flux-infra/apps/grafana/release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: grafana
spec:
  chart:
    spec:
      chart: grafana
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: grafana
      version: 8.8.2
  interval: 15m
  values:
    replicas: 2

    ingress:
      enabled: true
      hosts:
        - grafana.${domain}
      tls:
        - secretName: ${domain//./-}-tls
      annotations:
        traefik.ingress.kubernetes.io/router.entryPoints: "websecure"
        traefik.ingress.kubernetes.io/router.middlewares: "authelia-forwardauth-authelia@kubernetescrd"
        traefik.ingress.kubernetes.io/router.tls: "true"

    envValueFrom:
      BIND_DN:
        secretKeyRef:
          name: grafana-lldap-credentials
          key: bind_dn
      LDAP_PASSWORD:
        secretKeyRef:
          name: grafana-lldap-credentials
          key: password

    grafana.ini:
      auth.ldap:
        enabled: true

      auth.proxy:
        enabled: true
        header_name: Remote-User
        header_property: username
        auto_sign_up: true
        headers: Groups:Remote-Group
        enable_login_token: false
        sync_ttl: 0
        signout_redirect_url: https://login.${domain}/logout?rd=https://grafana.${domain}

      database:
        type: postgres
        host: $__file{/etc/secrets/db/host}
        name: $__file{/etc/secrets/db/dbname}
        user: $__file{/etc/secrets/db/user}
        password: $__file{/etc/secrets/db/password}

      remote_cache:
        type: redis
        connstr: addr=dragonflydb.grafana:6379

    ldap:
      enabled: true
      existingSecret: grafana-ldap-toml

    sidecar:
      datasources:
        enabled: true
        searchNamespace: ALL
        labelValue: "1"

    extraSecretMounts:
      - name: postgres-app-mount
        secretName: postgres-app
        defaultMode: 0440
        mountPath: /etc/secrets/db
        readOnly: true