Highflame Services

Highflame Service deployment via Helm charts

Deploying Highflame on Kubernetes

A self-service guide to installing the Highflame AI security platform on your own Kubernetes cluster using the official Helm charts.

This guide is platform-neutral — the same workflow installs Highflame on any conformant Kubernetes 1.32+ cluster. Cloud native / managed K8s-specific notes are called out inline where they matter.

What you are deploying

The Highflame platform is delivered as a collection of microservices that run together in a single Kubernetes namespace. The values files in this directory describe how each service should be configured for a self-hosted production install.

Prerequisites

You will need the following before starting.

Tooling on your workstation

Tool

Minimum version

Notes

kubectl

1.32

Configured against the target cluster

helm

3.x

OCI support required

Kubernetes cluster

Requirement

Minimum

Kubernetes version

1.32

Core node pool

3 nodes × 8 vCPU / 16 GB RAM

GPU node pool (for Guard models)

4 nodes × 4 vCPU / 16 GB RAM + GPU

Ingress

ALB (EKS), or AGIC (AKS), or GCE (GKE), or Nginx Ingress Controller

Storage class

Block storage with high IOPS

External managed services

Service

Purpose

Sizing floor

PostgreSQL 17+

Primary data store

4 vCPU / 8 GB RAM

Redis 7

Caching

4 GB RAM

ClickHouse 24+

Span and event analytics

4 vCPU / 16 GB RAM

Object storage

License + model artefacts

—

Credentials and licenses

You will need the following from your Highflame representative:

Highflame license bundle — license.jwt and public.pem (license)
Highflame Feature flag config — goff.yaml
GitHub Container Registry access — docker login password HIGHFLAME_DOCKER_CRED
Authz signing keys — For microservice internal communications authz-signing-keys
Auth keys — For microservice internal communications auth-keys
GCP service-account JSON (if using GCP-hosted detection models) — gcp-credential.json
Identity provider config — Clerk publishable + secret key (or your SAML/OIDC equivalent)

Add the Highflame Helm repository

helm repo add highflame-charts https://highflame-ai.github.io/charts
helm repo update
helm search repo highflame-charts

You should see three charts:

Chart

Used by

highflame-charts/highflame-generic

All core platform services

highflame-charts/highflame-redteam

RedTeam services

highflame-charts/highflame-ingress

Optional ingress wiring

Pick your chart and platform values

This repository ships two value-file variants:

Configure environment variables

Export the chart versions and namespace you intend to deploy into. These are referenced by every subsequent command.

export HIGHFLAME_NAMESPACE="highflame-prod"
export HIGHFLAME_GENERIC_VER="1.0.8"
export HIGHFLAME_REDTEAM_VER="1.0.9"
export HIGHFLAME_INGRESS_VER="1.0.0"

Then, for each service, set the variables documented in ../docs/service-vars.md. The values files use ${VAR_NAME} placeholders that you should substitute (either with envsubst, your CI templating engine or by editing the file directly).

Create the namespace

kubectl create namespace ${HIGHFLAME_NAMESPACE}

Create the image pull secret

Highflame images are hosted on GitHub Container Registry. Create the pull secret in your namespace:

kubectl --namespace ${HIGHFLAME_NAMESPACE} create secret docker-registry highflame-registry-secret \
  --docker-server="ghcr.io" \
  --docker-username="highflame" \
  --docker-password="HIGHFLAME_DOCKER_CRED" \
  --docker-email="[email protected]"

HIGHFLAME_DOCKER_CRED will be shared by the Highflame representative

Create platform secrets

Highflame license (`required`)

kubectl --namespace ${HIGHFLAME_NAMESPACE} create secret generic highflame-license \
  --from-file=./license \
  --dry-run=client -o yaml | kubectl apply -f -

will be shared by the Highflame representative

Redis CA certificate (`only if your Redis enforces TLS`)

kubectl --namespace ${HIGHFLAME_NAMESPACE} create secret generic highflame-redis-cert \
  --from-file=redis-ca.pem \
  --dry-run=client -o yaml | kubectl apply -f -

GCP service-account credential (`required`)

kubectl --namespace ${HIGHFLAME_NAMESPACE} create secret generic highflame-gcp-cred \
  --from-file=gcp-credential.json \
  --dry-run=client -o yaml | kubectl apply -f -

gcp-credential.json will be shared by the Highflame representative

Highflame signing keys - AuthZ signing keys (`required`)

kubectl --namespace ${HIGHFLAME_NAMESPACE} create secret generic highflame-signing-keys \
  --from-file=./authz-signing-keys \
  --dry-run=client -o yaml | kubectl apply -f -

authz-signing-keys will be shared by the Highflame representative

Highflame auth keys - JWT keys (`required`)

kubectl --namespace ${HIGHFLAME_NAMESPACE} create secret generic highflame-auth-keys \
  --from-file=./auth-keys \
  --dry-run=client -o yaml | kubectl apply -f -

auth-keys will be shared by the Highflame representative

Highflame Feature flag config (`required`)

kubectl --namespace ${HIGHFLAME_NAMESPACE} create secret generic highflame-goff \
    --from-file=goff.yaml \
    --dry-run=client -o yaml | kubectl apply -f -

goff.yaml will be shared by the Highflame representative

Install services in the correct order

The services have startup dependencies. Deploy them in the order below — each step should be reached READY 1/1 before moving on.

highflame-flag

export HIGHFLAME_SVC="highflame-flag"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-admin

export HIGHFLAME_SVC="highflame-admin"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

Admin runs its own database migrations on startup. The first install may take 2–5 minutes.

highflame-authn

export HIGHFLAME_SVC="highflame-authn"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-authz

export HIGHFLAME_SVC="highflame-authz"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-cerberus

export HIGHFLAME_SVC="highflame-cerberus"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-collector

export HIGHFLAME_SVC="highflame-collector"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-dlp

export HIGHFLAME_SVC="highflame-dlp"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-firehog

export HIGHFLAME_SVC="highflame-firehog"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-guard

export HIGHFLAME_SVC="highflame-guard"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-guard-cm

export HIGHFLAME_SVC="highflame-guard-cm"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-guard-deepcontext

export HIGHFLAME_SVC="highflame-guard-deepcontext"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-observatory

export HIGHFLAME_SVC="highflame-observatory"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-redteam

export HIGHFLAME_SVC="highflame-redteam"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-redteam \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_REDTEAM_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-redteam-lab1 (optional)

export HIGHFLAME_SVC="highflame-redteam-lab1"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-redteam \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_REDTEAM_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-shield

export HIGHFLAME_SVC="highflame-shield"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

highflame-studio

export HIGHFLAME_SVC="highflame-studio"

helm upgrade --install ${HIGHFLAME_SVC} highflame-charts/highflame-generic \
  --namespace ${HIGHFLAME_NAMESPACE} \
  --version ${HIGHFLAME_GENERIC_VER} \
  -f ${HIGHFLAME_SVC}-helm-values-tmpl.yml \
  --timeout=15m

kubectl --namespace ${HIGHFLAME_NAMESPACE} get deployment ${HIGHFLAME_SVC}

Verify the deployment

All pods running

kubectl --namespace ${HIGHFLAME_NAMESPACE} get pods

End-to-end smoke test (Optional)

A scripted smoke test is provided in ../smoke_test/. Run it from your workstation against the deployed cluster to confirm the highflame components are responding correctly.

Upgrading

To roll out a new chart or image version:

Update HIGHFLAME_GENERIC_VER / HIGHFLAME_REDTEAM_VER to the target.
Update IMAGE_TAG in each affected values file.
Re-run the relevant helm upgrade --install command.

helm upgrade --install is idempotent — running it again with the same values is a no-op.

Schema changes: Admin migrations are run automatically on startup.

Troubleshooting

Symptom

Likely cause

Fix

ImagePullBackOff on every pod

Image pull secret missing or wrong

Re-create highflame-registry-secret

CrashLoopBackOff on Admin with cannot connect to database

Wrong DB_HOST / credentials, or network policy blocking egress

kubectl exec into a pod and psql to the DB to confirm reachability

Shield pods restart with failed to verify license

License secret missing or public.pem does not match license.jwt

check the license secrets highflame-license and if it is missing, please create it

Guard pods stuck Pending

No GPU node available or wrong nodeSelector

Confirm GPU node pool labels match the values file's nodeSelector

Studio loads but shows 401

Clerk config not set, or Admin can't issue tokens

Set Clerk env vars in highflame-admin-helm-values-tmpl.yml and highflame-studio-helm-values-tmpl.yml

Pods OOM-killed under load

Default resource requests are conservative

Bump resources.requests / resources.limits in the values file

Security checklist

Before exposing your install to production traffic, confirm:

HIGHFLAME_INTERNAL_SERVICE_SECRET is identical across services but never exposed externally
Postgres and Redis are reachable only from inside the cluster's VPC/VNet
Ingress terminates TLS with a certificate from a trusted CA
IMAGE_TAG is pinned to an immutable release tag (never latest)

Support

PreviousGCP NextSupport

Last updated 6 days ago