1546 lines
53 KiB
YAML
1546 lines
53 KiB
YAML
|
global:
|
||
|
# -- Overrides the Docker registry globally for all images
|
||
|
imageRegistry: null
|
||
|
|
||
|
# To help compatibility with other charts which use global.imagePullSecrets.
|
||
|
# Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style).
|
||
|
# Can be templated.
|
||
|
# global:
|
||
|
# imagePullSecrets:
|
||
|
# - name: pullSecret1
|
||
|
# - name: pullSecret2
|
||
|
# or
|
||
|
# global:
|
||
|
# imagePullSecrets:
|
||
|
# - pullSecret1
|
||
|
# - pullSecret2
|
||
|
imagePullSecrets: []
|
||
|
|
||
|
rbac:
|
||
|
create: true
|
||
|
## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
|
||
|
# useExistingRole: name-of-some-role
|
||
|
# useExistingClusterRole: name-of-some-clusterRole
|
||
|
pspEnabled: false
|
||
|
pspUseAppArmor: false
|
||
|
namespaced: false
|
||
|
extraRoleRules: []
|
||
|
# - apiGroups: []
|
||
|
# resources: []
|
||
|
# verbs: []
|
||
|
extraClusterRoleRules: []
|
||
|
# - apiGroups: []
|
||
|
# resources: []
|
||
|
# verbs: []
|
||
|
serviceAccount:
|
||
|
create: true
|
||
|
name:
|
||
|
nameTest:
|
||
|
## ServiceAccount labels.
|
||
|
labels: {}
|
||
|
## Service account annotations. Can be templated.
|
||
|
# annotations:
|
||
|
# eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
|
||
|
|
||
|
## autoMount is deprecated in favor of automountServiceAccountToken
|
||
|
# autoMount: false
|
||
|
automountServiceAccountToken: false
|
||
|
|
||
|
replicas: 1
|
||
|
|
||
|
## Create a headless service for the deployment
|
||
|
headlessService: false
|
||
|
|
||
|
## Should the service account be auto mounted on the pod
|
||
|
automountServiceAccountToken: true
|
||
|
|
||
|
## Create HorizontalPodAutoscaler object for deployment type
|
||
|
#
|
||
|
autoscaling:
|
||
|
enabled: false
|
||
|
minReplicas: 1
|
||
|
maxReplicas: 5
|
||
|
targetCPU: "60"
|
||
|
targetMemory: ""
|
||
|
behavior: {}
|
||
|
|
||
|
## See `kubectl explain poddisruptionbudget.spec` for more
|
||
|
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
|
||
|
podDisruptionBudget: {}
|
||
|
# apiVersion: ""
|
||
|
# minAvailable: 1
|
||
|
# maxUnavailable: 1
|
||
|
|
||
|
## See `kubectl explain deployment.spec.strategy` for more
|
||
|
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
|
||
|
deploymentStrategy:
|
||
|
type: RollingUpdate
|
||
|
|
||
|
readinessProbe:
|
||
|
httpGet:
|
||
|
path: /api/health
|
||
|
port: 3000
|
||
|
|
||
|
livenessProbe:
|
||
|
httpGet:
|
||
|
path: /api/health
|
||
|
port: 3000
|
||
|
initialDelaySeconds: 60
|
||
|
timeoutSeconds: 30
|
||
|
failureThreshold: 10
|
||
|
|
||
|
## Use an alternate scheduler, e.g. "stork".
|
||
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
||
|
##
|
||
|
# schedulerName: "default-scheduler"
|
||
|
|
||
|
image:
|
||
|
# -- The Docker registry
|
||
|
registry: docker.io
|
||
|
# -- Docker image repository
|
||
|
repository: grafana/grafana
|
||
|
# Overrides the Grafana image tag whose default is the chart appVersion
|
||
|
tag: ""
|
||
|
sha: ""
|
||
|
pullPolicy: IfNotPresent
|
||
|
|
||
|
## Optionally specify an array of imagePullSecrets.
|
||
|
## Secrets must be manually created in the namespace.
|
||
|
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
||
|
## Can be templated.
|
||
|
##
|
||
|
pullSecrets: []
|
||
|
# - myRegistrKeySecretName
|
||
|
|
||
|
testFramework:
|
||
|
enabled: true
|
||
|
## The type of Helm hook used to run this test. Defaults to test.
|
||
|
## ref: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
|
||
|
##
|
||
|
# hookType: test
|
||
|
image:
|
||
|
# -- The Docker registry
|
||
|
registry: docker.io
|
||
|
repository: bats/bats
|
||
|
tag: "v1.4.1"
|
||
|
imagePullPolicy: IfNotPresent
|
||
|
securityContext: {}
|
||
|
resources: {}
|
||
|
# limits:
|
||
|
# cpu: 100m
|
||
|
# memory: 128Mi
|
||
|
# requests:
|
||
|
# cpu: 100m
|
||
|
# memory: 128Mi
|
||
|
|
||
|
# dns configuration for pod
|
||
|
dnsPolicy: ~
|
||
|
dnsConfig: {}
|
||
|
# nameservers:
|
||
|
# - 8.8.8.8
|
||
|
# options:
|
||
|
# - name: ndots
|
||
|
# value: "2"
|
||
|
# - name: edns0
|
||
|
|
||
|
securityContext:
|
||
|
runAsNonRoot: true
|
||
|
runAsUser: 472
|
||
|
runAsGroup: 472
|
||
|
fsGroup: 472
|
||
|
|
||
|
containerSecurityContext:
|
||
|
allowPrivilegeEscalation: false
|
||
|
capabilities:
|
||
|
drop:
|
||
|
- ALL
|
||
|
seccompProfile:
|
||
|
type: RuntimeDefault
|
||
|
|
||
|
# Enable creating the grafana configmap
|
||
|
createConfigmap: true
|
||
|
|
||
|
# Extra configmaps to mount in grafana pods
|
||
|
# Values are templated.
|
||
|
extraConfigmapMounts: []
|
||
|
# - name: certs-configmap
|
||
|
# mountPath: /etc/grafana/ssl/
|
||
|
# subPath: certificates.crt # (optional)
|
||
|
# configMap: certs-configmap
|
||
|
# readOnly: true
|
||
|
# optional: false
|
||
|
|
||
|
|
||
|
extraEmptyDirMounts: []
|
||
|
# - name: provisioning-notifiers
|
||
|
# mountPath: /etc/grafana/provisioning/notifiers
|
||
|
|
||
|
|
||
|
# Apply extra labels to common labels.
|
||
|
extraLabels: {}
|
||
|
|
||
|
## Assign a PriorityClassName to pods if set
|
||
|
# priorityClassName:
|
||
|
|
||
|
downloadDashboardsImage:
|
||
|
# -- The Docker registry
|
||
|
registry: docker.io
|
||
|
repository: curlimages/curl
|
||
|
tag: 7.85.0
|
||
|
sha: ""
|
||
|
pullPolicy: IfNotPresent
|
||
|
|
||
|
downloadDashboards:
|
||
|
env: {}
|
||
|
envFromSecret: ""
|
||
|
resources: {}
|
||
|
securityContext:
|
||
|
allowPrivilegeEscalation: false
|
||
|
capabilities:
|
||
|
drop:
|
||
|
- ALL
|
||
|
seccompProfile:
|
||
|
type: RuntimeDefault
|
||
|
envValueFrom: {}
|
||
|
# ENV_NAME:
|
||
|
# configMapKeyRef:
|
||
|
# name: configmap-name
|
||
|
# key: value_key
|
||
|
|
||
|
## Pod Annotations
|
||
|
# podAnnotations: {}
|
||
|
|
||
|
## ConfigMap Annotations
|
||
|
# configMapAnnotations: {}
|
||
|
# argocd.argoproj.io/sync-options: Replace=true
|
||
|
|
||
|
## Pod Labels
|
||
|
# podLabels: {}
|
||
|
|
||
|
podPortName: grafana
|
||
|
gossipPortName: gossip
|
||
|
## Deployment annotations
|
||
|
# annotations: {}
|
||
|
|
||
|
## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
|
||
|
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
|
||
|
## ref: http://kubernetes.io/docs/user-guide/services/
|
||
|
##
|
||
|
service:
|
||
|
enabled: true
|
||
|
type: ClusterIP
|
||
|
# Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
|
||
|
ipFamilyPolicy: ""
|
||
|
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
|
||
|
ipFamilies: []
|
||
|
loadBalancerIP: ""
|
||
|
loadBalancerClass: ""
|
||
|
loadBalancerSourceRanges: []
|
||
|
port: 80
|
||
|
targetPort: 3000
|
||
|
# targetPort: 4181 To be used with a proxy extraContainer
|
||
|
## Service annotations. Can be templated.
|
||
|
annotations: {}
|
||
|
labels: {}
|
||
|
portName: service
|
||
|
# Adds the appProtocol field to the service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
|
||
|
appProtocol: ""
|
||
|
|
||
|
serviceMonitor:
|
||
|
## If true, a ServiceMonitor CR is created for a prometheus operator
|
||
|
## https://github.com/coreos/prometheus-operator
|
||
|
##
|
||
|
enabled: false
|
||
|
path: /metrics
|
||
|
# namespace: monitoring (defaults to use the namespace this chart is deployed to)
|
||
|
labels: {}
|
||
|
interval: 30s
|
||
|
scheme: http
|
||
|
tlsConfig: {}
|
||
|
scrapeTimeout: 30s
|
||
|
relabelings: []
|
||
|
metricRelabelings: []
|
||
|
targetLabels: []
|
||
|
|
||
|
extraExposePorts: []
|
||
|
# - name: keycloak
|
||
|
# port: 8080
|
||
|
# targetPort: 8080
|
||
|
|
||
|
# overrides pod.spec.hostAliases in the grafana deployment's pods
|
||
|
hostAliases: []
|
||
|
# - ip: "1.2.3.4"
|
||
|
# hostnames:
|
||
|
# - "my.host.com"
|
||
|
|
||
|
ingress:
|
||
|
enabled: false
|
||
|
# For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
|
||
|
# See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
|
||
|
# ingressClassName: nginx
|
||
|
# Values can be templated
|
||
|
annotations: {}
|
||
|
# kubernetes.io/ingress.class: nginx
|
||
|
# kubernetes.io/tls-acme: "true"
|
||
|
labels: {}
|
||
|
path: /
|
||
|
|
||
|
# pathType is only for k8s >= 1.1=
|
||
|
pathType: Prefix
|
||
|
|
||
|
hosts:
|
||
|
- chart-example.local
|
||
|
## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
|
||
|
extraPaths: []
|
||
|
# - path: /*
|
||
|
# backend:
|
||
|
# serviceName: ssl-redirect
|
||
|
# servicePort: use-annotation
|
||
|
## Or for k8s > 1.19
|
||
|
# - path: /*
|
||
|
# pathType: Prefix
|
||
|
# backend:
|
||
|
# service:
|
||
|
# name: ssl-redirect
|
||
|
# port:
|
||
|
# name: use-annotation
|
||
|
|
||
|
|
||
|
tls: []
|
||
|
# - secretName: chart-example-tls
|
||
|
# hosts:
|
||
|
# - chart-example.local
|
||
|
|
||
|
# -- BETA: Configure the gateway routes for the chart here.
|
||
|
# More routes can be added by adding a dictionary key like the 'main' route.
|
||
|
# Be aware that this is an early beta of this feature,
|
||
|
# kube-prometheus-stack does not guarantee this works and is subject to change.
|
||
|
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
|
||
|
# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
|
||
|
route:
|
||
|
main:
|
||
|
# -- Enables or disables the route
|
||
|
enabled: false
|
||
|
|
||
|
# -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
|
||
|
apiVersion: gateway.networking.k8s.io/v1
|
||
|
# -- Set the route kind
|
||
|
# Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
|
||
|
kind: HTTPRoute
|
||
|
|
||
|
annotations: {}
|
||
|
labels: {}
|
||
|
|
||
|
hostnames: []
|
||
|
# - my-filter.example.com
|
||
|
parentRefs: []
|
||
|
# - name: acme-gw
|
||
|
|
||
|
matches:
|
||
|
- path:
|
||
|
type: PathPrefix
|
||
|
value: /
|
||
|
|
||
|
## Filters define the filters that are applied to requests that match this rule.
|
||
|
filters: []
|
||
|
|
||
|
## Additional custom rules that can be added to the route
|
||
|
additionalRules: []
|
||
|
|
||
|
resources: {}
|
||
|
# limits:
|
||
|
# cpu: 100m
|
||
|
# memory: 128Mi
|
||
|
# requests:
|
||
|
# cpu: 100m
|
||
|
# memory: 128Mi
|
||
|
|
||
|
## Node labels for pod assignment
|
||
|
## ref: https://kubernetes.io/docs/user-guide/node-selection/
|
||
|
#
|
||
|
nodeSelector: {}
|
||
|
|
||
|
## Tolerations for pod assignment
|
||
|
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
||
|
##
|
||
|
tolerations: []
|
||
|
|
||
|
## Affinity for pod assignment (evaluated as template)
|
||
|
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
||
|
##
|
||
|
affinity: {}
|
||
|
|
||
|
## Topology Spread Constraints
|
||
|
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
|
||
|
##
|
||
|
topologySpreadConstraints: []
|
||
|
|
||
|
## Additional init containers (evaluated as template)
|
||
|
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
|
||
|
##
|
||
|
extraInitContainers: []
|
||
|
|
||
|
## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
|
||
|
extraContainers: ""
|
||
|
# extraContainers: |
|
||
|
# - name: proxy
|
||
|
# image: quay.io/gambol99/keycloak-proxy:latest
|
||
|
# args:
|
||
|
# - -provider=github
|
||
|
# - -client-id=
|
||
|
# - -client-secret=
|
||
|
# - -github-org=<ORG_NAME>
|
||
|
# - -email-domain=*
|
||
|
# - -cookie-secret=
|
||
|
# - -http-address=http://0.0.0.0:4181
|
||
|
# - -upstream-url=http://127.0.0.1:3000
|
||
|
# ports:
|
||
|
# - name: proxy-web
|
||
|
# containerPort: 4181
|
||
|
|
||
|
## Volumes that can be used in init containers that will not be mounted to deployment pods
|
||
|
extraContainerVolumes: []
|
||
|
# - name: volume-from-secret
|
||
|
# secret:
|
||
|
# secretName: secret-to-mount
|
||
|
# - name: empty-dir-volume
|
||
|
# emptyDir: {}
|
||
|
|
||
|
## Enable persistence using Persistent Volume Claims
|
||
|
## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
|
||
|
##
|
||
|
persistence:
|
||
|
type: pvc
|
||
|
enabled: false
|
||
|
# storageClassName: default
|
||
|
accessModes:
|
||
|
- ReadWriteOnce
|
||
|
size: 10Gi
|
||
|
# annotations: {}
|
||
|
finalizers:
|
||
|
- kubernetes.io/pvc-protection
|
||
|
# selectorLabels: {}
|
||
|
## Sub-directory of the PV to mount. Can be templated.
|
||
|
# subPath: ""
|
||
|
## Name of an existing PVC. Can be templated.
|
||
|
# existingClaim:
|
||
|
## Extra labels to apply to a PVC.
|
||
|
extraPvcLabels: {}
|
||
|
disableWarning: false
|
||
|
|
||
|
## If persistence is not enabled, this allows to mount the
|
||
|
## local storage in-memory to improve performance
|
||
|
##
|
||
|
inMemory:
|
||
|
enabled: false
|
||
|
## The maximum usage on memory medium EmptyDir would be
|
||
|
## the minimum value between the SizeLimit specified
|
||
|
## here and the sum of memory limits of all containers in a pod
|
||
|
##
|
||
|
# sizeLimit: 300Mi
|
||
|
|
||
|
## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve
|
||
|
## the current value of 'spec.volumeName' and incorporate it into the template.
|
||
|
lookupVolumeName: true
|
||
|
|
||
|
initChownData:
|
||
|
## If false, data ownership will not be reset at startup
|
||
|
## This allows the grafana-server to be run with an arbitrary user
|
||
|
##
|
||
|
enabled: true
|
||
|
|
||
|
## initChownData container image
|
||
|
##
|
||
|
image:
|
||
|
# -- The Docker registry
|
||
|
registry: docker.io
|
||
|
repository: library/busybox
|
||
|
tag: "1.31.1"
|
||
|
sha: ""
|
||
|
pullPolicy: IfNotPresent
|
||
|
|
||
|
## initChownData resource requests and limits
|
||
|
## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
|
||
|
##
|
||
|
resources: {}
|
||
|
# limits:
|
||
|
# cpu: 100m
|
||
|
# memory: 128Mi
|
||
|
# requests:
|
||
|
# cpu: 100m
|
||
|
# memory: 128Mi
|
||
|
securityContext:
|
||
|
runAsNonRoot: false
|
||
|
runAsUser: 0
|
||
|
seccompProfile:
|
||
|
type: RuntimeDefault
|
||
|
capabilities:
|
||
|
add:
|
||
|
- CHOWN
|
||
|
|
||
|
# Administrator credentials when not using an existing secret (see below)
|
||
|
adminUser: admin
|
||
|
# adminPassword: strongpassword
|
||
|
|
||
|
# Use an existing secret for the admin user.
|
||
|
admin:
|
||
|
## Name of the secret. Can be templated.
|
||
|
existingSecret: ""
|
||
|
userKey: admin-user
|
||
|
passwordKey: admin-password
|
||
|
|
||
|
## Define command to be executed at startup by grafana container
|
||
|
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
|
||
|
## Default is "run.sh" as defined in grafana's Dockerfile
|
||
|
# command:
|
||
|
# - "sh"
|
||
|
# - "/run.sh"
|
||
|
|
||
|
## Optionally define args if command is used
|
||
|
## Needed if using `hashicorp/envconsul` to manage secrets
|
||
|
## By default no arguments are set
|
||
|
# args:
|
||
|
# - "-secret"
|
||
|
# - "secret/grafana"
|
||
|
# - "./grafana"
|
||
|
|
||
|
## Extra environment variables that will be pass onto deployment pods
|
||
|
##
|
||
|
## to provide grafana with access to CloudWatch on AWS EKS:
|
||
|
## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later)
|
||
|
## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the
|
||
|
## same oidc eks provider as noted before (same as the existing line)
|
||
|
## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name
|
||
|
##
|
||
|
## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana",
|
||
|
##
|
||
|
## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess
|
||
|
## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name)
|
||
|
##
|
||
|
## env:
|
||
|
## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here
|
||
|
## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
|
||
|
## AWS_REGION: us-east-1
|
||
|
##
|
||
|
## 5. uncomment the EKS section in extraSecretMounts: below
|
||
|
## 6. uncomment the annotation section in the serviceAccount: above
|
||
|
## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn
|
||
|
|
||
|
env: {}
|
||
|
|
||
|
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
|
||
|
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
|
||
|
## Renders in container spec as:
|
||
|
## env:
|
||
|
## ...
|
||
|
## - name: <key>
|
||
|
## valueFrom:
|
||
|
## <value rendered as YAML>
|
||
|
envValueFrom: {}
|
||
|
# ENV_NAME:
|
||
|
# configMapKeyRef:
|
||
|
# name: configmap-name
|
||
|
# key: value_key
|
||
|
|
||
|
## The name of a secret in the same kubernetes namespace which contain values to be added to the environment
|
||
|
## This can be useful for auth tokens, etc. Value is templated.
|
||
|
envFromSecret: ""
|
||
|
|
||
|
## Sensible environment variables that will be rendered as new secret object
|
||
|
## This can be useful for auth tokens, etc.
|
||
|
## If the secret values contains "{{", they'll need to be properly escaped so that they are not interpreted by Helm
|
||
|
## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
|
||
|
envRenderSecret: {}
|
||
|
|
||
|
## The names of secrets in the same kubernetes namespace which contain values to be added to the environment
|
||
|
## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key.
|
||
|
## Name is templated.
|
||
|
envFromSecrets: []
|
||
|
## - name: secret-name
|
||
|
## prefix: prefix
|
||
|
## optional: true
|
||
|
|
||
|
## The names of conifgmaps in the same kubernetes namespace which contain values to be added to the environment
|
||
|
## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key.
|
||
|
## Name is templated.
|
||
|
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
|
||
|
envFromConfigMaps: []
|
||
|
## - name: configmap-name
|
||
|
## prefix: prefix
|
||
|
## optional: true
|
||
|
|
||
|
# Inject Kubernetes services as environment variables.
|
||
|
# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
|
||
|
enableServiceLinks: true
|
||
|
|
||
|
## Additional grafana server secret mounts
|
||
|
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
|
||
|
extraSecretMounts: []
|
||
|
# - name: secret-files
|
||
|
# mountPath: /etc/secrets
|
||
|
# secretName: grafana-secret-files
|
||
|
# readOnly: true
|
||
|
# optional: false
|
||
|
# subPath: ""
|
||
|
#
|
||
|
# for AWS EKS (cloudwatch) use the following (see also instruction in env: above)
|
||
|
# - name: aws-iam-token
|
||
|
# mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
|
||
|
# readOnly: true
|
||
|
# projected:
|
||
|
# defaultMode: 420
|
||
|
# sources:
|
||
|
# - serviceAccountToken:
|
||
|
# audience: sts.amazonaws.com
|
||
|
# expirationSeconds: 86400
|
||
|
# path: token
|
||
|
#
|
||
|
# for CSI e.g. Azure Key Vault use the following
|
||
|
# - name: secrets-store-inline
|
||
|
# mountPath: /run/secrets
|
||
|
# readOnly: true
|
||
|
# csi:
|
||
|
# driver: secrets-store.csi.k8s.io
|
||
|
# readOnly: true
|
||
|
# volumeAttributes:
|
||
|
# secretProviderClass: "akv-grafana-spc"
|
||
|
# nodePublishSecretRef: # Only required when using service principal mode
|
||
|
# name: grafana-akv-creds # Only required when using service principal mode
|
||
|
|
||
|
## Additional grafana server volume mounts
|
||
|
# Defines additional volume mounts.
|
||
|
extraVolumeMounts: []
|
||
|
# - name: extra-volume-0
|
||
|
# mountPath: /mnt/volume0
|
||
|
# readOnly: true
|
||
|
# - name: extra-volume-1
|
||
|
# mountPath: /mnt/volume1
|
||
|
# readOnly: true
|
||
|
# - name: grafana-secrets
|
||
|
# mountPath: /mnt/volume2
|
||
|
|
||
|
## Additional Grafana server volumes
|
||
|
extraVolumes: []
|
||
|
# - name: extra-volume-0
|
||
|
# existingClaim: volume-claim
|
||
|
# - name: extra-volume-1
|
||
|
# hostPath:
|
||
|
# path: /usr/shared/
|
||
|
# type: ""
|
||
|
# - name: grafana-secrets
|
||
|
# csi:
|
||
|
# driver: secrets-store.csi.k8s.io
|
||
|
# readOnly: true
|
||
|
# volumeAttributes:
|
||
|
# secretProviderClass: "grafana-env-spc"
|
||
|
|
||
|
## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request
|
||
|
lifecycleHooks: {}
|
||
|
# postStart:
|
||
|
# exec:
|
||
|
# command: []
|
||
|
|
||
|
## Pass the plugins you want installed as a list.
|
||
|
##
|
||
|
plugins: []
|
||
|
# - digrich-bubblechart-panel
|
||
|
# - grafana-clock-panel
|
||
|
## You can also use other plugin download URL, as long as they are valid zip files,
|
||
|
## and specify the name of the plugin after the semicolon. Like this:
|
||
|
# - https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.2/download;marcusolsson-json-datasource
|
||
|
|
||
|
## Configure grafana datasources
|
||
|
## ref: http://docs.grafana.org/administration/provisioning/#datasources
|
||
|
##
|
||
|
datasources: {}
|
||
|
# datasources.yaml:
|
||
|
# apiVersion: 1
|
||
|
# datasources:
|
||
|
# - name: Prometheus
|
||
|
# type: prometheus
|
||
|
# url: http://prometheus-prometheus-server
|
||
|
# access: proxy
|
||
|
# isDefault: true
|
||
|
# - name: CloudWatch
|
||
|
# type: cloudwatch
|
||
|
# access: proxy
|
||
|
# uid: cloudwatch
|
||
|
# editable: false
|
||
|
# jsonData:
|
||
|
# authType: default
|
||
|
# defaultRegion: us-east-1
|
||
|
# deleteDatasources: []
|
||
|
# - name: Prometheus
|
||
|
|
||
|
## Configure grafana alerting (can be templated)
|
||
|
## ref: https://docs.grafana.com/alerting/set-up/provision-alerting-resources/file-provisioning/
|
||
|
##
|
||
|
alerting: {}
|
||
|
# policies.yaml:
|
||
|
# apiVersion: 1
|
||
|
# policies:
|
||
|
# - orgId: 1
|
||
|
# receiver: first_uid
|
||
|
#
|
||
|
# rules.yaml:
|
||
|
# apiVersion: 1
|
||
|
# groups:
|
||
|
# - orgId: 1
|
||
|
# name: '{{ .Chart.Name }}_my_rule_group'
|
||
|
# folder: my_first_folder
|
||
|
# interval: 60s
|
||
|
# rules:
|
||
|
# - uid: my_id_1
|
||
|
# title: my_first_rule
|
||
|
# condition: A
|
||
|
# data:
|
||
|
# - refId: A
|
||
|
# datasourceUid: '-100'
|
||
|
# model:
|
||
|
# conditions:
|
||
|
# - evaluator:
|
||
|
# params:
|
||
|
# - 3
|
||
|
# type: gt
|
||
|
# operator:
|
||
|
# type: and
|
||
|
# query:
|
||
|
# params:
|
||
|
# - A
|
||
|
# reducer:
|
||
|
# type: last
|
||
|
# type: query
|
||
|
# datasource:
|
||
|
# type: __expr__
|
||
|
# uid: '-100'
|
||
|
# expression: 1==0
|
||
|
# intervalMs: 1000
|
||
|
# maxDataPoints: 43200
|
||
|
# refId: A
|
||
|
# type: math
|
||
|
# dashboardUid: my_dashboard
|
||
|
# panelId: 123
|
||
|
# noDataState: Alerting
|
||
|
# for: 60s
|
||
|
# annotations:
|
||
|
# some_key: some_value
|
||
|
# labels:
|
||
|
# team: sre_team_1
|
||
|
#
|
||
|
# contactpoints.yaml:
|
||
|
# secret:
|
||
|
# apiVersion: 1
|
||
|
# contactPoints:
|
||
|
# - orgId: 1
|
||
|
# name: cp_1
|
||
|
# receivers:
|
||
|
# - uid: first_uid
|
||
|
# type: pagerduty
|
||
|
# settings:
|
||
|
# integrationKey: XXX
|
||
|
# severity: critical
|
||
|
# class: ping failure
|
||
|
# component: Grafana
|
||
|
# group: app-stack
|
||
|
# summary: |
|
||
|
# {{ `{{ include "default.message" . }}` }}
|
||
|
#
|
||
|
# templates.yaml:
|
||
|
# apiVersion: 1
|
||
|
# templates:
|
||
|
# - orgId: 1
|
||
|
# name: my_first_template
|
||
|
# template: |
|
||
|
# {{ `
|
||
|
# {{ define "my_first_template" }}
|
||
|
# Custom notification message
|
||
|
# {{ end }}
|
||
|
# ` }}
|
||
|
#
|
||
|
# mutetimes.yaml
|
||
|
# apiVersion: 1
|
||
|
# muteTimes:
|
||
|
# - orgId: 1
|
||
|
# name: mti_1
|
||
|
# # refer to https://prometheus.io/docs/alerting/latest/configuration/#time_interval-0
|
||
|
# time_intervals: {}
|
||
|
|
||
|
## Configure notifiers
|
||
|
## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
|
||
|
##
|
||
|
notifiers: {}
|
||
|
# notifiers.yaml:
|
||
|
# notifiers:
|
||
|
# - name: email-notifier
|
||
|
# type: email
|
||
|
# uid: email1
|
||
|
# # either:
|
||
|
# org_id: 1
|
||
|
# # or
|
||
|
# org_name: Main Org.
|
||
|
# is_default: true
|
||
|
# settings:
|
||
|
# addresses: an_email_address@example.com
|
||
|
# delete_notifiers:
|
||
|
|
||
|
## Configure grafana dashboard providers
|
||
|
## ref: http://docs.grafana.org/administration/provisioning/#dashboards
|
||
|
##
|
||
|
## `path` must be /var/lib/grafana/dashboards/<provider_name>
|
||
|
##
|
||
|
dashboardProviders: {}
|
||
|
# dashboardproviders.yaml:
|
||
|
# apiVersion: 1
|
||
|
# providers:
|
||
|
# - name: 'default'
|
||
|
# orgId: 1
|
||
|
# folder: ''
|
||
|
# type: file
|
||
|
# disableDeletion: false
|
||
|
# editable: true
|
||
|
# options:
|
||
|
# path: /var/lib/grafana/dashboards/default
|
||
|
|
||
|
## Configure grafana dashboard to import
|
||
|
## NOTE: To use dashboards you must also enable/configure dashboardProviders
|
||
|
## ref: https://grafana.com/dashboards
|
||
|
##
|
||
|
## dashboards per provider, use provider name as key.
|
||
|
##
|
||
|
dashboards: {}
|
||
|
# default:
|
||
|
# some-dashboard:
|
||
|
# json: |
|
||
|
# $RAW_JSON
|
||
|
# custom-dashboard:
|
||
|
# file: dashboards/custom-dashboard.json
|
||
|
# prometheus-stats:
|
||
|
# gnetId: 2
|
||
|
# revision: 2
|
||
|
# datasource: Prometheus
|
||
|
# local-dashboard:
|
||
|
# url: https://example.com/repository/test.json
|
||
|
# token: ''
|
||
|
# local-dashboard-base64:
|
||
|
# url: https://example.com/repository/test-b64.json
|
||
|
# token: ''
|
||
|
# b64content: true
|
||
|
# local-dashboard-gitlab:
|
||
|
# url: https://example.com/repository/test-gitlab.json
|
||
|
# gitlabToken: ''
|
||
|
# local-dashboard-bitbucket:
|
||
|
# url: https://example.com/repository/test-bitbucket.json
|
||
|
# bearerToken: ''
|
||
|
# local-dashboard-azure:
|
||
|
# url: https://example.com/repository/test-azure.json
|
||
|
# basic: ''
|
||
|
# acceptHeader: '*/*'
|
||
|
|
||
|
## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
|
||
|
## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
|
||
|
## ConfigMap data example:
|
||
|
##
|
||
|
## data:
|
||
|
## example-dashboard.json: |
|
||
|
## RAW_JSON
|
||
|
##
|
||
|
dashboardsConfigMaps: {}
|
||
|
# default: ""
|
||
|
|
||
|
## Grafana's primary configuration
|
||
|
## NOTE: values in map will be converted to ini format
|
||
|
## ref: http://docs.grafana.org/installation/configuration/
|
||
|
##
|
||
|
grafana.ini:
|
||
|
paths:
|
||
|
data: /var/lib/grafana/
|
||
|
logs: /var/log/grafana
|
||
|
plugins: /var/lib/grafana/plugins
|
||
|
provisioning: /etc/grafana/provisioning
|
||
|
analytics:
|
||
|
check_for_updates: true
|
||
|
log:
|
||
|
mode: console
|
||
|
grafana_net:
|
||
|
url: https://grafana.net
|
||
|
server:
|
||
|
domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else }}''{{ end }}"
|
||
|
## grafana Authentication can be enabled with the following values on grafana.ini
|
||
|
# server:
|
||
|
# The full public facing url you use in browser, used for redirects and emails
|
||
|
# root_url:
|
||
|
# https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
|
||
|
# auth.github:
|
||
|
# enabled: false
|
||
|
# allow_sign_up: false
|
||
|
# scopes: user:email,read:org
|
||
|
# auth_url: https://github.com/login/oauth/authorize
|
||
|
# token_url: https://github.com/login/oauth/access_token
|
||
|
# api_url: https://api.github.com/user
|
||
|
# team_ids:
|
||
|
# allowed_organizations:
|
||
|
# client_id:
|
||
|
# client_secret:
|
||
|
## LDAP Authentication can be enabled with the following values on grafana.ini
|
||
|
## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
|
||
|
# auth.ldap:
|
||
|
# enabled: true
|
||
|
# allow_sign_up: true
|
||
|
# config_file: /etc/grafana/ldap.toml
|
||
|
|
||
|
## Grafana's LDAP configuration
|
||
|
## Templated by the template in _helpers.tpl
|
||
|
## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
|
||
|
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
|
||
|
## ref: http://docs.grafana.org/installation/ldap/#configuration
|
||
|
ldap:
|
||
|
enabled: false
|
||
|
# `existingSecret` is a reference to an existing secret containing the ldap configuration
|
||
|
# for Grafana in a key `ldap-toml`.
|
||
|
existingSecret: ""
|
||
|
# `config` is the content of `ldap.toml` that will be stored in the created secret
|
||
|
config: ""
|
||
|
# config: |-
|
||
|
# verbose_logging = true
|
||
|
|
||
|
# [[servers]]
|
||
|
# host = "my-ldap-server"
|
||
|
# port = 636
|
||
|
# use_ssl = true
|
||
|
# start_tls = false
|
||
|
# ssl_skip_verify = false
|
||
|
# bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
|
||
|
|
||
|
## Grafana's SMTP configuration
|
||
|
## NOTE: To enable, grafana.ini must be configured with smtp.enabled
|
||
|
## ref: http://docs.grafana.org/installation/configuration/#smtp
|
||
|
smtp:
|
||
|
# `existingSecret` is a reference to an existing secret containing the smtp configuration
|
||
|
# for Grafana.
|
||
|
existingSecret: ""
|
||
|
userKey: "user"
|
||
|
passwordKey: "password"
|
||
|
|
||
|
## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders
|
||
|
## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
|
||
|
sidecar:
|
||
|
image:
|
||
|
# -- The Docker registry
|
||
|
registry: quay.io
|
||
|
repository: kiwigrid/k8s-sidecar
|
||
|
tag: 1.28.0
|
||
|
sha: ""
|
||
|
imagePullPolicy: IfNotPresent
|
||
|
resources: {}
|
||
|
# limits:
|
||
|
# cpu: 100m
|
||
|
# memory: 100Mi
|
||
|
# requests:
|
||
|
# cpu: 50m
|
||
|
# memory: 50Mi
|
||
|
securityContext:
|
||
|
allowPrivilegeEscalation: false
|
||
|
capabilities:
|
||
|
drop:
|
||
|
- ALL
|
||
|
seccompProfile:
|
||
|
type: RuntimeDefault
|
||
|
# skipTlsVerify Set to true to skip tls verification for kube api calls
|
||
|
# skipTlsVerify: true
|
||
|
enableUniqueFilenames: false
|
||
|
readinessProbe: {}
|
||
|
livenessProbe: {}
|
||
|
# Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO
|
||
|
# logLevel: INFO
|
||
|
alerts:
|
||
|
enabled: false
|
||
|
# Additional environment variables for the alerts sidecar
|
||
|
env: {}
|
||
|
# Do not reprocess already processed unchanged resources on k8s API reconnect.
|
||
|
# ignoreAlreadyProcessed: true
|
||
|
# label that the configmaps with alert are marked with
|
||
|
label: grafana_alert
|
||
|
# value of label that the configmaps with alert are set to
|
||
|
labelValue: ""
|
||
|
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
|
||
|
# logLevel: INFO
|
||
|
# If specified, the sidecar will search for alert config-maps inside this namespace.
|
||
|
# Otherwise the namespace in which the sidecar is running will be used.
|
||
|
# It's also possible to specify ALL to search in all namespaces
|
||
|
searchNamespace: null
|
||
|
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
|
||
|
watchMethod: WATCH
|
||
|
# search in configmap, secret or both
|
||
|
resource: both
|
||
|
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
|
||
|
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
|
||
|
# watchServerTimeout: 3600
|
||
|
#
|
||
|
# watchClientTimeout: is a client-side timeout, configuring your local socket.
|
||
|
# If you have a network outage dropping all packets with no RST/FIN,
|
||
|
# this is how long your client waits before realizing & dropping the connection.
|
||
|
# defaults to 66sec (sic!)
|
||
|
# watchClientTimeout: 60
|
||
|
#
|
||
|
# maxTotalRetries: Total number of retries to allow for any http request.
|
||
|
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry.
|
||
|
# maxTotalRetries: 5
|
||
|
#
|
||
|
# maxConnectRetries: How many connection-related errors to retry on for any http request.
|
||
|
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxConnectRetries: 10
|
||
|
#
|
||
|
# maxReadRetries: How many times to retry on read errors for any http request
|
||
|
# These errors are raised after the request was sent to the server, so the request may have side-effects.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxReadRetries: 5
|
||
|
#
|
||
|
# Endpoint to send request to reload alerts
|
||
|
reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload"
|
||
|
# Absolute path to shell script to execute after a alert got reloaded
|
||
|
script: null
|
||
|
skipReload: false
|
||
|
# This is needed if skipReload is true, to load any alerts defined at startup time.
|
||
|
# Deploy the alert sidecar as an initContainer.
|
||
|
initAlerts: false
|
||
|
# Additional alerts sidecar volume mounts
|
||
|
extraMounts: []
|
||
|
# Sets the size limit of the alert sidecar emptyDir volume
|
||
|
sizeLimit: {}
|
||
|
dashboards:
|
||
|
enabled: false
|
||
|
# Additional environment variables for the dashboards sidecar
|
||
|
env: {}
|
||
|
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
|
||
|
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
|
||
|
## Renders in container spec as:
|
||
|
## env:
|
||
|
## ...
|
||
|
## - name: <key>
|
||
|
## valueFrom:
|
||
|
## <value rendered as YAML>
|
||
|
envValueFrom: {}
|
||
|
# ENV_NAME:
|
||
|
# configMapKeyRef:
|
||
|
# name: configmap-name
|
||
|
# key: value_key
|
||
|
# Do not reprocess already processed unchanged resources on k8s API reconnect.
|
||
|
# ignoreAlreadyProcessed: true
|
||
|
SCProvider: true
|
||
|
# label that the configmaps with dashboards are marked with
|
||
|
label: grafana_dashboard
|
||
|
# value of label that the configmaps with dashboards are set to
|
||
|
labelValue: ""
|
||
|
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
|
||
|
# logLevel: INFO
|
||
|
# folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
|
||
|
folder: /tmp/dashboards
|
||
|
# The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
|
||
|
defaultFolderName: null
|
||
|
# Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
|
||
|
# Otherwise the namespace in which the sidecar is running will be used.
|
||
|
# It's also possible to specify ALL to search in all namespaces.
|
||
|
searchNamespace: null
|
||
|
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
|
||
|
watchMethod: WATCH
|
||
|
# search in configmap, secret or both
|
||
|
resource: both
|
||
|
# If specified, the sidecar will look for annotation with this name to create folder and put graph here.
|
||
|
# You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
|
||
|
folderAnnotation: null
|
||
|
#
|
||
|
# maxTotalRetries: Total number of retries to allow for any http request.
|
||
|
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry.
|
||
|
# maxTotalRetries: 5
|
||
|
#
|
||
|
# maxConnectRetries: How many connection-related errors to retry on for any http request.
|
||
|
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxConnectRetries: 10
|
||
|
#
|
||
|
# maxReadRetries: How many times to retry on read errors for any http request
|
||
|
# These errors are raised after the request was sent to the server, so the request may have side-effects.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxReadRetries: 5
|
||
|
#
|
||
|
# Endpoint to send request to reload alerts
|
||
|
reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload"
|
||
|
# Absolute path to shell script to execute after a configmap got reloaded
|
||
|
script: null
|
||
|
skipReload: false
|
||
|
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
|
||
|
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
|
||
|
# watchServerTimeout: 3600
|
||
|
#
|
||
|
# watchClientTimeout: is a client-side timeout, configuring your local socket.
|
||
|
# If you have a network outage dropping all packets with no RST/FIN,
|
||
|
# this is how long your client waits before realizing & dropping the connection.
|
||
|
# defaults to 66sec (sic!)
|
||
|
# watchClientTimeout: 60
|
||
|
#
|
||
|
# provider configuration that lets grafana manage the dashboards
|
||
|
provider:
|
||
|
# name of the provider, should be unique
|
||
|
name: sidecarProvider
|
||
|
# orgid as configured in grafana
|
||
|
orgid: 1
|
||
|
# folder in which the dashboards should be imported in grafana
|
||
|
folder: ''
|
||
|
# <string> folder UID. will be automatically generated if not specified
|
||
|
folderUid: ''
|
||
|
# type of the provider
|
||
|
type: file
|
||
|
# disableDelete to activate a import-only behaviour
|
||
|
disableDelete: false
|
||
|
# allow updating provisioned dashboards from the UI
|
||
|
allowUiUpdates: false
|
||
|
# allow Grafana to replicate dashboard structure from filesystem
|
||
|
foldersFromFilesStructure: false
|
||
|
# Additional dashboards sidecar volume mounts
|
||
|
extraMounts: []
|
||
|
# Sets the size limit of the dashboard sidecar emptyDir volume
|
||
|
sizeLimit: {}
|
||
|
datasources:
|
||
|
enabled: false
|
||
|
# Additional environment variables for the datasourcessidecar
|
||
|
env: {}
|
||
|
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
|
||
|
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
|
||
|
## Renders in container spec as:
|
||
|
## env:
|
||
|
## ...
|
||
|
## - name: <key>
|
||
|
## valueFrom:
|
||
|
## <value rendered as YAML>
|
||
|
envValueFrom: {}
|
||
|
# ENV_NAME:
|
||
|
# configMapKeyRef:
|
||
|
# name: configmap-name
|
||
|
# key: value_key
|
||
|
# Do not reprocess already processed unchanged resources on k8s API reconnect.
|
||
|
# ignoreAlreadyProcessed: true
|
||
|
# label that the configmaps with datasources are marked with
|
||
|
label: grafana_datasource
|
||
|
# value of label that the configmaps with datasources are set to
|
||
|
labelValue: ""
|
||
|
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
|
||
|
# logLevel: INFO
|
||
|
# If specified, the sidecar will search for datasource config-maps inside this namespace.
|
||
|
# Otherwise the namespace in which the sidecar is running will be used.
|
||
|
# It's also possible to specify ALL to search in all namespaces
|
||
|
searchNamespace: null
|
||
|
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
|
||
|
watchMethod: WATCH
|
||
|
# search in configmap, secret or both
|
||
|
resource: both
|
||
|
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
|
||
|
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
|
||
|
# watchServerTimeout: 3600
|
||
|
#
|
||
|
# watchClientTimeout: is a client-side timeout, configuring your local socket.
|
||
|
# If you have a network outage dropping all packets with no RST/FIN,
|
||
|
# this is how long your client waits before realizing & dropping the connection.
|
||
|
# defaults to 66sec (sic!)
|
||
|
# watchClientTimeout: 60
|
||
|
#
|
||
|
# maxTotalRetries: Total number of retries to allow for any http request.
|
||
|
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry.
|
||
|
# maxTotalRetries: 5
|
||
|
#
|
||
|
# maxConnectRetries: How many connection-related errors to retry on for any http request.
|
||
|
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxConnectRetries: 10
|
||
|
#
|
||
|
# maxReadRetries: How many times to retry on read errors for any http request
|
||
|
# These errors are raised after the request was sent to the server, so the request may have side-effects.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxReadRetries: 5
|
||
|
#
|
||
|
# Endpoint to send request to reload datasources
|
||
|
reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
|
||
|
# Absolute path to shell script to execute after a datasource got reloaded
|
||
|
script: null
|
||
|
skipReload: false
|
||
|
# This is needed if skipReload is true, to load any datasources defined at startup time.
|
||
|
# Deploy the datasources sidecar as an initContainer.
|
||
|
initDatasources: false
|
||
|
# Additional datasources sidecar volume mounts
|
||
|
extraMounts: []
|
||
|
# Sets the size limit of the datasource sidecar emptyDir volume
|
||
|
sizeLimit: {}
|
||
|
plugins:
|
||
|
enabled: false
|
||
|
# Additional environment variables for the plugins sidecar
|
||
|
env: {}
|
||
|
# Do not reprocess already processed unchanged resources on k8s API reconnect.
|
||
|
# ignoreAlreadyProcessed: true
|
||
|
# label that the configmaps with plugins are marked with
|
||
|
label: grafana_plugin
|
||
|
# value of label that the configmaps with plugins are set to
|
||
|
labelValue: ""
|
||
|
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
|
||
|
# logLevel: INFO
|
||
|
# If specified, the sidecar will search for plugin config-maps inside this namespace.
|
||
|
# Otherwise the namespace in which the sidecar is running will be used.
|
||
|
# It's also possible to specify ALL to search in all namespaces
|
||
|
searchNamespace: null
|
||
|
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
|
||
|
watchMethod: WATCH
|
||
|
# search in configmap, secret or both
|
||
|
resource: both
|
||
|
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
|
||
|
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
|
||
|
# watchServerTimeout: 3600
|
||
|
#
|
||
|
# watchClientTimeout: is a client-side timeout, configuring your local socket.
|
||
|
# If you have a network outage dropping all packets with no RST/FIN,
|
||
|
# this is how long your client waits before realizing & dropping the connection.
|
||
|
# defaults to 66sec (sic!)
|
||
|
# watchClientTimeout: 60
|
||
|
#
|
||
|
# maxTotalRetries: Total number of retries to allow for any http request.
|
||
|
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry.
|
||
|
# maxTotalRetries: 5
|
||
|
#
|
||
|
# maxConnectRetries: How many connection-related errors to retry on for any http request.
|
||
|
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxConnectRetries: 10
|
||
|
#
|
||
|
# maxReadRetries: How many times to retry on read errors for any http request
|
||
|
# These errors are raised after the request was sent to the server, so the request may have side-effects.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxReadRetries: 5
|
||
|
#
|
||
|
# Endpoint to send request to reload plugins
|
||
|
reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
|
||
|
# Absolute path to shell script to execute after a plugin got reloaded
|
||
|
script: null
|
||
|
skipReload: false
|
||
|
# Deploy the datasource sidecar as an initContainer in addition to a container.
|
||
|
# This is needed if skipReload is true, to load any plugins defined at startup time.
|
||
|
initPlugins: false
|
||
|
# Additional plugins sidecar volume mounts
|
||
|
extraMounts: []
|
||
|
# Sets the size limit of the plugin sidecar emptyDir volume
|
||
|
sizeLimit: {}
|
||
|
notifiers:
|
||
|
enabled: false
|
||
|
# Additional environment variables for the notifierssidecar
|
||
|
env: {}
|
||
|
# Do not reprocess already processed unchanged resources on k8s API reconnect.
|
||
|
# ignoreAlreadyProcessed: true
|
||
|
# label that the configmaps with notifiers are marked with
|
||
|
label: grafana_notifier
|
||
|
# value of label that the configmaps with notifiers are set to
|
||
|
labelValue: ""
|
||
|
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
|
||
|
# logLevel: INFO
|
||
|
# If specified, the sidecar will search for notifier config-maps inside this namespace.
|
||
|
# Otherwise the namespace in which the sidecar is running will be used.
|
||
|
# It's also possible to specify ALL to search in all namespaces
|
||
|
searchNamespace: null
|
||
|
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
|
||
|
watchMethod: WATCH
|
||
|
# search in configmap, secret or both
|
||
|
resource: both
|
||
|
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
|
||
|
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
|
||
|
# watchServerTimeout: 3600
|
||
|
#
|
||
|
# watchClientTimeout: is a client-side timeout, configuring your local socket.
|
||
|
# If you have a network outage dropping all packets with no RST/FIN,
|
||
|
# this is how long your client waits before realizing & dropping the connection.
|
||
|
# defaults to 66sec (sic!)
|
||
|
# watchClientTimeout: 60
|
||
|
#
|
||
|
# maxTotalRetries: Total number of retries to allow for any http request.
|
||
|
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry.
|
||
|
# maxTotalRetries: 5
|
||
|
#
|
||
|
# maxConnectRetries: How many connection-related errors to retry on for any http request.
|
||
|
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxConnectRetries: 10
|
||
|
#
|
||
|
# maxReadRetries: How many times to retry on read errors for any http request
|
||
|
# These errors are raised after the request was sent to the server, so the request may have side-effects.
|
||
|
# Applies to all requests to reloadURL and k8s api requests.
|
||
|
# Set to 0 to fail on the first retry of this type.
|
||
|
# maxReadRetries: 5
|
||
|
#
|
||
|
# Endpoint to send request to reload notifiers
|
||
|
reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload"
|
||
|
# Absolute path to shell script to execute after a notifier got reloaded
|
||
|
script: null
|
||
|
skipReload: false
|
||
|
# Deploy the notifier sidecar as an initContainer in addition to a container.
|
||
|
# This is needed if skipReload is true, to load any notifiers defined at startup time.
|
||
|
initNotifiers: false
|
||
|
# Additional notifiers sidecar volume mounts
|
||
|
extraMounts: []
|
||
|
# Sets the size limit of the notifier sidecar emptyDir volume
|
||
|
sizeLimit: {}
|
||
|
|
||
|
## Override the deployment namespace
|
||
|
##
|
||
|
namespaceOverride: ""
|
||
|
|
||
|
## Number of old ReplicaSets to retain
|
||
|
##
|
||
|
revisionHistoryLimit: 10
|
||
|
|
||
|
## Add a seperate remote image renderer deployment/service
|
||
|
imageRenderer:
|
||
|
deploymentStrategy: {}
|
||
|
# Enable the image-renderer deployment & service
|
||
|
enabled: false
|
||
|
replicas: 1
|
||
|
autoscaling:
|
||
|
enabled: false
|
||
|
minReplicas: 1
|
||
|
maxReplicas: 5
|
||
|
targetCPU: "60"
|
||
|
targetMemory: ""
|
||
|
behavior: {}
|
||
|
# The url of remote image renderer if it is not in the same namespace with the grafana instance
|
||
|
serverURL: ""
|
||
|
# The callback url of grafana instances if it is not in the same namespace with the remote image renderer
|
||
|
renderingCallbackURL: ""
|
||
|
image:
|
||
|
# -- The Docker registry
|
||
|
registry: docker.io
|
||
|
# image-renderer Image repository
|
||
|
repository: grafana/grafana-image-renderer
|
||
|
# image-renderer Image tag
|
||
|
tag: latest
|
||
|
# image-renderer Image sha (optional)
|
||
|
sha: ""
|
||
|
# image-renderer ImagePullPolicy
|
||
|
pullPolicy: Always
|
||
|
# extra environment variables
|
||
|
env:
|
||
|
HTTP_HOST: "0.0.0.0"
|
||
|
# RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
|
||
|
# RENDERING_MODE: clustered
|
||
|
# IGNORE_HTTPS_ERRORS: true
|
||
|
|
||
|
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
|
||
|
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
|
||
|
## Renders in container spec as:
|
||
|
## env:
|
||
|
## ...
|
||
|
## - name: <key>
|
||
|
## valueFrom:
|
||
|
## <value rendered as YAML>
|
||
|
envValueFrom: {}
|
||
|
# ENV_NAME:
|
||
|
# configMapKeyRef:
|
||
|
# name: configmap-name
|
||
|
# key: value_key
|
||
|
|
||
|
# image-renderer deployment serviceAccount
|
||
|
serviceAccountName: ""
|
||
|
# image-renderer deployment securityContext
|
||
|
securityContext: {}
|
||
|
# image-renderer deployment container securityContext
|
||
|
containerSecurityContext:
|
||
|
seccompProfile:
|
||
|
type: RuntimeDefault
|
||
|
capabilities:
|
||
|
drop: ['ALL']
|
||
|
allowPrivilegeEscalation: false
|
||
|
readOnlyRootFilesystem: true
|
||
|
## image-renderer pod annotation
|
||
|
podAnnotations: {}
|
||
|
# image-renderer deployment Host Aliases
|
||
|
hostAliases: []
|
||
|
# image-renderer deployment priority class
|
||
|
priorityClassName: ''
|
||
|
service:
|
||
|
# Enable the image-renderer service
|
||
|
enabled: true
|
||
|
# image-renderer service port name
|
||
|
portName: 'http'
|
||
|
# image-renderer service port used by both service and deployment
|
||
|
port: 8081
|
||
|
targetPort: 8081
|
||
|
# Adds the appProtocol field to the image-renderer service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
|
||
|
appProtocol: ""
|
||
|
serviceMonitor:
|
||
|
## If true, a ServiceMonitor CRD is created for a prometheus operator
|
||
|
## https://github.com/coreos/prometheus-operator
|
||
|
##
|
||
|
enabled: false
|
||
|
path: /metrics
|
||
|
# namespace: monitoring (defaults to use the namespace this chart is deployed to)
|
||
|
labels: {}
|
||
|
interval: 1m
|
||
|
scheme: http
|
||
|
tlsConfig: {}
|
||
|
scrapeTimeout: 30s
|
||
|
relabelings: []
|
||
|
# See: https://doc.crds.dev/github.com/prometheus-operator/kube-prometheus/monitoring.coreos.com/ServiceMonitor/v1@v0.11.0#spec-targetLabels
|
||
|
targetLabels: []
|
||
|
# - targetLabel1
|
||
|
# - targetLabel2
|
||
|
# If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana
|
||
|
grafanaProtocol: http
|
||
|
# In case a sub_path is used this needs to be added to the image renderer callback
|
||
|
grafanaSubPath: ""
|
||
|
# name of the image-renderer port on the pod
|
||
|
podPortName: http
|
||
|
# number of image-renderer replica sets to keep
|
||
|
revisionHistoryLimit: 10
|
||
|
networkPolicy:
|
||
|
# Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
|
||
|
limitIngress: true
|
||
|
# Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
|
||
|
limitEgress: false
|
||
|
# Allow additional services to access image-renderer (eg. Prometheus operator when ServiceMonitor is enabled)
|
||
|
extraIngressSelectors: []
|
||
|
resources: {}
|
||
|
# limits:
|
||
|
# cpu: 100m
|
||
|
# memory: 100Mi
|
||
|
# requests:
|
||
|
# cpu: 50m
|
||
|
# memory: 50Mi
|
||
|
## Node labels for pod assignment
|
||
|
## ref: https://kubernetes.io/docs/user-guide/node-selection/
|
||
|
#
|
||
|
nodeSelector: {}
|
||
|
|
||
|
## Tolerations for pod assignment
|
||
|
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
|
||
|
##
|
||
|
tolerations: []
|
||
|
|
||
|
## Affinity for pod assignment (evaluated as template)
|
||
|
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
|
||
|
##
|
||
|
affinity: {}
|
||
|
|
||
|
## Use an alternate scheduler, e.g. "stork".
|
||
|
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
|
||
|
##
|
||
|
# schedulerName: "default-scheduler"
|
||
|
|
||
|
# Extra configmaps to mount in image-renderer pods
|
||
|
extraConfigmapMounts: []
|
||
|
|
||
|
# Extra secrets to mount in image-renderer pods
|
||
|
extraSecretMounts: []
|
||
|
|
||
|
# Extra volumes to mount in image-renderer pods
|
||
|
extraVolumeMounts: []
|
||
|
|
||
|
# Extra volumes for image-renderer pods
|
||
|
extraVolumes: []
|
||
|
|
||
|
networkPolicy:
|
||
|
## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
|
||
|
##
|
||
|
enabled: false
|
||
|
## @param networkPolicy.allowExternal Don't require client label for connections
|
||
|
## The Policy model to apply. When set to false, only pods with the correct
|
||
|
## client label will have network access to grafana port defined.
|
||
|
## When true, grafana will accept connections from any source
|
||
|
## (with the correct destination port).
|
||
|
##
|
||
|
ingress: true
|
||
|
## @param networkPolicy.ingress When true enables the creation
|
||
|
## an ingress network policy
|
||
|
##
|
||
|
allowExternal: true
|
||
|
## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
|
||
|
## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
|
||
|
## and that match other criteria, the ones that have the good label, can reach the grafana.
|
||
|
## But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
|
||
|
## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
|
||
|
##
|
||
|
## Example:
|
||
|
## explicitNamespacesSelector:
|
||
|
## matchLabels:
|
||
|
## role: frontend
|
||
|
## matchExpressions:
|
||
|
## - {key: role, operator: In, values: [frontend]}
|
||
|
##
|
||
|
explicitNamespacesSelector: {}
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
egress:
|
||
|
## @param networkPolicy.egress.enabled When enabled, an egress network policy will be
|
||
|
## created allowing grafana to connect to external data sources from kubernetes cluster.
|
||
|
enabled: false
|
||
|
##
|
||
|
## @param networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked
|
||
|
## for all pods in the grafana namespace.
|
||
|
blockDNSResolution: false
|
||
|
##
|
||
|
## @param networkPolicy.egress.ports Add individual ports to be allowed by the egress
|
||
|
ports: []
|
||
|
## Add ports to the egress by specifying - port: <port number>
|
||
|
## E.X.
|
||
|
## - port: 80
|
||
|
## - port: 443
|
||
|
##
|
||
|
## @param networkPolicy.egress.to Allow egress traffic to specific destinations
|
||
|
to: []
|
||
|
## Add destinations to the egress by specifying - ipBlock: <CIDR>
|
||
|
## E.X.
|
||
|
## to:
|
||
|
## - namespaceSelector:
|
||
|
## matchExpressions:
|
||
|
## - {key: role, operator: In, values: [grafana]}
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
##
|
||
|
|
||
|
# Enable backward compatibility of kubernetes where version below 1.13 doesn't have the enableServiceLinks option
|
||
|
enableKubeBackwardCompatibility: false
|
||
|
useStatefulSet: false
|
||
|
# Create a dynamic manifests via values:
|
||
|
extraObjects: []
|
||
|
# - apiVersion: "kubernetes-client.io/v1"
|
||
|
# kind: ExternalSecret
|
||
|
# metadata:
|
||
|
# name: grafana-secrets
|
||
|
# spec:
|
||
|
# backendType: gcpSecretsManager
|
||
|
# data:
|
||
|
# - key: grafana-admin-password
|
||
|
# name: adminPassword
|
||
|
|
||
|
# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks if secret
|
||
|
# values are not exposed in the rendered grafana.ini configmap. It is enabled by default.
|
||
|
#
|
||
|
# To pass values into grafana.ini without exposing them in a configmap, use variable expansion:
|
||
|
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
|
||
|
#
|
||
|
# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap,
|
||
|
# you can disable this check by setting assertNoLeakedSecrets to false.
|
||
|
assertNoLeakedSecrets: true
|