1# Langfuse Helm Chart Configuration
5 # -- Allow insecure images to use bitnami legacy repository. Can be set to false if secure images are being used (Paid).
6 allowInsecureImages: true
7# -- Override the name for the selector labels, defaults to the chart name
9# -- Override the full name of the deployed resources, defaults to a combination of the release name and the name for the selector labels
11# Core Langfuse Configuration
13 # Logging configuration
15 # -- Set the log level for the application (trace, debug, info, warn, error, fatal)
17 # -- Set the log format for the application (text or json)
19 # -- Used to hash API keys. Can be configured by value or existing secret reference. To generate a new salt, run `openssl rand -base64 32`.
25 # -- Langfuse EE license key.
31 # -- EE: Langfuse allowed organization creators. See [documentation](https://langfuse.com/self-hosting/organization-creators)
32 allowedOrganizationCreators: []
33 # -- Authentication and SSO settings:
34 # -- If you want to disable username/password login, set auth.disableUsernamePassword to true.
35 # -- Refer to [documentation](https://langfuse.com/self-hosting/authentication-and-sso) for available keys for each provider.
36 # -- For each provider, add it to auth.providers, and add respective configuration options under it.
37 # -- For options, use the last part (after provider name) of the respective environment variable's name, in camelCase.
38 # -- Values can be specified directly as strings, or as secret references using secretKeyRef.
39 # -- For example, to use Azure AD as your SSO provider, use the following lines:
41 # disableUsernamePassword: true
44 # clientId: "<YOUR CLIENT ID>"
47 # name: "my-sso-secret"
48 # key: "azure-client-secret"
49 # tenantId: "<YOUR TENANT ID>"
50 # -- For sensitive fields, it is recommended to use secretKeyRef to avoid storing secrets in values.yaml
52 # -- Used to encrypt sensitive data. Must be 256 bits (64 string characters in hex format). Generate via `openssl rand -hex 32`.
60 # -- Whether or not to report basic usage statistics to a centralized server.
61 telemetryEnabled: true
62 # -- Disable public sign up
64 # -- Enable experimental features
65 experimentalFeaturesEnabled: false
66 # -- Node.js environment to use for all langfuse deployments
69 # -- Whether to create a service account for all langfuse deployments
71 # -- Annotations for the service account
73 # -- Override the name of the service account to use, discovered automatically if not set
75 # -- Whether to automount service account token in pods. Set to false to disable automatic mounting of the service account token.
76 automountServiceAccountToken: true
78 # -- SMTP connection URL. See [documentation](https://langfuse.com/self-hosting/transactional-emails)
80 # -- From address for emails. Required if connectionUrl is set.
83 # -- Set to `true` to enable the ingress resource
85 # -- Additional labels for the ingress resource
87 # -- Annotations for the ingress resource
89 # -- The class name for the ingress resource
91 # -- The hosts for the ingress resource
94 # - host: "langfuse.example.com"
97 # pathType: ImplementationSpecific
100 # -- Set to `true` to enable use HTTPS on the ingress
102 # -- The name of the secret to use for TLS Key
104 # -- Pod security context for all langfuse deployments
105 podSecurityContext: {}
106 # -- Security context for all langfuse deployments
108 # -- Node selector for all langfuse deployments
110 # -- Tolerations for all langfuse deployments
112 # -- Affinity for all langfuse deployments
114 # -- DNS configuration for all langfuse deployments
117 # -- Annotations for all langfuse pods
119 # -- Labels for all langfuse pods
121 # -- Topology spread constraints for all langfuse pods
122 topologySpreadConstraints: []
124 # -- Annotations for all langfuse deployments
126 # -- Deployment strategy for all langfuse deployments (can be overridden by individual deployments)
128 # -- Number of replicas to use for all langfuse deployments. Can be overridden by the individual deployments
130 # -- Number of old ReplicaSets to retain to allow rollback. Can be overridden by the individual deployments
131 revisionHistoryLimit: 10
132 # -- Resources for all langfuse deployments. Can be overridden by the individual deployments
135 # -- The image tag to use for all langfuse deployments. Can be overridden by the individual deployments. Falls back to appVersion if not set.
137 # -- The pull policy to use for all langfuse deployments. Can be overridden by the individual deployments.
139 # -- The pull secrets to use for all langfuse deployments. Can be overridden by the individual deployments.
141 # -- List of additional environment variables to be added to all langfuse deployments. See [documentation](https://langfuse.com/docs/deployment/self-host#configuring-environment-variables) for details.
143 # -- Secrets or ConfigMap of additional environment variables to be added to all langfuse deployments. See [documentation](https://langfuse.com/docs/deployment/self-host#configuring-environment-variables) for details.
144 additionalEnvFrom: []
145 # -- Allows additional containers to be added to all langfuse deployments
147 # -- Allows additional volumes to be added to all langfuse deployments
149 # -- Allows additional init containers to be added to all langfuse deployments
150 extraInitContainers: []
151 # -- Allows additional volume mounts to be added to all langfuse deployments
152 extraVolumeMounts: []
153 # -- Allows additional lifecycle hooks to be added to all langfuse deployments
155 # Web deployment configuration
158 # -- The image repository to use for the langfuse web pods.
159 repository: cgr.dev/chainguard-private/langfuse-fips
160 # -- The tag to use for the langfuse web pods. Using `langfuse.image.tag` if not set.
161 tag: latest@sha256:de9b1eeb6bdcc509adc6ca04f7a0919b62f7902d831ace9635133623937a0937
162 # -- The pull policy to use for the langfuse web pods. Using `langfuse.image.pullPolicy` if not set.
164 # -- The pull secrets to use for the langfuse web pods. Using `langfuse.image.pullSecrets` if not set.
167 # -- Additional labels for the langfuse web deployment
169 # -- Annotations for the web deployment
171 # -- Deployment strategy for the web deployment. Overrides the global deployment strategy
174 # -- Annotations for the web pods
176 # -- Labels for the web pods
178 # -- Node selector for the web pods. Overrides the global nodeSelector
180 # -- Tolerations for the web pods. Overrides the global tolerations
182 # -- Affinity for the web pods. Overrides the global affinity
184 # -- Topology spread constraints for the web pods. Overrides the global topologySpreadConstraints
185 topologySpreadConstraints: null
186 # -- Allows additional containers to be added to all langfuse web pods
188 # -- List of additional environment variables to be added to all langfuse web pods. See [documentation](https://langfuse.com/docs/deployment/self-host#configuring-environment-variables) for details.
190 # -- Secrets or ConfigMap of additional environment variables to be added to all langfuse web pods. See [documentation](https://langfuse.com/docs/deployment/self-host#configuring-environment-variables) for details.
191 additionalEnvFrom: []
193 # -- The type of service to use for the langfuse web application
195 # -- The port to use for the langfuse web application
197 # -- The external port that will be exposed by the service. Falls back to `port` if not set.
199 # -- The node port to use for the langfuse web application
201 # -- Additional labels for the langfuse web application service
203 # -- Annotations for the langfuse web application service
205 # -- Resources for the langfuse web pods. Defaults to the global resources
207 # -- Number of replicas to use if HPA is not enabled. Defaults to the global replicas
209 # -- Number of old ReplicaSets to retain to allow rollback.
210 revisionHistoryLimit: null
211 # KEDA ScaledObject configuration
213 # -- Set to `true` to enable KEDA for the langfuse web pods
214 # Note: When both KEDA and HPA are enabled, the deployment will fail.
216 # -- The minimum number of replicas to use for the langfuse web pods
218 # -- The maximum number of replicas to use for the langfuse web pods
220 # -- The polling interval in seconds for checking metrics
222 # -- The trigger type for scaling (cpu or memory)
224 # -- The metric type for scaling (Utilization or AverageValue)
225 metricType: "Utilization"
226 # -- The target utilization percentage for the langfuse web pods
228 # -- Optional container name to target for metrics (leave empty to target all containers)
230 # Horizontal Pod Autoscaler configuration
232 # -- Set to `true` to enable HPA for the langfuse web pods
233 # Note: When both KEDA and HPA are enabled, the deployment will fail.
235 # -- Annotations for the langfuse web HPA
237 # -- The minimum number of replicas to use for the langfuse web pods
239 # -- The maximum number of replicas to use for the langfuse web pods
241 # -- The target CPU utilization percentage for the langfuse web pods
242 targetCPUUtilizationPercentage: 50
243 # Vertical Pod Autoscaler configuration
245 # -- Set to `true` to enable VPA for the langfuse web pods
247 # -- The resources to control for the langfuse web pods
248 controlledResources: []
249 # -- The maximum allowed resources for the langfuse web pods
251 # -- The minimum allowed resources for the langfuse web pods
254 # -- The update policy mode for the langfuse web pods
256 # -- Adding records to /etc/hosts in the pod's network.
259 # -- Path to check for liveness.
260 path: "/api/public/health"
261 # -- Initial delay seconds for livenessProbe.
262 initialDelaySeconds: 20
263 # -- Period seconds for livenessProbe.
265 # -- Timeout seconds for livenessProbe.
267 # -- Failure threshold for livenessProbe.
269 # -- Success threshold for livenessProbe.
272 # -- Path to check for readiness.
273 path: "/api/public/ready"
274 # -- Initial delay seconds for readinessProbe.
275 initialDelaySeconds: 20
276 # -- Period seconds for readinessProbe.
278 # -- Timeout seconds for readinessProbe.
280 # -- Failure threshold for readinessProbe.
282 # -- Success threshold for readinessProbe.
284 # Pod Disruption Budget configuration for the web deployment
286 # -- Set to `true` to create a Pod Disruption Budget for the langfuse web pods
288 # -- Minimum number of available pods during disruptions. Cannot be set simultaneously with maxUnavailable.
290 # -- Maximum number of unavailable pods during disruptions. Cannot be set simultaneously with minAvailable. Defaults to 1 if neither is set.
292 # Worker deployment configuration
294 # -- Adding records to /etc/hosts in the worker pod's network.
297 # -- The image repository to use for the langfuse worker pods
298 repository: cgr.dev/chainguard-private/langfuse-worker-fips
299 # -- The tag to use for the langfuse worker pods. Using `langfuse.image.tag` if not set.
300 tag: latest@sha256:e351da5c0930ea685803c11940222117341fa8f6b680e4ebdf9116c8ad6c242e
301 # -- The pull policy to use for the langfuse worker pods. Using `langfuse.image.pullPolicy` if not set.
303 # -- The pull secrets to use for the langfuse worker pods. Using `langfuse.image.pullSecrets` if not set.
306 # -- Additional labels for the worker deployment
308 # -- Annotations for the worker deployment
310 # -- Deployment strategy for the worker deployment. Overrides the global deployment strategy
313 # -- Annotations for the worker pods
315 # -- Labels for the worker pods
317 # -- Node selector for the worker pods. Overrides the global nodeSelector
319 # -- Tolerations for the worker pods. Overrides the global tolerations
321 # -- Affinity for the worker pods. Overrides the global affinity
323 # -- Topology spread constraints for the worker pods. Overrides the global topologySpreadConstraints
324 topologySpreadConstraints: null
325 # -- Allows additional containers to be added to all langfuse worker pods
327 # -- List of additional environment variables to be added to all langfuse worker pods. See [documentation](https://langfuse.com/docs/deployment/self-host#configuring-environment-variables) for details.
329 # -- Secrets or ConfigMap of additional environment variables to be added to all langfuse worker pods. See [documentation](https://langfuse.com/docs/deployment/self-host#configuring-environment-variables) for details.
330 additionalEnvFrom: []
331 # -- Resources for the langfuse worker pods. Defaults to the global resources
333 # -- Number of replicas to use if HPA is not enabled. Defaults to the global replicas
335 # -- Number of old ReplicaSets to retain to allow rollback.
336 revisionHistoryLimit: null
337 # KEDA ScaledObject configuration
339 # -- Set to `true` to enable KEDA for the langfuse worker pods
340 # Note: When both KEDA and HPA are enabled, the deployment will fail.
342 # -- The minimum number of replicas to use for the langfuse worker pods
344 # -- The maximum number of replicas to use for the langfuse worker pods
346 # -- The polling interval in seconds for checking metrics
348 # -- The trigger type for scaling (cpu or memory)
350 # -- The metric type for scaling (Utilization or AverageValue)
351 metricType: "Utilization"
352 # -- The target utilization percentage for the langfuse worker pods
354 # -- Optional container name to target for metrics (leave empty to target all containers)
356 # Horizontal Pod Autoscaler configuration
358 # -- Set to `true` to enable HPA for the langfuse worker pods
359 # Note: When both KEDA and HPA are enabled, the deployment will fail.
361 # -- Annotations for the langfuse worker HPA
363 # -- The minimum number of replicas to use for the langfuse worker pods
365 # -- The maximum number of replicas to use for the langfuse worker pods
367 # -- The target CPU utilization percentage for the langfuse worker pods
368 targetCPUUtilizationPercentage: 50
369 # Vertical Pod Autoscaler configuration
371 # -- Set to `true` to enable VPA for the langfuse worker pods
373 # -- The resources to control for the langfuse worker pods
374 controlledResources: []
375 # -- The maximum allowed resources for the langfuse worker pods
377 # -- The minimum allowed resources for the langfuse worker pods
380 # -- The update policy mode for the langfuse worker pods
382 # Pod Disruption Budget configuration for the worker deployment
384 # -- Set to `true` to create a Pod Disruption Budget for the worker deployment
386 # -- Minimum number of available pods during disruptions. Cannot be set simultaneously with maxUnavailable.
388 # -- Maximum number of unavailable pods during disruptions. Cannot be set simultaneously with minAvailable. Defaults to 1 if neither is set.
391 # -- Initial delay seconds for livenessProbe.
392 initialDelaySeconds: 20
393 # -- Period seconds for livenessProbe.
395 # -- Timeout seconds for livenessProbe.
397 # -- Failure threshold for livenessProbe.
399 # -- Success threshold for livenessProbe.
401 # NextAuth configuration
403 # -- When deploying to production, set the `nextauth.url` value to the canonical URL of your site.
404 url: http://localhost:3000
405 # -- Used to encrypt the NextAuth.js JWT, and to hash email verification tokens. Can be configured by value or existing secret reference.
411# PostgreSQL Configuration
413 # -- Enable PostgreSQL deployment (via Bitnami Helm Chart). If you want to use an external Postgres server (or a managed one), set this to false
415 # -- PostgreSQL host to connect to. If postgresql.deploy is true, this will be set automatically based on the release name.
417 # -- Port of the postgres server to use. Defaults to 5432.
419 # -- Additional database connection arguments
421 # -- If `postgresql.deploy` is set to false, Connection string of your Postgres database used for database migrations. Use this if you want to use a different user for migrations or use connection pooling on DATABASE_URL. For large deployments, configure the database user with long timeouts as migrations might need a while to complete.
423 # -- If your database user lacks the CREATE DATABASE permission, you must create a shadow database and configure the "SHADOW_DATABASE_URL". This is often the case if you use a Cloud database. Refer to the Prisma docs for detailed instructions.
424 shadowDatabaseUrl: ""
426 # -- Overwrite default repository of helm chart to point to non-paid bitnami images.
427 repository: bitnamilegacy/postgresql
428 # image: docker.io/bitnami/postgresql:17.3.0-debian-12-r1
429 # Authentication configuration
431 # -- Username to use to connect to the postgres database deployed with Langfuse. In case `postgresql.deploy` is set to `true`, the user will be created automatically.
433 # -- Password to use to connect to the postgres database deployed with Langfuse. In case `postgresql.deploy` is set to `true`, the password will be set automatically.
435 # -- If you want to use an existing secret for the postgres password, set the name of the secret here. (`postgresql.auth.password` will be ignored and picked up from this secret).
437 # -- The keys in the existing secret that contain the passwords. If using the default `postgres` user, both `userPasswordKey` and `adminPasswordKey` must be provided.
439 userPasswordKey: password
440 adminPasswordKey: password
441 # -- Database name to use for Langfuse.
442 database: postgres_langfuse
443 # -- Additional database connection arguments
445 # Migration configuration
447 # -- Whether to run automatic migrations on startup
449 # Subchart specific settings
450 architecture: standalone
455# Key-Value Store / Redis Configuration
457 # -- Enable valkey deployment (via Bitnami Helm Chart). If you want to use a Redis or Valkey server already deployed, set to false.
459 # -- Redis host to connect to. If redis.deploy is true, this will be set automatically based on the release name.
461 # -- Redis port to connect to.
464 # -- Overwrite default repository of helm chart to point to non-paid bitnami images.
465 repository: bitnamilegacy/valkey
466 # image: docker.io/bitnami/valkey:8.0.2-debian-12-r2
467 # Redis TLS configuration
469 # -- Set to `true` to enable TLS/SSL encrypted connection to the Redis server
471 # -- Path to the CA certificate file for TLS verification
473 # -- Path to the client certificate file for mutual TLS authentication
475 # -- Path to the client private key file for mutual TLS authentication
477 # Authentication configuration
479 # -- Username for Redis authentication. Set to null to omit username from connection string entirely.
480 # In case `redis.deploy` is set to `true`, the user will be created automatically.
482 # -- Password for Redis authentication. Set to null to disable authentication (for passwordless Redis like AWS ElastiCache without auth).
483 # Use URL-encoded passwords or avoid special characters in the password.
485 # -- If you want to use an existing secret for the redis password, set the name of the secret here. (`redis.auth.password` will be ignored and picked up from this secret).
487 # -- The key in the existing secret that contains the password.
488 existingSecretPasswordKey: ""
490 # Redis Cluster configuration
492 # -- Set to `true` to enable Redis Cluster mode. When enabled, you must set `redis.deploy` to `false` and provide cluster nodes.
494 # -- List of Redis cluster nodes in the format "host:port". Example: ["redis-1:6379", "redis-2:6379", "redis-3:6379"]
496 # Redis Sentinel configuration
498 # -- Set to `true` to enable Redis Sentinel mode. Cannot be enabled simultaneously with cluster mode. When enabled, you must set `redis.deploy` to `false`.
500 # -- Name of the Redis Sentinel master. Required when `redis.sentinel.enabled` is `true`.
502 # -- Comma-separated list of Redis Sentinel nodes in the format "host:port". Example: "sentinel-1:26379,sentinel-2:26379,sentinel-3:26379". Required when `redis.sentinel.enabled` is `true`.
504 # -- Username for Redis Sentinel authentication (optional).
506 # -- Password for Redis Sentinel authentication (optional).
508 # -- If you want to use an existing secret for the sentinel password, set the name of the secret here. (`redis.sentinel.password` will be ignored and picked up from this secret).
510 # -- The key in the existing secret that contains the sentinel password.
511 existingSecretPasswordKey: ""
512 # Subchart specific settings
513 architecture: standalone
515 # -- Extra flags for the valkey deployment. Must include `--maxmemory-policy noeviction`.
517 - "--maxmemory-policy noeviction"
518# ClickHouse Configuration
520 # -- Enable ClickHouse deployment (via Bitnami Helm Chart). If you want to use an external Clickhouse server (or a managed one), set this to false
522 # -- ClickHouse host to connect to. If clickhouse.deploy is true, this will be set automatically based on the release name.
524 # -- ClickHouse HTTP port to connect to.
526 # -- ClickHouse native port to connect to.
528 # -- ClickHouse database to use.
531 # -- Overwrite default repository of helm chart to point to non-paid bitnami images.
532 repository: bitnamilegacy/clickhouse
533 # image: docker.io/bitnami/clickhouse:25.2.1-debian-12-r0
536 # -- Overwrite default repository of helm chart to point to non-paid bitnami images.
537 repository: bitnamilegacy/zookeeper
538 # image: docker.io/bitnami/zookeeper:3.9.3-debian-12-r8
539 # Authentication configuration
541 # -- Username for the ClickHouse user.
543 # -- Password for the ClickHouse user.
545 # -- If you want to use an existing secret for the ClickHouse password, set the name of the secret here. (`clickhouse.auth.password` will be ignored and picked up from this secret).
547 # -- The key in the existing secret that contains the password.
548 existingSecretKey: ""
549 # Migration configuration
551 # -- Migration URL (TCP protocol) for clickhouse
553 # -- Set to true to establish SSL connection for migration
555 # -- Whether to run automatic ClickHouse migrations on startup
557 # -- Whether to run ClickHouse commands ON CLUSTER. Controls CLICKHOUSE_CLUSTER_ENABLED setting.
559 # -- Subchart specific settings
560 shards: 1 # Fixed - Langfuse does not support sharding
561 # -- Number of replicas to use for the ClickHouse cluster. 1 corresponds to a single, non-HA deployment.
563 # -- The resources preset to use for the ClickHouse cluster.
564 resourcesPreset: 2xlarge
565# S3/MinIO Configuration
567 # -- Enable MinIO deployment (via Bitnami Helm Chart). If you want to use a custom BlobStorage, e.g. S3, set to false.
569 # -- Storage provider to use. Options: s3 (default), azure, gcs
570 # -- When set to 'azure', enables Azure Blob Storage native integration
571 # -- When set to 'gcs', enables Google Cloud Storage native integration
572 # -- When set to 's3', uses S3-compatible interface (default behavior)
573 storageProvider: "s3"
575 # -- Overwrite default repository of helm chart to point to non-paid bitnami images.
576 repository: bitnamilegacy/minio
577 # image: docker.io/bitnami/minio:2024.12.18-debian-12-r1
578 # -- S3 bucket to use for all uploads. Can be overridden per upload type.
580 # -- S3 region to use for all uploads. Can be overridden per upload type.
582 # -- S3 endpoint to use for all uploads. Can be overridden per upload type.
584 # -- Whether to force path style on requests. Required for MinIO. Can be overridden per upload type.
586 # -- S3 accessKeyId to use for all uploads. Can be overridden per upload type.
592 # -- S3 secretAccessKey to use for all uploads. Can be overridden per upload type.
598 # Google Cloud Storage Configuration (only used when storageProvider is 'gcs')
600 # -- Google Cloud Storage credentials JSON or path to credentials file
601 # -- Can be the JSON content directly or a path to the credentials file
602 # -- If not provided, will fallback to environment credentials (e.g., service account attached to pods)
603 # -- Example: Set value to the JSON service account key content, or use secretKeyRef to reference a secret
609 # S3 Concurrency Configuration
611 # -- Maximum number of concurrent read operations to S3. Defaults to 50.
613 # -- Maximum number of concurrent write operations to S3. Defaults to 50.
615 # Event Upload Configuration
617 # -- S3 bucket to use for event uploads.
619 # -- Prefix to use for event uploads within the bucket.
621 # -- S3 region to use for event uploads.
623 # -- S3 endpoint to use for event uploads.
625 # -- Whether to force path style on requests. Required for MinIO.
627 # -- S3 accessKeyId to use for event uploads.
633 # -- S3 secretAccessKey to use for event uploads.
639 # Batch Export Configuration
641 # -- Enable batch export.
643 # -- S3 bucket to use for batch exports.
645 # -- Prefix to use for batch exports within the bucket.
647 # -- S3 region to use for batch exports.
649 # -- S3 endpoint to use for batch exports.
651 # -- Whether to force path style on requests. Required for MinIO.
653 # -- S3 accessKeyId to use for batch exports.
659 # -- S3 secretAccessKey to use for batch exports.
665 # Media Upload Configuration
667 # -- Enable media uploads.
669 # -- S3 bucket to use for media uploads.
671 # -- Prefix to use for media uploads within the bucket.
673 # -- S3 region to use for media uploads.
675 # -- S3 endpoint to use for media uploads.
677 # -- Whether to force path style on requests. Required for MinIO.
679 # -- S3 accessKeyId to use for media uploads.
685 # -- S3 secretAccessKey to use for media uploads.
691 # -- Maximum content length for media uploads. Defaults to 1GB.
692 maxContentLength: 1000000000
693 # -- Expiry time for download URLs. Defaults to 1 hour.
694 downloadUrlExpirySeconds: 3600
695 # MinIO subchart specific settings
696 defaultBuckets: langfuse
700 # -- Password for MinIO root user
702 # -- If you want to use an existing secret for the root user password, set the name of the secret here. (`s3.auth.rootPassword` will be ignored and picked up from this secret).
704 # -- Key where the Minio root user is being stored inside the existing secret `s3.auth.existingSecret`
705 rootUserSecretKey: ""
706 # -- Key where the Minio root user password is being stored inside the existing secret `s3.auth.existingSecret`
707 rootPasswordSecretKey: ""
708# Additional manifests