--- apiVersion: grafana.integreatly.org/v1beta1 kind: Grafana metadata: name: grafana namespace: grafana labels: dashboards: "grafana" spec: deployment: spec: template: spec: containers: - name: grafana env: # DB password + OAuth client secret injected from the # Vault-synced secrets (GF_ env overrides grafana.ini). - name: GF_DATABASE_PASSWORD valueFrom: secretKeyRef: name: postgres-credentials key: password - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET valueFrom: secretKeyRef: name: oauth-credentials key: client_secret resources: requests: cpu: 100m memory: 256Mi limits: cpu: "1" memory: 1Gi config: server: root_url: "https://grafana.k8s.syd1.au.unkin.net" database: type: "postgres" host: "postgres-pooler-rw.grafana.svc.cluster.local:5432" name: "grafana" user: "grafana" ssl_mode: "require" auth: disable_login_form: "false" oauth_auto_login: "false" "auth.generic_oauth": enabled: "true" name: "Authentik" allow_sign_up: "true" use_pkce: "true" client_id: "grafana" scopes: "openid email profile" auth_url: "https://identity.unkin.net/application/o/authorize/" token_url: "https://identity.unkin.net/application/o/token/" api_url: "https://identity.unkin.net/application/o/userinfo/" # Authentik groups -> Grafana roles (adjust group name as needed). role_attribute_path: "contains(groups[*], 'grafana-admins') && 'Admin' || 'Viewer'" role_attribute_strict: "false"