feat(charts)!: Update Helm release thanos to 15.9.2

[renovate]

This PR contains the following updates:

Package	Update	Change
thanos (source)	major	11.5.5 -> 15.9.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

bitnami/charts (thanos)

v15.9.2

• [bitnami/thanos] Add concurrency value to compactor (#​30722)

v15.9.1

• [bitnami/thanos] Release 15.9.1 (#​30983)

v15.9.0

• [bitnami/*] Add Bitnami Premium to NOTES.txt (#​30854) (3dfc003), closes #​30854
• [bitnami/thanos] Detect non-standard images (#​30948) (f094a30), closes #​30948

v15.8.5

• [bitnami/thanos] Allow for shards that are both time and hash partitioned. (#​30826) (bb42a7e), closes #​30826

v15.8.4

• [bitnami/thanos] Release 15.8.4 (#​30783)

v15.8.3

• [bitnami/*] docs: 📝 Add "Backup & Restore" section (#​30711) (35ab536), closes #​30711
• [bitnami/*] docs: 📝 Add "Prometheus metrics" (batch 6) (#​30675) (7b9cd04), closes #​30675
• [bitnami/*] docs: 📝 Unify "Securing Traffic using TLS" section (#​30707) (b572333), closes #​30707
• [bitnami/thanos] Release 15.8.3 (#​30779) (963e102), closes #​30779

v15.8.2

• [bitnami/thanos] Release 15.8.2 (#​30626)

v15.8.1

• [bitnami/thanos] Release 15.8.1 (#​30293)

v15.8.0

• [bitnami/thanos] Add compactor dataDir setting (#​29856)

v15.7.29

• [bitnami/thanos] Add customAutoScaling flag (#​29849)

v15.7.28

• [bitnami/thanos] Revert #​29673 (#​29763) (0e20117), closes #​29673 #​29763

v15.7.27

• [bitnami/thanos] Release 15.7.27 (#​29720) (cd99907), closes #​29720

v15.7.26

• [bitnami/thanos] Fix serviceNames based on additionalHeadless (#​29673) (418a890), closes #​29673

v15.7.25

• [bitnami/thanos] Release 15.7.25 (#​29260) (254365c), closes #​29260

v15.7.24

• [bitnami/thanos] Added apiVersion and kind to volumeClaimTemplates (#​29200) (44aca55), closes #​29200 #​29178

v15.7.23

• [bitnami/thanos] Release 15.7.23 (#​29068) (9ed3b18), closes #​29068

v15.7.22

• add custom relabel config while thanos storegateway hash shard (#​28969) (10a31bd), closes #​28969

v15.7.21

• [bitnami/thanos] Update index cache config for sharded store gateway (#​28747) (f7caac5), closes #​28747

v15.7.20

• [bitnami/thanos] Release 15.7.20 (#​28859) (73a02f4), closes #​28859

v15.7.19

• [bitnami/thanos] add receive distributor termination grace period (#​28793) (6838ae1), closes #​28793

v15.7.18

• [bitnami/thanos] Release 15.7.18 (#​28752) (8994d7b), closes #​28752

v15.7.17

• [bitnami/thanos] add ruler custom data path (#​28606) (125fb1b), closes #​28606

v15.7.16

• [bitnami/thanos] Release 15.7.16 (#​28607) (d966dfe), closes #​28607

v15.7.15

• [bitnami/thanos] Release 15.7.15 (#​28508) (5dbafa2), closes #​28508

v15.7.14

• [bitnami/thanos] Release 15.7.14 (#​28386) (edf6bd2), closes #​28386

v15.7.13

• [bitnami/thanos] Global StorageClass as default value (#​28103) (e239a85), closes #​28103

v15.7.12

• [bitnami/thanos] Release 15.7.12 (#​27792) (f4bd712), closes #​27792

v15.7.11

• [bitnami/thanos] Release 15.7.11 (#​27678) (a0a34ce), closes #​27678

v15.7.10

• [bitnami/*] Update README changing TAC wording (#​27530) (52dfed6), closes #​27530
• [bitnami/thanos] Add validation for Thanos receive configuration (#​27501) (fbf31b7), closes #​27501

v15.7.9

• [bitnami/thanos] Release 15.7.9 (#​27424) (ef0b51e), closes #​27424

v15.7.8

• [bitnami/thanos] fix thanos dual-stack receive monitoring (#​27112) (017b2fb), closes #​27112

v15.7.7

• [bitnami/thanos] Release 15.7.7 (#​27294) (7e339f1), closes #​27294

v15.7.6

• [bitnami/thanos] Fix sharded storegateway cache configs (again) (#​27101) (e6d16b4), closes #​27101

v15.7.5

• [bitnami/thanos] only deploy networkPolicy when component is enabled (#​27070) (1bd3b34), closes #​27070

v15.7.4

• [bitnami/thanos] Fix sharded storegateway cache configs (#​26490) (54afe30), closes #​26490

v15.7.3

• [bitnami/thanos] add service monitor labels (#​26880) (162d466), closes #​26880

v15.7.2

• [bitnami/thanos] Add customAutoScaling flag (#​29849) (6cf283d), closes #​29849

v15.7.1

• [bitnami/thanos] add receive distributor termination grace period (#​28793) (6838ae1), closes #​28793

v15.7.0

• [bitnami/thanos] Enable PodDisruptionBudgets (#​26709) (4796dad), closes #​26709

v15.6.2

• [bitnami/thanos] Bump chart version (#​26808) (f0b10e8), closes #​26808

v15.6.1

• [bitnami/thanos] Release 15.6.1 (#​26755) (4e3585e), closes #​26755

v15.6.0

• [bitnami/thanos] Receive, ruler & storegateway statefulsets persistentVolumeClaimRetentionPolicy sup (c955b0e), closes #​25676

v15.5.1

• [bitnami/thanos] Release 15.5.1 (#​26517) (06b7586), closes #​26517

v15.5.0

• [bitnami/*] ci: 👷 Add tag and changelog support (#​25359) (91c707c), closes #​25359
• [bitnami/thanos] feat: ✨ 🔒 Add warning when original images are replaced (#​26283) (2a39de8), closes #​26283

v15.4.7

• [bitnami/thanos] Release 15.4.7 updating components versions (#​26083) (e4c2454), closes #​26083

v15.4.6

• [bitnami/thanos] Release 15.4.6 updating components versions (#​25829) (bf6b3ec), closes #​25829

v15.4.4

• [bitnami/*] Set new header/owner (#​25558) (8d1dc11), closes #​25558
• [bitnami/thanos] Release 15.4.4 updating components versions (#​25622) (8f47d6a), closes #​25622

v15.4.3

• [bitnami/thanos] Release 15.4.3 updating components versions (#​25503) (b63467f), closes #​25503

v15.4.2

• correct thanos statefulset-sharded cache config mounts (#​25487) (bb1ece6), closes #​25487

v15.4.1

• [bitnami/thanos] Fix mountPath conflict thanos store (#​25384) (057cc2b), closes #​25384

v15.4.0

• [bitnami/multiple charts] Fix typo: "NetworkPolice" vs "NetworkPolicy" (#​25348) (6970c1b), closes #​25348
• [bitnami/thanos] Add custom tsdb path (#​25334) (77c4c6f), closes #​25334
• [bitnami/thanos] Use endpoint group optionally for Store Gateways (#​25336) (e416257), closes #​25336
• Replace VMware by Broadcom copyright text (#​25306) (a5e4bd0), closes #​25306

v15.3.0

• [bitnami/thanos] Fix thanos query downstream URL with HTTPS enabled (#​25175) (252c4ef), closes #​25175

v15.2.2

• [bitnami/thanos] Fix thanos checksum annotations (#​24737) (b67cc70), closes #​24737

v15.2.1

• [bitnami/thanos] Fix storegateway cache configs (#​25242) (b2b8c91), closes #​25242

v15.2.0

• [bitnami/thanos] added pvc labels to thanos-receive (#​24934) (2acf132), closes #​24934 #​24927

v15.1.3

• [bitnami/thanos] add terminationGracePeriodSeconds (#​25315) (aff45b2), closes #​25315

v15.1.2

• [bitnami/thanos] Fix compaction prometheusRule template (#​25188) (05ca034), closes #​25188

v15.1.1

• Remove service monitor labels from headless services (#​25171) (38947e0), closes #​25171

v15.1.0

• [bitnami/thanos] Allow disabling mTLS for GRPC (#​25189) (a892573), closes #​25189

v15.0.5

• fix(thanos): enable Ingress only when component is enabled (#​25103) (f696f8c), closes #​25103

v15.0.4

• [bitnami/thanos] Release 15.0.4 updating components versions (#​24978) (5a26c10), closes #​24978

v15.0.3

• [bitnami/thanos] Release 15.0.3 (#​24921) (273bce4), closes #​24921

v15.0.2

• [bitnami/thanos]Fix: Make prometheus rules reliable with release name (#​24655) (a2a6eab), closes #​24655 #​24651 #​24651
• Update resourcesPreset comments (#​24467) (92e3e8a), closes #​24467

v15.0.1

• [bitnami/thanos] fix: use https for queryURL when ingress is tls (#​24456) (78e9746), closes #​24456

v15.0.0

• [bitnami/thanos] feat!: 🔒 💥 Improve security defaults (#​24715) (566b718), closes #​24715

v14.0.2

• [bitnami/*] Reorder Chart sections (#​24455) (0cf4048), closes #​24455
• [bitnami/thanos] Fix thanos objstoreConfig and storegatewayConfigMap (#​24603) (9a0fece), closes #​24603

v14.0.1

• [bitnami/thanos] Fine-granted checksum calculation for deployment re-trigger (#​24014) (7469e43), closes #​24014

v14.0.0

• [bitnami/thanos] Update bundled MinIO (#​24477) (8dbd383), closes #​24477

v13.4.1

• [bitnami/thanos] Release 13.4.1 updating components versions (#​24231) (57995fd), closes #​24231

v13.4.0

• [bitnami/thanos] feat: ✨ 🔒 Add automatic adaptation for Openshift restricted-v2 SCC (# (8583f41), closes #​24161

v13.3.0

• [bitnami/thanos] feat: ✨ 🔒 Add runAsGroup (#​23995) (0011046), closes #​23995

v13.2.2

• [bitnami/thanos] Release 13.2.2 updating components versions (#​23833) (4440601), closes #​23833

v13.2.1

• [bitnami/thanos] Release 13.2.1 updating components versions (#​23699) (e2491f9), closes #​23699

v13.1.0

• [bitnami/thanos] feat: ✨ 🔒 Add resource preset support (#​23527) (1c268f3), closes #​23527

v13.0.0

• [bitnami/thanos] feat!: ♻️ 🔒 Refactor and enable NetworkPolicy by default (#​22687) (89643fd), closes #​22687

v12.23.2

• [bitnami/thanos] Release 12.23.2 updating components versions (#​23279) (f03c904), closes #​23279

v12.23.1

• [bitnami/thanos] Release 12.23.1 updating components versions (#​23145) (7cccb85), closes #​23145

v12.23.0

• [bitnami/thanos] feat: Option to enable ephemeral persistent volume for compactor (#​22808) (055c8ed), closes #​22808
• [bitnami/thanos] Fix revisionHistoryLimit for thanos storegateway (#​22751) (bc4b1dc), closes #​22751

v12.22.1

• [bitnami/thanos] Release 12.22.1 updating components versions (#​22803) (dc6bce1), closes #​22803

v12.22.0

• [bitnami/*] Move documentation sections from docs.bitnami.com back to the README (#​22203) (7564f36), closes #​22203
• [bitnami/thanos] Add revisionHistoryLimit option for each component (#​22698) (0413c10), closes #​22698

v12.21.1

• [bitnami/thanos] Release 12.21.1 updating components versions (#​22343) (106af76), closes #​22343

v12.21.0

• [bitnami/thanos] fix: 🔒 Improve podSecurityContext and containerSecurityContext with essential (c6fc750), closes #​22195

v12.20.4

• [bitnami/thanos] fix: 🔒 Do not use the default service account (#​22031) (5ba6305), closes #​22031

v12.20.3

• [bitnami/*] Fix ref links (in comments) (#​21822) (e4fa296), closes #​21822
• [bitnami/thanos] Release 12.20.3 updating components versions (#​22010) (af1b1c9), closes #​22010

v12.20.2

• [bitnami/*] Fix docs.bitnami.com broken links (#​21901) (f35506d), closes #​21901
• [bitnami/*] Update copyright: Year and company (#​21815) (6c4bf75), closes #​21815
• [bitnami/thanos] Release 12.20.2 updating components versions (#​21972) (d6544fb), closes #​21972

v12.20.1

• [bitnami/thanos]: Removing replicas in storegateway in sharded mode when autoscaling is enabled (#​21 (fcb2dbb), closes #​21515

v12.20.0

• [bitnami/thanos] Add Configurability for runbookUrl Parameter (#​21628) (83d8843), closes #​21628

v12.19.1

• [bitnami/thanos] Release 12.19.1 updating components versions (#​21645) (e21d642), closes #​21645

v12.19.0

• [bitnami/thanos] Add minReadySeconds to Thanos Receive (#​21583) (0c325af), closes #​21583

v12.18.0

• [bitnami/thanos] Implement tpl for ingress hostname/extraTls (#​21351) (daa7324), closes #​21351

v12.17.0

• [bitnami/thanos] feat: expose compactor cronjob ttlSecondsAfterFinished (#​21411) (d2a41e2), closes #​21411

v12.16.2

• [bitnami/thanos] Release 12.16.2 updating components versions (#​21436) (f1d93a5), closes #​21436

v12.16.1

• [bitnami/*] Rename solutions to "Bitnami package for ..." (#​21038) (b82f979), closes #​21038
• [bitnami/thanos] Release 12.16.1 updating components versions (#​21180) (1d867ec), closes #​21180

v12.16.0

• [bitnami/*] Remove relative links to non-README sections, add verification for that and update TL;DR (1103633), closes #​20967
• [bitnami/thanos] feat: add generic ephemeral volume option for compactor (#​21030) (5f9344f), closes #​21030

v12.15.0

• [bitnami/thanos] Automatically apply query-frontend's ingress hostname to alert.queryURL (#​20795) (fe05d92), closes #​20795

v12.14.2

• [bitnami/thanos] Release 12.14.2 updating components versions (#​20831) (f017cfa), closes #​20831

v12.14.1

• [bitnami/thanos] Release 12.14.1 updating components versions (#​20788) (8560811), closes #​20788

v12.14.0

• [bitnami/thanos] feat: ✨ Add support for PSA restricted policy (#​20553) (af354f2), closes #​20553

v12.13.13

• [bitnami/*] Rename VMware Application Catalog (#​20361) (3acc734), closes #​20361
• [bitnami/*] Skip image's tag in the README files of the Bitnami Charts (#​19841) (bb9a01b), closes #​19841
• [bitnami/*] Standardize documentation (#​19835) (af5f753), closes #​19835
• [bitnami/thanos] Fix dup common labels in the query pdb (#​20340) (f762fd2), closes #​20340

v12.13.12

• [bitnami/thanos] Release 12.13.12 (#​20320) (71d96f9), closes #​20320

v12.13.11

• [bitnami/thanos] Release 12.13.11 (#​20194) (1071560), closes #​20194

v12.13.10

• [bitnami/thanos] Release 12.13.10 (#​20065) (ff73e64), closes #​20065

v12.13.9

• [bitnami/thanos] Release 12.13.9 (#​19988) (23fc196), closes #​19988

v12.13.8

• [bitnami/*] Update Helm charts prerequisites (#​19745) (eb755dd), closes #​19745
• [bitnami/thanos] Release 12.13.8 (#​19944) (0b59eb2), closes #​19944

v12.13.7

• [bitnami/thanos] Release 12.13.7 (#​19753) (b2abc7a), closes #​19753

v12.13.6

• [bitnami/thanos] Use common capabilities for PSP (#​19641) (3bcbd9a), closes #​19641

v12.13.5

• [bitnami/thanos] Release 12.13.5 (#​19432) (9a0c3f9), closes #​19432
• Revert "Autogenerate schema files (#​19194)" (#​19335) (73d80be), closes #​19194 #​19335

v12.13.4

• [bitnami/thanos] Fix line break issue with serviceMonitor selector labels (#​19286) (c4e23e0), closes #​19286
• Autogenerate schema files (#​19194) (a2c2090), closes #​19194

v12.13.3

• [bitnami/thanos]: Use merge helper (#​19119) (9f4fe77), closes #​19119

v12.13.2

• [bitnami/thanos] Release 12.13.2 (#​19134) (fe00bbb), closes #​19134

v12.13.1

• [bitnami/*] Rename VMware Application Catalog (#​20361) (3acc734), closes #​20361
• [bitnami/*] Skip image's tag in the README files of the Bitnami Charts (#​19841) (bb9a01b), closes #​19841
• [bitnami/*] Standardize documentation (#​19835) (af5f753), closes #​19835
• [bitnami/thanos] Fix dup common labels in the query pdb (#​20340) (f762fd2), closes #​20340

v12.13.0

• bitnami/thanos enable custom secretName for query.ingress and query.ingress.grpc (#​18409) (c78083c), closes #​18409

v12.12.1

• [bitnami/thanos] Release 12.12.1 (#​18915) (3edf0a1), closes #​18915

v12.12.0

• [bitnami/thanos] Support for customizing standard labels (#​18756) (065a727), closes #​18756

v12.11.4

• [bitnami/thanos] thanos/receive/ingress.yaml: support custom portName on extraHosts (#​17173) (d81bc2c), closes #​17173

v12.11.3

• [bitnami/thanos] Release 12.11.3 ([#​1882

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.0.0

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -498,8 +719,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +735,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +771,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +835,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +867,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +897,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +909,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +921,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +933,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +945,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +957,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +969,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +981,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.0.2

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.0.3

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r2
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r2
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r2
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r2
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.0.4

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.0.5

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.1.0

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.1.1

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.1.2

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.1.3

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.2.1

@@ -1,71 +1,266 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query-frontend/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query-frontend
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 9090
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/receive/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-receive
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: receive
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: receive
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10902
+        - port: 10901
+        - port: 10901
+        - port: 19291
+        - port: 19291
+---
+# Source: thanos/templates/ruler/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-ruler
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: ruler
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: ruler
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +270,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +279,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +295,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +304,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +319,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +328,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +344,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +353,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +374,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +383,32 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +417,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +499,32 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +533,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +621,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +654,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +691,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +720,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +736,34 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
       annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +772,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.34.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +836,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 1024Mi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -625,11 +868,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +898,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +910,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +922,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +934,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +946,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +958,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +970,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +982,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.7.28

@@ -1,71 +1,236 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/bucketweb/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-bucketweb
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+---
+# Source: thanos/templates/query/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-query
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+---
+# Source: thanos/templates/storegateway/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-storegateway
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +240,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +249,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +265,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +274,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +289,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +298,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +314,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +323,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +344,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +353,31 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +386,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +468,31 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +501,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +589,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +622,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +659,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +688,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +704,33 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +739,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +803,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -611,7 +821,9 @@
           secret:
             secretName: thanos-objstore
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -625,11 +837,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +867,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +879,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +891,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +903,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +915,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +927,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +939,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +951,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.7.29

@@ -1,71 +1,236 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/bucketweb/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-bucketweb
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+---
+# Source: thanos/templates/query/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-query
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+---
+# Source: thanos/templates/storegateway/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-storegateway
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +240,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +249,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +265,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +274,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +289,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +298,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +314,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +323,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +344,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +353,31 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +386,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +468,31 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +501,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +589,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +622,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +659,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +688,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +704,33 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +739,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +803,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -611,7 +821,9 @@
           secret:
             secretName: thanos-objstore
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -625,11 +837,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +867,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +879,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +891,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +903,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +915,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +927,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +939,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +951,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.8.0

@@ -1,71 +1,236 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/bucketweb/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-bucketweb
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+---
+# Source: thanos/templates/query/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-query
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+---
+# Source: thanos/templates/storegateway/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-storegateway
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +240,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +249,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +265,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +274,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +289,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +298,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +314,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +323,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +344,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +353,31 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +386,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +468,31 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +501,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +589,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +622,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +659,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +688,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +704,33 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +739,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +803,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -611,7 +821,9 @@
           secret:
             secretName: thanos-objstore
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -625,11 +837,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +867,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +879,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +891,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +903,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +915,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +927,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +939,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +951,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.8.1

@@ -1,71 +1,236 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/bucketweb/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-bucketweb
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+---
+# Source: thanos/templates/query/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-query
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+---
+# Source: thanos/templates/storegateway/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-storegateway
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +240,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +249,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +265,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +274,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +289,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +298,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +314,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +323,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +344,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +353,31 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +386,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r5
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +468,31 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +501,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r5
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +589,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +622,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r5
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +659,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +688,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +704,33 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +739,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.36.1-debian-12-r5
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +803,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -611,7 +821,9 @@
           secret:
             secretName: thanos-objstore
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -625,11 +837,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +867,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +879,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +891,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +903,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +915,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +927,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +939,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +951,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.8.2

@@ -1,71 +1,236 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/bucketweb/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-bucketweb
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+---
+# Source: thanos/templates/query/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-query
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+---
+# Source: thanos/templates/storegateway/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-storegateway
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +240,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +249,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +265,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +274,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +289,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +298,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +314,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +323,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +344,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +353,31 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +386,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.0-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +468,31 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +501,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.0-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +589,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +622,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.0-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +659,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +688,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +704,33 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +739,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.0-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +803,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -611,7 +821,9 @@
           secret:
             secretName: thanos-objstore
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -625,11 +837,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +867,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +879,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +891,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +903,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +915,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +927,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +939,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +951,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.8.3

@@ -1,71 +1,236 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/bucketweb/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-bucketweb
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+---
+# Source: thanos/templates/query/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-query
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+---
+# Source: thanos/templates/storegateway/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-storegateway
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +240,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +249,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +265,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +274,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +289,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +298,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +314,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +323,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +344,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +353,31 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +386,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +468,31 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +501,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +589,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +622,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +659,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +688,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +704,33 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +739,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.0-debian-12-r1
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +803,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -611,7 +821,9 @@
           secret:
             secretName: thanos-objstore
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -625,11 +837,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +867,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +879,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +891,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +903,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +915,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +927,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +939,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +951,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.8.4

@@ -1,71 +1,236 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/bucketweb/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-bucketweb
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+---
+# Source: thanos/templates/query/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-query
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+---
+# Source: thanos/templates/storegateway/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-storegateway
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +240,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +249,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +265,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +274,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +289,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +298,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +314,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +323,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +344,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +353,31 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +386,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.1-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +468,31 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +501,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.1-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +589,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +622,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.1-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +659,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +688,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +704,33 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +739,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.1-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +803,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -611,7 +821,9 @@
           secret:
             secretName: thanos-objstore
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -625,11 +837,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +867,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +879,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +891,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +903,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +915,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +927,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +939,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +951,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'

[github-actions]

Path: cluster/core/monitoring/thanos/helm-release.yaml
Version: 11.5.5 -> 15.8.5

@@ -1,71 +1,236 @@
+# Source: thanos/templates/bucketweb/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-bucketweb
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 8080
+        - port: 8080
+---
+# Source: thanos/templates/compactor/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-compactor
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: compactor
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: compactor
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+---
+# Source: thanos/templates/query/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-query
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 10901
+        - port: 9090
+        - port: 10901
+---
+# Source: thanos/templates/storegateway/networkpolicy.yaml
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: thanos-storegateway
+  namespace: "default"
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - {}
+  ingress:
+    - ports:
+        - port: 10902
+        - port: 9090
+        - port: 10901
+        - port: 10901
+---
+# Source: thanos/templates/bucketweb/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-bucketweb
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: bucketweb
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: bucketweb
+---
+# Source: thanos/templates/query/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-query
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: query
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: query
+---
+# Source: thanos/templates/storegateway/pdb.yaml
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: thanos-storegateway
+  namespace: default
+  labels:
+    app.kubernetes.io/instance: thanos
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
+    app.kubernetes.io/component: storegateway
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
+      app.kubernetes.io/component: storegateway
+---
 # Source: thanos/templates/bucketweb/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/compactor/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/query/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/storegateway/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
-  annotations:
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 ---
 # Source: thanos/templates/bucketweb/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -75,8 +240,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 ---
 # Source: thanos/templates/compactor/service.yaml
@@ -84,13 +249,13 @@
 kind: Service
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -100,8 +265,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 ---
 # Source: thanos/templates/query/service-grpc.yaml
@@ -109,13 +274,12 @@
 kind: Service
 metadata:
   name: thanos-query-grpc
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -125,8 +289,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/query/service.yaml
@@ -134,13 +298,13 @@
 kind: Service
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
-  annotations:
+    prometheus-operator/monitor: 'true'
 spec:
   type: ClusterIP
   ports:
@@ -150,8 +314,8 @@
       name: http
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 ---
 # Source: thanos/templates/storegateway/service.yaml
@@ -159,14 +323,13 @@
 kind: Service
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
     prometheus-operator/monitor: 'true'
-  annotations:
 spec:
   type: ClusterIP
   ports:
@@ -181,8 +344,8 @@
       name: grpc
       nodePort: null
   selector:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 ---
 # Source: thanos/templates/bucketweb/deployment.yaml
@@ -190,32 +353,31 @@
 kind: Deployment
 metadata:
   name: thanos-bucketweb
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: bucketweb
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-bucketweb
+      serviceAccountName: thanos-bucketweb
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -224,25 +386,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: bucketweb
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: bucketweb
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.1-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - tools
             - bucket
@@ -297,32 +468,31 @@
 kind: Deployment
 metadata:
   name: thanos-compactor
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: Recreate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: compactor
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-compactor
+      serviceAccountName: thanos-compactor
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -331,25 +501,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: compactor
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: compactor
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.1-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - compact
             - --log.level=info
@@ -410,30 +589,31 @@
 kind: Deployment
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   strategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: query
     spec:
-      serviceAccount: thanos-query
+      serviceAccountName: thanos-query
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -442,25 +622,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: query
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: query
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.1-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - query
             - --log.level=info
@@ -470,6 +659,7 @@
             - --query.replica-label=replica
             - --endpoint=dnssrv+_grpc._tcp.prometheus-thanos-discovery.monitoring.svc.cluster.local
             - --endpoint=dnssrv+_grpc._tcp.thanos-storegateway.default.svc.cluster.local
+            - --alert.query-url=http://thanos-query.default.svc.cluster.local:9090
           ports:
             - name: http
               containerPort: 10902
@@ -498,8 +688,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
       volumes:
 ---
@@ -508,34 +704,33 @@
 kind: StatefulSet
 metadata:
   name: thanos-storegateway
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   replicas: 1
+  revisionHistoryLimit: 10
   podManagementPolicy: OrderedReady
   serviceName: thanos-storegateway-headless
   updateStrategy:
     type: RollingUpdate
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
   template:
     metadata:
       labels:
-        app.kubernetes.io/name: thanos
         app.kubernetes.io/instance: thanos
         app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: thanos
         app.kubernetes.io/component: storegateway
-      annotations:
-        checksum/objstore-configuration: 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
     spec:
-      serviceAccount: thanos-storegateway
+      serviceAccountName: thanos-storegateway
       automountServiceAccountToken: true
       affinity:
         podAffinity:
@@ -544,25 +739,34 @@
             - podAffinityTerm:
                 labelSelector:
                   matchLabels:
-                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/instance: thanos
+                    app.kubernetes.io/name: thanos
                     app.kubernetes.io/component: storegateway
-                namespaces:
-                  - "default"
                 topologyKey: kubernetes.io/hostname
               weight: 1
         nodeAffinity:
       securityContext:
         fsGroup: 1001
+        fsGroupChangePolicy: Always
+        supplementalGroups: []
+        sysctls: []
       containers:
         - name: storegateway
-          image: public.ecr.aws/bitnami/thanos:0.28.1-scratch-r0
+          image: public.ecr.aws/bitnami/thanos:0.37.1-debian-12-r0
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
             readOnlyRootFilesystem: true
+            runAsGroup: 1001
             runAsNonRoot: true
             runAsUser: 1001
+            seLinuxOptions: {}
+            seccompProfile:
+              type: RuntimeDefault
           args:
             - store
             - --log.level=info
@@ -599,8 +803,14 @@
               port: http
               scheme: HTTP
           resources:
-            limits: {}
-            requests: {}
+            limits:
+              cpu: 150m
+              ephemeral-storage: 2Gi
+              memory: 192Mi
+            requests:
+              cpu: 100m
+              ephemeral-storage: 50Mi
+              memory: 128Mi
           volumeMounts:
             - name: objstore-config
               mountPath: /conf
@@ -611,7 +821,9 @@
           secret:
             secretName: thanos-objstore
   volumeClaimTemplates:
-    - metadata:
+    - apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
         name: data
       spec:
         accessModes:
@@ -625,11 +837,11 @@
 kind: Ingress
 metadata:
   name: thanos-query
-  namespace: "default"
+  namespace: default
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
   annotations:
     app: thanos
@@ -655,9 +867,9 @@
   name: thanos-bucketweb
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: bucketweb
 spec:
   endpoints:
@@ -667,9 +879,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: bucketweb
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/compactor/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -678,9 +891,9 @@
   name: thanos-compactor
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: compactor
 spec:
   endpoints:
@@ -690,9 +903,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: compactor
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/query/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -701,9 +915,9 @@
   name: thanos-query
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: query
 spec:
   endpoints:
@@ -713,9 +927,10 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: query
+      prometheus-operator/monitor: 'true'
 ---
 # Source: thanos/templates/storegateway/servicemonitor.yaml
 apiVersion: monitoring.coreos.com/v1
@@ -724,9 +939,9 @@
   name: thanos-storegateway
   namespace: "default"
   labels:
-    app.kubernetes.io/name: thanos
     app.kubernetes.io/instance: thanos
     app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: thanos
     app.kubernetes.io/component: storegateway
 spec:
   endpoints:
@@ -736,6 +951,7 @@
       - "default"
   selector:
     matchLabels:
-      app.kubernetes.io/name: thanos
       app.kubernetes.io/instance: thanos
+      app.kubernetes.io/name: thanos
       app.kubernetes.io/component: storegateway
+      prometheus-operator/monitor: 'true'