---
# OIDC client registration for Grafana with the cluster's OIDC gateway.
# This is a codemowers.io CRD: field semantics belong to the gateway
# operator, not to Grafana; only what the names and the rest of this file
# show is stated here.
apiVersion: codemowers.io/v1alpha1
kind: OIDCGWClient
metadata:
  name: grafana
spec:
  displayName: Grafana
  # Grafana's generic_oauth callback. The single redirectUris entry must stay
  # identical to it, so change both together.
  uri: https://grafana.k-space.ee/login/generic_oauth
  redirectUris:
    - https://grafana.k-space.ee/login/generic_oauth
  # Presumably gates login at the gateway to members of this group; Grafana's
  # own role_attribute_path (grafana-config below) then decides Admin vs
  # Viewer for whoever gets through.
  allowedGroups:
    - k-space:floor
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  availableScopes:
    - openid
    - profile
  # "none" = no client authentication at the token endpoint, i.e. a public
  # client; the Grafana side sets use_pkce = true to compensate.
  # NOTE(review): the StatefulSet still injects OIDC_CLIENT_SECRET into the
  # pod — presumably unused for a public client; confirm against the gateway.
  tokenEndpointAuthMethod: none
---
# Grafana configuration, mounted over /etc/grafana by the StatefulSet below.
# Secrets and gateway URLs for [auth.generic_oauth] are supplied through
# GF_AUTH_GENERIC_OAUTH_* environment variables instead, so this file holds
# only non-sensitive settings.
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-config
# The ini text is a literal block scalar: anything written inside it,
# including "#" lines, becomes part of the file Grafana reads, so keep
# YAML comments out here.
data:
  # [server]  domain + root_url let Grafana build absolute redirect URLs
  #           behind the Ingress (root_url interpolates %(domain)s).
  # [auth.generic_oauth]
  #           allow_sign_up = true creates the Grafana user on first OAuth
  #           login; use_pkce = true pairs with the public client
  #           (tokenEndpointAuthMethod: none) declared in the OIDCGWClient;
  #           role_attribute_path grants Admin only to members of the
  #           github.com:codemowers group and Viewer to everyone else.
  # [security]
  #           disable_initial_admin_creation = true: no built-in initial
  #           admin account is created, all access goes through OAuth.
  grafana.ini: |
    [log]
    level = warn
    [server]
    domain = grafana.k-space.ee
    root_url = https://%(domain)s/
    [auth.generic_oauth]
    name = OAuth
    icon = signin
    enabled = true
    empty_scopes = false
    allow_sign_up = true
    use_pkce = true
    role_attribute_path = contains(groups[*], 'github.com:codemowers') && 'Admin' || 'Viewer'
    [security]
    disable_initial_admin_creation = true
---
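# Grafana as a single StatefulSet so its data directory (/var/lib/grafana;
# presumably the default SQLite store, since grafana.ini has no [database]
# section) lives on a per-pod PersistentVolumeClaim.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  labels:
    app: grafana
  name: grafana
spec:
  revisionHistoryLimit: 0
  serviceName: grafana
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        # Same id as runAsUser below: fsGroup makes the mounted PVC writable
        # by that uid without any root step.
        fsGroup: 472
      containers:
        - name: grafana
          # NOTE(review): 8.5.x is an old release line; check it is still
          # inside Grafana's supported window before relying on it for a
          # publicly reachable service.
          image: grafana/grafana:8.5.24
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 472
            # Grafana listens on 3000 as a non-root user and needs no Linux
            # capabilities, so drop them all, forbid setuid escalation and
            # apply the runtime's default seccomp profile (restricted-profile
            # baseline).
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # OAuth endpoints and credentials come from a Secret presumably
          # written by the OIDC gateway operator for the OIDCGWClient named
          # "grafana" above; nothing sensitive is in the ConfigMap.
          env:
            # Where Grafana sends the browser after its own logout.
            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_GATEWAY_URI
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_CLIENT_ID
            # NOTE(review): Grafana's documented variable for client_secret is
            # GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET; this name does not map to a
            # known [auth.generic_oauth] key and is likely never read. With
            # tokenEndpointAuthMethod: none on the client that may be
            # intentional — confirm before renaming or removing it.
            - name: GF_AUTH_GENERIC_OAUTH_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_CLIENT_SECRET
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_AVAILABLE_SCOPES
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_GATEWAY_AUTH_URI
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_GATEWAY_TOKEN_URI
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              valueFrom:
                secretKeyRef:
                  name: oidc-client-grafana-owner-secrets
                  key: OIDC_GATEWAY_USERINFO_URI
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          # Readiness hits a static, unauthenticated file: it proves the HTTP
          # server is up but not that the data store is usable. Grafana's
          # /api/health endpoint also reports database status if that matters.
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          # Liveness is a bare TCP connect so a slow HTTP handler does not
          # get the pod killed.
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          # Requests only; there is no memory limit, so a runaway query can
          # grow until the node evicts the pod. Pick a limit per environment.
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
          volumeMounts:
            # Only writable path (readOnlyRootFilesystem above).
            - mountPath: /var/lib/grafana
              name: grafana-data
            # Mounting the ConfigMap over the whole directory hides whatever
            # the image ships under /etc/grafana (presumably its default ini
            # and provisioning tree); only grafana.ini exists there at runtime.
            - mountPath: /etc/grafana
              name: grafana-config
      volumes:
        - name: grafana-config
          configMap:
            name: grafana-config
  volumeClaimTemplates:
    - metadata:
        name: grafana-data
      spec:
        storageClassName: longhorn
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi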
---
# ClusterIP Service in front of the StatefulSet; the Ingress below targets
# port 80 here, which forwards to the container's named port http-grafana.
apiVersion: v1
kind: Service
metadata:
  name: grafana
spec:
  selector:
    app: grafana
  ports:
    - protocol: TCP
      port: 80
      targetPort: http-grafana
---
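# Public entry point. Traefik terminates TLS on its websecure entrypoint and
# external-dns publishes grafana.k-space.ee pointing at traefik.k-space.ee.
# Sequence indentation made consistent with the rest of the file (indented
# style, as in the StatefulSet and Service documents).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: grafana.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: grafana
                port:
                  number: 80
  tls:
    # No secretName here: the wildcard certificate is presumably provided by
    # the ingress controller's default certificate — confirm it covers this
    # host, otherwise clients get a self-signed fallback.
    - hosts:
        - "*.k-space.ee"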
---
# Requests a MySQL database from the shared class (codemowers.cloud CRD).
# NOTE(review): nothing in this file consumes it — grafana.ini has no
# [database] section and the StatefulSet sets no GF_DATABASE_* variables —
# so Grafana presumably still runs on its local data directory; confirm
# whether the claim is wired up elsewhere or is left over.
apiVersion: codemowers.cloud/v1beta1
kind: MysqlDatabaseClaim
metadata:
  name: grafana
spec:
  class: shared
  capacity: 1Gi