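---
apiVersion: v1
kind: Namespace
metadata:
  name: memelord-jake
---
# Datasource provisioning for Grafana; mounted read-only into the pod below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-datasources
  namespace: memelord-jake
data:
  datasources.yaml: |
    apiVersion: 1
    datasources:
      - name: Prometheus
        type: prometheus
        access: proxy
        url: http://prometheus-operated.monitoring.svc.cluster.local:9090
        isDefault: true
      - name: Loki
        type: loki
        access: proxy
        url: http://loki.monitoring.svc.cluster.local:3100
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: grafana
  namespace: memelord-jake
  labels:
    app: grafana
spec:
  serviceName: grafana
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      # Grafana never calls the Kubernetes API; do not hand it a ServiceAccount token.
      automountServiceAccountToken: false
      # Grafana official image runs as UID/GID 472
      securityContext:
        runAsNonRoot: true
        runAsUser: 472
        runAsGroup: 472
        fsGroup: 472
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grafana
          # TODO(review): pin to a release tag (grafana/grafana:<PINNED_VERSION>).
          # "latest" together with IfNotPresent means each node keeps whatever build it
          # pulled first, and upgrades (including security fixes) land unreviewed.
          image: grafana/grafana:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 3000
              name: http
          env:
            # sqlite DB on PVC
            - name: GF_DATABASE_TYPE
              value: sqlite3
            - name: GF_DATABASE_PATH
              value: /var/lib/grafana/grafana.db
            # Ingress URL (important for OAuth callback + absolute links)
            - name: GF_SERVER_ROOT_URL
              value: https://grafana-jake.ee-lte-1.codemowers.io/
            - name: GF_SERVER_SERVE_FROM_SUB_PATH
              value: "false"
            # NOTE(review): the built-in "admin" user keeps Grafana's default password
            # unless GF_SECURITY_ADMIN_PASSWORD is set; this instance is reachable from
            # the public ingress, so source that value from a Secret before exposing it.
            # ---- OIDC (Passmower) via Generic OAuth ----
            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_NAME
              value: "Passmower"
            # Every Passmower account that completes login gets a Grafana user created.
            # Narrow this with GF_AUTH_GENERIC_OAUTH_ALLOWED_DOMAINS or a role mapping
            # (GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH) if open sign-up is not intended.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
              value: "true"
            # pkce=false matches your OIDCClient style
            - name: GF_AUTH_GENERIC_OAUTH_USE_PKCE
              value: "false"
            # IMPORTANT:
            # Replace "grafana-jake-oidc" with the actual Secret created by the OIDCClient controller
            # (see "What to do next" section below)
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: grafana-jake-oidc
                  key: client_id
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: grafana-jake-oidc
                  key: client_secret
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              value: "openid profile email"
            # Passmower issuer base: https://auth.ee-lte-1.codemowers.io/
            # DO NOT GUESS THE PATHS: fetch .well-known/openid-configuration and paste exact endpoints.
            # Until then the three URLs below all point at the issuer root and login will fail closed.
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              value: "https://auth.ee-lte-1.codemowers.io/"
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              value: "https://auth.ee-lte-1.codemowers.io/"
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              value: "https://auth.ee-lte-1.codemowers.io/"
            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
              value: https://grafana-jake.ee-lte-1.codemowers.io/
          volumeMounts:
            - name: grafana-storage
              mountPath: /var/lib/grafana
            - name: grafana-datasources
              mountPath: /etc/grafana/provisioning/datasources
              readOnly: true
          readinessProbe:
            httpGet:
              path: /api/health
              port: 3000
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /api/health
              port: 3000
            initialDelaySeconds: 30
            periodSeconds: 10
      volumes:
        - name: grafana-datasources
          configMap:
            name: grafana-datasources
  volumeClaimTemplates:
    - metadata:
        name: grafana-storage
      spec:
        accessModes: [ReadWriteOnce]
        storageClassName: sqlite
        resources:
          requests:
            storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: memelord-jake
  labels:
    app: grafana
spec:
  type: ClusterIP
  selector:
    app: grafana
  ports:
    - name: http
      port: 3000
      targetPort: 3000
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grafana-jake
  namespace: memelord-jake
spec:
  secretName: grafana-jake-tls
  dnsNames:
    - grafana-jake.ee-lte-1.codemowers.io
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
---
# Only the TLS entrypoint is routed; the Certificate above supplies grafana-jake-tls.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-jake
  namespace: memelord-jake
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  rules:
    - host: grafana-jake.ee-lte-1.codemowers.io
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: grafana
                port:
                  number: 3000
  tls:
    - secretName: grafana-jake-tls
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: grafana-jake
  namespace: memelord-jake
spec:
  displayName: Grafana jake
  # Grafana Generic OAuth callback endpoint:
  # https://<grafana-host>/login/generic_oauth
  uri: https://grafana-jake.ee-lte-1.codemowers.io/login/generic_oauth
  # Keep this list exact: the authorization server must reject any other redirect target.
  redirectUris:
    - https://grafana-jake.ee-lte-1.codemowers.io/login/generic_oauth
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
    - email
  # Must stay in step with GF_AUTH_GENERIC_OAUTH_USE_PKCE in the StatefulSet above.
  pkce: false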