diff --git a/CHANGELOG.md b/CHANGELOG.md
index 934f12ac8bf3953bbc6fe90f56e57c58f38e883b..2043f476033f5436b0f6be67dad136651473a513 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,9 +3,11 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ---
-## [5.5.1-bb.6] - 2025-02-20
+<<<<<<< CHANGELOG.md
+## [5.5.1-bb.6] 2025-02-26
 ### Changed
 
+- Added pre-upgrade job to remove MinIO Tenant Pool prior to upgrade
 - Set `.Values.nginx.enabled` to `false` as this is deprecated in favor of `gateway`
 
 ## [5.5.1-bb.5] - 2025-02-14
diff --git a/README.md b/README.md
index b855641232101a1c8249c16b2c57e81d9195d70a..bcc2bd43a8e3aebd99afee2fb2dc90e75ba30cc4 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,15 @@ helm install mimir chart/
 | istio.enabled | bool | `false` | Toggle istio configuration |
 | istio.hardened | object | `{"alloy":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-alloy"]},"customAuthorizationPolicies":[],"customServiceEntries":[],"enabled":false,"grafana":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-grafana"]},"minio":{"enabled":true},"minioOperator":{"enabled":true,"namespaces":["minio-operator"],"principals":["cluster.local/ns/minio-operator/sa/minio-operator"]},"outboundTrafficPolicyMode":"REGISTRY_ONLY","prometheus":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-prometheus"]}}` | Default peer authentication values |
 | istio.mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic |
+| upgradeJob.enabled | bool | `true` |  |
+| upgradeJob.name | string | `"mimir-upgrade-job"` |  |
+| upgradeJob.image.repository | string | `"registry1.dso.mil/ironbank/big-bang/base"` | image repository for upgradeJob |
+| upgradeJob.image.tag | string | `"2.1.0"` | image tag for upgradeJob |
+| upgradeJob.image.imagePullPolicy | string | `"IfNotPresent"` |  |
+| upgradeJob.image.pullSecrets | string | `"private-registry"` |  |
+| upgradeJob.serviceAccount | string | `"upgrade-job-svc-account"` |  |
+| upgradeJob.role | string | `"upgrade-role"` |  |
+| upgradeJob.roleBinding | string | `"upgrade-rolebinding"` |  |
 | bbtests.enabled | bool | `false` |  |
 | bbtests.cypress.enabled | bool | `true` |  |
 | bbtests.cypress.artifacts | bool | `true` |  |
diff --git a/chart/templates/bigbang/upgrade/_helpers.tpl b/chart/templates/bigbang/upgrade/_helpers.tpl
new file mode 100644
index 0000000000000000000000000000000000000000..c97114d5270acf29e3bef2d33f303ae0c27afcc1
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/_helpers.tpl
@@ -0,0 +1,13 @@
+{{- define "mimir.shouldDeployUpgradeResources" -}}
+{{/* Define upgradeVersion inside the template so it's available when the template is used */}}
+{{- $upgradeVersion := "5.5.1-bb.5" -}}
+{{- if and .Release.IsUpgrade (index .Values "minio-tenant" "enabled") .Values.upgradeJob.enabled -}}
+  {{- $helmRelease := lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "bigbang" "mimir" -}}
+  {{- if $helmRelease -}}
+    {{- $currentVersion := index $helmRelease.status.history 0 "chartVersion" -}}
+    {{- if semverCompare (print "<" $upgradeVersion) $currentVersion -}}
+true
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/job.yaml b/chart/templates/bigbang/upgrade/job.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9392fa512d5204ad452758a9a452810931a62207
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/job.yaml
@@ -0,0 +1,98 @@
+{{- if eq (include "mimir.shouldDeployUpgradeResources" .) "true" }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Values.upgradeJob.name }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "0"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+spec:
+  template:
+    metadata:
+    spec:
+      automountServiceAccountToken: true
+      imagePullSecrets:
+        - name: {{ .Values.upgradeJob.image.pullSecrets }}
+      serviceAccountName: {{ .Values.upgradeJob.serviceAccount }}
+      containers:
+      - name: {{ .Values.upgradeJob.name }}
+        image: {{ .Values.upgradeJob.image.repository }}:{{ .Values.upgradeJob.image.tag }}
+        imagePullPolicy: {{ .Values.upgradeJob.image.imagePullPolicy }}
+        command:
+        - "/bin/bash"
+        - "-c"
+        - |
+          set -e  # Exit on first error
+          trap 'echo "Error occurred at line $LINENO"; exit 1' ERR
+
+          # Step 1: Delete the tenant
+          echo "Deleting tenant 'mimir-mimir-minio-tenant' in namespace 'mimir'..."
+          kubectl delete tenant mimir-mimir-minio-tenant -n mimir  || {
+              echo "Tenant deletion failed or was already deleted.";
+              exit 1;
+          }
+
+          # Step 2: Remove finalizers from all matching PVs
+          echo "Removing finalizers from Persistent Volumes..."
+
+          # Create an array to hold PV names that will be patched
+          pv_list=()
+
+          kubectl get pv -o json | jq -r '
+          .items[] | 
+          select(.spec.claimRef.namespace=="mimir" and (.spec.claimRef.name | test("^data[0-9]-mimir-mimir-minio-tenant-pool-.*"))) | 
+          .metadata.name' | while read -r pv; do
+              echo "Patching PV: $pv"
+              kubectl patch pv "$pv" --type=json -p '[{"op": "remove", "path": "/metadata/finalizers"}]' || {
+                  echo "Failed to remove finalizer from PV: $pv";
+                  exit 1;
+              }
+              
+              # If patching is successful, add PV to the list for deletion later
+              pv_list+=("$pv")
+          done
+
+          # Step 3: Delete all matching PVs
+          echo "Deleting Persistent Volumes..."
+          for pv in "${pv_list[@]}"; do
+              echo "Deleting PV: $pv"
+              kubectl delete pv "$pv" || {
+                  echo "Failed to delete PV: $pv";
+                  exit 1;
+              }
+          done
+
+          # Step 4: Delete all PVCs that contain 'data*-mimir*' in their name
+          echo "Deleting Persistent Volume Claims (PVCs) that match 'data*-mimir*'..."
+
+          kubectl get pvc -n mimir -o json | jq -r '
+          .items[] | 
+          select(.metadata.name | test("data.*-mimir.*")) | 
+          .metadata.name' | while read -r pvc; do
+              echo "Deleting PVC: $pvc"
+              kubectl delete pvc "$pvc" -n mimir || {
+                  echo "Failed to delete PVC: $pvc";
+                  exit 1;
+              }
+          done
+
+          echo "MinIO Tenant Cleanup completed!"
+
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 100m
+            memory: 256Mi
+        securityContext:
+          capabilities:
+            drop: ["ALL"]
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+      restartPolicy: Never
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/networkPolicy.yaml b/chart/templates/bigbang/upgrade/networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..30824449a7f2d2d213a44f9b372059c5bad2893a
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/networkPolicy.yaml
@@ -0,0 +1,28 @@
+{{- if eq (include "mimir.shouldDeployUpgradeResources" .) "true" }}
+  {{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: api-egress-upgrade-job
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+spec:
+  egress:
+  - to:
+    - ipBlock:
+        cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+        {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+        # ONLY Block requests to AWS metadata IP
+        except:
+        - 169.254.169.254/32
+        {{- end }}
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ .Values.upgradeJob.name }}
+  policyTypes:
+  - Egress
+  {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/role.yaml b/chart/templates/bigbang/upgrade/role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5c69cfb626c9de2aa628d500c60023844337609d
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/role.yaml
@@ -0,0 +1,15 @@
+{{- if include "mimir.shouldDeployUpgradeResources" . }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.upgradeJob.role }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+rules:
+- apiGroups: ["minio.min.io",""]
+  resources: ["tenants","persistentvolumeclaims","persistentvolumes"]
+  verbs: ["get", "list", "delete"]
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/roleBinding.yaml b/chart/templates/bigbang/upgrade/roleBinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6b28782bf594553d59c2d73f34474723edf97119
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/roleBinding.yaml
@@ -0,0 +1,19 @@
+{{- if include "mimir.shouldDeployUpgradeResources" . }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.upgradeJob.roleBinding }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.upgradeJob.role }}
+subjects:
+- kind: ServiceAccount
+  name: {{ .Values.upgradeJob.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/serviceAccount.yaml b/chart/templates/bigbang/upgrade/serviceAccount.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e8b59370946eb22e8983688413c4b2c82a37491a
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/serviceAccount.yaml
@@ -0,0 +1,11 @@
+{{- if include "mimir.shouldDeployUpgradeResources" . }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.upgradeJob.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+{{- end }}
\ No newline at end of file
diff --git a/chart/values.yaml b/chart/values.yaml
index 748ae099003838c370630e7bdb779a155553c157..2f61edab3407eeda516df37a1bb081ba501216f0 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -219,6 +219,20 @@ istio:
     # PERMISSIVE = Allow both plain text and mutual TLS traffic
     mode: STRICT
 
+upgradeJob:
+  enabled: true
+  name: mimir-upgrade-job
+  image:
+    # -- image repository for upgradeJob
+    repository: registry1.dso.mil/ironbank/big-bang/base
+    # -- image tag for upgradeJob
+    tag: 2.1.0
+    imagePullPolicy: IfNotPresent
+    pullSecrets: private-registry
+  serviceAccount: upgrade-job-svc-account
+  role: upgrade-role
+  roleBinding: upgrade-rolebinding
+
 bbtests:
   enabled: false
   cypress: