Release Notes - 1.51.0

Please see our documentation page for more information on how to consume and deploy BigBang.

Upgrade Notices

Keycloak:

This release contains a major version upgrade to Keycloak 20.0.2 and a migration to the new Keycloak Quarkus deployment architecture. You should test in a staging/preprod environment before going to production. The migration was a 4-month-long engineering effort by the Big Bang Team and the CNAP Team. Keycloak Legacy is now deprecated, unmaintained, and unsupported. What you need to know:

  • There is no data migration needed.
  • No client changes or migration are needed.
  • The deployment uses the Iron Bank image directly. There is no longer a custom P1 Keycloak image.
  • The P1 plugin is now hosted in Iron Bank and gets injected into the Keycloak container on startup. You have the option of not using the P1 custom plugin if you want to use vanilla Keycloak and manually handle all authz and authn security controls yourself.
  • The deployment configuration now allows you to inject your own custom theme and change the realm name to something other than “baby-yoda”. If you rename an existing realm, the clients will need to be configured for the new URL path.
  • The environment variables for setting the default admin credentials have changed.
  • There are significant (but not technically hard) configuration changes. Reference the example production config.
  • The Big Bang helm chart is backwards compatible with Keycloak Legacy. It is possible to upgrade to this Big Bang release and pin to the last Keycloak Legacy tag if you need more time to upgrade to the new Keycloak Quarkus.

Keycloak Known Issues

  • The Keycloak Admin Console is partially broken for SAML clients: it is not possible to import the Nexus application certificate for “Signing keys config”. This only affects new Nexus deployments; existing Nexus deployments are not affected. The workaround is to temporarily change the “Admin Console Theme” in the “master” realm to the old “keycloak” theme instead of the new default theme “keycloak.v2”.
    https://github.com/keycloak/keycloak-ui/issues/4143

Gitlab:

This release contains a minor version upgrade to Gitlab 15.7.0. It includes several updates and changes to how FIPS is handled within Gitlab itself and in the registry1 images. What you need to know:

  • 15.7.0 from upstream reverted the change to auto-disable Personal Access Tokens by default when FIPS mode is enabled.
  • Gitlab images from registry1 post 15.6.1 have an environment variable available to disable FIPS_MODE at the global installation or container level. Set FIPS_MODE=0 in the env or extraEnv portion of a specific container, or, to ensure it is disabled across all containers, override:
addons:
  gitlab:
    values:
      global:
        extraEnv:
          FIPS_MODE: "0"

Kyverno:

  • This release includes an update to Kyverno 1.8.5 which includes memory consumption fixes and other bug fixes, including a fix for CVE-2022-47633.

Velero:

  • Velero has a number of changes in this release with the update to 1.10.0.
  • One major note is the renaming of restic (and all associated values/CRDs). Values are now under nodeAgent. If using restic, make sure to review the values changes required.
  • Details about other specific changes and functionality can be reviewed in the upstream release announcement.

Upgrades from previous releases

If coming from a version pre-1.50.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-1.50.0.

Packages

| Package | Type | Package Version | BB Version |
|---|---|---|---|
| Istio Controlplane | Core | Istio 1.16.1, Tetrate Istio Distro 1.15.1 | 1.16.1-bb.0 |
| Istio Operator | Core | Istio Operator 1.16.1, Tetrate Istio Distro Operator 1.15.1 | 1.16.1-bb.0 |
| Jaeger | Core | 1.39.0 | 2.37.0-bb.0 |
| Kiali | Core | 1.60.0 | 1.60.0-bb.0 |
| Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.1 |
| Gatekeeper | Core | 3.10.0 | 3.10.0-bb.0 |
| Kyverno (Updated) | Core | 1.8.5 | 2.6.5-bb.0 |
| Kyverno Policies (Updated) | Core | 1.0.1 | 1.0.1-bb.12 |
| Kyverno Reporter | Core | 2.10.3 | 2.13.4-bb.1 |
| Elasticsearch Kibana | Core | Kibana 8.5.2, Elasticsearch 8.5.2 | 0.14.0-bb.0 |
| Eck Operator | Core | 2.5.0 | 2.5.0-bb.0 |
| Fluentbit | Core | 2.0.6 | 0.21.4-bb.0 |
| Promtail | Core | 2.7.0 | 6.7.2-bb.0 |
| Loki | Core | 2.7.0 | 3.7.0-bb.0 |
| Neuvector (BETA) | Core | 5.0.2 | 2.2.2-bb.2 |
| Tempo | Core | Tempo 1.5.0, Tempo Query 1.5.0 | 0.16.1-bb.2 |
| Monitoring | Core | Prometheus 2.40.5, Grafana 9.3.2, Alertmanager 0.24.0 | 43.1.2-bb.0 |
| Twistlock | Core | 22.06.197 | 0.11.4-bb.1 |
| Argocd (Updated) | Addon | 2.5.3 | 5.16.1-bb.0 |
| Authservice | Addon | 0.5.3 | 0.5.3-bb.2 |
| Minio Operator | Addon | 4.5.4 | 4.5.4-bb.0 |
| Minio | Addon | RELEASE.2022-11-26T22-43-32Z | 4.5.4-bb.2 |
| Gitlab (Updated) | Addon | 15.7.0 | 6.7.0-bb.0 |
| Gitlab Runner | Addon | 15.6.0 | 0.47.0-bb.1 |
| Nexus (Updated) | Addon | 3.44.0-01 | 44.0.0-bb.0 |
| Sonarqube | Addon | 8.9.10-community | 1.0.31-bb.3 |
| Haproxy | Addon | 2.2.21 | 1.12.0-bb.0 |
| Anchore Enterprise (Updated) | Addon | Enterprise 4.3.0, Engine 1.1.0 | 1.20.1-bb.0 |
| Mattermost Operator | Addon | 1.19.0 | 1.19.0-bb.0 |
| Mattermost | Addon | 7.5.1 | 7.5.1-bb.0 |
| Velero (Updated) | Addon | 1.10.0 | 3.1.0-bb.0 |
| Keycloak (Updated) | Addon | 20.0.2 | 18.3.0-bb.1 |
| Vault (Updated) | Addon | 1.12.1 | 0.23.0-bb.0 |
| Metrics Server | Addon | 0.6.2 | 3.8.3-bb.0 |

Changes in 1.51.0

Big Bang MRs

  • !2387: disable image verification policy
  • !2383: Keycloak pa ispn patch
  • !2279: Keycloak quarkus
  • !2369: SKIP UPGRADE: Temporary fix for Kyverno Signature Failures
  • !2348: Resolve “Investigate Enabling HorizontalPodAutoscaler Resource in ArgoCD chart”
  • !2358: adding reference to how to deploy Big bang after flux install
  • !2362: SKIP UPGRADE Kyverno policy keycloak exception
  • !2356: Using New argocd CA options
  • !2354: SKIP UPGRADE Disabling minio for vault, opened issue to get it working and verified
  • !2344: Updating HA section of Keycloak arch doc

Kyverno

  • !2364: Kyverno: Upgrade Kyverno Images
# Changelog Updates

## [2.6.5-bb.0] - 2022-01-06

### Changed

- Updated kubectl to v1.25.5
- Updated Helm chart to v2.6.5
- Updated appVersion to v1.8.5

Kyverno Policies

  • !2360: Kyverno Policies: Update deprecated API policy for Kubernetes v1.27
  • !2345: Updated kyverno-policies git tag
# Changelog Updates

## [1.0.1-bb.12] - 2022-01-06

### Changed

- Added support for checking deprecated API policy for Kubernetes v1.27.

## [1.0.1-bb.11] - 2022-12-20

### Changed

- Updated default values for require-image-signature to align with upstream documentation

## [1.0.1-bb.10] - 2022-12-5

### Changed

- Changed values.yaml to fail images from ironbank that are not signed.

Argocd

  • !2339: Update argocd to v2.5.0
# Changelog Updates

## [5.16.1-bb.0] - 2022-12-21

### Updated

- ArgoCD version from v2.5.0 to v2.5.3

## [5.13.0-bb.0] - 2022-12-13

### Updated

- ArgoCD version from v2.4.12 to v2.5.0
- Chart version from 5.5.7 to 5.13.0
- SSO documentation for setting up SSO login with Keycloak
- Troubleshooting documentation with information about `argocd-server` TLS configuration

Gitlab

  • !2373: SKIP UPGRADE Updated gitlab git tag
# Changelog Updates

## [6.7.0-bb.0] - 2023-01-05

### Changed

- Updated helm chart to 6.7.0 and appVersion to 15.7.0
- ironbank/gitlab/gitlab/gitlab-webservice minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/alpine-certificates minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitaly minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/kubectl minor 15.6.1 -> 15.7.0
- registry1.dso.mil/ironbank/opensource/minio/mc patch RELEASE.2022-11-17T21-20-39Z -> RELEASE.2022-12-13T00-23-28Z
- registry1.dso.mil/ironbank/opensource/minio/minio patch RELEASE.2022-11-26T22-43-32Z -> RELEASE.2022-12-12T19-27-27Z

Nexus

  • !2361: Nexus: Update to 3.44.0
# Changelog Updates

## [44.0.0-bb.0] - 2022-12-28

### Changed

- Updated chart to version: 44.0.0-bb.0 | appVersion: 3.44.0 | crane version v0.12.1

Anchore Enterprise

  • !2365: Anchore: Update enterprise to 4.3.0
# Changelog Updates

## [1.20.1-bb.0]

### Changed

- Bumped chart version to `1.20.1`
- Bumped Anchore Enterprise image tag to `4.3.0`
- Bumped Anchore Enterprise UI image tag to `4.3.0`

Velero

  • !2367: Update Velero to 1.10.0
# Changelog Updates

## [3.1.0-bb.0]

### Changed

- Updated to latest chart version `3.1.0` (support for 1.10.0)

## [2.32.5-bb.0]

### Update

- Updated velero to `1.10.0`, upstream chart version `velero-2.32.5`, nginx to `1.23.2`, kubectl to `1.25.5`, and azure plugin to `1.6.0`

Keycloak

  • !2350: Updated keycloak git tag
# Changelog Updates

## [18.3.0-bb.1] - 2023-01-11

### Changed

- Fix PeerAuthentication exception policy for infinispan/jgroups communication

## [18.3.0-bb.0] - 2022-12-30

### Updated

- Update helm chart to 18.3.0
- Upgrade Keycloak image from version 18.0.1-legacy to version 20.0.2
- Update Java truststore to DoD trusted certificate authorities version 9.5

### Changed

- Migration to new Quarkus deployment architecture

## [18.2.1-bb.6] - 2022-12-12

### Added

- Added keycloak-primary-app-exception for JPGROUPS

Vault

  • !2329: Update vault to 1.12.1
  • !2352: SKIP UPGRADE Updated vault git tag
# Changelog Updates

## [0.23.0-bb.0] - 2022-12-28

### Updated

- `vault` updated to 1.12.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
- `vault-k8s` updated to 1.1.0 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)
- `vault-csi-provider` updated to 1.2.1 [GH-814](https://github.com/hashicorp/vault-helm/pull/814)

## [0.22.1-bb.3] - 2022-12-19

### Updated

- Migrated minio dep to OCI repository

## [0.22.1-bb.2] - 2022-12-02

### Updated

- Updated Vault to appVersion `1.12.1`, `vault-k8s` to `1.1.0`
- Updated gluon to `0.3.1`
- Updated Minio dependency to `4.5.4-bb.2`

Known Issues

  • On some k8s distros, certain components in the kube-system namespace cannot be scraped by Prometheus due to the services' default network interface binding.

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.