kube-prometheus

Helm chart
iamguarded

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## @section Global parameters
## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry, imagePullSecrets and storageClass
##

## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
##
global:
  imageRegistry: ""
  ## E.g.
  ## imagePullSecrets:
  ##   - myRegistryKeySecretName
  ##
  imagePullSecrets: []
  defaultStorageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters
##

## @param kubeVersion Force target Kubernetes version (using Helm capabilities if not set)
##
kubeVersion: ""
## @param nameOverride String to partially override `kube-prometheus.name` template with a string (will prepend the release name)
##
nameOverride: ""
## @param fullnameOverride String to fully override `kube-prometheus.fullname` template with a string
##
fullnameOverride: ""
## @param namespaceOverride String to fully override common.names.namespace
##
namespaceOverride: ""
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param clusterDomain Kubernetes cluster domain name
##
clusterDomain: cluster.local
## @section Prometheus Operator Parameters
##
operator:
  ## @param operator.enabled Deploy Prometheus Operator to the cluster
  ##
  enabled: true
  ## Iamguarded Prometheus Operator image version
  ## @param operator.image.registry [default: REGISTRY_NAME] Prometheus Operator image registry
  ## @param operator.image.repository [default: REPOSITORY_NAME/prometheus-operator] Prometheus Operator image repository
  ## @skip operator.image.tag Prometheus Operator image tag (immutable tags are recommended)
  ## @param operator.image.digest Prometheus Operator image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param operator.image.pullPolicy Prometheus Operator image pull policy
  ## @param operator.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/prometheus-operator-iamguarded
    tag: 0.91.0
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param operator.extraArgs Additional arguments passed to Prometheus Operator
  ## Example:
  ## extraArgs:
  ##   - --namespaces={{ include "common.names.namespace" . }}
  ##
  extraArgs: []
  ## @param operator.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param operator.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param operator.lifecycleHooks for the Prometheus Operator container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param operator.extraEnvVars Array with extra environment variables to add to Prometheus Operator nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param operator.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for Prometheus Operator nodes
  ##
  extraEnvVarsCM: ""
  ## @param operator.extraEnvVarsSecret Name of existing Secret containing extra env vars for Prometheus Operator nodes
  ##
  extraEnvVarsSecret: ""
  ## @param operator.extraVolumes Optionally specify extra list of additional volumes for the Prometheus Operator pod(s)
  ##
  extraVolumes: []
  ## @param operator.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Prometheus Operator container(s)
  ##
  extraVolumeMounts: []
  ## @param operator.sidecars Add additional sidecar containers to the Prometheus Operator pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param operator.initContainers Add additional init containers to the Prometheus Operator pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @param operator.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param operator.hostAliases Add deployment host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## Service account for Prometheus Operator to use.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param operator.serviceAccount.create Specify whether to create a ServiceAccount for Prometheus Operator
    ##
    create: true
    ## @param operator.serviceAccount.name The name of the ServiceAccount to create
    ## If not set and create is true, a name is generated using the kube-prometheus.operator.fullname template
    ##
    name: ""
    ## @param operator.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
    ## @param operator.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
    ##
    annotations: {}
  ## @param operator.schedulerName Name of the Kubernetes scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param operator.terminationGracePeriodSeconds In seconds, time given to the Prometheus Operator pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param operator.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## Prometheus Operator pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param operator.podSecurityContext.enabled Enable pod security context
  ## @param operator.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param operator.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param operator.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param operator.podSecurityContext.fsGroup Group ID for the container filesystem
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Prometheus Operator containers' Security Context (only main container)
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param operator.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param operator.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param operator.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param operator.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param operator.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param operator.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param operator.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param operator.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param operator.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param operator.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## Prometheus Operator Service
  ##
  service:
    ## @param operator.service.type Kubernetes service type
    ##
    type: ClusterIP
    ## @param operator.service.ports.http Prometheus Operator service port
    ##
    ports:
      http: 8080
    ## @param operator.service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` for headless service
    ## e.g:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param operator.service.nodePorts.http Kubernetes Service nodePort
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
    ## e.g:
    ## nodePort: 30080
    ##
    nodePorts:
      http: ""
    ## @param operator.service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer`
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param operator.service.loadBalancerClass Operator service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param operator.service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer`
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param operator.service.externalTrafficPolicy Enable client source IP preservation
    ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints
    ## There are two available options: Cluster (default) and Local.
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param operator.service.healthCheckNodePort Specifies the health check node port (numeric port number) for the service if `externalTrafficPolicy` is set to Local.
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    healthCheckNodePort: ""
    ## @param operator.service.labels Additional labels for Prometheus Operator service
    ##
    labels: {}
    ## @param operator.service.annotations Additional annotations for Prometheus Operator service
    ##
    annotations: {}
    ## @param operator.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
    ##
    extraPorts: []
    ## @param operator.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param operator.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param operator.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param operator.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param operator.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param operator.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param operator.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param operator.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param operator.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Create a servicemonitor for the operator
  ##
  serviceMonitor:
    ## @param operator.serviceMonitor.enabled Creates a ServiceMonitor to monitor Prometheus Operator
    ##
    enabled: true
    ## @param operator.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param operator.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param operator.serviceMonitor.metricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    metricRelabelings: []
    ## @param operator.serviceMonitor.relabelings Relabel configs
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    ##
    relabelings: []
    ## @param operator.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param operator.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param operator.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param operator.serviceMonitor.extraParameters Any extra parameter to be added to the endpoint configured in the ServiceMonitor
    ## (e.g. tlsConfig for further customization of the HTTPS behavior)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.Endpoint
    ##
    extraParameters: {}
    ## @param operator.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
  ## @param operator.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if operator.resources is set (operator.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param operator.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ##
  resources: {}
  ## @param operator.podAffinityPreset Pod affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param operator.podAntiAffinityPreset Prometheus Operator Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param operator.nodeAffinityPreset.type Prometheus Operator Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param operator.nodeAffinityPreset.key Prometheus Operator Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param operator.nodeAffinityPreset.values Prometheus Operator Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param operator.affinity Prometheus Operator Affinity for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: operator.podAffinityPreset, operator.podAntiAffinityPreset, and operator.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param operator.nodeSelector Prometheus Operator Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param operator.tolerations Prometheus Operator Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param operator.podAnnotations Annotations for Prometheus Operator pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param operator.podLabels Extra labels for Prometheus Operator pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param operator.priorityClassName Priority class assigned to the Pods
  ##
  priorityClassName: ""
  ## Configure extra options for liveness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param operator.livenessProbe.enabled Turn on and off liveness probe
  ## @param operator.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
  ## @param operator.livenessProbe.periodSeconds How often to perform the probe
  ## @param operator.livenessProbe.timeoutSeconds When the probe times out
  ## @param operator.livenessProbe.failureThreshold Minimum consecutive failures for the probe
  ## @param operator.livenessProbe.successThreshold Minimum consecutive successes for the probe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 120
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## Configure extra options for readiness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param operator.readinessProbe.enabled Turn on and off readiness probe
  ## @param operator.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
  ## @param operator.readinessProbe.periodSeconds How often to perform the probe
  ## @param operator.readinessProbe.timeoutSeconds When the probe times out
  ## @param operator.readinessProbe.failureThreshold Minimum consecutive failures for the probe
  ## @param operator.readinessProbe.successThreshold Minimum consecutive successes for the probe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## Configure extra options for startup probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param operator.startupProbe.enabled Turn on and off startup probe
  ## @param operator.startupProbe.initialDelaySeconds Delay before startup probe is initiated
  ## @param operator.startupProbe.periodSeconds How often to perform the probe
  ## @param operator.startupProbe.timeoutSeconds When the probe times out
  ## @param operator.startupProbe.failureThreshold Minimum consecutive failures for the probe
  ## @param operator.startupProbe.successThreshold Minimum consecutive successes for the probe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 6
    successThreshold: 1
  ## @param operator.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param operator.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param operator.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param operator.logLevel Log level for Prometheus Operator
  ##
  logLevel: info
  ## @param operator.logFormat Log format for Prometheus Operator
  ##
  logFormat: logfmt
  ## @param operator.configReloaderResources Set the prometheus config reloader side-car CPU and memory requests and limits.
  ## configReloaderResources:
  ##   limits:
  ##     cpu: 200m
  ##     memory: 100Mi
  ##   requests:
  ##     cpu: 100m
  ##     memory: 50Mi
  ##
  configReloaderResources: {}
  ## @param operator.kubeletService.enabled If true, the operator will create and maintain a service for scraping kubelets
  ## @param operator.kubeletService.namespace Namespace to deploy the kubelet service
  ##
  kubeletService:
    enabled: true
    namespace: kube-system
  ## Prometheus Configmap-reload image to use for reloading configmaps
  ##
  prometheusConfigReloader:
    ## @param operator.prometheusConfigReloader.image Prometheus Config Reloader image. If not set, the same as `operator.image.registry`
    ## registry:
    ## repository:
    ## tag:
    ## digest: ""
    ## pullSecrets:
    ##
    image: {}
    ## Prometheus config reload container's securityContext
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param operator.prometheusConfigReloader.containerSecurityContext.enabled Enabled containers' Security Context
    ## @param operator.prometheusConfigReloader.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param operator.prometheusConfigReloader.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
    ## @param operator.prometheusConfigReloader.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
    ## @param operator.prometheusConfigReloader.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
    ## @param operator.prometheusConfigReloader.containerSecurityContext.privileged Set container's Security Context privileged
    ## @param operator.prometheusConfigReloader.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
    ## @param operator.prometheusConfigReloader.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
    ## @param operator.prometheusConfigReloader.containerSecurityContext.capabilities.drop List of capabilities to be dropped
    ## @param operator.prometheusConfigReloader.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## Configure extra options for liveness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param operator.prometheusConfigReloader.livenessProbe.enabled Turn on and off liveness probe
    ## @param operator.prometheusConfigReloader.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
    ## @param operator.prometheusConfigReloader.livenessProbe.periodSeconds How often to perform the probe
    ## @param operator.prometheusConfigReloader.livenessProbe.timeoutSeconds When the probe times out
    ## @param operator.prometheusConfigReloader.livenessProbe.failureThreshold Minimum consecutive failures for the probe
    ## @param operator.prometheusConfigReloader.livenessProbe.successThreshold Minimum consecutive successes for the probe
    ##
    livenessProbe:
      enabled: true
      initialDelaySeconds: 10
      periodSeconds: 10
      timeoutSeconds: 5
      failureThreshold: 6
      successThreshold: 1
    ## Configure extra options for readiness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param operator.prometheusConfigReloader.readinessProbe.enabled Turn on and off readiness probe
    ## @param operator.prometheusConfigReloader.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
    ## @param operator.prometheusConfigReloader.readinessProbe.periodSeconds How often to perform the probe
    ## @param operator.prometheusConfigReloader.readinessProbe.timeoutSeconds When the probe times out
    ## @param operator.prometheusConfigReloader.readinessProbe.failureThreshold Minimum consecutive failures for the probe
    ## @param operator.prometheusConfigReloader.readinessProbe.successThreshold Minimum consecutive successes for the probe
    ##
    readinessProbe:
      enabled: true
      initialDelaySeconds: 15
      periodSeconds: 20
      timeoutSeconds: 5
      failureThreshold: 6
      successThreshold: 1
  ## Restrict the namespaces that the operator watches
  ## ref: `-namespaces` in https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/operator.md
  ## @param operator.namespaces Optional comma-separated list of namespaces to watch (default=all).
  ##
  namespaces: ""
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param operator.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param operator.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param operator.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
623
## @section Prometheus Parameters
624
##
625
626
## Deploy a Prometheus instance
627
##
628
prometheus:
629
## @param prometheus.enabled Deploy Prometheus to the cluster
630
##
631
enabled: true
632
## Iamguarded Prometheus image version
633
## @param prometheus.image.registry [default: REGISTRY_NAME] Prometheus image registry
634
## @param prometheus.image.repository [default: REPOSITORY_NAME/prometheus] Prometheus image repository
635
## @skip prometheus.image.tag Prometheus image tag (immutable tags are recommended)
636
## @param prometheus.image.digest Prometheus image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
637
## @param prometheus.image.pullPolicy Prometheus image pull policy
638
## @param prometheus.image.pullSecrets Specify docker-registry secret names as an array
639
##
640
image:
641
registry: cgr.dev
642
repository: chainguard-private/prometheus-iamguarded
643
tag: 3.11.3
644
digest: ""
645
pullPolicy: IfNotPresent
646
## Optionally specify an array of imagePullSecrets.
647
## Secrets must be manually created in the namespace.
648
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
649
## Example:
650
## pullSecrets:
651
## - myRegistryKeySecretName
652
##
653
pullSecrets: []
654
  ## @param prometheus.defaultRules.create Create default rules for Prometheus
  ## @param prometheus.defaultRules.rules [object] Set of default rules for Prometheus that can be enabled/disabled
  ##
  defaultRules:
    create: true
    rules:
      alertmanager: true
      etcd: true
      configReloaders: true
      general: true
      k8sContainerCpuUsageSecondsTotal: true
      k8sContainerMemoryCache: true
      k8sContainerMemoryRss: true
      k8sContainerMemorySwap: true
      k8sContainerResource: true
      k8sContainerMemoryWorkingSetBytes: true
      k8sPodOwner: true
      kubeApiserverAvailability: true
      kubeApiserverBurnrate: true
      kubeApiserverHistogram: true
      kubeApiserverSlos: true
      kubeControllerManager: true
      kubelet: true
      kubeProxy: true
      kubePrometheusGeneral: true
      kubePrometheusNodeRecording: true
      kubernetesApps: true
      kubernetesResources: true
      kubernetesStorage: true
      kubernetesSystem: true
      kubeSchedulerAlerting: true
      kubeSchedulerRecording: true
      kubeStateMetrics: true
      network: true
      node: true
      nodeExporterAlerting: true
      nodeExporterRecording: true
      prometheus: true
      prometheusOperator: true
  ## Service account for Prometheus to use.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param prometheus.serviceAccount.create Specify whether to create a ServiceAccount for Prometheus
    ##
    create: true
    ## @param prometheus.serviceAccount.name The name of the ServiceAccount to create
    ## If not set and create is true, a name is generated using the kube-prometheus.prometheus.fullname template
    ##
    name: ""
    ## @param prometheus.serviceAccount.annotations Additional annotations for created Prometheus ServiceAccount
    ## annotations:
    ##   eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/prometheus
    ##
    annotations: {}
    ## @param prometheus.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Prometheus pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param prometheus.podSecurityContext.enabled Enable security context
  ## @param prometheus.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param prometheus.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param prometheus.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param prometheus.podSecurityContext.fsGroup Group ID for the container filesystem
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Prometheus containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param prometheus.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param prometheus.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param prometheus.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param prometheus.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param prometheus.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param prometheus.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param prometheus.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param prometheus.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param prometheus.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param prometheus.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## Configure pod disruption budgets for Prometheus
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
  ## @param prometheus.pdb.create Create a pod disruption budget for Prometheus
  ## @param prometheus.pdb.minAvailable Minimum number / percentage of pods that should remain scheduled
  ## @param prometheus.pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param prometheus.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param prometheus.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param prometheus.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param prometheus.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param prometheus.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param prometheus.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param prometheus.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Prometheus Service
  ##
  service:
    ## @param prometheus.service.type Kubernetes service type
    ##
    type: ClusterIP
    ## @param prometheus.service.ports.http Prometheus service port
    ##
    ports:
      http: 9090
    ## @param prometheus.service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` for headless service
    ## e.g: clusterIP: None
    ##
    clusterIP: ""
    ## @param prometheus.service.nodePorts.http Specify the nodePort value for the LoadBalancer and NodePort service types.
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
    ## e.g:
    ## nodePort: 30090
    ##
    nodePorts:
      http: ""
    ## @param prometheus.service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer`
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param prometheus.service.loadBalancerClass Prometheus service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param prometheus.service.loadBalancerSourceRanges Addresses that are allowed when service is `LoadBalancer`
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param prometheus.service.externalTrafficPolicy Enable client source IP preservation
    ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints
    ## There are two available options: Cluster (default) and Local
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param prometheus.service.healthCheckNodePort Specifies the health check node port
    ## if externalTrafficPolicy is set to Local.
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    healthCheckNodePort: ""
    ## @param prometheus.service.labels Additional labels for Prometheus service (this value is evaluated as a template)
    ##
    labels: {}
    ## @param prometheus.service.annotations Additional annotations for Prometheus service (this value is evaluated as a template)
    ##
    annotations: {}
    ## @param prometheus.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param prometheus.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
  serviceMonitor:
    ## @param prometheus.serviceMonitor.enabled Creates a ServiceMonitor to monitor Prometheus itself
    ##
    enabled: true
    ## @param prometheus.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param prometheus.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param prometheus.serviceMonitor.metricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    metricRelabelings: []
    ## @param prometheus.serviceMonitor.relabelings Relabel configs
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    ##
    relabelings: []
    ## @param prometheus.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
  ## Configure the ingress resource that allows you to access the
  ## Prometheus installation. Set up the URL
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param prometheus.ingress.enabled Enable ingress controller resource
    ##
    enabled: false
    ## @param prometheus.ingress.pathType Ingress Path type
    ##
    pathType: ImplementationSpecific
    ## @param prometheus.ingress.apiVersion Override API Version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param prometheus.ingress.hostname Default host for the ingress resource
    ##
    hostname: prometheus.local
    ## @param prometheus.ingress.path The Path to Prometheus. You may need to set this to '/*' in order to use this with ALB ingress controllers
    ##
    path: /
    ## @param prometheus.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## For a full list of possible ingress annotations, please see
    ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ##
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param prometheus.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param prometheus.ingress.tls Enable TLS configuration for the hostname defined at prometheus.ingress.hostname parameter
    ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.prometheus.ingress.hostname }}
    ## You can use the prometheus.ingress.secrets parameter to create this TLS secret or rely on cert-manager to create it
    ##
    tls: false
    ## @param prometheus.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param prometheus.ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
    ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
    ## extraHosts:
    ##   - name: prometheus.local
    ##     path: /
    ##
    extraHosts: []
    ## @param prometheus.ingress.extraPaths Additional arbitrary path/backend objects
    ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
    ## extraPaths:
    ##   - path: /*
    ##     backend:
    ##       serviceName: ssl-redirect
    ##       servicePort: use-annotation
    ##
    extraPaths: []
    ## @param prometheus.ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
    ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## extraTls:
    ##   - hosts:
    ##       - prometheus.local
    ##     secretName: prometheus.local-tls
    ##
    extraTls: []
    ## @param prometheus.ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
    ## key and certificate should start with -----BEGIN CERTIFICATE----- or
    ## -----BEGIN RSA PRIVATE KEY-----
    ##
    ## name should line up with a tlsSecret set further up
    ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
    ##
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## secrets:
    ##   - name: prometheus.local-tls
    ##     key:
    ##     certificate:
    ##
    ## NOTE: the secret name MUST match {{ingress.hostname}}-tls to be used if selfSigned is false or no certManager is used
    secrets: []
    ## @param prometheus.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ##   - host: example.local
    ##     http:
    ##       path: /
    ##       backend:
    ##         service:
    ##           name: example-svc
    ##           port:
    ##             name: http
    ##
    extraRules: []
  ## @param prometheus.externalUrl External URL used to access Prometheus
  ## If not creating an ingress but still exposing the service some other way (like a proxy)
  ## let Prometheus know what its external URL is so that it can properly create links
  ## externalUrl: https://prometheus.example.com
  ##
  externalUrl: ""
  ## @param prometheus.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if prometheus.resources is set (prometheus.resources is recommended for production).
  ##
  resourcesPreset: "small"
  ## @param prometheus.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ##
  resources: {}
  ## @param prometheus.podAffinityPreset Prometheus Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param prometheus.podAntiAffinityPreset Prometheus Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param prometheus.nodeAffinityPreset.type Prometheus Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param prometheus.nodeAffinityPreset.key Prometheus Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param prometheus.nodeAffinityPreset.values Prometheus Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param prometheus.affinity Prometheus Affinity for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: prometheus.podAffinityPreset, prometheus.podAntiAffinityPreset, and prometheus.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param prometheus.nodeSelector Prometheus Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param prometheus.topologySpreadConstraints Prometheus Topology Spread Constraints for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param prometheus.tolerations Prometheus Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param prometheus.scrapeInterval Interval between consecutive scrapes
  ##
  scrapeInterval: ""
  ## @param prometheus.evaluationInterval Interval between consecutive evaluations
  ##
  evaluationInterval: ""
  ## @param prometheus.scrapeTimeout Timeout after which the global scrape is ended
  ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
  ##
  scrapeTimeout: ""
  ## @param prometheus.sampleLimit Per-scrape max number of scraped samples. Requires Prometheus v2.45.0 and newer
  ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
  sampleLimit: ""
  ## @param prometheus.enforcedSampleLimit Override sampleLimits set by ServiceMonitor, PodMonitor or Probe objects
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PrometheusSpec
  enforcedSampleLimit: ""
  ## @param prometheus.keepDroppedTargets Limit per scrape config on the number of targets dropped by relabeling that will be kept in memory. 0 means no limit.
  ## Requires Prometheus v2.47.0 and newer
  ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config
  keepDroppedTargets: ""
  ## @param prometheus.listenLocal ListenLocal makes the Prometheus server listen on loopback
  ##
  listenLocal: false
  ## Configure extra options for liveness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param prometheus.livenessProbe.enabled Turn on and off liveness probe
  ## @param prometheus.livenessProbe.path Path of the HTTP service for checking the healthy state
  ## @param prometheus.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
  ## @param prometheus.livenessProbe.periodSeconds How often to perform the probe
  ## @param prometheus.livenessProbe.timeoutSeconds When the probe times out
  ## @param prometheus.livenessProbe.failureThreshold Minimum consecutive failures for the probe
  ## @param prometheus.livenessProbe.successThreshold Minimum consecutive successes for the probe
  ##
  livenessProbe:
    enabled: true
    path: /-/healthy
    initialDelaySeconds: 0
    failureThreshold: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
  ## Configure extra options for readiness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param prometheus.readinessProbe.enabled Turn on and off readiness probe
  ## @param prometheus.readinessProbe.path Path of the HTTP service for checking the ready state
  ## @param prometheus.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
  ## @param prometheus.readinessProbe.periodSeconds How often to perform the probe
  ## @param prometheus.readinessProbe.timeoutSeconds When the probe times out
  ## @param prometheus.readinessProbe.failureThreshold Minimum consecutive failures for the probe
  ## @param prometheus.readinessProbe.successThreshold Minimum consecutive successes for the probe
  ##
  readinessProbe:
    enabled: true
    path: /-/ready
    initialDelaySeconds: 0
    failureThreshold: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 3
  ## Configure extra options for startup probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param prometheus.startupProbe.enabled Turn on and off startup probe
  ## @param prometheus.startupProbe.path Path of the HTTP service for checking the ready state
  ## @param prometheus.startupProbe.initialDelaySeconds Delay before startup probe is initiated
  ## @param prometheus.startupProbe.periodSeconds How often to perform the probe
  ## @param prometheus.startupProbe.timeoutSeconds When the probe times out
  ## @param prometheus.startupProbe.failureThreshold Minimum consecutive failures for the probe
  ## @param prometheus.startupProbe.successThreshold Minimum consecutive successes for the probe
  ##
  startupProbe:
    enabled: true
    path: /-/ready
    initialDelaySeconds: 0
    failureThreshold: 60
    periodSeconds: 15
    successThreshold: 1
    timeoutSeconds: 3
  ## @param prometheus.enableAdminAPI Enable Prometheus administrative API
  ## ref: https://prometheus.io/docs/prometheus/latest/querying/api/#tsdb-admin-apis
  ##
  enableAdminAPI: false
  ## @param prometheus.enableFeatures Enable access to Prometheus disabled features.
  ## ref: https://prometheus.io/docs/prometheus/latest/disabled_features/
  ##
  enableFeatures: []
  ## @param prometheus.alertingEndpoints Alertmanagers to which alerts will be sent
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#alertmanagerendpoints
  ##
  alertingEndpoints: []
  ## @param prometheus.externalLabels External labels to add to any time series or alerts when communicating with external systems
  ##
  externalLabels: {}
  ## @param prometheus.replicaExternalLabelName Name of the external label used to denote replica name
  ##
  replicaExternalLabelName: ""
  ## @param prometheus.replicaExternalLabelNameClear Clear external label used to denote replica name
  ##
  replicaExternalLabelNameClear: false
  ## @param prometheus.routePrefix Prefix used to register routes, overriding externalUrl route
  ## Useful for proxies that rewrite URLs.
  ##
  routePrefix: /
  ## @param prometheus.prometheusExternalLabelName Name of the external label used to denote Prometheus instance name
  ##
  prometheusExternalLabelName: ""
  ## @param prometheus.prometheusExternalLabelNameClear Clear external label used to denote Prometheus instance name
  ##
  prometheusExternalLabelNameClear: false
  ## @param prometheus.secrets Secrets that should be mounted into the Prometheus Pods
  ##
  secrets: []
  ## @param prometheus.configMaps ConfigMaps that should be mounted into the Prometheus Pods
  ##
  configMaps: []
  ## @param prometheus.querySpec The query command line flags when starting Prometheus
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#queryspec
  ##
  querySpec: {}
  ## @param prometheus.ruleNamespaceSelector Namespaces to be selected for PrometheusRules discovery
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#namespaceselector for usage
  ##
  ruleNamespaceSelector: {}
  ## @param prometheus.ruleSelector PrometheusRules to be selected for target discovery
  ## If {}, select all PrometheusRules
  ##
  ruleSelector: {}
  ## @param prometheus.serviceMonitorSelector ServiceMonitors to be selected for target discovery
  ## If {}, select all ServiceMonitors
  ##
  serviceMonitorSelector: {}
  ## @param prometheus.serviceMonitorNamespaceSelector Namespaces to be selected for ServiceMonitor discovery
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#namespaceselector for usage
  ##
  serviceMonitorNamespaceSelector: {}
  ## @param prometheus.podMonitorSelector PodMonitors to be selected for target discovery.
  ## If {}, select all PodMonitors
  ##
  podMonitorSelector: {}
  ## @param prometheus.podMonitorNamespaceSelector Namespaces to be selected for PodMonitor discovery
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#namespaceselector for usage
  ##
  podMonitorNamespaceSelector: {}
  ## @param prometheus.probeSelector Probes to be selected for target discovery.
  ## If {}, select all Probes
  ##
  probeSelector: {}
  ## @param prometheus.probeNamespaceSelector Namespaces to be selected for Probe discovery
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#namespaceselector for usage
  ##
  probeNamespaceSelector: {}
  ## @param prometheus.scrapeConfigSelector ScrapeConfig to be selected for target discovery.
  ## If {}, select all ScrapeConfig
  ##
  scrapeConfigSelector: {}
  ## @param prometheus.scrapeConfigNamespaceSelector Namespaces to be selected for ScrapeConfig discovery
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#namespaceselector for usage
  ##
  scrapeConfigNamespaceSelector: {}
  ## @param prometheus.scrapeClasses List of scrape classes to expose to scraping objects
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#scrapeclass for usage
  ##
  scrapeClasses: []
  ## @param prometheus.retention Metrics retention days
  ##
  retention: 10d
  ## @param prometheus.retentionSize Maximum size of metrics
  ##
  retentionSize: ""
  ## @param prometheus.disableCompaction Disable the compaction of the Prometheus TSDB
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
  ## ref: https://prometheus.io/docs/prometheus/latest/storage/#compaction
  ##
  disableCompaction: false
  ## @param prometheus.walCompression Enable compression of the write-ahead log using Snappy
  ##
  walCompression: false
  ## @param prometheus.paused If true, the Operator won't process any Prometheus configuration changes
  ##
  paused: false
  ## @param prometheus.replicaCount Number of Prometheus replicas desired
  ##
  replicaCount: 1
  ## @param prometheus.shards Number of Prometheus shards desired
  ##
  shards: 1
  ## @param prometheus.logLevel Log level for Prometheus
  ##
  logLevel: info
  ## @param prometheus.logFormat Log format for Prometheus
  ##
  logFormat: logfmt
  ## @param prometheus.nameValidationScheme Specifies the validation scheme for metric and label names
  ## See https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api-reference/api.md#monitoring.coreos.com/v1.NameValidationSchemeOptions
  ##
  nameValidationScheme: "UTF8"
  ## @param prometheus.podMetadata [object] Standard object's metadata
  ## ref: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
  ##
  podMetadata:
    ## labels:
    ##   app: prometheus
    ##   k8s-app: prometheus
    ##
    labels: {}
    annotations: {}
  ## @param prometheus.remoteRead The remote_read spec configuration for Prometheus
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#remotereadspec
  ## remoteRead:
  ##   - url: http://remote1/read
  ##
  remoteRead: []
  ## @param prometheus.remoteWrite The remote_write spec configuration for Prometheus
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#remotewritespec
  ## remoteWrite:
  ##   - url: http://remote1/push
  ##
  remoteWrite: []
  ## @param prometheus.enableRemoteWriteReceiver Enable Prometheus to be used as a receiver for the Prometheus remote write protocol.
  ##
  enableRemoteWriteReceiver: false
  ## @param prometheus.storageSpec Prometheus StorageSpec for persistent data
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/storage.md
  ##
  storageSpec: {}
  ## Prometheus persistence parameters
  ##
  persistence:
    ## @param prometheus.persistence.enabled Use PVCs to persist data. If the storageSpec is provided this will not take effect.
    ##
    enabled: false
    ## @param prometheus.persistence.storageClass Persistent Volume Storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param prometheus.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param prometheus.persistence.size Persistent Volume Size
    ##
    size: 8Gi
    ## @param prometheus.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
## @param prometheus.priorityClassName Priority class assigned to the Pods
1317
##
1318
priorityClassName: ""
1319
## @param prometheus.containers Containers allows injecting additional containers
1320
##
1321
containers: []
1322
## @param prometheus.initContainers Add additional init containers to the prometheus pod(s)
1323
## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
1324
## e.g:
1325
## initContainers:
1326
## - name: your-image-name
1327
## image: your-image
1328
## imagePullPolicy: Always
1329
## command: ['sh', '-c', 'echo "hello world"']
1330
##
1331
initContainers: []
1332
## @param prometheus.volumes Volumes allows configuration of additional volumes
1333
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
1334
##
1335
volumes: []
1336
## @param prometheus.volumeMounts VolumeMounts allows configuration of additional VolumeMounts. Evaluated as a template
1337
## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
1338
##
1339
volumeMounts: []
  ## @param prometheus.additionalPrometheusRules PrometheusRule defines recording and alerting rules for a Prometheus instance.
  ## - name: custom-recording-rules
  ##   groups:
  ##     - name: sum_node_by_job
  ##       rules:
  ##         - record: job:kube_node_labels:sum
  ##           expr: sum(kube_node_labels) by (job)
  ##     - name: sum_prometheus_config_reload_by_pod
  ##       rules:
  ##         - record: job:prometheus_config_last_reload_successful:sum
  ##           expr: sum(prometheus_config_last_reload_successful) by (pod)
  ## - name: custom-alerting-rules
  ##   groups:
  ##     - name: prometheus-config
  ##       rules:
  ##         - alert: PrometheusConfigurationReload
  ##           expr: prometheus_config_last_reload_successful != 1
  ##           for: 1m
  ##           labels:
  ##             severity: error
  ##           annotations:
  ##             summary: "Prometheus configuration reload (instance {{ $labels.instance }})"
  ##             description: "Prometheus configuration reload error\n VALUE = {{ $value }}\n LABELS: {{ $labels }}"
  ##     - name: custom-node-exporter-alerting-rules
  ##       rules:
  ##         - alert: PhysicalComponentTooHot
  ##           expr: node_hwmon_temp_celsius > 75
  ##           for: 5m
  ##           labels:
  ##             severity: warning
  ##           annotations:
  ##             summary: "Physical component too hot (instance {{ $labels.instance }})"
  ##             description: "Physical hardware component too hot\n VALUE = {{ $value }}\n LABELS: {{ $labels }}"
  ##         - alert: NodeOvertemperatureAlarm
  ##           expr: node_hwmon_temp_alarm == 1
  ##           for: 5m
  ##           labels:
  ##             severity: critical
  ##           annotations:
  ##             summary: "Node overtemperature alarm (instance {{ $labels.instance }})"
  ##             description: "Physical node temperature alarm triggered\n VALUE = {{ $value }}\n LABELS: {{ $labels }}"
  ##
  ## @param prometheus.additionalArgs Allows setting additional arguments for the Prometheus container
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.Prometheus
  ##
  additionalArgs: []
  additionalPrometheusRules: []
  ## Note that the prometheus will fail to provision if the correct secret does not exist.
  ## @param prometheus.additionalScrapeConfigs.enabled Enable additional scrape configs
  ## @param prometheus.additionalScrapeConfigs.type Indicates if the chart should use external additional scrape configs or internal configs
  ## @param prometheus.additionalScrapeConfigs.external.name Name of the secret that Prometheus should use for the additional external scrape configuration
  ## @param prometheus.additionalScrapeConfigs.external.key Name of the key inside the secret to be used for the additional external scrape configuration
  ## @param prometheus.additionalScrapeConfigs.internal.jobList A list of Prometheus scrape jobs
  ##
  additionalScrapeConfigs:
    enabled: false
    type: external
    external:
      ## Name of the secret that Prometheus should use for the additional scrape configuration
      ##
      name: ""
      ## Name of the key inside the secret to be used for the additional scrape configuration.
      ##
      key: ""
    internal:
      jobList: []
  ## Enable additional Prometheus alert relabel configs that are managed externally to this chart
  ## Note that the prometheus will fail to provision if the correct secret does not exist.
  ## @param prometheus.additionalAlertRelabelConfigsExternal.enabled Enable additional Prometheus alert relabel configs that are managed externally to this chart
  ## @param prometheus.additionalAlertRelabelConfigsExternal.name Name of the secret that Prometheus should use for the additional Prometheus alert relabel configuration
  ## @param prometheus.additionalAlertRelabelConfigsExternal.key Name of the key inside the secret to be used for the additional Prometheus alert relabel configuration
  ##
  additionalAlertRelabelConfigsExternal:
    enabled: false
    name: ""
    key: ""
  ## Enable additional Prometheus AlertManager configs that are managed externally to this chart
  ## Note that the prometheus will fail to provision if the correct secret does not exist.
  ## @param prometheus.additionalAlertManagerExternal.enabled Enable additional Prometheus AlertManager configs that are managed externally to this chart
  ## @param prometheus.additionalAlertManagerExternal.name Name of the secret that Prometheus should use for the additional Prometheus AlertManager configuration
  ## @param prometheus.additionalAlertManagerExternal.key Name of the key inside the secret to be used for the additional Prometheus AlertManager configuration
  ##
  additionalAlertManagerExternal:
    enabled: false
    name: ""
    key: ""
  ## Thanos sidecar container configuration
  ##
  thanos:
    ## @param prometheus.thanos.create Create a Thanos sidecar container
    ##
    create: false
    ## Iamguarded Thanos image
    ## @param prometheus.thanos.image.registry [default: REGISTRY_NAME] Thanos image registry
    ## @param prometheus.thanos.image.repository [default: REPOSITORY_NAME/thanos] Thanos image name
    ## @skip prometheus.thanos.image.tag Thanos image tag
    ## @param prometheus.thanos.image.digest Thanos image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param prometheus.thanos.image.pullPolicy Thanos image pull policy
    ## @param prometheus.thanos.image.pullSecrets Specify docker-registry secret names as an array
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/thanos-iamguarded
      tag: 0.41.0
      digest: ""
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets.
      ## Secrets must be manually created in the namespace.
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## Example:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
    ## Thanos Sidecar container's securityContext
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    ## @param prometheus.thanos.containerSecurityContext.enabled Enabled containers' Security Context
    ## @param prometheus.thanos.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
    ## @param prometheus.thanos.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
    ## @param prometheus.thanos.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
    ## @param prometheus.thanos.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
    ## @param prometheus.thanos.containerSecurityContext.privileged Set container's Security Context privileged
    ## @param prometheus.thanos.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
    ## @param prometheus.thanos.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
    ## @param prometheus.thanos.containerSecurityContext.capabilities.drop List of capabilities to be dropped
    ## @param prometheus.thanos.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
    ##
    containerSecurityContext:
      enabled: true
      seLinuxOptions: {}
      runAsUser: 1001
      runAsGroup: 1001
      runAsNonRoot: true
      privileged: false
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: "RuntimeDefault"
    ## @param prometheus.thanos.containerPorts.grpc Thanos grpc port
    ## @param prometheus.thanos.containerPorts.http Thanos http port
    ##
    containerPorts:
      grpc: 10901
      http: 10902
    ## @param prometheus.thanos.prometheusUrl Override default prometheus url `http://localhost:9090`
    ##
    prometheusUrl: ""
    ## @param prometheus.thanos.extraArgs Additional arguments passed to the thanos sidecar container
    ## extraArgs:
    ##   - --log.level=debug
    ##   - --tsdb.path=/data/
    ##
    extraArgs: []
    ## @param prometheus.thanos.objectStorageConfig.secretName Support mounting a Secret for the objectStorageConfig of the sideCar container.
    ## @param prometheus.thanos.objectStorageConfig.secretKey Secret key with the configuration file.
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/thanos.md
    ## objectStorageConfig:
    ##   secretName: thanos-objstore-config
    ##   secretKey: thanos.yaml
    ##
    objectStorageConfig:
      secretName: ""
      secretKey: thanos.yaml
    ## @param prometheus.thanos.extraEnvVars Array with extra environment variables to add to the thanos sidecar container
    ## For example:
    ## extraEnvVars:
    ##   - name: REQUEST_LOGGING_CONFIG
    ##     valueFrom:
    ##       secretKeyRef:
    ##         name: thanos-request-logging-config
    ##         key: request-logging-config.yml
    ##
    extraEnvVars: []
    ## @param prometheus.thanos.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for the thanos sidecar container
    ##
    extraEnvVarsCM: ""
    ## @param prometheus.thanos.extraEnvVarsSecret Name of existing Secret containing extra env vars for the thanos sidecar container
    ##
    extraEnvVarsSecret: ""
    ## ref: https://github.com/thanos-io/thanos/blob/main/docs/components/sidecar.md
    ## @param prometheus.thanos.extraVolumeMounts Additional volumeMounts from `prometheus.volumes` for thanos sidecar container
    ## extraVolumeMounts:
    ##   - name: my-secret-volume
    ##     mountPath: /etc/thanos/secrets/my-secret
    ##
    extraVolumeMounts: []
    ## Thanos sidecar container resource requests and limits.
    ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
    ## We usually recommend not to specify default resources and to leave this as a conscious
    ## choice for the user. This also increases chances charts run on environments with little
    ## resources, such as Minikube. If you do want to specify resources, uncomment the following
    ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
    ## @param prometheus.thanos.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if prometheus.thanos.resources is set (prometheus.thanos.resources is recommended for production).
    ##
    resourcesPreset: "nano"
    ## @param prometheus.thanos.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
    ## Example:
    ## resources:
    ##   requests:
    ##     cpu: 2
    ##     memory: 512Mi
    ##   limits:
    ##     cpu: 3
    ##     memory: 1024Mi
    ##
    resources: {}
    ## Configure extra options for liveness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param prometheus.thanos.livenessProbe.enabled Turn on and off liveness probe
    ## @param prometheus.thanos.livenessProbe.path Path of the HTTP service for checking the healthy state
    ## @param prometheus.thanos.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
    ## @param prometheus.thanos.livenessProbe.periodSeconds How often to perform the probe
    ## @param prometheus.thanos.livenessProbe.timeoutSeconds When the probe times out
    ## @param prometheus.thanos.livenessProbe.failureThreshold Minimum consecutive failures for the probe
    ## @param prometheus.thanos.livenessProbe.successThreshold Minimum consecutive successes for the probe
    ##
    livenessProbe:
      enabled: true
      path: /-/healthy
      initialDelaySeconds: 0
      periodSeconds: 5
      timeoutSeconds: 3
      failureThreshold: 120
      successThreshold: 1
    ## Configure extra options for readiness probe
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
    ## @param prometheus.thanos.readinessProbe.enabled Turn on and off readiness probe
    ## @param prometheus.thanos.readinessProbe.path Path of the HTTP service for checking the ready state
    ## @param prometheus.thanos.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
    ## @param prometheus.thanos.readinessProbe.periodSeconds How often to perform the probe
    ## @param prometheus.thanos.readinessProbe.timeoutSeconds When the probe times out
    ## @param prometheus.thanos.readinessProbe.failureThreshold Minimum consecutive failures for the probe
    ## @param prometheus.thanos.readinessProbe.successThreshold Minimum consecutive successes for the probe
    ##
    readinessProbe:
      enabled: true
      path: /-/ready
      initialDelaySeconds: 0
      periodSeconds: 5
      timeoutSeconds: 3
      failureThreshold: 120
      successThreshold: 1
    ## Thanos Sidecar Service
    ##
    service:
      ## @param prometheus.thanos.service.type Kubernetes service type
      ##
      type: ClusterIP
      ## @param prometheus.thanos.service.ports.grpc Thanos service port
      ## @param prometheus.thanos.service.ports.http Thanos service port
      ##
      ports:
        grpc: 10901
        http: 10902
      ## @param prometheus.thanos.service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` to create headless service by default.
      ## Use a "headless" service by default so it returns every pod's IP instead of loadbalancing requests.
      ##
      clusterIP: None
      ## @param prometheus.thanos.service.nodePorts.grpc Specify the nodePort value for the LoadBalancer and NodePort service types.
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
      ## e.g:
      ## nodePort: 30901
      ##
      nodePorts:
        grpc: ""
      ## @param prometheus.thanos.service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer`
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
      ##
      loadBalancerIP: ""
      ## @param prometheus.thanos.service.loadBalancerClass Thanos service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerClass: ""
      ## @param prometheus.thanos.service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer`
      ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param prometheus.thanos.service.labels Additional labels for Thanos service
      ##
      labels: {}
      ## @param prometheus.thanos.service.annotations Additional annotations for Thanos service
      ##
      annotations: {}
      ## @param prometheus.thanos.service.extraPorts Additional ports to expose from the Thanos sidecar container
      ## extraPorts:
      ##   - name: http
      ##     port: 10902
      ##     targetPort: http
      ##     protocol: TCP
      ##
      extraPorts: []
      ## @param prometheus.thanos.service.externalTrafficPolicy Prometheus service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param prometheus.thanos.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
      ## If "ClientIP", consecutive client requests will be directed to the same Pod
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
      ##
      sessionAffinity: None
      ## @param prometheus.thanos.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Configure the ingress resource that allows you to access the
    ## Thanos Sidecar installation. Set up the URL
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
    ##
    ingress:
      ## @param prometheus.thanos.ingress.enabled Enable ingress controller resource
      ##
      enabled: false
      ## @param prometheus.thanos.ingress.pathType Ingress path type
      ##
      pathType: ImplementationSpecific
      ## @param prometheus.thanos.ingress.apiVersion Force Ingress API version (automatically detected if not set)
      ##
      apiVersion: ""
      ## @param prometheus.thanos.ingress.hostname Default host for the ingress record
      ##
      hostname: thanos.prometheus.local
      ## @param prometheus.thanos.ingress.path Default path for the ingress record
      ## NOTE: You may need to set this to '/*' in order to use this with ALB ingress controllers
      ##
      path: /
      ## @param prometheus.thanos.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
      ## For a full list of possible ingress annotations, please see
      ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
      ## Use this parameter to set the required annotations for cert-manager, see
      ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
      ##
      ## Examples:
      ## kubernetes.io/ingress.class: nginx
      ## cert-manager.io/cluster-issuer: cluster-issuer-name
      ##
      annotations: {}
      ## @param prometheus.thanos.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
      ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
      ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
      ##
      ingressClassName: ""
      ## @param prometheus.thanos.ingress.tls Enable TLS configuration for the host defined at `ingress.hostname` parameter
      ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.ingress.hostname }}`
      ## You can:
      ##   - Use the `ingress.secrets` parameter to create this TLS secret
      ##   - Rely on cert-manager to create it by setting `ingress.certManager=true`
      ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
      ##
      tls: false
      ## @param prometheus.thanos.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
      ##
      selfSigned: false
      ## @param prometheus.thanos.ingress.extraHosts An array with additional hostname(s) to be covered with the ingress record
      ## e.g:
      ## extraHosts:
      ##   - name: thanos.prometheus.local
      ##     path: /
      ##
      extraHosts: []
      ## @param prometheus.thanos.ingress.extraPaths An array with additional arbitrary paths that may need to be added to the ingress under the main host
      ## e.g:
      ## extraPaths:
      ##   - path: /*
      ##     backend:
      ##       serviceName: ssl-redirect
      ##       servicePort: use-annotation
      ##
      extraPaths: []
      ## @param prometheus.thanos.ingress.extraTls TLS configuration for additional hostname(s) to be covered with this ingress record
      ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
      ## e.g:
      ## extraTls:
      ##   - hosts:
      ##       - thanos.prometheus.local
      ##     secretName: thanos.prometheus.local-tls
      ##
      extraTls: []
      ## @param prometheus.thanos.ingress.secrets Custom TLS certificates as secrets
      ## NOTE: 'key' and 'certificate' are expected in PEM format
      ## NOTE: 'name' should line up with a 'secretName' set further up
      ## If it is not set and you're using cert-manager, this is unneeded, as it will create a secret for you with valid certificates
      ## If it is not set and you're NOT using cert-manager either, self-signed certificates will be created valid for 365 days
      ## It is also possible to create and manage the certificates outside of this helm chart
      ## Please see README.md for more information
      ## e.g:
      ## secrets:
      ##   - name: thanos.prometheus.local-tls
      ##     key: |-
      ##       -----BEGIN RSA PRIVATE KEY-----
      ##       ...
      ##       -----END RSA PRIVATE KEY-----
      ##     certificate: |-
      ##       -----BEGIN CERTIFICATE-----
      ##       ...
      ##       -----END CERTIFICATE-----
      ##
      secrets: []
      ## @param prometheus.thanos.ingress.extraRules The list of additional rules to be added to this ingress record. Evaluated as a template
      ## Useful when looking for additional customization, such as using different backend
      ##
      extraRules: []
    ## Create a ServiceMonitor to monitor Prometheus thanos sidecar
    ##
    serviceMonitor:
      ## @param prometheus.thanos.serviceMonitor.enabled Creates a ServiceMonitor to monitor Prometheus thanos sidecar
      ##
      enabled: false
      ## @param prometheus.thanos.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
      ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ##
      interval: ""
      ## @param prometheus.thanos.serviceMonitor.path HTTP path to scrape for metrics
      ##
      path: /metrics
      ## @param prometheus.thanos.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
      ##
      jobLabel: ""
      ## @param prometheus.thanos.serviceMonitor.metricRelabelings Metric relabeling
      ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
      ##
      metricRelabelings: []
      ## @param prometheus.thanos.serviceMonitor.relabelings Relabel configs
      ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
      ##
      relabelings: []
      ## @param prometheus.thanos.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
      ##
      sampleLimit: ""
  ## config-reloader sidecar container configuration
  ##
  configReloader:
    ## config-reloader sidecar Service
    ##
    service:
      ## @param prometheus.configReloader.service.enabled Enable config-reloader sidecar service
      ##
      enabled: false
      ## @param prometheus.configReloader.service.type Kubernetes service type
      ##
      type: ClusterIP
      ## @param prometheus.configReloader.service.ports.http config-reloader sidecar container service port
      ##
      ports:
        http: 8080
      ## @param prometheus.configReloader.service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` to create headless service by default.
      ## Use a "headless" service by default so it returns every pod's IP instead of loadbalancing requests.
      ##
      clusterIP: None
      ## @param prometheus.configReloader.service.nodePorts.http Specify the nodePort value for the LoadBalancer and NodePort service types.
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
      ## e.g:
      ## nodePort: 30901
      ##
      nodePorts:
        http: ""
      ## @param prometheus.configReloader.service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer`
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
      ##
      loadBalancerIP: ""
      ## @param prometheus.configReloader.service.loadBalancerClass Prometheus Config Reloader service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
      ##
      loadBalancerClass: ""
      ## @param prometheus.configReloader.service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer`
      ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
      ## e.g:
      ## loadBalancerSourceRanges:
      ##   - 10.10.10.0/24
      ##
      loadBalancerSourceRanges: []
      ## @param prometheus.configReloader.service.labels Additional labels for Prometheus service
      ##
      labels: {}
      ## @param prometheus.configReloader.service.annotations Additional annotations for Prometheus service
      ##
      annotations: {}
      ## @param prometheus.configReloader.service.extraPorts Additional ports to expose from the config-reloader sidecar container
      ## extraPorts:
      ##   - name: http
      ##     port: 10902
      ##     targetPort: http
      ##     protocol: TCP
      ##
      extraPorts: []
      ## @param prometheus.configReloader.service.externalTrafficPolicy Prometheus service external traffic policy
      ## ref: http://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
      ##
      externalTrafficPolicy: Cluster
      ## @param prometheus.configReloader.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
      ## If "ClientIP", consecutive client requests will be directed to the same Pod
      ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
      ##
      sessionAffinity: None
      ## @param prometheus.configReloader.service.sessionAffinityConfig Additional settings for the sessionAffinity
      ## sessionAffinityConfig:
      ##   clientIP:
      ##     timeoutSeconds: 300
      ##
      sessionAffinityConfig: {}
    ## Create a ServiceMonitor to monitor Prometheus config-reloader sidecar
    ##
    serviceMonitor:
      ## @param prometheus.configReloader.serviceMonitor.enabled Creates a ServiceMonitor to monitor Prometheus config-reloader sidecar
      ##
      enabled: false
      ## @param prometheus.configReloader.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
      ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
      ##
      interval: ""
      ## @param prometheus.configReloader.serviceMonitor.path HTTP path to scrape for metrics
      ##
      path: /metrics
      ## @param prometheus.configReloader.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
      ##
      jobLabel: ""
      ## @param prometheus.configReloader.serviceMonitor.metricRelabelings Metric relabeling
      ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
      ##
      metricRelabelings: []
      ## @param prometheus.configReloader.serviceMonitor.relabelings Relabel configs
      ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
      ##
      relabelings: []
      ## @param prometheus.configReloader.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
      ##
      sampleLimit: ""
  ## @param prometheus.portName Port name used for the pods and governing service. This defaults to web
  ##
  portName: web
## @section Alertmanager Parameters
##

## Configuration for alertmanager
## ref: https://prometheus.io/docs/alerting/alertmanager/
##
alertmanager:
  ## @param alertmanager.enabled Deploy Alertmanager to the cluster
  ##
  enabled: true
  ## Iamguarded Alertmanager image version
  ## @param alertmanager.image.registry [default: REGISTRY_NAME] Alertmanager image registry
  ## @param alertmanager.image.repository [default: REPOSITORY_NAME/alertmanager] Alertmanager image repository
  ## @skip alertmanager.image.tag Alertmanager image tag (immutable tags are recommended)
  ## @param alertmanager.image.digest Alertmanager image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param alertmanager.image.pullPolicy Alertmanager image pull policy
  ## @param alertmanager.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/prometheus-alertmanager-iamguarded
    tag: 0.32.1
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## Service account for Alertmanager to use.
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param alertmanager.serviceAccount.create Specify whether to create a ServiceAccount for Alertmanager
    ##
    create: true
    ## @param alertmanager.serviceAccount.name The name of the ServiceAccount to create
    ## If not set and create is true, a name is generated using the kube-prometheus.alertmanager.fullname template
    ##
    name: ""
    ## @param alertmanager.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
    ## @param alertmanager.serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
    ##
    annotations: {}
  ## Prometheus Alertmanager pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param alertmanager.podSecurityContext.enabled Enable security context
  ## @param alertmanager.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param alertmanager.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param alertmanager.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param alertmanager.podSecurityContext.fsGroup Group ID for the container filesystem
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
1941
## Prometheus Alertmanager container's securityContext
1942
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
1943
## @param alertmanager.containerSecurityContext.enabled Enabled containers' Security Context
1944
## @param alertmanager.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
1945
## @param alertmanager.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
1946
## @param alertmanager.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
1947
## @param alertmanager.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
1948
## @param alertmanager.containerSecurityContext.privileged Set container's Security Context privileged
1949
## @param alertmanager.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
1950
## @param alertmanager.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
1951
## @param alertmanager.containerSecurityContext.capabilities.drop List of capabilities to be dropped
1952
## @param alertmanager.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
1953
##
1954
containerSecurityContext:
1955
enabled: true
1956
seLinuxOptions: {}
1957
runAsUser: 1001
1958
runAsGroup: 1001
1959
runAsNonRoot: true
1960
privileged: false
1961
readOnlyRootFilesystem: true
1962
allowPrivilegeEscalation: false
1963
capabilities:
1964
drop: ["ALL"]
1965
seccompProfile:
1966
type: "RuntimeDefault"
  ## Configure pod disruption budgets for Alertmanager
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
  ## @param alertmanager.pdb.create Create a pod disruption budget for Alertmanager
  ## @param alertmanager.pdb.minAvailable Minimum number / percentage of pods that should remain scheduled
  ## @param alertmanager.pdb.maxUnavailable Maximum number / percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## Alertmanager Service
  ##
  service:
    ## @param alertmanager.service.type Kubernetes service type
    ##
    type: ClusterIP
    ## @param alertmanager.service.ports.http Alertmanager service port
    ##
    ports:
      http: 9093
    ## @param alertmanager.service.clusterIP Specific cluster IP when service type is cluster IP. Use `None` for headless service
    ## e.g:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param alertmanager.service.nodePorts.http Specify the nodePort value for the LoadBalancer and NodePort service types.
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
    ## e.g:
    ## nodePort: 30903
    ##
    nodePorts:
      http: ""
    ## @param alertmanager.service.loadBalancerIP `loadBalancerIP` if service type is `LoadBalancer`
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param alertmanager.service.loadBalancerClass Alertmanager service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param alertmanager.service.loadBalancerSourceRanges Addresses that are allowed when svc is `LoadBalancer`
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param alertmanager.service.externalTrafficPolicy Enable client source IP preservation
    ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints
    ## There are two available options: Cluster (default) and Local.
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param alertmanager.service.healthCheckNodePort Specifies the health check node port
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    healthCheckNodePort: ""
    ## @param alertmanager.service.extraPorts Extra ports to expose (normally used with the `sidecar` value)
    ##
    extraPorts: []
    ## @param alertmanager.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP"
    ## If "ClientIP", consecutive client requests will be directed to the same Pod
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
    ##
    sessionAffinity: None
    ## @param alertmanager.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
    ## @param alertmanager.service.annotations Additional annotations for Alertmanager service (this value is evaluated as a template)
    ##
    annotations: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param alertmanager.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param alertmanager.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param alertmanager.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param alertmanager.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param alertmanager.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param alertmanager.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param alertmanager.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## If true, create a serviceMonitor for alertmanager
  ##
  serviceMonitor:
    ## @param alertmanager.serviceMonitor.enabled Creates a ServiceMonitor to monitor Alertmanager
    ##
    enabled: true
    ## @param alertmanager.serviceMonitor.interval Scrape interval. If not set, the Prometheus default scrape interval is used.
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param alertmanager.serviceMonitor.metricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    metricRelabelings: []
    ## @param alertmanager.serviceMonitor.relabelings Relabel configs
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    ##
    relabelings: []
    ## @param alertmanager.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param alertmanager.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param alertmanager.serviceMonitor.selector ServiceMonitor selector labels
    ##
    ## selector:
    ##   prometheus: my-prometheus
    ##
    selector: {}
    ## @param alertmanager.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param alertmanager.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param alertmanager.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
    ## @param alertmanager.serviceMonitor.extraParameters Any extra parameter to be added to the endpoint configured in the ServiceMonitor
    ## (e.g. tlsConfig for further customization of the HTTPS behavior)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.Endpoint
    ##
    extraParameters: {}
    ## @param alertmanager.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
  ## Configure the ingress resource that allows you to access the
  ## Alertmanager installation. Set up the URL
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param alertmanager.ingress.enabled Enable ingress controller resource
    ##
    enabled: false
    ## @param alertmanager.ingress.pathType Ingress Path type
    ##
    pathType: ImplementationSpecific
    ## @param alertmanager.ingress.apiVersion Override API Version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param alertmanager.ingress.hostname Default host for the ingress resource
    ##
    hostname: alertmanager.local
    ## @param alertmanager.ingress.path The Path to Alert Manager. You may need to set this to '/*' in order to use this with ALB ingress controllers.
    ##
    path: /
    ## @param alertmanager.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## For a full list of possible ingress annotations, please see
    ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ##
    ## e.g:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param alertmanager.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param alertmanager.ingress.tls Enable TLS configuration for the hostname defined at alertmanager.ingress.hostname parameter
    ## TLS certificates will be retrieved from a TLS secret with name: {{- printf "%s-tls" .Values.alertmanager.ingress.hostname }}
    ## You can use the alertmanager.ingress.secrets parameter to create this TLS secret or rely on cert-manager to create it
    ##
    tls: false
    ## @param alertmanager.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
    ## @param alertmanager.ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
    ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
    ## extraHosts:
    ## - name: alertmanager.local
    ##   path: /
    ##
    extraHosts: []
    ## @param alertmanager.ingress.extraPaths Additional arbitrary path/backend objects
    ## For example: The ALB ingress controller requires a special rule for handling SSL redirection.
    ## extraPaths:
    ## - path: /*
    ##   backend:
    ##     serviceName: ssl-redirect
    ##     servicePort: use-annotation
    ##
    extraPaths: []
    ## @param alertmanager.ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
    ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## extraTls:
    ## - hosts:
    ##     - alertmanager.local
    ##   secretName: alertmanager.local-tls
    ##
    extraTls: []
    ## @param alertmanager.ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
    ## key and certificate should start with -----BEGIN CERTIFICATE----- or
    ## -----BEGIN RSA PRIVATE KEY-----
    ##
    ## name should line up with a tlsSecret set further up
    ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
    ##
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## secrets:
    ##   - name: alertmanager.local-tls
    ##     key:
    ##     certificate:
    ##
    secrets: []
    ## @param alertmanager.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
  ## @param alertmanager.enableFeatures Enable access to Alertmanager disabled features.
  ##
  enableFeatures: []
  ## @param alertmanager.externalUrl External URL used to access Alertmanager
  ## e.g:
  ## externalUrl: https://alertmanager.example.com
  ##
  externalUrl: ""
  ## @param alertmanager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if alertmanager.resources is set (alertmanager.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param alertmanager.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ##
  resources: {}
  ## @param alertmanager.podAffinityPreset Alertmanager Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param alertmanager.podAntiAffinityPreset Alertmanager Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param alertmanager.nodeAffinityPreset.type Alertmanager Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param alertmanager.nodeAffinityPreset.key Alertmanager Node label key to match. Ignored if `affinity` is set.
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param alertmanager.nodeAffinityPreset.values Alertmanager Node label values to match. Ignored if `affinity` is set.
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param alertmanager.affinity Alertmanager Affinity for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: alertmanager.podAffinityPreset, alertmanager.podAntiAffinityPreset, and alertmanager.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param alertmanager.nodeSelector Alertmanager Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param alertmanager.tolerations Alertmanager Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## Alertmanager configuration
  ## ref: https://prometheus.io/docs/alerting/configuration/#configuration-file
  ## @param alertmanager.config [object] Alertmanager configuration directive
  ## @skip alertmanager.config.route.group_by
  ## @skip alertmanager.config.route.routes
  ## @skip alertmanager.config.receivers
  ##
  config:
    global:
      resolve_timeout: 5m
    route:
      group_by: ['job']
      group_wait: 30s
      group_interval: 5m
      repeat_interval: 12h
      receiver: 'null'
      routes:
        - match:
            alertname: Watchdog
          receiver: 'null'
    receivers:
      - name: 'null'
  ## @param alertmanager.templateFiles Extra files to be added inside the `alertmanager-{{ template "kube-prometheus.alertmanager.fullname" . }}` secret.
  ##
  templateFiles: {}
  ## @param alertmanager.externalConfig Alertmanager configuration is created externally. If true, `alertmanager.config` is ignored, and a secret will not be created.
  ## Alertmanager requires a secret named `alertmanager-{{ template "kube-prometheus.alertmanager.fullname" . }}`
  ## It must contain:
  ##   alertmanager.yaml: <config>
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/alerting.md#alerting
  ##
  externalConfig: false
  ## @param alertmanager.replicaCount Number of Alertmanager replicas desired
  ##
  replicaCount: 1
  ## Configure extra options for liveness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param alertmanager.livenessProbe.enabled Turn on and off liveness probe
  ## @param alertmanager.livenessProbe.path Path of the HTTP service for checking the healthy state
  ## @param alertmanager.livenessProbe.initialDelaySeconds Delay before liveness probe is initiated
  ## @param alertmanager.livenessProbe.periodSeconds How often to perform the probe
  ## @param alertmanager.livenessProbe.timeoutSeconds When the probe times out
  ## @param alertmanager.livenessProbe.failureThreshold Minimum consecutive failures for the probe
  ## @param alertmanager.livenessProbe.successThreshold Minimum consecutive successes for the probe
  ##
  livenessProbe:
    enabled: true
    path: /-/healthy
    initialDelaySeconds: 0
    periodSeconds: 5
    timeoutSeconds: 3
    failureThreshold: 120
    successThreshold: 1
  ## Configure extra options for readiness probe
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes
  ## @param alertmanager.readinessProbe.enabled Turn on and off readiness probe
  ## @param alertmanager.readinessProbe.path Path of the HTTP service for checking the ready state
  ## @param alertmanager.readinessProbe.initialDelaySeconds Delay before readiness probe is initiated
  ## @param alertmanager.readinessProbe.periodSeconds How often to perform the probe
  ## @param alertmanager.readinessProbe.timeoutSeconds When the probe times out
  ## @param alertmanager.readinessProbe.failureThreshold Minimum consecutive failures for the probe
  ## @param alertmanager.readinessProbe.successThreshold Minimum consecutive successes for the probe
  ##
  readinessProbe:
    enabled: true
    path: /-/ready
    initialDelaySeconds: 0
    periodSeconds: 5
    timeoutSeconds: 3
    failureThreshold: 120
    successThreshold: 1
  ## @param alertmanager.logLevel Log level for Alertmanager
  ##
  logLevel: info
  ## @param alertmanager.logFormat Log format for Alertmanager
  ##
  logFormat: logfmt
  ## @param alertmanager.podMetadata [object] Standard object's metadata.
  ## ref: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
  ##
  podMetadata:
    labels: {}
    annotations: {}
  ## @param alertmanager.secrets Secrets that should be mounted into the Alertmanager Pods
  ##
  secrets: []
  ## @param alertmanager.configMaps ConfigMaps that should be mounted into the Alertmanager Pods
  ##
  configMaps: []
  ## @param alertmanager.retention Metrics retention days
  ##
  retention: 120h
  ## @param alertmanager.storageSpec Alertmanager StorageSpec for persistent data
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/storage.md
  ##
  storageSpec: {}
  ## Alertmanager persistence parameters
  ##
  persistence:
    ## @param alertmanager.persistence.enabled Use PVCs to persist data. If the storageSpec is provided this will not take effect.
    ## If you want to use this configuration make sure the storageSpec is not provided.
    ##
    enabled: false
    ## @param alertmanager.persistence.storageClass Persistent Volume Storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ## set, choosing the default provisioner.
    ##
    storageClass: ""
    ## @param alertmanager.persistence.accessModes Persistent Volume Access Modes
    ##
    accessModes:
      - ReadWriteOnce
    ## @param alertmanager.persistence.size Persistent Volume Size
    ##
    size: 8Gi
    ## @param alertmanager.persistence.annotations Persistent Volume Claim annotations
    ##
    annotations: {}
  ## @param alertmanager.paused If true, the Operator won't process any Alertmanager configuration changes
  ##
  paused: false
  ## @param alertmanager.listenLocal ListenLocal makes the Alertmanager server listen on loopback
  ##
  listenLocal: false
  ## @param alertmanager.containers Containers allows injecting additional containers
  ##
  containers: []
  ## @param alertmanager.volumes Volumes allows configuration of additional volumes. Evaluated as a template
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#alertmanagerspec
  ##
  volumes: []
  ## @param alertmanager.volumeMounts VolumeMounts allows configuration of additional VolumeMounts. Evaluated as a template
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#alertmanagerspec
  ##
  volumeMounts: []
  ## @param alertmanager.priorityClassName Priority class assigned to the Pods
  ##
  priorityClassName: ""
  ## @param alertmanager.additionalPeers AdditionalPeers allows injecting a set of additional Alertmanagers to peer with to form a highly available cluster
  ##
  additionalPeers: []
  ## @param alertmanager.routePrefix Prefix used to register routes, overriding externalUrl route
  ## Useful for proxies that rewrite URLs.
  ##
  routePrefix: /
  ## @param alertmanager.portName Port name used for the pods and governing service. This defaults to web
  ##
  portName: web
  ## @param alertmanager.configNamespaceSelector Namespaces to be selected for AlertmanagerConfig discovery. If nil, only check own namespace. This defaults to {}
  ##
  configNamespaceSelector: {}
  ## @param alertmanager.configSelector AlertmanagerConfigs to be selected to merge and configure Alertmanager with. This defaults to {}
  ##
  configSelector: {}
  ## @param alertmanager.configuration EXPERIMENTAL: alertmanagerConfiguration specifies the global Alertmanager configuration. If defined, it takes precedence over the `configSecret` field. This field may change in future releases. The specified global alertmanager config will not force add a namespace label in routes and inhibitRules
  ##
  configuration: {}
  ## @param alertmanager.configMatcherStrategy alertmanagerConfigMatcherStrategy defines how AlertmanagerConfig objects match the alerts.
  ## E.g.
  ## configMatcherStrategy:
  ##   type: OnNamespace
  ## If type set to `OnNamespace`, the operator injects a label matcher matching the
  ## namespace of the AlertmanagerConfig object for all its routes and inhibition
  ## rules. `None` will not add any additional matchers other than the ones
  ## specified in the AlertmanagerConfig. Default is `OnNamespace`.
  configMatcherStrategy: {}
## @section Exporters
##

## Exporters
##
exporters:
  node-exporter:
    ## @param exporters.node-exporter.enabled Enable node-exporter
    ##
    enabled: true
  kube-state-metrics:
    ## @param exporters.kube-state-metrics.enabled Enable kube-state-metrics
    ##
    enabled: true
## @param node-exporter [object] Node Exporter deployment configuration
##
node-exporter:
  image:
    registry: cgr.dev
    repository: chainguard-private/prometheus-node-exporter-iamguarded
    tag: 1.11.1
    digest: ""
  service:
    labels:
      jobLabel: node-exporter
  serviceMonitor:
    enabled: true
    jobLabel: jobLabel
  extraArgs:
    collector.filesystem.mount-points-exclude: "^/(dev|proc|sys|var/lib/docker/.+)($|/)"
    collector.filesystem.fs-types-exclude: "^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
## @param kube-state-metrics [object] Kube State Metrics deployment configuration
##
kube-state-metrics:
  image:
    registry: cgr.dev
    repository: chainguard-private/kube-state-metrics-iamguarded
    tag: 2.18.0
    digest: ""
  serviceMonitor:
    enabled: true
    honorLabels: true
## Component scraping for kubelet and kubelet hosted cAdvisor
##
kubelet:
  ## @param kubelet.enabled Create a ServiceMonitor to scrape kubelet service
  ##
  enabled: true
  ## @param kubelet.namespace Namespace where kubelet service is deployed. Related configuration `operator.kubeletService.namespace`
  ##
  namespace: kube-system
  serviceMonitor:
    ## @param kubelet.serviceMonitor.https Enable scraping of the kubelet over HTTPS
    ##
    https: true
    ## @param kubelet.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param kubelet.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: k8s-app
    ## @param kubelet.serviceMonitor.resource Enable scraping /metrics/resource from kubelet's service
    ##
    resource: false
    ## @param kubelet.serviceMonitor.resourcePath From kubernetes 1.18, /metrics/resource/v1alpha1 was renamed to /metrics/resource
    ##
    resourcePath: "/metrics/resource/v1alpha1"
    ## @param kubelet.serviceMonitor.resourceRelabelings Metric relabeling
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#relabelconfig
    ##
    resourceRelabelings: []
    ## @param kubelet.serviceMonitor.resourceMetricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    resourceMetricRelabelings: []
    ## @param kubelet.serviceMonitor.metricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    metricRelabelings: []
    ## @param kubelet.serviceMonitor.relabelings Relabel configs
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    ##
    relabelings: []
    ## @param kubelet.serviceMonitor.cAdvisor Enable scraping /metrics/cadvisor from kubelet's service
    ## ref: https://prometheus.io/docs/guides/cadvisor/#exploring-metrics-in-the-expression-browser
    ##
    cAdvisor: true
    ## @param kubelet.serviceMonitor.cAdvisorMetricRelabelings Metric relabeling for scraping cAdvisor
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    cAdvisorMetricRelabelings: []
    ## @param kubelet.serviceMonitor.cAdvisorRelabelings Relabel configs for scraping cAdvisor
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    cAdvisorRelabelings: []
    ## @param kubelet.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param kubelet.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param kubelet.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
## @section Blackbox Exporter Deployment Parameters
##
blackboxExporter:
  ## @param blackboxExporter.enabled Enable Blackbox Exporter deployment
  ##
  enabled: true
  ## Iamguarded Blackbox Exporter image version
  ## @param blackboxExporter.image.registry [default: REGISTRY_NAME] Blackbox Exporter image registry
  ## @param blackboxExporter.image.repository [default: REPOSITORY_NAME/blackbox-exporter] Blackbox Exporter image repository
  ## @param blackboxExporter.image.pullPolicy Blackbox Exporter image pull policy
  ## @skip blackboxExporter.image.tag Blackbox Exporter image tag (immutable tags are recommended)
  ## @param blackboxExporter.image.digest Blackbox Exporter image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param blackboxExporter.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/prometheus-blackbox-exporter-iamguarded
    tag: 0.28.0
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## Example:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param blackboxExporter.extraEnvVars Array with extra environment variables to add to blackboxExporter nodes
  ## e.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param blackboxExporter.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for blackboxExporter nodes
  ##
  extraEnvVarsCM: ""
  ## @param blackboxExporter.extraEnvVarsSecret Name of existing Secret containing extra env vars for blackboxExporter nodes
  ##
  extraEnvVarsSecret: ""
  ## @param blackboxExporter.command Override default container command (useful when using custom images)
  ##
  command: []
  ## @param blackboxExporter.args Override default container args (useful when using custom images)
  ##
  args: []
  ## @param blackboxExporter.replicaCount Number of Blackbox Exporter replicas to deploy
  ##
  replicaCount: 1
  ## Configure extra options for Blackbox Exporter container liveness, readiness and startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
  ## @param blackboxExporter.livenessProbe.enabled Enable livenessProbe on Blackbox Exporter nodes
  ## @param blackboxExporter.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param blackboxExporter.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param blackboxExporter.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param blackboxExporter.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param blackboxExporter.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 30
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  ## @param blackboxExporter.readinessProbe.enabled Enable readinessProbe on Blackbox Exporter nodes
  ## @param blackboxExporter.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param blackboxExporter.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param blackboxExporter.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param blackboxExporter.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param blackboxExporter.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 60
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  ## @param blackboxExporter.startupProbe.enabled Enable startupProbe on Blackbox Exporter containers
  ## @param blackboxExporter.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param blackboxExporter.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param blackboxExporter.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param blackboxExporter.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param blackboxExporter.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 30
    periodSeconds: 10
    timeoutSeconds: 1
    failureThreshold: 15
    successThreshold: 1
  ## @param blackboxExporter.customLivenessProbe Custom livenessProbe that overrides the default one
  ##
  customLivenessProbe: {}
  ## @param blackboxExporter.customReadinessProbe Custom readinessProbe that overrides the default one
  ##
  customReadinessProbe: {}
  ## @param blackboxExporter.customStartupProbe Custom startupProbe that overrides the default one
  ##
  customStartupProbe: {}
  ## @param blackboxExporter.configuration [object] Blackbox Exporter configuration
  ##
  configuration: |
    "modules":
      "http_2xx":
        "http":
          "preferred_ip_protocol": "ip4"
        "prober": "http"
      "http_post_2xx":
        "http":
          "method": "POST"
          "preferred_ip_protocol": "ip4"
        "prober": "http"
      "irc_banner":
        "prober": "tcp"
        "tcp":
          "preferred_ip_protocol": "ip4"
          "query_response":
          - "send": "NICK prober"
          - "send": "USER prober prober prober :prober"
          - "expect": "PING :([^ ]+)"
            "send": "PONG ${1}"
          - "expect": "^:[^ ]+ 001"
      "pop3s_banner":
        "prober": "tcp"
        "tcp":
          "preferred_ip_protocol": "ip4"
          "query_response":
          - "expect": "^+OK"
          "tls": true
          "tls_config":
            "insecure_skip_verify": false
      "ssh_banner":
        "prober": "tcp"
        "tcp":
          "preferred_ip_protocol": "ip4"
          "query_response":
          - "expect": "^SSH-2.0-"
      "tcp_connect":
        "prober": "tcp"
        "tcp":
          "preferred_ip_protocol": "ip4"
  ## @param blackboxExporter.existingConfigMap ConfigMap pointing to the Blackbox Exporter configuration
  ##
  existingConfigMap: ""
  ## @param blackboxExporter.containerPorts.http Blackbox Exporter HTTP container port
  ##
  containerPorts:
    http: 19115
  serviceAccount:
    ## @param blackboxExporter.serviceAccount.create Enable creation of ServiceAccount for Blackbox Exporter pod
    ##
    create: true
    ## @param blackboxExporter.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param blackboxExporter.serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
    ## Can be set to false if pods using this serviceAccount do not need to use K8s API
    ##
    automountServiceAccountToken: false
    ## @param blackboxExporter.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
  ## Blackbox Exporter resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param blackboxExporter.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if blackboxExporter.resources is set (blackboxExporter.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param blackboxExporter.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param blackboxExporter.podSecurityContext.enabled Enabled Blackbox Exporter pods' Security Context
  ## @param blackboxExporter.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param blackboxExporter.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param blackboxExporter.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param blackboxExporter.podSecurityContext.fsGroup Set Blackbox Exporter pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param blackboxExporter.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param blackboxExporter.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param blackboxExporter.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param blackboxExporter.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param blackboxExporter.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param blackboxExporter.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param blackboxExporter.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
  ## @param blackboxExporter.containerSecurityContext.allowPrivilegeEscalation Set container's Security Context allowPrivilegeEscalation
  ## @param blackboxExporter.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param blackboxExporter.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
  ## @param blackboxExporter.lifecycleHooks for the blackboxExporter container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
  ## @param blackboxExporter.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param blackboxExporter.hostAliases blackboxExporter pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param blackboxExporter.podLabels Extra labels for blackboxExporter pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param blackboxExporter.podAnnotations Annotations for blackboxExporter pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param blackboxExporter.podAffinityPreset Pod affinity preset. Ignored if `blackboxExporter.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param blackboxExporter.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `blackboxExporter.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node blackboxExporter.affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param blackboxExporter.nodeAffinityPreset.type Node affinity preset type. Ignored if `blackboxExporter.affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param blackboxExporter.nodeAffinityPreset.key Node label key to match. Ignored if `blackboxExporter.affinity` is set
    ##
    key: ""
    ## @param blackboxExporter.nodeAffinityPreset.values Node label values to match. Ignored if `blackboxExporter.affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param blackboxExporter.affinity Affinity for Blackbox Exporter pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `blackboxExporter.podAffinityPreset`, `blackboxExporter.podAntiAffinityPreset`, and `blackboxExporter.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param blackboxExporter.nodeSelector Node labels for Blackbox Exporter pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param blackboxExporter.tolerations Tolerations for Blackbox Exporter pods assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param blackboxExporter.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods
  ##
  topologySpreadConstraints: []
  ## @param blackboxExporter.priorityClassName Blackbox Exporter pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param blackboxExporter.schedulerName Kubernetes pod scheduler registry
  ## https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param blackboxExporter.terminationGracePeriodSeconds In seconds, time given to the Blackbox Exporter pod to terminate gracefully
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods
  ##
  terminationGracePeriodSeconds: ""
  ## @param blackboxExporter.updateStrategy.type Blackbox Exporter statefulset strategy type
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
  ##
  updateStrategy:
    type: RollingUpdate
  ## @param blackboxExporter.extraVolumes Optionally specify extra list of additional volumes for the Blackbox Exporter pod(s)
  ##
  extraVolumes: []
  ## @param blackboxExporter.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the Blackbox Exporter container(s)
  ##
  extraVolumeMounts: []
  ## @param blackboxExporter.sidecars Add additional sidecar containers to the Blackbox Exporter pod(s)
  ## e.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param blackboxExporter.initContainers Add additional init containers to the Blackbox Exporter pod(s)
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## e.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     command: ['sh', '-c', 'echo "hello world"']
  ##
  initContainers: []
  ## @section Blackbox Exporter Traffic Exposure Parameters
  ##

  ## blackboxExporter service parameters
  ##
  service:
    ## @param blackboxExporter.service.type Blackbox Exporter service type
    ##
    type: ClusterIP
    ## @param blackboxExporter.service.ports.http Blackbox Exporter HTTP service port
    ##
    ports:
      http: 19115
    ## Node ports to expose
    ## NOTE: choose port between <30000-32767>
    ## @param blackboxExporter.service.nodePorts.http Node port for HTTP
    ##
    nodePorts:
      http: ""
    ## @param blackboxExporter.service.sessionAffinity Control where client requests go, to the same pod or round-robin
    ## Values: ClientIP or None
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/
    ##
    sessionAffinity: None
    ## @param blackboxExporter.service.sessionAffinityConfig Additional settings for the sessionAffinity
    ## sessionAffinityConfig:
    ##   clientIP:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
    ## @param blackboxExporter.service.clusterIP Blackbox Exporter service Cluster IP
    ## e.g.:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param blackboxExporter.service.loadBalancerIP Blackbox Exporter service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerIP: ""
    ## @param blackboxExporter.service.loadBalancerClass Blackbox Exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param blackboxExporter.service.loadBalancerSourceRanges Blackbox Exporter service Load Balancer sources
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param blackboxExporter.service.externalTrafficPolicy Blackbox Exporter service external traffic policy
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
    externalTrafficPolicy: Cluster
    ## @param blackboxExporter.service.annotations Additional custom annotations for Blackbox Exporter service
    ##
    annotations: {}
    ## @param blackboxExporter.service.extraPorts Extra ports to expose in the Blackbox Exporter service
    ##
    extraPorts: []
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param blackboxExporter.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param blackboxExporter.networkPolicy.allowExternal Don't require server label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## server label will have network access to the ports server is listening
    ## on. When true, server will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param blackboxExporter.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param blackboxExporter.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    extraIngress: []
    ## @param blackboxExporter.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           matchLabels:
    ##             role: frontend
    ##       - podSelector:
    ##           matchExpressions:
    ##             - key: role
    ##               operator: In
    ##               values:
    ##                 - frontend
    ##
    extraEgress: []
    ## @param blackboxExporter.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param blackboxExporter.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param blackboxExporter.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param blackboxExporter.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param blackboxExporter.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
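## Added example (not part of the chart's own values file): a hardened override for the Blackbox Exporter defaults above.
## The exporter connects to whatever target a scrape request names, so the override narrows both who may reach port 19115 and where probes may go.
## Assumptions: the namespace label value, the pod label and the CIDR are constructed placeholders, and the chart renders these keys as their @param descriptions state.

```yaml
# hardened-blackbox-values.yaml (hypothetical file name), applied on top of the defaults
blackboxExporter:
  service:
    # Keep the probe endpoint cluster-internal; no NodePort or LoadBalancer exposure.
    type: ClusterIP
  networkPolicy:
    enabled: true
    # Default is true: any source may connect to the HTTP port.
    # With false, only pods carrying the chart's server label are admitted.
    allowExternal: false
    # Additionally admit scrapers from another namespace.
    # kubernetes.io/metadata.name is set by Kubernetes on every namespace;
    # "monitoring" and the pod label below are assumed values.
    ingressNSMatchLabels:
      kubernetes.io/metadata.name: monitoring
    ingressNSPodMatchLabels:
      app.kubernetes.io/name: prometheus
    # Default is true: the pod may reach any destination on any port.
    allowExternalEgress: false
    # Allow only the destinations the configured modules are meant to probe.
    # 203.0.113.0/24 is a documentation range used as a placeholder.
    extraEgress:
      - ports:
          - port: 443
            protocol: TCP
        to:
          - ipBlock:
              cidr: 203.0.113.0/24
  # Already the defaults above; repeated so a review of this file shows them pinned.
  automountServiceAccountToken: false
  containerSecurityContext:
    runAsNonRoot: true
    readOnlyRootFilesystem: true
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
```

## Render the chart with `helm template` and read the resulting NetworkPolicy before rollout; whether DNS egress stays allowed with allowExternalEgress set to false depends on the chart's template.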
## Component scraping the kube-apiserver
##
kubeApiServer:
  ## @param kubeApiServer.enabled Create a ServiceMonitor to scrape kube-apiserver service
  ##
  enabled: true
  serviceMonitor:
    ## @param kubeApiServer.serviceMonitor.interval Scrape interval. If not set, the Prometheus default scrape interval is used.
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param kubeApiServer.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: component
    ## @param kubeApiServer.serviceMonitor.metricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    metricRelabelings: []
    ## @param kubeApiServer.serviceMonitor.relabelings Relabel configs
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    ##
    relabelings: []
    ## @param kubeApiServer.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param kubeApiServer.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param kubeApiServer.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
## Component scraping the kube-controller-manager
##
kubeControllerManager:
  ## @param kubeControllerManager.enabled Create a ServiceMonitor to scrape kube-controller-manager service
  ##
  enabled: true
  ## @param kubeControllerManager.endpoints If your kube controller manager is not deployed as a pod, specify IPs it can be found on
  ## endpoints:
  ##   - 10.141.4.22
  ##   - 10.141.4.23
  ##   - 10.141.4.24
  ##
  endpoints: []
  ## @param kubeControllerManager.namespace Namespace where kube-controller-manager service is deployed.
  ##
  namespace: kube-system
  ## Service ports and selector information
  ## @param kubeControllerManager.service.enabled Whether or not to create a Service object for kube-controller-manager
  ## @param kubeControllerManager.service.ports.http Listening port of the kube-controller-manager Service object
  ## @param kubeControllerManager.service.targetPorts.http Port to target on the kube-controller-manager Pods. This should be the port that kube-controller-manager is exposing metrics on
  ## @param kubeControllerManager.service.selector Optional PODs Label selector for the service
  ##
  service:
    enabled: true
    ports:
      http: 10252
    targetPorts:
      http: 10252
    ## selector:
    ##   component: kube-controller-manager
    ##
    selector: {}
    ## @param kubeControllerManager.service.labels Additional labels for kube-controller-manager service
    ##
    labels: {}
  serviceMonitor:
    ## @param kubeControllerManager.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param kubeControllerManager.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: component
    ## @param kubeControllerManager.serviceMonitor.https Enable scraping kube-controller-manager over https
    ## Requires proper certs (not self-signed) and delegated authentication/authorization checks
    ##
    https: false
    ## @param kubeControllerManager.serviceMonitor.insecureSkipVerify Skip TLS certificate validation when scraping
    ##
    insecureSkipVerify: ""
    ## @param kubeControllerManager.serviceMonitor.serverName Name of the server to use when validating TLS certificate
    ##
    serverName: ""
    ## @param kubeControllerManager.serviceMonitor.metricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    metricRelabelings: []
    ## @param kubeControllerManager.serviceMonitor.relabelings Relabel configs
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    ##
    relabelings: []
    ## @param kubeControllerManager.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param kubeControllerManager.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param kubeControllerManager.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
## Component scraping kube scheduler
##
kubeScheduler:
  ## @param kubeScheduler.enabled Create a ServiceMonitor to scrape kube-scheduler service
  ##
  enabled: true
  ## @param kubeScheduler.endpoints If your kube scheduler is not deployed as a pod, specify IPs it can be found on
  ## endpoints:
  ##   - 10.141.4.22
  ##   - 10.141.4.23
  ##   - 10.141.4.24
  ##
  endpoints: []
  ## @param kubeScheduler.namespace Namespace where kube-scheduler service is deployed.
  ##
  namespace: kube-system
  ## If using kubeScheduler.endpoints only the port and targetPort are used
  ## @param kubeScheduler.service.enabled Whether or not to create a Service object for kube-scheduler
  ## @param kubeScheduler.service.ports.http Listening port of the kube scheduler Service object
  ## @param kubeScheduler.service.targetPorts.http Port to target on the kube scheduler Pods. This should be the port that kube scheduler is exposing metrics on
  ## @param kubeScheduler.service.selector Optional PODs Label selector for the service
  ##
  service:
    enabled: true
    ports:
      http: 10251
    targetPorts:
      http: 10251
    ## selector:
    ##   component: kube-scheduler
    ##
    selector: {}
    ## @param kubeScheduler.service.labels Additional labels for kube-scheduler service
    ##
    labels: {}
  serviceMonitor:
    ## @param kubeScheduler.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
    ##
    interval: ""
    ## @param kubeScheduler.serviceMonitor.https Enable scraping kube-scheduler over https
    ## Requires proper certs (not self-signed) and delegated authentication/authorization checks
    ##
    https: false
    ## @param kubeScheduler.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: component
    ## @param kubeScheduler.serviceMonitor.insecureSkipVerify Skip TLS certificate validation when scraping
    ##
    insecureSkipVerify: ""
    ## @param kubeScheduler.serviceMonitor.serverName Name of the server to use when validating TLS certificate
    ##
    serverName: ""
    ## @param kubeScheduler.serviceMonitor.metricRelabelings Metric relabeling
    ## metricRelabelings:
    ##   - action: keep
    ##     regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
    ##     sourceLabels: [__name__]
    ##
    metricRelabelings: []
    ## @param kubeScheduler.serviceMonitor.relabelings Relabel configs
    ## relabelings:
    ##   - sourceLabels: [__meta_kubernetes_pod_node_name]
    ##     separator: ;
    ##     regex: ^(.*)$
    ##     targetLabel: nodename
    ##     replacement: $1
    ##     action: replace
    ##
    relabelings: []
    ## @param kubeScheduler.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param kubeScheduler.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param kubeScheduler.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
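## Added example (not part of the chart's own values file): scraping kube-controller-manager and kube-scheduler over TLS instead of the plain-HTTP defaults above.
## Ports 10257 and 10259 are the components' secure ports; the serverName values are placeholders to replace with a name present in each component's serving certificate.

```yaml
# control-plane-tls-values.yaml (hypothetical file name), applied on top of the defaults
kubeControllerManager:
  service:
    ports:
      http: 10257      # secure port; the default 10252 above is the legacy plain-HTTP port
    targetPorts:
      http: 10257
  serviceMonitor:
    https: true
    # Keep certificate validation on. The default "" leaves the field unset.
    insecureSkipVerify: false
    # Placeholder: must match a name in the controller-manager serving certificate.
    serverName: "<controller-manager-cert-name>"
kubeScheduler:
  service:
    ports:
      http: 10259      # secure port; the default 10251 above is the legacy plain-HTTP port
    targetPorts:
      http: 10259
  serviceMonitor:
    https: true
    insecureSkipVerify: false
    # Placeholder: must match a name in the scheduler serving certificate.
    serverName: "<scheduler-cert-name>"
# As the @param notes above state, this needs certificates Prometheus can validate
# (not self-signed) and delegated authentication/authorization on the components.
# If validation fails, fix the serving certificates (--tls-cert-file and
# --tls-private-key-file on each component) rather than setting insecureSkipVerify: true.
```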
## Component scraping coreDns
##
coreDns:
  ## @param coreDns.enabled Create a ServiceMonitor to scrape coredns service
  ##
  enabled: true
  ## @param coreDns.namespace Namespace where core dns service is deployed.
  ##
  namespace: kube-system
  ## Create a ServiceMonitor to scrape coredns service
  ## @param coreDns.service.enabled Whether or not to create a Service object for coredns
  ## @param coreDns.service.ports.http Listening port of the coredns Service object
  ## @param coreDns.service.targetPorts.http Port to target on the coredns Pods. This should be the port that coredns is exposing metrics on
  ## @param coreDns.service.selector Optional PODs Label selector for the service
  ##
  service:
    enabled: true
    ports:
      http: 9153
    targetPorts:
      http: 9153
    ## selector:
    ##   component: kube-dns
    ##
    selector: {}
    ## @param coreDns.service.labels Additional labels for coredns service
    ##
    labels: {}
  serviceMonitor:
    ## @param coreDns.serviceMonitor.interval Scrape interval. If not set, the Prometheus default scrape interval is used.
    ##
    interval: ""
    ## @param coreDns.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: k8s-app
    ## @param coreDns.serviceMonitor.metricRelabelings Metric relabel configs to apply to samples before ingestion.
    ## metricRelabelings:
    ##   - action: keep
    ##     regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
    ##     sourceLabels: [__name__]
    ##
    metricRelabelings: []
    ## @param coreDns.serviceMonitor.relabelings Relabel configs to apply to samples before ingestion.
    ## relabelings:
    ##   - sourceLabels: [__meta_kubernetes_pod_node_name]
    ##     separator: ;
    ##     regex: ^(.*)$
    ##     targetLabel: nodename
    ##     replacement: $1
    ##     action: replace
    ##
    relabelings: []
    ## @param coreDns.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param coreDns.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param coreDns.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
## Component scraping the kube-proxy
##
kubeProxy:
  ## @param kubeProxy.enabled Create a ServiceMonitor to scrape the kube-proxy Service
  ##
  enabled: true
  ## @param kubeProxy.endpoints If your kube-proxy is not deployed as a pod, specify IPs it can be found on
  ## endpoints:
  ##   - 10.141.4.22
  ##   - 10.141.4.23
  ##   - 10.141.4.24
  ##
  endpoints: []
  ## @param kubeProxy.namespace Namespace where kube-proxy service is deployed.
  ##
  namespace: kube-system
  ## @param kubeProxy.service.enabled Whether or not to create a Service object for kube-proxy
  ## @param kubeProxy.service.ports.http Listening port of the kube-proxy Service object
  ## @param kubeProxy.service.targetPorts.http Port to target on the kube-proxy Pods. This should be the port that kube-proxy is exposing metrics on
  ## @param kubeProxy.service.selector Optional PODs Label selector for the service
  ##
  service:
    enabled: true
    ports:
      http: 10249
    targetPorts:
      http: 10249
    ## selector:
    ##   k8s-app: kube-proxy
    ##
    selector: {}
    ## @param kubeProxy.service.labels Additional labels for kube-proxy service
    ##
    labels: {}
  serviceMonitor:
    ## @param kubeProxy.serviceMonitor.https Enable scraping kube-proxy over https.
    ## Requires proper certs (not self-signed) and delegated authentication/authorization checks
    ##
    https: false
    ## @param kubeProxy.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param kubeProxy.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: k8s-app
    ## @param kubeProxy.serviceMonitor.metricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    metricRelabelings: []
    ## @param kubeProxy.serviceMonitor.relabelings Relabel configs
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    ##
    relabelings: []
    ## @param kubeProxy.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param kubeProxy.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param kubeProxy.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
3332
## @section RBAC parameters
##

## Role Based Access
## ref: https://kubernetes.io/docs/admin/authorization/rbac/
## @param rbac.create Whether to create and use RBAC resources or not
## @param rbac.pspEnabled Whether to create a PodSecurityPolicy and bind it with RBAC. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later
rbac:
  create: true
  pspEnabled: true
  ## @param rbac.rules.operator Custom RBAC rules to set on Prometheus Operator ClusterRole
  ## @param rbac.rules.prometheus Custom RBAC rules to set on Prometheus ClusterRole
  ## e.g:
  ## rbac:
  ##   rules:
  ##     operator: []
  ##     prometheus:
  ##       - apiGroups:
  ##           - ""
  ##         resources:
  ##           - pods
  ##         verbs:
  ##           - get
  ##           - list
  ##
  rules:
    operator: []
    prometheus: []
## @section Thanos Ruler Parameters
##
thanosRuler:
  ## @param thanosRuler.enabled Enable/disable Thanos Ruler component
  ##
  enabled: false
  ## Iamguarded Thanos image
  ## @param thanosRuler.image.registry [default: REGISTRY_NAME] Thanos image registry
  ## @param thanosRuler.image.repository Thanos image repository
  ## @skip thanosRuler.image.tag Thanos image tag
  ## @param thanosRuler.image.digest Thanos image digest
  ## @param thanosRuler.image.pullPolicy Thanos image pull policy
  ## @param thanosRuler.image.pullSecrets Specify docker-registry secret names as an array
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/thanos-iamguarded
    tag: 0.41.0
    digest: ""
    pullPolicy: IfNotPresent
    pullSecrets: []
  ## @param thanosRuler.replicaCount Number of Thanos Ruler replicas to deploy
  ##
  replicaCount: 1
  ## @param thanosRuler.paused When a ThanosRuler deployment is paused, no actions except for deletion will be performed on the underlying objects
  ##
  paused: false
  ## @param thanosRuler.logFormat Log format for Thanos Ruler
  ##
  logFormat: logfmt
  ## @param thanosRuler.logLevel Log level for Thanos ruler
  ##
  logLevel: info
  ## @param thanosRuler.retention Time duration ThanosRuler shall retain data for
  ## Must match the regular expression [0-9]+(ms|s|m|h|d|w|y) (milliseconds seconds minutes hours days weeks years)
  ## The field has no effect when remote-write is configured since the Ruler operates in stateless mode
  ##
  retention: "24h"
  ## @param thanosRuler.evaluationInterval Interval between consecutive evaluations
  ##
  evaluationInterval: ""
  ## @param thanosRuler.labels Configures the external label pairs of the ThanosRuler resource
  ## A default replica label 'thanos_ruler_replica' will always be added as a label with the value of the pod’s name
  ##
  labels: {}
  ## @param thanosRuler.storage Storage spec to specify how storage shall be used.
  ## ref: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.StorageSpec
  storage: {}
  ## @param thanosRuler.volumes Additional volumes on the output StatefulSet definition
  ## Volumes specified will be appended to other volumes that are generated as a result of thanosRuler.storage configuration
  ##
  volumes: []
  ## @param thanosRuler.volumeMounts Additional VolumeMounts on the output StatefulSet definition.
  ## VolumeMounts specified will be appended to other VolumeMounts that are generated as a result of thanosRuler.storage configuration
  ##
  volumeMounts: []
  ## @param thanosRuler.listenLocal Makes Thanos Ruler listen on loopback, so that it does not bind against the Pod IP
  ##
  listenLocal: false
  ## @param thanosRuler.externalPrefix The external URL the Thanos Ruler instances will be available under. Maps to --web.external-prefix on Thanos Ruler
  ##
  externalPrefix: ""
  ## Service parameters
  ##
  service:
    ## @param thanosRuler.service.type Kubernetes service type
    ##
    type: ClusterIP
    ## @param thanosRuler.service.ports.http Thanos Ruler service HTTP port
    ## @param thanosRuler.service.ports.grpc Thanos Ruler service GRPC port
    ##
    ports:
      http: 10902
      grpc: 10901
    ## @param thanosRuler.service.nodePorts.http Specify the Thanos Ruler HTTP nodePort value for the LoadBalancer and NodePort service types
    ## @param thanosRuler.service.nodePorts.grpc Specify the Thanos Ruler GRPC nodePort value for the LoadBalancer and NodePort service types
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport
    ##
    nodePorts:
      http: ""
      grpc: ""
    ## @param thanosRuler.service.clusterIP Thanos Ruler service clusterIP IP
    ## e.g:
    ## clusterIP: None
    ##
    clusterIP: ""
    ## @param thanosRuler.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer`
    ## Set the LoadBalancer service type to internal only
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param thanosRuler.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g:
    ## loadBalancerSourceRanges:
    ##   - 10.10.10.0/24
    ##
    loadBalancerSourceRanges: []
    ## @param thanosRuler.service.externalTrafficPolicy Thanos Ruler service externalTrafficPolicy
    ## Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints
    ##
    externalTrafficPolicy: Cluster
    ## @param thanosRuler.service.labels Extra labels for Thanos Ruler service
    ##
    labels: {}
    ## @param thanosRuler.service.annotations Annotations for Thanos Ruler service
    ##
    annotations: {}
    ## @param thanosRuler.service.extraPorts Extra ports to expose in the Thanos Ruler service
    ##
    extraPorts: []
    ## @param thanosRuler.service.labelSelectorsOverride Selector for Thanos Query service
    ##
    labelSelectorsOverride: {}
    ## @param thanosRuler.service.additionalHeadless Additional Headless service
    ##
    additionalHeadless: false
    ## Headless service properties
    ##
    headless:
      ## @param thanosRuler.service.headless.annotations Annotations for the headless service.
      ##
      annotations: {}
  ## Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param thanosRuler.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param thanosRuler.networkPolicy.allowExternal Don't require client label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## client label will have network access to the ports the application is listening
    ## on. When true, the app will accept connections from any source (with the correct destination port).
    ##
    allowExternal: true
    ## @param thanosRuler.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ## If set to 'false', set 'extraEgress' to allow communicating to your Thanos Query/Frontend Query services.
    ##
    allowExternalEgress: true
    ## @param thanosRuler.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param thanosRuler.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param thanosRuler.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param thanosRuler.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## @param thanosRuler.routePrefix Prefix used to register routes. Useful for proxies that rewrite URLs.
  ##
  routePrefix: /
  ## Configure the ingress resource that allows you to access Thanos Ruler
  ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
  ##
  ingress:
    ## @param thanosRuler.ingress.enabled Enable ingress controller resource
    ##
    enabled: false
    ## @param thanosRuler.ingress.hostname Default host for the ingress resource
    ##
    hostname: thanos-ruler.local
    ## @param thanosRuler.ingress.ingressClassName IngressClass that will be used to implement the Ingress (Kubernetes 1.18+)
    ## This is supported in Kubernetes 1.18+ and required if you have more than one IngressClass marked as the default for your cluster.
    ## ref: https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/
    ##
    ingressClassName: ""
    ## @param thanosRuler.ingress.labels Additional label for the Ingress resource.
    ## Use this parameter to set the required labels for your needs
    ## e.g.:
    ## labels:
    ##   dns-managed-by-external-dns: 'true'
    ##
    labels: {}
    ## @param thanosRuler.ingress.annotations Additional annotations for the Ingress resource. To enable certificate autogeneration, place here your cert-manager annotations.
    ## For a full list of possible ingress annotations, please see
    ## ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md
    ## Use this parameter to set the required annotations for cert-manager, see
    ## ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations
    ##
    ## e.g.:
    ## annotations:
    ##   kubernetes.io/ingress.class: nginx
    ##   cert-manager.io/cluster-issuer: cluster-issuer-name
    ##
    annotations: {}
    ## @param thanosRuler.ingress.extraHosts The list of additional hostnames to be covered with this ingress record.
    ## Most likely the hostname above will be enough, but in the event more hosts are needed, this is an array
    ## extraHosts:
    ## - name: thanos.local
    ##   path: /
    ##   pathType: ImplementationSpecific
    ##
    extraHosts: []
    ## @param thanosRuler.ingress.extraTls The tls configuration for additional hostnames to be covered with this ingress record.
    ## see: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
    ## extraTls:
    ## - hosts:
    ##     - thanos.local
    ##   secretName: thanos.local-tls
    ##
    extraTls: []
    ## @param thanosRuler.ingress.secrets If you're providing your own certificates, please use this to add the certificates as secrets
    ## key and certificate should start with -----BEGIN CERTIFICATE----- or
    ## -----BEGIN RSA PRIVATE KEY-----
    ##
    ## name should line up with a tlsSecret set further up
    ## If you're using cert-manager, this is unneeded, as it will create the secret for you if it is not set
    ##
    ## It is also possible to create and manage the certificates outside of this helm chart
    ## Please see README.md for more information
    ## e.g:
    ## - name: thanos.local-tls
    ##   key:
    ##   certificate:
    ##
    secrets: []
    ## @param thanosRuler.ingress.extraRules Additional rules to be covered with this ingress record
    ## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-rules
    ## e.g.:
    ## extraRules:
    ## - host: example.local
    ##   http:
    ##     path: /
    ##     backend:
    ##       service:
    ##         name: example-svc
    ##         port:
    ##           name: http
    ##
    extraRules: []
    ## @param thanosRuler.ingress.apiVersion Force Ingress API version (automatically detected if not set)
    ##
    apiVersion: ""
    ## @param thanosRuler.ingress.path Ingress path
    ##
    path: /
    ## @param thanosRuler.ingress.pathType Ingress path type
    ##
    pathType: ImplementationSpecific
    ## @param thanosRuler.ingress.tls Enable TLS configuration for the hostname defined at `thanosRuler.ingress.hostname` parameter
    ## TLS certificates will be retrieved from a TLS secret with name: `{{- printf "%s-tls" .Values.thanosRuler.ingress.hostname }}`
    ## You can:
    ##   - Use the `thanosRuler.ingress.secrets` parameter to create this TLS secret
    ##   - Rely on cert-manager to create it by setting the corresponding annotations
    ##   - Rely on Helm to create self-signed certificates by setting `thanosRuler.ingress.selfSigned=true`
    ##
    tls: false
    ## @param thanosRuler.ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
    ##
    selfSigned: false
  ## Service account for Thanos Ruler to use
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
  ##
  serviceAccount:
    ## @param thanosRuler.serviceAccount.create Specify whether to create a ServiceAccount for Thanos Ruler
    ##
    create: true
    ## @param thanosRuler.serviceAccount.name The name of the ServiceAccount to create
    ## If not set and create is true, a name is generated using the kube-prometheus.thanosRuler.fullname template
    ##
    name: ""
    ## @param thanosRuler.serviceAccount.annotations Additional annotations for the ServiceAccount
    ## annotations:
    ##   eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT:role/thanosruler
    ##
    annotations: {}
    ## @param thanosRuler.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Thanos Ruler pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param thanosRuler.podSecurityContext.enabled Enable security context
  ## @param thanosRuler.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param thanosRuler.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param thanosRuler.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param thanosRuler.podSecurityContext.fsGroup Group ID for the container filesystem
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## @param thanosRuler.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge).
  ## This is ignored if operator.resources is set (operator.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param thanosRuler.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ##
  resources: {}
  ## @param thanosRuler.containerPorts.http HTTP container port
  ## @param thanosRuler.containerPorts.grpc GRPC container port
  ##
  containerPorts:
    grpc: 10901
    http: 10902
  ## @param thanosRuler.alertQueryUrl The external Query URL the Thanos Ruler will set in the ‘Source’ field of all alerts
  ## Maps to the `--alert.query-url` CLI arg
  ##
  alertQueryUrl: ""
  ## Configuration for connecting to alertmanager
  ## Maps to --alertmanagers.config Thanos Ruler argument
  ## NOTE: This field takes precedence over alertmanagersUrl.
  ##
  alertmanagersConfig:
    ## @param thanosRuler.alertmanagersConfig.existingSecret.name Name of an existing secret to use for Alert Manager config
    ## If configured, thanosRuler.alertmanagersConfig.config will not be used
    ## @param thanosRuler.alertmanagersConfig.existingSecret.key Name of a key in the existing secret to use for Alert Manager config
    ##
    existingSecret:
      name: ""
      key: ""
    ## @param thanosRuler.alertmanagersConfig.config Alert Manager configuration
    ## Unused if thanosRuler.alertmanagersConfig.existingSecret.name is configured
    ## If empty, Thanos Ruler will use this chart's Alertmanager when 'alertmanager.enabled' is 'true'
    ## ref: https://thanos.io/tip/components/rule.md/#alertmanager
    ## e.g:
    ## alertmanagers:
    ##   - http_config:
    ##       basic_auth:
    ##         username: some_user
    ##         password: some_pass
    ##     static_configs:
    ##       - alertmanager.thanos.io
    ##     scheme: http
    ##     timeout: 10s
    ##     api_version: v2
    ##
    config: {}
  ## @param thanosRuler.alertDropLabels Configures the label names which should be dropped in Thanos Ruler alerts
  ## The replica label `thanos_ruler_replica` will always be dropped from the alerts.
  ##
  alertDropLabels: []
  ## Configures the list of Thanos Query endpoints from which to query metrics.
  ## Maps to --query.config Thanos Ruler argument
  ## The configuration format is defined at https://thanos.io/tip/components/rule.md/#query-api
  queryConfig:
    ## @param thanosRuler.queryConfig.existingSecret.name Name of an existing secret to use for Alert Manager config
    ## If configured, thanosRuler.queryConfig.config will not be used
    ## @param thanosRuler.queryConfig.existingSecret.key Key in the existing secret to use for Query config
    ##
    existingSecret:
      name: ""
      key: "query-config.yaml"
    ## @param thanosRuler.queryConfig.config
    ## Unused if thanosRuler.queryConfig.existingSecret.name is configured
    ##
    ## e.g:
    ## config:
    ##   - static_configs:
    ##       - "dnssrv+_http._tcp.thanos-query.thanos.svc.cluster.local"
    config: []
  ## Configures object storage
  ## Maps to --objstore.config Thanos Ruler argument
  ## ref: https://thanos.io/tip/thanos/storage.md/#configuring-access-to-object-storage
  ##
  objectStorageConfig:
    ## @param thanosRuler.objectStorageConfig.existingSecret.name Name of an existing secret to use for Object Storage config
    ## If configured, thanosRuler.objectStorageConfig.config will not be used
    ## @param thanosRuler.objectStorageConfig.existingSecret.key Key in the existing secret to use for Object Storage config
    ##
    existingSecret:
      name: ""
      key: ""
    ## @param thanosRuler.objectStorageConfig.config
    ## Unused if thanosRuler.objectStorageConfig.existingSecret.name is configured
    ##
    config: {}
  ## @param thanosRuler.ruleNamespaceSelector Namespaces to be selected for PrometheusRules discovery
  ## If nil, select own namespace
  ##
  ruleNamespaceSelector: {}
  ## @param thanosRuler.ruleSelector PrometheusRule selector labels
  ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/user-guides/getting-started.md
  ## If nil, select all PrometheusRules
  ##
  ruleSelector: {}
  ## @param thanosRuler.evalInterval How frequently to evaluate rules
  ##
  evalInterval: "1m"
  ## @param thanosRuler.clusterName Used to set the 'ruler_cluster' label
  ##
  clusterName: ""
  ## @param thanosRuler.additionalArgs [array] Additional arguments for the ThanosRuler container.
  ## It is intended for e.g. activating hidden flags which are not supported by the dedicated configuration options yet.
  ##
  additionalArgs:
    - name: grpc-address
      value: "0.0.0.0:{{ .Values.thanosRuler.containerPorts.grpc }}"
    - name: http-address
      value: "0.0.0.0:{{ .Values.thanosRuler.containerPorts.http }}"
  ## Thanos Ruler Pod Disruption Budget configuration
  ## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb
  ## @param thanosRuler.pdb.create Enable/disable a Pod Disruption Budget creation for Thanos Ruler
  ## @param thanosRuler.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param thanosRuler.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
  ## @param thanosRuler.nodeSelector Node labels for Thanos Ruler pods assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## Create a servicemonitor for Thanos ruler
  ##
  serviceMonitor:
    ## @param thanosRuler.serviceMonitor.enabled Creates a ServiceMonitor to monitor Thanos Ruler
    ##
    enabled: true
    ## @param thanosRuler.serviceMonitor.https Enable scraping Thanos Ruler over https.
    ## Requires proper certs (not self-signed) and delegated authentication/authorization checks
    ##
    https: false
    ## @param thanosRuler.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param thanosRuler.serviceMonitor.interval Scrape interval (use by default, falling back to Prometheus' default)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: ""
    ## @param thanosRuler.serviceMonitor.metricRelabelings Metric relabeling
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    ##
    metricRelabelings: []
    ## @param thanosRuler.serviceMonitor.relabelings Relabel configs
    ## ref: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config
    ##
    relabelings: []
    ## @param thanosRuler.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param thanosRuler.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param thanosRuler.serviceMonitor.annotations Extra annotations for the ServiceMonitor
    ##
    annotations: {}
    ## @param thanosRuler.serviceMonitor.extraParameters Any extra parameter to be added to the endpoint configured in the ServiceMonitor
    ## (e.g. tlsConfig for further customization of the HTTPS behavior)
    ## ref: https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.Endpoint
    ##
    extraParameters: {}
    ## @param thanosRuler.serviceMonitor.sampleLimit Per-scrape limit on number of scraped samples that will be accepted.
    ##
    sampleLimit: ""
  ## @param thanosRuler.podAffinityPreset Prometheus Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param thanosRuler.podAntiAffinityPreset Thanos Ruler Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ##
  nodeAffinityPreset:
    ## @param thanosRuler.nodeAffinityPreset.type Thanos Ruler Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`
    ##
    type: ""
    ## @param thanosRuler.nodeAffinityPreset.key Thanos Ruler Node label key to match. Ignored if `affinity` is set
    ## E.g.
    ## key: "kubernetes.io/e2e-az-name"
    ##
    key: ""
    ## @param thanosRuler.nodeAffinityPreset.values Thanos Ruler Node label values to match. Ignored if `affinity` is set
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param thanosRuler.affinity Thanos Ruler Affinity for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## Note: thanosRuler.podAffinityPreset, thanosRuler.podAntiAffinityPreset, and thanosRuler.nodeAffinityPreset will be ignored when it's set
  ##
  affinity: {}
  ## @param thanosRuler.podMetadata [object] Standard object's metadata
  ## ref: https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata
  ##
  podMetadata:
    labels: {}
    annotations: {}
  ## @param thanosRuler.tolerations Thanos Ruler Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param thanosRuler.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param thanosRuler.containers Containers allows injecting additional containers or modifying operator generated containers
  ## The current container names are: thanos-ruler and config-reloader
  ##
  containers: []
  ## @param thanosRuler.initContainers InitContainers allows adding initContainers to the pod definition
  ## Those can be used to e.g. fetch secrets for injection into the ThanosRuler configuration from external sources.
  ##
  initContainers: []
  ## @param thanosRuler.priorityClassName Priority class assigned to the Pods
  ##
  priorityClassName: ""
  ## @param thanosRuler.portName Port name used for the pods and governing service
  ##
  portName: http
  ## @param thanosRuler.web Defines the configuration of the ThanosRuler web server
  ##
  web: {}
  ## @param thanosRuler.remoteWrite Defines the list of remote write configurations
  ## When the list isn’t empty, the ruler is configured with stateless mode
  ## ref: https://prometheus-operator.dev/docs/api-reference/api/#monitoring.coreos.com/v1.RemoteWriteSpec
  ##
  remoteWrite: {}
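
A hardened override for the RBAC and Thanos Ruler defaults listed above, given as an added example that is not part of the chart or of Chainguard's documentation. The pod labels, Secret name and key, Alertmanager port and the digest placeholder are assumptions to replace with values from your own cluster.

```yaml
# values-hardened.yaml (added example, not shipped with the chart)
# Apply on top of the defaults with: helm upgrade --install ... -f values-hardened.yaml
rbac:
  # Chart default: pspEnabled: true. The chart's own comment states that
  # PodSecurityPolicy is unavailable in Kubernetes v1.25 or later.
  pspEnabled: false

thanosRuler:
  enabled: true
  image:
    # Chart default: digest: "" (image selected by tag only).
    # Placeholder: substitute the sha256 digest of the image you verified.
    digest: "sha256:<REPLACE_WITH_VERIFIED_DIGEST>"
  serviceAccount:
    # Already the chart default; kept explicit so a later override is visible in review.
    automountServiceAccountToken: false
  networkPolicy:
    enabled: true
    # Chart default: allowExternal: true, which accepts connections from any
    # source on the listening ports. With false, only pods carrying the
    # client label (or matched by extraIngress below) are admitted.
    allowExternal: false
    # Chart default: allowExternalEgress: true (all destinations, all ports).
    # With false, every destination the Ruler needs must be listed in extraEgress.
    allowExternalEgress: false
    extraIngress:
      # Let Prometheus scrape the Ruler's HTTP port (10902 per containerPorts.http).
      - ports:
          - port: 10902
        from:
          - podSelector:
              matchLabels:
                app.kubernetes.io/name: prometheus      # assumed label
    extraEgress:
      # Thanos Query, as the allowExternalEgress comment requires.
      - ports:
          - port: 10902
        to:
          - podSelector:
              matchLabels:
                app.kubernetes.io/component: query      # assumed label
      # Alertmanager, so fired alerts can still be delivered.
      - ports:
          - port: 9093                                  # assumed Alertmanager port
        to:
          - podSelector:
              matchLabels:
                app.kubernetes.io/name: alertmanager    # assumed label
  alertmanagersConfig:
    # The inline `config` example carries basic_auth credentials in plain
    # values; referencing a Secret keeps them out of the values file and
    # out of the Helm release history.
    existingSecret:
      name: thanos-ruler-alertmanagers                  # assumed Secret name
      key: alertmanagers.yaml                           # assumed key
  queryConfig:
    config:
      - static_configs:
          - "dnssrv+_http._tcp.thanos-query.thanos.svc.cluster.local"
```

Render the result with `helm template` before applying and confirm the generated NetworkPolicy still permits DNS (port 53) egress; if it does not, add that rule to `extraEgress`.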
