Release Notes - 1.41.0

Please see our documentation page for more information on how to consume and deploy BigBang.

Upgrade Notices

Anchore:

  • The upstream helm chart went through a number of changes in this update for the UI, including one “breaking change” for the Redis deployment used by the UI

  • If you were previously overriding any Anchore Redis values via anchore-ui-redis, modify this key to ui-redis

  • As an example, addons.anchore.values.anchore-ui-redis.architecture would need to be modified to addons.anchore.values.ui-redis.architecture

  • No other issues were discovered in testing. Provided you update overrides appropriately, your deployment should function as it did previously

Istio mTLS:

  • As a reminder, the Big Bang team is incrementally turning on mTLS STRICT on packages to improve our security posture.

  • This release enables STRICT mTLS for Monitoring and Metrics Server. The mTLS column in packages.md can be reviewed for an up to date list at any point.

  • If you run into issues with mTLS STRICT mode, please report them to the team via Repo1 issues and turn mTLS to PERMISSIVE via values until the team is able to resolve the issue:

<package>:
  values:
    istio:
      mtls:
        mode: PERMISSIVE

  • Changes in this release have also provided the ability for Prometheus to scrape metrics from Istio injected endpoints with mTLS STRICT enforcement

  • Additional details on how to set this up for third party/tenant applications can be reviewed in this document

  • The Big Bang team will be incrementally enforcing/configuring mTLS STRICT on metrics exposed by other Big Bang applications in the coming releases

Loki:

  • In this release, the statefulset templates from upstream for loki-simple-scalable installations include enough changes that a direct upgrade is not possible.

  • After some testing, we’ve confirmed that data and PVCs persist and a flux upgrade is happy.

  • Users MUST perform the following before upgrade, or just after, within the timeout of the flux helmrelease, or the upgrade will not be successful:

# Pre-upgrade delete loki statefulsets
kubectl delete statefulset logging-loki-read logging-loki-write -n logging

# Post-upgrade restart fluent-bit pods
# Promtail does not require a restart after upgrade
kubectl rollout restart daemonset/logging-fluent-bit -n logging

  • Refer to the newly updated production documentation to see what has changed and what a new “minimal” AWS setup looks like.

  • Refer to this doc to see updates for configuring Grafana Enterprise Logs

MinIO:

  • The upstream helm chart went through a number of changes in this update, including specific changes to how tenant configuration is set.

  • Any overrides to the default configuration passed via addons.minio.values.tenants previously will now need to be passed in as addons.minio.values.tenant (note the lack of s in tenant).

  • Additional details on changes, as well as the new values required, can be viewed in the Minio package and the update MR.

  • MinIO metrics changed the scraping “mechanism” to align with our goal of STRICT mTLS scraping.

  • Metrics are now being gathered from the Istio sidecar by the monitoring-monitoring-kube-istio-envoy job instead of a standalone scraping job for MinIO

  • As a result, the MinIO dashboard should not be filtered on scrape_job = monitoring-monitoring-kube-istio-envoy to properly view metrics
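
The two key renames from the Anchore and MinIO notices can be checked mechanically before upgrading. The following is an added example, not Big Bang project code: it assumes the overrides file has already been parsed into a Python dict, the function names are hypothetical, and the sample values are constructed. It only moves the keys; the new values that MinIO requires under tenant still need to be reviewed against the package documentation.

```python
import copy

# Renames taken from the Anchore and MinIO upgrade notices above:
# (path to the parent mapping, old key, new key)
RENAMES = [
    (("addons", "anchore", "values"), "anchore-ui-redis", "ui-redis"),
    (("addons", "minio", "values"), "tenants", "tenant"),
]


def _descend(values, path):
    """Return the mapping at `path`, or None if any level is missing."""
    node = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, dict) else None


def migrate_overrides(values):
    """Return (migrated copy, findings) without mutating the input."""
    migrated = copy.deepcopy(values)
    findings = []
    for path, old, new in RENAMES:
        parent = _descend(migrated, path)
        if parent is None or old not in parent:
            continue
        dotted = ".".join(path)
        if new in parent:
            # Both keys set: do not guess which one wins, leave for a human.
            findings.append(f"CONFLICT {dotted}: both {old} and {new} are set")
            continue
        parent[new] = parent.pop(old)
        findings.append(f"RENAMED {dotted}.{old} -> {dotted}.{new}")
    return migrated, findings


# Constructed sample overrides, as they would look after parsing a values file.
SAMPLE = {
    "addons": {
        "anchore": {"values": {"anchore-ui-redis": {"architecture": "standalone"}}},
        "minio": {"values": {"tenants": {"pools": [{"servers": 4}]},
                             "tenant": {"pools": [{"servers": 2}]}}},
    }
}

if __name__ == "__main__":
    print("\n".join(migrate_overrides(SAMPLE)[1]))
```

A CONFLICT finding means both the old and the new key are present; the old key is left in place so the two can be reconciled by hand.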

Upgrades from previous releases

If coming from a version pre-1.40.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-1.40.0.

Packages

| | Package | Type | Package Version | BB Version |
|---|---|---|---|---|
| Updated | Istio Controlplane | Core | Istio 1.14.3, Tetrate Istio Distro 1.13.5 | 1.14.3-bb.2 |
| | Istio Operator | Core | Istio Operator 1.14.3, Tetrate Istio Distro Operator 1.13.5 | 1.14.3-bb.0 |
| Updated | Jaeger | Core | 1.36.0 | 2.34.0-bb.0 |
| | Kiali | Core | 1.54.0 | 1.54.0-bb.0 |
| Updated | Cluster Auditor | Core | 0.0.4 | 1.4.0-bb.7 |
| Updated | Gatekeeper | Core | 3.9.0 | 3.9.0-bb.0 |
| Updated | Kyverno | Core | 1.7.2 | 2.5.2-bb.0 |
| | Kyverno Policies BETA | Core | 1.0.1 | 1.0.1-bb.0 |
| Updated | Elasticsearch Kibana | Core | Kibana 8.3.1, Elasticsearch 8.3.2 | 0.9.0-bb.1 |
| | Eck Operator | Core | 2.3.0 | 2.3.0-bb.0 |
| Updated | Fluentbit | Core | 1.9.6 | 0.20.3-bb.1 |
| | Promtail BETA | Core | 2.6.1 | 6.2.2-bb.0 |
| Updated | Loki BETA | Core | 2.6.0 | 1.7.6-bb.1 |
| | Tempo BETA | Core | Tempo 1.4.1, Tempo Query 1.4.1 | 0.15.1-bb.7 |
| Updated | Monitoring | Core | Prometheus 2.37.0, Grafana 9.0.6, Alertmanager 0.24.0 | 39.2.1-bb.5 |
| Updated | Twistlock | Core | 22.06.179 | 0.9.0-bb.4 |
| | Argocd | Addon | 2.4.7 | 4.10.0-bb.1 |
| Updated | Authservice | Addon | 0.5.2 | 0.5.2-bb.0 |
| | Minio Operator | Addon | 4.4.25 | 4.4.25-bb.0 |
| Updated | Minio | Addon | RELEASE.2022-07-08T00-05-23Z | 4.4.25-bb.0 |
| Updated | Gitlab | Addon | 15.2.1 | 6.2.1-bb.1 |
| Updated | Gitlab Runner | Addon | 15.2.1 | 0.43.1-bb.1 |
| Updated | Nexus | Addon | 3.41.0-01 | 41.0.0-bb.0 |
| | Sonarqube | Addon | 8.9.9-community | 1.0.29-bb.2 |
| | Haproxy | Addon | 2.2.21 | 1.12.0-bb.0 |
| Updated | Anchore Enterprise | Addon | Enterprise 4.0.3, Engine 1.1.0 | 1.19.2-bb.0 |
| | Mattermost Operator | Addon | 1.18.1 | 1.18.1-bb.0 |
| Updated | Mattermost | Addon | 7.1.2 | 7.1.2-bb.1 |
| | Velero | Addon | 1.9.0 | 2.30.1-bb.1 |
| | Keycloak | Addon | Keycloak 18.0.2-legacy, PlatformOne Plugin 1.2.0 | 18.2.1-bb.3 |
| Updated | Vault BETA | Addon | 1.11.2 | 0.21.0-bb.0 |
| Updated | Metrics Server | Addon | 0.6.1 | 3.8.0-bb.4 |

Changes in 1.41.0

Big Bang MRs

  • !1969: Feat: creating promtail architecture document
  • !1987: Add new comments/variables for the clusterauditor no data check fix

Istio Controlplane

  • !1962: Istio: Remove unnecessary fluentd sidecar exception
  • !1991: Istio: Openshift DNS fix

# Changelog Updates

## [1.14.3-bb.2]

### Changed

- Added Openshift DNS to networkpolicy egress

## [1.14.3-bb.1]

### Changed

- Removed legacy fluentd exception

Jaeger

  • !1974: Update Jaeger to 1.36.0

# Changelog Updates

## [2.34.0-bb.0]

### Changed

- Updated Jaeger images to 1.36.0 (latest operator version)

Cluster Auditor

  • !1983: Fix Cluster Auditor CI check
  • !1994: Add alerts for cluster auditor

# Changelog Updates

## [1.4.0-bb.7]

### Updated

- PrometheusRule resource for OPA constraint alerts

## [1.4.0-bb.6]

### Updated

- Cypress test now checks the table with the list of violations and the "violations by kind" bar chart for a "no data" message.

Gatekeeper

  • !1978: Adding preUninstall/deleteWebhookConfigurations to chart/templates/gatekeeper/values.yaml
  • !1988: Update gatekeeper to 3.9.0

# Changelog Updates

## [3.9.0-bb.0]

### Changed

- Updated application and corresponding helm chart to v3.9.0

Kyverno

  • !1972: Update Kyverno to 1.7.2

# Changelog Updates

## [2.5.2-bb.0] - 2022-08-12

### Changed

- Updated Helm chart to v2.5.2
- Updated Kyverno to v1.7.2

Elasticsearch Kibana

  • !1971: EK Init Container drop capabilities and logging chart bump
  • !1976: Update EK to 8.3.x
  • !1995: Fix conditionals for EK drop capabilities SSO

# Changelog Updates

## [0.9.0-bb.1] - 2022-08-17

### Changed

- Added universal drops for capabilities to containers' securityContexts
- Edited naming of VolumeMounts to default

## [0.9.0-bb.0] - 2022-07-15

### Changed

- Updated chart version to `0.9.0-bb.0`
- Updated appVersion to `8.3.2`
- Updated Kibana to `8.3.1`
- Updated Elasticsearch to `8.3.2`

Fluentbit

  • !1973: Fluentbit: Fix storage buffer limits/Loki outputs

# Changelog Updates

## [0.20.3-bb.1]

### Changed

- Added storage buffer limit for all `additionalOutputs`

Loki

  • !1908: SKIP UPGRADE BB template changes for new Loki Chart Refactor
  • !1996: Fix Loki version annotation

# Changelog Updates

## [1.7.6-bb.1]

### Added

- Added appVersion annotation to Chart.yaml

## [1.7.6-bb.0]

### Changed

- Matching chart base to upstream `loki-simple-scalable` instead of utilizing as sub-chart
- `loki` value updated to `monolith`
- `gel` values migrated to `enterprise` for better native support of Grafana Enterprise Logs

Monitoring

  • !1900: Monitoring mTLS / Prometheus mTLS Scraping

# Changelog Updates

## [39.2.1-bb.5]

### Changed

- Helm dependency update for Grafana subchart

## [39.2.1-bb.4]

### Added

- Strict mTLS for monitoring

## [39.2.1-bb.3]

### Changed

- Updated images to latest IB image versions: kube-webhook-certgen -> `v1.3.0`, grafana-plugins -> `9.0.6`, k8s sidecar -> `v1.19.4`

Twistlock

  • !1984: Twistlock: Provide values for defender tolerations

# Changelog Updates

## [0.9.0-bb.4] - 2022-08-15

### Fixed

- Update Defender's daemonSet to support/add tolerations

Authservice

  • !1970: Authservice 0.5.2 Update

# Changelog Updates

## [0.5.2-bb.0]

### Changed

- Updated to 0.5.2 Authservice image version
- Add allow_unmatched_requests toggle with corresponding change to CUSTOM authz policy

MinIO

  • !1952: Update Minio to 4.4.25 and cleanup secrets

# Changelog Updates

## [4.4.25-bb.0] - 2022-07-11

### Changed

- Update to 4.4.25
- Update MinIO image to RELEASE.2022-07-08T00-05-23Z

GitLab

  • !1979: Updated gitlab git tag
  • !1981: Updated gitlab git tag
  • !1985: Updated gitlab git tag: Enhanced Monitoring

# Changelog Updates

## [6.2.1-bb.1] - 2022-08-18

### Changed

- Remove ServiceMonitor created by BigBang and enable upstream ones.

## [6.2.1-bb.0] - 2022-08-18

### Updated

- Updated helm chart to 6.2.1 and appVersion to 15.2.1

GitLab Runner

  • !1977: Update Gitlab Runner to 15.2.1

# Changelog Updates

## [0.43.1-bb.0] - 2022-08-16

### Updated

- Update helm chart to v0.43.1 app version 15.2.1

Nexus

  • !1949: Nexus architecture documentation
  • !1992: Update Nexus to 3.41.0

# Changelog Updates

## [41.0.0-bb.0] - 2022-08-11

### Changed

- Updated chart to version: 41.0.0-bb.0 | appVersion: 3.41.0

Anchore Enterprise

  • !1980: Update Anchore Enterprise to 4.0.3

# Changelog Updates

## [1.19.2-bb.0]

### Changed

- Bumped chart version to `1.19.2`
- Bumped Anchore Enterprise image tag to `4.0.3`
- Bumped Anchore Enterprise UI image tag to `4.0.3`

Mattermost

  • !1958: Mattermost: Add grafana dashboard

# Changelog Updates

## [7.1.2-bb.1] - 2022-08-09

### Added

- Added grafana dashboard configmap and dashboard json when `monitoring.enabled` and `enterprise.enabled`

Vault

  • !1989: Update Vault to 1.11.2

# Changelog Updates

## [0.21.0-bb.0] - 2022-08-12

### Updated

- Updated `vault` to `1.11.2`, `vault-k8s` to `1.17.0`

Metrics Server

  • !1968: Metrics Server: Istio mTLS STRICT

# Changelog Updates

## [3.8.0-bb.4]

### Added

- Added default Istio `PeerAuthentication` for mTLS

## [3.8.0-bb.3]

### Added

- Added `renovate.json` to package root for allowing renovate bot to create Issues/MRs for updates

Known Issues

  • On some k8s distros certain components in the kube-system namespace are unable to be scraped by Prometheus due to the services' default network interface binding - More Information
  • Vault is in beta and therefore not recommended for operational use. We are still working on a few issues. If you set the extra environment variable AGENT_INJECT_VAULT_ADDR for the Injector ENVs you will encounter a helm install error due to duplicate ENVs. In our testing the Prometheus pod is not being injected with a Vault sidecar and Prometheus is not able to scrape metrics.
  • When deploying Monitoring with network policies disabled you will run into issues with Grafana. The current workaround is to delete a network policy that was missing conditionals, which can be done via kubectl delete networkpolicy -n monitoring allow-from-flux. Note that deploying without network policies is STRONGLY discouraged with the exception of development testing/debugging. This issue will be fixed in 1.42.0 via this change.

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.