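---
# OIDC client registration for Grafana at the cluster's OIDC gateway.
# Login is gated at the gateway by allowedGroups; the client is public
# (tokenEndpointAuthMethod: none) and relies on PKCE, which is enabled on
# the Grafana side in grafana.ini below (use_pkce = true).
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
  name: grafana
spec:
  displayName: Grafana
  uri: https://grafana.k-space.ee/login/generic_oauth
  # Exact-match redirect URI: Grafana's generic_oauth callback only.
  redirectUris:
    - https://grafana.k-space.ee/login/generic_oauth
  allowedGroups:
    - k-space:floor
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  # NOTE(review): only openid/profile are requested, yet role_attribute_path
  # below reads a `groups` claim — confirm the gateway emits groups inside
  # the profile scope / userinfo response.
  availableScopes:
    - openid
    - profile
  tokenEndpointAuthMethod: none
---
# Grafana base configuration; the ConfigMap is mounted over /etc/grafana.
# - allow_sign_up = true: anyone who passes the gateway's group check gets
#   a Grafana account created on first login.
# - role_attribute_path: members of github.com:codemowers become Admin,
#   everyone else is a Viewer.
# - disable_initial_admin_creation = true: no built-in admin/admin account,
#   so the OAuth mapping above is the only path to Admin.
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-config
data:
  grafana.ini: |
    [log]
    level = warn
    [server]
    domain = grafana.k-space.ee
    root_url = https://%(domain)s/
    [auth.generic_oauth]
    name = OAuth
    icon = signin
    enabled = true
    empty_scopes = false
    allow_sign_up = true
    use_pkce = true
    role_attribute_path = contains(groups[*], 'github.com:codemowers') && 'Admin' || 'Viewer'
    [security]
    disable_initial_admin_creation = true
---
# Grafana itself. Single replica StatefulSet with a Longhorn-backed data
# volume; OAuth endpoints and client identity come from the gateway-managed
# secret oidc-client-grafana-owner-secrets.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: grafana
  name: grafana
spec:
  revisionHistoryLimit: 0
  serviceName: grafana
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      # Grafana does not talk to the Kubernetes API; do not hand the pod a
      # service-account token it would only ever leak.
      automountServiceAccountToken: false
      securityContext:
        # 472 is the grafana user in the upstream image; fsGroup lets it
        # write the PVC mounted at /var/lib/grafana.
        fsGroup: 472
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grafana
          image: grafana/grafana:8.5.24
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 472
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          env:
            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_GATEWAY_URI
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_CLIENT_ID
            # NOTE(review): Grafana's env override for client_secret is
            # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET; this name likely maps to
            # nothing. With tokenEndpointAuthMethod: none on the client that
            # may be harmless, but confirm which behaviour is intended.
            - name: GF_AUTH_GENERIC_OAUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_AVAILABLE_SCOPES
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_GATEWAY_AUTH_URI
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_GATEWAY_TOKEN_URI
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_GATEWAY_USERINFO_URI
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          # Readiness uses an unauthenticated static path so the probe does
          # not depend on the OAuth flow being healthy.
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          # NOTE(review): requests only, no limits — the pod is unbounded
          # on the node; consider a memory limit once usage is known.
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: grafana-data
            # Mounting the ConfigMap over /etc/grafana replaces the whole
            # directory (including the image's default provisioning tree)
            # with just grafana.ini — presumably intended; verify if
            # provisioning files are ever expected.
            - mountPath: /etc/grafana
              name: grafana-config
      volumes:
        - name: grafana-config
          configMap:
            name: grafana-config
  volumeClaimTemplates:
    - metadata:
        name: grafana-data
      spec:
        storageClassName: longhorn
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: grafana
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: http-grafana
  selector:
    app: grafana
---
# Public entry point. TLS is terminated by Traefik; no secretName is given
# for the wildcard host, so the certificate presumably comes from Traefik's
# default store — confirm.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: grafana.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: grafana
                port:
                  number: 80
  tls:
    - hosts:
        - "*.k-space.ee"
---
# NOTE(review): nothing in the StatefulSet above references this database
# (no GF_DATABASE_* env and no [database] section in grafana.ini), so
# Grafana will keep using its default sqlite store on /var/lib/grafana
# unless the connection settings are injected elsewhere — confirm.
apiVersion: codemowers.cloud/v1beta1
kind: MysqlDatabaseClaim
metadata:
  name: grafana
spec:
  capacity: 1Gi
  class: shared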