Prometheus, Grafana, and AlertManager with Kosmos SSO
This application template deploys a full monitoring stack—Prometheus, Grafana, and AlertManager—integrated with Kosmos SSO for centralized authentication and authorization.
The template provides:
- Pre-configured integration between components
- Persistent storage support
- Resource optimization for Kubernetes environments
It is designed to be deployed to a target vCluster using a Kosmos Task.
Key components
- Prometheus – Collects and stores metrics
- Grafana – Visualizes metrics and integrates with Kosmos SSO
- AlertManager – Handles alerts (disabled by default)
- Kube State Metrics – Exposes Kubernetes object state metrics
For advanced configuration, refer to the original Helm chart documentation .
Parameters
| Name | Type | Required | Created by Kosmos Controller | Description | Example or Default Value |
|---|---|---|---|---|---|
| grafana_root_url | string | ✅ | ❌ | Base URL to access Grafana application | http(s)://<GRAFANA_URL> or http://localhost:3000 |
| storage_type | string | ❌ | ❌ | Storage type for persistent data. Default is ephemeral (emptyDir). Choose between ephemeral (temporary, data lost on restart) or persistent (requires storage setup, not supported in vClusters). | ephemeral |
| storage_class | string | ❌ | ❌ | (Configure if Storage Type is persistent) StorageClass name used for PVCs (e.g. gp2, gp3, standard). Leave empty for default storage class. | gp2 |
| app_secret | string | ✅ | ✅ | Grafana secret name to be created and distributed to the target cluster | grafana-secret |
| app_redirect_url | string | ✅ | ✅ | URL hit after successful login | http(s)://<GRAFANA_URL>/login/generic_oauth or http://localhost:3000/login/generic_oauth |
| kubelet_enabled | string | ❌ | ❌ | Enable kubelet metrics collection. Recommended false for vClusters (default: false). | false |
| node_exporter_enabled | string | ❌ | ❌ | Enable node exporter as daemonset. Recommended false for vClusters (default: false). | false |
| alertmanager_enabled | string | ❌ | ❌ | Enable AlertManager with Prometheus (default: false). | false |
| approle_users_admin | Comma-separated String | ✅ | ✅ | Usernames with Grafana admin role | user1,user2 |
| approle_teams_admin | Comma-separated String | ✅ | ✅ | Teams with Grafana admin role | team1,team2 |
| approle_users_editor | Comma-separated String | ✅ | ✅ | Usernames with Grafana editor role | user3,user4 |
| approle_teams_editor | Comma-separated String | ✅ | ✅ | Teams with Grafana editor role | team3,team4 |
| approle_users_viewer | Comma-separated String | ✅ | ✅ | Usernames with Grafana viewer role | user5,user6 |
| approle_teams_viewer | Comma-separated String | ✅ | ✅ | Teams with Grafana viewer role | team5,team6 |
| grafana_ingress_values | string | ❌ | ❌ | Grafana ingress configuration with TLS. Secrets must be created manually. | See YAML example grafana_ingress_values |
| prometheus_ingress_values | string | ❌ | ❌ | Prometheus ingress configuration with TLS. Secrets must be created manually. | See YAML example prometheus_ingress_values |
| app_values | string | ❌ | ❌ | Additional Helm values for the application | See YAML example app_values |
Example grafana_ingress_values
enabled: true
ingressClassName: nginx
annotations:
nginx.org/redirect-to-https: "true"
hosts:
- <GRAFANA_DOMAIN>
tls:
- secretName: "<GRAFANA_TLS_SECRET>"
hosts:
- <GRAFANA_DOMAIN>
Example prometheus_ingress_values
enabled: true
ingressClassName: nginx
annotations:
nginx.org/redirect-to-https: "true"
hosts:
- <PROMETHEUS_DOMAIN>
tls:
- secretName: "<PROMETHEUS_TLS_SECRET>"
hosts:
- <PROMETHEUS_DOMAIN>
Example app_values
grafana:
resources:
requests:
cpu: "300m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
service:
type: ClusterIP
port: 80
targetPort: 3000
prometheus:
prometheusSpec:
resources:
requests:
cpu: "300m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
service:
type: ClusterIP
Installation setup
Prerequisites
- Fleet cluster or DevSpace vCluster access
- Kosmos CLI: Version
v4.3.15or later- Refer to the latest available version
- Target namespace already exists in the cluster where the app will be deployed
Installation via Kosmos CLI
Step 1: Login to Kosmos CLI
Login to the Kosmos staging environment:
kosmos login https://console.kosmos.spcplatform.com/ --access-key $ACCESS_KEY
Example output:
09:02:17 done Successfully logged into Kosmos instance https://console.kosmos.spcplatform.com
Verify your user:
kosmos get currentuser
┌─────────────┬─────────────────────┬──────────────────┬────────────────┬───────────────────┐
│ USERNAME │ KUBERNETES NAME │ DISPLAY NAME │ EMAIL │ TEAMS │
├─────────────┼─────────────────────┼──────────────────┼────────────────┼───────────────────┤
│ user │ user │ user@mail.com │ user@mail.com │ Kosmos User Team │
└─────────────┴─────────────────────┴──────────────────┴────────────────┴───────────────────┘
Step 2: Check existing Kosmos app
Make sure grafana-prometheus-auth exists:
kosmos get app --name grafana-prometheus-auth
┌─────────────────────────┬──────────────────────────────────────┬──────────────────────────────────────────────────────────────────────┬───────┐
│ NAME │ DISPLAY NAME │ DESCRIPTION │ OWNER │
├─────────────────────────┼──────────────────────────────────────┼──────────────────────────────────────────────────────────────────────┼───────┤
│ grafana-prometheus-auth │ Grafana and Prometheus w/ Kosmos SSO │ Monitoring App (Prometheus + Grafana + AlertManager) w/ Kosmos SSO │ admin │
└─────────────────────────┴──────────────────────────────────────┴──────────────────────────────────────────────────────────────────────┴───────┘
Step 3: Create parameters file
Create a file named app-parameters.yaml:
# Users Role Assignments
approle_users_admin: user1,user2 # Admin users (comma-separated)
approle_users_editor: "" # Editor users (comma-separated)
approle_users_viewer: user3 # Viewer users (comma-separated)
# Team Role Assignments
approle_teams_admin: team1 # Optional admin teams (comma-separated)
approle_teams_editor: "" # Optional editor teams (comma-separated)
approle_teams_viewer: team2 # Optional viewer teams (comma-separated)
# OAuth Configuration
app_redirect_url: "http://<GRAFANA_URL>/login/generic_oauth"
app_secret: grafana-secret # Secret name for OAuth credentials
# Grafana Configuration
grafana_root_url: "http://<GRAFANA_URL>" # Public access server URL
# (Optional) Storage Configuration
storage_type: "ephemeral" # Options: ephemeral, persistent
storage_class: "" # The StorageClass name used for PVCs
# (e.g. gp2, gp3, standard, etc).
# Use values matching your cluster's storage classes.
# Leave empty for default storage class.
# (Optional) Additional resources
kubelet_enabled: "false" # Enable to collect kubelet metrics.
# Recommended to set to false for vClusters
node_exporter_enabled: "false" # Enable to deploy node exporter as a daemonset to all nodes.
# Recommended to set to false for vClusters
alertmanager_enabled: "false" # Enable to deploy AlertManager along with Prometheus.
# Recommended to set to false for vClusters
# (Optional) Additional Ingress Configuration for Grafana and Prometheus
grafana_ingress_values: |
enabled: true
ingressClassName: nginx
annotations:
nginx.org/redirect-to-https: "true"
hosts:
- <GRAFANA_DOMAIN>
tls:
- secretName: "<GRAFANA_TLS_SECRET>"
hosts:
- <GRAFANA_DOMAIN>
prometheus_ingress_values: |
enabled: false
ingressClassName: nginx
hosts:
- <PROMETHEUS_DOMAIN>
tls:
- secretName: "<PROMETHEUS_TLS_SECRET>"
hosts:
- <PROMETHEUS_DOMAIN>
# (Optional) Additional Configuration
app_values: |
grafana:
resources:
requests:
cpu: "300m"
memory: "512Mi"
limits:
cpu: "1000m"
memory: "1Gi"
service:
type: ClusterIP
port: 80
targetPort: 3000
prometheus:
prometheusSpec:
resources:
requests:
cpu: "500m"
memory: "1Gi"
limits:
cpu: "2000m"
memory: "4Gi"
service:
type: ClusterIP
Step 4: Install the app
Example using DevSpace sample-devspace and vCluster sample-vcluster:
kosmos install app --name grafana-prometheus-auth
--parameter-file app-parameters.yaml \ # App parameter YAML file
--release-name grafana-prometheus-auth \ # Name of the App
--target-cluster sample-vcluster \ # Target v/cluster
--devspace sample-devspace \ # Name of the Fleet or DevSpace. Use --fleet <FLEET_NAME> instead for Fleet.
--target-namespace sample # Namespace where the App is deployed
09:32:40 done Successfully installed App 'sample-devspace'
09:32:40 done Successfully installed App 'sample-devspace'
Method 2: Using Kosmos UI
Step 1: Login
Go to:
https://console.kosmos.spcplatform.com/
Step 2: Go to your v/cluster
DevSpace vCluster:
https://console.kosmos.spcplatform.com/devspaces/[DEVSPACE_NAME]/vclusters/[VCLUSTER_NAME]Fleet cluster:
https://console.kosmos.spcplatform.com/fleets/[FLEET_NAME]/clusters/[CLUSTER_NAME]
Step 3: Open Apps tab
Choose the Apps section.
Step 4: Click Install App
Click Install App.
Select grafana-prometheus-auth and choose namespace sample.
Step 5: Fill parameters
Fill all required fields using app-parameters.yaml as reference.
At the bottom, assign users and teams to:
- ADMIN
- EDITOR
- VIEWER
Step 6: Install
Click Install and review the Helm logs.
Installed resources
Main components
- Grafana – Visualization
- Prometheus – Metrics collection
- Role/RoleBinding – RBAC
Default deployed components
Prometheus Operator
Prometheus (StatefulSet, 30-day retention)
Grafana (Deployment) with:
- Kosmos SSO (OAuth2)
- Default Prometheus datasource
- Kubernetes dashboards
- Dashboard sidecar
Kube State Metrics – enabled
AlertManager – disabled
Node Exporter – disabled
Kubelet metrics – disabled
Storage options
- Ephemeral (default): emptyDir, data lost on restart
- Persistent: PVC with configurable StorageClass
Authentication & authorization
- Grafana uses Kosmos SSO (OAuth2)
- RBAC roles: Admin, Editor, Viewer
Default resources
- Prometheus: 100m CPU, 256Mi memory
- Grafana: default values
- AlertManager: 50m CPU, 128Mi memory
- Kube State Metrics: default values
Deployment
Pods
Service
Role/RoleBinding
Role:
RoleBinding:
Testing scenario
Prerequisites
- Kosmos CLI: Version
v4.3.15or later. Refer to the latest available version - kubectl
Update Kubernetes context
DevSpace vCluster
kosmos use vcluster --name sample-vcluster --devspace sample-devspace
Fleet cluster
kosmos use cluster sample-cluster --fleet sample-fleet
Authorization testing
Port-forward the Grafana service
After switching to the correct Kubernetes context, port-forward the Grafana service to your local machine:
kubectl port-forward -n sample svc/grafana-prometheus-auth 3000:80
Note:
- Local port 3000 must match the port in
app_redirect_url(http://localhost:3000) - Port 80 is the default Grafana service port
Check roles and permissions
Open the following URL in your browser:
http://localhost:3000You will be redirected to the Kosmos Auth login page. If this is your first login, click Grant when prompted.
After successful login, you will be redirected to the Grafana dashboard with your assigned role.
Viewer role
- Simplified UI
- Limited permissions
Admin role
- Full UI access
- All administrative features enabled
Grafana Admin
Prometheus metrics verification
kubectl port-forward -n sample svc/prometheus-operated 9090:9090
Then:
Open
http://localhost:9090Go to Status → Targets and verify targets are active
Run a sample query such as:
up
Dashboard persistence testing
Create a test dashboard in Grafana
Delete the Grafana pod:
kubectl delete pod -n sample -l app.kubernetes.io/name=grafanaWait for the pod to be recreated
Verify the dashboard still exists
Alerting testing (if enabled)
Check AlertManager pod:
kubectl get pods -n sample | grep alertmanager
Port forward to AlertManager:
kubectl port-forward -n sample svc/alertmanager-operated 9093:9093