This is a cache of https://docs.okd.io/4.18/observability/cluster_observability_operator/api-monitoring-package.html. It is a snapshot of the page at 2025-06-28T22:56:48.641+0000.
Monitoring API reference - Cluster Observability Operator | Observability | OKD 4.18
  1. Documentation
×

monitoring.rhobs/v1alpha1

The resource types are MonitoringStack and ThanosQuerier.

MonitoringStack

MonitoringStack is the Schema for the monitoringstacks API.

Name Type Description Required

apiVersion

string

monitoring.rhobs/v1alpha1

true

kind

string

MonitoringStack

true

metadata

object

Refer to the Kubernetes API documentation for the fields of the metadata field.

true

spec

object

MonitoringStackSpec is the specification for the desired MonitoringStack object.

true

status

object

MonitoringStackStatus defines the observed state of the MonitoringStack object. It should always be reconstructable from the state of the cluster and/or outside world.

false

MonitoringStack.spec

MonitoringStackSpec is the specification for the desired MonitoringStack object.

Name Type Description Required

alertmanagerConfig

object

Define Alertmanager config.

Default: map[disabled:false]

false

logLevel

enum

Set log levels of configured components.

Enum: debug, info, warn, error

Default: info

false

namespaceSelector

object

Namespace selector for MonitoringStack resources.

  • To monitor everything, set to empty map selector. For example, namespaceSelector: {}.

  • To monitor resources in the namespace where MonitoringStack instance was created, set to null. For example, namespaceSelector:.

false

nodeSelector

map[string]string

Define node selector for MonitoringStack pods.

false

prometheusConfig

object

Define prometheus config.

Default: map[replicas:2]

false

resourceSelector

object

Label selector for MonitoringStack resources.

  • To monitor everything, set to empty map selector. For example, resourceSelector: {}.

  • To disable service discovery, set to null. For example, resourceSelector:.

false

resources

object

Define resources requests and limits for MonitoringStack pods.

Default: map[limits:map[cpu:500m memory:512Mi] requests:map[cpu:100m memory:256Mi]]

false

retention

string

Time duration to retain data. The string must match the regular expression [0-9]+(ms|s|m|h|d|w|y) (milliseconds seconds minutes hours days weeks years).

Default: 120h

false

tolerations

[]object

Define tolerations for MonitoringStack pods.

false

MonitoringStack.spec.alertmanagerConfig

Define Alertmanager config.

Name Type Description Required

disabled

boolean

Disables the deployment of Alertmanager.

Default: false

false

webTLSConfig

object

Configure TLS options for the Alertmanager web server.

false

MonitoringStack.spec.alertmanagerConfig.webTLSConfig

Configure TLS options for the Alertmanager web server.

Name Type Description Required

certificate

object

Reference to the TLS public certificate for the web server.

true

certificateAuthority

object

Reference to the root Certificate Authority used to verify the web server’s certificate.

true

privateKey

object

Reference to the TLS private key for the web server.

true

MonitoringStack.spec.alertmanagerConfig.webTLSConfig.certificate

Reference to the TLS public certificate for the web server.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true

MonitoringStack.spec.alertmanagerConfig.webTLSConfig.certificateAuthority

Reference to the root Certificate Authority used to verify the web server’s certificate.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true

MonitoringStack.spec.alertmanagerConfig.webTLSConfig.privateKey

Reference to the TLS private key for the web server.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true

MonitoringStack.spec.namespaceSelector

Namespace selector for MonitoringStack resources.

  • To monitor everything, set to empty map selector. For example, namespaceSelector: {}.

  • To monitor resources in the namespace where the MonitoringStack instance was created, set to null. For example, namespaceSelector:.

Name Type Description Required

matchExpressions

[]object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

false

matchLabels

map[string]string

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

false

MonitoringStack.spec.namespaceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name Type Description Required

key

string

key is the label key that the selector applies to.

true

operator

string

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

true

values

[]string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

false

MonitoringStack.spec.prometheusConfig

Define Prometheus configuration.

Name Type Description Required

enableOtlpHttpReceiver

boolean

Enable Prometheus to accept OpenTelemetry Metrics via the otlp/http`protocol. Defaults to the value of `false. The resulting endpoint is /api/v1/otlp/v1/metrics.

false

enableRemoteWriteReceiver

boolean

Enable Prometheus to be used as a receiver for the Prometheus remote write protocol. Defaults to the value of false.

false

externalLabels

map[string]string

Define ExternalLabels for Prometheus.

false

persistentVolumeClaim

object

Define persistent volume claim for Prometheus.

false

remoteWrite

[]object

Define remote write for Prometheus.

false

replicas

integer

Number of replicas/pods to deploy for a Prometheus deployment.

Format: int32

Default: 2

Minimum: 0

false

scrapeInterval

string

Default interval between scrapes.

false

webTLSConfig

object

Configure TLS options for the Prometheus web server.

false

MonitoringStack.spec.prometheusConfig.persistentVolumeClaim

Define persistent volume claim for Prometheus.

Name Type Description Required

accessModes

[]string

accessModes contains the desired access modes the volume should have. For more information, see Kubernetes Docs.

false

dataSource

object

dataSource field can be used to specify either:

  • An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)

  • An existing PVC (PersistentVolumeClaim)

If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source.

When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.

false

dataSourceRef

object

dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object.

When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner. This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value.

For backwards compatibility, when namespace is not specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn’t set to the same value and must be empty.

There are three important differences between dataSource and dataSourceRef:

  • While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects.

  • While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified.

  • While dataSource only allows local objects, dataSourceRef allows objects in any namespaces.

Beta: Using this field requires the AnyVolumeDataSource feature gate to be enabled.

Alpha: Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

false

resources

object

resources represents the minimum resources the volume should have.

If RecoverVolumeExpansionFailure feature is enabled, users are allowed to specify resource requirements that are lower than the previous value but must still be higher than the capacity recorded in the status field of the claim.

For more information, see Kubernetes Docs

false

selector

object

selector is a label query over volumes to consider for binding.

false

storageClassName

string

storageClassName is the name of the StorageClass required by the claim. For more information, see Kubernetes Docs

false

volumeAttributesClassName

string

volumeAttributesClassName may be used to set the VolumeAttributesClass used by this claim.

If specified, the CSI driver will create or update the volume with the attributes defined in the corresponding VolumeAttributesClass. This has a different purpose than storageClassName, as it can be changed after the claim is created. An empty string value means that no VolumeAttributesClass will be applied to the claim but it is not allowed to reset this field to the empty string once it is set.

If unspecified and the PersistentVolumeClaim is unbound, the default VolumeAttributesClass will be set by the persistentvolume controller if it exists. If the resource referred to by volumeAttributesClass does not exist, this PersistentVolumeClaim will be set to a Pending state, as reflected by the modifyVolumeStatus field, until such as a resource exists.

For more information, see Kubernetes Docs

Beta: Using this field requires the VolumeAttributesClass feature gate to be enabled (off by default).

false

volumeMode

string

volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.

false

volumeName

string

volumeName is the binding reference to the PersistentVolume backing this claim.

false

MonitoringStack.spec.prometheusConfig.persistentVolumeClaim.dataSource

dataSource field can be used to specify either:

  • An existing VolumeSnapshot object (snapshot.storage.k8s.io/VolumeSnapshot)

  • An existing PVC (PersistentVolumeClaim)

If the provisioner or an external controller can support the specified data source, it will create a new volume based on the contents of the specified data source. When the AnyVolumeDataSource feature gate is enabled, dataSource contents will be copied to dataSourceRef, and dataSourceRef contents will be copied to dataSource when dataSourceRef.namespace is not specified. If the namespace is specified, then dataSourceRef will not be copied to dataSource.

Name Type Description Required

kind

string

kind is the type of resource being referenced

true

name

string

name is the name of resource being referenced

true

apiGroup

string

apiGroup is the group for the resource being referenced. If apiGroup is not specified, the specified kind must be in the core API group. For any other third-party types, apiGroup is required.

false

MonitoringStack.spec.prometheusConfig.persistentVolumeClaim.dataSourceRef

dataSourceRef specifies the object from which to populate the volume with data, if a non-empty volume is desired. This may be any object from a non-empty API group (non core object) or a PersistentVolumeClaim object. When this field is specified, volume binding will only succeed if the type of the specified object matches some installed volume populator or dynamic provisioner.

This field will replace the functionality of the dataSource field and as such if both fields are non-empty, they must have the same value. For backwards compatibility, when namespace isn’t specified in dataSourceRef, both fields (dataSource and dataSourceRef) will be set to the same value automatically if one of them is empty and the other is non-empty. When namespace is specified in dataSourceRef, dataSource isn’t set to the same value and must be empty.

There are three important differences between dataSource and dataSourceRef:

  • While dataSource only allows two specific types of objects, dataSourceRef allows any non-core object, as well as PersistentVolumeClaim objects.

  • While dataSource ignores disallowed values (dropping them), dataSourceRef preserves all values, and generates an error if a disallowed value is specified.

  • While dataSource only allows local objects, dataSourceRef allows objects in any namespaces.

Beta: Using this field requires the AnyVolumeDataSource feature gate to be enabled.

Alpha: Using the namespace field of dataSourceRef requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

Name Type Description Required

kind

string

kind is the type of resource being referenced

true

name

string

name is the name of resource being referenced

true

apiGroup

string

apiGroup is the group for the resource being referenced.

If apiGroup is not specified, the specified kind must be in the core API group. For any other third-party types, apiGroup is required.

false

namespace

string

namespace is the namespace of resource being referenced.

Note that when a namespace is specified, a gateway.networking.k8s.io/ReferenceGrant object is required in the referent namespace to allow that namespace’s owner to accept the reference. See the ReferenceGrant documentation for details.

Alpha: This field requires the CrossNamespaceVolumeDataSource feature gate to be enabled.

false

MonitoringStack.spec.prometheusConfig.persistentVolumeClaim.resources

resources represents the minimum resources the volume should have.

If RecoverVolumeExpansionFailure feature is enabled users are allowed to specify resource requirements that are lower than the previous value but must still be higher than the capacity recorded in the status field of the claim.

For more information, see Kubernetes Docs

Name Type Description Required

limits

map[string]int or string

Limits describes the maximum amount of compute resources allowed.

For more information, see Kubernetes Docs

false

requests

map[string]int or string

Requests describes the minimum amount of compute resources required.

If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits.

For more information, see Kubernetes Docs

false

MonitoringStack.spec.prometheusConfig.persistentVolumeClaim.selector

selector is a label query over volumes to consider for binding.

Name Type Description Required

matchExpressions

[]object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

false

matchLabels

map[string]string

matchLabels is a map of {key,value} pairs.

A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

false

MonitoringStack.spec.prometheusConfig.persistentVolumeClaim.selector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name Type Description Required

key

string

key is the label key that the selector applies to.

true

operator

string

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

true

values

[]string

values is an array of string values.

If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index]

RemoteWriteSpec defines the configuration to write samples from Prometheus to a remote endpoint.

Name Type Description Required

url

string

The URL of the endpoint to send samples to.

true

authorization

object

Authorization section for the URL.

  • It requires Prometheus >= v2.26.0.

  • Cannot be set at the same time as sigv4, basicAuth, oauth2, or azureAd.

false

azureAd

object

AzureAD for the URL.

  • It requires Prometheus >= v2.45.0.

  • Cannot be set at the same time as authorization, basicAuth, oauth2, or sigv4.

false

basicAuth

object

BasicAuth configuration for the URL.

  • Cannot be set at the same time as sigv4, authorization, oauth2, or azureAd.

false

bearerToken

string

Warning: this field should not be used because the token value appears in clear-text. Prefer using authorization.

Deprecated: this will be removed in a future release.

false

bearerTokenFile

string

File from which to read bearer token for the URL.

Deprecated: this will be removed in a future release. Prefer using authorization.

false

enableHTTP2

boolean

Whether to enable HTTP2.

false

followRedirects

boolean

Configure whether HTTP requests follow HTTP 3xx redirects.

It requires Prometheus >= v2.26.0.

false

headers

map[string]string

Custom HTTP headers to be sent along with each remote write request. Be aware that headers that are set by Prometheus itself can’t be overwritten.

It requires Prometheus >= v2.25.0.

false

messageVersion

enum

The Remote Write message’s version to use when writing to the endpoint.

  • Version1.0 corresponds to the prometheus.WriteRequest protobuf message introduced in Remote Write 1.0. *Version2.0 corresponds to the io.prometheus.write.v2.Request protobuf message introduced in Remote Write 2.0.

  • When Version2.0 is selected, Prometheus will automatically be configured to append the metadata of scraped metrics to the WAL.

  • Before setting this field, consult with your remote storage provider what message version it supports.

  • It requires Prometheus >= v2.54.0.

Enum: V1.0, V2.0

false

metadataConfig

object

MetadataConfig configures the sending of series metadata to the remote storage.

false

name

string

The name of the remote write queue, it must be unique if specified. The name is used in metrics and logging in order to differentiate queues.

It requires Prometheus >= v2.15.0.

false

noProxy

string

noProxy is a comma-separated string that can contain IPs, CIDR notation, or domain names that should be excluded from proxying. IP and domain names can contain port numbers.

It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0.

false

oauth2

object

OAuth2 configuration for the URL.

  • It requires Prometheus >= v2.27.0.

  • Cannot be set at the same time as sigv4, authorization, basicAuth, or azureAd.

false

proxyConnectHeader

map[string][]object

ProxyConnectHeader optionally specifies headers to send to proxies during CONNECT requests.

It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0.

false

proxyFromEnvironment

boolean

Whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).

It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0.

false

proxyUrl

string

proxyURL defines the HTTP proxy server to use.

false

queueConfig

object

QueueConfig allows tuning of the remote write queue parameters.

false

remoteTimeout

string

Timeout for requests to the remote write endpoint.

false

sendExemplars

boolean

Enables sending of exemplars over remote write. Note that exemplar-storage itself must be enabled using the spec.enableFeatures option for exemplars to be scraped in the first place.

It requires Prometheus >= v2.27.0.

false

sendNativeHistograms

boolean

Enables sending of native histograms, also known as sparse histograms over remote write.

It requires Prometheus >= v2.40.0.

false

sigv4

object

Sigv4 allows to configures AWS’s Signature Verification 4 for the URL.

  • It requires Prometheus >= v2.26.0.

  • Cannot be set at the same time as authorization, basicAuth, oauth2, or azureAd.

false

tlsConfig

object

TLS Config to use for the URL.

false

writeRelabelConfigs

[]object

The list of remote write relabel configurations.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].authorization

Authorization section for the URL.

  • It requires Prometheus >= v2.26.0.

  • Cannot be set at the same time as sigv4, basicAuth, oauth2, or azureAd.

Name Type Description Required

credentials

object

Selects a key of a Secret in the namespace that contains the credentials for authentication.

false

credentialsFile

string

File to read a secret from, mutually exclusive with credentials.

false

type

string

Defines the authentication type. The value is case-insensitive.

"Basic" is not a supported value.

Default: "Bearer"

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].authorization.credentials

Selects a key of a Secret in the namespace that contains the credentials for authentication.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].azureAd

AzureAD for the URL.

  • It requires Prometheus >= v2.45.0.

  • Cannot be set at the same time as authorization, basicAuth, oauth2, or sigv4.

Name Type Description Required

cloud

enum

The Azure Cloud. Options are 'AzurePublic', 'AzureChina', or 'AzureGovernment'.

Enum: AzureChina, AzureGovernment, AzurePublic

false

managedIdentity

object

ManagedIdentity defines the Azure User-assigned Managed identity. Cannot be set at the same time as oauth or sdk.

false

oauth

object

OAuth defines the oauth config that is being used to authenticate.

  • Cannot be set at the same time as managedIdentity or sdk.

  • It requires Prometheus >= v2.48.0.

false

sdk

object

SDK defines the Azure SDK config that is being used to authenticate. See Azure SDK Authentication.

  • Cannot be set at the same time as oauth or managedIdentity.

  • It requires Prometheus >= 2.52.0.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].azureAd.managedIdentity

ManagedIdentity defines the Azure User-assigned Managed identity.

  • Cannot be set at the same time as oauth or sdk.

Name Type Description Required

clientId

string

The client id

true

MonitoringStack.spec.prometheusConfig.remoteWrite[index].azureAd.oauth

OAuth defines the oauth config that is being used to authenticate.

  • Cannot be set at the same time as managedIdentity or sdk.

  • It requires Prometheus >= v2.48.0.

Name Type Description Required

clientId

string

clientID is the clientId of the Azure Active Directory application that is being used to authenticate.

true

clientSecret

object

clientSecret specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate.

true

tenantId

string

tenantId is the tenant ID of the Azure Active Directory application that is being used to authenticate.

true

MonitoringStack.spec.prometheusConfig.remoteWrite[index].azureAd.oauth.clientSecret

clientSecret specifies a key of a Secret containing the client secret of the Azure Active Directory application that is being used to authenticate.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].azureAd.sdk

SDK defines the Azure SDK config that is being used to authenticate.

For more information, see Azure SDK Authentication.

  • Cannot be set at the same time as oauth or managedIdentity.

  • It requires Prometheus >= 2.52.0.

Name Type Description Required

tenantId

string

tenantId is the tenant ID of the azure active directory application that is being used to authenticate.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].basicAuth

BasicAuth configuration for the URL.

  • Cannot be set at the same time as sigv4, authorization, oauth2, or azureAd.

Name Type Description Required

password

object

password specifies a key of a Secret containing the password for authentication.

false

username

object

username specifies a key of a Secret containing the username for authentication.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].basicAuth.password

password specifies a key of a Secret containing the password for authentication.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].basicAuth.username

username specifies a key of a Secret containing the username for authentication.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].metadataConfig

MetadataConfig configures the sending of series metadata to the remote storage.

Name Type Description Required

send

boolean

Defines whether metric metadata is sent to the remote storage or not.

false

sendInterval

string

Defines how frequently metric metadata is sent to the remote storage.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2

OAuth2 configuration for the URL.

  • It requires Prometheus >= v2.27.0.

  • Cannot be set at the same time as sigv4, authorization, basicAuth, or azureAd.

Name Type Description Required

clientId

object

clientId specifies a key of a Secret or ConfigMap object containing the OAuth2 client’s ID.

true

clientSecret

object

clientSecret specifies a key of a Secret containing the OAuth2 client’s secret.

true

tokenUrl

string

tokenURL configures the URL to fetch the token from.

true

endpointParams

map[string]string

endpointParams configures the HTTP parameters to append to the token URL.

false

noProxy

string

noProxy is a comma-separated string that can contain IPs, CIDR notation, or domain names that should be excluded from proxying. IP and domain names can contain port numbers.

It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0.

false

proxyConnectHeader

map[string][]object

ProxyConnectHeader optionally specifies headers to send to proxies during CONNECT requests.

It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0.

false

proxyFromEnvironment

boolean

Whether to use the proxy configuration defined by environment variables (HTTP_PROXY, HTTPS_PROXY, and NO_PROXY).

It requires Prometheus >= v2.43.0 or Alertmanager >= 0.25.0.

false

proxyUrl

string

proxyURL defines the HTTP proxy server to use.

false

scopes

[]string

scopes defines the OAuth2 scopes used for the token request.

false

tlsConfig

object

TLS configuration to use when connecting to the OAuth2 server.

It requires Prometheus >= v2.43.0.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.clientId

clientId specifies a key of a Secret or ConfigMap containing the OAuth2 client’s ID.

Name Type Description Required

configMap

object

ConfigMap containing data to use for the targets.

false

secret

object

Secret containing data to use for the targets.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.clientId.configMap

ConfigMap containing data to use for the targets.

Name Type Description Required

key

string

The key to select.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the ConfigMap or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.clientId.secret

Secret containing data to use for the targets.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.clientSecret

clientSecret specifies a key of a Secret containing the OAuth2 client’s secret.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.proxyConnectHeader[key][index]

SecretKeySelector selects a key of a Secret.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.tlsConfig

TLS configuration to use when connecting to the OAuth2 server.

  • It requires Prometheus >= v2.43.0.

Name Type Description Required

ca

object

Certificate authority used when verifying server certificates.

false

cert

object

Client certificate to present when doing client-authentication.

false

insecureSkipVerify

boolean

Disable target certificate validation.

false

keySecret

object

Secret containing the client key file for the targets.

false

maxVersion

enum

Maximum acceptable TLS version.

It requires Prometheus >= v2.41.0.

Enum: TLS10, TLS11, TLS12, TLS13

false

minVersion

enum

Minimum acceptable TLS version.

It requires Prometheus >= v2.35.0.

Enum: TLS10, TLS11, TLS12, TLS13

false

serverName

string

Used to verify the hostname for the targets.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.tlsConfig.ca

Certificate authority used when verifying server certificates.

Name Type Description Required

configMap

object

ConfigMap containing data to use for the targets.

false

secret

object

Secret containing data to use for the targets.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.tlsConfig.ca.configMap

ConfigMap containing data to use for the targets.

Name Type Description Required

key

string

The key to select.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the ConfigMap or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.tlsConfig.ca.secret

Secret containing data to use for the targets.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.tlsConfig.cert

Client certificate to present when doing client-authentication.

Name Type Description Required

configMap

object

ConfigMap containing data to use for the targets.

false

secret

object

Secret containing data to use for the targets.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.tlsConfig.cert.configMap

ConfigMap containing data to use for the targets.

Name Type Description Required

key

string

The key to select.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the ConfigMap or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.tlsConfig.cert.secret

Secret containing data to use for the targets.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].oauth2.tlsConfig.keySecret

Secret containing the client key file for the targets.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].proxyConnectHeader[key][index]

SecretKeySelector selects a key of a Secret.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].queueConfig

QueueConfig allows tuning of the remote write queue parameters.

Name Type Description Required

batchSendDeadline

string

BatchSendDeadline is the maximum time a sample will wait in buffer.

false

capacity

integer

Capacity is the number of samples to buffer per shard before we start dropping them.

false

maxBackoff

string

MaxBackoff is the maximum retry delay.

false

maxRetries

integer

MaxRetries is the maximum number of times to retry a batch on recoverable errors.

false

maxSamplesPerSend

integer

MaxSamplesPerSend is the maximum number of samples per send.

false

maxShards

integer

MaxShards is the maximum number of shards, that is, the amount of concurrency.

false

minBackoff

string

MinBackoff is the initial retry delay. Gets doubled for every retry.

false

minShards

integer

MinShards is the minimum number of shards, that is, the amount of concurrency.

false

retryOnRateLimit

boolean

Retry upon receiving a 429 status code from the remote-write storage.

This is an experimental feature, it may change in any upcoming release in a breaking way.

false

sampleAgeLimit

string

SampleAgeLimit drops samples older than the limit.

It requires Prometheus >= v2.50.0.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].sigv4

Sigv4 allows to configures AWS’s Signature Verification 4 for the URL.

  • It requires Prometheus >= v2.26.0.

  • Cannot be set at the same time as authorization, basicAuth, oauth2, or azureAd.

Name Type Description Required

accessKey

object

AccessKey is the AWS API key. If not specified, the environment variable AWS_ACCESS_KEY_ID is used.

false

profile

string

Profile is the named AWS profile used to authenticate.

false

region

string

Region is the AWS region. If blank, the region from the default credentials chain used.

false

roleArn

string

RoleArn is the named AWS profile used to authenticate.

false

secretKey

object

SecretKey is the AWS API secret. If not specified, the environment variable AWS_SECRET_ACCESS_KEY is used.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].sigv4.accessKey

AccessKey is the AWS API key. If not specified, the environment variable AWS_ACCESS_KEY_ID is used.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].sigv4.secretKey

SecretKey is the AWS API secret. If not specified, the environment variable AWS_SECRET_ACCESS_KEY is used.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].tlsConfig

TLS Config to use for the URL.

Name Type Description Required

ca

object

Certificate authority used when verifying server certificates.

false

caFile

string

Path to the CA cert in the Prometheus container to use for the targets.

false

cert

object

Client certificate to present when doing client-authentication.

false

certFile

string

Path to the client cert file in the Prometheus container for the targets.

false

insecureSkipVerify

boolean

Disable target certificate validation.

false

keyFile

string

Path to the client key file in the Prometheus container for the targets.

false

keySecret

object

Secret containing the client key file for the targets.

false

maxVersion

enum

Maximum acceptable TLS version.

It requires Prometheus >= v2.41.0.

Enum: TLS10, TLS11, TLS12, TLS13

false

minVersion

enum

Minimum acceptable TLS version.

It requires Prometheus >= v2.35.0.

Enum: TLS10, TLS11, TLS12, TLS13

false

serverName

string

Used to verify the hostname for the targets.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].tlsConfig.ca

Certificate authority used when verifying server certificates.

Name Type Description Required

configMap

object

ConfigMap containing data to use for the targets.

false

secret

object

Secret containing data to use for the targets.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].tlsConfig.ca.configMap

ConfigMap containing data to use for the targets.

Name Type Description Required

key

string

The key to select.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the ConfigMap or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].tlsConfig.ca.secret

Secret containing data to use for the targets.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].tlsConfig.cert

Client certificate to present when doing client-authentication.

Name Type Description Required

configMap

object

ConfigMap containing data to use for the targets.

false

secret

object

Secret containing data to use for the targets.

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].tlsConfig.cert.configMap

ConfigMap containing data to use for the targets.

Name Type Description Required

key

string

The key to select.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the ConfigMap or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].tlsConfig.cert.secret

Secret containing data to use for the targets.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].tlsConfig.keySecret

Secret containing the client key file for the targets.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong.

For more information, see Kubernetes Docs

false

optional

boolean

Specify whether the Secret or its key must be defined

false

MonitoringStack.spec.prometheusConfig.remoteWrite[index].writeRelabelConfigs[index]

RelabelConfig allows dynamic rewriting of the label set for targets, alerts, scraped samples and remote write samples.

For more information, see Prometheus Docs

Name Type Description Required

action

enum

Action to perform based on the regex matching.

  • Uppercase and Lowercase actions require Prometheus >= v2.36.0.

  • DropEqual and KeepEqual actions require Prometheus >= v2.41.0.

Enum: replace, Replace, keep, Keep, drop, Drop, hashmod, HashMod, labelmap, LabelMap, labeldrop, LabelDrop, labelkeep, LabelKeep, lowercase, Lowercase, uppercase, Uppercase, keepequal, KeepEqual, dropequal, DropEqual

Default: replace

false

modulus

integer

Modulus to take of the hash of the source label values.

Only applicable when the action is HashMod.

Format: int64

false

regex

string

Regular expression against which the extracted value is matched.

false

replacement

string

Replacement value against which a Replace action is performed if the regular expression matches.

Regex capture groups are available.

false

separator

string

Separator is the string between concatenated SourceLabels.

false

sourceLabels

[]string

The source labels select values from existing labels. Their content is concatenated using the configured Separator and matched against the configured regular expression.

false

targetLabel

string

Label to which the resulting string is written in a replacement.

It is mandatory for Replace, HashMod, Lowercase, Uppercase, KeepEqual and DropEqual actions.

Regex capture groups are available.

false

MonitoringStack.spec.prometheusConfig.webTLSConfig

Configure TLS options for the Prometheus web server.

Name Type Description Required

certificate

object

Reference to the TLS public certificate for the web server.

true

certificateAuthority

object

Reference to the root Certificate Authority used to verify the web server’s certificate.

true

privateKey

object

Reference to the TLS private key for the web server.

true

MonitoringStack.spec.prometheusConfig.webTLSConfig.certificate

Reference to the TLS public certificate for the web server.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true

MonitoringStack.spec.prometheusConfig.webTLSConfig.certificateAuthority

Reference to the root Certificate Authority used to verify the web server’s certificate.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true

MonitoringStack.spec.prometheusConfig.webTLSConfig.privateKey

Reference to the TLS private key for the web server.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true

MonitoringStack.spec.resourceSelector

Label selector for MonitoringStack resources.

  • To monitor everything, set to empty map selector. For example, resourceSelector: {}.

  • To disable service discovery, set to null. For example, resourceSelector:.

Name Type Description Required

matchExpressions

[]object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

false

matchLabels

map[string]string

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

false

MonitoringStack.spec.resourceSelector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name Type Description Required

key

string

key is the label key that the selector applies to.

true

operator

string

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

true

values

[]string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

false

MonitoringStack.spec.resources

Define resources requests and limits for MonitoringStack pods.

Name Type Description Required

claims

[]object

Claims lists the names of resources, defined in spec.resourceClaims, that are used by this container.

This is an alpha field and requires enabling the DynamicResourceAllocation feature gate.

This field is immutable. It can only be set for containers.

false

limits

map[string]int or string

Limits describes the maximum amount of compute resources allowed.

For more information, see Kubernetes Docs

false

requests

map[string]int or string

Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. Requests cannot exceed Limits.

For more information, see Kubernetes Docs

false

MonitoringStack.spec.resources.claims[index]

ResourceClaim references one entry in PodSpec.ResourceClaims.

Name Type Description Required

name

string

Name must match the name of one entry in pod.spec.resourceClaims of the Pod where this field is used. It makes that resource available inside a container.

true

request

string

Request is the name chosen for a request in the referenced claim. If empty, everything from the claim is made available, otherwise only the result of this request.

false

MonitoringStack.spec.tolerations[index]

The pod this Toleration is attached to tolerates any taint that matches the triple <key,value,effect> using the matching operator <operator>.

Name Type Description Required

effect

string

Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.

false

key

string

Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.

false

operator

string

Operator represents a key’s relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.

false

tolerationSeconds

integer

TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.

Format: int64

false

value

string

Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.

false

MonitoringStack.status

MonitoringStackStatus defines the observed state of the MonitoringStack instance. It should always be reconstructable from the state of the cluster and/or outside world.

Name Type Description Required

conditions

[]object

Conditions provide status information about the MonitoringStack instance.

true

MonitoringStack.status.conditions[index]

Name Type Description Required

lastTransitionTime

string

lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

Format: date-time

true

message

string

message is a human readable message indicating details about the transition. This may be an empty string.

true

reason

string

reason contains a programmatic identifier indicating the reason for the condition’s last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

true

status

enum

status of the condition

Enum: True, False, Unknown, Degraded

true

type

string

type of condition in CamelCase or in foo.example.com/CamelCase. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)

true

observedGeneration

integer

observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

Format: int64

Minimum: 0

false

ThanosQuerier

ThanosQuerier outlines the Thanos querier components, managed by this stack

Name Type Description Required

apiVersion

string

monitoring.rhobs/v1alpha1

true

kind

string

ThanosQuerier

true

metadata

object

Refer to the Kubernetes API documentation for the fields of the metadata field.

true

spec

object

ThanosQuerierSpec defines a single Thanos Querier instance. This means a label selector by which MonitoringStack instances to query are selected, and an optional namespace selector and a list of replica labels by which to deduplicate.

false

status

object

ThanosQuerierStatus defines the observed state of ThanosQuerier. It should always be reconstructable from the state of the cluster and/or outside world.

false

ThanosQuerier.spec

ThanosQuerierSpec defines a single Thanos Querier instance. This means a label selector by which MonitoringStack instances to query are selected, and an optional namespace selector and a list of replica labels by which to deduplicate.

Name Type Description Required

selector

object

Selector to select monitoring stacks to unify.

true

namespaceSelector

object

Selector to select which namespaces the MonitoringStack objects are discovered from.

false

replicaLabels

[]string

false

webTLSConfig

object

Configure TLS options for the Thanos web server.

false

ThanosQuerier.spec.selector

Selector to select monitoring stacks to unify.

Name Type Description Required

matchExpressions

[]object

matchExpressions is a list of label selector requirements. The requirements are ANDed.

false

matchLabels

map[string]string

matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

false

ThanosQuerier.spec.selector.matchExpressions[index]

A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.

Name Type Description Required

key

string

key is the label key that the selector applies to.

true

operator

string

operator represents a key’s relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.

true

values

[]string

values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

false

ThanosQuerier.spec.namespaceSelector

Selector to select which namespaces the MonitoringStack objects are discovered from.

Name Type Description Required

any

boolean

Boolean describing whether all namespaces are selected in contrast to a list restricting them.

false

matchNames

[]string

List of namespace names.

false

ThanosQuerier.spec.webTLSConfig

Configure TLS options for the Thanos web server.

Name Type Description Required

certificate

object

Reference to the TLS public certificate for the web server.

true

certificateAuthority

object

Reference to the root Certificate Authority used to verify the web server’s certificate.

true

privateKey

object

Reference to the TLS private key for the web server.

true

ThanosQuerier.spec.webTLSConfig.certificate

Reference to the TLS public certificate for the web server.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true

ThanosQuerier.spec.webTLSConfig.certificateAuthority

Reference to the root Certificate Authority used to verify the web server’s certificate.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true

ThanosQuerier.spec.webTLSConfig.privateKey

Reference to the TLS private key for the web server.

Name Type Description Required

key

string

The key of the secret to select from. Must be a valid secret key.

true

name

string

The name of the secret in the object’s namespace to select from.

true