UNCLASSIFIED - NO CUI

tempo update to 1.23.3-bb.1

Package Merge Request

Package Changes

https://repo1.dso.mil/big-bang/product/packages/tempo/-/blob/1.23.3-bb.1/CHANGELOG.md

Package MR

big-bang/product/packages/tempo!191 (merged)

For Issue

Closes (big-bang/product/packages/tempo#128)

Upgrade Notices

Tempo is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

During this process the network policy allowing access to Authservice has been removed as it is no longer needed. A previously undiscovered bug that was allowing all TCP traffic from Grafana to Tempo has also been fixed so it now only allows traffic from Grafana to Tempo on TCP port 3200.

There is also a new reusable rule that has been created in the umbrella template for storage-subnets that allows users to configure access to external storage CIDRs via the values.yaml file. By default, this network policy is wide open as there is no way to know the CIDRs in advance. However, if you are using AWS, you can retrieve this data by executing the following command:

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="S3") | select(.region=="us-gov-east-1") | .ip_prefix'

Note

Make sure to update the region in the above command to match the region you are using in AWS.

Once the CIDRs are retrieved, you can update the values.yaml accordingly, as shown in the example below, to restrict access further:

networkPolicies:
  enabled: true
  egress:
    definitions:
      storage-subnets:
        to:
          - ipBlock:
              cidr: "108.175.52.0/22"
          - ipBlock:
              cidr: "108.175.60.0/22"
          - ipBlock:
              cidr: "18.252.145.192/28"
          - ipBlock:
              cidr: "18.252.145.208/28"

Note

This network policy for Tempo is only enabled if the storage backend is anything other than local (the default setting).

Edited by Jimmy Bourque
