grafana: Add Chart

grafana/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

grafana/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: file://../common
+  version: 0.1.0
+digest: sha256:636a65e9846bdff17cc4e65b0849061f783759a37aa51fb85ff6fd8ba5e68467
+generated: "2025-11-01T17:06:01.710190989+01:00"

grafana/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: grafana
+description: A Helm chart for Grafana
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+  - name: common
+    version: 0.1.0
+    repository: "file://../common"

grafana/templates/deployment.yaml

@@ -0,0 +1,118 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grafana
+  labels: {{- include "common.app.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels: {{- include "common.app.labels" . | nindent 6 }}
+  template:
+    metadata:
+      labels: {{- include "common.app.labels" . | nindent 8 }}
+        {{- range $label, $value := default .Values.deployment.podLabels dict }}
+        {{ $label }}: {{ $value | quote }}
+        {{- end }}
+    spec:
+      containers:
+        - name: grafana
+          image: "{{ .Values.image }}:{{ .Values.imageTag }}"
+          env:
+            - name: GF_ANALYTICS_ENABLED
+              value: "false"
+            - name: GF_ANALYTICS_REPORTING_ENABLED
+              value: "false"
+            - name: GF_ANALYTICS_CHECK_FOR_UPDATES
+              value: "false"
+            - name: GF_USERS_ALLOW_SIGN_UP
+              value: "{{ default .Values.config.allowSignup false }}"
+            - name: GF_SECURITY_DISABLE_GRAVATAR
+              value: "true"
+            - name: GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION
+              value: "true"
+            - name: GF_SERVER_ROOT_URL
+              value: "{{ .Values.config.externalProtocol }}://{{ .Values.config.domain }}"
+            - name: GF_SERVER_PROTOCOL
+              value: {{ .Values.config.protocol }}
+            - name: GF_SERVER_HTTP_ADDR
+              value: 0.0.0.0
+            - name: GF_SERVER_HTTP_PORT
+              value: "3000"
+            - name: GF_SERVER_DOMAIN
+              value: {{ .Values.config.domain }}
+            {{- if .Values.config.database.enabled }}
+            - name: GF_DATABASE_USER
+              value: {{ .Values.config.database.user }}
+            - name: GF_DATABASE_TYPE
+              value: {{ .Values.config.database.type }}
+            - name: GF_DATABASE_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  key: {{ .Values.config.database.passwordRef.key }}
+                  name: {{ .Values.config.database.passwordRef.secretName }}
+            - name: GF_DATABASE_NAME
+              value: {{ .Values.config.database.database }}
+            - name: GF_DATABASE_HOST
+              value: {{ .Values.config.database.host }}
+            {{- end }}
+            {{- if default .Values.config.oauth.enabled false }}
+            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
+              value: "true"
+            - name: GF_AUTH_GENERIC_OAUTH_NAME
+              value: {{ .Values.config.oauth.name | quote }}
+            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
+              value: {{ .Values.config.oauth.clientId }}
+            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: {{ .Values.config.oauth.clientSecretRef.key }}
+                  name: {{ .Values.config.oauth.clientSecretRef.secretName }}
+            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
+              value: openid email profile
+            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
+              value: {{ .Values.config.oauth.authUrl }}
+            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
+              value: {{ .Values.config.oauth.tokenUrl }}
+            - name: GF_AUTH_GENERIC_OAUTH_API_URL
+              value: {{ .Values.config.oauth.apiUrl }}
+            - name: GF_AUTH_SIGNOUT_REDIRECT_URL
+              value: {{ .Values.config.oauth.signoutRedirectUrl }}
+            - name: GF_AUTH_OAUTH_AUTO_LOGIN
+              value: {{ .Values.config.oauth.autoLogin | quote }}
+            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
+              value: {{ .Values.config.oauth.roleAttributePath }}
+            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN
+              value: {{ .Values.config.oauth.allowAssignAdmin | quote }}
+            {{- end }}
+          volumeMounts:
+            - mountPath: /var/lib/grafana
+              name: data
+          ports:
+            - containerPort: 3000
+              name: http
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              port: 3000
+              path: /api/health
+          livenessProbe:
+            httpGet:
+              port: 3000
+              path: /api/health
+            initialDelaySeconds: 60
+            timeoutSeconds: 30
+            failureThreshold: 10
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 10001
+            runAsGroup: 10001
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+      automountServiceAccountToken: false
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: grafana

grafana/templates/extra.yaml

@@ -0,0 +1,8 @@
+{{ range .Values.extraObjects }}
+---
+{{- if typeIs "string" . }}
+{{ tpl . $ }}
+{{ else }}
+{{ tpl (. | toYaml) $ }}
+{{- end }}
+{{ end }}

grafana/templates/pvc.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grafana
+  labels: {{- include "common.app.labels" . | nindent 4 }}
+spec:
+  storageClassName: {{ .Values.pvc.storageClass }}
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 500Mi

grafana/templates/service.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grafana
+  labels: {{- include "common.app.labels" . | nindent 4 }}
+spec:
+  selector: {{- include "common.app.labels" . | nindent 4 }}
+  type: ClusterIP
+  ports:
+    - port: 3000
+      protocol: TCP
+      name: http

grafana/values.yaml

@@ -0,0 +1,45 @@
+image: "grafana/grafana-oss"
+imageTag: "11.3.4"
+
+config:
+  # Allow user registration
+  allowSignup: false
+  # Protocol Grafana is served as
+  protocol: http
+  # Protocol that Grafana is externally visible under
+  externalProtocol: https
+  # Domain under which Grafana will be accessible
+  domain: example.org
+
+  database:
+    enabled: true
+    type: postgres
+    user: grafana
+    passwordRef:
+      secretName: grafana
+      key: database-password
+    host: db.example.org
+    database: grafana
+
+  oauth:
+    enabled: false
+    name: example login
+    clientId: <...>
+    clientSecretRef:
+      secretName: grafana
+      key: client-secret
+    authUrl: <...>
+    tokenUrl: <...>
+    apiUrl: <...>
+    signoutRedirectUrl: <...>
+    autoLogin: true
+    allowAssignAdmin: true
+    roleAttributePath: ""
+extraObjects: []
+
+deployment:
+  # Extra labels
+  podLabels: {}
+
+pvc:
+  storageClass: local-storage