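# values-service-cluster.yaml
# kube-prometheus-stack for SERVICE cluster
#
# Layout: one document, 2-space indent. Values that are strings but look
# like something else to a YAML parser (IPs, ${ENV} references, JMESPath
# expressions) are quoted so they survive re-serialisation unchanged.
---
# ============================================
# PROMETHEUS - optional, for local service cluster metrics
# ============================================
prometheus:
  prometheusSpec:
    # Label every series from this instance so it can be told apart from
    # the site clusters once it lands in Thanos.
    externalLabels:
      cluster: "service-cluster"
    # Also push to local Thanos Receive (so all metrics go through same path)
    remoteWrite:
      - url: http://thanos-receive.monitoring.svc:19291/api/v1/receive
    # Short local retention: Thanos holds the long-term copy.
    retention: 24h
    resources:
      requests:
        cpu: 200m
        memory: 512Mi
      limits:
        memory: 2Gi

# ============================================
# ALERTMANAGER - central instance
# ============================================
alertmanager:
  enabled: true
  # Expose via MetalLB so site clusters can reach it.
  # NOTE(review): Alertmanager's HTTP API has no built-in authentication;
  # anything that can reach this address can read, silence or post alerts.
  # Limit reachability to the site-cluster source ranges (NetworkPolicy or
  # loadBalancerSourceRanges) rather than the whole LAN.
  service:
    type: LoadBalancer
    # loadBalancerSourceRanges:
    #   - "<site-cluster-cidr>"   # placeholder
    annotations:
      # Placeholder address; quoted so tooling keeps it as a string.
      metallb.universe.tf/loadBalancerIPs: "10.x.x.51"
  alertmanagerSpec:
    replicas: 2
    retention: 120h
    storage:
      volumeClaimTemplate:
        spec:
          accessModes: ["ReadWriteOnce"]
          resources:
            requests:
              storage: 10Gi
    resources:
      requests:
        cpu: 100m
        memory: 256Mi
  config:
    global:
      resolve_timeout: 5m
    route:
      receiver: 'default'
      group_by: ['alertname', 'cluster']  # Group by cluster!
      group_wait: 30s
      group_interval: 5m
      repeat_interval: 4h
      routes:
        - match:
            severity: critical
          receiver: 'critical'
    receivers:
      # Both receivers are currently empty: alerts are routed but delivered
      # nowhere until a *_configs block is filled in.
      - name: 'default'
        # Configure your receivers (Slack, email, etc.)
        # slack_configs:
        #   - channel: '#alerts'
        #     api_url: 'https://hooks.slack.com/...'
      - name: 'critical'
        # pagerduty_configs:
        #   - service_key: '<key>'

# ============================================
# GRAFANA - central with SSO
# ============================================
grafana:
  enabled: true
  # Single replica: the dashboard PVC below is ReadWriteOnce-style storage.
  replicas: 1
  # Persistence for dashboards
  persistence:
    enabled: true
    size: 5Gi
  # Keycloak OIDC
  grafana.ini:
    server:
      root_url: https://grafana.example.com
    auth:
      # Keeps the local username/password form (and the built-in admin
      # account) reachable until SSO is verified.
      disable_login_form: false  # Set true after SSO works
    auth.generic_oauth:
      enabled: true
      name: Keycloak
      # Any user who can authenticate to the Keycloak realm gets a Grafana
      # account; users in no mapped group fall through to 'Viewer' below.
      allow_sign_up: true
      client_id: grafana
      # ${...} is expanded by Grafana from its environment at startup
      # (populated via envFromSecret), so the secret is never in this file.
      client_secret: "${GRAFANA_OAUTH_SECRET}"
      scopes: openid profile email groups
      # NOTE(review): the client lives in the Keycloak 'master' realm, which
      # is the administrative realm; a dedicated realm is the usual choice.
      auth_url: https://keycloak.example.com/realms/master/protocol/openid-connect/auth
      token_url: https://keycloak.example.com/realms/master/protocol/openid-connect/token
      api_url: https://keycloak.example.com/realms/master/protocol/openid-connect/userinfo
      # JMESPath over the userinfo/ID-token claims: group -> Grafana role,
      # defaulting to Viewer. Quoted: the expression contains YAML specials.
      role_attribute_path: "contains(groups[*], 'grafana-admin') && 'Admin' || contains(groups[*], 'grafana-editor') && 'Editor' || 'Viewer'"
  # Secret that must carry GRAFANA_OAUTH_SECRET for the expansion above.
  envFromSecret: grafana-oauth-secret
  # Thanos Query as datasource (added automatically via additionalDataSources)
  additionalDataSources:
    - name: Thanos
      type: prometheus
      url: http://thanos-query.monitoring.svc:9090
      access: proxy
      isDefault: true
  resources:
    requests:
      cpu: 100m
      memory: 256Mi

# ============================================
# EXPORTERS
# ============================================
nodeExporter:
  enabled: true
kubeStateMetrics:
  enabled: true

# ============================================
# DEFAULT RULES
# ============================================
defaultRules:
  create: true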