Releases: grafana/tempo-operator
Release v0.13.0
🧰 Bug fixes 🧰
operator
: Fix service account for monitoring-view cluster role binding when using oauth proxy. (#1016)tempostack
: Fix setting annotations for Gateway route (#1014)tempostack, tempomonolithic
: Fix infinite reconciliation on OpenShift when route for Jaeger UI is enabled. (#1018)tempostack, tempomonolithic
: Cleanup instance metrics from the operator on instance delete action. (#1019)
Components
- Tempo: v2.5.0
Release v0.12.0
💡 Enhancements 💡
-
tempostack, tempomonolithic
: Add support for AWS S3 STS authentication. (#978)
Now storage secret for S3 can containdata: bucket: # Bucket name region: # A valid AWS region, e.g. us-east-1 role_arn: # The AWS IAM Role associated with a trust relationship to Tempo serviceaccount
-
tempostack
: Use TLS via OpenShift service annotation when gateway/multitenancy is disabled (#963)
On OpenShift when operator configservingCertsService
is enabled and the following TempoStack CR is used.
The operator provisions OpenShift serving certificates for the distributor ingest APIsapiVersion: tempo.grafana.com/v1alpha1 kind: TempoStack spec: template: distributor: tls: enabled: true
No
certName
andcaName
should be provided, If you specify it, those will be used instead.In order to use this on the client side, the openshift CA certificate should be used, there are two ways of get
access to it. You can mount the configmap generated by the operator, which will have the name<tempostack-name>-serving-cabundle
Or you can access to it onvar/run/secrets/kubernetes.io/serviceaccount/service-ca.crt
.An example of OTel configuration used:
exporters: otlp: endpoint: tempo-simplest-distributor.chainsaw-tls-singletenant.svc.cluster.local:4317 tls: insecure: false ca_file: "/var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt"
-
tempomonolithic
: Use TLS via OpenShift service annotation when gateway/multitenancy is disabled (monolithic) (#963)
On OpenShift when operator configservingCertsService
is enabled and the following TempoMonolithic CR is used.
The operator provisions OpenShift serving certificates for the distributor ingest APIsapiVersion: tempo.grafana.com/v1alpha1 kind: TempoMonolithic spec: ingestion: otlp: grpc: tls: enabled: true
or
apiVersion: tempo.grafana.com/v1alpha1 kind: TempoMonolithic spec: ingestion: otlp: http: tls: enabled: true
No
certName
andcaName
should be provided, If you specify it, those will be used instead. -
tempostack, tempomonolithic
: Bump observatorium gateway, (#991)
In this version upstream certs and CA are reloaded if changed
🧰 Bug fixes 🧰
tempostack, tempomonolithic
: Allow configmaps and secrets with dot in the name (as it is valid for those objects to have dots as part of it's name) (#983)tempostack
: Assign correct replicas in gateway component if it is specified in the CR, default is 1 if not set (#993)tempomonolithic
: Allow create a monolithic with tls enabled on both grpc/http (#976)
Components
- Tempo: v2.5.0
Release v0.11.1
🧰 Bug fixes 🧰
-
operator
: Avoid certificate prompt when accessing UI via gateway (#967) -
operator
: Modify SA annotations managed by the operator, preserve others. (#970)
This prevents other controllers that modified the SA from create an infinite loop where the other controller modifies something,
and tempo-operator removes it, the other controller detect the changes and add its and so on and so on.This is specific for OpenShift case, where the openshift-controller-manager annotates the SA with
openshift.io/internal-registry-pull-secret-ref.See openshift/openshift-controller-manager#288 and
https://docs.openshift.com/container-platform/4.16/release_notes/ocp-4-16-release-notes.html section about
"Legacy service account API token secrets are no longer generated for each service account"
Components
- Tempo: v2.5.0
Release v0.11.0
🛑 Breaking changes 🛑
operator
: Update Tempo to 2.5.0 (#958)
Upstream Tempo 2.5.0 image switched user fromroot
totempo
(10001:10001) and ownership of/var/tempo
.
Therefore ingester's/var/tempo/wal
created by previous deployment using Tempo 2.4.1 needs to be updated and
changed ownership. The operator upgrades the/var/tempo
ownership by deploying ajob
withsecurityContext.runAsUser(0)
and it runschown -R /var/tempo 10001:10001
.
💡 Enhancements 💡
operator
: Enable OTLP HTTP on Gateway by default. (#948)operator
: Use golang 1.22 to build the operator (#959)operator
: Make configurable availability of the service names in Tempo monolithic (#942)operator
: Add oauth-proxy support for tempo monolithic (#922)operator
: Protect Jaeger UI when multi tenancy is disabled. (#909)
Components
- Tempo: v2.5.0
Release v0.10.0
🛑 Breaking changes 🛑
operator
: TempoMonolithic: Splittempo-<name>
service intotempo-<name>
andtempo-<name>-jaegerui
(#846)
💡 Enhancements 💡
-
operator
: Add the ability to configure an expiration time for jaeger UI services (#904) -
operator
: Prevent creation of TempoStack and TempoMonolithic with same name (#879) -
operator
: Bump tempo version to 2.4.1 (#901) -
operator
: Add storage and managed operands gauge metric to the operator metrics. (#838) -
operator
: Support Grafana instances in a different namespace (#840) -
operator
: Support custom ServiceAccount in TempoMonolithic CR (#836) -
operator
: Enable internal server for health checks in TempoMonolithic CR (#847) -
operator
: Support multi-tenancy in TempoMonolithic CR (#816) -
operator
: Support TLS Profile in TempoMonolithic CR (#862) -
operator
: Support upgrading TempoMonolithic CR (#850)
The metric seriestempooperator_upgrades_total{state="up-to-date"}
was removed.
A new labelkind
(TempoStack
orTempoMonolithic
) was added totempooperator_upgrades_total{}
. -
operator
: Updating Operator-sdk to 1.32 (#717) -
operator
: Add security context to tempo-query container (#864)
🧰 Bug fixes 🧰
operator
: Fix parsing ofnodeSelector
,tolerations
andaffinity
in TempoMonolithic CR (#867)
Components
- Tempo: v2.4.1
Release v0.9.0
💡 Enhancements 💡
operator
: Kubernetes 1.29 enablement (#735)operator
: Allow resource limits/requests override per component (#726)operator
: Support creating ServiceMonitors, PrometheusRules and Grafana Data Sources in TempoMonolithic CR (#793)operator
: Support scheduling rules (nodeSelector, tolerations and affinity) in TempoMonolithic CR (#782)operator
: Expose operand status in TempoMonolithic CR (#787)
🧰 Bug fixes 🧰
operator
: Fix infinite reconciliation of serving CA Bundle ConfigMap (#818)
Components
- Tempo: v2.3.1
Release v0.8.0
💡 Enhancements 💡
-
operator
: Make Tempo-Query forwarding on gateway optional (#628) -
operator
: Support monolithic deployment mode (#710)The operator exposes a new CRD
TempoMonolithic
, which manages a Tempo instance in monolithic mode.
The monolithic mode supports the following additional storage backends: in-memory and file system (persistent volume).
🧰 Bug fixes 🧰
operator
: Fix the cluster-monitoring-view RBAC when operator is deployed in arbitrary namespace (#741)operator
: NIL pointer dereference when OIDC not specified for tenants in static mode (#647)
Components
- Tempo: v2.3.1
Release v0.7.0
💡 Enhancements 💡
operator
: Divide assigned limits with replicas (#721)operator
: Allow override arbitrary tempo configurations (#629)operator
: Create Grafana Tempo Operator datasource (#423)operator
: Add .spec.hashRing.memberlist.enableIPv6 option to enable IPv6 support (#704)operator
: Propagating proxy env vars to component containers (#700)operator
: Upgrade tempo to v2.3.1 (#729)
🧰 Bug fixes 🧰
operator
: Configure the number of replicas for compactor, querier and query-frontend according to the CR (#712)
Components
- Tempo: v2.3.1
Release v0.6.0
🛑 Breaking changes 🛑
operator
: Move default images from operator configuration to environment variable (#591)operator
: Unset (default) images in TempoStack CR (#674)
This upgrade reverts any change to thespec.images
fields of any TempoStack instance.
Beginning with version 0.6.0, the image location is not stored in the TempoStack instance unless it is changed manually.
💡 Enhancements 💡
operator
: Support configuration of TLS in receiver settings (#527)operator
: Exposing the Tempo API through the gateway (#672)operator
: Reduce log level of certrotation messages (#623)operator
: Upgrade tempo to v2.3.0 (#688)
🧰 Bug fixes 🧰
gateway
: fix CVE-2023-45142 tempo-gateway-container: opentelemetry: DoS vulnerability in otelhttp (#691)
Components
- Tempo: v2.3.0
Release v0.5.0
🛑 Breaking changes 🛑
operator
: Install operator in tempo-operator-system namespace by default when installed with OLM or manifests of the OpenShift variant (#538)
💡 Enhancements 💡
operator
: Bump tempo version to 2.2.3 (#646)operands
: Bump operands to fix CVE-2023-39325 (#650)operator
: Expose the OTLP HTTP port in the distributor service. (#610)operator
: Add pprof flag to optionally expose pprof data (#242)operator
: Use tempo service account to query metrics from OpenShift monitoring stack. (#526)
On OpenShift tempo service account is used to query metrics from OpenShift monitoring stack for the monitor tab.operator
: Support setting a custom CA certificate for S3 object storage (#545)operator
: Enable ingress (or route) in samples, add MinLength validation to .spec.storage.secret.name of the TempoStack CR (#541)operator
: Support monitor tab in Jaeger console (#470)operator
: Explicitly specify log level for all components. (#550)operator
: Support Tempo 2.2.0 (#525)
🧰 Bug fixes 🧰
operator
: Fix ingester StatefulSet reconciliation if ingester is in an unhealthy state (#597)operator
: Enable mTLS for all components except query-frontend. (#561)
Only enable mTLS for query-frontend when the gateway is enabled.operator
: Fix for Http2 reset vulnerability CVE-2023-39325 (#642)operator
: Upgrade TempoStack instances once they are switched back from Unmanaged to Managed (#478)
Components
- Tempo: v2.2.3