found it like this

2025-01-15 04:23:04 +01:00
commit 6d4b60fc38
12 changed files with 433 additions and 0 deletions
--- a/chronograf.tf
+++ b/chronograf.tf
@@ -0,0 +1,92 @@
+
+resource "kubernetes_persistent_volume" "chronograf" {
+  metadata {
+    name = "pv-p9hostpath-chronograf"
+  }
+  spec {
+    capacity = { 
+      storage = "8Gi"
+    }   
+    access_modes = ["ReadWriteMany"]
+    persistent_volume_source {
+      host_path {
+        path = "/mnt/datastore/chronograf"
+      }   
+    }   
+  }
+}
+
+resource "random_password" "chronograf_token_secret" {
+  length = 80
+  special = true
+}
+
+resource "helm_release" "chronograf" {
+  name      = "chronograf"
+  namespace = kubernetes_namespace.this.metadata.0.name
+
+  repository = "https://helm.influxdata.com/"
+  chart      = "chronograf"
+  version    = "1.2.5"
+
+  values = [
+    jsonencode({
+      ingress = {
+        enabled = true
+        className = "traefik"
+        hostname   = local.chronograf_domain
+        tls = true
+        secretName = "chronograf-tls"
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "acme-thomasklein-me"
+          # "kubernetes.io/ingress.class"                             = "traefik"
+          # "traefik.ingress.kubernetes.io/router.entrypoints"        = "websecure"
+          # "traefik.ingress.kubernetes.io/router.tls"                = "true"
+          # "traefik.ingress.kubernetes.io/router.tls.certresolver"   = "acme-thomasklein-me"
+          # "traefik.ingress.kubernetes.io/router.tls.domains.0.main" = local.ingress_domain
+          # "traefik.ingress.kubernetes.io/router.middlewares"        = "redirect-metrics@file" # hide /metrics from the internet
+        }
+        labels = {}
+      }
+    }),
+
+    jsonencode({
+      updateStrategy = {
+        type = "Recreate"
+      },
+      persistence = {
+        enabled       = "true"
+        accessMode = "ReadWriteMany"
+        storageClass = "-"
+      }
+    }),
+    jsonencode({
+      oauth = { 
+        enabled = true
+        token_secret = random_password.chronograf_token_secret.result
+        jwks = local.jwks_url
+        generic = {
+          enabled = true
+          name = "Cognito"
+          public_url = "https://${local.chronograf_domain}/"
+          auth_url  = local.cognito_authz_url
+          token_url = local.cognito_token_url
+          api_url = "${local.cognito_userinfo_url}"
+          api_key = "email"
+          scopes  = "email openid profile"
+        }
+      } 
+    })
+  ]
+
+
+  set_sensitive {
+    name  = "oauth.generic.client_id"
+    value = aws_cognito_user_pool_client.this.id
+  }
+  set_sensitive {
+    name  = "oauth.generic.client_secret"
+    value = aws_cognito_user_pool_client.this.client_secret
+  }
+
+}