---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-secret
  namespace: observability
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: grafana-secret
    creationPolicy: Owner
    template:
      engineVersion: v2
      data:
        GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .authentik_grafana_oauth_client_secret }}"
        GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true"
        GF_SERVER_ROOT_URL: https://grafana.hsn.dev
        GF_DATABASE_NAME: ${DB_NAME}
        GF_DATABASE_HOST: "grafana-primary.observability.svc:5432"
        GF_DATABASE_USER: "{{ .grafana_postgres_user }}"
        GF_DATABASE_PASSWORD: "{{ .grafana_postgres_password }}"
        GF_DATABASE_SSL_MODE: "require"
        GF_DATABASE_TYPE: postgres
        GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
        GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES: "false"
        GF_ANALYTICS_REPORTING_ENABLED: "false"
        GF_AUTH_ANONYMOUS_ENABLED: "false"
        GF_AUTH_BASIC_ENABLED: "false"
        GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
        GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.hsn.dev/application/o/userinfo/
        GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.hsn.dev/application/o/authorize/
        GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.hsn.dev/application/o/token/
        GF_AUTH_GENERIC_OAUTH_CLIENT_ID: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
        GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES: "false"
        GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
        GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email groups
        GF_AUTH_OAUTH_AUTO_LOGIN: "true"
        GF_EXPLORE_ENABLED: "true"
        GF_FEATURE_TOGGLES_ENABLE: publicDashboards
        GF_LOG_MODE: console
        GF_NEWS_NEWS_FEED_ENABLED: "false"
        GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel
        GF_SECURITY_COOKIE_SAMESITE: grafana
        GF_SECURITY_ANGULAR_SUPPORT_ENABLED: "true"

  dataFrom:
    - extract:
        key: Authentik
      rewrite:
        - regexp:
            source: "(.*)"
            target: "authentik_$1"
    - extract:
        key: grafana
      rewrite:
        - regexp:
            source: "(.*)"
            target: "grafana_$1"