grafana
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
# This file has been modified by Chainguard, Inc.
2
#
3
# Copyright Chainguard, Inc. All Rights Reserved.
4
# Chainguard, Inc. modifications are subject to the license
5
# available at: https://www.chainguard.dev/legal/software-license-agreement
6
#
7
# Copyright Broadcom, Inc. All Rights Reserved.
8
# SPDX-License-Identifier: APACHE-2.0
9
10
## @section Global parameters
11
## Global Docker image parameters
12
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
13
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
14
15
## @param global.imageRegistry Global Docker image registry
16
## @param global.imagePullSecrets Global Docker registry secret names as an array
17
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
18
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
19
##
20
global:
21
imageRegistry: ""
22
## E.g.
23
## imagePullSecrets:
24
## - myRegistryKeySecretName
25
##
26
imagePullSecrets: []
27
defaultStorageClass: ""
28
storageClass: ""
29
## Security parameters
30
##
31
security:
32
## @param global.security.allowInsecureImages Allows skipping image verification
33
allowInsecureImages: false
34
## Compatibility adaptations for Kubernetes platforms
35
##
36
compatibility:
37
## Compatibility adaptations for Openshift
38
##
39
openshift:
40
## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
41
##
42
adaptSecurityContext: auto
43
org: ""
44
## @section Common parameters
45
46
## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
47
##
48
kubeVersion: ""
49
## @param extraDeploy Array of extra objects to deploy with the release
50
##
51
extraDeploy: []
52
## @param nameOverride String to partially override grafana.fullname template (will maintain the release name)
53
##
54
nameOverride: ""
55
## @param fullnameOverride String to fully override grafana.fullname template
56
##
57
fullnameOverride: ""
58
## @param namespaceOverride String to fully override common.names.namespace
59
##
60
namespaceOverride: ""
61
## @param clusterDomain Default Kubernetes cluster domain
62
##
63
clusterDomain: cluster.local
64
## @param commonLabels Labels to add to all deployed objects
65
##
66
commonLabels: {}
67
## @param commonAnnotations Annotations to add to all deployed objects
68
##
69
commonAnnotations: {}
70
## @param usePasswordFiles Mount credentials as files instead of using environment variables
71
##
72
usePasswordFiles: true
73
## @section Grafana parameters
74
75
## Iamguarded Grafana image version
76
## @param image.registry [default: REGISTRY_NAME] Grafana image registry
77
## @param image.repository [default: REPOSITORY_NAME/grafana] Grafana image repository
78
## @skip image.tag Grafana image tag (immutable tags are recommended)
79
## @param image.digest Grafana image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
80
## @param image.pullPolicy Grafana image pull policy
81
## @param image.pullSecrets Grafana image pull secrets
82
##
83
image:
84
registry: cgr.dev
85
repository: chainguard-private/grafana-iamguarded
86
tag: 12.4.0
87
digest: ""
88
## Specify a imagePullPolicy
89
## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
90
##
91
pullPolicy: IfNotPresent
92
## Optionally specify an array of imagePullSecrets.
93
## Secrets must be manually created in the namespace.
94
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
95
##
96
## pullSecrets:
97
## - myRegistryKeySecretName
98
pullSecrets: []
99
## Admin credentials configuration
100
##
101
admin:
102
## @param admin.user Grafana admin username
103
##
104
user: "admin"
105
## @param admin.password Admin password. If a password is not provided a random password will be generated
106
##
107
password: ""
108
## @param admin.existingSecret Name of the existing secret containing admin password
109
##
110
existingSecret: ""
111
## @param admin.existingSecretPasswordKey Password key on the existing secret
112
##
113
existingSecretPasswordKey: password
114
## SMTP configuration
115
##
116
smtp:
117
## @param smtp.enabled Enable SMTP configuration
118
##
119
enabled: false
120
## @param smtp.user SMTP user
121
##
122
user: user
123
## @param smtp.password SMTP password
124
##
125
password: password
126
## @param smtp.host Custom host for the smtp server
127
## e.g:
128
## host: mysmtphost.com
129
##
130
host: ""
131
## @param smtp.fromAddress From address
132
##
133
fromAddress: ""
134
## @param smtp.fromName From name
135
##
136
fromName: ""
137
## @param smtp.skipVerify Enable skip verify
138
##
139
skipVerify: "false"
140
## @param smtp.existingSecret Name of existing secret containing SMTP credentials (user and password)
141
##
142
existingSecret: ""
143
## @param smtp.existingSecretUserKey User key on the existing secret
144
##
145
existingSecretUserKey: user
146
## @param smtp.existingSecretPasswordKey Password key on the existing secret
147
##
148
existingSecretPasswordKey: password
149
## @param plugins Grafana plugins to be installed in deployment time separated by commas
150
## Specify plugins as a list separated by commas ( you will need to scape them when specifying from command line )
151
## Example:
152
## plugins: grafana-kubernetes-app,grafana-example-app
153
##
154
plugins: ""
155
## Ldap configuration for Grafana
156
##
157
ldap:
158
## @param ldap.enabled Enable LDAP for Grafana
159
##
160
enabled: false
161
## @param ldap.allowSignUp Allows LDAP sign up for Grafana
162
##
163
allowSignUp: false
164
## @param ldap.configuration Specify content for ldap.toml configuration file
165
## e.g:
166
## configuration: |-
167
## [[servers]]
168
## host = "127.0.0.1"
169
## port = 389
170
## use_ssl = false
171
## ...
172
##
173
configuration: ""
174
## @param ldap.configMapName Name of the ConfigMap with the ldap.toml configuration file for Grafana
175
## NOTE: When it's set the ldap.configuration parameter is ignored
176
##
177
configMapName: ""
178
## @param ldap.secretName Name of the Secret with the ldap.toml configuration file for Grafana
179
## NOTE: When it's set the ldap.configuration parameter is ignored
180
##
181
secretName: ""
182
## @param ldap.uri Server URI, eg. ldap://ldap_server:389
183
##
184
uri: ""
185
## @param ldap.binddn DN of the account used to search in the LDAP server.
186
##
187
binddn: ""
188
## @param ldap.bindpw Password for binddn account.
189
##
190
bindpw: ""
191
## @param ldap.basedn Base DN path where binddn account will search for the users.
192
##
193
basedn: ""
194
## @param ldap.searchAttribute Field used to match with the user name (uid, samAccountName, cn, etc). This value will be ignored if 'ldap.searchFilter' is set
195
##
196
searchAttribute: "uid"
197
## @param ldap.searchFilter User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(|(sAMAccountName=%s)(userPrincipalName=%s)"
198
##
199
searchFilter: ""
200
## @param ldap.extraConfiguration Extra ldap configuration.
201
## Example:
202
## extraConfiguration: |-
203
## # set to true if you want to skip SSL cert validation
204
## ssl_skip_verify = false
205
## # group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
206
## # group_search_filter_user_attribute = "distinguishedName"
207
## # group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
208
## # Specify names of the LDAP attributes your LDAP uses
209
## [servers.attributes]
210
## # member_of = "memberOf"
211
## # email = "email"
212
##
213
extraConfiguration: ""
214
## @param ldap.tls.enabled Enabled TLS configuration.
215
## @param ldap.tls.startTls Use STARTTLS instead of LDAPS.
216
## @param ldap.tls.skipVerify Skip any SSL verification (hostanames or certificates)
217
## @param ldap.tls.certificatesMountPath Where LDAP certifcates are mounted.
218
## @param ldap.tls.certificatesSecret Secret with LDAP certificates.
219
## @param ldap.tls.CAFilename CA certificate filename. Should match with the CA entry key in the ldap.tls.certificatesSecret.
220
## @param ldap.tls.certFilename Client certificate filename to authenticate against the LDAP server. Should match with certificate the entry key in the ldap.tls.certificatesSecret.
221
## @param ldap.tls.certKeyFilename Client Key filename to authenticate against the LDAP server. Should match with certificate the entry key in the ldap.tls.certificatesSecret.
222
##
223
tls:
224
enabled: false
225
startTls: false
226
skipVerify: false
227
certificatesMountPath: /opt/iamguarded/grafana/conf/ldap/
228
certificatesSecret: ""
229
CAFilename: ""
230
certFilename: ""
231
certKeyFilename: ""
232
## Grafana Image Renderer configuration for Grafana
233
##
234
imageRenderer:
235
## @param imageRenderer.enabled Enable using a remote rendering service to render PNG images
236
##
237
enabled: false
238
## @param imageRenderer.serverURL URL of the remote rendering service
239
##
240
serverURL: ""
241
## @param imageRenderer.callbackURL URL of the callback service
242
##
243
callbackURL: ""
244
## Parameters to override the default grafana.ini file.
245
## It is needed to create a configmap or a secret containing the grafana.ini file.
246
## @param config.useGrafanaIniFile Allows to load a `grafana.ini` file
247
## @param config.grafanaIniConfigMap Name of the ConfigMap containing the `grafana.ini` file
248
## @param config.grafanaIniSecret Name of the Secret containing the `grafana.ini` file
249
##
250
config:
251
useGrafanaIniFile: false
252
grafanaIniConfigMap: ""
253
grafanaIniSecret: ""
254
## Create dasboard provider to load dashboards, a default one is created to load dashboards
255
## from "/opt/iamguarded/grafana/dashboards"
256
## @param dashboardsProvider.enabled Enable the use of a Grafana dashboard provider
257
## @param dashboardsProvider.configMapName Name of a ConfigMap containing a custom dashboard provider
258
##
259
dashboardsProvider:
260
enabled: false
261
## Important to set the Path to "/opt/iamguarded/grafana/dashboards"
262
## Evaluated as a template.
263
##
264
configMapName: ""
265
## @param dashboardsConfigMaps Array with the names of a series of ConfigMaps containing dashboards files
266
## They will be mounted by the default dashboard provider if it is enabled
267
## Use an array with the configMap names.
268
## In order to use subfolders, uncomment "#foldersFromFilesStructure: true" line in default provider config. or create your own dashboard provider.
269
## Example:
270
## dashboardsConfigMaps:
271
## - configMapName: mydashboard
272
## folderName: foo
273
## fileName: mydashboard.json
274
## - configMapName: myotherdashboard
275
## folderName: bar
276
## fileName: myotherdashboard.json
277
##
278
dashboardsConfigMaps: []
279
## Import datasources from an externally-managed secret, or a secret definition set via Helm values.
280
##
281
datasources:
282
## @param datasources.secretName The name of an externally-managed secret containing custom datasource files.
283
##
284
secretName: ""
285
## @param datasources.secretDefinition The contents of a secret defining a custom datasource file. Only used if datasources.secretName is empty or not defined.
286
## Example:
287
## secretDefinition:
288
## apiVersion: 1
289
## datasources:
290
## - name: Prometheus
291
## type: prometheus
292
## url: http://prometheus-prometheus-server
293
## access: proxy
294
## isDefault: true
295
##
296
secretDefinition: {}
297
## Create notifiers from a configMap
298
## The notifiersName must contain the files
299
## @param notifiers.configMapName Name of a ConfigMap containing Grafana notifiers configuration
300
##
301
notifiers:
302
configMapName: ""
303
## Create alerting rules, contact points, notification policies, templates, and mute timings from a configMap
304
## @param alerting.configMapName Name of a ConfigMap containing Grafana alerting configuration
305
##
306
alerting:
307
configMapName: ""
308
## @section Grafana Deployment parameters
309
grafana:
310
## @param grafana.replicaCount Number of Grafana nodes
311
##
312
replicaCount: 1
313
## @param grafana.kind Use either Deployment or StatefulSet (default)
314
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
315
##
316
kind: Deployment
317
## @param grafana.podManagementPolicy StatefulSet pod management policy
318
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
319
##
320
podManagementPolicy: Parallel
321
## @param grafana.updateStrategy.type Set up update strategy for Grafana installation.
322
## Set to Recreate if you use persistent volume that cannot be mounted by more than one pods to make sure the pods is destroyed first.
323
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
324
## Example:
325
## updateStrategy:
326
## type: RollingUpdate
327
## rollingUpdate:
328
## maxSurge: 25%
329
## maxUnavailable: 25%
330
##
331
updateStrategy:
332
type: RollingUpdate
333
## @param grafana.automountServiceAccountToken Mount Service Account token in pod
334
##
335
automountServiceAccountToken: false
336
## @param grafana.hostAliases Add deployment host aliases
337
## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
338
##
339
hostAliases: []
340
## @param grafana.schedulerName Alternative scheduler
341
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
342
##
343
schedulerName: ""
344
## @param grafana.terminationGracePeriodSeconds In seconds, time the given to the Grafana pod needs to terminate gracefully
345
## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
346
##
347
terminationGracePeriodSeconds: ""
348
## @param grafana.priorityClassName Priority class name
349
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
350
##
351
priorityClassName: ""
352
## @param grafana.podLabels Extra labels for Grafana pods
353
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
354
##
355
podLabels: {}
356
## @param grafana.podAnnotations Grafana Pod annotations
357
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
358
##
359
podAnnotations: {}
360
## @param grafana.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
361
## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
362
##
363
podAffinityPreset: ""
364
## @param grafana.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
365
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
366
##
367
podAntiAffinityPreset: soft
368
## @param grafana.containerPorts.grafana Grafana container port
369
##
370
containerPorts:
371
grafana: 3000
372
## @param grafana.extraPorts Extra ports for Grafana deployment
373
##
374
extraPorts: []
375
## Node affinity preset
376
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
377
## @param grafana.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
378
## @param grafana.nodeAffinityPreset.key Node label key to match Ignored if `affinity` is set.
379
## @param grafana.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set.
380
##
381
nodeAffinityPreset:
382
type: ""
383
## E.g.
384
## key: "kubernetes.io/e2e-az-name"
385
##
386
key: ""
387
## E.g.
388
## values:
389
## - e2e-az1
390
## - e2e-az2
391
##
392
values: []
393
## @param grafana.affinity Affinity for pod assignment
394
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
395
## Note: podAffinityPreset, podAntiAffinityPreset, and nodeAffinityPreset will be ignored when it's set
396
##
397
affinity: {}
398
## @param grafana.nodeSelector Node labels for pod assignment
399
## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
400
##
401
nodeSelector: {}
402
## @param grafana.tolerations Tolerations for pod assignment
403
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
404
##
405
tolerations: []
406
## @param grafana.topologySpreadConstraints Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in
407
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
408
##
409
## topologySpreadConstraints:
410
## - maxSkew: 1
411
## topologyKey: failure-domain.beta.kubernetes.io/zone
412
## whenUnsatisfiable: DoNotSchedule
413
##
414
topologySpreadConstraints: []
415
## @param grafana.podSecurityContext.enabled Enable securityContext on for Grafana deployment
416
## @param grafana.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
417
## @param grafana.podSecurityContext.sysctls Set kernel settings using the sysctl interface
418
## @param grafana.podSecurityContext.supplementalGroups Set filesystem extra groups
419
## @param grafana.podSecurityContext.fsGroup Group to configure permissions for volumes
420
##
421
podSecurityContext:
422
enabled: true
423
fsGroupChangePolicy: Always
424
sysctls: []
425
supplementalGroups: []
426
fsGroup: 1001
427
## Configure Container Security Context
428
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
429
## @param grafana.containerSecurityContext.enabled Enabled containers' Security Context
430
## @param grafana.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
431
## @param grafana.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
432
## @param grafana.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
433
## @param grafana.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
434
## @param grafana.containerSecurityContext.privileged Set container's Security Context privileged
435
## @param grafana.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
436
## @param grafana.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
437
## @param grafana.containerSecurityContext.capabilities.drop List of capabilities to be dropped
438
## @param grafana.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
439
##
440
containerSecurityContext:
441
enabled: true
442
seLinuxOptions: {}
443
runAsUser: 1001
444
runAsGroup: 1001
445
runAsNonRoot: true
446
privileged: false
447
readOnlyRootFilesystem: true
448
allowPrivilegeEscalation: false
449
capabilities:
450
drop: ["ALL"]
451
seccompProfile:
452
type: "RuntimeDefault"
453
## Grafana containers' resource requests and limits
454
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
455
## We usually recommend not to specify default resources and to leave this as a conscious
456
## choice for the user. This also increases chances charts run on environments with little
457
## resources, such as Minikube. If you do want to specify resources, uncomment the following
458
## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
459
## @param grafana.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if grafana.resources is set (grafana.resources is recommended for production).
460
##
461
resourcesPreset: "nano"
462
## @param grafana.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
463
## Example:
464
## resources:
465
## requests:
466
## cpu: 2
467
## memory: 512Mi
468
## limits:
469
## cpu: 3
470
## memory: 1024Mi
471
##
472
resources: {}
473
## Grafana containers' liveness probe
474
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
475
## @param grafana.livenessProbe.enabled Enable livenessProbe
476
## @param grafana.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
477
## @param grafana.livenessProbe.periodSeconds Period seconds for livenessProbe
478
## @param grafana.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
479
## @param grafana.livenessProbe.failureThreshold Failure threshold for livenessProbe
480
## @param grafana.livenessProbe.successThreshold Success threshold for livenessProbe
481
##
482
livenessProbe:
483
enabled: true
484
initialDelaySeconds: 120
485
periodSeconds: 10
486
timeoutSeconds: 5
487
failureThreshold: 6
488
successThreshold: 1
489
## Grafana containers' readinessProbe probe
490
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
491
## @param grafana.readinessProbe.enabled Enable readinessProbe
492
## @param grafana.readinessProbe.path Path for readinessProbe
493
## @param grafana.readinessProbe.scheme Scheme for readinessProbe
494
## @param grafana.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
495
## @param grafana.readinessProbe.periodSeconds Period seconds for readinessProbe
496
## @param grafana.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
497
## @param grafana.readinessProbe.failureThreshold Failure threshold for readinessProbe
498
## @param grafana.readinessProbe.successThreshold Success threshold for readinessProbe
499
##
500
readinessProbe:
501
enabled: true
502
path: /api/health
503
scheme: HTTP
504
initialDelaySeconds: 30
505
periodSeconds: 10
506
timeoutSeconds: 5
507
failureThreshold: 6
508
successThreshold: 1
509
## @param grafana.startupProbe.enabled Enable startupProbe
510
## @param grafana.startupProbe.path Path for readinessProbe
511
## @param grafana.startupProbe.scheme Scheme for readinessProbe
512
## @param grafana.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
513
## @param grafana.startupProbe.periodSeconds Period seconds for startupProbe
514
## @param grafana.startupProbe.timeoutSeconds Timeout seconds for startupProbe
515
## @param grafana.startupProbe.failureThreshold Failure threshold for startupProbe
516
## @param grafana.startupProbe.successThreshold Success threshold for startupProbe
517
##
518
startupProbe:
519
enabled: false
520
path: /api/health
521
scheme: HTTP
522
initialDelaySeconds: 30
523
periodSeconds: 10
524
timeoutSeconds: 5
525
failureThreshold: 6
526
successThreshold: 1
527
## @param grafana.customLivenessProbe Custom livenessProbe that overrides the default one
528
##
529
customLivenessProbe: {}
530
## @param grafana.customReadinessProbe Custom readinessProbe that overrides the default one
531
##
532
customReadinessProbe: {}
533
## @param grafana.customStartupProbe Custom startupProbe that overrides the default one
534
##
535
customStartupProbe: {}
536
## @param grafana.lifecycleHooks for the Grafana container(s) to automate configuration before or after startup
537
##
538
lifecycleHooks: {}
539
## @param grafana.sidecars Attach additional sidecar containers to the Grafana pod
540
## Example:
541
## sidecars:
542
## - name: your-image-name
543
## image: your-image
544
## imagePullPolicy: Always
545
## ports:
546
## - name: portname
547
## containerPort: 1234
548
##
549
sidecars: []
550
## @param grafana.initContainers Add additional init containers to the Grafana pod(s)
551
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
552
## e.g:
553
## initContainers:
554
## - name: your-image-name
555
## image: your-image
556
## imagePullPolicy: Always
557
## command: ['sh', '-c', 'echo "hello world"']
558
##
559
initContainers: []
560
## @param grafana.enableServiceLinks Whether information about services should be injected into pod's environment variable
561
## The environment variables injected by service links are not used, but can lead to slow boot times or slow running of the scripts when there are many services in the current namespace.
562
## If you experience slow pod startups or slow running of the scripts you probably want to set this to `false`.
563
##
564
enableServiceLinks: true
565
## @param grafana.extraVolumes Additional volumes for the Grafana pod
566
## Example:
567
## extraVolumes:
568
## - name: my-volume
569
## emptyDir: {}
570
##
571
extraVolumes: []
572
## @param grafana.extraVolumeMounts Additional volume mounts for the Grafana container
573
## Example:
574
## extraVolumeMounts:
575
## - name: my-volume
576
## mountPath: /opt/iamguarded/grafana/my-stuff
577
##
578
extraVolumeMounts: []
579
## @param grafana.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Grafana nodes
580
##
581
extraEnvVarsCM: ""
582
## @param grafana.extraEnvVarsCMOptional Whether to still run the Grafana node if the ConfigMap does not exist
583
##
584
extraEnvVarsCMOptional: false
585
## @param grafana.extraEnvVarsSecret Name of existing Secret containing extra env vars for Grafana nodes
586
##
587
extraEnvVarsSecret: ""
588
## @param grafana.extraEnvVarsSecretOptional Whether to still run the Grafana node if the Secret does not exist
589
##
590
extraEnvVarsSecretOptional: false
591
## @param grafana.extraEnvVars Array containing extra env vars to configure Grafana
592
## For example:
593
## extraEnvVars:
594
## - name: GF_DEFAULT_INSTANCE_NAME
595
## value: my-instance
596
##
597
extraEnvVars: []
598
## @param grafana.extraConfigmaps Array to mount extra ConfigMaps to configure Grafana
599
## For example:
600
## extraConfigmaps:
601
## - name: myconfigmap
602
## mountPath: /opt/iamguarded/desired-path
603
## subPath: file-name.extension (optional)
604
## readOnly: true
605
##
606
extraConfigmaps: []
607
## @param grafana.command Override default container command (useful when using custom images)
608
##
609
command: []
610
## @param grafana.args Override default container args (useful when using custom images)
611
##
612
args: []
613
## Pod Disruption Budget configuration
614
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
615
## @param grafana.pdb.create Enable/disable a Pod Disruption Budget creation
616
## @param grafana.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
617
## @param grafana.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `grafana.pdb.minAvailable` and `grafana.pdb.maxUnavailable` are empty.
618
##
619
pdb:
620
create: true
621
minAvailable: ""
622
maxUnavailable: ""
623
## @section Persistence parameters
624
625
## Enable persistence using Persistent Volume Claims
626
## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
627
## @param persistence.enabled Enable persistence
628
## @param persistence.annotations Persistent Volume Claim annotations
629
## @param persistence.accessMode Persistent Volume Access Mode
630
## @param persistence.accessModes Persistent Volume Access Modes
631
## @param persistence.storageClass Storage class to use with the PVC
632
## @param persistence.existingClaim If you want to reuse an existing claim, you can pass the name of the PVC using the existingClaim variable. Please note that this setting will be ignored when `grafana.kind` is set to `StatefulSet`.
633
## @param persistence.size Size for the PV
634
##
635
persistence:
636
enabled: true
637
## If defined, storageClassName: <storageClass>
638
## If set to "-", storageClassName: "", which disables dynamic provisioning
639
## If undefined (the default) or set to null, no storageClassName spec is
640
## set, choosing the default provisioner. (gp2 on AWS, standard on
641
## GKE, AWS & OpenStack)
642
##
643
storageClass: ""
644
annotations: {}
645
existingClaim: ""
646
accessMode: ReadWriteOnce
647
accessModes: []
648
size: 10Gi
649
## @section RBAC parameters
650
651
## @param serviceAccount.create Specifies whether a ServiceAccount should be created
652
## @param serviceAccount.name The name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template
653
## @param serviceAccount.annotations Annotations to add to the ServiceAccount Metadata
654
## @param serviceAccount.automountServiceAccountToken Automount service account token for the application controller service account
655
serviceAccount:
656
create: true
657
name: ""
658
annotations: {}
659
automountServiceAccountToken: false
660
## @section Traffic exposure parameters
661
662
## Service parameters
663
##
664
service:
665
## @param service.type Kubernetes Service type
666
##
667
type: ClusterIP
668
## @param service.clusterIP Grafana service Cluster IP
669
## e.g.:
670
## clusterIP: None
671
##
672
clusterIP: ""
673
## @param service.ports.grafana Grafana service port
674
##
675
ports:
676
grafana: 3000
677
## @param service.nodePorts.grafana Specify the nodePort value for the LoadBalancer and NodePort service types
678
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
679
##
680
nodePorts:
681
grafana: ""
682
## @param service.loadBalancerIP loadBalancerIP if Grafana service type is `LoadBalancer` (optional, cloud specific)
683
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
684
##
685
loadBalancerIP: ""
686
## @param service.loadBalancerClass loadBalancerClass if Grafana service type is `LoadBalancer` (optional, cloud specific)
687
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
688
##
689
loadBalancerClass: ""
690
## @param service.loadBalancerSourceRanges loadBalancerSourceRanges if Grafana service type is `LoadBalancer` (optional, cloud specific)
691
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
692
## e.g:
693
## loadBalancerSourceRanges:
694
## - 10.10.10.0/24
695
##
696
loadBalancerSourceRanges: []
697
## @param service.annotations Provide any additional annotations which may be required.
698
## This can be used to set the LoadBalancer service type to internal only.
699
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
700
##
701
annotations: {}
702
## @param service.externalTrafficPolicy Grafana service external traffic policy
703
## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
704
##
705
externalTrafficPolicy: Cluster
706
## @param service.extraPorts Extra port to expose on Grafana service
707
##
708
extraPorts: []
709
## @param service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
710
## If "ClientIP", consecutive client requests will be directed to the same Pod
711
## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
712
##
713
sessionAffinity: None
714
## @param service.sessionAffinityConfig Additional settings for the sessionAffinity
715
## sessionAffinityConfig:
716
## clientIP:
717
## timeoutSeconds: 300
718
##
719
sessionAffinityConfig: {}
720
## Network Policies
721
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
722
##
723
networkPolicy:
724
## @param networkPolicy.enabled Specifies whether a NetworkPolicy should be created
725
##
726
enabled: true
727
## @param networkPolicy.allowExternal Don't require server label for connections
728
## The Policy model to apply. When set to false, only pods with the correct
729
## server label will have network access to the ports server is listening
730
## on. When true, server will accept connections from any source
731
## (with the correct destination port).
732
##
733
allowExternal: true
734
## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
735
##
736
allowExternalEgress: true
737
## @param networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `networkPolicy.allowExternal` is true.
738
##
739
addExternalClientAccess: true
740
## @param networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
741
## e.g:
742
## extraIngress:
743
## - ports:
744
## - port: 1234
745
## from:
746
## - podSelector:
747
## - matchLabels:
748
## - role: frontend
749
## - podSelector:
750
## - matchExpressions:
751
## - key: role
752
## operator: In
753
## values:
754
## - frontend
755
extraIngress: []
756
## @param networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
757
## e.g:
758
## extraEgress:
759
## - ports:
760
## - port: 1234
761
## to:
762
## - podSelector:
763
## - matchLabels:
764
## - role: frontend
765
## - podSelector:
766
## - matchExpressions:
767
## - key: role
768
## operator: In
769
## values:
770
## - frontend
771
##
772
extraEgress: []
773
## @param networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `networkPolicy.allowExternal` is true.
774
## e.g:
775
## ingressPodMatchLabels:
776
## my-client: "true"
777
#
778
ingressPodMatchLabels: {}
779
## @param networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
780
## @param networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `networkPolicy.allowExternal` is true.
781
##
782
ingressNSMatchLabels: {}
783
ingressNSPodMatchLabels: {}
784
## Configure the ingress resource that allows you to access the
785
## Grafana installation. Set up the URL
786
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
787
##
788
ingress:
789
## @param ingress.enabled Set to true to enable ingress record generation
790
##
791
enabled: false
792
## DEPRECATED: Use ingress.annotations instead of ingress.certManager
793
## certManager: false
794
##
795
796
## @param ingress.pathType Ingress Path type
797
##
798
pathType: ImplementationSpecific
799
## @param ingress.apiVersion Override API Version (automatically detected if not set)
800
##
801
apiVersion: ""
802
## @param ingress.hostname When the ingress is enabled, a host pointing to this will be created
803
##
804
hostname: grafana.local
805
## @param ingress.path Default path for the ingress resource
806
## The Path to Grafana. You may need to set this to '/*' in order to use this with ALB ingress controllers.
807
##
808
path: /
809
## @param ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
810
## For a full list of possible ingress annotations, please see
811
## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
812
## Use this parameter to set the required annotations for cert-manager, see
813
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
814
##
815
## e.g:
816
## annotations:
817
## kubernetes.io/ingress.class: nginx
818
## cert-manager.io/cluster-issuer: cluster-issuer-name
819
##
820
annotations: {}
821
## @param ingress.tls Enable TLS configuration for the hostname defined at ingress.hostname parameter
822
## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.ingress.hostname }}
823
## You can use the ingress.secrets parameter to create this TLS secret or relay on cert-manager to create it
824
##
825
tls: false
826
## @param ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
827
## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
828
## extraHosts:
829
## - name: grafana.local
830
## path: /
831
##
832
extraHosts: []
833
## @param ingress.extraPaths Any additional arbitrary paths that may need to be added to the ingress under the main host.
834
## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
835
## extraPaths:
836
## - path: /*
837
## backend:
838
## serviceName: ssl-redirect
839
## servicePort: use-annotation
840
##
841
extraPaths: []
842
## @param ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
843
## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
844
## extraTls:
845
## - hosts:
846
## - grafana.local
847
## secretName: grafana.local-tls
848
##
849
extraTls: []
850
## @param ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
851
## key and certificate should start with -----BEGIN CERTIFICATE----- or
852
## -----BEGIN RSA PRIVATE KEY-----
853
##
854
## name should line up with a tlsSecret set further up
855
## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
856
##
857
## @param ingress.secrets It is also possible to create and manage the certificates outside of this helm chart
858
## Please see README.md for more information
859
## e.g:
860
## - name: grafana.local-tls
861
## key:
862
## certificate:
863
##
864
secrets: []
865
## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
866
##
867
selfSigned: false
868
## @param ingress.ingressClassName IngressClass that will be be used to implement the Ingress (Kubernetes 1.18+)
869
ingressClassName: ""
870
## @param ingress.extraRules Additional rules to be covered with this ingress record
871
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
872
## e.g:
873
## extraRules:
874
## - host: example.local
875
## http:
876
## path: /
877
## backend:
878
## service:
879
## name: example-svc
880
## port:
881
## name: http
882
##
883
extraRules: []
884
## @section Metrics parameters
885
886
## Prometheus metrics
887
##
888
metrics:
889
## @param metrics.enabled Enable the export of Prometheus metrics
890
##
891
enabled: false
892
## Prometheus Operator ServiceMonitor configuration
893
## @param metrics.service.annotations [object] Annotations for Prometheus metrics service
894
##
895
service:
896
annotations:
897
prometheus.io/scrape: "true"
898
prometheus.io/port: "3000"
899
prometheus.io/path: "/metrics"
900
serviceMonitor:
901
## @param metrics.serviceMonitor.enabled if `true`, creates a Prometheus Operator ServiceMonitor (also requires `metrics.enabled` to be `true`)
902
##
903
enabled: false
904
## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
905
##
906
namespace: ""
907
## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped.
908
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
909
## e.g:
910
## interval: 10s
911
##
912
interval: ""
913
## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
914
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
915
## e.g:
916
## scrapeTimeout: 10s
917
##
918
scrapeTimeout: ""
919
## @param metrics.serviceMonitor.selector Prometheus instance selector labels
920
## e.g:
921
## selector:
922
## prometheus: my-prometheus
923
##
924
selector: {}
925
## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
926
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
927
##
928
relabelings: []
929
## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
930
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
931
##
932
metricRelabelings: []
933
## @param metrics.serviceMonitor.honorLabels Labels to honor to add to the scrape endpoint
934
##
935
honorLabels: false
936
## DEPRECATED metrics.serviceMonitor.additionalLabels - It will be removed in a future release, please use metrics.serviceMonitor.labels instead
937
## @param metrics.serviceMonitor.labels Additional custom labels for the ServiceMonitor
938
##
939
labels: {}
940
## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
941
##
942
jobLabel: ""
943
## Prometheus Operator PrometheusRule configuration
944
##
945
prometheusRule:
946
## @param metrics.prometheusRule.enabled if `true`, creates a Prometheus Operator PrometheusRule (also requires `metrics.enabled` to be `true` and `metrics.prometheusRule.rules`)
947
##
948
enabled: false
949
## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace)
950
##
951
namespace: ""
952
## @param metrics.prometheusRule.additionalLabels Additional labels that can be used so PrometheusRule will be discovered by Prometheus
953
##
954
additionalLabels: {}
955
## @param metrics.prometheusRule.rules PrometheusRule rules to configure
956
## e.g:
957
## - alert: Grafana-Down
958
## annotations:
959
## message: 'Grafana instance is down'
960
## summary: Grafana instance is down
961
## expr: absent(up{job="grafana"} == 1)
962
## labels:
963
## severity: warning
964
## service: grafana
965
## for: 5m
966
##
967
rules: []
968
## @section Volume permissions init Container Parameters
969
970
## 'volumePermissions' init container parameters
971
## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
972
## based on the `grafana:podSecurityContext`/`grafana:containerSecurityContext`` parameters
973
## May require setting `grafana:podSecurityContext:runAsNonRoot` to false
974
##
975
volumePermissions:
976
## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`
977
##
978
enabled: false
979
## OS Shell + Utility image
980
## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry
981
## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository
982
## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended)
983
## @param volumePermissions.image.digest OS Shell + Utility image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
984
## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy
985
## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets
986
##
987
image:
988
registry: cgr.dev
989
repository: chainguard-private/os-shell-iamguarded
990
tag: 1.0.0
991
digest: ""
992
pullPolicy: IfNotPresent
993
## Optionally specify an array of imagePullSecrets.
994
## Secrets must be manually created in the namespace.
995
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
996
## e.g:
997
## pullSecrets:
998
## - myRegistryKeySecretName
999
##
1000
pullSecrets: []
1001
## Init container's resource requests and limits
1002
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
1003
## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
1004
##
1005
resourcesPreset: "nano"
1006
## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
1007
## Example:
1008
## resources:
1009
## requests:
1010
## cpu: 2
1011
## memory: 512Mi
1012
## limits:
1013
## cpu: 3
1014
## memory: 1024Mi
1015
##
1016
resources: {}
1017
## Init container Container Security Context
1018
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
1019
## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
1020
## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
1021
## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
1022
## data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
1023
## "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
1024
##
1025
containerSecurityContext:
1026
seLinuxOptions: {}
1027
runAsUser: 0
1028
## @section Diagnostic Mode Parameters
1029
1030
## Enable diagnostic mode in the deployment
1031
##
1032
diagnosticMode:
1033
## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
1034
##
1035
enabled: false
1036
## @param diagnosticMode.command Command to override all containers in the deployment
1037
##
1038
command:
1039
- sleep
1040
## @param diagnosticMode.args Args to override all containers in the deployment
1041
##
1042
args:
1043
- infinity
1044