How to upgrade the Tempo Package chartπ
-
Navigate to the upstream chart repo and folder and find the tag that corresponds with the new chart version for this update
- Check the upstream release notes for upgrade notices.
-
Checkout the
renovate/ironbankbranch -
From the root of the repo run
kpt pkg update chart@<tag> --strategy alpha-git-patch, where tag is found in step 1 (Tempo ref:tempo-<tag>)-
Run a KPT package update
kpt pkg update chart@tempo-<tag> --strategy alpha-git-patch -
Restore all BigBang added templates and tests:
git checkout chart/templates/bigbang/ git checkout chart/tests/ git checkout chart/templates/tests - Follow the
Modifications made to upstreamsection of this document for a list of changes per file to be aware of, for how Big Bang differs from upstream.
-
-
Modify the version in
Chart.yamland append-bb.0to the chart version from upstream. SeeUpdate main chartsection of this document. -
Update dependencies and binaries using
helm dependency update ./chart- If needed, log into registry1
helm registry login https://registry1.dso.mil -u ${registry1.username} helm registry logout https://registry1.dso.mil
Pull assets and commit the binaries as well as the Chart.lock file that was generated.
Then log out.export HELM_EXPERIMENTAL_OCI=1 helm dependency update ./charthelm registry logout https://registry1.dso.mil - If needed, log into registry1
-
Update
CHANGELOG.mdadding an entry for the new version and noting all changes in a list (at minimum should include- Updated <chart or dependency> to x.x.x). -
Generate the
README.mdupdates by following the guide in gluon. -
Push up your changes, add upgrade notices if applicable, validate that CI passes.
-
If there are any failures, follow the information in the pipeline to make the necessary updates.
-
Add the
debuglabel to the MR for more detailed information. -
Reach out to the CODEOWNERS if needed.
-
-
Follow the
Testing new Tempo Versionsection of this document for manual testing.
Update main chartπ
chart/Chart.yaml
- Update tempo
versionandappVersion - Ensure Big Bang version suffix is appended to chart version
version: $VERSION-bb.0 - Ensure gluon dependencies and annotations are present and up to date
dependencies: - name: gluon version: $GLUON_VERSION repository: oci://registry1.dso.mil/bigbang annotations: bigbang.dev/applicationVersions: | - Tempo: $TEMPO_VERSION - Tempo Query: $TEMPO_VERSION helm.sh/images: | - name: tempo image: registry1.dso.mil/ironbank/opensource/grafana/tempo:$TEMPO_VERSION - name: tempo-query image: registry1.dso.mil/ironbank/opensource/grafana/tempo-query:$TEMPO_VERSION
Modifications made to upstreamπ
chart/values.yaml
-
line 14, update
tempo.repositoryto pull hardened images from registry1# -- Docker image repository repository: registry1.dso.mil/ironbank/opensource/grafana/tempo -
line 29, ensure
tempo.resourcesrequests and limits are setresources: limits: cpu: 500m memory: 4Gi requests: cpu: 500m memory: 4Gi -
line 46, ensure
tempo.ingestervalues are setingester: trace_idle_period: 10s max_block_bytes: 1_000_000 max_block_duration: 5m -
line 54, ensure
tempo.retentionis set to336hretention: 336h # 2 weeks retention -
line 97, ensure
tempo.receiverscontains values forzipkinzipkin: endpoint: 0.0.0.0:9411 -
line 106, ensure
tempo.securityContextis setsecurityContext: capabilities: drop: - ALL -
line 165, update
tempoQuery.repositoryto pull hardened images from registry1# -- Docker image repository repository: registry1.dso.mil/ironbank/opensource/grafana/tempo -
line 180, ensure
tempoQuery.resourcesrequests and limits are set# -- Resource for query container resources: limits: cpu: 300m memory: 256Mi requests: cpu: 300m memory: 256Mi -
line 181, ensure
tempoQuery.enabledis true
Note: this upstream commit disabled tempo-query by default in the chart. Evidently this is because tempo-query was always meant as a shim between Tempo and Grafana, but it hasnβt been necessary since 7.5.0, as Grafana is capable of querying Tempo directly now.
Currently, Big Bang uses tempo-query for Cypress testing and users may expect a basic web interface for Tempo without Grafana (Tempo has non natively, only a HTTP API). This may be changed in an upcoming release, but we will keep utilizing tempo-query for the benefits of the interface.
enabled: true
-
line 199, ensure
tempoQuery.securityContextis setsecurityContext: capabilities: drop: - ALL -
line 209, ensure
securityContextfor containers is set# -- securityContext for container securityContext: fsGroup: 1001 runAsGroup: 1001 runAsNonRoot: true runAsUser: 1001 -
line 223, ensure
serviceAccount.imagePullSecretscontainsprivate-registrypull secret for IronBank images# -- Image pull secrets for the service account imagePullSecrets: - name: private-registry -
line 245, ensure
persistenceis enabled and size is increased to15Gipersistence: enabled: true # storageClassName: local-path accessModes: - ReadWriteOnce size: 15Gi -
line 253, ensure
podAnnotationsincludes istio inbound portspodAnnotations: traffic.sidecar.istio.io/includeInboundPorts: "16687,16686,3100" -
line 262, ensure
serviceAccount.automountServiceAccountTokenis set tofalseThis helps maintain our NSA hardening guide-complianceautomountServiceAccountToken: false -
EOF, add default bigbang.dev hostname and addditional Big Bang values
chart/templates/service.yaml
Added protocols to each port name (i.e. tcp, http, etc)
- line 35, ensure
nameishttp-tempo-prom-metrics - line 39, ensure
nameishttp-jaeger-metrics - line 42, ensure
nameishttp-tempo-query-jaeger-ui - line 46, ensure
nameisudp-tempo-jaeger-thrift-compact - line 50, ensure
nameisudp-tempo-jaeger-thrift-binary - line 54, ensure
nameishttp-tempo-jaeger-thrift-http - line 62, ensure
nameistcp-tempo-zipkin - line 66, ensure
nameistcp-tempo-otlp-legacy - line 70, ensure
nameishttp-tempo-otlp-http-legacy - line 78, ensure
nameishttp-tempo-otlp-http - line 82, ensure
nameistcp-tempo-opencensus
chart/templates/servicemonitor.yaml
Modified ports to match naming convention with http- prefix
- line 26, ensure
portishttp-tempo-prom-metrics - line 40, ensure
portishttp-jaeger-metrics
chart/templates/statefulset.yaml
- line 79-83, add in envFrom section to the tempo container
{{- if and .Values.objectStorage.access_key_id .Values.objectStorage.secret_access_key }} envFrom: - secretRef: name: tempo-object-storage {{- end }}
chart/templates/bigbang/*π
- Add Big Bang network Policies as applicable
- Add
VirtualServicefor tempo-query UI access - Add openTelemetry collector deployment/configurations
chart/tests/*π
- Add cypress testing configuration and tests
- Add scripts for testing
Testing new Tempo Versionπ
NOTE: For these testing steps it is good to do them on both a clean install and an upgrade. For clean install, point Loki to your branch. For an upgrade do an install with Loki pointing to the latest tag, then perform a helm upgrade with Loki pointing to your branch.
You will want to install with: - Tempo, monitoring and Istio packages enabled - Jaeger disabled
overrides/tempo.yaml
domain: bigbang.dev
flux:
interval: 1m
rollback:
cleanupOnFail: false
clusterAuditor:
enabled: false
gatekeeper:
enabled: false
istioOperator:
enabled: true
istio:
enabled: true
monitoring:
enabled: true
loki:
enabled: false
promtail:
enabled: false
tempo:
enabled: true
git:
tag: null
branch: "renovate/ironbank"
jaeger:
enabled: false
- Visit
https://tracing.bigbang.dev - Ensure Services are listed and traces are being rendered
- Check the logs for the tempo pod and container and ensure traceIDs are getting sent over from the istio mesh
- Visit
https://grafana.bigbang.devand login with default credentials - Search for Data Sources -> click Tempo -> click
Save & Testdatasource at the bottom
When in doubt with any testing or upgrade steps, reach out to the CODEOWNERS for assistance.