DevOps · K8s · Volleyball · Travel  •  DevOps · K8s · Volleyball · Travel  •  DevOps · K8s · Volleyball · Travel
Explore NY Tech

Simplifying Helm Configurations For

July 09, 2026 — LiveStream

🛒 Recommended gear on Amazon

Disclosure: some links above are affiliate links — if you buy through them I may earn a small commission at no extra cost to you. Thanks for supporting the channel!

🛒 Today's Picks on Amazon
As an Amazon Associate I earn from qualifying purchases.

Deploying Grafana using Helm can be complex, especially when managing the configuration of the Kubernetes service. Ensuring your configurations are accurate is crucial for the security and functionality of your deployment. This guide will help you understand the key components of both old and new configurations, highlight common mistakes, and ensure a smooth transition to the new configuration.

The AWS EKS Load Balancer Controller (AWS LB Controller) can sometimes change settings due to several reasons related to its management of Elastic Load Balancers (ELBs) and Network Load Balancers (NLBs) within an Amazon EKS cluster. Here are some common reasons why settings might be changed:

  1. Automatic Updates: The AWS LB Controller automatically manages and updates load balancer configurations based on changes in the Kubernetes resources (like Services and Ingresses) or changes in associated annotations and configurations.
  2. Annotation Changes: Annotations on Kubernetes resources (such as Services or Ingresses) can trigger updates or changes in the load balancer configuration. For example, modifying annotations related to SSL certificates, health checks, or backend protocols can lead to corresponding changes in the AWS load balancer settings.
  3. Resource Lifecycle Events: Events such as scaling events (scaling up or down pods or nodes), changes in service configurations (like changing service types or annotations), or updates to the Kubernetes resources that affect load balancer behavior can cause the AWS LB Controller to adjust settings to maintain consistency or reflect the updated configurations.
  4. Integration with AWS Services: The AWS LB Controller integrates closely with AWS services like ACM (AWS Certificate Manager) for SSL certificates, IAM (Identity and Access Management) for permissions, and CloudFormation for resource provisioning. Changes or updates in these AWS services or their configurations can influence how the AWS LB Controller manages and updates load balancer settings.
  5. Policy and Compliance: AWS LB Controller might enforce certain policies or best practices by automatically adjusting settings. For example, ensuring that SSL certificates are correctly configured and up-to-date, enforcing health check configurations, or adhering to AWS security group rules.
  6. Bug Fixes and Enhancements: Updates to the AWS LB Controller itself, including bug fixes, security patches, or enhancements, may result in changes to load balancer settings to improve stability, security, or performance.
  7. Operator Intervention: In some cases, manual interventions by administrators or operators to change load balancer configurations via Kubernetes resources or directly through AWS APIs can lead to changes managed by the AWS LB Controller.

Understanding these reasons helps in troubleshooting and managing configurations effectively when using the AWS LB Controller with Amazon EKS. It's essential to monitor changes and understand how annotations, Kubernetes resource configurations, and AWS service integrations impact load balancer settings to maintain the desired operational state and security posture.

When setting up Grafana with Helm, the old configuration involved several critical settings to establish a LoadBalancer service. Here’s a detailed look at the old configuration:

service:
  enabled: true
  type: LoadBalancer
  loadBalancerIP: ""
  loadBalancerClass: ""

  loadBalancerAnnotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-2:REDACTED:certificate/REDACTED"  # Replace Me******
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"  # Expose port 443 (HTTPS)
    service.beta.kubernetes.io/aws-load-balancer-ssl-protocol: "TLS"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"  # Forward traffic to port 80 internally
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "80"  # Health check on port 80
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-REDACTED"  # Replace Me******
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "grafana-service=true"
    service.beta.kubernetes.io/aws-load-balancer-security-policy: "ELBSecurityPolicy-TLS-1-2-2017-01"
  labels: {}
  portName: service
  appProtocol: ""

Key Components of the Old Configuration

  1. enabled: Activates the service.
  2. type: Specifies the service type as LoadBalancer.
  3. loadBalancerIP and loadBalancerClass: Initially left empty, these can be set for specific IP addresses or classes.
  4. loadBalancerSourceRanges: Defines the IP ranges allowed to access the service.
  5. loadBalancerAnnotations: Contains various AWS Load Balancer settings such as SSL certificate ARN, scheme, ports, protocols, security groups, health checks, and resource tags.

Common Mistakes in the Old Configuration

  1. Incorrect SSL Certificate ARN: Not replacing placeholder values.
  2. Improper Security Groups: Failing to update security group IDs.
  3. Misconfigured Source Ranges: Allowing unintended IP ranges access.

These mistakes can lead to security vulnerabilities and connectivity issues, making it essential to handle these configurations with care.

Transitioning to the New Configuration

The new configuration aims to streamline and improve the management of the LoadBalancer service. Here's the updated configuration:

service:
  enabled: true
  type: LoadBalancer
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-2:REDACTED:certificate/REDACTED"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-protocol: "HTTPS"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-REDACTED"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "grafana-service=true"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "tcp"
  labels: {}
  ports:
    - name: http
      port: 80
      targetPort: 3000
      protocol: TCP
    - name: https
      port: 443
      targetPort: 3000
      protocol: TCP
extraExposePorts:
  - name: https
    port: 443
    targetPort: 3000
healthCheck:
  path: "/"  # Health check path for ALB to monitor Grafana health
  intervalSeconds: 10
  timeoutSeconds: 5
  unhealthyThresholdCount: 6
  healthyThresholdCount: 2
externalTrafficPolicy: Cluster  # Use Cluster to preserve client source IP

Key Improvements in the New Configuration

  1. annotations: Consolidates LoadBalancer settings into annotations, making the configuration cleaner.
  2. ports: Defines both HTTP and HTTPS ports, specifying target ports and protocols.
  3. extraExposePorts: Ensures HTTPS traffic is correctly routed to the appropriate target port.
  4. healthCheck: Configures detailed health check settings for better monitoring.
  5. externalTrafficPolicy: Uses the Cluster policy to preserve the client source IP.

Benefits of the New Configuration

  • Simplified Management: Consolidated settings reduce complexity.
  • Enhanced Security: Explicit annotations improve clarity and reduce the risk of misconfiguration.
  • Better Monitoring: Detailed health check settings allow for more effective monitoring of Grafana's health.

Conclusion

Transitioning from the old to the new configuration for Grafana deployment using Helm can significantly enhance your deployment’s security and manageability. By understanding and correctly implementing these configurations, you can avoid common pitfalls and ensure a robust and efficient setup.

Remember, always double-check sensitive data like SSL certificates and security group IDs to avoid common mistakes. With this guide, you’re now better equipped to handle these configurations and ensure a smooth and secure Grafana deployment.

https://github.com/grafana/helm-charts/issues/1251#issuecomment-2167881691

##
  
 ################################################################################################################
service:
  enabled: true
  
  type: LoadBalancer
  
  annotations:
  
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-2:851465799644:certificate/f1"
  
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
  
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
  
    service.beta.kubernetes.io/aws-load-balancer-ssl-protocol: "HTTPS"
  
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
  
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-0bxxxxx"
  
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "grafana-service=true"
  
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "tcp"
  
  labels: {}
  
  ports:
  
    - name: http
  
      port: 80
  
      targetPort: 3000
  
      protocol: TCP
  
    - name: https
  
      port: 443
  
      targetPort: 3000
  
       protocol: TCP
extraExposePorts:
  - name: https
  
    port: 443
  
    targetPort: 3000
healthCheck:
  path: "/"  # Health check path for ALB to monitor Grafana health
  
  intervalSeconds: 10
  
  timeoutSeconds: 5
  
  unhealthyThresholdCount: 6
  
  healthyThresholdCount: 2
externalTrafficPolicy: Cluster  # Use Cluster to preserve client source IP

Let’s break down each section of the Helm chart configuration for the service component:

1. service Section

service:
  enabled: true
  type: LoadBalancer
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-2:851465799644:certificate/f1"
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-protocol: "HTTPS"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-security-groups: "sg-0bxxxxx"
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "grafana-service=true"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "tcp"
  labels: {}
  • enabled: true: Indicates that the service should be enabled.
  • type: LoadBalancer: Specifies that this service should be exposed externally using an AWS Elastic Load Balancer (ELB) configured by Kubernetes.
  • annotations: This section provides specific instructions to Kubernetes on how to configure the AWS ELB associated with this service:
    • service.beta.kubernetes.io/aws-load-balancer-ssl-cert: Specifies the ACM (AWS Certificate Manager) ARN for the SSL certificate used for HTTPS.
    • service.beta.kubernetes.io/aws-load-balancer-scheme: Specifies whether the ELB should be internet-facing or internal.
    • service.beta.kubernetes.io/aws-load-balancer-ssl-ports: Specifies the ports on which SSL should be enabled.
    • service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: Enables the Proxy Protocol to pass the client's information to the backend service.
    • service.beta.kubernetes.io/aws-load-balancer-ssl-protocol: Specifies the SSL protocol to be used (HTTPS).
    • service.beta.kubernetes.io/aws-load-balancer-backend-protocol: Specifies the protocol used between the ELB and the backend service (HTTP).
    • service.beta.kubernetes.io/aws-load-balancer-security-groups: Specifies the AWS security group to associate with the ELB.
    • service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: Adds additional AWS tags to the ELB for easier management.
    • service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: Specifies the protocol used for health checks by the ELB (TCP).
  • labels: {}: This section allows you to specify Kubernetes labels for the service, which can be used for querying and selecting objects.

2. ports Section

ports:
  - name: http
    port: 80
    targetPort: 3000
    protocol: TCP
  - name: https
    port: 443
    targetPort: 3000
    protocol: TCP
  • ports: Defines the ports that the service exposes:
    • name: Friendly name for the port.
    • port: Port number exposed on the ELB.
    • targetPort: Port on the container where traffic is sent (in this case, Grafana's port).
    • protocol: Protocol used (TCP in this case).

3. extraExposePorts Section

extraExposePorts:
  - name: https
    port: 443
    targetPort: 3000
  • extraExposePorts: Additional ports to expose beyond those defined in the ports section. In this case, it reiterates the HTTPS configuration, specifying port 443 to target Grafana's port 3000.

4. healthCheck Section

healthCheck:
  path: "/"
  intervalSeconds: 10
  timeoutSeconds: 5
  unhealthyThresholdCount: 6
  healthyThresholdCount: 2
  • healthCheck: Configures health checks for the AWS ELB:
    • path: The endpoint path used for health checks (root path "/" in this case).
    • intervalSeconds: Interval between health checks.
    • timeoutSeconds: Timeout for each health check.
    • unhealthyThresholdCount: Number of consecutive health check failures before considering the instance unhealthy.
    • healthyThresholdCount: Number of consecutive health check successes before considering the instance healthy again.

5. externalTrafficPolicy Section

externalTrafficPolicy: Cluster
  • externalTrafficPolicy: Specifies how the external traffic is routed to the service:
    • Cluster: Preserves the client source IP, ensuring that the source IP is maintained when the traffic hits the backend service.

Summary

This Helm chart configuration snippet effectively sets up a Grafana service on AWS EKS with an AWS ELB configured for HTTPS, SSL termination, health checks, and traffic preservation policies. Each parameter plays a crucial role in ensuring the secure and reliable operation of Grafana within a Kubernetes cluster on AWS.

This breakdown provides insights into configuring AWS EKS load balancer settings via Helm for deploying Grafana securely with HTTPS support.

Grafana Helm Chart

  • Installs the web dashboarding system Grafana

Get Repo Info

 helm repo add grafana https://grafana.github.io/helm-charts
 helm repo update

_See helm repo for command documentation._

Installing the Chart

To install the chart with the release name my-release:

 helm install my-release grafana/grafana

Uninstalling the Chart

To uninstall/delete the my-release deployment:

 helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.

Upgrading an existing Release to a new major version

A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an

incompatible breaking change needing manual actions.

To 4.0.0 (And 3.12.1)

This version requires Helm >= 2.12.0.

To 5.0.0

You have to add --force to your helm upgrade command as the labels of the chart have changed.

To 6.0.0

This version requires Helm >= 3.1.0.

To 7.0.0

For consistency with other Helm charts, the global.image.registry parameter was renamed

to global.imageRegistry. If you were not previously setting global.image.registry, no action

is required on upgrade. If you were previously setting global.image.registry, you will

need to instead set global.imageRegistry.

Configuration

ParameterDescriptionDefault
replicasNumber of nodes1
podDisruptionBudget.minAvailablePod disruption minimum availablenil
podDisruptionBudget.maxUnavailablePod disruption maximum unavailablenil
podDisruptionBudget.apiVersionPod disruption apiVersionnil
deploymentStrategyDeployment strategy{ "type": "RollingUpdate" }
livenessProbeLiveness Probe settings{ "httpGet": { "path": "/api/health", "port": 3000 } "initialDelaySeconds": 60, "timeoutSeconds": 30, "failureThreshold": 10 }
readinessProbeReadiness Probe settings{ "httpGet": { "path": "/api/health", "port": 3000 } }
securityContextDeployment securityContext{"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472}
priorityClassNameName of Priority Class to assign podsnil
image.registryImage registrydocker.io
image.repositoryImage repositorygrafana/grafana
image.tagOverrides the Grafana image tag whose default is the chart appVersion (Must be >= 5.0.0)
image.shaImage sha (optional)
image.pullPolicyImage pull policyIfNotPresent
image.pullSecretsImage pull secrets (can be templated)[]
service.enabledEnable grafana servicetrue
service.typeKubernetes service typeClusterIP
service.portKubernetes port where service is exposed80
service.portNameName of the port on the serviceservice
service.appProtocolAdds the appProtocol field to the service
service.targetPortInternal service is port3000
service.nodePortKubernetes service nodePortnil
service.annotationsService annotations (can be templated){}
service.labelsCustom labels{}
service.clusterIPinternal cluster service IPnil
service.loadBalancerIPIP address to assign to load balancer (if supported)nil
service.loadBalancerSourceRangeslist of IP CIDRs allowed access to lb (if supported)[]
service.externalIPsservice external IP addresses[]
service.externalTrafficPolicychange the default externalTrafficPolicynil
headlessServiceCreate a headless servicefalse
extraExposePortsAdditional service ports for sidecar containers[]
hostAliasesadds rules to the pod's /etc/hosts[]
ingress.enabledEnables Ingressfalse
ingress.annotationsIngress annotations (values are templated){}
ingress.labelsCustom labels{}
ingress.pathIngress accepted path/
ingress.pathTypeIngress type of pathPrefix
ingress.hostsIngress accepted hostnames["chart-example.local"]
ingress.extraPathsIngress extra paths to prepend to every host configuration. Useful when configuring custom actions with AWS ALB Ingress Controller. Requires ingress.hosts to have one or more host entries.[]
ingress.tlsIngress TLS configuration[]
ingress.ingressClassNameIngress Class Name. MAY be required for Kubernetes versions >= 1.18""
resourcesCPU/Memory resource requests/limits{}
nodeSelectorNode labels for pod assignment{}
tolerationsToleration labels for pod assignment[]
affinityAffinity settings for pod assignment{}
extraInitContainersInit containers to add to the grafana pod{}
extraContainersSidecar containers to add to the grafana pod""
extraContainerVolumesVolumes that can be mounted in sidecar containers[]
extraLabelsCustom labels for all manifests{}
schedulerNameName of the k8s scheduler (other than default)nil
persistence.enabledUse persistent volume to store datafalse
persistence.typeType of persistence (pvc or statefulset)pvc
persistence.sizeSize of persistent volume claim10Gi
persistence.existingClaimUse an existing PVC to persist data (can be templated)nil
persistence.storageClassNameType of persistent volume claimnil
persistence.accessModesPersistence access modes[ReadWriteOnce]
persistence.annotationsPersistentVolumeClaim annotations{}
persistence.finalizersPersistentVolumeClaim finalizers[ "kubernetes.io/pvc-protection" ]
persistence.extraPvcLabelsExtra labels to apply to a PVC.{}
persistence.subPathMount a sub dir of the persistent volume (can be templated)nil
persistence.inMemory.enabledIf persistence is not enabled, whether to mount the local storage in-memory to improve performancefalse
persistence.inMemory.sizeLimitSizeLimit for the in-memory local storagenil
initChownData.enabledIf false, don't reset data ownership at startuptrue
initChownData.image.registryinit-chown-data container image registrydocker.io
initChownData.image.repositoryinit-chown-data container image repositorybusybox
initChownData.image.taginit-chown-data container image tag1.31.1
initChownData.image.shainit-chown-data container image sha (optional)""
initChownData.image.pullPolicyinit-chown-data container image pull policyIfNotPresent
initChownData.resourcesinit-chown-data pod resource requests & limits{}
schedulerNameAlternate scheduler namenil
envExtra environment variables passed to pods{}
envValueFromEnvironment variables from alternate sources. See the API docs on EnvVarSource for format details. Can be templated{}
envFromSecretName of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated""
envFromSecretsList of Kubernetes secrets (must be manually created in the same namespace) containing values to be added to the environment. Can be templated[]
envFromConfigMapsList of Kubernetes ConfigMaps (must be manually created in the same namespace) containing values to be added to the environment. Can be templated[]
envRenderSecretSensible environment variables passed to pods and stored as secret. (passed through tpl){}
enableServiceLinksInject Kubernetes services as environment variables.true
extraSecretMountsAdditional grafana server secret mounts[]
extraVolumeMountsAdditional grafana server volume mounts[]
extraVolumesAdditional Grafana server volumes[]
automountServiceAccountTokenMounted the service account token on the grafana pod. Mandatory, if sidecars are enabledtrue
createConfigmapEnable creating the grafana configmaptrue
extraConfigmapMountsAdditional grafana server configMap volume mounts (values are templated)[]
extraEmptyDirMountsAdditional grafana server emptyDir volume mounts[]
pluginsPlugins to be loaded along with Grafana[]
datasourcesConfigure grafana datasources (passed through tpl){}
alertingConfigure grafana alerting (passed through tpl){}
notifiersConfigure grafana notifiers{}
dashboardProvidersConfigure grafana dashboard providers{}
dashboardsDashboards to import{}
dashboardsConfigMapsConfigMaps reference that contains dashboards{}
grafana.iniGrafana's primary configuration{}
global.imageRegistryGlobal image pull registry for all images.null
global.imagePullSecretsGlobal image pull secrets (can be templated). Allows either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style).[]
ldap.enabledEnable LDAP authenticationfalse
ldap.existingSecretThe name of an existing secret containing the ldap.toml file, this must have the key ldap-toml.""
ldap.configGrafana's LDAP configuration""
annotationsDeployment annotations{}
labelsDeployment labels{}
podAnnotationsPod annotations{}
podLabelsPod labels{}
podPortNameName of the grafana port on the podgrafana
lifecycleHooksLifecycle hooks for podStart and preStop Example{}
sidecar.image.registrySidecar image registryquay.io
sidecar.image.repositorySidecar image repositorykiwigrid/k8s-sidecar
sidecar.image.tagSidecar image tag1.26.0
sidecar.image.shaSidecar image sha (optional)""
sidecar.imagePullPolicySidecar image pull policyIfNotPresent
sidecar.resourcesSidecar resources{}
sidecar.securityContextSidecar securityContext{}
sidecar.enableUniqueFilenamesSets the kiwigrid/k8s-sidecar UNIQUE_FILENAMES environment variable. If set to true the sidecar will create unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces.false
sidecar.alerts.enabledEnables the cluster wide search for alerts and adds/updates/deletes them in grafanafalse
sidecar.alerts.labelLabel that config maps with alerts should have to be addedgrafana_alert
sidecar.alerts.labelValueLabel value that config maps with alerts should have to be added""
sidecar.alerts.searchNamespaceNamespaces list. If specified, the sidecar will search for alerts config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces.nil
sidecar.alerts.watchMethodMethod to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.WATCH
sidecar.alerts.resourceShould the sidecar looks into secrets, configmaps or both.both
sidecar.alerts.reloadURLFull url of datasource configuration reload API endpoint, to invoke after a config-map change"http://localhost:3000/api/admin/provisioning/alerting/reload"
sidecar.alerts.skipReloadEnabling this omits defining the REQ_URL and REQ_METHOD environment variablesfalse
sidecar.alerts.initAlertsSet to true to deploy the alerts sidecar as an initContainer. This is needed if skipReload is true, to load any alerts defined at startup time.false
sidecar.alerts.extraMountsAdditional alerts sidecar volume mounts.[]
sidecar.dashboards.enabledEnables the cluster wide search for dashboards and adds/updates/deletes them in grafanafalse
sidecar.dashboards.SCProviderEnables creation of sidecar providertrue
sidecar.dashboards.provider.nameUnique name of the grafana providersidecarProvider
sidecar.dashboards.provider.orgidId of the organisation, to which the dashboards should be added1
sidecar.dashboards.provider.folderLogical folder in which grafana groups dashboards""
sidecar.dashboards.provider.folderUidAllows you to specify the static UID for the logical folder above""
sidecar.dashboards.provider.disableDeleteActivate to avoid the deletion of imported dashboardsfalse
sidecar.dashboards.provider.allowUiUpdatesAllow updating provisioned dashboards from the UIfalse
sidecar.dashboards.provider.typeProvider typefile
sidecar.dashboards.provider.foldersFromFilesStructureAllow Grafana to replicate dashboard structure from filesystem.false
sidecar.dashboards.watchMethodMethod to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.WATCH
sidecar.skipTlsVerifySet to true to skip tls verification for kube api callsnil
sidecar.dashboards.labelLabel that config maps with dashboards should have to be addedgrafana_dashboard
sidecar.dashboards.labelValueLabel value that config maps with dashboards should have to be added""
sidecar.dashboards.folderFolder in the pod that should hold the collected dashboards (unless sidecar.dashboards.defaultFolderName is set). This path will be mounted./tmp/dashboards
sidecar.dashboards.folderAnnotationThe annotation the sidecar will look for in configmaps to override the destination folder for filesnil
sidecar.dashboards.defaultFolderNameThe default folder name, it will create a subfolder under the sidecar.dashboards.folder and put dashboards in there insteadnil
sidecar.dashboards.searchNamespaceNamespaces list. If specified, the sidecar will search for dashboards config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces.nil
sidecar.dashboards.scriptAbsolute path to shell script to execute after a configmap got reloaded.nil
sidecar.dashboards.reloadURLFull url of dashboards configuration reload API endpoint, to invoke after a config-map change"http://localhost:3000/api/admin/provisioning/dashboards/reload"
sidecar.dashboards.skipReloadEnabling this omits defining the REQ_USERNAME, REQ_PASSWORD, REQ_URL and REQ_METHOD environment variablesfalse
sidecar.dashboards.resourceShould the sidecar looks into secrets, configmaps or both.both
sidecar.dashboards.extraMountsAdditional dashboard sidecar volume mounts.[]
sidecar.datasources.enabledEnables the cluster wide search for datasources and adds/updates/deletes them in grafanafalse
sidecar.datasources.labelLabel that config maps with datasources should have to be addedgrafana_datasource
sidecar.datasources.labelValueLabel value that config maps with datasources should have to be added""
sidecar.datasources.searchNamespaceNamespaces list. If specified, the sidecar will search for datasources config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces.nil
sidecar.datasources.watchMethodMethod to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.WATCH
sidecar.datasources.resourceShould the sidecar looks into secrets, configmaps or both.both
sidecar.datasources.reloadURLFull url of datasource configuration reload API endpoint, to invoke after a config-map change"http://localhost:3000/api/admin/provisioning/datasources/reload"
sidecar.datasources.skipReloadEnabling this omits defining the REQ_URL and REQ_METHOD environment variablesfalse
sidecar.datasources.initDatasourcesSet to true to deploy the datasource sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any datasources defined at startup time.false
sidecar.notifiers.enabledEnables the cluster wide search for notifiers and adds/updates/deletes them in grafanafalse
sidecar.notifiers.labelLabel that config maps with notifiers should have to be addedgrafana_notifier
sidecar.notifiers.labelValueLabel value that config maps with notifiers should have to be added""
sidecar.notifiers.searchNamespaceNamespaces list. If specified, the sidecar will search for notifiers config-maps (or secrets) inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces.nil
sidecar.notifiers.watchMethodMethod to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds.WATCH
sidecar.notifiers.resourceShould the sidecar looks into secrets, configmaps or both.both
sidecar.notifiers.reloadURLFull url of notifier configuration reload API endpoint, to invoke after a config-map change"http://localhost:3000/api/admin/provisioning/notifications/reload"
sidecar.notifiers.skipReloadEnabling this omits defining the REQ_URL and REQ_METHOD environment variablesfalse
sidecar.notifiers.initNotifiersSet to true to deploy the notifier sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any notifiers defined at startup time.false
smtp.existingSecretThe name of an existing secret containing the SMTP credentials.""
smtp.userKeyThe key in the existing SMTP secret containing the username."user"
smtp.passwordKeyThe key in the existing SMTP secret containing the password."password"
admin.existingSecretThe name of an existing secret containing the admin credentials (can be templated).""
admin.userKeyThe key in the existing admin secret containing the username."admin-user"
admin.passwordKeyThe key in the existing admin secret containing the password."admin-password"
serviceAccount.automountServiceAccountTokenAutomount the service account token on all pods where is service account is usedfalse
serviceAccount.annotationsServiceAccount annotations
serviceAccount.createCreate service accounttrue
serviceAccount.labelsServiceAccount labels{}
serviceAccount.nameService account name to use, when empty will be set to created account if serviceAccount.create is set else to default
serviceAccount.nameTestService account name to use for test, when empty will be set to created account if serviceAccount.create is set else to defaultnil
rbac.createCreate and use RBAC resourcestrue
rbac.namespacedCreates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instancefalse
rbac.useExistingRoleSet to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here.nil
rbac.pspEnabledCreate PodSecurityPolicy (with rbac.create, grant roles permissions as well)false
rbac.pspUseAppArmorEnforce AppArmor in created PodSecurityPolicy (requires rbac.pspEnabled)false
rbac.extraRoleRulesAdditional rules to add to the Role[]
rbac.extraClusterRoleRulesAdditional rules to add to the ClusterRole[]
commandDefine command to be executed by grafana container at startupnil
argsDefine additional args if command is usednil
testFramework.enabledWhether to create test-related resourcestrue
testFramework.image.registrytest-framework image registry.docker.io
testFramework.image.repositorytest-framework image repository.bats/bats
testFramework.image.tagtest-framework image tag.v1.4.1
testFramework.imagePullPolicytest-framework image pull policy.IfNotPresent
testFramework.securityContexttest-framework securityContext{}
downloadDashboards.envEnvironment variables to be passed to the download-dashboards container{}
downloadDashboards.envFromSecretName of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated""
downloadDashboards.resourcesResources of download-dashboards container{}
downloadDashboardsImage.registryCurl docker image registrydocker.io
downloadDashboardsImage.repositoryCurl docker image repositorycurlimages/curl
downloadDashboardsImage.tagCurl docker image tag7.73.0
downloadDashboardsImage.shaCurl docker image sha (optional)""
downloadDashboardsImage.pullPolicyCurl docker image pull policyIfNotPresent
namespaceOverrideOverride the deployment namespace"" (Release.Namespace)
serviceMonitor.enabledUse servicemonitor from prometheus operatorfalse
serviceMonitor.namespaceNamespace this servicemonitor is installed in
serviceMonitor.intervalHow frequently Prometheus should scrape1m
serviceMonitor.pathPath to scrape/metrics
serviceMonitor.schemeScheme to use for metrics scrapinghttp
serviceMonitor.tlsConfigTLS configuration block for the endpoint{}
serviceMonitor.labelsLabels for the servicemonitor passed to Prometheus Operator{}
serviceMonitor.scrapeTimeoutTimeout after which the scrape is ended30s
serviceMonitor.relabelingsRelabelConfigs to apply to samples before scraping.[]
serviceMonitor.metricRelabelingsMetricRelabelConfigs to apply to samples before ingestion.[]
revisionHistoryLimitNumber of old ReplicaSets to retain10
imageRenderer.enabledEnable the image-renderer deployment & servicefalse
imageRenderer.image.registryimage-renderer Image registrydocker.io
imageRenderer.image.repositoryimage-renderer Image repositorygrafana/grafana-image-renderer
imageRenderer.image.tagimage-renderer Image taglatest
imageRenderer.image.shaimage-renderer Image sha (optional)""
imageRenderer.image.pullPolicyimage-renderer ImagePullPolicyAlways
imageRenderer.envextra env-vars for image-renderer{}
imageRenderer.envValueFromEnvironment variables for image-renderer from alternate sources. See the API docs on EnvVarSource for format details. Can be templated{}
imageRenderer.serviceAccountNameimage-renderer deployment serviceAccountName""
imageRenderer.securityContextimage-renderer deployment securityContext{}
imageRenderer.podAnnotations image-renderer image-renderer pod annotation{}
imageRenderer.hostAliasesimage-renderer deployment Host Aliases[]
imageRenderer.priorityClassNameimage-renderer deployment priority class''
imageRenderer.service.enabledEnable the image-renderer servicetrue
imageRenderer.service.portNameimage-renderer service port namehttp
imageRenderer.service.portimage-renderer port used by deployment8081
imageRenderer.service.targetPortimage-renderer service port used by service8081
imageRenderer.appProtocolAdds the appProtocol field to the service
imageRenderer.grafanaSubPathGrafana sub path to use for image renderer callback url''
imageRenderer.podPortNamename of the image-renderer port on the podhttp
imageRenderer.revisionHistoryLimitnumber of image-renderer replica sets to keep10
imageRenderer.networkPolicy.limitIngressEnable a NetworkPolicy to limit inbound traffic from only the created grafana podstrue
imageRenderer.networkPolicy.limitEgressEnable a NetworkPolicy to limit outbound traffic to only the created grafana podsfalse
imageRenderer.resourcesSet resource limits for image-renderer pods{}
imageRenderer.nodeSelectorNode labels for pod assignment{}
imageRenderer.tolerationsToleration labels for pod assignment[]
imageRenderer.affinityAffinity settings for pod assignment{}
networkPolicy.enabledEnable creation of NetworkPolicy resources.false
networkPolicy.allowExternalDon't require client label for connectionstrue
networkPolicy.explicitNamespacesSelectorA Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed{}
networkPolicy.ingressEnable the creation of an ingress network policytrue
networkPolicy.egress.enabledEnable the creation of an egress network policyfalse
networkPolicy.egress.portsAn array of ports to allow for the egress[]
enableKubeBackwardCompatibilityEnable backward compatibility of kubernetes where pod's defintion version below 1.13 doesn't have the enableServiceLinks optionfalse

Example ingress with path

With grafana 6.3 and above

grafana.ini:
  server:
     domain: monitoring.example.com
    root_url: "%(protocol)s://%(domain)s/grafana"
    serve_from_sub_path: true
 ingress:
  enabled: true
  hosts:
    - "monitoring.example.com"
  path: "/grafana"

Example of extraVolumeMounts and extraVolumes

Configure additional volumes with extraVolumes and volume mounts with extraVolumeMounts.

Example for extraVolumeMounts and corresponding extraVolumes:

extraVolumeMounts:
  - name: plugins
    mountPath: /var/lib/grafana/plugins
    subPath: configs/grafana/plugins
    readOnly: false
  - name: dashboards
    mountPath: /var/lib/grafana/dashboards
    hostPath: /usr/shared/grafana/dashboards
    readOnly: false
extraVolumes:
  - name: plugins
    existingClaim: existing-grafana-claim
  - name: dashboards
    hostPath: /usr/shared/grafana/dashboards

Volumes default to emptyDir. Set to persistentVolumeClaim,

hostPath, csi, or configMap for other types. For a

persistentVolumeClaim, specify an existing claim name with

existingClaim.

Import dashboards

There are a few methods to import dashboards to Grafana. Below are some examples and explanations as to how to use each method:

 dashboards:
  default:
    some-dashboard:
      json: |
        {
          "annotations":
          ...
          # Complete json file here
          ...
          "title": "Some Dashboard",
          "uid": "abcd1234",
           "version": 1
        }
    custom-dashboard:
      # This is a path to a file inside the dashboards directory inside the chart directory
      file: dashboards/custom-dashboard.json
    prometheus-stats:
      # Ref: https://grafana.com/dashboards/2
       gnetId: 2
      revision: 2
      datasource: Prometheus
    loki-dashboard-quick-search:
      gnetId: 12019
      revision: 2
      datasource:
      - name: DS_PROMETHEUS
        value: Prometheus
      - name: DS_LOKI
        value: Loki
    local-dashboard:
      url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json

BASE64 dashboards

Dashboards could be stored on a server that does not return JSON directly and instead of it returns a Base64 encoded file (e.g. Gerrit)

A new parameter has been added to the url use case so if you specify a b64content value equals to true after the url entry a Base64 decoding is applied before save the file to disk.

If this entry is not set or is equals to false not decoding is applied to the file before saving it to disk.

Gerrit use case

Gerrit API for download files has the following schema: <https://yourgerritserver/a/{project-name}/branches/{branch-id}/files/{file-id}/content> where {project-name} and

{file-id} usually has '/' in their values and so they MUST be replaced by %2F so if project-name is user/repo, branch-id is master and file-id is equals to dir1/dir2/dashboard

the url value is <https://yourgerritserver/a/user%2Frepo/branches/master/files/dir1%2Fdir2%2Fdashboard/content>

Sidecar for dashboards

If the parameter sidecar.dashboards.enabled is set, a sidecar container is deployed in the grafana

pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with

a label as defined in sidecar.dashboards.label. The files defined in those configmaps are written

to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported

dashboards are deleted/updated.

A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside

one configmap is currently not properly mirrored in grafana.

Example dashboard config:

apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sample-grafana-dashboard
  labels:
     grafana_dashboard: "1"
 data:
  k8s-dashboard.json: |-
  [...]

Sidecar for datasources

If the parameter sidecar.datasources.enabled is set, an init container is deployed in the grafana

pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and

filters out the ones with a label as defined in sidecar.datasources.label. The files defined in

those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,

the data sources in grafana can be imported.

Should you aim for reloading datasources in Grafana each time the config is changed, set sidecar.datasources.skipReload: false and adjust sidecar.datasources.reloadURL to http://<svc-name>.<namespace>.svc.cluster.local/api/admin/provisioning/datasources/reload.

Secrets are recommended over configmaps for this usecase because datasources usually contain private

data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those.

Example values to add a postgres datasource as a kubernetes secret:

apiVersion: v1
 kind: Secret
metadata:
  name: grafana-datasources
  labels:
    grafana_datasource: 'true' # default value for: sidecar.datasources.label
stringData:
  pg-db.yaml: |-
    apiVersion: 1
    datasources:
       - name: My pg db datasource
        type: postgres
        url: my-postgresql-db:5432
        user: db-readonly-user
        secureJsonData:
          password: 'SUperSEcretPa$$word'
         jsonData:
          database: my_datase
          sslmode: 'disable' # disable/require/verify-ca/verify-full
          maxOpenConns: 0 # Grafana v5.4+
          maxIdleConns: 2 # Grafana v5.4+
          connMaxLifetime: 14400 # Grafana v5.4+
          postgresVersion: 1000 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10
          timescaledb: false
        # <bool> allow users to edit datasources from the UI.
        editable: false

Example values to add a datasource adapted from Grafana:

datasources:
  datasources.yaml:
   apiVersion: 1
   datasources:
      # <string, required> name of the datasource. Required
    - name: Graphite
      # <string, required> datasource type. Required
      type: graphite
      # <string, required> access mode. proxy or direct (Server or Browser in the UI). Required
      access: proxy
      # <int> org id. will default to orgId 1 if not specified
      orgId: 1
      # <string> url
      url: http://localhost:8080
      # <string> database password, if used
      password:
      # <string> database user, if used
      user:
      # <string> database name, if used
       database:
      # <bool> enable/disable basic auth
      basicAuth:
      # <string> basic auth username
      basicAuthUser:
      # <string> basic auth password
      basicAuthPassword:
      # <bool> enable/disable with credentials headers
      withCredentials:
      # <bool> mark as default datasource. Max one per org
      isDefault:
      # <map> fields that will be converted to json and stored in json_data
      jsonData:
         graphiteVersion: "1.1"
         tlsAuth: true
         tlsAuthWithCACert: true
      # <string> json object of data that will be encrypted.
      secureJsonData:
        tlsCACert: "..."
         tlsClientCert: "..."
        tlsClientKey: "..."
      version: 1
      # <bool> allow users to edit datasources from the UI.
      editable: false

Sidecar for notifiers

If the parameter sidecar.notifiers.enabled is set, an init container is deployed in the grafana

pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and

filters out the ones with a label as defined in sidecar.notifiers.label. The files defined in

those secrets are written to a folder and accessed by grafana on startup. Using these yaml files,

the notification channels in grafana can be imported. The secrets must be created before

helm install so that the notifiers init container can list the secrets.

Secrets are recommended over configmaps for this usecase because alert notification channels usually contain

private data like SMTP usernames and passwords. Secrets are the more appropriate cluster resource to manage those.

Example datasource config adapted from Grafana:

 notifiers:
  - name: notification-channel-1
    type: slack
    uid: notifier1
    # either
    org_id: 2
    # or
    org_name: Main Org.
    is_default: true
    send_reminder: true
    frequency: 1h
    disable_resolve_message: false
    # See `Supported Settings` section for settings supporter for each
    # alert notification type.
    settings:
      recipient: 'XXX'
      token: 'xoxb'
      uploadImage: true
      url: https://slack.com
delete_notifiers:
  - name: notification-channel-1
    uid: notifier1
    org_id: 2
  - name: notification-channel-2
    # default org_id: 1

Sidecar for alerting resources

If the parameter sidecar.alerts.enabled is set, a sidecar container is deployed in the grafana

pod. This container watches all configmaps (or secrets) in the cluster (namespace defined by sidecar.alerts.searchNamespace) and filters out the ones with

a label as defined in sidecar.alerts.label (default is grafana_alert). The files defined in those configmaps are written

to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported alerting resources are updated, however, deletions are a little more complicated (see below).

This sidecar can be used to provision alert rules, contact points, notification policies, notification templates and mute timings as shown in Grafana Documentation.

To fetch the alert config which will be provisioned, use the alert provisioning API (Grafana Documentation).

You can use either JSON or YAML format.

Example config for an alert rule:

apiVersion: v1
 kind: ConfigMap
 metadata:
  name: sample-grafana-alert
  labels:
     grafana_alert: "1"
 data:
  k8s-alert.yml: |-
    apiVersion: 1
    groups:
        - orgId: 1
          name: k8s-alert
          [...]

To delete provisioned alert rules is a two step process, you need to delete the configmap which defined the alert rule

and then create a configuration which deletes the alert rule.

Example deletion configuration:

apiVersion: v1
 kind: ConfigMap
metadata:
  name: delete-sample-grafana-alert
  namespace: monitoring
  labels:
    grafana_alert: "1"
 data:
  delete-k8s-alert.yml: |-
    apiVersion: 1
    deleteRules:
      - orgId: 1
         uid: 16624780-6564-45dc-825c-8bded4ad92d3

Statically provision alerting resources

If you don't need to change alerting resources (alert rules, contact points, notification policies and notification templates) regularly you could use the alerting config option instead of the sidecar option above.

This will grab the alerting config and apply it statically at build time for the helm file.

There are two methods to statically provision alerting configuration in Grafana. Below are some examples and explanations as to how to use each method:

 alerting:
  team1-alert-rules.yaml:
    file: alerting/team1/rules.yaml
  team2-alert-rules.yaml:
    file: alerting/team2/rules.yaml
  team3-alert-rules.yaml:
    file: alerting/team3/rules.yaml
  notification-policies.yaml:
    file: alerting/shared/notification-policies.yaml
  notification-templates.yaml:
    file: alerting/shared/notification-templates.yaml
  contactpoints.yaml:
    apiVersion: 1
    contactPoints:
      - orgId: 1
        name: Slack channel
        receivers:
          - uid: default-receiver
             type: slack
            settings:
              # Webhook URL to be filled in
              url: ""
              # We need to escape double curly braces for the tpl function.
               text: '{{ `{{ template "default.message" . }}` }}'
               title: '{{ `{{ template "default.title" . }}` }}'

The two possibilities for static alerting resource provisioning are:

  • Inlining the file contents as shown for contact points in the above example.
  • Importing a file using a relative path starting from the chart root directory as shown for the alert rules in the above example.

Important notes on file provisioning

  • The format of the files is defined in the Grafana documentation on file provisioning.
  • The chart supports importing YAML and JSON files.
  • The filename must be unique, otherwise one volume mount will overwrite the other.
  • In case of inlining, double curly braces that arise from the Grafana configuration format and are not intended as templates for the chart must be escaped.
  • The number of total files under alerting: is not limited. Each file will end up as a volume mount in the corresponding provisioning folder of the deployed Grafana instance.
  • The file size for each import is limited by what the function .Files.Get can handle, which suffices for most cases.

How to serve Grafana with a path prefix (/grafana)

In order to serve Grafana with a prefix (e.g., <http://example.com/grafana>), add the following to your values.yaml.

 ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/use-regex: "true"
  path: /grafana/?(.*)
  hosts:
    - k8s.example.dev
grafana.ini:
  server:
    root_url: http://localhost:3000/grafana # this host can be localhost

How to securely reference secrets in grafana.ini

This example uses Grafana file providers for secret values and the extraSecretMounts configuration flag (Additional grafana server secret mounts) to mount the secrets.

In grafana.ini:

grafana.ini:
  [auth.generic_oauth]
  enabled = true
  client_id = $__file{/etc/secrets/auth_generic_oauth/client_id}
  client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret}

Existing secret, or created along with helm:

 ---
apiVersion: v1
 kind: Secret
 metadata:
  name: auth-generic-oauth-secret
 type: Opaque
stringData:
  client_id: <value>
  client_secret: <value>

Include in the extraSecretMounts configuration flag:

 - extraSecretMounts:
  - name: auth-generic-oauth-secret-mount
    secretName: auth-generic-oauth-secret
    defaultMode: 0440
    mountPath: /etc/secrets/auth_generic_oauth
    readOnly: true

extraSecretMounts using a Container Storage Interface (CSI) provider

This example uses a CSI driver e.g. retrieving secrets using Azure Key Vault Provider

 - extraSecretMounts:
  - name: secrets-store-inline
    mountPath: /run/secrets
    readOnly: true
    csi:
      driver: secrets-store.csi.k8s.io
      readOnly: true
      volumeAttributes:
        secretProviderClass: "my-provider"
      nodePublishSecretRef:
        name: akv-creds

Image Renderer Plug-In

This chart supports enabling remote image rendering

imageRenderer:
  enabled: true

Image Renderer NetworkPolicy

By default the image-renderer pods will have a network policy which only allows ingress traffic from the created grafana instance

High Availability for unified alerting

If you want to run Grafana in a high availability cluster you need to enable

the headless service by setting headlessService: true in your values.yaml

file.

As next step you have to setup the grafana.ini in your values.yaml in a way

that it will make use of the headless service to obtain all the IPs of the

cluster. You should replace {{ Name }} with the name of your helm deployment.

grafana.ini:
  ...
  unified_alerting:
    enabled: true
    ha_peers: {{ Name }}-headless:9094
    ha_listen_address: ${POD_IP}:9094
    ha_advertise_address: ${POD_IP}:9094
  alerting:
    enabled: false