Grafana

Usage example

Example

apiVersion: aiven.io/v1alpha1
kind: Grafana
metadata:
  name: my-grafana
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: grafana-secret
    prefix: MY_SECRET_PREFIX_
    annotations:
      foo: bar
    labels:
      baz: egg

  project: my-aiven-project
  cloudName: google-europe-west1
  plan: startup-1

  maintenanceWindowDow: sunday
  maintenanceWindowTime: 11:00:00

  userConfig:
    public_access:
      grafana: true
    ip_filter:
      - network: 0.0.0.0
        description: whatever
      - network: 10.20.0.0/16

Info

To create this resource, a Secret containing Aiven token must be created first.

Apply the resource with:

kubectl apply -f example.yaml

Verify the newly created Grafana:

kubectl get grafanas my-grafana

The output is similar to the following:

Name          Project             Region                 Plan         State      
my-grafana    my-aiven-project    google-europe-west1    startup-1    RUNNING    

To view the details of the Secret, use the following command:

kubectl describe secret grafana-secret

You can use the jq to quickly decode the Secret:

kubectl get secret grafana-secret -o json | jq '.data | map_values(@base64d)'

The output is similar to the following:

{
    "GRAFANA_HOST": "<secret>",
    "GRAFANA_PORT": "<secret>",
    "GRAFANA_USER": "<secret>",
    "GRAFANA_PASSWORD": "<secret>",
    "GRAFANA_URI": "<secret>",
    "GRAFANA_HOSTS": "<secret>",
}

Grafana

Grafana is the Schema for the grafanas API.

Exposes secret keys

GRAFANA_HOST, GRAFANA_PORT, GRAFANA_USER, GRAFANA_PASSWORD, GRAFANA_URI, GRAFANA_HOSTS.

Required

• apiVersion (string). Value aiven.io/v1alpha1.
• kind (string). Value Grafana.
• metadata (object). Data that identifies the object, including a name string and optional namespace.
• spec (object). GrafanaSpec defines the desired state of Grafana. See below for nested schema.

spec

Appears on Grafana.

GrafanaSpec defines the desired state of Grafana.

Required

• plan (string, MaxLength: 128). Subscription plan.
• project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.

Optional

• authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
• cloudName (string, MaxLength: 256). Cloud the service runs in.
• connInfoSecretTarget (object). Secret configuration. See below for nested schema.
• connInfoSecretTargetDisabled (boolean, Immutable). When true, the secret containing connection information will not be created, defaults to false. This field cannot be changed after resource creation.
• disk_space (string, Pattern: (?i)^[1-9][0-9]*(GiB|G)?$). The disk space of the service, possible values depend on the service type, the cloud provider and the project. Reducing will result in the service re-balancing. The removal of this field does not change the value.
• maintenanceWindowDow (string, Enum: monday, tuesday, wednesday, thursday, friday, saturday, sunday). Day of week when maintenance operations should be performed. One monday, tuesday, wednesday, etc.
• maintenanceWindowTime (string, MaxLength: 8). Time of day when maintenance operations should be performed. UTC time in HH:mm:ss format.
• projectVPCRef (object). ProjectVPCRef reference to ProjectVPC resource to use its ID as ProjectVPCID automatically. See below for nested schema.
• projectVpcId (string, MaxLength: 36). Identifier of the VPC the service should be in, if any.
• serviceIntegrations (array of objects, Immutable, MaxItems: 1). Service integrations to specify when creating a service. Not applied after initial service creation. See below for nested schema.
• tags (object, AdditionalProperties: string). Tags are key-value pairs that allow you to categorize services.
• technicalEmails (array of objects, MaxItems: 10). Defines the email addresses that will receive alerts about upcoming maintenance updates or warnings about service instability. See below for nested schema.
• terminationProtection (boolean). Prevent service from being deleted. It is recommended to have this enabled for all services.
• userConfig (object). Cassandra specific user configuration options. See below for nested schema.

authSecretRef

Appears on spec.

Authentication reference to Aiven token in a secret.

Required

• key (string, MinLength: 1).
• name (string, MinLength: 1).

connInfoSecretTarget

Appears on spec.

Secret configuration.

Required

• name (string, Immutable). Name of the secret resource to be created. By default, it is equal to the resource name.

Optional

• annotations (object, AdditionalProperties: string). Annotations added to the secret.
• labels (object, AdditionalProperties: string). Labels added to the secret.
• prefix (string). Prefix for the secret's keys. Added "as is" without any transformations. By default, is equal to the kind name in uppercase + underscore, e.g. KAFKA_, REDIS_, etc.

projectVPCRef

Appears on spec.

ProjectVPCRef reference to ProjectVPC resource to use its ID as ProjectVPCID automatically.

Required

• name (string, MinLength: 1).

Optional

• namespace (string, MinLength: 1).

serviceIntegrations

Appears on spec.

Service integrations to specify when creating a service. Not applied after initial service creation.

Required

• integrationType (string, Enum: read_replica).
• sourceServiceName (string, MinLength: 1, MaxLength: 64).

technicalEmails

Appears on spec.

Defines the email addresses that will receive alerts about upcoming maintenance updates or warnings about service instability.

Required

• email (string). Email address.

userConfig

Appears on spec.

Cassandra specific user configuration options.

Optional

• additional_backup_regions (array of strings, MaxItems: 1). Additional Cloud Regions for Backup Replication.
• alerting_enabled (boolean). Enable or disable Grafana legacy alerting functionality. This should not be enabled with unified_alerting_enabled.
• alerting_error_or_timeout (string, Enum: alerting, keep_state). Default error or timeout setting for new alerting rules.
• alerting_max_annotations_to_keep (integer, Minimum: 0, Maximum: 1000000). Max number of alert annotations that Grafana stores. 0 (default) keeps all alert annotations.
• alerting_nodata_or_nullvalues (string, Enum: alerting, no_data, keep_state, ok). Default value for 'no data or null values' for new alerting rules.
• allow_embedding (boolean). Allow embedding Grafana dashboards with iframe/frame/object/embed tags. Disabled by default to limit impact of clickjacking.
• auth_azuread (object). Azure AD OAuth integration. See below for nested schema.
• auth_basic_enabled (boolean). Enable or disable basic authentication form, used by Grafana built-in login.
• auth_generic_oauth (object). Generic OAuth integration. See below for nested schema.
• auth_github (object). Github Auth integration. See below for nested schema.
• auth_gitlab (object). GitLab Auth integration. See below for nested schema.
• auth_google (object). Google Auth integration. See below for nested schema.
• cookie_samesite (string, Enum: lax, strict, none). Cookie SameSite attribute: strict prevents sending cookie for cross-site requests, effectively disabling direct linking from other sites to Grafana. lax is the default value.
• custom_domain (string, MaxLength: 255). Serve the web frontend using a custom CNAME pointing to the Aiven DNS name.
• dashboard_previews_enabled (boolean). This feature is new in Grafana 9 and is quite resource intensive. It may cause low-end plans to work more slowly while the dashboard previews are rendering.
• dashboards_min_refresh_interval (string, Pattern: ^[0-9]+(ms|s|m|h|d)$, MaxLength: 16). Signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s, 1h.
• dashboards_versions_to_keep (integer, Minimum: 1, Maximum: 100). Dashboard versions to keep per dashboard.
• dataproxy_send_user_header (boolean). Send X-Grafana-User header to data source.
• dataproxy_timeout (integer, Minimum: 15, Maximum: 90). Timeout for data proxy requests in seconds.
• date_formats (object). Grafana date format specifications. See below for nested schema.
• disable_gravatar (boolean). Set to true to disable gravatar. Defaults to false (gravatar is enabled).
• editors_can_admin (boolean). Editors can manage folders, teams and dashboards created by them.
• external_image_storage (object). External image store settings. See below for nested schema.
• google_analytics_ua_id (string, Pattern: ^(G|UA|YT|MO)-[a-zA-Z0-9-]+$, MaxLength: 64). Google Analytics ID.
• ip_filter (array of objects, MaxItems: 1024). Allow incoming connections from CIDR address block, e.g. 10.20.0.0/16. See below for nested schema.
• metrics_enabled (boolean). Enable Grafana /metrics endpoint.
• oauth_allow_insecure_email_lookup (boolean). Enforce user lookup based on email instead of the unique ID provided by the IdP.
• private_access (object). Allow access to selected service ports from private networks. See below for nested schema.
• privatelink_access (object). Allow access to selected service components through Privatelink. See below for nested schema.
• project_to_fork_from (string, Immutable, Pattern: ^[a-z][-a-z0-9]{0,63}$|^$, MaxLength: 63). Name of another project to fork a service from. This has effect only when a new service is being created.
• public_access (object). Allow access to selected service ports from the public Internet. See below for nested schema.
• recovery_basebackup_name (string, Pattern: ^[a-zA-Z0-9-_:.]+$, MaxLength: 128). Name of the basebackup to restore in forked service.
• service_log (boolean). Store logs for the service so that they are available in the HTTP API and console.
• service_to_fork_from (string, Immutable, Pattern: ^[a-z][-a-z0-9]{0,63}$|^$, MaxLength: 64). Name of another service to fork from. This has effect only when a new service is being created.
• smtp_server (object). SMTP server settings. See below for nested schema.
• static_ips (boolean). Use static public IP addresses.
• unified_alerting_enabled (boolean). Enable or disable Grafana unified alerting functionality. By default this is enabled and any legacy alerts will be migrated on upgrade to Grafana 9+. To stay on legacy alerting, set unified_alerting_enabled to false and alerting_enabled to true. See https://grafana.com/docs/grafana/latest/alerting/set-up/migrating-alerts/ for more details.
• user_auto_assign_org (boolean). Auto-assign new users on signup to main organization. Defaults to false.
• user_auto_assign_org_role (string, Enum: Viewer, Admin, Editor). Set role for new signups. Defaults to Viewer.
• viewers_can_edit (boolean). Users with view-only permission can edit but not save dashboards.
• wal (boolean). Setting to enable/disable Write-Ahead Logging. The default value is false (disabled).

auth_azuread

Appears on spec.userConfig.

Azure AD OAuth integration.

Required

• auth_url (string, MaxLength: 2048). Authorization URL.
• client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
• client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.
• token_url (string, MaxLength: 2048). Token URL.

Optional

• allow_sign_up (boolean). Automatically sign-up users on successful sign-in.
• allowed_domains (array of strings, MaxItems: 50). Allowed domains.
• allowed_groups (array of strings, MaxItems: 50). Require users to belong to one of given groups.

auth_generic_oauth

Appears on spec.userConfig.

Generic OAuth integration.

Required

• api_url (string, MaxLength: 2048). API URL.
• auth_url (string, MaxLength: 2048). Authorization URL.
• client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
• client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.
• token_url (string, MaxLength: 2048). Token URL.

Optional

• allow_sign_up (boolean). Automatically sign-up users on successful sign-in.
• allowed_domains (array of strings, MaxItems: 50). Allowed domains.
• allowed_organizations (array of strings, MaxItems: 50). Require user to be member of one of the listed organizations.
• auto_login (boolean). Allow users to bypass the login screen and automatically log in.
• name (string, Pattern: ^[a-zA-Z0-9_\- ]+$, MaxLength: 128). Name of the OAuth integration.
• scopes (array of strings, MaxItems: 50). OAuth scopes.
• use_refresh_token (boolean). Set to true to use refresh token and check access token expiration.

auth_github

Appears on spec.userConfig.

Github Auth integration.

Required

• client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
• client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.

Optional

• allow_sign_up (boolean). Automatically sign-up users on successful sign-in.
• allowed_organizations (array of strings, MaxItems: 50). Require users to belong to one of given organizations.
• auto_login (boolean). Allow users to bypass the login screen and automatically log in.
• skip_org_role_sync (boolean). Stop automatically syncing user roles.
• team_ids (array of integers, MaxItems: 50). Require users to belong to one of given team IDs.

auth_gitlab

Appears on spec.userConfig.

GitLab Auth integration.

Required

• allowed_groups (array of strings, MaxItems: 50). Require users to belong to one of given groups.
• client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
• client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.

Optional

• allow_sign_up (boolean). Automatically sign-up users on successful sign-in.
• api_url (string, MaxLength: 2048). API URL. This only needs to be set when using self hosted GitLab.
• auth_url (string, MaxLength: 2048). Authorization URL. This only needs to be set when using self hosted GitLab.
• token_url (string, MaxLength: 2048). Token URL. This only needs to be set when using self hosted GitLab.

auth_google

Appears on spec.userConfig.

Google Auth integration.

Required

• allowed_domains (array of strings, MaxItems: 64). Domains allowed to sign-in to this Grafana.
• client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
• client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.

Optional

• allow_sign_up (boolean). Automatically sign-up users on successful sign-in.

date_formats

Appears on spec.userConfig.

Grafana date format specifications.

Optional

• default_timezone (string, MaxLength: 64). Default time zone for user preferences. Value browser uses browser local time zone.
• full_date (string, MaxLength: 128). Moment.js style format string for cases where full date is shown.
• interval_day (string, MaxLength: 128). Moment.js style format string used when a time requiring day accuracy is shown.
• interval_hour (string, MaxLength: 128). Moment.js style format string used when a time requiring hour accuracy is shown.
• interval_minute (string, MaxLength: 128). Moment.js style format string used when a time requiring minute accuracy is shown.
• interval_month (string, MaxLength: 128). Moment.js style format string used when a time requiring month accuracy is shown.
• interval_second (string, MaxLength: 128). Moment.js style format string used when a time requiring second accuracy is shown.
• interval_year (string, MaxLength: 128). Moment.js style format string used when a time requiring year accuracy is shown.

external_image_storage

Appears on spec.userConfig.

External image store settings.

Required

• access_key (string, Pattern: ^[A-Z0-9]+$, MaxLength: 4096). S3 access key. Requires permissions to the S3 bucket for the s3:PutObject and s3:PutObjectAcl actions.
• bucket_url (string, MaxLength: 2048). Bucket URL for S3.
• provider (string, Enum: s3). Provider type.
• secret_key (string, Pattern: ^[A-Za-z0-9/+=]+$, MaxLength: 4096). S3 secret key.

ip_filter

Appears on spec.userConfig.

CIDR address block, either as a string, or in a dict with an optional description field.

Required

• network (string, MaxLength: 43). CIDR address block.

Optional

• description (string, MaxLength: 1024). Description for IP filter list entry.

private_access

Appears on spec.userConfig.

Allow access to selected service ports from private networks.

Required

• grafana (boolean). Allow clients to connect to grafana with a DNS name that always resolves to the service's private IP addresses. Only available in certain network locations.

privatelink_access

Appears on spec.userConfig.

Allow access to selected service components through Privatelink.

Required

• grafana (boolean). Enable grafana.

public_access

Appears on spec.userConfig.

Allow access to selected service ports from the public Internet.

Required

• grafana (boolean). Allow clients to connect to grafana from the public internet for service nodes that are in a project VPC or another type of private network.

smtp_server

Appears on spec.userConfig.

SMTP server settings.

Required

• from_address (string, MaxLength: 319). Address used for sending emails.
• host (string, MaxLength: 255). Server hostname or IP.
• port (integer, Minimum: 1, Maximum: 65535). SMTP server port.

Optional

• from_name (string, Pattern: ^[^\x00-\x1F]+$, MaxLength: 128). Name used in outgoing emails, defaults to Grafana.
• password (string, Pattern: ^[^\x00-\x1F]+$, MaxLength: 255). Password for SMTP authentication.
• skip_verify (boolean). Skip verifying server certificate. Defaults to false.
• starttls_policy (string, Enum: OpportunisticStartTLS, MandatoryStartTLS, NoStartTLS). Either OpportunisticStartTLS, MandatoryStartTLS or NoStartTLS. Default is OpportunisticStartTLS.
• username (string, Pattern: ^[^\x00-\x1F]+$, MaxLength: 255). Username for SMTP authentication.