---
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: grafana
spec:
  interval: 30m
  chart:
    spec:
      chart: grafana
      version: 7.3.3
      sourceRef:
        kind: HelmRepository
        name: grafana
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  dependsOn:
    - name: kube-prometheus-stack
      namespace: observability
    - name: loki
      namespace: observability
  values:
    replicas: 2
    envFromSecret: grafana-secret
    grafana.ini:
      analytics:
        check_for_updates: false
        check_for_plugin_updates: false
        reporting_enabled: false
      auth:
        oauth_auto_login: true
        oauth_allow_insecure_email_lookup: true
      auth.generic_oauth:
        enabled: true
        name: Authentik
        icon: signin
        scopes: openid profile email
        empty_scopes: false
        login_attribute_path: preferred_username
        groups_attribute_path: groups
        name_attribute_path: name
        use_pkce: true
        client_id: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
        client_secret: # Set by env vars
        auth_url: https://auth.hsn.dev/application/o/authorize/
        token_url: https://auth.hsn.dev/application/o/token/
        api_url: https://auth.hsn.dev/application/o/userinfo/
        role_attribute_path: |
          contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
      auth.basic:
        enabled: false
      auth.anonymous:
        enabled: false
        # org_id: 1
        # org_role: Viewer
      news:
        news_feed_enabled: false