veda/apps/monitoring/grafana/values.yaml

grafana:

  adminUser: admin
  adminPassword: changeme  # TODO: Use secret management

  # Disable local persistence - using PostgreSQL database
  persistence:
    enabled: false

  resources:
    requests:
      cpu: 100m
      memory: 256Mi
    limits:
      memory: 512Mi
  
  extraSecretMounts:
    - name: db-secret
      secretName: grafana-pg-cluster-app
      mountPath: /secrets/my-db
      readOnly: true

  envFromSecret: authentik-client-secret-grafana

  datasources:
    datasources.yaml:
      apiVersion: 1
      datasources:
        - name: Prometheus
          type: prometheus
          access: proxy
          url: http://prometheus-kube-prometheus-prometheus.monitoring.svc.cluster.local:9090
          isDefault: true
          editable: false
          jsonData:
            timeInterval: 30s
            queryTimeout: 60s
        
        - name: Loki
          type: loki
          access: proxy
          url: http://loki-gateway.logging.svc.cluster.local
          editable: false
          jsonData:
            maxLines: 1000
            derivedFields:
              - datasourceUid: Prometheus
                matcherRegex: "traceID=(\\w+)"
                name: TraceID
                url: "$${__value.raw}"

  dashboardProviders:
    dashboardproviders.yaml:
      apiVersion: 1
      providers:
        - name: 'default'
          orgId: 1
          folder: ''
          type: file
          disableDeletion: false
          editable: true
          options:
            path: /var/lib/grafana/dashboards/default
        - name: 'kubernetes'
          orgId: 1
          folder: 'Kubernetes'
          type: file
          disableDeletion: false
          editable: true
          options:
            path: /var/lib/grafana/dashboards/kubernetes

  dashboards:
    default:
      node-exporter:
        gnetId: 1860
        revision: 37
        datasource: Prometheus
      
      k8s-cluster:
        gnetId: 7249
        revision: 1
        datasource: Prometheus
    
    kubernetes:
      k8s-pods:
        gnetId: 6417
        revision: 1
        datasource: Prometheus
      
      loki-logs:
        gnetId: 13639
        revision: 2
        datasource: Loki

  grafana.ini:
    server:
      root_url: https://grafana.noxxos.nl
      serve_from_sub_path: false
    
    database:
      type: postgres
      host: "$__file{/secrets/my-db/host}:$__file{/secrets/my-db/port}"
      name: "$__file{/secrets/my-db/dbname}"
      user: "$__file{/secrets/my-db/user}"
      password: "$__file{/secrets/my-db/password}"

    auth.generic_oauth:
      enabled: true
      name: Authentik
      client_id: "$__from_env{GF_AUTH_GENERIC_OAUTH_CLIENT_ID}"
      scopes: openid profile email
      auth_url: https://auth.noxxos.nl/application/o/authorize/
      token_url: https://auth.noxxos.nl/application/o/token/
      api_url: https://auth.noxxos.nl/application/o/userinfo/
      role_attribute_path: contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
      allow_sign_up: true
    
    analytics:
      reporting_enabled: false
      check_for_updates: false
    
    log:
      mode: console
      level: info
      console:
        format: json
    
    users:
      auto_assign_org: true
      auto_assign_org_role: Viewer

  serviceMonitor:
    enabled: false

  plugins:
    - grafana-piechart-panel
    - grafana-clock-panel

  route:
    main:
      enabled: true
      hostnames:
        - grafana.noxxos.nl
      parentRefs:
        - name: traefik-gateway
          namespace: traefik
          sectionName: websecure

  extraObjects:
  - apiVersion: postgresql.cnpg.io/v1
    kind: Cluster
    metadata:
      name: grafana-pg-cluster
      namespace: monitoring
    spec:
      instances: 2
      postgresql:
        parameters:
          max_connections: "20"
          shared_buffers: "25MB"
          effective_cache_size: "75MB"
          maintenance_work_mem: "6400kB"
          checkpoint_completion_target: "0.9"
          wal_buffers: "768kB"
          default_statistics_target: "100"
          random_page_cost: "1.1"
          effective_io_concurrency: "300"
          work_mem: "640kB"
          huge_pages: "off"
          max_wal_size: "128MB"
      bootstrap:
        initdb:
          database: grafana
          owner: grafana
      storage:
        size: 15Gi
        storageClass: local-path
      resources:
        requests:
          cpu: 100m
          memory: 100Mi
        limits:
          memory: 512Mi
      plugins:
        - enabled: true
          name: barman-cloud.cloudnative-pg.io
          isWALArchiver: true
          parameters:
            barmanObjectName: grafana-backup-store
  - apiVersion: barmancloud.cnpg.io/v1
    kind: ObjectStore
    metadata:
      name: grafana-backup-store
      namespace: monitoring
    spec:
      retentionPolicy: "30d"
      configuration:
        destinationPath: s3://cnpg-backup-grafana/
        endpointURL: http://rook-ceph-rgw-ceph-objectstore.rook-ceph.svc:80
        s3Credentials:
          accessKeyId:
            name: grafana-pg-backup-creds
            key: AWS_ACCESS_KEY_ID
          secretAccessKey:
            name: grafana-pg-backup-creds
            key: AWS_SECRET_ACCESS_KEY
        wal:
          compression: bzip2
        data:
          compression: bzip2
          immediateCheckpoint: true
  - apiVersion: postgresql.cnpg.io/v1
    kind: ScheduledBackup
    metadata:
      name: grafana-pg-backup
      namespace: monitoring
    spec:
      method: plugin
      immediate: true
      schedule: "0 30 2 * * *"  # 2:30 AM daily
      backupOwnerReference: self
      cluster:
        name: grafana-pg-cluster
      pluginConfiguration:
        name: barman-cloud.cloudnative-pg.io
  - apiVersion: objectbucket.io/v1alpha1
    kind: ObjectBucketClaim
    metadata:
      name: grafana-pg-backups
      namespace: monitoring
    spec:
      generateBucketName: cnpg-backup-grafana
      storageClassName: ceph-bucket
      additionalConfig:
        maxSize: "50Gi"