baschno/buun-stack
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cc77b4a5e019f0d1795135c5219c99546d9e18e0
buun-stack/prometheus/values.gomplate.yaml

297 lines
6.6 KiB
YAML
Raw Blame History

---
# kube-prometheus-stack Helm chart values
# https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml
grafana:
enabled: true
securityContext:
runAsNonRoot: true
runAsUser: 472
runAsGroup: 472
fsGroup: 472
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: false
runAsNonRoot: true
runAsUser: 472
runAsGroup: 472
seccompProfile:
type: RuntimeDefault
admin:
existingSecret: grafana-admin-credentials
userKey: admin-user
passwordKey: admin-password
{{- if .Env.GRAFANA_OIDC_ENABLED }}
# Reference OIDC client secret from Kubernetes Secret
envValueFrom:
GRAFANA_OIDC_CLIENT_SECRET:
secretKeyRef:
name: grafana-oidc-credentials
key: client-secret
{{- end }}
ingress:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- {{ .Env.GRAFANA_HOST }}
tls:
- hosts:
- {{ .Env.GRAFANA_HOST }}
# Grafana configuration
grafana.ini:
server:
root_url: https://{{ .Env.GRAFANA_HOST }}
{{- if .Env.GRAFANA_OIDC_ENABLED }}
auth.generic_oauth:
enabled: true
name: Keycloak
allow_sign_up: true
client_id: grafana
client_secret: $__env{GRAFANA_OIDC_CLIENT_SECRET}
scopes: openid profile email
auth_url: https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/auth
token_url: https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/token
api_url: https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/userinfo
use_refresh_token: true
role_attribute_path: "contains(groups[*], 'grafana-admins') && 'Admin' || contains(groups[*], 'grafana-editors') && 'Editor' || 'Viewer'"
signout_redirect_url: https://{{ .Env.KEYCLOAK_HOST }}/realms/{{ .Env.KEYCLOAK_REALM }}/protocol/openid-connect/logout?post_logout_redirect_uri=https://{{ .Env.GRAFANA_HOST }}/login
{{- end }}
# Persist Grafana data
persistence:
enabled: true
size: 10Gi
# Resource configuration based on Goldilocks/VPA recommendations
resources:
requests:
cpu: 15m
memory: 480Mi
limits:
cpu: 50m
memory: 704Mi
sidecar:
resources:
requests:
cpu: 15m
memory: 128Mi
limits:
cpu: 25m
memory: 192Mi
# Prometheus Configuration
prometheus:
prometheusSpec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 2000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
containers:
- name: prometheus
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
# Retention settings
retention: 30d
retentionSize: "50GB"
# Storage
storageSpec:
volumeClaimTemplate:
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 50Gi
# ServiceMonitor selection
# Select ServiceMonitors with release label only in namespaces with enable-monitoring label
serviceMonitorSelectorNilUsesHelmValues: true
serviceMonitorNamespaceSelector:
matchLabels:
buun.channel/enable-monitoring: "true"
# Resource configuration based on observed usage patterns
resources:
requests:
cpu: 100m
memory: 1.2Gi
limits:
cpu: 500m
memory: 2.5Gi
{{- if .Env.PROMETHEUS_HOST }}
ingress:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- {{ .Env.PROMETHEUS_HOST }}
tls:
- hosts:
- {{ .Env.PROMETHEUS_HOST }}
{{- end }}
# Alertmanager Configuration
alertmanager:
alertmanagerSpec:
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 2000
fsGroup: 2000
seccompProfile:
type: RuntimeDefault
containers:
- name: alertmanager
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
# Storage
storage:
volumeClaimTemplate:
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi
# Resource configuration based on observed usage patterns
resources:
requests:
cpu: 15m
memory: 64Mi
limits:
cpu: 50m
memory: 128Mi
{{- if .Env.ALERTMANAGER_HOST }}
ingress:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- {{ .Env.ALERTMANAGER_HOST }}
tls:
- hosts:
- {{ .Env.ALERTMANAGER_HOST }}
{{- end }}
# Enable default monitoring targets
kubeApiServer:
enabled: true
kubelet:
enabled: true
kubeControllerManager:
enabled: true
coreDns:
enabled: true
kubeEtcd:
enabled: true
kubeScheduler:
enabled: true
kubeProxy:
enabled: true
kubeStateMetrics:
enabled: true
# kube-state-metrics subchart configuration
kube-state-metrics:
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
fsGroup: 65534
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
# Resource configuration based on Goldilocks/VPA recommendations
resources:
requests:
cpu: 15m
memory: 128Mi
limits:
cpu: 50m
memory: 256Mi
nodeExporter:
enabled: true
# prometheus-node-exporter subchart configuration
prometheus-node-exporter:
# Resource configuration based on Goldilocks/VPA recommendations
resources:
requests:
cpu: 15m
memory: 128Mi
limits:
cpu: 50m
memory: 256Mi
# Prometheus Operator Configuration
# Resource configuration based on Goldilocks/VPA recommendations
prometheusOperator:
securityContext:
runAsNonRoot: true
runAsUser: 65534
runAsGroup: 65534
fsGroup: 65534
seccompProfile:
type: RuntimeDefault
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
resources:
requests:
cpu: 15m
memory: 110Mi
limits:
cpu: 50m
memory: 192Mi
Reference in New Issue View Git Blame Copy Permalink