apiVersion: apps/v1 kind: StatefulSet metadata: annotations: meta.helm.sh/release-name: kube-prometheus-stack meta.helm.sh/release-namespace: monitoring prometheus-operator-input-hash: "2188563648576455591" creationTimestamp: "2026-04-14T07:38:02Z" generation: 1 labels: app: kube-prometheus-stack-prometheus app.kubernetes.io/instance: kube-prometheus-stack app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kube-prometheus-stack app.kubernetes.io/version: 60.2.0 chart: kube-prometheus-stack-60.2.0 heritage: Helm managed-by: prometheus-operator operator.prometheus.io/mode: server operator.prometheus.io/name: kube-prometheus-stack-prometheus operator.prometheus.io/shard: "0" release: kube-prometheus-stack name: prometheus-kube-prometheus-stack-prometheus namespace: monitoring ownerReferences: - apiVersion: monitoring.coreos.com/v1 blockOwnerDeletion: true controller: true kind: Prometheus name: kube-prometheus-stack-prometheus uid: a5b3f148-40a7-45ad-b5ec-d218cc4b2123 resourceVersion: "5439" uid: 6e7b7c4b-fdf4-4d1f-a029-c6b308a86f5b spec: persistentVolumeClaimRetentionPolicy: whenDeleted: Retain whenScaled: Retain podManagementPolicy: Parallel replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/instance: kube-prometheus-stack-prometheus app.kubernetes.io/managed-by: prometheus-operator app.kubernetes.io/name: prometheus operator.prometheus.io/name: kube-prometheus-stack-prometheus operator.prometheus.io/shard: "0" prometheus: kube-prometheus-stack-prometheus serviceName: prometheus-operated template: metadata: annotations: kubectl.kubernetes.io/default-container: prometheus creationTimestamp: null labels: app.kubernetes.io/instance: kube-prometheus-stack-prometheus app.kubernetes.io/managed-by: prometheus-operator app.kubernetes.io/name: prometheus app.kubernetes.io/version: 2.51.2 operator.prometheus.io/name: kube-prometheus-stack-prometheus operator.prometheus.io/shard: "0" prometheus: kube-prometheus-stack-prometheus spec: automountServiceAccountToken: true containers: - args: - --web.console.templates=/etc/prometheus/consoles - --web.console.libraries=/etc/prometheus/console_libraries - --config.file=/etc/prometheus/config_out/prometheus.env.yaml - --web.enable-lifecycle - --web.external-url=http://prometheus.199-204-45-223.nip.io/ - --web.route-prefix=/ - --storage.tsdb.retention.time=10d - --storage.tsdb.path=/prometheus - --storage.tsdb.wal-compression - --web.config.file=/etc/prometheus/web_config/web-config.yaml image: harbor.atmosphere.dev/quay.io/prometheus/prometheus:v2.51.2 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 6 httpGet: path: /-/healthy port: http-web scheme: HTTP periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 name: prometheus ports: - containerPort: 9090 name: http-web protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /-/ready port: http-web scheme: HTTP periodSeconds: 5 successThreshold: 1 timeoutSeconds: 3 resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true startupProbe: failureThreshold: 60 httpGet: path: /-/ready port: http-web scheme: HTTP periodSeconds: 15 successThreshold: 1 timeoutSeconds: 3 terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/prometheus/config_out name: config-out readOnly: true - mountPath: /etc/prometheus/certs name: tls-assets readOnly: true - mountPath: /prometheus name: prometheus-kube-prometheus-stack-prometheus-db subPath: prometheus-db - mountPath: /certs name: certs - mountPath: /etc/prometheus/secrets/kube-prometheus-stack-etcd-client-cert name: secret-kube-prometheus-stack-etcd-client-cert readOnly: true - mountPath: /etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0 name: prometheus-kube-prometheus-stack-prometheus-rulefiles-0 - mountPath: /etc/prometheus/web_config/web-config.yaml name: web-config readOnly: true subPath: web-config.yaml - args: - --listen-address=:8080 - --reload-url=http://127.0.0.1:9090/-/reload - --config-file=/etc/prometheus/config/prometheus.yaml.gz - --config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml - --watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0 command: - /bin/prometheus-config-reloader env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: SHARD value: "0" image: harbor.atmosphere.dev/quay.io/prometheus-operator/prometheus-config-reloader:v0.73.0 imagePullPolicy: IfNotPresent name: config-reloader ports: - containerPort: 8080 name: reloader-web protocol: TCP resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/prometheus/config name: config - mountPath: /etc/prometheus/config_out name: config-out - mountPath: /etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0 name: prometheus-kube-prometheus-stack-prometheus-rulefiles-0 - args: - --template=/config/certificate-template.yml - --ca-path=/certs/ca.crt - --cert-path=/certs/tls.crt - --key-path=/certs/tls.key env: - name: POD_UID valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.uid - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: POD_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP image: harbor.atmosphere.dev/ghcr.io/vexxhost/pod-tls-sidecar:v1.0.0@sha256:7a030f8b86c1503006e7d82312a3c8e98769c3b8e3a2e834aee3c60df184161a imagePullPolicy: IfNotPresent name: pod-tls-sidecar resources: {} terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /config name: kube-prometheus-stack-prometheus-tls - mountPath: /certs name: certs - envFrom: - secretRef: name: kube-prometheus-stack-prometheus-oauth2-proxy image: harbor.atmosphere.dev/quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /ping port: oauth2-proxy scheme: HTTP periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 name: oauth2-proxy ports: - containerPort: 8081 name: oauth2-proxy protocol: TCP - containerPort: 8082 name: oauth2-metrics protocol: TCP readinessProbe: failureThreshold: 3 httpGet: path: /ready port: oauth2-proxy scheme: HTTP periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 resources: limits: cpu: 100m memory: 300Mi requests: cpu: 100m memory: 300Mi terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/ssl/certs/ca-certificates.crt name: ca-certificates readOnly: true dnsPolicy: ClusterFirst initContainers: - args: - --watch-interval=0 - --listen-address=:8080 - --config-file=/etc/prometheus/config/prometheus.yaml.gz - --config-envsubst-file=/etc/prometheus/config_out/prometheus.env.yaml - --watched-dir=/etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0 command: - /bin/prometheus-config-reloader env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: SHARD value: "0" image: harbor.atmosphere.dev/quay.io/prometheus-operator/prometheus-config-reloader:v0.73.0 imagePullPolicy: IfNotPresent name: init-config-reloader ports: - containerPort: 8080 name: reloader-web protocol: TCP resources: {} securityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: FallbackToLogsOnError volumeMounts: - mountPath: /etc/prometheus/config name: config - mountPath: /etc/prometheus/config_out name: config-out - mountPath: /etc/prometheus/rules/prometheus-kube-prometheus-stack-prometheus-rulefiles-0 name: prometheus-kube-prometheus-stack-prometheus-rulefiles-0 nodeSelector: openstack-control-plane: enabled restartPolicy: Always schedulerName: default-scheduler securityContext: fsGroup: 2000 runAsGroup: 2000 runAsNonRoot: true runAsUser: 1000 seccompProfile: type: RuntimeDefault serviceAccount: kube-prometheus-stack-prometheus serviceAccountName: kube-prometheus-stack-prometheus shareProcessNamespace: false terminationGracePeriodSeconds: 600 volumes: - name: config secret: defaultMode: 420 secretName: prometheus-kube-prometheus-stack-prometheus - name: tls-assets projected: defaultMode: 420 sources: - secret: name: prometheus-kube-prometheus-stack-prometheus-tls-assets-0 - emptyDir: medium: Memory name: config-out - name: secret-kube-prometheus-stack-etcd-client-cert secret: defaultMode: 420 secretName: kube-prometheus-stack-etcd-client-cert - configMap: defaultMode: 420 name: prometheus-kube-prometheus-stack-prometheus-rulefiles-0 name: prometheus-kube-prometheus-stack-prometheus-rulefiles-0 - name: web-config secret: defaultMode: 420 secretName: prometheus-kube-prometheus-stack-prometheus-web-config - hostPath: path: /etc/ssl/certs/ca-certificates.crt type: "" name: ca-certificates - emptyDir: medium: Memory name: certs - configMap: defaultMode: 420 name: kube-prometheus-stack-prometheus-tls name: kube-prometheus-stack-prometheus-tls updateStrategy: type: RollingUpdate volumeClaimTemplates: - apiVersion: v1 kind: PersistentVolumeClaim metadata: creationTimestamp: null name: prometheus-kube-prometheus-stack-prometheus-db spec: accessModes: - ReadWriteOnce resources: requests: storage: 100Gi storageClassName: general volumeMode: Filesystem status: phase: Pending status: availableReplicas: 1 collisionCount: 0 currentReplicas: 1 currentRevision: prometheus-kube-prometheus-stack-prometheus-5cc67c6bf5 observedGeneration: 1 readyReplicas: 1 replicas: 1 updateRevision: prometheus-kube-prometheus-stack-prometheus-5cc67c6bf5 updatedReplicas: 1