community-grafana

Helm chart
global:
  # -- Overrides the Docker registry globally for all images
  imageRegistry: null

  # Kept for compatibility with other charts that use global.imagePullSecrets.
  # Accepts either an array of {name: pullSecret} maps (k8s-style) or an array
  # of plain strings (the more common helm-style). Can be templated.
  # global:
  #   imagePullSecrets:
  #     - name: pullSecret1
  #     - name: pullSecret2
  # or
  # global:
  #   imagePullSecrets:
  #     - pullSecret1
  #     - pullSecret2
  imagePullSecrets: []
rbac:
  create: true
  ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
  # useExistingRole: name-of-some-role
  # useExistingClusterRole: name-of-some-clusterRole
  pspEnabled: false
  pspUseAppArmor: false
  namespaced: false
  # Only has an effect if namespaced: true is set
  namespaces: []
  # Additional rules for the Role; each entry takes apiGroups/resources/verbs.
  extraRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
  # Additional rules for the ClusterRole; same entry shape as above.
  extraClusterRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
serviceAccount:
  create: true
  name: ""
  nameTest: ""
  ## ServiceAccount labels.
  labels: {}
  ## Service account annotations. Can be templated.
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here

  ## autoMount is deprecated in favor of automountServiceAccountToken
  # autoMount: false
  automountServiceAccountToken: false
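replicas: 1

## Create a headless service for the deployment
headlessService: false

## Whether the service account token is auto-mounted into the pod.
## NOTE(review): in Kubernetes a pod-level automountServiceAccountToken takes
## precedence over the ServiceAccount-level one, so if this value is rendered
## into the pod spec (confirm against the deployment template) the API token
## is mounted even though serviceAccount.automountServiceAccountToken is
## false. Set it to false when nothing in the pod (for example a sidecar)
## needs to call the Kubernetes API.
automountServiceAccountToken: true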
## Create HorizontalPodAutoscaler object for deployment type
#
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 5
  targetCPU: "60"
  targetMemory: ""
  behavior: {}

## See `kubectl explain poddisruptionbudget.spec` for more
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
podDisruptionBudget: {}
# apiVersion: ""
# minAvailable: 1
# maxUnavailable: 1
# unhealthyPodEvictionPolicy: IfHealthyBudget

## See `kubectl explain deployment.spec.strategy` for more
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
deploymentStrategy:
  type: RollingUpdate

## The maximum time in seconds for a Deployment to make progress before it is considered to be failed.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
progressDeadlineSeconds: null
# Both probes issue an HTTP GET for /api/health on the port named "grafana".
readinessProbe:
  httpGet:
    path: /api/health
    port: grafana

livenessProbe:
  httpGet:
    path: /api/health
    port: grafana
  initialDelaySeconds: 60
  timeoutSeconds: 30
  failureThreshold: 10

## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName: "default-scheduler"
image:
  # -- The Docker registry
  registry: cgr.dev
  # -- Docker image repository
  repository: scratch-images/test-tmp/grafana
  # Overrides the Grafana image tag whose default is the chart appVersion
  tag: v13.0.2-r5
  # Image digest. Presumably the chart resolves the image by this digest when
  # it is set; confirm against the deployment template.
  sha: "sha256:62bca5165d94cf7138d36c7686d74871610653e315968ee1e097ad3d42966645"
  pullPolicy: IfNotPresent

  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Can be templated.
  ##
  pullSecrets: []
  # - myRegistryKeySecretName
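testFramework:
  enabled: true
  ## The type of Helm hook used to run this test. Defaults to test.
  ## ref: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
  ##
  # hookType: test
  ## NOTE(review): unlike the other images in this file, the test image is
  ## referenced by tag only (no `sha` digest) and is pulled from docker.io,
  ## and the test pod is enabled by default with empty security contexts.
  ## Mirror or pin the image (if this chart version accepts a digest for it),
  ## fill in the security contexts, or set enabled: false where `helm test`
  ## is not used.
  image:
    # -- The Docker registry
    registry: docker.io
    repository: bats/bats
    tag: "1.13.0"
  imagePullPolicy: IfNotPresent
  securityContext: {}
  containerSecurityContext: {}
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi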
# DNS configuration for the pod
dnsPolicy: null
dnsConfig: {}
# nameservers:
#   - 8.8.8.8
# options:
#   - name: ndots
#     value: "2"
#   - name: edns0

hostUsers: null
# Pod-level security context: run as the non-root uid/gid 472 and use the
# same gid as fsGroup.
securityContext:
  runAsNonRoot: true
  runAsUser: 472
  runAsGroup: 472
  fsGroup: 472

# Container-level security context: no privilege escalation, not privileged,
# every Linux capability dropped, runtime-default seccomp profile.
containerSecurityContext:
  allowPrivilegeEscalation: false
  privileged: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
# Enable creating the grafana configmap
createConfigmap: true

# Extra configmaps to mount in grafana pods
# Values are templated.
extraConfigmapMounts: []
# - name: certs-configmap
#   mountPath: /etc/grafana/ssl/
#   subPath: certificates.crt  # (optional)
#   configMap: certs-configmap
#   readOnly: true
#   optional: false

extraEmptyDirMounts: []
# - name: provisioning-notifiers
#   mountPath: /etc/grafana/provisioning/notifiers
# Shadow `/usr/share/grafana/data/plugins-bundled` with an emptyDir so plugins
# listed under `plugins:` install cleanly into `/var/lib/grafana/plugins` instead
# of failing on the read-only bundled directory shipped in the Grafana image.
# Required for plugins moved out of core in Grafana 13 (e.g. `elasticsearch`,
# `cloudwatch`) when listed in `plugins:`. Side effect: any bundled plugin not
# explicitly listed in `plugins:` will not be available.
shadowBundledPlugins: false

# Apply extra labels to common labels.
extraLabels: {}

## Assign a PriorityClassName to pods if set
# priorityClassName:
# Image used to download dashboards (a curl image).
downloadDashboardsImage:
  # -- The Docker registry
  registry: cgr.dev
  repository: scratch-images/test-tmp/curl
  tag: 8.20.0-r1
  sha: "sha256:642ed18dbbae01947dc9d36b3db333aacdb8d866b029ff952fb46f5472cf1dfe"
  pullPolicy: IfNotPresent

# Settings for the dashboard download container.
downloadDashboards:
  env: {}
  envFromSecret: ""
  resources: {}
  # No privilege escalation, all capabilities dropped, runtime-default seccomp.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  envValueFrom: {}
  # ENV_NAME:
  #   configMapKeyRef:
  #     name: configmap-name
  #     key: value_key
## Pod Annotations
# podAnnotations: {}

## ConfigMap Annotations
# configMapAnnotations: {}
#   argocd.argoproj.io/sync-options: Replace=true

## Pod Labels
# podLabels: {}

podPortName: grafana
gossipPortName: gossip

## Deployment annotations
# annotations: {}
## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
service:
  enabled: true
  type: ClusterIP
  # Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
  ipFamilyPolicy: ""
  # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
  ipFamilies: []
  loadBalancerIP: ""
  loadBalancerClass: ""
  # Client CIDRs allowed to reach the service when type is LoadBalancer.
  loadBalancerSourceRanges: []
  port: 80
  targetPort: 3000
  # targetPort: 4181  # To be used with a proxy extraContainer
  ## Service annotations. Can be templated.
  annotations: {}
  labels: {}
  portName: service
  # Adds the appProtocol field to the service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
  appProtocol: ""
  sessionAffinity: ""
  # trafficDistribution allows specifying how traffic is distributed to Service endpoints.
  # Valid values: "" (default - standard load balancing), "PreferSameZone" (K8s 1.34+), "PreferSameNode" (K8s 1.35+), "PreferClose" (deprecated, use PreferSameZone).
  trafficDistribution: ""
serviceMonitor:
  ## If true, a ServiceMonitor CR is created for a prometheus operator
  ## https://github.com/coreos/prometheus-operator
  ##
  enabled: false
  path: /metrics
  # namespace: monitoring  # (defaults to use the namespace this chart is deployed to)
  labels: {}
  # Set these to override the Prometheus global scrape interval/timeout.
  # interval: 30s
  # scrapeTimeout: 30s
  scheme: http
  tlsConfig: {}
  relabelings: []
  metricRelabelings: []
  basicAuth: {}
  targetLabels: []
extraExposePorts: []
# - name: keycloak
#   port: 8080
#   targetPort: 8080

# overrides pod.spec.hostAliases in the grafana deployment's pods
hostAliases: []
# - ip: "1.2.3.4"
#   hostnames:
#     - "my.host.com"
ingress:
  enabled: false
  # ingressClassName: nginx
  # Values can be templated
  annotations: {}
  # kubernetes.io/ingress.class: nginx
  # kubernetes.io/tls-acme: "true"
  labels: {}
  path: /
  pathType: Prefix
  hosts:
    - chart-example.local
  ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
  extraPaths: []
  # - path: /*
  #   pathType: Prefix
  #   backend:
  #     service:
  #       name: ssl-redirect
  #       port:
  #         name: use-annotation

  tls: []
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local
# -- BETA: Configure the gateway routes for the chart here.
# More routes can be added by adding a dictionary key like the 'main' route.
# Be aware that this is an early beta of this feature,
# kube-prometheus-stack does not guarantee this works and is subject to change.
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
route:
  main:
    # -- Enables or disables the route
    enabled: false
    # -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
    apiVersion: gateway.networking.k8s.io/v1
    # -- Set the route kind
    # Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
    kind: HTTPRoute
    annotations: {}
    labels: {}
    hostnames: []
    # - my-filter.example.com
    parentRefs: []
    # - name: acme-gw

    matches:
      - path:
          type: PathPrefix
          value: /
    ## Timeouts define the timeouts that can be configured for an HTTP request.
    ## Ref. https://gateway-api.sigs.k8s.io/api-types/httproute/#timeouts-optional
    timeouts: {}
    #   request: 10s
    #   backendRequest: 5s

    ## SessionPersistence defines and configures session persistence for the route rule.
    ## Ref. https://gateway-api.sigs.k8s.io/geps/gep-1619/
    sessionPersistence: {}
    #   sessionName: grafana-session
    #   type: Cookie
    #   absoluteTimeout: 48h
    #   cookieConfig:
    #     lifetimeType: Permanent

    ## Filters define the filters that are applied to requests that match this rule.
    filters: []
    ## Additional custom rules that can be added to the route
    additionalRules: []
    ## httpsRedirect adds a filter for redirecting to https (HTTP 301 Moved Permanently).
    ## To redirect HTTP traffic to HTTPS, you need to have a Gateway with both HTTP and HTTPS listeners.
    ## Matches and filters do not take effect if enabled.
    ## Ref. https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/
    httpsRedirect: false
# -- BETA: Configure Gateway API ListenerSet resources for the chart here.
# ListenerSet allows attaching additional listeners to an existing Gateway.
# More listener sets can be added by adding a dictionary key like the 'main' entry.
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
# [[ref]](https://gateway-api.sigs.k8s.io/reference/api-spec/main/spec/#listenerset)
listenerSet:
  main:
    # -- Enables or disables the listener set
    enabled: false
    # -- Set the ListenerSet apiVersion, e.g. gateway.networking.k8s.io/v1
    apiVersion: gateway.networking.k8s.io/v1
    annotations: {}
    labels: {}
    # -- Reference to the parent Gateway this ListenerSet attaches to
    parentRef: {}
    #   name: my-gateway
    #   namespace: default
    #   group: gateway.networking.k8s.io
    #   kind: Gateway

    # -- List of listeners to attach to the parent Gateway
    listeners: []
    # - name: https
    #   port: 443
    #   protocol: HTTPS
    #   hostname: grafana.example.com
    #   tls:
    #     mode: Terminate
    #     certificateRefs:
    #       - name: grafana-tls
    #   allowedRoutes:
    #     namespaces:
    #       from: Same
# Resource requests and limits; empty by default.
resources: {}
# limits:
#   cpu: 100m
#   memory: 128Mi
# requests:
#   cpu: 100m
#   memory: 128Mi

## Node labels for pod assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
#
nodeSelector: {}

## Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []

## Affinity for pod assignment (evaluated as template)
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}

## Topology Spread Constraints
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
##
topologySpreadConstraints: []
## Additional init containers (evaluated as template)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
##
extraInitContainers: []

## Enable and specify a container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
extraContainers: ""
# extraContainers: |
#   - name: proxy
#     image: quay.io/gambol99/keycloak-proxy:latest
#     args:
#       - -provider=github
#       - -client-id=
#       - -client-secret=
#       - -github-org=<ORG_NAME>
#       - -email-domain=*
#       - -cookie-secret=
#       - -http-address=http://0.0.0.0:4181
#       - -upstream-url=http://127.0.0.1:3000
#     ports:
#       - name: proxy-web
#         containerPort: 4181

## Volumes that can be used in init containers that will not be mounted to deployment pods
extraContainerVolumes: []
# - name: volume-from-secret
#   secret:
#     secretName: secret-to-mount
# - name: empty-dir-volume
#   emptyDir: {}
## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
##
persistence:
  type: pvc
  enabled: false
  # storageClassName: default
  ## (Optional) Use this to bind the claim to an existing PersistentVolume (PV) by name.
  volumeName: ""
  accessModes:
    - ReadWriteOnce
  size: 10Gi
  # annotations: {}
  finalizers:
    - kubernetes.io/pvc-protection
  # selectorLabels: {}
  ## Sub-directory of the PV to mount. Can be templated.
  # subPath: ""
  ## Name of an existing PVC. Can be templated.
  # existingClaim:
  ## Extra labels to apply to a PVC.
  extraPvcLabels: {}
  disableWarning: false

  ## If persistence is not enabled, this allows to mount the
  ## local storage in-memory to improve performance
  ##
  inMemory:
    enabled: false
    ## The maximum usage on memory medium EmptyDir would be
    ## the minimum value between the SizeLimit specified
    ## here and the sum of memory limits of all containers in a pod
    ##
    # sizeLimit: 300Mi

  ## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve
  ## the current value of 'spec.volumeName' and incorporate it into the template.
  lookupVolumeName: true
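initChownData:
  ## If false, data ownership will not be reset at startup
  ## This allows the grafana-server to be run with an arbitrary user
  ##
  ## NOTE(review): this init container runs as root (runAsUser: 0,
  ## runAsNonRoot: false) with CHOWN and DAC_OVERRIDE added back after
  ## dropping ALL, and it is enabled by default. Namespaces that enforce the
  ## "restricted" Pod Security Standard reject such a container. Where the
  ## data volume already has the right ownership (for example through
  ## securityContext.fsGroup), set enabled: false.
  enabled: true

  ## initChownData container image
  ##
  image:
    # -- The Docker registry
    registry: cgr.dev
    repository: scratch-images/test-tmp/busybox
    tag: glibc-1.37.0-r60
    sha: "sha256:655f0f89892d3134b1c3dfa0eded3c451b1f2d39916d829753f28c889a547bd5"
    pullPolicy: IfNotPresent

  ## initChownData resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  securityContext:
    readOnlyRootFilesystem: false
    runAsNonRoot: false
    runAsUser: 0
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      # Only the two capabilities listed under `add` are granted; everything
      # else is dropped.
      add:
        - CHOWN
        - DAC_OVERRIDE
      drop:
        - ALL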
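# Administrator credentials when not using an existing secret (see below)
# NOTE(review): a password set here lives in plain text in the values file
# and in the Helm release data; prefer admin.existingSecret below and keep
# adminPassword out of files committed to version control.
adminUser: admin
# adminPassword: strongpassword

# Use an existing secret for the admin user.
admin:
  ## Name of the secret. Can be templated.
  existingSecret: ""
  # Keys inside that secret holding the user name and the password.
  userKey: admin-user
  passwordKey: admin-password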
## Define command to be executed at startup by grafana container
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
## Default is "run.sh" as defined in grafana's Dockerfile
# command:
#   - "sh"
#   - "/run.sh"

## Optionally define args if command is used
## Needed if using `hashicorp/envconsul` to manage secrets
## By default no arguments are set
# args:
#   - "-secret"
#   - "secret/grafana"
#   - "./grafana"

## Extra environment variables that will be passed on to deployment pods
##
## to provide grafana with access to CloudWatch on AWS EKS:
## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later)
## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the
##    same oidc eks provider as noted before (same as the existing line)
##    also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name
##
##    "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana",
##
## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess
## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name)
##
## env:
##   AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here
##   AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
##   AWS_REGION: us-east-1
##
## 5. uncomment the EKS section in extraSecretMounts: below
## 6. uncomment the annotation section in the serviceAccount: above
##    make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn
env: {}
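## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
## Renders in container spec as:
##   env:
##     ...
##     - name: <key>
##       valueFrom:
##         <value rendered as YAML>
envValueFrom: {}
# ENV_NAME:
#   configMapKeyRef:
#     name: configmap-name
#     key: value_key

## The name of a secret in the same kubernetes namespace which contains values to be added to the environment
## This can be useful for auth tokens, etc. Value is templated.
envFromSecret: ""

## Sensitive environment variables that will be rendered as a new secret object
## This can be useful for auth tokens, etc.
## If the secret values contain "{{", they'll need to be properly escaped so that they are not interpreted by Helm
## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
## NOTE(review): values placed here are still written in plain text in the
## values file; for credentials that must not sit in the values file, use
## envFromSecret / envFromSecrets with a secret created outside the chart.
envRenderSecret: {}

## The names of secrets in the same kubernetes namespace which contain values to be added to the environment
## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key.
## Name is templated.
envFromSecrets: []
## - name: secret-name
##   prefix: prefix
##   optional: true

## The names of configmaps in the same kubernetes namespace which contain values to be added to the environment
## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key.
## Name is templated.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
envFromConfigMaps: []
## - name: configmap-name
##   prefix: prefix
##   optional: true

# Inject Kubernetes services as environment variables.
# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
enableServiceLinks: true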
## Additional grafana server secret mounts
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
extraSecretMounts: []
# - name: secret-files
#   mountPath: /etc/secrets
#   secretName: grafana-secret-files
#   readOnly: true
#   optional: false
#   subPath: ""
#
# for AWS EKS (cloudwatch) use the following (see also instruction in env: above)
# - name: aws-iam-token
#   mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
#   readOnly: true
#   projected:
#     defaultMode: 420
#     sources:
#       - serviceAccountToken:
#           audience: sts.amazonaws.com
#           expirationSeconds: 86400
#           path: token
#
# for CSI e.g. Azure Key Vault use the following
# - name: secrets-store-inline
#   mountPath: /run/secrets/vault.azure.com
#   readOnly: true
#   csi:
#     driver: secrets-store.csi.k8s.io
#     readOnly: true
#     volumeAttributes:
#       secretProviderClass: "akv-grafana-spc"
#     nodePublishSecretRef:  # Only required when using service principal mode
#       name: grafana-akv-creds  # Only required when using service principal mode

## Additional grafana server volume mounts
# Defines additional volume mounts.
extraVolumeMounts: []
# - name: extra-volume-0
#   mountPath: /mnt/volume0
#   readOnly: true
# - name: extra-volume-1
#   mountPath: /mnt/volume1
#   readOnly: true
# - name: grafana-secrets
#   mountPath: /mnt/volume2

## Additional Grafana server volumes
extraVolumes: []
# - name: extra-volume-0
#   existingClaim: volume-claim
# - name: extra-volume-1
#   hostPath:
#     path: /usr/shared/
#     type: ""
# - name: grafana-secrets
#   csi:
#     driver: secrets-store.csi.k8s.io
#     readOnly: true
#     volumeAttributes:
#       secretProviderClass: "grafana-env-spc"
## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request
lifecycleHooks: {}
# postStart:
#   exec:
#     command: []

## Pass the plugins you want installed as a list.
##
plugins: []
# - digrich-bubblechart-panel
# - grafana-clock-panel
## You can also use another plugin download URL, as long as it serves a valid zip file,
## and specify the name of the plugin as a prefix, with a version. Like this:
# - marcusolsson-json-datasource@1.3.24@https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.24/download
## Configure grafana datasources
## ref: http://docs.grafana.org/administration/provisioning/#datasources
##
datasources: {}
# datasources.yaml:
#   apiVersion: 1
#   datasources:
#     - name: Prometheus
#       type: prometheus
#       url: http://prometheus-prometheus-server
#       access: proxy
#       isDefault: true
#     - name: CloudWatch
#       type: cloudwatch
#       access: proxy
#       uid: cloudwatch
#       editable: false
#       jsonData:
#         authType: default
#         defaultRegion: us-east-1
#   deleteDatasources: []
#   # - name: Prometheus
## Configure grafana alerting (can be templated)
## ref: https://docs.grafana.com/alerting/set-up/provision-alerting-resources/file-provisioning/
##
alerting: {}
# policies.yaml:
#   apiVersion: 1
#   policies:
#     - orgId: 1
#       receiver: first_uid
#
# rules.yaml:
#   apiVersion: 1
#   groups:
#     - orgId: 1
#       name: '{{ .Chart.Name }}_my_rule_group'
#       folder: my_first_folder
#       interval: 60s
#       rules:
#         - uid: my_id_1
#           title: my_first_rule
#           condition: A
#           data:
#             - refId: A
#               datasourceUid: '-100'
#               model:
#                 conditions:
#                   - evaluator:
#                       params:
#                         - 3
#                       type: gt
#                     operator:
#                       type: and
#                     query:
#                       params:
#                         - A
#                     reducer:
#                       type: last
#                     type: query
#                 datasource:
#                   type: __expr__
#                   uid: '-100'
#                 expression: 1==0
#                 intervalMs: 1000
#                 maxDataPoints: 43200
#                 refId: A
#                 type: math
#           dashboardUid: my_dashboard
#           panelId: 123
#           noDataState: Alerting
#           for: 60s
#           annotations:
#             some_key: some_value
#           labels:
#             team: sre_team_1
#
# contactpoints.yaml:
#   secret:
#     apiVersion: 1
#     contactPoints:
#       - orgId: 1
#         name: cp_1
#         receivers:
#           - uid: first_uid
#             type: pagerduty
#             settings:
#               integrationKey: XXX
#               severity: critical
#               class: ping failure
#               component: Grafana
#               group: app-stack
#               summary: |
#                 {{ `{{ include "default.message" . }}` }}
#
# templates.yaml:
#   apiVersion: 1
#   templates:
#     - orgId: 1
#       name: my_first_template
#       template: |
#         {{ `
#         {{ define "my_first_template" }}
#         Custom notification message
#         {{ end }}
#         ` }}
#
# mutetimes.yaml:
#   apiVersion: 1
#   muteTimes:
#     - orgId: 1
#       name: mti_1
#       # refer to https://prometheus.io/docs/alerting/latest/configuration/#time_interval-0
#       time_intervals: {}
## Configure notifiers
## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
##
notifiers: {}
# notifiers.yaml:
#   notifiers:
#     - name: email-notifier
#       type: email
#       uid: email1
#       # either:
#       org_id: 1
#       # or
#       org_name: Main Org.
#       is_default: true
#       settings:
#         addresses: an_email_address@example.com
#   delete_notifiers:

## Configure grafana dashboard providers
## ref: http://docs.grafana.org/administration/provisioning/#dashboards
##
## `path` must be /var/lib/grafana/dashboards/<provider_name>
##
dashboardProviders: {}
# dashboardproviders.yaml:
#   apiVersion: 1
#   providers:
#     - name: 'default'
#       orgId: 1
#       folder: ''
#       type: file
#       disableDeletion: false
#       editable: true
#       options:
#         path: /var/lib/grafana/dashboards/default
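## Configure how curl fetches remote dashboards. The beginning dash is required.
## NOTE: This sets the default short flags for all dashboards, but these
## defaults can be overridden individually for each dashboard by setting
## curlOptions. See the example dashboards section below.
##
##  -s  - silent mode
##  -k  - skip TLS certificate verification (curl --insecure); the server is
##        not authenticated even when the URL is https
##  -f  - fail fast
## See the curl documentation for additional options
##
## NOTE(review): because -k is part of the default, dashboards fetched by URL
## are accepted from whichever server answers, so their content can be
## replaced in transit. Where the dashboard hosts present valid certificates,
## use "-sf" here, or set curlOptions without -k on each dashboard.
defaultCurlOptions: "-skf"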
## Configure grafana dashboard to import
## NOTE: To use dashboards you must also enable/configure dashboardProviders
## ref: https://grafana.com/dashboards
##
## dashboards per provider, use provider name as key.
## For dashboards downloaded via gnetId or url, the optional "title" key overrides
## the dashboard title in the downloaded JSON so the UI displays your custom title.
##
dashboards: {}
# default:
#   some-dashboard:
#     json: |
#       $RAW_JSON
#   custom-dashboard:
#     file: dashboards/custom-dashboard.json
#   prometheus-stats:
#     title: My Custom Dashboard Title  # optional; overrides the dashboard title in the downloaded JSON
#     gnetId: 2
#     revision: 2
#     datasource: Prometheus
#   local-dashboard:
#     url: https://example.com/repository/test.json
#     curlOptions: "-sLf"
#     token: ''
#   local-dashboard-base64:
#     url: https://example.com/repository/test-b64.json
#     token: ''
#     b64content: true
#   local-dashboard-gitlab:
#     url: https://example.com/repository/test-gitlab.json
#     gitlabToken: ''
#   local-dashboard-bitbucket:
#     url: https://example.com/repository/test-bitbucket.json
#     bearerToken: ''
#   local-dashboard-azure:
#     url: https://example.com/repository/test-azure.json
#     basic: ''
#     acceptHeader: '*/*'

## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
## A provider's dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
## ConfigMap data example:
##
## data:
##   example-dashboard.json: |
##     RAW_JSON
##
dashboardsConfigMaps: {}
# default: ""
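## Grafana's primary configuration
## NOTE: values in map will be converted to ini format
## ref: http://docs.grafana.org/installation/configuration/
##
## NOTE(review): presumably this map ends up in the Grafana ConfigMap (see
## createConfigmap) - confirm against the chart templates. If so, keep
## secrets such as auth.github client_secret out of it and supply them
## through envFromSecret / envValueFrom instead.
grafana.ini:
  paths:
    data: /var/lib/grafana/
    logs: /var/log/grafana
    plugins: /var/lib/grafana/plugins
    provisioning: /etc/grafana/provisioning
  analytics:
    check_for_updates: true
  log:
    mode: console
  server:
    # First ingress host if the ingress is enabled and has hosts, else the
    # first hostname of route.main if that route is enabled and has
    # hostnames, else an empty string.
    domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else if (and .Values.route.main.enabled .Values.route.main.hostnames) }}{{ tpl (.Values.route.main.hostnames | first) . }}{{ else }}''{{ end }}"
  unified_storage:
    index_path: /var/lib/grafana-search/bleve
  ## grafana Authentication can be enabled with the following values on grafana.ini
  # server:
  #   # The full public facing url you use in browser, used for redirects and emails
  #   root_url:
  # # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
  # auth.github:
  #   enabled: false
  #   allow_sign_up: false
  #   scopes: user:email,read:org
  #   auth_url: https://github.com/login/oauth/authorize
  #   token_url: https://github.com/login/oauth/access_token
  #   api_url: https://api.github.com/user
  #   team_ids:
  #   allowed_organizations:
  #   client_id:
  #   client_secret:
  ## LDAP Authentication can be enabled with the following values on grafana.ini
  ## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
  # auth.ldap:
  #   enabled: true
  #   allow_sign_up: true
  #   config_file: /etc/grafana/ldap.toml
  ## Grafana's alerting configuration
  # unified_alerting:
  #   enabled: true
  #   rule_version_record_limit: "5"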
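## Grafana's LDAP configuration
## Templated by the template in _helpers.tpl
## NOTE: To enable, grafana.ini must also be configured with auth.ldap.enabled
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
## ref: http://docs.grafana.org/installation/ldap/#configuration
ldap:
  enabled: false
  # `existingSecret` is a reference to an existing secret containing the ldap configuration
  # for Grafana in a key `ldap-toml`.
  # Prefer this over `config` when ldap.toml carries a bind password, so the credential
  # is not kept in a values file.
  existingSecret: ""
  # `config` is the content of `ldap.toml` that will be stored in the created secret
  config: ""
  # Example (commented out). It talks LDAPS on port 636 and leaves certificate
  # verification on (`ssl_skip_verify = false`); keep verification on so Grafana
  # authenticates the directory server before sending bind credentials to it.
  # config: |-
  #   verbose_logging = true
  #   [[servers]]
  #   host = "my-ldap-server"
  #   port = 636
  #   use_ssl = true
  #   start_tls = false
  #   ssl_skip_verify = false
  #   bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
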
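# When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod
# This parameter is added because the ldap reload api is not working https://grafana.com/docs/grafana/latest/developers/http_api/admin/#reload-ldap-configuration
# To allow an extraContainer to restart the Grafana container
# Sharing the process namespace removes process isolation between the containers of the pod,
# so leave this `false` unless an extra container really has to signal the Grafana process.
shareProcessNamespace: false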
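## Grafana's SMTP configuration
## NOTE: To enable, grafana.ini must be configured with smtp.enabled
## ref: http://docs.grafana.org/installation/configuration/#smtp
smtp:
  # `existingSecret` is a reference to an existing secret containing the smtp configuration
  # for Grafana.
  existingSecret: ""
  # NOTE(review): `userKey` / `passwordKey` presumably name the keys inside `existingSecret`
  # that hold the SMTP user and password; confirm against the chart templates.
  userKey: "user"
  passwordKey: "password"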
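## Sidecars that collect the configmaps with the specified label and store the included files in the respective folders
## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
##
## Review notes that apply to every sidecar below:
## - `resource: both` makes the sidecar read Secrets as well as ConfigMaps. Combined with
##   `searchNamespace: ALL` this needs read access across namespaces; narrow it with
##   `label`/`labelValue` and `resourceName` where possible.
## - `script` names a file the sidecar executes after a reload; only point it at a file
##   from a trusted mount.
## - `skipTlsVerify` turns off certificate verification for kube API calls; leave it unset
##   outside of debugging.
sidecar:
  image:
    # -- The Docker registry
    registry: cgr.dev
    repository: scratch-images/test-tmp/k8s-sidecar
    tag: 2.7.3-r3
    # Digest of the image; update it together with `tag`.
    # NOTE(review): how tag and digest are combined is decided in the chart templates, not shown here.
    sha: sha256:5c59e8f8685c4d46f49f27694519a5575f9427dffc3a0cee9e87cd2d4ae36118
  imagePullPolicy: IfNotPresent
  resources: {}
  #   limits:
  #     cpu: 100m
  #     memory: 100Mi
  #   requests:
  #     cpu: 50m
  #     memory: 50Mi
  # Container hardening for the sidecars: no privilege escalation, all capabilities
  # dropped, runtime default seccomp profile.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  # Set to true to skip tls verification for kube api calls. Can be overridden per sidecar
  # skipTlsVerify: true
  enableUniqueFilenames: false
  readinessProbe: {}
  livenessProbe: {}
  # Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO
  # logLevel: INFO
  alerts:
    enabled: false
    # Additional environment variables for the alerts sidecar
    env: {}
    ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
    ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
    ## Renders in container spec as:
    ##   env:
    ##     ...
    ##     - name: <key>
    ##       valueFrom:
    ##         <value rendered as YAML>
    envValueFrom: {}
    #  ENV_NAME:
    #    configMapKeyRef:
    #      name: configmap-name
    #      key: value_key
    # Do not reprocess already processed unchanged resources on k8s API reconnect.
    # ignoreAlreadyProcessed: true
    # Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
    # skipTlsVerify: true
    # label that the configmaps with alert are marked with (can be templated)
    label: grafana_alert
    # value of label that the configmaps with alert are set to (can be templated)
    labelValue: ""
    # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
    # logLevel: INFO
    # If specified, the sidecar will search for alert config-maps inside this namespace.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces
    searchNamespace: null
    # Method to use to detect ConfigMap changes. With WATCH the sidecar will issue WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
    watchMethod: WATCH
    # search in configmap, secret or both
    resource: both
    #
    # resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
    # per default all resources of the type defined in {{ .Values.sidecar.alerts.resource }} will be checked.
    # This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
    # resourceName: "secret/alerts-1,configmap/alerts-0"
    resourceName: ""
    #
    # watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
    # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
    # watchServerTimeout: 3600
    #
    # watchClientTimeout: is a client-side timeout, configuring your local socket.
    # If you have a network outage dropping all packets with no RST/FIN,
    # this is how long your client waits before realizing & dropping the connection.
    # defaults to 66sec (sic!)
    # watchClientTimeout: 60
    #
    # maxTotalRetries: Total number of retries to allow for any http request.
    # Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry.
    # maxTotalRetries: 5
    #
    # maxConnectRetries: How many connection-related errors to retry on for any http request.
    # These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxConnectRetries: 10
    #
    # maxReadRetries: How many times to retry on read errors for any http request
    # These errors are raised after the request was sent to the server, so the request may have side-effects.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxReadRetries: 5
    #
    # Endpoint to send request to reload alerts
    # The default targets Grafana's admin API on localhost, i.e. inside the pod.
    reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload"
    # Absolute path to a script to execute after a configmap got reloaded.
    # It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
    # Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
    script: null
    skipReload: false
    # This is needed if skipReload is true, to load any alerts defined at startup time.
    # Deploy the alert sidecar as an initContainer.
    initAlerts: false
    # Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
    # restartPolicy: Always
    # # only applies to native sidecars
    # startupProbe:
    #   httpGet:
    #     path: /healthz
    #     port: 8080
    #   initialDelaySeconds: 5
    #   periodSeconds: 5
    #   failureThreshold: 60 # 5 minutes
    # Additional alerts sidecar volume mounts
    extraMounts: []
    # Sets the size limit of the alert sidecar emptyDir volume
    sizeLimit: ""
  dashboards:
    enabled: false
    # Additional environment variables for the dashboards sidecar
    env: {}
    ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
    ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
    ## Renders in container spec as:
    ##   env:
    ##     ...
    ##     - name: <key>
    ##       valueFrom:
    ##         <value rendered as YAML>
    envValueFrom: {}
    #  ENV_NAME:
    #    configMapKeyRef:
    #      name: configmap-name
    #      key: value_key
    # Do not reprocess already processed unchanged resources on k8s API reconnect.
    # ignoreAlreadyProcessed: true
    # Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
    # skipTlsVerify: true
    SCProvider: true
    # label that the configmaps with dashboards are marked with (can be templated)
    label: grafana_dashboard
    # value of label that the configmaps with dashboards are set to (can be templated)
    labelValue: ""
    # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
    # logLevel: INFO
    # folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
    folder: /tmp/dashboards
    # The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
    defaultFolderName: null
    # Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces.
    searchNamespace: null
    # Method to use to detect ConfigMap changes. With WATCH the sidecar will issue WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
    watchMethod: WATCH
    # search in configmap, secret or both
    resource: both
    # If specified, the sidecar will look for annotation with this name to create folder and put graph here.
    # You can use this parameter together with `provider.foldersFromFilesStructure` to annotate configmaps and create folder structure.
    folderAnnotation: null
    #
    # resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
    # per default all resources of the type defined in {{ .Values.sidecar.dashboards.resource }} will be checked.
    # This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
    # resourceName: "secret/dashboards-0,configmap/dashboards-1"
    resourceName: ""
    #
    # maxTotalRetries: Total number of retries to allow for any http request.
    # Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry.
    # maxTotalRetries: 5
    #
    # maxConnectRetries: How many connection-related errors to retry on for any http request.
    # These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxConnectRetries: 10
    #
    # maxReadRetries: How many times to retry on read errors for any http request
    # These errors are raised after the request was sent to the server, so the request may have side-effects.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxReadRetries: 5
    #
    # Endpoint to send request to reload dashboards
    reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload"
    # Absolute path to a script to execute after a configmap got reloaded.
    # It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
    # Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
    script: null
    skipReload: false
    # This is needed if skipReload is true, to load any dashboards defined at startup time.
    # Deploy the dashboard sidecar as an initContainer.
    initDashboards: false
    # Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
    # restartPolicy: Always
    # # only applies to native sidecars
    # startupProbe:
    #   httpGet:
    #     path: /healthz
    #     port: 8083
    #   initialDelaySeconds: 5
    #   periodSeconds: 5
    #   failureThreshold: 60 # 5 minutes
    # watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
    # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
    # watchServerTimeout: 3600
    #
    # watchClientTimeout: is a client-side timeout, configuring your local socket.
    # If you have a network outage dropping all packets with no RST/FIN,
    # this is how long your client waits before realizing & dropping the connection.
    # defaults to 66sec (sic!)
    # watchClientTimeout: 60
    #
    # provider configuration that lets grafana manage the dashboards
    provider:
      # name of the provider, should be unique
      name: sidecarProvider
      # orgid as configured in grafana
      orgid: 1
      # folder in which the dashboards should be imported in grafana
      folder: ''
      # <string> folder UID. will be automatically generated if not specified
      folderUid: ''
      # type of the provider
      type: file
      # disableDelete to activate a import-only behaviour
      disableDelete: false
      # allow updating provisioned dashboards from the UI
      allowUiUpdates: false
      # allow Grafana to replicate dashboard structure from filesystem
      foldersFromFilesStructure: false
    # Additional dashboards sidecar volume mounts
    extraMounts: []
    # Sets the size limit of the dashboard sidecar emptyDir volume
    sizeLimit: ""
  datasources:
    enabled: false
    # Additional environment variables for the datasources sidecar
    env: {}
    ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
    ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
    ## Renders in container spec as:
    ##   env:
    ##     ...
    ##     - name: <key>
    ##       valueFrom:
    ##         <value rendered as YAML>
    envValueFrom: {}
    #  ENV_NAME:
    #    configMapKeyRef:
    #      name: configmap-name
    #      key: value_key
    # Do not reprocess already processed unchanged resources on k8s API reconnect.
    # ignoreAlreadyProcessed: true
    # Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
    # skipTlsVerify: true
    # label that the configmaps with datasources are marked with (can be templated)
    label: grafana_datasource
    # value of label that the configmaps with datasources are set to (can be templated)
    labelValue: ""
    # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
    # logLevel: INFO
    # If specified, the sidecar will search for datasource config-maps inside this namespace.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces
    searchNamespace: null
    # Method to use to detect ConfigMap changes. With WATCH the sidecar will issue WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
    watchMethod: WATCH
    # search in configmap, secret or both
    resource: both
    #
    # resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
    # per default all resources of the type defined in {{ .Values.sidecar.datasources.resource }} will be checked.
    # This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
    # resourceName: "secret/datasources-0,configmap/datasources-15"
    resourceName: ""
    #
    # watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
    # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
    # watchServerTimeout: 3600
    #
    # watchClientTimeout: is a client-side timeout, configuring your local socket.
    # If you have a network outage dropping all packets with no RST/FIN,
    # this is how long your client waits before realizing & dropping the connection.
    # defaults to 66sec (sic!)
    # watchClientTimeout: 60
    #
    # maxTotalRetries: Total number of retries to allow for any http request.
    # Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry.
    # maxTotalRetries: 5
    #
    # maxConnectRetries: How many connection-related errors to retry on for any http request.
    # These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxConnectRetries: 10
    #
    # maxReadRetries: How many times to retry on read errors for any http request
    # These errors are raised after the request was sent to the server, so the request may have side-effects.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxReadRetries: 5
    #
    # Endpoint to send request to reload datasources
    reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
    # Absolute path to a script to execute after a configmap got reloaded.
    # It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
    # Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
    script: null
    skipReload: false
    # This is needed if skipReload is true, to load any datasources defined at startup time.
    # Deploy the datasources sidecar as an initContainer.
    initDatasources: false
    # Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
    # restartPolicy: Always
    # # only applies to native sidecars
    # startupProbe:
    #   httpGet:
    #     path: /healthz
    #     port: 8081
    #   initialDelaySeconds: 5
    #   periodSeconds: 5
    #   failureThreshold: 60 # 5 minutes
    # Additional datasources sidecar volume mounts
    extraMounts: []
    # Sets the size limit of the datasource sidecar emptyDir volume
    sizeLimit: ""
  plugins:
    enabled: false
    # Additional environment variables for the plugins sidecar
    env: {}
    # Do not reprocess already processed unchanged resources on k8s API reconnect.
    # ignoreAlreadyProcessed: true
    # Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
    # skipTlsVerify: true
    # label that the configmaps with plugins are marked with (can be templated)
    label: grafana_plugin
    # value of label that the configmaps with plugins are set to (can be templated)
    labelValue: ""
    # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
    # logLevel: INFO
    # If specified, the sidecar will search for plugin config-maps inside this namespace.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces
    searchNamespace: null
    # Method to use to detect ConfigMap changes. With WATCH the sidecar will issue WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
    watchMethod: WATCH
    # search in configmap, secret or both
    resource: both
    #
    # resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
    # per default all resources of the type defined in {{ .Values.sidecar.plugins.resource }} will be checked.
    # This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
    # resourceName: "secret/plugins-0,configmap/plugins-1"
    resourceName: ""
    #
    # watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
    # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
    # watchServerTimeout: 3600
    #
    # watchClientTimeout: is a client-side timeout, configuring your local socket.
    # If you have a network outage dropping all packets with no RST/FIN,
    # this is how long your client waits before realizing & dropping the connection.
    # defaults to 66sec (sic!)
    # watchClientTimeout: 60
    #
    # maxTotalRetries: Total number of retries to allow for any http request.
    # Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry.
    # maxTotalRetries: 5
    #
    # maxConnectRetries: How many connection-related errors to retry on for any http request.
    # These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxConnectRetries: 10
    #
    # maxReadRetries: How many times to retry on read errors for any http request
    # These errors are raised after the request was sent to the server, so the request may have side-effects.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxReadRetries: 5
    #
    # Endpoint to send request to reload plugins
    reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
    # Absolute path to a script to execute after a configmap got reloaded.
    # It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
    # Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
    script: null
    skipReload: false
    # Deploy the plugins sidecar as an initContainer in addition to a container.
    # This is needed if skipReload is true, to load any plugins defined at startup time.
    initPlugins: false
    # Additional plugins sidecar volume mounts
    extraMounts: []
    # Sets the size limit of the plugin sidecar emptyDir volume
    sizeLimit: ""
  notifiers:
    enabled: false
    # Additional environment variables for the notifiers sidecar
    env: {}
    # Do not reprocess already processed unchanged resources on k8s API reconnect.
    # ignoreAlreadyProcessed: true
    # Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
    # skipTlsVerify: true
    # label that the configmaps with notifiers are marked with (can be templated)
    label: grafana_notifier
    # value of label that the configmaps with notifiers are set to (can be templated)
    labelValue: ""
    # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
    # logLevel: INFO
    # If specified, the sidecar will search for notifier config-maps inside this namespace.
    # Otherwise the namespace in which the sidecar is running will be used.
    # It's also possible to specify ALL to search in all namespaces
    searchNamespace: null
    # Method to use to detect ConfigMap changes. With WATCH the sidecar will issue WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
    watchMethod: WATCH
    # search in configmap, secret or both
    resource: both
    #
    # resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
    # per default all resources of the type defined in {{ .Values.sidecar.notifiers.resource }} will be checked.
    # This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
    # resourceName: "secret/notifiers-2,configmap/notifiers-1"
    resourceName: ""
    #
    # watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
    # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
    # watchServerTimeout: 3600
    #
    # watchClientTimeout: is a client-side timeout, configuring your local socket.
    # If you have a network outage dropping all packets with no RST/FIN,
    # this is how long your client waits before realizing & dropping the connection.
    # defaults to 66sec (sic!)
    # watchClientTimeout: 60
    #
    # maxTotalRetries: Total number of retries to allow for any http request.
    # Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry.
    # maxTotalRetries: 5
    #
    # maxConnectRetries: How many connection-related errors to retry on for any http request.
    # These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxConnectRetries: 10
    #
    # maxReadRetries: How many times to retry on read errors for any http request
    # These errors are raised after the request was sent to the server, so the request may have side-effects.
    # Applies to all requests to reloadURL and k8s api requests.
    # Set to 0 to fail on the first retry of this type.
    # maxReadRetries: 5
    #
    # Endpoint to send request to reload notifiers
    reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload"
    # Absolute path to a script to execute after a configmap got reloaded.
    # It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
    # Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
    script: null
    skipReload: false
    # Deploy the notifier sidecar as an initContainer in addition to a container.
    # This is needed if skipReload is true, to load any notifiers defined at startup time.
    initNotifiers: false
    # Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
    # restartPolicy: Always
    # # only applies to native sidecars
    # startupProbe:
    #   httpGet:
    #     path: /healthz
    #     port: 8082
    #   initialDelaySeconds: 5
    #   periodSeconds: 5
    #   failureThreshold: 60 # 5 minutes
    # Additional notifiers sidecar volume mounts
    extraMounts: []
    # Sets the size limit of the notifier sidecar emptyDir volume
    sizeLimit: ""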
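## Override the deployment namespace
## NOTE(review): an empty string presumably leaves the release namespace in use; confirm in the templates.
##
namespaceOverride: ""
## Number of old ReplicaSets to retain
##
revisionHistoryLimit: 10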
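## Add a separate remote image renderer deployment/service
##
## Review notes:
## - Grafana and the renderer authenticate to each other with a shared token (`token` /
##   `existingSecret`); supply it through `existingSecret` so it is not stored in values.
## - The renderer listens on all pod interfaces (`env.HTTP_HOST`); `networkPolicy.limitIngress`
##   is what restricts callers to the Grafana pods, and it only has an effect when the
##   cluster's network plugin enforces NetworkPolicy.
imageRenderer:
  deploymentStrategy: {}
  ## The maximum time in seconds for the image renderer Deployment to make progress before it is
  ## considered to be failed.
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
  progressDeadlineSeconds: null
  # Enable the image-renderer deployment & service
  enabled: false
  replicas: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPU: "60"
    targetMemory: ""
    behavior: {}
  # The url of remote image renderer if it is not in the same namespace with the grafana instance
  serverURL: ""
  # The callback url of grafana instances if it is not in the same namespace with the remote image renderer
  renderingCallbackURL: ""
  # Token used for authentication between Grafana and the remote image renderer.
  # NOTE(review): confirm in the chart templates which token is used when both `token` and
  # `existingSecret` are left empty, and do not rely on a built-in default.
  token: ""
  # Use an existing secret for the image renderer token. Must contain a key named "token".
  existingSecret: ""
  image:
    # -- The Docker registry
    registry: cgr.dev
    # image-renderer Image repository
    repository: scratch-images/test-tmp/grafana-image-renderer
    # image-renderer Image tag
    tag: 5.8.11-r0
    # image-renderer Image sha (optional)
    # Digest of the image; update it together with `tag`.
    sha: sha256:7a92b385837ab9fb1267b68b1f78701796236cc4729ac0eee01659eb0d051fea
    # image-renderer Image pull secrets (optional)
    pullSecrets: []
    # image-renderer ImagePullPolicy
    pullPolicy: Always
  dnsPolicy: ~
  dnsConfig: {}
  #   nameservers:
  #     - 8.8.8.8
  #   options:
  #     - name: ndots
  #       value: "2"
  #     - name: edns0
  # extra environment variables
  env:
    # Listen address of the renderer; "0.0.0.0" means every interface of the pod.
    HTTP_HOST: "0.0.0.0"
    # Fixes "Error: Failed to launch the browser process!\nchrome_crashpad_handler: --database is required"
    XDG_CONFIG_HOME: /tmp/.chromium
    XDG_CACHE_HOME: /tmp/.chromium
    # The commented examples below loosen security: `--no-sandbox` turns off the browser
    # sandbox and `IGNORE_HTTPS_ERRORS: true` accepts invalid TLS certificates. Enable them
    # only when required and understood.
    # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
    # RENDERING_MODE: clustered
    # IGNORE_HTTPS_ERRORS: true
  ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
  ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
  ## Renders in container spec as:
  ##   env:
  ##     ...
  ##     - name: <key>
  ##       valueFrom:
  ##         <value rendered as YAML>
  envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
  #      name: configmap-name
  #      key: value_key

  # image-renderer deployment serviceAccount
  serviceAccountName: ""
  # No service-account token is mounted into the renderer pod by default.
  automountServiceAccountToken: false
  # image-renderer deployment hostUsers
  hostUsers: ~
  # image-renderer deployment securityContext
  securityContext: {}
  # image-renderer deployment container securityContext
  # Defaults: runtime default seccomp profile, all capabilities dropped, no privilege
  # escalation, read-only root filesystem.
  containerSecurityContext:
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop: ['ALL']
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
  ## image-renderer pod annotation
  podAnnotations: {}
  # image-renderer deployment Host Aliases
  hostAliases: []
  # image-renderer deployment priority class
  priorityClassName: ''
  # Path to the healthcheck endpoint. On Image Renderer v5.0.0 or newer, this is '/healthz'. Older versions use '/'.
  healthcheckPath: '/healthz'
  service:
    # Enable the image-renderer service
    enabled: true
    # image-renderer service port name
    portName: 'http'
    # image-renderer service port used by both service and deployment
    port: 8081
    targetPort: 8081
    # Adds the appProtocol field to the image-renderer service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
    appProtocol: ""
  serviceMonitor:
    ## If true, a ServiceMonitor CRD is created for a prometheus operator
    ## https://github.com/coreos/prometheus-operator
    ##
    enabled: false
    path: /metrics
    #  namespace: monitoring  (defaults to use the namespace this chart is deployed to)
    labels: {}
    # Set these to override the Prometheus global scrape interval/timeout.
    # interval: 1m
    # scrapeTimeout: 30s
    scheme: http
    tlsConfig: {}
    relabelings: []
    # See: https://doc.crds.dev/github.com/prometheus-operator/kube-prometheus/monitoring.coreos.com/ServiceMonitor/v1@v0.11.0#spec-targetLabels
    targetLabels: []
    #   - targetLabel1
    #   - targetLabel2
  # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana
  grafanaProtocol: http
  # In case a sub_path is used this needs to be added to the image renderer callback
  grafanaSubPath: ""
  # name of the image-renderer port on the pod
  podPortName: http
  # number of image-renderer replica sets to keep
  revisionHistoryLimit: 10
  networkPolicy:
    # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
    limitIngress: true
    # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
    limitEgress: false
    # Allow additional services to access image-renderer (eg. Prometheus operator when ServiceMonitor is enabled)
    extraIngressSelectors: []
  resources: {}
  #   limits:
  #     cpu: 100m
  #     memory: 100Mi
  #   requests:
  #     cpu: 50m
  #     memory: 50Mi
  ## Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  ## Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## Affinity for pod assignment (evaluated as template)
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ##
  affinity: {}
  ## Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  # schedulerName: "default-scheduler"

  # Extra configmaps to mount in image-renderer pods
  extraConfigmapMounts: []
  # Extra secrets to mount in image-renderer pods
  extraSecretMounts: []
  # Extra volumes to mount in image-renderer pods
  extraVolumeMounts: []
  # Extra volumes for image-renderer pods
  extraVolumes: []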
1624
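networkPolicy:
  # -- networkPolicy.enabled Enable creation of NetworkPolicy resources.
  # Only Ingress traffic is filtered for now; egress filtering has its own
  # switch, networkPolicy.egress.enabled, further down.
  # With the default (false) this section creates no NetworkPolicy resources.
  enabled: false
  # -- networkPolicy.ingress When true, enables the creation of an ingress
  # network policy.
  ingress: true
  # -- networkPolicy.allowExternal Don't require client label for connections.
  # The Policy model to apply. When set to false, only pods with the correct
  # client label will have network access to the grafana port defined.
  # When true, grafana will accept connections from any source
  # (with the correct destination port).
  # Security note: with the default (true), enabling the policy does not narrow
  # which sources can reach the Grafana port. Set this to false to require the
  # client label, then use explicitNamespacesSelector / explicitIpBlocks for
  # any other sources that must be allowed.
  allowExternal: true
  # -- networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to
  # explicitly select namespaces from which traffic could be allowed.
  # If explicitNamespacesSelector is missing or set to {}, only client Pods that
  # are in the networkPolicy's namespace and that match the other criteria
  # (i.e. carry the client label) can reach grafana.
  # To make grafana reachable from clients in other namespaces, use this
  # LabelSelector to select those namespaces. Note that the networkPolicy's own
  # namespace must then also be selected explicitly.
  #
  # Example:
  #
  # ```
  # explicitNamespacesSelector:
  #   matchLabels:
  #     role: frontend
  #   matchExpressions:
  #     - {key: role, operator: In, values: [frontend]}
  # ```
  explicitNamespacesSelector: {}
  # -- networkPolicy.explicitIpBlocks List of CIDR blocks allowed as ingress
  # sources. Each entry must be a valid CIDR notation string (e.g. 10.0.0.0/8).
  # When defined, the specified CIDR ranges are added to the ingress `from`
  # rules using `ipBlock` entries and complement the other configured ingress
  # sources.
  # Security note: entries here are additional allowed sources, so keep each
  # range as narrow as the real client set; a wide range undoes the restriction
  # gained by setting allowExternal to false.
  #
  # Example:
  #
  # ```
  # explicitIpBlocks:
  #   - 35.191.0.0/16
  #   - 130.211.0.0/22
  # ```
  #
  explicitIpBlocks: []
  egress:
    # -- networkPolicy.egress.enabled When enabled, an egress network policy
    # will be created allowing grafana to connect to external data sources from
    # the kubernetes cluster.
    enabled: false
    # -- networkPolicy.egress.blockDNSResolution When enabled, DNS resolution
    # will be blocked for all pods in the grafana namespace.
    # NOTE(review): the scope is as stated by the chart; confirm against the
    # podSelector of the rendered policy before relying on it.
    blockDNSResolution: false
    # -- networkPolicy.egress.ports Add individual ports to be allowed by the
    # egress policy.
    ports: []
    # Add ports to the egress by specifying - port: <port number>
    # E.g.
    # - port: 80
    # - port: 443
    #
    # -- networkPolicy.egress.to Allow egress traffic to specific destinations.
    to: []
    # Add destinations to the egress by specifying - ipBlock: <CIDR>
    # E.g.
    # to:
    #   - namespaceSelector:
    #       matchExpressions:
    #         - {key: role, operator: In, values: [grafana]}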
1691
# Enable backward compatibility with Kubernetes versions below 1.13, which do not have the enableServiceLinks option
1692
enableKubeBackwardCompatibility: false
1693
useStatefulSet: false
1694
# extraObjects could be utilized to add dynamic manifests via values
1695
extraObjects: []
1696
# Examples:
1697
# extraObjects:
1698
# - apiVersion: kubernetes-client.io/v1
1699
# kind: ExternalSecret
1700
# metadata:
1701
# name: grafana-secrets-{{ .Release.Name }}
1702
# spec:
1703
# backendType: gcpSecretsManager
1704
# data:
1705
# - key: grafana-admin-password
1706
# name: adminPassword
1707
# Alternatively, you can use strings, which lets you use additional templating features:
1708
# extraObjects:
1709
# - |
1710
# apiVersion: kubernetes-client.io/v1
1711
# kind: ExternalSecret
1712
# metadata:
1713
# name: grafana-secrets-{{ .Release.Name }}
1714
# spec:
1715
# backendType: gcpSecretsManager
1716
# data:
1717
# - key: grafana-admin-password
1718
# name: {{ include "some-other-template" }}
1719
1720
# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks if secret
1721
# values are not exposed in the rendered grafana.ini configmap. It is enabled by default.
1722
#
1723
# To pass values into grafana.ini without exposing them in a configmap, use variable expansion:
1724
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
1725
#
1726
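# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap,
# you can disable this check by setting assertNoLeakedSecrets to false. Note that a ConfigMap stores its
# values in plain text, readable by anyone who can read ConfigMaps in the namespace, so variable expansion is the safer option.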
1728
assertNoLeakedSecrets: true
1729
# updateMode options are:
1730
# Off: In the Off update mode, the VPA recommender still analyzes resource usage and generates recommendations, but these recommendations are not automatically applied to Pods. The recommendations are only stored in the VPA object's .status field.
1731
# Initial: In Initial mode, VPA only sets resource requests when Pods are first created. It does not update resources for already running Pods, even if recommendations change over time. The recommendations apply only during Pod creation.
1732
# Recreate: In Recreate mode, VPA actively manages Pod resources by evicting Pods when their current resource requests differ significantly from recommendations. When a Pod is evicted, the workload controller (managing a Deployment, StatefulSet, etc) creates a replacement Pod, and the VPA admission controller applies the updated resource requests to the new Pod.
1733
# InPlaceOrRecreate: In InPlaceOrRecreate mode, VPA first tries to apply updated resource requests to running Pods in place, without evicting them. If an in-place update is not possible, it falls back to evicting the Pod as in Recreate mode, and the VPA admission controller applies the updated resource requests to the replacement Pod.
1734
# Auto (deprecated): The Auto update mode is deprecated since VPA version 1.4.0. Use Recreate for eviction-based updates, or InPlaceOrRecreate for in-place updates with eviction fallback.
1735
verticalPodAutoscaler:
1736
enabled: false
1737
updateMode: "Off"
1738
controlledResources:
1739
cpu: true
1740
memory: true
1741
# Default safety bounds
1742
minAllowed:
1743
cpu: "25m"
1744
memory: "128Mi"
1745
maxAllowed:
1746
cpu: "1000m"
1747
memory: "1Gi"
1748
