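# Grafana for one Helm release: provisioned datasources, a single-replica
# StatefulSet backed by SQLite on a PVC, a ClusterIP Service, a cert-manager
# Certificate, a Traefik Ingress and the Passmower OIDCClient used for login.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ .Release.Name }}-grafana-datasources
data:
  # Mounted at /etc/grafana/provisioning/datasources by the StatefulSet below.
  datasources.yaml: |
    apiVersion: 1
    datasources:
      - name: Prometheus
        type: prometheus
        access: proxy
        url: http://prometheus-operated.monitoring.svc.cluster.local:9090
        isDefault: true
        # editable: true allows the provisioned datasource to be modified from
        # the Grafana UI by users with the required role.
        editable: true
      - name: Loki
        type: loki
        access: proxy
        url: http://loki.monitoring.svc.cluster.local:3100
        editable: true
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: {{ .Release.Name }}-grafana
  labels:
    app: {{ .Release.Name }}-grafana
spec:
  serviceName: {{ .Release.Name }}-grafana
  # SQLite lives on the per-pod PVC from volumeClaimTemplates, so each extra
  # replica would get its own diverging database; keep this at 1 unless the
  # database backend changes.
  replicas: 1
  selector:
    matchLabels:
      app: {{ .Release.Name }}-grafana
  template:
    metadata:
      labels:
        app: {{ .Release.Name }}-grafana
    spec:
      securityContext:
        runAsNonRoot: true
        # 472 is the uid/gid the official grafana image runs as; makes the PVC
        # group-writable for it. Confirm if the image is changed.
        fsGroup: 472
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grafana
          # Overridable from values; the default is the original floating tag.
          # Prefer pinning a version or digest (grafanaImage in values) so
          # upgrades are deliberate and rollbacks reproducible. Note that
          # IfNotPresent combined with a floating tag means a node keeps
          # whatever it pulled first.
          image: {{ .Values.grafanaImage | default "grafana/grafana:latest" }}
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 3000
              name: http
          env:
            - name: GF_DATABASE_TYPE
              value: sqlite3
            - name: GF_DATABASE_PATH
              value: /var/lib/grafana/grafana.db
            # Must match the public hostname so OAuth redirects and cookies
            # are issued for the right origin.
            - name: GF_SERVER_ROOT_URL
              value: "https://{{ .Values.grafanaHostname }}"
            # Login is delegated to the OIDCClient declared at the end of this
            # file. Client id/secret come from the `-owner-secrets` Secret,
            # presumably created by the OIDCClient controller — verify the name
            # against the Passmower deployment.
            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_NAME
              value: "Passmower"
            # Every successful login auto-creates a Grafana user; who may log in
            # at all is limited by allowedGroups on the OIDCClient.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-{{ .Release.Name }}-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              value: "openid profile groups"
            # The browser-facing authorization endpoint uses the public HTTPS
            # hostname; the token and userinfo calls are server-to-server over
            # the in-cluster service on plain HTTP, so the client secret and
            # tokens on those hops are protected only by the cluster network.
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              value: "https://auth.ee-lte-1.codemowers.io/auth"
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              value: "http://passmower.passmower.svc.cluster.local/token"
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              value: "http://passmower.passmower.svc.cluster.local/me"
            # JMESPath over the userinfo claims: members of the admins group
            # get Admin, everyone else Viewer. 'Viewer' must be a quoted
            # literal — unquoted it is a field lookup on the claims and
            # evaluates to null instead of a role.
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
              value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || 'Viewer'"
            - name: GF_AUTH_ANONYMOUS_ENABLED
              value: "false"
          volumeMounts:
            - name: grafana-storage
              mountPath: /var/lib/grafana
            - name: datasources
              mountPath: /etc/grafana/provisioning/datasources
      volumes:
        - name: datasources
          configMap:
            name: {{ .Release.Name }}-grafana-datasources
  volumeClaimTemplates:
    - metadata:
        name: grafana-storage
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: sqlite
        resources:
          requests:
            storage: 5Gi
---
apiVersion: v1
kind: Service
metadata:
  name: {{ .Release.Name }}-grafana
  labels:
    app: {{ .Release.Name }}-grafana
spec:
  type: ClusterIP
  selector:
    app: {{ .Release.Name }}-grafana
  ports:
    - name: http
      port: 80
      targetPort: 3000
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: grafana-{{ .Release.Name }}
spec:
  # Consumed by the Ingress tls section below.
  secretName: grafana-{{ .Release.Name }}-tls
  dnsNames:
    - "{{ .Values.grafanaHostname }}"
  issuerRef:
    name: letsencrypt
    kind: ClusterIssuer
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana-{{ .Release.Name }}
  annotations:
    # HTTPS entrypoint only; plain-HTTP access is not exposed by this Ingress.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  rules:
    - host: "{{ .Values.grafanaHostname }}"
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: {{ .Release.Name }}-grafana
                port:
                  number: 80
  tls:
    - secretName: grafana-{{ .Release.Name }}-tls
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: grafana-{{ .Release.Name }}
spec:
  displayName: Grafana {{ .Release.Name }}
  uri: "https://{{ .Values.grafanaHostname }}/"
  # Must stay exactly Grafana's generic_oauth callback path under the root URL.
  redirectUris:
    - "https://{{ .Values.grafanaHostname }}/login/generic_oauth"
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
    - groups
  # Only this group can complete a login; GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
  # above relies on this gate.
  allowedGroups:
    - github.com:codemowers:admins
  # PKCE is disabled on both sides; Grafana can enable it with
  # GF_AUTH_GENERIC_OAUTH_USE_PKCE, which has to be switched together with this
  # flag to avoid breaking the login flow.
  pkce: false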