# Helm values for the Grafana chart, nested under the `grafana:` key.
# Nesting is reconstructed from a flattened listing; check it against the
# chart's values schema before use.
grafana:
  # The admin login is read from the Secret `grafana-admin`, which the first
  # ExternalSecret under extraObjects creates from the `weyma-vault` store.
  admin:
    existingSecret: 'grafana-admin'
    passwordKey: 'passwordKey'
    userKey: 'userKey'
  assertNoLeakedSecrets: true
  # NOTE(review): the pod-level setting takes precedence over
  # serviceAccount.automountServiceAccountToken (false, further down), so the
  # token is mounted into the pod. No sidecar is enabled in this file; if
  # nothing in the pod calls the Kubernetes API, set this to false.
  automountServiceAccountToken: true
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - 'ALL'
    seccompProfile:
      type: 'RuntimeDefault'
  createConfigmap: true
  # NOTE(review): `-k` disables TLS certificate verification in curl. Drop it
  # (use `-sf`) where every endpoint fetched presents a valid certificate.
  defaultCurlOptions: '-skf'
  deploymentStrategy:
    type: 'Recreate'
  enableServiceLinks: true
  # Non-secret OAuth settings come from the ConfigMap, the client id and
  # secret from the Secret; both objects are defined under extraObjects.
  envFromConfigMaps:
    - name: 'grafana-env'
  envFromSecrets:
    - name: 'grafana-secretenv'
  extraObjects:
    # Admin user and password, pulled from the `grafana` entry in the store.
    - apiVersion: 'external-secrets.io/v1'
      kind: 'ExternalSecret'
      metadata:
        name: 'grafana-admin'
      spec:
        data:
          - remoteRef:
              conversionStrategy: 'Default'
              decodingStrategy: 'None'
              key: 'grafana'
              metadataPolicy: 'None'
              property: 'userKey'
            secretKey: 'userKey'
          - remoteRef:
              conversionStrategy: 'Default'
              decodingStrategy: 'None'
              key: 'grafana'
              metadataPolicy: 'None'
              property: 'passwordKey'
            secretKey: 'passwordKey'
        # A value rotated in the store reaches the Secret within this interval.
        refreshInterval: '1h'
        # A ClusterSecretStore is cluster-scoped; access to the `grafana`
        # entry is governed by the store's own configuration, not shown here.
        secretStoreRef:
          kind: 'ClusterSecretStore'
          name: 'weyma-vault'
        target:
          creationPolicy: 'Owner'
          # Retain keeps the Secret when the ExternalSecret is deleted, so
          # the credentials stay in the namespace until removed by hand.
          deletionPolicy: 'Retain'
          name: 'grafana-admin'
    # OAuth client credentials, injected into Grafana as environment variables.
    - apiVersion: 'external-secrets.io/v1'
      kind: 'ExternalSecret'
      metadata:
        name: 'grafana-secretenv'
      spec:
        data:
          - remoteRef:
              conversionStrategy: 'Default'
              decodingStrategy: 'None'
              key: 'grafana'
              metadataPolicy: 'None'
              property: 'GF_AUTH_GENERIC_OAUTH_CLIENT_ID'
            secretKey: 'GF_AUTH_GENERIC_OAUTH_CLIENT_ID'
          - remoteRef:
              conversionStrategy: 'Default'
              decodingStrategy: 'None'
              key: 'grafana'
              metadataPolicy: 'None'
              property: 'GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET'
            secretKey: 'GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET'
        refreshInterval: '1h'
        secretStoreRef:
          kind: 'ClusterSecretStore'
          name: 'weyma-vault'
        target:
          creationPolicy: 'Owner'
          deletionPolicy: 'Retain'
          name: 'grafana-secretenv'
    # Generic OAuth login against the identity provider at auth.dubyatp.xyz.
    - apiVersion: 'v1'
      kind: 'ConfigMap'
      metadata:
        name: 'grafana-env'
      data:
        GF_AUTH_GENERIC_OAUTH_API_URL: 'https://auth.dubyatp.xyz/application/o/userinfo/'
        GF_AUTH_GENERIC_OAUTH_AUTH_URL: 'https://auth.dubyatp.xyz/application/o/authorize/'
        GF_AUTH_GENERIC_OAUTH_ENABLED: 'true'
        GF_AUTH_GENERIC_OAUTH_NAME: 'authentik'
        # Role mapping: the two named groups become Admin and Editor, and any
        # other account that can sign in becomes Viewer.
        # NOTE(review): if sign-in should be limited to those groups, remove
        # the 'Viewer' fallback and enable role_attribute_strict, or restrict
        # access to the application at the identity provider.
        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'"
        # NOTE(review): the expression reads a `groups` claim; confirm the
        # provider returns it for these scopes.
        GF_AUTH_GENERIC_OAUTH_SCOPES: 'openid profile email'
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL: 'https://auth.dubyatp.xyz/application/o/token/'
        GF_AUTH_OAUTH_AUTO_LOGIN: 'true'
        GF_AUTH_SIGNOUT_REDIRECT_URL: 'https://auth.dubyatp.xyz/application/o/grafana-slug/end-session/'
        GF_SERVER_ROOT_URL: 'https://grafana.infra.dubyatp.xyz'
    # Empty placeholder; the replicator annotations name the source Secret in
    # the cert-manager namespace and the keys to copy from it.
    # NOTE(review): this places a copy of the TLS private key in this
    # namespace; scope Secret read access here accordingly.
    - apiVersion: 'v1'
      kind: 'Secret'
      metadata:
        name: 'cert-dubyatp-xyz'
        annotations:
          replicator.v1.mittwald.de/replicate-from: 'cert-manager/cert-dubyatp-xyz'
          replicator.v1.mittwald.de/replicated-keys: 'tls.crt,tls.key'
      data:
        tls.crt: ''
        tls.key: ''
  grafana.ini:
    analytics:
      # Grafana makes outbound update checks while this is true; set it to
      # false if the pod should have no such egress.
      check_for_updates: true
    grafana_net:
      url: 'https://grafana.net'
    log:
      mode: 'console'
    paths:
      data: '/var/lib/grafana/'
      logs: '/var/log/grafana'
      plugins: '/var/lib/grafana/plugins'
      provisioning: '/etc/grafana/provisioning'
    server:
      # Rendered by the chart: first ingress host when ingress is enabled,
      # otherwise an empty string.
      domain: '{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts
        | first) . }}{{ else }}''''{{ end }}'
  # NOTE(review): no tag or digest is set here, so the version comes from
  # somewhere else (presumably the chart default). Pin a tag or digest if
  # deployments must be reproducible.
  image:
    pullPolicy: 'IfNotPresent'
    registry: 'docker.io'
    repository: 'grafana/grafana'
  ingress:
    enabled: true
    hosts:
      - 'grafana.infra.dubyatp.xyz'
    path: '/'
    pathType: 'Prefix'
    tls:
      - hosts:
          - 'grafana.infra.dubyatp.xyz'
        secretName: 'cert-dubyatp-xyz'
  # Init container that runs as root (UID 0) with every capability dropped
  # except CHOWN.
  # NOTE(review): securityContext.fsGroup is set to 472 further down; if the
  # storage class honours fsGroup, this root init container may be unneeded.
  initChownData:
    enabled: true
    securityContext:
      capabilities:
        add:
          - 'CHOWN'
        drop:
          - 'ALL'
      readOnlyRootFilesystem: false
      runAsNonRoot: false
      runAsUser: 0
      seccompProfile:
        type: 'RuntimeDefault'
  livenessProbe:
    failureThreshold: 10
    httpGet:
      path: '/api/health'
      port: 3000
    initialDelaySeconds: 60
    timeoutSeconds: 30
  persistence:
    accessModes:
      - 'ReadWriteOnce'
    enabled: true
    finalizers:
      - 'kubernetes.io/pvc-protection'
    size: '10Gi'
    type: 'pvc'
  podPortName: 'grafana'
  # Velero backs up the volume named `storage`; the Grafana database on it
  # goes into the backup, so protect the backup location like the volume.
  podAnnotations:
    backup.velero.io/backup-volumes: 'storage'
  # NOTE(review): namespaced is false, so the RBAC objects the chart creates
  # are presumably cluster-scoped; set it to true if namespace scope suffices.
  rbac:
    create: true
    namespaced: false
  readinessProbe:
    httpGet:
      path: '/api/health'
      port: 3000
  replicas: 1
  revisionHistoryLimit: 10
  # The Grafana pod runs as non-root UID and GID 472.
  securityContext:
    fsGroup: 472
    runAsGroup: 472
    runAsNonRoot: true
    runAsUser: 472
  service:
    enabled: true
    port: 80
    portName: 'service'
    targetPort: 3000
    type: 'ClusterIP'
  serviceAccount:
    # Overridden for the Grafana pod by the pod-level
    # automountServiceAccountToken: true near the top of this file.
    automountServiceAccountToken: false
    create: true
  testFramework:
    enabled: true
    image:
      registry: 'docker.io'
      repository: 'bats/bats'
      tag: '1.13.0'
    imagePullPolicy: 'IfNotPresent'
  useStatefulSet: false