| title | Kubernetes - Helm Chart |
|---|
This guide covers deploying Langtail for production using Kubernetes with a Helm chart.
Note: This setup is for production, and it is highly recommended to generate your own secrets for security. Using default or insecure secrets in production is not advised.
- A running Kubernetes cluster.
- Helm installed on your local machine.
- A managed MySQL database.
- Access to the Langtail Helm chart repository.
Before deploying, ensure you have the following environment variables configured in your Helm values file:
```yaml
# Env vars
AUTH_URL: https://langtail.yourdomain.com # Replace with the URL where the instance will be accessible
# Secret envs
DATABASE_URL: "mysql://user:password@your-database-host:3306/your-database"
MIGRATIONS_DATABASE_URL: "mysql://user:password@your-database-host:3306/your-database"
JWT_SIGNING_KEY: "your-jwt-signing-key"
JWT_PRIVATE: "your-jwt-private-key"
JWT_PUBLIC: "your-jwt-public-key"
AUTH_SECRET: "your-auth-secret"
PRISMA_FIELD_ENCRYPTION_KEY: "your-prisma-field-encryption-key"
IMAGES_AWS_SECRET_ACCESS_KEY: "your-aws-secret-access-key" # Optional - used for image uploads
# In case you want to enable login using email code
EMAIL_FROM: "your-email@example.com"
SMTP_URL: "smtp://user:password@smtp.example.com:587"
EMAIL_VERIFICATION_SECRET: "your-email-verification-secret"
```
It's highly recommended to encrypt your secrets using a secret manager like Helm Secrets before storing the values YAML file.
You can also use your own secrets manager. In that case, add these values so that Langtail uses your own secrets in Kubernetes:
```yaml
manageSecret: false
secretRef:
  name: "your-secret-name"
  migrationName: "your-migration-secret-name"
```
In production, you must generate and set secure values for the following secrets. Here’s how to generate them:
Generate AUTH_SECRET
Run the following command to generate a new AUTH_SECRET:
```bash
$ openssl rand -base64 32
```
Generate JWT_PUBLIC and JWT_PRIVATE
To generate new JWT keys:
- Go to https://mkjwk.org/.
- Select EC as the key type and P-256 as the curve.
- Copy the public and private keys and replace them in your `docker-compose.yml` under `JWT_PRIVATE` and `JWT_PUBLIC`.
Generate JWT_SIGNING_KEY
To generate a new signing key:
- Go to https://mkjwk.org/.
- Select oct as the key type and Signature as the key use.
- Copy the generated key and replace the `JWT_SIGNING_KEY` in your `docker-compose.yml`.
Generate PRISMA_FIELD_ENCRYPTION_KEY
This key is used to encrypt LLM provider keys in the database.
Generate it via a web UI: cloak.47ng.com or via the command line:
```bash
npm install -g @47ng/cloak
cloak generate
```
To configure social login with Google and GitHub, follow the steps below:
- Google OAuth Credentials: NextAuth.js - Google Provider
- GitHub OAuth Credentials: NextAuth.js - GitHub Provider
Set the corresponding environment variables in your Helm values:
```yaml
GITHUB_ID: "your-github-client-id"
GITHUB_SECRET: "your-github-client-secret"
GOOGLE_ID: "your-google-client-id"
GOOGLE_SECRET: "your-google-client-secret"
```
To install Langtail using the Helm chart, follow these steps:
- Add the Langtail Helm repository:
  ```bash
  helm repo add langtail https://github.com/langtail/langtail-k8s
  ```
- Install the Helm chart with your configured values (replace placeholders with your actual values):
  ```bash
  # -f (--values) loads a values file; --set-file expects key=path pairs
  helm install langtail langtail/langtail \
    -f values.yaml
  ```
Langtail uses Helm chart hooks to manage migrations. The migration job runs automatically as part of the Helm chart upgrade process, ensuring that migrations are applied before the new version of the app is deployed.
To deploy or upgrade the Helm chart and apply the migrations:
```bash
# -f (--values) loads a values file; --set-file expects key=path pairs
helm upgrade langtail langtail/langtail \
  -f values.yaml
```
This will ensure that the migrations are run before the app spins up with the new version.
Once the deployment is complete, your Langtail instance will be running on your Kubernetes cluster. Use the service details provided by Kubernetes to access the application.