Erich Blume
0c09177d08
Public dashboards don't support template variables or PostgreSQL datasources, so anonymous auth is required for Homepage embeds. Security relies on Tailscale ACLs - see zk grafana card. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
102 lines
2.6 KiB
YAML
102 lines
2.6 KiB
YAML
# Grafana Helm values for blumeops
|
|
# Chart: https://github.com/grafana/helm-charts/tree/main/charts/grafana
|
|
|
|
# Admin credentials from pre-created secret
|
|
# Secret must exist before deploying - see grafana-config/README.md
|
|
admin:
|
|
existingSecret: grafana-admin
|
|
userKey: admin-user
|
|
passwordKey: admin-password
|
|
|
|
# Environment variables from secrets (for datasource credentials)
|
|
envFromSecrets:
|
|
- name: grafana-teslamate-datasource
|
|
optional: true
|
|
|
|
# Persistence with PVC for SQLite database
|
|
persistence:
|
|
enabled: true
|
|
type: pvc
|
|
size: 1Gi
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
|
|
# Grafana configuration via grafana.ini
|
|
grafana.ini:
|
|
server:
|
|
root_url: https://grafana.tail8d86e.ts.net
|
|
security:
|
|
# Allow embedding panels in iframes (for Homepage dashboard)
|
|
allow_embedding: true
|
|
# Required for iframe session cookies
|
|
cookie_samesite: lax
|
|
auth.anonymous:
|
|
# WARNING: All dashboards readable without login
|
|
# Security relies on Tailscale ACLs - only tailnet members can reach Grafana
|
|
# Required for iframe embeds with template variables and non-Prometheus datasources
|
|
enabled: true
|
|
org_role: Viewer
|
|
analytics:
|
|
check_for_updates: false
|
|
reporting_enabled: false
|
|
|
|
# Datasources - point to k8s-internal services
|
|
datasources:
|
|
datasources.yaml:
|
|
apiVersion: 1
|
|
datasources:
|
|
- name: Prometheus
|
|
type: prometheus
|
|
access: proxy
|
|
orgId: 1
|
|
uid: prometheus
|
|
url: http://prometheus.monitoring.svc.cluster.local:9090
|
|
isDefault: true
|
|
editable: false
|
|
- name: Loki
|
|
type: loki
|
|
access: proxy
|
|
orgId: 1
|
|
uid: loki
|
|
url: http://loki.monitoring.svc.cluster.local:3100
|
|
editable: false
|
|
- name: TeslaMate
|
|
type: postgres
|
|
access: proxy
|
|
orgId: 1
|
|
uid: TeslaMate
|
|
url: blumeops-pg-rw.databases.svc.cluster.local:5432
|
|
database: teslamate
|
|
user: teslamate
|
|
editable: false
|
|
jsonData:
|
|
sslmode: disable
|
|
maxOpenConns: 5
|
|
maxIdleConns: 2
|
|
connMaxLifetime: 14400
|
|
secureJsonData:
|
|
password: $TESLAMATE_DB_PASSWORD
|
|
|
|
# Dashboard provisioning - sidecar watches for ConfigMaps with label
|
|
sidecar:
|
|
dashboards:
|
|
enabled: true
|
|
label: grafana_dashboard
|
|
labelValue: "1"
|
|
folderAnnotation: grafana_folder
|
|
provider:
|
|
foldersFromFilesStructure: false
|
|
|
|
# Service configuration (Ingress will handle external access)
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
|
|
# Resource limits for minikube
|
|
resources:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "512Mi"
|
|
cpu: "500m"
|