58 KiB
Grafana Helm Chart
- Installs the web dashboarding system Grafana
Get Repo Info
helm repo add grafana https://grafana.github.io/helm-charts
helm repo update
See helm repo for command documentation.
Installing the Chart
To install the chart with the release name my-release
:
helm install my-release grafana/grafana
Uninstalling the Chart
To uninstall/delete the my-release deployment:
helm delete my-release
The command removes all the Kubernetes components associated with the chart and deletes the release.
Upgrading an existing Release to a new major version
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an incompatible breaking change needing manual actions.
To 4.0.0 (And 3.12.1)
This version requires Helm >= 2.12.0.
To 5.0.0
You have to add --force to your helm upgrade command as the labels of the chart have changed.
To 6.0.0
This version requires Helm >= 3.1.0.
To 7.0.0
For consistency with other Helm charts, the global.image.registry
parameter was renamed
to global.imageRegistry
. If you were not previously setting global.image.registry
, no action
is required on upgrade. If you were previously setting global.image.registry
, you will
need to instead set global.imageRegistry
.
Configuration
Parameter | Description | Default |
---|---|---|
replicas |
Number of nodes | 1 |
podDisruptionBudget.minAvailable |
Pod disruption minimum available | nil |
podDisruptionBudget.maxUnavailable |
Pod disruption maximum unavailable | nil |
podDisruptionBudget.apiVersion |
Pod disruption apiVersion | nil |
deploymentStrategy |
Deployment strategy | { "type": "RollingUpdate" } |
livenessProbe |
Liveness Probe settings | { "httpGet": { "path": "/api/health", "port": 3000 } "initialDelaySeconds": 60, "timeoutSeconds": 30, "failureThreshold": 10 } |
readinessProbe |
Readiness Probe settings | { "httpGet": { "path": "/api/health", "port": 3000 } } |
securityContext |
Deployment securityContext | {"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472} |
priorityClassName |
Name of Priority Class to assign pods | nil |
image.registry |
Image registry | docker.io |
image.repository |
Image repository | grafana/grafana |
image.tag |
Overrides the Grafana image tag whose default is the chart appVersion (Must be >= 5.0.0 ) |
`` |
image.sha |
Image sha (optional) | `` |
image.pullPolicy |
Image pull policy | IfNotPresent |
image.pullSecrets |
Image pull secrets (can be templated) | [] |
service.enabled |
Enable grafana service | true |
service.ipFamilies |
Kubernetes service IP families | [] |
service.ipFamilyPolicy |
Kubernetes service IP family policy | "" |
service.type |
Kubernetes service type | ClusterIP |
service.port |
Kubernetes port where service is exposed | 80 |
service.portName |
Name of the port on the service | service |
service.appProtocol |
Adds the appProtocol field to the service | `` |
service.targetPort |
Internal service is port | 3000 |
service.nodePort |
Kubernetes service nodePort | nil |
service.annotations |
Service annotations (can be templated) | {} |
service.labels |
Custom labels | {} |
service.clusterIP |
internal cluster service IP | nil |
service.loadBalancerIP |
IP address to assign to load balancer (if supported) | nil |
service.loadBalancerSourceRanges |
list of IP CIDRs allowed access to lb (if supported) | [] |
service.externalIPs |
service external IP addresses | [] |
service.externalTrafficPolicy |
change the default externalTrafficPolicy | nil |
headlessService |
Create a headless service | false |
extraExposePorts |
Additional service ports for sidecar containers | [] |
hostAliases |
adds rules to the pod's /etc/hosts | [] |
ingress.enabled |
Enables Ingress | false |
ingress.annotations |
Ingress annotations (values are templated) | {} |
ingress.labels |
Custom labels | {} |
ingress.path |
Ingress accepted path | / |
ingress.pathType |
Ingress type of path | Prefix |
ingress.hosts |
Ingress accepted hostnames | ["chart-example.local"] |
ingress.extraPaths |
Ingress extra paths to prepend to every host configuration. Useful when configuring custom actions with AWS ALB Ingress Controller. Requires ingress.hosts to have one or more host entries. |
[] |
ingress.tls |
Ingress TLS configuration | [] |
ingress.ingressClassName |
Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 | "" |
resources |
CPU/Memory resource requests/limits | {} |
nodeSelector |
Node labels for pod assignment | {} |
tolerations |
Toleration labels for pod assignment | [] |
affinity |
Affinity settings for pod assignment | {} |
extraInitContainers |
Init containers to add to the grafana pod | {} |
extraContainers |
Sidecar containers to add to the grafana pod | "" |
extraContainerVolumes |
Volumes that can be mounted in sidecar containers | [] |
extraLabels |
Custom labels for all manifests | {} |
schedulerName |
Name of the k8s scheduler (other than default) | nil |
persistence.enabled |
Use persistent volume to store data | false |
persistence.type |
Type of persistence (pvc or statefulset ) |
pvc |
persistence.size |
Size of persistent volume claim | 10Gi |
persistence.existingClaim |
Use an existing PVC to persist data (can be templated) | nil |
persistence.storageClassName |
Type of persistent volume claim | nil |
persistence.accessModes |
Persistence access modes | [ReadWriteOnce] |
persistence.annotations |
PersistentVolumeClaim annotations | {} |
persistence.finalizers |
PersistentVolumeClaim finalizers | [ "kubernetes.io/pvc-protection" ] |
persistence.extraPvcLabels |
Extra labels to apply to a PVC. | {} |
persistence.subPath |
Mount a sub dir of the persistent volume (can be templated) | nil |
persistence.inMemory.enabled |
If persistence is not enabled, whether to mount the local storage in-memory to improve performance | false |
persistence.inMemory.sizeLimit |
SizeLimit for the in-memory local storage | nil |
persistence.disableWarning |
Hide NOTES warning, useful when persisting to a database | false |
initChownData.enabled |
If false, don't reset data ownership at startup | true |
initChownData.image.registry |
init-chown-data container image registry | docker.io |
initChownData.image.repository |
init-chown-data container image repository | busybox |
initChownData.image.tag |
init-chown-data container image tag | 1.31.1 |
initChownData.image.sha |
init-chown-data container image sha (optional) | "" |
initChownData.image.pullPolicy |
init-chown-data container image pull policy | IfNotPresent |
initChownData.resources |
init-chown-data pod resource requests & limits | {} |
schedulerName |
Alternate scheduler name | nil |
env |
Extra environment variables passed to pods | {} |
envValueFrom |
Environment variables from alternate sources. See the API docs on EnvVarSource for format details. Can be templated | {} |
envFromSecret |
Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | "" |
envFromSecrets |
List of Kubernetes secrets (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | [] |
envFromConfigMaps |
List of Kubernetes ConfigMaps (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | [] |
envRenderSecret |
Sensible environment variables passed to pods and stored as secret. (passed through tpl) | {} |
enableServiceLinks |
Inject Kubernetes services as environment variables. | true |
extraSecretMounts |
Additional grafana server secret mounts | [] |
extraVolumeMounts |
Additional grafana server volume mounts | [] |
extraVolumes |
Additional Grafana server volumes | [] |
automountServiceAccountToken |
Mounted the service account token on the grafana pod. Mandatory, if sidecars are enabled | true |
createConfigmap |
Enable creating the grafana configmap | true |
extraConfigmapMounts |
Additional grafana server configMap volume mounts (values are templated) | [] |
extraEmptyDirMounts |
Additional grafana server emptyDir volume mounts | [] |
plugins |
Plugins to be loaded along with Grafana | [] |
datasources |
Configure grafana datasources (passed through tpl) | {} |
alerting |
Configure grafana alerting (passed through tpl) | {} |
notifiers |
Configure grafana notifiers | {} |
dashboardProviders |
Configure grafana dashboard providers | {} |
dashboards |
Dashboards to import | {} |
dashboardsConfigMaps |
ConfigMaps reference that contains dashboards | {} |
grafana.ini |
Grafana's primary configuration | {} |
global.imageRegistry |
Global image pull registry for all images. | null |
global.imagePullSecrets |
Global image pull secrets (can be templated). Allows either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). | [] |
ldap.enabled |
Enable LDAP authentication | false |
ldap.existingSecret |
The name of an existing secret containing the ldap.toml file, this must have the key ldap-toml . |
"" |
ldap.config |
Grafana's LDAP configuration | "" |
annotations |
Deployment annotations | {} |
labels |
Deployment labels | {} |
podAnnotations |
Pod annotations | {} |
podLabels |
Pod labels | {} |
podPortName |
Name of the grafana port on the pod | grafana |
lifecycleHooks |
Lifecycle hooks for podStart and preStop Example | {} |
sidecar.image.registry |
Sidecar image registry | quay.io |
sidecar.image.repository |
Sidecar image repository | kiwigrid/k8s-sidecar |
sidecar.image.tag |
Sidecar image tag | 1.28.0 |
sidecar.image.sha |
Sidecar image sha (optional) | "" |
sidecar.imagePullPolicy |
Sidecar image pull policy | IfNotPresent |
sidecar.resources |
Sidecar resources | {} |
sidecar.securityContext |
Sidecar securityContext | {} |
sidecar.enableUniqueFilenames |
Sets the kiwigrid/k8s-sidecar UNIQUE_FILENAMES environment variable. If set to true the sidecar will create unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. |
false |
sidecar.alerts.enabled |
Enables the cluster wide search for alerts and adds/updates/deletes them in grafana | false |
sidecar.alerts.label |
Label that config maps with alerts should have to be added | grafana_alert |
sidecar.alerts.labelValue |
Label value that config maps with alerts should have to be added | "" |
sidecar.alerts.searchNamespace |
Namespaces list. If specified, the sidecar will search for alerts config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | nil |
sidecar.alerts.watchMethod |
Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | WATCH |
sidecar.alerts.resource |
Should the sidecar looks into secrets, configmaps or both. | both |
sidecar.alerts.reloadURL |
Full url of datasource configuration reload API endpoint, to invoke after a config-map change | "http://localhost:3000/api/admin/provisioning/alerting/reload" |
sidecar.alerts.skipReload |
Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | false |
sidecar.alerts.initAlerts |
Set to true to deploy the alerts sidecar as an initContainer. This is needed if skipReload is true, to load any alerts defined at startup time. | false |
sidecar.alerts.extraMounts |
Additional alerts sidecar volume mounts. | [] |
sidecar.dashboards.enabled |
Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | false |
sidecar.dashboards.SCProvider |
Enables creation of sidecar provider | true |
sidecar.dashboards.provider.name |
Unique name of the grafana provider | sidecarProvider |
sidecar.dashboards.provider.orgid |
Id of the organisation, to which the dashboards should be added | 1 |
sidecar.dashboards.provider.folder |
Logical folder in which grafana groups dashboards | "" |
sidecar.dashboards.provider.folderUid |
Allows you to specify the static UID for the logical folder above | "" |
sidecar.dashboards.provider.disableDelete |
Activate to avoid the deletion of imported dashboards | false |
sidecar.dashboards.provider.allowUiUpdates |
Allow updating provisioned dashboards from the UI | false |
sidecar.dashboards.provider.type |
Provider type | file |
sidecar.dashboards.provider.foldersFromFilesStructure |
Allow Grafana to replicate dashboard structure from filesystem. | false |
sidecar.dashboards.watchMethod |
Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | WATCH |
sidecar.skipTlsVerify |
Set to true to skip tls verification for kube api calls | nil |
sidecar.dashboards.label |
Label that config maps with dashboards should have to be added | grafana_dashboard |
sidecar.dashboards.labelValue |
Label value that config maps with dashboards should have to be added | "" |
sidecar.dashboards.folder |
Folder in the pod that should hold the collected dashboards (unless sidecar.dashboards.defaultFolderName is set). This path will be mounted. |
/tmp/dashboards |
sidecar.dashboards.folderAnnotation |
The annotation the sidecar will look for in configmaps to override the destination folder for files | nil |
sidecar.dashboards.defaultFolderName |
The default folder name, it will create a subfolder under the sidecar.dashboards.folder and put dashboards in there instead |
nil |
sidecar.dashboards.searchNamespace |
Namespaces list. If specified, the sidecar will search for dashboards config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | nil |
sidecar.dashboards.script |
Absolute path to shell script to execute after a configmap got reloaded. | nil |
sidecar.dashboards.reloadURL |
Full url of dashboards configuration reload API endpoint, to invoke after a config-map change | "http://localhost:3000/api/admin/provisioning/dashboards/reload" |
sidecar.dashboards.skipReload |
Enabling this omits defining the REQ_USERNAME, REQ_PASSWORD, REQ_URL and REQ_METHOD environment variables | false |
sidecar.dashboards.resource |
Should the sidecar looks into secrets, configmaps or both. | both |
sidecar.dashboards.extraMounts |
Additional dashboard sidecar volume mounts. | [] |
sidecar.datasources.enabled |
Enables the cluster wide search for datasources and adds/updates/deletes them in grafana | false |
sidecar.datasources.label |
Label that config maps with datasources should have to be added | grafana_datasource |
sidecar.datasources.labelValue |
Label value that config maps with datasources should have to be added | "" |
sidecar.datasources.searchNamespace |
Namespaces list. If specified, the sidecar will search for datasources config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | nil |
sidecar.datasources.watchMethod |
Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | WATCH |
sidecar.datasources.resource |
Should the sidecar looks into secrets, configmaps or both. | both |
sidecar.datasources.reloadURL |
Full url of datasource configuration reload API endpoint, to invoke after a config-map change | "http://localhost:3000/api/admin/provisioning/datasources/reload" |
sidecar.datasources.skipReload |
Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | false |
sidecar.datasources.initDatasources |
Set to true to deploy the datasource sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any datasources defined at startup time. | false |
sidecar.notifiers.enabled |
Enables the cluster wide search for notifiers and adds/updates/deletes them in grafana | false |
sidecar.notifiers.label |
Label that config maps with notifiers should have to be added | grafana_notifier |
sidecar.notifiers.labelValue |
Label value that config maps with notifiers should have to be added | "" |
sidecar.notifiers.searchNamespace |
Namespaces list. If specified, the sidecar will search for notifiers config-maps (or secrets) inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | nil |
sidecar.notifiers.watchMethod |
Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | WATCH |
sidecar.notifiers.resource |
Should the sidecar looks into secrets, configmaps or both. | both |
sidecar.notifiers.reloadURL |
Full url of notifier configuration reload API endpoint, to invoke after a config-map change | "http://localhost:3000/api/admin/provisioning/notifications/reload" |
sidecar.notifiers.skipReload |
Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | false |
sidecar.notifiers.initNotifiers |
Set to true to deploy the notifier sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any notifiers defined at startup time. | false |
smtp.existingSecret |
The name of an existing secret containing the SMTP credentials. | "" |
smtp.userKey |
The key in the existing SMTP secret containing the username. | "user" |
smtp.passwordKey |
The key in the existing SMTP secret containing the password. | "password" |
admin.existingSecret |
The name of an existing secret containing the admin credentials (can be templated). | "" |
admin.userKey |
The key in the existing admin secret containing the username. | "admin-user" |
admin.passwordKey |
The key in the existing admin secret containing the password. | "admin-password" |
serviceAccount.automountServiceAccountToken |
Automount the service account token on all pods where is service account is used | false |
serviceAccount.annotations |
ServiceAccount annotations | |
serviceAccount.create |
Create service account | true |
serviceAccount.labels |
ServiceAccount labels | {} |
serviceAccount.name |
Service account name to use, when empty will be set to created account if serviceAccount.create is set else to default |
`` |
serviceAccount.nameTest |
Service account name to use for test, when empty will be set to created account if serviceAccount.create is set else to default |
nil |
rbac.create |
Create and use RBAC resources | true |
rbac.namespaced |
Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | false |
rbac.useExistingRole |
Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | nil |
rbac.pspEnabled |
Create PodSecurityPolicy (with rbac.create , grant roles permissions as well) |
false |
rbac.pspUseAppArmor |
Enforce AppArmor in created PodSecurityPolicy (requires rbac.pspEnabled ) |
false |
rbac.extraRoleRules |
Additional rules to add to the Role | [] |
rbac.extraClusterRoleRules |
Additional rules to add to the ClusterRole | [] |
command |
Define command to be executed by grafana container at startup | nil |
args |
Define additional args if command is used | nil |
testFramework.enabled |
Whether to create test-related resources | true |
testFramework.image.registry |
test-framework image registry. |
docker.io |
testFramework.image.repository |
test-framework image repository. |
bats/bats |
testFramework.image.tag |
test-framework image tag. |
v1.4.1 |
testFramework.imagePullPolicy |
test-framework image pull policy. |
IfNotPresent |
testFramework.securityContext |
test-framework securityContext |
{} |
downloadDashboards.env |
Environment variables to be passed to the download-dashboards container |
{} |
downloadDashboards.envFromSecret |
Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | "" |
downloadDashboards.resources |
Resources of download-dashboards container |
{} |
downloadDashboardsImage.registry |
Curl docker image registry | docker.io |
downloadDashboardsImage.repository |
Curl docker image repository | curlimages/curl |
downloadDashboardsImage.tag |
Curl docker image tag | 7.73.0 |
downloadDashboardsImage.sha |
Curl docker image sha (optional) | "" |
downloadDashboardsImage.pullPolicy |
Curl docker image pull policy | IfNotPresent |
namespaceOverride |
Override the deployment namespace | "" (Release.Namespace ) |
serviceMonitor.enabled |
Use servicemonitor from prometheus operator | false |
serviceMonitor.namespace |
Namespace this servicemonitor is installed in | |
serviceMonitor.interval |
How frequently Prometheus should scrape | 1m |
serviceMonitor.path |
Path to scrape | /metrics |
serviceMonitor.scheme |
Scheme to use for metrics scraping | http |
serviceMonitor.tlsConfig |
TLS configuration block for the endpoint | {} |
serviceMonitor.labels |
Labels for the servicemonitor passed to Prometheus Operator | {} |
serviceMonitor.scrapeTimeout |
Timeout after which the scrape is ended | 30s |
serviceMonitor.relabelings |
RelabelConfigs to apply to samples before scraping. | [] |
serviceMonitor.metricRelabelings |
MetricRelabelConfigs to apply to samples before ingestion. | [] |
revisionHistoryLimit |
Number of old ReplicaSets to retain | 10 |
imageRenderer.enabled |
Enable the image-renderer deployment & service | false |
imageRenderer.image.registry |
image-renderer Image registry | docker.io |
imageRenderer.image.repository |
image-renderer Image repository | grafana/grafana-image-renderer |
imageRenderer.image.tag |
image-renderer Image tag | latest |
imageRenderer.image.sha |
image-renderer Image sha (optional) | "" |
imageRenderer.image.pullPolicy |
image-renderer ImagePullPolicy | Always |
imageRenderer.env |
extra env-vars for image-renderer | {} |
imageRenderer.envValueFrom |
Environment variables for image-renderer from alternate sources. See the API docs on EnvVarSource for format details. Can be templated | {} |
imageRenderer.extraConfigmapMounts |
Additional image-renderer configMap volume mounts (values are templated) | [] |
imageRenderer.extraSecretMounts |
Additional image-renderer secret volume mounts | [] |
imageRenderer.extraVolumeMounts |
Additional image-renderer volume mounts | [] |
imageRenderer.extraVolumes |
Additional image-renderer volumes | [] |
imageRenderer.serviceAccountName |
image-renderer deployment serviceAccountName | "" |
imageRenderer.securityContext |
image-renderer deployment securityContext | {} |
imageRenderer.podAnnotations |
image-renderer image-renderer pod annotation | {} |
imageRenderer.hostAliases |
image-renderer deployment Host Aliases | [] |
imageRenderer.priorityClassName |
image-renderer deployment priority class | '' |
imageRenderer.service.enabled |
Enable the image-renderer service | true |
imageRenderer.service.portName |
image-renderer service port name | http |
imageRenderer.service.port |
image-renderer port used by deployment | 8081 |
imageRenderer.service.targetPort |
image-renderer service port used by service | 8081 |
imageRenderer.appProtocol |
Adds the appProtocol field to the service | `` |
imageRenderer.grafanaSubPath |
Grafana sub path to use for image renderer callback url | '' |
imageRenderer.serverURL |
Remote image renderer url | '' |
imageRenderer.renderingCallbackURL |
Callback url for the Grafana image renderer | '' |
imageRenderer.podPortName |
name of the image-renderer port on the pod | http |
imageRenderer.revisionHistoryLimit |
number of image-renderer replica sets to keep | 10 |
imageRenderer.networkPolicy.limitIngress |
Enable a NetworkPolicy to limit inbound traffic from only the created grafana pods | true |
imageRenderer.networkPolicy.limitEgress |
Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods | false |
imageRenderer.resources |
Set resource limits for image-renderer pods | {} |
imageRenderer.nodeSelector |
Node labels for pod assignment | {} |
imageRenderer.tolerations |
Toleration labels for pod assignment | [] |
imageRenderer.affinity |
Affinity settings for pod assignment | {} |
networkPolicy.enabled |
Enable creation of NetworkPolicy resources. | false |
networkPolicy.allowExternal |
Don't require client label for connections | true |
networkPolicy.explicitNamespacesSelector |
A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | {} |
networkPolicy.ingress |
Enable the creation of an ingress network policy | true |
networkPolicy.egress.enabled |
Enable the creation of an egress network policy | false |
networkPolicy.egress.ports |
An array of ports to allow for the egress | [] |
enableKubeBackwardCompatibility |
Enable backward compatibility of kubernetes where pod's defintion version below 1.13 doesn't have the enableServiceLinks option | false |
Example ingress with path
With grafana 6.3 and above
grafana.ini:
server:
domain: monitoring.example.com
root_url: "%(protocol)s://%(domain)s/grafana"
serve_from_sub_path: true
ingress:
enabled: true
hosts:
- "monitoring.example.com"
path: "/grafana"
Example of extraVolumeMounts and extraVolumes
Configure additional volumes with extraVolumes
and volume mounts with extraVolumeMounts
.
Example for extraVolumeMounts
and corresponding extraVolumes
:
extraVolumeMounts:
- name: plugins
mountPath: /var/lib/grafana/plugins
subPath: configs/grafana/plugins
readOnly: false
- name: dashboards
mountPath: /var/lib/grafana/dashboards
hostPath: /usr/shared/grafana/dashboards
readOnly: false
extraVolumes:
- name: plugins
existingClaim: existing-grafana-claim
- name: dashboards
hostPath: /usr/shared/grafana/dashboards
Volumes default to emptyDir
. Set to persistentVolumeClaim
,
hostPath
, csi
, or configMap
for other types. For a
persistentVolumeClaim
, specify an existing claim name with
existingClaim
.
Import dashboards
There are a few methods to import dashboards to Grafana. Below are some examples and explanations as to how to use each method:
dashboards:
default:
some-dashboard:
json: |
{
"annotations":
...
# Complete json file here
...
"title": "Some Dashboard",
"uid": "abcd1234",
"version": 1
}
custom-dashboard:
# This is a path to a file inside the dashboards directory inside the chart directory
file: dashboards/custom-dashboard.json
prometheus-stats:
# Ref: https://grafana.com/dashboards/2
gnetId: 2
revision: 2
datasource: Prometheus
loki-dashboard-quick-search:
gnetId: 12019
revision: 2
datasource:
- name: DS_PROMETHEUS
value: Prometheus
- name: DS_LOKI
value: Loki
local-dashboard:
url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json
BASE64 dashboards
Dashboards could be stored on a server that does not return JSON directly and instead of it returns a Base64 encoded file (e.g. Gerrit) A new parameter has been added to the url use case so if you specify a b64content value equals to true after the url entry a Base64 decoding is applied before save the file to disk. If this entry is not set or is equals to false not decoding is applied to the file before saving it to disk.
Gerrit use case
Gerrit API for download files has the following schema: https://yourgerritserver/a/{project-name}/branches/{branch-id}/files/{file-id}/content where {project-name} and {file-id} usually has '/' in their values and so they MUST be replaced by %2F so if project-name is user/repo, branch-id is master and file-id is equals to dir1/dir2/dashboard the url value is https://yourgerritserver/a/user%2Frepo/branches/master/files/dir1%2Fdir2%2Fdashboard/content
Sidecar for dashboards
If the parameter sidecar.dashboards.enabled
is set, a sidecar container is deployed in the grafana
pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with
a label as defined in sidecar.dashboards.label
. The files defined in those configmaps are written
to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported
dashboards are deleted/updated.
A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside one configmap is currently not properly mirrored in grafana.
Example dashboard config:
apiVersion: v1
kind: ConfigMap
metadata:
name: sample-grafana-dashboard
labels:
grafana_dashboard: "1"
data:
k8s-dashboard.json: |-
[...]
Sidecar for datasources
If the parameter sidecar.datasources.enabled
is set, an init container is deployed in the grafana
pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and
filters out the ones with a label as defined in sidecar.datasources.label
. The files defined in
those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
the data sources in grafana can be imported.
Should you aim for reloading datasources in Grafana each time the config is changed, set sidecar.datasources.skipReload: false
and adjust sidecar.datasources.reloadURL
to http://<svc-name>.<namespace>.svc.cluster.local/api/admin/provisioning/datasources/reload
.
Secrets are recommended over configmaps for this usecase because datasources usually contain private data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those.
Example values to add a postgres datasource as a kubernetes secret:
apiVersion: v1
kind: Secret
metadata:
name: grafana-datasources
labels:
grafana_datasource: 'true' # default value for: sidecar.datasources.label
stringData:
pg-db.yaml: |-
apiVersion: 1
datasources:
- name: My pg db datasource
type: postgres
url: my-postgresql-db:5432
user: db-readonly-user
secureJsonData:
password: 'SUperSEcretPa$$word'
jsonData:
database: my_datase
sslmode: 'disable' # disable/require/verify-ca/verify-full
maxOpenConns: 0 # Grafana v5.4+
maxIdleConns: 2 # Grafana v5.4+
connMaxLifetime: 14400 # Grafana v5.4+
postgresVersion: 1000 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
timescaledb: false
# <bool> allow users to edit datasources from the UI.
editable: false
Example values to add a datasource adapted from Grafana:
datasources:
datasources.yaml:
apiVersion: 1
datasources:
# <string, required> name of the datasource. Required
- name: Graphite
# <string, required> datasource type. Required
type: graphite
# <string, required> access mode. proxy or direct (Server or Browser in the UI). Required
access: proxy
# <int> org id. will default to orgId 1 if not specified
orgId: 1
# <string> url
url: http://localhost:8080
# <string> database password, if used
password:
# <string> database user, if used
user:
# <string> database name, if used
database:
# <bool> enable/disable basic auth
basicAuth:
# <string> basic auth username
basicAuthUser:
# <string> basic auth password
basicAuthPassword:
# <bool> enable/disable with credentials headers
withCredentials:
# <bool> mark as default datasource. Max one per org
isDefault:
# <map> fields that will be converted to json and stored in json_data
jsonData:
graphiteVersion: "1.1"
tlsAuth: true
tlsAuthWithCACert: true
# <string> json object of data that will be encrypted.
secureJsonData:
tlsCACert: "..."
tlsClientCert: "..."
tlsClientKey: "..."
version: 1
# <bool> allow users to edit datasources from the UI.
editable: false
Sidecar for notifiers
If the parameter sidecar.notifiers.enabled
is set, an init container is deployed in the grafana
pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and
filters out the ones with a label as defined in sidecar.notifiers.label
. The files defined in
those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,
the notification channels in grafana can be imported. The secrets must be created before
helm install
so that the notifiers init container can list the secrets.
Secrets are recommended over configmaps for this usecase because alert notification channels usually contain private data like SMTP usernames and passwords. Secrets are the more appropriate cluster resource to manage those.
Example datasource config adapted from Grafana:
notifiers:
- name: notification-channel-1
type: slack
uid: notifier1
# either
org_id: 2
# or
org_name: Main Org.
is_default: true
send_reminder: true
frequency: 1h
disable_resolve_message: false
# See `Supported Settings` section for settings supporter for each
# alert notification type.
settings:
recipient: 'XXX'
token: 'xoxb'
uploadImage: true
url: https://slack.com
delete_notifiers:
- name: notification-channel-1
uid: notifier1
org_id: 2
- name: notification-channel-2
# default org_id: 1
Sidecar for alerting resources
If the parameter sidecar.alerts.enabled
is set, a sidecar container is deployed in the grafana
pod. This container watches all configmaps (or secrets) in the cluster (namespace defined by sidecar.alerts.searchNamespace
) and filters out the ones with
a label as defined in sidecar.alerts.label
(default is grafana_alert
). The files defined in those configmaps are written
to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported alerting resources are updated, however, deletions are a little more complicated (see below).
This sidecar can be used to provision alert rules, contact points, notification policies, notification templates and mute timings as shown in Grafana Documentation.
To fetch the alert config which will be provisioned, use the alert provisioning API (Grafana Documentation). You can use either JSON or YAML format.
Example config for an alert rule:
apiVersion: v1
kind: ConfigMap
metadata:
name: sample-grafana-alert
labels:
grafana_alert: "1"
data:
k8s-alert.yml: |-
apiVersion: 1
groups:
- orgId: 1
name: k8s-alert
[...]
To delete provisioned alert rules is a two step process, you need to delete the configmap which defined the alert rule and then create a configuration which deletes the alert rule.
Example deletion configuration:
apiVersion: v1
kind: ConfigMap
metadata:
name: delete-sample-grafana-alert
namespace: monitoring
labels:
grafana_alert: "1"
data:
delete-k8s-alert.yml: |-
apiVersion: 1
deleteRules:
- orgId: 1
uid: 16624780-6564-45dc-825c-8bded4ad92d3
Statically provision alerting resources
If you don't need to change alerting resources (alert rules, contact points, notification policies and notification templates) regularly you could use the alerting
config option instead of the sidecar option above.
This will grab the alerting config and apply it statically at build time for the helm file.
There are two methods to statically provision alerting configuration in Grafana. Below are some examples and explanations as to how to use each method:
alerting:
team1-alert-rules.yaml:
file: alerting/team1/rules.yaml
team2-alert-rules.yaml:
file: alerting/team2/rules.yaml
team3-alert-rules.yaml:
file: alerting/team3/rules.yaml
notification-policies.yaml:
file: alerting/shared/notification-policies.yaml
notification-templates.yaml:
file: alerting/shared/notification-templates.yaml
contactpoints.yaml:
apiVersion: 1
contactPoints:
- orgId: 1
name: Slack channel
receivers:
- uid: default-receiver
type: slack
settings:
# Webhook URL to be filled in
url: ""
# We need to escape double curly braces for the tpl function.
text: '{{ `{{ template "default.message" . }}` }}'
title: '{{ `{{ template "default.title" . }}` }}'
The two possibilities for static alerting resource provisioning are:
- Inlining the file contents as shown for contact points in the above example.
- Importing a file using a relative path starting from the chart root directory as shown for the alert rules in the above example.
Important notes on file provisioning
- The format of the files is defined in the Grafana documentation on file provisioning.
- The chart supports importing YAML and JSON files.
- The filename must be unique, otherwise one volume mount will overwrite the other.
- In case of inlining, double curly braces that arise from the Grafana configuration format and are not intended as templates for the chart must be escaped.
- The number of total files under
alerting:
is not limited. Each file will end up as a volume mount in the corresponding provisioning folder of the deployed Grafana instance. - The file size for each import is limited by what the function
.Files.Get
can handle, which suffices for most cases.
How to serve Grafana with a path prefix (/grafana)
In order to serve Grafana with a prefix (e.g., http://example.com/grafana), add the following to your values.yaml.
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/rewrite-target: /$1
nginx.ingress.kubernetes.io/use-regex: "true"
path: /grafana/?(.*)
hosts:
- k8s.example.dev
grafana.ini:
server:
root_url: http://localhost:3000/grafana # this host can be localhost
How to securely reference secrets in grafana.ini
This example uses Grafana file providers for secret values and the extraSecretMounts
configuration flag (Additional grafana server secret mounts) to mount the secrets.
In grafana.ini:
grafana.ini:
[auth.generic_oauth]
enabled = true
client_id = $__file{/etc/secrets/auth_generic_oauth/client_id}
client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}
Existing secret, or created along with helm:
---
apiVersion: v1
kind: Secret
metadata:
name: auth-generic-oauth-secret
type: Opaque
stringData:
client_id: <value>
client_secret: <value>
Include in the extraSecretMounts
configuration flag:
extraSecretMounts:
- name: auth-generic-oauth-secret-mount
secretName: auth-generic-oauth-secret
defaultMode: 0440
mountPath: /etc/secrets/auth_generic_oauth
readOnly: true
extraSecretMounts using a Container Storage Interface (CSI) provider
This example uses a CSI driver e.g. retrieving secrets using Azure Key Vault Provider
extraSecretMounts:
- name: secrets-store-inline
mountPath: /run/secrets
readOnly: true
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: "my-provider"
nodePublishSecretRef:
name: akv-creds
Image Renderer Plug-In
This chart supports enabling remote image rendering
imageRenderer:
enabled: true
Image Renderer NetworkPolicy
By default the image-renderer pods will have a network policy which only allows ingress traffic from the created grafana instance
High Availability for unified alerting
If you want to run Grafana in a high availability cluster you need to enable
the headless service by setting headlessService: true
in your values.yaml
file.
As next step you have to setup the grafana.ini
in your values.yaml
in a way
that it will make use of the headless service to obtain all the IPs of the
cluster. You should replace {{ Name }}
with the name of your helm deployment.
grafana.ini:
...
unified_alerting:
enabled: true
ha_peers: {{ Name }}-headless:9094
ha_listen_address: ${POD_IP}:9094
ha_advertise_address: ${POD_IP}:9094
alerting:
enabled: false