add thanos to prometheus and query service

Author: marcel-dempers

monitoring/prometheus/kubernetes/thanos/README.md

@@ -8,7 +8,7 @@ To follow this walkthrough , you will need [Kubernetes Monitoring](../1.33/READM
 You may need to build the applications first using docker
 
 ```
-docker compose -f monitoring\prometheus\docker-compose.yaml build 
+docker compose -f monitoring/prometheus/docker-compose.yaml build 
 ```
 
 Load the images into our cluster created in the monitoring guide:
@@ -18,6 +18,7 @@ kind load docker-image docker.io/library/go-application:latest --name monitoring
 kind load docker-image docker.io/library/dotnet-application:latest --name monitoring
 kind load docker-image docker.io/library/python-application:latest --name monitoring
 kind load docker-image docker.io/library/nodejs-application:latest --name monitoring
+
 ```
 
 Deploy our microservices: 
@@ -27,74 +28,110 @@ kubectl apply -f monitoring/prometheus/go-application/deployment.yaml
 kubectl apply -f monitoring/prometheus/dotnet-application/deployment.yaml
 kubectl apply -f monitoring/prometheus/python-application/deployment.yaml
 kubectl apply -f monitoring/prometheus/nodejs-application/deployment.yaml
-```
 
-## Deploy Prometheus Instances:
+# see all our apps 
+kubectl get pods
+NAME                                  READY   STATUS    RESTARTS   AGE
+dotnet-application-74dbc8b5d9-tjtxk   1/1     Running   0          3s
+go-application-65bbc698f-92jdr        1/1     Running   0          2m7s
+nodejs-application-c47c5f4c8-b9jhg    1/1     Running   0          2m7s
+python-application-759b44fff7-5fn8r   1/1     Running   0          2m7s
+```
 
+## Create Service Monitors 
 
-We will need a service account with RBAC permissions for our new Prometheus instances to access service monitors and allow scraping of service endpoints
-In this guide I will use a single service account in two Prometheus instance:
+We'll need `ServiceMonitor` objects to point to our applications. In my guide I generally have one `ServiceMonitor` for each application.
 
 ```
-kubectl apply -f monitoring/prometheus/kubernetes/prometheus-operator/serviceaccount.yaml
+kubectl apply -f monitoring/prometheus/kubernetes/prometheus-operator/servicemonitors.yaml
 ```
 
-To showcase Thanos, we want to have more than one instance of `Prometheus` running, so that we can demonstrate the sidecar functionality & the global query view that Thanos provides. </br>
+Each service monitor has an extra label which called `prometheus-shard` which indicates which Prometheus instance should scrape it. The manual shards will use this label to manually select services to scrape. 
+Two service monitors will be scraped by instance `prometheus-00` and the other two will be scraped by `prometheus-01`.
 
-Apply Prometheus instances. </br>
-We can either apply both manual shards, or use a single defined automated shard which will split into two `StatefulSet` objects. In this guide I will keep it simple and use two `Prometheus` instances. 
+For automated sharding, the automated shard will select `ServiceMonitor`'s based on label `monitoring` and `Prometheus` will automatically split each of the selected `ServiceMonitor` items into different `StatefulSets` . </br>
+See my Prometheus Sharding video in Kubernetes for more on that. </br>
+
+## Create an S3 storage for Thanos
+
+Thanos needs an S3 compatible storage for storing its data and long term retention.
+
+In this guide I have created a very basic simple S3 storage using [Minio](https://github.com/minio/minio). Please note my example is not a highly available minio instance and not production ready either.
+
+Deploy our test Minio instance:
 
 ```
-kubectl apply -f monitoring/prometheus/kubernetes/thanos/prometheus-00.yaml
-kubectl apply -f monitoring/prometheus/kubernetes/thanos/prometheus-00.yaml
+kubectl apply -f monitoring/prometheus/kubernetes/thanos/minio.yaml
+```
+
+This will create an S3 storage for testing purpose and a `Job` that will create a bucket for our Thanos data. </br>
+
+## Create Thanos storage secret 
+
+Before we apply Prometheus instances, we will need a secret that Thanos sidecars in each Prometheus instance will use to connect to store data in S3. 
 
+Let's create a secret for minio:
+
+```
+kubectl apply -f monitoring/prometheus/kubernetes/thanos/thanos-secret.yaml
 ```
 
-Apply Service Monitors 
+## Deploy Prometheus Instances:
+
+We will need a service account with RBAC permissions for our new Prometheus instances to access service monitors and allow scraping of service endpoints
+In this guide I will use a single service account in two Prometheus instance:
 
 ```
-kubectl apply -f monitoring/prometheus/kubernetes/prometheus-operator/servicemonitors.yaml
+kubectl apply -f monitoring/prometheus/kubernetes/prometheus-operator/serviceaccount.yaml
 ```
 
-Each service monitor has an extra label which called `prometheus-shard` which indicates which Prometheus instance should scrape it. The manual shards will use this label to manually select services to scrape. 
-Two service monitors will be scraped by instance `prometheus-00` and the other two will be scraped by `prometheus-01`.
+To showcase Thanos, we want to have more than one instance of `Prometheus` running, so that we can demonstrate the sidecar functionality & the global query view that Thanos provides. </br>
 
-For automated sharding, the automated shard will select `ServiceMonitor`'s based on label `monitoring` and `Prometheus` will automatically split each of the selected `ServiceMonitor` items into different `StatefulSets` . </br>
+We can either apply both manual shards, or use a single defined automated shard which will split into two `StatefulSet` objects. In this guide I will keep it simple and use two `Prometheus` instances.
 
-We can now see our Prometheus instances in the `default` namespace:
+To understand Thanos, we'll take a closer look at the `Prometheus` spec in our instances we are going to deploy: 
 
 ```
-NAME                                  READY   STATUS    RESTARTS   AGE
-dotnet-application-74dbc8b5d9-fq2p5   1/1     Running   0          24h
-go-application-65bbc698f-jxnls        1/1     Running   0          24h
-nodejs-application-c47c5f4c8-cj7jl    1/1     Running   0          24h
-prometheus-prometheus-0               2/2     Running   0          17h
-prometheus-prometheus-00-0            2/2     Running   0          23h
-prometheus-prometheus-01-0            2/2     Running   0          23h
-prometheus-prometheus-shard-1-0       2/2     Running   0          17h
-python-application-759b44fff7-s276f   1/1     Running   0          24h
+kubectl apply -f monitoring/prometheus/kubernetes/thanos/prometheus-00.yaml
+kubectl apply -f monitoring/prometheus/kubernetes/thanos/prometheus-01.yaml
+
 ```
 
-Checkout each of the automated Prometheus shards
+We can now see our Prometheus instances in the `default` namespace:
 
 ```
-kubectl port-forward prometheus-prometheus-0 9090
-kubectl port-forward prometheus-prometheus-shard-1-0 9091:9090
+kubectl get pods
+NAME                                  READY   STATUS            RESTARTS   AGE
+dotnet-application-74dbc8b5d9-tjtxk   1/1     Running           0          60m
+go-application-65bbc698f-92jdr        1/1     Running           0          62m
+nodejs-application-c47c5f4c8-b9jhg    1/1     Running           0          62m
+prometheus-prometheus-00-0            3/3     Running           0          21s
+prometheus-prometheus-01-0            3/3     Running           0          17s
+python-application-759b44fff7-5fn8r   1/1     Running           0          62m
 ```
 
-Now that we have applications to monitor and we have `Prometheus` instances scraping these applications in different instances, we can finally implement Thanos into our solution
+Checkout each of the `Prometheus` instances and see our 4 applications sharded to 2 instances evenly. </br>
 
+```
+kubectl port-forward prometheus-prometheus-00-0  9090
+kubectl port-forward prometheus-prometheus-01-0  9091:9090
+```
 
-## Create an S3 storage for Thanos
+## Deploying the Thanos Query Service
 
-Thanos needs an S3 compatible storage for storing its data and long term retention.
+Thanos is now enabled on our `Prometheus` instances, which means the sidecars are shipping metrics data from each instance to our S3. </br>
+For us to create a global query service we need to deploy the Thanos Query component which will link up to each Thanos sidecar, using the service created by the Prometheus operator
 
-In this guide I have created a very basic simple S3 storage using [Minio](https://github.com/minio/minio). Please note my example is not a highly available minio instance and not production ready either.
+```
+kubectl apply -f monitoring/prometheus/kubernetes/thanos/thanos-query.yaml
+```
 
-Deploy our test Minio instance:
+## Test in Grafana 
+
+We can now verify that we can query Thanos in Grafana by using `port-forward` to access Grafana.
 
 ```
-kubectl apply -f monitoring/prometheus/kubernetes/thanos/minio.yaml
+kubectl -n monitoring port-forward svc/grafana 3000:80
 ```
 
-This will create an S3 storage for testing purpose and a `Job` that will create a bucket for our Thanos data. </br>
+Then access Grafana on [localhost:3000](http://localhost:3000/)

monitoring/prometheus/kubernetes/thanos/prometheus-00.yaml

@@ -11,7 +11,7 @@ spec:
   nodeSelector:
     kubernetes.io/os: linux
   replicas: 1
-  retention: 30d
+  retention: 2d # Thanos will now have long term storage
   scrapeInterval: 30s
   serviceAccountName: prometheus-applications
   serviceMonitorNamespaceSelector:
@@ -23,4 +23,15 @@ spec:
   shards: 1
   version: v3.4.1
   externalLabels:
-    prometheus-shard: prometheus-00
+    prometheus: applications
+    prometheus-shard: prometheus-00
+  thanos:
+    baseImage: quay.io/thanos/thanos:v0.38.0
+    objectStorageConfig:
+      name: thanos-secret
+      key: objstore.yml
+  securityContext:
+    fsGroup: 2000
+    runAsGroup: 2000
+    runAsNonRoot: true
+    runAsUser: 1000

monitoring/prometheus/kubernetes/thanos/prometheus-01.yaml

@@ -11,7 +11,7 @@ spec:
   nodeSelector:
     kubernetes.io/os: linux
   replicas: 1
-  retention: 30d
+  retention: 2d # Thanos will now have long term storage
   scrapeInterval: 30s
   serviceAccountName: prometheus-applications
   serviceMonitorNamespaceSelector:
@@ -23,4 +23,15 @@ spec:
   shards: 1
   version: v3.4.1
   externalLabels:
-    prometheus-shard: prometheus-01
+    prometheus: applications
+    prometheus-shard: prometheus-01
+  thanos:
+    baseImage: quay.io/thanos/thanos:v0.38.0
+    objectStorageConfig:
+      name: thanos-secret
+      key: objstore.yml
+  securityContext:
+    fsGroup: 2000
+    runAsGroup: 2000
+    runAsNonRoot: true
+    runAsUser: 1000

monitoring/prometheus/kubernetes/thanos/thanos-query.yaml

@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: thanos-query
+  labels:
+    app: thanos-query
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: thanos-query
+  template:
+    metadata:
+      labels:
+        app: thanos-query
+    spec:
+      containers:
+      - name: thanos-query
+        image: quay.io/thanos/thanos:v0.38.0
+        args:
+        - "query"
+        - "--http-address=0.0.0.0:19090" # Thanos Query HTTP API, for Grafana and UI
+        - "--grpc-address=0.0.0.0:19091" # Thanos Query gRPC API, for other Thanos components
+        # Connect to Prometheus Thanos sidecars.
+        # These should be the Kubernetes Service names exposing the Thanos sidecar's gRPC port (10901 or 19091).
+        - --endpoint=dnssrv+_grpc._tcp.prometheus-operated.default.svc.cluster.local
+        ports:
+        - name: http
+          containerPort: 19090
+          protocol: TCP
+        - name: grpc
+          containerPort: 19091
+          protocol: TCP
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 1Gi
+      # Optional: Add a service account if you need to grant specific RBAC permissions
+      # serviceAccountName: thanos-query-sa
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: thanos-query
+  labels:
+    app: thanos-query
+spec:
+  selector:
+    app: thanos-query
+  ports:
+  - name: http
+    protocol: TCP
+    port: 19090
+    targetPort: http
+  - name: grpc
+    protocol: TCP
+    port: 19091
+    targetPort: grpc
+  type: ClusterIP # Use ClusterIP for internal access. For external, consider NodePort or Ingress.

monitoring/prometheus/kubernetes/thanos/thanos-secret.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: thanos-secret
+type: Opaque
+stringData:
+  objstore.yml: |
+    type: s3
+    config:
+      bucket: "thanos-blocks"
+      endpoint: "minio-service:9000"
+      region: "us-east-1"      # MinIO doesn't care about region, but S3 requires it
+      access_key: "thanos"
+      secret_key: "supersecretpassword"
+      insecure: true # Use insecure connection for MinIO (HTTP, not HTTPS)