
grafana

Helm chart
1
global:
2
# -- Overrides the Docker registry globally for all images
3
imageRegistry: null
4
# To help compatibility with other charts which use global.imagePullSecrets.
5
# Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style).
6
# Can be templated.
7
# global:
8
# imagePullSecrets:
9
# - name: pullSecret1
10
# - name: pullSecret2
11
# or
12
# global:
13
# imagePullSecrets:
14
# - pullSecret1
15
# - pullSecret2
16
imagePullSecrets: []
17
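# NOTE(review): nesting restored from a flattened listing - confirm against
# the chart's values.yaml.
rbac:
  create: true
  ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
  # useExistingRole: name-of-some-role
  # useExistingClusterRole: name-of-some-clusterRole
  # PodSecurityPolicy was removed from Kubernetes in v1.25, so these two
  # switches only have an effect on older clusters.
  pspEnabled: false
  pspUseAppArmor: false
  # false selects the ClusterRole variant, true the namespaced Role (see the
  # comment above). Prefer true when cluster-wide access is not required.
  namespaced: false
  # Extra rules widen what the chart's role may do; list only the exact
  # apiGroups/resources/verbs that are needed and avoid wildcards.
  extraRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
  extraClusterRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []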
33
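# NOTE(review): nesting restored from a flattened listing - confirm against
# the chart's values.yaml.
serviceAccount:
  create: true
  # The bare `name:` and `nameTest:` keys parse as null.
  name:
  nameTest:
  ## ServiceAccount labels.
  labels: {}
  ## Service account annotations. Can be templated.
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here

  ## autoMount is deprecated in favor of automountServiceAccountToken
  # autoMount: false
  # ServiceAccount-level default: pods that use this account get no API token
  # mounted unless their pod spec opts in. In Kubernetes the pod-level field
  # takes precedence over this one.
  automountServiceAccountToken: false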
46
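replicas: 1

## Create a headless service for the deployment
headlessService: false

## Should the service account token be auto mounted on the pod
# Pod-level setting; in Kubernetes it takes precedence over the
# ServiceAccount's own automountServiceAccountToken, so with `true` the API
# token is readable by the containers in the Grafana pod.
# NOTE(review): presumably only needed when something in the pod calls the
# Kubernetes API (e.g. the sidecars) - confirm in the templates before
# setting this to false.
automountServiceAccountToken: true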
51
## Create HorizontalPodAutoscaler object for deployment type
52
#
53
autoscaling:
54
enabled: false
55
minReplicas: 1
56
maxReplicas: 5
57
targetCPU: "60"
58
targetMemory: ""
59
behavior: {}
60
## See `kubectl explain poddisruptionbudget.spec` for more
61
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
62
podDisruptionBudget: {}
63
# apiVersion: ""
64
# minAvailable: 1
65
# maxUnavailable: 1
66
# unhealthyPodEvictionPolicy: IfHealthyBudget
67
68
## See `kubectl explain deployment.spec.strategy` for more
69
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
70
deploymentStrategy:
71
type: RollingUpdate
72
readinessProbe:
73
httpGet:
74
path: /api/health
75
port: grafana
76
livenessProbe:
77
httpGet:
78
path: /api/health
79
port: grafana
80
initialDelaySeconds: 60
81
timeoutSeconds: 30
82
failureThreshold: 10
83
## Use an alternate scheduler, e.g. "stork".
84
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
85
##
86
# schedulerName: "default-scheduler"
87
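# NOTE(review): nesting restored from a flattened listing - confirm against
# the chart's values.yaml.
image:
  # -- The Docker registry
  registry: cgr.dev
  # -- Docker image repository
  repository: chainguard-private/grafana
  # Overrides the Grafana image tag whose default is the chart appVersion
  tag: latest
  # Digest pin: an image reference that carries a digest resolves to exactly
  # this content even though `latest` is a moving tag. Change tag and sha
  # together when upgrading.
  # NOTE(review): presumably the templates append `@<sha>` to the reference -
  # confirm, because `latest` without a digest combined with IfNotPresent can
  # leave nodes running different builds.
  sha: sha256:d69d96981159150bb3281d334a11aca5681699ff850f2d5c13a1516f5bc29438
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Can be templated.
  ##
  pullSecrets: []
  # - myRegistrKeySecretName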
103
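# NOTE(review): nesting restored from a flattened listing - confirm against
# the chart's values.yaml.
testFramework:
  enabled: true
  ## The type of Helm hook used to run this test. Defaults to test.
  ## ref: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
  ##
  # hookType: test
  # Unlike the cgr.dev images in this file, the test image is pulled from
  # docker.io and referenced by tag only (no sha). Mirror it into a trusted
  # registry or set enabled: false where an image policy applies.
  image:
    # -- The Docker registry
    registry: docker.io
    repository: bats/bats
    tag: "v1.4.1"
  imagePullPolicy: IfNotPresent
  # Both contexts are empty: these values supply no pod- or container-level
  # hardening for the test pod. Set them if the namespace enforces a
  # restricted Pod Security level.
  securityContext: {}
  containerSecurityContext: {}
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi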
124
# dns configuration for pod
125
dnsPolicy: ~
126
dnsConfig: {}
127
# nameservers:
128
# - 8.8.8.8
129
# options:
130
# - name: ndots
131
# value: "2"
132
# - name: edns0
133
134
hostUsers: ~
135
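# Pod-level security context: the default for every container in the pod
# unless a container sets its own values. Containers run as the non-root
# uid/gid 472, and fsGroup 472 is applied to volumes that support it.
securityContext:
  runAsNonRoot: true
  runAsUser: 472
  runAsGroup: 472
  fsGroup: 472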
140
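# Container-level hardening: no privilege escalation, not privileged, all
# Linux capabilities dropped, and the runtime's default seccomp profile.
# NOTE(review): nesting restored from a flattened listing - confirm against
# the chart's values.yaml.
# NOTE(review): readOnlyRootFilesystem is not set here; enabling it would
# need writable mounts for the paths Grafana writes to - evaluate separately.
containerSecurityContext:
  allowPrivilegeEscalation: false
  privileged: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault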
148
# Enable creating the grafana configmap
149
createConfigmap: true
150
# Extra configmaps to mount in grafana pods
151
# Values are templated.
152
extraConfigmapMounts: []
153
# - name: certs-configmap
154
# mountPath: /etc/grafana/ssl/
155
# subPath: certificates.crt # (optional)
156
# configMap: certs-configmap
157
# readOnly: true
158
# optional: false
159
160
extraEmptyDirMounts: []
161
# - name: provisioning-notifiers
162
# mountPath: /etc/grafana/provisioning/notifiers
163
164
# Apply extra labels to common labels.
165
extraLabels: {}
166
## Assign a PriorityClassName to pods if set
167
# priorityClassName:
168
downloadDashboardsImage:
169
# -- The Docker registry
170
registry: cgr.dev
171
repository: chainguard-private/curl
172
tag: latest
173
sha: sha256:d7a9f5275564869552a6b3f47828802e5c4b1c776cb84387133b2e56ab79815e
174
pullPolicy: IfNotPresent
175
downloadDashboards:
176
env: {}
177
envFromSecret: ""
178
resources: {}
179
securityContext:
180
allowPrivilegeEscalation: false
181
capabilities:
182
drop:
183
- ALL
184
seccompProfile:
185
type: RuntimeDefault
186
envValueFrom: {}
187
# ENV_NAME:
188
# configMapKeyRef:
189
# name: configmap-name
190
# key: value_key
191
## Pod Annotations
192
# podAnnotations: {}
193
194
## ConfigMap Annotations
195
# configMapAnnotations: {}
196
# argocd.argoproj.io/sync-options: Replace=true
197
198
## Pod Labels
199
# podLabels: {}
200
podPortName: grafana
201
gossipPortName: gossip
202
## Deployment annotations
203
# annotations: {}
204
205
## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
206
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
207
## ref: http://kubernetes.io/docs/user-guide/services/
208
##
209
service:
210
enabled: true
211
type: ClusterIP
212
# Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
213
ipFamilyPolicy: ""
214
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
215
ipFamilies: []
216
loadBalancerIP: ""
217
loadBalancerClass: ""
218
loadBalancerSourceRanges: []
219
port: 80
220
targetPort: 3000
221
# targetPort: 4181 To be used with a proxy extraContainer
222
## Service annotations. Can be templated.
223
annotations: {}
224
labels: {}
225
portName: service
226
# Adds the appProtocol field to the service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
227
appProtocol: ""
228
sessionAffinity: ""
229
serviceMonitor:
230
## If true, a ServiceMonitor CR is created for a prometheus operator
231
## https://github.com/coreos/prometheus-operator
232
##
233
enabled: false
234
path: /metrics
235
# namespace: monitoring (defaults to use the namespace this chart is deployed to)
236
labels: {}
237
interval: 30s
238
scheme: http
239
tlsConfig: {}
240
scrapeTimeout: 30s
241
relabelings: []
242
metricRelabelings: []
243
basicAuth: {}
244
targetLabels: []
245
extraExposePorts: []
246
# - name: keycloak
247
# port: 8080
248
# targetPort: 8080
249
250
# overrides pod.spec.hostAliases in the grafana deployment's pods
251
hostAliases: []
252
# - ip: "1.2.3.4"
253
# hostnames:
254
# - "my.host.com"
255
256
ingress:
257
enabled: false
258
# For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
259
# See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
260
# ingressClassName: nginx
261
# Values can be templated
262
annotations: {}
263
# kubernetes.io/ingress.class: nginx
264
# kubernetes.io/tls-acme: "true"
265
labels: {}
266
path: /
267
# pathType is only for k8s >= 1.18
268
pathType: Prefix
269
hosts:
270
- chart-example.local
271
## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
272
extraPaths: []
273
# - path: /*
274
# backend:
275
# serviceName: ssl-redirect
276
# servicePort: use-annotation
277
## Or for k8s > 1.19
278
# - path: /*
279
# pathType: Prefix
280
# backend:
281
# service:
282
# name: ssl-redirect
283
# port:
284
# name: use-annotation
285
286
tls: []
287
# - secretName: chart-example-tls
288
# hosts:
289
# - chart-example.local
290
# -- BETA: Configure the gateway routes for the chart here.
291
# More routes can be added by adding a dictionary key like the 'main' route.
292
# Be aware that this is an early beta of this feature,
293
# kube-prometheus-stack does not guarantee this works and is subject to change.
294
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
295
# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
296
route:
297
main:
298
# -- Enables or disables the route
299
enabled: false
300
# -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
301
apiVersion: gateway.networking.k8s.io/v1
302
# -- Set the route kind
303
# Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
304
kind: HTTPRoute
305
annotations: {}
306
labels: {}
307
hostnames: []
308
# - my-filter.example.com
309
parentRefs: []
310
# - name: acme-gw
311
312
matches:
313
- path:
314
type: PathPrefix
315
value: /
316
## Filters define the filters that are applied to requests that match this rule.
317
filters: []
318
## Additional custom rules that can be added to the route
319
additionalRules: []
320
## httpsRedirect adds a filter for redirecting to https (HTTP 301 Moved Permanently).
321
## To redirect HTTP traffic to HTTPS, you need to have a Gateway with both HTTP and HTTPS listeners.
322
## Matches and filters do not take effect if enabled.
323
## Ref. https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/
324
httpsRedirect: false
325
resources: {}
326
# limits:
327
# cpu: 100m
328
# memory: 128Mi
329
# requests:
330
# cpu: 100m
331
# memory: 128Mi
332
333
## Node labels for pod assignment
334
## ref: https://kubernetes.io/docs/user-guide/node-selection/
335
#
336
nodeSelector: {}
337
## Tolerations for pod assignment
338
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
339
##
340
tolerations: []
341
## Affinity for pod assignment (evaluated as template)
342
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
343
##
344
affinity: {}
345
## Topology Spread Constraints
346
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
347
##
348
topologySpreadConstraints: []
349
## Additional init containers (evaluated as template)
350
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
351
##
352
extraInitContainers: []
353
## Enable and specify a container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
354
extraContainers: ""
355
# extraContainers: |
356
# - name: proxy
357
# image: quay.io/gambol99/keycloak-proxy:latest
358
# args:
359
# - -provider=github
360
# - -client-id=
361
# - -client-secret=
362
# - -github-org=<ORG_NAME>
363
# - -email-domain=*
364
# - -cookie-secret=
365
# - -http-address=http://0.0.0.0:4181
366
# - -upstream-url=http://127.0.0.1:3000
367
# ports:
368
# - name: proxy-web
369
# containerPort: 4181
370
371
## Volumes that can be used in init containers that will not be mounted to deployment pods
372
extraContainerVolumes: []
373
# - name: volume-from-secret
374
# secret:
375
# secretName: secret-to-mount
376
# - name: empty-dir-volume
377
# emptyDir: {}
378
379
## Enable persistence using Persistent Volume Claims
380
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
381
##
382
persistence:
383
type: pvc
384
enabled: false
385
# storageClassName: default
386
## (Optional) Use this to bind the claim to an existing PersistentVolume (PV) by name.
387
volumeName: ""
388
accessModes:
389
- ReadWriteOnce
390
size: 10Gi
391
# annotations: {}
392
finalizers:
393
- kubernetes.io/pvc-protection
394
# selectorLabels: {}
395
## Sub-directory of the PV to mount. Can be templated.
396
# subPath: ""
397
## Name of an existing PVC. Can be templated.
398
# existingClaim:
399
## Extra labels to apply to a PVC.
400
extraPvcLabels: {}
401
disableWarning: false
402
## If persistence is not enabled, this allows to mount the
403
## local storage in-memory to improve performance
404
##
405
inMemory:
406
enabled: false
407
## The maximum usage on memory medium EmptyDir would be
408
## the minimum value between the SizeLimit specified
409
## here and the sum of memory limits of all containers in a pod
410
##
411
# sizeLimit: 300Mi
412
## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve
413
## the current value of 'spec.volumeName' and incorporate it into the template.
414
lookupVolumeName: true
415
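# NOTE(review): nesting restored from a flattened listing - confirm against
# the chart's values.yaml.
initChownData:
  ## If false, data ownership will not be reset at startup
  ## This allows the grafana-server to be run with an arbitrary user
  ##
  enabled: true
  ## initChownData container image
  ##
  image:
    # -- The Docker registry
    registry: cgr.dev
    repository: chainguard-private/busybox
    tag: latest
    sha: sha256:a4df82542624593a943071c90310653381295bb95494ff58a4650101aefeafaf
    pullPolicy: IfNotPresent
  ## initChownData resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  # This init container runs as root (uid 0) with every capability dropped
  # except CHOWN. A namespace that enforces the "restricted" Pod Security
  # level rejects runAsUser: 0 / runAsNonRoot: false and the added capability.
  # Where the volume honours fsGroup, setting enabled: false above avoids the
  # root container altogether.
  securityContext:
    readOnlyRootFilesystem: false
    runAsNonRoot: false
    runAsUser: 0
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add:
        - CHOWN
      drop:
        - ALL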
450
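# Administrator credentials when not using an existing secret (see below)
# Avoid setting adminPassword in a values file: the value then lives in
# version control and in the stored Helm release. Prefer admin.existingSecret
# so the password is only ever held in a Kubernetes Secret.
adminUser: admin
# adminPassword: strongpassword

# Use an existing secret for the admin user.
# NOTE(review): nesting restored from a flattened listing - confirm against
# the chart's values.yaml.
admin:
  ## Name of the secret. Can be templated.
  existingSecret: ""
  # Keys inside that secret that hold the user name and the password.
  userKey: admin-user
  passwordKey: admin-password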
460
## Define command to be executed at startup by grafana container
461
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
462
## Default is "run.sh" as defined in grafana's Dockerfile
463
# command:
464
# - "sh"
465
# - "/run.sh"
466
467
## Optionally define args if command is used
468
## Needed if using `hashicorp/envconsul` to manage secrets
469
## By default no arguments are set
470
# args:
471
# - "-secret"
472
# - "secret/grafana"
473
# - "./grafana"
474
475
## Extra environment variables that will be passed on to deployment pods
476
##
477
## to provide grafana with access to CloudWatch on AWS EKS:
478
## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later)
479
## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the
480
## same oidc eks provider as noted before (same as the existing line)
481
## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name
482
##
483
## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana",
484
##
485
## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess
486
## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name)
487
##
488
## env:
489
## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here
490
## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
491
## AWS_REGION: us-east-1
492
##
493
## 5. uncomment the EKS section in extraSecretMounts: below
494
## 6. uncomment the annotation section in the serviceAccount: above
495
## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn
496
env: {}
497
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
498
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
499
## Renders in container spec as:
500
## env:
501
## ...
502
## - name: <key>
503
## valueFrom:
504
## <value rendered as YAML>
505
envValueFrom: {}
506
# ENV_NAME:
507
# configMapKeyRef:
508
# name: configmap-name
509
# key: value_key
510
511
## The name of a secret in the same kubernetes namespace which contain values to be added to the environment
512
## This can be useful for auth tokens, etc. Value is templated.
513
envFromSecret: ""
514
## Sensitive environment variables that will be rendered as a new secret object
515
## This can be useful for auth tokens, etc.
516
## If the secret values contains "{{", they'll need to be properly escaped so that they are not interpreted by Helm
517
## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
518
envRenderSecret: {}
519
## The names of secrets in the same kubernetes namespace which contain values to be added to the environment
520
## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key.
521
## Name is templated.
522
envFromSecrets: []
523
## - name: secret-name
524
## prefix: prefix
525
## optional: true
526
527
## The names of configmaps in the same kubernetes namespace which contain values to be added to the environment
528
## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key.
529
## Name is templated.
530
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
531
envFromConfigMaps: []
532
## - name: configmap-name
533
## prefix: prefix
534
## optional: true
535
536
# Inject Kubernetes services as environment variables.
537
# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
538
enableServiceLinks: true
539
## Additional grafana server secret mounts
540
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
541
extraSecretMounts: []
542
# - name: secret-files
543
# mountPath: /etc/secrets
544
# secretName: grafana-secret-files
545
# readOnly: true
546
# optional: false
547
# subPath: ""
548
#
549
# for AWS EKS (cloudwatch) use the following (see also instruction in env: above)
550
# - name: aws-iam-token
551
# mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
552
# readOnly: true
553
# projected:
554
# defaultMode: 420
555
# sources:
556
# - serviceAccountToken:
557
# audience: sts.amazonaws.com
558
# expirationSeconds: 86400
559
# path: token
560
#
561
# for CSI e.g. Azure Key Vault use the following
562
# - name: secrets-store-inline
563
# mountPath: /run/secrets/vault.azure.com
564
# readOnly: true
565
# csi:
566
# driver: secrets-store.csi.k8s.io
567
# readOnly: true
568
# volumeAttributes:
569
# secretProviderClass: "akv-grafana-spc"
570
# nodePublishSecretRef: # Only required when using service principal mode
571
# name: grafana-akv-creds # Only required when using service principal mode
572
573
## Additional grafana server volume mounts
574
# Defines additional volume mounts.
575
extraVolumeMounts: []
576
# - name: extra-volume-0
577
# mountPath: /mnt/volume0
578
# readOnly: true
579
# - name: extra-volume-1
580
# mountPath: /mnt/volume1
581
# readOnly: true
582
# - name: grafana-secrets
583
# mountPath: /mnt/volume2
584
585
## Additional Grafana server volumes
586
extraVolumes: []
587
# - name: extra-volume-0
588
# existingClaim: volume-claim
589
# - name: extra-volume-1
590
# hostPath:
591
# path: /usr/shared/
592
# type: ""
593
# - name: grafana-secrets
594
# csi:
595
# driver: secrets-store.csi.k8s.io
596
# readOnly: true
597
# volumeAttributes:
598
# secretProviderClass: "grafana-env-spc"
599
600
## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request
601
lifecycleHooks: {}
602
# postStart:
603
# exec:
604
# command: []
605
606
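## Pass the plugins you want installed as a list.
##
# Plugins are third-party code that runs with Grafana's access to its data
# sources. Install only plugins you have reviewed and pin an explicit version
# where the source allows it.
plugins: []
# - digrich-bubblechart-panel
# - grafana-clock-panel
## You can also use other plugin download URL, as long as they are valid zip files,
## and specify the name of the plugin after the semicolon. Like this:
# - https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.2/download;marcusolsson-json-datasource
# NOTE(review): nothing in these values carries a checksum for a zip fetched
# from a URL, so its integrity rests on the HTTPS connection to that host -
# use https:// URLs from a source you control or trust.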
614
615
## Configure grafana datasources
616
## ref: http://docs.grafana.org/administration/provisioning/#datasources
617
##
618
datasources: {}
619
# datasources.yaml:
620
# apiVersion: 1
621
# datasources:
622
# - name: Prometheus
623
# type: prometheus
624
# url: http://prometheus-prometheus-server
625
# access: proxy
626
# isDefault: true
627
# - name: CloudWatch
628
# type: cloudwatch
629
# access: proxy
630
# uid: cloudwatch
631
# editable: false
632
# jsonData:
633
# authType: default
634
# defaultRegion: us-east-1
635
# deleteDatasources: []
636
# - name: Prometheus
637
638
## Configure grafana alerting (can be templated)
639
## ref: https://docs.grafana.com/alerting/set-up/provision-alerting-resources/file-provisioning/
640
##
641
alerting: {}
642
# policies.yaml:
643
# apiVersion: 1
644
# policies:
645
# - orgId: 1
646
# receiver: first_uid
647
#
648
# rules.yaml:
649
# apiVersion: 1
650
# groups:
651
# - orgId: 1
652
# name: '{{ .Chart.Name }}_my_rule_group'
653
# folder: my_first_folder
654
# interval: 60s
655
# rules:
656
# - uid: my_id_1
657
# title: my_first_rule
658
# condition: A
659
# data:
660
# - refId: A
661
# datasourceUid: '-100'
662
# model:
663
# conditions:
664
# - evaluator:
665
# params:
666
# - 3
667
# type: gt
668
# operator:
669
# type: and
670
# query:
671
# params:
672
# - A
673
# reducer:
674
# type: last
675
# type: query
676
# datasource:
677
# type: __expr__
678
# uid: '-100'
679
# expression: 1==0
680
# intervalMs: 1000
681
# maxDataPoints: 43200
682
# refId: A
683
# type: math
684
# dashboardUid: my_dashboard
685
# panelId: 123
686
# noDataState: Alerting
687
# for: 60s
688
# annotations:
689
# some_key: some_value
690
# labels:
691
# team: sre_team_1
692
#
693
# contactpoints.yaml:
694
# secret:
695
# apiVersion: 1
696
# contactPoints:
697
# - orgId: 1
698
# name: cp_1
699
# receivers:
700
# - uid: first_uid
701
# type: pagerduty
702
# settings:
703
# integrationKey: XXX
704
# severity: critical
705
# class: ping failure
706
# component: Grafana
707
# group: app-stack
708
# summary: |
709
# {{ `{{ include "default.message" . }}` }}
710
#
711
# templates.yaml:
712
# apiVersion: 1
713
# templates:
714
# - orgId: 1
715
# name: my_first_template
716
# template: |
717
# {{ `
718
# {{ define "my_first_template" }}
719
# Custom notification message
720
# {{ end }}
721
# ` }}
722
#
723
# mutetimes.yaml
724
# apiVersion: 1
725
# muteTimes:
726
# - orgId: 1
727
# name: mti_1
728
# # refer to https://prometheus.io/docs/alerting/latest/configuration/#time_interval-0
729
# time_intervals: {}
730
731
## Configure notifiers
732
## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
733
##
734
notifiers: {}
735
# notifiers.yaml:
736
# notifiers:
737
# - name: email-notifier
738
# type: email
739
# uid: email1
740
# # either:
741
# org_id: 1
742
# # or
743
# org_name: Main Org.
744
# is_default: true
745
# settings:
746
# addresses: an_email_address@example.com
747
# delete_notifiers:
748
749
## Configure grafana dashboard providers
750
## ref: http://docs.grafana.org/administration/provisioning/#dashboards
751
##
752
## `path` must be /var/lib/grafana/dashboards/<provider_name>
753
##
754
dashboardProviders: {}
755
# dashboardproviders.yaml:
756
# apiVersion: 1
757
# providers:
758
# - name: 'default'
759
# orgId: 1
760
# folder: ''
761
# type: file
762
# disableDeletion: false
763
# editable: true
764
# options:
765
# path: /var/lib/grafana/dashboards/default
766
767
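## Configure how curl fetches remote dashboards. The beginning dash is required.
## NOTE: This sets the default short flags for all dashboards, but these
## defaults can be overridden individually for each dashboard by setting
## curlOptions. See the example dashboards section below.
##
## -s - silent mode
## -k - insecure: skip TLS certificate verification on HTTPS connections
## -f - fail fast: exit with an error on an HTTP error response
## See the curl documentation for additional options
##
## SECURITY: with -k the server's certificate is not checked, so a dashboard
## download (and any token sent with the request) is not protected against
## interception or tampering. Prefer "-sf"; for hosts signed by a private CA,
## make that CA available to curl (its --cacert option) instead of disabling
## verification.
defaultCurlOptions: "-skf"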
778
## Configure grafana dashboard to import
779
## NOTE: To use dashboards you must also enable/configure dashboardProviders
780
## ref: https://grafana.com/dashboards
781
##
782
## dashboards per provider, use provider name as key.
783
##
784
dashboards: {}
785
# default:
786
# some-dashboard:
787
# json: |
788
# $RAW_JSON
789
# custom-dashboard:
790
# file: dashboards/custom-dashboard.json
791
# prometheus-stats:
792
# gnetId: 2
793
# revision: 2
794
# datasource: Prometheus
795
# local-dashboard:
796
# url: https://example.com/repository/test.json
797
# curlOptions: "-sLf"
798
# token: ''
799
# local-dashboard-base64:
800
# url: https://example.com/repository/test-b64.json
801
# token: ''
802
# b64content: true
803
# local-dashboard-gitlab:
804
# url: https://example.com/repository/test-gitlab.json
805
# gitlabToken: ''
806
# local-dashboard-bitbucket:
807
# url: https://example.com/repository/test-bitbucket.json
808
# bearerToken: ''
809
# local-dashboard-azure:
810
# url: https://example.com/repository/test-azure.json
811
# basic: ''
812
# acceptHeader: '*/*'
813
814
## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
815
## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
816
## ConfigMap data example:
817
##
818
## data:
819
## example-dashboard.json: |
820
## RAW_JSON
821
##
822
dashboardsConfigMaps: {}
823
# default: ""
824
825
## Grafana's primary configuration
826
## NOTE: values in map will be converted to ini format
827
## ref: http://docs.grafana.org/installation/configuration/
828
##
829
grafana.ini:
830
paths:
831
data: /var/lib/grafana/
832
logs: /var/log/grafana
833
plugins: /var/lib/grafana/plugins
834
provisioning: /etc/grafana/provisioning
835
analytics:
836
check_for_updates: true
837
log:
838
mode: console
839
server:
840
domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else if (and .Values.route.main.enabled .Values.route.main.hostnames) }}{{ tpl (.Values.route.main.hostnames | first) . }}{{ else }}''{{ end }}"
841
unified_storage:
842
index_path: /var/lib/grafana-search/bleve
843
## grafana Authentication can be enabled with the following values on grafana.ini
844
# server:
845
# The full public facing url you use in browser, used for redirects and emails
846
# root_url:
847
# https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
848
# auth.github:
849
# enabled: false
850
# allow_sign_up: false
851
# scopes: user:email,read:org
852
# auth_url: https://github.com/login/oauth/authorize
853
# token_url: https://github.com/login/oauth/access_token
854
# api_url: https://api.github.com/user
855
# team_ids:
856
# allowed_organizations:
857
# client_id:
858
# client_secret:
859
## LDAP Authentication can be enabled with the following values on grafana.ini
860
## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
861
# auth.ldap:
862
# enabled: true
863
# allow_sign_up: true
864
# config_file: /etc/grafana/ldap.toml
865
## Grafana's alerting configuration
866
# unified_alerting:
867
# enabled: true
868
# rule_version_record_limit: "5"
869
870
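## Grafana's LDAP configuration
## Templated by the template in _helpers.tpl
## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
## ref: http://docs.grafana.org/installation/ldap/#configuration
# NOTE(review): nesting restored from a flattened listing - confirm against
# the chart's values.yaml.
ldap:
  enabled: false
  # `existingSecret` is a reference to an existing secret containing the ldap configuration
  # for Grafana in a key `ldap-toml`.
  # Prefer this over `config` when ldap.toml carries a bind password, so the
  # password is not written into a values file.
  existingSecret: ""
  # `config` is the content of `ldap.toml` that will be stored in the created secret
  config: ""
  # In the example below, keep use_ssl = true and ssl_skip_verify = false so
  # the LDAP server's certificate is verified; verbose_logging is meant for
  # troubleshooting rather than steady-state use.
  # config: |-
  #   verbose_logging = true
  #   [[servers]]
  #   host = "my-ldap-server"
  #   port = 636
  #   use_ssl = true
  #   start_tls = false
  #   ssl_skip_verify = false
  #   bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"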
891
892
# When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod
893
# This parameter is added because the ldap reload api is not working https://grafana.com/docs/grafana/latest/developers/http_api/admin/#reload-ldap-configuration
894
# To allow an extraContainer to restart the Grafana container
895
shareProcessNamespace: false
896
## Grafana's SMTP configuration
897
## NOTE: To enable, grafana.ini must be configured with smtp.enabled
898
## ref: http://docs.grafana.org/installation/configuration/#smtp
899
smtp:
900
# `existingSecret` is a reference to an existing secret containing the smtp configuration
901
# for Grafana.
902
existingSecret: ""
903
userKey: "user"
904
passwordKey: "password"
905
## Sidecars that collect the configmaps with the specified label and store the included files in the respective folders
906
## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
907
sidecar:
908
image:
909
# -- The Docker registry
910
registry: cgr.dev
911
repository: chainguard-private/k8s-sidecar
912
tag: latest
913
sha: sha256:fa7c8caa44059baa6c534d38059fba7725f581e49cab521c2e248212b99444a7
914
imagePullPolicy: IfNotPresent
915
resources: {}
916
# limits:
917
# cpu: 100m
918
# memory: 100Mi
919
# requests:
920
# cpu: 50m
921
# memory: 50Mi
922
securityContext:
923
allowPrivilegeEscalation: false
924
capabilities:
925
drop:
926
- ALL
927
seccompProfile:
928
type: RuntimeDefault
929
# skipTlsVerify Set to true to skip tls verification for kube api calls
930
# skipTlsVerify: true
931
enableUniqueFilenames: false
932
readinessProbe: {}
933
livenessProbe: {}
934
# Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO
935
# logLevel: INFO
936
alerts:
937
enabled: false
938
# Additional environment variables for the alerts sidecar
939
env: {}
940
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
941
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
942
## Renders in container spec as:
943
## env:
944
## ...
945
## - name: <key>
946
## valueFrom:
947
## <value rendered as YAML>
948
envValueFrom: {}
949
# ENV_NAME:
950
# configMapKeyRef:
951
# name: configmap-name
952
# key: value_key
953
# Do not reprocess already processed unchanged resources on k8s API reconnect.
954
# ignoreAlreadyProcessed: true
955
# label that the configmaps with alert are marked with (can be templated)
956
label: grafana_alert
957
# value of label that the configmaps with alert are set to (can be templated)
958
labelValue: ""
959
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
960
# logLevel: INFO
961
# If specified, the sidecar will search for alert config-maps inside this namespace.
962
# Otherwise the namespace in which the sidecar is running will be used.
963
# It's also possible to specify ALL to search in all namespaces
964
searchNamespace: null
965
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
966
watchMethod: WATCH
967
# search in configmap, secret or both
968
resource: both
969
#
970
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
971
# per default all resources of the type defined in {{ .Values.sidecar.alerts.resource }} will be checked.
972
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
973
# resourceName: "secret/alerts-1,configmap/alerts-0"
974
resourceName: ""
975
#
976
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
977
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
978
# watchServerTimeout: 3600
979
#
980
# watchClientTimeout: is a client-side timeout, configuring your local socket.
981
# If you have a network outage dropping all packets with no RST/FIN,
982
# this is how long your client waits before realizing & dropping the connection.
983
# defaults to 66sec (sic!)
984
# watchClientTimeout: 60
985
#
986
# maxTotalRetries: Total number of retries to allow for any http request.
987
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
988
# Set to 0 to fail on the first retry.
989
# maxTotalRetries: 5
990
#
991
# maxConnectRetries: How many connection-related errors to retry on for any http request.
992
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
993
# Applies to all requests to reloadURL and k8s api requests.
994
# Set to 0 to fail on the first retry of this type.
995
# maxConnectRetries: 10
996
#
997
# maxReadRetries: How many times to retry on read errors for any http request
998
# These errors are raised after the request was sent to the server, so the request may have side-effects.
999
# Applies to all requests to reloadURL and k8s api requests.
1000
# Set to 0 to fail on the first retry of this type.
1001
# maxReadRetries: 5
1002
#
1003
# Endpoint to send request to reload alerts
1004
reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload"
1005
# Absolute path to a script to execute after a configmap got reloaded.
1006
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1007
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1008
script: null
1009
skipReload: false
1010
# This is needed if skipReload is true, to load any alerts defined at startup time.
1011
# Deploy the alert sidecar as an initContainer.
1012
initAlerts: false
1013
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1014
# restartPolicy: Always
1015
# # only applies to native sidecars
1016
# startupProbe:
1017
# httpGet:
1018
# path: /healthz
1019
# port: 8080
1020
# initialDelaySeconds: 5
1021
# periodSeconds: 5
1022
# failureThreshold: 60 # 5 minutes
1023
# Additional alerts sidecar volume mounts
1024
extraMounts: []
1025
# Sets the size limit of the alert sidecar emptyDir volume
1026
sizeLimit: ""
1027
dashboards:
1028
enabled: false
1029
# Additional environment variables for the dashboards sidecar
1030
env: {}
1031
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1032
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1033
## Renders in container spec as:
1034
## env:
1035
## ...
1036
## - name: <key>
1037
## valueFrom:
1038
## <value rendered as YAML>
1039
envValueFrom: {}
1040
# ENV_NAME:
1041
# configMapKeyRef:
1042
# name: configmap-name
1043
# key: value_key
1044
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1045
# ignoreAlreadyProcessed: true
1046
SCProvider: true
1047
# label that the configmaps with dashboards are marked with (can be templated)
1048
label: grafana_dashboard
1049
# value of label that the configmaps with dashboards are set to (can be templated)
1050
labelValue: ""
1051
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1052
# logLevel: INFO
1053
# folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
1054
folder: /tmp/dashboards
1055
# The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
1056
defaultFolderName: null
1057
# Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
1058
# Otherwise the namespace in which the sidecar is running will be used.
1059
# It's also possible to specify ALL to search in all namespaces.
1060
searchNamespace: null
1061
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1062
watchMethod: WATCH
1063
# search in configmap, secret or both
1064
resource: both
1065
# If specified, the sidecar will look for annotation with this name to create folder and put graph here.
1066
# You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
1067
folderAnnotation: null
1068
#
1069
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1070
# per default all resources of the type defined in {{ .Values.sidecar.dashboards.resource }} will be checked.
1071
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1072
# resourceName: "secret/dashboards-0,configmap/dashboards-1"
1073
resourceName: ""
1074
#
1075
# maxTotalRetries: Total number of retries to allow for any http request.
1076
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1077
# Set to 0 to fail on the first retry.
1078
# maxTotalRetries: 5
1079
#
1080
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1081
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1082
# Applies to all requests to reloadURL and k8s api requests.
1083
# Set to 0 to fail on the first retry of this type.
1084
# maxConnectRetries: 10
1085
#
1086
# maxReadRetries: How many times to retry on read errors for any http request
1087
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1088
# Applies to all requests to reloadURL and k8s api requests.
1089
# Set to 0 to fail on the first retry of this type.
1090
# maxReadRetries: 5
1091
#
1092
# Endpoint to send request to reload alerts
1093
reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload"
1094
# Absolute path to a script to execute after a configmap got reloaded.
1095
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1096
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1097
script: null
1098
skipReload: false
1099
# This is needed if skipReload is true, to load any dashboards defined at startup time.
1100
# Deploy the dashboard sidecar as an initContainer.
1101
initDashboards: false
1102
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1103
# restartPolicy: Always
1104
# # only applies to native sidecars
1105
# startupProbe:
1106
# httpGet:
1107
# path: /healthz
1108
# port: 8083
1109
# initialDelaySeconds: 5
1110
# periodSeconds: 5
1111
# failureThreshold: 60 # 5 minutes
1112
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1113
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1114
# watchServerTimeout: 3600
1115
#
1116
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1117
# If you have a network outage dropping all packets with no RST/FIN,
1118
# this is how long your client waits before realizing & dropping the connection.
1119
# defaults to 66sec (sic!)
1120
# watchClientTimeout: 60
1121
#
1122
# provider configuration that lets grafana manage the dashboards
1123
provider:
1124
# name of the provider, should be unique
1125
name: sidecarProvider
1126
# orgid as configured in grafana
1127
orgid: 1
1128
# folder in which the dashboards should be imported in grafana
1129
folder: ''
1130
# <string> folder UID. will be automatically generated if not specified
1131
folderUid: ''
1132
# type of the provider
1133
type: file
1134
# disableDelete to activate a import-only behaviour
1135
disableDelete: false
1136
# allow updating provisioned dashboards from the UI
1137
allowUiUpdates: false
1138
# allow Grafana to replicate dashboard structure from filesystem
1139
foldersFromFilesStructure: false
1140
# Additional dashboards sidecar volume mounts
1141
extraMounts: []
1142
# Sets the size limit of the dashboard sidecar emptyDir volume
1143
sizeLimit: ""
1144
datasources:
1145
enabled: false
1146
# Additional environment variables for the datasourcessidecar
1147
env: {}
1148
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1149
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1150
## Renders in container spec as:
1151
## env:
1152
## ...
1153
## - name: <key>
1154
## valueFrom:
1155
## <value rendered as YAML>
1156
envValueFrom: {}
1157
# ENV_NAME:
1158
# configMapKeyRef:
1159
# name: configmap-name
1160
# key: value_key
1161
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1162
# ignoreAlreadyProcessed: true
1163
# label that the configmaps with datasources are marked with (can be templated)
1164
label: grafana_datasource
1165
# value of label that the configmaps with datasources are set to (can be templated)
1166
labelValue: ""
1167
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1168
# logLevel: INFO
1169
# If specified, the sidecar will search for datasource config-maps inside this namespace.
1170
# Otherwise the namespace in which the sidecar is running will be used.
1171
# It's also possible to specify ALL to search in all namespaces
1172
searchNamespace: null
1173
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1174
watchMethod: WATCH
1175
# search in configmap, secret or both
1176
resource: both
1177
#
1178
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1179
# per default all resources of the type defined in {{ .Values.sidecar.datasources.resource }} will be checked.
1180
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1181
# resourceName: "secret/datasources-0,configmap/datasources-15"
1182
resourceName: ""
1183
#
1184
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1185
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1186
# watchServerTimeout: 3600
1187
#
1188
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1189
# If you have a network outage dropping all packets with no RST/FIN,
1190
# this is how long your client waits before realizing & dropping the connection.
1191
# defaults to 66sec (sic!)
1192
# watchClientTimeout: 60
1193
#
1194
# maxTotalRetries: Total number of retries to allow for any http request.
1195
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1196
# Set to 0 to fail on the first retry.
1197
# maxTotalRetries: 5
1198
#
1199
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1200
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1201
# Applies to all requests to reloadURL and k8s api requests.
1202
# Set to 0 to fail on the first retry of this type.
1203
# maxConnectRetries: 10
1204
#
1205
# maxReadRetries: How many times to retry on read errors for any http request
1206
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1207
# Applies to all requests to reloadURL and k8s api requests.
1208
# Set to 0 to fail on the first retry of this type.
1209
# maxReadRetries: 5
1210
#
1211
# Endpoint to send request to reload datasources
1212
reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
1213
# Absolute path to a script to execute after a configmap got reloaded.
1214
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1215
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1216
script: null
1217
skipReload: false
1218
# This is needed if skipReload is true, to load any datasources defined at startup time.
1219
# Deploy the datasources sidecar as an initContainer.
1220
initDatasources: false
1221
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1222
# restartPolicy: Always
1223
# # only applies to native sidecars
1224
# startupProbe:
1225
# httpGet:
1226
# path: /healthz
1227
# port: 8081
1228
# initialDelaySeconds: 5
1229
# periodSeconds: 5
1230
# failureThreshold: 60 # 5 minutes
1231
# Additional datasources sidecar volume mounts
1232
extraMounts: []
1233
# Sets the size limit of the datasource sidecar emptyDir volume
1234
sizeLimit: ""
1235
plugins:
1236
enabled: false
1237
# Additional environment variables for the plugins sidecar
1238
env: {}
1239
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1240
# ignoreAlreadyProcessed: true
1241
# label that the configmaps with plugins are marked with (can be templated)
1242
label: grafana_plugin
1243
# value of label that the configmaps with plugins are set to (can be templated)
1244
labelValue: ""
1245
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1246
# logLevel: INFO
1247
# If specified, the sidecar will search for plugin config-maps inside this namespace.
1248
# Otherwise the namespace in which the sidecar is running will be used.
1249
# It's also possible to specify ALL to search in all namespaces
1250
searchNamespace: null
1251
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1252
watchMethod: WATCH
1253
# search in configmap, secret or both
1254
resource: both
1255
#
1256
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1257
# per default all resources of the type defined in {{ .Values.sidecar.plugins.resource }} will be checked.
1258
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1259
# resourceName: "secret/plugins-0,configmap/plugins-1"
1260
resourceName: ""
1261
#
1262
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1263
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1264
# watchServerTimeout: 3600
1265
#
1266
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1267
# If you have a network outage dropping all packets with no RST/FIN,
1268
# this is how long your client waits before realizing & dropping the connection.
1269
# defaults to 66sec (sic!)
1270
# watchClientTimeout: 60
1271
#
1272
# maxTotalRetries: Total number of retries to allow for any http request.
1273
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1274
# Set to 0 to fail on the first retry.
1275
# maxTotalRetries: 5
1276
#
1277
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1278
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1279
# Applies to all requests to reloadURL and k8s api requests.
1280
# Set to 0 to fail on the first retry of this type.
1281
# maxConnectRetries: 10
1282
#
1283
# maxReadRetries: How many times to retry on read errors for any http request
1284
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1285
# Applies to all requests to reloadURL and k8s api requests.
1286
# Set to 0 to fail on the first retry of this type.
1287
# maxReadRetries: 5
1288
#
1289
# Endpoint to send request to reload plugins
1290
reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
1291
# Absolute path to a script to execute after a configmap got reloaded.
1292
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1293
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1294
script: null
1295
skipReload: false
1296
# Deploy the datasource sidecar as an initContainer in addition to a container.
1297
# This is needed if skipReload is true, to load any plugins defined at startup time.
1298
initPlugins: false
1299
# Additional plugins sidecar volume mounts
1300
extraMounts: []
1301
# Sets the size limit of the plugin sidecar emptyDir volume
1302
sizeLimit: ""
1303
notifiers:
1304
enabled: false
1305
# Additional environment variables for the notifierssidecar
1306
env: {}
1307
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1308
# ignoreAlreadyProcessed: true
1309
# label that the configmaps with notifiers are marked with (can be templated)
1310
label: grafana_notifier
1311
# value of label that the configmaps with notifiers are set to (can be templated)
1312
labelValue: ""
1313
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1314
# logLevel: INFO
1315
# If specified, the sidecar will search for notifier config-maps inside this namespace.
1316
# Otherwise the namespace in which the sidecar is running will be used.
1317
# It's also possible to specify ALL to search in all namespaces
1318
searchNamespace: null
1319
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1320
watchMethod: WATCH
1321
# search in configmap, secret or both
1322
resource: both
1323
#
1324
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1325
# per default all resources of the type defined in {{ .Values.sidecar.notifiers.resource }} will be checked.
1326
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1327
# resourceName: "secret/notifiers-2,configmap/notifiers-1"
1328
resourceName: ""
1329
#
1330
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1331
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1332
# watchServerTimeout: 3600
1333
#
1334
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1335
# If you have a network outage dropping all packets with no RST/FIN,
1336
# this is how long your client waits before realizing & dropping the connection.
1337
# defaults to 66sec (sic!)
1338
# watchClientTimeout: 60
1339
#
1340
# maxTotalRetries: Total number of retries to allow for any http request.
1341
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1342
# Set to 0 to fail on the first retry.
1343
# maxTotalRetries: 5
1344
#
1345
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1346
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1347
# Applies to all requests to reloadURL and k8s api requests.
1348
# Set to 0 to fail on the first retry of this type.
1349
# maxConnectRetries: 10
1350
#
1351
# maxReadRetries: How many times to retry on read errors for any http request
1352
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1353
# Applies to all requests to reloadURL and k8s api requests.
1354
# Set to 0 to fail on the first retry of this type.
1355
# maxReadRetries: 5
1356
#
1357
# Endpoint to send request to reload notifiers
1358
reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload"
1359
# Absolute path to a script to execute after a configmap got reloaded.
1360
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1361
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1362
script: null
1363
skipReload: false
1364
# Deploy the notifier sidecar as an initContainer in addition to a container.
1365
# This is needed if skipReload is true, to load any notifiers defined at startup time.
1366
initNotifiers: false
1367
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1368
# restartPolicy: Always
1369
# # only applies to native sidecars
1370
# startupProbe:
1371
# httpGet:
1372
# path: /healthz
1373
# port: 8082
1374
# initialDelaySeconds: 5
1375
# periodSeconds: 5
1376
# failureThreshold: 60 # 5 minutes
1377
# Additional notifiers sidecar volume mounts
1378
extraMounts: []
1379
# Sets the size limit of the notifier sidecar emptyDir volume
1380
sizeLimit: ""
1381
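## Override the deployment namespace
##
namespaceOverride: ""
## Number of old ReplicaSets to retain
##
revisionHistoryLimit: 10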
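## Add a separate remote image renderer deployment/service
imageRenderer:
  deploymentStrategy: {}
  # Enable the image-renderer deployment & service
  enabled: false
  replicas: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPU: "60"
    targetMemory: ""
    behavior: {}
  # The url of remote image renderer if it is not in the same namespace with the grafana instance
  serverURL: ""
  # The callback url of grafana instances if it is not in the same namespace with the remote image renderer
  renderingCallbackURL: ""
  image:
    # -- The Docker registry
    registry: cgr.dev
    # image-renderer Image repository
    repository: chainguard-private/grafana-image-renderer
    # image-renderer Image tag
    # NOTE(review): `latest` is a mutable tag; the digest in `sha` is what fixes the image content.
    tag: latest
    # image-renderer Image sha (optional)
    sha: sha256:dfa6a6377438e6788fc1b32aa969a31ea6019d3c4c5854e3a1035d4dac1850e1
    # image-renderer Image pull secrets (optional)
    pullSecrets: []
    # image-renderer ImagePullPolicy
    pullPolicy: Always
  # extra environment variables
  env:
    HTTP_HOST: "0.0.0.0"
    # Fixes "Error: Failed to launch the browser process!\nchrome_crashpad_handler: --database is required"
    XDG_CONFIG_HOME: /tmp/.chromium
    XDG_CACHE_HOME: /tmp/.chromium
    # --no-sandbox turns off the Chromium process sandbox; enable it only where the browser cannot start otherwise.
    # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
    # RENDERING_MODE: clustered
    # IGNORE_HTTPS_ERRORS makes the renderer accept invalid TLS certificates; prefer mounting the CA it should trust.
    # IGNORE_HTTPS_ERRORS: true

  ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
  ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
  ## Renders in container spec as:
  ##   env:
  ##     ...
  ##     - name: <key>
  ##       valueFrom:
  ##         <value rendered as YAML>
  envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
  #      name: configmap-name
  #      key: value_key

  # image-renderer deployment serviceAccount
  serviceAccountName: ""
  automountServiceAccountToken: false
  # image-renderer deployment hostUsers
  hostUsers: null
  # image-renderer deployment securityContext
  securityContext: {}
  # image-renderer deployment container securityContext
  containerSecurityContext:
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop: ['ALL']
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
  ## image-renderer pod annotation
  podAnnotations: {}
  # image-renderer deployment Host Aliases
  hostAliases: []
  # image-renderer deployment priority class
  priorityClassName: ''
  service:
    # Enable the image-renderer service
    enabled: true
    # image-renderer service port name
    portName: 'http'
    # image-renderer service port used by both service and deployment
    port: 8081
    targetPort: 8081
    # Adds the appProtocol field to the image-renderer service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
    appProtocol: ""
  serviceMonitor:
    ## If true, a ServiceMonitor CRD is created for a prometheus operator
    ## https://github.com/coreos/prometheus-operator
    ##
    enabled: false
    path: /metrics
    #  namespace: monitoring  (defaults to use the namespace this chart is deployed to)
    labels: {}
    interval: 1m
    scheme: http
    tlsConfig: {}
    scrapeTimeout: 30s
    relabelings: []
    # See: https://doc.crds.dev/github.com/prometheus-operator/kube-prometheus/monitoring.coreos.com/ServiceMonitor/v1@v0.11.0#spec-targetLabels
    targetLabels: []
    #   - targetLabel1
    #   - targetLabel2
  # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana
  grafanaProtocol: http
  # In case a sub_path is used this needs to be added to the image renderer callback
  grafanaSubPath: ""
  # name of the image-renderer port on the pod
  podPortName: http
  # number of image-renderer replica sets to keep
  revisionHistoryLimit: 10
  networkPolicy:
    # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
    limitIngress: true
    # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
    limitEgress: false
    # Allow additional services to access image-renderer (eg. Prometheus operator when ServiceMonitor is enabled)
    extraIngressSelectors: []
  resources: {}
  #   limits:
  #     cpu: 100m
  #     memory: 100Mi
  #   requests:
  #     cpu: 50m
  #     memory: 50Mi
  ## Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  ## Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## Affinity for pod assignment (evaluated as template)
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ##
  affinity: {}
  ## Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  # schedulerName: "default-scheduler"

  # Extra configmaps to mount in image-renderer pods
  extraConfigmapMounts: []
  # Extra secrets to mount in image-renderer pods
  extraSecretMounts: []
  # Extra volumes to mount in image-renderer pods
  extraVolumeMounts: []
  # Extra volumes for image-renderer pods
  extraVolumes: []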
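networkPolicy:
  ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
  ##
  enabled: false
  ## @param networkPolicy.ingress When true enables the creation
  ## an ingress network policy
  ##
  ingress: true
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## The Policy model to apply. When set to false, only pods with the correct
  ## client label will have network access to grafana port defined.
  ## When true, grafana will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
  ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
  ## and that match other criteria, the ones that have the good label, can reach the grafana.
  ## But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
  ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
  ##
  ## Example:
  ## explicitNamespacesSelector:
  ##   matchLabels:
  ##     role: frontend
  ##   matchExpressions:
  ##    - {key: role, operator: In, values: [frontend]}
  ##
  explicitNamespacesSelector: {}
  ##
  egress:
    ## @param networkPolicy.egress.enabled When enabled, an egress network policy will be
    ## created allowing grafana to connect to external data sources from kubernetes cluster.
    enabled: false
    ##
    ## @param networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked
    ## for all pods in the grafana namespace.
    blockDNSResolution: false
    ##
    ## @param networkPolicy.egress.ports Add individual ports to be allowed by the egress
    ports: []
    ## Add ports to the egress by specifying - port: <port number>
    ## E.X.
    ## - port: 80
    ## - port: 443
    ##
    ## @param networkPolicy.egress.to Allow egress traffic to specific destinations
    to: []
    ## Add destinations to the egress by specifying - ipBlock: <CIDR>
    ## E.X.
    ## to:
    ##  - namespaceSelector:
    ##    matchExpressions:
    ##    - {key: role, operator: In, values: [grafana]}
    ##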
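# Enable backward compatibility of kubernetes where version below 1.13 doesn't have the enableServiceLinks option
enableKubeBackwardCompatibility: false
useStatefulSet: false
# extraObjects could be utilized to add dynamic manifests via values
extraObjects: []
# Examples:
# extraObjects:
# - apiVersion: kubernetes-client.io/v1
#   kind: ExternalSecret
#   metadata:
#     name: grafana-secrets-{{ .Release.Name }}
#   spec:
#     backendType: gcpSecretsManager
#     data:
#     - key: grafana-admin-password
#       name: adminPassword
# Alternatively, you can use strings, which lets you use additional templating features:
# extraObjects:
# - |
#   apiVersion: kubernetes-client.io/v1
#   kind: ExternalSecret
#   metadata:
#     name: grafana-secrets-{{ .Release.Name }}
#   spec:
#     backendType: gcpSecretsManager
#     data:
#     - key: grafana-admin-password
#       name: {{ include "some-other-template" }}

# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks if secret
# values are not exposed in the rendered grafana.ini configmap. It is enabled by default.
#
# To pass values into grafana.ini without exposing them in a configmap, use variable expansion:
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
#
# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap,
# you can disable this check by setting assertNoLeakedSecrets to false.
assertNoLeakedSecrets: true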
