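---
# Flux HelmRelease for kube-prometheus-stack (Prometheus, Alertmanager, Grafana,
# node-exporter, kube-state-metrics). Cluster-wide knobs come from
# .Values.commons.*; per-component overrides live under .Values.prometheus,
# .Values.alertmanager and .Values.grafana.
#
# NOTE(review): everything under spec.values is stored in clear text in the
# HelmRelease object (and in Helm's release storage). The Grafana admin password
# and the OAuth client secret rendered below are therefore readable by anyone
# with RBAC to get helmreleases in this namespace. Prefer a Secret referenced
# through spec.valuesFrom (targetPath) for those keys.
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: kube-prometheus-stack
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: "prometheus-community"
      chart: "kube-prometheus-stack"
  # Shared Flux install/test/upgrade/drift settings, passed through verbatim.
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- with .Values.commons.helm.release.driftDetection.mode }}
    mode: {{ . }}
    {{- end }}
    ignore:
      # The operator's admission webhook stamps this annotation on every
      # PrometheusRule; ignore it so drift detection does not flap on it.
      - target:
          kind: PrometheusRule
        paths:
          - "/metadata/annotations/prometheus-operator-validated"
      {{- with .Values.commons.helm.release.driftDetection.ignore }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
  interval: 10m
  # Extra value sources (Secrets/ConfigMaps) merged into spec.values by Flux —
  # the right place for credentials instead of inlining them below.
  {{- with .Values.prometheus.valuesFrom }}
  valuesFrom:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  values:
    # Every operator CR this stack should pick up must carry prometheus=default;
    # all selectors below are keyed on that label.
    commonLabels:
      prometheus: "default"
    defaultRules:
      rules:
        kubeProxy: false
    prometheus:
      {{- $hostPrometheus := .Values.prometheus.ingress.host | default (printf "prometheus.%s" .Values.commons.ingress.domain) }}
      prometheusSpec:
        {{- if .Values.prometheus.ingress.enabled }}
        # Hard-coded https: assumes TLS is terminated at the ingress even when
        # commons.ingress.tls.enabled is false.
        externalUrl: "https://{{ $hostPrometheus }}"
        {{- end }}
        podMonitorSelector:
          matchLabels:
            prometheus: "default"
        # NOTE(review): probeMonitorSelector is not a PrometheusSpec field (the
        # probe selector is probeSelector, set just below); presumably ignored
        # by the chart — confirm and drop.
        probeMonitorSelector:
          matchLabels:
            prometheus: "default"
        probeSelector:
          matchLabels:
            prometheus: "default"
        ruleSelector:
          matchLabels:
            prometheus: "default"
        serviceMonitorSelector:
          matchLabels:
            prometheus: "default"
        scrapeConfigSelector:
          matchLabels:
            prometheus: "default"
        storageSpec:
          volumeClaimTemplate:
            spec:
              accessModes: ["ReadWriteOnce"]
              resources:
                requests:
                  storage: 5Gi
      {{- with .Values.prometheus.ingress }}
      {{- if .enabled }}
      # Prometheus has no authentication of its own. When published here it is
      # protected only by the authentik forward-auth middleware below, which is
      # attached solely when commons.auth is enabled with type=authentik and
      # prometheus.auth.anonymous.enabled is false. Any other combination
      # exposes the full UI and API (all metrics, /api/v1/status/config)
      # unauthenticated unless commons.ingress.annotations adds another
      # middleware — treat anonymous.enabled as an explicit opt-in.
      ingress:
        enabled: true
        annotations:
          {{- with $.Values.commons.ingress.annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with $.Values.commons.auth }}
          {{- if and .enabled (eq .type "authentik") (not $.Values.prometheus.auth.anonymous.enabled) }}
          "traefik.ingress.kubernetes.io/router.middlewares": "{{ .namespace }}-mycloud-mycloud-authentik-outpost@kubernetescrd"
          {{- end }}
          {{- end }}
          {{- with .annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
        hosts:
          - "{{ $hostPrometheus }}"
        # NOTE(review): the alertmanager block below uses the list form
        # (paths); the chart presumably ignores a scalar path here and falls
        # back to the route prefix — harmless, but confirm.
        path: "/"
        {{- if $.Values.commons.ingress.tls.enabled }}
        tls:
          {{- with $.Values.commons.ingress.tls.override }}
          {{- toYaml . | nindent 10 }}
          {{- else }}
          - secretName: "infra-monitoring-prometheus-cert"
            hosts:
              - "{{ $hostPrometheus }}"
          {{- end }}
        {{- end }}
      {{- end }}
      {{- end }}{{/* end-with prometheus.ingress */}}
    alertmanager:
      {{- $hostAlertmanager := .Values.alertmanager.ingress.host | default (printf "alertmanager.%s" $.Values.commons.ingress.domain) }}
      alertmanagerSpec:
        {{- if .Values.alertmanager.ingress.enabled }}
        externalUrl: "https://{{ $hostAlertmanager }}"
        {{- end }}
        replicas: 1
        # Global routing/receiver config comes from a separately managed
        # AlertmanagerConfig named global-alertmanager-conf; per-tenant configs
        # are picked up via the alertmanager=default label.
        alertmanagerConfiguration:
          name: "global-alertmanager-conf"
        alertmanagerConfigSelector:
          matchLabels:
            alertmanager: "default"
      {{- with .Values.alertmanager.ingress }}
      {{- if .enabled }}
      # Same caveat as the Prometheus ingress: without the authentik middleware
      # (or another one from commons.ingress.annotations) anyone reaching this
      # host can read and silence alerts.
      ingress:
        enabled: true
        annotations:
          {{- with $.Values.commons.ingress.annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with $.Values.commons.auth }}
          {{- if and .enabled (eq .type "authentik") (not $.Values.alertmanager.auth.anonymous.enabled) }}
          "traefik.ingress.kubernetes.io/router.middlewares": "{{ .namespace }}-mycloud-mycloud-authentik-outpost@kubernetescrd"
          {{- end }}
          {{- end }}
          {{- with .annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
        hosts:
          - "{{ $hostAlertmanager }}"
        paths: [ "/" ]
        {{- if $.Values.commons.ingress.tls.enabled }}
        tls:
          {{- with $.Values.commons.ingress.tls.override }}
          {{- toYaml . | nindent 10 }}
          {{- else }}
          - secretName: "infra-monitoring-alertmanager-cert"
            hosts:
              - "{{ $hostAlertmanager }}"
          {{- end }}
        {{- end }}
      {{- end }}
      {{- end }}{{/* end-with alertmanager.ingress */}}
    grafana:
      # NOTE(review): unless overridden, this is derived deterministically from
      # commons.masterPassword (derivePassword), so a leak of the master
      # password yields every derived credential; and it lands in clear text in
      # this object. Consider the chart's existing-secret support via valuesFrom.
      adminPassword: {{ .Values.grafana.adminPassword | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "adminPassword") | quote }}
      grafana.ini:
        server:
          # bug in grafana-helmchart needed for oauth redirect url (without port :3000)
          root_url: "https://%(domain)s/"
        {{- if and .Values.grafana.ingress.enabled .Values.commons.ingress.tls.enabled }}
        # Grafana is only reached over HTTPS when published through a TLS
        # ingress, so mark the session cookie Secure (Grafana's default is
        # cookie_secure = false). Gated on both flags so that a non-TLS or
        # port-forwarded deployment can still log in.
        security:
          cookie_secure: true
        {{- end }}
        auth:
          {{- if and .Values.commons.auth.enabled (eq .Values.commons.auth.type "authentik") }}
          signout_redirect_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/grafana/end-session/
          oauth_auto_login: true
          {{- else }}
          # With no OAuth provider and the login form disabled, the UI is only
          # reachable anonymously (grafana.auth.anonymous.enabled) or via the
          # API with basic auth — presumably a deliberate read-only setup; confirm.
          disable_login_form: true
          disable_signout_menu: true
          {{- end }}
        {{- if .Values.grafana.auth.anonymous.enabled }}
        # No org_role set: anonymous sessions get Grafana's default (Viewer).
        auth.anonymous:
          enabled: true
        {{- end }}
        {{- if and .Values.commons.auth.enabled (eq .Values.commons.auth.type "authentik") }}
        # NOTE(review): allow_sign_up defaults to true, so every user authentik
        # lets through to this application gets a Grafana account (Viewer
        # unless in an admin/editor group). Scope access with authentik's
        # application policy or add allowed_groups here; enable use_pkce if the
        # bundled Grafana version supports it.
        auth.generic_oauth:
          name: authentik
          enabled: true
          client_id: {{ .Values.grafana.auth.authentik.clientID | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientID") | quote }}
          client_secret: {{ .Values.grafana.auth.authentik.clientSecret | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "clientSecret") | quote }}
          scopes: openid email profile
          auth_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/authorize/
          token_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/token/
          api_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/userinfo/
          # Group-to-role mapping; anyone without a matching group falls through
          # to Viewer.
          role_attribute_path: "contains(groups[*], 'app: grafana - admin') && 'Admin' || contains(groups[*], 'app: grafana - editor') && 'Editor' || 'Viewer'"
        {{- end }}
      testFramework:
        enabled: false
      sidecar:
        dashboards:
          # NOTE(review): ALL lets a labelled ConfigMap in any namespace become
          # a dashboard; in a multi-tenant cluster restrict this to trusted
          # namespaces.
          searchNamespace: ALL
          ## set option to grafana (and sidecar) to create folder in grafana based on annotations
          folderAnnotation: {{ .Values.grafana.dashboards.folderAnnotation }}
          provider:
            foldersFromFilesStructure: true
          ## put all default-dashboards to folder Kubernetes
          {{- with .Values.grafana.dashboards.annotations }}
          annotations:
            {{- toYaml . | nindent 12 }}
          {{- end }}
        datasources:
          # NOTE(review): same as above, and a datasource injected from another
          # namespace can point Grafana (and any credentials it carries) at an
          # attacker-controlled endpoint.
          searchNamespace: ALL
      {{- with .Values.grafana.ingress }}
      {{- if .enabled }}
      {{- $hostGrafana := .host | default (printf "grafana.%s" $.Values.commons.ingress.domain) }}
      # No forward-auth middleware here: Grafana authenticates users itself via
      # the generic_oauth block above (or serves anonymously when configured).
      ingress:
        enabled: true
        annotations:
          {{- with $.Values.commons.ingress.annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
          {{- with .annotations }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
        hosts:
          - "{{ $hostGrafana }}"
        path: "/"
        {{- if $.Values.commons.ingress.tls.enabled }}
        tls:
          {{- with $.Values.commons.ingress.tls.override }}
          {{- toYaml . | nindent 10 }}
          {{- else }}
          - secretName: "infra-monitoring-grafana-cert"
            hosts:
              - "{{ $hostGrafana }}"
          {{- end }}
        {{- end }}
      {{- end }}
      {{- end }}{{/* end-with grafana.ingress */}}
    kube-state-metrics:
      prometheus:
        monitor:
          additionalLabels:
            prometheus: "default"
    prometheus-node-exporter:
      prometheus:
        monitor:
          additionalLabels:
            prometheus: "default"
    # Control-plane scrape targets disabled (kube-proxy rules are off above as
    # well) — presumably these components are not reachable here; confirm.
    kubeScheduler:
      enabled: false
    kubeControllerManager:
      enabled: false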