k3s-cluster/cluster/apps/monitoring/grafana/helm-release.yaml


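---
# Flux HelmRelease that installs Grafana into the `monitoring` namespace.
# Login is delegated to Authentik over generic OAuth, the VictoriaMetrics
# server is provisioned as the only datasource, and a set of dashboards is
# downloaded when the pod starts.
# `${SECRET_NEW_DOMAIN}` is not expanded by Helm or Grafana; presumably it is
# filled in by Flux post-build substitution - confirm against the owning
# Kustomization.
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: grafana
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      chart: grafana
      # Exact chart version, quoted so it stays a string.
      version: "7.3.11"
      sourceRef:
        kind: HelmRepository
        name: grafana-charts
        namespace: flux-system
  values:
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-production
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
        # Anchor is reused by the TLS entry so both always name the same host.
        - &grafana-host grafana.${SECRET_NEW_DOMAIN}
      path: "/"
      tls:
        # NOTE(review): no secretName is set on this TLS entry; confirm where
        # the served certificate comes from (cert-manager's ingress
        # integration keys off tls[].secretName).
        - hosts:
            - *grafana-host
    grafana.ini:
      server:
        # Must match the public URL: OAuth redirect URIs are built from it.
        root_url: https://grafana.${SECRET_NEW_DOMAIN}/
      auth:
        # Hides the username/password form and sends users straight to the
        # OAuth provider.
        # NOTE(review): this only removes the form; confirm whether basic auth
        # and the built-in admin account should also be restricted.
        disable_login_form: true
        oauth_auto_login: true
      auth.generic_oauth:
        enabled: true
        # Any identity Authentik lets through to this application gets a
        # Grafana account on first login, so who may sign in has to be
        # restricted on the Authentik side.
        allow_sign_up: true  # creates new users after authentik login
        auto_login: true
        name: Authentik
        # Credentials are read at runtime from the files mounted by
        # extraSecretMounts below, so they never appear in this manifest or
        # in the rendered grafana.ini.
        client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
        client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
        scopes: openid profile email offline_access
        auth_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/authorize/
        token_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/token/
        api_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/userinfo/
        # Only the admin mapping is active. The original line carried the
        # rest of the expression after " #", which YAML treats as a comment,
        # so it was never part of the value; it is preserved here:
        #   || contains(info.groups[*], 'editor') && 'Editor' || 'Viewer'
        # Members of 'authentik Admins' become Grafana *server* admins (see
        # allow_assign_grafana_admin). Everyone else gets no role from this
        # expression and falls back to Grafana's default role assignment;
        # role_attribute_strict is the setting that denies login instead.
        role_attribute_path: "contains(groups[*], 'authentik Admins') && 'GrafanaAdmin'"
        groups_attribute_path: groups
        name_attribute_path: preferred_username
        login_attribute_path: email
        # Lets the IdP claim above grant the instance-wide admin role, which
        # makes membership of that Authentik group a privileged assignment.
        allow_assign_grafana_admin: true
        use_pkce: true
        use_refresh_token: true
    # Provide oauth creds
    extraSecretMounts:
      - name: grafana-secrets-mount
        secretName: grafana-secrets
        # 0440 (r--r-----) written in decimal: a bare 0440 is octal only
        # under YAML 1.1 rules and is read as decimal 440 by a YAML 1.2
        # parser, which would yield different file permissions.
        defaultMode: 288
        mountPath: /etc/secrets/auth_generic_oauth
        readOnly: true
    # Add Victoria Metrics as the default datasource
    datasources:
      victoria.yaml:
        apiVersion: 1
        datasources:
          - name: Victoria
            type: prometheus
            jsonData:
              # NOTE(review): the URL below is plain http, so this flag has no
              # effect today; if the URL ever moves to https it would turn
              # certificate verification off. Consider dropping it.
              tlsSkipVerify: true
            url: http://victoria-metrics-server.monitoring.svc:8428
            # Provisioned datasource cannot be edited from the UI.
            editable: false
            isDefault: true
    # datasources:
    # - name: Victoria
    # uid: victoria-metrics-server
    # type: prometheus
    # jsonData:
    # tlsSkipVerify: "true"
    # editable: false"
    # url: http://victoria-metrics-server.monitoring.svc:8428
    # version: "1"
    # isDefault: "true"
    sidecar:
      dashboards:
        # Loads dashboards from cluster objects labelled
        # grafana_dashboard=1; anything able to create such objects can add
        # dashboards to this instance.
        enabled: true
        label: grafana_dashboard
        labelValue: "1"
        folderAnnotation: grafana_folder
        provider:
          foldersFromFilesStructure: true
    serviceMonitor:
      enabled: true
    dashboardProviders:
      dashboardproviders.yaml:
        apiVersion: 1
        providers:
          - name: default
            orgId: 1
            folder: ""
            type: file
            disableDeletion: false
            editable: true
            options:
              path: /var/lib/grafana/dashboards/default
          - name: kubernetes
            orgId: 1
            folder: Kubernetes
            type: file
            disableDeletion: false
            editable: true
            options:
              path: /var/lib/grafana/dashboards/kubernetes
    # Dashboards fetched at pod start. The gnetId entries are pinned to a
    # revision; keep each `# renovate:` line directly above its gnetId.
    dashboards:
      default:
        node-exporter-full:
          # renovate: depName="Node Exporter Full"
          gnetId: 1860
          revision: 33
          datasource: Victoria
        cert-manager:
          # NOTE(review): pulled from the mutable `master` branch, so the JSON
          # loaded into Grafana can change without any change to this file.
          # Pinning the URL to a commit (<COMMIT_SHA>, placeholder) keeps it
          # reviewable.
          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
          datasource: Victoria
        longhorn:
          # renovate: depName="Longhorn"
          gnetId: 16888
          revision: 8
          datasource: Victoria
        spegel:
          # renovate: depName="Spegel"
          gnetId: 18089
          revision: 1
          datasource:
            - name: DS_PROMETHEUS
              value: Victoria
        minio:
          # renovate: depName="MinIO Dashboard"
          gnetId: 13502
          revision: 24
          datasource:
            - name: DS_PROMETHEUS
              value: Victoria
      kubernetes:
        kubernetes-api-server:
          # renovate: depName="Kubernetes / System / API Server"
          gnetId: 15761
          revision: 16
          datasource: Victoria
        kubernetes-coredns:
          # renovate: depName="Kubernetes / System / CoreDNS"
          gnetId: 15762
          revision: 17
          datasource: Victoria
        kubernetes-global:
          # renovate: depName="Kubernetes / Views / Global"
          gnetId: 15757
          revision: 36
          datasource: Victoria
        kubernetes-namespaces:
          # renovate: depName="Kubernetes / Views / Namespaces"
          gnetId: 15758
          revision: 32
          datasource: Victoria
        kubernetes-nodes:
          # renovate: depName="Kubernetes / Views / Nodes"
          gnetId: 15759
          revision: 28
          datasource: Victoria
        kubernetes-pods:
          # renovate: depName="Kubernetes / Views / Pods"
          gnetId: 15760
          revision: 21
          # Was `Prometheus`; the only datasource this release provisions is
          # `Victoria`, and every other dashboard here maps to it.
          datasource: Victoria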