diff --git a/langfuse/Chart.yaml b/langfuse/Chart.yaml index 4196779..83279b4 100644 --- a/langfuse/Chart.yaml +++ b/langfuse/Chart.yaml @@ -17,7 +17,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.1 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/langfuse/README.md b/langfuse/README.md index 253a925..95454be 100644 --- a/langfuse/README.md +++ b/langfuse/README.md @@ -18,7 +18,7 @@ The Postgres password will be generated and saved in a `Secret` (in the example ### Connecting to an Existing Database -If the bundled chart is disabled, one can authenticate to an existing database. +If the bundled chart is disabled, one can authenticate to an existing database using the `databaseURL` value: ```yaml postgresql: @@ -27,7 +27,7 @@ postgresql: databaseURL: "postgresql://some-existing-url" ``` -### Accessing the installation +### Accessing the Installation The chart comes with an ingress that can be set up with 
@@ -35,34 +35,51 @@ The chart comes with an ingress that can be set up with ingress: enabled: true hosts: ... + tls: ... ``` -### Additional options +### Additional Options -Any options not present in the [values file](values.yaml) can be put into a `Secret` to be passed to Langfuse: +Any options not available in the [values file](values.yaml) can be manually put into a `Secret` and passed in the `secrets.additional` value: ```yaml -additionalConfigurationSecret: langfuse-additional-options +secrets: + additional: + - my-github-options + - my-google-options + - ... ``` -You can create and update the secret at any time as it will not be managed by Helm. +You should create the secrets before installing the chart: ```shell -kubectl create secret generic langfuse-additional-options \ +kubectl create secret generic my-github-options \ --from-literal=AUTH_GITHUB_CLIENT_ID=... \ --from-literal=AUTH_GITHUB_CLIENT_SECRET=... ``` -## Uninstalling +This can also be used to avoid providing `databaseURL` in plaintext: -The usual `helm uninstall RELEASE_NAME` should work, but note that the following objects are not deleted automatically: +```yaml +postgresql: + enabled: false + +secrets: + additional: + - my-postgres-connection # field name is DATABASE_URL +``` + +## Notes on Uninstalling + +The usual `helm uninstall RELEASE_NAME` should work, +but note that the following objects are not deleted automatically with the default values: - the data PVC of the `postgres` subchart (if the subchart was enabled) -- the `-postgres-secret` secret (unless `postgresql.secret.alwaysKeepWhenUninstalled` is unset) -- the `-internal-secret` secret +- the `-postgres-secret` secret (if the subchart was enabled, controlled by `secrets.postgresql.keepWhenUninstalled`) +- the `-internal-secret` secret (controlled by `secrets.internal.keepWhenUninstalled`) This means that you can reinstall the chart and continue accessing the same data. 
-## Example values +## Example Value Chart See [megaver.se demo](https://docs.cluster.megaver.se/cluster/langfuse-demo-values.yaml) diff --git a/langfuse/templates/_helpers.tpl b/langfuse/templates/_helpers.tpl index 6f9fcaa..d60cce8 100644 --- a/langfuse/templates/_helpers.tpl +++ b/langfuse/templates/_helpers.tpl @@ -28,7 +28,14 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- define "langfuse.internalSecret" -}} -{{- printf "%s-%s" (include "langfuse.fullname" .) "internal-secret" -}} + {{- printf "%s" (tpl .Values.secrets.internal.name $) -}} +{{- end }} + +{{- define "langfuse.internalSecret.annotations" -}} +{{- if .Values.secrets.internal.keepWhenUninstalled }} + "helm.sh/resource-policy": "keep" + "argocd.argoproj.io/sync-options": "Prune=false" +{{- end }} {{- end }} {{- define "langfuse.postgresqlSecret" -}} @@ -36,14 +43,19 @@ If release name contains chart name it will be used as a full name. {{- end }} {{- define "langfuse.postgresqlSecret.annotations" -}} -{{- if .Values.postgresql.secret.alwaysKeepWhenUninstalled -}} +{{- if .Values.secrets.postgresql.keepWhenUninstalled }} "helm.sh/resource-policy": "keep" + "argocd.argoproj.io/sync-options": "Prune=false" {{- end }} {{- end }} -{{- define "langfuse.internalSecret.annotations" -}} - "helm.sh/resource-policy": "keep" +{{- define "langfuse.additionalSecrets" -}} + {{- range .Values.secrets.additional }} + - secretRef: + name: {{ . }} + {{- end }} {{- end }} + {{- define "langfuse.databaseHost" -}} {{- if .Values.postgresql.enabled -}} @@ -106,7 +118,7 @@ Create a dictionary with keys and random values {{- define "langfuse.createRandomValuesForKeys" -}} {{- $result := dict -}} {{- range . -}} - {{- $_ := set $result . (randAlphaNum 100 | b64enc) -}} + {{- $_ := set $result . (randAlphaNum 50 | b64enc) -}} {{- end -}} {{- $result -}} {{- end -}} 
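Review bot: The new default for `secrets.internal.name` (`{{ .Release.Name }}-internal-secret` in values.yaml) does not match the name the removed line built from `langfuse.fullname`, so `langfuse.internalSecret` can resolve to a different Secret after an upgrade from 0.2.1. Going by the helper's header comment, fullname equals the release name only when the release name contains the chart name; in other cases the chart would presumably generate a fresh `salt` and `auth-secret`, which the values.yaml warning says renders old API keys unusable. Keeping the old default, e.g. `name: '{{ include "langfuse.fullname" . }}-internal-secret'`, or calling out the rename in upgrade notes would avoid that. The `printf "%s"` wrapper around `tpl` is also redundant.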
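Review bot: In `langfuse.additionalSecrets`, `name: {{ . }}` renders each entry of `secrets.additional` unquoted. An entry that is all digits, boolean-looking or starts with a YAML indicator then produces a manifest that fails validation or parses differently from what the user wrote. Prefer `name: {{ . | quote }}`, which matches how `databaseURL` is already rendered with `| quote` in connection-secret.yaml.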
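Review bot: The drop from `randAlphaNum 100` to `randAlphaNum 50` in `langfuse.createRandomValuesForKeys` is not explained anywhere in the change. Fifty alphanumeric characters is still roughly 297 bits if the generator is uniform, so this is not a practical weakening, but the length of a generated secret is a constant readers will question. A template comment above the `set` line such as `{{/* 50 alphanumeric chars, ~297 bits */}}`, together with the reason for the shorter value, would settle it.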
diff --git a/langfuse/templates/connection-secret.yaml b/langfuse/templates/connection-secret.yaml index e5c4703..b974f7b 100644 --- a/langfuse/templates/connection-secret.yaml +++ b/langfuse/templates/connection-secret.yaml @@ -6,7 +6,7 @@ metadata: name: {{ include "langfuse.connectionSecret" . }} type: Opaque stringData: - {{- if .Values.databaseURL }} + {{- if (and (not .Values.postgresql.enabled) .Values.databaseURL) }} database-url: {{ .Values.databaseURL | quote}} {{- end }} {{- if .Values.directURL }} diff --git a/langfuse/templates/deployment.yaml b/langfuse/templates/deployment.yaml index d079972..526981e 100644 --- a/langfuse/templates/deployment.yaml +++ b/langfuse/templates/deployment.yaml @@ -79,10 +79,7 @@ spec: envFrom: - configMapRef: name: {{ include "langfuse.configMap" . }} - {{- if .Values.additionalConfigurationSecret }} - - secretRef: - name: {{ .Values.additionalConfigurationSecret }} - {{- end }} + {{- include "langfuse.additionalSecrets" . }} livenessProbe: httpGet: path: /api/public/health diff --git a/langfuse/templates/internal-secret.yaml b/langfuse/templates/internal-secret.yaml index ba07612..3fcc87d 100644 --- a/langfuse/templates/internal-secret.yaml +++ b/langfuse/templates/internal-secret.yaml @@ -1,8 +1,10 @@ -{{- $secretName := (include "langfuse.internalSecret" .) -}} +{{- if .Values.secrets.internal.automaticallyManage -}} {{- include "langfuse.mergeSecretWithRandomForKeys" (dict - "name" $secretName + "name" (include "langfuse.internalSecret" .) "annotations" (include "langfuse.internalSecret.annotations" .) - "keys" (list "salt" "auth-secret") + "keys" (list "salt" "auth-secret") "context" . - ) -}} + ) -}} + +{{- end }} diff --git a/langfuse/templates/postgres-secret.yaml b/langfuse/templates/postgres-secret.yaml index c1fbb6f..aa6dbfd 100644 --- a/langfuse/templates/postgres-secret.yaml +++ b/langfuse/templates/postgres-secret.yaml 
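Review bot: The new condition still writes `database-url` whenever the bundled subchart is disabled and `databaseURL` is non-empty, and values.yaml ships a non-empty default (`postgresql://postgres:postgres@localhost:5432/postgres`). A user following the README example that moves `DATABASE_URL` into `secrets.additional` therefore still gets the localhost default rendered into this Secret unless they also clear the value. If the deployment wires `database-url` through `env` (not visible in this diff), it would take precedence over the `envFrom` secret. Adding `databaseURL: ""` to that README example, or defaulting the value to empty, would remove the ambiguity.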
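Review bot: `{{- include "langfuse.additionalSecrets" . }}` relies on the literal leading spaces inside the helper to line the `- secretRef:` items up under `envFrom`, so re-indenting either file mis-nests or breaks the manifest. The usual pattern is to have the helper emit the list at column 0 and indent at the call site, e.g. `{{- include "langfuse.additionalSecrets" . | nindent 12 }}`, with 12 replaced by the actual depth of the `envFrom` items. The enclosing container spec starts and ends outside this hunk.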
@@ -1,4 +1,4 @@ -{{- if (and .Values.postgresql.enabled .Values.postgresql.secret.createIfMissing) -}} +{{- if (and .Values.postgresql.enabled .Values.secrets.postgresql.automaticallyManage) -}} {{- include "langfuse.mergeSecretWithRandomForKeys" (dict "name" (include "langfuse.postgresqlSecret" .) diff --git a/langfuse/values.yaml b/langfuse/values.yaml index c0a70d5..b437069 100644 --- a/langfuse/values.yaml +++ b/langfuse/values.yaml @@ -3,7 +3,7 @@ # This URL must agree with the app's URL for OAuth to work nextauthURL: http://localhost:3000 -# By default, the postgres subchart will be installed and the connection value overridden. +# By default, the postgresql subchart will be installed and the connection value overridden. # Disable the bundled subchart using postgresql.enabled if you want to use this setting. databaseURL: "postgresql://postgres:postgres@localhost:5432/postgres" 
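Review bot: The old keys `postgresql.secret.createIfMissing` and `postgresql.secret.alwaysKeepWhenUninstalled` are no longer read after this rename, so an existing values file that set either to `false` is silently ignored and the new defaults (`true`) take over. The same applies to `additionalConfigurationSecret` in the deployment.yaml hunk, where the `secretRef` simply disappears from the pod after upgrade. A guard that fails the render when a removed key is still set, e.g. `{{- if .Values.additionalConfigurationSecret }}{{ fail "additionalConfigurationSecret was replaced by secrets.additional" }}{{- end }}`, would turn a silent behaviour change into an explicit upgrade error.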
@@ -16,13 +16,40 @@ toggles: experimentalFeatures: false telemetry: true -# This secret's fields (in the ENV_VAR: value format) are added to the Langfuse config -additionalConfigurationSecret: +# Where the non-public Langfuse configuration is stored +secrets: + # This group of settings is only relevant if postgresql.enabled is set. + postgresql: + # If set (default), random values are saved in the postgresql.auth.existingSecret secret + # for all the missing keys (existing values for these keys are preserved). + # If unset, you are expected to create the secret yourself before installing the chart. + automaticallyManage: true + # If set, the secret will be annotated so that it is kept with `helm uninstall` + # If unset, the secret will be deleted with `helm uninstall` + # This has no effect unless automaticallyManage is also true. + # Warning: reinstalling the chart with this value unset will generate a new password, + # but Postgres will continue to use an old password since it's stored on the PVC. + keepWhenUninstalled: true + internal: + # You can change the name to make several installations share the API keys. + name: "{{ .Release.Name }}-internal-secret" + # If set (default), random values are saved in the secrets.internal.name secret + # for all the missing keys (existing values for these keys are preserved). + # If unset, you are expected to create the secret yourself before installing the chart. + automaticallyManage: true + # If set, the secret will be annotated so that it is kept with `helm uninstall` + # If unset, the secret will be deleted with `helm uninstall` + # Warning: reinstalling the chart with this value unset will generate a new salt thus + # rendering old API keys unusable. + keepWhenUninstalled: true + # These secret's fields (in the ENV_VAR: value format) are added to the Langfuse config + # You will need to manage those manually; they will not be touched by the chart. 
+ additional: [] # ------------ Postgres subchart postgresql: - # Setting this to false will not install the bundled Postgres subchart + # Setting this to false will disable the bundled Postgres subchart. enabled: true auth: @@ -32,17 +59,6 @@ postgresql: username: langfuse-user database: "{{ .Release.Name }}" - secret: - # If false, you are expected to manage the secret yourself. - # If true, random values are saved in the secret named in postgresql.auth.existingSecret - # for all the missing keys (existing values for these keys are preserved). - createIfMissing: true - # Set this to false if you want the secret to be deleted with `helm delete` - # This has no effect unless createIfMissing is also true. - # Warning: reinstalling the chart will generate a new password, but Postgres will - # continue to use an old password since it's stored on the PVC. - alwaysKeepWhenUninstalled: true - # ------------ Standard values generated by helm create replicaCount: 1 @@ -68,9 +84,8 @@ serviceAccount: podAnnotations: {} -podSecurityContext: - {} - # fsGroup: 2000 +podSecurityContext: {} +# fsGroup: 2000 securityContext: {} @@ -78,8 +93,8 @@ securityContext: # drop: # - ALL # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 +# runAsNonRoot: true +# runAsUser: 1000 service: type: ClusterIP @@ -88,10 +103,9 @@ service: ingress: enabled: false className: "" - annotations: - {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" hosts: - host: chart-example.local paths: @@ -112,8 +126,8 @@ resources: # cpu: 100m # memory: 128Mi # requests: - # cpu: 100m - # memory: 128Mi +# cpu: 100m +# memory: 128Mi autoscaling: enabled: false
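Review bot: The comment on `secrets.internal.name` invites pointing several installations at one Secret, but it does not say which release should manage it. With the defaults, every release sharing the name has `automaticallyManage: true`, and a release with `keepWhenUninstalled` unset would presumably delete the shared `salt` and `auth-secret` for the others on uninstall. I would extend the comment with something like `# When sharing, set automaticallyManage: false on all but one release.` Separately, `These secret's fields` above `additional` should read `These secrets' fields`.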