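---
# Grafana for the "sala" tenant: a single-replica StatefulSet backed by SQLite on
# a per-pod volume, with sign-in delegated to the cluster OIDC provider through
# Grafana's generic OAuth integration. The OIDCClient document at the bottom
# registers the matching client with the identity provider.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: grafana
  labels:
    app: grafana
spec:
  serviceName: grafana
  replicas: 1
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      containers:
        - name: grafana
          # NOTE(review): `latest` is a mutable tag, and with IfNotPresent the
          # version that actually runs depends on what each node has cached.
          # Pin a specific release tag or an image digest so rollouts are
          # reproducible and an upstream retag cannot change the running code.
          image: grafana/grafana:latest
          imagePullPolicy: IfNotPresent
          # Grafana serves on the unprivileged port 3000 declared below, so it
          # needs neither privilege escalation nor any Linux capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 3000
              name: http
          env:
            # --- Storage -------------------------------------------------
            - name: GF_DATABASE_TYPE
              value: sqlite3
            - name: GF_DATABASE_PATH
              value: /var/lib/grafana/grafana.db

            # --- OAuth client settings ------------------------------------
            # Client id, scopes and IdP endpoints are read from
            # oidc-client-grafana-owner-secrets (presumably generated for the
            # OIDCClient below; confirm it exists in the namespace this
            # StatefulSet is deployed to).
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_AVAILABLE_SCOPES
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_IDP_AUTH_URI
            # NOTE(review): the token endpoint is hard-coded while the other
            # IdP endpoints come from the secret; keep the two in sync if the
            # IdP host ever changes.
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              value: "https://auth.ee-lte-1.codemowers.io/token"
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_IDP_URI
            - name: GF_AUTH_GENERIC_OAUTH_USE_ID_TOKEN
              value: "false"

            # --- Public URL -----------------------------------------------
            - name: GF_SERVER_DOMAIN
              value: grafana-sala.ee-lte-1.codemowers.io
            - name: GF_SERVER_ROOT_URL
              value: "https://%(domain)s/"

            # --- Login policy ---------------------------------------------
            # NOTE(review): with this enabled Grafana matches an OAuth login
            # to an existing account by e-mail address. That is only sound if
            # the IdP guarantees e-mail addresses are verified and unique per
            # user; otherwise leave it off so accounts are matched on the IdP
            # subject identifier.
            - name: GF_AUTH_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP
              value: "true"
            # Password logins are off and no default admin user is created, so
            # OAuth is the only way in.
            - name: GF_AUTH_BASIC_ENABLED
              value: "false"
            - name: GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
            # Any identity the IdP authenticates gets an account on first
            # login; its role is decided by the role expression below.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_USE_PKCE
              value: "true"

            # --- Role mapping ---------------------------------------------
            # Permits the role expression to hand out server-wide
            # GrafanaAdmin. The expression below only ever yields 'Admin' or
            # 'Viewer', so this is currently unused headroom; set it to
            # "false" unless server admins are meant to be granted via OAuth.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN
              value: "true"
            # This variable used to be listed twice: first with the bare value
            # `Admin`, then with the expression below. Entries are applied in
            # order, so the later expression was the effective one; the stale
            # entry is removed so a reorder cannot silently change who becomes
            # an admin.
            #
            # Members of github.com:codemowers:admins become org Admin,
            # everyone else Viewer. NOTE(review): the expression reads a
            # `groups` claim, but the client registration below requests only
            # openid/profile/offline_access; confirm the IdP emits `groups`
            # with those scopes, otherwise every user falls through to Viewer.
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
              value: "contains(groups[*], 'github.com:codemowers:admins') && 'Admin' || 'Viewer'"
          volumeMounts:
            - name: grafana-storage
              mountPath: /var/lib/grafana
          readinessProbe:
            httpGet:
              path: /api/health
              port: 3000
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /api/health
              port: 3000
            initialDelaySeconds: 30
            periodSeconds: 10
  volumeClaimTemplates:
    # Holds grafana.db (users, sessions, dashboards, data source settings).
    - metadata:
        name: grafana-storage
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: sqlite
        resources:
          requests:
            storage: 5Gi
---
# Registers Grafana with the identity provider as an authorization-code client
# using PKCE. The only accepted redirect target is Grafana's generic_oauth
# callback on the public hostname.
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: grafana
  namespace: memelord-sala
spec:
  displayName: Grafana sala
  uri: https://grafana-sala.ee-lte-1.codemowers.io/login/generic_oauth
  redirectUris:
    - https://grafana-sala.ee-lte-1.codemowers.io/login/generic_oauth
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
    - offline_access
  pkce: true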