Chapter 1. Release notes for the Red Hat OpenShift Distributed Tracing Platform 3.9

This update extends the TempoStack Custom Resource Definition (CRD) with a network policy option that enables the Operator to reconcile network policies among all components. This option is enabled by default.

TRACING-5807

This update adds support for overriding the Operator configuration by using environment variables. You can configure Operator settings through the Subscription custom resource of the Operator Lifecycle Manager (OLM) without modifying ConfigMaps. The --config flag remains available for custom configuration files if needed.

TRACING-5745

This update introduces the size field for TempoStack deployments, which provides predefined t-shirt size configurations. Instead of manually calculating CPU, memory, and storage for each component, you can select a size that matches your workload scale. The following sizes are available: 1x.demo, 1x.pico, 1x.extra-small, 1x.small, and 1x.medium. This field is optional and existing configurations using resources.total or per-component overrides continue to work unchanged.

TRACING-5376

The Operator now automatically sets the GOMEMLIMIT soft memory limit for the Go garbage collector to 80% of the container memory limit for all Tempo components in a Tempo monolithic deployment. This reduces the likelihood of out-of-memory terminations.

TRACING-4554

This update requires tenant configuration and an enabled gateway for TempoStack and TempoMonolithic instances. If you do not enable the gateway, the Operator displays a warning. For a TempoStack instance, enable the gateway by setting .spec.template.gateway.enabled to true. For a TempoMonolithic instance, the gateway is enabled automatically when any tenant is configured. TempoStack and TempoMonolithic instances without an enabled gateway are not supported.

TRACING-5750

When Tempo Monolithic is configured with multitenancy.enabled: true and ingestion.otlp.http.tls.enabled: true, the gateway forwards OTLP HTTP traffic to the Tempo receiver using plain HTTP instead of HTTPS. As a consequence, the connection fails with a connection reset by peer error because the receiver expects TLS connections. OTLP gRPC ingestion through the gateway is not affected.

To work around this problem, disable TLS on the OTLP HTTP receiver by setting ingestion.otlp.http.tls.enabled: false.

TRACING-5973

Before this update, the Operator network policies used a hard-coded port 6443 for the API server. As a consequence, the Operator failed to connect to managed OpenShift services that expose the API on port 443. With this update, the Operator dynamically retrieves the control plane address from service endpoints. As a result, network policies work correctly on all OpenShift environments.

TRACING-5974

Before this update, a flaw existed in the net/url package in the Go standard library. As a consequence, a denial-of-service HTTP request with a massive number of query parameters could cause the application to consume an excessive amount of memory and eventually become unresponsive. This release eliminates this flaw.

CVE-2025-61726

Before this update, the HostnameError.Error() function in the Go crypto/x509 package used string concatenation in a loop without limiting the number of printed hostnames. As a consequence, processing a malicious certificate with many hostnames could cause excessive CPU and memory consumption, leading to a denial-of-service condition. This release includes the fix for this flaw.

CVE-2025-61729

Before this update, a flaw existed in the crypto/tls package in the Go standard library. As a consequence, during TLS session resumption, unauthorized clients or servers could bypass certificate validation if CA pools were mutated between handshakes. This release includes the fix for this flaw.

CVE-2025-68121