--- # Source: grafana/templates/podsecuritypolicy.yaml apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: graphs-grafana namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm annotations: seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' spec: privileged: false allowPrivilegeEscalation: false requiredDropCapabilities: # Default set from Docker, without DAC_OVERRIDE or CHOWN - FOWNER - FSETID - KILL - SETGID - SETUID - SETPCAP - NET_BIND_SERVICE - NET_RAW - SYS_CHROOT - MKNOD - AUDIT_WRITE - SETFCAP volumes: - 'configMap' - 'emptyDir' - 'projected' - 'secret' - 'downwardAPI' - 'persistentVolumeClaim' hostNetwork: false hostIPC: false hostPID: false runAsUser: rule: 'RunAsAny' seLinux: rule: 'RunAsAny' supplementalGroups: rule: 'RunAsAny' fsGroup: rule: 'RunAsAny' readOnlyRootFilesystem: false --- # Source: grafana/templates/tests/test-podsecuritypolicy.yaml apiVersion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: graphs-grafana-test namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm spec: allowPrivilegeEscalation: true privileged: false hostNetwork: false hostIPC: false hostPID: false fsGroup: rule: RunAsAny seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny volumes: - configMap - downwardAPI - emptyDir - projected - secret --- # Source: grafana/templates/serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm name: graphs-grafana namespace: graphs --- # Source: grafana/templates/tests/test-serviceaccount.yaml apiVersion: v1 kind: ServiceAccount metadata: labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm name: graphs-grafana-test namespace: graphs --- # Source: grafana/templates/configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: graphs-grafana namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm data: grafana.ini: | [analytics] check_for_updates = true [grafana_net] url = https://grafana.net [log] mode = console [paths] data = /var/lib/grafana/data logs = /var/log/grafana plugins = /var/lib/grafana/plugins provisioning = /etc/grafana/provisioning --- # Source: grafana/templates/tests/test-configmap.yaml apiVersion: v1 kind: ConfigMap metadata: name: graphs-grafana-test namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm data: run.sh: |- @test "Test Health" { url="http://graphs-grafana/api/health" code=$(wget --server-response --spider --timeout 10 --tries 1 ${url} 2>&1 | awk '/^ HTTP/{print $2}') [ "$code" == "200" ] } --- # Source: grafana/templates/pvc.yaml apiVersion: v1 kind: PersistentVolumeClaim metadata: name: graphs-grafana namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm finalizers: - kubernetes.io/pvc-protection spec: accessModes: - "ReadWriteOnce" resources: requests: storage: "1Gi" storageClassName: local-path --- # Source: grafana/templates/role.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role metadata: name: graphs-grafana namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: ['extensions'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: [graphs-grafana] --- # Source: grafana/templates/tests/test-role.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: graphs-grafana-test namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm rules: - apiGroups: ['policy'] resources: ['podsecuritypolicies'] verbs: ['use'] resourceNames: [graphs-grafana-test] --- # Source: grafana/templates/rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding metadata: name: graphs-grafana namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: graphs-grafana subjects: - kind: ServiceAccount name: graphs-grafana namespace: graphs --- # Source: grafana/templates/tests/test-rolebinding.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: graphs-grafana-test namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: graphs-grafana-test subjects: - kind: ServiceAccount name: graphs-grafana-test namespace: graphs --- # Source: grafana/templates/service.yaml apiVersion: v1 kind: Service metadata: name: graphs-grafana namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm spec: type: ClusterIP ports: - name: service port: 80 protocol: TCP targetPort: 3000 selector: app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs --- # Source: grafana/templates/deployment.yaml apiVersion: apps/v1 kind: Deployment metadata: name: graphs-grafana namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm spec: replicas: 1 selector: matchLabels: app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs strategy: type: RollingUpdate template: metadata: labels: app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs annotations: checksum/config: f34039c0df1008eed25ca27450db228f70591224ed3ceb5530368abccd411749 checksum/dashboards-json-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b checksum/sc-dashboard-provider-config: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b spec: serviceAccountName: graphs-grafana securityContext: fsGroup: 472 runAsGroup: 472 runAsUser: 472 initContainers: - name: init-chown-data image: "busybox:1.32.0" imagePullPolicy: IfNotPresent securityContext: runAsUser: 0 command: ["chown", "-R", "472:472", "/var/lib/grafana"] resources: {} volumeMounts: - name: storage mountPath: "/var/lib/grafana" containers: - name: grafana image: "grafana/grafana:7.4.3" imagePullPolicy: IfNotPresent volumeMounts: - name: config mountPath: "/etc/grafana/grafana.ini" subPath: grafana.ini - name: storage mountPath: "/var/lib/grafana" ports: - name: service containerPort: 80 protocol: TCP - name: grafana containerPort: 3000 protocol: TCP env: - name: GF_SECURITY_ADMIN_USER valueFrom: secretKeyRef: name: admin-creds key: admin-user - name: GF_SECURITY_ADMIN_PASSWORD valueFrom: secretKeyRef: name: admin-creds key: admin-password - name: "GF_AUTH_ANONYMOUS_ENABLED" value: "true" - name: "GF_SERVER_DOMAIN" value: "graphs.tbrnt.ch" - name: "GF_SERVER_ROOT_URL" value: "https://graphs.tbrnt.ch" livenessProbe: failureThreshold: 10 httpGet: path: /api/health port: 3000 initialDelaySeconds: 60 timeoutSeconds: 30 readinessProbe: httpGet: path: /api/health port: 3000 resources: {} volumes: - name: config configMap: name: graphs-grafana - name: storage persistentVolumeClaim: claimName: graphs-grafana --- # Source: grafana/templates/ingress.yaml apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: graphs-grafana namespace: graphs labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm annotations: cert-manager.io/cluster-issuer: "letsencrypt-prod" ingress.kubernetes.io/ssl-redirect: "true" spec: tls: - hosts: - graphs.tbrnt.ch secretName: graphs-tbrnt-ch-cert rules: - host: graphs.tbrnt.ch http: paths: - path: / backend: serviceName: graphs-grafana servicePort: 80 --- # Source: grafana/templates/tests/test.yaml apiVersion: v1 kind: Pod metadata: name: graphs-grafana-test labels: helm.sh/chart: grafana-5.2.1 app.kubernetes.io/name: grafana app.kubernetes.io/instance: graphs app.kubernetes.io/version: "7.0.3" app.kubernetes.io/managed-by: Helm annotations: "helm.sh/hook": test-success namespace: graphs spec: serviceAccountName: graphs-grafana-test containers: - name: graphs-test image: "bats/bats:1.2.1" imagePullPolicy: "IfNotPresent" command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"] volumeMounts: - mountPath: /tests name: tests readOnly: true volumes: - name: tests configMap: name: graphs-grafana-test restartPolicy: Never