grafana
Bitnami Helm chart for Grafana
1M+
Grafana is an open source metric analytics and visualization suite for visualizing time series data that supports various types of data sources.
Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement.
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/grafana
Note: You need to substitute the placeholders
REGISTRY_NAMEandREPOSITORY_NAMEwith a reference to your Helm chart registry and repository.
This chart bootstraps a grafana deployment on a Kubernetes cluster using the Helm package manager.
In the Bitnami catalog we offer both the bitnami/grafana and bitnami/grafana-operator charts. Each solution covers different needs and use cases.
The bitnami/grafana chart deploys a single Grafana installation using a Kubernetes Deployment object (together with Services, PVCs, ConfigMaps, etc.) or a Kubernetes StatefulSet object (with headless service, volumeClaimTemplate and ConfigMaps). The figure below shows the deployed objects in the cluster after executing helm install:
+--------------+ +-----+
| | | |
Service & Ingress | Grafana +<------------+ PVC |
<-------------------+ | | |
| Deployment/ | +-----+
| StatefulSet |
+-----------+--+
^ +------------+
| | |
+----------------+ Configmaps |
| Secrets |
| |
+------------+
Its lifecycle is managed using Helm and, at the Grafana container level, the following operations are automated: persistence management, configuration based on environment variables and plugin initialization. The chart also allows deploying dashboards and data sources using ConfigMaps. The Deployments do not require any ServiceAccounts with special RBAC privileges so this solution would fit better in more restricted Kubernetes installations.
The bitnami/grafana-operator chart deploys a Grafana Operator installation using a Kubernetes Deployment. The figure below shows the Grafana operator deployment after executing helm install:
+--------------------+
| | +---------------+
| Grafana Operator | | |
| | | RBAC |
| Deployment | | Privileges |
| | | |
+-------+------------+ +-------+-------+
^ |
| +-----------------+ |
+---+ Service Account +<----+
+-----------------+
The operator will extend the Kubernetes API with the following objects: Grafana, GrafanaDashboards and GrafanaDataSources. From that moment, the user will be able to deploy objects of these kinds and the previously deployed Operator will take care of deploying all the required Deployments, ConfigMaps and Services for running a Grafana instance. Its lifecycle is managed using kubectl on the Grafana, GrafanaDashboards and GrafanaDataSource objects. The following figure shows the deployed objects after deploying a Grafana object using kubectl:
+--------------------+
| | +---------------+
| Grafana Operator | | |
| | | RBAC |
| Deployment | | Privileges |
| | | |
+--+----+------------+ +-------+-------+
| ^ |
| | +-----------------+ |
| +---+ Service Account +<----+
| +-----------------+
|
|
|
|
| Grafana
| +---------------------------------------------------------------------------+
| | |
| | +--------------+ +-----+ |
| | | | | | |
+-------------------->+ Service & Ingress | Grafana +<------------+ PVC | |
| <-------------------+ | | | |
| | Deployment | +-----+ |
| | | |
| +-----------+--+ |
| ^ +------------+ |
| | | | |
| +----------------+ Configmaps | |
| | Secrets | |
| | | |
| +------------+ |
| |
+---------------------------------------------------------------------------+
This solution allows to easily deploy multiple Grafana instances compared to the bitnami/grafana chart. As the operator automatically deploys Grafana installations, the Grafana Operator pods will require a ServiceAccount with privileges to create and destroy multiple Kubernetes objects. This may be problematic for Kubernetes clusters with strict role-based access policies.
To install the chart with the release name my-release:
helm install my-release oci://REGISTRY_NAME/REPOSITORY_NAME/grafana
Note: You need to substitute the placeholders
REGISTRY_NAMEandREPOSITORY_NAMEwith a reference to your Helm chart registry and repository. For example, in the case of Bitnami, you need to useREGISTRY_NAME=registry-1.docker.ioandREPOSITORY_NAME=bitnamicharts.
These commands deploy grafana on the Kubernetes cluster in the default configuration. The Parameters section lists the parameters that can be configured during installation.
Tip: List all releases using
helm list
This section describes credentials, configuration, and other installation options.
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the resources value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the resourcesPreset values, which automatically sets the resources section according to different presets. Check these presets in the bitnami/common chart. However, in production workloads using resourcesPreset is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the official Kubernetes documentation.
The Bitnami Redis chart, when upgrading, reuses the secret previously rendered by the chart or the one specified in auth.existingSecret. To update credentials, use one of the following:
helm upgrade specifying a new password in admin.passwordhelm upgrade specifying a new secret in admin.existingSecretIt is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist.
This chart can be integrated with Prometheus by setting metrics.enabled to true. This will expose Grafana native Prometheus endpoint in the service. It will have the necessary annotations to be automatically scraped by Prometheus.
It is necessary to have a working installation of Prometheus or Prometheus Operator for the integration to work. Install the Bitnami Prometheus helm chart or the Bitnami Kube Prometheus helm chart to easily have a working Prometheus in your cluster.
The chart can deploy ServiceMonitor objects for integration with Prometheus Operator installations. To do so, set the value metrics.serviceMonitor.enabled=true. Ensure that the Prometheus Operator CustomResourceDefinitions are installed in the cluster or it will fail with the following error:
no matches for kind "ServiceMonitor" in version "monitoring.coreos.com/v1"
Install the Bitnami Kube Prometheus helm chart for having the necessary CRDs and the Prometheus Operator.
This chart includes an optional MCP (Model Context Protocol) component that provides a standardized interface for AI assistants and LLMs to interact with Grafana. When enabled, it deploys a separate service that exposes Grafana functionality through the MCP protocol. To enable the MCP component, set mcp.enabled=true:
By default (mcp.useGrafanaAdminCredentials=true), the MCP component automatically connects to the main Grafana instance using the admin credentials. The following environment variables are configured automatically:
GRAFANA_USERNAME: Set to the Grafana admin usernameGRAFANA_PASSWORD: Retrieved from the Grafana admin secretGRAFANA_URL: Automatically configured to point to the Grafana serviceIf you want to use custom Grafana credentials instead, set mcp.useGrafanaAdminCredentials=false and provide your own credentials:
mcp:
enabled: true
useGrafanaAdminCredentials: false
extraEnvVars:
- name: GRAFANA_USERNAME
value: my-custom-user
- name: GRAFANA_PASSWORD
valueFrom:
secretKeyRef:
name: my-grafana-credentials
key: password
- name: GRAFANA_URL
value: http://my-grafana-service:3000
The MCP server listens on port 8000 by default and uses Server-Sent Events (SSE) as the transport protocol.
For enhanced security, you can enable authentication and authorization using a kube-rbac-proxy sidecar:
mcp:
enabled: true
auth:
enabled: true
allowedServiceAccounts:
- namespace: default
name: my-ai-assistant
- namespace: ai-namespace
name: another-service
When mcp.auth.enabled is set to true:
mcp.auth.allowedServiceAccounts can access the endpointThis provides Kubernetes-native authentication and authorization, ensuring that only authorized service accounts can interact with the MCP Grafana server.
When authentication is enabled, TLS is always enabled and automatically configured for the kube-rbac-proxy sidecar. By default, the chart will auto-generate a self-signed certificate using Helm capabilities:
mcp:
enabled: true
auth:
enabled: true
tls:
autoGenerated:
enabled: true
engine: helm # or cert-manager
You can also provide your own TLS certificate:
mcp:
enabled: true
auth:
enabled: true
tls:
autoGenerated:
enabled: false
cert: |
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
key: |
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Or use an existing secret:
mcp:
enabled: true
auth:
enabled: true
tls:
existingSecret: my-tls-secret
The chart also supports using cert-manager for automatic certificate management:
mcp:
enabled: true
auth:
enabled: true
tls:
autoGenerated:
enabled: true
engine: cert-manager
certManager:
existingIssuer: my-issuer # optional
existingIssuerKind: ClusterIssuer # optional
Grafana supports multiples configuration files. Using kubernetes you can mount a file using a ConfigMap or a Secret. For example, to mount a custom grafana.ini file or custom.ini file you can create a ConfigMap like the following:
apiVersion: v1
kind: ConfigMap
metadata:
name: myconfig
data:
grafana.ini: |-
# Raw text of the file
And now you need to pass the ConfigMap name, to the corresponding parameters: config.useGrafanaIniFile=true and config.grafanaIniConfigMap=myconfig.
To provide dashboards on deployment time, Grafana needs a dashboards provider and the dashboards themselves.
A default provider is created if enabled, or you can mount your own provider using a ConfigMap, but have in mind that the path to the dashboard folder must be /opt/bitnami/grafana/dashboards.
json file that defines the dashboard and set the array with the ConfigMap names into the dashboardsConfigMaps parameter.
Note the difference between the datasources and the dashboards creation. For the datasources we can use just one secret with all of the files, while for the dashboards we need one ConfigMap per file.For example, create the dashboard ConfigMap(s) and datasource Secret as described below:
kubectl create secret generic datasource-secret --from-file=datasource-secret.yaml
kubectl create configmap my-dashboard-1 --from-file=my-dashboard-1.json
kubectl create configmap my-dashboard-2 --from-file=my-dashboard-2.json
Note: the commands above assume you had previously exported your dashboards in the JSON files: my-dashboard-1.json and my-dashboard-2.json Note: the commands above assume you had previously created a datasource config file datasource-secret.yaml. Find an example at https://grafana.com/docs/grafana/latest/administration/provisioning/#example-datasource-config-file
Once you have them, use the following parameters to deploy Grafana with 2 custom dashboards:
dashboardsProvider.enabled=true
datasources.secretName=datasource-secret
dashboardsConfigMaps[0].configMapName=my-dashboard-1
dashboardsConfigMaps[0].fileName=my-dashboard-1.json
dashboardsConfigMaps[1].configMapName=my-dashboard-2
dashboardsConfigMaps[1].fileName=my-dashboard-2.json
More info at Grafana documentation.
To enable LDAP authentication it is necessary to provide a ConfigMap with the Grafana LDAP configuration file. For instance:
configmap.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: ldap-config
data:
ldap.toml: |-
[[servers]]
# Ldap server host (specify multiple hosts space separated)
host = "ldap"
# Default port is 389 or 636 if use_ssl = true
port = 389
# Set to true if ldap server supports TLS
use_ssl = false
# Set to true if connect ldap server with STARTTLS pattern (create connection in insecure, then upgrade to secure connection with TLS)
start_tls = false
# set to true if you want to skip ssl cert validation
ssl_skip_verify = false
# set to the path to your root CA certificate or leave unset to use system defaults
# root_ca_cert = "/path/to/certificate.crt"
# Authentication against LDAP servers requiring client certificates
# client_cert = "/path/to/client.crt"
# client_key = "/path/to/client.key"
# Search user bind dn
bind_dn = "cn=admin,dc=example,dc=org"
# Search user bind password
# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
bind_password = 'admin'
# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
search_filter = "(uid=%s)"
# An array of base dns to search through
search_base_dns = ["ou=People,dc=support,dc=example,dc=org"]
# group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
# group_search_filter_user_attribute = "distinguishedName"
# group_search_base_dns = ["ou=groups,dc=grafana,dc=org"]
# Specify names of the ldap attributes your ldap uses
[servers.attributes]
name = "givenName"
surname = "sn"
username = "cn"
member_of = "memberOf"
email = "email"
Create the ConfigMap into the cluster and deploy the Grafana Helm Chart using the existing ConfigMap and the following parameters:
ldap.enabled=true
ldap.configMapName=ldap-config
ldap.allowSignUp=true
In order to install the Grafana Image Renderer Plugin so you rely on it to render images and save memory on Grafana pods, follow the steps below:
# deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: grafana-image-renderer
namespace: default
labels:
app.kubernetes.io/name: grafana-image-renderer
app.kubernetes.io/instance: grafana-image-renderer
app.kubernetes.io/component: image-renderer-plugin
app.kubernetes.io/part-of: grafana
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: grafana-image-renderer
app.kubernetes.io/instance: grafana-image-renderer
app.kubernetes.io/component: image-renderer-plugin
template:
metadata:
labels:
app.kubernetes.io/name: grafana-image-renderer
app.kubernetes.io/instance: grafana-image-renderer
app.kubernetes.io/component: image-renderer-plugin
app.kubernetes.io/part-of: grafana
spec:
securityContext:
fsGroup: 1001
runAsNonRoot: true
runAsUser: 1001
containers:
- name: grafana-image-renderer
image: docker.io/bitnami/grafana-image-renderer:3
securityContext:
runAsUser: 1001
env:
- name: HTTP_HOST
value: "::"
- name: HTTP_PORT
value: "8080"
ports:
- name: http
containerPort: 8080
protocol: TCP
# service.yaml
apiVersion: v1
kind: Service
metadata:
name: grafana-image-renderer
namespace: default
labels:
app.kubernetes.io/name: grafana-image-renderer
app.kubernetes.io/instance: grafana-image-renderer
app.kubernetes.io/component: image-renderer-plugin
app.kubernetes.io/part-of: grafana
spec:
type: ClusterIP
sessionAffinity: None
ports:
- port: 8080
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: grafana-image-renderer
app.kubernetes.io/instance: grafana-image-renderer
app.kubernetes.io/component: image-renderer-plugin
values.yaml file:imageRenderer:
enabled: true
serverURL: "http://grafana-image-renderer.default.svc.cluster.local:8080/render"
callbackURL: "http://grafana.default.svc.cluster.local:3000/"
Note: the steps above assume an installation in the
defaultnamespace. If you are installing the chart in a different namespace, adjust the manifests and theserverURL&callbackURLvalues accordingly.
To support HA Grafana just need an external database where store dashboards, users and other persistent data. To configure the external database provide a configuration file containing the database section
It's also recommended to use a StatefulSet kind instead of a Deployment kind to leverage the volumeClaimTemplates.
More information about Grafana HA here
This chart provides support for exposing Grafana using the Gateway API and its HTTPRoute resource. If you have a Gateway controller installed on your cluster, such as APISIX, Contour, Envoy Gateway, NGINX Gateway Fabric or Kong Ingress Controller you can utilize the Gateway controller to serve your application. To enable Gateway API integration, set httpRoute.enabled to true.
The Gateway to be used can be customized by setting the httpRoute.parentRefs parameter. By default, it will reference a Gateway named gateway in the same namespace as the release.
You can specify the list of hostnames to be mapped to the deployment using the httpRoute.hostnames parameter. Additionally, you can customize the rules used to route the traffic to the service by modifying the httpRoute.matches and httpRoute.filters parameters or adding new rules using the httpRoute.extraRules parameter.
This chart provides support for Ingress resources. If you have an ingress controller installed on your cluster, such as NGINX Ingress Controller or Contour you can utilize the ingress controller to serve your application. To enable Ingress integration, set ingress.enabled to true.
The most common scenario is to have one host name mapped to the deployment. In this case, the ingress.hostname property can be used to set the
Note: the README for this chart is longer than the DockerHub length limit of 25000, so it has been trimmed. The full README can be found at https://techdocs.broadcom.com/us/en/vmware-tanzu/bitnami-secure-images/bitnami-secure-images/services/bsi-app-doc/apps-charts-grafana-index.html
Content type
Image
Digest
sha256:0177f87ac…
Size
7.8 kB
Last updated
11 months ago
docker pull bitnamicharts/grafana:sha256-97131b25ffc1ed1a0cc46fce49b58e040552d4acc1a7352fe437db49778cc72aPulls:
7,170
Jun 29 to Jul 5