# Hydra OAuth2Client for Grafana OIDC sign-in.
#
# Hydra Maester watches this CRD and:
#   1. Registers the client with Hydra
#   2. Creates K8s Secret "grafana-oidc" in monitoring namespace
#      with CLIENT_ID and CLIENT_SECRET keys.
#
# Grafana picks up the secret via envFromSecret and interpolates
# ${CLIENT_ID} / ${CLIENT_SECRET} in grafana.ini at startup.
#
# DOMAIN_SUFFIX is substituted by sunbeam apply.
---
apiVersion: hydra.ory.sh/v1alpha1
kind: OAuth2Client
metadata:
  name: grafana
  namespace: monitoring
spec:
  clientName: Grafana
  grantTypes:
    - authorization_code
    - refresh_token
  responseTypes:
    - code
  scope: openid email profile
  redirectUris:
    - https://metrics.DOMAIN_SUFFIX/login/generic_oauth
  postLogoutRedirectUris:
    - https://metrics.DOMAIN_SUFFIX/
  tokenEndpointAuthMethod: client_secret_post
  secretName: grafana-oidc
  skipConsent: true