---
# Helm values for a Prometheus Operator deployment. Everything under the
# `kube-prometheus-stack` key is passed to that chart.
# Prometheus and Alertmanager are published through ingress-nginx with TLS
# (cert-manager) and HTTP basic auth. The Grafana ingress uses TLS only: its
# basic-auth annotations are commented out.

# Create the RBAC resources explicitly.
rbac:
  create: true

kube-prometheus-stack:
  # Switch off the stock node-exporter ServiceMonitor under both value paths so
  # node metrics are not collected twice (a manual scrape job is defined in
  # prometheusSpec.additionalScrapeConfigs).
  prometheus-node-exporter:
    serviceMonitor:
      enabled: false

  nodeExporter:
    serviceMonitor:
      enabled: false

  prometheus:
    ingress:
      enabled: true
      pathType: Prefix
      annotations:
        # NOTE(review): this annotation is the legacy way to select an ingress
        # class; spec.ingressClassName is the current mechanism.
        kubernetes.io/ingress.class: nginx
        # disabled: nginx.ingress.kubernetes.io/rewrite-target: /$2
        cert-manager.io/cluster-issuer: letsencrypt-nginx-production
        # TLS ends at the ingress controller; the hop to the pod is plain HTTP.
        nginx.ingress.kubernetes.io/backend-protocol: 'HTTP'
        # Basic auth is enforced by ingress-nginx, not by Prometheus itself.
        # The referenced secret must exist where the controller can read it
        # and hold htpasswd-format data. Clients inside the cluster that reach
        # the Service directly are not subject to this check.
        # NOTE(review): consider a NetworkPolicy limiting access to the pods.
        nginx.ingress.kubernetes.io/auth-type: basic
        nginx.ingress.kubernetes.io/auth-secret: monitoring-basic-auth
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
      hosts:
        - monitoring.video.jamkazam.com
      paths:
        - /prometheus
      tls:
        - secretName: monitoring
          hosts:
            - monitoring.video.jamkazam.com

    prometheusSpec:
      retention: 60d
      # Size-based retention cap; set below the 30Gi volume requested below.
      retentionSize: 20GB
      # Served under a sub-path, so routePrefix and externalUrl must agree with
      # the ingress path above.
      routePrefix: /prometheus
      externalUrl: https://monitoring.video.jamkazam.com/prometheus
      storageSpec:
        volumeClaimTemplate:
          spec:
            storageClassName: linode-block-storage-retain
            resources:
              requests:
                storage: 30Gi

      # Important: keep Prometheus from selecting the default node-exporter
      # ServiceMonitor, otherwise the same metrics are ingested twice.
      serviceMonitorSelector:
        matchExpressions:
          # Exclude ServiceMonitors labelled as prometheus-node-exporter.
          - key: app.kubernetes.io/name
            operator: NotIn
            values:
              - prometheus-node-exporter

      # Manual scrape job that takes the place of the default ServiceMonitor.
      additionalScrapeConfigs:
        - job_name: node-exporter
          kubernetes_sd_configs:
            - role: endpoints
          relabel_configs:
            # Step 1 - keep only endpoints of the node-exporter Service in the
            # monitoring namespace. The service name is assumed to be
            # 'monitoring-prometheus-node-exporter'; verify against the release.
            - source_labels:
                - __meta_kubernetes_namespace
                - __meta_kubernetes_service_name
              separator: '/'
              regex: 'monitoring/monitoring-prometheus-node-exporter'
              action: keep
            # Step 2 - keep only targets on the standard port (usually 9100).
            - source_labels:
                - __address__
              regex: '.*:9100$'
              action: keep
            # Step 3 - the actual fix: use the node name as the instance label
            # and keep the scrape address in a separate ip_address label.
            - source_labels:
                - __meta_kubernetes_endpoint_node_name
              target_label: instance
              action: replace
            - source_labels:
                - __address__
              target_label: ip_address
              action: replace
            # Step 4 - copy pod labels onto the series so existing dashboards
            # keep working.
            - action: labelmap
              regex: '__meta_kubernetes_pod_label_(.+)'
            # Standard namespace / pod / node labels expected by dashboards.
            - source_labels:
                - __meta_kubernetes_namespace
              target_label: namespace
            - source_labels:
                - __meta_kubernetes_pod_name
              target_label: pod
            - source_labels:
                - __meta_kubernetes_endpoint_node_name
              target_label: node

  alertmanager:
    ingress:
      enabled: true
      pathType: Prefix
      annotations:
        # NOTE(review): legacy ingress-class annotation; spec.ingressClassName
        # is the current mechanism.
        kubernetes.io/ingress.class: nginx
        # disabled: nginx.ingress.kubernetes.io/rewrite-target: /$2
        cert-manager.io/cluster-issuer: letsencrypt-nginx-production
        # TLS ends at the ingress controller; the hop to the pod is plain HTTP.
        nginx.ingress.kubernetes.io/backend-protocol: 'HTTP'
        # Basic auth is applied by ingress-nginx only; in-cluster access to the
        # Alertmanager Service is not covered by it.
        nginx.ingress.kubernetes.io/auth-type: basic
        nginx.ingress.kubernetes.io/auth-secret: monitoring-basic-auth
        nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
      hosts:
        - monitoring.video.jamkazam.com
      paths:
        - /alertmanager
      tls:
        - secretName: monitoring
          hosts:
            - monitoring.video.jamkazam.com

    alertmanagerSpec:
      # Sub-path serving; must agree with the ingress path above.
      routePrefix: /alertmanager
      externalUrl: https://monitoring.video.jamkazam.com/alertmanager
      storage:
        volumeClaimTemplate:
          spec:
            storageClassName: linode-block-storage-retain
            resources:
              requests:
                storage: 30Gi

  grafana:
    persistence:
      enabled: true
      storageClassName: linode-block-storage-retain
      size: 30Gi

    ingress:
      enabled: true
      pathType: Prefix
      annotations:
        # NOTE(review): legacy ingress-class annotation; spec.ingressClassName
        # is the current mechanism.
        kubernetes.io/ingress.class: nginx
        # disabled: nginx.ingress.kubernetes.io/rewrite-target: /$2
        cert-manager.io/cluster-issuer: letsencrypt-nginx-production
        # TLS ends at the ingress controller; the hop to the pod is plain HTTP.
        nginx.ingress.kubernetes.io/backend-protocol: 'HTTP'
        # Ingress-level basic auth is left disabled for Grafana, so Grafana's
        # own login is the only gate on this public host.
        # NOTE(review): confirm the admin credentials are overridden from the
        # chart default (ideally sourced from a secret) and that anonymous
        # access is not enabled.
        # disabled: nginx.ingress.kubernetes.io/auth-type: basic
        # disabled: nginx.ingress.kubernetes.io/auth-secret: monitoring-basic-auth
        # disabled: nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
      hosts:
        - monitoring.video.jamkazam.com
      path: /grafana
      tls:
        - secretName: monitoring
          hosts:
            - monitoring.video.jamkazam.com

    grafana.ini:
      server:
        domain: monitoring.video.jamkazam.com
        # Sub-path serving: root_url and serve_from_sub_path go together with
        # the /grafana ingress path.
        root_url: '%(protocol)s://%(domain)s/grafana/'
        enable_gzip: 'true'
        serve_from_sub_path: true

  # Control-plane metric targets are turned off.
  kubeEtcd:
    enabled: false

  kubeControllerManager:
    enabled: false

  kubeScheduler:
    enabled: false