Erich Blume
8cd2a19ea3
OAuth state cookie is set on the domain users visit (grafana.ops.eblu.me) but Grafana was constructing callbacks from root_url (grafana.tail8d86e.ts.net), causing "Missing saved oauth state" errors. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
108 lines
2.7 KiB
YAML
108 lines
2.7 KiB
YAML
# Grafana Helm values for blumeops
|
|
# Chart: https://github.com/grafana/helm-charts/tree/main/charts/grafana
|
|
|
|
# Admin credentials from pre-created secret
|
|
# Secret must exist before deploying - see grafana-config/README.md
|
|
admin:
|
|
existingSecret: grafana-admin
|
|
userKey: admin-user
|
|
passwordKey: admin-password
|
|
|
|
# Environment variables from secrets (for datasource credentials)
|
|
envFromSecrets:
|
|
- name: grafana-teslamate-datasource
|
|
optional: true
|
|
- name: grafana-dex-oauth
|
|
optional: true
|
|
|
|
# Persistence with PVC for SQLite database
|
|
persistence:
|
|
enabled: true
|
|
type: pvc
|
|
size: 1Gi
|
|
accessModes:
|
|
- ReadWriteOnce
|
|
|
|
# Grafana configuration via grafana.ini
|
|
grafana.ini:
|
|
server:
|
|
root_url: https://grafana.ops.eblu.me
|
|
security:
|
|
# Embedding disabled - iframe approach didn't work well for Homepage
|
|
allow_embedding: false
|
|
auth.generic_oauth:
|
|
enabled: true
|
|
name: Dex
|
|
client_id: grafana
|
|
client_secret: $__env{GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET}
|
|
scopes: openid profile email
|
|
auth_url: https://dex.ops.eblu.me/auth
|
|
token_url: https://dex.ops.eblu.me/token
|
|
api_url: https://dex.ops.eblu.me/userinfo
|
|
allow_sign_up: true
|
|
role_attribute_path: "'Admin'"
|
|
auto_login: false
|
|
analytics:
|
|
check_for_updates: false
|
|
reporting_enabled: false
|
|
|
|
# Datasources - point to k8s-internal services
|
|
datasources:
|
|
datasources.yaml:
|
|
apiVersion: 1
|
|
datasources:
|
|
- name: Prometheus
|
|
type: prometheus
|
|
access: proxy
|
|
orgId: 1
|
|
uid: prometheus
|
|
url: http://prometheus.monitoring.svc.cluster.local:9090
|
|
isDefault: true
|
|
editable: false
|
|
- name: Loki
|
|
type: loki
|
|
access: proxy
|
|
orgId: 1
|
|
uid: loki
|
|
url: http://loki.monitoring.svc.cluster.local:3100
|
|
editable: false
|
|
- name: TeslaMate
|
|
type: postgres
|
|
access: proxy
|
|
orgId: 1
|
|
uid: TeslaMate
|
|
url: blumeops-pg-rw.databases.svc.cluster.local:5432
|
|
database: teslamate
|
|
user: teslamate
|
|
editable: false
|
|
jsonData:
|
|
sslmode: disable
|
|
maxOpenConns: 5
|
|
maxIdleConns: 2
|
|
connMaxLifetime: 14400
|
|
secureJsonData:
|
|
password: $TESLAMATE_DB_PASSWORD
|
|
|
|
# Dashboard provisioning - sidecar watches for ConfigMaps with label
|
|
sidecar:
|
|
dashboards:
|
|
enabled: true
|
|
label: grafana_dashboard
|
|
labelValue: "1"
|
|
folderAnnotation: grafana_folder
|
|
provider:
|
|
foldersFromFilesStructure: false
|
|
|
|
# Service configuration (Ingress will handle external access)
|
|
service:
|
|
type: ClusterIP
|
|
port: 80
|
|
|
|
# Resource limits for minikube
|
|
resources:
|
|
requests:
|
|
memory: "128Mi"
|
|
cpu: "100m"
|
|
limits:
|
|
memory: "512Mi"
|
|
cpu: "500m"
|