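---
# Grafana Deployment in the `monitoring` namespace. Login is delegated to an
# external OAuth2/OIDC provider through Grafana's generic OAuth integration.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: monitoring
spec:
  selector:
    matchLabels:
      app: grafana
  template:
    metadata:
      labels:
        app: grafana
    spec:
      securityContext:
        # Group applied to mounted volumes so the container can write to the
        # PVC mounted at /var/lib/grafana.
        fsGroup: 472
        # Refuse to start if the image would run as UID 0.
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grafana
          # NOTE(review): no tag or digest, so this resolves to `latest` and
          # the running version can change on any pod restart. Pin to a
          # reviewed release, e.g.
          # grafana/grafana:<PINNED_VERSION>@sha256:<IMAGE_DIGEST>.
          image: grafana/grafana
          # Least privilege: Grafana listens on an unprivileged port and needs
          # no Linux capabilities.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 3000
          env:
            # NOTE(review): only OAuth is configured here. Unless set
            # elsewhere, Grafana's built-in login form and local admin account
            # stay enabled; consider GF_AUTH_DISABLE_LOGIN_FORM and a
            # non-default GF_SECURITY_ADMIN_PASSWORD sourced from a Secret.
            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
            # Label shown on the login button.
            # NOTE(review): "authentk" looks like a typo for "authentik".
            - name: GF_AUTH_GENERIC_OAUTH_NAME
              value: "authentk"
            # Client credentials come from the Secret `grafana-oidc-secret`,
            # which must exist in this namespace; they are not stored in the
            # manifest.
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key: client-id
                  name: grafana-oidc-secret
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: client-secret
                  name: grafana-oidc-secret
            # NOTE(review): the role mapping below reads a `groups` claim, but
            # no groups scope is requested; confirm the provider includes
            # group membership under one of these scopes.
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              value: "openid profile email"
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              value: "https://auth.dontddos.me/application/o/authorize/"
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              value: "https://auth.dontddos.me/application/o/token/"
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              value: "https://auth.dontddos.me/application/o/userinfo/"
            - name: GF_AUTH_SIGNOUT_REDIRECT_URL
              value: "https://auth.dontddos.me/application/o/grafana/end-session/"
            # JMESPath expression mapping provider groups to Grafana roles.
            # NOTE(review): the trailing `|| 'Viewer'` gives every account that
            # can complete the OAuth flow read access. Either restrict who may
            # use this application at the identity provider, or drop the
            # fallback and set GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT to
            # "true" so users without a mapped group are rejected.
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
              value: "contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'"
            # Public base URL. The redirect URI registered at the provider
            # must match this host (Grafana's callback path is
            # /login/generic_oauth).
            - name: GF_SERVER_ROOT_URL
              value: "https://grafana.local.dontddos.me"
          volumeMounts:
            - name: grafana-storage
              mountPath: /var/lib/grafana
      volumes:
        - name: grafana-storage
          persistentVolumeClaim:
            claimName: grafana-pvc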