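---
# Kustomization that inflates the upstream Grafana Helm chart into the
# `grafana` namespace. Login is OIDC-only through auth.k-space.ee: basic auth
# is disabled and no initial admin account is created.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: grafana

# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
helmCharts:
  - includeCRDs: true
    name: &name grafana
    releaseName: *name
    repo: https://grafana.github.io/helm-charts
    valuesInline:
      # https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml
      ingress:
        enabled: true
        annotations:
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
        hosts:
          - grafana.k-space.ee
        tls:
          - hosts:
              - "*.k-space.ee"
      persistence:
        inMemory:
          enabled: true
      grafana.ini:
        log:
          level: warn
        server:
          root_url: https://grafana.k-space.ee/
        security:
          # No built-in admin account is created; access comes only from the
          # OIDC role mapping below.
          disable_initial_admin_creation: true
        auth:
          # SECURITY (review): lets an OAuth login attach to an existing
          # Grafana user by matching e-mail address instead of the identity
          # provider's stable subject identifier. Grafana ships this disabled.
          # It is only safe while e-mail addresses at the IdP are verified and
          # not user-editable, and no second OAuth provider is added.
          # Left enabled because switching it off may break matching of
          # existing users; confirm and disable if possible.
          oauth_allow_insecure_email_lookup: true
        auth.basic:
          enabled: false
        auth.generic_oauth:
          enabled: true
          auto_login: true
          name: auth.k-space.ee
          # JMESPath over the userinfo claims. The fallback is the quoted
          # string literal 'Viewer': a bare Viewer is a field lookup that
          # yields no role, so the outcome would depend on Grafana's
          # empty-role handling instead of explicitly assigning Viewer.
          role_attribute_path: >-
            contains(groups[*], 'k-space:kubernetes:admins') && 'Admin'
            || contains(groups[*], 'k-space:floor') && 'Editor'
            || 'Viewer'
          # NOTE(review): only has an effect when the expression above returns
          # 'GrafanaAdmin', which it never does as written. Drop this unless
          # server-admin assignment via OIDC groups is intended.
          allow_assign_grafana_admin: true
          # OIDC client settings are read from the mounted secret at runtime,
          # so no credential is stored in this file.
          client_id: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_ID}
          client_secret: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_CLIENT_SECRET}
          scopes: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_AVAILABLE_SCOPES}
          auth_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_AUTH_URI}
          token_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_TOKEN_URI}
          api_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_USERINFO_URI}
          signout_redirect_url: $__file{/etc/secrets/oidc-client-grafana-owner-secrets/OIDC_IDP_URI}
          use_pkce: true
      extraSecretMounts:
        - name: oidc-client-grafana-owner-secrets
          secretName: oidc-client-grafana-owner-secrets
          mountPath: /etc/secrets/oidc-client-grafana-owner-secrets
          # Octal literal (r--r-----). Must stay an unquoted integer:
          # Kubernetes expects a number here, not a string.
          defaultMode: 0440
          subPath: .
          readOnly: true
      # Database connection settings are injected as environment variables
      # from the grafana-database secret (supplied by the remote base below).
      envFromSecrets:
        - name: grafana-database
      datasources:
        prometheus.yaml:
          apiVersion: 1
          prune: true
          datasources:
            - name: Prometheus
              type: prometheus
              url: http://prometheus-prometheus-server
              orgId: 1
              version: 1
              editable: false
    # Chart version is pinned so a rebuild does not pull a newer chart.
    version: v9.2.10

resources:
  - ./passmower.yaml
  # NOTE(review): this remote base is fetched without a pinned ref, so every
  # build takes whatever the default branch currently holds. Consider pinning
  # it, e.g. by appending ?ref=<COMMIT_OR_TAG_PLACEHOLDER>.
  - ssh://git@git.k-space.ee/secretspace/kube/grafana  # secret: grafana-database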