From cd7b16d1f8dab3b7aaca4a71051b1154e3b5e4d2 Mon Sep 17 00:00:00 2001
From: Aaron Riedel
Date: Wed, 2 Oct 2024 21:09:23 +0200
Subject: [PATCH] add thanos deployment
---
thanos/0-namespace.yaml | 5 +
thanos/1-service-account.yaml | 6 +
thanos/2-objectstore-secret.enc.yaml | 45 ++++
thanos/3-querier.yaml | 111 ++++++++++
thanos/4-storegateway.yaml | 118 ++++++++++
thanos/5-compactor.yaml | 105 +++++++++
thanos/6-receiver.yaml | 315 +++++++++++++++++++++++++++
7 files changed, 705 insertions(+)
create mode 100644 thanos/0-namespace.yaml
create mode 100644 thanos/1-service-account.yaml
create mode 100644 thanos/2-objectstore-secret.enc.yaml
create mode 100644 thanos/3-querier.yaml
create mode 100644 thanos/4-storegateway.yaml
create mode 100644 thanos/5-compactor.yaml
create mode 100644 thanos/6-receiver.yaml
diff --git a/thanos/0-namespace.yaml b/thanos/0-namespace.yaml
new file mode 100644
index 0000000..a96b8af
--- /dev/null
+++ b/thanos/0-namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: thanos
diff --git a/thanos/1-service-account.yaml b/thanos/1-service-account.yaml
new file mode 100644
index 0000000..307fa9b
--- /dev/null
+++ b/thanos/1-service-account.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: thanos
+ namespace: thanos
diff --git a/thanos/2-objectstore-secret.enc.yaml b/thanos/2-objectstore-secret.enc.yaml
new file mode 100644
index 0000000..9c62e4c
--- /dev/null
+++ b/thanos/2-objectstore-secret.enc.yaml
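Review bot: The `thanos` ServiceAccount in thanos/1-service-account.yaml leaves token automounting at its default, so every pod that references it in the later files of this patch gets a Kubernetes API token mounted. Nothing in the patch binds a Role to this account, and the components are wired together with static `--store=` DNS names, so the token looks unnecessary; adding `automountServiceAccountToken: false` at the top level of the ServiceAccount removes it. The workloads also use the deprecated `serviceAccount:` field, for which `serviceAccountName: thanos` is the current spelling.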
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: Secret +metadata: + namespace: thanos + name: objstore +stringData: + objstore.yml: ENC[AES256_GCM,data:qsYeR6sqW88D3+38dkKazcrY84UmihQcJQaUZmQKOMb4Cz0M4jwGOMd0RcKMdCF5iPRCj3/3KhGKzeeoZC1OCfUk5gQxjcEptFRjwiK2FWQcg/Ddq+2Htk1yL5kNWgXYuCSeHiCPXnnl+ys4ST3StaSO01fWD38Bxf/Koqm28Z8xpUOlBlu6SShLh4vHCA0iQbTe4wewuitVA/csCNZ2Gxx94ptTChQEqSJFdXx0pGwsS98=,iv:Iit7bfMnzYTrxvrw6YHvR+8sYi1IXtO0xWO7Ds0vDFw=,tag:O09md7EQE6bEEkHZ/w5njQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1mraede6gqxkh2rkeq5fjrcflp7emenl2qn885asxvtx5erga2pdqujuexz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmU1l0WDBFQ2V6M2RTQzhS + RCtLSlFRdGxMU29samt0TmJ0NDFJYlh3aFVBCkR5T3dkMEk1LzNabkJheWpoYmkx + QUtSZG1wRWVOTXlGVHVVSGRySUkzekEKLS0tIHhQU1lyMGFPZEhqMUhtN3grUXlW + MXNaUjBCSjlycDRqcU9wcmtFL1VUdk0KhK+4GJ7Rfckegjul1Fcm1lCuIqkKcbcf + dqrjCMNXFktkeVuYsxyNoNpHn9AXQu4dt/3hKcmQOqmkA45Ro3xnNg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1s9nvc4rxj3kaj4apmzzn8fmjrudrvdhgu70rg04we9hyse5aadsq7kmckn + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3WEt1ekFaM0xJYk4rKzFX + WURJb2NRUmRCQW5jRktYTlp1cHMxWWgyVEhvCnNuRWZhT0U2Rm1vWFVQbHBKeVJi + ZlpjZTVYZm9LeXJaWnczM0h4dFg5NUUKLS0tIGZ2MWtQTzhxSVBtY0hGYlFLTDl1 + K0xqVE4zZUN1aVdTemsxb2hURG9nWWsKhfbSLoYYvovM+CuFwxYyKtd8J6qj91nx + bH0xspOG5prCPgZkPkzv5wkCdbdyyq6+IQkX4FR88PSvSjTGSPYeeg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1z5wtjmk0jw0j9qz9k5rrnp30nzqxrl3v6wgl7eryvqus28zekp4qpx9jc2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1Zm04R0ZWUllMbGJnUWhG + NUJOWHpiTzhITXRlMG1CTlFNOGErRyszSms4CkQybTZTNlkrQ1ZIRkV6LzAwQ1gr + dTcyMkFqKy9jNTVqVHVEblhuTCsvWTgKLS0tIHRvOGFwUEhuYkszYTFQWkwzSGI0 + VkYvNjZOVDBTdFJJUFZIYnNhb2hWRnMKAWseSbZvJVARlBxfF1c02D6k+RDUw23H + /mIWAjW5IhFOU2oiP3qyl8vWk67z4rEro0+MMWaiPFY6V9wfjQlKWQ== + -----END AGE ENCRYPTED FILE----- + 
lastmodified: "2024-10-02T18:44:40Z" + mac: ENC[AES256_GCM,data:e4ZUc6HyoMP+36hC+Z5H+uSY4WQhdabfRmsYsvmDoduiFrjcgIB5BuvWcsguS7X9ppAw5xWxXPMVQKguwNwInvrDGpyNtv2uLmEt17QakhGwSFMuQS/0jWVtOKa3o7YofbrEe7HiTsEhKY7ltyc0OEsv64w+x3Bk4F9dbbONfv0=,iv:IQiIClmY7pluN/4CIHJkka5U6TscgzbxCxRODp0HD/s=,tag:RxVdqnLa032JU90+LeS0Fg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/thanos/3-querier.yaml b/thanos/3-querier.yaml new file mode 100644 index 0000000..cededff --- /dev/null +++ b/thanos/3-querier.yaml 
@@ -0,0 +1,111 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: thanos
+ name: querier
+spec:
+ replicas: 2
+ strategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: querier
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: querier
+ spec:
+ serviceAccount: thanos
+ securityContext:
+ runAsUser: 1001
+ fsGroup: 1001
+ containers:
+ - name: querier
+ image: quay.io/thanos/thanos:v0.36.1
+ args:
+ - query
+ - --log.level=info
+ - --endpoint.info-timeout=30s
+ - --grpc-address=0.0.0.0:10901
+ - --http-address=0.0.0.0:10902
+ - --query.replica-label=prometheus_replica
+ - --store=storegateway.thanos.svc.cluster.local:10901
+ - --store=receiver-store-1.thanos.svc.cluster.local:10907
+ - --store=receiver-store-2.thanos.svc.cluster.local:10907
+ ports:
+ - name: http
+ containerPort: 10902
+ protocol: TCP
+ - name: grpc
+ containerPort: 10901
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/healthy
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/ready
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 2Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: thanos
+ name: querier
+spec:
+ type: ClusterIP
+ ports:
+ - port: 9090
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 10901
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ app.kubernetes.io/name: querier
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ traefik.ingress.kubernetes.io/router.middlewares: authentik-authentik@kubernetescrd
+ name: thanos-ingress
+ namespace: thanos
+spec:
+ rules:
+ - host: "thanos.services.yolokube.de"
+ http:
+ paths:
+ - pathType: Prefix
+ path: "/"
+ backend:
+ service:
+ name: querier
+ port:
+ name: http
+ tls:
+ - hosts:
+ - thanos.services.yolokube.de
+ secretName: thanos-tls-key
diff --git a/thanos/4-storegateway.yaml b/thanos/4-storegateway.yaml
new file mode 100644
index 0000000..5930f33
--- /dev/null
+++ b/thanos/4-storegateway.yaml
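Review bot: Authentication for the querier exists only on the Ingress, through the `authentik-authentik@kubernetescrd` middleware annotation; the `querier` Service and the pod listeners on `0.0.0.0:10902` and `0.0.0.0:10901` accept any in-cluster client without it. No NetworkPolicy is part of this patch, so unless one is defined elsewhere, every pod in the cluster can read all metrics by talking to the Service directly. A policy that admits the HTTP port only from the Traefik namespace, plus whatever in-cluster clients legitimately query Thanos, closes that gap. The namespace name in the sketch below is a placeholder, and it assumes the cluster's CNI enforces NetworkPolicy.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: thanos
  name: querier-ingress
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: querier
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # placeholder: the namespace Traefik runs in
              kubernetes.io/metadata.name: "<traefik-namespace>"
      ports:
        - port: http
          protocol: TCP
```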
@@ -0,0 +1,118 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ namespace: thanos
+ name: storegateway
+spec:
+ replicas: 1
+ serviceName: storegateway
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: storegateway
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: storegateway
+ spec:
+ serviceAccount: thanos
+ securityContext:
+ fsGroup: 1001
+ initContainers:
+ - name: init-chmod-data
+ image: docker.io/bitnami/minideb:buster
+ command:
+ - sh
+ - -c
+ - |
+ mkdir -p /data
+ chown -R "1001:1001" /data
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ containers:
+ - name: storegateway
+ image: quay.io/thanos/thanos:v0.36.1
+ securityContext:
+ runAsUser: 1001
+ args:
+ - store
+ - --chunk-pool-size=2GB
+ - --log.level=debug
+ - --grpc-address=0.0.0.0:10901
+ - --http-address=0.0.0.0:10902
+ - --data-dir=/data
+ - --objstore.config-file=/conf/objstore.yml
+ ports:
+ - name: http
+ containerPort: 10902
+ protocol: TCP
+ - name: grpc
+ containerPort: 10901
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/healthy
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/ready
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 1Gi
+ volumeMounts:
+ - name: objstore
+ mountPath: /conf/objstore.yml
+ subPath: objstore.yml
+ - name: data
+ mountPath: /data
+ volumes:
+ - name: objstore
+ secret:
+ secretName: objstore
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes: [ReadWriteOnce]
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: thanos
+ name: storegateway
+spec:
+ type: ClusterIP
+ ports:
+ - port: 9090
+ targetPort: http
+ protocol: TCP
+ name: http
+ - port: 10901
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ app.kubernetes.io/name: storegateway
diff --git a/thanos/5-compactor.yaml b/thanos/5-compactor.yaml
new file mode 100644
index 0000000..f5669fa
--- /dev/null
+++ b/thanos/5-compactor.yaml
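Review bot: The `init-chmod-data` init container runs with `runAsUser: 0` from `docker.io/bitnami/minideb:buster`, a mutable tag on an end-of-life Debian release, and the same container is repeated in thanos/5-compactor.yaml and in both receiver StatefulSets in thanos/6-receiver.yaml. The pod already sets `fsGroup: 1001`, which on volume types that support it makes the kubelet set group ownership of `/data`, so the root step is probably redundant and the `initContainers` block can be dropped. If the storage class really needs the chown, pin the image by digest (`image: docker.io/bitnami/minideb@sha256:<digest>`) and add `allowPrivilegeEscalation: false` to its `securityContext`. The store gateway is also the only component started with `--log.level=debug`; `--log.level=info` would match the others.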
@@ -0,0 +1,105 @@
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ namespace: thanos
+ name: compactor
+spec:
+ accessModes: [ReadWriteOnce]
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: thanos
+ name: compactor
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: compactor
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: compactor
+ spec:
+ serviceAccount: thanos
+ securityContext:
+ fsGroup: 1001
+ initContainers:
+ - name: init-chmod-data
+ image: docker.io/bitnami/minideb:buster
+ command:
+ - sh
+ - -c
+ - |
+ mkdir -p /data
+ chown -R "1001:1001" /data
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ containers:
+ - name: compactor
+ image: quay.io/thanos/thanos:v0.36.1
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsUser: 1001
+ args:
+ - compact
+ - --log.level=info
+ - --http-address=0.0.0.0:10902
+ - --data-dir=/data
+ - --retention.resolution-raw=7d
+ - --retention.resolution-5m=30d
+ - --retention.resolution-1h=180d
+ - --consistency-delay=30m
+ - --objstore.config-file=/conf/objstore.yml
+ - --wait
+ ports:
+ - name: http
+ containerPort: 10902
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/healthy
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/ready
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ volumeMounts:
+ - name: objstore
+ mountPath: /conf/objstore.yml
+ subPath: objstore.yml
+ - name: data
+ mountPath: /data
+ volumes:
+ - name: objstore
+ secret:
+ secretName: objstore
+ - name: data
+ persistentVolumeClaim:
+ claimName: compactor
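Review bot: The compactor's memory limit of `256Mi` equals its request and is the lowest limit in this patch, although compaction and downsampling have to hold block index data in memory. If the container is OOM-killed it restarts in a loop, and the `--retention.resolution-*` settings in the same args list are then never applied, so the bucket keeps growing. This is inferred from the manifest, not from measurements, so size the limit from observed usage; as a starting point `memory: 2Gi` under `limits` would match the querier in thanos/3-querier.yaml.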
diff --git a/thanos/6-receiver.yaml b/thanos/6-receiver.yaml
new file mode 100644
index 0000000..d582ccd
--- /dev/null
+++ b/thanos/6-receiver.yaml
@@ -0,0 +1,315 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: hashring
+ namespace: thanos
+stringData:
+ hashring.json: |-
+ [
+ {
+ "endpoints": [
+ "receiver-store-1.thanos.svc.cluster.local:10907",
+ "receiver-store-2.thanos.svc.cluster.local:10907"
+ ]
+ }
+ ]
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: receiver-store-1
+ namespace: thanos
+spec:
+ type: ClusterIP
+ ports:
+ - port: 10907
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ app.kubernetes.io/name: receiver
+ app.kubernetes.io/instance: receiver-1
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: receiver-1
+ namespace: thanos
+spec:
+ replicas: 1
+ serviceName: receiver
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: receiver
+ app.kubernetes.io/instance: receiver-1
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: receiver
+ app.kubernetes.io/instance: receiver-1
+ spec:
+ serviceAccount: thanos
+ securityContext:
+ fsGroup: 1001
+ initContainers:
+ - name: init-chmod-data
+ image: docker.io/bitnami/minideb:buster
+ imagePullPolicy: Always
+ command:
+ - sh
+ - -c
+ - |
+ mkdir -p /data
+ chown -R "1001:1001" /data
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ containers:
+ - name: receiver
+ image: quay.io/thanos/thanos:v0.36.1
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsUser: 1001
+ args:
+ - receive
+ - --tsdb.path=/data
+ - --tsdb.retention=15d
+ - --log.level=info
+ - --grpc-address=0.0.0.0:10907
+ - --http-address=0.0.0.0:10909
+ - --receive.replication-factor=1
+ - --label
+ - receive_replica="0"
+ - --label
+ - receive_cluster="main"
+ - --receive.tenant-label-name
+ - yolokube
+ - --objstore.config-file=/conf/objstore.yml
+ - --remote-write.address=0.0.0.0:10908
+ - --receive.hashrings-algorithm=ketama
+ - --receive.hashrings-file=/conf/hashring.json
+ - --receive.local-endpoint=receiver-store-1.thanos.svc.cluster.local:10907
+ ports:
+ - name: http
+ containerPort: 10909
+ protocol: TCP
+ - name: grpc
+ containerPort: 10907
+ protocol: TCP
+ - name: remote-write
+ containerPort: 10908
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/healthy
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/ready
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ volumeMounts:
+ - name: objstore
+ mountPath: /conf/objstore.yml
+ subPath: objstore.yml
+ - name: data
+ mountPath: /data
+ - name: hashring
+ mountPath: /conf/hashring.json
+ subPath: hashring.json
+ volumes:
+ - name: objstore
+ secret:
+ secretName: objstore
+ - name: receiver-tls
+ secret:
+ secretName: receiver-tls
+ - name: hashring
+ secret:
+ secretName: hashring
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes: [ReadWriteOnce]
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: receiver-store-2
+ namespace: thanos
+spec:
+ type: ClusterIP
+ ports:
+ - port: 10907
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ app.kubernetes.io/name: receiver
+ app.kubernetes.io/instance: receiver-2
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: receiver-2
+ namespace: thanos
+spec:
+ replicas: 1
+ serviceName: receiver
+ updateStrategy:
+ type: RollingUpdate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: receiver
+ app.kubernetes.io/instance: receiver-2
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: receiver
+ app.kubernetes.io/instance: receiver-2
+ spec:
+ serviceAccount: thanos
+ securityContext:
+ fsGroup: 1001
+ initContainers:
+ - name: init-chmod-data
+ image: docker.io/bitnami/minideb:buster
+ imagePullPolicy: Always
+ command:
+ - sh
+ - -c
+ - |
+ mkdir -p /data
+ chown -R "1001:1001" /data
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ containers:
+ - name: receiver
+ image: quay.io/thanos/thanos:v0.36.1
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsUser: 1001
+ args:
+ - receive
+ - --tsdb.path=/data
+ - --tsdb.retention=15d
+ - --log.level=info
+ - --grpc-address=0.0.0.0:10907
+ - --http-address=0.0.0.0:10909
+ - --receive.replication-factor=1
+ - --label
+ - receive_replica="0"
+ - --label
+ - receive_cluster="main"
+ - --receive.tenant-label-name
+ - yolokube
+ - --objstore.config-file=/conf/objstore.yml
+ - --remote-write.address=0.0.0.0:10908
+ - --receive.hashrings-algorithm=ketama
+ - --receive.hashrings-file=/conf/hashring.json
+ - --receive.local-endpoint=receiver-store-2.thanos.svc.cluster.local:10907
+ ports:
+ - name: http
+ containerPort: 10909
+ protocol: TCP
+ - name: grpc
+ containerPort: 10907
+ protocol: TCP
+ - name: remote-write
+ containerPort: 10908
+ protocol: TCP
+ livenessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/healthy
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ readinessProbe:
+ failureThreshold: 6
+ httpGet:
+ path: /-/ready
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 30
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+ volumeMounts:
+ - name: objstore
+ mountPath: /conf/objstore.yml
+ subPath: objstore.yml
+ - name: data
+ mountPath: /data
+ - name: hashring
+ mountPath: /conf/hashring.json
+ subPath: hashring.json
+ volumes:
+ - name: objstore
+ secret:
+ secretName: objstore
+ - name: receiver-tls
+ secret:
+ secretName: receiver-tls
+ - name: hashring
+ secret:
+ secretName: hashring
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes: [ReadWriteOnce]
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: receiver-write
+ namespace: thanos
+spec:
+ type: ClusterIP
+ ports:
+ - port: 10908
+ targetPort: remote-write
+ protocol: TCP
+ name: remote-write
+ selector:
+ app.kubernetes.io/name: receiver
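Review bot: Both receiver StatefulSets declare a `receiver-tls` Secret volume that no container mounts and no flag references, so the remote-write listener on `0.0.0.0:10908` and the gRPC listener on `0.0.0.0:10907` serve plaintext without client authentication. Any pod that can reach the `receiver-write` Service can therefore push samples. Either remove the unused volume, or mount it and pass `--remote-write.server-tls-cert` and `--remote-write.server-tls-key` (and the `--grpc-server-tls-*` equivalents), adding a client CA if writers should be authenticated. Separately, receiver-1 and receiver-2 both announce `receive_replica="0"`; identical external labels on two receivers are likely to give the compactor overlapping blocks, so receiver-2 should use a distinct value such as `receive_replica="1"`.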