apiVersion: grafana.integreatly.org/v1beta1
kind: Grafana
metadata:
  name: grafana-main
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: grafana-main
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/part-of: {{ .Release.Name }}
    app: grafana-main
spec:
  config:
    analytics:
      enabled: "false"
      check_for_updates: "false"
      reporting_enabled: "false"
    server:
      domain: alexlebens.net
      root_url: https://grafana.alexlebens.net
    log:
      mode: "console"
    users:
      auto_assign_org: "true"
      auto_assign_org_id: "1"
    auth:
      disable_login_form: "true"
      auto_login: "true"
      signout_redirect_url: https://authentik.alexlebens.net/application/o/grafana/end-session/
    auth.generic_oauth:
      enabled: "true"
      name: Authentik
      allow_sign_up: "true"
      client_id: ${AUTH_CLIENT_ID}
      client_secret: ${AUTH_CLIENT_SECRET}
      scopes: openid profile email
      auth_url: https://authentik.alexlebens.net/application/o/authorize/
      token_url: https://authentik.alexlebens.net/application/o/token/
      api_url: https://authentik.alexlebens.net/application/o/userinfo/
      role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'
    database:
      type: postgres
      host: "${DB_HOST}:${DB_PORT}"
      name: ${DB_DATABASE}
      user: ${DB_USER}
      password: ${DB_PASSWORD}
    remote_cache:
      type: redis
      connstr: addr=remote-cache-valkey-primary.grafana-operator:6379,pool_size=100,db=0,ssl=false
    unified_alerting:
      enabled: "true"
      ha_redis_address: unified-alerting-valkey-primary.grafana-operator:6379
  deployment:
    spec:
      replicas: 3
      template:
        spec:
          containers:
            - name: grafana
              image: grafana/grafana:12.0.0
              resources:
                requests:
                  cpu: 100m
                  memory: 128Mi
              env:
                - name: AUTH_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: grafana-oauth-secret
                      key: AUTH_CLIENT_ID
                - name: AUTH_CLIENT_SECRET
                  valueFrom:
                    secretKeyRef:
                      name: grafana-oauth-secret
                      key: AUTH_CLIENT_SECRET
                - name: ADMIN_USER
                  valueFrom:
                    secretKeyRef:
                      name: grafana-auth-secret
                      key: admin-user
                - name: ADMIN_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: grafana-auth-secret
                      key: admin-password
                - name: DB_HOST
                  valueFrom:
                    secretKeyRef:
                      name: grafana-operator-postgresql-17-cluster-app
                      key: host
                - name: DB_DATABASE
                  valueFrom:
                    secretKeyRef:
                      name: grafana-operator-postgresql-17-cluster-app
                      key: dbname
                - name: DB_PORT
                  valueFrom:
                    secretKeyRef:
                      name: grafana-operator-postgresql-17-cluster-app
                      key: port
                - name: DB_USER
                  valueFrom:
                    secretKeyRef:
                      name: grafana-operator-postgresql-17-cluster-app
                      key: user
                - name: DB_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: grafana-operator-postgresql-17-cluster-app
                      key: password