OBSDOCS-1596: Release notes for the Tempo 3.5.1 patch

max-cx · max-cx · commit b3e3202c1c30 · 2025-04-03T16:15:01.000+02:00
diff --git a/modules/distr-tracing-tempo-config-query-frontend.adoc b/modules/distr-tracing-tempo-config-query-frontend.adoc
@@ -96,7 +96,7 @@ The query frontend component is responsible for sharding the search space for an
 |type: boolean
 
 |`jaegerQuery.monitorTab.prometheusEndpoint`
-|The endpoint to the Prometheus instance that contains the span rate, error, and duration (RED) metrics. For example, `+https://thanos-querier.openshift-monitoring.svc.cluster.local:9091+`.
+|The endpoint to the Prometheus instance that contains the span rate, error, and duration (RED) metrics. For example, `+https://thanos-querier.openshift-monitoring.svc.cluster.local:9092+`.
 |type: string
 
 |===
diff --git a/modules/distr-tracing-tempo-config-spanmetrics.adoc b/modules/distr-tracing-tempo-config-spanmetrics.adoc
@@ -95,7 +95,7 @@ spec:
         enabled: true
         monitorTab:
           enabled: true # <1>
-          prometheusEndpoint: https://thanos-querier.openshift-monitoring.svc.cluster.local:9091 # <2>
+          prometheusEndpoint: https://thanos-querier.openshift-monitoring.svc.cluster.local:9092 # <2>
           redMetricsNamespace: "" <3>
         ingress:
           type: route
diff --git a/observability/distr_tracing/distr-tracing-rn.adoc b/observability/distr_tracing/distr-tracing-rn.adoc
@@ -17,6 +17,11 @@ include::snippets/distr-tracing-and-otel-disclaimer-about-docs-for-supported-fea
 
 This release of the {DTProductName} includes the {TempoName} and the deprecated {JaegerName}.
 
+[IMPORTANT]
+====
+The {TempoName} 3.5.1 patch release has been released.
+====
+
 ////
 [id="distr-tracing_3-5_cves_{context}"]
 === CVEs
@@ -27,7 +32,7 @@ This release fixes the following CVEs:
 ////
 
 [id="distr-tracing_3-5_tempo-release-notes_{context}"]
-=== {TempoName}
+=== {TempoName} 3.5
 
 The {TempoName} 3.5 is provided through the link:https://catalog.redhat.com/software/containers/rhosdt/tempo-operator-bundle/642c3e0eacf1b5bdbba7654a/history[{TempoOperator} 0.15.3].
 
@@ -55,8 +60,47 @@ This update introduces the following bug fix:
 
 * Before this update, the {TempoOperator} failed when the `TempoStack` custom resource had the `spec.storage.tls.enabled` field set to `true` and used an Amazon S3 object store with the Security Token Service (STS) authentication. With this update, such a `TempoStack` custom resource configuration does not cause the {TempoOperator} to fail.
 
+[id="distr-tracing_3-5_tempo-release-notes_known-issues_{context}"]
+==== Known issues
+
+There is currently a known issue:
+
+* Currently, when the OpenShift tenancy mode is enabled, the `ServiceAccount` object of the gateway component of a `TempoStack` or `TempoMonolithic` instance requires the `TokenReview` and `SubjectAccessReview` permissions for authorization.
++
+Workaround: Deploy the instance in a dedicated namespace, and carefully audit which users have the permission to read the secrets in this namespace.
+
+[id="distr-tracing_3-5-1_tempo-release-notes_{context}"]
+=== {TempoName} 3.5.1
+
+The {TempoName} 3.5.1 is a patch release.
+
+[id="distr-tracing_3-5-1_tempo-release-notes_cves_{context}"]
+==== CVEs
+
+The {TempoName} 3.5.1 patch release fixes the following CVEs:
+
+* link:https://access.redhat.com/security/cve/CVE-2025-2786[CVE-2025-2786]
+
+* link:https://access.redhat.com/security/cve/CVE-2025-2842[CVE-2025-2842]
+
+[id="distr-tracing_3-5-1_tempo-release-notes_breaking-changes_{context}"]
+==== Breaking changes
+
+The {TempoName} 3.5.1 update introduces the following breaking change:
+
+* With this update, for a user to create or modify a `TempoStack` or `TempoMonolithic` custom resource with enabled multi-tenancy, the user must have permissions to create a TokenReview and SubjectAccessReview.
+
+[id="distr-tracing_3-5-1_tempo-release-notes_known-issues_{context}"]
+==== Known issues
+
+There is currently a known issue:
+
+* Currently, when the OpenShift tenancy mode is enabled, the `ServiceAccount` object of the gateway component of a `TempoStack` or `TempoMonolithic` instance requires the `TokenReview` and `SubjectAccessReview` permissions for authorization.
++
+Workaround: Deploy the instance in a dedicated namespace, and carefully audit which users have the permission to read the secrets in this namespace.
+
 [id="distr-tracing_3-5_jaeger-release-notes_{context}"]
-=== {JaegerName}
+=== {JaegerName} 3.5
 
 The {JaegerName} 3.5 is the last release of the {JaegerName} that Red Hat plans to support.
 
