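# Grafana Deployment for the "metrics" namespace, using Grafana's generic OAuth
# provider against a Keycloak realm (sso.konfach.ru) for login.
#
# Objects this manifest expects to already exist in the same namespace:
#   - PVC `grafana-data`: SQLite DB, plugins and dashboard state.
#   - ConfigMap `grafana-config` with key `datasources.yaml`.
#   - Secret `grafana-secrets` with keys `oauth-client-secret` and
#     `admin-password`. Create it out of band (kubectl create secret,
#     sealed-secrets, external-secrets, …); never put its values in this file.
#
# NOTE(review): the OAuth client secret used to be a plaintext literal here and
# GF_SECURITY_ADMIN_PASSWORD was declared with no value. Both are now sourced
# from the Secret. If an overlay was patching `value:` onto either entry, move
# that to the Secret instead — `value` and `valueFrom` on the same env entry is
# rejected by the API server.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: metrics
  labels:
    app.kubernetes.io/name: grafana
spec:
  # One replica on a single PVC with the embedded database; Recreate keeps two
  # pods from contending for the same volume during a rollout.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: grafana
  strategy:
    type: Recreate
  template:
    metadata:
      namespace: metrics
      labels:
        app.kubernetes.io/name: grafana
    spec:
      # Unprivileged UID; fsGroup makes the PVC writable by it. runAsNonRoot
      # makes the kubelet refuse to start the container if the image ever
      # switches back to UID 0.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: grafana
          # TODO(review): pin by digest (grafana/grafana:11.1.0@sha256:…) so the
          # rollout cannot change underneath a re-pushed tag.
          image: grafana/grafana:11.1.0
          # Grafana listens on an unprivileged port and needs no capabilities.
          # readOnlyRootFilesystem is deliberately not set: the stock image
          # appears to write under /var/log/grafana and /tmp at startup — add it
          # together with emptyDir mounts for those paths once verified.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          env:
            # Any IdP-authenticated user may get an account on first login.
            # The effective gate is the role mapping below: with
            # ROLE_ATTRIBUTE_STRICT, a login whose token yields no role is
            # refused, so sign-up is limited to holders of the `developer` role.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_SIGN_UP
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              value: https://sso.konfach.ru/realms/konfach/protocol/openid-connect/userinfo
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              value: https://sso.konfach.ru/realms/konfach/protocol/openid-connect/auth
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              value: grafana
            # A client secret that has been committed to version control must
            # be treated as compromised: rotate it on the Keycloak client and
            # store only the new value in the Secret.
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: grafana-secrets
                  key: oauth-client-secret
            - name: GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH
              value: email
            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_LOGIN_ATTRIBUTE_PATH
              value: username
            - name: GF_AUTH_GENERIC_OAUTH_NAME
              value: KonfachSSO
            - name: GF_AUTH_GENERIC_OAUTH_NAME_ATTRIBUTE_PATH
              value: full_name
            # JMESPath evaluated against the token / userinfo claims: the
            # `developer` realm role maps to Editor; anything else evaluates to
            # false, which strict mode treats as "no role" and rejects. Nothing
            # maps to Admin, so the built-in admin account is the only
            # administrator — hence its password matters.
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
              value: contains(realm_access.roles[*], 'developer') && 'Editor'
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_STRICT
              value: "true"
            # `roles` is what makes Keycloak emit realm_access in the token.
            # `offline_access` requests a long-lived refresh token; it is only
            # useful if GF_AUTH_GENERIC_OAUTH_USE_REFRESH_TOKEN is enabled —
            # drop it otherwise to avoid issuing tokens nothing consumes.
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              value: openid email profile offline_access roles
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              value: https://sso.konfach.ru/realms/konfach/protocol/openid-connect/token
            # Was declared with no value, which Kubernetes exports as an empty
            # string; Grafana does not apply empty env overrides, so the
            # built-in admin would keep its default credentials.
            - name: GF_SECURITY_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-secrets
                  key: admin-password
            # Must be the externally reachable URL: Grafana derives the OAuth
            # redirect_uri (<root_url>/login/generic_oauth) from it and that
            # exact URI has to be registered on the Keycloak client. Left
            # without a value on the assumption an overlay sets it — confirm.
            - name: GF_SERVER_ROOT_URL
            - name: GF_SERVER_SERVE_FROM_SUB_PATH
              value: "false"
          resources:
            limits:
              memory: "512Mi"
              cpu: "500m"
            requests:
              memory: "256Mi"
              cpu: "250m"
          ports:
            - name: http
              containerPort: 3000
              protocol: TCP
          # /api/health is unauthenticated and cheap; it does not exercise
          # datasources or the IdP.
          readinessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 20
          volumeMounts:
            - mountPath: /var/lib/grafana
              name: grafana-data
            # subPath mounts are not refreshed when the ConfigMap changes; a
            # pod restart is needed to pick up edits. If datasources.yaml
            # carries credentials (basicAuthPassword, secureJsonData), it
            # belongs in a Secret volume rather than a ConfigMap.
            - mountPath: /etc/grafana/provisioning/datasources/ds.yaml
              name: grafana-config
              subPath: ds.yaml
      restartPolicy: Always
      volumes:
        - name: grafana-data
          persistentVolumeClaim:
            claimName: grafana-data
        - name: grafana-config
          configMap:
            name: grafana-config
            items:
              - key: datasources.yaml
                path: ds.yaml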