diff --git a/applications/base/services/observability/mimir/README.md b/applications/base/services/observability/mimir/README.md
new file mode 100644
index 0000000..94faaf1
--- /dev/null
+++ b/applications/base/services/observability/mimir/README.md
@@ -0,0 +1,13 @@
+# Mimir – Base Configuration
+
+This directory contains the **base manifests** for deploying [Grafana Mimir](https://grafana.com/oss/mimir/), a horizontally scalable, highly available metrics storage system designed for cloud-native environments.
+It is intended to be **consumed by cluster repositories** as a remote base, allowing each cluster to apply **custom overrides** as needed.
+
+**About Grafana Mimir:**
+
+- Provides a **centralized, multi-tenant metrics backend** fully compatible with Prometheus and PromQL.
+- Designed for **high ingestion throughput** and **large-scale time-series storage** across multiple Kubernetes clusters.
+- Stores long-term metrics in **object storage**, enabling **cost-efficient retention** and improved durability.
+- Separates **read and write paths** to enable independent scaling for heavy queries or high ingestion workloads.
+- Uses advanced **caching**, **sharding**, and **compaction** for efficient querying and optimized storage layout.
+- Integrates natively with **Grafana** for unified visualization alongside logs and traces.
diff --git a/applications/base/services/observability/mimir/helm-values/hardened-values-6.0.3.yaml b/applications/base/services/observability/mimir/helm-values/hardened-values-6.0.3.yaml
new file mode 100644
index 0000000..dfdb782
--- /dev/null
+++ b/applications/base/services/observability/mimir/helm-values/hardened-values-6.0.3.yaml
@@ -0,0 +1,3901 @@
+# The default values specified in this file are enough to deploy all of the
+# Grafana Mimir microservices but are not suitable for production load.
+# To configure the resources for higher scale, refer to the small.yaml file.
+# For production load with high availability, refer to the large.yaml values file.
+
+# Note: The values in this file are not backward compatible. Copying and pasting the values is discouraged, but if you do so,
+# make sure to use the values.yaml from the branch or tag that matches the mimir-distributed Helm chart version that you
+# want to install. You also can see values.yaml for a specific version by running
+# `helm show values grafana/mimir-distributed --version <version>`
+
+# If you want to get the values file from Github, build the URL as follows because we git tag every release:
+# `https://github.com/grafana/mimir/blob/mimir-distributed-<version>/operations/helm/charts/mimir-distributed/values.yaml`.
+# For example, https://github.com/grafana/mimir/blob/mimir-distributed-3.1.0/operations/helm/charts/mimir-distributed/values.yaml.
+
+# -- Overrides the version used to determine compatibility of resources with the target Kubernetes cluster.
+# This is useful when using `helm template`, because then helm will use the client version of kubectl as the Kubernetes version,
+# which may or may not match your cluster's server version. Example: 'v1.24.4'. Set to null to use the version that helm
+# devises.
+kubeVersionOverride: null
+
+# -- Overrides the chart's name. Used to change mimir/enterprise-metrics infix in the resource names. E.g. myRelease-mimir-ingester-1 to myRelease-nameOverride-ingester-1.
+# This option is used to align resource names with Cortex, when doing a migration from Cortex to Grafana Mimir.
+# Note: Grafana provided dashboards rely on the default naming and will need changes.
+nameOverride: null + +# -- Overrides the chart's computed fullname. Used to change the full prefix of resource names. E.g. myRelease-mimir-ingester-1 to fullnameOverride-ingester-1. +# Note: Grafana provided dashboards rely on the default naming and will need changes. +fullnameOverride: null + +image: + # -- Grafana Mimir container image repository + repository: grafana/mimir + # -- Grafana Mimir container image tag + tag: 3.0.0 + # -- Container pull policy + pullPolicy: IfNotPresent + # -- Optionally specify an array of imagePullSecrets + # Secrets must be manually created in the namespace. + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # pullSecrets: + # - myRegistryKeySecretName + +global: + # -- Definitions to set up nginx resolver + dnsService: kube-dns + dnsNamespace: kube-system + clusterDomain: cluster.local. + dnsConfig: {} + + # -- Common environment variables to add to all pods directly managed by this chart. + # scope: alertmanager, compactor, continuous-test, distributor, gateway, ingester, memcached, nginx, overrides-exporter, querier, query-frontend, query-scheduler, ruler, store-gateway, smoke-test + extraEnv: [] + + # -- Common source of environment injections to add to all pods directly managed by this chart. + # scope: alertmanager, compactor, continuous-test, distributor, gateway, ingester, memcached, nginx, overrides-exporter, querier, query-frontend, query-scheduler, ruler, store-gateway, smoke-test + # For example to inject values from a Secret, use: + # extraEnvFrom: + # - secretRef: + # name: mysecret + extraEnvFrom: [] + + # -- Common volumes to add to all pods directly managed by this chart. + # scope: alertmanager, compactor, continuous-test, distributor, gateway, ingester, memcached, nginx, overrides-exporter, querier, query-frontend, query-scheduler, ruler, store-gateway, smoke-test + extraVolumes: [] + + # -- Common mount points to add to all pods directly managed by this chart. + # scope: alertmanager, compactor, continuous-test, distributor, gateway, ingester, memcached, nginx, overrides-exporter, querier, query-frontend, query-scheduler, ruler, store-gateway, smoke-test + extraVolumeMounts: [] + + # -- Pod annotations for all pods directly managed by this chart. Usable for example to associate a version to 'global.extraEnv' and 'global.extraEnvFrom' and trigger a restart of the affected services. + # scope: alertmanager, compactor, distributor, gateway, ingester, memcached, nginx, overrides-exporter, querier, query-frontend, query-scheduler, ruler, store-gateway + podAnnotations: {} + + # -- Pod labels for all pods directly managed by this chart. + # scope: alertmanager, compactor, distributor, gateway, ingester, memcached, nginx, overrides-exporter, querier, query-frontend, query-scheduler, ruler, store-gateway + podLabels: {} + +serviceAccount: + # -- Whether to create a service account or not. In case 'create' is false, do set 'name' to an existing service account name. + create: true + # -- Override for the generated service account name. + name: + annotations: {} + labels: {} + +# -- Configuration is loaded from the secret called 'externalConfigSecretName'. If 'useExternalConfig' is true, then the configuration is not generated, just consumed. +useExternalConfig: false + +# -- Defines what kind of object stores the configuration, a ConfigMap or a Secret. +# In order to move sensitive information (such as credentials) from the ConfigMap/Secret to a more secure location (e.g. 
vault), it is possible to use [environment variables in the configuration](https://grafana.com/docs/mimir/latest/reference-configuration-parameters/#use-environment-variables-in-the-configuration). +# Such environment variables can be then stored in a separate Secret and injected via the global.extraEnvFrom value. For details about environment injection from a Secret please see [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables). +configStorageType: ConfigMap + +# -- Name of the Secret or ConfigMap that contains the configuration (used for naming even if config is internal). +externalConfigSecretName: '{{ include "mimir.resourceName" (dict "ctx" . "component" "config") }}' + +# -- When 'useExternalConfig' is true, then changing 'externalConfigVersion' triggers restart of services - otherwise changes to the configuration cause a restart. +externalConfigVersion: "0" + +# --Vault Agent config to mount secrets to TLS configurable components. This requires Vault and Vault Agent to already be running. +vaultAgent: + enabled: false + # -- Vault Kubernetes Authentication role + roleName: "" + # -- Path to client certificate in Vault + clientCertPath: "" + # -- Path to client key in Vault + clientKeyPath: "" + # -- Path to server certificate in Vault + serverCertPath: "" + # -- Path to server key in Vault + serverKeyPath: "" + # -- Path to client CA certificate in Vault + caCertPath: "" + +mimir: + # -- Base config file for Grafana Mimir. Contains Helm templates that are evaulated at install/upgrade. + # To modify the resulting configuration, either copy and alter 'mimir.config' as a whole or use the 'mimir.structuredConfig' to add and modify certain YAML elements. + config: | + usage_stats: + installation_mode: helm + + activity_tracker: + filepath: /active-query-tracker/activity.log + + alertmanager: + data_dir: /data + enable_api: true + external_url: /alertmanager + {{- if .Values.alertmanager.zoneAwareReplication.enabled }} + sharding_ring: + zone_awareness_enabled: true + {{- end }} + {{- if .Values.alertmanager.fallbackConfig }} + fallback_config_file: /configs/alertmanager_fallback_config.yaml + {{- end }} + + {{- if .Values.minio.enabled }} + alertmanager_storage: + backend: s3 + s3: + access_key_id: {{ .Values.minio.rootUser }} + bucket_name: {{ include "mimir.minioBucketPrefix" . }}-ruler + endpoint: {{ template "minio.fullname" .Subcharts.minio }}.{{ .Release.Namespace }}.svc:{{ .Values.minio.service.port }} + insecure: true + secret_access_key: {{ .Values.minio.rootPassword }} + {{- end }} + + # This configures how the store-gateway synchronizes blocks stored in the bucket. It uses Minio by default for getting started (configured via flags) but this should be changed for production deployments. + blocks_storage: + backend: s3 + bucket_store: + {{- if index .Values "chunks-cache" "enabled" }} + chunks_cache: + backend: memcached + memcached: + addresses: {{ include "mimir.chunksCacheAddress" . }} + max_item_size: {{ mul (index .Values "chunks-cache").maxItemMemory 1024 1024 }} + timeout: 750ms + max_idle_connections: 150 + {{- end }} + {{- if index .Values "index-cache" "enabled" }} + index_cache: + backend: memcached + memcached: + addresses: {{ include "mimir.indexCacheAddress" . 
}} + max_item_size: {{ mul (index .Values "index-cache").maxItemMemory 1024 1024 }} + timeout: 750ms + max_idle_connections: 150 + {{- end }} + {{- if index .Values "metadata-cache" "enabled" }} + metadata_cache: + backend: memcached + memcached: + addresses: {{ include "mimir.metadataCacheAddress" . }} + max_item_size: {{ mul (index .Values "metadata-cache").maxItemMemory 1024 1024 }} + max_idle_connections: 150 + {{- end }} + sync_dir: /data/tsdb-sync + {{- if .Values.minio.enabled }} + s3: + access_key_id: {{ .Values.minio.rootUser }} + bucket_name: {{ include "mimir.minioBucketPrefix" . }}-tsdb + endpoint: {{ template "minio.fullname" .Subcharts.minio }}.{{ .Release.Namespace }}.svc:{{ .Values.minio.service.port }} + insecure: true + secret_access_key: {{ .Values.minio.rootPassword }} + {{- end }} + tsdb: + dir: /data/tsdb + head_compaction_interval: 15m + wal_replay_concurrency: 3 + + compactor: + compaction_interval: 30m + deletion_delay: 2h + max_closing_blocks_concurrency: 2 + max_opening_blocks_concurrency: 4 + symbols_flushers_concurrency: 4 + first_level_compaction_wait_period: 25m + data_dir: "/data" + sharding_ring: + wait_stability_min_duration: 1m + heartbeat_period: 1m + heartbeat_timeout: 4m + + distributor: + # Increase the default remote write timeout (applied to writing to Kafka too) because writing + # to Kafka-compatible backend may be slower than writing directly to ingesters. + remote_timeout: 5s + ring: + heartbeat_period: 1m + heartbeat_timeout: 4m + + frontend: + parallelize_shardable_queries: true + {{- if index .Values "results-cache" "enabled" }} + results_cache: + backend: memcached + memcached: + timeout: 500ms + addresses: {{ include "mimir.resultsCacheAddress" . }} + max_item_size: {{ mul (index .Values "results-cache").maxItemMemory 1024 1024 }} + cache_results: true + query_sharding_target_series_per_shard: 2500 + {{- end }} + scheduler_address: {{ template "mimir.fullname" . }}-query-scheduler-headless.{{ .Release.Namespace }}.svc:{{ include "mimir.serverGrpcListenPort" . }} + + frontend_worker: + grpc_client_config: + max_send_msg_size: 419430400 # 400MiB + scheduler_address: {{ template "mimir.fullname" . }}-query-scheduler-headless.{{ .Release.Namespace }}.svc:{{ include "mimir.serverGrpcListenPort" . }} + + ingest_storage: + enabled: true + kafka: + {{- if .Values.kafka.enabled }} + # Address of Kafka broker to bootstrap the connection. + address: {{ template "mimir.fullname" . }}-kafka.{{ .Release.Namespace }}.svc.{{ $.Values.global.clusterDomain }}:{{ $.Values.kafka.service.port }} + {{- end }} + # Topic name. + topic: mimir-ingest + # Mimir will auto-create the topic on start up. + # The topic MUST be provisioned with no fewer partitions than the maximum number of ingester replicas. The value of 100 is for demo purposes. + auto_create_topic_enabled: true + auto_create_topic_default_partitions: 100 + + ingester: + # Disallow Push gRPC API; everything comes through Kafka in the ingest storage architecture. + push_grpc_method_enabled: false + ring: + final_sleep: 0s + num_tokens: 512 + tokens_file_path: /data/tokens + unregister_on_shutdown: false + heartbeat_period: 2m + heartbeat_timeout: 10m + {{- if .Values.ingester.zoneAwareReplication.enabled }} + zone_awareness_enabled: true + {{- end }} + + ingester_client: + grpc_client_config: + max_recv_msg_size: 104857600 + max_send_msg_size: 104857600 + + limits: + # Limit queries to 500 days. You can override this on a per-tenant basis. 
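+      # For instance, a single tenant can be given a different window through the runtime
+      # overrides mechanism (see the 'runtimeConfig' value further down in this file); the tenant
+      # name and value below are purely illustrative:
+      #   overrides:
+      #     tenant-1:
+      #       max_total_query_length: 18000h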
+ max_total_query_length: 12000h + # Adjust max query parallelism to 16x sharding, without sharding we can run 15d queries fully in parallel. + # With sharding we can further shard each day another 16 times. 15 days * 16 shards = 240 subqueries. + max_query_parallelism: 240 + # Avoid caching results newer than 10m because some samples can be delayed + # This presents caching incomplete results + max_cache_freshness: 10m + + memberlist: + abort_if_cluster_join_fails: false + compression_enabled: false + join_members: + - dns+{{ include "mimir.fullname" . }}-gossip-ring.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}:{{ include "mimir.memberlistBindPort" . }} + + querier: + # With query sharding we run more but smaller queries. We must strike a balance + # which allows us to process more sharded queries in parallel when requested, but not overload + # queriers during non-sharded queries. + max_concurrent: 16 + + query_scheduler: + # Increase from default of 100 to account for queries created by query sharding + max_outstanding_requests_per_tenant: 800 + + ruler: + alertmanager_url: dnssrvnoa+http://_http-metrics._tcp.{{ template "mimir.fullname" . }}-alertmanager-headless.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}/alertmanager + enable_api: true + rule_path: /data + {{- if .Values.ruler.remoteEvaluationDedicatedQueryPath }} + query_frontend: + address: dns:///{{ template "mimir.fullname" . }}-ruler-query-frontend.{{ .Release.Namespace }}.svc:{{ include "mimir.serverGrpcListenPort" . }} + {{- end }} + + {{- if or (.Values.minio.enabled) (index .Values "metadata-cache" "enabled") }} + ruler_storage: + {{- if .Values.minio.enabled }} + backend: s3 + s3: + endpoint: {{ template "minio.fullname" .Subcharts.minio }}.{{ .Release.Namespace }}.svc:{{ .Values.minio.service.port }} + bucket_name: {{ include "mimir.minioBucketPrefix" . }}-ruler + access_key_id: {{ .Values.minio.rootUser }} + secret_access_key: {{ .Values.minio.rootPassword }} + insecure: true + {{- end }} + {{- if index .Values "metadata-cache" "enabled" }} + cache: + backend: memcached + memcached: + addresses: {{ include "mimir.metadataCacheAddress" . }} + max_item_size: {{ mul (index .Values "metadata-cache").maxItemMemory 1024 1024 }} + timeout: 500ms + {{- end }} + {{- end }} + + runtime_config: + file: /var/{{ include "mimir.name" . }}/runtime.yaml + + store_gateway: + sharding_ring: + heartbeat_period: 1m + heartbeat_timeout: 10m + wait_stability_min_duration: 1m + {{- if .Values.store_gateway.zoneAwareReplication.enabled }} + kvstore: + prefix: multi-zone/ + {{- end }} + tokens_file_path: /data/tokens + unregister_on_shutdown: false + {{- if .Values.store_gateway.zoneAwareReplication.enabled }} + zone_awareness_enabled: true + {{- end }} + + # -- Additional structured values on top of the text based 'mimir.config'. Applied after the text based config is evaluated for templates. Enables adding and modifying YAML elements in the evaulated 'mimir.config'. + # + # Additionally, consider the optional "insecure_skip_verify" key below, it allows you to skip_verify_false in case the s3_endpoint certificate is not trusted. 
+ # For more information see https://grafana.com/docs/mimir/latest/references/configuration-parameters/ + # + # Example: + # + # structuredConfig: + # common: + # storage: + # backend: s3 + # s3: + # bucket_name: "${BUCKET_NAME}" + # endpoint: "${BUCKET_HOST}:${BUCKET_PORT}" + # access_key_id: "${AWS_ACCESS_KEY_ID}" # This is a secret injected via an environment variable + # secret_access_key: "${AWS_SECRET_ACCESS_KEY}" # This is a secret injected via an environment variable + # http: + # insecure_skip_verify: true + structuredConfig: {} + +# -- runtimeConfig provides a reloadable runtime configuration. Changing the runtimeConfig doesn't require a restart of all components. +# For more infromation see https://grafana.com/docs/mimir/latest/configure/about-runtime-configuration/ +# +# Example: +# +# runtimeConfig: +# ingester_limits: # limits that each ingester replica enforces +# max_ingestion_rate: 20000 +# max_series: 1500000 +# max_tenants: 1000 +# max_inflight_push_requests: 30000 +# distributor_limits: # limits that each distributor replica enforces +# max_ingestion_rate: 20000 +# max_inflight_push_requests: 30000 +# max_inflight_push_requests_bytes: 50000000 +# overrides: +# tenant-1: # limits for tenant-1 that the whole cluster enforces +# ingestion_tenant_shard_size: 9 +# max_global_series_per_user: 1500000 +# max_fetched_series_per_query: 100000 +runtimeConfig: {} + +# RBAC configuration +rbac: + # -- If true, PodSecurityPolicy will be rendered by the chart on Kubernetes 1.24. + # By default the PodSecurityPolicy is not rendered on version 1.24. + create: true + # -- PSP configuration + podSecurityPolicy: + seccompProfile: runtime/default + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + readOnlyRootFilesystem: true + runAsUser: + rule: "MustRunAsNonRoot" + seLinux: + rule: "RunAsAny" + supplementalGroups: + rule: "MustRunAs" + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: "MustRunAs" + ranges: + - min: 1 + max: 65535 + additionalVolumes: [] + forcePSPOnKubernetes124: false + # -- For GKE/EKS/AKS use 'type: psp'. For OpenShift use 'type: scc' + type: psp + # -- podSecurityContext is the default pod security context for Mimir, gateway, and cache components. + # When installing on OpenShift, override podSecurityContext settings with + # + # rbac: + # podSecurityContext: + # fsGroup: null + # runAsGroup: null + # runAsUser: null + podSecurityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + +# -- KEDA Autoscaling configuration +kedaAutoscaling: + # -- A Prometheus-compatible URL. Cadvisor and Mimir metrics for the Mimir pods are expected in this server. + # For more information on the required metrics see [Monitor system health](https://grafana.com/docs/helm-charts/mimir-distributed/latest/run-production-environment-with-helm/monitor-system-health/). + # If empty, the helm chart uses the metamonitoring URL from metaMonitoring.grafanaAgent.metrics.remote.url. + # If that is empty, then the Mimir cluster is used. + prometheusAddress: "" + customHeaders: {} + pollingInterval: 10 + ignoreNullValues: true + unsafeSsl: false + + # If your metrics are stored in a datasource with multiple mimir instances extra labels to filter the data are required to get the right metric. + toPromQLLabelSelector: + # - cluster!="eu-west" + # - app="foobar" + + # --KEDA trigger authentication settings. 
+ # ref: https://keda.sh/docs/2.16/scalers/pulsar/#authentication-parameters + authentication: + enabled: false + authModes: "" + secretTargetRef: [] + # - key: username + # name: my-secret-name + # parameter: username + # - key: password + # name: my-secret-name + # parameter: password +alertmanager: + enabled: true + # -- Total number of replicas for the alertmanager across all availability zones + # If alertmanager.zoneAwareReplication.enabled=false, this number is taken as is. + # Otherwise each zone starts `ceil(replicas / number_of_zones)` number of pods. + # E.g. if 'replicas' is set to 4 and there are 3 zones, then 4/3=1.33 and after rounding up it means 2 pods per zone are started. + replicas: 1 + revisionHistoryLimit: null + + # -- Allows to override the container image of the alertmanager component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + statefulSet: + enabled: true + + # -- Dedicated service account for alertmanager pods. + # If not set, the default service account defined at the begining of this file will be used. + # This service account can be used even if the default one is not set. + serviceAccount: + create: false + # -- Alertmanager specific service account name. If not set and create is set to true, the default + # name will be the default mimir service account's name with the "-alertmanager" suffix. + name: "" + annotations: {} + labels: {} + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + # - port: 11811 + # protocol: TCP + # name: reverse-proxy + # targetPort: 11811 + + # -- Optionally set the scheduler for pods of the alertmanager + schedulerName: "" + + resources: + requests: + cpu: 10m + memory: 32Mi + + # -- Fallback config for alertmanager. + # When a tenant doesn't have an Alertmanager configuration, the Grafana Mimir Alertmanager uses the fallback configuration. + fallbackConfig: | + receivers: + - name: default-receiver + route: + receiver: default-receiver + + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # -- Pod Disruption Budget for alertmanager, this will be applied across availability zones to prevent losing redundancy + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for alertmanager pods + priorityClassName: null + + dnsConfig: {} + # -- NodeSelector to pin alertmanager pods to certain set of nodes. This is ignored when alertmanager.zoneAwareReplication.enabled=true. + nodeSelector: {} + # -- Pod affinity settings for the alertmanager. This is ignored when alertmanager.zoneAwareReplication.enabled=true. + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. 
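+  # For example, the same constraint can also be written as a slice instead of a single dict
+  # (illustrative only; the zone topology key is an assumption and must match your node labels):
+  # topologySpreadConstraints:
+  #   - maxSkew: 1
+  #     topologyKey: topology.kubernetes.io/zone
+  #     whenUnsatisfiable: ScheduleAnyway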
+ topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + annotations: {} + persistence: + # SubPath in emptyDir for persistence, only enabled if alertmanager.statefulSet.enabled is false + subPath: + + persistentVolume: + # If true and alertmanager.statefulSet.enabled is true, + # Alertmanager will create/use a Persistent Volume Claim + # If false, use emptyDir + enabled: true + + # Alertmanager data Persistent Volume Claim template name + # + name: storage + + # Alertmanager data Persistent Volume Claim annotations + # + annotations: {} + + # Alertmanager data Persistent Volume access modes + # Must match those of existing PV or dynamic provisioner + # Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # + accessModes: + - ReadWriteOnce + + # Alertmanager data Persistent Volume size + # + size: 1Gi + + # Subdirectory of Alertmanager data Persistent Volume to mount + # Useful if the volume's root directory is not empty + # + subPath: "" + + # Alertmanager data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. + # + # A per-zone storageClass configuration in `alertmanager.zoneAwareReplication.zones[*].storageClass` takes precedence over this field. + # storageClass: "-" + + # -- Enable StatefulSetAutoDeletePVC feature + # https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + enableRetentionPolicy: false + whenDeleted: Retain + whenScaled: Retain + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for alermeneger pods + securityContext: {} + + # -- The SecurityContext for alertmanager containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + # Tolerations for pod assignment + # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + # -- updateStrategy of the alertmanager statefulset. This is ignored when alertmanager.zoneAwareReplication.enabled=true. + statefulStrategy: + type: RollingUpdate + + terminationGracePeriodSeconds: 900 + + initContainers: [] + # Init containers to be added to the alertmanager pod. + # - name: my-init-container + # image: busybox:latest + # command: ['sh', '-c', 'echo hello'] + + extraContainers: [] + # Additional containers to be added to the alertmanager pod. + # - name: reverse-proxy + # image: angelbarrera92/basic-auth-reverse-proxy:dev + # args: + # - "serve" + # - "--upstream=http://localhost:3100" + # - "--auth-config=/etc/reverse-proxy-conf/authn.yaml" + # ports: + # - name: http + # containerPort: 11811 + # protocol: TCP + # volumeMounts: + # - name: reverse-proxy-auth-config + # mountPath: /etc/reverse-proxy-conf + + extraVolumes: [] + # Additional volumes to the alertmanager pod. 
+ # - name: reverse-proxy-auth-config + # secret: + # secretName: reverse-proxy-auth-config + + # Extra volume mounts that will be added to the alertmanager container + extraVolumeMounts: [] + + # Extra env variables to pass to the alertmanager container + env: [] + extraEnvFrom: [] + + # -- Options to configure zone-aware replication for alertmanager + # Example configuration with full geographical redundancy: + # rollout_operator: + # enabled: true + # alertmanager: + # zoneAwareReplication: + # enabled: true + # topologyKey: 'kubernetes.io/hostname' # This generates default anti-affinity rules + # zones: # Zone list has to be fully redefined for modification. Update with you actual zones or skip to use logical zones only. + # - name: zone-a + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-a + # - name: zone-b + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-b + # - name: zone-c + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-c + # + zoneAwareReplication: + # -- Enable zone-aware replication for alertmanager + enabled: false + # -- Maximum number of alertmanagers that can be unavailable per zone during rollout + maxUnavailable: 2 + # -- topologyKey to use in pod anti-affinity. If unset, no anti-affinity rules are generated. If set, the generated anti-affinity rule makes sure that pods from different zones do not mix. + # E.g.: topologyKey: 'kubernetes.io/hostname' + topologyKey: null + # -- Auxiliary values for migration, see https://grafana.com/docs/helm-charts/mimir-distributed/latest/migration-guides/migrate-from-single-zone-with-helm/ + migration: + # -- Indicate if migration is ongoing for multi zone alertmanager + enabled: false + # -- Start zone-aware alertmanagers + writePath: false + # -- Zone definitions for alertmanager zones. Note: you have to redefine the whole list to change parts as YAML does not allow to modify parts of a list. + zones: + # -- Name of the zone, used in labels and selectors. Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-a + # -- nodeselector to restrict where pods of this zone can be placed. E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-a + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- Alertmanager data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `alertmanager.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. + # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-alertmanager-zone-a" for zone-b, "mimir-alertmanager-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + # -- Name of the zone, used in labels and selectors. 
Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-b + # -- nodeselector to restrict where pods of this zone can be placed. E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-b + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- Alertmanager data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `alertmanager.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. + # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-alertmanager-zone-a" for zone-b, "mimir-alertmanager-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + # -- Name of the zone, used in labels and selectors. Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-c + # -- nodeselector to restrict where pods of this zone can be placed. E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-c + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- Alertmanager data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `alertmanager.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. + # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-alertmanager-zone-a" for zone-b, "mimir-alertmanager-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + +distributor: + # -- Whether to render the manifests related to the distributor component. + enabled: true + + # -- Allows to override the container image of the distributor component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + # Setting it to null will produce a deployment without replicas set, allowing you to use autoscaling with the deployment + replicas: 1 + revisionHistoryLimit: null + + # -- [Experimental] Configure autoscaling via KEDA (https://keda.sh). This requires having + # KEDA already installed in the Kubernetes cluster. The metrics for scaling are read + # according to top-level kedaAutoscaling.prometheusAddress (defaulting to metamonitoring remote-write destination). 
+ # Basic auth and extra HTTP headers from metaMonitoring are ignored, please use customHeaders. + # The remote URL is used even if metamonitoring is disabled. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + kedaAutoscaling: + enabled: false + # -- preserveReplicas gives you the option to migrate from non-autoscaled to autoscaled deployments without losing replicas. When set to true, the replica fields in the component will be left intact. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + preserveReplicas: false + minReplicaCount: 1 + maxReplicaCount: 10 + # -- Target CPU utilization percentage for KEDA autoscaling. This controls the headroom each pod has compared to its current usage. + # targetting lower percentages overprovisions the containers, so they can handle bursts of traffic and tolerate failures without waiting to scale out. + targetCPUUtilizationPercentage: 100 + # -- Target memory utilization percentage for KEDA autoscaling. This controls the headroom each pod has compared to its current usage. + # targetting lower percentages overprovisions the containers, so they can handle bursts of traffic and tolerate failures without waiting to scale out. + targetMemoryUtilizationPercentage: 100 + behavior: + scaleDown: + policies: + - periodSeconds: 600 + type: Percent + value: 10 + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + # -- https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + trafficDistribution: "" + + resources: + requests: + cpu: 100m + memory: 512Mi + + # Additional distributor container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for distributor pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + persistence: + subPath: + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for distributor pods + securityContext: {} + + # -- The SecurityContext for distributor containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 15% + + # Keep the termination grace period higher than the -shutdown-delay configured on the distributor. 
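+  # For example, with a hypothetical -shutdown-delay of 90s, the value of 100 below leaves the
+  # distributor roughly 10 seconds after the delay elapses to drain in-flight requests before the
+  # pod is killed.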
+ terminationGracePeriodSeconds: 100 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +ingester: + # -- Whether to render the manifests related to the ingester component. + enabled: true + + # -- Allows to override the container image of the ingester component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + # -- Total number of replicas for the ingester across all availability zones + # If ingester.zoneAwareReplication.enabled=false, this number is taken as is. + # Otherwise each zone starts `ceil(replicas / number_of_zones)` number of pods. + # E.g. if 'replicas' is set to 4 and there are 3 zones, then 4/3=1.33 and after rounding up it means 2 pods per zone are started. + replicas: 3 + + statefulSet: + enabled: true + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + # -- https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + # Note: This service is only used for admin endpoints like TSDB statistics, not for write or read path traffic. + trafficDistribution: "" + + # -- Optionally set the scheduler for pods of the ingester + schedulerName: "" + + resources: + requests: + cpu: 100m + memory: 512Mi + + # Additional ingester container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # -- The name of the PriorityClass for ingester pods + priorityClassName: null + + # -- Pod Disruption Budget for ingester, this will be applied across availability zones to prevent losing redundancy + podDisruptionBudget: + maxUnavailable: 1 + + podManagementPolicy: Parallel + + # -- NodeSelector to pin ingester pods to certain set of nodes. This is ignored when ingester.zoneAwareReplication.enabled=true. + nodeSelector: {} + # -- Pod affinity settings for the ingester. This is ignored when ingester.zoneAwareReplication.enabled=true. + affinity: {} + dnsConfig: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + # It is recommended to replace this with requiredDuringSchedulingIgnoredDuringExecution podAntiAffinity rules when + # deploying to production. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + + persistentVolume: + # If true and ingester.statefulSet.enabled is true, + # Ingester will create/use a Persistent Volume Claim + # If false, use emptyDir + # It is advisable to enable volume persistence in ingester to avoid losing metrics. 
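+    # Without a persistent volume the ingester keeps its TSDB head, WAL and ring tokens in an
+    # emptyDir, which is wiped whenever the pod is rescheduled. A cluster override would typically
+    # also size the volume for the real workload, for example (values are illustrative only):
+    #   ingester:
+    #     persistentVolume:
+    #       size: 50Gi
+    #       storageClass: fast-ssd   # hypothetical storage class name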
+ # + enabled: true + + # Ingester data Persistent Volume Claim template name + # + name: storage + + # Ingester data Persistent Volume Claim annotations + # + annotations: {} + + # Ingester data Persistent Volume access modes + # Must match those of existing PV or dynamic provisioner + # Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + accessModes: + - ReadWriteOnce + + # Ingester data Persistent Volume size + size: 2Gi + + # Subdirectory of Ingester data Persistent Volume to mount + # Useful if the volume's root directory is not empty + subPath: "" + + # -- Enable StatefulSetAutoDeletePVC feature + # https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + enableRetentionPolicy: false + whenDeleted: Retain + whenScaled: Retain + + # Ingester data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. + # + # A per-zone storageClass configuration in `ingester.zoneAwareReplication.zones[*].storageClass` takes precedence over this field. + # + # storageClass: "-" + + livenessProbe: null + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 60 + + # -- SecurityContext override for ingester pods + securityContext: {} + + # -- The SecurityContext for ingester containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + # -- updateStrategy of the ingester statefulset. This is ignored when ingester.zoneAwareReplication.enabled=true. + statefulStrategy: + type: RollingUpdate + + terminationGracePeriodSeconds: 1200 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + + # -- Options to configure zone-aware replication for ingester + # Example configuration with full geographical redundancy: + # rollout_operator: + # enabled: true + # ingester: + # zoneAwareReplication: + # enabled: true + # topologyKey: 'kubernetes.io/hostname' # This generates default anti-affinity rules + # zones: # Zone list has to be fully redefined for modification. Update with you actual zones or skip to use logical zones only. + # - name: zone-a + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-a + # storageClass: storage-class-us-central1-a + # - name: zone-b + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-b + # storageClass: storage-class-us-central1-b + # - name: zone-c + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-c + # storageClass: storage-class-us-central1-c + # + zoneAwareReplication: + # -- Enable zone-aware replication for ingester + enabled: true + # -- Maximum number of ingesters that can be unavailable per zone during rollout + maxUnavailable: 50 + # -- topologyKey to use in pod anti-affinity. If unset, no anti-affinity rules are generated. If set, the generated anti-affinity rule makes sure that pods from different zones do not mix. 
+ # E.g.: topologyKey: 'kubernetes.io/hostname' + topologyKey: null + # -- Auxiliary values for migration, see https://grafana.com/docs/helm-charts/mimir-distributed/latest/migration-guides/migrate-from-single-zone-with-helm/ + migration: + # -- Indicate if migration is ongoing for multi zone ingester + enabled: false + # -- Exclude default zone on write path + excludeDefaultZone: false + # -- Enable zone-awareness, read path only + readPath: false + # -- Total number of replicas to start in availability zones when migration is enabled + replicas: 0 + # -- Scale default zone ingesters to 0 + scaleDownDefaultZone: false + # -- Enable zone-awareness, write path only + writePath: false + # -- Zone definitions for ingester zones. Note: you have to redefine the whole list to change parts as YAML does not allow to modify parts of a list. + zones: + # -- Name of the zone, used in labels and selectors. Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-a + # -- nodeselector to restrict where pods of this zone can be placed. E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-a + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- Ingester data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `ingester.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. + # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-ingester-zone-a" for zone-b, "mimir-ingester-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + # -- prepareDownscale adds labels and annotations for the rollout-operator to prepare downscaling: https://github.com/grafana/rollout-operator#how-scaling-up-and-down-works + prepareDownscale: true + # -- Name of the zone, used in labels and selectors. Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-b + # -- nodeselector to restrict where pods of this zone can be placed. E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-b + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- Ingester data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `ingester.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. 
+ # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-ingester-zone-a" for zone-b, "mimir-ingester-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + # -- prepareDownscale adds labels and annotations for the rollout-operator to prepare downscaling: https://github.com/grafana/rollout-operator#how-scaling-up-and-down-works + prepareDownscale: true + # -- Name of the zone, used in labels and selectors. Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-c + # -- nodeselector to restrict where pods of this zone can be placed. E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-c + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- Ingester data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `ingester.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. + # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-ingester-zone-a" for zone-b, "mimir-ingester-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + # -- prepareDownscale adds labels and annotations for the rollout-operator to prepare downscaling: https://github.com/grafana/rollout-operator#how-scaling-up-and-down-works + prepareDownscale: true + +overrides_exporter: + enabled: true + + # -- Allows to override the container image of the overrides-exporter component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + replicas: 1 + revisionHistoryLimit: null + + annotations: {} + + initContainers: [] + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 15% + + podLabels: {} + podAnnotations: {} + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for overrides-exporter pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. 
+ topologySpreadConstraints: {} + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + # -- SecurityContext override for overrides-exporter pods + securityContext: {} + + # -- The SecurityContext for overrides-exporter containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + extraArgs: {} + + persistence: + subPath: + + livenessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + resources: + requests: + cpu: 100m + memory: 128Mi + + terminationGracePeriodSeconds: 30 + + tolerations: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +ruler: + enabled: true + + # -- Allows to override the container image of the ruler component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + replicas: 1 + revisionHistoryLimit: null + + # -- [Experimental] Configure autoscaling via KEDA (https://keda.sh). This requires having + # KEDA already installed in the Kubernetes cluster. The metrics for scaling are read + # according to top-level kedaAutoscaling.prometheusAddress (defaulting to metamonitoring remote-write destination). + # Basic auth and extra HTTP headers from metaMonitoring are ignored, please use customHeaders. + # The remote URL is used even if metamonitoring is disabled. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + kedaAutoscaling: + enabled: false + # -- preserveReplicas gives you the option to migrate from non-autoscaled to autoscaled deployments without losing replicas. When set to true, the replica fields in the component will be left intact. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + preserveReplicas: false + minReplicaCount: 1 + maxReplicaCount: 10 + # -- Target CPU utilization percentage for KEDA autoscaling. This controls the headroom each pod has compared to its current usage. + # targetting lower percentages overprovisions the containers, so they can handle bursts of traffic and tolerate failures without waiting to scale out. + targetCPUUtilizationPercentage: 100 + # -- Target memory utilization percentage for KEDA autoscaling. This controls the headroom each pod has compared to its current usage. + # targetting lower percentages overprovisions the containers, so they can handle bursts of traffic and tolerate failures without waiting to scale out. + targetMemoryUtilizationPercentage: 100 + behavior: + scaleDown: + policies: + - periodSeconds: 600 + type: Percent + value: 10 + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + + # -- Dedicated service account for ruler pods. + # If not set, the default service account defined at the begining of this file will be used. + # This service account can be used even if the default one is not set. 
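+  # A dedicated service account is useful, for example, when the ruler needs its own cloud IAM
+  # identity to reach the rule storage bucket (illustrative only; the EKS IRSA annotation value is
+  # an assumption):
+  # serviceAccount:
+  #   create: true
+  #   annotations:
+  #     eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/mimir-ruler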
+ serviceAccount: + create: false + # -- Ruler specific service account name. If not set and create is set to true, the default + # name will be the default mimir service account's name with the "-ruler" suffix. + name: "" + annotations: {} + labels: {} + + resources: + requests: + cpu: 100m + memory: 128Mi + + # Additional ruler container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + # log.level: debug + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + persistence: + subPath: + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for ruler pods + securityContext: {} + + # -- The SecurityContext for ruler containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 50% + maxUnavailable: 0 + + terminationGracePeriodSeconds: 600 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + + # -- If set to true, a dedicated query path will be deployed for the ruler and operational mode will be set to use remote evaluation. https://grafana.com/docs/mimir/latest/references/architecture/components/ruler/#remote + # -- This is useful for isolating the ruler queries from other queriers (api/grafana). + remoteEvaluationDedicatedQueryPath: false + +# -- Only deployed if .Values.ruler.remoteEvaluationDedicatedQueryPath +ruler_querier: + # -- Allows to override the container image of the ruler-querier component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + replicas: 2 + revisionHistoryLimit: null + + # -- [Experimental] Configure autoscaling via KEDA (https://keda.sh). This requires having + # KEDA already installed in the Kubernetes cluster. The metrics for scaling are read + # according to top-level kedaAutoscaling.prometheusAddress (defaulting to metamonitoring remote-write destination). + # Basic auth and extra HTTP headers from metaMonitoring are ignored, please use customHeaders. + # The remote URL is used even if metamonitoring is disabled. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + kedaAutoscaling: + enabled: false + # -- preserveReplicas gives you the option to migrate from non-autoscaled to autoscaled deployments without losing replicas. When set to true, the replica fields in the component will be left intact. 
+ # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + preserveReplicas: false + minReplicaCount: 1 + maxReplicaCount: 10 + querySchedulerInflightRequestsThreshold: 12 + behavior: + scaleDown: + policies: + - periodSeconds: 120 + type: Percent + value: 10 + stabilizationWindowSeconds: 600 + scaleUp: + policies: + - periodSeconds: 120 + type: Percent + value: 50 + - periodSeconds: 120 + type: Pods + value: 15 + stabilizationWindowSeconds: 60 + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + + resources: + requests: + cpu: 100m + memory: 128Mi + + # Additional ruler-querier container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for ruler-querier pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + persistence: + subPath: + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for ruler-querier pods + securityContext: {} + + # -- The SecurityContext for ruler-querier containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 15% + + terminationGracePeriodSeconds: 180 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +# -- Only deployed if .Values.ruler.remoteEvaluationDedicatedQueryPath +ruler_query_frontend: + # -- Allows to override the container image of the ruler-query-frontend component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + # Setting it to null will produce a deployment without replicas set, allowing you to use autoscaling with the deployment + replicas: 1 + revisionHistoryLimit: null + + # -- [Experimental] Configure autoscaling via KEDA (https://keda.sh). This requires having + # KEDA already installed in the Kubernetes cluster. The metrics for scaling are read + # according to top-level kedaAutoscaling.prometheusAddress (defaulting to metamonitoring remote-write destination). + # Basic auth and extra HTTP headers from metaMonitoring are ignored, please use customHeaders. + # The remote URL is used even if metamonitoring is disabled. 
+ # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + kedaAutoscaling: + enabled: false + # -- preserveReplicas gives you the option to migrate from non-autoscaled to autoscaled deployments without losing replicas. When set to true, the replica fields in the component will be left intact. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + preserveReplicas: false + minReplicaCount: 1 + maxReplicaCount: 10 + # -- Target CPU utilization percentage for KEDA autoscaling. This controls the headroom each pod has compared to its current usage. + # targetting lower percentages overprovisions the containers, so they can handle bursts of traffic and tolerate failures without waiting to scale out. + targetCPUUtilizationPercentage: 75 + # -- Target memory utilization percentage for KEDA autoscaling. This controls the headroom each pod has compared to its current usage. + # targetting lower percentages overprovisions the containers, so they can handle bursts of traffic and tolerate failures without waiting to scale out. + targetMemoryUtilizationPercentage: 100 + behavior: + scaleDown: + policies: + - periodSeconds: 60 + type: Percent + value: 10 + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + + resources: + requests: + cpu: 100m + memory: 128Mi + + # Additional ruler-query-frontend container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for ruler-query-frontend pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + persistence: + subPath: + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for query-fronted pods + securityContext: {} + + # -- The SecurityContext for ruler-query-frontend containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 15% + + terminationGracePeriodSeconds: 390 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +# -- Only deployed if .Values.ruler.remoteEvaluationDedicatedQueryPath +ruler_query_scheduler: + # -- Allows to override the container image of the ruler-query-scheduler component. 
+ # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + replicas: 2 + revisionHistoryLimit: null + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + + resources: + requests: + cpu: 100m + memory: 128Mi + + # Additional ruler-query-scheduler container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for ruler-query-scheduler pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + persistence: + subPath: + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for ruler-query-scheduler pods + securityContext: {} + + # -- The SecurityContext for ruler-query-scheduler containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 + + terminationGracePeriodSeconds: 180 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +querier: + # -- Whether to render the manifests related to the querier component. + enabled: true + + # -- Allows to override the container image of the querier component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + replicas: 2 + revisionHistoryLimit: null + + # -- [Experimental] Configure autoscaling via KEDA (https://keda.sh). This requires having + # KEDA already installed in the Kubernetes cluster. The metrics for scaling are read + # according to top-level kedaAutoscaling.prometheusAddress (defaulting to metamonitoring remote-write destination). + # Basic auth and extra HTTP headers from metaMonitoring are ignored, please use customHeaders. + # The remote URL is used even if metamonitoring is disabled. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + kedaAutoscaling: + enabled: false + # -- preserveReplicas gives you the option to migrate from non-autoscaled to autoscaled deployments without losing replicas. When set to true, the replica fields in the component will be left intact. 
+ # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + preserveReplicas: false + minReplicaCount: 1 + maxReplicaCount: 10 + querySchedulerInflightRequestsThreshold: 12 + # -- predictiveScalingEnabled scales up the querier based on the inflight requests in the past. + # This helps with scaling up for predictable traffic patterns and minimizing HTTP 429 responses due to filled query queues. + # Due to false positive items it can increase the querier TCO. + predictiveScalingEnabled: false + # -- The period to consider when considering scheduler metrics for predictive scaling. + # This is usually slightly lower than the period of the repeating query events to give scaling up lead time. + predictiveScalingPeriod: 6d23h30m + # -- The time range to consider when considering scheduler metrics for predictive scaling. + # For example: if lookback is 30m and period is 6d23h30m, + # the querier will scale based on the maximum inflight queries between 6d23h30m and 7d ago. + predictiveScalingLookback: 30m + behavior: + scaleDown: + policies: + - periodSeconds: 120 + type: Percent + value: 10 + stabilizationWindowSeconds: 600 + scaleUp: + policies: + - periodSeconds: 120 + type: Percent + value: 50 + - periodSeconds: 120 + type: Pods + value: 15 + stabilizationWindowSeconds: 60 + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + # -- https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + trafficDistribution: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + + # Additional querier container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for querier pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + persistence: + subPath: + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for querier pods + securityContext: {} + + # -- The SecurityContext for querier containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 15% + + terminationGracePeriodSeconds: 180 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +query_frontend: + # -- Whether to render the manifests related to the query-frontend component. 
+ enabled: true + + # -- Allows to override the container image of the query-frontend component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + # Setting it to null will produce a deployment without replicas set, allowing you to use autoscaling with the deployment + replicas: 1 + revisionHistoryLimit: null + + # -- [Experimental] Configure autoscaling via KEDA (https://keda.sh). This requires having + # KEDA already installed in the Kubernetes cluster. The metrics for scaling are read + # according to top-level kedaAutoscaling.prometheusAddress (defaulting to metamonitoring remote-write destination). + # Basic auth and extra HTTP headers from metaMonitoring are ignored, please use customHeaders. + # The remote URL is used even if metamonitoring is disabled. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + kedaAutoscaling: + enabled: false + # -- preserveReplicas gives you the option to migrate from non-autoscaled to autoscaled deployments without losing replicas. When set to true, the replica fields in the component will be left intact. + # For more details about migrating to autoscaling, refer to https://grafana.com/docs/helm-charts/mimir-distributed/latest/configure/configure-autoscaling/#migrate-existing-deployments + preserveReplicas: false + minReplicaCount: 1 + maxReplicaCount: 10 + # -- Target CPU utilization percentage for KEDA autoscaling. This controls the headroom each pod has compared to its current usage. + # targetting lower percentages overprovisions the containers, so they can handle bursts of traffic and tolerate failures without waiting to scale out. + targetCPUUtilizationPercentage: 75 + # -- Target memory utilization percentage for KEDA autoscaling. This controls the headroom each pod has compared to its current usage. + # targetting lower percentages overprovisions the containers, so they can handle bursts of traffic and tolerate failures without waiting to scale out. + targetMemoryUtilizationPercentage: 100 + behavior: + scaleDown: + policies: + - periodSeconds: 60 + type: Percent + value: 10 + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + # -- https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + trafficDistribution: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + + # Additional query-frontend container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for query-frontend pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. 
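+  # A minimal commented sketch of the list form, spreading query-frontend pods across zones
+  # and hosts; the labelSelector is generated by the chart as described above:
+  # topologySpreadConstraints:
+  #   - maxSkew: 1
+  #     topologyKey: topology.kubernetes.io/zone
+  #     whenUnsatisfiable: ScheduleAnyway
+  #   - maxSkew: 1
+  #     topologyKey: kubernetes.io/hostname
+  #     whenUnsatisfiable: ScheduleAnyway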
+ topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + persistence: + subPath: + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for query-fronted pods + securityContext: {} + + # -- The SecurityContext for query-frontend containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 15% + + terminationGracePeriodSeconds: 390 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +query_scheduler: + enabled: true + + # -- Allows to override the container image of the query-scheduler component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + + replicas: 2 + revisionHistoryLimit: null + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + # -- https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + trafficDistribution: "" + + resources: + requests: + cpu: 100m + memory: 128Mi + + # Additional query-scheduler container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for query-scheduler pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + persistence: + subPath: + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + + # -- SecurityContext override for query-scheduler pods + securityContext: {} + + # -- The SecurityContext for query-scheduler containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 + + terminationGracePeriodSeconds: 180 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +store_gateway: + # -- Whether to render the manifests related to the store-gateway component. + enabled: true + + # -- Allows to override the container image of the store-gateway component. + # When set it takes precedence over what is defined in global "image" . 
+ image: + # repository: grafana/mimir + # tag: 2.16.0 + + # -- Total number of replicas for the store-gateway across all availability zones + # If store_gateway.zoneAwareReplication.enabled=false, this number is taken as is. + # Otherwise each zone starts `ceil(replicas / number_of_zones)` number of pods. + # E.g. if 'replicas' is set to 4 and there are 3 zones, then 4/3=1.33 and after rounding up it means 2 pods per zone are started. + replicas: 1 + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + # -- https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + # Note: This service is not responsible for read path traffic. + trafficDistribution: "" + + # -- Optionally set the scheduler for pods of the store-gateway + schedulerName: "" + + resources: + requests: + cpu: 100m + memory: 512Mi + + # Additional store-gateway container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # -- Management policy for store-gateway pods + # New variable introduced with Helm chart version 5.1.0. For backwards compatibility it is set to `OrderedReady` + # On new deployments it is highly recommended to switch it to `Parallel` as this will be the new default from 6.0.0 + podManagementPolicy: OrderedReady + + # -- Pod Disruption Budget for store-gateway, this will be applied across availability zones to prevent losing redundancy + podDisruptionBudget: + maxUnavailable: 1 + + # -- The name of the PriorityClass for store-gateway pods + priorityClassName: null + + dnsConfig: {} + # -- NodeSelector to pin store-gateway pods to certain set of nodes. This is ignored when store_gateway.zoneAwareReplication.enabled=true. + nodeSelector: {} + # -- Pod affinity settings for the store_gateway. This is ignored when store_gateway.zoneAwareReplication.enabled=true. + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + # It is recommended to replace this with requiredDuringSchedulingIgnoredDuringExecution podAntiAffinity rules when + # deploying to production. 
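+  # A minimal commented sketch of such a hard anti-affinity rule, assuming the
+  # "app.kubernetes.io/component: store-gateway" label applied by this chart. Note that
+  # store_gateway.affinity is ignored when zoneAwareReplication is enabled; in that case use
+  # store_gateway.zoneAwareReplication.zones[*].extraAffinity instead:
+  # affinity:
+  #   podAntiAffinity:
+  #     requiredDuringSchedulingIgnoredDuringExecution:
+  #       - labelSelector:
+  #           matchLabels:
+  #             app.kubernetes.io/component: store-gateway
+  #         topologyKey: kubernetes.io/hostname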
+ topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + + persistentVolume: + # If true Store-gateway will create/use a Persistent Volume Claim + # If false, use emptyDir + # + enabled: true + + # additional settings for emptyDir like medium or sizeLimit + # + emptyDir: {} + # medium: Memory + # sizeLimit: 1Gi + + # Store-gateway data Persistent Volume Claim template name + # + name: storage + + # Store-gateway data Persistent Volume Claim annotations + # + annotations: {} + + # Store-gateway data Persistent Volume access modes + # Must match those of existing PV or dynamic provisioner + # Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # + accessModes: + - ReadWriteOnce + + # Store-gateway data Persistent Volume size + # + size: 2Gi + + # Subdirectory of Store-gateway data Persistent Volume to mount + # Useful if the volume's root directory is not empty + # + subPath: "" + + # Store-gateway data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. + # + # A per-zone storageClass configuration in `store_gateway.zoneAwareReplication.zones[*].storageClass` takes precedence over this field. + # storageClass: "-" + + # -- Enable StatefulSetAutoDeletePVC feature + # https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + enableRetentionPolicy: false + whenDeleted: Retain + whenScaled: Retain + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 60 + + # -- SecurityContext override for store-gateway pods + securityContext: {} + + # -- The SecurityContext for store-gateway containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + # -- updateStrategy of the store-gateway statefulset. This is ignored when store_gateway.zoneAwareReplication.enabled=true. + strategy: + type: RollingUpdate + + terminationGracePeriodSeconds: 120 + + # -- The maximum size of a query response in bytes. Sets max send size for store-gateway and receive size for queriers. + grpcMaxQueryResponseSizeBytes: "209715200" + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + + # -- Options to configure zone-aware replication for store-gateway + # Example configuration with full geographical redundancy: + # rollout_operator: + # enabled: true + # store_gateway: + # zoneAwareReplication: + # enabled: true + # topologyKey: 'kubernetes.io/hostname' # This generates default anti-affinity rules + # zones: # Zone list has to be fully redefined for modification. Update with you actual zones or skip to use logical zones only. 
+ # - name: zone-a + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-a + # - name: zone-b + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-b + # - name: zone-c + # nodeSelector: + # topology.kubernetes.io/zone: us-central1-c + # + zoneAwareReplication: + # -- Enable zone-aware replication for store-gateway + enabled: true + # -- Maximum number of store-gateways that can be unavailable per zone during rollout + maxUnavailable: 50 + # -- topologyKey to use in pod anti-affinity. If unset, no anti-affinity rules are generated. If set, the generated anti-affinity rule makes sure that pods from different zones do not mix. + # E.g.: topologyKey: 'kubernetes.io/hostname' + topologyKey: null + # -- Auxiliary values for migration, see https://grafana.com/docs/helm-charts/mimir-distributed/latest/migration-guides/migrate-from-single-zone-with-helm/ + migration: + # -- Indicate if migration is ongoing for multi zone store-gateway + enabled: false + # -- Enable zone-awareness on the readPath + readPath: false + # -- Zone definitions for store-gateway zones. Note: you have to redefine the whole list to change parts as YAML does not allow to modify parts of a list. + zones: + # -- Name of the zone, used in labels and selectors. Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-a + # -- nodeselector to restrict where pods of this zone can be placed. E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-a + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- StoreGateway data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `store_gateway.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. + # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-store-gateway-zone-a" for zone-b, "mimir-store-gateway-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + # -- prepareDownscale adds labels and annotations for the rollout-operator to prepare downscaling: https://github.com/grafana/rollout-operator#how-scaling-up-and-down-works + prepareDownscale: true + # -- Name of the zone, used in labels and selectors. Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-b + # -- nodeselector to restrict where pods of this zone can be placed. 
E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-b + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- StoreGateway data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `store_gateway.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. + # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-store-gateway-zone-a" for zone-b, "mimir-store-gateway-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + # -- prepareDownscale adds labels and annotations for the rollout-operator to prepare downscaling: https://github.com/grafana/rollout-operator#how-scaling-up-and-down-works + prepareDownscale: true + # -- Name of the zone, used in labels and selectors. Must follow Kubernetes naming restrictions: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ + - name: zone-c + # -- nodeselector to restrict where pods of this zone can be placed. E.g.: + # nodeSelector: + # topology.kubernetes.io/zone: zone-c + nodeSelector: null + # -- extraAffinity adds user defined custom affinity rules (merged with generated rules) + extraAffinity: {} + # -- StoreGateway data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", then use `storageClassName: ""`, which disables dynamic provisioning + # If undefined or set to null (the default), then fall back to the value of `store_gateway.persistentVolume.storageClass`. + storageClass: null + # -- noDownscale adds a label that can be used by the rollout-operator as documented in the rollout-operator repo: https://github.com/grafana/rollout-operator#webhooks + noDownscale: false + # -- downscaleLeader is an Annotation used by the rollout-operator to coordinate downscaling across zones. + # Set to the StatefulSet name that should lead downscaling for this component (typically the previous zone). + # Example: "mimir-store-gateway-zone-a" for zone-b, "mimir-store-gateway-zone-b" for zone-c. + # If undefined or set to null (the default), this zone won't be designated as a downscale leader. + downscaleLeader: null + # -- prepareDownscale adds labels and annotations for the rollout-operator to prepare downscaling: https://github.com/grafana/rollout-operator#how-scaling-up-and-down-works + prepareDownscale: true + +compactor: + # -- Whether to render the manifests related to the compactor component. + enabled: true + + # -- Allows to override the container image of the compactor component. + # When set it takes precedence over what is defined in global "image" . 
+ image: + # repository: grafana/mimir + # tag: 2.16.0 + + replicas: 1 + + service: + annotations: {} + labels: {} + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + type: ClusterIP + extraPorts: [] + + # -- Optionally set the scheduler for pods of the compactor + schedulerName: "" + + resources: + requests: + cpu: 100m + memory: 512Mi + + # Additional compactor container arguments, e.g. log level (debug, info, warn, error) + extraArgs: {} + + # Pod Labels + podLabels: {} + + # Pod Annotations + podAnnotations: {} + + # Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + + podManagementPolicy: OrderedReady + + # -- The name of the PriorityClass for compactor pods + priorityClassName: null + + dnsConfig: {} + nodeSelector: {} + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + annotations: {} + + persistentVolume: + # If true compactor will create/use a Persistent Volume Claim + # If false, use emptyDir + # + enabled: true + + # compactor data Persistent Volume Claim template name + # + name: storage + + # compactor data Persistent Volume Claim annotations + # + annotations: {} + + # compactor data Persistent Volume access modes + # Must match those of existing PV or dynamic provisioner + # Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + # + accessModes: + - ReadWriteOnce + + # compactor data Persistent Volume size + # + size: 2Gi + + # Subdirectory of compactor data Persistent Volume to mount + # Useful if the volume's root directory is not empty + # + subPath: "" + + # compactor data Persistent Volume Storage Class + # If defined, storageClassName: + # If set to "-", storageClassName: "", which disables dynamic provisioning + # If undefined (the default) or set to null, no storageClassName spec is + # set, choosing the default provisioner. 
+ # + # storageClass: "-" + + # -- Enable StatefulSetAutoDeletePVC feature + # https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + enableRetentionPolicy: false + whenDeleted: Retain + whenScaled: Retain + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 60 + + # -- SecurityContext override for compactor pods + securityContext: {} + + # -- The SecurityContext for compactor containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + strategy: + type: RollingUpdate + + terminationGracePeriodSeconds: 900 + + tolerations: [] + initContainers: [] + extraContainers: [] + extraVolumes: [] + extraVolumeMounts: [] + env: [] + extraEnvFrom: [] + +gossip_ring: + service: + annotations: {} + +memcached: + image: + # -- Memcached Docker image repository + repository: memcached + # -- Memcached Docker image tag + tag: 1.6.39-alpine + # -- Memcached Docker image pull policy + pullPolicy: IfNotPresent + + # -- The SecurityContext override for memcached pods + podSecurityContext: {} + + # -- The name of the PriorityClass for memcached pods + priorityClassName: null + + # -- The SecurityContext for memcached containers + containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + allowPrivilegeEscalation: false + +memcachedExporter: + # -- Whether memcached metrics should be exported + enabled: true + + image: + repository: prom/memcached-exporter + tag: v0.15.3 + pullPolicy: IfNotPresent + + resources: + requests: + cpu: 50m + memory: 50Mi + limits: + memory: 250Mi + + # -- The SecurityContext for memcached exporter containers + containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + allowPrivilegeEscalation: false + + # -- Extra args to add to the exporter container. + # Example: + # extraArgs: + # memcached.tls.enable: true + # memcached.tls.cert-file: /certs/cert.crt + # memcached.tls.key-file: /certs/cert.key + # memcached.tls.ca-file: /certs/ca.crt + # memcached.tls.insecure-skip-verify: false + # memcached.tls.server-name: memcached + extraArgs: {} + +chunks-cache: + # -- Specifies whether memcached based chunks-cache should be enabled + enabled: false + + # -- Total number of chunks-cache replicas + replicas: 1 + + # -- Port of the chunks-cache service + port: 11211 + + # -- Amount of memory allocated to chunks-cache for object storage (in MB). + allocatedMemory: 8192 + + # -- Maximum item memory for chunks-cache (in MB). + maxItemMemory: 1 + + # -- Maximum number of connections allowed + connectionLimit: 16384 + + # -- Extra init containers for chunks-cache pods + initContainers: [] + + # -- Annotations for the chunks-cache pods + annotations: {} + # -- Node selector for chunks-cache pods + nodeSelector: {} + # -- Affinity for chunks-cache pods + affinity: {} + dnsConfig: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. 
+ topologySpreadConstraints: {} + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + # -- Tolerations for chunks-cache pods + tolerations: [] + # -- Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + # -- The name of the PriorityClass for chunks-cache pods + priorityClassName: null + # -- Labels for chunks-cache pods + podLabels: {} + # -- Annotations for chunks-cache pods + podAnnotations: {} + # -- Management policy for chunks-cache pods + podManagementPolicy: Parallel + # -- Grace period to allow the chunks-cache to shutdown before it is killed + terminationGracePeriodSeconds: 30 + + # -- Stateful chunks-cache strategy + statefulStrategy: + type: RollingUpdate + + # -- Add extended options for chunks-cache memcached container. The format is the same as for the memcached -o/--extend flag. + # Example: + # extraExtendedOptions: 'tls,no_hashexpand' + extraExtendedOptions: "" + + # -- Additional CLI args for chunks-cache + extraArgs: {} + + # -- Additional containers to be added to the chunks-cache pod. + extraContainers: [] + + # -- Additional volumes to be added to the chunks-cache pod (applies to both memcached and exporter containers). + # Example: + # extraVolumes: + # - name: extra-volume + # secret: + # secretName: extra-volume-secret + extraVolumes: [] + + # -- Additional volume mounts to be added to the chunks-cache pod (applies to both memcached and exporter containers). + # Example: + # extraVolumeMounts: + # - name: extra-volume + # mountPath: /etc/extra-volume + # readOnly: true + extraVolumeMounts: [] + + # -- List of additional PVCs to be created for the chunks-cache statefulset + volumeClaimTemplates: [] + + # -- Resource requests and limits for the chunks-cache + # By default a safe memory limit will be requested based on allocatedMemory value (floor (* 1.2 allocatedMemory)). + resources: null + + # -- Service annotations and labels + service: + annotations: {} + labels: {} + extraPorts: [] + +index-cache: + # -- Specifies whether memcached based index-cache should be enabled + enabled: false + + # -- Total number of index-cache replicas + replicas: 1 + + # -- Port of the index-cache service + port: 11211 + + # -- Amount of memory allocated to index-cache for object storage (in MB). + allocatedMemory: 2048 + + # -- Maximum item index-cache for memcached (in MB). + maxItemMemory: 5 + + # -- Maximum number of connections allowed + connectionLimit: 16384 + + # -- Extra init containers for index-cache pods + initContainers: [] + + # -- Annotations for the index-cache pods + annotations: {} + # -- Node selector for index-cache pods + nodeSelector: {} + # -- Affinity for index-cache pods + affinity: {} + dnsConfig: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. 
+ topologySpreadConstraints: {} + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + # -- Tolerations for index-cache pods + tolerations: [] + # -- Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + # -- The name of the PriorityClass for index-cache pods + priorityClassName: null + # -- Labels for index-cache pods + podLabels: {} + # -- Annotations for index-cache pods + podAnnotations: {} + # -- Management policy for index-cache pods + podManagementPolicy: Parallel + # -- Grace period to allow the index-cache to shutdown before it is killed + terminationGracePeriodSeconds: 30 + + # -- Stateful index-cache strategy + statefulStrategy: + type: RollingUpdate + + # -- Add extended options for index-cache memcached container. The format is the same as for the memcached -o/--extend flag. + # Example: + # extraExtendedOptions: 'tls,modern,track_sizes' + extraExtendedOptions: "" + + # -- Additional CLI args for index-cache + extraArgs: {} + + # -- Additional containers to be added to the index-cache pod. + extraContainers: [] + + # -- Additional volumes to be added to the index-cache pod (applies to both memcached and exporter containers). + # Example: + # extraVolumes: + # - name: extra-volume + # secret: + # secretName: extra-volume-secret + extraVolumes: [] + + # -- Additional volume mounts to be added to the index-cache pod (applies to both memcached and exporter containers). + # Example: + # extraVolumeMounts: + # - name: extra-volume + # mountPath: /etc/extra-volume + # readOnly: true + extraVolumeMounts: [] + + # -- List of additional PVCs to be created for the index-cache statefulset + volumeClaimTemplates: [] + + # -- Resource requests and limits for the index-cache + # By default a safe memory limit will be requested based on allocatedMemory value (floor (* 1.2 allocatedMemory)). + resources: null + + # -- Service annotations and labels + service: + annotations: {} + labels: {} + extraPorts: [] + +metadata-cache: + # -- Specifies whether memcached based metadata-cache should be enabled + enabled: false + + # -- Total number of metadata-cache replicas + replicas: 1 + + # -- Port of the metadata-cache service + port: 11211 + + # -- Amount of memory allocated to metadata-cache for object storage (in MB). + allocatedMemory: 512 + + # -- Maximum item metadata-cache for memcached (in MB). + maxItemMemory: 1 + + # -- Maximum number of connections allowed + connectionLimit: 16384 + + # -- Extra init containers for metadata-cache pods + initContainers: [] + + # -- Annotations for the metadata-cache pods + annotations: {} + # -- Node selector for metadata-cache pods + nodeSelector: {} + # -- Affinity for metadata-cache pods + affinity: {} + dnsConfig: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. 
+ topologySpreadConstraints: {} + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + # -- Tolerations for metadata-cache pods + tolerations: [] + # -- Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + # -- The name of the PriorityClass for metadata-cache pods + priorityClassName: null + # -- Labels for metadata-cache pods + podLabels: {} + # -- Annotations for metadata-cache pods + podAnnotations: {} + # -- Management policy for metadata-cache pods + podManagementPolicy: Parallel + # -- Grace period to allow the metadata-cache to shutdown before it is killed + terminationGracePeriodSeconds: 30 + + # -- Stateful metadata-cache strategy + statefulStrategy: + type: RollingUpdate + + # -- Add extended options for metadata-cache memcached container. The format is the same as for the memcached -o/--extend flag. + # Example: + # extraExtendedOptions: 'tls,modern,track_sizes' + extraExtendedOptions: "" + + # -- Additional CLI args for metadata-cache + extraArgs: {} + + # -- Additional containers to be added to the metadata-cache pod. + extraContainers: [] + + # -- Additional volumes to be added to the metadata-cache pod (applies to both memcached and exporter containers). + # Example: + # extraVolumes: + # - name: extra-volume + # secret: + # secretName: extra-volume-secret + extraVolumes: [] + + # -- Additional volume mounts to be added to the metadata-cache pod (applies to both memcached and exporter containers). + # Example: + # extraVolumeMounts: + # - name: extra-volume + # mountPath: /etc/extra-volume + # readOnly: true + extraVolumeMounts: [] + + # -- List of additional PVCs to be created for the metadata-cache statefulset + volumeClaimTemplates: [] + + # -- Resource requests and limits for the metadata-cache + # By default a safe memory limit will be requested based on allocatedMemory value (floor (* 1.2 allocatedMemory)). + resources: null + + # -- Service annotations and labels + service: + annotations: {} + labels: {} + extraPorts: [] + +results-cache: + # -- Specifies whether memcached based results-cache should be enabled + enabled: false + + # -- Total number of results-cache replicas + replicas: 1 + + # -- Port of the results-cache service + port: 11211 + + # -- Amount of memory allocated to results-cache for object storage (in MB). + allocatedMemory: 512 + + # -- Maximum item results-cache for memcached (in MB). + maxItemMemory: 5 + + # -- Maximum number of connections allowed + connectionLimit: 16384 + + # -- Extra init containers for results-cache pods + initContainers: [] + + # -- Annotations for the results-cache pods + annotations: {} + # -- Node selector for results-cache pods + nodeSelector: {} + # -- Affinity for results-cache pods + affinity: {} + dnsConfig: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. 
+ topologySpreadConstraints: {} + # maxSkew: 1 + # topologyKey: kubernetes.io/hostname + # whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + # -- Tolerations for results-cache pods + tolerations: [] + # -- Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + # -- The name of the PriorityClass for results-cache pods + priorityClassName: null + # -- Labels for results-cache pods + podLabels: {} + # -- Annotations for results-cache pods + podAnnotations: {} + # -- Management policy for results-cache pods + podManagementPolicy: Parallel + # -- Grace period to allow the results-cache to shutdown before it is killed + terminationGracePeriodSeconds: 30 + + # -- Stateful results-cache strategy + statefulStrategy: + type: RollingUpdate + + # -- Add extended options for results-cache memcached container. The format is the same as for the memcached -o/--extend flag. + # Example: + # extraExtendedOptions: 'tls,modern,track_sizes' + extraExtendedOptions: "" + + # -- Additional CLI args for results-cache + extraArgs: {} + + # -- Additional containers to be added to the results-cache pod. + extraContainers: [] + + # -- Additional volumes to be added to the results-cache pod (applies to both memcached and exporter containers). + # Example: + # extraVolumes: + # - name: extra-volume + # secret: + # secretName: extra-volume-secret + extraVolumes: [] + + # -- Additional volume mounts to be added to the results-cache pod (applies to both memcached and exporter containers). + # Example: + # extraVolumeMounts: + # - name: extra-volume + # mountPath: /etc/extra-volume + # readOnly: true + extraVolumeMounts: [] + + # -- List of additional PVCs to be created for the results-cache statefulset + volumeClaimTemplates: [] + + # -- Resource requests and limits for the results-cache + # By default a safe memory limit will be requested based on allocatedMemory value (floor (* 1.2 allocatedMemory)). + resources: null + + # -- Service annotations and labels + service: + annotations: {} + labels: {} + extraPorts: [] + +# -- Setting for the Grafana Rollout Operator https://github.com/grafana/helm-charts/tree/main/charts/rollout-operator +rollout_operator: + enabled: true + + # -- podSecurityContext is the pod security context for the rollout operator. + # When installing on OpenShift, override podSecurityContext settings with + # + # rollout_operator: + # podSecurityContext: + # fsGroup: null + # runAsGroup: null + # runAsUser: null + podSecurityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + + # Set the container security context + securityContext: + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + allowPrivilegeEscalation: false + +minio: + enabled: true + mode: standalone + rootUser: grafana-mimir + buckets: + - name: mimir-tsdb + policy: none + purge: false + - name: mimir-ruler + policy: none + purge: false + persistence: + size: 5Gi + resources: + requests: + cpu: 100m + memory: 128Mi + rootPassword: supersecret + # Changed the mc config path to '/tmp' from '/etc' as '/etc' is only writable by root and OpenShift will not permit this. 
+ configPathmc: "/tmp/minio/mc/" + +kafka: + # -- Enable Kafka for ingest-storage architecture + enabled: true + + image: + # -- The container image registry + registry: docker.io + # -- The container image repository + repository: apache/kafka-native + # -- The container image tag + tag: 4.1.0 + # -- The container image pull policy + pullPolicy: IfNotPresent + + # -- Kafka service port + service: + port: 9092 + controllerPort: 9093 + # -- Service type + type: ClusterIP + # -- Service annotations + annotations: {} + # -- Service labels + labels: {} + # -- Kafka persistence configuration + persistence: + # If false, use emptyDir + enabled: true + size: 5Gi + storageClassName: "" + # Additional settings for emptyDir if persistence is disabled + emptyDir: {} + # -- Resource requests and limits for Kafka + resources: + requests: + cpu: 1 + memory: 1Gi + limits: {} + # -- DNS configuration for Kafka pods + dnsConfig: {} + # -- Node selector for Kafka pods + nodeSelector: {} + # -- Tolerations for Kafka pods + tolerations: [] + # -- Affinity for Kafka pods + affinity: {} + # -- Pod Disruption Budget + podDisruptionBudget: + maxUnavailable: 1 + # -- The name of the PriorityClass for Kafka pods + priorityClassName: null + # -- Labels for Kafka pods + podLabels: {} + # -- Annotations for Kafka pods + podAnnotations: {} + # -- Security context for Kafka pods + securityContext: + fsGroup: 1001 + runAsGroup: 1001 + runAsNonRoot: true + runAsUser: 1001 + seccompProfile: + type: RuntimeDefault + # -- Container security context for Kafka containers + containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + allowPrivilegeEscalation: false + # -- Grace period to allow Kafka to shutdown before it is killed + terminationGracePeriodSeconds: 30 + # -- Additional environment variables for Kafka + extraEnv: [] + # -- Additional environment variables from secrets or configmaps + extraEnvFrom: [] + +# -- Use either this ingress or the gateway, but not both at once. +# If you enable this, make sure to disable the gateway's ingress. +ingress: + enabled: false + # ingressClassName: nginx + annotations: {} + paths: + distributor: + - path: /distributor + # -- pathType (e.g. ImplementationSpecific, Prefix, .. etc.) might also be required by some Ingress Controllers + # pathType: Prefix + - path: /api/v1/push + - path: /otlp/v1/metrics + alertmanager: + - path: /alertmanager + - path: /multitenant_alertmanager/status + - path: /multitenant_alertmanager/configs + - path: /api/v1/alerts + ruler: + - path: /prometheus/config/v1/rules + - path: /prometheus/api/v1/rules + - path: /prometheus/api/v1/alerts + query-frontend: + - path: /prometheus + - path: /api/v1/status/buildinfo + compactor: + - path: /api/v1/upload/block/ + hosts: + - mimir.example.com + # tls: + # - secretName: mimir-distributed-tls + # hosts: + # - mimir.example.com + +# -- An nginx reverse proxy deployment that is meant to receive traffic for Mimir. +gateway: + # -- Whether to render the manifests related to the gateway component. + enabled: true + + # -- Number of replicas for the Deployment + replicas: 1 + revisionHistoryLimit: null + dnsConfig: {} + + # -- HorizontalPodAutoscaler + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 3 + # -- Target CPU utilization percentage for nginx HPA. This controls the averageUtilization value for the HPA. + # Setting it to null disables the CPU utilization autoscaling. + targetCPUUtilizationPercentage: 70 + # -- Target memory utilization percentage for nginx HPA. 
This controls the averageUtilization value for the HPA. + # Setting it to null disables the memory utilization autoscaling. + targetMemoryUtilizationPercentage: 70 + + # -- Deployment strategy. See `kubectl explain deployment.spec.strategy` for more, + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 0 + maxSurge: 15% + + # -- The name of the PriorityClass + priorityClassName: null + # -- Labels for Deployment Pods + podLabels: {} + # -- Annotations Deployment Pods + podAnnotations: {} + # -- PodDisruptionBudget https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + maxUnavailable: 1 + # -- Additional CLI args for the container + extraArgs: {} + # -- Environment variables to add to the Pods. https://kubernetes.io/docs/tasks/inject-data-application/define-environment-variable-container/ + env: [] + # -- Environment variables from secrets or configmaps to add to the Pods. + extraEnvFrom: [] + # -- Volumes to add to the Pods + extraVolumes: [] + # -- Volume mounts to add to the Pods + extraVolumeMounts: [] + # -- Additional containers to be added to the Pods. + extraContainers: [] + # - name: dnsmasq + # image: "janeczku/go-dnsmasq:release-1.0.7" + # imagePullPolicy: IfNotPresent + # args: + # - --listen + # - "127.0.0.1:8053" + # - --hostsfile=/etc/hosts + # - --enable-search + # - --verbose + + # -- Init containers https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ + initContainers: [] + + # -- SecurityContext override for gateway pods + securityContext: {} + # -- The SecurityContext for gateway containers + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + + # -- Resource requests and limits for the container + resources: {} + # -- Grace period to allow the gateway container to shut down before it is killed + terminationGracePeriodSeconds: 30 + + affinity: {} + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. This can be either a single dict as shown below or a slice of topologySpreadConstraints. + # labelSelector is taken from the constraint itself (if it exists) or is generated by the chart using the same selectors as for services. + topologySpreadConstraints: + maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + + # Annotations for the Deployment + annotations: {} + + # -- Node selector for Deployment Pods + nodeSelector: {} + # -- Tolerations for Deployment Pods + tolerations: [] + # -- Gateway Service configuration + service: + # -- Port on which the Service listens + port: 80 + # -- Type of the Service + type: ClusterIP + # -- ClusterIP of the Service + clusterIP: null + # -- Node port if service type is NodePort + nodePort: null + # -- Load balancer IP address if service type is LoadBalancer + loadBalancerIP: null + # -- Annotations for the Service + annotations: {} + # -- Labels for the Service + labels: {} + # -- DEPRECATED Legacy compatibility port, set to 'null' to disable + legacyPort: 8080 + # -- Overrides the name of the Service. + # By using the same name as the nginx gateway Service, Helm will not delete the Service Resource. + # Instead, it will update the existing one in place. + # If left as an empty string, a name is generated. 
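+    # A minimal commented sketch for keeping an existing nginx gateway Service during a
+    # migration, so Helm updates it in place; the name below is hypothetical and must match
+    # the Service that already exists in your cluster:
+    # nameOverride: "my-release-mimir-nginx"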
+ nameOverride: "" + # -- https://kubernetes.io/docs/concepts/services-networking/service-traffic-policy/ + internalTrafficPolicy: Cluster + extraPorts: [] + # -- https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution + trafficDistribution: "" + + ingress: + enabled: false + # -- Overrides the name of the Ingress. + # By using the same name as the nginx gateway Ingress, Helm will not delete the Ingress Resource. + # Instead, it will update the existing one in place. + # If left as an empty string, a name is generated. + nameOverride: "" + # -- Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 + ingressClassName: "" + # -- Labels for the Ingress + labels: {} + # -- Annotations for the Ingress + annotations: {} + # -- Hosts configuration for the Ingress + hosts: + # -- Passed through the `tpl` function to allow templating. + - host: "{{ .Release.Name }}.mimir.example.com" + paths: + - path: / + # -- pathType (e.g. ImplementationSpecific, Prefix, .. etc.) might also be required by some Ingress Controllers + # pathType: Prefix + # -- TLS configuration for the nginx ingress + tls: + - secretName: mimir-tls + # -- Hosts included in the tls certificate. Passed through the `tpl` function to allow templating. + hosts: + - "{{ .Release.Name }}.mimir.example.com" + + # -- OpenShift Route configuration + route: + enabled: false + # -- Annotations for the Route + annotations: {} + # -- Passed through the `tpl` function to allow templating. + host: "{{ .Release.Name }}.mimir.example.com" + + tls: + # -- More details about TLS configuration and termination types: https://docs.openshift.com/container-platform/3.11/architecture/networking/routes.html#secured-routes + # For OpenShift 4: https://docs.openshift.com/container-platform/4.11/networking/routes/secured-routes.html + termination: edge + + readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 15 + timeoutSeconds: 1 + + nginx: + # -- Enable logging of 2xx and 3xx HTTP requests + verboseLogging: true + + # -- Image for the nginx. pullPolicy and optional pullSecrets are set in toplevel 'image' section, not here. + image: + # -- The Docker registry for nginx image + registry: docker.io + # -- The nginx image repository + repository: nginxinc/nginx-unprivileged + # -- The nginx image tag + tag: 1.29-alpine + + # -- Basic auth configuration + basicAuth: + # -- Enables basic authentication for nginx + enabled: false + # -- The basic auth username for nginx + username: null + # -- The basic auth password for nginx + password: null + # -- Uses the specified username and password to compute a htpasswd using Sprig's `htpasswd` function. + # The value is templated using `tpl`. Override this to use a custom htpasswd, e.g. in case the default causes + # high CPU load. + htpasswd: >- + {{ htpasswd (required "'gateway.nginx.basicAuth.username' is required" .Values.gateway.nginx.basicAuth.username) (required "'gateway.nginx.basicAuth.password' is required" .Values.gateway.nginx.basicAuth.password) }} + # -- Name of an existing basic auth secret to use instead of gateway.nginx.basicAuth.htpasswd. Must contain '.htpasswd' key + existingSecret: null + + config: + # -- NGINX log format + logFormat: |- + main '$remote_addr - $remote_user [$time_local] $status ' + '"$request" $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + # -- Sets the log level of the NGINX error log. 
One of `debug`, `info`, `notice`, `warn`, `error`, `crit`, `alert`, or `emerg` + errorLogLevel: error + # -- Enables NGINX access logs + accessLogEnabled: true + # -- Allows appending custom configuration to the server block + serverSnippet: "" + # -- Allows appending custom configuration to the http block + httpSnippet: "" + # -- Allow to set client_max_body_size in the nginx configuration + clientMaxBodySize: 540M + # -- Allows to set a custom resolver + resolver: null + # -- Configures whether or not NGINX bind IPv6 + enableIPv6: true + # -- Config file contents for Nginx. Passed through the `tpl` function to allow templating. + file: | + worker_processes 5; ## Default: 1 + error_log /dev/stderr {{ .Values.gateway.nginx.config.errorLogLevel }}; + pid /tmp/nginx.pid; + worker_rlimit_nofile 8192; + + events { + worker_connections 4096; ## Default: 1024 + } + + http { + client_body_temp_path /tmp/client_temp; + proxy_temp_path /tmp/proxy_temp_path; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + default_type application/octet-stream; + log_format {{ .Values.gateway.nginx.config.logFormat }} + + {{- if .Values.gateway.nginx.verboseLogging }} + access_log /dev/stderr main; + {{- else }} + + map $status $loggable { + ~^[23] 0; + default 1; + } + access_log {{ .Values.gateway.nginx.config.accessLogEnabled | ternary "/dev/stderr main if=$loggable;" "off;" }} + {{- end }} + + sendfile on; + tcp_nopush on; + proxy_http_version 1.1; + + {{- if .Values.gateway.nginx.config.resolver }} + resolver {{ .Values.gateway.nginx.config.resolver }}; + {{- else }} + resolver {{ .Values.global.dnsService }}.{{ .Values.global.dnsNamespace }}.svc.{{ .Values.global.clusterDomain }}; + {{- end }} + + {{- with .Values.gateway.nginx.config.httpSnippet }} + {{ . | nindent 2 }} + {{- end }} + + # Ensure that X-Scope-OrgID is always present, default to the no_auth_tenant for backwards compatibility when multi-tenancy was turned off. + map $http_x_scope_orgid $ensured_x_scope_orgid { + default $http_x_scope_orgid; + "" "{{ include "mimir.noAuthTenant" . }}"; + } + + map $http_x_scope_orgid $has_multiple_orgid_headers { + default 0; + "~^.+,.+$" 1; + } + + proxy_read_timeout 300; + server { + listen {{ include "mimir.serverHttpListenPort" . }}; + {{- if .Values.gateway.nginx.config.enableIPv6 }} + listen [::]:{{ include "mimir.serverHttpListenPort" . }}; + {{- end }} + + {{- if .Values.gateway.nginx.config.clientMaxBodySize }} + client_max_body_size {{ .Values.gateway.nginx.config.clientMaxBodySize }}; + {{- end }} + + {{- if .Values.gateway.nginx.basicAuth.enabled }} + auth_basic "Mimir"; + auth_basic_user_file /etc/nginx/secrets/.htpasswd; + {{- end }} + + if ($has_multiple_orgid_headers = 1) { + return 400 'Sending multiple X-Scope-OrgID headers is not allowed. Use a single header with | as separator instead.'; + } + + location = / { + return 200 'OK'; + auth_basic off; + } + + location = /ready { + return 200 'OK'; + auth_basic off; + } + + proxy_set_header X-Scope-OrgID $ensured_x_scope_orgid; + + # Distributor endpoints + location /distributor { + set $distributor {{ template "mimir.fullname" . }}-distributor-headless.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$distributor:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + location = /api/v1/push { + set $distributor {{ template "mimir.fullname" . 
}}-distributor-headless.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$distributor:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + location /otlp/v1/metrics { + set $distributor {{ template "mimir.fullname" . }}-distributor-headless.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$distributor:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + + # Alertmanager endpoints + location {{ template "mimir.alertmanagerHttpPrefix" . }} { + set $alertmanager {{ template "mimir.fullname" . }}-alertmanager-headless.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$alertmanager:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + location = /multitenant_alertmanager/status { + set $alertmanager {{ template "mimir.fullname" . }}-alertmanager-headless.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$alertmanager:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + location = /multitenant_alertmanager/configs { + set $alertmanager {{ template "mimir.fullname" . }}-alertmanager-headless.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$alertmanager:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + location = /api/v1/alerts { + set $alertmanager {{ template "mimir.fullname" . }}-alertmanager-headless.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$alertmanager:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + + # Ruler endpoints + location {{ template "mimir.prometheusHttpPrefix" . }}/config/v1/rules { + set $ruler {{ template "mimir.fullname" . }}-ruler.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$ruler:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + location {{ template "mimir.prometheusHttpPrefix" . }}/api/v1/rules { + set $ruler {{ template "mimir.fullname" . }}-ruler.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$ruler:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + + location {{ template "mimir.prometheusHttpPrefix" . }}/api/v1/alerts { + set $ruler {{ template "mimir.fullname" . }}-ruler.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$ruler:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + location = /ruler/ring { + set $ruler {{ template "mimir.fullname" . }}-ruler.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$ruler:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + + # Rest of {{ template "mimir.prometheusHttpPrefix" . }} goes to the query frontend + location {{ template "mimir.prometheusHttpPrefix" . }} { + set $query_frontend {{ template "mimir.fullname" . }}-query-frontend.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$query_frontend:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + + # Buildinfo endpoint can go to any component + location = /api/v1/status/buildinfo { + set $query_frontend {{ template "mimir.fullname" . }}-query-frontend.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$query_frontend:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + + # Compactor endpoint for uploading blocks + location /api/v1/upload/block/ { + set $compactor {{ template "mimir.fullname" . 
}}-compactor.{{ .Release.Namespace }}.svc.{{ .Values.global.clusterDomain }}; + proxy_pass http://$compactor:{{ include "mimir.serverHttpListenPort" . }}$request_uri; + } + + {{- with .Values.gateway.nginx.config.serverSnippet }} + {{ . | nindent 4 }} + {{- end }} + } + } + +metaMonitoring: + # Dashboard configuration for deploying Grafana dashboards for Mimir + dashboards: + # -- If enabled, Grafana dashboards are deployed + enabled: false + # -- Alternative namespace to create dashboards ConfigMaps in. They are created in the Helm release namespace by default. + namespace: null + # -- Annotations to add to the Grafana dashboard ConfigMap + annotations: + k8s-sidecar-target-directory: /tmp/dashboards/Mimir Dashboards + # -- Labels to add to the Grafana dashboard ConfigMap + labels: + grafana_dashboard: "1" + + # ServiceMonitor configuration for monitoring Kubernetes Services with Prometheus Operator, Grafana Agent (deprecated), and/or Grafana Alloy + serviceMonitor: + # -- If enabled, ServiceMonitor resources for Prometheus Operator are created + enabled: false + # -- To disable setting a 'cluster' label in metrics, set to 'null'. + # To overwrite the 'cluster' label with your own value, set to a non-empty string. + # Keep empty string "" to have the default value in the 'cluster' label, which is the helm release name for Mimir. + clusterLabel: "" + # -- Alternative namespace for ServiceMonitor resources + # If left unset, the default is to install the ServiceMonitor resources in the namespace where the chart is installed, i.e. the namespace specified for the helm command. + namespace: null + # -- Namespace selector for ServiceMonitor resources + # If left unset, the default is to select the namespace where the chart is installed, i.e. the namespace specified for the helm command. + namespaceSelector: null + # -- ServiceMonitor annotations + annotations: {} + # -- Additional ServiceMonitor labels + labels: {} + # -- ServiceMonitor scrape interval + interval: null + # -- ServiceMonitor scrape timeout in Go duration format (e.g. 15s) + scrapeTimeout: null + # -- ServiceMonitor relabel configs to apply to targets before scraping + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.RelabelConfig + relabelings: [] + # -- ServiceMonitor metric relabel configs to apply to samples before ingestion + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.RelabelConfig + metricRelabelings: [] + # -- ServiceMonitor will use http by default, but you can pick https as well + scheme: http + # -- ServiceMonitor will use these tlsConfig settings to make the health check requests + tlsConfig: null + + # Rules for the Prometheus Operator + prometheusRule: + # -- If enabled, a PrometheusRule resource for Prometheus Operator is created + enabled: false + # -- Create standard Mimir alerts in Prometheus Operator via a PrometheusRule CRD + mimirAlerts: false + # -- Create standard Mimir recording rules in Prometheus Operator via a PrometheusRule CRD + mimirRules: false + # -- PrometheusRule annotations + annotations: {} + # -- Additional PrometheusRule labels. To find out what your Prometheus operator expects, + # see the Prometheus object and field spec.ruleSelector + labels: {} + # -- prometheusRule namespace. 
This should be the namespace where the Prometheus Operator is installed, + # unless the Prometheus Operator is set up to look for rules outside its namespace + namespace: null + # -- Contents of Prometheus rules file + groups: [] + # - name: mimir_api_1 + # rules: + # - expr: histogram_quantile(0.99, sum(rate(cortex_request_duration_seconds_bucket[1m])) + # by (le, cluster, job)) + # record: cluster_job:cortex_request_duration_seconds:99quantile + # - expr: histogram_quantile(0.50, sum(rate(cortex_request_duration_seconds_bucket[1m])) + # by (le, cluster, job)) + # record: cluster_job:cortex_request_duration_seconds:50quantile + # - expr: sum(rate(cortex_request_duration_seconds_sum[1m])) by (cluster, job) / sum(rate(cortex_request_duration_seconds_count[1m])) + # by (cluster, job) + # record: cluster_job:cortex_request_duration_seconds:avg + # - expr: sum(rate(cortex_request_duration_seconds_bucket[1m])) by (le, cluster, job) + # record: cluster_job:cortex_request_duration_seconds_bucket:sum_rate + # - expr: sum(rate(cortex_request_duration_seconds_sum[1m])) by (cluster, job) + # record: cluster_job:cortex_request_duration_seconds_sum:sum_rate + # - expr: sum(rate(cortex_request_duration_seconds_count[1m])) by (cluster, job) + # record: cluster_job:cortex_request_duration_seconds_count:sum_rate + + # -- DEPRECATED: Grafana Agent is deprecated and will reach the End-of-Support in the end of 2025. + # Users are recommended to switch to Grafana k8s-monitoring, that orchestrates the lifecycle of Grafana Alloy instances, and comes with built-in support for monitoring Grafana LGTM stacks (https://github.com/grafana/k8s-monitoring-helm/tree/k8s-monitoring-3.2.2/charts/k8s-monitoring) + # metaMonitoring.grafanaAgent configures the built in Grafana Agent that can scrape metrics and logs and send them to a local or remote destination + grafanaAgent: + # -- Controls whether to create PodLogs, MetricsInstance, LogsInstance, and GrafanaAgent CRs to scrape the + # ServiceMonitors of the chart and ship metrics and logs to the remote endpoints below. + # Note that you need to configure serviceMonitor in order to have some metrics available. + enabled: false + + # -- Controls the image repository and tag for config-reloader and grafana-agent containers in the meta-monitoring + # StatefulSet and DaemonSet created by the grafana-agent-operator. You can define one or both sections under imageRepo. + # If a section is defined, you must pass repo, image and tag keys. + imageRepo: + # configReloader: + # repo: quay.io + # image: prometheus-operator/prometheus-config-reloader + # tag: v0.47.0 + # grafanaAgent: + # repo: docker.io + # image: grafana/agent + # tag: v0.29.0 + + # -- Resource requests and limits for the grafana-agent and config-reloader containers in the meta-monitoring + # StatefulSet and DaemonSet created by the grafana-agent-operator. You can define one or both sections under resources. + resources: + # configReloader: + # requests: + # cpu: 5m + # memory: 10Mi + # limits: + # memory: 50Mi + # grafanaAgent: + # requests: + # cpu: 20m + # memory: 700Mi + # limits: + # memory: 1400Mi + + # -- Controls whether to install the Grafana Agent Operator and its CRDs. + # Note that helm will not install CRDs if this flag is enabled during an upgrade. 
+ # In that case install the CRDs manually from https://github.com/grafana/agent/tree/main/operations/agent-static-operator/crds + installOperator: false + + logs: + # -- Controls whether to create resources PodLogs and LogsInstance resources + enabled: true + + # -- To disable setting a 'cluster' label in logs, set to 'null'. + # To overwrite the 'cluster' label with your own value, set to a non-empty string. + # Keep empty string "" to have the default value in the 'cluster' label, which is the helm release name for Mimir. + clusterLabel: "" + + # -- Default destination for logs. The config here is translated to Promtail client + # configuration to write logs to this Loki-compatible remote. Optional. + remote: + # -- Full URL for Loki push endpoint. Usually ends in /loki/api/v1/push + url: "" + + auth: + # -- Used to set X-Scope-OrgID header on requests. Usually not used in combination with username and password. + tenantId: "" + + # -- Basic authentication username. Optional. + username: "" + + # -- The value under key passwordSecretKey in this secret will be used as the basic authentication password. Required only if passwordSecretKey is set. + passwordSecretName: "" + # -- The value under this key in passwordSecretName will be used as the basic authentication password. Required only if passwordSecretName is set. + passwordSecretKey: "" + + # -- Client configurations for the LogsInstance that will scrape Mimir pods. Follows the format of .remote. + additionalClientConfigs: [] + + metrics: + # -- Controls whether to create MetricsInstance resources and ServiceMonitor resources for scraping Kubernetes (when .scrapeK8s.enabled=true). + enabled: true + + # -- Default destination for metrics. The config here is translated to remote_write + # configuration to push metrics to this Prometheus-compatible remote. Optional. + # Note that you need to configure serviceMonitor in order to have some metrics available. + # + # If you leave the metaMonitoring.grafanaAgent.metrics.remote.url field empty, + # then the chart automatically fills in the address of the Mimir NGINX Service. + # + # If metaMonitoring.grafanaAgent.metrics.remote.url is not set, + # then the metamonitoring metrics are sent to the Mimir cluster. + # You can query these metrics using the HTTP header X-Scope-OrgID: metamonitoring + remote: + # -- Full URL for Prometheus remote-write. Usually ends in /push. + # If you leave the url field empty, then the chart automatically fills in the + # address of the Mimir NGINX Service. + url: "" + + # -- Used to add HTTP headers to remote-write requests. + headers: {} + auth: + # -- Basic authentication username. Optional. + username: "" + + # -- The value under key passwordSecretKey in this secret will be used as the basic authentication password. Required only if passwordSecretKey is set. + passwordSecretName: "" + # -- The value under this key in passwordSecretName will be used as the basic authentication password. Required only if passwordSecretName is set. + passwordSecretKey: "" + + # -- Configuration for SigV4 authentication. + # sigv4: + # accessKey: abcd + # profile: default + # region: us-east-1 + # roleARN: arn:aws:iam::1234:role/1234 + # secretKey: abcd + sigv4: {} + + # -- Additional remote-write for the MetricsInstance that will scrape Mimir pods. Follows the format of .remote. 
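+      # An illustrative example (the URL below is a placeholder, not a real endpoint); each
+      # entry follows the same structure as .remote above:
+      # additionalRemoteWriteConfigs:
+      #   - url: "https://prometheus.example.com/api/v1/push"
+      #     headers: {}
+      #     auth:
+      #       username: ""
+      #       passwordSecretName: ""
+      #       passwordSecretKey: ""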
+ additionalRemoteWriteConfigs: [] + + scrapeK8s: + # -- When grafanaAgent.enabled and serviceMonitor.enabled, controls whether to create ServiceMonitors CRs + # for cadvisor, kubelet, and kube-state-metrics. The scraped metrics are reduced to those pertaining to + # Mimir pods only. + enabled: true + + # -- Controls service discovery of kube-state-metrics. + kubeStateMetrics: + namespace: kube-system + labelSelectors: + app.kubernetes.io/name: kube-state-metrics + service: + port: http-metrics + + # -- The scrape interval for all ServiceMonitors. + scrapeInterval: 60s + + # -- Sets the namespace of the resources. Leave empty or unset to use the same namespace as the Helm release. + namespace: "" + + # -- Labels to add to all monitoring.grafana.com custom resources. + # Does not affect the ServiceMonitors for kubernetes metrics; use serviceMonitor.labels for that. + labels: {} + + # -- Annotations to add to all monitoring.grafana.com custom resources. + # Does not affect the ServiceMonitors for kubernetes metrics; use serviceMonitor.annotations for that. + annotations: {} + + # -- SecurityContext of Grafana Agent pods. This is different from the SecurityContext that the operator pod runs with. + # The operator pod SecurityContext is configured in the grafana-agent-operator.podSecurityContext value. + # As of mimir-distributed 4.0.0 the Agent DaemonSet that collects logs needs to run as root and be able to access the + # pod logs on each host. Because of that the agent subchart is incompatible with the PodSecurityPolicy of the + # mimir-distributed chart and with the Restricted policy of Pod Security Standards https://kubernetes.io/docs/concepts/security/pod-security-standards/ + podSecurityContext: + # fsGroup: 10001 + # runAsGroup: 10001 + # runAsNonRoot: true + # runAsUser: 10001 + # seccompProfile: + # type: RuntimeDefault + + # -- SecurityContext of Grafana Agent containers. This is different from the SecurityContext that the operator container runs with. + # As of mimir-distributed 4.0.0 the agent subchart needs to have root file system write access so that the Agent pods can write temporary files where. + # This makes the subchart incompatible with the PodSecurityPolicy of the mimir-distributed chart. + containerSecurityContext: + # allowPrivilegeEscalation: false + # runAsUser: 10001 + # capabilities: + # drop: [ALL] + + # -- Node selector for Deployment Pods + nodeSelector: {} + # -- Tolerations for Deployment Pods + tolerations: [] + + # -- topologySpreadConstraints allows to customize the default topologySpreadConstraints. + # More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/#topologyspreadconstraints-field + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway + # minDomains: 1 + # nodeAffinityPolicy: Honor + # nodeTaintsPolicy: Honor + # matchLabelKeys: + # - pod-template-hash + +# -- DEPRECATED: Grafana Agent is deprecated and will reach the End-of-Support in the end of 2025. 
+# Users are recommended to switch to Grafana k8s-monitoring (https://github.com/grafana/k8s-monitoring-helm/tree/k8s-monitoring-3.2.2/charts/k8s-monitoring) +# -- Values exposed by the [Grafana agent-operator chart](https://github.com/grafana/helm-charts/blob/main/charts/agent-operator/values.yaml) +grafana-agent-operator: + podSecurityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + + containerSecurityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: [ALL] + +smoke_test: + # -- Allows to override the container image of the smoke-test component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir + # tag: 2.16.0 + # -- Controls the backoffLimit on the Kubernetes Job. The Job is marked as failed after that many retries. + backoffLimit: 5 + # The image section has been removed as continuous test is now a module of the regular Mimir image. + # See settings for the image at the top image section. + tenantId: "" + extraArgs: {} + env: [] + extraEnvFrom: [] + annotations: {} + initContainers: [] + resources: {} + # -- The name of the PriorityClass for smoke-test pods + priorityClassName: null + dnsConfig: {} + +# -- Settings for mimir-continuous-test. +# This continuously writes and reads metrics from Mimir. +# https://grafana.com/docs/mimir/latest/manage/tools/mimir-continuous-test/ +continuous_test: + enabled: false + # -- Allows to override the container image of the continuous-test component. + # When set it takes precedence over what is defined in global "image" . + image: + # repository: grafana/mimir-continuous-test + # tag: 2.16.0 + # -- Number of replicas to start of continuous test + replicas: 1 + revisionHistoryLimit: null + # The image section has been removed as continuous test is now a module of the regular Mimir image. + # See settings for the image at the top image section. + # -- The endpoints to use for writing to and reading metrics from your instance. + # Defaults to the gateway URL, but you may want to test from an external ingress which you can configure here. + ## -- Mimir Write Endpoint to use for writing metrics to your instance. Defaults to mimir.gatewayUrl if not set. + write: + # -- Mimir Read Endpoint to use for querying metrics from your instance. Defaults to mimir.gatewayUrl if not set. Path /prometheus is appended to value. + read: + # -- Authentication settings of continuous test + auth: + # -- Type of authentication to use (tenantId, basicAuth, bearerToken) + type: tenantId + # -- The tenant to use for tenantId or basicAuth authentication type + # In case of tenantId authentication, it is injected as the X-Scope-OrgID header on requests. + # In case of basicAuth, it is set as the username. + tenant: "mimir-continuous-test" + # -- Password for basicAuth auth (note: can be environment variable from secret attached in extraEnvFrom, e.g. $(PASSWORD)) + password: null + # -- Bearer token for bearerToken auth (note: can be environment variable from secret attached in extraEnvFrom, e.g. $(TOKEN)) + bearerToken: null + # -- The maximum number of series to write in a single request. + numSeries: 1000 + # -- How far back in the past metrics can be queried at most. 
+ maxQueryAge: "48h" + # -- Interval between test runs + runInterval: "5m" + + # -- Pod affinity settings for the continuous test replicas + affinity: {} + # -- Annotations for the continuous test Deployment + annotations: {} + # -- The SecurityContext for continuous test containers + containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: [ALL] + # -- Extra environment variables for continuous test containers + env: [] + # -- Extra command line arguments for the continuous test container + extraArgs: {} + # -- Extra environment from secret/configmap for continuous test containers + extraEnvFrom: [] + # -- Extra volumes for the continuous test container + extraVolumes: [] + # -- Extra volume mounts for the continuous test container + extraVolumeMounts: [] + # -- Extra containers for the continuous test Deployment + extraContainers: [] + # -- Extra initContainers for the continuous test Deployment + initContainers: [] + # -- Nodeselector of continuous test replicas + nodeSelector: {} + # -- The name of the PriorityClass for continuous test pods + priorityClassName: null + # -- Kubernetes resource requests and limits for continuous test + resources: + limits: + memory: 1Gi + requests: + cpu: "1" + memory: 512Mi + # -- Security context for the continuous test Deployment + securityContext: {} + # -- Service for monitoring continuous test + service: + annotations: {} + labels: {} + extraPorts: [] + # -- Upgrade strategy for the continuous test Deployment + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 + + dnsConfig: {} + tolerations: [] + terminationGracePeriodSeconds: 30 + +# -- Add dynamic manifests via values. Example: +# extraObjects: +# - kind: ConfigMap +# apiVersion: v1 +# metadata: +# name: extra-cm-{{ .Release.Name }} +# data: | +# extra.yml: "does-my-install-need-extra-info: true" +# alternatively, you can use strings, which lets you use the mimir defines: +# extraObjects: +# - | +# kind: ConfigMap +# apiVersion: v1 +# metadata: +# name: extra-cm-{{ .Release.Name }} +# data: | +# extra.yml: "{{ include some-mimir-define }}" +extraObjects: [] +enterprise: + image: + tag: r365-3fdf702d diff --git a/applications/base/services/observability/mimir/helmrelease.yaml b/applications/base/services/observability/mimir/helmrelease.yaml new file mode 100644 index 0000000..81dbb39 --- /dev/null +++ b/applications/base/services/observability/mimir/helmrelease.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: mimir + namespace: observability +spec: + interval: 5m + timeout: 10m + driftDetection: + mode: enabled + install: + remediation: + retries: 0 + remediateLastFailure: false + upgrade: + remediation: + retries: 0 + remediateLastFailure: false + targetNamespace: observability + chart: + spec: + chart: mimir-distributed + version: 6.0.3 + sourceRef: + kind: HelmRepository + name: grafana + namespace: observability + valuesFrom: + - kind: Secret + name: mimir-values-base + valuesKey: hardened.yaml + - kind: Secret + name: mimir-values-override + valuesKey: override.yaml + optional: true diff --git a/applications/base/services/observability/mimir/kustomization.yaml b/applications/base/services/observability/mimir/kustomization.yaml new file mode 100644 index 0000000..f8101de --- /dev/null +++ b/applications/base/services/observability/mimir/kustomization.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization 
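+# Illustrative example (not part of this base): a cluster repository consuming this base can
+# generate the optional override secret (name mimir-values-override, key override.yaml) that
+# the Mimir HelmRelease consumes, for instance:
+#   secretGenerator:
+#     - name: mimir-values-override
+#       namespace: observability
+#       type: Opaque
+#       files:
+#         - override.yaml=helm-values/cluster-override.yaml  # file path is an assumption
+#       options:
+#         disableNameSuffixHash: true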
+resources: + - "../sources/grafana.yaml" + - "helmrelease.yaml" +secretGenerator: + - name: mimir-values-base + namespace: observability + type: Opaque + files: + - hardened.yaml=helm-values/hardened-values-6.0.3.yaml + options: + disableNameSuffixHash: true diff --git a/applications/base/services/strimzi-kafka-operator/README.md b/applications/base/services/strimzi-kafka-operator/README.md new file mode 100644 index 0000000..22a9a4f --- /dev/null +++ b/applications/base/services/strimzi-kafka-operator/README.md @@ -0,0 +1,18 @@ +# Strimzi Kafka Operator – Base Configuration + +This directory contains the **base manifests** for deploying the +[Strimzi Kafka Operator](https://github.com/strimzi/strimzi-kafka-operator) +to run Apache Kafka on Kubernetes using a Kubernetes-native, operator-driven workflow. + +It is intended to be consumed by **cluster repositories** as a remote base, +with the option to provide cluster-specific overrides such as storage classes, +node placement, resource sizing, and exposure methods. + +## About Strimzi Kafka Operator + +- Provides a Kubernetes operator to deploy and manage **Apache Kafka** and its related components using Custom Resource Definitions (CRDs). +- Manages Kafka lifecycle operations including **scaling, rolling upgrades, configuration changes, and automated reconciliation**. +- Supports Kafka deployment using Kubernetes-native constructs such as **StatefulSets**, Services, and PodDisruptionBudgets. +- Enables secure Kafka clusters with built-in support for **TLS encryption**, authentication (TLS, SCRAM), and authorization patterns. +- Allows Kafka operational resources (topics, users, quotas) to be managed declaratively via **KafkaTopic** and **KafkaUser** CRDs. +- Commonly used to operate **production-grade Kafka on Kubernetes** with consistent configuration and standardized operational practices across environments. diff --git a/applications/base/services/strimzi-kafka-operator/helm-values/hardened-values-0.49.1.yaml b/applications/base/services/strimzi-kafka-operator/helm-values/hardened-values-0.49.1.yaml new file mode 100644 index 0000000..231f5a6 --- /dev/null +++ b/applications/base/services/strimzi-kafka-operator/helm-values/hardened-values-0.49.1.yaml @@ -0,0 +1,190 @@ +# Default values for strimzi-kafka-operator. + +# Default replicas for the cluster operator +replicas: 2 + +# If you set `watchNamespaces` to the same value as ``.Release.Namespace` (e.g. `helm ... 
--namespace $NAMESPACE`),
+# the chart will fail because it will attempt to create duplicate RoleBindings in the same namespace
+watchNamespaces: []
+watchAnyNamespace: false
+
+defaultImageRegistry: quay.io
+defaultImageRepository: strimzi
+defaultImageTag: 0.49.1
+
+image:
+  registry: ""
+  repository: ""
+  name: operator
+  tag: ""
+  # imagePullSecrets:
+  # - name: secretname
+logVolume: co-config-volume
+logConfigMap: strimzi-cluster-operator
+logConfiguration: ""
+logLevel: ${env:STRIMZI_LOG_LEVEL:-INFO}
+fullReconciliationIntervalMs: 120000
+operationTimeoutMs: 300000
+kubernetesServiceDnsDomain: cluster.local
+featureGates: ""
+tmpDirSizeLimit: 1Mi
+
+# Example of how to configure extraEnvs
+# extraEnvs:
+#   - name: JAVA_OPTS
+#     value: "-Xms256m -Xmx256m"
+
+extraEnvs: []
+
+tolerations: []
+affinity: {}
+annotations: {}
+labels: {}
+nodeSelector: {}
+deploymentAnnotations: {}
+deploymentStrategy: {}
+priorityClassName: ""
+
+podSecurityContext: {}
+securityContext: {}
+rbac:
+  create: yes
+serviceAccountCreate: yes
+serviceAccount: strimzi-cluster-operator
+
+leaderElection:
+  enable: true
+
+# https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+podDisruptionBudget:
+  enabled: true
+  # The PDB definition has three attributes that control the availability requirements:
+  #  minAvailable or maxUnavailable (mutually exclusive).
+  #  unhealthyPodEvictionPolicy
+  #
+  # Field maxUnavailable tells how many pods can be down and minAvailable tells how many pods must be running in a cluster.
+
+  # The PDB template checks the values in the following order
+  #
+  # {{- if .Values.podDisruptionBudget.minAvailable }}
+  # minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+  # {{- end }}
+  # {{- if .Values.podDisruptionBudget.maxUnavailable }}
+  # maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
+  # {{- end }}
+  #
+  # If both values are set, the template uses the first one and ignores the second one. Currently, minAvailable is set to 1 by default.
+  minAvailable: 1
+  maxUnavailable:
+  unhealthyPodEvictionPolicy: IfHealthyBudget
+
+# If you are using the grafana dashboard sidecar,
+# you can import some default dashboards here
+dashboards:
+  enabled: true
+  namespace: ~
+  label: grafana_dashboard # this is the default value from the grafana chart
+  labelValue: "1" # this is the default value from the grafana chart
+  annotations: {}
+  extraLabels: {}
+
+# Docker images that the operator uses to provision various components of Strimzi.
+# To use your own registry or repository, define them for each component below or generally via defaultImageRegistry and defaultImageRepository above +kafka: + image: + registry: "" + repository: "" + name: kafka + tagPrefix: "" +kafkaConnect: + image: + registry: "" + repository: "" + name: kafka + tagPrefix: "" +topicOperator: + image: + registry: "" + repository: "" + name: operator + tag: "" +userOperator: + image: + registry: + repository: + name: operator + tag: "" +kafkaInit: + image: + registry: "" + repository: "" + name: operator + tag: "" +kafkaBridge: + image: + registry: "" + repository: + name: kafka-bridge + tag: 0.33.1 +kafkaExporter: + image: + registry: "" + repository: "" + name: kafka + tagPrefix: "" +kafkaMirrorMaker2: + image: + registry: "" + repository: "" + name: kafka + tagPrefix: "" +cruiseControl: + image: + registry: "" + repository: "" + name: kafka + tagPrefix: "" +kanikoExecutor: + image: + registry: "" + repository: "" + name: kaniko-executor + tag: "" +buildah: + image: + registry: "" + repository: "" + name: buildah + tag: "" +mavenBuilder: + image: + registry: "" + repository: "" + name: maven-builder + tag: "" +resources: + limits: + memory: 384Mi + cpu: 1000m + requests: + memory: 384Mi + cpu: 200m +livenessProbe: + initialDelaySeconds: 10 + periodSeconds: 30 +readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 30 + +createGlobalResources: true +# Create clusterroles that extend existing clusterroles to interact with strimzi crds +# Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles +createAggregateRoles: false +# Override the exclude pattern for exclude some labels +labelsExclusionPattern: "" +# Controls whether Strimzi generates network policy resources (By default true) +generateNetworkPolicy: true +# Override the value for Connect build timeout +connectBuildTimeoutMs: 300000 +# Controls whether Strimzi generates pod disruption budget resources (By default true) +generatePodDisruptionBudget: true diff --git a/applications/base/services/strimzi-kafka-operator/helmrelease.yaml b/applications/base/services/strimzi-kafka-operator/helmrelease.yaml new file mode 100644 index 0000000..a4e6932 --- /dev/null +++ b/applications/base/services/strimzi-kafka-operator/helmrelease.yaml @@ -0,0 +1,37 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: strimzi-kafka-operator + namespace: kafka-system +spec: + releaseName: strimzi-kafka-operator + interval: 5m + timeout: 10m + driftDetection: + mode: enabled + install: + remediation: + retries: 3 + remediateLastFailure: true + upgrade: + remediation: + retries: 0 + remediateLastFailure: false + targetNamespace: kafka-system + chart: + spec: + chart: strimzi-kafka-operator + version: 0.49.1 + sourceRef: + kind: HelmRepository + name: strimzi-kafka-operator + namespace: kafka-system + valuesFrom: + - kind: Secret + name: kafka-api-values-base + valuesKey: hardened.yaml + - kind: Secret + name: kafka-api-values-override + valuesKey: override.yaml + optional: true diff --git a/applications/base/services/strimzi-kafka-operator/kustomization.yaml b/applications/base/services/strimzi-kafka-operator/kustomization.yaml new file mode 100644 index 0000000..382d307 --- /dev/null +++ b/applications/base/services/strimzi-kafka-operator/kustomization.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - "namespace.yaml" + - "source.yaml" + - "helmrelease.yaml" +secretGenerator: + - name: 
kafka-api-values-base + namespace: kafka-system + type: Opaque + files: + - hardened.yaml=helm-values/hardened-values-0.49.1.yaml + options: + disableNameSuffixHash: true diff --git a/applications/base/services/strimzi-kafka-operator/namespace.yaml b/applications/base/services/strimzi-kafka-operator/namespace.yaml new file mode 100644 index 0000000..bd055a1 --- /dev/null +++ b/applications/base/services/strimzi-kafka-operator/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kafka-system diff --git a/applications/base/services/strimzi-kafka-operator/source.yaml b/applications/base/services/strimzi-kafka-operator/source.yaml new file mode 100644 index 0000000..0700f30 --- /dev/null +++ b/applications/base/services/strimzi-kafka-operator/source.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: strimzi-kafka-operator +spec: + url: oci://quay.io/strimzi-helm + interval: 1h + type: oci