openstack-helm-infra/grafana/values.yaml
Lo, Chi (cl566n) 87e3a02dd5 Enable TLS for grafana
This patchset updates grafana chart manifests to enable TLS with
osh-infra mariadb.  TLS for osh-infra mariadb is completed as part
of TLS phase 1, no additional mariadb chart work is required to
work with this patch.

Change-Id: Ic01e7c012ab2167d59b2117eb985386666f2bb2a
2021-03-01 12:21:31 -08:00

497 lines
12 KiB
YAML

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Default values for grafana
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
---
images:
tags:
grafana: docker.io/grafana/grafana:7.3.6
dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0
db_init: docker.io/openstackhelm/heat:stein-ubuntu_bionic
grafana_db_session_sync: docker.io/openstackhelm/heat:stein-ubuntu_bionic
selenium_tests: docker.io/openstackhelm/osh-selenium:latest-ubuntu_bionic
image_repo_sync: docker.io/docker:17.07.0
pull_policy: IfNotPresent
local_registry:
active: false
exclude:
- dep_check
- image_repo_sync
labels:
grafana:
node_selector_key: openstack-control-plane
node_selector_value: enabled
job:
node_selector_key: openstack-control-plane
node_selector_value: enabled
test:
node_selector_key: openstack-control-plane
node_selector_value: enabled
pod:
env:
grafana: null
security_context:
dashboard:
pod:
runAsUser: 104
container:
grafana:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
db_init:
pod:
runAsUser: 104
container:
grafana_db_init_session:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
grafana_db_init:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
db_session_sync:
pod:
runAsUser: 104
container:
grafana_db_session_sync:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
set_admin_user:
pod:
runAsUser: 104
container:
grafana_set_admin_password:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
test:
pod:
runAsUser: 104
container:
helm_tests:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
affinity:
anti:
type:
default: preferredDuringSchedulingIgnoredDuringExecution
topologyKey:
default: kubernetes.io/hostname
weight:
default: 10
mounts:
grafana:
init_container: null
grafana:
replicas:
grafana: 1
lifecycle:
upgrades:
deployments:
revision_history: 3
pod_replacement_strategy: RollingUpdate
rolling_update:
max_unavailable: 1
max_surge: 3
termination_grace_period:
grafana:
timeout: 600
resources:
enabled: false
jobs:
image_repo_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
bootstrap:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
db_init_session:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
grafana_db_session_sync:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
set_admin_user:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
tests:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
grafana:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "1024Mi"
cpu: "2000m"
endpoints:
cluster_domain_suffix: cluster.local
local_image_registry:
name: docker-registry
namespace: docker-registry
hosts:
default: localhost
internal: docker-registry
node: localhost
host_fqdn_override:
default: null
port:
registry:
node: 5000
oslo_db:
namespace: null
auth:
admin:
username: root
password: password
secret:
tls:
internal: mariadb-tls-direct
user:
username: grafana
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /grafana
scheme: mysql+pymysql
port:
mysql:
default: 3306
oslo_db_session:
namespace: null
auth:
admin:
username: root
password: password
secret:
tls:
internal: mariadb-tls-direct
user:
username: grafana_session
password: password
hosts:
default: mariadb
host_fqdn_override:
default: null
path: /grafana_session
scheme: mysql+pymysql
port:
mysql:
default: 3306
grafana:
name: grafana
namespace: null
auth:
admin:
username: admin
password: password
hosts:
default: grafana-dashboard
public: grafana
host_fqdn_override:
default: null
# NOTE(srwilkers): this chart supports TLS for fqdn over-ridden public
# endpoints using the following format:
# public:
# host: null
# tls:
# crt: null
# key: null
path:
default: null
scheme:
default: http
port:
grafana:
default: 3000
public: 80
monitoring:
name: prometheus
namespace: null
auth:
user:
username: admin
password: changeme
hosts:
default: prom-metrics
public: prometheus
host_fqdn_override:
default: null
path:
default: null
scheme:
default: http
port:
api:
default: 80
public: 80
ldap:
hosts:
default: ldap
auth:
admin:
bind_dn: "cn=admin,dc=cluster,dc=local"
password: password
host_fqdn_override:
default: null
path:
default: "ou=People,dc=cluster,dc=local"
scheme:
default: ldap
port:
ldap:
default: 389
dependencies:
dynamic:
common:
local_image_registry:
jobs:
- grafana-image-repo-sync
services:
- endpoint: node
service: local_image_registry
static:
db_init:
services:
- endpoint: internal
service: oslo_db
db_init_session:
services:
- endpoint: internal
service: oslo_db
db_session_sync:
jobs:
- grafana-db-init-session
services:
- endpoint: internal
service: oslo_db
grafana:
jobs:
- grafana-db-init
- grafana-db-session-sync
- grafana-set-admin-user
services:
- endpoint: internal
service: oslo_db
image_repo_sync:
services:
- endpoint: internal
service: local_image_registry
set_admin_user:
jobs:
- grafana-db-init
services:
- endpoint: internal
service: oslo_db
tests:
services:
- endpoint: internal
service: grafana
network:
grafana:
node_port:
enabled: false
port: 30902
ingress:
public: true
classes:
namespace: "nginx"
cluster: "nginx-cluster"
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
network_policy:
grafana:
ingress:
- {}
egress:
- {}
secrets:
oslo_db:
admin: grafana-db-admin
user: grafana-db-user
oslo_db_session:
admin: grafana-session-db-admin
user: grafana-session-db-user
tls:
grafana:
grafana:
public: grafana-tls-public
internal: grafana-tls-api
prometheus:
user: prometheus-user-creds
manifests:
certificates: false
configmap_bin: true
configmap_etc: true
configmap_dashboards: true
deployment: true
ingress: true
helm_tests: true
job_db_init: true
job_db_init_session: true
job_db_session_sync: true
job_image_repo_sync: true
job_set_admin_user: true
network_policy: false
secret_db: true
secret_db_session: true
secret_admin_creds: true
secret_ingress_tls: true
secret_prom_creds: true
service: true
service_ingress: true
conf:
ldap:
config:
base_dns:
search: "dc=cluster,dc=local"
group_search: "ou=Groups,dc=cluster,dc=local"
filters:
search: "(uid=%s)"
group_search: "(&(objectclass=posixGroup)(memberUID=uid=%s,ou=People,dc=cluster,dc=local))"
template: |
verbose_logging = false
[[servers]]
host = "{{ tuple "ldap" "internal" . | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}"
port = {{ tuple "ldap" "internal" "ldap" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
use_ssl = false
start_tls = false
ssl_skip_verify = false
bind_dn = "{{ .Values.endpoints.ldap.auth.admin.bind_dn }}"
bind_password = '{{ .Values.endpoints.ldap.auth.admin.password }}'
search_filter = "{{ .Values.conf.ldap.config.filters.search }}"
search_base_dns = ["{{ .Values.conf.ldap.config.base_dns.search }}"]
group_search_filter = "{{ .Values.conf.ldap.config.filters.group_search }}"
group_search_base_dns = ["{{ .Values.conf.ldap.config.base_dns.group_search }}"]
[servers.attributes]
username = "uid"
surname = "sn"
member_of = "cn"
email = "mail"
[[servers.group_mappings]]
group_dn = "{{.Values.endpoints.ldap.auth.admin.bind_dn }}"
org_role = "Admin"
[[servers.group_mappings]]
group_dn = "*"
org_role = "Viewer"
provisioning:
dashboards:
apiVersion: 1
providers:
- name: 'osh-infra-dashboards'
orgId: 1
folder: ''
type: file
disableDeletion: false
editable: false
options:
path: /etc/grafana/dashboards
datasources:
template: |
apiVersion: 1
datasources:
- name: prometheus
type: prometheus
access: proxy
orgId: 1
editable: true
basicAuth: true
basicAuthUser: {{ .Values.endpoints.monitoring.auth.user.username }}
secureJsonData:
basicAuthPassword: {{ .Values.endpoints.monitoring.auth.user.password }}
url: {{ tuple "monitoring" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_uri_lookup" }}
grafana:
analytics:
reporting_enabled: false
check_for_updates: false
auth.ldap:
enabled: true
config_file: /etc/grafana/ldap.toml
paths:
data: /var/lib/grafana/data
plugins: /var/lib/grafana/plugins
provisioning: /etc/grafana/provisioning
server:
protocol: http
http_port: 3000
database:
type: mysql
session:
provider: mysql
provider_config: null
cookie_name: grafana_sess
cookie_secure: false
session_life_time: 86400
security:
admin_user: ${GF_SECURITY_ADMIN_USER}
admin_password: ${GF_SECURITY_ADMIN_PASSWORD}
cookie_username: grafana_user
cookie_remember_name: grafana_remember
login_remember_days: 7
dashboards:
default_home_dashboard_path: /etc/grafana/dashboards/home_dashboard.json
users:
allow_sign_up: false
allow_org_create: false
auto_assign_org: true
default_theme: dark
log:
mode: console
level: info
grafana_net:
url: https://grafana.net
dashboards: {}
...