3 layers of jumala eest sa secretit grafanale ei annaks: probably the key in the secret reference is getting flagged; there is no error message, it is just dropped, but it still overrides env. This seems to be a problem again since Jan/Feb, with the accepted workaround being enving it. Do as the docs don't say, and again, four times over?
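# Kustomization that inflates the Grafana Helm chart into the `grafana`
# namespace and adds one local and one remote resource. Login is OIDC-only
# (basic auth disabled); OIDC client settings are injected through env vars.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

namespace: grafana

# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
helmCharts:
  - includeCRDs: true
    # The anchor keeps chart name and release name identical.
    name: &name grafana
    releaseName: *name
    repo: https://grafana.github.io/helm-charts
    # https://github.com/grafana/helm-charts/blob/main/charts/grafana/values.yaml
    valuesInline:
      ingress:
        enabled: true
        annotations:
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
        hosts: [grafana.k-space.ee]
        tls:
          - hosts: ["*.k-space.ee"]
      persistence:
        # NOTE(review): in-memory storage; presumably all durable state lives in
        # the external database referenced by the grafana-database secret.
        # Confirm nothing else needs to survive a pod restart.
        inMemory:
          enabled: true
      grafana.ini:
        log: {level: warn}
        server:
          root_url: https://grafana.k-space.ee/
        auth:
          # NOTE(review): this re-enables matching an OAuth login to an existing
          # Grafana user by e-mail address instead of by the IdP's stable user
          # id. It is only safe while the IdP guarantees that e-mail claims are
          # verified and unique per user; otherwise a login carrying a colliding
          # e-mail is mapped onto someone else's account. Prefer `false` once
          # existing users are linked to their IdP identity.
          oauth_allow_insecure_email_lookup: true
        auth.basic:
          # Password logins are off; the generic OAuth provider is the only way in.
          enabled: false
        auth.generic_oauth:
          enabled: true
          auto_login: true
          name: auth.k-space.ee
          # JMESPath over the OIDC claims; the first matching group decides the
          # org role. The fallback must be the quoted string literal 'Viewer':
          # a bare Viewer is a field lookup on the claims, not a literal, so the
          # role would come from a claim of that name (or be empty).
          role_attribute_path: >-
            contains(groups[*], 'k-space:kubernetes:admins') && 'Admin'
            || contains(groups[*], 'k-space:floor') && 'Editor'
            || 'Viewer'
          # Anyone who can authenticate at the IdP gets an account (at least
          # Viewer), so who may reach Grafana is decided at the IdP.
          allow_sign_up: true
          # NOTE(review): only has an effect when role_attribute_path can return
          # GrafanaAdmin; the expression above never does. Consider dropping it
          # so a later edit of the expression cannot grant server admin silently.
          allow_assign_grafana_admin: true
          use_pkce: true
          use_refresh_token: true
      env:
        # Not supported by the helm chart through grafana.ini, only env.
        # Quoted so the value stays a string for every consumer.
        GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION: "true"
        # helm chart says to use file ref in grafana.ini, but it doesn't work
        # since the secrets are filtered out there.
        # The $(NAME) references are expanded by Kubernetes from other env vars
        # of the container; presumably these come from the Secrets listed under
        # envFromSecrets -- confirm the key names match.
        # NOTE(review): secrets passed as env vars are readable by anything that
        # can inspect the pod's environment; move back to a file reference once
        # the chart allows it.
        GF_AUTH_GENERIC_OAUTH_CLIENT_ID: "$(OIDC_CLIENT_ID)"
        # NOTE(review): Grafana maps env overrides as GF_<SECTION>_<KEY> and the
        # generic OAuth key is client_secret, which would make the expected name
        # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET. Verify this variable is picked up.
        GF_AUTH_GENERIC_OAUTH_SECRET: "$(OIDC_CLIENT_SECRET)"
        GF_AUTH_GENERIC_OAUTH_SCOPES: "$(OIDC_AVAILABLE_SCOPES)"
        GF_AUTH_GENERIC_OAUTH_AUTH_URL: "$(OIDC_IDP_AUTH_URI)"
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL: "$(OIDC_IDP_TOKEN_URI)"
        GF_AUTH_GENERIC_OAUTH_API_URL: "$(OIDC_IDP_USERINFO_URI)"
        GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL: "$(OIDC_IDP_URI)"
      # Every key of these Secrets becomes an env var of the Grafana container.
      envFromSecrets:
        - name: oidc-client-grafana-owner-secrets
        - name: grafana-database
      datasources:
        prometheus.yaml:
          apiVersion: 1
          prune: true
          datasources:
            - name: Prometheus
              type: prometheus
              # NOTE(review): plain HTTP with no credentials; acceptable only if
              # access to this service is restricted inside the cluster.
              url: http://prometheus-prometheus-server
              orgId: 1
              version: 1
              # Provisioned datasource cannot be changed from the UI.
              editable: false
    # Chart version pin; bump deliberately and review the chart diff.
    version: v9.2.10

resources:
  - ./passmower.yaml
  # secret: grafana-database
  # NOTE(review): no `?ref=` is given, so each build takes whatever the remote
  # repository currently holds. Pin it with `?ref=<tag-or-commit>` so that a
  # change in the secrets repository cannot alter this deployment unreviewed.
  - ssh://git@git.k-space.ee/secretspace/kube/grafana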