Merge branch 'renovate/ironbank' into 'main'

Update Ironbank See merge request !144

Merge branch 'renovate/ironbank' into 'main'
02f5aa1e · Peter Sigur · 208c24dc · e7cc74f3 · 02f5aa1e · 02f5aa1e
Commit 02f5aa1e authored 2 months ago by Peter Sigur
--- a/.gitignore
+++ b/.gitignore
+.idea/
+
+.DS_Store
+
+# ignore developer specific files
+# (used frequently in deployments)
+patch.yaml
+notes
+ignore/*
+
+# Visual Studio Code
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+
+# Local History for Visual Studio Code
+.history/
+
+node_modules
+
+# Helm Docs
+*.gotmpl
\ No newline at end of file
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,18 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [1.16.0-bb.0] - 2024-12-31
+
+### Updated
+
+- Updated gluon: `0.5.9` -> `0.5.12`
+- Updated tempo: `2.5.0` -> `2.6.1`
+- Updated tempo-query: `2.5.0` -> `2.6.1`
+
+### Changed
+
+- Disabled tempo-query to match upstream and avoid breaking changes
+
 ## [1.11.0-bb.1] - 2024-12-18

 ### Added

--- a/README.md
+++ b/README.md
 <!-- Warning: Do not manually edit this file. See notes on gluon + helm-docs at the end of this file for more information. -->
 # tempo

-![Version: 1.11.0-bb.1](https://img.shields.io/badge/Version-1.11.0--bb.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.5.0](https://img.shields.io/badge/AppVersion-2.5.0-informational?style=flat-square) ![Maintenance Track: bb_integrated](https://img.shields.io/badge/Maintenance_Track-bb_integrated-green?style=flat-square)
+![Version: 1.16.0-bb.0](https://img.shields.io/badge/Version-1.16.0--bb.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.6.1](https://img.shields.io/badge/AppVersion-2.6.1-informational?style=flat-square) ![Maintenance Track: bb_integrated](https://img.shields.io/badge/Maintenance_Track-bb_integrated-green?style=flat-square)

 Grafana Tempo Single Binary Mode

@@ -50,7 +50,7 @@ helm install tempo chart/
 | labels | object | `{}` | labels for tempo |
 | annotations | object | `{}` | Annotations for the StatefulSet |
 | tempo.repository | string | `"registry1.dso.mil/ironbank/opensource/grafana/tempo"` | Docker image repository |
-| tempo.tag | string | `"2.5.0"` | Docker image tag |
+| tempo.tag | string | `"2.6.1"` | Docker image tag |
 | tempo.pullPolicy | string | `"IfNotPresent"` | Docker image pull policy |
 | tempo.updateStrategy | string | `"RollingUpdate"` |  |
 | tempo.resources.limits.cpu | string | `"500m"` |  |
@@ -69,6 +69,20 @@ helm install tempo chart/
 | tempo.global_overrides.per_tenant_override_config | string | `"/conf/overrides.yaml"` |  |
 | tempo.overrides | object | `{}` |  |
 | tempo.server.http_listen_port | int | `3100` | HTTP server listen port |
+| tempo.livenessProbe.httpGet.path | string | `"/ready"` |  |
+| tempo.livenessProbe.httpGet.port | int | `3100` |  |
+| tempo.livenessProbe.initialDelaySeconds | int | `30` |  |
+| tempo.livenessProbe.periodSeconds | int | `10` |  |
+| tempo.livenessProbe.timeoutSeconds | int | `5` |  |
+| tempo.livenessProbe.failureThreshold | int | `3` |  |
+| tempo.livenessProbe.successThreshold | int | `1` |  |
+| tempo.readinessProbe.httpGet.path | string | `"/ready"` |  |
+| tempo.readinessProbe.httpGet.port | int | `3100` |  |
+| tempo.readinessProbe.initialDelaySeconds | int | `20` |  |
+| tempo.readinessProbe.periodSeconds | int | `10` |  |
+| tempo.readinessProbe.timeoutSeconds | int | `5` |  |
+| tempo.readinessProbe.failureThreshold | int | `3` |  |
+| tempo.readinessProbe.successThreshold | int | `1` |  |
 | tempo.storage.trace.backend | string | `"local"` |  |
 | tempo.storage.trace.local.path | string | `"/var/tempo/traces"` |  |
 | tempo.storage.trace.wal.path | string | `"/var/tempo/wal"` |  |
@@ -87,9 +101,9 @@ helm install tempo chart/
 | tempo.extraVolumeMounts | list | `[]` | Volume mounts to add |
 | config | string | Dynamically generated tempo configmap | Tempo configuration file contents |
 | tempoQuery.repository | string | `"registry1.dso.mil/ironbank/opensource/grafana/tempo-query"` | Docker image repository |
-| tempoQuery.tag | string | `"2.5.0"` | Docker image tag |
+| tempoQuery.tag | string | `"2.6.1"` | Docker image tag |
 | tempoQuery.pullPolicy | string | `"IfNotPresent"` | Docker image pull policy |
-| tempoQuery.enabled | bool | `true` | if False the tempo-query container is not deployed |
+| tempoQuery.enabled | bool | `false` | if False the tempo-query container is not deployed |
 | tempoQuery.service.port | int | `16686` |  |
 | tempoQuery.ingress.enabled | bool | `false` |  |
 | tempoQuery.ingress.annotations | object | `{}` |  |
@@ -112,6 +126,9 @@ helm install tempo chart/
 | serviceAccount.labels | object | `{}` | Labels for the service account |
 | serviceAccount.automountServiceAccountToken | bool | `false` |  |
 | service.type | string | `"ClusterIP"` |  |
+| service.clusterIP | string | `""` |  |
+| service.loadBalancerIP | string | `nil` | IP address, in case of 'type: LoadBalancer' |
+| service.protocol | string | `"TCP"` | If service type is LoadBalancer, the exposed protocol can either be "UDP", "TCP" or "UDP,TCP" |
 | service.annotations | object | `{}` |  |
 | service.labels | object | `{}` |  |
 | service.targetPort | string | `""` |  |
@@ -122,9 +139,10 @@ helm install tempo chart/
 | serviceMonitor.scheme | string | `""` |  |
 | serviceMonitor.tlsConfig | object | `{}` |  |
 | persistence.enabled | bool | `true` |  |
+| persistence.enableStatefulSetAutoDeletePVC | bool | `true` | Enable StatefulSetAutoDeletePVC feature |
 | persistence.accessModes[0] | string | `"ReadWriteOnce"` |  |
 | persistence.size | string | `"15Gi"` |  |
-| podAnnotations | object | `{"traffic.sidecar.istio.io/includeInboundPorts":"16687,16686,3100,4317,4318"}` | Pod Annotations |
+| podAnnotations | object | `{"traffic.sidecar.istio.io/includeInboundPorts":"3100,4317,4318"}` | Pod Annotations |
 | podLabels | object | `{}` | Pod (extra) Labels |
 | extraLabels | object | `{}` |  |
 | extraVolumes | list | `[]` | Volumes to add |
@@ -141,11 +159,11 @@ helm install tempo chart/
 | networkPolicy.egress.ports | list | `[]` |  |
 | networkPolicy.egress.to | list | `[]` |  |
 | domain | string | `"dev.bigbang.mil"` | Domain used for BigBang created exposed services |
-| istio | object | `{"enabled":false,"hardened":{"customAuthorizationPolicies":[],"customServiceEntries":[],"enabled":false,"outboundTrafficPolicyMode":"REGISTRY_ONLY"},"mtls":{"mode":"STRICT"},"tempoQuery":{"annotations":{},"enabled":true,"gateways":["istio-system/main"],"hosts":["tracing.{{ .Values.domain }}"],"labels":{}}}` | Toggle istio integration. Intended to be controlled via BigBang passthrough of istio package status |
+| istio | object | `{"enabled":false,"hardened":{"customAuthorizationPolicies":[],"customServiceEntries":[],"enabled":false,"outboundTrafficPolicyMode":"REGISTRY_ONLY"},"mtls":{"mode":"STRICT"},"tempoQuery":{"annotations":{},"enabled":false,"gateways":["istio-system/main"],"hosts":["tracing.{{ .Values.domain }}"],"labels":{}}}` | Toggle istio integration. Intended to be controlled via BigBang passthrough of istio package status |
 | istio.hardened | object | `{"customAuthorizationPolicies":[],"customServiceEntries":[],"enabled":false,"outboundTrafficPolicyMode":"REGISTRY_ONLY"}` | Default peer authentication values |
 | istio.mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic |
-| istio.tempoQuery | object | `{"annotations":{},"enabled":true,"gateways":["istio-system/main"],"hosts":["tracing.{{ .Values.domain }}"],"labels":{}}` | Tempo-Query specific VirtualService values |
-| istio.tempoQuery.enabled | bool | `true` | Toggle VirtualService creation |
+| istio.tempoQuery | object | `{"annotations":{},"enabled":false,"gateways":["istio-system/main"],"hosts":["tracing.{{ .Values.domain }}"],"labels":{}}` | Tempo-Query specific VirtualService values |
+| istio.tempoQuery.enabled | bool | `false` | Toggle VirtualService creation |
 | objectStorage.access_key_id | string | `""` | AWS access_key_id for External ObjectStorage configuration |
 | objectStorage.secret_access_key | string | `""` | AWS secret_access_key for External ObjectStorage configuration |
 | networkPolicies | object | `{"additionalPolicies":[],"controlPlaneCidr":"0.0.0.0/0","enabled":false,"ingressLabels":{"app":"istio-ingressgateway","istio":"ingressgateway"}}` | Toggle for BigBang specific NetworkPolicies. If disabled no NetworkPolicies will be installed with package ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ |

--- a/chart/Chart.lock
+++ b/chart/Chart.lock
 dependencies:
 - name: gluon
  repository: oci://registry1.dso.mil/bigbang
-  version: 0.5.9
-digest: sha256:1fad64ed7e02ece92dbd03f626dc502a94d220050377e0045eafc3de34ad1db0
-generated: "2024-11-06T07:15:52.895452596Z"
+  version: 0.5.12
+digest: sha256:23ae84928f9f951a0376b933f631acac3d59b386a3e77bf5c64860e2d0b74bff
+generated: "2024-11-26T07:16:25.34441368Z"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,8 +2,9 @@ apiVersion: v2
 name: tempo
 description: Grafana Tempo Single Binary Mode
 type: application
-version: 1.11.0-bb.1
-appVersion: 2.5.0
+version: 1.16.0-bb.0
+appVersion: 2.6.1
+engine: gotpl
 home: https://grafana.net
 icon: https://raw.githubusercontent.com/grafana/tempo/master/docs/tempo/website/logo_and_name.png
 sources:
@@ -21,18 +22,18 @@ maintainers:
    email: sheikhabubaker761@gmail.com
 dependencies:
  - name: gluon
-    version: "0.5.9"
+    version: "0.5.12"
    repository: oci://registry1.dso.mil/bigbang
 annotations:
  bigbang.dev/maintenanceTrack: bb_integrated
  bigbang.dev/applicationVersions: |
-    - Tempo: 2.5.0
-    - Tempo Query: 2.5.0
+    - Tempo: 2.6.1
+    - Tempo Query: 2.6.1
  bigbang.dev/upstreamReleaseNotesMarkdown: |
    - [Find upstream chart's release notes and CHANGELOG here](https://github.com/grafana/helm-charts/releases?q=tempo&expanded=true)
    - [Find upstream applications's release notes and CHANGELOG here](https://grafana.com/docs/tempo/latest/release-notes/)
  helm.sh/images: |
    - name: tempo
-      image: registry1.dso.mil/ironbank/opensource/grafana/tempo:2.5.0
+      image: registry1.dso.mil/ironbank/opensource/grafana/tempo:2.6.1
    - name: tempo-query
-      image: registry1.dso.mil/ironbank/opensource/grafana/tempo-query:2.5.0
+      image: registry1.dso.mil/ironbank/opensource/grafana/tempo-query:2.6.1
--- a/chart/Kptfile
+++ b/chart/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
  type: git
  git:
-    commit: 0d5f0b15901a95aed96a3a21994cae87df62fff2
+    commit: 27953cb5e65e76782cce44a20caf206bacd6579c
    repo: https://github.com/grafana/helm-charts
    directory: /charts/tempo
-    ref: tempo-1.11.0
+    ref: tempo-1.16.0
--- a/chart/README.md
+++ b/chart/README.md
 # tempo

-![Version: 1.11.0](https://img.shields.io/badge/Version-1.11.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.5.0](https://img.shields.io/badge/AppVersion-2.5.0-informational?style=flat-square)
+![Version: 1.16.0](https://img.shields.io/badge/Version-1.16.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 2.6.1](https://img.shields.io/badge/AppVersion-2.6.1-informational?style=flat-square)

 Grafana Tempo Single Binary Mode

@@ -31,6 +31,7 @@ Grafana Tempo Single Binary Mode
 | networkPolicy.ingress | bool | `true` |  |
 | nodeSelector | object | `{}` | Node labels for pod assignment. See: https://kubernetes.io/docs/user-guide/node-selection/ |
 | persistence.accessModes[0] | string | `"ReadWriteOnce"` |  |
+| persistence.enableStatefulSetAutoDeletePVC | bool | `false` | Enable StatefulSetAutoDeletePVC feature |
 | persistence.enabled | bool | `false` |  |
 | persistence.size | string | `"10Gi"` |  |
 | podAnnotations | object | `{}` | Pod Annotations |
@@ -39,7 +40,10 @@ Grafana Tempo Single Binary Mode
 | replicas | int | `1` | Define the amount of instances |
 | securityContext | object | `{"fsGroup":10001,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001}` | securityContext for container |
 | service.annotations | object | `{}` |  |
+| service.clusterIP | string | `""` |  |
 | service.labels | object | `{}` |  |
+| service.loadBalancerIP | string | `nil` | IP address, in case of 'type: LoadBalancer' |
+| service.protocol | string | `"TCP"` | If service type is LoadBalancer, the exposed protocol can either be "UDP", "TCP" or "UDP,TCP" |
 | service.targetPort | string | `""` |  |
 | service.type | string | `"ClusterIP"` |  |
 | serviceAccount.annotations | object | `{}` | Annotations for the service account |
@@ -58,6 +62,13 @@ Grafana Tempo Single Binary Mode
 | tempo.extraVolumeMounts | list | `[]` | Volume mounts to add |
 | tempo.global_overrides.per_tenant_override_config | string | `"/conf/overrides.yaml"` |  |
 | tempo.ingester | object | `{}` | Configuration options for the ingester |
+| tempo.livenessProbe.failureThreshold | int | `3` |  |
+| tempo.livenessProbe.httpGet.path | string | `"/ready"` |  |
+| tempo.livenessProbe.httpGet.port | int | `3100` |  |
+| tempo.livenessProbe.initialDelaySeconds | int | `30` |  |
+| tempo.livenessProbe.periodSeconds | int | `10` |  |
+| tempo.livenessProbe.successThreshold | int | `1` |  |
+| tempo.livenessProbe.timeoutSeconds | int | `5` |  |
 | tempo.memBallastSizeMbs | int | `1024` |  |
 | tempo.metricsGenerator.enabled | bool | `false` | If true, enables Tempo's metrics generator (https://grafana.com/docs/tempo/next/metrics-generator/) |
 | tempo.metricsGenerator.remoteWriteUrl | string | `"http://prometheus.monitoring:9090/api/v1/write"` |  |
@@ -66,6 +77,13 @@ Grafana Tempo Single Binary Mode
 | tempo.pullPolicy | string | `"IfNotPresent"` |  |
 | tempo.querier | object | `{}` | Configuration options for the querier |
 | tempo.queryFrontend | object | `{}` | Configuration options for the query-fronted |
+| tempo.readinessProbe.failureThreshold | int | `3` |  |
+| tempo.readinessProbe.httpGet.path | string | `"/ready"` |  |
+| tempo.readinessProbe.httpGet.port | int | `3100` |  |
+| tempo.readinessProbe.initialDelaySeconds | int | `20` |  |
+| tempo.readinessProbe.periodSeconds | int | `10` |  |
+| tempo.readinessProbe.successThreshold | int | `1` |  |
+| tempo.readinessProbe.timeoutSeconds | int | `5` |  |
 | tempo.receivers.jaeger.protocols.grpc.endpoint | string | `"0.0.0.0:14250"` |  |
 | tempo.receivers.jaeger.protocols.thrift_binary.endpoint | string | `"0.0.0.0:6832"` |  |
 | tempo.receivers.jaeger.protocols.thrift_compact.endpoint | string | `"0.0.0.0:6831"` |  |
@@ -134,6 +152,11 @@ The command removes all the Kubernetes components associated with the chart and

 A major chart version change indicates that there is an incompatible breaking change needing manual actions.

+### From Chart versions < 1.12.0
+
+Upgrading to chart 1.12.0 will set the memberlist cluster_label config option. During rollout your cluster will temporarilly be split into two memberlist clusters until all components are rolled out.
+This will interrupt reads and writes. This config option is set to prevent cross talk between Tempo and other memberlist clusters.
+
 ### From Chart versions < 1.2.0

 Please be aware that we've updated the minor version to Tempo 2.1, which includes breaking changes.

--- a/chart/charts/gluon-0.5.12.tgz
+++ b/chart/charts/gluon-0.5.12.tgz
--- a/chart/charts/gluon-0.5.9.tgz
+++ b/chart/charts/gluon-0.5.9.tgz
--- a/chart/templates/_ports.tpl
+++ b/chart/templates/_ports.tpl
+{{/* ~=~=~ Partial Templates of exposed Ports ~=~=~ */}}
+
+{{/* UDP sockets */}}
+{{- define "tempo.udp"}}
+{{- $endpoint := .Values.tempo.receivers.jaeger.protocols.thrift_compact }}
+{{- with $endpoint.endpoint }}
+{{- $port := regexSplit ":" . -1 | last }}
+- name: tempo-jaeger-thrift-compact
+  port: {{ $port }}
+  protocol: UDP
+  targetPort: 6831
+{{- end }}
+{{- $endpoint := .Values.tempo.receivers.jaeger.protocols.thrift_binary }}
+{{- with $endpoint.endpoint }}
+{{- $port := regexSplit ":" . -1 | last }}
+- name: tempo-jaeger-thrift-binary
+  port: {{ $port }}
+  protocol: UDP
+  targetPort: 6832
+{{- end }}
+{{- /* end of define */}}
+{{- end }}
+
+{{/* TCP sockets */}}
+{{- define "tempo.tcp"}}
+- name: tempo-prom-metrics
+  port: 3100
+  protocol: TCP
+  targetPort: 3100
+{{- if .Values.tempoQuery.enabled }}
+- name: jaeger-metrics
+  port: 16687
+  protocol: TCP
+  targetPort: 16687
+- name: tempo-query-jaeger-ui
+  port: {{ .Values.tempoQuery.service.port }}
+  targetPort: {{ .Values.tempoQuery.service.port }}
+{{- end }}
+{{- $endpoint := .Values.tempo.receivers.jaeger.protocols.thrift_http }}
+{{- with $endpoint.endpoint }}
+{{- $port := regexSplit ":" . -1 | last }}
+- name: tempo-jaeger-thrift-http
+  port: {{ $port }}
+  protocol: TCP
+  targetPort: 14268
+{{- end }}
+{{- $endpoint := .Values.tempo.receivers.jaeger.protocols.grpc }}
+{{- with $endpoint.endpoint }}
+{{- $port := regexSplit ":" . -1 | last }}
+- name: grpc-tempo-jaeger
+  port: {{ $port }}
+  protocol: TCP
+  targetPort: 14250
+{{- end }}
+- name: tempo-zipkin
+  port: 9411
+  protocol: TCP
+  targetPort: 9411
+- name: tempo-otlp-legacy
+  port: 55680
+  protocol: TCP
+  targetPort: 55680
+- name: tempo-otlp-http-legacy
+  port: 55681
+  protocol: TCP
+  targetPort: 55681
+{{- $endpoint := .Values.tempo.receivers.otlp.protocols.grpc }}
+{{- with $endpoint.endpoint }}
+{{- $port := regexSplit ":" . -1 | last }}
+- name: grpc-tempo-otlp
+  port: {{ $port }}
+  protocol: TCP
+  targetPort: 4317
+{{- end }}
+{{- $endpoint := .Values.tempo.receivers.otlp.protocols.http }}
+{{- with $endpoint.endpoint }}
+{{- $port := regexSplit ":" . -1 | last }}
+- name: tempo-otlp-http
+  port: {{ $port }}
+  protocol: TCP
+  targetPort: 4318
+{{- end }}
+- name: tempo-opencensus
+  port: 55678
+  protocol: TCP
+  targetPort: 55678
+{{- /* end of define */}}
+{{- end  }}
\ No newline at end of file
--- a/chart/templates/bigbang/networkpolicies/ingress-istio-ingressgateway.yml
+++ b/chart/templates/bigbang/networkpolicies/ingress-istio-ingressgateway.yml
-{{- if and .Values.networkPolicies.enabled .Values.istio.enabled }}
+{{- if and .Values.networkPolicies.enabled .Values.istio.enabled .Values.istio.tempoQuery.enabled }}
 # Allow traffic from the IngressGateway to the tempo query UI
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy

--- a/chart/templates/bigbang/networkpolicies/ingress-kiali.yaml
+++ b/chart/templates/bigbang/networkpolicies/ingress-kiali.yaml
-{{- if and .Values.networkPolicies.enabled }}
+{{- if and .Values.networkPolicies.enabled .Values.tempoQuery.enabled }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:

--- a/chart/templates/bigbang/networkpolicies/ingress-prometheus-operator-metrics.yaml
+++ b/chart/templates/bigbang/networkpolicies/ingress-prometheus-operator-metrics.yaml
@@ -21,6 +21,8 @@ spec:
    ports:
    - port: 3100
      protocol: TCP
+    {{- if .Values.tempoQuery.enabled }}
    - port: 16687
      protocol: TCP
+    {{- end }}
 {{- end }}
--- a/chart/templates/service.yaml
+++ b/chart/templates/service.yaml
+
 apiVersion: v1
 kind: Service
 metadata:
@@ -32,56 +33,17 @@ spec:
  {{- end }}
 {{- end }}
  ports:
-  - name: http-tempo-prom-metrics
-    port: 3100
-    targetPort: 3100
-  {{- if .Values.tempoQuery.enabled }}
-  - name: http-jaeger-metrics
-    port: 16687
-    targetPort: 16687
-  - name: http-tempo-query-jaeger-ui
-    port: {{ .Values.tempoQuery.service.port }}
-    targetPort: {{ .Values.tempoQuery.service.port }}
+  {{- if (eq .Values.service.type "LoadBalancer") }}
+    {{- $protocol := .Values.service.protocol | default "TCP" }}
+    {{- if contains "UDP" $protocol }}
+      {{- include "tempo.udp" . | indent 2 }}
+    {{- end }}
+    {{- if contains "TCP" $protocol }}
+      {{- include "tempo.tcp" . | indent 2 }}
+    {{- end }}
+  {{- else }}
+    {{- include "tempo.udp" . | indent 2 }}
+    {{- include "tempo.tcp" . | indent 2 }}
  {{- end }}
-  - name: udp-tempo-jaeger-thrift-compact
-    port: 6831
-    protocol: UDP
-    targetPort: 6831
-  - name: udp-tempo-jaeger-thrift-binary
-    port: 6832
-    protocol: UDP
-    targetPort: 6832
-  - name: http-tempo-jaeger-thrift-http
-    port: 14268
-    protocol: TCP
-    targetPort: 14268
-  - name: grpc-tempo-jaeger
-    port: 14250
-    protocol: TCP
-    targetPort: 14250
-  - name: tcp-tempo-zipkin
-    port: 9411
-    protocol: TCP
-    targetPort: 9411
-  - name: tcp-tempo-otlp-legacy
-    port: 55680
-    protocol: TCP
-    targetPort: 55680
-  - name: http-tempo-otlp-http-legacy
-    port: 55681
-    protocol: TCP
-    targetPort: 4318
-  - name: grpc-tempo-otlp
-    port: 4317
-    protocol: TCP
-    targetPort: 4317
-  - name: http-tempo-otlp-http
-    port: 4318
-    protocol: TCP
-    targetPort: 4318
-  - name: tcp-tempo-opencensus
-    port: 55678
-    protocol: TCP
-    targetPort: 55678
  selector:
    {{- include "tempo.selectorLabels" . | nindent 4 }}
--- a/chart/templates/statefulset.yaml
+++ b/chart/templates/statefulset.yaml
@@ -14,6 +14,11 @@ spec:
  {{- if .Values.revisionHistoryLimit }}
  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
  {{- end }}
+  {{- if and (semverCompare ">= 1.23-0" .Capabilities.KubeVersion.Version) (.Values.persistence.enableStatefulSetAutoDeletePVC) (.Values.persistence.enabled) }}
+  persistentVolumeClaimRetentionPolicy:
+    whenDeleted: Delete
+    whenScaled: Delete
+  {{- end }}
  selector:
    matchLabels:
      {{- include "tempo.selectorLabels" . | nindent 6 }}
@@ -82,6 +87,10 @@ spec:
          name: otlp-http
        - containerPort: 55678
          name: opencensus
+        livenessProbe:
+          {{- toYaml .Values.tempo.livenessProbe | nindent 12 }}
+        readinessProbe:
+          {{- toYaml .Values.tempo.readinessProbe | nindent 12 }}
        resources:
          {{- toYaml .Values.tempo.resources | nindent 10 }}
        {{- with .Values.tempo.securityContext }}

--- a/chart/tests/cypress/e2e/01-tempo-health.cy.js
+++ b/chart/tests/cypress/e2e/01-tempo-health.cy.js
@@ -10,21 +10,6 @@ describe('Tempo Test', function () {
    return false;
  });

-  // Basic test that validates pages are accessible, basic error check
-  it('Check Tempo is accessible w/ services', function () {
-    cy.visit(Cypress.env('url'), { failOnStatusCode: false });
-    if (Cypress.env('keycloak_test_enable')) {
-      cy.performKeycloakLogin(Cypress.env('tnr_username'), Cypress.env('tnr_password'))
-    }
-    cy.title().should('contain', 'Jaeger UI');
-    // Check to ensure more than zero services are populated
-    cy.intercept('GET', '**/api/services').as('servicesLoaded')
-    cy.reload()
-    cy.wait('@servicesLoaded').then((interception) => {
-      expect(interception.response.statusCode).to.equal(200)
-    });
-  });
-
  if (Cypress.env('check_datasource')) {
    it('Check Tempo is available as a data source in grafana ', function () {
      cy.visit(Cypress.env('grafana_url'));

--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -24,7 +24,7 @@ tempo:
  # -- Docker image repository
  repository: registry1.dso.mil/ironbank/opensource/grafana/tempo
  # -- Docker image tag
-  tag: 2.5.0
+  tag: 2.6.1
  # -- Docker image pull policy
  pullPolicy: IfNotPresent

@@ -72,6 +72,25 @@ tempo:
  server:
    # -- HTTP server listen port
    http_listen_port: 3100
+  # Readiness and Liveness Probe Configuration Options
+  livenessProbe:
+    httpGet:
+      path: /ready
+      port: 3100
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+  readinessProbe:
+    httpGet:
+      path: /ready
+      port: 3100
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
  storage:
    trace:
      # tempo storage backend
@@ -138,6 +157,8 @@ tempo:
 # -- Tempo configuration file contents
 # @default -- Dynamically generated tempo configmap
 config: |
+    memberlist:
+      cluster_label: "{{ .Release.Name }}.{{ .Release.Namespace }}"
    multitenancy_enabled: {{ .Values.tempo.multitenancyEnabled }}
    usage_report:
      reporting_enabled: {{ .Values.tempo.reportingEnabled }}
@@ -174,7 +195,7 @@ tempoQuery:
  # -- Docker image repository
  repository: registry1.dso.mil/ironbank/opensource/grafana/tempo-query
  # -- Docker image tag
-  tag: 2.5.0
+  tag: 2.6.1
  # -- Docker image pull policy
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
@@ -185,7 +206,7 @@ tempoQuery:
  #   - myRegistryKeySecretName

  # -- if False the tempo-query container is not deployed
-  enabled: true
+  enabled: false


      
@@ -283,6 +304,12 @@ serviceAccount:

 service:
  type: ClusterIP
+  clusterIP: ""
+  # -- (string) IP address, in case of 'type: LoadBalancer'
+  loadBalancerIP:
+  # -- If service type is LoadBalancer, the exposed protocol can either be "UDP", "TCP" or "UDP,TCP"
+  protocol: "TCP"
+
  annotations: {}
  labels: {}
  targetPort: ""
@@ -298,6 +325,8 @@ serviceMonitor:

 persistence:
  enabled: true
+  # -- Enable StatefulSetAutoDeletePVC feature
+  enableStatefulSetAutoDeletePVC: true
  # storageClassName: local-path
  accessModes:
    - ReadWriteOnce
@@ -305,7 +334,7 @@ persistence:

 # -- Pod Annotations
 podAnnotations:
-  traffic.sidecar.istio.io/includeInboundPorts: "16687,16686,3100,4317,4318"
+  traffic.sidecar.istio.io/includeInboundPorts: "3100,4317,4318"

 # -- Pod (extra) Labels
 podLabels: {}
@@ -415,7 +444,7 @@ istio:
  # -- Tempo-Query specific VirtualService values
  tempoQuery:
    # -- Toggle VirtualService creation
-    enabled: true
+    enabled: false
    annotations: {}
    labels: {}
    gateways:

--- a/docs/DEVELOPMENT_MAINTENANCE.md
+++ b/docs/DEVELOPMENT_MAINTENANCE.md
@@ -44,38 +44,39 @@

 7. Generate the `README.md` updates by following the [guide in gluon](https://repo1.dso.mil/big-bang/product/packages/gluon/-/blob/master/docs/bb-package-readme.md).

-8. Push up your changes, add upgrade notices if applicable, validate that CI passes. 
+8. Push up your changes, add upgrade notices if applicable, validate that CI passes.

-    - If there are any failures, follow the information in the pipeline to make the necessary updates. 
+    - If there are any failures, follow the information in the pipeline to make the necessary updates.

-    - Add the `debug` label to the MR for more detailed information. 
+    - Add the `debug` label to the MR for more detailed information.
    
    - Reach out to the CODEOWNERS if needed.

-9.  As part of your MR that modifies bigbang packages, you should modify the bigbang  [bigbang/tests/test-values.yaml](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/tests/test-values.yaml?ref_type=heads) against your branch for the CI/CD MR testing by enabling your packages. 
+9. As part of your MR that modifies bigbang packages, you should modify the bigbang  [bigbang/tests/test-values.yaml](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/tests/test-values.yaml?ref_type=heads) against your branch for the CI/CD MR testing by enabling your packages.

    - To do this, at a minimum, you will need to follow the instructions at [bigbang/docs/developer/test-package-against-bb.md](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/docs/developer/test-package-against-bb.md?ref_type=heads) with changes for Tempo enabled (the below is a reference, actual changes could be more depending on what changes where made to Tempo in the pakcage MR).

 ### [test-values.yaml](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/tests/test-values.yaml?ref_type=heads)
-    ```yaml
-    tempo:
-      enabled: true
-      git:
-        tag: null
-        branch: <my-package-branch-that-needs-testing>
-      values:
-        istio:
-          hardened:
-            enabled: true
-      ### Additional compononents of Tempo should be changed to reflect testing changes introduced in the package MR
-    ```
+
+```yaml
+tempo:
+  enabled: true
+  git:
+    tag: null
+    branch: <my-package-branch-that-needs-testing>
+  values:
+    istio:
+      hardened:
+        enabled: true
+  ### Additional components of Tempo should be changed to reflect testing changes introduced in the package MR
+```
 

 10. Follow the `Testing new Tempo Version` section of this document for manual testing.

 ## Update main chart

-```chart/Chart.yaml```
+### `chart/Chart.yaml`

 - Update tempo `version` and `appVersion`
 - Ensure Big Bang version suffix is appended to chart version
@@ -101,15 +102,15 @@ annotations:

 ## Modifications made to upstream 

-```chart/values.yaml```
+### `chart/values.yaml`

- line 21, update `tempo.repository` to pull hardened images from registry1
+- Update `tempo.repository` to pull hardened images from registry1
 ```yaml
  # -- Docker image repository
  repository: registry1.dso.mil/ironbank/opensource/grafana/tempo
 ```

- line 35, ensure `tempo.resources` requests and limits are set
+- Ensure `tempo.resources` requests and limits are set
 ```yaml
  resources:
    limits:
@@ -120,12 +121,12 @@ annotations:
      memory: 4Gi
 ```

- line 46, ensure `tempo.reportingEnabled` is set to `false`
+- Ensure `tempo.reportingEnabled` is set to `false`
 ```yaml
  reportingEnabled: false
 ```

- line 52, ensure `tempo.ingester` values are set
+- Ensure `tempo.ingester` values are set
 ```yaml
  ingester:
    trace_idle_period: 10s
@@ -133,18 +134,18 @@ annotations:
    max_block_duration: 5m
 ```

- line 60, ensure `tempo.retention` is set to `336h`
+- Ensure `tempo.retention` is set to `336h`
 ```yaml
  retention: 336h # 2 weeks retention
 ```

- line 103, ensure `tempo.receivers` contains values for `zipkin`
+- Ensure `tempo.receivers` contains values for `zipkin`
 ```yaml
    zipkin:
      endpoint: 0.0.0.0:9411
 ```

- line 112, ensure `tempo.securityContext` is set
+- Ensure `tempo.securityContext` is set
 ```yaml
  securityContext:
     capabilities:
@@ -152,22 +153,22 @@ annotations:
       - ALL
 ```

- line 171, update `tempoQuery.repository` to pull hardened images from registry1
+- Update `tempoQuery.repository` to pull hardened images from registry1
 ```yaml
  # -- Docker image repository
  repository: registry1.dso.mil/ironbank/opensource/grafana/tempo-query
 ```

- line 184, ensure `tempoQuery.enabled` is true
+- Ensure `tempoQuery.enabled` is `false`

 Note: [this](https://github.com/grafana/helm-charts/commit/4c77fa7b3a54977d094071b446ff8b5b86982858) upstream commit disabled `tempo-query` by default in the chart. Evidently this is because `tempo-query` was always meant as a shim between Tempo and Grafana, but it hasn't been necessary [since 7.5.0](https://github.com/grafana/tempo/issues/456#issuecomment-815813684), as Grafana is capable of querying Tempo directly now.

-Currently, Big Bang uses `tempo-query` for Cypress testing and users may expect a basic web interface for Tempo without Grafana (Tempo has non natively, only a HTTP API). This may be changed in an upcoming release, but we will keep utilizing `tempo-query` for the benefits of the interface.
+Previously, Big Bang used `tempo-query` for Cypress testing and to provide users a basic web interface for Tempo without Grafana (Tempo offers only an HTTP API natively). This was changed after breaking changes to the `tempo-query` deployment model were [introduced in version 2.6.0](https://grafana.com/docs/tempo/next/release-notes/v2-6/#other-breaking-changes). Other `tempoQuery` configuration settings remain below, in the event users wish to deploy it with the associated Iron Bank container image.
 ```yaml
-  enabled: true
+  enabled: false
 ```

- line 230, ensure `tempoQuery.resources` requests and limits are set
+- Ensure `tempoQuery.resources` requests and limits are set
 ```yaml
  # -- Resource for query container
  resources:
@@ -179,7 +180,7 @@ Currently, Big Bang uses `tempo-query` for Cypress testing and users may expect
      memory: 256Mi
 ```

- line 248, ensure `tempoQuery.securityContext` is set
+- Ensure `tempoQuery.securityContext` is set
 ```yaml
  securityContext:
     capabilities:
@@ -187,7 +188,7 @@ Currently, Big Bang uses `tempo-query` for Cypress testing and users may expect
       - ALL
 ```

- line 259, ensure `securityContext` for containers is set
+- Ensure `securityContext` for containers is set
 ```yaml
 # -- securityContext for container
 securityContext:
@@ -197,20 +198,20 @@ securityContext:
  runAsUser: 1001
 ```

- line 272, ensure `serviceAccount.imagePullSecrets` contains `private-registry` pull secret for IronBank images
+- Ensure `serviceAccount.imagePullSecrets` contains `private-registry` pull secret for IronBank images
 ```yaml
  # -- Image pull secrets for the service account
  imagePullSecrets:
    - name: private-registry
 ```

- line 278, ensure `serviceAccount.automountServiceAccountToken` is set to `false`
+- Ensure `serviceAccount.automountServiceAccountToken` is set to `false`
 This helps maintain our NSA hardening guide-compliance
 ```yaml
  automountServiceAccountToken: false
 ```

- line 286, ensure `serviceAccount` has `scheme` and `tlsConfig` values shown below:
+- Ensure `serviceMonitor` has `scheme` and `tlsConfig` values shown below:
 ```yaml
 serviceMonitor:
  enabled: false
@@ -222,23 +223,25 @@ serviceMonitor:
  # scrapeTimeout: 10s
 ```

- line 295, ensure `persistence` is enabled and size is increased to `15Gi`
+- Ensure `persistence` is enabled and size is increased to `15Gi`
 ```yaml
 persistence:
  enabled: true
+  # -- Enable StatefulSetAutoDeletePVC feature
+  enableStatefulSetAutoDeletePVC: false
  # storageClassName: local-path
  accessModes:
    - ReadWriteOnce
  size: 15Gi
 ```

- line 303, ensure `podAnnotations` includes istio inbound ports
+- Ensure `podAnnotations` includes istio inbound ports
 ```yaml
 podAnnotations:
-  traffic.sidecar.istio.io/includeInboundPorts: "16687,16686,3100"
+  traffic.sidecar.istio.io/includeInboundPorts: "3100,4317,4318"
 ```

- EOF, add default dev.bigbang.mil hostname and addditional Big Bang values
+- EOF, add default dev.bigbang.mil hostname and additional Big Bang values

 ```yaml
 # -- Domain used for BigBang created exposed services
@@ -266,12 +269,6 @@ istio:
    # - name: "allow-nothing"
    #   enabled: true
    #   spec: {}
-    tempo:
-        enabled: false
-        namespaces:
-        - tempo
-        principals:
-        - cluster.local/ns/tempo/sa/tempo-tempo  
  mtls:
    # -- STRICT = Allow only mutual TLS traffic,
    # PERMISSIVE = Allow both plain text and mutual TLS traffic
@@ -341,28 +338,28 @@ bbtests:
 openshift: false
 ```

-```chart/templates/service.yaml```
+### `chart/templates/service.yaml`

 Added protocols to each port name (i.e. tcp, http, etc)

- line 35, ensure `name` is `http-tempo-prom-metrics`
- line 39, ensure `name` is `http-jaeger-metrics`
- line 42, ensure `name` is `http-tempo-query-jaeger-ui`
- line 46, ensure `name` is `udp-tempo-jaeger-thrift-compact`
- line 50, ensure `name` is `udp-tempo-jaeger-thrift-binary`
- line 54, ensure `name` is `http-tempo-jaeger-thrift-http`
- line 62, ensure `name` is `tcp-tempo-zipkin`
- line 66, ensure `name` is `tcp-tempo-otlp-legacy`
- line 70, ensure `name` is `http-tempo-otlp-http-legacy`
- line 78, ensure `name` is `http-tempo-otlp-http`
- line 82, ensure `name` is `tcp-tempo-opencensus`
+- Ensure `name` is `http-tempo-prom-metrics` for `port: 3100`
+- Ensure `name` is `http-jaeger-metrics` for `port: 16687`
+- Ensure `name` is `http-tempo-query-jaeger-ui` for `port: {{ .Values.tempoQuery.service.port }}`
+- Ensure `name` is `udp-tempo-jaeger-thrift-compact` for `port: 6831`
+- Ensure `name` is `udp-tempo-jaeger-thrift-binary` for `port: 6832`
+- Ensure `name` is `http-tempo-jaeger-thrift-http` for `port: 14268`
+- Ensure `name` is `tcp-tempo-zipkin` for `port: 9411`
+- Ensure `name` is `tcp-tempo-otlp-legacy` for `port: 55680`
+- Ensure `name` is `http-tempo-otlp-http-legacy` for `port: 55681`
+- Ensure `name` is `http-tempo-otlp-http` for `port: 4318`
+- Ensure `name` is `tcp-tempo-opencensus` for `port: 55678`

-```chart/templates/servicemonitor.yaml```
+### `chart/templates/servicemonitor.yaml`

 Modified ports to match naming convention with `http-` prefix

- line 26, ensure `port` is `http-tempo-prom-metrics`
- line 33-39, ensure this section is added for `http-tempo-prom-metrics`:
+- Ensure `spec.endpoints` includes `port: http-tempo-prom-metrics`
+- Ensure this section is added for `http-tempo-prom-metrics`:
    ```yaml
          {{- if .Values.serviceMonitor.scheme }}
          scheme: {{ .Values.serviceMonitor.scheme }}
@@ -372,8 +369,8 @@ Modified ports to match naming convention with `http-` prefix
            {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 8 }}
          {{- end }}
    ```
- line 40, ensure `port` is `http-jaeger-metrics`
- line 47-53, ensure this section is added for `http-jaeger-metrics`:
+- Ensure `spec.endpoints` includes `port: http-jaeger-metrics`
+- Ensure this section is added for `http-jaeger-metrics`:
    ```yaml
          {{- if .Values.serviceMonitor.scheme }}
          scheme: {{ .Values.serviceMonitor.scheme }}
@@ -384,9 +381,16 @@ Modified ports to match naming convention with `http-` prefix
          {{- end }}
    ```

-```chart/templates/statefulset.yaml```
+### `chart/templates/statefulset.yaml`

- line 95-99, add in envFrom section to the tempo container
+- Update templating to include tpl for `spec.template.metadata.labels`
+    ```yaml
+    {{- with .Values.podLabels }}
+      {{- tpl (toYaml . | nindent 8) $ }}
+    {{- end }}
+    ```
+
+- Add in `envFrom` section to the tempo container
    ```yaml
    {{- if and .Values.objectStorage.access_key_id .Values.objectStorage.secret_access_key }}
    envFrom:
@@ -395,28 +399,8 @@ Modified ports to match naming convention with `http-` prefix
    {{- end }}
    ```

- Line 26, Updated templating to include tpl for spec.template.metadata.labels
-    ```yaml
-    {{- tpl (toYaml . | nindent 8) $ }}
-    ```
-
-## chart/templates/authorization-policies/*
-
- Add the Istio Authorization Policies
-
-## chart/templates/bigbang/*
-
- Add Big Bang network Policies as applicable
- Add `VirtualService` for tempo-query UI access
- Add openTelemetry collector deployment/configurations
-
-## chart/tests/*
-
- Add cypress testing configuration and tests
- Add scripts for testing
-
-# Testing new Tempo Version
-> NOTE: For these testing steps it is good to do them on both a clean install and an upgrade. For clean install, point Loki to your branch. For an upgrade do an install with Loki pointing to the latest tag, then perform a helm upgrade with Loki pointing to your branch.
+## Testing new Tempo Version
+> NOTE: For these testing steps it is good to do them on both a clean install and an upgrade. For clean install, point Tempo to your branch. For an upgrade do an install with Tempo pointing to the latest tag, then perform a helm upgrade with Tempo pointing to your branch.

 You will want to install with:
 - Tempo, monitoring and Istio packages enabled
@@ -486,7 +470,6 @@ kyverno:

 kyvernoPolicies:
  enabled: true
-kyvernoPolicies:
  values:
    exclude:
      any:
@@ -502,10 +485,9 @@ kyvernoPolicies:
          allow:
          - /var/lib/rancher/k3s/storage/pvc-*
 ```
-
- Visit `https://tracing.dev.bigbang.mil` 
-  - Ensure Services are listed and traces are being rendered
-  - Check the logs for the tempo pod and container and ensure traceIDs are getting sent over from the istio mesh
+- Visit `https://kiali.dev.bigbang.mil` and login with a [generated token](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/docs/guides/using-bigbang/default-credentials.md)
+  - Check the 'Applications', 'Workloads', and 'Services' views for Tempo resources (they should be healthy)
+  - Note: if no resources are appearing, make sure the 'Tempo' namespace is selected in each view
 - Visit `https://grafana.dev.bigbang.mil` and login with [default credentials](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/docs/guides/using-bigbang/default-credentials.md)
  - Search for Data Sources -> click Tempo -> click `Save & Test` datasource at the bottom