common/prometheus-server/values.yaml

global:
  # The OpenStack region.
  region:

  # The TLD as used in the URL.
  domain:

  # Type of the cluster to which the Prometheus is deployed.
  # Choose between: controlplane, kubernikus-controlplane, kubernikus-scaleout.
  clusterType: controlplane

  # Optional name of the cluster to which the Prometheus is deployed.
  # Defaults to region if not set.
  # cluster:

  # Optional tier for Prometheus alerts.
  # tier: k8s

  # Optional targets to create Prometheus names.
  # targets:

  linkerd_requested: false

# The image for the Prometheus server. The tag equals the .Chart.appVersion.
image:
  repository: keppel.eu-de-1.cloud.sap/ccloud-dockerhub-mirror/prom/prometheus

# Mandatory name for a single Prometheus. To setup multiple, define a list of .Values.names or .Values.global.targets.
# The name is used to find relevant aggregation and alerting rules.
# Examples: kubernetes, openstack, infrastructure, maia, vmware etc.
name: 

# A list to deploy multiple Prometheis with the same configuration but different names.
# names:

# Defines how long data is stored. Format: `[0-9]+(ms|s|m|h|d|w|y)`
retentionTime: 7d

# Reference a secret containing additional Prometheus scrape configurations.
# Injecting an invalid configuration might break the Prometheus server instance.
additionalScrapeConfigs: {}
  # Name of the secret.
  # name:

  # Key in the secret.
  # key:

  # Specify whether the Secret is optional.
  # Setting `optional: false` causes an error when the secret does not exist.
  # optional: true

# Interval between consecutive scrapes.
scrapeInterval: "60s"

# List of configmaps in the same namespace as the Prometheus that should be mounted to /etc/prometheus/configmaps/<configmap-name>.
# Can be used to add targets found by a custom service discovery.
configMaps: []
  # - < name of configmap >

# List of secrets in the same namespace as the Prometheus that should be mounted to /etc/prometheus/secrets/<secret-name>.
secrets: []
# - < name of secret >

# Alertmanager configuration.
alertmanagers:
  # Configuration if the Alertmanager has client certificate authentication enabled.
  authentication:
    enabled: false
    # The certificate used for authentication with the Alertmanager..
    ssoCert:
    # The key used for authentication with the Alertmanager.
    ssoKey:

  # List of Alertmanagers (AM) to send alerts to.
  # If multiple AMs are used in an HA setup, alerts must be send to every AM.
  hosts: []
  # - alertmanager1.tld
  # - alertmanager2.tld

# Configuration for the Service created for this Prometheus.
service:
  annotations: {}

# Will explicitly set ingressClassName to nginx. If the cluster has traefik deployed only, this needs to be set to true
traefik:
  enabled: false

# Optional ingress for this Prometheus.
ingress:
  enabled: false

  # List of hostnames for this Prometheus server. If empty, the FQDN will be generated using the pattern  prometheus-<name>.<region>.<domain> otherwise <host>.<region>.<domain>.
  # The first host is used to generate the external URL for the Prometheus. Remaining hosts will be used as SANs.
  # If the ingress is enabled, it's also used for the ingress host.
  hosts: []

  # List of fully qualified host names to be used for this Prometheus server. Mutually exclusive with hosts.
  # The first host is used to generate the external URL for the Prometheus. Remaining hosts will be used as SANs.
  # If the ingress is enabled, it's also used for the ingress host.
  hostsFQDN: []

  # Client certificate authentication on ingress level.
  authentication:
    oauth:
      enabled: false

      # The URL to the authentication service.
      authURL:

      # Optional URL to specify the location of the error page.
      authSignInURL:

    sso:
      enabled: true
      # The key (<namespace>/<name>) of the secret containing the CA certificate (`ca.crt`) that is enabled to authenticate against this Ingress.
      authTLSSecret: kube-system/ingress-cacrt

      # The validation depth between the provided client certificate and the certification authority chain.
      authTLSVerifyDepth: 3

      # Enables verification of client certificates.
      authTLSVerifyClient: on

  # Additional annotations for the ingress.
  annotations:
    cloud.sap/no-http-keep-alive-monitor: "true"

# Optional additional ingress for this Prometheus.
internalIngress:
  enabled: false

  # List of hostnames for this Prometheus server. If empty, the FQDN will be generated using the pattern  prometheus-<name>-internal.<region>.<domain> otherwise <host>.<region>.<domain>.
  # The first host is used to generate the external URL for the Prometheus. Remaining hosts will be used as SANs.
  # If the ingress is enabled, it's also used for the ingress host.
  hosts: []

  # List of fully qualified host names to be used for this Prometheus server. Mutually exclusive with hosts.
  # The first host is used to generate the external URL for the Prometheus. Remaining hosts will be used as SANs.
  # If the ingress is enabled, it's also used for the ingress host.
  hostsFQDN: []

  # Client certificate authentication on ingress level.
  authentication:
    oauth:
      enabled: false

      # The URL to the authentication service.
      authURL:

      # Optional URL to specify the location of the error page.
      authSignInURL:

    sso:
      enabled: true
      # The key (<namespace>/<name>) of the secret containing the CA certificate (`ca.crt`) that is enabled to authenticate against this Ingress.
      authTLSSecret: kube-system/ingress-cacrt

      # The validation depth between the provided client certificate and the certification authority chain.
      authTLSVerifyDepth: 3

      # Enables verification of client certificates.
      authTLSVerifyClient: on

  # Additional annotations for the ingress.
  annotations:
    cloud.sap/no-http-keep-alive-monitor: "true"

# Enable persistent storage.
# If disabled, data will be stored in memory.
persistence:
  enabled: false

  # Optional name of the PVC. Default: < .Values.name >
  # name:

  # Access mode of the PVC.
  accessMode: ReadWriteOnce

  # Size of the PVC.
  size: 100Gi

  # Label selector to be be applied to the PVC.
  selector: {}

# Create RBAC resources.
rbac:
  create: true

# ServiceAccount to use for the Prometheus server.
# Note that a ServiceAccount with name `default` cannot be created.
# Instead the generated name will be used.
serviceAccount:
  create: true

  # Optional name of the service account.
  # If not provided one will be generated in the format: prometheus-<name>.
  name: ""

# Thanos configuration.
thanos:
  # Enables Prometheus sidecar. This is now the default setting for global monitoring integration.
  # Only disable this, if you don't want to have your Prometheus being queried by global Thanos.
  # Important: needed thanos swift seed configuration is provided by system/thanos-seeds and specified with thanosSeeds below
  enabled: true

  objectStorageConfig:
    # set false to only add thanos-sidecar gRPC store API. Usually you now do want sidecarDiscovery to be set, see below.
    enabled: true
    # Note:
    # The name of the secret specified below will be prefixed with `prometheus-<name>`
    # to avoid multiple configurations with the same name.
    name: thanos-storage-config
    key: thanos.yaml
    optional: true

  # When there is no store activated (objectStorageConfig.enabled = false) you can have this sidecar detected by the operator
  # using a StoreEndpoint. You need to specify which thanos should pick up the sidecar. This Thanos needs to run QueryDiscovery.
  # domain defaults to cluster.local and only needs to be set if it differs
  # thanosNamespace needs to be set, if the thanos specified with thanosName resides in a Sidecar disjunct namespace. 
  sidecarDiscovery:
    - thanosName:
      # thanosNamespace:
      namespace:
      # domain:

  # Specification for Thanos sidecar to Prometheus server.
  # See https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#thanosspec .
  spec:
    baseImage: keppel.eu-de-1.cloud.sap/ccloud-quay-mirror/thanos/thanos
    version: v0.31.0

  # Being one of debug, info, warn, error. Defaults to warn.
  # logLevel: info

thanosSeeds:
  seed:
    # If disabled the user and container need to exist, or you are in another cluster but metal. In this case leverage the dedicated system/thanos-seeds chart instead of this default, prometheus-bundled seed.
    enabled: true

    # List of required OpenstackSeeds that need to be resolved before.
    # Warning: This list is rather specific to SAP Converged Cloud.
    requires:
      - swift/swift-seed
      - monsoon3/domain-ccadmin-seed
      - monsoon3/domain-default-seed

    # optional cluster type appended to container name to prevent same names for different prometheus
    clusterType:

  # Configuration for OpenStack Swift Thanos storage backend.
  # Deploy an OpenstackSeed custom resource triggering creation of an Openstack user and Swift container used to persist Prometheus metrics.
  # See: https://github.com/sapcc/kubernetes-operators/tree/master/openstack-seeder
  swiftStorageConfig:
    authURL:
    userDomainName:
    password:
    domainName:
    projectName:
    projectDomainName:
    # all settings below are not mandatory and auto-generated
    userName:
    containerName:

    # Currently not supported are:
    # tenantID:
    # domainID:
    # userID:

  # needs to be enabled for vmware-monitoring only
  vmware: false

# The labels to add to any time series or alerts when communicating with
# external systems (federation, remote storage, Alertmanager).
externalLabels: {}
  # labelName: labelValue

# The log level of the Prometheus. Defaults to warn.
# logLevel: info

# Kubernetes resource requests and limits for this Prometheus.
# See: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container .
resources:
  requests:
    cpu: "1"
    memory: 8Gi
    ephemeral-storage: 200M

# specifying container specific maximal values.
vpaResources:
  # if prometheus needs more than 10Gi memory, this needs to be increased otherwise the VPA will not set it accordingly
  prometheus:
    containerName: "prometheus"
    maxAllowed:
      cpu: "3"
      memory: "10Gi"
  configReloader:
    containerName: "config-reloader"
    maxAllowed:
      cpu: "100"
      memory: "200Mi"
  thanosSidecar:
    containerName: "thanos-sidecar"
    maxAllowed:
      cpu: "1"
      memory: "3Gi"

# If set to Auto, make sure to enable alerts.thanos.enabled and alerts.thanos.name if you are in any Prometheus but kubernetes and kubernikus. This will deploy needed alerts to Thanos Ruler.
vpaUpdateMode: "Off"

# A security context defines privilege and access control settings for a Pod or Container.
# See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context .
securityContext:
  fsGroup: 0
  runAsUser: 0

# Enabled default Prometheus Service Discoveries (SD).
# The relabeling allows the actual service scrape endpoint to be configured
# via the following annotations:
#
# * `prometheus.io/scrape`:   Only scrape services that have a value of `true`
# * `prometheus.io/targets`:  List of target Prometheis by which the metrics should be scraped.
# * `prometheus.io/scheme`:   If the metrics endpoint is secured then you will need to set this to `https` & most likely set the `tls_config` of the scrape config.
# * `prometheus.io/path`:     If the metrics path is not `/metrics` override this.
# * `prometheus.io/port`:     If the metrics are exposed on a different port to the service then set this appropriately.
serviceDiscoveries:
  # Targets found via SD are only kept if the `prometheus.io/targets` annotation matches the name of this Prometheus.
  # However this can be overridden using the following parameter.
  # The result is a regex like `.*$prometheusName.*|.*$additionalTargets[i].*`
  # additionalTargets:
  #   - ...

  # Scrape interval for all jobs.
  scrapeInterval: 30s

  # Scrape timeout for all jobs.
  scrapeTimeout: 25s

  # SD for Kubernetes services and endpoints.
  endpoints:
    enabled: true
    # Only scrape services and endpoints with annotation prometheus.io/targets: $prometheusName.
    # If set to false, all targets are scraped.
    limitToPrometheusTargets: true
    # Scrape all metrics by default.
    forbiddenMetrics: []

  # SD for Kubernetes Pods. See https://github.com/coreos/prometheus-operator/issues/38.
  pods:
    enabled: false
    # Only scrape pods with annotation prometheus.io/targets: $prometheusName.
    # If set to false, all targets are scraped.
    limitToPrometheusTargets: true
    # Scrape all metrics by default.
    forbiddenMetrics: []
    # Custom metric relabelings
    # See https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
    # metricRelabelings:

  # SD for Kubernetes Probes.
  probes:
    enabled: false

  # SD for kubernetes API server.
  kubeAPIServer:
    enabled: false
    # Full list of APIserver metrics: https://github.com/kubernetes/apiserver/blob/master/pkg/endpoints/metrics/metrics.go .
    allowedMetrics:
      - apiserver_request_total
      - apiserver_longrunning_requests
      - apiserver_request_duration_seconds
      - apiserver_dropped_requests_total
      - apiserver_requested_deprecated_apis
      - apiserver_current_inflight_requests
      - etcd_request_latency_seconds
      - apiserver_object_counts
      - process_max_fds
      - process_open_fds
      - aggregator_unavailable_apiservice


  # Scrape cAdvisor metrics.
  cAdvisor:
    enabled: false
    # Full list of cAdvisor metrics: https://github.com/google/cadvisor/blob/master/docs/storage/prometheus.md .
    allowedMetrics:
      - container_cpu_cfs_periods_total
      - container_cpu_cfs_throttled_seconds_total
      - container_cpu_cfs_throttled_periods_total
      - container_cpu_usage_seconds_total
      - container_cpu_user_seconds_total
      - container_cpu_system_seconds_total
      - container_fs_inodes_total
      - container_fs_limit_bytes
      - container_fs_usage_bytes
      - container_last_seen
      - container_memory_usage_bytes
      - container_memory_working_set_bytes
      - container_network_receive_bytes_total
      - container_network_transmit_bytes_total
      - container_start_time_seconds
      - container_oom_events_total

  # Scrape kubelet metrics.
  kubelet:
    enabled: false
    # Full list of kubelet metrics: https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/metrics/metrics.go#L33 .
    # Scrape all kubelet metrics by default.
    allowedMetrics: []

  # Scrape kube-dns pods.
  kubeDNS:
    enabled: false

  # Scrape all node exporters.
  nodeExporter:
    enabled: false

  # Scrape kubernikus k8s API component metrics
  kubernikus:
    enabled: false
    namespace: kubernikus

# The pod's tolerations.
# See https://kubernetes.io/docs/concepts/configuration/taint-and-toleration
tolerations: []

# Assign custom affinity rules to the prometheus instance.
# See https://kubernetes.io/docs/concepts/configuration/assign-pod-node
affinity: {}

# Define which Nodes the Pods are scheduled on.
# See https://kubernetes.io/docs/user-guide/node-selection
nodeSelector: {}

# The tier of the alerts.
# If set .Values.global.tier takes precedence.
alerts:
  # prometheus name picking up the prometheus self metrics, defaults to prometheus.name
  prometheus:
  # thanos name that picks up the alerts from Prometheus - mainly used when kube_ metrics needs to be present
  thanos:
    enabled: false
    # name:
  # service name routing the alerts, defaults to `metrics`
  service:
  # support_group routing the alerts, defaults to `observability`
  support_group:

  multipleTargetScrapes:
    enabled: true
    # List of exceptions for scrape jobs. This is joined together with a `|`.
    exceptions: []

  # This alert requires kube state metrics. Disable if not present
  multiplePodScrapes:
    enabled: true

# If true, a custom Prometheus naming will take place. Only needed for vmware-monitoring.
vmware: false

# Add remoteWrite configurations as a list. It expects a certificate with the specified key. It can be the same secret, if it has both, the cert and the key, it can be different too.
remoteWriteTargets: []
#   - name: randomName
#     url: some.url.foo.bar.xyz
#     tlsConfig:
#       cert:
#         secret:
#           name: certs-spoken-name
#           key: cert
#       keySecret:
#         name: certs-spoken-name
#         key: key
#     remoteTimeout: 60s #defaults to 30s