##############################################################################
# Grafana - Visualization for M3DB metrics
# Deployed on dedicated grafana nodepool
# Exposed via LoadBalancer (no TLS - Grafana has built-in auth)
##############################################################################

---
apiVersion: v1
kind: Namespace
metadata:
  name: grafana
  labels:
    app.kubernetes.io/name: grafana

---
apiVersion: v1
kind: Secret
metadata:
  name: grafana-admin
  namespace: grafana
type: Opaque
stringData:
  admin-user: admin
  # REPLACE: Set from .env GRAFANA_ADMIN_PASSWORD
  admin-password: "REPLACE_WITH_GRAFANA_ADMIN_PASSWORD"

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-datasources
  namespace: grafana
  labels:
    grafana_datasource: "1"
data:
  datasources.yaml: |
    apiVersion: 1
    datasources:
      - name: M3DB
        type: prometheus
        access: proxy
        url: http://m3coordinator.m3db:7201
        basicAuth: true
        # REPLACE: Set from .env M3DB_USERNAME and M3DB_PASSWORD
        basicAuthUser: REPLACE_WITH_M3DB_USERNAME
        secureJsonData:
          basicAuthPassword: 'REPLACE_WITH_M3DB_PASSWORD'
        isDefault: true
        editable: false

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: grafana-storage
  namespace: grafana
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 10Gi
  storageClassName: vultr-block-storage

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: grafana
  namespace: grafana
  labels:
    app.kubernetes.io/name: grafana
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: grafana
  template:
    metadata:
      labels:
        app.kubernetes.io/name: grafana
    spec:
      # Schedule only on grafana nodepool
      nodeSelector:
        vke.vultr.com/node-pool: grafana
      securityContext:
        fsGroup: 472
        runAsUser: 472
        runAsGroup: 472
      containers:
        - name: grafana
          image: grafana/grafana:11.5.2
          ports:
            - name: http
              containerPort: 3000
              protocol: TCP
          env:
            - name: GF_SECURITY_ADMIN_USER
              valueFrom:
                secretKeyRef:
                  name: grafana-admin
                  key: admin-user
            - name: GF_SECURITY_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: grafana-admin
                  key: admin-password
            - name: GF_AUTH_ANONYMOUS_ENABLED
              value: "false"
            - name: GF_SERVER_ROOT_URL
              value: "%(protocol)s://%(domain)s:%(http_port)s/"
            - name: GF_INSTALL_PLUGINS
              value: ""
          volumeMounts:
            - name: storage
              mountPath: /var/lib/grafana
            - name: datasources
              mountPath: /etc/grafana/provisioning/datasources
              readOnly: true
          resources:
            requests:
              cpu: 250m
              memory: 512Mi
            limits:
              cpu: 500m
              memory: 1Gi
          livenessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 5
            periodSeconds: 5
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: grafana-storage
        - name: datasources
          configMap:
            name: grafana-datasources

---
apiVersion: v1
kind: Service
metadata:
  name: grafana
  namespace: grafana
  labels:
    app.kubernetes.io/name: grafana
spec:
  type: LoadBalancer
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
  selector:
    app.kubernetes.io/name: grafana