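---
# kube-prometheus-stack Helm chart values
# https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml
#
# This file is a template: `{{ .Env.* }}` placeholders are expanded by an
# external templating step before Helm parses it as YAML. Every templated
# scalar is double-quoted so that the rendered value is always read as a
# string (a host that happens to look like a number or boolean would
# otherwise be retyped, and an empty expansion would become null).

grafana:
  enabled: true
  # Pod-level security context (472 is the grafana user in the upstream image).
  securityContext:
    runAsNonRoot: true
    runAsUser: 472
    runAsGroup: 472
    fsGroup: 472
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    # Left writable, unlike every other component in this file.
    # NOTE(review): persistent data lives on the PVC below; confirm whether the
    # container still needs a writable root (plugins/provisioning scratch) or
    # whether an emptyDir for those paths would allow `true` here.
    readOnlyRootFilesystem: false
    runAsNonRoot: true
    runAsUser: 472
    runAsGroup: 472
    seccompProfile:
      type: RuntimeDefault
  # Admin credentials are read from an existing Secret, never stored here.
  admin:
    existingSecret: grafana-admin-credentials
    userKey: admin-user
    passwordKey: admin-password
{{- if eq .Env.GRAFANA_OIDC_ENABLED "true" }}
  # Reference OIDC client secret from Kubernetes Secret; it reaches grafana.ini
  # through the $__env{...} expansion below rather than as plain text.
  envValueFrom:
    GRAFANA_OIDC_CLIENT_SECRET:
      secretKeyRef:
        name: grafana-oidc-credentials
        key: client-secret
{{- end }}
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
    hosts:
      - "{{ .Env.GRAFANA_HOST }}"
    # No secretName is given here; TLS termination relies on whatever the
    # Traefik entrypoint / certificate issuer provides for this host.
    tls:
      - hosts:
          - "{{ .Env.GRAFANA_HOST }}"
  # Grafana configuration
  grafana.ini:
    server:
      root_url: "https://{{ .Env.GRAFANA_HOST }}"
{{- if eq .Env.GRAFANA_OIDC_ENABLED "true" }}
    auth.generic_oauth:
      enabled: true
      name: Keycloak
      # allow_sign_up lets any user the Keycloak realm authenticates create a
      # Grafana account; with the role mapping below such users land as Viewer
      # unless they carry one of the named groups. Restrict the realm/client
      # (or use Grafana's allowed_groups / role_attribute_strict options) if
      # "everyone in the realm can see dashboards" is not intended.
      allow_sign_up: true
      client_id: grafana
      client_secret: $__env{GRAFANA_OIDC_CLIENT_SECRET}
      scopes: openid profile email
      auth_url: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/auth"
      token_url: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/token"
      api_url: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/userinfo"
      use_refresh_token: true
      # Group -> role mapping; first match wins, default Viewer.
      role_attribute_path: "contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-editors') && 'Editor' || 'Viewer'"
      signout_redirect_url: "https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/logout?post_logout_redirect_uri=https://{{ .Env.GRAFANA_HOST }}/login"
{{- end }}
  # Persist Grafana data
  persistence:
    enabled: true
    size: 10Gi
  # Resource configuration based on Goldilocks/VPA recommendations
  resources:
    requests:
      cpu: 15m
      memory: 480Mi
    limits:
      cpu: 50m
      memory: 704Mi
  sidecar:
    resources:
      requests:
        cpu: 15m
        memory: 128Mi
      limits:
        cpu: 25m
        memory: 192Mi

# Prometheus Configuration
prometheus:
  prometheusSpec:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      runAsGroup: 2000
      fsGroup: 2000
      seccompProfile:
        type: RuntimeDefault
    # Patched onto the operator-generated container of the same name.
    containers:
      - name: prometheus
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
    # Retention settings
    retention: 30d
    # NOTE(review): 50GB (decimal) on a 50Gi volume leaves only a few GiB of
    # headroom for the WAL and compaction; consider a lower retentionSize if
    # the volume fills before the size-based retention triggers.
    retentionSize: "50GB"
    # Storage
    storageSpec:
      volumeClaimTemplate:
        spec:
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 50Gi
    # ServiceMonitor selection
    # Select ServiceMonitors with release label only in namespaces with enable-monitoring label
    serviceMonitorSelectorNilUsesHelmValues: true
    serviceMonitorNamespaceSelector:
      matchLabels:
        buun.channel/enable-monitoring: "true"
    # Resource configuration based on observed usage patterns
    resources:
      requests:
        cpu: 100m
        memory: 1.2Gi
      limits:
        cpu: 500m
        memory: 2.5Gi
{{- if .Env.PROMETHEUS_HOST }}
  # NOTE(review): Prometheus has no built-in authentication. Only the TLS
  # entrypoint is set here, so everything behind this host (all scraped
  # metrics, targets, config) is reachable by anyone who can resolve it unless
  # an auth middleware is attached to the router (Traefik's
  # router.middlewares annotation) or the host is network-restricted. Confirm.
  # Also confirm the templating engine tolerates an unset PROMETHEUS_HOST here;
  # some engines fail on a missing .Env key instead of yielding false.
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
    hosts:
      - "{{ .Env.PROMETHEUS_HOST }}"
    tls:
      - hosts:
          - "{{ .Env.PROMETHEUS_HOST }}"
{{- end }}

# Alertmanager Configuration
alertmanager:
  alertmanagerSpec:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      runAsGroup: 2000
      fsGroup: 2000
      seccompProfile:
        type: RuntimeDefault
    containers:
      - name: alertmanager
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - ALL
          readOnlyRootFilesystem: true
    # Storage
    storage:
      volumeClaimTemplate:
        spec:
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 10Gi
    # Resource configuration based on observed usage patterns
    resources:
      requests:
        cpu: 15m
        memory: 64Mi
      limits:
        cpu: 50m
        memory: 128Mi
{{- if .Env.ALERTMANAGER_HOST }}
  # NOTE(review): as with the Prometheus ingress above, Alertmanager has no
  # built-in auth; an unauthenticated UI lets anyone create silences. Put an
  # auth middleware in front of it or keep it off the public entrypoint.
  ingress:
    enabled: true
    ingressClassName: traefik
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
    hosts:
      - "{{ .Env.ALERTMANAGER_HOST }}"
    tls:
      - hosts:
          - "{{ .Env.ALERTMANAGER_HOST }}"
{{- end }}

# Enable default monitoring targets
kubeApiServer:
  enabled: true
kubelet:
  enabled: true
kubeControllerManager:
  enabled: true
coreDns:
  enabled: true
kubeEtcd:
  enabled: true
kubeScheduler:
  enabled: true
kubeProxy:
  enabled: true
kubeStateMetrics:
  enabled: true

# kube-state-metrics subchart configuration (65534 = nobody)
kube-state-metrics:
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    fsGroup: 65534
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
  # Resource configuration based on Goldilocks/VPA recommendations
  resources:
    requests:
      cpu: 15m
      memory: 128Mi
    limits:
      cpu: 50m
      memory: 256Mi

nodeExporter:
  enabled: true

# prometheus-node-exporter subchart configuration
# (no securityContext override here; the subchart's defaults apply)
prometheus-node-exporter:
  # Resource configuration based on Goldilocks/VPA recommendations
  resources:
    requests:
      cpu: 15m
      memory: 128Mi
    limits:
      cpu: 50m
      memory: 256Mi

# Prometheus Operator Configuration
# Resource configuration based on Goldilocks/VPA recommendations
prometheusOperator:
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    runAsGroup: 65534
    fsGroup: 65534
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true
  resources:
    requests:
      cpu: 15m
      memory: 110Mi
    limits:
      cpu: 50m
      memory: 192Mi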