---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: grafana
  namespace: monitoring
spec:
  chart:
    spec:
      chart: grafana
      interval: 30m
      sourceRef:
        kind: HelmRepository
        name: grafana
        namespace: flux-system
      version: 6.61.0
  interval: 30m
  timeout: 20m
  maxHistory: 2
  install:
    createNamespace: true
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  values:
    annotations:
    configmap.reloader.stakater.com/reload: grafana
    secret.reloader.stakater.com/reload: grafana-secrets
    replicas: 1
    envFromSecret: grafana-secrets

    grafana.ini:
      analytics:
        check_for_updates: false
        check_for_plugin_updates: false
        reporting_enabled: false
      auth:
        oauth_auto_login: true
        oauth_allow_insecure_email_lookup: true
        signout_redirect_url: https://auth.valinor.social/application/o/grafana/end-session/
      auth.basic:
        enabled: false
      auth.generic_oauth:
        enabled: true
        name: Authentik
        icon: signin
        scopes: openid profile email
        empty_scopes: false
        login_attribute_path: preferred_username
        groups_attribute_path: groups
        name_attribute_path: name
        use_pkce: true
        client_id: X9jnN2z3Ug0l0jgmua4uS6lHTF0HhtYhpdvJq3DC
        client_secret: # Set by env vars
        auth_url: https://auth.valinor.social/application/o/authorize/
        token_url: https://auth.valinor.social/application/o/token/
        api_url: https://auth.valinor.social/application/o/userinfo/
        # map user groups to Grafana roles
        role_attribute_path: |
          contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
      date_formats:
        use_browser_locale: true
      explore:
        enabled: true
      news:
        news_feed_enabled: false
      panels:
        disable_sanitize_html: true
      paths:
        data: /var/lib/grafana/data
        logs: /var/log/grafana
        plugins: /var/lib/grafana/plugins
        provisioning: /etc/grafana/provisioning
      security:
        allow_embedding: true
        cookie_samesite: grafana
      server:
        root_url: https://grafana.valinor.social
    ingress:
      enabled: true
      annotations:
        external-dns.alpha.kubernetes.io/target: ingress.valinor.social
      ingressClassName: nginx
      hosts:
        - &host grafana.valinor.social
      tls:
        - hosts:
            - *host
    plugins:
      - natel-discrete-panel
      - pr0ps-trackmap-panel
      - grafana-piechart-panel
      - vonage-status-panel
      - grafana-worldmap-panel
      - grafana-clock-panel