k8s-deployment/values/badhouseplants/values.grafana.yaml

assertNoLeakedSecrets: false
ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    kubernetes.io/ingress.class: traefik
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: ""
    cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
    traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
  path: /
  pathType: Prefix
  hosts:
    - grafana.badhouseplants.net
  tls:
    - secretName: grafana.badhouseplants.net
      hosts:
        - grafana.badhouseplants.net
datasources:
  datasources.yaml:
    apiVersion: 1
    datasources:
      - name: Prometheus
        type: prometheus
        url: http://prometheus-operated.observability.svc.cluster.local:9090
        access: proxy
        isDefault: true
      - name: Loki
        type: loki
        url: http://loki-gateway.observability.svc.cluster.local:80
        access: proxy
        isDefault: false
        jsonData:
          httpHeaderName1: 'X-Scope-OrgID'
        secureJsonData:
          httpHeaderValue1: 'badhouseplants'
grafana.ini:
  server:
    root_url: https://grafana.badhouseplants.net
  auth:
    signout_redirect_url: "https://authentik.badhouseplants.net/application/o/grafana/end-session/"
    oauth_auto_login: true
  auth.generic_oauth:
    name: authentik
    enabled: true
    client_id: "grafana"
    scopes: "openid profile email"
    auth_url: "https://authentik.badhouseplants.net/application/o/authorize/"
    token_url: "https://authentik.badhouseplants.net/application/o/token/"
    api_url: "https://authentik.badhouseplants.net/application/o/userinfo/"
    # Optionally map user groups to Grafana roles
    role_attribute_path: contains(groups, 'Admins') && 'Admin' || contains(groups, 'DevOps') && 'Editor' || 'Viewer'