258 lines
8.6 KiB
YAML
258 lines
8.6 KiB
YAML
---
|
|
apiVersion: helm.toolkit.fluxcd.io/v2beta2
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: kube-prometheus-stack
|
|
spec:
|
|
chart:
|
|
spec:
|
|
sourceRef:
|
|
kind: HelmRepository
|
|
name: "prometheus-community"
|
|
chart: "kube-prometheus-stack"
|
|
install:
|
|
{{- toYaml .Values.commons.helm.release.install | nindent 4 }}
|
|
test:
|
|
{{- toYaml .Values.commons.helm.release.test | nindent 4 }}
|
|
upgrade:
|
|
{{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
|
|
driftDetection:
|
|
{{- with .Values.commons.helm.release.driftDetection.mode }}
|
|
mode: {{ . }}
|
|
{{- end }}
|
|
ignore:
|
|
- target:
|
|
kind: PrometheusRule
|
|
paths:
|
|
- "/metadata/annotations/prometheus-operator-validated"
|
|
{{- with .Values.commons.helm.release.driftDetection.ignore }}
|
|
{{- toYaml . | nindent 6 }}
|
|
{{- end }}
|
|
interval: 10m
|
|
{{- with .Values.prometheus.valuesFrom }}
|
|
valuesFrom:
|
|
{{- toYaml . | nindent 4 }}
|
|
{{- end }}
|
|
values:
|
|
commonLabels:
|
|
prometheus: "default"
|
|
|
|
defaultRules:
|
|
rules:
|
|
kubeProxy: false
|
|
# just parts:
|
|
# kubernetesApps: false
|
|
disabled:
|
|
KubePodNotReady: true
|
|
KubePodCrashLooping: true
|
|
KubeContainerWaiting: true
|
|
|
|
prometheus:
|
|
{{- $hostPrometheus := .Values.prometheus.ingress.host | default (printf "prometheus.%s" .Values.commons.ingress.domain) }}
|
|
prometheusSpec:
|
|
{{- if .Values.prometheus.ingress.enabled }}
|
|
externalUrl: "https://{{ $hostPrometheus }}"
|
|
{{- end }}
|
|
podMonitorSelector:
|
|
matchLabels:
|
|
prometheus: "default"
|
|
probeMonitorSelector:
|
|
matchLabels:
|
|
prometheus: "default"
|
|
probeSelector:
|
|
matchLabels:
|
|
prometheus: "default"
|
|
ruleSelector:
|
|
matchLabels:
|
|
prometheus: "default"
|
|
serviceMonitorSelector:
|
|
matchLabels:
|
|
prometheus: "default"
|
|
scrapeConfigSelector:
|
|
matchLabels:
|
|
prometheus: "default"
|
|
storageSpec:
|
|
volumeClaimTemplate:
|
|
spec:
|
|
accessModes: ["ReadWriteOnce"]
|
|
resources:
|
|
requests:
|
|
storage: 5Gi
|
|
{{- with .Values.prometheus.ingress }}
|
|
{{- if .enabled }}
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
{{- with $.Values.commons.ingress.annotations }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
{{- with $.Values.commons.auth }}
|
|
{{- if and .enabled (eq .type "authentik") (not $.Values.prometheus.auth.anonymous.enabled) }}
|
|
"traefik.ingress.kubernetes.io/router.middlewares": "{{ .namespace }}-mycloud-authentik-outpost@kubernetescrd"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .annotations }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
hosts:
|
|
- "{{ $hostPrometheus }}"
|
|
path: "/"
|
|
{{- if $.Values.commons.ingress.tls.enabled }}
|
|
tls:
|
|
{{- with $.Values.commons.ingress.tls.override }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- else }}
|
|
- secretName: "infra-monitoring-prometheus-cert"
|
|
hosts:
|
|
- "{{ $hostPrometheus }}"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}{{/* end-with prometheus.ingress */}}
|
|
|
|
alertmanager:
|
|
{{- $hostAlertmanager := .Values.alertmanager.ingress.host | default (printf "alertmanager.%s" $.Values.commons.ingress.domain) }}
|
|
alertmanagerSpec:
|
|
{{- if .Values.alertmanager.ingress.enabled }}
|
|
externalUrl: "https://{{ $hostAlertmanager }}"
|
|
{{- end }}
|
|
replicas: 2
|
|
alertmanagerConfiguration:
|
|
name: "global-alertmanager-conf"
|
|
alertmanagerConfigSelector:
|
|
matchLabels:
|
|
alertmanager: "default"
|
|
|
|
{{- with .Values.alertmanager.ingress }}
|
|
{{- if .enabled }}
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
{{- with $.Values.commons.ingress.annotations }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
{{- with $.Values.commons.auth }}
|
|
{{- if and .enabled (eq .type "authentik") (not $.Values.alertmanager.auth.anonymous.enabled) }}
|
|
"traefik.ingress.kubernetes.io/router.middlewares": "{{ .namespace }}-mycloud-authentik-outpost@kubernetescrd"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- with .annotations }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
hosts:
|
|
- "{{ $hostAlertmanager }}"
|
|
paths: [ "/" ]
|
|
{{- if $.Values.commons.ingress.tls.enabled }}
|
|
tls:
|
|
{{- with $.Values.commons.ingress.tls.override }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- else }}
|
|
- secretName: "infra-monitoring-alertmanager-cert"
|
|
hosts:
|
|
- "{{ $hostAlertmanager }}"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}{{/* end-with alertmanager.ingress */}}
|
|
|
|
grafana:
|
|
adminPassword: {{ .Values.grafana.adminPassword | default (derivePassword 1 "long" .Values.commons.masterPassword "grafana" "adminPassword") | quote }}
|
|
grafana.ini:
|
|
server:
|
|
# bug in grafana-helmchart needed for oauth redirect url (without port :3000)
|
|
root_url: "https://%(domain)s/"
|
|
auth:
|
|
{{- if and .Values.commons.auth.enabled (eq .Values.commons.auth.type "authentik") }}
|
|
signout_redirect_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/grafana/end-session/
|
|
oauth_auto_login: true
|
|
{{- else }}
|
|
disable_login_form: true
|
|
disable_signout_menu: true
|
|
{{- end }}
|
|
|
|
{{- if .Values.grafana.auth.anonymous.enabled }}
|
|
auth.anonymous:
|
|
enabled: true
|
|
{{- end }}
|
|
|
|
{{- if and .Values.commons.auth.enabled (eq .Values.commons.auth.type "authentik") }}
|
|
auth.generic_oauth:
|
|
name: authentik
|
|
enabled: true
|
|
client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
|
|
client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
|
|
scopes: openid email profile
|
|
auth_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/authorize/
|
|
token_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/token/
|
|
api_url: https://{{ .Values.commons.auth.authentik.domain }}/application/o/userinfo/
|
|
role_attribute_path: "contains(groups[*], 'app: grafana - admin') && 'Admin' || contains(groups[*], 'app: grafana - editor') && 'Editor' || 'Viewer'"
|
|
extraSecretMounts:
|
|
- name: auth-generic-oauth-secret-mount
|
|
secretName: monitoring-grafana-auth-generic-oauth
|
|
defaultMode: 0440
|
|
mountPath: /etc/secrets/auth_generic_oauth
|
|
readOnly: true
|
|
{{- end }}
|
|
testFramework:
|
|
enabled: false
|
|
sidecar:
|
|
dashboards:
|
|
searchNamespace: ALL
|
|
|
|
## set option to grafana (and sidecar) to create folder in grafana based on annotations
|
|
folderAnnotation: {{ .Values.grafana.dashboards.folderAnnotation }}
|
|
provider:
|
|
foldersFromFilesStructure: true
|
|
|
|
## put all default-dashboards to folder Kubernetes
|
|
{{- with .Values.grafana.dashboards.annotations }}
|
|
annotations:
|
|
{{- toYaml . | nindent 12 }}
|
|
{{- end }}
|
|
datasources:
|
|
searchNamespace: ALL
|
|
{{- with .Values.grafana.ingress }}
|
|
{{- if .enabled }}
|
|
{{- $hostGrafana := .host | default (printf "grafana.%s" $.Values.commons.ingress.domain) }}
|
|
ingress:
|
|
enabled: true
|
|
annotations:
|
|
{{- with $.Values.commons.ingress.annotations }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
{{- with .annotations }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- end }}
|
|
hosts:
|
|
- "{{ $hostGrafana }}"
|
|
path: "/"
|
|
{{- if $.Values.commons.ingress.tls.enabled }}
|
|
tls:
|
|
{{- with $.Values.commons.ingress.tls.override }}
|
|
{{- toYaml . | nindent 10 }}
|
|
{{- else }}
|
|
- secretName: "infra-monitoring-grafana-cert"
|
|
hosts:
|
|
- "{{ $hostGrafana }}"
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}
|
|
{{- end }}{{/* end-with grafana.ingress */}}
|
|
|
|
kube-state-metrics:
|
|
prometheus:
|
|
monitor:
|
|
additionalLabels:
|
|
prometheus: "default"
|
|
|
|
prometheus-node-exporter:
|
|
prometheus:
|
|
monitor:
|
|
additionalLabels:
|
|
prometheus: "default"
|
|
|
|
kubeScheduler:
|
|
enabled: false
|
|
|
|
kubeControllerManager:
|
|
enabled: false
|