
Grafana

Usage example

apiVersion: aiven.io/v1alpha1
kind: Grafana
metadata:
  name: my-grafana
spec:
  authSecretRef:
    name: aiven-token
    key: token

  connInfoSecretTarget:
    name: grafana-secret
    prefix: MY_SECRET_PREFIX_
    annotations:
      foo: bar
    labels:
      baz: egg

  project: my-aiven-project
  cloudName: google-europe-west1
  plan: startup-1

  maintenanceWindowDow: sunday
  maintenanceWindowTime: 11:00:00

  userConfig:
    public_access:
      grafana: true
    ip_filter:
      - network: 0.0.0.0
        description: whatever
      - network: 10.20.0.0/16

Info

To create this resource, a Secret containing the Aiven token must be created first.

Apply the resource with:

kubectl apply -f example.yaml

Verify the newly created Grafana:

kubectl get grafanas my-grafana

The output is similar to the following:

Name          Project             Region                 Plan         State      
my-grafana    my-aiven-project    google-europe-west1    startup-1    RUNNING    

To view the details of the Secret, use the following command:

kubectl describe secret grafana-secret

You can use jq to quickly decode the Secret:

kubectl get secret grafana-secret -o json | jq '.data | map_values(@base64d)'

The output is similar to the following:

{
    "GRAFANA_HOST": "<secret>",
    "GRAFANA_PORT": "<secret>",
    "GRAFANA_USER": "<secret>",
    "GRAFANA_PASSWORD": "<secret>",
    "GRAFANA_URI": "<secret>",
    "GRAFANA_HOSTS": "<secret>"
}

Grafana

Grafana is the Schema for the grafanas API.

Exposes secret keys

GRAFANA_HOST, GRAFANA_PORT, GRAFANA_USER, GRAFANA_PASSWORD, GRAFANA_URI, GRAFANA_HOSTS.

Required

  • apiVersion (string). Value aiven.io/v1alpha1.
  • kind (string). Value Grafana.
  • metadata (object). Data that identifies the object, including a name string and optional namespace.
  • spec (object). GrafanaSpec defines the desired state of Grafana. See below for nested schema.

spec

Appears on Grafana.

GrafanaSpec defines the desired state of Grafana.

Required

  • plan (string, MaxLength: 128). Subscription plan.
  • project (string, Immutable, Pattern: ^[a-zA-Z0-9_-]+$, MaxLength: 63). Identifies the project this resource belongs to.

Optional

  • authSecretRef (object). Authentication reference to Aiven token in a secret. See below for nested schema.
  • cloudName (string, MaxLength: 256). Cloud the service runs in.
  • connInfoSecretTarget (object). Secret configuration. See below for nested schema.
  • connInfoSecretTargetDisabled (boolean, Immutable). When true, the secret containing connection information will not be created. Defaults to false. This field cannot be changed after resource creation.
  • disk_space (string, Pattern: (?i)^[1-9][0-9]*(GiB|G)?$). The disk space of the service, possible values depend on the service type, the cloud provider and the project. Reducing will result in the service re-balancing. The removal of this field does not change the value.
  • maintenanceWindowDow (string, Enum: monday, tuesday, wednesday, thursday, friday, saturday, sunday). Day of week when maintenance operations should be performed. One of monday, tuesday, wednesday, etc.
  • maintenanceWindowTime (string, MaxLength: 8). Time of day when maintenance operations should be performed. UTC time in HH:mm:ss format.
  • projectVPCRef (object). ProjectVPCRef reference to ProjectVPC resource to use its ID as ProjectVPCID automatically. See below for nested schema.
  • projectVpcId (string, MaxLength: 36). Identifier of the VPC the service should be in, if any.
  • serviceIntegrations (array of objects, Immutable, MaxItems: 1). Service integrations to specify when creating a service. Not applied after initial service creation. See below for nested schema.
  • tags (object, AdditionalProperties: string). Tags are key-value pairs that allow you to categorize services.
  • technicalEmails (array of objects, MaxItems: 10). Defines the email addresses that will receive alerts about upcoming maintenance updates or warnings about service instability. See below for nested schema.
  • terminationProtection (boolean). Prevent service from being deleted. It is recommended to have this enabled for all services.
  • userConfig (object). Grafana-specific user configuration options. See below for nested schema.

authSecretRef

Appears on spec.

Authentication reference to Aiven token in a secret.

Required

  • key (string, MinLength: 1).
  • name (string, MinLength: 1).

connInfoSecretTarget

Appears on spec.

Secret configuration.

Required

  • name (string, Immutable). Name of the secret resource to be created. By default, it is equal to the resource name.

Optional

  • annotations (object, AdditionalProperties: string). Annotations added to the secret.
  • labels (object, AdditionalProperties: string). Labels added to the secret.
  • prefix (string). Prefix for the secret's keys. Added "as is" without any transformations. By default, it is equal to the kind name in uppercase followed by an underscore, e.g. KAFKA_, REDIS_, etc.

projectVPCRef

Appears on spec.

ProjectVPCRef reference to ProjectVPC resource to use its ID as ProjectVPCID automatically.

Required

  • name (string, MinLength: 1).

Optional

serviceIntegrations

Appears on spec.

Service integrations to specify when creating a service. Not applied after initial service creation.

Required

technicalEmails

Appears on spec.

Defines the email addresses that will receive alerts about upcoming maintenance updates or warnings about service instability.

Required

  • email (string). Email address.

userConfig

Appears on spec.

Grafana-specific user configuration options.

Optional

  • additional_backup_regions (array of strings, MaxItems: 1). Additional Cloud Regions for Backup Replication.
  • alerting_enabled (boolean). DEPRECATED: setting has no effect with Grafana 11 and onward. Enable or disable Grafana legacy alerting functionality. This should not be enabled with unified_alerting_enabled.
  • alerting_error_or_timeout (string, Enum: alerting, keep_state). Default error or timeout setting for new alerting rules.
  • alerting_max_annotations_to_keep (integer, Minimum: 0, Maximum: 1000000). Max number of alert annotations that Grafana stores. 0 (default) keeps all alert annotations.
  • alerting_nodata_or_nullvalues (string, Enum: alerting, keep_state, no_data, ok). Default value for 'no data or null values' for new alerting rules.
  • allow_embedding (boolean). Allow embedding Grafana dashboards with iframe/frame/object/embed tags. Disabled by default to limit impact of clickjacking.
  • auth_azuread (object). Azure AD OAuth integration. See below for nested schema.
  • auth_basic_enabled (boolean). Enable or disable basic authentication form, used by Grafana built-in login.
  • auth_generic_oauth (object). Generic OAuth integration. See below for nested schema.
  • auth_github (object). GitHub Auth integration. See below for nested schema.
  • auth_gitlab (object). GitLab Auth integration. See below for nested schema.
  • auth_google (object). Google Auth integration. See below for nested schema.
  • cookie_samesite (string, Enum: lax, none, strict). Cookie SameSite attribute: strict prevents sending cookie for cross-site requests, effectively disabling direct linking from other sites to Grafana. lax is the default value.
  • custom_domain (string, MaxLength: 255). Serve the web frontend using a custom CNAME pointing to the Aiven DNS name.
  • dashboard_previews_enabled (boolean). Enable browsing of dashboards in grid (pictures) mode. This feature is new in Grafana 9 and is quite resource intensive. It may cause low-end plans to work more slowly while the dashboard previews are rendering.
  • dashboards_min_refresh_interval (string, Pattern: ^[0-9]+(ms|s|m|h|d)$, MaxLength: 16). Signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s, 1h.
  • dashboards_versions_to_keep (integer, Minimum: 1, Maximum: 100). Dashboard versions to keep per dashboard.
  • dataproxy_send_user_header (boolean). Send X-Grafana-User header to data source.
  • dataproxy_timeout (integer, Minimum: 15, Maximum: 90). Timeout for data proxy requests in seconds.
  • date_formats (object). Grafana date format specifications. See below for nested schema.
  • disable_gravatar (boolean). Set to true to disable gravatar. Defaults to false (gravatar is enabled).
  • editors_can_admin (boolean). Editors can manage folders, teams and dashboards created by them.
  • external_image_storage (object). External image store settings. See below for nested schema.
  • google_analytics_ua_id (string, Pattern: ^(G|UA|YT|MO)-[a-zA-Z0-9-]+$, MaxLength: 64). Google Analytics ID.
  • ip_filter (array of objects, MaxItems: 1024). Allow incoming connections from CIDR address block, e.g. 10.20.0.0/16. See below for nested schema.
  • metrics_enabled (boolean). Enable Grafana's /metrics endpoint.
  • oauth_allow_insecure_email_lookup (boolean). Enforce user lookup based on email instead of the unique ID provided by the IdP.
  • private_access (object). Allow access to selected service ports from private networks. See below for nested schema.
  • privatelink_access (object). Allow access to selected service components through Privatelink. See below for nested schema.
  • project_to_fork_from (string, Immutable, Pattern: ^[a-z][-a-z0-9]{0,63}$|^$, MaxLength: 63). Name of another project to fork a service from. This has effect only when a new service is being created.
  • public_access (object). Allow access to selected service ports from the public Internet. See below for nested schema.
  • recovery_basebackup_name (string, Pattern: ^[a-zA-Z0-9-_:.]+$, MaxLength: 128). Name of the basebackup to restore in forked service.
  • service_log (boolean). Store logs for the service so that they are available in the HTTP API and console.
  • service_to_fork_from (string, Immutable, Pattern: ^[a-z][-a-z0-9]{0,63}$|^$, MaxLength: 64). Name of another service to fork from. This has effect only when a new service is being created.
  • smtp_server (object). SMTP server settings. See below for nested schema.
  • static_ips (boolean). Use static public IP addresses.
  • unified_alerting_enabled (boolean). Enable or disable Grafana unified alerting functionality. By default this is enabled and any legacy alerts will be migrated on upgrade to Grafana 9+. To stay on legacy alerting, set unified_alerting_enabled to false and alerting_enabled to true. See https://grafana.com/docs/grafana/latest/alerting/ for more details.
  • user_auto_assign_org (boolean). Auto-assign new users on signup to main organization. Defaults to false.
  • user_auto_assign_org_role (string, Enum: Admin, Editor, Viewer). Set role for new signups. Defaults to Viewer.
  • viewers_can_edit (boolean). Users with view-only permission can edit but not save dashboards.
  • wal (boolean). Setting to enable/disable Write-Ahead Logging. The default value is false (disabled).

auth_azuread

Appears on spec.userConfig.

Azure AD OAuth integration.

Required

  • auth_url (string, MaxLength: 2048). Authorization URL.
  • client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
  • client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.
  • token_url (string, MaxLength: 2048). Token URL.

Optional

  • allow_sign_up (boolean). Automatically sign-up users on successful sign-in.
  • allowed_domains (array of strings, MaxItems: 50). Allowed domains.
  • allowed_groups (array of strings, MaxItems: 50). Require users to belong to one of given groups.

auth_generic_oauth

Appears on spec.userConfig.

Generic OAuth integration.

Required

  • api_url (string, MaxLength: 2048). API URL.
  • auth_url (string, MaxLength: 2048). Authorization URL.
  • client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
  • client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.
  • token_url (string, MaxLength: 2048). Token URL.

Optional

  • allow_sign_up (boolean). Automatically sign-up users on successful sign-in.
  • allowed_domains (array of strings, MaxItems: 50). Allowed domains.
  • allowed_organizations (array of strings, MaxItems: 50). Require user to be member of one of the listed organizations.
  • auto_login (boolean). Allow users to bypass the login screen and automatically log in.
  • name (string, Pattern: ^[a-zA-Z0-9_\- ]+$, MaxLength: 128). Name of the OAuth integration.
  • scopes (array of strings, MaxItems: 50). OAuth scopes.
  • use_refresh_token (boolean). Set to true to use refresh token and check access token expiration.

auth_github

Appears on spec.userConfig.

GitHub Auth integration.

Required

  • client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
  • client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.

Optional

  • allow_sign_up (boolean). Automatically sign-up users on successful sign-in.
  • allowed_organizations (array of strings, MaxItems: 50). Require users to belong to one of given organizations.
  • auto_login (boolean). Allow users to bypass the login screen and automatically log in.
  • skip_org_role_sync (boolean). Stop automatically syncing user roles.
  • team_ids (array of integers, MaxItems: 50). Require users to belong to one of given team IDs.

auth_gitlab

Appears on spec.userConfig.

GitLab Auth integration.

Required

  • allowed_groups (array of strings, MaxItems: 50). Require users to belong to one of given groups.
  • client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
  • client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.

Optional

  • allow_sign_up (boolean). Automatically sign-up users on successful sign-in.
  • api_url (string, MaxLength: 2048). This only needs to be set when using self hosted GitLab.
  • auth_url (string, MaxLength: 2048). This only needs to be set when using self hosted GitLab.
  • token_url (string, MaxLength: 2048). This only needs to be set when using self hosted GitLab.

auth_google

Appears on spec.userConfig.

Google Auth integration.

Required

  • allowed_domains (array of strings, MaxItems: 64). Domains allowed to sign-in to this Grafana.
  • client_id (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client ID from provider.
  • client_secret (string, Pattern: ^[\040-\176]+$, MaxLength: 1024). Client secret from provider.

Optional

  • allow_sign_up (boolean). Automatically sign-up users on successful sign-in.

date_formats

Appears on spec.userConfig.

Grafana date format specifications.

Optional

  • default_timezone (string, MaxLength: 64). Default time zone for user preferences. The value browser uses the browser's local time zone.
  • full_date (string, MaxLength: 128). Moment.js style format string for cases where full date is shown.
  • interval_day (string, MaxLength: 128). Moment.js style format string used when a time requiring day accuracy is shown.
  • interval_hour (string, MaxLength: 128). Moment.js style format string used when a time requiring hour accuracy is shown.
  • interval_minute (string, MaxLength: 128). Moment.js style format string used when a time requiring minute accuracy is shown.
  • interval_month (string, MaxLength: 128). Moment.js style format string used when a time requiring month accuracy is shown.
  • interval_second (string, MaxLength: 128). Moment.js style format string used when a time requiring second accuracy is shown.
  • interval_year (string, MaxLength: 128). Moment.js style format string used when a time requiring year accuracy is shown.

external_image_storage

Appears on spec.userConfig.

External image store settings.

Required

  • access_key (string, Pattern: ^[A-Z0-9]+$, MaxLength: 4096). S3 access key. Requires permissions to the S3 bucket for the s3:PutObject and s3:PutObjectAcl actions.
  • bucket_url (string, MaxLength: 2048). Bucket URL for S3.
  • provider (string, Enum: s3). External image store provider.
  • secret_key (string, Pattern: ^[A-Za-z0-9/+=]+$, MaxLength: 4096). S3 secret key.

ip_filter

Appears on spec.userConfig.

CIDR address block, either as a string, or in a dict with an optional description field.

Required

  • network (string, MaxLength: 43). CIDR address block.

Optional

  • description (string, MaxLength: 1024). Description for IP filter list entry.

private_access

Appears on spec.userConfig.

Allow access to selected service ports from private networks.

Required

  • grafana (boolean). Allow clients to connect to grafana with a DNS name that always resolves to the service's private IP addresses. Only available in certain network locations.

privatelink_access

Appears on spec.userConfig.

Allow access to selected service components through Privatelink.

Required

  • grafana (boolean). Enable grafana.

public_access

Appears on spec.userConfig.

Allow access to selected service ports from the public Internet.

Required

  • grafana (boolean). Allow clients to connect to grafana from the public internet for service nodes that are in a project VPC or another type of private network.

smtp_server

Appears on spec.userConfig.

SMTP server settings.

Required

  • from_address (string, MaxLength: 319). Address used for sending emails.
  • host (string, MaxLength: 255). Server hostname or IP.
  • port (integer, Minimum: 1, Maximum: 65535). SMTP server port.

Optional

  • from_name (string, Pattern: ^[^\x00-\x1F]+$, MaxLength: 128). Name used in outgoing emails, defaults to Grafana.
  • password (string, Pattern: ^[^\x00-\x1F]+$, MaxLength: 255). Password for SMTP authentication.
  • skip_verify (boolean). Skip verifying server certificate. Defaults to false.
  • starttls_policy (string, Enum: MandatoryStartTLS, NoStartTLS, OpportunisticStartTLS). Either OpportunisticStartTLS, MandatoryStartTLS or NoStartTLS. Default is OpportunisticStartTLS.
  • username (string, Pattern: ^[^\x00-\x1F]+$, MaxLength: 255). Username for SMTP authentication.
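Several fields in this reference decide how exposed the service is: ip_filter, public_access, allow_embedding, oauth_allow_insecure_email_lookup, cookie_samesite, smtp_server and terminationProtection. The following pre-apply check is an added example, not part of the Aiven operator; the function name `audit_grafana` and the sample manifest are assumptions, and the input is a manifest parsed into a dict (for instance from `kubectl get grafanas my-grafana -o json`).

```python
import ipaddress

# userConfig booleans that weaken the service when true (reasons from this reference).
RISKY_TRUE = {
    "allow_embedding": "dashboards can be framed by other sites (clickjacking)",
    "oauth_allow_insecure_email_lookup": "users matched by email, not the IdP's unique ID",
}

def audit_grafana(manifest):
    """Map field path -> reason for each setting in a Grafana manifest worth reviewing."""
    spec = manifest.get("spec", {})
    cfg = spec.get("userConfig", {})
    found = {f"userConfig.{k}": why for k, why in RISKY_TRUE.items() if cfg.get(k) is True}
    public = cfg.get("public_access", {}).get("grafana") is True
    # An ip_filter entry is either a plain CIDR string or a dict with a "network" key.
    for i, entry in enumerate(cfg.get("ip_filter", [])):
        cidr = entry["network"] if isinstance(entry, dict) else entry
        path = f"userConfig.ip_filter[{i}]"
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            found[path] = f"{cidr!r} is not a valid CIDR block"
            continue
        if "/" not in cidr:
            found[path] = f"{cidr!r} has no prefix length; state the intended CIDR"
        elif net.prefixlen == 0:
            scope = "the public Internet" if public else "every source address"
            found[path] = f"{cidr} admits {scope}"
    smtp = cfg.get("smtp_server", {})
    if smtp.get("skip_verify") is True:
        found["userConfig.smtp_server.skip_verify"] = "SMTP server certificate is not verified"
    policy = smtp.get("starttls_policy", "OpportunisticStartTLS")  # documented default
    if "password" in smtp and policy != "MandatoryStartTLS":
        found["userConfig.smtp_server.starttls_policy"] = f"{policy} does not require STARTTLS"
    if cfg.get("cookie_samesite") == "none":
        found["userConfig.cookie_samesite"] = "cookie is sent on cross-site requests"
    if spec.get("terminationProtection") is not True:
        found["terminationProtection"] = "service can be deleted; enabling is recommended"
    return found

# Constructed sample: the usage example's userConfig plus a few weak settings.
SAMPLE = {"kind": "Grafana", "metadata": {"name": "my-grafana"}, "spec": {
    "userConfig": {
        "public_access": {"grafana": True},
        "ip_filter": [{"network": "0.0.0.0", "description": "whatever"},
                      "0.0.0.0/0", {"network": "10.20.0.0/16"}],
        "allow_embedding": True,
        "smtp_server": {"host": "smtp.example.com", "port": 587, "password": "placeholder",
                        "from_address": "grafana@example.com", "skip_verify": True},
    }}}

if __name__ == "__main__":
    for path, reason in audit_grafana(SAMPLE).items():
        print(f"{path}: {reason}")
```

The check only reports what the manifest states; it makes no claim about how the Aiven API treats an ip_filter entry written without a prefix length, which is why such entries are reported for review rather than classified.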