apiVersion: v1
kind: Service
metadata: { name: prometheus, namespace: monitoring }
spec:
  ports: [{ port: 9090, targetPort: 9090 }]
  selector: { app: prometheus }
---
apiVersion: apps/v1
kind: StatefulSet
metadata: { name: prometheus, namespace: monitoring }
spec:
  serviceName: prometheus
  replicas: 1
  selector: { matchLabels: { app: prometheus } }
  template:
    metadata: { labels: { app: prometheus } }
    spec:
      nodeSelector: { node: hetzner-2 }
      containers:
      - name: prometheus
        image: prom/prometheus:v2.53.0
        args: ["--config.file=/etc/prometheus/prometheus.yml","--storage.tsdb.path=/prometheus"]
        ports: [{ containerPort: 9090 }]
        volumeMounts:
          - { name: data, mountPath: /prometheus }
          - { name: config, mountPath: /etc/prometheus }
      volumes:
        - { name: config, configMap: { name: prometheus-config } }
  volumeClaimTemplates:
  - metadata: { name: data }
    spec:
      accessModes: ["ReadWriteOnce"]
      storageClassName: local-ssd-hetzner
      resources: { requests: { storage: 50Gi } }
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: prometheus
  namespace: monitoring
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: basic-auth-prometheus
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx
  tls: [{ hosts: ["prometheus.betelgeusebytes.io"], secretName: prometheus-tls }]
  rules:
  - host: prometheus.betelgeusebytes.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend: { service: { name: prometheus, port: { number: 9090 } } }