k3s-cluster/cluster/apps/monitoring/grafana/helm-release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: grafana
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      chart: grafana
      version: "6.61.2"
      sourceRef:
        kind: HelmRepository
        name: grafana-charts
        namespace: flux-system

  values:
    ingress:
      enabled: true
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-production
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
      hosts:
        - &grafana-host grafana.${SECRET_NEW_DOMAIN}
      path: "/"
      tls:
        - hosts:
            - *grafana-host
          secretName: wildcard-main-tls

    grafana.ini:
      server:
        root_url: https://grafana.${SECRET_NEW_DOMAIN}/

      auth:
        disable_login_form: true
        oauth_auto_login: true

      auth.generic_oauth:
        enabled: true
        allow_sign_up: true # creates new users after authentik login
        auto_login: true
        name: Authentik
        client_id: $__file{/etc/secrets/auth_generic_oauth/client_id}
        client_secret: $__file{/etc/secrets/auth_generic_oauth/client_secret}
        scopes: openid profile email offline_access
        auth_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/authorize/
        token_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/token/
        api_url: https://auth.${SECRET_NEW_DOMAIN}/application/o/userinfo/
        role_attribute_path: contains(groups[*], 'authentik Admins') && 'GrafanaAdmin' #|| contains(info.groups[*], 'editor') && 'Editor' || 'Viewer'
        groups_attribute_path: groups
        name_attribute_path: preferred_username
        login_attribute_path: email
        allow_assign_grafana_admin: true
        use_pkce: true
        use_refresh_token: true

    # Provide oauth creds
    extraSecretMounts:
    - name: grafana-secrets-mount
      secretName: grafana-secrets
      defaultMode: 0440
      mountPath: /etc/secrets/auth_generic_oauth
      readOnly: true

    # Add Victoria Metrics as the default datasource
    datasources:
      victoria.yaml:
        apiVersion: 1
        datasources:
        - name: Victoria
          type: prometheus
          jsonData:
            tlsSkipVerify: true
          url: http://victoria-metrics-server.monitoring.svc:8428
          editable: false
          isDefault: true

#    datasources:
#    - name: Victoria
#      uid: victoria-metrics-server
#      type: prometheus
#      jsonData:
#        tlsSkipVerify: "true"
#      editable: false"
#      url: http://victoria-metrics-server.monitoring.svc:8428
#      version: "1"
#      isDefault: "true"

    sidecar:
      dashboards:
        enabled: true
        label: grafana_dashboard
        labelValue: "1"