theshire/.archive/kubernetes/observability/grafana/app/externalsecret.yaml

61 lines
2.5 KiB
YAML

---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: grafana-secret
namespace: observability
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: grafana-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: "{{ .authentik_grafana_oauth_client_secret }}"
GF_DATE_FORMATS_USE_BROWSER_LOCALE: "true"
GF_SERVER_ROOT_URL: https://grafana.hsn.dev
GF_DATABASE_NAME: "{{ .grafana_GF_DATABASE_NAME }}"
GF_DATABASE_HOST: "postgres-primary-real.database.svc"
GF_DATABASE_USER: "{{ .grafana_GF_DATABASE_USER }}"
GF_DATABASE_PASSWORD: "{{ .grafana_GF_DATABASE_PASSWORD }}"
GF_DATABASE_SSL_MODE: "require"
GF_DATABASE_TYPE: postgres
GF_ANALYTICS_CHECK_FOR_UPDATES: "false"
GF_ANALYTICS_CHECK_FOR_PLUGIN_UPDATES: "false"
GF_ANALYTICS_REPORTING_ENABLED: "false"
GF_AUTH_ANONYMOUS_ENABLED: "false"
GF_AUTH_BASIC_ENABLED: "false"
GF_AUTH_GENERIC_OAUTH_ENABLED: "true"
GF_AUTH_GENERIC_OAUTH_API_URL: https://auth.hsn.dev/application/o/userinfo/
GF_AUTH_GENERIC_OAUTH_AUTH_URL: https://auth.hsn.dev/application/o/authorize/
GF_AUTH_GENERIC_OAUTH_TOKEN_URL: https://auth.hsn.dev/application/o/token/
GF_AUTH_GENERIC_OAUTH_CLIENT_ID: CoV7ae1HxuNzwCbVPf3U7TfYMX2rVqC5T9RAUo5M
GF_AUTH_GENERIC_OAUTH_EMPTY_SCOPES: "false"
GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
GF_AUTH_GENERIC_OAUTH_SCOPES: openid profile email groups
GF_AUTH_OAUTH_AUTO_LOGIN: "true"
GF_EXPLORE_ENABLED: "true"
GF_FEATURE_TOGGLES_ENABLE: publicDashboards
GF_LOG_MODE: console
GF_NEWS_NEWS_FEED_ENABLED: "false"
GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel
GF_SECURITY_COOKIE_SAMESITE: grafana
GF_SECURITY_ANGULAR_SUPPORT_ENABLED: "true"
dataFrom:
- extract:
key: Authentik
rewrite:
- regexp:
source: "(.*)"
target: "authentik_$1"
- extract:
key: grafana
rewrite:
- regexp:
source: "(.*)"
target: "grafana_$1"