arizephoenix/phoenix-helm

By arizephoenix

Updated about 8 hours ago

Helm
1

100K+

arizephoenix/phoenix-helm repository overview

phoenix-helm

Version: 10.0.0 Type: application AppVersion: 18.0.0

Phoenix is an open-source AI observability platform designed for experimentation, evaluation, and troubleshooting. For instructions on how to deploy this Helm chart, see the self-hosting docs.

  • Tracing - Trace your LLM application's runtime using OpenTelemetry-based instrumentation.
  • Evaluation - Leverage LLMs to benchmark your application's performance using response and retrieval evals.
  • Datasets - Create versioned datasets of examples for experimentation, evaluation, and fine-tuning.
  • Experiments - Track and evaluate changes to prompts, LLMs, and retrieval.
  • Playground- Optimize prompts, compare models, adjust parameters, and replay traced LLM calls.
  • Prompt Management- Manage and test prompt changes systematically using version control, tagging, and experimentation.

Homepage: https://phoenix.arize.com/

Maintainers

Source Code

Requirements

RepositoryNameVersion
https://groundhog2k.github.io/helm-charts/postgresql(postgres)1.5.8

Values

KeyTypeDefaultDescription
additionalEnvlist[]Additional environment variables to add to the deployments pod spec For supported environment variables see https://arize.com/docs/phoenix/self-hosting/configuration#environment-variables Should only be used for capabilities not exposed via the helm chart directly
auth.accessTokenExpiryMinutesint60Duration in minutes before access tokens expire and require renewal (PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES)
auth.adminsstring""Semicolon-separated list of username and email pairs to create as admin users on startup (PHOENIX_ADMINS) Format: "username=email;username2=email2" (e.g., "John Doe=[email protected];Jane Doe=[email protected]") These users will be created with random passwords that must be reset on first login
auth.allowedOriginslist[]List of allowed CORS origins for cross-origin requests to the Phoenix API (PHOENIX_ALLOWED_ORIGINS)
auth.bruteForceLoginProtectionMaxAttemptsint5Maximum failed login attempts before temporary lockout (PHOENIX_BRUTE_FORCE_LOGIN_PROTECTION_MAX_ATTEMPTS) Only applies when brute force protection is enabled. Lockout duration is 5 minutes.
auth.cookiesPathstring"/"Cookie path for authentication cookies (PHOENIX_COOKIES_PATH) Set this when Phoenix is hosted under a sub-path
auth.createSecretbooltrueCreate Secret Boolean - Should the secret be created. If False and auth is enabled, this must preexist
auth.csrfTrustedOriginslist[]List of trusted origins for CSRF protection to prevent cross-site request forgery attacks (PHOENIX_CSRF_TRUSTED_ORIGINS)
auth.defaultAdminPasswordstring"admin"Default password for the admin user on initial setup (PHOENIX_DEFAULT_ADMIN_INITIAL_PASSWORD)
auth.disableBasicAuthboolfalseDisable password-based authentication (PHOENIX_DISABLE_BASIC_AUTH) When true, users can only authenticate via OAuth2/OIDC. Useful for SSO-only deployments.
auth.disableBruteForceLoginProtectionboolfalseDisable brute force login protection (PHOENIX_DISABLE_BRUTE_FORCE_LOGIN_PROTECTION) When false (default), repeated failed logins will temporarily lock the account
auth.enableAuthbooltrueEnable authentication and authorization for Phoenix (PHOENIX_ENABLE_AUTH)
auth.enableStrongPasswordPolicyboolfalseEnable strong password policy requiring 12+ characters with uppercase, lowercase, digit, and special character (PHOENIX_ENABLE_STRONG_PASSWORD_POLICY)
auth.ldap.allowSignUpbooltrueAllow automatic user creation on first LDAP login. Set to false to require pre-provisioned users.
auth.ldap.attrDisplayNamestring"displayName"LDAP attribute containing user's display name.
auth.ldap.attrEmailstring"mail"LDAP attribute containing user's email address. Valid values: - "mail" (or other attribute name): Use that LDAP attribute for email - "null": No-email mode for directories without email When using no-email mode ("null"): - attrUniqueId is REQUIRED (users identified by unique ID instead of email) - allowSignUp must be true (users auto-provisioned on first login) - auth.admins cannot be used (use groupRoleMappings for admin assignment)
auth.ldap.attrMemberOfstring"memberOf"LDAP attribute containing group memberships (default: "memberOf"). Used when groupSearchFilter is not set (Active Directory mode). Typical values: "memberOf" (AD, OpenLDAP with memberOf overlay)
auth.ldap.attrUniqueIdstring""LDAP attribute containing an immutable unique identifier. REQUIRED when attrEmail is "null" (no-email mode). Also recommended if you expect user emails to change frequently. Active Directory: "objectGUID", OpenLDAP: "entryUUID", 389 DS: "nsUniqueId"
auth.ldap.bindDnstring""Service account DN for binding to LDAP server. Example: "CN=svc-phoenix,OU=Service Accounts,DC=corp,DC=com"
auth.ldap.bindPasswordstring""Service account password for binding to LDAP server. Can be set directly here or via auth.secret with key PHOENIX_LDAP_BIND_PASSWORD
auth.ldap.enabledboolfalseEnable LDAP authentication
auth.ldap.groupRoleMappingsstring"[]"JSON array mapping LDAP groups to Phoenix roles. Format: [{"group_dn": "CN=Phoenix Admins,OU=Groups,DC=corp,DC=com", "role": "ADMIN"}] Supported roles: "ADMIN", "MEMBER", "VIEWER" (case-insensitive) Special group_dn value "*" matches all users (wildcard for default role)
auth.ldap.groupSearchBaseDnslist[]List of base DNs for group searches. Required when groupSearchFilter is set. Example: ["ou=groups,dc=example,dc=com"] Multiple: ["ou=groups,dc=corp,dc=com", "ou=teams,dc=corp,dc=com"]
auth.ldap.groupSearchFilterstring""LDAP filter for finding groups. Use %s as placeholder for user identifier. Two modes: - AD Mode (not set, recommended for Active Directory): Reads memberOf from user entry - Search Mode (set): Searches for groups containing the user Example for POSIX: "(&(objectClass=posixGroup)(memberUid=%s))"
auth.ldap.groupSearchFilterUserAttrstring""LDAP attribute from the user entry to substitute for %s in groupSearchFilter. When set: Reads the specified attribute from the user's LDAP entry When not set (default): Uses the login username directly Understanding group types: - POSIX (memberUid): Contains usernames like "jdoe" → use default or "uid" - groupOfNames (member): Contains full DNs → use "distinguishedName" (AD only) Note: OpenLDAP does not expose DN as an attribute. For groupOfNames with OpenLDAP, use memberOf overlay instead (AD mode).
auth.ldap.hoststring""LDAP server hostname (required when enabled). Comma-separated for multiple servers with failover. Examples: "ldap.corp.com" or "dc1.corp.com,dc2.corp.com,dc3.corp.com"
auth.ldap.portstring""LDAP server port. Defaults to 389 for StartTLS, 636 for LDAPS.
auth.ldap.tlsCaCertFilestring""Path to custom CA certificate file (PEM format) for TLS verification. Use when LDAP server uses a private/internal CA not in the system trust store.
auth.ldap.tlsClientCertFilestring""Path to client certificate file (PEM format) for mutual TLS authentication. Requires tlsClientKeyFile to also be set.
auth.ldap.tlsClientKeyFilestring""Path to client private key file (PEM format) for mutual TLS authentication. Requires tlsClientCertFile to also be set.
auth.ldap.tlsModestring"starttls"TLS connection mode: "starttls", "ldaps", or "none" - starttls: Upgrade from plaintext to TLS on port 389 (recommended) - ldaps: TLS from connection start on port 636 - none: No encryption (testing only, credentials sent in plaintext)
auth.ldap.tlsVerifybooltrueVerify TLS certificates. Should always be true in production.
auth.ldap.userSearchBaseDnslist[]List of base DNs for user searches (required when enabled). Searched in order. Example: ["OU=Users,DC=corp,DC=com"] Multiple: ["OU=Employees,DC=corp,DC=com", "OU=Contractors,DC=corp,DC=com"]
auth.ldap.userSearchFilterstring"(&(objectClass=user)(sAMAccountName=%s))"LDAP filter for finding users. Use %s as placeholder for username. Default for Active Directory: "(&(objectClass=user)(sAMAccountName=%s))" OpenLDAP example: "(&(objectClass=inetOrgPerson)(uid=%s))"
auth.namestring"phoenix-secret"Name of the Kubernetes secret containing authentication credentials
auth.oauth2.enabledboolfalseEnable OAuth2/OIDC authentication
auth.oauth2.providersstringnilList of OAuth2 identity providers to configure Each provider requires client_id, client_secret (unless token_endpoint_auth_method="none"), and oidc_config_url You can also define corresponding ENVs via auth.secrets[].valueFrom to use existing secrets ENVs: PHOENIX_OAUTH2_{{ $provider_upper }}_{{ setting }}, e.g. PHOENIX_OAUTH2_GOOGLE_CLIENT_SECRET
auth.passwordResetTokenExpiryMinutesint60Duration in minutes before password reset tokens expire (PHOENIX_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES)
auth.refreshTokenExpiryMinutesint43200Duration in minutes before refresh tokens expire (PHOENIX_REFRESH_TOKEN_EXPIRY_MINUTES)
auth.secret[0]object{"key":"PHOENIX_SECRET","value":""}Environment variable name for the main Phoenix secret key used for encryption
auth.secret[0].valuestring""Autogenerated if empty
auth.secret[1]object{"key":"PHOENIX_ADMIN_SECRET","value":""}Environment variable name for the admin secret key
auth.secret[1].valuestring""Autogenerated if empty
auth.secret[2]object{"key":"PHOENIX_POSTGRES_PASSWORD","value":"postgres"}Environment variable name for the PostgreSQL password
auth.secret[2].valuestring"postgres"If using postgres in this chart, password must match with database.postgres.password
auth.secret[3]object{"key":"PHOENIX_SMTP_PASSWORD","value":""}Environment variable name for the SMTP password
auth.secret[3].valuestring""Autogenerated if empty
auth.secret[4]object{"key":"PHOENIX_DEFAULT_ADMIN_INITIAL_PASSWORD","value":""}Environment variable name for the default admin password
auth.secret[4].valuestring""Default password for the admin user on initial setup, uses defaultAdminPassword if empty
auth.useSecureCookiesboolfalseEnable secure cookies (should be true when using HTTPS)
database.allocatedStorageGiBint20Storage allocation in GiB for the database persistent volume
database.defaultRetentionPolicyDaysint0Default retention policy for traces in days (PHOENIX_DEFAULT_RETENTION_POLICY_DAYS) Set to 0 to disable automatic trace cleanup. When set to a positive value, traces older than this many days will be automatically removed from the database.
database.postgres.azureScopestring""Azure scope URL for PostgreSQL access token requests (PHOENIX_POSTGRES_AZURE_SCOPE) When empty, Phoenix uses the default Azure Database for PostgreSQL - Flexible Server scope (https://ossrdbms-aad.database.windows.net/.default). Override for sovereign clouds such as Azure Government (https://ossrdbms-aad.database.usgovcloudapi.net/.default). Only used when useAzureManagedIdentity is true.
database.postgres.dbstring"phoenix"Name of the PostgreSQL database (PHOENIX_POSTGRES_DB)
database.postgres.hoststring""Postgres Host (PHOENIX_POSTGRES_HOST) Default points to the groundhog2k PostgreSQL service when postgresql.enabled=true IMPORTANT: Only change this when using external PostgreSQL (postgresql.enabled=false, database.url empty) Examples: "localhost", "postgres.example.com", "your-rds-endpoint.region.rds.amazonaws.com"
database.postgres.passwordstring"postgres"PostgreSQL password (should match auth.secret."PHOENIX_POSTGRES_PASSWORD", PHOENIX_POSTGRES_PASSWORD)
database.postgres.portint5432Port number for PostgreSQL connections (PHOENIX_POSTGRES_PORT)
database.postgres.schemastring""PostgreSQL schema to use (PHOENIX_SQL_DATABASE_SCHEMA). When empty, the chart omits the env var and Phoenix uses the default schema (typically public).
database.postgres.useAwsIamAuthboolfalseEnable AWS RDS IAM authentication for PostgreSQL (PHOENIX_POSTGRES_USE_AWS_IAM_AUTH) When enabled, Phoenix will use AWS IAM credentials to generate short-lived authentication tokens instead of using a static password. Requires aioboto3 to be installed: pip install 'arize-phoenix[aws]' IMPORTANT: When enabled, do not set database.postgres.password
database.postgres.useAzureManagedIdentityboolfalseEnable Azure managed identity authentication for PostgreSQL (PHOENIX_POSTGRES_USE_AZURE_MANAGED_IDENTITY) When enabled, Phoenix will use Azure DefaultAzureCredential to obtain short-lived authentication tokens instead of using a static password. Requires azure-identity to be installed: pip install 'arize-phoenix[azure]'. Cannot be used with useAwsIamAuth. IMPORTANT: When enabled, do not set database.postgres.password
database.postgres.userstring"postgres"PostgreSQL username (PHOENIX_POSTGRES_USER)
database.readReplicaUrlstring""Optional PostgreSQL read replica URL for read-only query routing (PHOENIX_SQL_DATABASE_READ_REPLICA_URL) When set, Phoenix routes read-only queries to this replica while keeping writes on the primary. Ignored for SQLite deployments.
database.urlstring""Full database connection URL (overrides postgres settings if provided) IMPORTANT: Only set this for external databases (Strategy 3) - When using SQLite (Strategy 1): MUST be empty - SQLite auto-uses persistent volume - When using built-in PostgreSQL (Strategy 2): MUST be empty - auto-configured - When using external database (Strategy 3): MUST be configured with full connection string Examples for external databases: PostgreSQL: "postgresql://username:[email protected]:5432/phoenix" SQLite: "sqlite:///path/to/database.db" (only for external SQLite files, not recommended) WARNING: Setting this will override all database.postgres.* settings and disable built-in PostgreSQL validation
deployment.affinityobject{}
deployment.nodeSelectorobject{}
deployment.strategyobject{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"},"type":"RollingUpdate"}Deployment strategy
deployment.tolerationslist[]Tolerations, nodeSelector and affinity For Pod scheduling strategy on the nodes
extraVolumeMountslist[]Extra Volume Mounts
extraVolumeslist[]Extra Volumes configuration
healthChecksobject{"livenessProbe":{"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"readinessProbe":{"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":3},"startupProbe":{"enabled":true,"failureThreshold":30,"initialDelaySeconds":1,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}}Health check configuration
healthChecks.livenessProbeobject{"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5}Liveness probe configuration
healthChecks.livenessProbe.failureThresholdint3Number of failures before container is restarted
healthChecks.livenessProbe.initialDelaySecondsint0Initial delay before liveness probe starts
healthChecks.livenessProbe.periodSecondsint10How often to perform the liveness probe
healthChecks.livenessProbe.successThresholdint1Number of consecutive successes for the probe to be considered successful
healthChecks.livenessProbe.timeoutSecondsint5Timeout for liveness probe
healthChecks.readinessProbeobject{"failureThreshold":3,"initialDelaySeconds":0,"periodSeconds":5,"successThreshold":1,"timeoutSeconds":3}Readiness probe configuration
healthChecks.readinessProbe.failureThresholdint3Number of failures before pod is marked unready
healthChecks.readinessProbe.initialDelaySecondsint0Initial delay before readiness probe starts
healthChecks.readinessProbe.periodSecondsint5How often to perform the readiness probe
healthChecks.readinessProbe.successThresholdint1Number of consecutive successes for the probe to be considered successful
healthChecks.readinessProbe.timeoutSecondsint3Timeout for readiness probe
healthChecks.startupProbeobject{"enabled":true,"failureThreshold":30,"initialDelaySeconds":1,"periodSeconds":1,"successThreshold":1,"timeoutSeconds":1}Startup probe configuration
healthChecks.startupProbe.enabledbooltrueEnable startup probe
healthChecks.startupProbe.failureThresholdint30Number of failures before container is considered failed to start
healthChecks.startupProbe.initialDelaySecondsint1Initial delay before startup probe starts
healthChecks.startupProbe.periodSecondsint1How often to perform the startup probe
healthChecks.startupProbe.successThresholdint1Number of consecutive successes for the probe to be considered successful
healthChecks.startupProbe.timeoutSecondsint1Timeout for startup probe
image.pullPolicystring"IfNotPresent"Image pull policy for Phoenix container (Always, IfNotPresent, or Never)
image.registrystring"docker.io"Docker image registry for Phoenix
image.repositorystring"arizephoenix/phoenix"Docker image repository for Phoenix
image.tagstring"version-18.0.0-nonroot"Docker image tag/version to deploy
ingress.annotationsobject{}Annotations to add to the ingress resource
ingress.apiPathstring"/"Path prefix for the Phoenix API
ingress.enabledbooltrueEnable ingress controller for external access
ingress.hoststring""Hostname for ingress
ingress.labelsobject{}Labels to add to the ingress resource
ingress.pathTypestring"Prefix"Ingress path type (Prefix, Exact, or ImplementationSpecific)
ingress.tls.enabledboolfalseEnable TLS/HTTPS for ingress
instrumentation.otlpTraceCollectorGrpcEndpointstring""OpenTelemetry collector gRPC endpoint for sending traces (PHOENIX_SERVER_INSTRUMENTATION_OTLP_TRACE_COLLECTOR_GRPC_ENDPOINT)
instrumentation.otlpTraceCollectorHttpEndpointstring""OpenTelemetry collector HTTP endpoint for sending traces (PHOENIX_SERVER_INSTRUMENTATION_OTLP_TRACE_COLLECTOR_HTTP_ENDPOINT)
logging.dbLevelstring"warning"Database logging level (debug, info, warning, error) PHOENIX_DB_LOGGING_LEVEL
logging.levelstring"info"Application logging level (debug, info, warning, error) PHOENIX_LOGGING_LEVEL
logging.logMigrationsbooltrueEnable logging of database migration operations (PHOENIX_LOG_MIGRATIONS)
logging.logSqlboolfalseLog all SQL statements to stdout for debugging (PHOENIX_LOG_SQL)
logging.modestring"default"Logging mode configuration - PHOENIX_LOGGING_MODE (default
persistence.accessModeslist["ReadWriteOnce"]Access modes for the persistent volume
persistence.annotationsobject{}Annotations to add to the PVC
persistence.enabledboolfalseEnable persistent storage for Phoenix home directory When enabled, Phoenix uses SQLite for local storage stored in the persistent volume IMPORTANT: Cannot be enabled simultaneously with postgresql.enabled=true NOTE: This setting is ignored when database.url="sqlite:///:memory:" (in-memory database) Choose one persistence strategy: - SQLite: persistence.enabled=true, postgresql.enabled=false - SQLite In-memory: persistence.inMemory=true , postgresql.enabled=false - groundhog2k PostgreSQL: persistence.enabled=false, postgresql.enabled=true - External DB: persistence.enabled=false, postgresql.enabled=false, database.url configured
persistence.inMemoryboolfalseEnable in-memory configuration of sqlite strategy
persistence.labelsobject{}Labels to add to the PVC
persistence.sizestring"20Gi"Size of the persistent volume for Phoenix home directory
persistence.storageClassstring""Kubernetes storage class for Phoenix home volume
postgresql.enabledbooltrueEnable PostgreSQL deployment. Set to false if you have your own postgres instance (e.g., RDS, CloudSQL) When disabled, you must configure database.url or database.postgres settings to point to your external database IMPORTANT: Cannot be enabled simultaneously with persistence.enabled=true (for SQLite) Choose one persistence strategy: - groundhog2k PostgreSQL: postgresql.enabled=true, persistence.enabled=false - SQLite: postgresql.enabled=false, persistence.enabled=true - External DB: postgresql.enabled=false, persistence.enabled=false, database.url configured
postgresql.image.registrystring"docker.io"
postgresql.image.repositorystring"postgres"
postgresql.image.tagstring"16"
postgresql.podSecurityContextobject{"fsGroup":999,"supplementalGroups":[999]}Security context for PostgreSQL container
postgresql.resourcesobject{"limits":{"cpu":"500m","memory":"512Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}Resource limits
postgresql.securityContext.allowPrivilegeEscalationboolfalse
postgresql.securityContext.privilegedboolfalse
postgresql.securityContext.readOnlyRootFilesystembooltrue
postgresql.securityContext.runAsGroupint999
postgresql.securityContext.runAsNonRootbooltrue
postgresql.securityContext.runAsUserint999
postgresql.serviceobject{"port":5432,"type":"ClusterIP"}Service configuration
postgresql.settingsobject{"superuserPassword":{"value":"postgres"}}Database settings
postgresql.storageobject{"accessModes":["ReadWriteOnce"],"requestedSize":"20Gi"}Storage configuration
postgresql.userDatabaseobject{"name":{"value":"phoenix"},"password":{"value":"phoenix"},"user":{"value":"phoenix"}}User database configuration
replicaCountint1Number of Phoenix pod replicas
resourcesobject{"limits":{"cpu":"1000m","memory":"2Gi"},"requests":{"cpu":"500m","memory":"1Gi"}}Resource configuration
sandbox.allowedProvidersstring""Comma-separated allowlist of sandbox providers (PHOENIX_ALLOWED_SANDBOX_PROVIDERS) Accepted values: WASM, E2B, DAYTONA, VERCEL, DENO, MODAL (case-insensitive) When empty, the chart omits the env var and all providers are allowed. Set to "NONE" to disable all sandbox providers. Example: "WASM,DENO"
securityContextobject`{"container":{"allowPrivilegeEscalation":false,"capabilities":{"add":[],"drop":["ALL"]},"enabled":false,"privileged":false,"procMount":"Default","readOnlyRootFilesystem":true,"runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seLinuxOptions":{},"seccompProfile":{"type":"RuntimeDefault"},"windowsOptions":{}},"pod":{"enabled":false,"fsGroup":65532,"fsGroupChangePolicy":"OnRootMismatch","runAsGroup":65532,"runAsNonRoot":true,"runAsUser":65532,"seLinuxOptions":{},"seccompProfile":{"type":"RuntimeDefault"},"supplementalGroups":[],"sysctls":[],"windowsOptio

Tag summary

Content type

Helm

Digest

sha256:fa3beb12b

Size

36.6 kB

Last updated

about 8 hours ago

helm pull oci://registry-1.docker.io/arizephoenix/phoenix-helm --version 10.0.0