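# Helm values for a Grafana deployment: persistent storage, the grafana.ini
# sections, and the Kubernetes secrets injected as environment variables.
persistence:
  enabled: true
  storageClassName: nfs-client

grafana.ini:
  server:
    root_url: https://grafana.saerbeck.ib-hottgenroth.de
  smtp:
    enabled: true
    host: smtp.system.svc.cluster.local
    from_address: saerbeckgrafana@ib-hottgenroth.de
    from_name: "Saerbeck Grafana Pseudouser"
  log:
    # NOTE(review): debug output is verbose and can include details of the
    # OAuth exchange; confirm this level is wanted outside troubleshooting.
    level: debug
  emails:
    welcome_email_on_sign_up: true
  security:
    cookie_secure: true
    # NOTE(review): "none" lets browsers attach the session cookie to
    # cross-site requests (Grafana's default is "lax"). Keep it only if
    # dashboards must be embedded from another site.
    cookie_samesite: none
  auth:
    disable_login_form: false
  auth.anonymous:
    # Unauthenticated visitors are mapped to the Viewer role of "Main Org.",
    # so anything a Viewer of that org can read is readable by anyone who can
    # reach root_url. NOTE(review): confirm this exposure is intended.
    enabled: true
    org_name: "Main Org."
    org_role: Viewer
  auth.generic_oauth:
    enabled: true
    name: Hottis via Keycloak
    allow_sign_up: true
    client_id: saerbeckgrafana
    scopes: openid email profile offline_access roles
    email_attribute_path: email
    login_attribute_path: username
    name_attribute_path: fullname
    auth_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/auth
    token_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/token
    api_url: https://auth2.hottis.de/realms/hottis/protocol/openid-connect/userinfo
    # The Grafana role is taken from the "roles" claim returned by the
    # identity provider; the first matching entry wins, highest first.
    role_attribute_path: "contains(roles[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(roles[*], 'Admin') && 'Admin' || contains(roles[*], 'Editor') && 'Editor' || contains(roles[*], 'Viewer') && 'Viewer'"
    # Strict mode: a login whose claims match none of the roles above is
    # rejected instead of falling back to a default role.
    role_attribute_strict: true
    # Lets the 'GrafanaAdmin' mapping above grant server-wide admin rights.
    allow_assign_grafana_admin: true
    # Was "true". Roles, including server admin, are derived from the
    # token/userinfo responses, so the identity provider's certificate must
    # be verified; with verification off, anyone able to intercept that
    # traffic could supply forged claims. If the provider uses a private CA,
    # point tls_client_ca at its bundle instead of disabling verification.
    tls_skip_verify_insecure: false
  database:
    type: postgres
    host: database.database1.svc.cluster.local
    name: saerbeckgrafana
    # NOTE(review): "require" encrypts the connection but does not validate
    # the server certificate; "verify-full" does, given a CA bundle. Confirm
    # whether that is acceptable for this in-cluster database.
    ssl_mode: require

# add the oauth client secret in this secret with the key GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
# example:
# kubectl create secret generic grafana-oauth-secret --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="geheim"
# "geheim" is the example's placeholder value. --from-literal leaves the real
# value in shell history; --from-env-file or --from-file avoids that.
# No credentials are stored in this file; grafana-db-cred presumably carries
# the database user and password (verify against the cluster).
envFromSecrets:
  - name: grafana-oauth-secret
  - name: grafana-db-cred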