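# ConfigMap carrying an authentik blueprint that registers Grafana as an
# OAuth2/OIDC client: one provider, one application, one policy binding.
apiVersion: v1
kind: ConfigMap
metadata:
  name: authentik-grafana-blueprint
  # Quoted so a namespace that looks like a number or boolean still renders
  # as a string.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/part-of: authentik
    app.kubernetes.io/managed-by: helm
    # Label values must be strings; quote the templated release name.
    app.kubernetes.io/instance: {{ .Release.Name | quote }}
    app.kubernetes.io/component: grafana-blueprint
data:
  grafana.yaml: |
    # NOTE(review): the tags used below (!secret, !Flow, !PropertyMapping,
    # !Keypair, !provider, !application, !Policy) are not among the tags
    # stock authentik documents for blueprints (!Find, !KeyOf, !Env, ...).
    # Presumably a project-specific loader or pre-processing step resolves
    # them; confirm, otherwise the blueprint will fail to apply.
    version: 1
    metadata:
      name: grafana-sso
      labels:
        managed-by: helm
    entries:
      # OAuth2 provider that Grafana authenticates against.
      - model: authentik_providers_oauth2.oauth2provider
        id: grafana-provider
        attrs:
          name: Grafana
          client_id: grafana
          # A ConfigMap is not a secret store: this must stay a reference that
          # is resolved at apply time, never the literal client secret.
          # Presumably <secret name>@<namespace>#<key>; verify with the resolver.
          client_secret: !secret authentik-client-secret-grafana@monitoring#GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
          # Single exact callback URL. Keep it exact: a wildcard or regex here
          # widens where authorization codes can be delivered.
          # NOTE(review): newer authentik releases expect each entry as an
          # object with matching_mode and url; check the deployed version.
          redirect_uris:
            - https://grafana.noxxos.nl/login/generic_oauth
          authorization_flow: !Flow default-provider-authorization-flow
          invalidation_flow: !Flow default-provider-invalidation-flow
          # Only a groups mapping is attached here.
          # NOTE(review): confirm the openid/email/profile scope mappings are
          # supplied elsewhere, and that the groups claim carries only the
          # groups Grafana should use for role assignment.
          property_mappings:
            - !PropertyMapping property-mapping-provider-openid-groups
          # Keypair referenced by name; tokens for this provider are signed
          # with it.
          signing_key: !Keypair authentik-self-signed-certificate
      # Application entry that exposes the provider to users.
      - model: authentik_core.application
        id: grafana-app
        attrs:
          name: Grafana
          slug: grafana
          provider: !provider grafana-provider
          launch_url: https://grafana.noxxos.nl
          icon: https://static.goauthentik.io/img/icon/provider/grafana.png
          group: Dashboards
          # Access note: mode "any" plus the single binding to policy-everyone
          # below presumably admits every authenticated authentik user, so
          # authorization then rests on Grafana's own role mapping. Bind a
          # group or a stricter policy if access should be limited.
          policy_engine_mode: any
      # NOTE(review): stock authentik names this model
      # authentik_policies.policybinding; confirm the identifier.
      - model: authentik_policies_policybinding.policybinding
        id: grafana-app-binding
        attrs:
          target: !application grafana-app
          order: 0
          enabled: true
          policy: !Policy policy-everyone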