
community-grafana

Helm chart


1
global:
2
# -- Overrides the Docker registry globally for all images
3
imageRegistry: null
4
# To help compatibility with other charts which use global.imagePullSecrets.
5
# Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style).
6
# Can be templated.
7
# global:
8
# imagePullSecrets:
9
# - name: pullSecret1
10
# - name: pullSecret2
11
# or
12
# global:
13
# imagePullSecrets:
14
# - pullSecret1
15
# - pullSecret2
16
imagePullSecrets: []
17
# RBAC settings for the permissions granted to the Grafana service account.
rbac:
  create: true
  ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true)
  # useExistingRole: name-of-some-role
  # useExistingClusterRole: name-of-some-clusterRole
  pspEnabled: false
  pspUseAppArmor: false
  # false selects the ClusterRole variant, true the namespaced Role variant
  # (see the useExisting* comment above).
  # NOTE(review): a ClusterRole applies cluster-wide; prefer namespaced: true
  # when Grafana and its sidecars only need objects from known namespaces.
  namespaced: false
  # Only has an effect if namespaced: true is set
  namespaces: []
  # Every rule added below widens what the service account may do; keep
  # apiGroups, resources and verbs as narrow as the use case allows.
  extraRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
  extraClusterRoleRules: []
  # - apiGroups: []
  #   resources: []
  #   verbs: []
35
# ServiceAccount used by the Grafana pods.
serviceAccount:
  create: true
  name: ""
  nameTest: ""
  ## ServiceAccount labels.
  labels: {}
  ## Service account annotations. Can be templated.
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here

  ## autoMount is deprecated in favor of automountServiceAccountToken
  # autoMount: false
  # ServiceAccount-level setting. This file also sets a top-level
  # automountServiceAccountToken (true) for the pod; in Kubernetes the
  # pod-level field takes precedence, so false here does not by itself keep
  # the token out of the Grafana pod.
  automountServiceAccountToken: false
48
replicas: 1
49
## Create a headless service for the deployment
50
headlessService: false
51
## Should the service account be auto mounted on the pod
# Pod-level switch, distinct from serviceAccount.automountServiceAccountToken.
# NOTE(review): with true the API token is available inside the pod's
# containers. Presumably the sidecars need it to read ConfigMaps/Secrets;
# if no sidecar or API access is used, consider false - confirm against the
# chart templates.
automountServiceAccountToken: true
53
## Create HorizontalPodAutoscaler object for deployment type
54
#
55
autoscaling:
56
enabled: false
57
minReplicas: 1
58
maxReplicas: 5
59
targetCPU: "60"
60
targetMemory: ""
61
behavior: {}
62
## See `kubectl explain poddisruptionbudget.spec` for more
63
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
64
podDisruptionBudget: {}
65
# apiVersion: ""
66
# minAvailable: 1
67
# maxUnavailable: 1
68
# unhealthyPodEvictionPolicy: IfHealthyBudget
69
70
## See `kubectl explain deployment.spec.strategy` for more
71
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
72
deploymentStrategy:
73
type: RollingUpdate
74
## The maximum time in seconds for a Deployment to make progress before it is considered to be failed.
75
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
76
progressDeadlineSeconds: null
77
readinessProbe:
78
httpGet:
79
path: /api/health
80
port: grafana
81
livenessProbe:
82
httpGet:
83
path: /api/health
84
port: grafana
85
initialDelaySeconds: 60
86
timeoutSeconds: 30
87
failureThreshold: 10
88
## Use an alternate scheduler, e.g. "stork".
89
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
90
##
91
# schedulerName: "default-scheduler"
92
# Grafana container image.
image:
  # -- The Docker registry
  registry: chainreg.biz
  # -- Docker image repository
  repository: scratch-images/test-tmp/grafana
  # Overrides the Grafana image tag whose default is the chart appVersion
  tag: v13.0.2-r4
  # Content digest for the image. Presumably combined with the tag so the
  # pull is pinned to immutable content - TODO confirm in the templates.
  # When overriding tag, update or clear sha so the two cannot disagree.
  sha: sha256:1006d3d782bdd74f45ec2b4187ae3323a2db5ae4e379f4005f61370997f58c57
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
  ## Secrets must be manually created in the namespace.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ## Can be templated.
  ##
  pullSecrets: []
  # - myRegistryKeySecretName
108
# Helm test pod settings.
testFramework:
  enabled: true
  ## The type of Helm hook used to run this test. Defaults to test.
  ## ref: https://helm.sh/docs/topics/charts_hooks/#the-available-hooks
  ##
  # hookType: test
  # NOTE(review): unlike the other images in this file, the test image comes
  # from docker.io and has no sha digest, so it is pinned by tag only.
  # Mirror it into the trusted registry or set enabled: false where
  # `helm test` is not used.
  image:
    # -- The Docker registry
    registry: docker.io
    repository: bats/bats
    tag: "1.13.0"
  imagePullPolicy: IfNotPresent
  # NOTE(review): both contexts are empty, so these values add no hardening
  # to the test pod. Consider mirroring the main pod's settings
  # (runAsNonRoot, allowPrivilegeEscalation: false, drop ALL, seccomp
  # RuntimeDefault).
  securityContext: {}
  containerSecurityContext: {}
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
129
# dns configuration for pod
130
dnsPolicy: ~
131
dnsConfig: {}
132
# nameservers:
133
# - 8.8.8.8
134
# options:
135
# - name: ndots
136
# value: "2"
137
# - name: edns0
138
139
hostUsers: ~
140
# Pod-level security context: run as the non-root UID/GID 472; fsGroup 472
# applies to mounted volumes.
securityContext:
  runAsNonRoot: true
  runAsUser: 472
  runAsGroup: 472
  fsGroup: 472
# Container-level security context for the Grafana container: no privilege
# escalation, not privileged, all Linux capabilities dropped, runtime default
# seccomp profile.
# NOTE(review): readOnlyRootFilesystem is not set here; evaluate enabling it
# once all writable paths are backed by volumes.
containerSecurityContext:
  allowPrivilegeEscalation: false
  privileged: false
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
153
# Enable creating the grafana configmap
154
createConfigmap: true
155
# Extra configmaps to mount in grafana pods
156
# Values are templated.
157
extraConfigmapMounts: []
158
# - name: certs-configmap
159
# mountPath: /etc/grafana/ssl/
160
# subPath: certificates.crt # (optional)
161
# configMap: certs-configmap
162
# readOnly: true
163
# optional: false
164
165
extraEmptyDirMounts: []
166
# - name: provisioning-notifiers
167
# mountPath: /etc/grafana/provisioning/notifiers
168
169
# Shadow `/usr/share/grafana/data/plugins-bundled` with an emptyDir so plugins
170
# listed under `plugins:` install cleanly into `/var/lib/grafana/plugins` instead
171
# of failing on the read-only bundled directory shipped in the Grafana image.
172
# Required for plugins moved out of core in Grafana 13 (e.g. `elasticsearch`,
173
# `cloudwatch`) when listed in `plugins:`. Side effect: any bundled plugin not
174
# explicitly listed in `plugins:` will not be available.
175
shadowBundledPlugins: false
176
# Apply extra labels to common labels.
177
extraLabels: {}
178
## Assign a PriorityClassName to pods if set
179
# priorityClassName:
180
downloadDashboardsImage:
181
# -- The Docker registry
182
registry: chainreg.biz
183
repository: scratch-images/test-tmp/curl
184
tag: 8.20.0-r1
185
sha: sha256:5497ac1c20052f642b0c6b901e464ab974b297101a9cfe6b0937fb3261ffa243
186
pullPolicy: IfNotPresent
187
downloadDashboards:
188
env: {}
189
envFromSecret: ""
190
resources: {}
191
securityContext:
192
allowPrivilegeEscalation: false
193
capabilities:
194
drop:
195
- ALL
196
seccompProfile:
197
type: RuntimeDefault
198
envValueFrom: {}
199
# ENV_NAME:
200
# configMapKeyRef:
201
# name: configmap-name
202
# key: value_key
203
## Pod Annotations
204
# podAnnotations: {}
205
206
## ConfigMap Annotations
207
# configMapAnnotations: {}
208
# argocd.argoproj.io/sync-options: Replace=true
209
210
## Pod Labels
211
# podLabels: {}
212
podPortName: grafana
213
gossipPortName: gossip
214
## Deployment annotations
215
# annotations: {}
216
217
## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
218
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
219
## ref: http://kubernetes.io/docs/user-guide/services/
220
##
221
service:
222
enabled: true
223
type: ClusterIP
224
# Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
225
ipFamilyPolicy: ""
226
# Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
227
ipFamilies: []
228
loadBalancerIP: ""
229
loadBalancerClass: ""
230
loadBalancerSourceRanges: []
231
port: 80
232
targetPort: 3000
233
# targetPort: 4181 To be used with a proxy extraContainer
234
## Service annotations. Can be templated.
235
annotations: {}
236
labels: {}
237
portName: service
238
# Adds the appProtocol field to the service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
239
appProtocol: ""
240
sessionAffinity: ""
241
# trafficDistribution allows specifying how traffic is distributed to Service endpoints.
242
# Valid values: "" (default - standard load balancing),"PreferSameZone" (K8s 1.34+), "PreferSameNode" (K8s 1.35+), "PreferClose" (deprecated, use PreferSameZone),
243
trafficDistribution: ""
244
serviceMonitor:
245
## If true, a ServiceMonitor CR is created for a prometheus operator
246
## https://github.com/coreos/prometheus-operator
247
##
248
enabled: false
249
path: /metrics
250
# namespace: monitoring (defaults to use the namespace this chart is deployed to)
251
labels: {}
252
# Set these to override the Prometheus global scrape interval/timeout.
253
# interval: 30s
254
# scrapeTimeout: 30s
255
scheme: http
256
tlsConfig: {}
257
relabelings: []
258
metricRelabelings: []
259
basicAuth: {}
260
targetLabels: []
261
extraExposePorts: []
262
# - name: keycloak
263
# port: 8080
264
# targetPort: 8080
265
266
# overrides pod.spec.hostAliases in the grafana deployment's pods
267
hostAliases: []
268
# - ip: "1.2.3.4"
269
# hostnames:
270
# - "my.host.com"
271
272
ingress:
273
enabled: false
274
# ingressClassName: nginx
275
# Values can be templated
276
annotations: {}
277
# kubernetes.io/ingress.class: nginx
278
# kubernetes.io/tls-acme: "true"
279
labels: {}
280
path: /
281
pathType: Prefix
282
hosts:
283
- chart-example.local
284
## Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
285
extraPaths: []
286
# - path: /*
287
# pathType: Prefix
288
# backend:
289
# service:
290
# name: ssl-redirect
291
# port:
292
# name: use-annotation
293
294
tls: []
295
# - secretName: chart-example-tls
296
# hosts:
297
# - chart-example.local
298
# -- BETA: Configure the gateway routes for the chart here.
299
# More routes can be added by adding a dictionary key like the 'main' route.
300
# Be aware that this is an early beta of this feature,
301
# kube-prometheus-stack does not guarantee this works and is subject to change.
302
# Being BETA this can/will change in the future without notice, do not use unless you want to take that risk
303
# [[ref]](https://gateway-api.sigs.k8s.io/references/spec/#gateway.networking.k8s.io%2fv1alpha2)
304
route:
305
main:
306
# -- Enables or disables the route
307
enabled: false
308
# -- Set the route apiVersion, e.g. gateway.networking.k8s.io/v1 or gateway.networking.k8s.io/v1alpha2
309
apiVersion: gateway.networking.k8s.io/v1
310
# -- Set the route kind
311
# Valid options are GRPCRoute, HTTPRoute, TCPRoute, TLSRoute, UDPRoute
312
kind: HTTPRoute
313
annotations: {}
314
labels: {}
315
hostnames: []
316
# - my-filter.example.com
317
parentRefs: []
318
# - name: acme-gw
319
320
matches:
321
- path:
322
type: PathPrefix
323
value: /
324
## Timeouts define the timeouts that can be configured for an HTTP request.
325
## Ref. https://gateway-api.sigs.k8s.io/api-types/httproute/#timeouts-optional
326
timeouts: {}
327
# request: 10s
328
# backendRequest: 5s
329
330
## SessionPersistence defines and configures session persistence for the route rule.
331
## Ref. https://gateway-api.sigs.k8s.io/geps/gep-1619/
332
sessionPersistence: {}
333
# sessionName: grafana-session
334
# type: Cookie
335
# absoluteTimeout: 48h
336
# cookieConfig:
337
# lifetimeType: Permanent
338
339
## Filters define the filters that are applied to requests that match this rule.
340
filters: []
341
## Additional custom rules that can be added to the route
342
additionalRules: []
343
## httpsRedirect adds a filter for redirecting to https (HTTP 301 Moved Permanently).
344
## To redirect HTTP traffic to HTTPS, you need to have a Gateway with both HTTP and HTTPS listeners.
345
## Matches and filters do not take effect if enabled.
346
## Ref. https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/
347
httpsRedirect: false
348
resources: {}
349
# limits:
350
# cpu: 100m
351
# memory: 128Mi
352
# requests:
353
# cpu: 100m
354
# memory: 128Mi
355
356
## Node labels for pod assignment
357
## ref: https://kubernetes.io/docs/user-guide/node-selection/
358
#
359
nodeSelector: {}
360
## Tolerations for pod assignment
361
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
362
##
363
tolerations: []
364
## Affinity for pod assignment (evaluated as template)
365
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
366
##
367
affinity: {}
368
## Topology Spread Constraints
369
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
370
##
371
topologySpreadConstraints: []
372
## Additional init containers (evaluated as template)
373
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
374
##
375
extraInitContainers: []
376
## Specify additional containers in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
# NOTE(review): the commented example below is illustrative only. It uses a
# mutable `latest` image tag and passes -client-secret / -cookie-secret as
# container args, which leaves them readable in the pod spec. When adapting
# it, pin the image to a version or digest and supply secrets from a
# Kubernetes Secret rather than on the command line.
extraContainers: ""
# extraContainers: |
#   - name: proxy
#     image: quay.io/gambol99/keycloak-proxy:latest
#     args:
#       - -provider=github
#       - -client-id=
#       - -client-secret=
#       - -github-org=<ORG_NAME>
#       - -email-domain=*
#       - -cookie-secret=
#       - -http-address=http://0.0.0.0:4181
#       - -upstream-url=http://127.0.0.1:3000
#     ports:
#       - name: proxy-web
#         containerPort: 4181
393
394
## Volumes that can be used in init containers that will not be mounted to deployment pods
395
extraContainerVolumes: []
396
# - name: volume-from-secret
397
# secret:
398
# secretName: secret-to-mount
399
# - name: empty-dir-volume
400
# emptyDir: {}
401
402
## Enable persistence using Persistent Volume Claims
403
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
404
##
405
persistence:
406
type: pvc
407
enabled: false
408
# storageClassName: default
409
## (Optional) Use this to bind the claim to an existing PersistentVolume (PV) by name.
410
volumeName: ""
411
accessModes:
412
- ReadWriteOnce
413
size: 10Gi
414
# annotations: {}
415
finalizers:
416
- kubernetes.io/pvc-protection
417
# selectorLabels: {}
418
## Sub-directory of the PV to mount. Can be templated.
419
# subPath: ""
420
## Name of an existing PVC. Can be templated.
421
# existingClaim:
422
## Extra labels to apply to a PVC.
423
extraPvcLabels: {}
424
disableWarning: false
425
## If persistence is not enabled, this allows to mount the
426
## local storage in-memory to improve performance
427
##
428
inMemory:
429
enabled: false
430
## The maximum usage on memory medium EmptyDir would be
431
## the minimum value between the SizeLimit specified
432
## here and the sum of memory limits of all containers in a pod
433
##
434
# sizeLimit: 300Mi
435
## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve
436
## the current value of 'spec.volumeName' and incorporate it into the template.
437
lookupVolumeName: true
438
# Init container that resets ownership of the Grafana data at startup.
initChownData:
  ## If false, data ownership will not be reset at startup
  ## This allows the grafana-server to be run with an arbitrary user
  ##
  # NOTE(review): while enabled, the pod includes a container running as
  # UID 0 (see securityContext below). Namespaces enforcing the "restricted"
  # Pod Security Standard reject that; set enabled: false where the volume
  # already has the right ownership (for example via fsGroup).
  enabled: true
  ## initChownData container image
  ##
  image:
    # -- The Docker registry
    registry: chainreg.biz
    repository: scratch-images/test-tmp/busybox
    tag: glibc-1.37.0-r60
    sha: sha256:655f0f89892d3134b1c3dfa0eded3c451b1f2d39916d829753f28c889a547bd5
    pullPolicy: IfNotPresent
  ## initChownData resource requests and limits
  ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
  # Runs as root, but with every capability dropped except CHOWN and
  # DAC_OVERRIDE, and with the runtime default seccomp profile.
  securityContext:
    readOnlyRootFilesystem: false
    runAsNonRoot: false
    runAsUser: 0
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      add:
        - CHOWN
        - DAC_OVERRIDE
      drop:
        - ALL
474
# Administrator credentials when not using an existing secret (see below)
# NOTE(review): a password set through adminPassword is stored in plain text
# in the values file and in the Helm release data; prefer admin.existingSecret.
# What the chart does when neither is set is not visible here - confirm
# before relying on it.
adminUser: admin
# adminPassword: strongpassword

# Use an existing secret for the admin user.
admin:
  ## Name of the secret. Can be templated.
  existingSecret: ""
  # Keys inside the existing secret that hold the admin user name and password.
  userKey: admin-user
  passwordKey: admin-password
484
## Define command to be executed at startup by grafana container
485
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
486
## Default is "run.sh" as defined in grafana's Dockerfile
487
# command:
488
# - "sh"
489
# - "/run.sh"
490
491
## Optionally define args if command is used
492
## Needed if using `hashicorp/envconsul` to manage secrets
493
## By default no arguments are set
494
# args:
495
# - "-secret"
496
# - "secret/grafana"
497
# - "./grafana"
498
499
## Extra environment variables that will be passed on to deployment pods
500
##
501
## to provide grafana with access to CloudWatch on AWS EKS:
502
## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later)
503
## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the
504
## same oidc eks provider as noted before (same as the existing line)
505
## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name
506
##
507
## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana",
508
##
509
## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess
510
## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name)
511
##
512
## env:
513
## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here
514
## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
515
## AWS_REGION: us-east-1
516
##
517
## 5. uncomment the EKS section in extraSecretMounts: below
518
## 6. uncomment the annotation section in the serviceAccount: above
519
## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn
520
env: {}
521
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
522
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
523
## Renders in container spec as:
524
## env:
525
## ...
526
## - name: <key>
527
## valueFrom:
528
## <value rendered as YAML>
529
envValueFrom: {}
530
# ENV_NAME:
531
# configMapKeyRef:
532
# name: configmap-name
533
# key: value_key
534
535
## The name of a secret in the same kubernetes namespace which contain values to be added to the environment
536
## This can be useful for auth tokens, etc. Value is templated.
537
envFromSecret: ""
538
## Sensitive environment variables that will be rendered as a new secret object
539
## This can be useful for auth tokens, etc.
540
## If the secret values contains "{{", they'll need to be properly escaped so that they are not interpreted by Helm
541
## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function
542
envRenderSecret: {}
543
## The names of secrets in the same kubernetes namespace which contain values to be added to the environment
544
## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key.
545
## Name is templated.
546
envFromSecrets: []
547
## - name: secret-name
548
## prefix: prefix
549
## optional: true
550
551
## The names of configmaps in the same kubernetes namespace which contain values to be added to the environment
552
## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key.
553
## Name is templated.
554
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core
555
envFromConfigMaps: []
556
## - name: configmap-name
557
## prefix: prefix
558
## optional: true
559
560
# Inject Kubernetes services as environment variables.
561
# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables
562
enableServiceLinks: true
563
## Additional grafana server secret mounts
564
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
565
extraSecretMounts: []
566
# - name: secret-files
567
# mountPath: /etc/secrets
568
# secretName: grafana-secret-files
569
# readOnly: true
570
# optional: false
571
# subPath: ""
572
#
573
# for AWS EKS (cloudwatch) use the following (see also instruction in env: above)
574
# - name: aws-iam-token
575
# mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
576
# readOnly: true
577
# projected:
578
# defaultMode: 420
579
# sources:
580
# - serviceAccountToken:
581
# audience: sts.amazonaws.com
582
# expirationSeconds: 86400
583
# path: token
584
#
585
# for CSI e.g. Azure Key Vault use the following
586
# - name: secrets-store-inline
587
# mountPath: /run/secrets/vault.azure.com
588
# readOnly: true
589
# csi:
590
# driver: secrets-store.csi.k8s.io
591
# readOnly: true
592
# volumeAttributes:
593
# secretProviderClass: "akv-grafana-spc"
594
# nodePublishSecretRef: # Only required when using service principal mode
595
# name: grafana-akv-creds # Only required when using service principal mode
596
597
## Additional grafana server volume mounts
598
# Defines additional volume mounts.
599
extraVolumeMounts: []
600
# - name: extra-volume-0
601
# mountPath: /mnt/volume0
602
# readOnly: true
603
# - name: extra-volume-1
604
# mountPath: /mnt/volume1
605
# readOnly: true
606
# - name: grafana-secrets
607
# mountPath: /mnt/volume2
608
609
## Additional Grafana server volumes
610
extraVolumes: []
611
# - name: extra-volume-0
612
# existingClaim: volume-claim
613
# - name: extra-volume-1
614
# hostPath:
615
# path: /usr/shared/
616
# type: ""
617
# - name: grafana-secrets
618
# csi:
619
# driver: secrets-store.csi.k8s.io
620
# readOnly: true
621
# volumeAttributes:
622
# secretProviderClass: "grafana-env-spc"
623
624
## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request
625
lifecycleHooks: {}
626
# postStart:
627
# exec:
628
# command: []
629
630
## Pass the plugins you want installed as a list.
631
##
632
plugins: []
633
# - digrich-bubblechart-panel
634
# - grafana-clock-panel
635
## You can also use other plugin download URL, as long as they are valid zip files,
636
## and specify the name of the plugin as prefix, with an version. Like this:
637
# - marcusolsson-json-datasource@1.3.24@https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.24/download
638
639
## Configure grafana datasources
640
## ref: http://docs.grafana.org/administration/provisioning/#datasources
641
##
642
datasources: {}
643
# datasources.yaml:
644
# apiVersion: 1
645
# datasources:
646
# - name: Prometheus
647
# type: prometheus
648
# url: http://prometheus-prometheus-server
649
# access: proxy
650
# isDefault: true
651
# - name: CloudWatch
652
# type: cloudwatch
653
# access: proxy
654
# uid: cloudwatch
655
# editable: false
656
# jsonData:
657
# authType: default
658
# defaultRegion: us-east-1
659
# deleteDatasources: []
660
# - name: Prometheus
661
662
## Configure grafana alerting (can be templated)
663
## ref: https://docs.grafana.com/alerting/set-up/provision-alerting-resources/file-provisioning/
664
##
665
alerting: {}
666
# policies.yaml:
667
# apiVersion: 1
668
# policies:
669
# - orgId: 1
670
# receiver: first_uid
671
#
672
# rules.yaml:
673
# apiVersion: 1
674
# groups:
675
# - orgId: 1
676
# name: '{{ .Chart.Name }}_my_rule_group'
677
# folder: my_first_folder
678
# interval: 60s
679
# rules:
680
# - uid: my_id_1
681
# title: my_first_rule
682
# condition: A
683
# data:
684
# - refId: A
685
# datasourceUid: '-100'
686
# model:
687
# conditions:
688
# - evaluator:
689
# params:
690
# - 3
691
# type: gt
692
# operator:
693
# type: and
694
# query:
695
# params:
696
# - A
697
# reducer:
698
# type: last
699
# type: query
700
# datasource:
701
# type: __expr__
702
# uid: '-100'
703
# expression: 1==0
704
# intervalMs: 1000
705
# maxDataPoints: 43200
706
# refId: A
707
# type: math
708
# dashboardUid: my_dashboard
709
# panelId: 123
710
# noDataState: Alerting
711
# for: 60s
712
# annotations:
713
# some_key: some_value
714
# labels:
715
# team: sre_team_1
716
#
717
# contactpoints.yaml:
718
# secret:
719
# apiVersion: 1
720
# contactPoints:
721
# - orgId: 1
722
# name: cp_1
723
# receivers:
724
# - uid: first_uid
725
# type: pagerduty
726
# settings:
727
# integrationKey: XXX
728
# severity: critical
729
# class: ping failure
730
# component: Grafana
731
# group: app-stack
732
# summary: |
733
# {{ `{{ include "default.message" . }}` }}
734
#
735
# templates.yaml:
736
# apiVersion: 1
737
# templates:
738
# - orgId: 1
739
# name: my_first_template
740
# template: |
741
# {{ `
742
# {{ define "my_first_template" }}
743
# Custom notification message
744
# {{ end }}
745
# ` }}
746
#
747
# mutetimes.yaml
748
# apiVersion: 1
749
# muteTimes:
750
# - orgId: 1
751
# name: mti_1
752
# # refer to https://prometheus.io/docs/alerting/latest/configuration/#time_interval-0
753
# time_intervals: {}
754
755
## Configure notifiers
756
## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
757
##
758
notifiers: {}
759
# notifiers.yaml:
760
# notifiers:
761
# - name: email-notifier
762
# type: email
763
# uid: email1
764
# # either:
765
# org_id: 1
766
# # or
767
# org_name: Main Org.
768
# is_default: true
769
# settings:
770
# addresses: an_email_address@example.com
771
# delete_notifiers:
772
773
## Configure grafana dashboard providers
774
## ref: http://docs.grafana.org/administration/provisioning/#dashboards
775
##
776
## `path` must be /var/lib/grafana/dashboards/<provider_name>
777
##
778
dashboardProviders: {}
779
# dashboardproviders.yaml:
780
# apiVersion: 1
781
# providers:
782
# - name: 'default'
783
# orgId: 1
784
# folder: ''
785
# type: file
786
# disableDeletion: false
787
# editable: true
788
# options:
789
# path: /var/lib/grafana/dashboards/default
790
791
## Configure how curl fetches remote dashboards. The beginning dash is required.
## NOTE: This sets the default short flags for all dashboards, but these
## defaults can be overridden individually for each dashboard by setting
## curlOptions. See the example dashboards section below.
##
## -s - silent mode
## -k - allow insecure TLS connections (curl --insecure: the server certificate is not verified)
## -f - fail fast
## See the curl documentation for additional options
##
## NOTE(review): with -k in the default, dashboards downloaded over HTTPS are
## accepted from any endpoint presenting any certificate, so content altered
## in transit goes undetected. Where the dashboard sources have valid
## certificates, drop the flag (for example "-sf") here or per dashboard via
## curlOptions.
defaultCurlOptions: "-skf"
802
## Configure grafana dashboard to import
803
## NOTE: To use dashboards you must also enable/configure dashboardProviders
804
## ref: https://grafana.com/dashboards
805
##
806
## dashboards per provider, use provider name as key.
807
## For dashboards downloaded via gnetId or url, the optional "title" key overrides
808
## the dashboard title in the downloaded JSON so the UI displays your custom title.
809
##
810
dashboards: {}
811
# default:
812
# some-dashboard:
813
# json: |
814
# $RAW_JSON
815
# custom-dashboard:
816
# file: dashboards/custom-dashboard.json
817
# prometheus-stats:
818
# title: My Custom Dashboard Title # optional; overrides the dashboard title in the downloaded JSON
819
# gnetId: 2
820
# revision: 2
821
# datasource: Prometheus
822
# local-dashboard:
823
# url: https://example.com/repository/test.json
824
# curlOptions: "-sLf"
825
# token: ''
826
# local-dashboard-base64:
827
# url: https://example.com/repository/test-b64.json
828
# token: ''
829
# b64content: true
830
# local-dashboard-gitlab:
831
# url: https://example.com/repository/test-gitlab.json
832
# gitlabToken: ''
833
# local-dashboard-bitbucket:
834
# url: https://example.com/repository/test-bitbucket.json
835
# bearerToken: ''
836
# local-dashboard-azure:
837
# url: https://example.com/repository/test-azure.json
838
# basic: ''
839
# acceptHeader: '*/*'
840
841
## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value.
842
## A provider's dashboards must be defined either by external ConfigMaps or in values.yaml, not in both.
843
## ConfigMap data example:
844
##
845
## data:
846
## example-dashboard.json: |
847
## RAW_JSON
848
##
849
dashboardsConfigMaps: {}
850
# default: ""
851
852
## Grafana's primary configuration
853
## NOTE: values in map will be converted to ini format
854
## ref: http://docs.grafana.org/installation/configuration/
855
##
856
grafana.ini:
857
paths:
858
data: /var/lib/grafana/
859
logs: /var/log/grafana
860
plugins: /var/lib/grafana/plugins
861
provisioning: /etc/grafana/provisioning
862
analytics:
863
check_for_updates: true
864
log:
865
mode: console
866
server:
867
domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else if (and .Values.route.main.enabled .Values.route.main.hostnames) }}{{ tpl (.Values.route.main.hostnames | first) . }}{{ else }}''{{ end }}"
868
unified_storage:
869
index_path: /var/lib/grafana-search/bleve
870
## grafana Authentication can be enabled with the following values on grafana.ini
871
# server:
872
# The full public facing url you use in browser, used for redirects and emails
873
# root_url:
874
# https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana
875
# auth.github:
876
# enabled: false
877
# allow_sign_up: false
878
# scopes: user:email,read:org
879
# auth_url: https://github.com/login/oauth/authorize
880
# token_url: https://github.com/login/oauth/access_token
881
# api_url: https://api.github.com/user
882
# team_ids:
883
# allowed_organizations:
884
# client_id:
885
# client_secret:
886
## LDAP Authentication can be enabled with the following values on grafana.ini
887
## NOTE: Grafana will fail to start if the value for ldap.toml is invalid
888
# auth.ldap:
889
# enabled: true
890
# allow_sign_up: true
891
# config_file: /etc/grafana/ldap.toml
892
## Grafana's alerting configuration
893
# unified_alerting:
894
# enabled: true
895
# rule_version_record_limit: "5"
896
897
## Grafana's LDAP configuration
898
## Templated by the template in _helpers.tpl
899
## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled
900
## ref: http://docs.grafana.org/installation/configuration/#auth-ldap
901
## ref: http://docs.grafana.org/installation/ldap/#configuration
902
ldap:
903
enabled: false
904
# `existingSecret` is a reference to an existing secret containing the ldap configuration
905
# for Grafana in a key `ldap-toml`.
906
existingSecret: ""
907
# `config` is the content of `ldap.toml` that will be stored in the created secret
908
config: ""
909
# config: |-
910
# verbose_logging = true
911
# [[servers]]
912
# host = "my-ldap-server"
913
# port = 636
914
# use_ssl = true
915
# start_tls = false
916
# ssl_skip_verify = false
917
# bind_dn = "uid=%s,ou=users,dc=myorg,dc=com"
918
919
# When process namespace sharing is enabled, processes in a container are visible to all other containers in the same pod
920
# This parameter is added because the ldap reload api is not working https://grafana.com/docs/grafana/latest/developers/http_api/admin/#reload-ldap-configuration
921
# To allow an extraContainer to restart the Grafana container
922
shareProcessNamespace: false
923
## Grafana's SMTP configuration
924
## NOTE: To enable, grafana.ini must be configured with smtp.enabled
925
## ref: http://docs.grafana.org/installation/configuration/#smtp
926
smtp:
927
# `existingSecret` is a reference to an existing secret containing the smtp configuration
928
# for Grafana.
929
existingSecret: ""
930
userKey: "user"
931
passwordKey: "password"
932
## Sidecars that collect the configmaps with the specified label and store the files they contain in the respective folders
933
## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards
934
sidecar:
935
image:
936
# -- The Docker registry
937
registry: chainreg.biz
938
repository: scratch-images/test-tmp/k8s-sidecar
939
tag: 2.7.3-r2
940
sha: sha256:33ba544059d7016bb6ba26a43fb59700a828ee6a93562504eef2d13f2d8209fc
941
imagePullPolicy: IfNotPresent
942
resources: {}
943
# limits:
944
# cpu: 100m
945
# memory: 100Mi
946
# requests:
947
# cpu: 50m
948
# memory: 50Mi
949
securityContext:
950
allowPrivilegeEscalation: false
951
capabilities:
952
drop:
953
- ALL
954
seccompProfile:
955
type: RuntimeDefault
956
# Set to true to skip tls verification for kube api calls. Can be overridden per sidecar
957
# skipTlsVerify: true
958
enableUniqueFilenames: false
959
readinessProbe: {}
960
livenessProbe: {}
961
# Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO
962
# logLevel: INFO
963
alerts:
964
enabled: false
965
# Additional environment variables for the alerts sidecar
966
env: {}
967
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
968
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
969
## Renders in container spec as:
970
## env:
971
## ...
972
## - name: <key>
973
## valueFrom:
974
## <value rendered as YAML>
975
envValueFrom: {}
976
# ENV_NAME:
977
# configMapKeyRef:
978
# name: configmap-name
979
# key: value_key
980
# Do not reprocess already processed unchanged resources on k8s API reconnect.
981
# ignoreAlreadyProcessed: true
982
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
983
# skipTlsVerify: true
984
# label that the configmaps with alert are marked with (can be templated)
985
label: grafana_alert
986
# value of label that the configmaps with alert are set to (can be templated)
987
labelValue: ""
988
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
989
# logLevel: INFO
990
# If specified, the sidecar will search for alert config-maps inside this namespace.
991
# Otherwise the namespace in which the sidecar is running will be used.
992
# It's also possible to specify ALL to search in all namespaces
993
searchNamespace: null
994
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
995
watchMethod: WATCH
996
# search in configmap, secret or both
997
resource: both
998
#
999
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1000
# per default all resources of the type defined in {{ .Values.sidecar.alerts.resource }} will be checked.
1001
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1002
# resourceName: "secret/alerts-1,configmap/alerts-0"
1003
resourceName: ""
1004
#
1005
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1006
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1007
# watchServerTimeout: 3600
1008
#
1009
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1010
# If you have a network outage dropping all packets with no RST/FIN,
1011
# this is how long your client waits before realizing & dropping the connection.
1012
# defaults to 66sec (sic!)
1013
# watchClientTimeout: 60
1014
#
1015
# maxTotalRetries: Total number of retries to allow for any http request.
1016
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1017
# Set to 0 to fail on the first retry.
1018
# maxTotalRetries: 5
1019
#
1020
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1021
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1022
# Applies to all requests to reloadURL and k8s api requests.
1023
# Set to 0 to fail on the first retry of this type.
1024
# maxConnectRetries: 10
1025
#
1026
# maxReadRetries: How many times to retry on read errors for any http request
1027
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1028
# Applies to all requests to reloadURL and k8s api requests.
1029
# Set to 0 to fail on the first retry of this type.
1030
# maxReadRetries: 5
1031
#
1032
# Endpoint to send request to reload alerts
1033
reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload"
1034
# Absolute path to a script to execute after a configmap got reloaded.
1035
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1036
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1037
script: null
1038
skipReload: false
1039
# This is needed if skipReload is true, to load any alerts defined at startup time.
1040
# Deploy the alert sidecar as an initContainer.
1041
initAlerts: false
1042
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1043
# restartPolicy: Always
1044
# # only applies to native sidecars
1045
# startupProbe:
1046
# httpGet:
1047
# path: /healthz
1048
# port: 8080
1049
# initialDelaySeconds: 5
1050
# periodSeconds: 5
1051
# failureThreshold: 60 # 5 minutes
1052
# Additional alerts sidecar volume mounts
1053
extraMounts: []
1054
# Sets the size limit of the alert sidecar emptyDir volume
1055
sizeLimit: ""
1056
dashboards:
1057
enabled: false
1058
# Additional environment variables for the dashboards sidecar
1059
env: {}
1060
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1061
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1062
## Renders in container spec as:
1063
## env:
1064
## ...
1065
## - name: <key>
1066
## valueFrom:
1067
## <value rendered as YAML>
1068
envValueFrom: {}
1069
# ENV_NAME:
1070
# configMapKeyRef:
1071
# name: configmap-name
1072
# key: value_key
1073
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1074
# ignoreAlreadyProcessed: true
1075
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1076
# skipTlsVerify: true
1077
SCProvider: true
1078
# label that the configmaps with dashboards are marked with (can be templated)
1079
label: grafana_dashboard
1080
# value of label that the configmaps with dashboards are set to (can be templated)
1081
labelValue: ""
1082
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1083
# logLevel: INFO
1084
# folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set)
1085
folder: /tmp/dashboards
1086
# The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead
1087
defaultFolderName: null
1088
# Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces.
1089
# Otherwise the namespace in which the sidecar is running will be used.
1090
# It's also possible to specify ALL to search in all namespaces.
1091
searchNamespace: null
1092
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1093
watchMethod: WATCH
1094
# search in configmap, secret or both
1095
resource: both
1096
# If specified, the sidecar will look for annotation with this name to create folder and put graph here.
1097
# You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure.
1098
folderAnnotation: null
1099
#
1100
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1101
# per default all resources of the type defined in {{ .Values.sidecar.dashboards.resource }} will be checked.
1102
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1103
# resourceName: "secret/dashboards-0,configmap/dashboards-1"
1104
resourceName: ""
1105
#
1106
# maxTotalRetries: Total number of retries to allow for any http request.
1107
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1108
# Set to 0 to fail on the first retry.
1109
# maxTotalRetries: 5
1110
#
1111
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1112
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1113
# Applies to all requests to reloadURL and k8s api requests.
1114
# Set to 0 to fail on the first retry of this type.
1115
# maxConnectRetries: 10
1116
#
1117
# maxReadRetries: How many times to retry on read errors for any http request
1118
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1119
# Applies to all requests to reloadURL and k8s api requests.
1120
# Set to 0 to fail on the first retry of this type.
1121
# maxReadRetries: 5
1122
#
1123
# Endpoint to send request to reload alerts
1124
reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload"
1125
# Absolute path to a script to execute after a configmap got reloaded.
1126
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1127
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1128
script: null
1129
skipReload: false
1130
# This is needed if skipReload is true, to load any dashboards defined at startup time.
1131
# Deploy the dashboard sidecar as an initContainer.
1132
initDashboards: false
1133
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1134
# restartPolicy: Always
1135
# # only applies to native sidecars
1136
# startupProbe:
1137
# httpGet:
1138
# path: /healthz
1139
# port: 8083
1140
# initialDelaySeconds: 5
1141
# periodSeconds: 5
1142
# failureThreshold: 60 # 5 minutes
1143
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1144
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1145
# watchServerTimeout: 3600
1146
#
1147
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1148
# If you have a network outage dropping all packets with no RST/FIN,
1149
# this is how long your client waits before realizing & dropping the connection.
1150
# defaults to 66sec (sic!)
1151
# watchClientTimeout: 60
1152
#
1153
# provider configuration that lets grafana manage the dashboards
1154
provider:
1155
# name of the provider, should be unique
1156
name: sidecarProvider
1157
# orgid as configured in grafana
1158
orgid: 1
1159
# folder in which the dashboards should be imported in grafana
1160
folder: ''
1161
# <string> folder UID. will be automatically generated if not specified
1162
folderUid: ''
1163
# type of the provider
1164
type: file
1165
# disableDelete to activate a import-only behaviour
1166
disableDelete: false
1167
# allow updating provisioned dashboards from the UI
1168
allowUiUpdates: false
1169
# allow Grafana to replicate dashboard structure from filesystem
1170
foldersFromFilesStructure: false
1171
# Additional dashboards sidecar volume mounts
1172
extraMounts: []
1173
# Sets the size limit of the dashboard sidecar emptyDir volume
1174
sizeLimit: ""
1175
datasources:
1176
enabled: false
1177
# Additional environment variables for the datasourcessidecar
1178
env: {}
1179
## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
1180
## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
1181
## Renders in container spec as:
1182
## env:
1183
## ...
1184
## - name: <key>
1185
## valueFrom:
1186
## <value rendered as YAML>
1187
envValueFrom: {}
1188
# ENV_NAME:
1189
# configMapKeyRef:
1190
# name: configmap-name
1191
# key: value_key
1192
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1193
# ignoreAlreadyProcessed: true
1194
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1195
# skipTlsVerify: true
1196
# label that the configmaps with datasources are marked with (can be templated)
1197
label: grafana_datasource
1198
# value of label that the configmaps with datasources are set to (can be templated)
1199
labelValue: ""
1200
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1201
# logLevel: INFO
1202
# If specified, the sidecar will search for datasource config-maps inside this namespace.
1203
# Otherwise the namespace in which the sidecar is running will be used.
1204
# It's also possible to specify ALL to search in all namespaces
1205
searchNamespace: null
1206
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1207
watchMethod: WATCH
1208
# search in configmap, secret or both
1209
resource: both
1210
#
1211
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1212
# per default all resources of the type defined in {{ .Values.sidecar.datasources.resource }} will be checked.
1213
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1214
# resourceName: "secret/datasources-0,configmap/datasources-15"
1215
resourceName: ""
1216
#
1217
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1218
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1219
# watchServerTimeout: 3600
1220
#
1221
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1222
# If you have a network outage dropping all packets with no RST/FIN,
1223
# this is how long your client waits before realizing & dropping the connection.
1224
# defaults to 66sec (sic!)
1225
# watchClientTimeout: 60
1226
#
1227
# maxTotalRetries: Total number of retries to allow for any http request.
1228
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1229
# Set to 0 to fail on the first retry.
1230
# maxTotalRetries: 5
1231
#
1232
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1233
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1234
# Applies to all requests to reloadURL and k8s api requests.
1235
# Set to 0 to fail on the first retry of this type.
1236
# maxConnectRetries: 10
1237
#
1238
# maxReadRetries: How many times to retry on read errors for any http request
1239
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1240
# Applies to all requests to reloadURL and k8s api requests.
1241
# Set to 0 to fail on the first retry of this type.
1242
# maxReadRetries: 5
1243
#
1244
# Endpoint to send request to reload datasources
1245
reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload"
1246
# Absolute path to a script to execute after a configmap got reloaded.
1247
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1248
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1249
script: null
1250
skipReload: false
1251
# This is needed if skipReload is true, to load any datasources defined at startup time.
1252
# Deploy the datasources sidecar as an initContainer.
1253
initDatasources: false
1254
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1255
# restartPolicy: Always
1256
# # only applies to native sidecars
1257
# startupProbe:
1258
# httpGet:
1259
# path: /healthz
1260
# port: 8081
1261
# initialDelaySeconds: 5
1262
# periodSeconds: 5
1263
# failureThreshold: 60 # 5 minutes
1264
# Additional datasources sidecar volume mounts
1265
extraMounts: []
1266
# Sets the size limit of the datasource sidecar emptyDir volume
1267
sizeLimit: ""
1268
plugins:
1269
enabled: false
1270
# Additional environment variables for the plugins sidecar
1271
env: {}
1272
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1273
# ignoreAlreadyProcessed: true
1274
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1275
# skipTlsVerify: true
1276
# label that the configmaps with plugins are marked with (can be templated)
1277
label: grafana_plugin
1278
# value of label that the configmaps with plugins are set to (can be templated)
1279
labelValue: ""
1280
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1281
# logLevel: INFO
1282
# If specified, the sidecar will search for plugin config-maps inside this namespace.
1283
# Otherwise the namespace in which the sidecar is running will be used.
1284
# It's also possible to specify ALL to search in all namespaces
1285
searchNamespace: null
1286
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1287
watchMethod: WATCH
1288
# search in configmap, secret or both
1289
resource: both
1290
#
1291
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1292
# per default all resources of the type defined in {{ .Values.sidecar.plugins.resource }} will be checked.
1293
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1294
# resourceName: "secret/plugins-0,configmap/plugins-1"
1295
resourceName: ""
1296
#
1297
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1298
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1299
# watchServerTimeout: 3600
1300
#
1301
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1302
# If you have a network outage dropping all packets with no RST/FIN,
1303
# this is how long your client waits before realizing & dropping the connection.
1304
# defaults to 66sec (sic!)
1305
# watchClientTimeout: 60
1306
#
1307
# maxTotalRetries: Total number of retries to allow for any http request.
1308
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1309
# Set to 0 to fail on the first retry.
1310
# maxTotalRetries: 5
1311
#
1312
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1313
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1314
# Applies to all requests to reloadURL and k8s api requests.
1315
# Set to 0 to fail on the first retry of this type.
1316
# maxConnectRetries: 10
1317
#
1318
# maxReadRetries: How many times to retry on read errors for any http request
1319
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1320
# Applies to all requests to reloadURL and k8s api requests.
1321
# Set to 0 to fail on the first retry of this type.
1322
# maxReadRetries: 5
1323
#
1324
# Endpoint to send request to reload plugins
1325
reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload"
1326
# Absolute path to a script to execute after a configmap got reloaded.
1327
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1328
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1329
script: null
1330
skipReload: false
1331
# Deploy the datasource sidecar as an initContainer in addition to a container.
1332
# This is needed if skipReload is true, to load any plugins defined at startup time.
1333
initPlugins: false
1334
# Additional plugins sidecar volume mounts
1335
extraMounts: []
1336
# Sets the size limit of the plugin sidecar emptyDir volume
1337
sizeLimit: ""
1338
notifiers:
1339
enabled: false
1340
# Additional environment variables for the notifierssidecar
1341
env: {}
1342
# Do not reprocess already processed unchanged resources on k8s API reconnect.
1343
# ignoreAlreadyProcessed: true
1344
# Set to true to skip tls verification for kube api calls. Overrides sidecar.skipTlsVerify
1345
# skipTlsVerify: true
1346
# label that the configmaps with notifiers are marked with (can be templated)
1347
label: grafana_notifier
1348
# value of label that the configmaps with notifiers are set to (can be templated)
1349
labelValue: ""
1350
# Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL.
1351
# logLevel: INFO
1352
# If specified, the sidecar will search for notifier config-maps inside this namespace.
1353
# Otherwise the namespace in which the sidecar is running will be used.
1354
# It's also possible to specify ALL to search in all namespaces
1355
searchNamespace: null
1356
# Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.
1357
watchMethod: WATCH
1358
# search in configmap, secret or both
1359
resource: both
1360
#
1361
# resourceName: comma separated list of resource names to be fetched/checked by this sidecar.
1362
# per default all resources of the type defined in {{ .Values.sidecar.notifiers.resource }} will be checked.
1363
# This e.g. allows stricter RBAC rules which are limited to the resources meant for the sidecars.
1364
# resourceName: "secret/notifiers-2,configmap/notifiers-1"
1365
resourceName: ""
1366
#
1367
# watchServerTimeout: request to the server, asking it to cleanly close the connection after that.
1368
# defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S
1369
# watchServerTimeout: 3600
1370
#
1371
# watchClientTimeout: is a client-side timeout, configuring your local socket.
1372
# If you have a network outage dropping all packets with no RST/FIN,
1373
# this is how long your client waits before realizing & dropping the connection.
1374
# defaults to 66sec (sic!)
1375
# watchClientTimeout: 60
1376
#
1377
# maxTotalRetries: Total number of retries to allow for any http request.
1378
# Takes precedence over other counts. Applies to all requests to reloadURL and k8s api requests.
1379
# Set to 0 to fail on the first retry.
1380
# maxTotalRetries: 5
1381
#
1382
# maxConnectRetries: How many connection-related errors to retry on for any http request.
1383
# These are errors raised before the request is sent to the remote server, which we assume has not triggered the server to process the request.
1384
# Applies to all requests to reloadURL and k8s api requests.
1385
# Set to 0 to fail on the first retry of this type.
1386
# maxConnectRetries: 10
1387
#
1388
# maxReadRetries: How many times to retry on read errors for any http request
1389
# These errors are raised after the request was sent to the server, so the request may have side-effects.
1390
# Applies to all requests to reloadURL and k8s api requests.
1391
# Set to 0 to fail on the first retry of this type.
1392
# maxReadRetries: 5
1393
#
1394
# Endpoint to send request to reload notifiers
1395
reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload"
1396
# Absolute path to a script to execute after a configmap got reloaded.
1397
# It runs before calls to REQ_URI. If the file is not executable it will be passed to sh.
1398
# Otherwise, it's executed as is. Shebangs known to work are #!/bin/sh and #!/usr/bin/env python
1399
script: null
1400
skipReload: false
1401
# Deploy the notifier sidecar as an initContainer in addition to a container.
1402
# This is needed if skipReload is true, to load any notifiers defined at startup time.
1403
initNotifiers: false
1404
# Use native sidecar https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/
1405
# restartPolicy: Always
1406
# # only applies to native sidecars
1407
# startupProbe:
1408
# httpGet:
1409
# path: /healthz
1410
# port: 8082
1411
# initialDelaySeconds: 5
1412
# periodSeconds: 5
1413
# failureThreshold: 60 # 5 minutes
1414
# Additional notifiers sidecar volume mounts
1415
extraMounts: []
1416
# Sets the size limit of the notifier sidecar emptyDir volume
1417
sizeLimit: ""
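## Override the deployment namespace
##
namespaceOverride: ""

## Number of old ReplicaSets to retain
##
revisionHistoryLimit: 10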
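## Add a separate remote image renderer deployment/service
imageRenderer:
  deploymentStrategy: {}
  ## The maximum time in seconds for the image renderer Deployment to make progress before it is
  ## considered to be failed.
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
  progressDeadlineSeconds: null
  # Enable the image-renderer deployment & service
  enabled: false
  replicas: 1
  autoscaling:
    enabled: false
    minReplicas: 1
    maxReplicas: 5
    targetCPU: "60"
    targetMemory: ""
    behavior: {}
  # The url of remote image renderer if it is not in the same namespace with the grafana instance
  serverURL: ""
  # The callback url of grafana instances if it is not in the same namespace with the remote image renderer
  renderingCallbackURL: ""
  # Token used for authentication between Grafana and the remote image renderer.
  # A token written here is stored in the values file; prefer `existingSecret`
  # below so the credential is kept in a Kubernetes Secret instead.
  token: ""
  # Use an existing secret for the image renderer token. Must contain a key named "token".
  existingSecret: ""
  image:
    # -- The Docker registry
    registry: chainreg.biz
    # image-renderer Image repository
    repository: scratch-images/test-tmp/grafana-image-renderer
    # image-renderer Image tag
    tag: 5.8.9-r0
    # image-renderer Image sha (optional)
    sha: sha256:b375e53d7546899f43f3c6ee0eb6d446df05f611c67bd3db5ca2defc8f60aa2e
    # image-renderer Image pull secrets (optional)
    pullSecrets: []
    # image-renderer ImagePullPolicy
    pullPolicy: Always
  dnsPolicy: ~
  dnsConfig: {}
  # nameservers:
  #   - 8.8.8.8
  # options:
  #   - name: ndots
  #     value: "2"
  #   - name: edns0
  # extra environment variables
  env:
    # Binds the renderer to all interfaces; networkPolicy.limitIngress below limits
    # who can reach it (only where the cluster enforces NetworkPolicy).
    HTTP_HOST: "0.0.0.0"
    # Fixes "Error: Failed to launch the browser process!\nchrome_crashpad_handler: --database is required"
    XDG_CONFIG_HOME: /tmp/.chromium
    XDG_CACHE_HOME: /tmp/.chromium
    # Note on the examples below: --no-sandbox turns off Chromium's sandbox and
    # IGNORE_HTTPS_ERRORS makes the renderer accept invalid certificates; enable
    # either only when the deployment cannot work without it.
    # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758
    # RENDERING_MODE: clustered
    # IGNORE_HTTPS_ERRORS: true
  ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated.
  ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core
  ## Renders in container spec as:
  ##   env:
  ##     ...
  ##     - name: <key>
  ##       valueFrom:
  ##         <value rendered as YAML>
  envValueFrom: {}
  # ENV_NAME:
  #   configMapKeyRef:
  #     name: configmap-name
  #     key: value_key

  # image-renderer deployment serviceAccount
  serviceAccountName: ""
  automountServiceAccountToken: false
  # image-renderer deployment hostUsers
  hostUsers: ~
  # image-renderer deployment securityContext
  securityContext: {}
  # image-renderer deployment container securityContext
  containerSecurityContext:
    seccompProfile:
      type: RuntimeDefault
    capabilities:
      drop: ['ALL']
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
  ## image-renderer pod annotation
  podAnnotations: {}
  # image-renderer deployment Host Aliases
  hostAliases: []
  # image-renderer deployment priority class
  priorityClassName: ''
  # Path to the healthcheck endpoint. On Image Renderer v5.0.0 or newer, this is '/healthz'. Older versions use '/'.
  healthcheckPath: '/healthz'
  service:
    # Enable the image-renderer service
    enabled: true
    # image-renderer service port name
    portName: 'http'
    # image-renderer service port used by both service and deployment
    port: 8081
    targetPort: 8081
    # Adds the appProtocol field to the image-renderer service. This allows to work with istio protocol selection. Ex: "http" or "tcp"
    appProtocol: ""
  serviceMonitor:
    ## If true, a ServiceMonitor CRD is created for a prometheus operator
    ## https://github.com/coreos/prometheus-operator
    ##
    enabled: false
    path: /metrics
    # namespace: monitoring (defaults to use the namespace this chart is deployed to)
    labels: {}
    # Set these to override the Prometheus global scrape interval/timeout.
    # interval: 1m
    # scrapeTimeout: 30s
    scheme: http
    tlsConfig: {}
    relabelings: []
    # See: https://doc.crds.dev/github.com/prometheus-operator/kube-prometheus/monitoring.coreos.com/ServiceMonitor/v1@v0.11.0#spec-targetLabels
    targetLabels: []
    # - targetLabel1
    # - targetLabel2
  # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana
  grafanaProtocol: http
  # In case a sub_path is used this needs to be added to the image renderer callback
  grafanaSubPath: ""
  # name of the image-renderer port on the pod
  podPortName: http
  # number of image-renderer replica sets to keep
  revisionHistoryLimit: 10
  networkPolicy:
    # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods
    limitIngress: true
    # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods
    limitEgress: false
    # Allow additional services to access image-renderer (eg. Prometheus operator when ServiceMonitor is enabled)
    extraIngressSelectors: []
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 100Mi
  # requests:
  #   cpu: 50m
  #   memory: 50Mi
  ## Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
  #
  nodeSelector: {}
  ## Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## Affinity for pod assignment (evaluated as template)
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ##
  affinity: {}
  ## Use an alternate scheduler, e.g. "stork".
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  # schedulerName: "default-scheduler"

  # Extra configmaps to mount in image-renderer pods
  extraConfigmapMounts: []
  # Extra secrets to mount in image-renderer pods
  extraSecretMounts: []
  # Extra volumes to mount in image-renderer pods
  extraVolumeMounts: []
  # Extra volumes for image-renderer pods
  extraVolumes: []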
1591
networkPolicy:
1592
# -- networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
1593
enabled: false
1594
# -- networkPolicy.allowExternal (documents the `allowExternal` key further down, not the `ingress` key that follows this comment) Don't require client label for connections
1595
# The Policy model to apply. When set to false, only pods with the correct
1596
# client label will have network access to grafana port defined.
1597
# When true, grafana will accept connections from any source
1598
# (with the correct destination port).
1599
#
1600
ingress: true
1601
# -- networkPolicy.ingress (documents the `ingress` key above, not the `allowExternal` key that follows this comment) When true, enables the creation of
1602
# an ingress network policy
1603
allowExternal: true
1604
# -- networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
1605
# If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
1606
# and that match other criteria, the ones that have the good label, can reach the grafana.
1607
# But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
1608
# LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
1609
# </br>
1610
#
1611
# Example:
1612
#
1613
# ```
1614
# explicitNamespacesSelector:
1615
# matchLabels:
1616
# role: frontend
1617
# matchExpressions:
1618
# - {key: role, operator: In, values: [frontend]}
1619
# ```
1620
explicitNamespacesSelector: {}
1621
# -- networkPolicy.explicitIpBlocks List of CIDR blocks allowed as ingress sources.
1622
# Each entry must be a valid CIDR notation string (e.g. 10.0.0.0/8).
1623
# When defined, the specified CIDR ranges are added to the ingress `from` rules
1624
# using `ipBlock` entries and complement the other configured ingress sources.
1625
# </br>
1626
#
1627
# Example:
1628
#
1629
# ```
1630
# explicitIpBlocks:
1631
# - 35.191.0.0/16
1632
# - 130.211.0.0/22
1633
# ```
1634
#
1635
explicitIpBlocks: []
1636
egress:
1637
# -- networkPolicy.egress.enabled When enabled, an egress network policy will be
1638
# created allowing grafana to connect to external data sources from kubernetes cluster.
1639
enabled: false
1640
# -- networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked
1641
# for all pods in the grafana namespace.
1642
blockDNSResolution: false
1643
# -- networkPolicy.egress.ports Add individual ports to be allowed by the egress
1644
ports: []
1645
# Add ports to the egress by specifying - port: <port number>
1646
# E.X.
1647
# - port: 80
1648
# - port: 443
1649
#
1650
# -- networkPolicy.egress.to Allow egress traffic to specific destinations
1651
to: []
1652
# -- destinations to the egress by specifying - ipBlock: <CIDR>
1653
# E.X.
1654
# to:
1655
# - namespaceSelector:
1656
# matchExpressions:
1657
# - {key: role, operator: In, values: [grafana]}
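# Enable backward compatibility for Kubernetes versions below 1.13, which do not have the enableServiceLinks option
enableKubeBackwardCompatibility: false
useStatefulSet: false
# extraObjects can be used to add dynamic manifests via values
extraObjects: []
# Examples:
# extraObjects:
# - apiVersion: kubernetes-client.io/v1
#   kind: ExternalSecret
#   metadata:
#     name: grafana-secrets-{{ .Release.Name }}
#   spec:
#     backendType: gcpSecretsManager
#     data:
#     - key: grafana-admin-password
#       name: adminPassword
# Alternatively, you can use strings, which lets you use additional templating features:
# extraObjects:
# - |
#   apiVersion: kubernetes-client.io/v1
#   kind: ExternalSecret
#   metadata:
#     name: grafana-secrets-{{ .Release.Name }}
#   spec:
#     backendType: gcpSecretsManager
#     data:
#     - key: grafana-admin-password
#       name: {{ include "some-other-template" }}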
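# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks that secret
# values are not exposed in the rendered grafana.ini configmap. It is enabled by default.
#
# To pass values into grafana.ini without exposing them in a configmap, use variable expansion:
# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
#
# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap,
# you can disable this check by setting assertNoLeakedSecrets to false.
# NOTE: a ConfigMap is not a Secret; values rendered into it are readable by anyone
# who can read ConfigMaps in the namespace, so prefer keeping this check enabled.
assertNoLeakedSecrets: true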
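# updateMode options are:
# Off: In the Off update mode, the VPA recommender still analyzes resource usage and generates
#   recommendations, but these recommendations are not automatically applied to Pods.
#   The recommendations are only stored in the VPA object's .status field.
# Initial: In Initial mode, VPA only sets resource requests when Pods are first created.
#   It does not update resources for already running Pods, even if recommendations change over time.
#   The recommendations apply only during Pod creation.
# Recreate: In Recreate mode, VPA actively manages Pod resources by evicting Pods when their current
#   resource requests differ significantly from recommendations. When a Pod is evicted, the workload
#   controller (managing a Deployment, StatefulSet, etc) creates a replacement Pod, and the VPA
#   admission controller applies the updated resource requests to the new Pod.
# InPlaceOrRecreate: In InPlaceOrRecreate mode, VPA first tries to apply updated resource requests to
#   running Pods in place and falls back to evicting the Pod (as in Recreate mode) when an in-place
#   update is not possible.
# Auto (deprecated): The Auto update mode is deprecated since VPA version 1.4.0. Use Recreate for
#   eviction-based updates, or InPlaceOrRecreate for in-place updates with eviction fallback.
verticalPodAutoscaler:
  enabled: false
  # Quoted so the value stays the string "Off" rather than being parsed as a boolean.
  updateMode: "Off"
  controlledResources:
    cpu: true
    memory: true
  # Default safety bounds
  minAllowed:
    cpu: "25m"
    memory: "128Mi"
  maxAllowed:
    cpu: "1000m"
    memory: "1Gi"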