#####################################################################
# .env (template) — OCI Object Storage / S3-compatible configuration
#
# IMPORTANT SECURITY NOTES (Oracle best practice)
# - Prefer OCI-native auth (Instance Principal / Workload Identity / Resource Principal)
# over static keys.
# - If you must use static keys, store them in a secure secret manager
# (e.g., Kubernetes Secret / OCI Vault) and inject at runtime.
# - Rotate/revoke any credentials that were previously shared or committed.
#####################################################################
#####################################################################
# 1) Storage/Auth category (CHOOSE ONE)
#
# The app can read from, write to, and download from an OCI object store for:
# - Batch exports (exports/)
# - Media uploads (media/)
# - Event uploads (events/)
#
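# Pick exactly ONE auth mechanism for OCI-native object storage by setting:
# LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE=true
# LANGFUSE_OCI_AUTH_TYPE=<one of the values below>
# Neither variable appears as an active (uncommented) line in this template;
# add both explicitly when you copy it.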
#
# Supported values:
# workload_identity | instance_principal | resource_principal | oci_profile | session_token
#####################################################################
#####################################################################
# Category A — OCI Object Storage with INSTANCE PRINCIPAL (recommended on OCI Compute)
# Use when:
# - Running on OCI Compute with IAM set up (dynamic group + policies)
#
# Set:
# LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE=true
# LANGFUSE_OCI_AUTH_TYPE=instance_principal
#
# NOTE: Do NOT set *_ACCESS_KEY_ID / *_SECRET_ACCESS_KEY in this category;
# comment out the placeholder lines for them in sections 2-4.
#####################################################################
#####################################################################
# Category B — OCI Object Storage with WORKLOAD IDENTITY (common on OKE)
# Use when:
# - Running on OKE with OCI Workload Identity configured
#
# Set:
# LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE=true
# LANGFUSE_OCI_AUTH_TYPE=workload_identity
#
# Optional (only if your environment requires additional CA trust):
# NODE_EXTRA_CA_CERTS=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
#
# NOTE: Do NOT set *_ACCESS_KEY_ID / *_SECRET_ACCESS_KEY in this category;
# comment out the placeholder lines for them in sections 2-4.
#####################################################################
#####################################################################
# Category C — OCI Object Storage with RESOURCE PRINCIPAL (common for OCI services)
# Use when:
# - Running inside an OCI service/runtime that injects Resource Principal env vars
# (e.g., certain managed services / automation contexts)
#
# Set:
# LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE=true
# LANGFUSE_OCI_AUTH_TYPE=resource_principal
#
# NOTE: Do NOT set *_ACCESS_KEY_ID / *_SECRET_ACCESS_KEY in this category;
# comment out the placeholder lines for them in sections 2-4.
#####################################################################
#####################################################################
# Category D — OCI Object Storage with OCI CONFIG PROFILE (developer local)
# Use when:
# - You have an OCI config file locally or mounted in the runtime
# - You want to use a named profile
#
# Set:
# LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE=true
# LANGFUSE_OCI_AUTH_TYPE=oci_profile
# OCI_CONFIG_FILE=/path/to/oci/config
# OCI_CONFIG_PROFILE=DEFAULT
#
# NOTE: Do not bake the OCI config file (or the key file it references) into images;
# mount or inject it securely at runtime.
#####################################################################
#####################################################################
# Category E — OCI Object Storage with SESSION TOKEN (short-lived user auth)
# Use when:
# - You use OCI CLI session authentication (short-lived token flow)
# - Create the session with: oci session authenticate
# - Appropriate for interactive/dev use; less common for long-running services
#
# Set:
# LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE=true
# LANGFUSE_OCI_AUTH_TYPE=session_token
# OCI_CONFIG_FILE=/path/to/oci/config
# OCI_CONFIG_PROFILE=DEFAULT
#####################################################################
#####################################################################
# Other possible setup — Non-OCI provider (AWS S3 / GCP / Azure / MinIO / etc.)
# Use when:
# - Your object storage is NOT OCI Object Storage
#
# Set:
# LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE=false
#
# Then configure endpoints/regions/credentials for your provider.
#####################################################################
#####################################################################
# 2) Feature: S3 Batch Export
#
# Required (when enabled):
# - *_BUCKET, *_REGION, *_ENDPOINT, *_PREFIX
# Optional:
# - *_EXTERNAL_ENDPOINT
# - *_FORCE_PATH_STYLE=true (needed for many S3-compatible providers like MinIO)
#
# Credentials:
# - Set *_ACCESS_KEY_ID/_SECRET_ACCESS_KEY ONLY for static-key auth
# (non-OCI S3-compatible providers)
#####################################################################
# Turns the batch-export feature on; the section header lists the other
# LANGFUSE_S3_BATCH_EXPORT_* values as required when it is enabled.
LANGFUSE_S3_BATCH_EXPORT_ENABLED=true
# Target bucket and key prefix. This template points all three features at the
# same bucket and separates them by prefix (exports/, media/, events/).
LANGFUSE_S3_BATCH_EXPORT_BUCKET=langfuse-bucket
LANGFUSE_S3_BATCH_EXPORT_PREFIX=exports/
# OCI example region/endpoint (sample values; replace with your own region):
LANGFUSE_S3_BATCH_EXPORT_REGION=us-chicago-1
LANGFUSE_S3_BATCH_EXPORT_ENDPOINT=https://objectstorage.us-chicago-1.oraclecloud.com
# Optional. Per the troubleshooting notes at the end of this file, set this when
# downloads must also work from outside the cluster.
LANGFUSE_S3_BATCH_EXPORT_EXTERNAL_ENDPOINT=https://objectstorage.us-chicago-1.oraclecloud.com
# MinIO / S3-compat setting (safe to keep true for many S3-compatible endpoints)
LANGFUSE_S3_BATCH_EXPORT_FORCE_PATH_STYLE=true
# Static-key auth (non-OCI) only.
# NOTE(review): both lines below are active in this template, although the
# OCI-native categories above say not to set them. Comment them out or delete
# them when using an OCI-native auth type; how the app treats the literal
# placeholder is not shown in this file, so do not rely on it being ignored.
# Real values belong in a secret manager and are injected at runtime, never
# committed in a filled-in copy of this file.
LANGFUSE_S3_BATCH_EXPORT_ACCESS_KEY_ID=__REPLACE_ME__
LANGFUSE_S3_BATCH_EXPORT_SECRET_ACCESS_KEY=__REPLACE_ME__
#####################################################################
# 3) Feature: S3 Media Upload
#####################################################################
# Bucket and key prefix for media uploads (same bucket as the other features in
# this template, isolated by the media/ prefix).
LANGFUSE_S3_MEDIA_UPLOAD_BUCKET=langfuse-bucket
LANGFUSE_S3_MEDIA_UPLOAD_PREFIX=media/
# OCI example region/endpoint (sample values; replace with your own region).
LANGFUSE_S3_MEDIA_UPLOAD_REGION=us-chicago-1
LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT=https://objectstorage.us-chicago-1.oraclecloud.com
# Path-style bucket addressing; see the troubleshooting notes for when it is needed.
LANGFUSE_S3_MEDIA_UPLOAD_FORCE_PATH_STYLE=true
# Static-key auth (non-OCI) only.
# NOTE(review): both lines below are active in this template. Comment them out
# or delete them when using an OCI-native auth type; how the app treats the
# literal placeholder is not shown in this file. Keep real values in a secret
# manager and never commit a filled-in copy.
LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID=__REPLACE_ME__
LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY=__REPLACE_ME__
#####################################################################
# 4) Feature: S3 Event Upload (optional)
#####################################################################
# Bucket and key prefix for event uploads (same bucket as the other features in
# this template, isolated by the events/ prefix).
LANGFUSE_S3_EVENT_UPLOAD_BUCKET=langfuse-bucket
LANGFUSE_S3_EVENT_UPLOAD_PREFIX=events/
# OCI example region/endpoint (sample values; replace with your own region).
LANGFUSE_S3_EVENT_UPLOAD_REGION=us-chicago-1
LANGFUSE_S3_EVENT_UPLOAD_ENDPOINT=https://objectstorage.us-chicago-1.oraclecloud.com
# Path-style bucket addressing; see the troubleshooting notes for when it is needed.
LANGFUSE_S3_EVENT_UPLOAD_FORCE_PATH_STYLE=true
# Static-key auth (non-OCI) only.
# NOTE(review): both lines below are active in this template. Comment them out
# or delete them when using an OCI-native auth type; how the app treats the
# literal placeholder is not shown in this file. Keep real values in a secret
# manager and never commit a filled-in copy.
LANGFUSE_S3_EVENT_UPLOAD_ACCESS_KEY_ID=__REPLACE_ME__
LANGFUSE_S3_EVENT_UPLOAD_SECRET_ACCESS_KEY=__REPLACE_ME__
#####################################################################
# 5) OCI native auth configuration (used by oci_profile / session_token)
#####################################################################
# Only required when LANGFUSE_OCI_AUTH_TYPE is oci_profile or session_token;
# comment both lines out for the other auth types.
# __REPLACE_ME__ is a path prefix: replace it with the directory that holds your
# OCI config file.
# NOTE(review): an OCI config file typically references key or token material on
# disk. Mount it read-only with restrictive permissions, and keep it out of
# images and version control.
OCI_CONFIG_FILE=__REPLACE_ME__/config
# Name of the profile section to read from that config file.
OCI_CONFIG_PROFILE=DEFAULT
#####################################################################
# 6) Troubleshooting notes (comments only)
#
# - If you see TLS errors to the endpoint in Kubernetes/OKE, set NODE_EXTRA_CA_CERTS to the
# correct CA bundle path for your environment. Do not work around them by disabling
# certificate verification.
# - If using MinIO or certain S3-compatible providers and you get bucket addressing errors,
# set *_FORCE_PATH_STYLE=true.
# - If downloads work inside the cluster but not externally, configure
# LANGFUSE_S3_BATCH_EXPORT_EXTERNAL_ENDPOINT to a publicly reachable endpoint/DNS.
#####################################################################