prometheus

Helm chart
Default values

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.name
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## Enable diagnostic mode in the deployment
##
diagnosticMode:
  ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden)
  ##
  enabled: false
  ## @param diagnosticMode.command Command to override all containers in the deployment
  ##
  command:
    - sleep
  ## @param diagnosticMode.args Args to override all containers in the deployment
  ##
  args:
    - infinity
## @param ingress.apiVersion Force Ingress API version (automatically detected if not set)
##
ingress:
  apiVersion: ""
## @section Alertmanager Parameters
##
## Iamguarded Alertmanager image
## @param alertmanager.enabled Alertmanager enabled
## @param alertmanager.image.registry [default: REGISTRY_NAME] Alertmanager image registry
## @param alertmanager.image.repository [default: REPOSITORY_NAME/alertmanager] Alertmanager image repository
## @skip alertmanager.image.tag Alertmanager image tag (immutable tags are recommended)
## @param alertmanager.image.digest Alertmanager image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag image tag (immutable tags are recommended)
## @param alertmanager.image.pullPolicy Alertmanager image pull policy
## @param alertmanager.image.pullSecrets Alertmanager image pull secrets
##
alertmanager:
  enabled: true
  image:
    registry: cgr.dev
    repository: chainguard-private/prometheus-alertmanager-iamguarded
    tag: 0.31.1
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param alertmanager.configuration [string] Alertmanager configuration. This content will be stored in the alertmanager.yaml file and the content can be a template.
  ## ref: <https://github.com/prometheus-community/helm-charts/blob/8f2743ed3a9c93c56978a95b62a63e84c52f5748/charts/alertmanager/values.yaml#L171-L188>
  ##
  configuration: |
    receivers:
      - name: default-receiver
    route:
      group_wait: 10s
      group_interval: 5m
      receiver: default-receiver
      repeat_interval: 3h
  ## @param alertmanager.replicaCount Number of Alertmanager replicas to deploy
  ##
  replicaCount: 1
  ## @param alertmanager.containerPorts.http Alertmanager HTTP container port
  ## @param alertmanager.containerPorts.cluster Alertmanager Cluster HA port
  ##
  containerPorts:
    http: 9093
    cluster: 9094
  ## Configure extra options for Alertmanager containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param alertmanager.livenessProbe.enabled Enable livenessProbe on Alertmanager containers
  ## @param alertmanager.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param alertmanager.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param alertmanager.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param alertmanager.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param alertmanager.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 20
    timeoutSeconds: 3
    failureThreshold: 3
    successThreshold: 1
  ## @param alertmanager.readinessProbe.enabled Enable readinessProbe on Alertmanager containers
  ## @param alertmanager.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param alertmanager.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param alertmanager.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param alertmanager.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param alertmanager.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 2
    failureThreshold: 5
    successThreshold: 1
  ## @param alertmanager.startupProbe.enabled Enable startupProbe on Alertmanager containers
  ## @param alertmanager.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param alertmanager.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param alertmanager.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param alertmanager.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param alertmanager.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 2
    periodSeconds: 5
    timeoutSeconds: 2
    failureThreshold: 10
    successThreshold: 1
  ## @param alertmanager.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param alertmanager.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param alertmanager.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Alertmanager resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param alertmanager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if alertmanager.resources is set (alertmanager.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param alertmanager.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param alertmanager.podSecurityContext.enabled Enabled Alertmanager pods' Security Context
  ## @param alertmanager.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param alertmanager.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param alertmanager.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param alertmanager.podSecurityContext.fsGroup Set Alertmanager pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param alertmanager.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param alertmanager.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param alertmanager.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param alertmanager.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param alertmanager.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param alertmanager.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param alertmanager.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param alertmanager.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param alertmanager.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param alertmanager.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param alertmanager.existingConfigmap The name of an existing ConfigMap with your custom configuration for Alertmanager
  ##
  existingConfigmap: ""
  ## @param alertmanager.existingConfigmapKey The name of the key with the Alertmanager config file
  ##
  existingConfigmapKey: ""
  ## @param alertmanager.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param alertmanager.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param alertmanager.extraArgs Additional arguments passed to the Prometheus server container
  ## extraArgs:
  ##   - --log.level=debug
  ##   - --tsdb.path=/data/
  ##
  extraArgs: []
  ## @param alertmanager.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param alertmanager.hostAliases Alertmanager pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param alertmanager.podLabels Extra labels for Alertmanager pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param alertmanager.podAnnotations Annotations for Alertmanager pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param alertmanager.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param alertmanager.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param alertmanager.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param alertmanager.pdb.minAvailable [object] Minimum number/percentage of pods that should remain scheduled
  ## @param alertmanager.pdb.maxUnavailable [object] Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `alertmanager.pdb.minAvailable` and `alertmanager.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param alertmanager.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param alertmanager.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
    ##
    key: ""
    ## @param alertmanager.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param alertmanager.affinity Affinity for Alertmanager pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param alertmanager.nodeSelector Node labels for Alertmanager pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param alertmanager.tolerations Tolerations for Alertmanager pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param alertmanager.updateStrategy.type Alertmanager statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  ## @param alertmanager.podManagementPolicy Statefulset Pod management policy, it needs to be Parallel to be able to complete the cluster join
  ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: OrderedReady
  ## @param alertmanager.priorityClassName Alertmanager pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param alertmanager.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param alertmanager.schedulerName Name of the k8s scheduler (other than default) for Alertmanager pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param alertmanager.terminationGracePeriodSeconds Seconds Redmine pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param alertmanager.lifecycleHooks for the Alertmanager container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param alertmanager.extraEnvVars Array with extra environment variables to add to Alertmanager nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param alertmanager.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Alertmanager nodes
  ##
  extraEnvVarsCM: ""
  ## @param alertmanager.extraEnvVarsSecret Name of existing Secret containing extra env vars for Alertmanager nodes
  ##
  extraEnvVarsSecret: ""
  ## @param alertmanager.extraVolumes Optionally specify extra list of additional volumes for the Alertmanager pod(s)
  ##
  extraVolumes: []
  ## @param alertmanager.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Alertmanager container(s)
  ##
  extraVolumeMounts: []
  ## @param alertmanager.sidecars Add additional sidecar containers to the Alertmanager pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param alertmanager.initContainers Add additional init containers to the Alertmanager pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## Alertmanager ingress parameters
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param alertmanager.ingress.enabled Enable ingress record generation for Alertmanager
    ##
    enabled: false
    ## @param alertmanager.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param alertmanager.ingress.hostname Default host for the ingress record
    ##
    hostname: alertmanager.prometheus.local
    ## @param alertmanager.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param alertmanager.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param alertmanager.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param alertmanager.ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
    ##
    tls: false
    ## @param alertmanager.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param alertmanager.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: prometheus.local
    ##     path: /
    ##
    extraHosts: []
    ## @param alertmanager.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ##   - path: /*
    ##     backend:
    ##       serviceName: ssl-redirect
    ##       servicePort: use-annotation
    ##
    extraPaths: []
    ## @param alertmanager.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ##   - hosts:
    ##       - prometheus.local
    ##     secretName: prometheus.local-tls
    ##
    extraTls: []
    ## @param alertmanager.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: prometheus.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param alertmanager.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ##   - host: example.local
    ##     http:
    ##       path: /
    ##       backend:
    ##         service:
    ##           name: example-svc
    ##           port:
    ##             name: http
    ##
    extraRules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param alertmanager.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param alertmanager.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param alertmanager.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param alertmanager.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param alertmanager.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param alertmanager.networkPolicy.allowExternal Don't require alertmanager label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## alertmanager label will have network access to the ports alertmanager is listening
    ## on. When true, alertmanager will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param alertmanager.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param alertmanager.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `alertmanager.networkPolicy.allowExternal` is true.
    ##
    addExternalClientAccess: true
    ## @param alertmanager.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param alertmanager.networkPolicy.extraEgress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param alertmanager.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `alertmanager.networkPolicy.allowExternal` is true.
    ## e.g:
    ## ingressPodMatchLabels:
    ##   my-client: "true"
    #
    ingressPodMatchLabels: {}
    ## @param alertmanager.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `alertmanager.networkPolicy.allowExternal` is true.
    ## @param alertmanager.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `alertmanager.networkPolicy.allowExternal` is true.
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Alertmanager service parameters
  ##
  service:
    ## @param alertmanager.service.type Alertmanager service type
    ##
    type: LoadBalancer
    ## @param alertmanager.service.ports.http Alertmanager service HTTP port
    ## @param alertmanager.service.ports.cluster Alertmanager cluster HA port
    ##
    ports:
      http: 80
      cluster: 9094
    ## Node ports to expose
    ## @param alertmanager.service.nodePorts.http Node port for HTTP
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
    ## @param alertmanager.service.clusterIP Alertmanager service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param alertmanager.service.loadBalancerIP Alertmanager service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param alertmanager.service.loadBalancerClass Alertmanager service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param alertmanager.service.loadBalancerSourceRanges Alertmanager service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param alertmanager.service.externalTrafficPolicy Alertmanager service external traffic policy
    ## ref http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param alertmanager.service.annotations Additional custom annotations for Alertmanager service
    ##
    annotations: {}
    ## @param alertmanager.service.extraPorts Extra ports to expose in Alertmanager service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param alertmanager.service.sessionAffinity Control where client requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param alertmanager.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  persistence:
    ## @param alertmanager.persistence.enabled Enable Alertmanager data persistence using VolumeClaimTemplates
    ##
    enabled: false
    ## @param alertmanager.persistence.mountPath Path to mount the volume at.
    ##
    mountPath: /iamguarded/alertmanager/data
    ## @param alertmanager.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services
    ##
    subPath: ""
    ## @param alertmanager.persistence.storageClass PVC Storage Class for Concourse worker data volume
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner. (gp2 on AWS, standard on
    ## GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param alertmanager.persistence.accessModes PVC Access Mode for Concourse worker volume
    ##
    accessModes:
      - ReadWriteOnce
    ## @param alertmanager.persistence.size PVC Storage Request for Concourse worker volume
    ##
    size: 8Gi
    ## @param alertmanager.persistence.annotations Annotations for the PVC
    ##
    annotations: {}
    ## @param alertmanager.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template)
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
674
## @section Prometheus server Parameters
##
## Iamguarded Prometheus image
## @param server.image.registry [default: REGISTRY_NAME] Prometheus image registry
## @param server.image.repository [default: REPOSITORY_NAME/prometheus] Prometheus image repository
## @skip server.image.tag Prometheus image tag (immutable tags are recommended)
## @param server.image.digest Prometheus image digest in the way sha256:aa.... Please note this parameter, if set, will override the image tag (immutable tags are recommended)
## @param server.image.pullPolicy Prometheus image pull policy
## @param server.image.pullSecrets Prometheus image pull secrets
##
server:
  image:
    registry: cgr.dev
    repository: chainguard-private/prometheus-iamguarded
    tag: 3.10.0
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: http://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param server.scrapePrometheusHost Specifies whether to include prometheus host scraping job
  ##
  scrapePrometheusHost: true
  ## @param server.scrapeAlertmanagerHost Specifies whether to include alertmanager host scraping job
  ##
  scrapeAlertmanagerHost: true
  ## @param server.configuration [string] Prometheus configuration. This content will be stored in the prometheus.yaml file and the content can be a template.
  ## ref: <https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus/values.yaml>
  ##
  configuration: |
    global:
      {{- if .Values.server.scrapeInterval }}
      scrape_interval: {{ .Values.server.scrapeInterval }}
      {{- end }}
      {{- if .Values.server.scrapeTimeout }}
      scrape_timeout: {{ .Values.server.scrapeTimeout }}
      {{- end }}
      {{- if .Values.server.evaluationInterval }}
      evaluation_interval: {{ .Values.server.evaluationInterval }}
      {{- end }}
      external_labels:
        monitor: {{ template "common.names.fullname" . }}
        {{- if .Values.server.externalLabels }}
        {{- include "common.tplvalues.render" (dict "value" .Values.server.externalLabels "context" $) | nindent 4 }}
        {{- end }}
    {{- if .Values.server.remoteWrite }}
    remote_write: {{- include "common.tplvalues.render" (dict "value" .Values.server.remoteWrite "context" $) | nindent 4 }}
    {{- end }}
    scrape_configs:
    {{- if .Values.server.scrapePrometheusHost }}
      - job_name: prometheus
      {{- include "prometheus.scrape_config" (dict "component" "server" "context" $) | nindent 4 }}
    {{- end }}
    {{- if and .Values.alertmanager.enabled .Values.server.scrapeAlertmanagerHost }}
      - job_name: alertmanager
      {{- include "prometheus.scrape_config" (dict "component" "alertmanager" "context" $) | nindent 4 }}
    {{- end }}
    {{- if .Values.server.extraScrapeConfigs}}
    {{- include "common.tplvalues.render" (dict "value" .Values.server.extraScrapeConfigs "context" $) | nindent 2 }}
    {{- end }}
    {{- if or .Values.alertmanager.enabled .Values.server.alertingEndpoints}}
    alerting:
      alertmanagers:
        {{- if .Values.server.alertingEndpoints }}
        {{- include "common.tplvalues.render" (dict "value" .Values.server.alertingEndpoints "context" $) | nindent 4 }}
        {{- end }}
        - scheme: HTTP
          static_configs:
            - targets: [ "{{ printf "%s.%s.svc.%s:%d" (include "prometheus.alertmanager.fullname" .) (include "common.names.namespace" .) .Values.clusterDomain (int .Values.alertmanager.service.ports.http) }}" ]
    rule_files:
      - rules.yaml
    {{- end }}
  ## @param server.alertingRules Prometheus alerting rules. This content will be stored in the rules.yaml file and the content can be a template.
  ## ref: <https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/>
  ##
  alertingRules: {}
  ## @param server.extraScrapeConfigs Prometheus configuration, useful to declare new scrape_configs. This content will be merged with the 'server.configuration' value and stored in the prometheus.yaml file.
  ## ref: <https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config>
  ##
  extraScrapeConfigs: []
  ## @param server.replicaCount Number of Prometheus replicas to deploy
  ##
  replicaCount: 1
  ## @param server.containerPorts.http Prometheus HTTP container port
  ##
  containerPorts:
    http: 9090
  ## Configure extra options for Prometheus containers' liveness and readiness probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param server.livenessProbe.enabled Enable livenessProbe on Prometheus containers
  ## @param server.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param server.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param server.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param server.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param server.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 20
    timeoutSeconds: 3
    failureThreshold: 3
    successThreshold: 1
  ## @param server.readinessProbe.enabled Enable readinessProbe on Prometheus containers
  ## @param server.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param server.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param server.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param server.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param server.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 10
    timeoutSeconds: 2
    failureThreshold: 5
    successThreshold: 1
  ## @param server.startupProbe.enabled Enable startupProbe on Prometheus containers
  ## @param server.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param server.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param server.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param server.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param server.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 2
    periodSeconds: 5
    timeoutSeconds: 2
    failureThreshold: 10
    successThreshold: 1
  ## @param server.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param server.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param server.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## Prometheus resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if server.resources is set (server.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param server.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param server.podSecurityContext.enabled Enabled Prometheus pods' Security Context
  ## @param server.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param server.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param server.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param server.podSecurityContext.fsGroup Set Prometheus pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param server.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param server.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param server.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param server.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param server.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param server.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param server.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param server.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param server.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param server.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param server.existingConfigmap The name of an existing ConfigMap with your custom configuration for Prometheus
  ##
  existingConfigmap: ""
  ## @param server.existingConfigmapKey The name of the key with the Prometheus config file
  ##
  existingConfigmapKey: ""
  ## @param server.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param server.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param server.extraArgs Additional arguments passed to the Prometheus server container
  ## extraArgs:
  ##   - --log.level=debug
  ##   - --tsdb.path=/data/
  ##
  extraArgs: []
  ## @param server.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param server.hostAliases Prometheus pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param server.podLabels Extra labels for Prometheus pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param server.podAnnotations Annotations for Prometheus pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param server.podAffinityPreset Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param server.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param server.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param server.pdb.minAvailable [object] Minimum number/percentage of pods that should remain scheduled
  ## @param server.pdb.maxUnavailable [object] Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `server.pdb.minAvailable` and `server.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param server.nodeAffinityPreset.type Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param server.nodeAffinityPreset.key Node label key to match. Ignored if `affinity` is set
    ##
    key: ""
    ## @param server.nodeAffinityPreset.values Node label values to match. Ignored if `affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param server.affinity Affinity for Prometheus pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `podAffinityPreset`, `podAntiAffinityPreset`, and `nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param server.nodeSelector Node labels for Prometheus pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param server.tolerations Tolerations for Prometheus pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param server.updateStrategy.type Prometheus deployment strategy type. If persistence is enabled, strategy type should be set to Recreate to avoid deadlocks.
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or Recreate
    ##
    type: RollingUpdate
  ## @param server.priorityClassName Prometheus pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param server.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param server.schedulerName Name of the k8s scheduler (other than default) for Prometheus pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param server.terminationGracePeriodSeconds Seconds Prometheus pod needs to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param server.lifecycleHooks Lifecycle hooks for the Prometheus container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param server.extraEnvVars Array with extra environment variables to add to Prometheus nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param server.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Prometheus nodes
  ##
  extraEnvVarsCM: ""
  ## @param server.extraEnvVarsSecret Name of existing Secret containing extra env vars for Prometheus nodes
  ##
  extraEnvVarsSecret: ""
  ## @param server.extraVolumes Optionally specify extra list of additional volumes for the Prometheus pod(s)
  ##
  extraVolumes: []
  ## @param server.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Prometheus container(s)
  ##
  extraVolumeMounts: []
  ## @param server.sidecars Add additional sidecar containers to the Prometheus pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param server.initContainers Add additional init containers to the Prometheus pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##  - name: your-image-name
  ##    image: your-image
  ##    imagePullPolicy: Always
  ##    command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @param server.routePrefix Prefix for the internal routes of web endpoints
  ##
  routePrefix: /
  ## @param server.remoteWrite The remote_write spec configuration for Prometheus
  ##
  remoteWrite: []
  ## @param server.scrapeInterval Interval between consecutive scrapes. Example: "1m"
  ##
  scrapeInterval: ""
  ## @param server.scrapeTimeout Timeout for each scrape request. Example: "10s"
  ##
  scrapeTimeout: ""
  ## @param server.evaluationInterval Interval between consecutive evaluations. Example: "1m"
  ##
  evaluationInterval: ""
  ## @param server.enableAdminAPI Enable Prometheus administrative API
  ## ref: https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis
  ##
  enableAdminAPI: false
  ## @param server.enableRemoteWriteReceiver Enable Prometheus to be used as a receiver for the Prometheus remote write protocol.
  ##
  enableRemoteWriteReceiver: false
  ## @param server.enableFeatures Enable access to Prometheus disabled features.
  ## ref: https://prometheus.io/docs/prometheus/latest/disabled_features/
  ##
  enableFeatures: []
  ## @param server.logLevel Log level for Prometheus
  ##
  logLevel: info
  ## @param server.logFormat Log format for Prometheus
  ##
  logFormat: logfmt
  ## @param server.retention Metrics retention days
  ##
  retention: 10d
  ## @param server.retentionSize Maximum size of metrics
  ##
  retentionSize: "0"
  ## @param server.alertingEndpoints Alertmanagers to which alerts will be sent
  ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#alertmanager_config
  ##
  alertingEndpoints: []
  ## @param server.externalLabels External labels to add to any time series or alerts when communicating with external systems
  ##
  externalLabels: {}
  ## Thanos sidecar container configuration
  ##
  thanos:
    ## @param server.thanos.create Create a Thanos sidecar container
    ##
    create: false
    ## Iamguarded Thanos image
    ## @param server.thanos.image.registry [default: REGISTRY_NAME] Thanos image registry
    ## @param server.thanos.image.repository [default: REPOSITORY_NAME/thanos] Thanos image name
    ## @skip server.thanos.image.tag Thanos image tag
    ## @param server.thanos.image.digest Thanos image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param server.thanos.image.pullPolicy Thanos image pull policy
    ## @param server.thanos.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/thanos-iamguarded
      tag: 0.41.0
      digest: ""
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets.
      ## Secrets must be manually created in the namespace.
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## Thanos Sidecar container's securityContext
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param server.thanos.containerSecurityContext.enabled Enabled containers' Security Context
    ## @param server.thanos.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param server.thanos.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
    ## @param server.thanos.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
    ## @param server.thanos.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
    ## @param server.thanos.containerSecurityContext.privileged Set container's Security Context privileged
    ## @param server.thanos.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
    ## @param server.thanos.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
    ## @param server.thanos.containerSecurityContext.capabilities.drop List of capabilities to be dropped
    ## @param server.thanos.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## @param server.thanos.prometheusUrl Override default prometheus url `http://localhost:9090`
    ##
    prometheusUrl: ""
    ## @param server.thanos.extraArgs Additional arguments passed to the thanos sidecar container
    ## extraArgs:
    ##   - --log.level=debug
    ##   - --tsdb.path=/data/
    ##
    extraArgs: []
    ## @param server.thanos.objectStorageConfig.secretName Support mounting a Secret for the objectStorageConfig of the sidecar container.
    ## @param server.thanos.objectStorageConfig.secretKey Secret key with the configuration file.
    ## ref: https://github.com/thanos-io/thanos/blob/main/docs/storage.md
    ## objectStorageConfig:
    ##   secretName: thanos-objstore-config
    ##   secretKey: thanos.yaml
    ##
    objectStorageConfig:
      secretName: ""
      secretKey: thanos.yaml
    ## ref: https://github.com/thanos-io/thanos/blob/main/docs/components/sidecar.md
    ## @param server.thanos.extraVolumeMounts Additional volumeMounts from `server.volumes` for thanos sidecar container
    ## extraVolumeMounts:
    ##   - name: my-secret-volume
    ##     mountPath: /etc/thanos/secrets/my-secret
    ##
    extraVolumeMounts: []
    ## Thanos sidecar container resource requests and limits.
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## We usually recommend not to specify default resources and to leave this as a conscious
    ## choice for the user. This also increases chances charts run on environments with little
    ## resources, such as Minikube. If you do want to specify resources, uncomment the following
    ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    ## @param server.thanos.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if server.thanos.resources is set (server.thanos.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param server.thanos.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
    ## Configure extra options for liveness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param server.thanos.livenessProbe.enabled Turn on and off liveness probe
    ## @param server.thanos.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
    ## @param server.thanos.livenessProbe.periodSeconds How often to perform the probe
    ## @param server.thanos.livenessProbe.timeoutSeconds When the probe times out
    ## @param server.thanos.livenessProbe.failureThreshold Minimum consecutive failures for the probe
    ## @param server.thanos.livenessProbe.successThreshold Minimum consecutive successes for the probe
    ##
    livenessProbe:
      enabled: true
      initialDelaySeconds: 0
      periodSeconds: 5
      timeoutSeconds: 3
      failureThreshold: 120
      successThreshold: 1
    ## Configure extra options for readiness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param server.thanos.readinessProbe.enabled Turn on and off readiness probe
    ## @param server.thanos.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
    ## @param server.thanos.readinessProbe.periodSeconds How often to perform the probe
    ## @param server.thanos.readinessProbe.timeoutSeconds When the probe times out
    ## @param server.thanos.readinessProbe.failureThreshold Minimum consecutive failures for the probe
    ## @param server.thanos.readinessProbe.successThreshold Minimum consecutive successes for the probe
    ##
    readinessProbe:
      enabled: true
      initialDelaySeconds: 0
      periodSeconds: 5
      timeoutSeconds: 3
      failureThreshold: 120
      successThreshold: 1
    ## @param server.thanos.customLivenessProbe Custom livenessProbe that overrides the default one
    ##
    customLivenessProbe: {}
    ## @param server.thanos.customReadinessProbe Custom readinessProbe that overrides the default one
    ##
    customReadinessProbe: {}
    ## Thanos Sidecar Service
    ##
    service:
      ## @param server.thanos.service.type Kubernetes service type
      ##
      type: ClusterIP
      ## @param server.thanos.service.ports.grpc Thanos service port
      ##
      ports:
        grpc: 10901
      ## @param server.thanos.service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` to create headless service by default.
      ## Use a "headless" service by default so it returns every pod's IP instead of loadbalancing requests.
      ##
      clusterIP: None
      ## @param server.thanos.service.nodePorts.grpc Specify the nodePort value for the LoadBalancer and NodePort service types.
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
      ## e.g:
      ## nodePort: 30901
      ##
      nodePorts:
        grpc: ""
      ## @param server.thanos.service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer`
      ## Set the LoadBalancer service type to internal only
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
      ##
      loadBalancerIP: ""
      ## @param server.thanos.service.loadBalancerClass Thanos service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerClass: ""
      ## @param server.thanos.service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer`
      ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param server.thanos.service.annotations Additional annotations for Prometheus service
      ##
      annotations: {}
      ## @param server.thanos.service.extraPorts Additional ports to expose from the Thanos sidecar container
      ## extraPorts:
      ##   - name: http
      ##     port: 10902
      ##     targetPort: http
      ##     protocol: TCP
      ##
      extraPorts: []
      ## @param server.thanos.service.externalTrafficPolicy Prometheus service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param server.thanos.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
      ## If "ClientIP", consecutive client requests will be directed to the same Pod
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
      ##
      sessionAffinity: None
      ## @param server.thanos.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
## Configure the ingress resource that allows you to access the
1274
## Thanos Sidecar installation. Set up the URL
1275
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
1276
##
1277
ingress:
1278
## @param server.thanos.ingress.enabled Enable ingress controller resource
1279
##
1280
enabled: false
1281
## @param server.thanos.ingress.pathType Ingress path type
1282
##
1283
pathType: ImplementationSpecific
1284
## @param server.thanos.ingress.hostname Default host for the ingress record
1285
##
1286
hostname: thanos.prometheus.local
1287
## @param server.thanos.ingress.path Default path for the ingress record
1288
## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
1289
##
1290
path: /
1291
## @param server.thanos.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
1292
## For a full list of possible ingress annotations, please see
1293
## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
1294
## Use this parameter to set the required annotations for cert-manager, see
1295
## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
1296
##
1297
## Examples:
1298
## kubernetes.io/ingress.class: nginx
1299
## cert-manager.io/cluster-issuer: cluster-issuer-name
1300
##
1301
annotations: {}
1302
      ## @param server.thanos.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
      ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
      ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
      ##
      ingressClassName: ""
      ## @param server.thanos.ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
      ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
      ## You can:
      ##   - Use the `ingress.secrets` parameter to create this TLS secret
      ##   - Rely on cert-manager to create it by setting `ingress.certManager=true`
      ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
      ##
      tls: false
      ## @param server.thanos.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
      ##
      selfSigned: false
      ## @param server.thanos.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
      ## e.g:
      ## extraHosts:
      ##   - name: thanos.prometheus.local
      ##     path: /
      ##
      extraHosts: []
      ## @param server.thanos.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
      ## e.g:
      ## extraPaths:
      ##   - path: /*
      ##     backend:
      ##       serviceName: ssl-redirect
      ##       servicePort: use-annotation
      ##
      extraPaths: []
      ## @param server.thanos.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
      ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      ## e.g:
      ## extraTls:
      ##   - hosts:
      ##       - thanos.prometheus.local
      ##     secretName: thanos.prometheus.local-tls
      ##
      extraTls: []
      ## @param server.thanos.ingress.secrets Custom TLS certificates as secrets
      ## NOTE: 'key' and 'certificate' are expected in PEM format
      ## NOTE: 'name' should line up with a 'secretName' set further up
      ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
      ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
      ## It is also possible to create and manage the certificates outside of this helm chart
      ## Please see README.md for more information
      ## e.g:
      ## secrets:
      ##   - name: thanos.prometheus.local-tls
      ##     key: |-
      ##       -----BEGIN RSA PRIVATE KEY-----
      ##       ...
      ##       -----END RSA PRIVATE KEY-----
      ##     certificate: |-
      ##       -----BEGIN CERTIFICATE-----
      ##       ...
      ##       -----END CERTIFICATE-----
      ##
      secrets: []
      ## @param server.thanos.ingress.extraRules The list of additional rules to be added to this ingress record. Evaluated as a template
      ## Useful when looking for additional customization, such as using different backend
      ##
      extraRules: []
  ## Prometheus Server ingress parameters
  ## ref: http://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param server.ingress.enabled Enable ingress record generation for Prometheus
    ##
    enabled: false
    ## @param server.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param server.ingress.hostname Default host for the ingress record
    ##
    hostname: server.prometheus.local
    ## @param server.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param server.ingress.path Default path for the ingress record
    ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param server.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param server.ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
    ## You can:
    ##   - Use the `ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
    ##
    tls: false
    ## @param server.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param server.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
    ## e.g:
    ## extraHosts:
    ##   - name: prometheus.local
    ##     path: /
    ##
    extraHosts: []
    ## @param server.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
    ## e.g:
    ## extraPaths:
    ##   - path: /*
    ##     backend:
    ##       serviceName: ssl-redirect
    ##       servicePort: use-annotation
    ##
    extraPaths: []
    ## @param server.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## e.g:
    ## extraTls:
    ##   - hosts:
    ##       - prometheus.local
    ##     secretName: prometheus.local-tls
    ##
    extraTls: []
    ## @param server.ingress.secrets Custom TLS certificates as secrets
    ## NOTE: 'key' and 'certificate' are expected in PEM format
    ## NOTE: 'name' should line up with a 'secretName' set further up
    ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
    ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: prometheus.local-tls
    ##     key: |-
    ##       -----BEGIN RSA PRIVATE KEY-----
    ##       ...
    ##       -----END RSA PRIVATE KEY-----
    ##     certificate: |-
    ##       -----BEGIN CERTIFICATE-----
    ##       ...
    ##       -----END CERTIFICATE-----
    ##
    secrets: []
    ## @param server.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ##   - host: example.local
    ##     http:
    ##       path: /
    ##       backend:
    ##         service:
    ##           name: example-svc
    ##           port:
    ##             name: http
    ##
    extraRules: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param server.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param server.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param server.serviceAccount.annotations Additional Service Account annotations (evaluated as a template)
    ##
    annotations: {}
    ## @param server.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param server.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param server.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param server.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param server.networkPolicy.addExternalClientAccess Allow access from pods with client label set to "true". Ignored if `server.networkPolicy.allowExternal` is true.
    ##
    addExternalClientAccess: true
    ## @param server.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    extraIngress: []
    ## @param server.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
    ## @param server.networkPolicy.ingressPodMatchLabels [object] Labels to match to allow traffic from other pods. Ignored if `server.networkPolicy.allowExternal` is true.
    ## e.g:
    ## ingressPodMatchLabels:
    ##   my-client: "true"
    ##
    ingressPodMatchLabels: {}
    ## @param server.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces. Ignored if `server.networkPolicy.allowExternal` is true.
    ## @param server.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces. Ignored if `server.networkPolicy.allowExternal` is true.
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Prometheus service parameters
  ##
  service:
    ## @param server.service.type Prometheus service type
    ##
    type: LoadBalancer
    ## @param server.service.ports.http Prometheus service HTTP port
    ##
    ports:
      http: 80
    ## Node ports to expose
    ## @param server.service.nodePorts.http Node port for HTTP
    ## NOTE: choose port between <30000-32767>
    ##
    nodePorts:
      http: ""
    ## @param server.service.clusterIP Prometheus service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param server.service.loadBalancerIP Prometheus service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param server.service.loadBalancerClass Prometheus service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param server.service.loadBalancerSourceRanges Prometheus service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param server.service.externalTrafficPolicy Prometheus service external traffic policy
    ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param server.service.annotations Additional custom annotations for Prometheus service
    ##
    annotations: {}
    ## @param server.service.extraPorts Extra ports to expose in Prometheus service (normally used with the `sidecars` value)
    ##
    extraPorts: []
    ## @param server.service.sessionAffinity Control where client requests go, to the same pod or round-robin. ClientIP by default.
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: ClientIP
    ## @param server.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Persistence Parameters
  ##

  ## Enable persistence using Persistent Volume Claims
  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param server.persistence.enabled Enable persistence using Persistent Volume Claims. If you have multiple instances (server.replicaCount > 1), please consider using an external storage service like Thanos or Grafana Mimir
    ##
    enabled: false
    ## @param server.persistence.mountPath Path to mount the volume at.
    ##
    mountPath: /iamguarded/prometheus/data
    ## @param server.persistence.subPath The subdirectory of the volume to mount to, useful in dev environments and one PV for multiple services
    ##
    subPath: ""
    ## @param server.persistence.storageClass Storage class of backing PVC
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner. (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass: ""
    ## @param server.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
    ## @param server.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param server.persistence.size Size of data volume
    ##
    size: 8Gi
    ## @param server.persistence.existingClaim The name of an existing PVC to use for persistence
    ##
    existingClaim: ""
    ## @param server.persistence.selector Selector to match an existing Persistent Volume for Prometheus data PVC
    ## If set, the PVC can't have a PV dynamically provisioned for it
    ## E.g.
    ## selector:
    ##   matchLabels:
    ##     app: my-app
    ##
    selector: {}
    ## @param server.persistence.dataSource Custom PVC data source
    ##
    dataSource: {}
  ## RBAC configuration
  ##
  rbac:
    ## @param server.rbac.create Specifies whether RBAC resources should be created
    ##
    create: true
    ## @param server.rbac.includeDefaultRules Specifies whether to include default rules from official prometheus helm chart
    ## ref: https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus/templates/clusterrole.yaml
    ##
    includeDefaultRules: true
    ## @param server.rbac.rules Custom RBAC rules to set
    ## e.g:
    ## rules:
    ##   - apiGroups:
    ##       - ""
    ##     resources:
    ##       - pods
    ##     verbs:
    ##       - get
    ##       - list
    ##
    rules: []
## @section Init Container Parameters
##

## 'volumePermissions' init container parameters
## Changes the owner and group of the persistent volume mount point to runAsUser:fsGroup values
##   based on the *podSecurityContext/*containerSecurityContext parameters
##
volumePermissions:
  ## @param volumePermissions.enabled Enable init container that changes the owner/group of the PV mount point to `runAsUser:fsGroup`
  ##
  enabled: false
  ## OS Shell + Utility image
  ## @param volumePermissions.image.registry [default: REGISTRY_NAME] OS Shell + Utility image registry
  ## @param volumePermissions.image.repository [default: REPOSITORY_NAME/os-shell] OS Shell + Utility image repository
  ## @skip volumePermissions.image.tag OS Shell + Utility image tag (immutable tags are recommended)
  ## @param volumePermissions.image.pullPolicy OS Shell + Utility image pull policy
  ## @param volumePermissions.image.pullSecrets OS Shell + Utility image pull secrets
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/os-shell-iamguarded
    tag: 1.0.0
    pullPolicy: IfNotPresent
    digest: ""
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Init container's resource requests and limits
  ## ref: http://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Init container Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
  ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
  ##   data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
  ##   "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
  ##
  containerSecurityContext:
    seLinuxOptions: {}
    runAsUser: 0
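
A values override that narrows the exposure-related defaults documented above, using only keys that appear in this file. It is an added example, not part of the Chainguard or upstream chart; the hostname, IngressClass name, issuer name, CIDR and the namespace and pod labels of the ingress controller are assumptions to replace with your own.

```yaml
# hardened-values.yaml (added example; values marked "assumption" are placeholders)
server:
  service:
    # Default in this file: type LoadBalancer, port 80, empty loadBalancerSourceRanges.
    # ClusterIP keeps the plain-HTTP port inside the cluster; the Ingress below
    # becomes the only external entry point.
    type: ClusterIP
    ports:
      http: 80
    # If a LoadBalancer is required, keep the type and restrict the sources instead:
    # type: LoadBalancer
    # loadBalancerSourceRanges:
    #   - 10.10.10.0/24            # assumption: your admin network
  ingress:
    enabled: true
    hostname: prometheus.example.internal        # assumption
    ingressClassName: nginx                      # assumption: this IngressClass exists
    # tls: true makes the Ingress reference the "<hostname>-tls" secret.
    # selfSigned stays false so cert-manager issues it via the annotation.
    tls: true
    selfSigned: false
    annotations:
      cert-manager.io/cluster-issuer: cluster-issuer-name   # assumption
  networkPolicy:
    enabled: true
    # Default is true, which accepts connections from any source on the server port.
    allowExternal: false
    # The selectors below are ignored while allowExternal is true.
    addExternalClientAccess: true
    # Let the ingress controller through, otherwise the Ingress above cannot
    # reach the server once allowExternal is false.
    ingressNSMatchLabels:
      kubernetes.io/metadata.name: ingress-nginx   # assumption: controller namespace
    ingressNSPodMatchLabels:
      app.kubernetes.io/name: ingress-nginx        # assumption: controller pod label
    # Left at the chart default: the server has to reach its scrape targets.
    # Tightening it means enumerating those targets under extraEgress.
    allowExternalEgress: true
volumePermissions:
  # The init container's containerSecurityContext sets runAsUser: 0.
  # Keep it disabled unless the volume really needs a chown.
  enabled: false
```

Pass the file with `-f hardened-values.yaml`, and render it with `helm template` first to inspect the resulting Service, Ingress and NetworkPolicy before applying.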