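---
# Grafana for the memelord-jake namespace: SQLite on a PVC, OIDC login via
# Passmower (Generic OAuth), exposed through Traefik with a cert-manager TLS cert.
apiVersion: v1
kind: Namespace
metadata:
  name: memelord-jake
---
# Datasource provisioning; mounted read-only into the Grafana container.
# Both targets are in-cluster plaintext HTTP endpoints in the monitoring namespace.
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-datasources
  namespace: memelord-jake
data:
  datasources.yaml: |
    apiVersion: 1
    datasources:
      - name: Prometheus
        type: prometheus
        access: proxy
        url: http://prometheus-operated.monitoring.svc.cluster.local:9090
        isDefault: true
      - name: Loki
        type: loki
        access: proxy
        url: http://loki.monitoring.svc.cluster.local:3100
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: grafana
  namespace: memelord-jake
  labels:
    app: grafana
spec:
  serviceName: grafana
  # Single replica only: the SQLite backend on the PVC cannot be shared.
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      # Grafana never talks to the Kubernetes API here; keep the SA token out of the pod.
      automountServiceAccountToken: false
      securityContext:
        # 472 is the uid/gid the upstream grafana image runs as (fsGroup already relied on it).
        fsGroup: 472
        runAsUser: 472
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grafana
          # TODO: pin to an explicit version tag (or digest). With a floating ":latest"
          # plus IfNotPresent, each node keeps whichever image it pulled first, so
          # rescheduling silently changes the Grafana version.
          image: grafana/grafana:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ALL]
          # TODO: add resources.requests/limits; without them the pod is BestEffort
          # and the first to be evicted under node pressure.
          ports:
            - containerPort: 3000
              name: http
          env:
            # sqlite DB on PVC
            - name: GF_DATABASE_TYPE
              value: sqlite3
            - name: GF_DATABASE_PATH
              value: /var/lib/grafana/grafana.db
            # Ingress URL (important for OAuth callback + links)
            - name: GF_SERVER_ROOT_URL
              value: https://grafana-jake.ee-lte-1.codemowers.io/
            - name: GF_SERVER_SERVE_FROM_SUB_PATH
              value: "false"
            # ---- OIDC (Passmower) via Generic OAuth ----
            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_NAME
              value: "Passmower"
            # Open sign-up: any account that completes Passmower login gets a Grafana
            # user (Viewer unless promoted below). Restrict with
            # GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS if the IdP population is wider
            # than the intended audience.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_USE_ID_TOKEN
              value: "false"
            # Admin is granted from the groups claim; because USE_ID_TOKEN is false the
            # claim has to be present in the API_URL (/me) response — verify that
            # Passmower returns `groups` there with the "openid profile" scopes below,
            # otherwise every user silently lands on Viewer.
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
              value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || 'Viewer'"
            # matches OIDCClient pkce: false
            # Prefer enabling PKCE on both the client and the OIDCClient once confirmed
            # supported; without it the authorization code is protected only by the
            # client secret.
            - name: GF_AUTH_GENERIC_OAUTH_USE_PKCE
              value: "false"
            # IMPORTANT:
            # After OIDCClient grafana-jake is created successfully,
            # set this secret name to the generated one (likely oidc-client-grafana-jake-owner-secrets)
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-jake-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-jake-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              value: "openid profile"
            # From your existing OIDC secret: auth/token/me endpoints
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              value: "https://auth.ee-lte-1.codemowers.io/auth"
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              value: "https://auth.ee-lte-1.codemowers.io/token"
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              value: "https://auth.ee-lte-1.codemowers.io/me"
            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
              value: https://grafana-jake.ee-lte-1.codemowers.io/
          volumeMounts:
            - name: grafana-storage
              mountPath: /var/lib/grafana
            - name: grafana-datasources
              mountPath: /etc/grafana/provisioning/datasources
              readOnly: true
          readinessProbe:
            httpGet:
              path: /api/health
              port: 3000
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /api/health
              port: 3000
            initialDelaySeconds: 30
            periodSeconds: 10
      volumes:
        - name: grafana-datasources
          configMap:
            name: grafana-datasources
  volumeClaimTemplates:
    - metadata:
        name: grafana-storage
      spec:
        accessModes: [ReadWriteOnce]
        storageClassName: sqlite
        resources:
          requests:
            storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: memelord-jake
  labels:
    app: grafana
spec:
  type: ClusterIP
  selector:
    app: grafana
  ports:
    - name: http
      port: 3000
      targetPort: 3000
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grafana-jake
  namespace: memelord-jake
spec:
  secretName: grafana-jake-tls
  dnsNames:
    - grafana-jake.ee-lte-1.codemowers.io
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
---
# HTTPS-only entrypoint; TLS terminates at Traefik, Grafana serves plain HTTP on 3000
# inside the cluster. GF_SERVER_ROOT_URL above must stay in sync with this host.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-jake
  namespace: memelord-jake
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  rules:
    - host: grafana-jake.ee-lte-1.codemowers.io
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: grafana
                port:
                  number: 3000
  tls:
    - secretName: grafana-jake-tls
---
# Passmower client registration. The single redirect URI is Grafana's generic_oauth
# callback; keep it exact — any broadening would let the authorization code be sent
# elsewhere. pkce: false must match GF_AUTH_GENERIC_OAUTH_USE_PKCE in the StatefulSet.
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: grafana-jake
  namespace: memelord-jake
spec:
  displayName: Grafana jake
  uri: https://grafana-jake.ee-lte-1.codemowers.io/login/generic_oauth
  redirectUris:
    - https://grafana-jake.ee-lte-1.codemowers.io/login/generic_oauth
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
    - offline_access
  pkce: false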