LibreChat/helm/librechat
Ravi Kumar L a0529c9af7
🪭 feat: Add opt-in Langfuse fanout gateway + collector (#13872)
* feat: add opt-in Langfuse fanout collector

* feat: fan out Langfuse feedback scores

* docs: prepare Langfuse fanout for OSS setup

* fix: clarify Langfuse fanout collector config

* test: stabilize librechat suite

* test: fix upload dialog import order

* fix: omit empty Langfuse tenant fields

* fix: gate tenant Langfuse fanout

* test: cover central Langfuse env fallback

* style: format Langfuse fanout config

* feat: route langfuse fanout by destination

* docs: clarify langfuse compose destination scope

* test: remove unrelated suite stabilization

* style: sort agent imports

* fix: treat blank tenant fanout toggle as disabled

* fix: rename tenant fanout emergency toggle

* test: guard langfuse fanout collector config drift

* feat: tune langfuse fanout batching

* test: render fanout helm tests without dependencies

* fix: narrow remote agent run config

* refactor: share string normalization helper

* fix: align langfuse fanout env parsing

* fix(langfuse): align score fanout toggles with traces

* fix(langfuse): keep central fanout config collector-only

* fix(langfuse): type fanout collector config

* fix(langfuse): harden tenant fanout config

* feat(langfuse): support media fanout gateway

* fix(langfuse): route tenant fanout through destination URL

* fix(langfuse): harden fanout routing checks

* ci(langfuse): test fanout gateway changes

* ci(langfuse): check fanout go formatting

* fix(langfuse): satisfy api typecheck
2026-06-26 11:26:39 -04:00
examples ☸️ feat: Helm hostAliases Support For Custom DNS Mappings (#9857) 2025-09-27 10:49:36 -04:00
templates 🪭 feat: Add opt-in Langfuse fanout gateway + collector (#13872) 2026-06-26 11:26:39 -04:00
tests 🪭 feat: Add opt-in Langfuse fanout gateway + collector (#13872) 2026-06-26 11:26:39 -04:00
.helmignore 📊 feat: Improve Helm Chart (#3638) 2025-05-17 15:52:16 -04:00
Chart.yaml v0.8.7 (#13907) 2026-06-24 14:49:32 -04:00
DNS_CONFIGURATION.md 🌐 feat: Helm DNS Configuration Support for Traffic Redirection (#9785) 2025-09-23 10:41:58 -04:00
readme.md 🪭 feat: Add opt-in Langfuse fanout gateway + collector (#13872) 2026-06-26 11:26:39 -04:00
values.yaml 🪭 feat: Add opt-in Langfuse fanout gateway + collector (#13872) 2026-06-26 11:26:39 -04:00

LibreChat Helm Chart

This LibreChat Helm Chart provides an easy, lightweight template to deploy LibreChat on Kubernetes.

Variables

In this chart, LibreChat is configured only through environment variables. You can specify variables and secrets using an existing Secret (this can be generated by creating an env file and converting it to a Kubernetes Secret with --from-env-file).

Setup

  1. Generate Variables: Generate CREDS_KEY, JWT_SECRET, JWT_REFRESH_SECRET and MEILI_MASTER_KEY using openssl rand -hex 32, and CREDS_IV using openssl rand -hex 16. Place them in a Secret like this (if you want to change the Secret name, remember to change it in your Helm values):
apiVersion: v1
kind: Secret
metadata:
  name: librechat-credentials-env
  namespace: <librechat-chart-namespace>
type: Opaque
stringData:
  CREDS_KEY: <generated value>
  CREDS_IV: <generated value>
  JWT_SECRET: <generated value>
  JWT_REFRESH_SECRET: <generated value>
  MEILI_MASTER_KEY: <generated value>
  2. Add Credentials to the Secret: Depending on the model you want to use, create credentials with your provider and add them to the Secret:
apiVersion: v1
kind: Secret
. . . .

  OPENAI_API_KEY: <your secret value>
  3. Apply the Secret to the Cluster

  4. Fill out values.yaml and apply the Chart to the Cluster
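
The secret-generation and Secret steps above as a script (an added example, not code from the LibreChat chart): it generates the five values, renders the Secret manifest, and verifies every key is present with the expected length before anything is applied. The function names gen_hex, render_secret and check_secret, and the od fallback, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the chart): render the credentials Secret from the README.
set -eu

# Print N random bytes as hex. openssl is the README's command; the od fallback
# is an assumption of this example for hosts without openssl.
gen_hex() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex "$1"
  else
    od -An -v -tx1 -N "$1" /dev/urandom | tr -d ' \n'
  fi
}

# Render the manifest on stdout. $1 = namespace, $2 = Secret name (optional).
# Values are quoted so an all-digit hex string stays a YAML string.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${2:-librechat-credentials-env}
  namespace: $1
type: Opaque
stringData:
  CREDS_KEY: "$(gen_hex 32)"
  CREDS_IV: "$(gen_hex 16)"
  JWT_SECRET: "$(gen_hex 32)"
  JWT_REFRESH_SECRET: "$(gen_hex 32)"
  MEILI_MASTER_KEY: "$(gen_hex 32)"
EOF
}

# Return non-zero unless every key is present with the expected hex length.
# Catches a failed generator, which a heredoc substitution would otherwise hide.
check_secret() {
  for spec in CREDS_KEY:64 CREDS_IV:32 JWT_SECRET:64 JWT_REFRESH_SECRET:64 MEILI_MASTER_KEY:64; do
    key=${spec%%:*} len=${spec##*:}
    printf '%s\n' "$1" | grep -Eq "^  ${key}: \"[0-9a-f]{${len}}\"\$" || {
      echo "missing or malformed ${key}" >&2; return 1; }
  done
}

# Usage (the namespace is a placeholder); umask keeps the file owner-readable only:
#   umask 077; m=$(render_secret my-namespace); check_secret "$m"
#   printf '%s\n' "$m" > secret.yaml && kubectl apply -f secret.yaml
```

Add provider keys such as OPENAI_API_KEY to the rendered file before applying it, and keep the file out of version control.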

Admin Panel SSO

When deploying the admin panel at a separate URL, set librechat.adminPanelUrl to the external admin panel base URL. It may include a path, but it should not end with a trailing / because LibreChat appends /auth/... callback paths.

librechat:
  adminPanelUrl: https://admin.example.com/admin

This renders ADMIN_PANEL_URL for LibreChat's admin OAuth flow. For OpenID SSO, also register this LibreChat callback URL with your identity provider:

https://<librechat-domain>/api/admin/oauth/openid/callback

Langfuse Fanout

The chart can optionally deploy a Langfuse fanout gateway with an internal OpenTelemetry Collector sidecar. The gateway handles Langfuse media fanout and proxies traces to the collector; the collector forwards tenant-scoped Langfuse traces to both a central Langfuse project and the tenant Langfuse project. It is disabled by default.

When enabled, the chart also sets LANGFUSE_FANOUT_ENABLED and LANGFUSE_FANOUT_COLLECTOR_URL for the LibreChat app unless those values are already provided in librechat.configEnv.

Set librechat.configEnv.LANGFUSE_FANOUT_TENANT_EXPORT_DISABLED=true to keep central trace export flowing through the fanout gateway while disabling tenant trace and score export. When omitted, false, or blank, tenant export remains available if tenant keys and a known destination are configured.

Langfuse tenant base URLs are selected from the startup-configured destination map rendered into LibreChat and the fanout gateway. Tenant API keys can still be added through tenant app configuration at runtime without restarting either component. The internal collector provides trace memory limiting, batching, tenant routing, and removal of LibreChat-only routing attributes before export.

The fanout gateway stores one-time media upload plans in Redis so media create and byte-upload requests can land on different gateway replicas. Set langfuseFanout.redis.uri for an external Redis service, or enable the bundled Redis chart with redis.enabled=true and let the chart derive the internal URI. Scale the gateway manually with langfuseFanout.replicaCount; the chart does not create a fanout HPA. The internal collector receiver is bound to 127.0.0.1:4319 by default because only the gateway sidecar should send traces to it.

The gateway exposes Prometheus metrics at /metrics. Configure langfuseFanout.metrics.secret.name and .key to pass a bearer token secret to the gateway; if omitted, /metrics returns 401. Use langfuseFanout.service.annotations for scrape annotations when your cluster uses annotation-based discovery. The gateway container also has configurable /healthz liveness and readiness probes under langfuseFanout.

See otel/langfuse-fanout/README.md for the central Langfuse secret and values example.