# Release Notes - 1.41.0
Please see our documentation page for more information on how to consume and deploy BigBang.
## Upgrade Notices
Anchore:
- The upstream helm chart went through a number of changes in this update for the UI, including one "breaking change" for the Redis deployment used by the UI.
- If you were previously overriding any Anchore Redis values via `anchore-ui-redis`, rename this key to `ui-redis`.
- As an example, `addons.anchore.values.anchore-ui-redis.architecture` would need to be modified to `addons.anchore.values.ui-redis.architecture`.
- No other issues were discovered in testing. Provided you update overrides appropriately, your deployment should function as it did previously.
Istio mTLS:
- As a reminder, the Big Bang team is incrementally turning on mTLS STRICT on packages to improve our security posture.
- This release enables STRICT mTLS for Monitoring and Metrics Server. The mTLS column in packages.md can be reviewed for an up to date list at any point.
- If you run into issues with mTLS STRICT mode, please report them to the team via Repo1 issues and set mTLS to PERMISSIVE via values until the team is able to resolve the issue:
```yaml
# Core packages sit at the top level of the Big Bang values; addons (for
# example Metrics Server) take the same block under addons.<package>.
<package>:
  values:
    istio:
      mtls:
        mode: PERMISSIVE
```
- Changes in this release also allow Prometheus to scrape metrics from Istio-injected endpoints with mTLS STRICT enforced.
- Additional details on how to set this up for third party/tenant applications can be reviewed in this document.
- The Big Bang team will be incrementally enforcing/configuring mTLS STRICT on metrics exposed by other Big Bang applications in the coming releases.
Loki:
- In this release, the statefulset templates from upstream for loki-simple-scalable installations include enough changes that a direct upgrade is not possible.
- After some testing, we've confirmed that data and PVCs persist and the Flux upgrade succeeds.
- Users MUST perform the following before upgrade, or just after, within the timeout of the flux helmrelease, or the upgrade will not be successful:
```shell
# Pre-upgrade: delete the loki read/write statefulsets
kubectl delete statefulset logging-loki-read logging-loki-write -n logging
# Post-upgrade: restart the fluent-bit pods
# (Promtail does not require a restart after upgrade)
kubectl rollout restart daemonset/logging-fluent-bit -n logging
```
- Refer to the newly updated production documentation to see what has changed and what a new "minimal" AWS setup looks like.
- Refer to this doc to see updates for configuring Grafana Enterprise Logs.
MinIO:
- The upstream helm chart went through a number of changes in this update, including specific changes to how tenant configuration is set.
- Any overrides to the default configuration previously passed via `addons.minio.values.tenants` will now need to be passed in as `addons.minio.values.tenant` (note the lack of an "s" in `tenant`).
- Additional details on changes, as well as the new values required, can be viewed in the Minio package and the update MR.
- MinIO metrics changed the scraping "mechanism" to align with our goal of STRICT mTLS scraping.
- Metrics are now being gathered from the Istio sidecar by the `monitoring-monitoring-kube-istio-envoy` job instead of a standalone scraping job for MinIO.
- As a result, the MinIO dashboard should now be filtered on `scrape_job = monitoring-monitoring-kube-istio-envoy` to properly view metrics.
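To make the Anchore and MinIO key renames above mechanical, here is an added example (not Big Bang tooling, and not taken from the project's repository) that moves the renamed keys in a Big Bang values override. It treats the override as the nested mapping `yaml.safe_load` returns, refuses to overwrite a key that already exists under the new name, and flags the MinIO `tenant` value for review when it is still a list, because the chart's tenant structure changed and not only the key name. The `RENAMES_1_41_0` table, the `dict` expected-type hints and `SAMPLE_OVERRIDES` are constructed for this example.

```python
"""Migrate a Big Bang values override for the 1.41.0 key renames.

Added example for these release notes; not Big Bang tooling. It covers
  addons.anchore.values.anchore-ui-redis -> addons.anchore.values.ui-redis
  addons.minio.values.tenants           -> addons.minio.values.tenant
The core works on the nested dict yaml.safe_load() returns, so only
migrate_file() at the bottom needs PyYAML.
"""
import copy

# (old dotted path, new dotted path, expected type of the moved value).
# The expected type is an assumption used only to flag entries for review:
# both keys hold a mapping in the new charts, so a list under `tenant`
# (the old multi-tenant layout) is moved but reported for review.
RENAMES_1_41_0 = [
    ("addons.anchore.values.anchore-ui-redis", "addons.anchore.values.ui-redis", dict),
    ("addons.minio.values.tenants", "addons.minio.values.tenant", dict),
]

# Constructed sample override, not taken from any real deployment.
SAMPLE_OVERRIDES = {
    "addons": {
        "anchore": {"values": {"anchore-ui-redis": {"architecture": "standalone"}}},
        "minio": {"values": {"tenants": [{"name": "minio", "pools": []}]}},
    }
}


def _parent(tree, path, create=False):
    """Return the mapping holding path[-1]; None if missing and not create."""
    node = tree
    for key in path[:-1]:
        if not isinstance(node, dict):
            return None
        if key not in node:
            if not create:
                return None
            node[key] = {}
        node = node[key]
    return node if isinstance(node, dict) else None


def migrate_values(values, renames=RENAMES_1_41_0):
    """Return (new_values, report) without modifying the input.

    report entries are (status, old_path, new_path) with status one of:
      "absent"             old key not present, nothing to do
      "conflict"           both keys present; nothing is moved so no
                           existing override is silently overwritten
      "moved"              old key moved to the new name
      "moved-needs-review" moved, but the value is not of the expected
                           type, so the chart's new schema must be checked
    """
    out = copy.deepcopy(values)
    report = []
    for old, new, expected in renames:
        old_path, new_path = old.split("."), new.split(".")
        src = _parent(out, old_path)
        if src is None or old_path[-1] not in src:
            report.append(("absent", old, new))
            continue
        dst = _parent(out, new_path)
        if dst is not None and new_path[-1] in dst:
            report.append(("conflict", old, new))
            continue
        dst = _parent(out, new_path, create=True)
        if dst is None:
            raise ValueError(f"cannot create parent mapping for {new}")
        dst[new_path[-1]] = src.pop(old_path[-1])
        status = "moved" if isinstance(dst[new_path[-1]], expected) else "moved-needs-review"
        report.append((status, old, new))
    return out, report


def migrate_file(src_path, dst_path):
    """Rewrite a values file on disk; requires PyYAML (pip install pyyaml)."""
    import yaml
    with open(src_path) as fh:
        values = yaml.safe_load(fh) or {}
    new_values, report = migrate_values(values)
    with open(dst_path, "w") as fh:
        yaml.safe_dump(new_values, fh, sort_keys=False)
    return report


if __name__ == "__main__":
    import sys
    report = (migrate_file(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3
              else migrate_values(SAMPLE_OVERRIDES)[1])
    for status, old, new in report:
        print(f"{status:19} {old} -> {new}")
```

Run it as `python migrate_values.py old-values.yaml new-values.yaml` and read the report before committing the result: a `conflict` or `moved-needs-review` line means the override still needs a human, and a pure rename is never enough for a MinIO tenant that was defined under the old list layout.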
## Upgrades from previous releases
If coming from a version pre-1.40.0, note the additional upgrade notices in any release in between. The BB team doesn't test/guarantee upgrades from anything pre-1.40.0.
## Packages
Package | Type | Package Version | BB Version |
---|---|---|---|
Istio Controlplane | Core | Istio 1.14.3, Tetrate Istio Distro 1.13.5 | 1.14.3-bb.2 |
Istio Operator | Core | Istio Operator 1.14.3, Tetrate Istio Distro Operator 1.13.5 | 1.14.3-bb.0 |
Jaeger | Core | 1.36.0 | 2.34.0-bb.0 |
Kiali | Core | 1.54.0 | 1.54.0-bb.0 |
Cluster Auditor | Core | 0.0.4 | 1.4.0-bb.7 |
Gatekeeper | Core | 3.9.0 | 3.9.0-bb.0 |
Kyverno | Core | 1.7.2 | 2.5.2-bb.0 |
Kyverno Policies | Core | 1.0.1 | 1.0.1-bb.0 |
Elasticsearch Kibana | Core | Kibana 8.3.1, Elasticsearch 8.3.2 | 0.9.0-bb.1 |
Eck Operator | Core | 2.3.0 | 2.3.0-bb.0 |
Fluentbit | Core | 1.9.6 | 0.20.3-bb.1 |
Promtail | Core | 2.6.1 | 6.2.2-bb.0 |
Loki | Core | 2.6.0 | 1.7.6-bb.1 |
Tempo | Core | Tempo 1.4.1, Tempo Query 1.4.1 | 0.15.1-bb.7 |
Monitoring | Core | Prometheus 2.37.0, Grafana 9.0.6, Alertmanager 0.24.0 | 39.2.1-bb.5 |
Twistlock | Core | 22.06.179 | 0.9.0-bb.4 |
Argocd | Addon | 2.4.7 | 4.10.0-bb.1 |
Authservice | Addon | 0.5.2 | 0.5.2-bb.0 |
Minio Operator | Addon | 4.4.25 | 4.4.25-bb.0 |
Minio | Addon | RELEASE.2022-07-08T00-05-23Z | 4.4.25-bb.0 |
Gitlab | Addon | 15.2.1 | 6.2.1-bb.1 |
Gitlab Runner | Addon | 15.2.1 | 0.43.1-bb.1 |
Nexus | Addon | 3.41.0-01 | 41.0.0-bb.0 |
Sonarqube | Addon | 8.9.9-community | 1.0.29-bb.2 |
Haproxy | Addon | 2.2.21 | 1.12.0-bb.0 |
Anchore Enterprise | Addon | Enterprise 4.0.3, Engine 1.1.0 | 1.19.2-bb.0 |
Mattermost Operator | Addon | 1.18.1 | 1.18.1-bb.0 |
Mattermost | Addon | 7.1.2 | 7.1.2-bb.1 |
Velero | Addon | 1.9.0 | 2.30.1-bb.1 |
Keycloak | Addon | Keycloak 18.0.2-legacy, PlatformOne Plugin 1.2.0 | 18.2.1-bb.3 |
Vault | Addon | 1.11.2 | 0.21.0-bb.0 |
Metrics Server | Addon | 0.6.1 | 3.8.0-bb.4 |
## Changes in 1.41.0
### Big Bang MRs
- !1969: Feat: creating promtail architecture document
- !1987: Add new comments/variables for the clusterauditor no data check fix
### Istio Controlplane
# Changelog Updates
## [1.14.3-bb.2]
### Changed
- Added Openshift DNS to networkpolicy egress
## [1.14.3-bb.1]
### Changed
- Removed legacy fluentd exception
### Jaeger
- !1974: Update Jaeger to 1.36.0
# Changelog Updates
## [2.34.0-bb.0]
### Changed
- Updated Jaeger images to 1.36.0 (latest operator version)
### Cluster Auditor
# Changelog Updates
## [1.4.0-bb.7]
### Updated
- PrometheusRule resource for OPA constraint alerts
## [1.4.0-bb.6]
### Updated
- Cypress test now checks the table with the list of violations and the "violations by kind" bar chart for a "no data" message.
### Gatekeeper
- !1978: Adding preUninstall/deleteWebhookConfigurations to chart/templates/gatekeeper/values.yaml
- !1988: Update gatekeeper to 3.9.0
# Changelog Updates
## [3.9.0-bb.0]
### Changed
- Updated application and corresponding helm chart to v3.9.0
### Kyverno
- !1972: Update Kyverno to 1.7.2
# Changelog Updates
## [2.5.2-bb.0] - 2022-08-12
### Changed
- Updated Helm chart to v2.5.2
- Updated Kyverno to v1.7.2
### Elasticsearch Kibana
- !1971: EK Init Container drop capabilities and logging chart bump
- !1976: Update EK to 8.3.x
- !1995: Fix conditionals for EK drop capabilities SSO
# Changelog Updates
## [0.9.0-bb.1] - 2022-08-17
### Changed
- Added universal drops for capabilities to containers' securityContexts
- Edited naming of VolumeMounts to default
## [0.9.0-bb.0] - 2022-07-15
### Changed
- Updated chart version to `0.9.0-bb.0`
- Updated appVersion to `8.3.2`
- Updated Kibana to `8.3.1`
- Updated Elasticsearch to `8.3.2`
### Fluentbit
- !1973: Fluentbit: Fix storage buffer limits/Loki outputs
# Changelog Updates
## [0.20.3-bb.1]
### Changed
- Added storage buffer limit for all `additionalOutputs`
### Loki
- !1908: SKIP UPGRADE BB template changes for new Loki Chart Refactor
- !1996: Fix Loki version annotation
# Changelog Updates
## [1.7.6-bb.1]
### Added
- Added appVersion annotation to Chart.yaml
## [1.7.6-bb.0]
### Changed
- Matching chart base to upstream `loki-simple-scalable` instead of utilizing as sub-chart
- `loki` value updated to `monolith`
- `gel` values migrated to `enterprise` for better native support of Grafana Enterprise Logs
### Monitoring
- !1900: Monitoring mTLS / Prometheus mTLS Scraping
# Changelog Updates
## [39.2.1-bb.5]
### Changed
- Helm dependency update for Grafana subchart
## [39.2.1-bb.4]
### Added
- Strict mTLS for monitoring
## [39.2.1-bb.3]
### Changed
- Updated images to latest IB image versions: kube-webhook-certgen -> `v1.3.0`, grafana-plugins -> `9.0.6`, k8s-sidecar -> `v1.19.4`
### Twistlock
- !1984: Twistlock: Provide values for defender tolerations
# Changelog Updates
## [0.9.0-bb.4] - 2022-08-15
### Fixed
- Update Defender's daemonSet to support/add tolerations
### Authservice
- !1970: Authservice 0.5.2 Update
# Changelog Updates
## [0.5.2-bb.0]
### Changed
- Updated to 0.5.2 Authservice image version
- Add allow_unmatched_requests toggle with corresponding change to CUSTOM authz policy
### MinIO
- !1952: Update Minio to 4.4.25 and cleanup secrets
# Changelog Updates
## [4.4.25-bb.0] - 2022-07-11
### Changed
- Update to 4.4.25
- Update MinIO image to RELEASE.2022-07-08T00-05-23Z
### GitLab
- !1979: Updated gitlab git tag
- !1981: Updated gitlab git tag
- !1985: Updated gitlab git tag: Enhanced Monitoring
# Changelog Updates
## [6.2.1-bb.1] - 2022-08-18
### Changed
- Remove ServiceMonitor created by BigBang and enable upstream ones.
## [6.2.1-bb.0] - 2022-08-18
### Updated
- Updated helm chart to 6.2.1 and appVersion to 15.2.1
### GitLab Runner
- !1977: Update Gitlab Runner to 15.2.1
# Changelog Updates
## [0.43.1-bb.0] - 2022-08-16
### Updated
- Update helm chart to v0.43.1 app version 15.2.1
### Nexus
# Changelog Updates
## [41.0.0-bb.0] - 2022-08-11
### Changed
- Updated chart to version: 41.0.0-bb.0 | appVersion: 3.41.0
### Anchore Enterprise
- !1980: Update Anchore Enterprise to 4.0.3
# Changelog Updates
## [1.19.2-bb.0]
### Changed
- Bumped chart version to `1.19.2`
- Bumped Anchore Enterprise image tag to `4.0.3`
- Bumped Anchore Enterprise UI image tag to `4.0.3`
### Mattermost
- !1958: Mattermost: Add grafana dashboard
# Changelog Updates
## [7.1.2-bb.1] - 2022-08-09
### Added
- Added grafana dashboard configmap and dashboard json when `monitoring.enabled` and `enterprise.enabled`
### Vault
- !1989: Update Vault to 1.11.2
# Changelog Updates
## [0.21.0-bb.0] - 2022-08-12
### Updated
- Updated `vault` to `1.11.2`, `vault-k8s` to `1.17.0`
### Metrics Server
- !1968: Metrics Server: Istio mTLS STRICT
# Changelog Updates
## [3.8.0-bb.4]
### Added
- Added default Istio `PeerAuthentication` for mTLS
## [3.8.0-bb.3]
### Added
- Added `renovate.json` to package root to allow the renovate bot to create Issues/MRs for updates
## Known Issues
- On some k8s distros certain components in the kube-system namespace are unable to be scraped by Prometheus due to the services' default network interface binding.
- Vault is in beta and therefore not recommended for operational use. We are still working on a few issues. If you set the extra environment variable `AGENT_INJECT_VAULT_ADDR` for the Injector ENVs you will encounter a helm install error due to duplicate ENVs. In our testing the Prometheus pod is not being injected with a Vault sidecar and Prometheus is not able to scrape metrics.
- When deploying Monitoring with network policies disabled you will run into issues with Grafana. The current workaround is to delete a network policy that was missing conditionals, which can be done via `kubectl delete networkpolicy -n monitoring allow-from-flux`. Note that deploying without network policies is STRONGLY discouraged with the exception of development testing/debugging. This issue will be fixed in 1.42.0.
## Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our chat
- Check out the documentation for guidance on how to get started
## Future
Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.