apiVersion: v1
kind: ConfigMap
metadata:
  name: grafana-config
  namespace: monitoring  # Change if using a different namespace
data:
  grafana.ini: |
    [auth]
    signout_redirect_url = https://authentik.company/application/o/<Slug of the application>/end-session/
    oauth_auto_login = true

    [auth.generic_oauth]
    name = authentik
    enabled = true
    client_id = "<Client ID from above>"
    client_secret = "<Client Secret from above>"
    scopes = openid profile email
    auth_url = https://authentik.company/application/o/authorize/
    token_url = https://authentik.company/application/o/token/
    api_url = https://authentik.company/application/o/userinfo/
    role_attribute_path = contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer'