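# Grafana for k-space.ee: OIDC client registration, provisioning/config
# ConfigMaps, the StatefulSet, its Service and Ingress, and the MySQL
# database claim the StatefulSet connects to.
#
# Layout restored to one key per line (the original was collapsed onto a
# few long lines); ambiguous scalars quoted; container hardening added.
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
  name: grafana
spec:
  displayName: Grafana
  uri: https://grafana.k-space.ee/login/generic_oauth
  redirectUris:
    - https://grafana.k-space.ee/login/generic_oauth
  # Only members of this group are allowed through the IdP; Grafana role
  # mapping happens separately in grafana.ini (role_attribute_path).
  allowedGroups:
    - "k-space:floor"
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
    - groups
  # Public client: no client authentication at the token endpoint, so the
  # authorization code is protected by PKCE (use_pkce = true below).
  # NOTE(review): the StatefulSet still injects GF_AUTH_GENERIC_OAUTH_SECRET;
  # with "none" that value is presumably unused — confirm against the operator.
  tokenEndpointAuthMethod: none
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-datasources
data:
  # Grafana datasource provisioning file; "prune: true" removes datasources
  # not listed here, and "editable: false" locks this one in the UI.
  prometheus.yaml: |
    apiVersion: 1
    prune: true
    datasources:
      - name: Prometheus
        type: prometheus
        orgId: 1
        url: http://prometheus-operated.monitoring.svc.cluster.local:9090
        version: 1
        editable: false
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-config
data:
  # Mounted over /etc/grafana. Values here are overridden by matching
  # GF_<SECTION>_<KEY> environment variables set on the container (e.g.
  # GF_AUTH_GENERIC_OAUTH_SCOPES overrides [auth.generic_oauth] scopes).
  grafana.ini: |
    [log]
    level = warn
    [server]
    domain = grafana.k-space.ee
    root_url = https://%(domain)s/
    [auth]
    # Lets an OAuth login attach to an existing account matched by e-mail
    # even when the e-mail claim is not verified. Only safe if the IdP
    # guarantees unique, verified e-mail addresses for every user.
    oauth_allow_insecure_email_lookup=true
    [auth.basic]
    enabled = false
    [auth.generic_oauth]
    name = OAuth
    icon = signin
    enabled = true
    scopes = openid profile groups
    allow_sign_up = true
    use_pkce = true
    # JMESPath over the userinfo/ID-token claims. The fallback must be the
    # string literal 'Viewer'; an unquoted Viewer is a field lookup that
    # evaluates to null, which only worked because the default org role is
    # also Viewer.
    role_attribute_path = contains(groups[*], 'k-space:kubernetes:admins') && 'Admin' || contains(groups[*], 'k-space:floor') && 'Editor' || 'Viewer'
    # Only has an effect if role_attribute_path can return 'GrafanaAdmin';
    # the expression above never does.
    allow_assign_grafana_admin = true
    [security]
    disable_initial_admin_creation = true
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: grafana
  name: grafana
spec:
  revisionHistoryLimit: 0
  serviceName: grafana
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      # Grafana does not call the Kubernetes API; no token needed in the pod.
      automountServiceAccountToken: false
      securityContext:
        fsGroup: 472
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grafana
          image: grafana/grafana:11.1.0
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 472
            runAsGroup: 472
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            # OIDC endpoints and client credentials come from the secret the
            # OIDCClient operator creates for the "grafana" client.
            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_IDP_URI
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_CLIENT_ID
            - name: GF_AUTH_GENERIC_OAUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_AVAILABLE_SCOPES
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_IDP_AUTH_URI
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_IDP_TOKEN_URI
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_IDP_USERINFO_URI
            # Dashboards, users and sessions live in MySQL (see the
            # MysqlDatabaseClaim below); /var/lib/grafana is only scratch.
            - name: GF_DATABASE_TYPE
              value: mysql
            - name: GF_DATABASE_HOST
              value: "172.20.36.1:3306"
            # Plaintext MySQL connection: the database password and all
            # stored data cross the network unencrypted. Switch to
            # "require" (or "true") once the server presents a certificate.
            - name: GF_DATABASE_SSL_MODE
              value: disable
            - name: GF_DATABASE_NAME
              value: kspace_grafana
            - name: GF_DATABASE_USER
              value: kspace_grafana
            - name: GF_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-database
                  key: password
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          # /robots.txt is served without authentication, so the probe does
          # not depend on the OIDC provider being reachable.
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          # Requests only; no limits are set, so a runaway render can grow
          # until the node evicts the pod.
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: grafana-data
            # Replaces the image's /etc/grafana entirely, including any
            # provisioning directories the image ships there.
            - mountPath: /etc/grafana
              name: grafana-config
            - mountPath: /etc/grafana/provisioning/datasources
              name: grafana-datasources
      volumes:
        - name: grafana-config
          configMap:
            name: grafana-config
        - name: grafana-datasources
          configMap:
            name: grafana-datasources
        # Ephemeral: plugins and cache are lost on restart, state is in MySQL.
        - name: grafana-data
          emptyDir:
            sizeLimit: 500Mi
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: http-grafana
  selector:
    app: grafana
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  annotations:
    # HTTPS only at the edge; the hop from Traefik to the pod is plain HTTP.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: grafana.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: grafana
                port:
                  number: 80
  tls:
    - hosts:
        - "*.k-space.ee"
---
apiVersion: codemowers.cloud/v1beta1
kind: MysqlDatabaseClaim
metadata:
  name: grafana
spec:
  capacity: 1Gi
  class: shared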