diff --git a/grafana.yaml b/grafana.yaml
index aa53805..be5b44d 100644
--- a/grafana.yaml
+++ b/grafana.yaml
@@ -3,6 +3,25 @@ kind: Namespace
 metadata:
 name: memelord-jake
 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: grafana-datasources
+ namespace: memelord-jake
+data:
+ datasources.yaml: |
+ apiVersion: 1
+ datasources:
+ - name: Prometheus
+ type: prometheus
+ access: proxy
+ url: http://prometheus-operated.monitoring.svc.cluster.local:9090
+ isDefault: true
+ - name: Loki
+ type: loki
+ access: proxy
+ url: http://loki.monitoring.svc.cluster.local:3100
+---
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -21,6 +40,7 @@ spec:
 labels:
 app: grafana
 spec:
+ # Grafana official image runs as UID/GID 472
 securityContext:
 fsGroup: 472
 containers:
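Review bot: The comment added above `securityContext:` states that the image runs as UID/GID 472, but the block beneath it only sets `fsGroup: 472`, which governs volume ownership and not the process identity, so the comment documents an assumption the manifest does not enforce. Adding `runAsUser: 472`, `runAsGroup: 472` and `runAsNonRoot: true` to the pod-level `securityContext` makes the statement true at admission time and rejects an image that happens to run as root. The pod template continues outside the hunk, so if a container-level securityContext already exists there, the fields belong in one place only.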
@@ -30,17 +50,68 @@ spec:
 ports:
 - containerPort: 3000
 name: http
+
 env:
+ # sqlite DB on PVC
 - name: GF_DATABASE_TYPE
 value: sqlite3
 - name: GF_DATABASE_PATH
 value: /var/lib/grafana/grafana.db
- # important when running behind ingress:
+
+ # Ingress URL (important for OAuth callback + absolute links)
 - name: GF_SERVER_ROOT_URL
- value: https://grafana-jake.ee-lte-1.codemowers.io
+ value: https://grafana-jake.ee-lte-1.codemowers.io/
+ - name: GF_SERVER_SERVE_FROM_SUB_PATH
+ value: "false"
+
+ # ---- OIDC (Passmower) via Generic OAuth ----
+ - name: GF_AUTH_GENERIC_OAUTH_ENABLED
+ value: "true"
+ - name: GF_AUTH_GENERIC_OAUTH_NAME
+ value: "Passmower"
+ - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
+ value: "true"
+
+ # pkce=false matches your OIDCClient style
+ - name: GF_AUTH_GENERIC_OAUTH_USE_PKCE
+ value: "false"
+
+ # IMPORTANT:
+ # Replace "grafana-jake-oidc" with the actual Secret created by the OIDCClient controller
+ # (see "What to do next" section below)
+ - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: grafana-jake-oidc
+ key: client_id
+ - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: grafana-jake-oidc
+ key: client_secret
+
+ - name: GF_AUTH_GENERIC_OAUTH_SCOPES
+ value: "openid profile email"
+
+ # Passmower issuer base: https://auth.ee-lte-1.codemowers.io/
+ # DO NOT GUESS THE PATHS: fetch .well-known/openid-configuration and paste exact endpoints.
+ - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
+ value: "https://auth.ee-lte-1.codemowers.io/"
+ - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
+ value: "https://auth.ee-lte-1.codemowers.io/"
+ - name: GF_AUTH_GENERIC_OAUTH_API_URL
+ value: "https://auth.ee-lte-1.codemowers.io/"
+
+ - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
+ value: https://grafana-jake.ee-lte-1.codemowers.io/
+
 volumeMounts:
 - name: grafana-storage
 mountPath: /var/lib/grafana
+ - name: grafana-datasources
+ mountPath: /etc/grafana/provisioning/datasources
+ readOnly: true
+
 readinessProbe:
 httpGet:
 path: /api/health
@@ -53,6 +124,12 @@ spec:
 port: 3000
 initialDelaySeconds: 30
 periodSeconds: 10
+
+ volumes:
+ - name: grafana-datasources
+ configMap:
+ name: grafana-datasources
+
 volumeClaimTemplates:
 - metadata:
 name: grafana-storage
@@ -95,18 +172,17 @@ spec:
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: grafana
+ name: grafana-jake
 namespace: memelord-jake
 annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 spec:
- ingressClassName: traefik
 rules:
 - host: grafana-jake.ee-lte-1.codemowers.io
 http:
 paths:
- - path: /
- pathType: Prefix
+ - pathType: Prefix
+ path: "/"
 backend:
 service:
 name: grafana
@@ -114,3 +190,26 @@ spec:
 number: 3000
 tls:
 - secretName: grafana-jake-tls
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+ name: grafana-jake
+ namespace: memelord-jake
+spec:
+ displayName: Grafana jake
+ # Grafana Generic OAuth callback endpoint:
+ # https:///login/generic_oauth
+ uri: https://grafana-jake.ee-lte-1.codemowers.io/login/generic_oauth
+ redirectUris:
+ - https://grafana-jake.ee-lte-1.codemowers.io/login/generic_oauth
+ grantTypes:
+ - authorization_code
+ - refresh_token
+ responseTypes:
+ - code
+ availableScopes:
+ - openid
+ - profile
+ - email
+ pkce: false
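Review bot: `GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP: "true"` is set with no `GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS`, `GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS` or `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH` alongside it, so every identity Passmower is willing to authenticate is auto-provisioned as a Grafana user at the default org role; if only some of the IdP's users should get in, add one of those restrictions (with `GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT: "true"` if the role mapping is meant to be mandatory). The three `*_AUTH_URL`, `*_TOKEN_URL` and `*_API_URL` values are all the issuer root, and the comment above them says not to guess the paths, so as committed the login flow cannot complete; either fill in the endpoints from the discovery document before merging or change the comment to `# PLACEHOLDER: replace with the endpoints from .well-known/openid-configuration` so nobody applies these values as-is. `GF_AUTH_GENERIC_OAUTH_USE_PKCE: "false"` is defensible for a confidential client that holds a client secret, but the reason deserves a one-line comment rather than "matches your OIDCClient style". The container definition starts before and continues after the hunk.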
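Review bot: Removing `ingressClassName: traefik` leaves the Ingress without an explicit class, so it is only reconciled if the cluster marks an IngressClass as default; on a cluster running more than one controller it would silently not be served while the Traefik-specific `router.entrypoints` annotation still suggests Traefik is intended. If relying on the default class is deliberate, record that next to the annotation, e.g. `# ingressClassName omitted on purpose: the cluster default IngressClass is traefik`; otherwise keep the line. The Ingress spec continues outside the hunk.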
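Review bot: The comment `# https:///login/generic_oauth` above `uri:` has lost its host (an empty authority, most likely an angle-bracket placeholder stripped during rendering); write it as `# https://<grafana-host>/login/generic_oauth` so the callback path is documented legibly. `grantTypes` includes `refresh_token`, but the StatefulSet hunk sets no `GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN` and `availableScopes` has no `offline_access`, so the grant appears unused and could be dropped, or the Grafana side may need the matching settings if refresh is wanted. The StatefulSet reads a Secret named `grafana-jake-oidc` while this OIDCClient is named `grafana-jake`; the commit's own comment says that Secret name must be replaced with the one the controller creates, so confirm the two agree before merging.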