diff --git a/charts/grafana/Chart.yaml b/charts/grafana/Chart.yaml
index 230e328b7f..801e09433b 100644
--- a/charts/grafana/Chart.yaml
+++ b/charts/grafana/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: grafana
-version: 6.17.11
+version: 6.18.1
 appVersion: 8.3.0
 kubeVersion: "^1.8.0-0"
 description: The leading tool for querying and visualizing time series and metrics.
diff --git a/charts/grafana/README.md b/charts/grafana/README.md
index 8b09875c41..96dc902900 100644
--- a/charts/grafana/README.md
+++ b/charts/grafana/README.md
@@ -234,6 +234,11 @@ This version requires Helm >= 3.1.0.
 | `imageRenderer.networkPolicy.limitIngress` | Enable a NetworkPolicy to limit inbound traffic from only the created grafana pods | `true` |
 | `imageRenderer.networkPolicy.limitEgress` | Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods | `false` |
 | `imageRenderer.resources` | Set resource limits for image-renderer pdos | `{}` |
+| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` |
+| `networkPolicy.allowExternal` | Don't require client label for connections | `true` |
+| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` |
+
+
 ### Example ingress with path
@@ -533,12 +538,12 @@ By default the image-renderer pods will have a network policy which only allows ### High Availability for unified alerting -If you want to run Grafana in a high availability cluster you need to enable +If you want to run Grafana in a high availability cluster you need to enable the headless service by setting `headlessService: true` in your `values.yaml` file. -As next step you have to setup the `grafana.ini` in your `values.yaml` in a way -that it will make use of the headless service to obtain all the IPs of the +As next step you have to setup the `grafana.ini` in your `values.yaml` in a way +that it will make use of the headless service to obtain all the IPs of the cluster. You should replace ``{{ Name }}`` with the name of your helm deployment. ```yaml diff --git a/charts/grafana/templates/networkpolicy.yaml b/charts/grafana/templates/networkpolicy.yaml new file mode 100644 index 0000000000..fc243828e0 --- /dev/null +++ b/charts/grafana/templates/networkpolicy.yaml 
@@ -0,0 +1,37 @@
+{{- if .Values.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "grafana.fullname" . }}
+ namespace: {{ template "grafana.namespace" . }}
+ labels:
+ {{- include "grafana.labels" . | nindent 4 }}
+{{- if .Values.labels }}
+{{ toYaml .Values.labels | indent 4 }}
+{{- end }}
+{{- with .Values.annotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+ podSelector:
+ matchLabels:
+ {{- include "grafana.selectorLabels" . | nindent 6 }}
+ ingress:
+ - ports:
+ - port: {{ .Values.service.targetPort }}
+ {{- if not .Values.networkPolicy.allowExternal }}
+ from:
+ - podSelector:
+ matchLabels:
+ {{ template "grafana.fullname" . }}-client: "true"
+ {{- if .Values.networkPolicy.explicitNamespacesSelector }}
+ namespaceSelector:
+ {{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }}
+ {{- end }}
+ - podSelector:
+ matchLabels:
+ {{- include "grafana.labels" . | nindent 14 }}
+ role: read
+ {{- end }}
+{{- end }}
diff --git a/charts/grafana/values.yaml b/charts/grafana/values.yaml
index 5da339c1a3..8b5e74d7ec 100644
--- a/charts/grafana/values.yaml
+++ b/charts/grafana/values.yaml
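Review bot: In the `allowExternal: false` branch the second `from` peer selects pods by the full `grafana.labels` set plus `role: read`, while the policy's own `podSelector` uses `grafana.selectorLabels`; if `grafana.labels` carries non-selector labels such as a chart-version label (its definition is outside this hunk), that peer only matches pods stamped with this exact chart release, and nothing in this hunk gives any pod `role: read`, so the entry looks dead or at best brittle — use `{{- include "grafana.selectorLabels" . | nindent 14 }}` there, or drop the peer if no such pod exists. The `namespaceSelector` value is rendered with `{{ toYaml ... | indent 12 }}` on a template line that itself carries leading whitespace (visible as `+ {{ toYaml`, unlike the column-0 `+{{ toYaml .Values.labels`); `indent` prefixes every line including the first, so the first key would get the line's own indent plus 12 spaces and the selector would render as invalid YAML — `{{- toYaml .Values.networkPolicy.explicitNamespacesSelector | nindent 12 }}` avoids that and matches the `nindent` idiom used elsewhere in this file. Also worth a comment above `ingress:` that the default `allowExternal: true` admits any source on `service.targetPort` (the policy then only isolates the pods' other ports), and that with `allowExternal: false` every in-cluster client — including an image-renderer callback if that component is enabled — must carry the `<fullname>-client: "true"` label and, when `explicitNamespacesSelector` is set, also live in a namespace it matches, since both selectors sit in one peer and are ANDed.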
@@ -760,3 +760,29 @@ imageRenderer:
 # requests:
 # cpu: 50m
 # memory: 50Mi
+
+networkPolicy:
+ ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now.
+ ##
+ enabled: false
+ ## @param networkPolicy.allowExternal Don't require client label for connections
+ ## The Policy model to apply. When set to false, only pods with the correct
+ ## client label will have network access to grafana port defined.
+ ## When true, grafana will accept connections from any source
+ ## (with the correct destination port).
+ ##
+ allowExternal: true
+ ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed
+ ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace
+ ## and that match other criteria, the ones that have the good label, can reach the grafana.
+ ## But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this
+ ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added.
+ ##
+ ## Example:
+ ## explicitNamespacesSelector:
+ ## matchLabels:
+ ## role: frontend
+ ## matchExpressions:
+ ## - {key: role, operator: In, values: [frontend]}
+ ##
+ explicitNamespacesSelector: {}
diff --git a/charts/tempo/Chart.yaml b/charts/tempo/Chart.yaml
index 64677efd0d..d6550762e1 100644
--- a/charts/tempo/Chart.yaml
+++ b/charts/tempo/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: tempo
 description: Grafana Tempo Single Binary Mode
 type: application
-version: 0.12.0
+version: 0.12.1
 appVersion: 1.2.1
 engine: gotpl
 home: https://grafana.net
diff --git a/charts/tempo/README.md b/charts/tempo/README.md
index 4e695b7454..1fabe07af3 100644
--- a/charts/tempo/README.md
+++ b/charts/tempo/README.md
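Review bot: The `allowExternal` comment does not say what `enabled: true` still does with the default `allowExternal: true` kept: the template selects the Grafana pods and permits ingress only on `service.targetPort`, so any other port on those pods becomes unreachable even though the source is unrestricted; suggest appending `## Note: with allowExternal=true, enabling the policy still drops ingress to any port other than service.targetPort.` The `explicitNamespacesSelector` paragraph is hard to follow ("the ones that have the good label"); a tighter version would read `## Empty: only client pods in this release's namespace carrying the <fullname>-client="true" label can reach Grafana. A LabelSelector here admits labelled client pods from the matching namespaces instead; the selector is ANDed with the pod label, so include this release's namespace or same-namespace clients are locked out.` That lock-out is the practical consequence a user setting this value needs to see up front.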
@@ -1,6 +1,6 @@ # tempo -![Version: 0.12.0](https://img.shields.io/badge/Version-0.12.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) +![Version: 0.12.1](https://img.shields.io/badge/Version-0.12.1-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.1](https://img.shields.io/badge/AppVersion-1.2.1-informational?style=flat-square) Grafana Tempo Single Binary Mode @@ -40,6 +40,7 @@ Grafana Tempo Single Binary Mode | tempo.extraVolumeMounts | list | `[]` | Volume mounts to add | | tempo.ingester | object | `{}` | | | tempo.memBallastSizeMbs | int | `1024` | | +| tempo.overrides | object | `{}` | | | tempo.pullPolicy | string | `"IfNotPresent"` | | | tempo.receivers.jaeger.protocols.grpc.endpoint | string | `"0.0.0.0:14250"` | | | tempo.receivers.jaeger.protocols.thrift_binary.endpoint | string | `"0.0.0.0:6832"` | | diff --git a/charts/tempo/templates/configmap-tempo.yaml b/charts/tempo/templates/configmap-tempo.yaml index 19d4f1b56c..979deda151 100644 --- a/charts/tempo/templates/configmap-tempo.yaml +++ b/charts/tempo/templates/configmap-tempo.yaml @@ -8,6 +8,7 @@ metadata: data: overrides.yaml: | overrides: + {{- toYaml .Values.tempo.overrides | nindent 6 }} tempo.yaml: | auth_enabled: {{ .Values.tempo.authEnabled }} search_enabled: {{ .Values.tempo.searchEnabled }} diff --git a/charts/tempo/values.yaml b/charts/tempo/values.yaml index 22d4c56a03..4e121f2538 100644 --- a/charts/tempo/values.yaml +++ b/charts/tempo/values.yaml @@ -31,6 +31,7 @@ tempo: searchEnabled: false ingester: {} retention: 24h + overrides: {} # Tempo server configuration # Refers to https://grafana.com/docs/tempo/latest/configuration/#server
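Review bot: `overrides: {}` in tempo's values.yaml is added without any comment, and the matching README row has an empty description column, so nothing tells a user what shape is expected; the ConfigMap hunk renders the value verbatim under `overrides:` in `overrides.yaml` via `toYaml | nindent 6`, so nothing validates it before Tempo reads the file. Suggest a comment above the key in the style of the neighbouring `# Refers to ...` entries: `# Mapping rendered verbatim into overrides.yaml under 'overrides:'; see https://grafana.com/docs/tempo/latest/configuration/#overrides` — confirm that anchor against the Tempo docs before committing it. With the empty default the rendered file is `overrides:` followed by an indented `{}`, which is valid; the comment should state the value must be a mapping, since a scalar would be rendered just as happily.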