Mimir (Metrics Storage)
Namespace: mimir | Chart: grafana/mimir-distributed | Manifests: infrastructure/monitoring/mimir/
Configured from the small.yaml reference profile. See Grafana docs and the small.yaml reference.
Deployment Mode
Distributed — same reasoning as Loki: independent scaling per component.
Key components and their sizing:
| Component | Replicas | Memory limit |
|---|---|---|
| Ingester | 3 | 12Gi |
| Distributor | 2 | 5.7Gi |
| Querier | 1 | 5.6Gi |
| Query Frontend | 1 | 2.8Gi |
| Store Gateway | 3 | 2.1Gi |
| Compactor | 1 | 2.1Gi |
| Alertmanager | 2 | 1.4Gi (deployed by chart, not actively used) |
| Ruler | 1 | 2.8Gi (deployed by chart, not actively used) |
Key Config Choices
- minio.enabled: false — using Garage instead of the bundled MinIO
- Zone-aware replication for ingesters and store-gateways uses kubernetes.io/hostname as the topology key, spreading replicas across nodes
- Caches (chunks, index, metadata, results) all enabled with 3 replicas — avoids repeated S3 fetches on repeated queries, significantly reduces read latency
- Kafka persistence uses ssd-replicated-retain (20Gi) for write-ahead durability
Storage
Three separate S3 buckets in Garage: blocks, alertmanager, ruler. Each gets its own COSI BucketClaim/BucketAccess, and the mimir-s3-setup Job merges all credentials into a single mimir-s3-credentials secret. See overview — COSI pattern.
Ingesters (50Gi), store-gateways (10Gi), and compactor (20Gi) also have persistent volumes for local working data.
Networking
Alloy remote-writes to mimir-gateway. Grafana queries via the same gateway. The X-Scope-OrgID: anonymous header must be sent on every request because Mimir requires a tenant ID even in effectively-single-tenant mode.
Istio AuthorizationPolicies:
- allow-intra-namespace — Mimir components talk to each other freely
- allow-alloy — alloy namespace can remote-write
- allow-grafana — grafana namespace can query
- allow-rollout-operator-webhook — kube-apiserver has no mesh identity (no SPIFFE cert) so it can't match namespace/principal rules; this policy targets port 8443 directly to allow admission webhook calls
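
A sketch of how three of these policies could be written, added here as an example and not taken from the manifests in infrastructure/monitoring/mimir/. The security.istio.io/v1 API version and the rollout-operator pod label are assumptions; the policy names, namespaces and port 8443 come from the list above.

```yaml
# Added example; not the repository's own manifests.
# Rules that match source.namespaces depend on mTLS, because the namespace
# is read from the caller's mesh identity.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-intra-namespace
  namespace: mimir
spec:                       # no selector: applies to every workload in mimir
  action: ALLOW
  rules:
    - from:
        - source:
            namespaces: ["mimir"]
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-alloy
  namespace: mimir
spec:
  action: ALLOW
  rules:
    - from:
        - source:
            namespaces: ["alloy"]
---
# kube-apiserver presents no mesh identity, so there is nothing for a
# `from` clause to match. The rule is scoped by workload selector and
# destination port instead.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: allow-rollout-operator-webhook
  namespace: mimir
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: rollout-operator   # assumed pod label
  action: ALLOW
  rules:
    - to:
        - operation:
            ports: ["8443"]
```

A rule with no `from` clause admits any caller that can reach port 8443, so the selector is what keeps this exception limited to the webhook pods instead of every workload in the namespace.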