DirectorySecurity AdvisoriesPricing
Sign in
Directory
community-grafana logoHELM

community-grafana

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
global:
2
# -- Overrides the Docker registry globally for all images
3
imageRegistry: null
4
# To help compatibility with other charts which use global.imagePullSecrets.
5
# Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style).
6
# Can be templated.
7
# global:
8
# imagePullSecrets:
9
# - name: pullSecret1
10
# - name: pullSecret2
11
# or
12
# global:
13
# imagePullSecrets:
14
# - pullSecret1
15
# - pullSecret2
16
imagePullSecrets: []
17
rbac:
18
create: true
19
## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
20
# useExistingRole: name-of-some-role
21
# useExistingClusterRole: name-of-some-clusterRole
22
pspEnabled: false
23
pspUseAppArmor: false
24
namespaced: false
25
# Only has an effect if namespaced: true is set
26
namespaces: []
27
extraRoleRules: []
28
# - apiGroups: []
29
# resources: []
30
# verbs: []
31
extraClusterRoleRules: []
32
# - apiGroups: []
33
# resources: []
34
# verbs: []
35
serviceAccount:
36
create: true
37
name: ""
38
nameTest: ""
39
## ServiceAccount labels.
40
labels: {}
41
## Service account annotations. Can be templated.
42
# annotations:
43
# eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here
44
45
## autoMount is deprecated in favor of automountServiceAccountToken
46
# autoMount: false
47
automountServiceAccountToken: false
48
replicas: 1
49
## Create a headless service for the deployment
50
headlessService: false
51
## Should the service account be auto mounted on the pod
52
automountServiceAccountToken: true
53
## Create HorizontalPodAutoscaler object for deployment type
54
#
55
autoscaling:
56
enabled: false
57
minReplicas: 1
58
maxReplicas: 5
59
targetCPU: "60"
60
targetMemory: ""
61
behavior: {}
62
## See `kubectl explain poddisruptionbudget.spec` for more
63
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
64
podDisruptionBudget: {}
65
# apiVersion: ""
66
# minAvailable: 1
67
# maxUnavailable: 1
68
# unhealthyPodEvictionPolicy: IfHealthyBudget
69
70
## See `kubectl explain deployment.spec.strategy` for more
71
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
72
deploymentStrategy:
73
type: RollingUpdate
74
## The maximum time in seconds for a Deployment to make progress before it is considered to be failed.
75
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
76
progressDeadlineSeconds: null
77
readinessProbe:
78
httpGet:
79
path: /api/health
80
port: grafana
81
livenessProbe:
82
httpGet:
83
path: /api/health
84
port: grafana
85
initialDelaySeconds: 60
86
timeoutSeconds: 30
87
failureThreshold: 10
88
## Use an alternate scheduler, e.g. "stork".
89
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
90
##
91
# schedulerName: "default-scheduler"
92
image:
93
# -- The Docker registry
94
registry: cgr.dev
95
# -- Docker image repository
96
repository: scratch-images/test-tmp/grafana
97
# Overrides the Grafana image tag whose default is the chart appVersion
98
tag: v13.1.0-r1
99
sha: sha256:5df5e68d71881f09236ecda733d225df656bbc5e92232267de920eca881fecdf
100
pullPolicy: IfNotPresent
101
## Optionally specify an array of imagePullSecrets.
102
## Secrets must be manually created in the namespace.
103
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
104
## Can be templated.
105
##
106
pullSecrets: []
107
# - myRegistrKeySecretName
108
testFramework:
109
enabled: true
110
## The type of Helm hook used to run this test. Defaults to test.
111
## ref: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
112
##
113
# hookType: test
114
image:
115
# -- The Docker registry
116
registry: docker.io
117
repository: bats/bats
118
tag: "1.13.0"
119
imagePullPolicy: IfNotPresent
120
securityContext: {}
121
containerSecurityContext: {}
122
resources: {}
123
# limits:
124
# cpu: 100m
125
# memory: 128Mi
126
# requests:
127
# cpu: 100m
128
# memory: 128Mi
129
# dns configuration for pod
130
dnsPolicy: ~
131
dnsConfig: {}
132
# nameservers:
133
# - 8.8.8.8
134
# options:
135
# - name: ndots
136
# value: "2"
137
# - name: edns0
138
139
hostUsers: ~
140
securityContext:
141
runAsNonRoot: true
142
runAsUser: 472
143
runAsGroup: 472
144
fsGroup: 472
145
containerSecurityContext:
146
allowPrivilegeEscalation: false
147
privileged: false
148
capabilities:
149
drop:
150
- ALL
151
seccompProfile:
152
type: RuntimeDefault
153
# Enable creating the grafana configmap
154
createConfigmap: true
155
# Extra configmaps to mount in grafana pods
156
# Values are templated.
157
extraConfigmapMounts: []
158
# - name: certs-configmap
159
# mountPath: /etc/grafana/ssl/
160
# subPath: certificates.crt # (optional)
161
# configMap: certs-configmap
162
# readOnly: true
163
# optional: false
164
165
extraEmptyDirMounts: []
166
# - name: provisioning-notifiers
167
# mountPath: /etc/grafana/provisioning/notifiers
168
169
# Shadow `/usr/share/grafana/data/plugins-bundled` with an emptyDir so plugins
170
# listed under `plugins:` install cleanly into `/var/lib/grafana/plugins` instead
171
# of failing on the read-only bundled directory shipped in the Grafana image.
172
# Required for plugins moved out of core in Grafana 13 (e.g. `elasticsearch`,
173
# `cloudwatch`) when listed in `plugins:`. Side effect: any bundled plugin not
174
# explicitly listed in `plugins:` will not be available.
175
shadowBundledPlugins: false
176
# Apply extra labels to common labels.
177
extraLabels: {}
178
## Assign a PriorityClassName to pods if set
179
# priorityClassName:
180
downloadDashboardsImage:
181
# -- The Docker registry
182
registry: cgr.dev
183
repository: scratch-images/test-tmp/curl
184
tag: 8.21.0-r1
185
sha: sha256:a030b919dc6695fa26597d888d50e6381df74d33205fe9e63907c556a612bfad
186
pullPolicy: IfNotPresent
187
downloadDashboards:
188
env: {}
189
envFromSecret: ""
190
resources: {}
191
securityContext:
192
allowPrivilegeEscalation: false
193
capabilities:
194
drop:
195
- ALL
196
seccompProfile:
197
type: RuntimeDefault
198
envValueFrom: {}
199
# ENV_NAME:
200
# configMapKeyRef:
201
# name: configmap-name
202
# key: value_key
203
## Pod Annotations
204
# podAnnotations: {}
205
206
## ConfigMap Annotations
207
# configMapAnnotations: {}
208
# argocd.argoproj.io/sync-options: Replace=true
209
210
## Pod Labels
211
# podLabels: {}
212
podPortName: grafana
213
gossipPortName: gossip
214
## Deployment annotations
215
# annotations: {}
216
217
## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
218
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
219
## ref: http://kubernetes.io/docs/user-guide/services/
220
##
221
service:
222
enabled: true
223
type: ClusterIP
224
# Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
225
ipFamilyPolicy: ""
226
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
227
ipFamilies: []
228
loadBalancerIP: ""
229
loadBalancerClass: ""
230
loadBalancerSourceRanges: []
231
port: 80
232
targetPort: 3000
233
# targetPort: 4181 To be used with a proxy extraContainer
234
## Service annotations. Can be templated.
235
annotations: {}
236
labels: {}
237
portName: service
238
# Adds the appProtocol field to the service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
239
appProtocol: ""
240
sessionAffinity: ""
241
# trafficDistribution allows specifying how traffic is distributed to Service endpoints.
242
# Valid values: "" (default - standard load balancing),"PreferSameZone" (K8s 1.34+), "PreferSameNode" (K8s 1.35+), "PreferClose" (deprecated, use PreferSameZone),
243
trafficDistribution: ""
244
serviceMonitor:
245
## If true, a ServiceMonitor CR is created for a prometheus operator
246
## https://github.com/coreos/prometheus-operator
247
##
248
enabled: false
249
path: /metrics
250
# namespace: monitoring (defaults to use the namespace this chart is deployed to)
251
labels: {}
252
# Set these to override the Prometheus global scrape interval/timeout.
253
# interval: 30s
254
# scrapeTimeout: 30s
255
scheme: http
256
tlsConfig: {}
257
relabelings: []
258
metricRelabelings: []
259
basicAuth: {}
260
targetLabels: []
261
extraExposePorts: []
262
# - name: keycloak
263
# port: 8080
264
# targetPort: 8080
265
266
# overrides pod.spec.hostAliases in the grafana deployment's pods
267
hostAliases: []
268
# - ip: "1.2.3.4"
269
# hostnames:
270
# - "my.host.com"
271
272
ingress:
273
enabled: false
274
# ingressClassName: nginx
275
# Values can be templated
276
annotations: {}
277
# kubernetes.io/ingress.class: nginx
278
# kubernetes.io/tls-acme: "true"
279
labels: {}
280
path: /
281
pathType: Prefix
282
hosts:
283
- chart-example.local
284
## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
285
extraPaths: []
286
# - path: /*
287
# pathType: Prefix
288
# backend:
289
# service:
290
# name: ssl-redirect
291
# port:
292
# name: use-annotation
293
294
tls: []
295
# - secretName: chart-example-tls
296
# hosts:
297
# - chart-example.local
298
# -- BETA: Configure the gateway routes for the chart here.
299
# More routes can be added by adding a dictionary key like the 'main' route.
300
# Be aware that this is an early beta of this feature,
301
# kube-prometheus-stack does not guarantee this works and is subject to change.
302
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
303
# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
304
route:
305
main:
306
# -- Enables or disables the route
307
enabled: false
308
# -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
309
apiVersion: gateway.networking.k8s.io/v1
310
# -- Set the route kind
311
# Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
312
kind: HTTPRoute
313
annotations: {}
314
labels: {}
315
hostnames: []
316
# - my-filter.example.com
317
parentRefs: []
318
# - name: acme-gw
319
320
matches:
321
- path:
322
type: PathPrefix
323
value: /
324
## Timeouts define the timeouts that can be configured for an HTTP request.
325
## Ref. https://gateway-api.sigs.k8s.io/api-types/httproute/#timeouts-optional
326
timeouts: {}
327
# request: 10s
328
# backendRequest: 5s
329
330
## SessionPersistence defines and configures session persistence for the route rule.
331
## Ref. https://gateway-api.sigs.k8s.io/geps/gep-1619/
332
sessionPersistence: {}
333
# sessionName: grafana-session
334
# type: Cookie
335
# absoluteTimeout: 48h
336
# cookieConfig:
337
# lifetimeType: Permanent
338
339
## Filters define the filters that are applied to requests that match this rule.
340
filters: []
341
## Additional custom rules that can be added to the route
342
additionalRules: []
343
## httpsRedirect adds a filter for redirecting to https (HTTP 301 Moved Permanently).
344
## To redirect HTTP traffic to HTTPS, you need to have a Gateway with both HTTP and HTTPS listeners.
345
## Matches and filters do not take effect if enabled.
346
## Ref. https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/
347
httpsRedirect: false
348
# -- BETA: Configure Gateway API ListenerSet resources for the chart here.
349
# ListenerSet allows attaching additional listeners to an existing Gateway.
350
# More listener sets can be added by adding a dictionary key like the 'main' entry.
351
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
352
# [[ref]](https://gateway-api.sigs.k8s.io/reference/api-spec/main/spec/#listenerset)
353
listenerSet:
354
main:
355
# -- Enables or disables the listener set
356
enabled: false
357
# -- Set the ListenerSet apiVersion, e.g. gateway.networking.k8s.io/v1
358
apiVersion: gateway.networking.k8s.io/v1
359
annotations: {}
360
labels: {}
361
# -- Reference to the parent Gateway this ListenerSet attaches to
362
parentRef: {}
363
# name: my-gateway
364
# namespace: default
365
# group: gateway.networking.k8s.io
366
# kind: Gateway
367
368
# -- List of listeners to attach to the parent Gateway
369
listeners: []
370
# - name: https
371
# port: 443
372
# protocol: HTTPS
373
# hostname: grafana.example.com
374
# tls:
375
# mode: Terminate
376
# certificateRefs:
377
# - name: grafana-tls
378
# allowedRoutes:
379
# namespaces:
380
# from: Same
381
resources: {}
382
# limits:
383
# cpu: 100m
384
# memory: 128Mi
385
# requests:
386
# cpu: 100m
387
# memory: 128Mi
388
389
## Node labels for pod assignment
390
## ref: https://kubernetes.io/docs/user-guide/node-selection/
391
#
392
nodeSelector: {}
393
## Tolerations for pod assignment
394
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
395
##
396
tolerations: []
397
## Affinity for pod assignment (evaluated as template)
398
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
399
##
400
affinity: {}
401
## Topology Spread Constraints
402
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
403
##
404
topologySpreadConstraints: []
405
## Additional init containers (evaluated as template)
406
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
407
##
408
extraInitContainers: []
409
## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
410
extraContainers: ""
411
# extraContainers: |
412
# - name: proxy
413
# image: quay.io/gambol99/keycloak-proxy:latest
414
# args:
415
# - -provider=github
416
# - -client-id=
417
# - -client-secret=
418
# - -github-org=<ORG_NAME>
419
# - -email-domain=*
420
# - -cookie-secret=
421
# - -http-address=http://0.0.0.0:4181
422
# - -upstream-url=http://127.0.0.1:3000
423
# ports:
424
# - name: proxy-web
425
# containerPort: 4181
426
427
## Volumes that can be used in init containers that will not be mounted to deployment pods
428
extraContainerVolumes: []
429
# - name: volume-from-secret
430
# secret:
431
# secretName: secret-to-mount
432
# - name: empty-dir-volume
433
# emptyDir: {}
434
435
## Enable persistence using Persistent Volume Claims
436
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
437
##
438
persistence:
439
type: pvc
440
enabled: false
441
# storageClassName: default
442
## (Optional) Use this to bind the claim to an existing PersistentVolume (PV) by name.
443
volumeName: ""
444
accessModes:
445
- ReadWriteOnce
446
size: 10Gi
447
# annotations: {}
448
finalizers:
449
- kubernetes.io/pvc-protection
450
# selectorLabels: {}
451
## Sub-directory of the PV to mount. Can be templated.
452
# subPath: ""
453
## Name of an existing PVC. Can be templated.
454
# existingClaim:
455
## Extra labels to apply to a PVC.
456
extraPvcLabels: {}
457
disableWarning: false
458
## Configure StatefulSet persistent volume claim retention policy.
459
## This is ignored when Grafana is configured to use a Deployment with a PVC.
460
## By default, Kubernetes uses Retain for both whenDeleted and whenScaled.
461
persistentVolumeClaimRetentionPolicy: {}
462
# whenDeleted: Retain
463
# whenScaled: Retain
464
465
## If persistence is not enabled, this allows to mount the
466
## local storage in-memory to improve performance
467
##
468
inMemory:
469
enabled: false
470
## The maximum usage on memory medium EmptyDir would be
471
## the minimum value between the SizeLimit specified
472
## here and the sum of memory limits of all containers in a pod
473
##
474
# sizeLimit: 300Mi
475
## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve
476
## the current value of 'spec.volumeName' and incorporate it into the template.
477
lookupVolumeName: true
478
initChownData:
479
## If false, data ownership will not be reset at startup
480
## This allows the grafana-server to be run with an arbitrary user
481
##
482
enabled: true
483
## initChownData container image
484
##
485
image:
486
# -- The Docker registry
487
registry: cgr.dev
488
repository: scratch-images/test-tmp/busybox
489
tag: glibc-1.37.0-r61
490
sha: sha256:19f59085b5a760212ec01b00a67b16b4dc5f8e633e6cac6f72cc232de62e5f3c
491
pullPolicy: IfNotPresent
492
## initChownData resource requests and limits
493
## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
494
##
495
resources: {}
496
# limits:
497
# cpu: 100m
498
# memory: 128Mi
499
# requests:
500
# cpu: 100m
501
# memory: 128Mi
502
securityContext:
503
readOnlyRootFilesystem: false
504
runAsNonRoot: false
505
runAsUser: 0
506
seccompProfile:
507
type: RuntimeDefault
508
capabilities:
509
add:
510
- CHOWN
511
- DAC_OVERRIDE
512
drop:
513
- ALL
514
# Administrator credentials when not using an existing secret (see below)
515
adminUser: admin
516
# adminPassword: strongpassword
517
518
# Use an existing secret for the admin user.
519
admin:
520
## Name of the secret. Can be templated.
521
existingSecret: ""
522
userKey: admin-user
523
passwordKey: admin-password
524
## Define command to be executed at startup by grafana container
525
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
526
## Default is "run.sh" as defined in grafana's Dockerfile
527
# command:
528
# - "sh"
529
# - "/run.sh"
530
531
## Optionally define args if command is used
532
## Needed if using `hashicorp/envconsul` to manage secrets
533
## By default no arguments are set
534
# args:
535
# - "-secret"
536
# - "secret/grafana"
537
# - "./grafana"
538
539
## Extra environment variables that will be pass onto deployment pods
540
##
541
## to provide grafana with access to CloudWatch on AWS EKS:
542
## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later)
543
## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the
544
## same oidc eks provider as noted before (same as the existing line)
545
## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name
546
##
547
## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana",
548
##
549
## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess
550
## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name)
551
##
552
## env:
553
## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here
554
## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
555
## AWS_REGION: us-east-1
556
##
557
## 5. uncomment the EKS section in extraSecretMounts: below
558
## 6. uncomment the annotation section in the serviceAccount: above
559
## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn
560
env: {}
561
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
562
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
563
## Renders in container spec as:
564
## env:
565
## ...
566
## - name: <key>
567
## valueFrom:
568
## <value rendered as YAML>
569
envValueFrom: {}
570
# ENV_NAME:
571
# configMapKeyRef:
572
# name: configmap-name
573
# key: value_key
574
575
## The name of a secret in the same kubernetes namespace which contain values to be added to the environment
576
## This can be useful for auth tokens, etc. Value is templated.
577
envFromSecret: ""
578
## Sensible environment variables that will be rendered as new secret object
579
## This can be useful for auth tokens, etc.
580
## If the secret values contains "{{", they'll need to be properly escaped so that they are not interpreted by Helm
581
## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
582
envRenderSecret: {}
583
## The names of secrets in the same kubernetes namespace which contain values to be added to the environment
584
## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key.
585
## Name is templated.
586
envFromSecrets: []
587
## - name: secret-name
588
## prefix: prefix
589
## optional: true
590
591
## The names of configmaps in the same kubernetes namespace which contain values to be added to the environment
592
## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key.
593
## Name is templated.
594
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
595
envFromConfigMaps: []
596
## - name: configmap-name
597
## prefix: prefix
598
## optional: true
599
600
# Inject Kubernetes services as environment variables.
601
# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
602
enableServiceLinks: true
603
## Additional grafana server secret mounts
604
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
605
extraSecretMounts: []
606
# - name: secret-files
607
# mountPath: /etc/secrets
608
# secretName: grafana-secret-files
609
# readOnly: true
610
# optional: false
611
# subPath: ""
612
#
613
# for AWS EKS (cloudwatch) use the following (see also instruction in env: above)
614
# - name: aws-iam-token
615
# mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
616
# readOnly: true
617
# projected:
618
# defaultMode: 420
619
# sources:
620
# - serviceAccountToken:
621
# audience: sts.amazonaws.com
622
# expirationSeconds: 86400
623
# path: token
624
#
625
# for CSI e.g. Azure Key Vault use the following
626
# - name: secrets-store-inline
627
# mountPath: /run/secrets/vault.azure.com
628
# readOnly: true
629
# csi:
630
# driver: secrets-store.csi.k8s.io
631
# readOnly: true
632
# volumeAttributes:
633
# secretProviderClass: "akv-grafana-spc"
634
# nodePublishSecretRef: # Only required when using service principal mode
635
# name: grafana-akv-creds # Only required when using service principal mode
636
637
## Additional grafana server volume mounts
638
# Defines additional volume mounts.
639
extraVolumeMounts: []
640
# - name: extra-volume-0
641
# mountPath: /mnt/volume0
642
# readOnly: true
643
# - name: extra-volume-1
644
# mountPath: /mnt/volume1
645
# readOnly: true
646
# - name: grafana-secrets
647
# mountPath: /mnt/volume2
648
649
## Additional Grafana server volumes
650
extraVolumes: []
651
# - name: extra-volume-0
652
# existingClaim: volume-claim
653
# - name: extra-volume-1
654
# hostPath:
655
# path: /usr/shared/
656
# type: ""
657
# - name: grafana-secrets
658
# csi:
659
# driver: secrets-store.csi.k8s.io
660
# readOnly: true
661
# volumeAttributes:
662
# secretProviderClass: "grafana-env-spc"
663
664
## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request
665
lifecycleHooks: {}
666
# postStart:
667
# exec:
668
# command: []
669
670
## Pass the plugins you want installed as a list.
671
##
672
plugins: []
673
# - digrich-bubblechart-panel
674
# - grafana-clock-panel
675
## You can also use other plugin download URL, as long as they are valid zip files,
676
## and specify the name of the plugin as prefix, with an version. Like this:
677
# - marcusolsson-json-datasource@1.3.24@https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.24/download
678
679
## Configure grafana datasources
680
## ref: http://docs.grafana.org/administration/provisioning/#datasources
681
##
682
datasources: {}
683
# datasources.yaml:
684
# apiVersion: 1
685
# datasources:
686
# - name: Prometheus
687
# type: prometheus
688
# url: http://prometheus-prometheus-server
689
# access: proxy
690
# isDefault: true
691
# - name: CloudWatch
692
# type: cloudwatch
693
# access: proxy
694
# uid: cloudwatch
695
# editable: false
696
# jsonData:
697
# authType: default
698
# defaultRegion: us-east-1
699
# deleteDatasources: []
700
# - name: Prometheus
701
702
## Configure grafana alerting (can be templated)
703
## ref: https://docs.grafana.com/alerting/set-up/provision-alerting-resources/file-provisioning/
704
##
705
alerting: {}
706
# policies.yaml:
707
# apiVersion: 1
708
# policies:
709
# - orgId: 1
710
# receiver: first_uid
711
#
712
# rules.yaml:
713
# apiVersion: 1
714
# groups:
715
# - orgId: 1
716
# name: '{{ .Chart.Name }}_my_rule_group'
717
# folder: my_first_folder
718
# interval: 60s
719
# rules:
720
# - uid: my_id_1
721
# title: my_first_rule
722
# condition: A
723
# data:
724
# - refId: A
725
# datasourceUid: '-100'
726
# model:
727
# conditions:
728
# - evaluator:
729
# params:
730
# - 3
731
# type: gt
732
# operator:
733
# type: and
734
# query:
735
# params:
736
# - A
737
# reducer:
738
# type: last
739
# type: query
740
# datasource:
741
# type: __expr__
742
# uid: '-100'
743
# expression: 1==0
744
# intervalMs: 1000
745
# maxDataPoints: 43200
746
# refId: A
747
# type: math
748
# dashboardUid: my_dashboard
749
# panelId: 123
750
# noDataState: Alerting
751
# for: 60s
752
# annotations:
753
# some_key: some_value
754
# labels:
755
# team: sre_team_1
756
#
757
# contactpoints.yaml:
758
# secret:
759
# apiVersion: 1
760
# contactPoints:
761
# - orgId: 1
762
# name: cp_1
763
# receivers:
764
# - uid: first_uid
765
# type: pagerduty
766
# settings:
767
# integrationKey: XXX
768
# severity: critical
769
# class: ping failure
770
# component: Grafana
771
# group: app-stack
772
# summary: |
773
# {{ `{{ include "default.message" . }}` }}
774
#
775
# templates.yaml:
776
# apiVersion: 1
777
# templates:
778
# - orgId: 1
779
# name: my_first_template
780
# template: |
781
# {{ `
782
# {{ define "my_first_template" }}
783
# Custom notification message
784
# {{ end }}
785
# ` }}
786
#
787
# mutetimes.yaml
788
# apiVersion: 1
789
# muteTimes:
790
# - orgId: 1
791
# name: mti_1
792
# # refer to https://prometheus.io/docs/alerting/latest/configuration/#time_interval-0
793
# time_intervals: {}
794
795
## Configure notifiers
796
## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
797
##
798
notifiers: {}
799
# notifiers.yaml:
800
# notifiers:
801
# - name: email-notifier
802
# type: email
803
# uid: email1
804
# # either:
805
# org_id: 1
806
# # or
807
# org_name: Main Org.
808
# is_default: true
809
# settings:
810
# addresses: an_email_address@example.com
811
# delete_notifiers:
812
813
## Configure grafana dashboard providers
814
## ref: http://docs.grafana.org/administration/provisioning/#dashboards
815
##
816
## `path` must be /var/lib/grafana/dashboards/<provider_name>
817
##
818
dashboardProviders: {}
819
# dashboardproviders.yaml:
820
# apiVersion: 1
821
# providers:
822
# - name: 'default'
823
# orgId: 1
824
# folder: ''
825
# type: file
826
# disableDeletion: false
827
# editable: true
828
# options:
829
# path: /var/lib/grafana/dashboards/default
830
831
## Configure how curl fetches remote dashboards. The beginning dash is required.
832
## NOTE: This sets the default short flags for all dashboards, but these
833
## defaults can be overridden individually for each dashboard by setting
834
## curlOptions. See the example dashboards section below.
835
##
836
## -s - silent mode
837
## -k - allow insecure (eg: non-TLS) connections
838
## -f - fail fast
839
## See the curl documentation for additional options
840
##
841
defaultCurlOptions: "-skf"
842
## Configure grafana dashboard to import
843
## NOTE: To use dashboards you must also enable/configure dashboardProviders
844
## ref: https://grafana.com/dashboards
845
##
846
## dashboards per provider, use provider name as key.
847
## For dashboards downloaded via gnetId or url, the optional "title" key overrides
848
## the dashboard title in the downloaded JSON so the UI displays your custom title.
849
##
850
dashboards: {}
851
# default:
852
# some-dashboard:
853
# json: |
854
# $RAW_JSON
855
# custom-dashboard:
856
# file: dashboards/custom-dashboard.json
857
# prometheus-stats:
858
# title: My Custom Dashboard Title # optional; overrides the dashboard title in the downloaded JSON
859
# gnetId: 2
860
# revision: 2
861
# datasource: Prometheus
862
# local-dashboard:
863
# url: https://example.com/repository/test.json
864
# curlOptions: "-sLf"
865
# token: ''
866
# local-dashboard-base64:
867
# url: https://example.com/repository/test-b64.json
868
# token: ''
869
# b64content: true
870
# local-dashboard-gitlab:
871
# url: https://example.com/repository/test-gitlab.json
872
# gitlabToken: ''
873
# local-dashboard-bitbucket:
874
# url: https://example.com/repository/test-bitbucket.json
875
# bearerToken: ''
876
# local-dashboard-azure:
877
# url: https://example.com/repository/test-azure.json
878
# basic: ''
879
# acceptHeader: '*/*'
880
881
## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
882
## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
883
## ConfigMap data example:
884
##
885
## data:
886
## example-dashboard.json: |
887
## RAW_JSON
888
##
889
dashboardsConfigMaps: {}
890
# default: ""
891
892
## Grafana's primary configuration
893
## NOTE: values in map will be converted to ini format
894
## ref: http://docs.grafana.org/installation/configuration/
895
##
896
grafana.ini:
897
paths:
898
data: /var/lib/grafana/
899
logs: /var/log/grafana
900
plugins: /var/lib/grafana/plugins
901
provisioning: /etc/grafana/provisioning
902
analytics:
903
check_for_updates: true
904
log:
905
mode: console
906
server:
907
domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else if (and .Values.route.main.enabled .Values.route.main.hostnames) }}{{ tpl (.Values.route.main.hostnames | first) . }}{{ else }}''{{ end }}"
908
unified_storage:
909
index_path: /var/lib/grafana-search/bleve
910
## grafana Authentication can be enabled with the following values on grafana.ini
911
# server:
912
# The full public facing url you use in browser, used for redirects and emails
913
# root_url:
914
# https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
915
# auth.github:
916
# enabled: false
917
# allow_sign_up: false
918
# scopes: user:email,read:org
919
# auth_url: https://github.com/login/oauth/authorize
920
# token_url: https://github.com/login/oauth/access_token
921
# api_url: https://api.github.com/user
922
# team_ids:
923
# allowed_organizations:
924
# client_id:
925
# client_secret:
926
## LDAP Authentication can be enabled with the following values on grafana.ini
927
## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
928
# auth.ldap:
929
# enabled: true
930
# allow_sign_up: true
931
# config_file: /etc/grafana/ldap.toml
932
## Grafana's alerting configuration
933
# unified_alerting:
934
# enabled: true
935
# rule_version_record_limit: "5"
936
937
## Grafana's LDAP configuration
938
## Templated by the template in _helpers.tpl
939
## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
940
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
941
## ref: http://docs.grafana.org/installation/ldap/#configuration
942
ldap:
943
enabled: false
944
# `existingSecret` is a reference to an existing secret containing the ldap configuration
945
# for Grafana in a key `ldap-toml`.
946
existingSecret: ""
947
# `config` is the content of `ldap.toml` that will be stored in the created secret
948
config: ""
949
# config: |-
950
# verbose_logging = true
951
# [[servers]]
952
# host = "my-ldap-server"
953
# port = 636
954
# use_ssl = true
955
# start_tls = false
956
# ssl_skip_verify = false
957
# bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
958
959
# When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod
960
# This parameter is added because the ldap reload api is not working https://grafana.com/docs/grafana/latest/developers/http_api/admin/#reload-ldap-configuration
961
# To allow an extraContainer to restart the Grafana container
962
shareProcessNamespace: false
963
## Grafana's SMTP configuration
964
## NOTE: To enable, grafana.ini must be configured with smtp.enabled
965
## ref: http://docs.grafana.org/installation/configuration/#smtp
966
smtp:
967
# `existingSecret` is a reference to an existing secret containing the smtp configuration
968
# for Grafana.
969
existingSecret: ""
970
userKey: "user"
971
passwordKey: "password"
972
## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders
973
## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
974
sidecar:
975
image:
976
# -- The Docker registry
977
registry: cgr.dev
978
repository: scratch-images/test-tmp/k8s-sidecar
979
tag: 2.8.1-r0
980
sha: sha256:533145f4aed212fe62110048251ee9d558de8699ded4f77870e1f343b5eeeeed
981
imagePullPolicy: IfNotPresent
982
resources: {}
983
# limits:
984
# cpu: 100m
985
# memory: 100Mi
986
# requests:
987
# cpu: 50m
988
# memory: 50Mi
989
securityContext:
990
allowPrivilegeEscalation: false
991
capabilities:
992
drop:
993
- ALL
994
seccompProfile:
995
type: RuntimeDefault
996
# Set to true to skip tls verification for kube api calls. Can be overridden per sidecar
997
# skipTlsVerify: true
998
enableUniqueFilenames: false
999
readinessProbe: {}
1000
livenessProbe: {}
1001
# Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO
1002
# logLevel: INFO
1003
alerts:
1004
enabled: false
1005
# Additional environment variables for the alerts sidecar
1006
env: {}
1007
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1008
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1009
## Renders in container spec as:
1010
## env:
1011
## ...
1012
## - name: <key>
1013
## valueFrom:
1014
## <value rendered as YAML>
1015
envValueFrom: {}
1016
# ENV_NAME:
1017
# configMapKeyRef:
1018
# name: configmap-name
1019
# key: value_key
1020
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1021
# ignoreAlreadyProcessed: true
1022
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1023
# skipTlsVerify: true
1024
# label that the configmaps with alert are marked with (can be templated)
1025
label: grafana_alert
1026
# value of label that the configmaps with alert are set to (can be templated)
1027
labelValue: ""
1028
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1029
# logLevel: INFO
1030
# If specified, the sidecar will search for alert config-maps inside this namespace.
1031
# Otherwise the namespace in which the sidecar is running will be used.
1032
# It's also possible to specify ALL to search in all namespaces
1033
searchNamespace: null
1034
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1035
watchMethod: WATCH
1036
# search in configmap, secret or both
1037
resource: both
1038
#
1039
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1040
# per default all resources of the type defined in {{ .Values.sidecar.alerts.resource }} will be checked.
1041
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1042
# resourceName: "secret/alerts-1,configmap/alerts-0"
1043
resourceName: ""
1044
#
1045
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1046
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1047
# watchServerTimeout: 3600
1048
#
1049
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1050
# If you have a network outage dropping all packets with no RST/FIN,
1051
# this is how long your client waits before realizing & dropping the connection.
1052
# defaults to 66sec (sic!)
1053
# watchClientTimeout: 60
1054
#
1055
# maxTotalRetries: Total number of retries to allow for any http request.
1056
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1057
# Set to 0 to fail on the first retry.
1058
# maxTotalRetries: 5
1059
#
1060
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1061
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1062
# Applies to all requests to reloadURL and k8s api requests.
1063
# Set to 0 to fail on the first retry of this type.
1064
# maxConnectRetries: 10
1065
#
1066
# maxReadRetries: How many times to retry on read errors for any http request
1067
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1068
# Applies to all requests to reloadURL and k8s api requests.
1069
# Set to 0 to fail on the first retry of this type.
1070
# maxReadRetries: 5
1071
#
1072
# Endpoint to send request to reload alerts
1073
reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload"
1074
# Absolute path to a script to execute after a configmap got reloaded.
1075
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1076
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1077
script: null
1078
skipReload: false
1079
# This is needed if skipReload is true, to load any alerts defined at startup time.
1080
# Deploy the alert sidecar as an initContainer.
1081
initAlerts: false
1082
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1083
# restartPolicy: Always
1084
# # only applies to native sidecars
1085
# startupProbe:
1086
# httpGet:
1087
# path: /healthz
1088
# port: 8080
1089
# initialDelaySeconds: 5
1090
# periodSeconds: 5
1091
# failureThreshold: 60 # 5 minutes
1092
# Additional alerts sidecar volume mounts
1093
extraMounts: []
1094
# Sets the size limit of the alert sidecar emptyDir volume
1095
sizeLimit: ""
1096
dashboards:
1097
enabled: false
1098
# Additional environment variables for the dashboards sidecar
1099
env: {}
1100
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1101
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1102
## Renders in container spec as:
1103
## env:
1104
## ...
1105
## - name: <key>
1106
## valueFrom:
1107
## <value rendered as YAML>
1108
envValueFrom: {}
1109
# ENV_NAME:
1110
# configMapKeyRef:
1111
# name: configmap-name
1112
# key: value_key
1113
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1114
# ignoreAlreadyProcessed: true
1115
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1116
# skipTlsVerify: true
1117
SCProvider: true
1118
# label that the configmaps with dashboards are marked with (can be templated)
1119
label: grafana_dashboard
1120
# value of label that the configmaps with dashboards are set to (can be templated)
1121
labelValue: ""
1122
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1123
# logLevel: INFO
1124
# folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
1125
folder: /tmp/dashboards
1126
# The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
1127
defaultFolderName: null
1128
# Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
1129
# Otherwise the namespace in which the sidecar is running will be used.
1130
# It's also possible to specify ALL to search in all namespaces.
1131
searchNamespace: null
1132
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1133
watchMethod: WATCH
1134
# search in configmap, secret or both
1135
resource: both
1136
# If specified, the sidecar will look for annotation with this name to create folder and put graph here.
1137
# You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
1138
folderAnnotation: null
1139
#
1140
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1141
# per default all resources of the type defined in {{ .Values.sidecar.dashboards.resource }} will be checked.
1142
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1143
# resourceName: "secret/dashboards-0,configmap/dashboards-1"
1144
resourceName: ""
1145
#
1146
# maxTotalRetries: Total number of retries to allow for any http request.
1147
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1148
# Set to 0 to fail on the first retry.
1149
# maxTotalRetries: 5
1150
#
1151
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1152
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1153
# Applies to all requests to reloadURL and k8s api requests.
1154
# Set to 0 to fail on the first retry of this type.
1155
# maxConnectRetries: 10
1156
#
1157
# maxReadRetries: How many times to retry on read errors for any http request
1158
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1159
# Applies to all requests to reloadURL and k8s api requests.
1160
# Set to 0 to fail on the first retry of this type.
1161
# maxReadRetries: 5
1162
#
1163
# Endpoint to send request to reload alerts
1164
reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload"
1165
# Absolute path to a script to execute after a configmap got reloaded.
1166
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1167
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1168
script: null
1169
skipReload: false
1170
# This is needed if skipReload is true, to load any dashboards defined at startup time.
1171
# Deploy the dashboard sidecar as an initContainer.
1172
initDashboards: false
1173
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1174
# restartPolicy: Always
1175
# # only applies to native sidecars
1176
# startupProbe:
1177
# httpGet:
1178
# path: /healthz
1179
# port: 8083
1180
# initialDelaySeconds: 5
1181
# periodSeconds: 5
1182
# failureThreshold: 60 # 5 minutes
1183
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1184
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1185
# watchServerTimeout: 3600
1186
#
1187
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1188
# If you have a network outage dropping all packets with no RST/FIN,
1189
# this is how long your client waits before realizing & dropping the connection.
1190
# defaults to 66sec (sic!)
1191
# watchClientTimeout: 60
1192
#
1193
# provider configuration that lets grafana manage the dashboards
1194
provider:
1195
# name of the provider, should be unique
1196
name: sidecarProvider
1197
# orgid as configured in grafana
1198
orgid: 1
1199
# folder in which the dashboards should be imported in grafana
1200
folder: ''
1201
# <string> folder UID. will be automatically generated if not specified
1202
folderUid: ''
1203
# type of the provider
1204
type: file
1205
# disableDelete to activate a import-only behaviour
1206
disableDelete: false
1207
# allow updating provisioned dashboards from the UI
1208
allowUiUpdates: false
1209
# allow Grafana to replicate dashboard structure from filesystem
1210
foldersFromFilesStructure: false
1211
# Additional dashboards sidecar volume mounts
1212
extraMounts: []
1213
# Sets the size limit of the dashboard sidecar emptyDir volume
1214
sizeLimit: ""
1215
datasources:
1216
enabled: false
1217
# Additional environment variables for the datasourcessidecar
1218
env: {}
1219
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1220
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1221
## Renders in container spec as:
1222
## env:
1223
## ...
1224
## - name: <key>
1225
## valueFrom:
1226
## <value rendered as YAML>
1227
envValueFrom: {}
1228
# ENV_NAME:
1229
# configMapKeyRef:
1230
# name: configmap-name
1231
# key: value_key
1232
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1233
# ignoreAlreadyProcessed: true
1234
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1235
# skipTlsVerify: true
1236
# label that the configmaps with datasources are marked with (can be templated)
1237
label: grafana_datasource
1238
# value of label that the configmaps with datasources are set to (can be templated)
1239
labelValue: ""
1240
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1241
# logLevel: INFO
1242
# If specified, the sidecar will search for datasource config-maps inside this namespace.
1243
# Otherwise the namespace in which the sidecar is running will be used.
1244
# It's also possible to specify ALL to search in all namespaces
1245
searchNamespace: null
1246
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1247
watchMethod: WATCH
1248
# search in configmap, secret or both
1249
resource: both
1250
#
1251
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1252
# per default all resources of the type defined in {{ .Values.sidecar.datasources.resource }} will be checked.
1253
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1254
# resourceName: "secret/datasources-0,configmap/datasources-15"
1255
resourceName: ""
1256
#
1257
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1258
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1259
# watchServerTimeout: 3600
1260
#
1261
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1262
# If you have a network outage dropping all packets with no RST/FIN,
1263
# this is how long your client waits before realizing & dropping the connection.
1264
# defaults to 66sec (sic!)
1265
# watchClientTimeout: 60
1266
#
1267
# maxTotalRetries: Total number of retries to allow for any http request.
1268
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1269
# Set to 0 to fail on the first retry.
1270
# maxTotalRetries: 5
1271
#
1272
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1273
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1274
# Applies to all requests to reloadURL and k8s api requests.
1275
# Set to 0 to fail on the first retry of this type.
1276
# maxConnectRetries: 10
1277
#
1278
# maxReadRetries: How many times to retry on read errors for any http request
1279
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1280
# Applies to all requests to reloadURL and k8s api requests.
1281
# Set to 0 to fail on the first retry of this type.
1282
# maxReadRetries: 5
1283
#
1284
# Endpoint to send request to reload datasources
1285
reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
1286
# Absolute path to a script to execute after a configmap got reloaded.
1287
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1288
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1289
script: null
1290
skipReload: false
1291
# This is needed if skipReload is true, to load any datasources defined at startup time.
1292
# Deploy the datasources sidecar as an initContainer.
1293
initDatasources: false
1294
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1295
# restartPolicy: Always
1296
# # only applies to native sidecars
1297
# startupProbe:
1298
# httpGet:
1299
# path: /healthz
1300
# port: 8081
1301
# initialDelaySeconds: 5
1302
# periodSeconds: 5
1303
# failureThreshold: 60 # 5 minutes
1304
# Additional datasources sidecar volume mounts
1305
extraMounts: []
1306
# Sets the size limit of the datasource sidecar emptyDir volume
1307
sizeLimit: ""
1308
plugins:
1309
enabled: false
1310
# Additional environment variables for the plugins sidecar
1311
env: {}
1312
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1313
# ignoreAlreadyProcessed: true
1314
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1315
# skipTlsVerify: true
1316
# label that the configmaps with plugins are marked with (can be templated)
1317
label: grafana_plugin
1318
# value of label that the configmaps with plugins are set to (can be templated)
1319
labelValue: ""
1320
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1321
# logLevel: INFO
1322
# If specified, the sidecar will search for plugin config-maps inside this namespace.
1323
# Otherwise the namespace in which the sidecar is running will be used.
1324
# It's also possible to specify ALL to search in all namespaces
1325
searchNamespace: null
1326
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1327
watchMethod: WATCH
1328
# search in configmap, secret or both
1329
resource: both
1330
#
1331
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1332
# per default all resources of the type defined in {{ .Values.sidecar.plugins.resource }} will be checked.
1333
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1334
# resourceName: "secret/plugins-0,configmap/plugins-1"
1335
resourceName: ""
1336
#
1337
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1338
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1339
# watchServerTimeout: 3600
1340
#
1341
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1342
# If you have a network outage dropping all packets with no RST/FIN,
1343
# this is how long your client waits before realizing & dropping the connection.
1344
# defaults to 66sec (sic!)
1345
# watchClientTimeout: 60
1346
#
1347
# maxTotalRetries: Total number of retries to allow for any http request.
1348
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1349
# Set to 0 to fail on the first retry.
1350
# maxTotalRetries: 5
1351
#
1352
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1353
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1354
# Applies to all requests to reloadURL and k8s api requests.
1355
# Set to 0 to fail on the first retry of this type.
1356
# maxConnectRetries: 10
1357
#
1358
# maxReadRetries: How many times to retry on read errors for any http request
1359
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1360
# Applies to all requests to reloadURL and k8s api requests.
1361
# Set to 0 to fail on the first retry of this type.
1362
# maxReadRetries: 5
1363
#
1364
# Endpoint to send request to reload plugins
1365
reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
1366
# Absolute path to a script to execute after a configmap got reloaded.
1367
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1368
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1369
script: null
1370
skipReload: false
1371
# Deploy the datasource sidecar as an initContainer in addition to a container.
1372
# This is needed if skipReload is true, to load any plugins defined at startup time.
1373
initPlugins: false
1374
# Additional plugins sidecar volume mounts
1375
extraMounts: []
1376
# Sets the size limit of the plugin sidecar emptyDir volume
1377
sizeLimit: ""
1378
notifiers:
1379
enabled: false
1380
# Additional environment variables for the notifierssidecar
1381
env: {}
1382
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1383
# ignoreAlreadyProcessed: true
1384
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1385
# skipTlsVerify: true
1386
# label that the configmaps with notifiers are marked with (can be templated)
1387
label: grafana_notifier
1388
# value of label that the configmaps with notifiers are set to (can be templated)
1389
labelValue: ""
1390
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1391
# logLevel: INFO
1392
# If specified, the sidecar will search for notifier config-maps inside this namespace.
1393
# Otherwise the namespace in which the sidecar is running will be used.
1394
# It's also possible to specify ALL to search in all namespaces
1395
searchNamespace: null
1396
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1397
watchMethod: WATCH
1398
# search in configmap, secret or both
1399
resource: both
1400
#
1401
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1402
# per default all resources of the type defined in {{ .Values.sidecar.notifiers.resource }} will be checked.
1403
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1404
# resourceName: "secret/notifiers-2,configmap/notifiers-1"
1405
resourceName: ""
1406
#
1407
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1408
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1409
# watchServerTimeout: 3600
1410
#
1411
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1412
# If you have a network outage dropping all packets with no RST/FIN,
1413
# this is how long your client waits before realizing & dropping the connection.
1414
# defaults to 66sec (sic!)
1415
# watchClientTimeout: 60
1416
#
1417
# maxTotalRetries: Total number of retries to allow for any http request.
1418
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1419
# Set to 0 to fail on the first retry.
1420
# maxTotalRetries: 5
1421
#
1422
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1423
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1424
# Applies to all requests to reloadURL and k8s api requests.
1425
# Set to 0 to fail on the first retry of this type.
1426
# maxConnectRetries: 10
1427
#
1428
# maxReadRetries: How many times to retry on read errors for any http request
1429
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1430
# Applies to all requests to reloadURL and k8s api requests.
1431
# Set to 0 to fail on the first retry of this type.
1432
# maxReadRetries: 5
1433
#
1434
# Endpoint to send request to reload notifiers
1435
reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload"
1436
# Absolute path to a script to execute after a configmap got reloaded.
1437
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1438
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1439
script: null
1440
skipReload: false
1441
# Deploy the notifier sidecar as an initContainer in addition to a container.
1442
# This is needed if skipReload is true, to load any notifiers defined at startup time.
1443
initNotifiers: false
1444
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1445
# restartPolicy: Always
1446
# # only applies to native sidecars
1447
# startupProbe:
1448
# httpGet:
1449
# path: /healthz
1450
# port: 8082
1451
# initialDelaySeconds: 5
1452
# periodSeconds: 5
1453
# failureThreshold: 60 # 5 minutes
1454
# Additional notifiers sidecar volume mounts
1455
extraMounts: []
1456
# Sets the size limit of the notifier sidecar emptyDir volume
1457
sizeLimit: ""
1458
## Override the deployment namespace
1459
##
1460
namespaceOverride: ""
1461
## Number of old ReplicaSets to retain
1462
##
1463
revisionHistoryLimit: 10
1464
## Add a separate remote image renderer deployment/service
1465
imageRenderer:
1466
deploymentStrategy: {}
1467
## The maximum time in seconds for the image renderer Deployment to make progress before it is
1468
## considered to be failed.
1469
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
1470
progressDeadlineSeconds: null
1471
# Enable the image-renderer deployment & service
1472
enabled: false
1473
replicas: 1
1474
autoscaling:
1475
enabled: false
1476
minReplicas: 1
1477
maxReplicas: 5
1478
targetCPU: "60"
1479
targetMemory: ""
1480
behavior: {}
1481
# The url of remote image renderer if it is not in the same namespace with the grafana instance
1482
serverURL: ""
1483
# The callback url of grafana instances if it is not in the same namespace with the remote image renderer
1484
renderingCallbackURL: ""
1485
# Token used for authentication between Grafana and the remote image renderer.
1486
token: ""
1487
# Use an existing secret for the image renderer token. Must contain a key named "token".
1488
existingSecret: ""
1489
image:
1490
# -- The Docker registry
1491
registry: cgr.dev
1492
# image-renderer Image repository
1493
repository: scratch-images/test-tmp/grafana-image-renderer
1494
# image-renderer Image tag
1495
tag: 5.9.1-r2
1496
# image-renderer Image sha (optional)
1497
sha: sha256:cde4b5a416e84cb4b498dce5ebff6c4b230e0b2d88d3469ef62c07f8ac0a8abf
1498
# image-renderer Image pull secrets (optional)
1499
pullSecrets: []
1500
# image-renderer ImagePullPolicy
1501
pullPolicy: Always
1502
dnsPolicy: ~
1503
dnsConfig: {}
1504
# nameservers:
1505
# - 8.8.8.8
1506
# options:
1507
# - name: ndots
1508
# value: "2"
1509
# - name: edns0
1510
# extra environment variables
1511
env:
1512
HTTP_HOST: "0.0.0.0"
1513
# Fixes "Error: Failed to launch the browser process!\nchrome_crashpad_handler: --database is required"
1514
XDG_CONFIG_HOME: /tmp/.chromium
1515
XDG_CACHE_HOME: /tmp/.chromium
1516
# RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
1517
# RENDERING_MODE: clustered
1518
# IGNORE_HTTPS_ERRORS: true
1519
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1520
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1521
## Renders in container spec as:
1522
## env:
1523
## ...
1524
## - name: <key>
1525
## valueFrom:
1526
## <value rendered as YAML>
1527
envValueFrom: {}
1528
# ENV_NAME:
1529
# configMapKeyRef:
1530
# name: configmap-name
1531
# key: value_key
1532
1533
# image-renderer deployment serviceAccount
1534
serviceAccountName: ""
1535
automountServiceAccountToken: false
1536
# image-renderer deployment hostUsers
1537
hostUsers: ~
1538
# image-renderer deployment securityContext
1539
securityContext: {}
1540
# image-renderer deployment container securityContext
1541
containerSecurityContext:
1542
seccompProfile:
1543
type: RuntimeDefault
1544
capabilities:
1545
drop: ['ALL']
1546
allowPrivilegeEscalation: false
1547
readOnlyRootFilesystem: true
1548
## image-renderer pod annotation
1549
podAnnotations: {}
1550
# image-renderer deployment Host Aliases
1551
hostAliases: []
1552
# image-renderer deployment priority class
1553
priorityClassName: ''
1554
# Path to the healthcheck endpoint. On Image Renderer v5.0.0 or newer, this is '/healthz'. Older versions use '/'.
1555
healthcheckPath: '/healthz'
1556
service:
1557
# Enable the image-renderer service
1558
enabled: true
1559
# image-renderer service port name
1560
portName: 'http'
1561
# image-renderer service port used by both service and deployment
1562
port: 8081
1563
targetPort: 8081
1564
# Adds the appProtocol field to the image-renderer service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
1565
appProtocol: ""
1566
serviceMonitor:
1567
## If true, a ServiceMonitor CRD is created for a prometheus operator
1568
## https://github.com/coreos/prometheus-operator
1569
##
1570
enabled: false
1571
path: /metrics
1572
# namespace: monitoring (defaults to use the namespace this chart is deployed to)
1573
labels: {}
1574
# Set these to override the Prometheus global scrape interval/timeout.
1575
# interval: 1m
1576
# scrapeTimeout: 30s
1577
scheme: http
1578
tlsConfig: {}
1579
relabelings: []
1580
# See: https://doc.crds.dev/github.com/prometheus-operator/kube-prometheus/monitoring.coreos.com/ServiceMonitor/v1@v0.11.0#spec-targetLabels
1581
targetLabels: []
1582
# - targetLabel1
1583
# - targetLabel2
1584
# If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana
1585
grafanaProtocol: http
1586
# In case a sub_path is used this needs to be added to the image renderer callback
1587
grafanaSubPath: ""
1588
# name of the image-renderer port on the pod
1589
podPortName: http
1590
# number of image-renderer replica sets to keep
1591
revisionHistoryLimit: 10
1592
networkPolicy:
1593
# Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
1594
limitIngress: true
1595
# Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
1596
limitEgress: false
1597
# Allow additional services to access image-renderer (eg. Prometheus operator when ServiceMonitor is enabled)
1598
extraIngressSelectors: []
1599
resources: {}
1600
# limits:
1601
# cpu: 100m
1602
# memory: 100Mi
1603
# requests:
1604
# cpu: 50m
1605
# memory: 50Mi
1606
## Node labels for pod assignment
1607
## ref: https://kubernetes.io/docs/user-guide/node-selection/
1608
#
1609
nodeSelector: {}
1610
## Tolerations for pod assignment
1611
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
1612
##
1613
tolerations: []
1614
## Affinity for pod assignment (evaluated as template)
1615
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
1616
##
1617
affinity: {}
1618
## Use an alternate scheduler, e.g. "stork".
1619
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
1620
##
1621
# schedulerName: "default-scheduler"
1622
1623
# Extra configmaps to mount in image-renderer pods
1624
extraConfigmapMounts: []
1625
# Extra secrets to mount in image-renderer pods
1626
extraSecretMounts: []
1627
# Extra volumes to mount in image-renderer pods
1628
extraVolumeMounts: []
1629
# Extra volumes for image-renderer pods
1630
extraVolumes: []
1631
networkPolicy:
1632
# -- networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
1633
enabled: false
1634
# --networkPolicy.allowExternal Don't require client label for connections
1635
# The Policy model to apply. When set to false, only pods with the correct
1636
# client label will have network access to grafana port defined.
1637
# When true, grafana will accept connections from any source
1638
# (with the correct destination port).
1639
#
1640
ingress: true
1641
# -- networkPolicy.ingress When true enables the creation
1642
# an ingress network policy
1643
allowExternal: true
1644
# -- networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
1645
# If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
1646
# and that match other criteria, the ones that have the good label, can reach the grafana.
1647
# But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
1648
# LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
1649
# </br>
1650
#
1651
# Example:
1652
#
1653
# ```
1654
# explicitNamespacesSelector:
1655
# matchLabels:
1656
# role: frontend
1657
# matchExpressions:
1658
# - {key: role, operator: In, values: [frontend]}
1659
# ```
1660
explicitNamespacesSelector: {}
1661
# -- networkPolicy.explicitIpBlocks List of CIDR blocks allowed as ingress sources.
1662
# Each entry must be a valid CIDR notation string (e.g. 10.0.0.0/8).
1663
# When defined, the specified CIDR ranges are added to the ingress `from` rules
1664
# using `ipBlock` entries and complement the other configured ingress sources.
1665
# </br>
1666
#
1667
# Example:
1668
#
1669
# ```
1670
# explicitIpBlocks:
1671
# - 35.191.0.0/16
1672
# - 130.211.0.0/22
1673
# ```
1674
#
1675
explicitIpBlocks: []
1676
egress:
1677
# -- networkPolicy.egress.enabled When enabled, an egress network policy will be
1678
# created allowing grafana to connect to external data sources from kubernetes cluster.
1679
enabled: false
1680
# -- networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked
1681
# for all pods in the grafana namespace.
1682
blockDNSResolution: false
1683
# -- networkPolicy.egress.ports Add individual ports to be allowed by the egress
1684
ports: []
1685
# Add ports to the egress by specifying - port: <port number>
1686
# E.X.
1687
# - port: 80
1688
# - port: 443
1689
#
1690
# -- networkPolicy.egress.to Allow egress traffic to specific destinations
1691
to: []
1692
# -- destinations to the egress by specifying - ipBlock: <CIDR>
1693
# E.X.
1694
# to:
1695
# - namespaceSelector:
1696
# matchExpressions:
1697
# - {key: role, operator: In, values: [grafana]}
1698
# Enable backward compatibility of kubernetes where version below 1.13 doesn't have the enableServiceLinks option
1699
enableKubeBackwardCompatibility: false
1700
useStatefulSet: false
1701
# extraObjects could be utilized to add dynamic manifests via values
1702
extraObjects: []
1703
# Examples:
1704
# extraObjects:
1705
# - apiVersion: kubernetes-client.io/v1
1706
# kind: ExternalSecret
1707
# metadata:
1708
# name: grafana-secrets-{{ .Release.Name }}
1709
# spec:
1710
# backendType: gcpSecretsManager
1711
# data:
1712
# - key: grafana-admin-password
1713
# name: adminPassword
1714
# Alternatively, you can use strings, which lets you use additional templating features:
1715
# extraObjects:
1716
# - |
1717
# apiVersion: kubernetes-client.io/v1
1718
# kind: ExternalSecret
1719
# metadata:
1720
# name: grafana-secrets-{{ .Release.Name }}
1721
# spec:
1722
# backendType: gcpSecretsManager
1723
# data:
1724
# - key: grafana-admin-password
1725
# name: {{ include "some-other-template" }}
1726
1727
# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks if secret
1728
# values are not exposed in the rendered grafana.ini configmap. It is enabled by default.
1729
#
1730
# To pass values into grafana.ini without exposing them in a configmap, use variable expansion:
1731
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
1732
#
1733
# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap,
1734
# you can disable this check by setting assertNoLeakedSecrets to false.
1735
assertNoLeakedSecrets: true
1736
# updateMode options are:
1737
# Off: n the Off update mode, the VPA recommender still analyzes resource usage and generates recommendations, but these recommendations are not automatically applied to Pods. The recommendations are only stored in the VPA object's .status field.
1738
# Initial: In Initial mode, VPA only sets resource requests when Pods are first created. It does not update resources for already running Pods, even if recommendations change over time. The recommendations apply only during Pod creation.
1739
# Recreate: In Recreate mode, VPA actively manages Pod resources by evicting Pods when their current resource requests differ significantly from recommendations. When a Pod is evicted, the workload controller (managing a Deployment, StatefulSet, etc) creates a replacement Pod, and the VPA admission controller applies the updated resource requests to the new Pod.
1740
# InPlaceOrRecreate: In Recreate mode, VPA actively manages Pod resources by evicting Pods when their current resource requests differ significantly from recommendations. When a Pod is evicted, the workload controller (managing a Deployment, StatefulSet, etc) creates a replacement Pod, and the VPA admission controller applies the updated resource requests to the new Pod.
1741
# Auto (deprecated): The Auto update mode is deprecated since VPA version 1.4.0. Use Recreate for eviction-based updates, or InPlaceOrRecreate for in-place updates with eviction fallback.
1742
verticalPodAutoscaler:
1743
enabled: false
1744
updateMode: "Off"
1745
controlledResources:
1746
cpu: true
1747
memory: true
1748
# Default safety bounds
1749
minAllowed:
1750
cpu: "25m"
1751
memory: "128Mi"
1752
maxAllowed:
1753
cpu: "1000m"
1754
memory: "1Gi"
1755

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.