClass fill:#e1f5fe,stroke:#0277bd,stroke-width:2px
    classDef serviceClass fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
    classDef storageClass fill:#e8f5e8,stroke:#2e7d32,stroke-width:2px
    classDef externalClass fill:#fff3e0,stroke:#ef6c00,stroke-width:2px
    class APIPod,WebPod,WorkerPod,BeatPod,SandboxPod,SSRFPod,PluginPod podClass
    class APIService,WebService,SandboxService,SSRFService,PluginService,ProxyService serviceClass
    class PostgresService,RedisService,VectorDBService,WeaviateDB,QdrantDB,MilvusDB,PGVectorDB storageClass
    class ExternalDB,ExternalRedis,ExternalVector,ExternalStorage,S3Storage,AzureStorage,GCSStorage externalClass
```
The Nginx proxy handles traffic routing with the following rules:

- /console/api → API Service (5001)
- /api → API Service (5001)
- /v1 → API Service (5001)
- /files → API Service (5001)
- /mcp → API Service (5001)
- /e/ → Plugin Daemon (5002)
- /explore → Web Service (3000)
- /marketplace → External Marketplace API
- / → Web Service (3000) [default route]
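Only the API, Web and Plugin Daemon services have a route through the proxy. The Sandbox (8194), the SSRF proxy (3128) and the plugin daemon's second port (5003) are reached over ClusterIP only, and in a namespace without any NetworkPolicy every pod can connect to them, including code running inside the sandbox. The script below is an added example, not part of the chart: it generates NetworkPolicies that restrict ingress to the sandbox and the SSRF proxy to their intended clients. The pod labels it matches on (`app.kubernetes.io/name=dify` plus an `app.kubernetes.io/component` value per role) and the set of SSRF-proxy clients (api, worker, sandbox) are assumptions; confirm the real labels with `kubectl get pods --show-labels` before applying.

```shell
#!/bin/sh
# Added example; not part of the dify-helm chart. The pod labels used for matching
# (app.kubernetes.io/name=dify, app.kubernetes.io/component=<role>) are ASSUMED:
# confirm them with `kubectl get pods -n <namespace> --show-labels` before applying.
set -eu

# render_netpol NAME TARGET PORT SOURCE...: print a NetworkPolicy that allows ingress
# to TARGET's PORT only from pods whose component label is one of SOURCE...; every
# other in-cluster client, including a pod that escaped the sandbox, is denied.
render_netpol() {
  name=$1; target=$2; port=$3; shift 3
  printf 'apiVersion: networking.k8s.io/v1\nkind: NetworkPolicy\nmetadata:\n  name: %s\nspec:\n' "$name"
  printf '  podSelector:\n    matchLabels:\n      app.kubernetes.io/name: dify\n      app.kubernetes.io/component: %s\n' "$target"
  printf '  policyTypes: [Ingress]\n  ingress:\n  - from:\n'
  for src in "$@"; do
    printf '    - podSelector:\n        matchLabels:\n          app.kubernetes.io/name: dify\n          app.kubernetes.io/component: %s\n' "$src"
  done
  printf '    ports:\n    - protocol: TCP\n      port: %s\n' "$port"
}

# The sandbox runs user-supplied code: only the API pod may submit jobs to port 8194.
sandbox_policy() { render_netpol dify-sandbox-ingress sandbox 8194 api; }

# The SSRF proxy is the egress helper for API, worker and sandbox pods (assumed client set).
ssrf_proxy_policy() { render_netpol dify-ssrf-proxy-ingress ssrf-proxy 3128 api worker sandbox; }

# Both policies as one multi-document stream.
all_policies() { sandbox_policy; echo '---'; ssrf_proxy_policy; }

# apply_policies NAMESPACE: server-side dry run first so a schema error fails fast.
apply_policies() {
  all_policies | kubectl apply -n "$1" --dry-run=server -f -
  all_policies | kubectl apply -n "$1" -f -
}
```

NetworkPolicy objects are only enforced when the cluster's CNI implements them (Calico, Cilium and similar); on a CNI that does not, they are accepted and silently ignored, so verify with a `kubectl exec` from a non-API pod that port 8194 is actually refused. If the worker pods also call the sandbox in your configuration, add `worker` to the sandbox policy's source list.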
| Component | Image | Port | Role |
|---|---|---|---|
| API | langgenius/dify-api:1.8.1 | 5001 | RESTful API server, business logic processing |
| Web | langgenius/dify-web:1.8.1 | 3000 | Web UI frontend |
| Worker | langgenius/dify-api:1.8.1 | - | Background task processing (Celery) |
| Beat | langgenius/dify-api:1.8.1 | - | Periodic task scheduler (Celery Beat) |
| Sandbox | langgenius/dify-sandbox:0.2.12 | 8194 | Secure code execution environment |
| Plugin Daemon | langgenius/dify-plugin-daemon:0.2.0-local | 5002, 5003 | Plugin management and execution |
| SSRF Proxy | ubuntu/squid:latest | 3128 | External request security proxy |
| Nginx Proxy | nginx:latest | 80 | Reverse proxy, load balancing |
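Two of the images in the table, `nginx:latest` and `ubuntu/squid:latest`, use a floating tag: the reverse proxy in front of every request and the egress proxy that implements the SSRF protection will silently pick up whatever the registry publishes next. The script below is an added example, not part of the chart: it renders the release with `helm template`, extracts every image reference and lists the ones that are not pinned to an immutable tag or `@sha256` digest, exiting non-zero so it can gate a pipeline. The rendered manifest used in the test is constructed; override the floating tags through the chart's image values (see values.yaml) rather than editing the rendered output.

```shell
#!/bin/sh
# Added example; not part of the dify-helm chart. Renders the release and reports
# image references that float (":latest" or no tag, and no @sha256 digest).
set -eu

# list_images: read rendered manifests on stdin, print each image reference once.
# Handles both "image: x" and "- image: x" (container list) forms, quoted or not.
list_images() {
  awk '$1 == "image:"                { print $2 }
       $1 == "-" && $2 == "image:"   { print $3 }' \
    | sed "s/[\"']//g" | sort -u
}

# unpinned_images: read image references on stdin, print those that are not pinned.
# The tag is looked for in the last path component, so a registry port
# (registry.example.com:5000/repo) is not mistaken for a tag.
unpinned_images() {
  while IFS= read -r img; do
    case "$img" in *@sha256:*) continue ;; esac   # digest-pinned: immutable
    name=${img##*/}
    case "$name" in
      *:latest) echo "$img" ;;                    # explicit floating tag
      *:*)      ;;                                # has a tag
      *)        echo "$img" ;;                    # no tag at all means :latest
    esac
  done
}

# report_unpinned: manifests on stdin; exit 1 with a list if anything floats,
# so the function can gate a CI pipeline.
report_unpinned() {
  found=$(list_images | unpinned_images)
  [ -z "$found" ] && return 0
  printf 'Unpinned images:\n%s\n' "$found" >&2
  return 1
}

# check_release [helm args...]: render with the same values you deploy with,
# e.g. check_release -f my-values.yaml
check_release() { helm template my-release dify/dify "$@" | report_unpinned; }
```

A version tag such as `1.8.1` is still mutable on the registry side; for a true guarantee pin by digest (`image@sha256:...`) and let this check pass only digest-pinned references by dropping the `*:*` branch.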
Besides the in-cluster defaults, the chart can be configured to use the following external services:

- Redis
- PostgreSQL
- Object Storage:
  - Amazon S3
  - Microsoft Azure Blob Storage
  - Alibaba Cloud OSS
  - Google Cloud Storage
  - Tencent Cloud COS
  - Huawei Cloud OBS
  - Volcengine TOS
- External Vector DB:
  - Weaviate
  - Qdrant
  - Milvus
  - PGVector
  - Tencent Vector DB
  - MyScaleDB
  - TableStore
  - Elasticsearch
In Kubernetes production environments, storing sensitive information (such as database passwords, API keys, etc.) directly in values.yaml is insecure. The ExternalSecret feature solves this problem through the External Secrets Operator, which can securely retrieve sensitive information from external secret management systems (such as AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, etc.) and automatically create Kubernetes Secret resources.
Why ExternalSecret is needed:
- Security: Avoid storing plain text passwords in Git repositories or configuration files
- Centralized Management: Unified management of all sensitive information
- Automatic Rotation: Support for automatic key updates and rotation
- Compliance: Meet enterprise security and compliance requirements
When ExternalSecret is enabled, sensitive information for the following components can be retrieved from external secret stores:
- PostgreSQL: database username and password
- Redis: username and authentication password
- Elasticsearch: username and password
- AWS S3: Access Key ID and Secret Access Key
- Resend: API key and sender email
- SendGrid: API key and sender email
- Code Execution Service: API key
- Plugin System: daemon key and internal API key
- Application Core: secret key

Usage: set `externalSecret.enabled: true` in values.yaml and configure the corresponding `secretStore` and `remoteRefs` parameters. The External Secrets Operator and its CRDs must already be installed in the cluster; the chart only creates the ExternalSecret resource that the operator reconciles into a Kubernetes Secret.
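Switching on ExternalSecret does not by itself remove credentials that were already typed into a values file, and a file with both `externalSecret.enabled: true` and a plaintext `password:` still ends up in Git. The script below is an added example, not part of the chart: a pre-commit style check that scans a values file for credential-looking keys (password, secret, apiKey, accessKey, token and the like) that carry a real value rather than an empty string or a placeholder. The key names are matched by pattern, so the sample values file in the test is constructed for illustration and does not claim to be the chart's exact schema; keys ending in `Ref`, `Name`, `Store` or `Enabled` are treated as references and skipped.

```shell
#!/bin/sh
# Added example; not part of the dify-helm chart. A pre-commit style check that rejects
# a values file still carrying plaintext credentials. Key names are matched by pattern,
# so the sample keys in the test are illustrative, not the chart's exact values schema.
set -eu

# plaintext_secret_keys FILE: print "LINE: key" for every "key: value" scalar whose key
# looks like a credential and whose value is non-empty and not an obvious placeholder.
# Block scalars ("password: |") are reported too, since their content may be a secret.
plaintext_secret_keys() {
  awk '
    /^[[:space:]]*#/ { next }                                   # comment line
    match($0, /^[[:space:]]*[A-Za-z0-9_.-]+:[[:space:]]*/) {
      key = substr($0, 1, RLENGTH); sub(/:.*/, "", key); sub(/^[[:space:]]+/, "", key)
      val = substr($0, RLENGTH + 1); sub(/[[:space:]]+$/, "", val)
      gsub(/^["\047]|["\047]$/, "", val)                       # strip surrounding quotes
      k = tolower(key); v = tolower(val)
      if (k ~ /(password|passwd|secret|apikey|api_key|accesskey|token)/ &&
          k !~ /(ref|refs|name|store|enabled|file|path)$/ &&    # references, not values
          v != "" && v !~ /^(null|~|changeme|<[^>]*>)$/)        # empty or placeholder
        printf "%d: %s\n", NR, key
    }' "$1"
}

# check_values FILE: non-zero exit (usable as a pre-commit / CI gate) if anything is found.
check_values() {
  hits=$(plaintext_secret_keys "$1")
  [ -z "$hits" ] && return 0
  printf 'Plaintext credentials in %s; move them to ExternalSecret remoteRefs:\n%s\n' "$1" "$hits" >&2
  return 1
}
```

Run it as `check_values my-values.yaml` from a pre-commit hook or CI job. It is a line-oriented heuristic, not a YAML parser: a key whose name does not look like a credential, or a value split over several lines, will not be caught, so keep it as a backstop beside the ExternalSecret configuration rather than as the only control.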