Skip to main content
By default, LangSmith will provision several Kubernetes secrets to store sensitive information such as license keys, salts, and other configuration parameters. However, you may want to use an existing secret that you have already created in your Kubernetes cluster (or provisioned via some sort of secrets operator). This can be useful if you want to manage sensitive information in a centralized way or if you have specific security requirements. By default we will provision the following secrets corresponding to different components of LangSmith:
  • langsmith-secrets: This secret contains the license key and some other basic configuration parameters. To get started, use the secrets template.
  • langsmith-redis: This secret contains the Redis connection string (or node URIs if using Redis cluster) and password. To get started, use the Redis secrets template.
  • langsmith-postgres: This secret contains the Postgres connection string and password. To get started, use the Postgres secrets template.
  • langsmith-clickhouse: This secret contains the ClickHouse connection string and password. To get started, use the ClickHouse secrets template.

Requirements

  • An existing Kubernetes cluster
  • A way to create Kubernetes secrets in your cluster. This can be done using kubectl, a Helm chart, or a secrets operator like Sealed Secrets

Parameters

You will need to create your own Kubernetes secrets that adhere to the structure of the secrets provisioned by the LangSmith Helm Chart.
The secrets must have the same structure as the ones provisioned by the LangSmith Helm Chart (refer to the links above to see the specific secrets). If you miss any of the required keys, your LangSmith instance may not work correctly.
An example secret may look like this:
Set api_key_salt once and do not change it. This value is used to hash all API keys at rest. Rotating it will permanently invalidate every existing API key in your organization, requiring all users to regenerate their keys.

Configuration

With these secrets provisioned, you can configure your LangSmith instance to use the secrets directly to avoid passing in secret values through plaintext. You can do this by modifying the langsmith_config.yaml file for your LangSmith Helm Chart installation.
Once configured, you will need to update your LangSmith installation. You can follow the upgrade guide. If everything is configured correctly, your LangSmith instance should now be accessible via the Ingress. You can run the following to check that your secrets are being used correctly:
You should see something like this in the output: