# Helm values nested under the `grafana:` key. Block structure is restored from
# a collapsed listing; every key and value is unchanged, and only scalar quoting
# and comments differ.
# Admin and OAuth client credentials are not stored inline: they come from
# ExternalSecret objects backed by the `weyma-vault` ClusterSecretStore.
grafana:
  # Admin user and password are read from the `grafana-admin` Secret, which the
  # first ExternalSecret under extraObjects creates.
  admin:
    existingSecret: grafana-admin
    passwordKey: passwordKey
    userKey: userKey
  # Leaves the chart's check for secret values in the rendered config enabled.
  assertNoLeakedSecrets: true
  # Pod-level token mount is on although serviceAccount.automountServiceAccountToken
  # is false further down.
  # NOTE(review): no sidecar is configured in this file. Confirm something in
  # the pod needs the Kubernetes API before keeping the token mounted.
  automountServiceAccountToken: true
  # Main container: no privilege escalation, all capabilities dropped, default
  # seccomp profile.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    seccompProfile:
      type: RuntimeDefault
  createConfigmap: true
  # `-k` makes curl skip TLS certificate verification.
  # NOTE(review): presumably applied to dashboard downloads done with the curl
  # image below; no download URLs appear in this file. Consider dropping `-k`
  # before adding any, so fetched content is authenticated.
  defaultCurlOptions: "-skf"
  deploymentStrategy:
    type: Recreate
  # Tag-only image reference: a tag can be re-pointed upstream, a digest cannot.
  downloadDashboardsImage:
    pullPolicy: IfNotPresent
    registry: docker.io
    repository: curlimages/curl
    tag: "8.9.1"
  enableServiceLinks: true
  # Non-secret OAuth settings (ConfigMap) and the OAuth client credentials
  # (Secret) both reach Grafana as environment variables.
  # NOTE(review): environment variables are fixed at container start, so a
  # rotated client secret presumably needs a pod restart to take effect.
  envFromConfigMaps:
    - name: grafana-env
  envFromSecrets:
    - name: grafana-secretenv
  extraObjects:
    # Admin credentials: copies `userKey` and `passwordKey` from remote key
    # `grafana` into the Secret `grafana-admin`, re-read every hour.
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
        name: grafana-admin
      spec:
        data:
          - remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: grafana
              metadataPolicy: None
              property: userKey
            secretKey: userKey
          - remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: grafana
              metadataPolicy: None
              property: passwordKey
            secretKey: passwordKey
        refreshInterval: 1h
        secretStoreRef:
          kind: ClusterSecretStore
          name: weyma-vault
        target:
          creationPolicy: Owner
          deletionPolicy: Retain
          name: grafana-admin
    # OAuth client id and secret, from the same remote key, into the Secret
    # `grafana-secretenv` that envFromSecrets consumes.
    - apiVersion: external-secrets.io/v1
      kind: ExternalSecret
      metadata:
        name: grafana-secretenv
      spec:
        data:
          - remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: grafana
              metadataPolicy: None
              property: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
            secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
          - remoteRef:
              conversionStrategy: Default
              decodingStrategy: None
              key: grafana
              metadataPolicy: None
              property: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
            secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
        refreshInterval: 1h
        secretStoreRef:
          kind: ClusterSecretStore
          name: weyma-vault
        target:
          creationPolicy: Owner
          deletionPolicy: Retain
          name: grafana-secretenv
    # Generic OAuth login against the provider labelled `authentik`.
    - apiVersion: v1
      kind: ConfigMap
      metadata:
        name: grafana-env
      data:
        GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.dubyatp.xyz/application/o/userinfo/
        GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.dubyatp.xyz/application/o/authorize/
        GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
        GF_AUTH_GENERIC_OAUTH_NAME: authentik
        # Role mapping from the `groups` claim. The final `|| 'Viewer'` gives
        # every user who can complete the OAuth login at least Viewer, so who
        # may sign in at all has to be restricted on the identity-provider side.
        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
        GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.dubyatp.xyz/application/o/token/
        GF_AUTH_OAUTH_AUTO_LOGIN: "true"
        GF_AUTH_SIGNOUT_REDIRECT_URL: https://auth.dubyatp.xyz/application/o/grafana-slug/end-session/
        GF_SERVER_ROOT_URL: https://grafana.infra.dubyatp.xyz
    # Empty placeholder Secret; the replicate-from annotation names
    # `cert-manager/cert-dubyatp-xyz` as the source of its contents, so a copy
    # of the TLS private key ends up in this namespace.
    # NOTE(review): no `type` is set, so the Secret is created as Opaque.
    # Confirm the ingress controller accepts that for `secretName` below.
    - apiVersion: v1
      kind: Secret
      metadata:
        name: cert-dubyatp-xyz
        annotations:
          replicator.v1.mittwald.de/replicate-from: "cert-manager/cert-dubyatp-xyz"
          replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
      data:
        tls.crt: ""
        tls.key: ""
  grafana.ini:
    analytics:
      check_for_updates: true
    grafana_net:
      url: https://grafana.net
    log:
      mode: console
    paths:
      data: /var/lib/grafana/
      logs: /var/log/grafana
      plugins: /var/lib/grafana/plugins
      provisioning: /etc/grafana/provisioning
    server:
      # Template string: first ingress host when ingress is enabled, otherwise
      # two literal single quotes.
      domain: '{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else }}''''{{ end }}'
  # No tag is given for the Grafana image in this file.
  image:
    pullPolicy: IfNotPresent
    registry: docker.io
    repository: grafana/grafana
  # External access goes through this ingress; TLS uses the replicated
  # certificate Secret defined under extraObjects.
  ingress:
    enabled: true
    hosts:
      - grafana.infra.dubyatp.xyz
    path: /
    pathType: Prefix
    tls:
      - hosts:
          - grafana.infra.dubyatp.xyz
        secretName: cert-dubyatp-xyz
  # The only container in this file that runs as root (uid 0). It keeps the
  # CHOWN capability alone and has a writable root filesystem.
  # NOTE(review): securityContext.fsGroup is already 472; whether the volume
  # still needs an explicit chown depends on the storage driver. Confirm
  # before relying on either.
  initChownData:
    enabled: true
    image:
      pullPolicy: IfNotPresent
      registry: docker.io
      repository: library/busybox
      tag: "1.37.0"
    securityContext:
      capabilities:
        add:
          - CHOWN
        drop:
          - ALL
      readOnlyRootFilesystem: false
      runAsNonRoot: false
      runAsUser: 0
      seccompProfile:
        type: RuntimeDefault
  livenessProbe:
    failureThreshold: 10
    httpGet:
      path: /api/health
      port: 3000
    initialDelaySeconds: 60
    timeoutSeconds: 30
  persistence:
    accessModes:
      - ReadWriteOnce
    enabled: true
    finalizers:
      - kubernetes.io/pvc-protection
    size: 10Gi
    type: pvc
  podPortName: grafana
  podAnnotations:
    backup.velero.io/backup-volumes: "storage"
  # NOTE(review): `namespaced: false` presumably makes the chart create
  # cluster-scoped RBAC objects. Confirm cluster-wide access is needed.
  rbac:
    create: true
    namespaced: false
  readinessProbe:
    httpGet:
      path: /api/health
      port: 3000
  replicas: 1
  revisionHistoryLimit: 10
  # Pod runs as non-root uid/gid 472; volumes get group 472.
  securityContext:
    fsGroup: 472
    runAsGroup: 472
    runAsNonRoot: true
    runAsUser: 472
  # ClusterIP only: no NodePort or LoadBalancer is requested here.
  service:
    enabled: true
    port: 80
    portName: service
    targetPort: 3000
    type: ClusterIP
  serviceAccount:
    automountServiceAccountToken: false
    create: true
  testFramework:
    enabled: true
    image:
      registry: docker.io
      repository: bats/bats
      tag: "1.12.0"
    imagePullPolicy: IfNotPresent
  useStatefulSet: false