community-grafana

Helm chart
# Chart-wide settings shared with other charts that read the same `global` keys.
global:
  # -- Overrides the Docker registry globally for all images
  # NOTE(review): an override moves every image pull to another registry; the
  # `sha:` digests set on individual images further down are presumably still
  # applied after the override - confirm against the image helper template.
  imageRegistry: null
  # To help compatibility with other charts which use global.imagePullSecrets.
  # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style).
  # Can be templated.
  # global:
  #   imagePullSecrets:
  #   - name: pullSecret1
  #   - name: pullSecret2
  # or
  # global:
  #   imagePullSecrets:
  #   - pullSecret1
  #   - pullSecret2
  # Only Secret names are listed here; the registry credentials themselves live
  # in the referenced Secret objects, not in this values file.
  imagePullSecrets: []
# RBAC objects created for the Grafana ServiceAccount.
rbac:
  create: true
  ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
  # useExistingRole: name-of-some-role
  # useExistingClusterRole: name-of-some-clusterRole
  # PodSecurityPolicy switches; the PodSecurityPolicy API was removed in
  # Kubernetes 1.25, so these only matter on older clusters.
  pspEnabled: false
  pspUseAppArmor: false
  # With `namespaced: false` the cluster-scoped variant (ClusterRole) applies, per
  # the comment above. NOTE(review): the rules granted by that ClusterRole are not
  # visible in this file - review the rendered manifest, and set `namespaced: true`
  # when Grafana and its sidecars only need objects in their own namespace.
  namespaced: false
  # Additional rules appended to the Role / ClusterRole. Keep verbs and resources
  # as narrow as the use case allows; every rule here widens what the pod's
  # ServiceAccount token can do.
  extraRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
  extraClusterRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
# ServiceAccount used by the Grafana pod.
serviceAccount:
  create: true
  name: ""
  nameTest: ""
  ## ServiceAccount labels.
  labels: {}
  ## Service account annotations. Can be templated.
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here

  ## autoMount is deprecated in favor of automountServiceAccountToken
  # autoMount: false
  # ServiceAccount-level default for token mounting. NOTE(review): this file also
  # sets a top-level `automountServiceAccountToken: true`; in Kubernetes a value
  # set on the pod spec takes precedence over the ServiceAccount's, so `false`
  # here does not by itself keep the token out of the Grafana pod - confirm how
  # the templates use the two values.
  automountServiceAccountToken: false
# Number of Grafana pods when autoscaling is disabled.
replicas: 1
## Create a headless service for the deployment
headlessService: false
## Should the service account be auto mounted on the pod
# NOTE(review): `true` places an API token in the pod. That is needed only when
# something in the pod talks to the Kubernetes API (the sidecars defined under
# `sidecar:` make kube API calls); with no such container enabled, `false`
# removes a credential an attacker could use after compromising Grafana.
automountServiceAccountToken: true
## Create HorizontalPodAutoscaler object for deployment type
#
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 5
  # Quoted string, not a number; presumably a CPU utilisation percentage - confirm
  # against the HPA template.
  targetCPU: "60"
  targetMemory: ""
  behavior: {}
## See `kubectl explain poddisruptionbudget.spec` for more
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
# Empty by default; the commented keys below show the fields that can be set.
podDisruptionBudget: {}
#  apiVersion: ""
#  minAvailable: 1
#  maxUnavailable: 1
#  unhealthyPodEvictionPolicy: IfHealthyBudget

## See `kubectl explain deployment.spec.strategy` for more
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
deploymentStrategy:
  type: RollingUpdate
## The maximum time in seconds for a Deployment to make progress before it is considered to be failed.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
# `null` presumably leaves the field out so the Kubernetes default applies - confirm.
progressDeadlineSeconds: null
# Health probes for the Grafana container. Both query /api/health on the named
# container port `grafana` (the same name as `podPortName` in this file).
readinessProbe:
  httpGet:
    path: /api/health
    port: grafana
livenessProbe:
  httpGet:
    path: /api/health
    port: grafana
  # Liveness is lenient: a 60 s initial delay, 30 s per attempt, 10 failures
  # before the container is restarted.
  initialDelaySeconds: 60
  timeoutSeconds: 30
  failureThreshold: 10
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName: "default-scheduler"
# Grafana server image.
image:
  # -- The Docker registry
  registry: cgr.dev
  # -- Docker image repository
  repository: scratch-images/test-tmp/grafana
  # Overrides the Grafana image tag whose default is the chart appVersion
  tag: v13.0.1-r1
  # Content digest of the image. A digest is immutable, so the pull cannot be
  # redirected by someone re-pushing the tag. NOTE(review): when overriding
  # `tag`, update or clear `sha` as well - how the template combines the two is
  # not visible here, and a stale digest would keep deploying the old image.
  sha: sha256:d69d96981159150bb3281d334a11aca5681699ff850f2d5c13a1516f5bc29438
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Can be templated.
  ##
  pullSecrets: []
  #   - myRegistryKeySecretName
# Pod run by `helm test`.
# NOTE(review): this is the one image in the visible part of the file that comes
# from docker.io and is identified by tag only - no `sha:` digest is set here,
# unlike the cgr.dev images. Its `securityContext` and `containerSecurityContext`
# are also empty, so the test pod does not inherit the hardening applied to the
# Grafana pod. Set `enabled: false` where `helm test` is not used, or mirror and
# pin the image (whether this block accepts a `sha` key is not shown - confirm).
testFramework:
  enabled: true
  ## The type of Helm hook used to run this test. Defaults to test.
  ## ref: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
  ##
  # hookType: test
  image:
    # -- The Docker registry
    registry: docker.io
    repository: bats/bats
    # Quoted so the version stays a string.
    tag: "1.13.0"
  imagePullPolicy: IfNotPresent
  securityContext: {}
  containerSecurityContext: {}
  resources: {}
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #    memory: 128Mi
# dns configuration for pod
# `~` is YAML null; presumably the field is then omitted and the Kubernetes
# default DNS policy applies - confirm against the pod template.
dnsPolicy: ~
dnsConfig: {}
  # nameservers:
  #   - 8.8.8.8
  # options:
  #   - name: ndots
  #     value: "2"
  #   - name: edns0

# Maps to the pod-level `hostUsers` field. Null leaves it unset; in Kubernetes,
# `hostUsers: false` runs the pod in its own user namespace, which limits what a
# container-root process can do on the node (requires cluster support).
hostUsers: ~
# Pod-level security context: Grafana runs as the unprivileged UID/GID 472 and
# volumes are group-owned by 472 via fsGroup.
securityContext:
  runAsNonRoot: true
  runAsUser: 472
  runAsGroup: 472
  fsGroup: 472
# Container-level hardening for the Grafana container: no privilege escalation,
# not privileged, all Linux capabilities dropped, runtime default seccomp filter.
# NOTE(review): `readOnlyRootFilesystem` is not set in this block; enabling it
# would need writable mounts for the paths Grafana writes to - confirm before
# changing.
containerSecurityContext:
  allowPrivilegeEscalation: false
  privileged: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
# Enable creating the grafana configmap
createConfigmap: true
# Extra configmaps to mount in grafana pods
# Values are templated.
# ConfigMaps are not a confidential store: anything mounted this way is readable
# by everyone who can read ConfigMaps in the namespace. Private keys belong in a
# Secret (see extraSecretMounts).
extraConfigmapMounts: []
  # - name: certs-configmap
  #   mountPath: /etc/grafana/ssl/
  #   subPath: certificates.crt # (optional)
  #   configMap: certs-configmap
  #   readOnly: true
  #   optional: false

extraEmptyDirMounts: []
  # - name: provisioning-notifiers
  #   mountPath: /etc/grafana/provisioning/notifiers

# Shadow `/usr/share/grafana/data/plugins-bundled` with an emptyDir so plugins
# listed under `plugins:` install cleanly into `/var/lib/grafana/plugins` instead
# of failing on the read-only bundled directory shipped in the Grafana image.
# Required for plugins moved out of core in Grafana 13 (e.g. `elasticsearch`,
# `cloudwatch`) when listed in `plugins:`. Side effect: any bundled plugin not
# explicitly listed in `plugins:` will not be available.
shadowBundledPlugins: false
# Apply extra labels to common labels.
extraLabels: {}
## Assign a PriorityClassName to pods if set
# priorityClassName:
# curl image used to download dashboards; pinned by tag and digest.
downloadDashboardsImage:
  # -- The Docker registry
  registry: cgr.dev
  repository: scratch-images/test-tmp/curl
  tag: 8.20.0-r0
  sha: sha256:0b6dab295c31b1df1ce889be44b034712808c9bd7bb8d38fecb182687bb44598
  pullPolicy: IfNotPresent
# Settings for the container that performs the dashboard download.
downloadDashboards:
  # Plain-text environment variables; keep tokens out of here and pass them with
  # envFromSecret or envValueFrom instead.
  env: {}
  envFromSecret: ""
  resources: {}
  # No privilege escalation, all capabilities dropped, runtime default seccomp.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
  #      name: configmap-name
  #      key: value_key
## Pod Annotations
# podAnnotations: {}

## ConfigMap Annotations
# configMapAnnotations: {}
  # argocd.argoproj.io/sync-options: Replace=true

## Pod Labels
# podLabels: {}
# Names of the container ports; the probes in this file refer to `grafana` by name.
podPortName: grafana
gossipPortName: gossip
## Deployment annotations
# annotations: {}
## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
service:
  enabled: true
  # ClusterIP keeps Grafana reachable only from inside the cluster.
  type: ClusterIP
  # Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
  ipFamilyPolicy: ""
  # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
  ipFamilies: []
  loadBalancerIP: ""
  loadBalancerClass: ""
  # Only relevant for `type: LoadBalancer`. An empty list places no source-IP
  # restriction on the load balancer, so set the allowed CIDRs when exposing
  # Grafana that way.
  loadBalancerSourceRanges: []
  # Service port 80 forwards to container port 3000. NOTE(review): nothing in
  # this block enables TLS, so traffic on this hop is presumably plain HTTP
  # unless TLS is terminated in front of the Service or configured in
  # grafana.ini - confirm.
  port: 80
  targetPort: 3000
    # targetPort: 4181 To be used with a proxy extraContainer
  ## Service annotations. Can be templated.
  annotations: {}
  labels: {}
  portName: service
  # Adds the appProtocol field to the service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
  appProtocol: ""
  sessionAffinity: ""
  # trafficDistribution allows specifying how traffic is distributed to Service endpoints.
  # Valid values: "" (default - standard load balancing),"PreferSameZone" (K8s 1.34+), "PreferSameNode" (K8s 1.35+), "PreferClose" (deprecated, use PreferSameZone),
  trafficDistribution: ""
serviceMonitor:
  ## If true, a ServiceMonitor CR is created for a prometheus operator
  ## https://github.com/coreos/prometheus-operator
  ##
  enabled: false
  path: /metrics
  #  namespace: monitoring  (defaults to use the namespace this chart is deployed to)
  labels: {}
  interval: 30s
  # Scrapes use plain HTTP by default and `basicAuth` is empty. NOTE(review): if
  # the metrics endpoint is protected in grafana.ini, set `basicAuth` (it refers
  # to Secret keys in the Prometheus Operator API) and `scheme: https` with a
  # matching `tlsConfig`.
  scheme: http
  tlsConfig: {}
  scrapeTimeout: 30s
  relabelings: []
  metricRelabelings: []
  basicAuth: {}
  targetLabels: []
# Additional ports published on the Service; each one widens what is reachable
# through it.
extraExposePorts: []
  # - name: keycloak
  #   port: 8080
  #   targetPort: 8080

# overrides pod.spec.hostAliases in the grafana deployment's pods
hostAliases: []
  # - ip: "1.2.3.4"
  #   hostnames:
  #     - "my.host.com"
# Ingress for reaching Grafana from outside the cluster; disabled by default.
ingress:
  enabled: false
  # ingressClassName: nginx
  # Values can be templated
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  labels: {}
  path: /
  pathType: Prefix
  # Placeholder host; replace it when enabling the Ingress. The first entry is
  # also used for `grafana.ini` `server.domain` in this file.
  hosts:
    - chart-example.local
  ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
  extraPaths: []
  # - path: /*
  #   pathType: Prefix
  #   backend:
  #     service:
  #       name: ssl-redirect
  #       port:
  #         name: use-annotation

  # Empty by default: an enabled Ingress with no `tls` entry carries Grafana
  # logins and session cookies without TLS unless the ingress controller adds it
  # by other means. Configure a certificate Secret here when enabling.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
# -- BETA: Configure the gateway routes for the chart here.
# More routes can be added by adding a dictionary key like the 'main' route.
# Be aware that this is an early beta of this feature,
# kube-prometheus-stack does not guarantee this works and is subject to change.
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
route:
  main:
    # -- Enables or disables the route
    enabled: false
    # -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
    apiVersion: gateway.networking.k8s.io/v1
    # -- Set the route kind
    # Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
    kind: HTTPRoute
    annotations: {}
    labels: {}
    # The first hostname is used for `grafana.ini` `server.domain` when the
    # Ingress is not enabled (see the `domain` template in this file).
    hostnames: []
    # - my-filter.example.com
    # Gateways this route attaches to. TLS is a property of the Gateway listener,
    # not of this route, so check the referenced Gateway when exposing Grafana.
    parentRefs: []
    # - name: acme-gw

    matches:
      - path:
          type: PathPrefix
          value: /
    ## Timeouts define the timeouts that can be configured for an HTTP request.
    ## Ref. https://gateway-api.sigs.k8s.io/api-types/httproute/#timeouts-optional
    timeouts: {}
    #  request: 10s
    #  backendRequest: 5s

    ## SessionPersistence defines and configures session persistence for the route rule.
    ## Ref. https://gateway-api.sigs.k8s.io/geps/gep-1619/
    sessionPersistence: {}
    #  sessionName: grafana-session
    #  type: Cookie
    #  absoluteTimeout: 48h
    #  cookieConfig:
    #    lifetimeType: Permanent

    ## Filters define the filters that are applied to requests that match this rule.
    filters: []
    ## Additional custom rules that can be added to the route
    additionalRules: []
    ## httpsRedirect adds a filter for redirecting to https (HTTP 301 Moved Permanently).
    ## To redirect HTTP traffic to HTTPS, you need to have a Gateway with both HTTP and HTTPS listeners.
    ## Matches and filters do not take effect if enabled.
    ## Ref. https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/
    httpsRedirect: false
# Resource requests and limits for the Grafana container. Empty by default, so
# the container runs without limits unless the namespace enforces them; setting
# limits bounds the effect of a runaway or abused Grafana process on the node.
resources: {}
#  limits:
#    cpu: 100m
#    memory: 128Mi
#  requests:
#    cpu: 100m
#    memory: 128Mi

## Node labels for pod assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
#
nodeSelector: {}
## Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Affinity for pod assignment (evaluated as template)
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Topology Spread Constraints
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
##
topologySpreadConstraints: []
## Additional init containers (evaluated as template)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
##
# Containers added here do not inherit `containerSecurityContext` from this file
# as far as this file shows; give each one its own securityContext.
extraInitContainers: []
## Enable and specify a container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
extraContainers: ""
# NOTE(review) on the example below: it pulls a `:latest` tag (mutable - pin a
# version or digest), passes `-client-secret=` and `-cookie-secret=` as
# command-line arguments (readable in the pod spec by anyone who can view the
# Deployment - source them from a Secret instead), and `-email-domain=*` admits
# any e-mail domain. Treat it as a syntax illustration only.
# extraContainers: |
# - name: proxy
#   image: quay.io/gambol99/keycloak-proxy:latest
#   args:
#   - -provider=github
#   - -client-id=
#   - -client-secret=
#   - -github-org=<ORG_NAME>
#   - -email-domain=*
#   - -cookie-secret=
#   - -http-address=http://0.0.0.0:4181
#   - -upstream-url=http://127.0.0.1:3000
#   ports:
#     - name: proxy-web
#       containerPort: 4181

## Volumes that can be used in init containers that will not be mounted to deployment pods
extraContainerVolumes: []
#  - name: volume-from-secret
#    secret:
#      secretName: secret-to-mount
#  - name: empty-dir-volume
#    emptyDir: {}
## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
##
# Disabled by default. Grafana's data directory is /var/lib/grafana/ (see
# `grafana.ini` `paths.data` in this file); without persistence its contents do
# not outlive the pod.
persistence:
  type: pvc
  enabled: false
  # storageClassName: default
  ## (Optional) Use this to bind the claim to an existing PersistentVolume (PV) by name.
  volumeName: ""
  accessModes:
    - ReadWriteOnce
  size: 10Gi
  # annotations: {}
  # Standard Kubernetes finalizer that blocks deletion of a PVC while a pod
  # still uses it.
  finalizers:
    - kubernetes.io/pvc-protection
  # selectorLabels: {}
  ## Sub-directory of the PV to mount. Can be templated.
  # subPath: ""
  ## Name of an existing PVC. Can be templated.
  # existingClaim:
  ## Extra labels to apply to a PVC.
  extraPvcLabels: {}
  disableWarning: false
  ## If persistence is not enabled, this allows to mount the
  ## local storage in-memory to improve performance
  ##
  inMemory:
    enabled: false
    ## The maximum usage on memory medium EmptyDir would be
    ## the minimum value between the SizeLimit specified
    ## here and the sum of memory limits of all containers in a pod
    ##
    # sizeLimit: 300Mi
  ## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve
  ## the current value of 'spec.volumeName' and incorporate it into the template.
  # NOTE(review): retrieving a live value means Helm reads the existing PVC from
  # the cluster at render time, so the deploying identity needs read access to
  # PVCs and offline rendering (`helm template`) presumably sees no value - confirm.
  lookupVolumeName: true
# Init container that resets ownership of the data volume before Grafana starts.
# NOTE(review): this is the only container in the visible part of the file that
# runs as root (runAsUser: 0, runAsNonRoot: false). It keeps a single capability,
# CHOWN, and drops the rest. Namespaces that enforce the Kubernetes "restricted"
# Pod Security Standard reject both the root user and the added capability; set
# `enabled: false` there and make the volume writable for UID/GID 472 through
# `securityContext.fsGroup` instead. Whether this container is rendered when
# persistence is disabled is not visible in this file - confirm.
initChownData:
  ## If false, data ownership will not be reset at startup
  ## This allows the grafana-server to be run with an arbitrary user
  ##
  enabled: true
  ## initChownData container image
  ##
  image:
    # -- The Docker registry
    registry: cgr.dev
    repository: scratch-images/test-tmp/busybox
    tag: glibc-1.37.0-r57
    # Digest pin, same scheme as the other cgr.dev images in this file.
    sha: sha256:a4df82542624593a943071c90310653381295bb95494ff58a4650101aefeafaf
    pullPolicy: IfNotPresent
  ## initChownData resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #    memory: 128Mi
  securityContext:
    readOnlyRootFilesystem: false
    runAsNonRoot: false
    runAsUser: 0
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add:
        - CHOWN
      drop:
        - ALL
# Administrator credentials when not using an existing secret (see below)
# NOTE(review): a password written into a values file ends up in version
# control and in the stored Helm release; prefer `admin.existingSecret`. What
# password the chart uses when `adminPassword` stays unset is not visible in
# this file - confirm before relying on it.
adminUser: admin
# adminPassword: strongpassword

# Use an existing secret for the admin user.
admin:
  ## Name of the secret. Can be templated.
  existingSecret: ""
  # Keys inside that Secret which hold the user name and the password.
  userKey: admin-user
  passwordKey: admin-password
## Define command to be executed at startup by grafana container
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
## Default is "run.sh" as defined in grafana's Dockerfile
# command:
# - "sh"
# - "/run.sh"

## Optionally define args if command is used
## Needed if using `hashicorp/envconsul` to manage secrets
## By default no arguments are set
# args:
# - "-secret"
# - "secret/grafana"
# - "./grafana"

## Extra environment variables that will be passed on to deployment pods
##
## to provide grafana with access to CloudWatch on AWS EKS:
## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later)
## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the
## same oidc eks provider as noted before (same as the existing line)
## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name
##
##  "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana",
##
## The `:sub` condition above is what restricts the role to this one service
## account; without it, other service accounts using the same OIDC provider
## could assume the role.
##
## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess
## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name)
##
## env:
##   AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here
##   AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
##   AWS_REGION: us-east-1
##
## 5. uncomment the EKS section in extraSecretMounts: below
## 6. uncomment the annotation section in the serviceAccount: above
##    make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn
## Values set under `env` are plain text in this file; use envFromSecret,
## envFromSecrets or envValueFrom for anything confidential.
env: {}
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
## Renders in container spec as:
##   env:
##     ...
##     - name: <key>
##       valueFrom:
##         <value rendered as YAML>
envValueFrom: {}
#  ENV_NAME:
#    configMapKeyRef:
#      name: configmap-name
#      key: value_key

## The name of a secret in the same kubernetes namespace which contain values to be added to the environment
## This can be useful for auth tokens, etc. Value is templated.
envFromSecret: ""
## Sensitive environment variables that will be rendered as new secret object
## This can be useful for auth tokens, etc.
## If the secret values contains "{{", they'll need to be properly escaped so that they are not interpreted by Helm
## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
# NOTE(review): the values still have to be written into this values file (or
# passed with --set) before they become a Secret, so they remain visible in
# version control and in the stored release; a pre-created Secret referenced via
# envFromSecret / envFromSecrets avoids that.
envRenderSecret: {}
## The names of secrets in the same kubernetes namespace which contain values to be added to the environment
## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key.
## Name is templated.
envFromSecrets: []
## - name: secret-name
##   prefix: prefix
##   optional: true

## The names of configmaps in the same kubernetes namespace which contain values to be added to the environment
## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key.
## Name is templated.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
envFromConfigMaps: []
## - name: configmap-name
##   prefix: prefix
##   optional: true

# Inject Kubernetes services as environment variables.
# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
# With `true`, the pod's environment lists the host and port of every Service in
# its namespace; set `false` when Grafana does not rely on those variables.
enableServiceLinks: true
## Additional grafana server secret mounts
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
extraSecretMounts: []
  # - name: secret-files
  #   mountPath: /etc/secrets
  #   secretName: grafana-secret-files
  #   readOnly: true
  #   optional: false
  #   subPath: ""
  #
  # for AWS EKS (cloudwatch) use the following (see also instruction in env: above)
  # The projected token below is scoped to the audience sts.amazonaws.com and
  # expires after 86400 seconds; defaultMode 420 is decimal for octal 0644.
  # - name: aws-iam-token
  #   mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
  #   readOnly: true
  #   projected:
  #     defaultMode: 420
  #     sources:
  #       - serviceAccountToken:
  #           audience: sts.amazonaws.com
  #           expirationSeconds: 86400
  #           path: token
  #
  # for CSI e.g. Azure Key Vault use the following
  # - name: secrets-store-inline
  #  mountPath: /run/secrets/vault.azure.com
  #  readOnly: true
  #  csi:
  #    driver: secrets-store.csi.k8s.io
  #    readOnly: true
  #    volumeAttributes:
  #      secretProviderClass: "akv-grafana-spc"
  #    nodePublishSecretRef:                       # Only required when using service principal mode
  #       name: grafana-akv-creds                  # Only required when using service principal mode

## Additional grafana server volume mounts
# Defines additional volume mounts.
extraVolumeMounts: []
  # - name: extra-volume-0
  #   mountPath: /mnt/volume0
  #   readOnly: true
  # - name: extra-volume-1
  #   mountPath: /mnt/volume1
  #   readOnly: true
  # - name: grafana-secrets
  #   mountPath: /mnt/volume2

## Additional Grafana server volumes
# NOTE(review): the `hostPath` example below mounts a directory of the node into
# the pod. hostPath volumes bypass much of the container isolation and are
# rejected by the Kubernetes "baseline" and "restricted" Pod Security Standards;
# prefer a PVC, a projected volume or a CSI volume.
extraVolumes: []
  # - name: extra-volume-0
  #   existingClaim: volume-claim
  # - name: extra-volume-1
  #   hostPath:
  #     path: /usr/shared/
  #     type: ""
  # - name: grafana-secrets
  #   csi:
  #     driver: secrets-store.csi.k8s.io
  #     readOnly: true
  #     volumeAttributes:
  #       secretProviderClass: "grafana-env-spc"

## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request
lifecycleHooks: {}
# postStart:
#   exec:
#     command: []
## Pass the plugins you want installed as a list.
##
# NOTE(review): plugins are code that runs inside Grafana. Entries without a
# version follow whatever the plugin source currently serves; pin versions, and
# list only URLs you control or trust. How and when the download happens, and
# whether signatures are checked, is not visible in this file - confirm.
plugins: []
  # - digrich-bubblechart-panel
  # - grafana-clock-panel
  ## You can also use other plugin download URL, as long as they are valid zip files,
  ## and specify the name of the plugin as prefix, with a version. Like this:
  # - marcusolsson-json-datasource@1.3.24@https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.24/download
## Configure grafana datasources
## ref: http://docs.grafana.org/administration/provisioning/#datasources
##
# NOTE(review): provisioning files can carry datasource credentials. Where this
# chart stores the rendered file (ConfigMap or Secret) is not visible here -
# confirm before placing passwords or tokens in this block, or reference them
# through environment variables backed by a Secret.
datasources: {}
#  datasources.yaml:
#    apiVersion: 1
#    datasources:
#    - name: Prometheus
#      type: prometheus
#      url: http://prometheus-prometheus-server
#      access: proxy
#      isDefault: true
#    - name: CloudWatch
#      type: cloudwatch
#      access: proxy
#      uid: cloudwatch
#      editable: false
#      jsonData:
#        authType: default
#        defaultRegion: us-east-1
#    deleteDatasources: []
#    - name: Prometheus
## Configure grafana alerting (can be templated)
## ref: https://docs.grafana.com/alerting/set-up/provision-alerting-resources/file-provisioning/
##
# NOTE(review): in the example below only `contactpoints.yaml` is wrapped in a
# `secret:` key; it is also the file that holds a credential (`integrationKey`).
# Presumably the wrapper makes the chart store that file in a Secret instead of
# a ConfigMap - confirm against the templates, and use the same wrapper for any
# other file that carries keys or tokens.
alerting: {}
  # policies.yaml:
  #   apiVersion: 1
  #   policies:
  #     - orgId: 1
  #       receiver: first_uid
  #
  # rules.yaml:
  #   apiVersion: 1
  #   groups:
  #     - orgId: 1
  #       name: '{{ .Chart.Name }}_my_rule_group'
  #       folder: my_first_folder
  #       interval: 60s
  #       rules:
  #         - uid: my_id_1
  #           title: my_first_rule
  #           condition: A
  #           data:
  #             - refId: A
  #               datasourceUid: '-100'
  #               model:
  #                 conditions:
  #                   - evaluator:
  #                       params:
  #                         - 3
  #                       type: gt
  #                     operator:
  #                       type: and
  #                     query:
  #                       params:
  #                         - A
  #                     reducer:
  #                       type: last
  #                     type: query
  #                 datasource:
  #                   type: __expr__
  #                   uid: '-100'
  #                 expression: 1==0
  #                 intervalMs: 1000
  #                 maxDataPoints: 43200
  #                 refId: A
  #                 type: math
  #           dashboardUid: my_dashboard
  #           panelId: 123
  #           noDataState: Alerting
  #           for: 60s
  #           annotations:
  #             some_key: some_value
  #           labels:
  #             team: sre_team_1
  #
  # contactpoints.yaml:
  #   secret:
  #     apiVersion: 1
  #     contactPoints:
  #       - orgId: 1
  #         name: cp_1
  #         receivers:
  #           - uid: first_uid
  #             type: pagerduty
  #             settings:
  #               integrationKey: XXX
  #               severity: critical
  #               class: ping failure
  #               component: Grafana
  #               group: app-stack
  #               summary: |
  #                 {{ `{{ include "default.message" . }}` }}
  #
  # templates.yaml:
  #   apiVersion: 1
  #   templates:
  #     - orgId: 1
  #       name: my_first_template
  #       template: |
  #         {{ `
  #         {{ define "my_first_template" }}
  #         Custom notification message
  #         {{ end }}
  #         ` }}
  #
  # mutetimes.yaml
  #   apiVersion: 1
  #   muteTimes:
  #     - orgId: 1
  #       name: mti_1
  #       # refer to https://prometheus.io/docs/alerting/latest/configuration/#time_interval-0
  #       time_intervals: {}
## Configure notifiers
## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
##
# Provisioning file for notification channels; empty by default. Channel settings
# can include webhook URLs or tokens - where the rendered file is stored is not
# visible in this file, so confirm before adding any.
notifiers: {}
#  notifiers.yaml:
#    notifiers:
#    - name: email-notifier
#      type: email
#      uid: email1
#      # either:
#      org_id: 1
#      # or
#      org_name: Main Org.
#      is_default: true
#      settings:
#        addresses: an_email_address@example.com
#    delete_notifiers:
## Configure grafana dashboard providers
## ref: http://docs.grafana.org/administration/provisioning/#dashboards
##
## `path` must be /var/lib/grafana/dashboards/<provider_name>
##
# Empty by default. In the example, `editable: true` lets users change
# provisioned dashboards in the UI and `disableDeletion: false` lets them be
# deleted; tighten both when dashboards should only change through this chart.
dashboardProviders: {}
#  dashboardproviders.yaml:
#    apiVersion: 1
#    providers:
#    - name: 'default'
#      orgId: 1
#      folder: ''
#      type: file
#      disableDeletion: false
#      editable: true
#      options:
#        path: /var/lib/grafana/dashboards/default
## Configure how curl fetches remote dashboards. The beginning dash is required.
## NOTE: This sets the default short flags for all dashboards, but these
## defaults can be overridden individually for each dashboard by setting
## curlOptions. See the example dashboards section below.
##
## -s  - silent mode
## -k  - skip TLS certificate verification (curl --insecure): the connection is
##       still encrypted, but the server's identity is not checked
## -f  - fail on HTTP error responses instead of saving the error page
## See the curl documentation for additional options
##
## NOTE(review): because of `-k`, a dashboard fetched over https is accepted from
## any server that answers, including one presenting an untrusted certificate,
## and any token sent with the request goes to that server. Where the download
## sources have valid certificates, "-sf" keeps verification on; for a private
## CA, supply the CA bundle to curl rather than disabling verification.
defaultCurlOptions: "-skf"
## Configure grafana dashboard to import
## NOTE: To use dashboards you must also enable/configure dashboardProviders
## ref: https://grafana.com/dashboards
##
## dashboards per provider, use provider name as key.
## For dashboards downloaded via gnetId or url, the optional "title" key overrides
## the dashboard title in the downloaded JSON so the UI displays your custom title.
##
# NOTE(review): the `token`, `gitlabToken`, `bearerToken` and `basic` keys in the
# examples are credentials written in plain text into this values file; how the
# chart passes them to curl is not visible here. Prefer sources that need no
# credential, or supply it through `downloadDashboards.envFromSecret`. The
# per-dashboard `curlOptions: "-sLf"` example omits `-k`, so certificate
# verification stays on for that download.
dashboards: {}
  # default:
  #   some-dashboard:
  #     json: |
  #       $RAW_JSON
  #   custom-dashboard:
  #     file: dashboards/custom-dashboard.json
  #   prometheus-stats:
  #     title: My Custom Dashboard Title  # optional; overrides the dashboard title in the downloaded JSON
  #     gnetId: 2
  #     revision: 2
  #     datasource: Prometheus
  #   local-dashboard:
  #     url: https://example.com/repository/test.json
  #     curlOptions: "-sLf"
  #     token: ''
  #   local-dashboard-base64:
  #     url: https://example.com/repository/test-b64.json
  #     token: ''
  #     b64content: true
  #   local-dashboard-gitlab:
  #     url: https://example.com/repository/test-gitlab.json
  #     gitlabToken: ''
  #   local-dashboard-bitbucket:
  #     url: https://example.com/repository/test-bitbucket.json
  #     bearerToken: ''
  #   local-dashboard-azure:
  #     url: https://example.com/repository/test-azure.json
  #     basic: ''
  #     acceptHeader: '*/*'
## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
## A provider's dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
## ConfigMap data example:
##
## data:
##   example-dashboard.json: |
##     RAW_JSON
##
dashboardsConfigMaps: {}
#  default: ""
## Grafana's primary configuration
## NOTE: values in map will be converted to ini format
## ref: http://docs.grafana.org/installation/configuration/
##
# NOTE(review): this map is converted to an ini file, presumably stored in the
# ConfigMap controlled by `createConfigmap` - confirm. Do not write secrets such
# as `client_secret` or SMTP/database passwords here in clear text; Grafana can
# read them from the environment or a file with the `$__env{VAR}` and
# `$__file{/path}` forms, backed by a Secret.
grafana.ini:
  paths:
    data: /var/lib/grafana/
    logs: /var/log/grafana
    plugins: /var/lib/grafana/plugins
    provisioning: /etc/grafana/provisioning
  analytics:
    # Grafana periodically contacts grafana.com to check for new versions; set
    # to false in egress-restricted or air-gapped environments.
    check_for_updates: true
  log:
    mode: console
  server:
    # Resolves to the first ingress host when the Ingress is enabled, else the
    # first route hostname when the main route is enabled, else ''.
    domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else if (and .Values.route.main.enabled .Values.route.main.hostnames) }}{{ tpl (.Values.route.main.hostnames | first) . }}{{ else }}''{{ end }}"
  unified_storage:
    index_path: /var/lib/grafana-search/bleve
  ## grafana Authentication can be enabled with the following values on grafana.ini
  # server:
  #   # The full public facing url you use in browser, used for redirects and emails
  #   root_url:
  # # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
  # auth.github:
  #   enabled: false
  #   allow_sign_up: false
  #   scopes: user:email,read:org
  #   auth_url: https://github.com/login/oauth/authorize
  #   token_url: https://github.com/login/oauth/access_token
  #   api_url: https://api.github.com/user
  #   team_ids:
  #   allowed_organizations:
  #   client_id:
  #   client_secret:
  ## LDAP Authentication can be enabled with the following values on grafana.ini
  ## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
  # auth.ldap:
  #   enabled: true
  #   allow_sign_up: true
  #   config_file: /etc/grafana/ldap.toml
  ## Grafana's alerting configuration
  # unified_alerting:
  #   enabled: true
  #   rule_version_record_limit: "5"
## Grafana's LDAP configuration
## Templated by the template in _helpers.tpl
## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
## ref: http://docs.grafana.org/installation/ldap/#configuration
ldap:
  enabled: false
  # `existingSecret` is a reference to an existing secret containing the ldap configuration
  # for Grafana in a key `ldap-toml`.
  existingSecret: ""
  # `config` is the content of `ldap.toml` that will be stored in the created secret
  # The chart stores it in a Secret, but the text (including any bind password)
  # is still written into this values file first; `existingSecret` avoids that.
  config: ""
  # The example uses LDAPS on port 636 and keeps certificate verification on
  # (`ssl_skip_verify = false`); keep it that way so bind credentials are only
  # sent to a verified directory server.
  # config: |-
  #   verbose_logging = true
  #   [[servers]]
  #   host = "my-ldap-server"
  #   port = 636
  #   use_ssl = true
  #   start_tls = false
  #   ssl_skip_verify = false
  #   bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"

# When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod
# This parameter is added because the ldap reload api is not working https://grafana.com/docs/grafana/latest/developers/http_api/admin/#reload-ldap-configuration
# To allow an extraContainer to restart the Grafana container
# Leave at false unless that restart mechanism is needed: with a shared process
# namespace, sidecars and extra containers can see - and, with sufficient
# privileges, signal - the Grafana process.
shareProcessNamespace: false
## Grafana's SMTP configuration
## NOTE: To enable, grafana.ini must be configured with smtp.enabled
## ref: http://docs.grafana.org/installation/configuration/#smtp
smtp:
  # `existingSecret` is a reference to an existing secret containing the smtp configuration
  # for Grafana.
  existingSecret: ""
  # Keys inside that Secret which hold the SMTP user name and password, so the
  # credentials never need to appear in this values file.
  userKey: "user"
  passwordKey: "password"
## Sidecars that collect the configmaps with specified label and store the included files into the respective folders
## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
# NOTE(review): the sidecars make Kubernetes API calls (see `skipTlsVerify`
# below), so an enabled sidecar needs a mounted ServiceAccount token and RBAC
# read access to the labelled objects. Anyone who can create a matching labelled
# ConfigMap in a namespace the sidecar searches can feed content into Grafana;
# keep the search scope and the RBAC as narrow as the deployment allows.
sidecar:
  image:
    # -- The Docker registry
    registry: cgr.dev
    repository: scratch-images/test-tmp/k8s-sidecar
    tag: 2.7.1-r0
    # Digest pin, same scheme as the other cgr.dev images in this file.
    sha: sha256:fa7c8caa44059baa6c534d38059fba7725f581e49cab521c2e248212b99444a7
  imagePullPolicy: IfNotPresent
  resources: {}
  #   limits:
  #     cpu: 100m
  #     memory: 100Mi
  #   requests:
  #     cpu: 50m
  #     memory: 50Mi
  # No privilege escalation, all capabilities dropped, runtime default seccomp.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  # skipTlsVerify Set to true to skip tls verification for kube api calls
  # Leave this unset: skipping verification means the sidecar would send its
  # ServiceAccount token to an API endpoint whose identity it has not checked.
  # skipTlsVerify: true
  enableUniqueFilenames: false
  readinessProbe: {}
  livenessProbe: {}
  # Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO
  # logLevel: INFO
959
alerts:
960
enabled: false
961
# Additional environment variables for the alerts sidecar
962
env: {}
963
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
964
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
965
## Renders in container spec as:
966
## env:
967
## ...
968
## - name: <key>
969
## valueFrom:
970
## <value rendered as YAML>
971
envValueFrom: {}
972
# ENV_NAME:
973
# configMapKeyRef:
974
# name: configmap-name
975
# key: value_key
976
# Do not reprocess already processed unchanged resources on k8s API reconnect.
977
# ignoreAlreadyProcessed: true
978
# label that the configmaps with alert are marked with (can be templated)
979
label: grafana_alert
980
# value of label that the configmaps with alert are set to (can be templated)
981
labelValue: ""
982
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
983
# logLevel: INFO
984
# If specified, the sidecar will search for alert config-maps inside this namespace.
985
# Otherwise the namespace in which the sidecar is running will be used.
986
# It's also possible to specify ALL to search in all namespaces
987
searchNamespace: null
988
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
989
watchMethod: WATCH
990
# search in configmap, secret or both
991
resource: both
992
#
993
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
994
# per default all resources of the type defined in {{ .Values.sidecar.alerts.resource }} will be checked.
995
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
996
# resourceName: "secret/alerts-1,configmap/alerts-0"
997
resourceName: ""
998
#
999
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1000
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1001
# watchServerTimeout: 3600
1002
#
1003
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1004
# If you have a network outage dropping all packets with no RST/FIN,
1005
# this is how long your client waits before realizing & dropping the connection.
1006
# defaults to 66sec (sic!)
1007
# watchClientTimeout: 60
1008
#
1009
# maxTotalRetries: Total number of retries to allow for any http request.
1010
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1011
# Set to 0 to fail on the first retry.
1012
# maxTotalRetries: 5
1013
#
1014
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1015
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1016
# Applies to all requests to reloadURL and k8s api requests.
1017
# Set to 0 to fail on the first retry of this type.
1018
# maxConnectRetries: 10
1019
#
1020
# maxReadRetries: How many times to retry on read errors for any http request
1021
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1022
# Applies to all requests to reloadURL and k8s api requests.
1023
# Set to 0 to fail on the first retry of this type.
1024
# maxReadRetries: 5
1025
#
1026
# Endpoint to send request to reload alerts
1027
reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload"
1028
# Absolute path to a script to execute after a configmap got reloaded.
1029
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1030
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1031
script: null
1032
skipReload: false
1033
# This is needed if skipReload is true, to load any alerts defined at startup time.
1034
# Deploy the alert sidecar as an initContainer.
1035
initAlerts: false
1036
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1037
# restartPolicy: Always
1038
# # only applies to native sidecars
1039
# startupProbe:
1040
# httpGet:
1041
# path: /healthz
1042
# port: 8080
1043
# initialDelaySeconds: 5
1044
# periodSeconds: 5
1045
# failureThreshold: 60 # 5 minutes
1046
# Additional alerts sidecar volume mounts
1047
extraMounts: []
1048
# Sets the size limit of the alert sidecar emptyDir volume
1049
sizeLimit: ""
1050
dashboards:
1051
enabled: false
1052
# Additional environment variables for the dashboards sidecar
1053
env: {}
1054
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1055
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1056
## Renders in container spec as:
1057
## env:
1058
## ...
1059
## - name: <key>
1060
## valueFrom:
1061
## <value rendered as YAML>
1062
envValueFrom: {}
1063
# ENV_NAME:
1064
# configMapKeyRef:
1065
# name: configmap-name
1066
# key: value_key
1067
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1068
# ignoreAlreadyProcessed: true
1069
SCProvider: true
1070
# label that the configmaps with dashboards are marked with (can be templated)
1071
label: grafana_dashboard
1072
# value of label that the configmaps with dashboards are set to (can be templated)
1073
labelValue: ""
1074
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1075
# logLevel: INFO
1076
# folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
1077
folder: /tmp/dashboards
1078
# The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
1079
defaultFolderName: null
1080
# Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
1081
# Otherwise the namespace in which the sidecar is running will be used.
1082
# It's also possible to specify ALL to search in all namespaces.
1083
searchNamespace: null
1084
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1085
watchMethod: WATCH
1086
# search in configmap, secret or both
1087
resource: both
1088
# If specified, the sidecar will look for annotation with this name to create folder and put graph here.
1089
# You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
1090
folderAnnotation: null
1091
#
1092
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1093
# per default all resources of the type defined in {{ .Values.sidecar.dashboards.resource }} will be checked.
1094
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1095
# resourceName: "secret/dashboards-0,configmap/dashboards-1"
1096
resourceName: ""
1097
#
1098
# maxTotalRetries: Total number of retries to allow for any http request.
1099
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1100
# Set to 0 to fail on the first retry.
1101
# maxTotalRetries: 5
1102
#
1103
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1104
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1105
# Applies to all requests to reloadURL and k8s api requests.
1106
# Set to 0 to fail on the first retry of this type.
1107
# maxConnectRetries: 10
1108
#
1109
# maxReadRetries: How many times to retry on read errors for any http request
1110
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1111
# Applies to all requests to reloadURL and k8s api requests.
1112
# Set to 0 to fail on the first retry of this type.
1113
# maxReadRetries: 5
1114
#
1115
# Endpoint to send request to reload alerts
1116
reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload"
1117
# Absolute path to a script to execute after a configmap got reloaded.
1118
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1119
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1120
script: null
1121
skipReload: false
1122
# This is needed if skipReload is true, to load any dashboards defined at startup time.
1123
# Deploy the dashboard sidecar as an initContainer.
1124
initDashboards: false
1125
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1126
# restartPolicy: Always
1127
# # only applies to native sidecars
1128
# startupProbe:
1129
# httpGet:
1130
# path: /healthz
1131
# port: 8083
1132
# initialDelaySeconds: 5
1133
# periodSeconds: 5
1134
# failureThreshold: 60 # 5 minutes
1135
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1136
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1137
# watchServerTimeout: 3600
1138
#
1139
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1140
# If you have a network outage dropping all packets with no RST/FIN,
1141
# this is how long your client waits before realizing & dropping the connection.
1142
# defaults to 66sec (sic!)
1143
# watchClientTimeout: 60
1144
#
1145
# provider configuration that lets grafana manage the dashboards
1146
provider:
1147
# name of the provider, should be unique
1148
name: sidecarProvider
1149
# orgid as configured in grafana
1150
orgid: 1
1151
# folder in which the dashboards should be imported in grafana
1152
folder: ''
1153
# <string> folder UID. will be automatically generated if not specified
1154
folderUid: ''
1155
# type of the provider
1156
type: file
1157
# disableDelete to activate a import-only behaviour
1158
disableDelete: false
1159
# allow updating provisioned dashboards from the UI
1160
allowUiUpdates: false
1161
# allow Grafana to replicate dashboard structure from filesystem
1162
foldersFromFilesStructure: false
1163
# Additional dashboards sidecar volume mounts
1164
extraMounts: []
1165
# Sets the size limit of the dashboard sidecar emptyDir volume
1166
sizeLimit: ""
1167
datasources:
1168
enabled: false
1169
# Additional environment variables for the datasourcessidecar
1170
env: {}
1171
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1172
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1173
## Renders in container spec as:
1174
## env:
1175
## ...
1176
## - name: <key>
1177
## valueFrom:
1178
## <value rendered as YAML>
1179
envValueFrom: {}
1180
# ENV_NAME:
1181
# configMapKeyRef:
1182
# name: configmap-name
1183
# key: value_key
1184
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1185
# ignoreAlreadyProcessed: true
1186
# label that the configmaps with datasources are marked with (can be templated)
1187
label: grafana_datasource
1188
# value of label that the configmaps with datasources are set to (can be templated)
1189
labelValue: ""
1190
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1191
# logLevel: INFO
1192
# If specified, the sidecar will search for datasource config-maps inside this namespace.
1193
# Otherwise the namespace in which the sidecar is running will be used.
1194
# It's also possible to specify ALL to search in all namespaces
1195
searchNamespace: null
1196
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1197
watchMethod: WATCH
1198
# search in configmap, secret or both
1199
resource: both
1200
#
1201
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1202
# per default all resources of the type defined in {{ .Values.sidecar.datasources.resource }} will be checked.
1203
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1204
# resourceName: "secret/datasources-0,configmap/datasources-15"
1205
resourceName: ""
1206
#
1207
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1208
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1209
# watchServerTimeout: 3600
1210
#
1211
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1212
# If you have a network outage dropping all packets with no RST/FIN,
1213
# this is how long your client waits before realizing & dropping the connection.
1214
# defaults to 66sec (sic!)
1215
# watchClientTimeout: 60
1216
#
1217
# maxTotalRetries: Total number of retries to allow for any http request.
1218
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1219
# Set to 0 to fail on the first retry.
1220
# maxTotalRetries: 5
1221
#
1222
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1223
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1224
# Applies to all requests to reloadURL and k8s api requests.
1225
# Set to 0 to fail on the first retry of this type.
1226
# maxConnectRetries: 10
1227
#
1228
# maxReadRetries: How many times to retry on read errors for any http request
1229
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1230
# Applies to all requests to reloadURL and k8s api requests.
1231
# Set to 0 to fail on the first retry of this type.
1232
# maxReadRetries: 5
1233
#
1234
# Endpoint to send request to reload datasources
1235
reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
1236
# Absolute path to a script to execute after a configmap got reloaded.
1237
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1238
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1239
script: null
1240
skipReload: false
1241
# This is needed if skipReload is true, to load any datasources defined at startup time.
1242
# Deploy the datasources sidecar as an initContainer.
1243
initDatasources: false
1244
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1245
# restartPolicy: Always
1246
# # only applies to native sidecars
1247
# startupProbe:
1248
# httpGet:
1249
# path: /healthz
1250
# port: 8081
1251
# initialDelaySeconds: 5
1252
# periodSeconds: 5
1253
# failureThreshold: 60 # 5 minutes
1254
# Additional datasources sidecar volume mounts
1255
extraMounts: []
1256
# Sets the size limit of the datasource sidecar emptyDir volume
1257
sizeLimit: ""
1258
plugins:
1259
enabled: false
1260
# Additional environment variables for the plugins sidecar
1261
env: {}
1262
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1263
# ignoreAlreadyProcessed: true
1264
# label that the configmaps with plugins are marked with (can be templated)
1265
label: grafana_plugin
1266
# value of label that the configmaps with plugins are set to (can be templated)
1267
labelValue: ""
1268
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1269
# logLevel: INFO
1270
# If specified, the sidecar will search for plugin config-maps inside this namespace.
1271
# Otherwise the namespace in which the sidecar is running will be used.
1272
# It's also possible to specify ALL to search in all namespaces
1273
searchNamespace: null
1274
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1275
watchMethod: WATCH
1276
# search in configmap, secret or both
1277
resource: both
1278
#
1279
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1280
# per default all resources of the type defined in {{ .Values.sidecar.plugins.resource }} will be checked.
1281
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1282
# resourceName: "secret/plugins-0,configmap/plugins-1"
1283
resourceName: ""
1284
#
1285
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1286
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1287
# watchServerTimeout: 3600
1288
#
1289
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1290
# If you have a network outage dropping all packets with no RST/FIN,
1291
# this is how long your client waits before realizing & dropping the connection.
1292
# defaults to 66sec (sic!)
1293
# watchClientTimeout: 60
1294
#
1295
# maxTotalRetries: Total number of retries to allow for any http request.
1296
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1297
# Set to 0 to fail on the first retry.
1298
# maxTotalRetries: 5
1299
#
1300
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1301
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1302
# Applies to all requests to reloadURL and k8s api requests.
1303
# Set to 0 to fail on the first retry of this type.
1304
# maxConnectRetries: 10
1305
#
1306
# maxReadRetries: How many times to retry on read errors for any http request
1307
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1308
# Applies to all requests to reloadURL and k8s api requests.
1309
# Set to 0 to fail on the first retry of this type.
1310
# maxReadRetries: 5
1311
#
1312
# Endpoint to send request to reload plugins
1313
reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
1314
# Absolute path to a script to execute after a configmap got reloaded.
1315
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1316
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1317
script: null
1318
skipReload: false
1319
# Deploy the datasource sidecar as an initContainer in addition to a container.
1320
# This is needed if skipReload is true, to load any plugins defined at startup time.
1321
initPlugins: false
1322
# Additional plugins sidecar volume mounts
1323
extraMounts: []
1324
# Sets the size limit of the plugin sidecar emptyDir volume
1325
sizeLimit: ""
1326
notifiers:
1327
enabled: false
1328
# Additional environment variables for the notifierssidecar
1329
env: {}
1330
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1331
# ignoreAlreadyProcessed: true
1332
# label that the configmaps with notifiers are marked with (can be templated)
1333
label: grafana_notifier
1334
# value of label that the configmaps with notifiers are set to (can be templated)
1335
labelValue: ""
1336
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1337
# logLevel: INFO
1338
# If specified, the sidecar will search for notifier config-maps inside this namespace.
1339
# Otherwise the namespace in which the sidecar is running will be used.
1340
# It's also possible to specify ALL to search in all namespaces
1341
searchNamespace: null
1342
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1343
watchMethod: WATCH
1344
# search in configmap, secret or both
1345
resource: both
1346
#
1347
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1348
# per default all resources of the type defined in {{ .Values.sidecar.notifiers.resource }} will be checked.
1349
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1350
# resourceName: "secret/notifiers-2,configmap/notifiers-1"
1351
resourceName: ""
1352
#
1353
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1354
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1355
# watchServerTimeout: 3600
1356
#
1357
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1358
# If you have a network outage dropping all packets with no RST/FIN,
1359
# this is how long your client waits before realizing & dropping the connection.
1360
# defaults to 66sec (sic!)
1361
# watchClientTimeout: 60
1362
#
1363
# maxTotalRetries: Total number of retries to allow for any http request.
1364
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1365
# Set to 0 to fail on the first retry.
1366
# maxTotalRetries: 5
1367
#
1368
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1369
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1370
# Applies to all requests to reloadURL and k8s api requests.
1371
# Set to 0 to fail on the first retry of this type.
1372
# maxConnectRetries: 10
1373
#
1374
# maxReadRetries: How many times to retry on read errors for any http request
1375
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1376
# Applies to all requests to reloadURL and k8s api requests.
1377
# Set to 0 to fail on the first retry of this type.
1378
# maxReadRetries: 5
1379
#
1380
# Endpoint to send request to reload notifiers
1381
reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload"
1382
# Absolute path to a script to execute after a configmap got reloaded.
1383
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1384
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1385
script: null
1386
skipReload: false
1387
# Deploy the notifier sidecar as an initContainer in addition to a container.
1388
# This is needed if skipReload is true, to load any notifiers defined at startup time.
1389
initNotifiers: false
1390
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1391
# restartPolicy: Always
1392
# # only applies to native sidecars
1393
# startupProbe:
1394
# httpGet:
1395
# path: /healthz
1396
# port: 8082
1397
# initialDelaySeconds: 5
1398
# periodSeconds: 5
1399
# failureThreshold: 60 # 5 minutes
1400
# Additional notifiers sidecar volume mounts
1401
extraMounts: []
1402
# Sets the size limit of the notifier sidecar emptyDir volume
1403
sizeLimit: ""
## Override the deployment namespace
##
namespaceOverride: ""
## Number of old ReplicaSets to retain
##
revisionHistoryLimit: 10
## Add a separate remote image renderer deployment/service
imageRenderer:
  deploymentStrategy: {}
  ## The maximum time in seconds for the image renderer Deployment to make progress before it is
  ## considered to be failed.
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
  progressDeadlineSeconds: null
  # Enable the image-renderer deployment & service
  enabled: false
  replicas: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPU: "60"
    targetMemory: ""
    behavior: {}
  # The url of remote image renderer if it is not in the same namespace with the grafana instance
  serverURL: ""
  # The callback url of grafana instances if it is not in the same namespace with the remote image renderer
  renderingCallbackURL: ""
  # Token used for authentication between Grafana and the remote image renderer.
  # Prefer `existingSecret` below so that the token is not stored in plain text in a values file.
  # NOTE(review): confirm which token is in effect when both this and `existingSecret` are empty,
  # and set an explicit random one.
  token: ""
  # Use an existing secret for the image renderer token. Must contain a key named "token".
  existingSecret: ""
  image:
    # -- The Docker registry
    registry: cgr.dev
    # image-renderer Image repository
    repository: scratch-images/test-tmp/grafana-image-renderer
    # image-renderer Image tag
    tag: 5.8.3-r0
    # image-renderer Image sha (optional)
    sha: sha256:0e8137c562ed7bb5dfeeabae394f0f18a12b7b1318f79bdb2690d604f67447d5
    # image-renderer Image pull secrets (optional)
    pullSecrets: []
    # image-renderer ImagePullPolicy
    pullPolicy: Always
  # extra environment variables
  env:
    # Listens on all interfaces of the pod; limiting who can reach the renderer relies on
    # `networkPolicy.limitIngress` below and on a CNI that enforces NetworkPolicy.
    HTTP_HOST: "0.0.0.0"
    # Fixes "Error: Failed to launch the browser process!\nchrome_crashpad_handler: --database is required"
    XDG_CONFIG_HOME: /tmp/.chromium
    XDG_CACHE_HOME: /tmp/.chromium
    # Note: `--no-sandbox` turns off the Chromium sandbox and `IGNORE_HTTPS_ERRORS: true` turns off
    # certificate validation; leave both commented out unless they are required.
    # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
    # RENDERING_MODE: clustered
    # IGNORE_HTTPS_ERRORS: true
  ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
  ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
  ## Renders in container spec as:
  ##   env:
  ##     ...
  ##     - name: <key>
  ##       valueFrom:
  ##         <value rendered as YAML>
  envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
  #      name: configmap-name
  #      key: value_key

  # image-renderer deployment serviceAccount
  serviceAccountName: ""
  # No service account token is mounted into the renderer pod by default.
  automountServiceAccountToken: false
  # image-renderer deployment hostUsers
  hostUsers: ~
  # image-renderer deployment securityContext
  securityContext: {}
  # image-renderer deployment container securityContext
  # Defaults: runtime default seccomp profile, all capabilities dropped, no privilege
  # escalation, read-only root filesystem.
  containerSecurityContext:
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop: ['ALL']
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
  ## image-renderer pod annotation
  podAnnotations: {}
  # image-renderer deployment Host Aliases
  hostAliases: []
  # image-renderer deployment priority class
  priorityClassName: ''
  # Path to the healthcheck endpoint. On Image Renderer v5.0.0 or newer, this is '/healthz'. Older versions use '/'.
  healthcheckPath: '/healthz'
  service:
    # Enable the image-renderer service
    enabled: true
    # image-renderer service port name
    portName: 'http'
    # image-renderer service port used by both service and deployment
    port: 8081
    targetPort: 8081
    # Adds the appProtocol field to the image-renderer service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
    appProtocol: ""
  serviceMonitor:
    ## If true, a ServiceMonitor CRD is created for a prometheus operator
    ## https://github.com/coreos/prometheus-operator
    ##
    enabled: false
    path: /metrics
    #  namespace: monitoring  (defaults to use the namespace this chart is deployed to)
    labels: {}
    interval: 1m
    scheme: http
    tlsConfig: {}
    scrapeTimeout: 30s
    relabelings: []
    # See: https://doc.crds.dev/github.com/prometheus-operator/kube-prometheus/monitoring.coreos.com/ServiceMonitor/v1@v0.11.0#spec-targetLabels
    targetLabels: []
    #   - targetLabel1
    #   - targetLabel2
  # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana
  grafanaProtocol: http
  # In case a sub_path is used this needs to be added to the image renderer callback
  grafanaSubPath: ""
  # name of the image-renderer port on the pod
  podPortName: http
  # number of image-renderer replica sets to keep
  revisionHistoryLimit: 10
  networkPolicy:
    # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
    limitIngress: true
    # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
    limitEgress: false
    # Allow additional services to access image-renderer (eg. Prometheus operator when ServiceMonitor is enabled)
    extraIngressSelectors: []
  resources: {}
  #   limits:
  #     cpu: 100m
  #     memory: 100Mi
  #   requests:
  #     cpu: 50m
  #     memory: 50Mi
  ## Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  ## Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## Affinity for pod assignment (evaluated as template)
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ##
  affinity: {}
  ## Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  # schedulerName: "default-scheduler"

  # Extra configmaps to mount in image-renderer pods
  extraConfigmapMounts: []
  # Extra secrets to mount in image-renderer pods
  extraSecretMounts: []
  # Extra volumes to mount in image-renderer pods
  extraVolumeMounts: []
  # Extra volumes for image-renderer pods
  extraVolumes: []
networkPolicy:
  # -- networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
  # With the default `false` no NetworkPolicy is created for Grafana at all.
  enabled: false
  # -- networkPolicy.ingress When true enables the creation
  # an ingress network policy
  ingress: true
  # -- networkPolicy.allowExternal Don't require client label for connections
  # The Policy model to apply. When set to false, only pods with the correct
  # client label will have network access to grafana port defined.
  # When true, grafana will accept connections from any source
  # (with the correct destination port).
  # Note: with the default `true`, enabling the policy does not restrict which sources can
  # reach the grafana port; set this to false to require the client label.
  allowExternal: true
  # -- networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
  # If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
  # and that match other criteria, the ones that have the good label, can reach the grafana.
  # But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
  # LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
  # </br>
  #
  # Example:
  #
  # ```
  # explicitNamespacesSelector:
  #   matchLabels:
  #     role: frontend
  #   matchExpressions:
  #    - {key: role, operator: In, values: [frontend]}
  # ```
  explicitNamespacesSelector: {}
  # -- networkPolicy.explicitIpBlocks List of CIDR blocks allowed as ingress sources.
  # Each entry must be a valid CIDR notation string (e.g. 10.0.0.0/8).
  # When defined, the specified CIDR ranges are added to the ingress `from` rules
  # using `ipBlock` entries and complement the other configured ingress sources.
  # </br>
  #
  # Example:
  #
  # ```
  # explicitIpBlocks:
  #   - 35.191.0.0/16
  #   - 130.211.0.0/22
  # ```
  #
  explicitIpBlocks: []
  egress:
    # -- networkPolicy.egress.enabled When enabled, an egress network policy will be
    # created allowing grafana to connect to external data sources from kubernetes cluster.
    # NOTE(review): confirm from the rendered NetworkPolicy what empty `ports` / `to` lists
    # allow before relying on this for egress restriction.
    enabled: false
    # -- networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked
    # for all pods in the grafana namespace.
    blockDNSResolution: false
    # -- networkPolicy.egress.ports Add individual ports to be allowed by the egress
    ports: []
    # Add ports to the egress by specifying - port: <port number>
    # E.X.
    # - port: 80
    # - port: 443
    #
    # -- networkPolicy.egress.to Allow egress traffic to specific destinations
    to: []
    # -- destinations to the egress by specifying - ipBlock: <CIDR>
    # E.X.
    # to:
    #  - namespaceSelector:
    #     matchExpressions:
    #     - {key: role, operator: In, values: [grafana]}
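# Enable backward compatibility with Kubernetes versions below 1.13, which do not have
# the enableServiceLinks option
enableKubeBackwardCompatibility: false
useStatefulSet: false

# extraObjects can be used to add dynamic manifests via values.
# Every entry is rendered and installed together with the release, with the same
# permissions as the rest of the chart. Review values files from other teams or
# repositories for unexpected entries here (RBAC objects, Secrets, workloads)
# before installing or upgrading.
extraObjects: []
# Examples:
# extraObjects:
#   - apiVersion: kubernetes-client.io/v1
#     kind: ExternalSecret
#     metadata:
#       name: grafana-secrets-{{ .Release.Name }}
#     spec:
#       backendType: gcpSecretsManager
#       data:
#         - key: grafana-admin-password
#           name: adminPassword
# Alternatively, you can use strings, which lets you use additional templating features:
# extraObjects:
#   - |
#     apiVersion: kubernetes-client.io/v1
#     kind: ExternalSecret
#     metadata:
#       name: grafana-secrets-{{ .Release.Name }}
#     spec:
#       backendType: gcpSecretsManager
#       data:
#         - key: grafana-admin-password
#           name: {{ include "some-other-template" }}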
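# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks that secret
# values are not exposed in the rendered grafana.ini configmap. It is enabled by default.
#
# To pass values into grafana.ini without exposing them in a configmap, use variable expansion:
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
#
# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap,
# you can disable this check by setting assertNoLeakedSecrets to false.
# Keep in mind that a ConfigMap is stored and served as plain configuration: anyone who
# can read ConfigMaps in the namespace, or the rendered manifests, can then read those
# values. Prefer leaving the check enabled and referencing the secrets instead.
assertNoLeakedSecrets: true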
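# updateMode options are:
# Off: In the Off update mode, the VPA recommender still analyzes resource usage and
#   generates recommendations, but these recommendations are not automatically applied
#   to Pods. The recommendations are only stored in the VPA object's .status field.
# Initial: In Initial mode, VPA only sets resource requests when Pods are first created.
#   It does not update resources for already running Pods, even if recommendations change
#   over time. The recommendations apply only during Pod creation.
# Recreate: In Recreate mode, VPA actively manages Pod resources by evicting Pods when
#   their current resource requests differ significantly from recommendations. When a Pod
#   is evicted, the workload controller (managing a Deployment, StatefulSet, etc) creates
#   a replacement Pod, and the VPA admission controller applies the updated resource
#   requests to the new Pod.
# InPlaceOrRecreate: In InPlaceOrRecreate mode, VPA first tries to apply updated resource
#   requests to running Pods in place and falls back to eviction, as in Recreate mode,
#   when an in-place update is not possible.
# Auto (deprecated): The Auto update mode is deprecated since VPA version 1.4.0. Use
#   Recreate for eviction-based updates, or InPlaceOrRecreate for in-place updates with
#   eviction fallback.
# Modes that evict Pods interrupt grafana while the replacement starts when the chart
# runs a single replica.
verticalPodAutoscaler:
  enabled: false
  # Quoted on purpose: a bare Off is read as a boolean by YAML 1.1 parsers.
  updateMode: "Off"
  controlledResources:
    cpu: true
    memory: true
  # Default safety bounds
  minAllowed:
    cpu: "25m"
    memory: "128Mi"
  maxAllowed:
    cpu: "1000m"
    memory: "1Gi"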