kubernetes_monitoring/values.yaml

---

# All values within this helm chart values.yaml file are under namespace `nfc_monitoring`.
# this provides the opportunity to include this helm chart as a dependency without
# variable collision

nfc_monitoring:

  kubernetes:
    cluster_dns_name: cluster.local
    networking: calico


  alert_manager:
    image: 
      name: quay.io/prometheus/alertmanager
      tag: 'v0.26.0'


    ingress:
      annotations:
        cert-manager.io/cluster-issuer: "selfsigned-issuer"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # enabled: false # Optional, boolean.
      spec:
        tls:
          - hosts:
              - alert-manager.local
            secretName: certificate-tls-alert-manager
        rules:
          - host:  alert-manager.local
            http:
              paths:
                - path: /
                  pathType: Prefix
                  backend:
                    service:
                      name: alertmanager-main
                      port:
                        name: web
    
    labels:
      app.kubernetes.io/instance: main
      app.kubernetes.io/component: alert-router
      app.kubernetes.io/name: alertmanager

    namespace: alerting


  grafana:

    # Grafana Configuration
    # Type: Dict
    # See: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana
    config:
      analytics:
        enabled: 'false'
      # database:
      #   type: mysql
      #   host: mariadb-galera.mariadb.svc:3306
      #   name: grafana
      #   user: root
      #   password: admin

      log:
        mode: "console"
      auth:
        disable_login_form: "false"
      security:
        admin_user: admin
        admin_password: admin

    image: 
      name: grafana/grafana
      tag: '10.1.2' # '10.0.5'

    ingress:
      annotations:
        cert-manager.io/cluster-issuer: "selfsigned-issuer"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # enabled: false # Optional, boolean.
      spec:
        tls:
          - hosts:
              - grafana.local
            secretName: certificate-tls-grafana
        rules:
          - host:  grafana.local
            http:
              paths:
                - path: /
                  pathType: Prefix
                  backend:
                    service:
                      name: grafana
                      port:
                        name: grafana-http

    labels:
      app.kubernetes.io/component: graphing
      app.kubernetes.io/instance: k8s
      app.kubernetes.io/name: grafana

    namespace: grafana

    replicas: 1

    # storage_accessModes: ReadWriteMany

    affinity: 
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - preference:
            matchExpressions:
            - key: node-role.kubernetes.io/worker
              operator: Exists
          weight: 100
        - preference:
            matchExpressions:
            - key: node-role.kubernetes.io/storage
              operator: DoesNotExist
          weight: 100
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                - prometheus
            topologyKey: kubernetes.io/hostname
          weight: 10

    # To add Grafan datasources
    # Type: list
    # See: https://grafana.com/docs/grafana/latest/administration/provisioning/#data-sources
    DataSources:
      - name: alertmanager
        type: alertmanager
        access: proxy
        url: "http://alertmanager-main.{{ .Values.nfc_monitoring.alert_manager.namespace }}.svc:9093"
        isDefault: false
        jsonData:
          tlsSkipVerify: true
          timeInterval: "5s"
          implementation: prometheus
          handleGrafanaManagedAlerts: false
          orgId: 1
        editable: true

      - name: loki
        type: loki
        access: proxy
        url: "http://{{ .Values.nfc_monitoring.loki.service_name }}.{{ .Values.nfc_monitoring.loki.namespace }}.svc.{{ .Values.nfc_monitoring.kubernetes.cluster_dns_name }}:{{ .Values.nfc_monitoring.loki.service_port }}"
        isDefault: false
        jsonData:
          orgId: 1
        editable: true

      # - name: mimir
      #   type: prometheus
      #   access: proxy
      #   url: "http://mimir-gateway.metrics.svc.cluster.local/prometheus"
      #   isDefault: false
      #   jsonData:
      #     manageAlerts: true
      #     orgId: 1
      #     prometheusType: Mimir
      #   editable: true

      # - name: prometheus
      #   type: prometheus
      #   access: proxy
      #   url: "http://prometheus-k8s.{{ .Values.nfc_monitoring.prometheus.namespace }}.svc:9090"
      #   isDefault: true
      #   jsonData:
      #     manageAlerts: true
      #     orgId: 1
      #     prometheusType: Prometheus
      #     prometheusVersion: 2.42.0
      #   editable: true

      - name: thanos
        type: prometheus
        access: proxy
        url: "http://thanos-query.metrics.svc:9090"
        isDefault: true
        jsonData:
          manageAlerts: true
          orgId: 1
          prometheusType: Thanos
          prometheusVersion: 0.31.0
        editable: true


  grafana_agent:
    image: 
      name: grafana/agent
      tag: 'v0.36.1'

    labels:
      app.kubernetes.io/instance: k8s
      app.kubernetes.io/component: exporter
      app.kubernetes.io/name: grafana-agent

    namespace: monitoring


  loki:

    enabled: true

    image: 
      name: grafana/loki
      tag: 2.7.4

    namespace: logging

    # service name and port are used for the connection to your loki instance
    service_name: loki-gateway
    service_port: 80

    ServiceMonitor:
      selector:
        matchLabels:
          app.kubernetes.io/name: loki
          app.kubernetes.io/component: logging


  kube_monitor_proxy:
    namespace: monitoring


  kube_rbac_proxy:
    # This image is used as part of kube-monitor-proxy.
    image: 
      name: quay.io/brancz/kube-rbac-proxy
      tag: 'v0.14.2'


  kube_state_metrics:
    image: 
      name: registry.k8s.io/kube-state-metrics/kube-state-metrics
      tag: 'v2.8.1'
    namespace: monitoring


  prometheus:

    image:
      name: prom/prometheus
      tag: 'v2.47.0'

    ingress:
      annotations:
        cert-manager.io/cluster-issuer: "selfsigned-issuer"
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # enabled: false # Optional, boolean.
      spec:
        tls:
          - hosts:
              - prometheus.local
            secretName: certificate-tls-prometheus
        rules:
          - host:  prometheus.local
            http:
              paths:
                - path: /
                  pathType: Prefix
                  backend:
                    service:
                      name: prometheus-k8s
                      port:
                        name: web
    
    # These labels are appended to all Prometheus items and are also the selector labels
    labels:
      app.kubernetes.io/component: prometheus
      app.kubernetes.io/instance: k8s
      app.kubernetes.io/name: prometheus

    namespace: monitoring

    affinity: 
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - preference:
            matchExpressions:
            - key: node-role.kubernetes.io/worker
              operator: Exists
          weight: 100
        - preference:
            matchExpressions:
            - key: node-role.kubernetes.io/storage
              operator: DoesNotExist
          weight: 100
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                - prometheus
            topologyKey: kubernetes.io/hostname
          weight: 10

    # List of namespaces that prometheus is to monitor
    # used to create Roles and RoleBindings
    # type: list
    monitor_namespaces:
      - alerting
      - default
      # - ceph
      - grafana
      - monitoring
      # - kube-dashboard
      # - kube-metrics
      - kube-policy
      - kube-system
      - logging
      # - mariadb
      # - olm
      # - operators

    # Deploy a generate policy for kyverno to create Role and RoleBindings
    # for the prometheus service account so it can monitor
    # new/existing namespaces
    kyverno_role_policy: true

    storage:
      volumeClaimTemplate:
        spec:
          accessModes:
            - ReadWriteOnce
          resources:
            requests:
              storage: 40Gi

    # Additional settings for Prometheus.
    # See: https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PrometheusSpec
    # Type: dict
    additional:

      # remoteWrite: 
      #   - name: mimir
      #     url: http://mimir-gateway.metrics.svc.cluster.local/api/v1/push

      retention: 24h
      retentionSize: 20GB
      ruleSelector:
        matchLabels:
          role: alert-rules


  prometheus_adaptor:

    image:
      name: registry.k8s.io/prometheus-adapter/prometheus-adapter
      tag: 'v0.11.1'

    labels:
      app.kubernetes.io/component: metrics-adapter
      app.kubernetes.io/instance: main
      app.kubernetes.io/name: prometheus-adapter

    namespace: monitoring

    affinity: 
      nodeAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - preference:
            matchExpressions:
            - key: node-role.kubernetes.io/worker
              operator: Exists
          weight: 100
        - preference:
            matchExpressions:
            - key: node-role.kubernetes.io/storage
              operator: DoesNotExist
          weight: 100
      podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
        - podAffinityTerm:
            labelSelector:
              matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                - prometheus
            topologyKey: kubernetes.io/hostname
          weight: 10

  thanos:
    image:
      name: thanosio/thanos
      tag: v0.32.3

    # Prometheus thanos sidecar
    # see: https://thanos.io/tip/components/sidecar.md/
    # Type: Dict
    sidecar:

      enabled: true

      config:
        type: S3
        config:
          bucket: "thanos-metrics"
          endpoint: "rook-ceph-rgw-earth.ceph.svc:80"
          access_key: "7J5NM2MNCDB4T4Y9OKJ5"
          secret_key: "t9r69RzZdWEBL3NCKiUIpDk6j5625xc6HucusiGG"
          insecure: true


  additions:

    ceph:

      enabled: true

      namespace: ceph

      PrometheusRules: true

      ServiceMonitor:

        selector:
          matchLabels:
            app: rook-ceph-mgr

    # Add sidecar to grafana pod to load dashboards from configMap
    dashboard_sidecar: 
      
      enabled: true

      image:
        name: ghcr.io/kiwigrid/k8s-sidecar
        tag: '1.24.5'

      label_name: grafana_dashboard
      label_value: "1"


  network_policy:
    
    enabled: true

    # Network Policies to apply. These policies are automagically build using the values below.
    # What you would find under path root.spec belongs here.
    # 
    # Do:
    #   - Define 'Ingress'
    #   - Define 'Egress'
    #   - Ensure that the name matches the item name from values.yaml. i.e. nfc_monitoring.{item_name}
    #     for prometheus the item name is 'prometheus'. This value is used to select items pertaining to
    #     that item from values.yaml. for example the labels and namespace.
    # Dont:
    #   - Define 'podSelector' as this is alreaady included using the selector labels
    policies:

### SoF Network Policy: Prometheus ###

      - name: prometheus
        policy:
          egress: # ToDo: add further restrictions to egress. is variable lookup possible to obtain values????
              # - {}
            - to: # Alert Manager
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: alerting
                  podSelector:
                    matchLabels:
                      app.kubernetes.io/instance: main
                      app.kubernetes.io/component: alert-router
                      app.kubernetes.io/name: alertmanager
              ports:
                - port: 9093
                  protocol: TCP

            - to: # Ceph
                - ipBlock:
                    cidr: 172.16.10.0/24
              ports:
                - port: 9283
                  protocol: TCP

            - to: # Grafana
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: grafana
                  podSelector:
                    matchLabels:
                      app.kubernetes.io/component: graphing
                      app.kubernetes.io/instance: k8s
                      app.kubernetes.io/name: grafana
              ports:
                - port: 3000
                  protocol: TCP

            - to: # Grafana Agent
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: monitoring
                  podSelector:
                    matchLabels:
                      app.kubernetes.io/instance: k8s
                      app.kubernetes.io/component: exporter
                      app.kubernetes.io/name: grafana-agent
              ports:
                - port: 12345
                  protocol: TCP

            - to: # Kube DNS
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: kube-system
                  podSelector:
                    matchLabels:
                      k8s-app: kube-dns
              ports:
                - port: 53
                  protocol: TCP
                - port: 53
                  protocol: UDP

            - to:
                - podSelector:
                    matchLabels:
                      app.kubernetes.io/name: prometheus
                  # namespaceSelector:
                  #   matchLabels:
                  #     kubernetes.io/metadata.name: monitoiring
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: metrics
              ports: []

            - {} # ToDo: Temp rule: Allow All. this rule MUST be removed when egress has been refactored

          ingress: 

            - from:
                - podSelector:
                    matchLabels:
                      app.kubernetes.io/name: prometheus
                  # namespaceSelector:
                  #   matchLabels:
                  #     kubernetes.io/metadata.name: monitoiring
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: metrics
              ports: []
                # - port: 8080
                #   protocol: TCP
                # - port: 9090
                #   protocol: TCP
                # - port: 10901
                #   protocol: TCP

            - from:
                - podSelector:
                    matchLabels:
                      app.kubernetes.io/name: grafana
                  namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: grafana
                - podSelector:
                    matchLabels:
                      app.kubernetes.io/name: prometheus-adapter
                  namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: monitoring
              ports:
                - port: 9090
                  protocol: TCP

            - from: []
              ports: []

          policyTypes:
          - Egress
          - Ingress

### SoF Network Policy: Grafana ###

      - name: grafana
        policy:
            egress:

              - to:
                  - namespaceSelector:
                      matchLabels:
                        kubernetes.io/metadata.name: alerting
                    podSelector:
                      matchLabels:
                        app.kubernetes.io/instance: main
                        app.kubernetes.io/component: alert-router
                        app.kubernetes.io/name: alertmanager
                ports:
                  - port: 9093
                    protocol: TCP

              - to:
                  - namespaceSelector:
                      matchLabels:
                        kubernetes.io/metadata.name: logging
                    podSelector:
                      matchLabels:
                        app.kubernetes.io/component: gateway
                        app.kubernetes.io/instance: loki
                        app.kubernetes.io/name: loki
                ports:
                  - port: 80       # Service Port
                    protocol: TCP
                  - port: 8080     # Pod Port
                    protocol: TCP

              - to:
                  - namespaceSelector:
                      matchLabels:
                        kubernetes.io/metadata.name: monitoring
                    podSelector:
                      matchLabels:
                        app.kubernetes.io/component: prometheus
                        app.kubernetes.io/instance: k8s
                        app.kubernetes.io/name: prometheus
                  - namespaceSelector:
                      matchLabels:
                        kubernetes.io/metadata.name: metrics
                    podSelector:
                      matchLabels:
                        app.kubernetes.io/component: query-layer
                        app.kubernetes.io/instance: thanos-query
                        app.kubernetes.io/name: thanos-query
                ports:
                  - port: 9090
                    protocol: TCP

              - to: [] # Requires internet access for plugins and dashboard downloading
                ports:
                  - port: 443
                    protocol: TCP

              - to: # Kube DNS
                  - namespaceSelector:
                      matchLabels:
                        kubernetes.io/metadata.name: kube-system
                    podSelector:
                      matchLabels:
                        k8s-app: kube-dns
                ports:
                  - port: 53
                    protocol: TCP
                  - port: 53
                    protocol: UDP

            ingress:

              - from: []
                ports:
                  - port: 3000
                    protocol: TCP
            policyTypes:
              - Egress
              - Ingress

### SoF Network Policy: Grafana Agent ###

      - name: grafana_agent
        policy:
          egress:

            - to: # Logging
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: logging
                  podSelector:
                    matchLabels:
                      app.kubernetes.io/component: gateway
                      app.kubernetes.io/instance: loki
                      app.kubernetes.io/name: loki
              ports:
                - port: 80
                  protocol: TCP

            - to: # Kube DNS
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: kube-system
                  podSelector:
                    matchLabels:
                      k8s-app: kube-dns
              ports:
                - port: 53
                  protocol: TCP
                - port: 53
                  protocol: UDP

          ingress:

            - from: 
                - namespaceSelector:
                    matchLabels:
                      kubernetes.io/metadata.name: monitoring
                  podSelector:
                    matchLabels:
                      app.kubernetes.io/component: prometheus
                      app.kubernetes.io/instance: k8s
                      app.kubernetes.io/name: prometheus
              ports:
                - port: 12345
                  protocol: TCP

          policyTypes:
          - Egress
          - Ingress



loki_instance:
  image: 
    name: grafana/loki
    tag: 2.7.4
    # tag: 2.9.0
  namespace: loki


oncall_instance:
  image: 
    name: grafana/oncall
    tag: v1.1.40


# oncall:
  
#   # image:
#   #   # Grafana OnCall docker image repository
#   #   repository: grafana/oncall
#   #   tag: v1.1.38
#   #   pullPolicy: Always

#   service:
#     enabled: false
#     type: LoadBalancer
#     port: 8080
#     annotations: {}

#   engine:
#     replicaCount: 1
#     resources:
#       limits:
#         cpu: 100m
#         memory: 128Mi
#       requests:
#         cpu: 100m
#         memory: 128Mi

#   celery:
#     replicaCount: 1
#     resources:
#       limits:
#         cpu: 100m
#         memory: 128Mi
#       requests:
#         cpu: 100m
#         memory: 128Mi
#   database:
#     type: none