auricom-home-cluster/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml

---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: thanos
  namespace: monitoring
spec:
  interval: 30m
  chart:
    spec:
      chart: thanos
      version: 12.23.2
      sourceRef:
        kind: HelmRepository
        name: bitnami
        namespace: flux-system
  maxHistory: 2
  install:
    createNamespace: true
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  values:
    image:
      registry: quay.io
      repository: thanos/thanos
      tag: v0.34.0@sha256:2356a5f131fd80965d7a0617b70b14e4facae1aee5ec43f117f8bfbe20d987fc
    objstoreConfig:
      type: s3
      config:
        bucket: thanos
        endpoint: "minio.${SECRET_DOMAIN}:9000"
        region: ""
        # insecure: true
    query:
      enabled: true
      replicaCount: 2
      podAntiAffinityPreset: hard
      replicaLabels:
        - replica
      dnsDiscovery:
        sidecarsService: kube-prometheus-stack-thanos-discovery
        sidecarsNamespace: monitoring
        stores:
          - "dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery"
          - "thanos-store.${SECRET_DOMAIN}:443"
      ingress:
        enabled: true
        hostname: &host "thanos-query.${SECRET_CLUSTER_DOMAIN}"
        annotations:
          nginx.ingress.kubernetes.io/auth-method: GET
          nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
          nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method
          nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
          nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
          hajimari.io/enable: "false"
        ingressClassName: "nginx"
        tls: true
        extraTls:
          - hosts:
              - *host
      resources:
        requests:
          cpu: 15m
          memory: 64M
        limits:
          memory: 99M
    queryFrontend:
      enabled: true
    bucketweb:
      enabled: true
      refresh: "10m"
    compactor:
      enabled: true
      extraFlags:
        - "--compact.concurrency"
        - "4"
      retentionResolutionRaw: 14d
      retentionResolution5m: 14d
      retentionResolution1h: 30d
      ingress:
        enabled: true
        hostname: &host "thanos-compactor.${SECRET_CLUSTER_DOMAIN}"
        ingressClassName: "nginx"
        annotations:
          hajimari.io/enable: "false"
        tls: true
        extraTls:
          - hosts:
              - *host
      persistence:
        enabled: true
        storageClass: "rook-ceph-block"
        size: 15Gi
    storegateway:
      enabled: true
      resources:
        requests:
          cpu: 23m
          memory: 204M
        limits:
          memory: 226M
      persistence:
        enabled: true
        storageClass: "rook-ceph-block"
        size: 4Gi
    ruler:
      enabled: false
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
  valuesFrom:
    - kind: Secret
      name: thanos-secret
      valuesKey: S3_ACCESS_KEY
      targetPath: objstoreConfig.config.access_key
    - kind: Secret
      name: thanos-secret
      valuesKey: S3_SECRET_KEY
      targetPath: objstoreConfig.config.secret_key