From 98b063f2dd7b57413b3e7d672336b3a6f7dbd95f Mon Sep 17 00:00:00 2001
From: Brad Stein <Brad.Stein@gmail.com>
Date: Wed, 21 Jan 2026 11:45:11 -0300
Subject: [PATCH] grafana: allow email-based oauth user lookup

---
 services/monitoring/helmrelease.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/services/monitoring/helmrelease.yaml b/services/monitoring/helmrelease.yaml
index 304de05..02bc482 100644
--- a/services/monitoring/helmrelease.yaml
+++ b/services/monitoring/helmrelease.yaml
@@ -354,6 +354,8 @@ spec:
       GF_AUTH_GENERIC_OAUTH_ROLE_ATTRIBUTE_PATH: "contains(groups, 'admin') && 'Admin' || 'Viewer'"
       GF_AUTH_GENERIC_OAUTH_USE_PKCE: "true"
       GF_AUTH_GENERIC_OAUTH_TLS_SKIP_VERIFY_INSECURE: "false"
+      GF_AUTH_GENERIC_OAUTH_ALLOW_INSECURE_EMAIL_LOOKUP: "true"
+      GF_AUTH_GENERIC_OAUTH_EMAIL_ATTRIBUTE_PATH: "email"
       GF_AUTH_SIGNOUT_REDIRECT_URL: "https://sso.bstein.dev/realms/atlas/protocol/openid-connect/logout?redirect_uri=https://metrics.bstein.dev/"
     grafana.ini:
       server: