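---
# Grafana Deployment: three replicas backed by an external PostgreSQL database
# and an external Redis, with login delegated to a Generic OAuth (OIDC) provider.
# Hardening added relative to the original manifest: no service-account token
# mount, non-root pod security context, and a restricted container security
# context (no privilege escalation, all capabilities dropped).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: grafana
  labels:
    app: grafana
spec:
  replicas: 3
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      # Grafana never talks to the Kubernetes API; do not hand it a token.
      automountServiceAccountToken: false
      securityContext:
        # 472 is the uid/gid the official image runs Grafana as.
        runAsNonRoot: true
        runAsUser: 472
        runAsGroup: 472
        fsGroup: 472
        # NOTE(review): GID 0 membership is the upstream workaround for volume
        # permissions on older persistent data; the only volume here is a
        # ConfigMap, so confirm whether it is still needed and drop it if not.
        supplementalGroups:
          - 0
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grafana
          # TODO: pin to an immutable reference, e.g.
          # grafana/grafana:<version>@sha256:<digest>. With the mutable
          # `latest` tag and `IfNotPresent`, each node keeps whatever it last
          # pulled, so replicas can silently run different Grafana versions
          # and upgrades are not reproducible.
          image: grafana/grafana:latest
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 3000
              name: http-grafana
              protocol: TCP
          # Readiness is a plain HTTP GET against the container port; TLS for
          # the public root URL is assumed to be terminated upstream.
          readinessProbe:
            failureThreshold: 3
            httpGet:
              path: /robots.txt
              port: 3000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            failureThreshold: 3
            initialDelaySeconds: 30
            periodSeconds: 10
            successThreshold: 1
            tcpSocket:
              port: 3000
            timeoutSeconds: 1
          env:
            - name: GF_SERVER_ROOT_URL
              value: "https://stats.prod.panic.haus/"
            - name: GF_SERVER_DOMAIN
              value: "stats.prod.panic.haus"
            # External database configuration (example using PostgreSQL)
            - name: GF_DATABASE_TYPE
              value: "postgres"
            # NOTE(review): no GF_DATABASE_SSL_MODE is set, so the connection
            # uses Grafana's default; confirm the link to the database service
            # is protected (mTLS/service mesh) or set ssl_mode explicitly.
            - name: GF_DATABASE_HOST
              value: "postgres-base-rw.postgres:5432"
            - name: GF_DATABASE_NAME
              value: "grafanadb"
            # Credentials come from a Secret, never from the manifest.
            - name: GF_DATABASE_USER
              valueFrom:
                secretKeyRef:
                  name: grafana-db-secret
                  key: username
            - name: GF_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-db-secret
                  key: password
            # NOTE(review): the [session] settings were removed in newer Grafana
            # releases; for a multi-replica deployment confirm whether these
            # two variables are still honoured by the image in use or whether
            # [remote_cache] (GF_REMOTE_CACHE_TYPE / GF_REMOTE_CACHE_CONNSTR)
            # is the intended setting. The Redis URL carries no credentials,
            # so access to that service must be restricted at the network level.
            - name: GF_SESSION_PROVIDER
              value: "redis"
            - name: GF_SESSION_PROVIDER_CONFIG
              value: "redis://redis-lb.redis.svc.cluster.local:6379"
            # Enable Generic OAuth
            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              value: "grafana"
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: grafana-oauth-secret
                  key: client-secret
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              value: "https://sso.panic.haus/realms/panic-haus/protocol/openid-connect/auth"
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              value: "https://sso.panic.haus/realms/panic-haus/protocol/openid-connect/token"
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              value: "https://sso.panic.haus/realms/panic-haus/protocol/openid-connect/userinfo"
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              value: "openid email profile offline_access roles"
            - name: GF_AUTH_GENERIC_OAUTH_DISCOVERY_URL
              value: "https://sso.panic.haus/realms/panic-haus/.well-known/openid-configuration"
            # Any identity the IdP authenticates gets a Grafana account. Because
            # ROLE_ATTRIBUTE_STRICT is "false" below, users in none of the
            # mapped groups still land as Viewer; restrict with
            # GF_AUTH_GENERIC_OAUTH_ALLOWED_GROUPS if that is not intended.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_AUTO_LOGIN
              value: "false"
            # NOTE(review): this points at obs.prod.panic.haus, not the root URL
            # above, and not at the IdP's end-session endpoint; confirm the
            # intended post-logout target.
            - name: GF_AUTH_GENERIC_OAUTH_SIGNOUT_REDIRECT_URL
              value: "https://obs.prod.panic.haus/logout"
            - name: GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH
              value: "full_name"
            - name: GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH
              value: "username"
            - name: GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_NAME
              value: "email:primary"
            - name: GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH
              value: "email"
            # Group-to-role mapping: grafana_admin -> GrafanaAdmin,
            # grafana_editor -> Editor, everyone else -> Viewer.
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
              value: "contains(groups, 'grafana_admin') && 'GrafanaAdmin' || contains(groups, 'grafana_editor') && 'Editor' || 'Viewer'"
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT
              value: "false"
            # Lets the mapping above grant server-admin; keep the
            # grafana_admin group membership tightly controlled at the IdP.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_SKIP_ORG_ROLE_SYNC
              value: "false"
          # Requests only; add limits once the workload's memory profile is
          # known so a single replica cannot exhaust its node.
          resources:
            requests:
              cpu: 250m
              memory: 750Mi
          volumeMounts:
            # subPath mounts are not refreshed when the ConfigMap changes;
            # a rollout is required to pick up new datasources.
            - name: grafana-datasources
              mountPath: /etc/grafana/provisioning/datasources/datasources.yaml
              subPath: datasources.yaml
      volumes:
        # Datasource provisioning often embeds credentials; if this ConfigMap
        # does, move it to a Secret.
        - name: grafana-datasources
          configMap:
            name: grafana-datasources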