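# Helm values for Grafana. The top-level `grafana:` key suggests these are
# passed to a Grafana subchart of a wrapper chart (TODO confirm).
grafana:
  # Admin credentials
  adminUser: admin
  # NOTE(review): a literal password here is stored in version control and
  # in the Helm release data in the cluster. The Grafana chart can read both
  # fields from an existing Secret instead, for example (placeholder name):
  #   admin:
  #     existingSecret: <GRAFANA_ADMIN_SECRET_NAME>
  #     userKey: admin-user
  #     passwordKey: admin-password
  # Grafana applies the admin password only when it first initialises its
  # database, so changing this value later does not rotate the account.
  adminPassword: changeme  # TODO: Use secret management

  # Persistence
  persistence:
    enabled: true
    storageClassName: ceph-block
    size: 10Gi

  # Resources
  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      memory: 512Mi

  # Datasources
  datasources:
    datasources.yaml:
      apiVersion: 1
      datasources:
        # Thanos datasource
        - name: Thanos
          type: prometheus
          access: proxy
          url: http://thanos-query-frontend.monitoring.svc.cluster.local:9090
          isDefault: true
          editable: false
          jsonData:
            timeInterval: 30s
            queryTimeout: 60s
        # Loki datasource
        - name: Loki
          type: loki
          access: proxy
          url: http://loki-gateway.logging.svc.cluster.local
          editable: false
          jsonData:
            maxLines: 1000
            derivedFields:
              # NOTE(review): this links by datasource uid, but no datasource
              # in this file sets `uid:`. Confirm that "Thanos" resolves and
              # that a metrics datasource is the intended trace target.
              - datasourceUid: Thanos
                matcherRegex: "traceID=(\\w+)"
                name: TraceID
                # `$$` escapes `$` so provisioning does not treat the
                # expression as an environment-variable reference.
                url: "$${__value.raw}"

  # Dashboard providers
  dashboardProviders:
    dashboardproviders.yaml:
      apiVersion: 1
      providers:
        - name: 'default'
          orgId: 1
          folder: ''
          type: file
          disableDeletion: false
          editable: true
          options:
            path: /var/lib/grafana/dashboards/default
        - name: 'kubernetes'
          orgId: 1
          folder: 'Kubernetes'
          type: file
          disableDeletion: false
          editable: true
          options:
            path: /var/lib/grafana/dashboards/kubernetes

  # Preload dashboards
  # Each entry is fetched from grafana.com by id; keeping `revision` pinned
  # means a deployment does not silently pick up a changed dashboard.
  dashboards:
    default:
      # Node exporter dashboard
      node-exporter:
        gnetId: 1860
        revision: 37
        datasource: Thanos
      # Kubernetes cluster monitoring
      k8s-cluster:
        gnetId: 7249
        revision: 1
        datasource: Thanos
    kubernetes:
      # Kubernetes pods
      k8s-pods:
        gnetId: 6417
        revision: 1
        datasource: Thanos
      # Loki logs dashboard
      loki-logs:
        gnetId: 13639
        revision: 2
        datasource: Loki

  # Grafana config
  grafana.ini:
    server:
      root_url: https://grafana.noxxos.nl
      serve_from_sub_path: false

    # Authentication - Authentik OIDC
    auth.generic_oauth:
      enabled: false  # Enable after configuring secret
      name: Authentik
      client_id: grafana
      # client_secret should be set via envValueFrom or existingSecret
      # (Grafana reads it from GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET); do not
      # add it to this file.
      scopes: openid profile email
      auth_url: https://auth.noxxos.nl/application/o/authorize/
      token_url: https://auth.noxxos.nl/application/o/token/
      api_url: https://auth.noxxos.nl/application/o/userinfo/
      # JMESPath over the `groups` claim. Folded into one line; kept out of
      # plain-scalar form because it contains YAML indicator characters.
      # NOTE(review): the trailing 'Viewer' together with allow_sign_up
      # gives every account Authentik lets through a Viewer session. If
      # access should be limited to the two groups, restrict the application
      # binding in Authentik, or drop the fallback and set
      # `role_attribute_strict: true`. Consider `use_pkce: true` when
      # enabling this block.
      role_attribute_path: >-
        contains(groups[*], 'Grafana Admins') && 'Admin' ||
        contains(groups[*], 'Grafana Editors') && 'Editor' ||
        'Viewer'
      allow_sign_up: true

    analytics:
      reporting_enabled: false
      check_for_updates: false

    log:
      mode: console
      level: info

    users:
      auto_assign_org: true
      auto_assign_org_role: Viewer

  # Service Monitor
  serviceMonitor:
    enabled: true

  # Plugins
  # NOTE(review): no versions are given, so the plugin release that is
  # current when the pod starts is what gets installed. Pin versions if
  # deployments need to be reproducible.
  plugins:
    - grafana-piechart-panel
    - grafana-clock-panel

  # Gateway API HTTPRoute
  extraObjects:
    # ReferenceGrant
    # NOTE(review): the grant lives in `monitoring` and its `from` namespace
    # is also `monitoring`. ReferenceGrant only governs cross-namespace
    # references, so this looks like a no-op; attaching the route to the
    # Gateway in `traefik` is decided by that Gateway's allowedRoutes.
    # With no `name` under `to`, it covers every Service in the namespace.
    - apiVersion: gateway.networking.k8s.io/v1beta1
      kind: ReferenceGrant
      metadata:
        name: traefik-gateway-access
        namespace: monitoring
      spec:
        from:
          - group: gateway.networking.k8s.io
            kind: HTTPRoute
            namespace: monitoring
        to:
          - group: ""
            kind: Service

    # Grafana HTTPRoute
    - apiVersion: gateway.networking.k8s.io/v1
      kind: HTTPRoute
      metadata:
        name: grafana
        namespace: monitoring
      spec:
        parentRefs:
          - name: traefik-gateway
            namespace: traefik
            sectionName: websecure
        hostnames:
          - "grafana.noxxos.nl"
        rules:
          - matches:
              - path:
                  type: PathPrefix
                  value: /
            backendRefs:
              - name: grafana
                port: 80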