
community-grafana

Helm chart
global:
  # -- Registry override applied to every image referenced by this chart
  imageRegistry: null
  # Kept for compatibility with other charts that read global.imagePullSecrets.
  # Accepts either a list of {name: pullSecret} maps (k8s-style) or a plain
  # list of secret names (the more common helm-style). Can be templated.
  # global:
  #   imagePullSecrets:
  #     - name: pullSecret1
  #     - name: pullSecret2
  # or
  # global:
  #   imagePullSecrets:
  #     - pullSecret1
  #     - pullSecret2
  imagePullSecrets: []
rbac:
  create: true
  ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
  # useExistingRole: name-of-some-role
  # useExistingClusterRole: name-of-some-clusterRole
  pspEnabled: false
  pspUseAppArmor: false
  # false selects the ClusterRole variant, true the namespaced Role variant
  # (see the useExisting* note above); prefer true where cluster-wide access
  # is not required.
  namespaced: false
  # Only has an effect if namespaced: true is set
  namespaces: []
  # Additional rules appended to the Role; keep them as narrow as possible.
  extraRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
  # Additional rules appended to the ClusterRole; keep them as narrow as possible.
  extraClusterRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
serviceAccount:
  create: true
  name: ""
  nameTest: ""
  ## Labels added to the ServiceAccount.
  labels: {}
  ## Annotations added to the ServiceAccount. Can be templated.
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here

  ## autoMount is deprecated in favor of automountServiceAccountToken
  # autoMount: false
  automountServiceAccountToken: false
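replicas: 1
## Create a headless service for the deployment
headlessService: false
## Whether the service account token is mounted into the pod.
## NOTE(review): this is true while serviceAccount.automountServiceAccountToken
## is false. In Kubernetes the pod-level field takes precedence over the
## ServiceAccount-level one, so with these defaults the token is presumably
## mounted (confirm against the rendered Deployment). Set this to false when
## nothing in the pod needs to call the Kubernetes API.
automountServiceAccountToken: true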
## Create a HorizontalPodAutoscaler object for deployment type
#
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 5
  targetCPU: "60"
  targetMemory: ""
  behavior: {}
## Run `kubectl explain poddisruptionbudget.spec` for the available fields
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
podDisruptionBudget: {}
#  apiVersion: ""
#  minAvailable: 1
#  maxUnavailable: 1
#  unhealthyPodEvictionPolicy: IfHealthyBudget
## Run `kubectl explain deployment.spec.strategy` for the available fields
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
deploymentStrategy:
  type: RollingUpdate
## Maximum time in seconds for a Deployment to make progress before it is
## considered to be failed.
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
progressDeadlineSeconds: null
# Both probes issue an HTTP GET for /api/health on the port named "grafana".
readinessProbe:
  httpGet:
    path: /api/health
    port: grafana
livenessProbe:
  httpGet:
    path: /api/health
    port: grafana
  initialDelaySeconds: 60
  timeoutSeconds: 30
  failureThreshold: 10
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName: "default-scheduler"
image:
  # -- The Docker registry
  registry: cgr.dev
  # -- Docker image repository
  repository: scratch-images/test-tmp/grafana
  # Overrides the Grafana image tag whose default is the chart appVersion
  tag: 'v13.0.1-r6'
  # Image digest. A digest identifies exact image content, whereas a tag can
  # be re-pointed; update tag and sha together when overriding either.
  sha: 'sha256:0f91c224a7e6d8889f8a579869a4a41a3aad9ee2b9fc9ce403d234e5dfce27c9'
  pullPolicy: IfNotPresent
  ## Optional list of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Can be templated.
  ##
  pullSecrets: []
  #   - myRegistrKeySecretName
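testFramework:
  # NOTE(review): enabled by default. Consider disabling it where the Helm
  # test pod is not needed.
  enabled: true
  ## The type of Helm hook used to run this test. Defaults to test.
  ## ref: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
  ##
  # hookType: test
  image:
    # -- The Docker registry
    # NOTE(review): unlike the other images in this file, this one comes from
    # docker.io and is referenced by tag only, with no sha digest, so the
    # content behind the tag is not pinned. Mirror it into a trusted registry
    # if the test hook is used.
    registry: docker.io
    repository: bats/bats
    tag: "1.13.0"
  imagePullPolicy: IfNotPresent
  # NOTE(review): both contexts are empty, so no hardening is declared here for
  # the test pod; confirm what the templates apply and set non-root,
  # drop-ALL-capabilities and seccomp values explicitly if they apply nothing.
  securityContext: {}
  containerSecurityContext: {}
  resources: {}
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #    memory: 128Mi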
# DNS configuration for the pod
dnsPolicy: null
dnsConfig: {}
#   nameservers:
#     - 8.8.8.8
#   options:
#     - name: ndots
#       value: "2"
#     - name: edns0

# Left unset (null) by default.
hostUsers: null
# Pod-level security context: non-root, fixed UID/GID 472, fsGroup 472.
securityContext:
  runAsNonRoot: true
  runAsUser: 472
  runAsGroup: 472
  fsGroup: 472
# Container-level security context: no privilege escalation, not privileged,
# every capability dropped, runtime default seccomp profile.
# readOnlyRootFilesystem is not set in these defaults.
containerSecurityContext:
  allowPrivilegeEscalation: false
  privileged: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
# Enable creating the grafana configmap
createConfigmap: true
# Extra configmaps to mount in grafana pods
# Values are templated.
extraConfigmapMounts: []
  # - name: certs-configmap
  #   mountPath: /etc/grafana/ssl/
  #   subPath: certificates.crt # (optional)
  #   configMap: certs-configmap
  #   readOnly: true
  #   optional: false

extraEmptyDirMounts: []
  # - name: provisioning-notifiers
  #   mountPath: /etc/grafana/provisioning/notifiers

# Shadow `/usr/share/grafana/data/plugins-bundled` with an emptyDir so plugins
# listed under `plugins:` install cleanly into `/var/lib/grafana/plugins` instead
# of failing on the read-only bundled directory shipped in the Grafana image.
# Required for plugins moved out of core in Grafana 13 (e.g. `elasticsearch`,
# `cloudwatch`) when listed in `plugins:`. Side effect: any bundled plugin not
# explicitly listed in `plugins:` will not be available.
shadowBundledPlugins: false
# Extra labels merged into the common labels.
extraLabels: {}
## Assign a PriorityClassName to pods if set
# priorityClassName:
# Image used to download dashboards (a curl image, pinned by digest).
downloadDashboardsImage:
  # -- The Docker registry
  registry: cgr.dev
  repository: scratch-images/test-tmp/curl
  tag: '8.20.0-r1'
  sha: 'sha256:c446a5f0ce551dd19a1d2c3f74c144338a0b9f144de74326214527de543ec812'
  pullPolicy: IfNotPresent
downloadDashboards:
  env: {}
  envFromSecret: ""
  resources: {}
  # No privilege escalation, every capability dropped, default seccomp profile.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  envValueFrom: {}
  #  ENV_NAME:
  #    configMapKeyRef:
  #      name: configmap-name
  #      key: value_key
## Annotations for the pod
# podAnnotations: {}

## Annotations for the ConfigMap
# configMapAnnotations: {}
  # argocd.argoproj.io/sync-options: Replace=true

## Labels for the pod
# podLabels: {}
podPortName: grafana
gossipPortName: gossip
## Annotations for the Deployment
# annotations: {}
## Expose the grafana service outside the cluster (LoadBalancer service) or
## only inside the cluster (ClusterIP service). Set the service type and the
## port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
service:
  enabled: true
  type: ClusterIP
  # Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
  ipFamilyPolicy: ""
  # Sets the families that should be supported and the order in which they
  # should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
  ipFamilies: []
  loadBalancerIP: ""
  loadBalancerClass: ""
  # Empty by default; when type is LoadBalancer, list the client CIDRs that
  # are allowed to reach the service.
  loadBalancerSourceRanges: []
  port: 80
  targetPort: 3000
    # targetPort: 4181 To be used with a proxy extraContainer
  ## Service annotations. Can be templated.
  annotations: {}
  labels: {}
  portName: service
  # Adds the appProtocol field to the service. This allows working with
  # istio protocol selection. Ex: "http" or "tcp"
  appProtocol: ""
  sessionAffinity: ""
  # trafficDistribution allows specifying how traffic is distributed to Service endpoints.
  # Valid values: "" (default - standard load balancing),"PreferSameZone" (K8s 1.34+), "PreferSameNode" (K8s 1.35+), "PreferClose" (deprecated, use PreferSameZone),
  trafficDistribution: ""
serviceMonitor:
  ## If true, a ServiceMonitor CR is created for a prometheus operator
  ## https://github.com/coreos/prometheus-operator
  ##
  enabled: false
  path: /metrics
  #  namespace: monitoring  (defaults to use the namespace this chart is deployed to)
  labels: {}
  interval: 30s
  # Scrapes use plain http unless scheme and tlsConfig are overridden.
  scheme: http
  tlsConfig: {}
  scrapeTimeout: 30s
  relabelings: []
  metricRelabelings: []
  basicAuth: {}
  targetLabels: []
extraExposePorts: []
  # - name: keycloak
  #   port: 8080
  #   targetPort: 8080

# Overrides pod.spec.hostAliases in the grafana deployment's pods
hostAliases: []
  # - ip: "1.2.3.4"
  #   hostnames:
  #     - "my.host.com"
ingress:
  enabled: false
  # ingressClassName: nginx
  # Values can be templated
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  labels: {}
  path: /
  pathType: Prefix
  hosts:
    - chart-example.local
  ## Extra paths to prepend to every host configuration. This is useful when
  ## working with annotation based services.
  extraPaths: []
  # - path: /*
  #   pathType: Prefix
  #   backend:
  #     service:
  #       name: ssl-redirect
  #       port:
  #         name: use-annotation

  # Empty by default: no TLS secret is configured for the ingress until an
  # entry like the one below is added.
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
# -- BETA: Configure the gateway routes for the chart here.
# More routes can be added by adding a dictionary key like the 'main' route.
# Be aware that this is an early beta of this feature,
# kube-prometheus-stack does not guarantee this works and is subject to change.
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
route:
  main:
    # -- Enables or disables the route
    enabled: false
    # -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
    apiVersion: gateway.networking.k8s.io/v1
    # -- Set the route kind
    # Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
    kind: HTTPRoute
    annotations: {}
    labels: {}
    hostnames: []
    # - my-filter.example.com
    parentRefs: []
    # - name: acme-gw

    matches:
      - path:
          type: PathPrefix
          value: /
    ## Timeouts that can be configured for an HTTP request.
    ## Ref. https://gateway-api.sigs.k8s.io/api-types/httproute/#timeouts-optional
    timeouts: {}
    #  request: 10s
    #  backendRequest: 5s

    ## SessionPersistence defines and configures session persistence for the route rule.
    ## Ref. https://gateway-api.sigs.k8s.io/geps/gep-1619/
    sessionPersistence: {}
    #  sessionName: grafana-session
    #  type: Cookie
    #  absoluteTimeout: 48h
    #  cookieConfig:
    #    lifetimeType: Permanent

    ## Filters applied to requests that match this rule.
    filters: []
    ## Additional custom rules that can be added to the route
    additionalRules: []
    ## httpsRedirect adds a filter for redirecting to https (HTTP 301 Moved Permanently).
    ## To redirect HTTP traffic to HTTPS, you need to have a Gateway with both HTTP and HTTPS listeners.
    ## Matches and filters do not take effect if enabled.
    ## Ref. https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/
    httpsRedirect: false
# No requests or limits are set by default.
resources: {}
#  limits:
#    cpu: 100m
#    memory: 128Mi
#  requests:
#    cpu: 100m
#    memory: 128Mi

## Node labels for pod assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
#
nodeSelector: {}
## Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Affinity for pod assignment (evaluated as template)
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
## Topology Spread Constraints
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
##
topologySpreadConstraints: []
## Additional init containers (evaluated as template)
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
##
extraInitContainers: []
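## Specify additional containers in extraContainers. This is meant to allow
## adding an authentication proxy to a grafana pod.
## NOTE(review): the example below is illustrative only. In a real deployment
## pin the proxy image to a fixed version or digest instead of `latest`, narrow
## `-email-domain=*` to the domains that should be admitted, and supply the
## client and cookie secrets from a Secret rather than as literal arguments,
## since container args are readable in the pod spec.
extraContainers: ""
# extraContainers: |
# - name: proxy
#   image: quay.io/gambol99/keycloak-proxy:latest
#   args:
#   - -provider=github
#   - -client-id=
#   - -client-secret=
#   - -github-org=<ORG_NAME>
#   - -email-domain=*
#   - -cookie-secret=
#   - -http-address=http://0.0.0.0:4181
#   - -upstream-url=http://127.0.0.1:3000
#   ports:
#     - name: proxy-web
#       containerPort: 4181

## Volumes that can be used in init containers that will not be mounted to deployment pods
extraContainerVolumes: []
#  - name: volume-from-secret
#    secret:
#      secretName: secret-to-mount
#  - name: empty-dir-volume
#    emptyDir: {}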
## Enable persistence using Persistent Volume Claims
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
##
persistence:
  type: pvc
  enabled: false
  # storageClassName: default
  ## (Optional) Use this to bind the claim to an existing PersistentVolume (PV) by name.
  volumeName: ""
  accessModes:
    - ReadWriteOnce
  size: 10Gi
  # annotations: {}
  finalizers:
    - kubernetes.io/pvc-protection
  # selectorLabels: {}
  ## Sub-directory of the PV to mount. Can be templated.
  # subPath: ""
  ## Name of an existing PVC. Can be templated.
  # existingClaim:
  ## Extra labels to apply to a PVC.
  extraPvcLabels: {}
  disableWarning: false
  ## If persistence is not enabled, this allows mounting the
  ## local storage in-memory to improve performance
  ##
  inMemory:
    enabled: false
    ## The maximum usage on memory medium EmptyDir would be
    ## the minimum value between the SizeLimit specified
    ## here and the sum of memory limits of all containers in a pod
    ##
    # sizeLimit: 300Mi
  ## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve
  ## the current value of 'spec.volumeName' and incorporate it into the template.
  lookupVolumeName: true
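initChownData:
  ## If false, data ownership will not be reset at startup
  ## This allows the grafana-server to be run with an arbitrary user
  ##
  ## NOTE(review): enabled by default, and the securityContext below runs this
  ## init container as root. Clusters that enforce a non-root policy (for
  ## example the Pod Security "restricted" profile) will reject it. The pod
  ## securityContext in this file already sets fsGroup: 472, so on volumes
  ## that honour fsGroup this container may be unnecessary; confirm, then
  ## consider setting enabled: false.
  enabled: true
  ## initChownData container image
  ##
  image:
    # -- The Docker registry
    registry: cgr.dev
    repository: scratch-images/test-tmp/busybox
    tag: 'glibc-1.37.0-r59'
    sha: 'sha256:acad249c0a9cb8a50a17e453f590e9d95c2d35001ed5dcba37a4020740b671a9'
    pullPolicy: IfNotPresent
  ## initChownData resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  #  limits:
  #    cpu: 100m
  #    memory: 128Mi
  #  requests:
  #    cpu: 100m
  #    memory: 128Mi
  # Runs as UID 0 with a writable root filesystem. All capabilities are
  # dropped and only CHOWN is added back; allowPrivilegeEscalation is not set
  # in this context.
  securityContext:
    readOnlyRootFilesystem: false
    runAsNonRoot: false
    runAsUser: 0
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add:
        - CHOWN
      drop:
        - ALL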
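# Administrator credentials when not using an existing secret (see below)
# NOTE(review): a password set through adminPassword is stored with the values
# (values files, Helm release data). Prefer admin.existingSecret below so the
# password lives only in a Kubernetes Secret.
adminUser: admin
# adminPassword: strongpassword

# Use an existing secret for the admin user.
admin:
  ## Name of the secret. Can be templated.
  existingSecret: ""
  # Keys inside the secret that hold the user name and the password.
  userKey: admin-user
  passwordKey: admin-password
## Define command to be executed at startup by grafana container
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
## Default is "run.sh" as defined in grafana's Dockerfile
# command:
# - "sh"
# - "/run.sh"

## Optionally define args if command is used
## Needed if using `hashicorp/envconsul` to manage secrets
## By default no arguments are set
# args:
#  - "-secret"
#  - "secret/grafana"
#  - "./grafana"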
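## Extra environment variables that will be passed on to deployment pods
##
## to provide grafana with access to CloudWatch on AWS EKS:
## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later)
## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the
## same oidc eks provider as noted before (same as the existing line)
## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name
##
##  "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana",
##
## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess
## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name)
##
## env:
##   AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here
##   AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
##   AWS_REGION: us-east-1
##
## 5. uncomment the EKS section in extraSecretMounts: below
## 6. uncomment the annotation section in the serviceAccount: above
## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn
##
## NOTE(review): values placed in env are plain pod-spec environment
## variables; put secrets in envFromSecret, envRenderSecret or envFromSecrets
## below instead.
env: {}
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
## Renders in container spec as:
##   env:
##     ...
##     - name: <key>
##       valueFrom:
##         <value rendered as YAML>
envValueFrom: {}
#  ENV_NAME:
#    configMapKeyRef:
#      name: configmap-name
#      key: value_key

## The name of a secret in the same kubernetes namespace which contains values to be added to the environment
## This can be useful for auth tokens, etc. Value is templated.
envFromSecret: ""
## Sensitive environment variables that will be rendered as a new secret object
## This can be useful for auth tokens, etc.
## If the secret values contain "{{", they'll need to be properly escaped so that they are not interpreted by Helm
## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
envRenderSecret: {}
## The names of secrets in the same kubernetes namespace which contain values to be added to the environment
## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key.
## Name is templated.
envFromSecrets: []
## - name: secret-name
##   prefix: prefix
##   optional: true

## The names of configmaps in the same kubernetes namespace which contain values to be added to the environment
## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key.
## Name is templated.
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
envFromConfigMaps: []
## - name: configmap-name
##   prefix: prefix
##   optional: true

# Inject Kubernetes services as environment variables.
# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
enableServiceLinks: true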
## Additional grafana server secret mounts
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
extraSecretMounts: []
  # - name: secret-files
  #   mountPath: /etc/secrets
  #   secretName: grafana-secret-files
  #   readOnly: true
  #   optional: false
  #   subPath: ""
  #
  # for AWS EKS (cloudwatch) use the following (see also instruction in env: above)
  # - name: aws-iam-token
  #   mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
  #   readOnly: true
  #   projected:
  #     defaultMode: 420
  #     sources:
  #       - serviceAccountToken:
  #           audience: sts.amazonaws.com
  #           expirationSeconds: 86400
  #           path: token
  #
  # for CSI e.g. Azure Key Vault use the following
  # - name: secrets-store-inline
  #   mountPath: /run/secrets/vault.azure.com
  #   readOnly: true
  #   csi:
  #     driver: secrets-store.csi.k8s.io
  #     readOnly: true
  #     volumeAttributes:
  #       secretProviderClass: "akv-grafana-spc"
  #     nodePublishSecretRef:        # Only required when using service principal mode
  #       name: grafana-akv-creds    # Only required when using service principal mode

## Additional grafana server volume mounts
# Defines additional volume mounts.
extraVolumeMounts: []
  # - name: extra-volume-0
  #   mountPath: /mnt/volume0
  #   readOnly: true
  # - name: extra-volume-1
  #   mountPath: /mnt/volume1
  #   readOnly: true
  # - name: grafana-secrets
  #   mountPath: /mnt/volume2

## Additional Grafana server volumes
# A hostPath volume, as in the second example, exposes part of the node's
# filesystem to the pod; prefer a claim or CSI volume where one will do.
extraVolumes: []
  # - name: extra-volume-0
  #   existingClaim: volume-claim
  # - name: extra-volume-1
  #   hostPath:
  #     path: /usr/shared/
  #     type: ""
  # - name: grafana-secrets
  #   csi:
  #     driver: secrets-store.csi.k8s.io
  #     readOnly: true
  #     volumeAttributes:
  #       secretProviderClass: "grafana-env-spc"

## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request
lifecycleHooks: {}
  # postStart:
  #   exec:
  #     command: []
## Plugins to install, given as a list.
##
plugins: []
  # - digrich-bubblechart-panel
  # - grafana-clock-panel
  ## A plugin can also be fetched from another download URL, as long as it is a
  ## valid zip file; give the plugin name as prefix, with a version. Like this:
  ## (Use only sources you trust, and keep the version explicit as shown.)
  # - marcusolsson-json-datasource@1.3.24@https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.24/download
## Grafana datasource provisioning
## ref: http://docs.grafana.org/administration/provisioning/#datasources
##
datasources: {}
#  datasources.yaml:
#    apiVersion: 1
#    datasources:
#    - name: Prometheus
#      type: prometheus
#      url: http://prometheus-prometheus-server
#      access: proxy
#      isDefault: true
#    - name: CloudWatch
#      type: cloudwatch
#      access: proxy
#      uid: cloudwatch
#      editable: false
#      jsonData:
#        authType: default
#        defaultRegion: us-east-1
#    deleteDatasources: []
#    - name: Prometheus
## Grafana alerting provisioning (can be templated)
## ref: https://docs.grafana.com/alerting/set-up/provision-alerting-resources/file-provisioning/
##
## NOTE(review): in the example, contactpoints.yaml (which carries an
## integrationKey) is nested under a `secret:` key; presumably this marks the
## file as secret content - confirm against the chart templates.
alerting: {}
  # policies.yaml:
  #   apiVersion: 1
  #   policies:
  #     - orgId: 1
  #       receiver: first_uid
  #
  # rules.yaml:
  #   apiVersion: 1
  #   groups:
  #     - orgId: 1
  #       name: '{{ .Chart.Name }}_my_rule_group'
  #       folder: my_first_folder
  #       interval: 60s
  #       rules:
  #         - uid: my_id_1
  #           title: my_first_rule
  #           condition: A
  #           data:
  #             - refId: A
  #               datasourceUid: '-100'
  #               model:
  #                 conditions:
  #                   - evaluator:
  #                       params:
  #                         - 3
  #                       type: gt
  #                     operator:
  #                       type: and
  #                     query:
  #                       params:
  #                         - A
  #                     reducer:
  #                       type: last
  #                     type: query
  #                 datasource:
  #                   type: __expr__
  #                   uid: '-100'
  #                 expression: 1==0
  #                 intervalMs: 1000
  #                 maxDataPoints: 43200
  #                 refId: A
  #                 type: math
  #           dashboardUid: my_dashboard
  #           panelId: 123
  #           noDataState: Alerting
  #           for: 60s
  #           annotations:
  #             some_key: some_value
  #           labels:
  #             team: sre_team_1
  #
  # contactpoints.yaml:
  #   secret:
  #     apiVersion: 1
  #     contactPoints:
  #       - orgId: 1
  #         name: cp_1
  #         receivers:
  #           - uid: first_uid
  #             type: pagerduty
  #             settings:
  #               integrationKey: XXX
  #               severity: critical
  #               class: ping failure
  #               component: Grafana
  #               group: app-stack
  #               summary: |
  #                 {{ `{{ include "default.message" . }}` }}
  #
  # templates.yaml:
  #   apiVersion: 1
  #   templates:
  #     - orgId: 1
  #       name: my_first_template
  #       template: |
  #         {{ `
  #         {{ define "my_first_template" }}
  #         Custom notification message
  #         {{ end }}
  #         ` }}
  #
  # mutetimes.yaml
  #   apiVersion: 1
  #   muteTimes:
  #     - orgId: 1
  #       name: mti_1
  #       # refer to https://prometheus.io/docs/alerting/latest/configuration/#time_interval-0
  #       time_intervals: {}
## Notifier provisioning
## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
##
notifiers: {}
#  notifiers.yaml:
#    notifiers:
#    - name: email-notifier
#      type: email
#      uid: email1
#      # either:
#      org_id: 1
#      # or
#      org_name: Main Org.
#      is_default: true
#      settings:
#        addresses: an_email_address@example.com
#    delete_notifiers:
## Grafana dashboard providers
## ref: http://docs.grafana.org/administration/provisioning/#dashboards
##
## `path` must be /var/lib/grafana/dashboards/<provider_name>
##
dashboardProviders: {}
#  dashboardproviders.yaml:
#    apiVersion: 1
#    providers:
#    - name: 'default'
#      orgId: 1
#      folder: ''
#      type: file
#      disableDeletion: false
#      editable: true
#      options:
#        path: /var/lib/grafana/dashboards/default
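## Configure how curl fetches remote dashboards. The beginning dash is required.
## NOTE: This sets the default short flags for all dashboards, but these
## defaults can be overridden individually for each dashboard by setting
## curlOptions. See the example dashboards section below.
##
##  -s - silent mode
##  -k - skip TLS certificate verification (insecure)
##  -f - fail fast
##  See the curl documentation for additional options
##
## NOTE(review): with -k the download accepts any server certificate, so the
## dashboard JSON that is fetched, and any token sent with the request, are
## not protected against interception or tampering in transit. Where the
## dashboard source presents a certificate the curl image trusts, override
## this default with "-sf", or set curlOptions per dashboard as in the
## "-sLf" example in the dashboards section below.
defaultCurlOptions: "-skf"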
## Grafana dashboards to import
## NOTE: To use dashboards you must also enable/configure dashboardProviders
## ref: https://grafana.com/dashboards
##
## dashboards per provider, use provider name as key.
## For dashboards downloaded via gnetId or url, the optional "title" key overrides
## the dashboard title in the downloaded JSON so the UI displays your custom title.
##
dashboards: {}
  # default:
  #   some-dashboard:
  #     json: |
  #       $RAW_JSON
  #   custom-dashboard:
  #     file: dashboards/custom-dashboard.json
  #   prometheus-stats:
  #     title: My Custom Dashboard Title  # optional; overrides the dashboard title in the downloaded JSON
  #     gnetId: 2
  #     revision: 2
  #     datasource: Prometheus
  #   local-dashboard:
  #     url: https://example.com/repository/test.json
  #     curlOptions: "-sLf"
  #     token: ''
  #   local-dashboard-base64:
  #     url: https://example.com/repository/test-b64.json
  #     token: ''
  #     b64content: true
  #   local-dashboard-gitlab:
  #     url: https://example.com/repository/test-gitlab.json
  #     gitlabToken: ''
  #   local-dashboard-bitbucket:
  #     url: https://example.com/repository/test-bitbucket.json
  #     bearerToken: ''
  #   local-dashboard-azure:
  #     url: https://example.com/repository/test-azure.json
  #     basic: ''
  #     acceptHeader: '*/*'

## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
## A provider's dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
## ConfigMap data example:
##
## data:
##   example-dashboard.json: |
##     RAW_JSON
##
dashboardsConfigMaps: {}
#  default: ""
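## Grafana's primary configuration
## NOTE: values in map will be converted to ini format
## ref: http://docs.grafana.org/installation/configuration/
##
## NOTE(review): the commented examples below include client_secret. A secret
## written into this map presumably ends up in the rendered configuration
## (the ConfigMap created when createConfigmap is true) rather than in a
## Secret - confirm against the chart templates, and prefer supplying secrets
## through envFromSecret / envRenderSecret.
grafana.ini:
  paths:
    data: /var/lib/grafana/
    logs: /var/log/grafana
    plugins: /var/lib/grafana/plugins
    provisioning: /etc/grafana/provisioning
  analytics:
    # Enables Grafana's update check, which makes outbound requests; set to
    # false in restricted-egress environments.
    check_for_updates: true
  log:
    mode: console
  server:
    # First ingress host, else first route hostname, else empty.
    domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else if (and .Values.route.main.enabled .Values.route.main.hostnames) }}{{ tpl (.Values.route.main.hostnames | first) . }}{{ else }}''{{ end }}"
  unified_storage:
    index_path: /var/lib/grafana-search/bleve
  ## grafana Authentication can be enabled with the following values on grafana.ini
  # server:
  #   # The full public facing url you use in browser, used for redirects and emails
  #   root_url:
  # # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
  # auth.github:
  #   enabled: false
  #   allow_sign_up: false
  #   scopes: user:email,read:org
  #   auth_url: https://github.com/login/oauth/authorize
  #   token_url: https://github.com/login/oauth/access_token
  #   api_url: https://api.github.com/user
  #   team_ids:
  #   allowed_organizations:
  #   client_id:
  #   client_secret:
  ## LDAP Authentication can be enabled with the following values on grafana.ini
  ## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
  # auth.ldap:
  #   enabled: true
  #   allow_sign_up: true
  #   config_file: /etc/grafana/ldap.toml
  ## Grafana's alerting configuration
  # unified_alerting:
  #   enabled: true
  #   rule_version_record_limit: "5"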
## Grafana's LDAP configuration
## Templated by the template in _helpers.tpl
## NOTE: To enable, grafana.ini must be configured with auth.ldap.enabled
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
## ref: http://docs.grafana.org/installation/ldap/#configuration
ldap:
  enabled: false
  # `existingSecret` is a reference to an existing secret containing the ldap configuration
  # for Grafana in a key `ldap-toml`.
  existingSecret: ""
  # `config` is the content of `ldap.toml` that will be stored in the created secret
  config: ""
  # config: |-
  #   verbose_logging = true
  #   [[servers]]
  #   host = "my-ldap-server"
  #   port = 636
  #   use_ssl = true
  #   start_tls = false
  #   ssl_skip_verify = false
  #   bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"

# When process namespace sharing is enabled, processes in a container are
# visible to all other containers in the same pod.
# This parameter is added because the ldap reload api is not working https://grafana.com/docs/grafana/latest/developers/http_api/admin/#reload-ldap-configuration
# To allow an extraContainer to restart the Grafana container
# Sharing the process namespace reduces isolation between the pod's
# containers; leave it false unless that restart mechanism is needed.
shareProcessNamespace: false
## Grafana's SMTP configuration
## NOTE: To enable, grafana.ini must be configured with smtp.enabled
## ref: http://docs.grafana.org/installation/configuration/#smtp
smtp:
  # `existingSecret` is a reference to an existing secret containing the smtp
  # configuration for Grafana.
  existingSecret: ""
  # Keys inside the secret that hold the SMTP user and password.
  userKey: "user"
  passwordKey: "password"
## Sidecars that collect the configmaps with the specified label and store the
## included files in the respective folders
## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
sidecar:
  image:
    # -- The Docker registry
    registry: cgr.dev
    repository: scratch-images/test-tmp/k8s-sidecar
    tag: '2.7.3-r1'
    sha: 'sha256:a67dc6ed62647ec60c9ef35a3afb88065279e5d30588d1509b8222446aceb851'
  imagePullPolicy: IfNotPresent
  resources: {}
  #   limits:
  #     cpu: 100m
  #     memory: 100Mi
  #   requests:
  #     cpu: 50m
  #     memory: 50Mi
  # No privilege escalation, every capability dropped, default seccomp profile.
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  # skipTlsVerify Set to true to skip tls verification for kube api calls.
  # Leave it unset so the sidecar keeps verifying the API server certificate.
  # skipTlsVerify: true
  enableUniqueFilenames: false
  readinessProbe: {}
  livenessProbe: {}
  # Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO
  # logLevel: INFO
alerts:
962
enabled: false
963
# Additional environment variables for the alerts sidecar
964
env: {}
965
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
966
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
967
## Renders in container spec as:
968
## env:
969
## ...
970
## - name: <key>
971
## valueFrom:
972
## <value rendered as YAML>
973
envValueFrom: {}
974
# ENV_NAME:
975
# configMapKeyRef:
976
# name: configmap-name
977
# key: value_key
978
# Do not reprocess already processed unchanged resources on k8s API reconnect.
979
# ignoreAlreadyProcessed: true
980
# label that the configmaps with alert are marked with (can be templated)
981
label: grafana_alert
982
# value of label that the configmaps with alert are set to (can be templated)
983
labelValue: ""
984
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
985
# logLevel: INFO
986
# If specified, the sidecar will search for alert config-maps inside this namespace.
987
# Otherwise the namespace in which the sidecar is running will be used.
988
# It's also possible to specify ALL to search in all namespaces
989
searchNamespace: null
990
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
991
watchMethod: WATCH
992
# search in configmap, secret or both
993
resource: both
994
#
995
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
996
# per default all resources of the type defined in {{ .Values.sidecar.alerts.resource }} will be checked.
997
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
998
# resourceName: "secret/alerts-1,configmap/alerts-0"
999
resourceName: ""
1000
#
1001
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1002
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1003
# watchServerTimeout: 3600
1004
#
1005
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1006
# If you have a network outage dropping all packets with no RST/FIN,
1007
# this is how long your client waits before realizing & dropping the connection.
1008
# defaults to 66sec (sic!)
1009
# watchClientTimeout: 60
1010
#
1011
# maxTotalRetries: Total number of retries to allow for any http request.
1012
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1013
# Set to 0 to fail on the first retry.
1014
# maxTotalRetries: 5
1015
#
1016
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1017
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1018
# Applies to all requests to reloadURL and k8s api requests.
1019
# Set to 0 to fail on the first retry of this type.
1020
# maxConnectRetries: 10
1021
#
1022
# maxReadRetries: How many times to retry on read errors for any http request
1023
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1024
# Applies to all requests to reloadURL and k8s api requests.
1025
# Set to 0 to fail on the first retry of this type.
1026
# maxReadRetries: 5
1027
#
1028
# Endpoint to send request to reload alerts
1029
reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload"
1030
# Absolute path to a script to execute after a configmap got reloaded.
1031
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1032
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1033
script: null
1034
skipReload: false
1035
# This is needed if skipReload is true, to load any alerts defined at startup time.
1036
# Deploy the alert sidecar as an initContainer.
1037
initAlerts: false
1038
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1039
# restartPolicy: Always
1040
# # only applies to native sidecars
1041
# startupProbe:
1042
# httpGet:
1043
# path: /healthz
1044
# port: 8080
1045
# initialDelaySeconds: 5
1046
# periodSeconds: 5
1047
# failureThreshold: 60 # 5 minutes
1048
# Additional alerts sidecar volume mounts
1049
extraMounts: []
1050
# Sets the size limit of the alert sidecar emptyDir volume
1051
sizeLimit: ""
1052
dashboards:
1053
enabled: false
1054
# Additional environment variables for the dashboards sidecar
1055
env: {}
1056
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1057
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1058
## Renders in container spec as:
1059
## env:
1060
## ...
1061
## - name: <key>
1062
## valueFrom:
1063
## <value rendered as YAML>
1064
envValueFrom: {}
1065
# ENV_NAME:
1066
# configMapKeyRef:
1067
# name: configmap-name
1068
# key: value_key
1069
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1070
# ignoreAlreadyProcessed: true
1071
SCProvider: true
1072
# label that the configmaps with dashboards are marked with (can be templated)
1073
label: grafana_dashboard
1074
# value of label that the configmaps with dashboards are set to (can be templated)
1075
labelValue: ""
1076
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1077
# logLevel: INFO
1078
# folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
1079
folder: /tmp/dashboards
1080
# The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
1081
defaultFolderName: null
1082
# Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
1083
# Otherwise the namespace in which the sidecar is running will be used.
1084
# It's also possible to specify ALL to search in all namespaces.
1085
searchNamespace: null
1086
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1087
watchMethod: WATCH
1088
# search in configmap, secret or both
1089
resource: both
1090
# If specified, the sidecar will look for annotation with this name to create folder and put graph here.
1091
# You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
1092
folderAnnotation: null
1093
#
1094
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1095
# per default all resources of the type defined in {{ .Values.sidecar.dashboards.resource }} will be checked.
1096
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1097
# resourceName: "secret/dashboards-0,configmap/dashboards-1"
1098
resourceName: ""
1099
#
1100
# maxTotalRetries: Total number of retries to allow for any http request.
1101
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1102
# Set to 0 to fail on the first retry.
1103
# maxTotalRetries: 5
1104
#
1105
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1106
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1107
# Applies to all requests to reloadURL and k8s api requests.
1108
# Set to 0 to fail on the first retry of this type.
1109
# maxConnectRetries: 10
1110
#
1111
# maxReadRetries: How many times to retry on read errors for any http request
1112
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1113
# Applies to all requests to reloadURL and k8s api requests.
1114
# Set to 0 to fail on the first retry of this type.
1115
# maxReadRetries: 5
1116
#
1117
# Endpoint to send request to reload alerts
1118
reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload"
1119
# Absolute path to a script to execute after a configmap got reloaded.
1120
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1121
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1122
script: null
1123
skipReload: false
1124
# This is needed if skipReload is true, to load any dashboards defined at startup time.
1125
# Deploy the dashboard sidecar as an initContainer.
1126
initDashboards: false
1127
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1128
# restartPolicy: Always
1129
# # only applies to native sidecars
1130
# startupProbe:
1131
# httpGet:
1132
# path: /healthz
1133
# port: 8083
1134
# initialDelaySeconds: 5
1135
# periodSeconds: 5
1136
# failureThreshold: 60 # 5 minutes
1137
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1138
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1139
# watchServerTimeout: 3600
1140
#
1141
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1142
# If you have a network outage dropping all packets with no RST/FIN,
1143
# this is how long your client waits before realizing & dropping the connection.
1144
# defaults to 66sec (sic!)
1145
# watchClientTimeout: 60
1146
#
1147
# provider configuration that lets grafana manage the dashboards
1148
provider:
1149
# name of the provider, should be unique
1150
name: sidecarProvider
1151
# orgid as configured in grafana
1152
orgid: 1
1153
# folder in which the dashboards should be imported in grafana
1154
folder: ''
1155
# <string> folder UID. will be automatically generated if not specified
1156
folderUid: ''
1157
# type of the provider
1158
type: file
1159
# disableDelete to activate a import-only behaviour
1160
disableDelete: false
1161
# allow updating provisioned dashboards from the UI
1162
allowUiUpdates: false
1163
# allow Grafana to replicate dashboard structure from filesystem
1164
foldersFromFilesStructure: false
1165
# Additional dashboards sidecar volume mounts
1166
extraMounts: []
1167
# Sets the size limit of the dashboard sidecar emptyDir volume
1168
sizeLimit: ""
1169
datasources:
1170
enabled: false
1171
# Additional environment variables for the datasourcessidecar
1172
env: {}
1173
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1174
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1175
## Renders in container spec as:
1176
## env:
1177
## ...
1178
## - name: <key>
1179
## valueFrom:
1180
## <value rendered as YAML>
1181
envValueFrom: {}
1182
# ENV_NAME:
1183
# configMapKeyRef:
1184
# name: configmap-name
1185
# key: value_key
1186
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1187
# ignoreAlreadyProcessed: true
1188
# label that the configmaps with datasources are marked with (can be templated)
1189
label: grafana_datasource
1190
# value of label that the configmaps with datasources are set to (can be templated)
1191
labelValue: ""
1192
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1193
# logLevel: INFO
1194
# If specified, the sidecar will search for datasource config-maps inside this namespace.
1195
# Otherwise the namespace in which the sidecar is running will be used.
1196
# It's also possible to specify ALL to search in all namespaces
1197
searchNamespace: null
1198
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1199
watchMethod: WATCH
1200
# search in configmap, secret or both
1201
resource: both
1202
#
1203
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1204
# per default all resources of the type defined in {{ .Values.sidecar.datasources.resource }} will be checked.
1205
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1206
# resourceName: "secret/datasources-0,configmap/datasources-15"
1207
resourceName: ""
1208
#
1209
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1210
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1211
# watchServerTimeout: 3600
1212
#
1213
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1214
# If you have a network outage dropping all packets with no RST/FIN,
1215
# this is how long your client waits before realizing & dropping the connection.
1216
# defaults to 66sec (sic!)
1217
# watchClientTimeout: 60
1218
#
1219
# maxTotalRetries: Total number of retries to allow for any http request.
1220
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1221
# Set to 0 to fail on the first retry.
1222
# maxTotalRetries: 5
1223
#
1224
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1225
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1226
# Applies to all requests to reloadURL and k8s api requests.
1227
# Set to 0 to fail on the first retry of this type.
1228
# maxConnectRetries: 10
1229
#
1230
# maxReadRetries: How many times to retry on read errors for any http request
1231
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1232
# Applies to all requests to reloadURL and k8s api requests.
1233
# Set to 0 to fail on the first retry of this type.
1234
# maxReadRetries: 5
1235
#
1236
# Endpoint to send request to reload datasources
1237
reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
1238
# Absolute path to a script to execute after a configmap got reloaded.
1239
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1240
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1241
script: null
1242
skipReload: false
1243
# This is needed if skipReload is true, to load any datasources defined at startup time.
1244
# Deploy the datasources sidecar as an initContainer.
1245
initDatasources: false
1246
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1247
# restartPolicy: Always
1248
# # only applies to native sidecars
1249
# startupProbe:
1250
# httpGet:
1251
# path: /healthz
1252
# port: 8081
1253
# initialDelaySeconds: 5
1254
# periodSeconds: 5
1255
# failureThreshold: 60 # 5 minutes
1256
# Additional datasources sidecar volume mounts
1257
extraMounts: []
1258
# Sets the size limit of the datasource sidecar emptyDir volume
1259
sizeLimit: ""
1260
plugins:
1261
enabled: false
1262
# Additional environment variables for the plugins sidecar
1263
env: {}
1264
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1265
# ignoreAlreadyProcessed: true
1266
# label that the configmaps with plugins are marked with (can be templated)
1267
label: grafana_plugin
1268
# value of label that the configmaps with plugins are set to (can be templated)
1269
labelValue: ""
1270
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1271
# logLevel: INFO
1272
# If specified, the sidecar will search for plugin config-maps inside this namespace.
1273
# Otherwise the namespace in which the sidecar is running will be used.
1274
# It's also possible to specify ALL to search in all namespaces
1275
searchNamespace: null
1276
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1277
watchMethod: WATCH
1278
# search in configmap, secret or both
1279
resource: both
1280
#
1281
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1282
# per default all resources of the type defined in {{ .Values.sidecar.plugins.resource }} will be checked.
1283
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1284
# resourceName: "secret/plugins-0,configmap/plugins-1"
1285
resourceName: ""
1286
#
1287
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1288
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1289
# watchServerTimeout: 3600
1290
#
1291
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1292
# If you have a network outage dropping all packets with no RST/FIN,
1293
# this is how long your client waits before realizing & dropping the connection.
1294
# defaults to 66sec (sic!)
1295
# watchClientTimeout: 60
1296
#
1297
# maxTotalRetries: Total number of retries to allow for any http request.
1298
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1299
# Set to 0 to fail on the first retry.
1300
# maxTotalRetries: 5
1301
#
1302
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1303
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1304
# Applies to all requests to reloadURL and k8s api requests.
1305
# Set to 0 to fail on the first retry of this type.
1306
# maxConnectRetries: 10
1307
#
1308
# maxReadRetries: How many times to retry on read errors for any http request
1309
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1310
# Applies to all requests to reloadURL and k8s api requests.
1311
# Set to 0 to fail on the first retry of this type.
1312
# maxReadRetries: 5
1313
#
1314
# Endpoint to send request to reload plugins
1315
reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
1316
# Absolute path to a script to execute after a configmap got reloaded.
1317
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1318
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1319
script: null
1320
skipReload: false
1321
# Deploy the datasource sidecar as an initContainer in addition to a container.
1322
# This is needed if skipReload is true, to load any plugins defined at startup time.
1323
initPlugins: false
1324
# Additional plugins sidecar volume mounts
1325
extraMounts: []
1326
# Sets the size limit of the plugin sidecar emptyDir volume
1327
sizeLimit: ""
1328
notifiers:
1329
enabled: false
1330
# Additional environment variables for the notifierssidecar
1331
env: {}
1332
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1333
# ignoreAlreadyProcessed: true
1334
# label that the configmaps with notifiers are marked with (can be templated)
1335
label: grafana_notifier
1336
# value of label that the configmaps with notifiers are set to (can be templated)
1337
labelValue: ""
1338
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1339
# logLevel: INFO
1340
# If specified, the sidecar will search for notifier config-maps inside this namespace.
1341
# Otherwise the namespace in which the sidecar is running will be used.
1342
# It's also possible to specify ALL to search in all namespaces
1343
searchNamespace: null
1344
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1345
watchMethod: WATCH
1346
# search in configmap, secret or both
1347
resource: both
1348
#
1349
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1350
# per default all resources of the type defined in {{ .Values.sidecar.notifiers.resource }} will be checked.
1351
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1352
# resourceName: "secret/notifiers-2,configmap/notifiers-1"
1353
resourceName: ""
1354
#
1355
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1356
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1357
# watchServerTimeout: 3600
1358
#
1359
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1360
# If you have a network outage dropping all packets with no RST/FIN,
1361
# this is how long your client waits before realizing & dropping the connection.
1362
# defaults to 66sec (sic!)
1363
# watchClientTimeout: 60
1364
#
1365
# maxTotalRetries: Total number of retries to allow for any http request.
1366
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1367
# Set to 0 to fail on the first retry.
1368
# maxTotalRetries: 5
1369
#
1370
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1371
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1372
# Applies to all requests to reloadURL and k8s api requests.
1373
# Set to 0 to fail on the first retry of this type.
1374
# maxConnectRetries: 10
1375
#
1376
# maxReadRetries: How many times to retry on read errors for any http request
1377
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1378
# Applies to all requests to reloadURL and k8s api requests.
1379
# Set to 0 to fail on the first retry of this type.
1380
# maxReadRetries: 5
1381
#
1382
# Endpoint to send request to reload notifiers
1383
reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload"
1384
# Absolute path to a script to execute after a configmap got reloaded.
1385
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1386
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1387
script: null
1388
skipReload: false
1389
# Deploy the notifier sidecar as an initContainer in addition to a container.
1390
# This is needed if skipReload is true, to load any notifiers defined at startup time.
1391
initNotifiers: false
1392
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1393
# restartPolicy: Always
1394
# # only applies to native sidecars
1395
# startupProbe:
1396
# httpGet:
1397
# path: /healthz
1398
# port: 8082
1399
# initialDelaySeconds: 5
1400
# periodSeconds: 5
1401
# failureThreshold: 60 # 5 minutes
1402
# Additional notifiers sidecar volume mounts
1403
extraMounts: []
1404
# Sets the size limit of the notifier sidecar emptyDir volume
1405
sizeLimit: ""
1406
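## Override the deployment namespace
##
namespaceOverride: ""
## Number of old ReplicaSets to retain
##
revisionHistoryLimit: 10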
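## Add a separate remote image renderer deployment/service
imageRenderer:
  deploymentStrategy: {}
  ## The maximum time in seconds for the image renderer Deployment to make progress before it is
  ## considered to be failed.
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
  progressDeadlineSeconds: null
  # Enable the image-renderer deployment & service
  enabled: false
  replicas: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPU: "60"
    targetMemory: ""
    behavior: {}
  # The url of remote image renderer if it is not in the same namespace with the grafana instance
  serverURL: ""
  # The callback url of grafana instances if it is not in the same namespace with the remote image renderer
  renderingCallbackURL: ""
  # Token used for authentication between Grafana and the remote image renderer.
  # A value set here is stored with the chart values; use `existingSecret` below
  # to keep it out of values files.
  token: ""
  # Use an existing secret for the image renderer token. Must contain a key named "token".
  existingSecret: ""
  image:
    # -- The Docker registry
    registry: cgr.dev
    # image-renderer Image repository
    repository: scratch-images/test-tmp/grafana-image-renderer
    # image-renderer Image tag
    tag: 5.8.4-r0
    # image-renderer Image sha (optional)
    sha: sha256:0046bc17ff37c53ec46a547af751eb79bc35f3cbc817dba14748aefc7761de39
    # image-renderer Image pull secrets (optional)
    pullSecrets: []
    # image-renderer ImagePullPolicy
    pullPolicy: Always
  dnsPolicy: null
  dnsConfig: {}
  #   nameservers:
  #     - 8.8.8.8
  #   options:
  #     - name: ndots
  #       value: "2"
  #     - name: edns0
  # extra environment variables
  env:
    # Listens on all interfaces; `networkPolicy.limitIngress` below restricts who can connect.
    HTTP_HOST: "0.0.0.0"
    # Fixes "Error: Failed to launch the browser process!\nchrome_crashpad_handler: --database is required"
    XDG_CONFIG_HOME: /tmp/.chromium
    XDG_CACHE_HOME: /tmp/.chromium
    # The examples below weaken isolation when enabled: `--no-sandbox` turns off the
    # Chromium sandbox and IGNORE_HTTPS_ERRORS disables certificate checks while rendering.
    # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
    # RENDERING_MODE: clustered
    # IGNORE_HTTPS_ERRORS: true
  ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
  ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
  ## Renders in container spec as:
  ##   env:
  ##     ...
  ##     - name: <key>
  ##       valueFrom:
  ##         <value rendered as YAML>
  envValueFrom: {}
  #   ENV_NAME:
  #     configMapKeyRef:
  #       name: configmap-name
  #       key: value_key

  # image-renderer deployment serviceAccount
  serviceAccountName: ""
  automountServiceAccountToken: false
  # image-renderer deployment hostUsers
  hostUsers: null
  # image-renderer deployment securityContext
  securityContext: {}
  # image-renderer deployment container securityContext
  containerSecurityContext:
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop: ['ALL']
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
  ## image-renderer pod annotation
  podAnnotations: {}
  # image-renderer deployment Host Aliases
  hostAliases: []
  # image-renderer deployment priority class
  priorityClassName: ''
  # Path to the healthcheck endpoint. On Image Renderer v5.0.0 or newer, this is '/healthz'. Older versions use '/'.
  healthcheckPath: '/healthz'
  service:
    # Enable the image-renderer service
    enabled: true
    # image-renderer service port name
    portName: 'http'
    # image-renderer service port used by both service and deployment
    port: 8081
    targetPort: 8081
    # Adds the appProtocol field to the image-renderer service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
    appProtocol: ""
  serviceMonitor:
    ## If true, a ServiceMonitor CRD is created for a prometheus operator
    ## https://github.com/coreos/prometheus-operator
    ##
    enabled: false
    path: /metrics
    #  namespace: monitoring  (defaults to use the namespace this chart is deployed to)
    labels: {}
    interval: 1m
    scheme: http
    tlsConfig: {}
    scrapeTimeout: 30s
    relabelings: []
    # See: https://doc.crds.dev/github.com/prometheus-operator/kube-prometheus/monitoring.coreos.com/ServiceMonitor/v1@v0.11.0#spec-targetLabels
    targetLabels: []
    #   - targetLabel1
    #   - targetLabel2
  # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana
  grafanaProtocol: http
  # In case a sub_path is used this needs to be added to the image renderer callback
  grafanaSubPath: ""
  # name of the image-renderer port on the pod
  podPortName: http
  # number of image-renderer replica sets to keep
  revisionHistoryLimit: 10
  networkPolicy:
    # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
    limitIngress: true
    # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
    limitEgress: false
    # Allow additional services to access image-renderer (eg. Prometheus operator when ServiceMonitor is enabled)
    extraIngressSelectors: []
  resources: {}
  #   limits:
  #     cpu: 100m
  #     memory: 100Mi
  #   requests:
  #     cpu: 50m
  #     memory: 50Mi
  ## Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  ## Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## Affinity for pod assignment (evaluated as template)
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ##
  affinity: {}
  ## Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  # schedulerName: "default-scheduler"

  # Extra configmaps to mount in image-renderer pods
  extraConfigmapMounts: []
  # Extra secrets to mount in image-renderer pods
  extraSecretMounts: []
  # Extra volumes to mount in image-renderer pods
  extraVolumeMounts: []
  # Extra volumes for image-renderer pods
  extraVolumes: []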
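networkPolicy:
  # -- networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
  enabled: false
  # -- networkPolicy.ingress When true enables the creation
  # an ingress network policy
  ingress: true
  # -- networkPolicy.allowExternal Don't require client label for connections
  # The Policy model to apply. When set to false, only pods with the correct
  # client label will have network access to grafana port defined.
  # When true, grafana will accept connections from any source
  # (with the correct destination port).
  # The default `true` therefore leaves the grafana port reachable from any source
  # even with the policy enabled; set it to false to require the client label.
  #
  allowExternal: true
  # -- networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
  # If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
  # and that match other criteria, the ones that have the good label, can reach the grafana.
  # But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
  # LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
  # </br>
  #
  # Example:
  #
  # ```
  # explicitNamespacesSelector:
  #   matchLabels:
  #     role: frontend
  #   matchExpressions:
  #    - {key: role, operator: In, values: [frontend]}
  # ```
  explicitNamespacesSelector: {}
  # -- networkPolicy.explicitIpBlocks List of CIDR blocks allowed as ingress sources.
  # Each entry must be a valid CIDR notation string (e.g. 10.0.0.0/8).
  # When defined, the specified CIDR ranges are added to the ingress `from` rules
  # using `ipBlock` entries and complement the other configured ingress sources.
  # </br>
  #
  # Example:
  #
  # ```
  # explicitIpBlocks:
  #   - 35.191.0.0/16
  #   - 130.211.0.0/22
  # ```
  #
  explicitIpBlocks: []
  egress:
    # -- networkPolicy.egress.enabled When enabled, an egress network policy will be
    # created allowing grafana to connect to external data sources from kubernetes cluster.
    enabled: false
    # -- networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked
    # for all pods in the grafana namespace.
    blockDNSResolution: false
    # -- networkPolicy.egress.ports Add individual ports to be allowed by the egress
    ports: []
    # Add ports to the egress by specifying - port: <port number>
    # E.X.
    # - port: 80
    # - port: 443
    #
    # -- networkPolicy.egress.to Allow egress traffic to specific destinations
    to: []
    # -- destinations to the egress by specifying - ipBlock: <CIDR>
    # E.X.
    # to:
    #  - namespaceSelector:
    #      matchExpressions:
    #      - {key: role, operator: In, values: [grafana]}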
# Enable backward compatibility with Kubernetes versions below 1.13, which do not have the enableServiceLinks option
enableKubeBackwardCompatibility: false
# NOTE(review): presumably deploys Grafana as a StatefulSet instead of a
# Deployment; the values file does not say. Confirm in the templates.
useStatefulSet: false
# extraObjects can be used to add dynamic manifests via values.
# Every entry is rendered into the release as an additional Kubernetes object,
# so whoever can edit the values can create arbitrary objects with the
# permissions of the identity that installs the chart. Review changes to this
# list as carefully as changes to the templates themselves.
extraObjects: []
# Examples:
# extraObjects:
#   - apiVersion: kubernetes-client.io/v1
#     kind: ExternalSecret
#     metadata:
#       name: grafana-secrets-{{ .Release.Name }}
#     spec:
#       backendType: gcpSecretsManager
#       data:
#         - key: grafana-admin-password
#           name: adminPassword
# Alternatively, you can use strings, which lets you use additional templating features:
# extraObjects:
#   - |
#     apiVersion: kubernetes-client.io/v1
#     kind: ExternalSecret
#     metadata:
#       name: grafana-secrets-{{ .Release.Name }}
#     spec:
#       backendType: gcpSecretsManager
#       data:
#         - key: grafana-admin-password
#           name: {{ include "some-other-template" }}

# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks that secret
# values are not exposed in the rendered grafana.ini configmap. It is enabled by default.
#
# A ConfigMap is not a secret store: its contents are readable by any identity
# that may read ConfigMaps in the namespace, and they appear in the rendered
# manifests of the release.
#
# To pass values into grafana.ini without exposing them in a configmap, use variable expansion:
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
#
# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap,
# you can disable this check by setting assertNoLeakedSecrets to false.
assertNoLeakedSecrets: true
# updateMode options are:
# Off: In the Off update mode, the VPA recommender still analyzes resource usage
#   and generates recommendations, but these recommendations are not
#   automatically applied to Pods. The recommendations are only stored in the
#   VPA object's .status field.
# Initial: In Initial mode, VPA only sets resource requests when Pods are first
#   created. It does not update resources for already running Pods, even if
#   recommendations change over time. The recommendations apply only during Pod
#   creation.
# Recreate: In Recreate mode, VPA actively manages Pod resources by evicting
#   Pods when their current resource requests differ significantly from
#   recommendations. When a Pod is evicted, the workload controller (managing a
#   Deployment, StatefulSet, etc) creates a replacement Pod, and the VPA
#   admission controller applies the updated resource requests to the new Pod.
# InPlaceOrRecreate: VPA first tries to apply updated resource requests to the
#   running Pod in place and falls back to eviction, as described for Recreate,
#   when an in-place update is not possible.
# Auto (deprecated): The Auto update mode is deprecated since VPA version 1.4.0.
#   Use Recreate for eviction-based updates, or InPlaceOrRecreate for in-place
#   updates with eviction fallback.
#
# NOTE(review): the nesting of controlledResources, minAllowed and maxAllowed
# below was reconstructed from a flattened listing; confirm it against the
# chart's values.yaml.
verticalPodAutoscaler:
  enabled: false
  # Quoted on purpose: a bare Off is read as boolean false by YAML 1.1 parsers.
  updateMode: "Off"
  controlledResources:
    cpu: true
    memory: true
  # Default safety bounds
  minAllowed:
    cpu: "25m"
    memory: "128Mi"
  maxAllowed:
    cpu: "1000m"
    memory: "1Gi"
