0.13.8 Release

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 to present Pydantic Services Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

charts/logfire/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
-version: 0.13.7
+version: 0.13.8
 name: logfire
 description: Helm chart for self-hosted Pydantic Logfire
 
-appVersion: "f355af55"
+appVersion: "db7bde1d"
 
 dependencies:
   - name: postgresql

charts/logfire/README.md

@@ -1,11 +1,11 @@
 # logfire
 
-![Version: 0.13.7](https://img.shields.io/badge/Version-0.13.7-informational?style=flat-square) ![AppVersion: f355af55](https://img.shields.io/badge/AppVersion-f355af55-informational?style=flat-square)
+![Version: 0.13.8](https://img.shields.io/badge/Version-0.13.8-informational?style=flat-square) ![AppVersion: db7bde1d](https://img.shields.io/badge/AppVersion-db7bde1d-informational?style=flat-square)
 
 Helm chart for self-hosted Pydantic Logfire
 
-This chart exists as public documentation of how to set up and run self-hosted Pydantic Logfire but requires an image pull key to actually use.
-**Self-hosted Logfire is an Enterprise offering that requires a contract and payment, it is not free software**. Please contact sales@pydantic.dev to discuss setting up a contract and pricing.
+This repository and the chart source it contains are licensed under the MIT License. Deploying the official self-hosted Pydantic Logfire product requires separate commercial access to private container images.
+**Self-hosted Logfire is an Enterprise offering that requires a contract and payment.** Please contact sales@pydantic.dev to discuss setting up a contract and pricing.
 
 ## Local Quickstart (Evaluation & Testing)
 
@@ -600,10 +600,16 @@ Before diving deeper, verify these common configuration issues:
 | ai.azureOpenAi.apiKey | string | `nil` | Azure OpenAI API key. Can be a plain string or a map with valueFrom (e.g., secretKeyRef). |
 | ai.azureOpenAi.apiVersion | string | `nil` | Azure OpenAI API version |
 | ai.azureOpenAi.endpoint | string | `nil` | Azure OpenAI endpoint |
+| ai.chatModel | string | `nil` | AI provider+model string for chat-oriented workloads. Falls back to `ai.model` in the application when unset. |
+| ai.enterpriseChatModel | string | `nil` | Enterprise chat AI provider+model string. |
+| ai.enterpriseModel | string | `nil` | Enterprise default AI provider+model string. |
 | ai.model | string | `nil` | AI provider+model string. Prefix the model with the provider (e.g., `azure:gpt-4o`). See https://ai.pydantic.dev/models/ for more information. |
 | ai.openAi.apiKey | string | `nil` | OpenAI API key. Can be a plain string or a map with valueFrom (e.g., secretKeyRef). |
 | ai.openAi.baseUrl | string | `nil` | OpenAI base URL for custom endpoints (e.g., Azure OpenAI proxy, local models). |
 | ai.vertexAi.region | string | `nil` | Vertex AI region |
+| aiGatewayOauth | object | `{"issuer":"","resourceUrl":""}` | AI gateway OAuth metadata configuration. If left empty, the chart derives self-hosted defaults from the primary Logfire URL:   resourceUrl = <logfire.url>/proxy   issuer      = <logfire.url> |
+| aiGatewayOauth.issuer | string | `""` | OAuth authorization server issuer URL used by the AI gateway. |
+| aiGatewayOauth.resourceUrl | string | `""` | Public AI gateway resource URL (RFC 8707 audience). |
 | cert-manager | object | `{"installCRDs":true}` | cert-manager chart values (only used when `dev.deployCertManager` is true) |
 | dev.deployCertManager | bool | `false` | Deploy cert-manager (NOT for production; includes cluster-scoped resources). |
 | dev.deployMaildev | bool | `false` | Deploy MailDev to test emails |

charts/logfire/README.md.gotmpl

@@ -5,8 +5,8 @@
 
 {{ template "chart.description" . }}
 
-This chart exists as public documentation of how to set up and run self-hosted Pydantic Logfire but requires an image pull key to actually use.
-**Self-hosted Logfire is an Enterprise offering that requires a contract and payment, it is not free software**. Please contact sales@pydantic.dev to discuss setting up a contract and pricing.
+This repository and the chart source it contains are licensed under the MIT License. Deploying the official self-hosted Pydantic Logfire product requires separate commercial access to private container images.
+**Self-hosted Logfire is an Enterprise offering that requires a contract and payment.** Please contact sales@pydantic.dev to discuss setting up a contract and pricing.
 
 ## Local Quickstart (Evaluation & Testing)
 

charts/logfire/templates/_helpers.tpl

@@ -277,6 +277,38 @@ Primary logfire host with protocol scheme.
 {{- end -}}
 {{- end -}}
 
+{{/*
+Public AI gateway resource URL (RFC 8707 audience). Defaults to the main Logfire URL + /proxy.
+*/}}
+{{- define "logfire.gatewayOauthResourceUrl" -}}
+{{- if .Values.aiGatewayOauth.resourceUrl -}}
+{{- .Values.aiGatewayOauth.resourceUrl -}}
+{{- else if (index .Values "logfire-ai-gateway" "enabled") -}}
+{{- printf "%s/proxy" (include "logfire.url" . | trim) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+OAuth issuer for AI gateway tokens. Defaults to the main Logfire URL.
+*/}}
+{{- define "logfire.gatewayOauthIssuer" -}}
+{{- if .Values.aiGatewayOauth.issuer -}}
+{{- .Values.aiGatewayOauth.issuer -}}
+{{- else if (index .Values "logfire-ai-gateway" "enabled") -}}
+{{- include "logfire.url" . | trim -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Public host used by the frontend CSP for AI gateway requests.
+*/}}
+{{- define "logfire.publicGatewayHost" -}}
+{{- $resourceUrl := include "logfire.gatewayOauthResourceUrl" . | trim -}}
+{{- if $resourceUrl -}}
+{{- (urlParse $resourceUrl).host -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
 Full list of logfire urls, primary and alternative domains with scheme.
 */}}

charts/logfire/templates/logfire-ai-gateway.yaml

@@ -136,6 +136,15 @@ spec:
             value: {{ $serviceName }}
           - name: GITHUB_SHA
             value: {{ include "logfire.serviceTag" (dict "Values" .Values "serviceName" $serviceName "Chart" .Chart) | quote }}
+          - name: GATEWAY_OAUTH_SIGNING_SECRET
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "logfire.secretName" (dict "ctx" . "secretName" "logfire-jwt-secret") }}
+                key: logfire-jwt-secret
+          - name: GATEWAY_OAUTH_RESOURCE_URL
+            value: {{ include "logfire.gatewayOauthResourceUrl" . | trim | quote }}
+          - name: GATEWAY_OAUTH_ISSUER
+            value: {{ include "logfire.gatewayOauthIssuer" . | trim | quote }}
           {{- if (include "logfire.inClusterTls.enabled" . | eq "true") }}
           - name: IN_CLUSTER_CA_BUNDLE_PATH
             value: /etc/logfire/incluster-ca/ca.crt

charts/logfire/templates/logfire-backend.yaml

@@ -137,7 +137,11 @@ spec:
             {{- end }}
             {{- with .Values.ai }}
             {{- with .model }}
-            - name: AI_MODEL
+            - name: AI_MODEL_DEFAULT
+              value: {{ . }}
+            {{- end }}
+            {{- with .chatModel }}
+            - name: AI_MODEL_CHAT
               value: {{ . }}
             {{- end }}
             {{- with .openAi }}
@@ -189,6 +193,14 @@ spec:
               value: {{ . }}
             {{- end }}
             {{- end }}
+            {{- with .enterpriseModel }}
+            - name: AI_ENTERPRISE_MODEL_DEFAULT
+              value: {{ . }}
+            {{- end }}
+            {{- with .enterpriseChatModel }}
+            - name: AI_ENTERPRISE_MODEL_CHAT
+              value: {{ . }}
+            {{- end }}
             {{- end }}
             - name: DEX_CLIENT_ID
               value: {{ include "logfire.dexClientId" . }}
@@ -234,6 +246,8 @@ spec:
             {{- if (index .Values "logfire-ai-gateway" "enabled") }}
             - name: GATEWAY_BASE_URL
               value: "{{ include "logfire.scheme" . }}://logfire-ai-gateway:{{ include "logfire.port" (dict "port" 8788 "root" .) }}"
+            - name: GATEWAY_OAUTH_RESOURCE_URL
+              value: {{ include "logfire.gatewayOauthResourceUrl" . | trim | quote }}
             {{- end }}
             {{- if (index .Values "logfire-ai-gateway" "enabled") }}
             - name: GATEWAY_ENCRYPTION_KEY
@@ -290,17 +304,20 @@ spec:
                 secretKeyRef:
                   name: {{ include "logfire.adminSecretName" (dict "ctx" . "secretName" "logfire-admin-totp-recovery-codes") }}
                   key: logfire-admin-totp-recovery-codes
+            {{- /* MCP OAuth2 is not supported without TLS for hostnames different than localhost */ -}}
+            {{- if or (include "logfire.effective_tls" . | eq "true") (eq (include "logfire.primary_hostname" .) "localhost") }}
             - name: MCP_OAUTH_CLIENT_SECRET
               valueFrom:
                 secretKeyRef:
                   name: {{ include "logfire.secretName" (dict "ctx" . "secretName" "logfire-mcp-oauth-client-secret") }}
                   key: logfire-mcp-oauth-client-secret
+            {{- end }}
             {{- include "logfire.groupOrganizationMapping" . | nindent 12 }}
             - name: BOOTSTRAPPED_ORGANIZATIONS
               # This will make it possible to log-in sans-credentials by visiting a URL like:
               # http://localhost:8080/logfire-meta/logfire-meta#token=U8TO1taNdD7YwgBMcfeQVU7RB6Hgtrwd
               # You'll need to get the right host and get the secret from k8s
-              value: '[{"admin_user_email": "{{ .Values.adminEmail }}", "admin_user_password": "$(ADMIN_PASSWORD)", "admin_user_totp_secret": "$(ADMIN_TOTP_SECRET)", "admin_user_totp_recovery_codes": $(ADMIN_TOTP_RECOVERY_CODES), "organization_name": "logfire-meta", "projects": [{"project_name": "logfire-meta", "write_token": "$(META_WRITE_TOKEN)", "permanent_frontend_token": "$(META_FRONTEND_TOKEN)"}], "oauth_clients": [{"client_id": "logfire-mcp", "client_secret": "$(MCP_OAUTH_CLIENT_SECRET)", "client_name": "Logfire Remote MCP Server", "redirect_uris": ["{{ include "logfire.url" . }}/mcp/oauth/callback"], "allowed_scopes": ["project:read", "project:write", "project:write_token", "project:read_dashboard", "project:write_dashboard", "project:read_alert", "project:write_alert", "organization:create_project", "organization:read_channel", "organization:write_channel"]}]}]'
+              value: '[{"admin_user_email": "{{ .Values.adminEmail }}", "admin_user_password": "$(ADMIN_PASSWORD)", "admin_user_totp_secret": "$(ADMIN_TOTP_SECRET)", "admin_user_totp_recovery_codes": $(ADMIN_TOTP_RECOVERY_CODES), "organization_name": "logfire-meta", "projects": [{"project_name": "logfire-meta", "write_token": "$(META_WRITE_TOKEN)", "permanent_frontend_token": "$(META_FRONTEND_TOKEN)"}]{{- if or (include "logfire.effective_tls" . | eq "true") (eq (include "logfire.primary_hostname" .) "localhost") }}, "oauth_clients": [{"client_id": "logfire-mcp", "client_secret": "$(MCP_OAUTH_CLIENT_SECRET)", "client_name": "Logfire Remote MCP Server", "redirect_uris": ["{{ include "logfire.url" . }}/mcp/oauth/callback"], "allowed_scopes": ["project:read", "project:write", "project:write_token", "project:read_dashboard", "project:write_dashboard", "project:read_alert", "project:write_alert", "organization:create_project", "organization:read_channel", "organization:write_channel"]}]{{- end }}}]'
             {{- with (index .Values $serviceName | default dict).env }}
               {{- . | toYaml | nindent 12 }}
             {{- end}}

charts/logfire/templates/logfire-ff-config.yaml

@@ -14,6 +14,7 @@ data:
   FF_CACHE_OBJECT_STORE_URI: "{{ include "logfire.scheme" . }}://logfire-ff-cache-byte:{{ include "logfire.port" (dict "port" 9001 "root" .) }}"
   FF_SHARED_REDIS_DSN: {{ .Values.redisDsn }}
   FF_OBJECT_STORE_URI: {{ .Values.objectStore.uri }}
+  FF_PG_TRANSACTION_TIMEOUT: "30s"
 {{- if (include "logfire.inClusterTls.enabled" . | eq "true") }}
   FF_TLS_MODE: "allow"
   FF_HTTPS_PORT: {{ .Values.inClusterTls.httpsPort | quote }}
@@ -36,7 +37,7 @@ metadata:
 data:
   FF_DISTRIBUTED_CHANCE: "0"
   FF_RETRY_FAILED_DISTRIBUTED_QUERIES: "false"
-  FF_EXTERNAL_TABLES_PG_ENABLED_TABLES: "logfire.annotations,logfire.experiments,logfire.datasets,logfire.dataset_cases"
+  FF_EXTERNAL_TABLES_PG_ENABLED_TABLES: "logfire.annotations,logfire.experiments,logfire.datasets,logfire.dataset_cases,logfire.alerts_ext,logfire.alert_runs_ext,logfire.alert_issues_ext,logfire.filter_alert_issue_hits_ext,logfire.saved_searches_ext"
 
 ---
 
@@ -65,6 +66,7 @@ data:
   FF_CACHE_OBJECT_STORE_HTTP_HEADERS: x-ff-no-warm-cache=1
   FF_COMPACTION_LOOP_BACKOFF_DELAY: "1s"
   FF_COMPACTION_TIERS: {{ include "logfire.ffCompactionTiersValue" . | squote }}
+  FF_INGEST_MAX_TIME_SKEW: "120s"
 
 ---
 
@@ -79,5 +81,6 @@ data:
   FF_BACKEND_SERVICE_URL: "{{ include "logfire.scheme" . }}://logfire-backend:{{ include "logfire.port" (dict "port" 8000 "root" .) }}"
   FF_REDIS_TAIL_DSN: {{ .Values.redisDsn }}
   FF_FAILOVER_OBJECT_STORE_URI: {{ .Values.objectStore.uri }}/_ingest_failover
+  FF_INGEST_MAX_TIME_SKEW: "120s"
   FF_INGEST_MAX_FUTURE_TIME_DRIFT: "1h"
   FF_INGEST_MAX_PAST_TIME_DRIFT: "24h"

charts/logfire/templates/logfire-ff-ingest-processor.yaml

@@ -109,6 +109,10 @@ spec:
               value: "0"
             - name: FF_INGEST_NUM_CLEANUP_WORKERS
               value: "0"
+            - name: FF_DIRECT_FILE_INGEST_SUBMIT_CONCURRENCY
+              value: "128"
+            - name: FF_INGEST_DIRECT_FILE_BUFFER_MAX_BYTES
+              value: "8MB"
             - name: FF_IO_THREADS
               value: {{ $cpuCores | quote }}
             - name: FF_DATAFUSION_THREADS

charts/logfire/templates/logfire-ff-maintenance-scheduler.yaml

@@ -91,8 +91,6 @@ spec:
               value: "1"
             - name: FF_DATAFUSION_MEMORY_LIMIT
               value: {{ (get $effectiveServiceValues "datafusionMemory" | default "512MB" | quote) }}
-            - name: FF_MAX_FILES_PER_COMPACTION_JOB
-              value: "10000"
             {{- include "logfire.otlpExporterEnv" (dict "root" . "serviceName" $serviceName "codeWorkDir" "/app") | nindent 12 }}
             - name: PG_DSN
               valueFrom:

charts/logfire/templates/logfire-ff-maintenance-worker.yaml

@@ -83,8 +83,6 @@ spec:
               value: "30s"
             - name: FF_DATAFUSION_MEMORY_LIMIT
               value: {{ (get $effectiveServiceValues "datafusionMemory" | default "512MB" | quote) }}
-            - name: FF_DATAFUSION_TARGET_PARTITIONS
-              value: "1"
             - name: FF_ENABLE_SPILL_TO_DISK
               value: "true"
             - name: FF_TEMP_DIR

charts/logfire/templates/logfire-ff-query-worker.yaml

@@ -80,8 +80,6 @@ spec:
               value: {{ (get $effectiveServiceValues "queryParallelism" | default "4" | quote) }}
             - name: FF_PG_POOL_MAX_CONNECTIONS
               value: "4"
-            - name: FF_PG_POOL_MIN_CONNECTIONS
-              value: "1"
             - name: FF_IO_THREADS
               value: {{ $cpuCores | quote }}
             - name: FF_DATAFUSION_THREADS

charts/logfire/templates/logfire-frontend-service.yaml

@@ -103,6 +103,10 @@ spec:
               value: ""
             - name: OTEL_SERVICE_NAME
               value: {{ $serviceName }}
+            {{- if (index .Values "logfire-ai-gateway" "enabled") }}
+            - name: PUBLIC_GATEWAY_HOST
+              value: {{ include "logfire.publicGatewayHost" . | trim | quote }}
+            {{- end }}
             {{ if eq (.Values.ingress.tls | default false) false }}
             - name: E2E
               value: "true"

charts/logfire/templates/logfire-remote-mcp.yaml

@@ -146,16 +146,6 @@ spec:
             value: "{{ include "logfire.scheme" . }}://logfire-ff-query-api"
           - name: FUSIONFIRE_QUERY_PORT
             value: "{{ include "logfire.port" (dict "port" 8011 "root" .) }}"
-          {{- /* MCP OAuth2 is not supported without TLS for hostnames different than localhost */ -}}
-          {{- if or (include "logfire.effective_tls" . | eq "true") (eq (include "logfire.primary_hostname" .) "localhost") }}
-          - name: LOGFIRE_OAUTH_CLIENT_ID
-            value: "logfire-mcp"
-          - name: LOGFIRE_OAUTH_CLIENT_SECRET
-            valueFrom:
-              secretKeyRef:
-                name: {{ include "logfire.secretName" (dict "ctx" . "secretName" "logfire-mcp-oauth-client-secret") }}
-                key: logfire-mcp-oauth-client-secret
-          {{- end }}
           - name: LOGFIRE_REGION
             value: {{ .Values.logfireRegion | default "local" }}
           - name: ALLOWED_HOSTS

charts/logfire/templates/logfire-service-config.yaml

@@ -71,10 +71,11 @@ stringData:
       acl path_ingest path_reg -i ^/v1/(traces|metrics|logs)$
       acl path_dex path_beg /auth-api
       acl path_backend path_reg -i ^/(ui-api|v1|api)/
+      acl path_backend path_beg /.well-known/oauth-authorization-server /.well-known/openid-configuration
       {{- if (index .Values "logfire-ai-gateway" "enabled") }}
-      acl path_ai_gateway path_beg /proxy
+      acl path_ai_gateway path_beg /proxy /.well-known/oauth-protected-resource/proxy
       {{- end }}
-      acl path_remote_mcp path_beg /mcp /.well-known/oauth-authorization-server/mcp /.well-known/oauth-protected-resource/mcp
+      acl path_remote_mcp path_beg /mcp /.well-known/oauth-protected-resource/mcp
 
 
       use_backend logfire-ingest if path_ingest

charts/logfire/templates/logfire-worker.yaml

@@ -108,6 +108,10 @@ spec:
               value: http://logfire-otel-collector:4317
             - name: FRONTEND_HOST
               value: {{ include "logfire.url" . | quote }}
+            {{- with .Values.ai.model }}
+            - name: AI_MODEL_DEFAULT
+              value: {{ . }}
+            {{- end }}
             - name: USAGE_TO_BUCKET_BUCKET_NAME
               value: {{ .Values.objectStore.uri }}/usage
             - name: UNSUBSCRIBE_SECRET

charts/logfire/values.yaml

@@ -309,6 +309,12 @@ ai:
   # -- AI provider+model string. Prefix the model with the provider (e.g., `azure:gpt-4o`).
   # See https://ai.pydantic.dev/models/ for more information.
   model:
+  # -- AI provider+model string for chat-oriented workloads. Falls back to `ai.model` in the application when unset.
+  chatModel:
+  # -- Enterprise default AI provider+model string.
+  enterpriseModel:
+  # -- Enterprise chat AI provider+model string.
+  enterpriseChatModel:
 
   openAi:
     # -- OpenAI API key. Can be a plain string or a map with valueFrom (e.g., secretKeyRef).
@@ -643,6 +649,16 @@ logfire-ai-gateway:
 #     maxUnavailable: 1
 #     minAvailable: 1
 
+# -- AI gateway OAuth metadata configuration.
+# If left empty, the chart derives self-hosted defaults from the primary Logfire URL:
+#   resourceUrl = <logfire.url>/proxy
+#   issuer      = <logfire.url>
+aiGatewayOauth:
+  # -- Public AI gateway resource URL (RFC 8707 audience).
+  resourceUrl: ""
+  # -- OAuth authorization server issuer URL used by the AI gateway.
+  issuer: ""
+
 
 # -- Autoscaling & resources for the `logfire-remote-mcp` pod
 # logfire-remote-mcp: