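---
# Grafana Deployment (Helm template).
# Settings are passed to Grafana as GF_* environment variables; the database
# password and the OAuth client secret are read from Kubernetes Secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  labels:
    {{- include "common.app.labels" . | nindent 4 }}
spec:
  selector:
    matchLabels:
      {{- include "common.app.labels" . | nindent 6 }}
  template:
    metadata:
      labels:
        {{- include "common.app.labels" . | nindent 8 }}
        # Optional extra pod labels. Sprig's default takes the fallback as
        # its first argument, so the value is piped into it.
        {{- range $label, $value := .Values.deployment.podLabels | default dict }}
        {{ $label }}: {{ $value | quote }}
        {{- end }}
    spec:
      containers:
        - name: grafana
          # NOTE(review): the image is referenced by tag; a digest reference
          # would pin the exact image that is deployed.
          image: "{{ .Values.image }}:{{ .Values.imageTag }}"
          env:
            # Usage reporting and update checks are switched off.
            - name: GF_ANALYTICS_ENABLED
              value: "false"
            - name: GF_ANALYTICS_REPORTING_ENABLED
              value: "false"
            - name: GF_ANALYTICS_CHECK_FOR_UPDATES
              value: "false"
            # Self-registration is rendered as an explicit "false" unless
            # config.allowSignup is set to true.
            - name: GF_USERS_ALLOW_SIGN_UP
              value: {{ .Values.config.allowSignup | default false | quote }}
            - name: GF_SECURITY_DISABLE_GRAVATAR
              value: "true"
            # No initial admin account is created at first start.
            # NOTE(review): administrative access then presumably comes from
            # the OAuth role mapping below - confirm for installs without OAuth.
            - name: GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION
              value: "true"
            - name: GF_SERVER_ROOT_URL
              value: "{{ .Values.config.externalProtocol }}://{{ .Values.config.domain }}"
            # Every templated scalar below is quoted: env values must be
            # strings, and an unquoted value that looks like a number or a
            # boolean is re-typed by the YAML parser.
            - name: GF_SERVER_PROTOCOL
              value: {{ .Values.config.protocol | quote }}
            - name: GF_SERVER_HTTP_ADDR
              value: "0.0.0.0"
            # Must match containerPort and the probe ports below.
            - name: GF_SERVER_HTTP_PORT
              value: "3000"
            - name: GF_SERVER_DOMAIN
              value: {{ .Values.config.domain | quote }}
            {{- if .Values.config.database.enabled }}
            - name: GF_DATABASE_USER
              value: {{ .Values.config.database.user | quote }}
            - name: GF_DATABASE_TYPE
              value: {{ .Values.config.database.type | quote }}
            # The password is taken from a Secret reference and never
            # rendered into the manifest.
            - name: GF_DATABASE_PASSWORD
              valueFrom:
                secretKeyRef:
                  key: {{ .Values.config.database.passwordRef.key | quote }}
                  name: {{ .Values.config.database.passwordRef.secretName | quote }}
            - name: GF_DATABASE_NAME
              value: {{ .Values.config.database.database | quote }}
            - name: GF_DATABASE_HOST
              value: {{ .Values.config.database.host | quote }}
            {{- end }}
            {{- if .Values.config.oauth.enabled | default false }}
            - name: GF_AUTH_GENERIC_OAUTH_ENABLED
              value: "true"
            - name: GF_AUTH_GENERIC_OAUTH_NAME
              value: {{ .Values.config.oauth.name | quote }}
            # Quoted so that an all-digit client id stays a string.
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
              value: {{ .Values.config.oauth.clientId | quote }}
            # The client secret is taken from a Secret reference.
            - name: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key: {{ .Values.config.oauth.clientSecretRef.key | quote }}
                  name: {{ .Values.config.oauth.clientSecretRef.secretName | quote }}
            - name: GF_AUTH_GENERIC_OAUTH_SCOPES
              value: "openid email profile"
            - name: GF_AUTH_GENERIC_OAUTH_AUTH_URL
              value: {{ .Values.config.oauth.authUrl | quote }}
            - name: GF_AUTH_GENERIC_OAUTH_TOKEN_URL
              value: {{ .Values.config.oauth.tokenUrl | quote }}
            - name: GF_AUTH_GENERIC_OAUTH_API_URL
              value: {{ .Values.config.oauth.apiUrl | quote }}
            - name: GF_AUTH_SIGNOUT_REDIRECT_URL
              value: {{ .Values.config.oauth.signoutRedirectUrl | quote }}
            - name: GF_AUTH_OAUTH_AUTO_LOGIN
              value: {{ .Values.config.oauth.autoLogin | quote }}
            # The role attribute path decides which Grafana role a login
            # receives. It is an expression that may contain quotes, brackets
            # and colons, so it is quoted to reach Grafana unchanged.
            - name: GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH
              value: {{ .Values.config.oauth.roleAttributePath | quote }}
            # When "true", the role mapping above may also grant Grafana
            # server admin; review both settings together.
            - name: GF_AUTH_GENERIC_OAUTH_ALLOW_ASSIGN_GRAFANA_ADMIN
              value: {{ .Values.config.oauth.allowAssignAdmin | quote }}
            {{- end }}
          volumeMounts:
            # The only writable path; the root filesystem is read-only.
            - mountPath: /var/lib/grafana
              name: data
          ports:
            - containerPort: 3000
              name: http
              protocol: TCP
          readinessProbe:
            httpGet:
              port: 3000
              path: /api/health
          livenessProbe:
            httpGet:
              port: 3000
              path: /api/health
            initialDelaySeconds: 60
            timeoutSeconds: 30
            failureThreshold: 10
          # Container hardening: fixed non-root UID/GID, no privilege
          # escalation, all capabilities dropped, read-only root filesystem.
          # NOTE(review): no seccompProfile is set; the Pod Security
          # "restricted" profile also expects RuntimeDefault or Localhost -
          # confirm against the cluster policy.
          securityContext:
            runAsNonRoot: true
            runAsUser: 10001
            runAsGroup: 10001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: true
      # No service account token is mounted into the pod.
      automountServiceAccountToken: false
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: grafana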