apiVersion: v1
kind: Service
metadata: { name: grafana, namespace: monitoring }
spec:
  ports: [{ port: 80, targetPort: 3000 }]
  selector: { app: grafana }
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: grafana, namespace: monitoring }
spec:
  replicas: 1
  selector: { matchLabels: { app: grafana } }
  template:
    metadata: { labels: { app: grafana } }
    spec:
      nodeSelector: { node: hetzner-2 }
      containers:
      - name: grafana
        image: grafana/grafana:10.4.3
        env:
          - { name: GF_SECURITY_ADMIN_USER, value: admin }
          - { name: GF_SECURITY_ADMIN_PASSWORD, value: "ADMINclaude-GRAFANA" }
        ports: [{ containerPort: 3000 }]
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth-grafana
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx
  tls: [{ hosts: ["grafana.betelgeusebytes.io"], secretName: grafana-tls }]
  rules:
  - host: grafana.betelgeusebytes.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend: { service: { name: grafana, port: { number: 80 } } }