# Chart-wide overrides; the empty values leave the chart defaults in place.
# NOTE(review): presumably namespaceOverride replaces the release namespace and
# imagePullSecrets lists registry-credential secrets — confirm in the templates.
namespaceOverride: ""
imagePullSecrets: []
commonLabels: {}
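# ServiceAccount settings. Child keys are nested under serviceAccount so that
# create/annotations/name do not collide with same-named keys elsewhere.
serviceAccount:
  create: true
  annotations: {}
  # Empty name: presumably the chart derives one from the release — TODO confirm.
  name: ""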
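# Ingress in front of Grafana (hosts.grafana is the only host listed here).
ingress:
  enabled: true
  className: nginx
  annotations: {}
  hosts:
    grafana: postgres-ai-monitoring.example.com
  # NOTE(review): the ingress is enabled by default while tls is empty, so
  # unless TLS is terminated elsewhere the Grafana login would be served over
  # plain HTTP. Populate tls (or disable the ingress) before exposing this
  # outside a test environment — confirm how the chart renders this list.
  tls: []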
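# Persistent volume sizing and storage class for the stateful components.
storage:
  postgresSize: 50Gi
  victoriaMetricsSize: 150Gi
  grafanaSize: 5Gi
  accessModes: ["ReadWriteOnce"]
  # Storage class for persistent volumes.
  # For encryption at rest (required for DPA/SOC2 compliance), use an
  # encrypted storage class. Examples:
  #   AWS EKS: create a StorageClass with "encrypted: true" parameter,
  #            or enable account-level default EBS encryption
  #   GCP GKE: "standard" or "premium-rwo" (encrypted at rest by default with Google-managed keys)
  #   Azure AKS: "managed-premium" (encrypted by default with platform-managed keys)
  #   Hetzner HCloud: "hcloud-volumes" (encrypted at rest by default)
  # Leave empty to use the cluster default storage class.
  # NOTE(review): provider defaults change over time; verify the encryption
  # settings of the class actually selected (including the cluster default
  # when this is left empty) instead of relying on the list above.
  storageClassName: ""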
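# Default cluster/node identity and tags. The reporter comments in this file
# state that reporter.clusterName/nodeName override these when set.
global:
  clusterName: default
  nodeName: default
  customTags: {}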
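# Postgres instance used as the measurements sink.
sinkPostgres:
  # NOTE(review): "postgres:17" is a moving major-version tag, unlike the
  # exact versions pinned for the other images in this file; pin a specific
  # minor version or an image digest for reproducible, auditable deploys.
  image: postgres:17
  database: measurements
  user: pgwatch
  resources: {}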
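# Prometheus postgres-exporter; enabled by default.
postgresExporter:
  enabled: true
  image: prometheuscommunity/postgres-exporter:v0.19.1
  # Empty resources means no requests/limits are set here.
  resources: {}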
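# VictoriaMetrics time-series store: image, retention, query limits, auth and
# service exposure.
victoriaMetrics:
  image: victoriametrics/victoria-metrics:v1.140.0
  retentionPeriod: 336h
  scrapeInterval: 15s
  # Bound expensive dashboard/API queries so VictoriaMetrics stays responsive under high-cardinality pg_stat_statements data.
  extraArgs:
    # Maximum wall time per query; raise only if dashboards legitimately need longer searches.
    - -search.maxQueryDuration=30s
    # Maximum concurrent search requests; lower reduces memory pressure, higher improves dashboard fan-out.
    - -search.maxConcurrentRequests=16
  auth:
    # NOTE(review): auth is off by default. Presumably the service on 8428 then
    # accepts unauthenticated requests from any workload that can reach it;
    # enable auth or restrict access with a NetworkPolicy — confirm in templates.
    enabled: false
    username: "vmauth"
    # password stored in K8s secret (key: vm-auth-password)
  service:
    # ClusterIP keeps the endpoint off external load balancers.
    type: ClusterIP
    port: 8428
  resources: {}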
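# pgwatch collector instance (named for the Postgres sink); enabled by default.
pgwatchPostgres:
  enabled: true
  image: cybertecpostgresql/pgwatch:4.1.0
  # Only errors are logged at this level; raise temporarily when troubleshooting.
  logLevel: error
  resources: {}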
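# pgwatch collector instance (named for the Prometheus-style sink); enabled by
# default and pinned to the same image as pgwatchPostgres.
pgwatchPrometheus:
  enabled: true
  image: cybertecpostgresql/pgwatch:4.1.0
  # Only errors are logged at this level; raise temporarily when troubleshooting.
  logLevel: error
  resources: {}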
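# Flask monitoring backend: image, health endpoint, queryid retention tuning,
# service exposure and resource bounds.
flask:
  enabled: true
  image: postgresai/monitoring-flask-backend:0.14.0
  imagePullPolicy: IfNotPresent
  containerPort: 8000
  healthPath: /health
  queryInfo:
    # Minutes a queryid remains active in /query_info_metrics; keep above the pgwatch scrape interval.
    activeMinutes: 10
    # Hours to retain stale queryid rows in the sink before background cleanup deletes them.
    retentionHours: 720
    # Rows deleted per cleanup batch; higher catches up faster but holds locks longer.
    retentionBatchSize: 10000
    # Maximum cleanup batches per scrape-triggered run; caps background work per invocation.
    retentionMaxIterations: 10
  # Extra environment variables; keep credentials out of here and in the
  # chart's secret instead.
  env: {}
  service:
    type: ClusterIP
    port: 8000
  # Explicit requests/limits bound this container's CPU and memory use.
  resources:
    requests:
      cpu: 500m
      memory: 256Mi
    limits:
      cpu: 500m
      memory: 1Gi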
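# Scheduled reporter job (schedule is a cron expression: daily at 00:00).
reporter:
  enabled: true
  image: postgresai/reporter:1.0.3
  imagePullPolicy: IfNotPresent
  schedule: "0 0 * * *"
  # Legacy: If clusterName/nodeName are set here, they override global settings
  # for backward compatibility. For multiple clusters, leave empty and set
  # clusterName/nodeName per database in monitoredDatabases.
  clusterName: ""
  nodeName: ""
  # NOTE(review): external endpoint; presumably report data leaves the cluster
  # to this URL, authenticated with the pgai API key from the chart secret.
  # Confirm what is sent, and allow this egress explicitly if egress is
  # restricted.
  apiUrl: https://postgres.ai/api/general
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 3
  env: {}
  resources: {}
  # When multiple clusters are configured in monitoredDatabases, a separate
  # reporter cronjob will be created for each unique cluster/node combination.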
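# Host-level metrics exporter; off by default on Kubernetes.
nodeExporter:
  # Disabled on k8s: host /proc and /sys mounts require a privileged
  # DaemonSet, which we don't ship yet. Re-enable once the DaemonSet
  # manifest lands. docker-compose retains this for self-monitoring.
  # NOTE(review): setting this to true does not by itself provide the host
  # mounts described above; treat any privileged DaemonSet added later as a
  # change that needs its own security review.
  enabled: false
  image: prom/node-exporter:v1.11.1
  resources: {}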
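# Container metrics exporter; off by default on Kubernetes.
cadvisor:
  # Disabled on k8s: requires privileged access to the container runtime
  # socket, which we don't ship yet. Image registry migrated from gcr.io
  # to ghcr.io/google/cadvisor; tags omit the 'v' prefix (upstream
  # registry convention, unlike other images here).
  # NOTE(review): access to the container runtime socket is effectively
  # node-level access; keep this disabled unless that exposure is accepted.
  enabled: false
  image: ghcr.io/google/cadvisor:0.56.2
  resources:
    requests:
      cpu: 100m
      memory: 192Mi
    limits:
      cpu: 250m
      memory: 384Mi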
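# Databases to monitor. Each entry carries connection details and the name of
# the secret key that holds its password; no password is stored in this list.
monitoredDatabases:
  # Example: Database with default cluster/node from global settings
  - name: example-database
    # Connection details (password stored in secrets.monitoredDatabases)
    host: postgres-host
    port: 5432
    database: database_name
    # Use a dedicated low-privilege monitoring role (for example one granted
    # pg_monitor), not a superuser or the application's own role.
    user: monitor
    passwordSecretKey: example-database-password  # References secrets.monitoredDatabases[example-database-password]
    presetMetrics: full
    customMetrics: {}
    isEnabled: true
    group: default
    customTags:
      env: production
    # NOTE(review): no TLS/sslmode option appears in this example; confirm how
    # the connection to the monitored database is encrypted.
  # Example: Database with custom cluster/node name
  # - name: production-db-cluster-2
  #   host: postgres-host-2
  #   port: 5432
  #   database: database_name
  #   user: monitor
  #   passwordSecretKey: production-db-cluster-2-password
  #   presetMetrics: full
  #   customMetrics: {}
  #   isEnabled: true
  #   group: production
  #   clusterName: production-cluster-2
  #   nodeName: node-02
  #   customTags:
  #     env: production
  #     region: us-east-1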
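# Secret configuration
# IMPORTANT: By default, secrets should be provided via Kubernetes secrets, not values.yaml
# This is more secure and follows Kubernetes best practices.
# Option 1: Use existing Kubernetes secret (RECOMMENDED for production)
# Create the secret manually before installation:
#   kubectl create secret generic postgres-ai-monitoring-secrets \
#     --namespace postgres_ai \
#     --from-literal=postgres-password='...' \
#     --from-literal=grafana-admin-user='admin' \
#     --from-literal=grafana-admin-password='...' \
#     --from-literal=pgai-api-key='...' \
#     --from-literal=db-password-example-database='...'
#
# NOTE(review):
#   - Kubernetes namespace names cannot contain underscores, so "postgres_ai"
#     must be replaced with the namespace the release is installed into.
#   - --from-literal leaves the values in shell history and the process list;
#     prefer --from-file or --from-env-file with a file that is removed
#     afterwards.
#   - The database key above (db-password-example-database) differs from the
#     passwordSecretKey used in monitoredDatabases (example-database-password),
#     and no vm-auth-password key is created although victoriaMetrics.auth
#     refers to one. Confirm the key names the templates actually read.
#
# Then set existingSecret.name to reference it:
existingSecret:
  name: ""  # Set to your secret name (e.g., "postgres-ai-monitoring-secrets")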
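# Option 2: Create secret from values.yaml (ONLY for development/testing)
# WARNING: Never commit secrets to version control!
# Set createFromValues: true to enable this (disabled by default)
# NOTE(review): every CHANGE_ME value below is a placeholder, not a usable
# default; replace all of them if createFromValues is ever enabled. Values
# passed to Helm are also kept in the release record stored in the cluster, so
# anyone who can read that record can read these passwords.
secrets:
  createFromValues: false  # Set to true ONLY for development/testing
  postgres:
    password: "CHANGE_ME_postgres_password"
  grafana:
    adminUser: admin
    adminPassword: "CHANGE_ME_grafana_password"
  vmAuth:
    password: "CHANGE_ME_vm_auth_password"
  pgwatchConfig:
    apiKey: ""
  # Passwords for monitored databases
  # Key names should match passwordSecretKey values in monitoredDatabases entries
  monitoredDatabases:
    example-database-password: "CHANGE_ME_database_password"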
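# Values passed to the grafana subchart: image pin, admin credential source,
# plugins, persistence, service and dashboard provisioning.
grafana:
  enabled: true
  # Pin the Grafana app version to match docker-compose.yml so both deploy
  # paths ship the same major. The grafana subchart's default appVersion
  # may lag behind; override explicitly to stay in sync with compose.
  # Pin repository too so a subchart default change can't silently move us
  # to a different image.
  image:
    repository: grafana/grafana
    tag: "12.3.2"
  # Admin credentials are stored in secrets
  # Secret name pattern: <release-name>-postgres-ai-monitoring-secrets (or <fullnameOverride>-secrets)
  # Set admin.existingSecret manually if using custom release name or fullnameOverride
  # NOTE(review): with existingSecret left empty the subchart presumably falls
  # back to its own admin credential handling; verify after install that the
  # admin password comes from the intended secret.
  admin:
    existingSecret: ""  # Set to: <your-release-name>-postgres-ai-monitoring-secrets (or configure manually)
    userKey: grafana-admin-user
    passwordKey: grafana-admin-password
  # Plugins are fetched at install time; review each plugin and its version
  # before adding it to this list.
  plugins:
    - yesoreyeram-infinity-datasource
  persistence:
    enabled: true
    size: 5Gi
    storageClassName: ""
  service:
    type: ClusterIP
    port: 80
  # The subchart's own ingress is off; the top-level ingress section of this
  # file carries the Grafana host instead.
  ingress:
    enabled: false
  # Sidecars pick up datasources and dashboards by the labels below.
  # NOTE(review): presumably any object carrying these labels is loaded into
  # Grafana; limit who can create such objects in the namespace — confirm.
  sidecar:
    datasources:
      enabled: true
      label: grafana_datasource
    dashboards:
      enabled: true
      label: grafana_dashboard
  dashboardProviders:
    dashboardproviders.yaml:
      apiVersion: 1
      providers:
        - name: default
          orgId: 1
          folder: ''
          type: file
          # Provisioned dashboards may be deleted and edited from the UI.
          disableDeletion: false
          editable: true
          options:
            path: /tmp/dashboards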