Epic
Resolution: Done
Support non-multitenancy TempoStack and TempoMonolithic instances in Tracing UI
The most common question for the Tracing UI is: "Why is my Tempo instance not showing up?"
Non-multitenancy instances are not supported because they don't deploy a gateway and therefore don't have any authentication/authorization.
To support these instances, we can add an RBAC check on the UI plugin backend (check if the user has access to the namespace of the Tempo instance).
- Add a required field to Tempo CRs to indicate a non secure instance is going to be created (e.g. tenants.mode=insecure)
- Add oauth proxy for Tempo query frontend
- Show non secure instances in the UI
The service account of the oauth-proxy pod requires TokenReview and SubjectAccessReview to verify the bearer token. However, granting these roles poses a security issue, as it can lead to privilege escalation (ownership of one namespace could lead to getting cluster-wide SubjectAccessReview access). Therefore, we won't support this and will show a warning in the docs and in the validating webhook.
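One way the namespace RBAC check proposed above could be done from the UI plugin backend, as an added example that is not the plugin's own code: post a Kubernetes SelfSubjectAccessReview with the user's bearer token, so the decision is made for that user's identity. Assumptions: the backend receives the user's token, "access to the namespace" means the verb `get` on the Tempo CR resource, and `CanView` and `fakeAPI` are hypothetical names, the latter a constructed stand-in for the API server.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// CanView asks the API server, with the user's own token, whether that user may
// "get" Tempo CRs in ns (assumed reading of "access to the namespace"). Fails closed.
func CanView(apiURL, userToken, ns, resource string) bool {
	body, _ := json.Marshal(map[string]any{"apiVersion": "authorization.k8s.io/v1",
		"kind": "SelfSubjectAccessReview", "spec": map[string]any{"resourceAttributes": map[string]string{
			"namespace": ns, "verb": "get", "group": "tempo.grafana.com", "resource": resource}}})
	req, err := http.NewRequest(http.MethodPost,
		apiURL+"/apis/authorization.k8s.io/v1/selfsubjectaccessreviews", bytes.NewReader(body))
	if err != nil {
		return false
	}
	req.Header.Set("Authorization", "Bearer "+userToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false
	}
	defer resp.Body.Close()
	var out struct{ Status struct{ Allowed bool } }
	return resp.StatusCode == http.StatusCreated &&
		json.NewDecoder(resp.Body).Decode(&out) == nil && out.Status.Allowed
}

// fakeAPI is a constructed stand-in: token "alice" may only access "team-a".
func fakeAPI() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, q *http.Request) {
		var in struct{ Spec struct{ ResourceAttributes map[string]string } }
		json.NewDecoder(q.Body).Decode(&in)
		ok := q.Header.Get("Authorization") == "Bearer alice" &&
			in.Spec.ResourceAttributes["namespace"] == "team-a"
		w.WriteHeader(http.StatusCreated)
		fmt.Fprintf(w, `{"status":{"allowed":%t}}`, ok)
	}))
}

func main() {
	srv := fakeAPI()
	defer srv.Close()
	fmt.Println(CanView(srv.URL, "alice", "team-a", "tempostacks"), CanView(srv.URL, "alice", "team-b", "tempostacks"))
}
```

Any transport error, non-201 status or undecodable reply is treated as a denial, so an instance is hidden rather than shown when the check cannot be completed.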