Release Notes - 1.51.0
Please see our documentation page for more information on how to consume and deploy BigBang.
Upgrade Notices
Keycloak:
This release contains a major version upgrade to Keycloak 20.0.2 and a migration to the new Keycloak Quarkus deployment architecture. You should test in a staging/preprod environment before going to production. The migration was a 4-month-long engineering effort by the Big Bang Team and the CNAP Team. Keycloak Legacy is now deprecated, unmaintained, and unsupported. What you need to know:
- There is no data migration needed.
- There are no client changes/migration needed.
- The deployment uses the Iron Bank image directly. There is no longer a custom P1 Keycloak image.
- The P1 plugin is now hosted in Iron Bank and gets injected into the Keycloak container on startup. You have the option of not using the P1 custom plugin if you want to use vanilla Keycloak and manually handle all authz and authn security controls yourself.
- The deployment configuration now allows you to inject your own custom theme and change the realm name to something other than “baby-yoda”. If you rename an existing realm the clients will need to be configured for the new URL path.
- The environment variables for setting the default admin credentials have changed.
- There are significant (but not technically hard) configuration changes. Reference the example production config.
- The Big Bang helm chart is backwards compatible with Keycloak Legacy. It is possible to upgrade to this Big Bang release and pin to the last Keycloak Legacy tag if you need more time to upgrade to the new Keycloak Quarkus.
Keycloak Known Issues
- The Keycloak Admin Console is partially broken for SAML clients: it is unable to import the Nexus application certificate for “Signing keys config”. Existing Nexus deployments are not affected; this only affects new Nexus deployments. The workaround is to temporarily change the “Admin Console Theme” in the “master” realm to the old “keycloak” theme instead of the new default theme “keycloak.v2”.
https://github.com/keycloak/keycloak-ui/issues/4143
Gitlab:
This release contains a minor version upgrade to Gitlab 15.7.0. This contains several updates and changes to how FIPS is handled within Gitlab itself and the registry1 images. What you need to know:
- 15.7.0 from upstream reverted the change to auto-disable Personal Access Tokens by default when FIPS mode is enabled.
- Gitlab images from registry1 post 15.6.1 have an environment variable available to disable FIPS_MODE at a global installation or container level. `FIPS_MODE=0` just needs to be set for the `env` or `extraEnv` portion of a specific container, or to ensure it’s disabled across all containers you can override:

```yaml
addons:
  gitlab:
    values:
      global:
        extraEnv:
          FIPS_MODE: "0"
```
Kyverno:
- This release includes an update to Kyverno 1.8.5 which includes memory consumption fixes and other bug fixes, including a fix for CVE-2022-47633.
Velero:
- Velero has a number of changes in this release with the update to 1.10.0.
- One major note is the renaming of `restic` (and all associated values/CRDs). Values are now under `nodeAgent`. If using `restic` make sure to review the values changes required.
- Details about other specific changes and functionality can be reviewed in the upstream release announcement.
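A pre-upgrade check for the Gitlab FIPS and Velero notices above, as an added example that is not part of the Big Bang project: it walks deployed values exported as JSON (for instance with `helm get values <release> -o json`) and reports where `FIPS_MODE` is set to 0 and which Velero keys still mention `restic`. The sample values, the release name and the list form of `env` are assumptions made for the example.

```python
import json

# Constructed sample shaped like `helm get values bigbang -o json` output.
# The release name and every value below are made up for this example.
SAMPLE_VALUES = json.loads("""
{"addons": {
  "gitlab": {"values": {
    "global": {"extraEnv": {"FIPS_MODE": "0"}},
    "gitlab": {"sidekiq": {"extraEnv": {"FIPS_MODE": "1"}},
               "toolbox": {"env": [{"name": "FIPS_MODE", "value": "0"}]}}}},
  "velero": {"values": {"deployRestic": true,
                        "restic": {"podVolumePath": "/var/lib/kubelet/pods"}}}}}
""")

def walk(node, path=()):
    """Yield (parent_path, key, value) for every mapping entry, depth first."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from walk(item, path + (str(index),))

def _disables_fips(env):
    """True if an env block sets FIPS_MODE to 0 (map form, or assumed list form)."""
    if isinstance(env, dict):
        return str(env.get("FIPS_MODE")) == "0"
    if isinstance(env, list):
        return any(isinstance(e, dict) and e.get("name") == "FIPS_MODE"
                   and str(e.get("value")) == "0" for e in env)
    return False

def fips_overrides(values):
    """Paths under addons.gitlab.values where env/extraEnv turns FIPS off."""
    gitlab = values.get("addons", {}).get("gitlab", {}).get("values", {})
    return [".".join(path + (key,)) for path, key, value in walk(gitlab)
            if key in ("env", "extraEnv") and _disables_fips(value)]

def restic_keys(values):
    """Paths under addons.velero.values whose key name still mentions restic."""
    velero = values.get("addons", {}).get("velero", {}).get("values", {})
    return [".".join(path + (key,)) for path, key, _ in walk(velero)
            if "restic" in key.lower()]

if __name__ == "__main__":
    for hit in fips_overrides(SAMPLE_VALUES):
        print("FIPS_MODE disabled at addons.gitlab.values." + hit)
    for hit in restic_keys(SAMPLE_VALUES):
        print("review before Velero 1.10.0: addons.velero.values." + hit)
```

An empty result from `fips_overrides` means no override in the exported values turns FIPS off; any path from `restic_keys` is a value to review against the `nodeAgent` rename before upgrading.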
Upgrades from previous releases
If coming from a version pre-`1.50.0`, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-`1.50.0`.
Packages
Package | Type | Package Version | BB Version |
---|---|---|---|
Istio Controlplane | Core | Istio 1.16.1, Tetrate Istio Distro 1.15.1 | 1.16.1-bb.0 |
Istio Operator | Core | Istio Operator 1.16.1, Tetrate Istio Distro Operator 1.15.1 | 1.16.1-bb.0 |
Jaeger | Core | 1.39.0 | 2.37.0-bb.0 |
Kiali | Core | 1.60.0 | 1.60.0-bb.0 |
Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.1 |
Gatekeeper | Core | 3.10.0 | 3.10.0-bb.0 |
Kyverno | Core | 1.8.5 | 2.6.5-bb.0 🔗 |
Kyverno Policies | Core | 1.0.1 | 1.0.1-bb.12 🔗 |
Kyverno Reporter | Core | 2.10.3 | 2.13.4-bb.1 |
Elasticsearch Kibana | Core | Kibana 8.5.2, Elasticsearch 8.5.2 | 0.14.0-bb.0 |
Eck Operator | Core | 2.5.0 | 2.5.0-bb.0 |
Fluentbit | Core | 2.0.6 | 0.21.4-bb.0 |
Promtail | Core | 2.7.0 | 6.7.2-bb.0 |
Loki | Core | 2.7.0 | 3.7.0-bb.0 |
Neuvector | Core | 5.0.2 | 2.2.2-bb.2 |
Tempo | Core | Tempo 1.5.0, Tempo Query 1.5.0 | 0.16.1-bb.2 |
Monitoring | Core | Prometheus 2.40.5, Grafana 9.3.2, Alertmanager 0.24.0 | 43.1.2-bb.0 |
Twistlock | Core | 22.06.197 | 0.11.4-bb.1 |
Argocd | Addon | 2.5.3 | 5.16.1-bb.0 🔗 |
Authservice | Addon | 0.5.3 | 0.5.3-bb.2 |
Minio Operator | Addon | 4.5.4 | 4.5.4-bb.0 |
Minio | Addon | RELEASE.2022-11-26T22-43-32Z | 4.5.4-bb.2 |
Gitlab | Addon | 15.7.0 | 6.7.0-bb.0 🔗 |
Gitlab Runner | Addon | 15.6.0 | 0.47.0-bb.1 |
Nexus | Addon | 3.44.0-01 | 44.0.0-bb.0 🔗 |
Sonarqube | Addon | 8.9.10-community | 1.0.31-bb.3 |
Haproxy | Addon | 2.2.21 | 1.12.0-bb.0 |
Anchore Enterprise | Addon | Enterprise 4.3.0, Engine 1.1.0 | 1.20.1-bb.0 🔗 |
Mattermost Operator | Addon | 1.19.0 | 1.19.0-bb.0 |
Mattermost | Addon | 7.5.1 | 7.5.1-bb.0 |
Velero | Addon | 1.10.0 | 3.1.0-bb.0 🔗 |
Keycloak | Addon | 20.0.2 | 18.3.0-bb.1 🔗 |
Vault | Addon | 1.12.1 | 0.23.0-bb.0 🔗 |
Metrics Server | Addon | 0.6.2 | 3.8.3-bb.0 |
Changes in 1.51.0
Big Bang MRs
- !2387: disable image verification policy
- !2383: Keycloak pa ispn patch
- !2279: Keycloak quarkus
- !2369: SKIP UPGRADE: Temporary fix for Kyverno Signature Failures
- !2348: Resolve “Investigate Enabling HorizontalPodAutoscaler Resource in ArgoCD chart”
- !2358: adding reference to how to deploy Big bang after flux install
- !2362: SKIP UPGRADE Kyverno policy keycloak exception
- !2356: Using New argocd CA options
- !2354: SKIP UPGRADE Disabling minio for vault, opened issue to get it working and verified
- !2344: Updating HA section of Keycloak arch doc
Kyverno
- !2364: Kyverno: Upgrade Kyverno Images
# Changelog Updates
## [2.6.5-bb.0] - 2022-01-06
### Changed
- Updated kubectl to v1.25.5
- Updated Helm chart to v2.6.5
- Updated appVersion to v1.8.5
Kyverno Policies
- !2360: Kyverno Policies: Update deprecated API policy for Kubernetes v1.27
- !2345: Updated kyverno-policies git tag
# Changelog Updates
## [1.0.1-bb.12] - 2022-01-06
### Changed
- Added support for checking deprecated API policy for Kubernetes v1.27.
## [1.0.1-bb.11] - 2022-12-20
### Changed
- Updated default values for require-image-signature to align with upstream documentation
## [1.0.1-bb.10] - 2022-12-5
### Changed
- Changed values.yaml to fail images from ironbank that are not signed.
Argocd
- !2339: Update argocd to v2.5.0
# Changelog Updates
## [5.16.1-bb.0] - 2022-12-21
### Updated
- ArgoCD version from v2.5.0 to v2.5.3
## [5.13.0-bb.0] - 2022-12-13
### Updated
- ArgoCD version from v2.4.12 to v2.5.0
- Chart version from 5.5.7 to 5.13.0
- SSO documentation for setting up SSO login with Keycloak
- Troubleshooting documentation with information about `argocd-server` TLS configuration
Gitlab
- !2373: SKIP UPGRADE Updated gitlab git tag
# Changelog Updates
## [6.7.0-bb.0] - 2023-01-05
### Changed
- Updated helm chart to 6.7.0 and appVersion to 15.7.0
- ironbank/gitlab/gitlab/gitlab-webservice minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/alpine-certificates minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitaly minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/kubectl minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/opensource/minio/mc patch RELEASE.2022-11-17T21-20-39Z -> RELEASE.2022-12-13T00-23-28Z
- registry1.dso.mil/ironbank/opensource/minio/minio patch RELEASE.2022-11-26T22-43-32Z -> RELEASE.2022-12-12T19-27-27Z
Nexus
- !2361: Nexus: Update to 3.44.0
# Changelog Updates
## [44.0.0-bb.0] - 2022-12-28
### Changed
- Updated chart to version: 44.0.0-bb.0 | appVersion: 3.44.0 | crane version v0.12.1
Anchore Enterprise
- !2365: Anchore: Update enterprise to 4.3.0
# Changelog Updates
## [1.20.1-bb.0]
### Changed
- Bumped chart version to `1.20.1`
- Bumped Anchore Enterprise image tag to `4.3.0`
- Bumped Anchore Enterprise UI image tag to `4.3.0`
Velero
- !2367: Update Velero to 1.10.0
# Changelog Updates
## [3.1.0-bb.0]
### Changed
- Updated to latest chart version `3.1.0` (support for 1.10.0)
## [2.32.5-bb.0]
### Update
- Updated velero to `1.10.0`, upstream chart version `velero-2.32.5`, nginx to `1.23.2`, kubectl to `1.25.5`, and azure plugin to `1.6.0`
Keycloak
- !2350: Updated keycloak git tag
# Changelog Updates
## [18.3.0-bb.1] - 2023-01-11
### Changed
- Fix PeerAuthentication exception policy for infinispan/jgroups communication
## [18.3.0-bb.0] - 2022-12-30
### Updated
- Update helm chart to 18.3.0
- Upgrade Keycloak image from version 18.0.1-legacy to version 20.0.2
- Update Java truststore to DoD trusted certificate authorities version 9.5
### Changed
- Migration to new Quarkus deployment architecture
## [18.2.1-bb.6] - 2022-12-12
### Added
- Added keycloak-primary-app-exception for JPGROUPS
Vault
# Changelog Updates
## [0.23.0-bb.0] - 2022-12-28
### Updated
- `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
- `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
- `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
## [0.22.1-bb.3] - 2022-12-19
### Updated
- Migrated minio dep to OCI repository
## [0.22.1-bb.2] - 2022-12-02
### Updated
- Update Vault to appVersion `1.12.1`, `vault-k8s` to `1.1.0`
- Updated gluon to `0.3.1`
- Update Minio dependency to `4.5.4-bb.2`
Known Issues
- On some k8s distros certain components in the kube-system namespace are unable to be scraped by Prometheus due to the services’ default network interface binding - More Information
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our chat
- Check out the documentation for guidance on how to get started
Future
Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.