Big Bang Release Notes
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
[2.12.0]
- !2.12.0; List of merge requests in this release.
[2.11.1]
- !3146: Kyverno update to 3.0.0-bb.3
- !3170: GitlabRunner update to 0.52.0-bb.6
- !3178: Gitlab update to 7.3.4-bb.0
- !3187: fluentbit update to 0.37.0-bb.1
[2.11.0]
- !2.11.0; List of merge requests in this release.
[2.10.0]
- !2.10.0; List of merge requests in this release.
[2.9.0]
- !2.9.0; List of merge requests in this release.
[2.8.0]
- List of merge requests in this release.
- !2971: Grafana chart indentation 6 -> 4
- !2950: velero update to 4.0.3-bb.0
- !2973: gitlab update to 7.2.0-bb.0
- !2974: authservice update to 0.5.3-bb.12
- !2936: argocd update to 5.39.0-bb.0
- !2964: neuvector update to 2.4.5-bb.2
- !2966: loki update to 5.9.2-bb.0
- !2975: promtail update to 6.13.1-bb.0
- !2930: Re-add IB key to Kyverno Policies test-values
- !2963: kyvernoPolicies update to 1.1.0-bb.9
- !2972: istio & operator update to 1.18.2-bb.0
- !2938: Add ‘comments’ field to schema
- !2957: fix for ca-secret creation logic
- !2955: harbor update to 1.12.2-bb.7
- !2958: anchore update to 1.26.1-bb.0
- !2977: gitlab update to 7.2.2-bb.0
- !2961: Fixing conditional for grafana extraSecretMounts
[2.7.0]
- !2.7.0; List of merge requests in this release.
[2.6.0]
- !2.6.0; List of merge requests in this release.
[2.5.0]
- !2.5.0; List of merge requests in this release.
[2.4.0]
- !2.4.0; List of merge requests in this release.
[2.3.0]
- !2.3.0; List of merge requests in this release.
[2.2.0]
- !2.2.0; List of merge requests in this release.
[2.1.0]
- !2.1.0; List of merge requests in this release.
[2.0.1]
- !2713: Bug fix for Gitlab chart backup job template
- !2712: Bug fix for Gitlab Runner network policy ranging template
- !2707: Bug fix for missing Monitoring SSO keys in schema
- !2703: Bug fix for Mattermost and Nexus HelmRepos
[2.0.0]
- !2.0.0; List of merge requests in this release.
Breaking Changes
This major release contains breaking changes. Review the release notes or the blog post for more details before upgrading.
[1.57.1]
- !2659: Fix wrong ArgoCD image version
[1.57.0]
- !1.57.0; List of merge requests in this release.
[1.56.0]
- !1.56.0; List of merge requests in this release.
[1.55.0]
- !1.55.0; List of merge requests in this release.
[1.54.0]
- !1.54.0; List of merge requests in this release.
[1.53.0]
- !1.53.0; List of merge requests in this release.
[1.52.0]
- !1.52.0; List of merge requests in this release.
[1.51.0]
- !1.51.0; List of merge requests in this release.
[1.50.0]
- !1.50.0; List of merge requests in this release.
[1.49.0]
- !1.49.0; List of merge requests in this release.
[1.48.0]
- !1.48.0; List of merge requests in this release.
[1.47.0]
- !1.47.0; List of merge requests in this release.
[1.46.1]
- !2243: Fix Loki Monolith mTLS
[1.46.0]
- !1.46.0; List of merge requests in this release.
[1.45.0]
- !1.45.0; List of merge requests in this release.
[1.44.0]
- !1.44.0; List of merge requests in this release.
[1.43.0]
- !1.43.0; List of merge requests in this release.
[1.42.0]
- !1.42.0; List of merge requests in this release.
[1.41.0]
- !1.41.0; List of merge requests in this release.
[1.40.0]
- !1.40.0; List of merge requests in this release.
[1.39.0]
- !1.39.0; List of merge requests in this release.
[1.38.0]
- !1.38.0; List of merge requests in this release.
[1.37.0]
- !1.37.0; List of merge requests in this release.
[1.36.0]
- !1.36.0; List of merge requests in this release.
[1.35.0]
- !1.35.0; List of merge requests in this release.
[1.34.0]
- !1.34.0; List of merge requests in this release.
[1.33.0]
- !1.33.0; List of merge requests in this release.
[1.32.0]
- !1.32.0; List of merge requests in this release.
[1.31.0]
- !1.31.0; List of merge requests in this release.
[1.30.1]
- !1495: Update ArgoCD image to 2.3.2
[1.30.0]
- !1.30.0; List of merge requests in this release.
[1.29.0]
- !1.29.0; List of merge requests in this release.
[1.28.0]
- !1.28.0; List of merge requests in this release.
[1.27.1]
- !1346: Update to re-enable Jaeger’s sidecars
[1.27.0]
- !1.27.0; List of merge requests in this release.
[1.26.0]
- !1.26.0; List of merge requests in this release.
[1.25.1]
- !1256: Gitlab version bump to 5.6.2-bb.0 app version 14.6.2
[1.25.0]
- !1.25.0; List of merge requests in this release.
[1.24.0]
- !1.24.0; List of merge requests in this release.
[1.23.0]
- !1.23.0; List of merge requests in this release.
[1.22.0]
- !1.22.0; List of merge requests in this release.
[1.21.0]
- !1.21.0; List of merge requests in this release.
[1.20.0]
- !1.20.0; List of merge requests in this release.
[1.19.0]
- !1.19.0; List of merge requests in this release.
[1.18.0]
- !1.18.0; List of merge requests in this release.
[1.17.0]
- !1.17.0; List of merge requests in this release.
[1.16.2]
- !919: Sonarqube version 9.2.6-bb.17-1 version bump to address erroneous duplicate template definitions for tolerations, nodeSelector & affinity
[1.16.1]
- !887: Twistlock Network Policy & BigBang/Package value networkPolicies.nodeCidr for defender to console communication
- !890: Adding violation exception for twistlock-defenders to use selinux spc_t settings
[1.16.0]
- !1.16.0; List of merge requests in this release.
[1.15.3]
- !887: Twistlock Network Policy & BigBang/Package value networkPolicies.nodeCidr for defender to console communication
- !852: Adding violation exceptions to stop Gatekeeper blocking twistlock console deployment
- !890: Adding violation exception for twistlock-defenders to use selinux spc_t settings
[1.15.2]
- !846: Istio-cni hub correction to point to valid repo in registry1 & Add install-cni image to synker.yaml for air-gapped environments
[1.15.1]
- !834: Update istio to version 1.9.8
- !818: Fix minio istio pass down
- !831: Fix monitoring hostNetwork violation
- !835: Fix fluentbit hostFilesystem violation
[1.15.0]
- !1.15.0; List of merge requests in this release.
[1.14.1]
- !771: Intermediate update to authservice package to allow for cleaner certificate formatting
- !782: Bumping Authservice tag to 0.4.0-bb.13 to fix mapping for values passed to redis sub-chart and uploading correct dependency sub-chart
[1.14.0]
- !1.14.0; List of merge requests in this release.
[1.13.1]
- !722: Bumping Gatekeeper tag, reducing pod footprint, cleaning up constraints
- !730: Bumping Gatekeeper tag, properly excluding all of “kube-system” namespace from gatekeeper via upstream recommendation, removing “kube-system” exclusions from package values.
[1.13.0]
- !1.13.0 Merge Requests; List of Merge Requests in this Release
[1.12.1]
- !769: Add kube-system namespace exception to all constraints that cause violations
[1.12.0]
- !1.12.0 Merge Requests; List of Merge Requests in this Release
[1.11.0]
- !1.11.0 Merge Requests; List of Merge Requests in this Release
[1.10.0]
- !1.10.0 Merge Requests; List of Merge Requests in this Release
[1.9.1]
- !534: Bumping monitoring chart version - Addresses un-reconcilable state of monitoring package when upgrading from previous version of BigBang to 1.9.0
[1.9.0]
- !445: Nexus added to BB
- !488: Authservice support external redis service
- !490: New monitoring helm tests
- !492: Add new robot account to CI
- !495: Add shanks as maintainers
- !497: CAC CI upgrades
- !499: Mattermost Operator optional network policies
- !503: Sonarqube optional network policies
- !504: Gitlab optional network policies
- !509: feat: Bumping monitoring tag version
- !510: ECK Operator optional network policies
- !511: Authservice optional network policies
- !513: Monitoring optional network policies
- !514: Cluster Auditor & OPA Gatekeeper constraint-templates and added conditional enforcement
Upgrade Notices
This update includes network policies for multiple packages; please refer to each package’s individual documentation on implementation.
Known Issues
- If the following error is seen on any helm releases:
      scheme "" not supported
  try updating flux to the latest IB images. A simple way to do this is by adding registry credentials to the flux-system namespace and applying the flux.yaml:
      kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=<Your IronBank Username> --docker-password=<Your IronBank Personal Access Token> --docker-email=<Your E-mail Address> -n flux-system
      curl https://repo1.dso.mil/platform-one/big-bang/bigbang/-/raw/master/scripts/deploy/flux.yaml | kubectl apply -f -
- There is a known issue with Velero's ability to restore PersistentVolumes.
[1.8.0]
- !447: Sonarqube upgrade app version 8.7.1 chart version 9.2.6-bb.8
- !406: Authservice Support For Non Keycloak OIDC Endpoints
- !459: Gitlab update to fix monitoring
- !463,!480: update codeowners
- !462: Document GitLab package architecture in charter
- !453: Set Global Timeout for Flux & Allow for HelmRelease Flux Settings to be Populated via Values File
- !466: Updating name for kiali oidc secret secret
- !465: Mattermost update app version 5.34.2 chart version 0.1.5-bb.0
- !467: update changelog for release 1.7.0
- !468: Modify continuous integration (CI) pipeline script execution
- !474: Update twistlock app version 21.04.412 chart version 0.0.4-bb.0
- !464: Documentation updates
- !475: Anchore upgrade app version 0.9.3 chart version 1.12.13-bb.0
- !430: Charter update for istio architecture
- !451,!481,!482: Breakout secrets into individual files in Package templates
- !417: update Kibana
- !350: Authservice Redirect URLs don't respect virtual service name overrides
- !485: ArgoCD upgrade app version 1.8.4 chart version 2.14.7-bb.5
- !476: Charter documentation updates
- !134,!489: BETA release of Keycloak app version 13.0.0 helm chart version 11.0.0
- !342: Upgrade elasticsearch-kibana package app version 7.10.x chart version 0.1.11-bb.0
- !457: Add labels to authservice namespace in compliance with charter
Upgrade Notices
- Release 1.8.0 upgrades Elasticsearch and Kibana to 7.10 versions. If the autoRollingUpgrade job does not complete successfully or is interfered with, it could cause ECK data loss. Please leave autoRollingUpgrade enabled and read documentation to prepare for upgrade issues.
Known Issues
- If the following error is seen on any helm releases:
      scheme "" not supported
  try updating flux to the latest IB images. A simple way to do this is by adding registry credentials to the flux-system namespace and applying the flux.yaml:
      kubectl create secret docker-registry private-registry --docker-server=registry1.dso.mil --docker-username=<Your IronBank Username> --docker-password=<Your IronBank Personal Access Token> --docker-email=<Your E-mail Address> -n flux-system
      curl https://repo1.dso.mil/platform-one/big-bang/bigbang/-/raw/master/scripts/deploy/flux.yaml | kubectl apply -f -
- There is a known issue with Velero's ability to restore PersistentVolumes.
[1.7.0]
- !453: Global Timeout for flux and allow for HR flux settings to be populated via values
- !459: Gitlab monitoring fix
- !406: Authservice Support For Non Keycloak OIDC Endpoints
- !447: Sonarqube updated to 8.7.1
- !446: Mattermost elastic integration
- !437: Postrenders
- !440: GitLab Upgrade to 13.10.3
- !450: Ironbank image version check script
- !369: Update development-environment
- !371: Update 2_getting_started
- !483: cluster auditor architecture
- !454: Storage Documentation
- !221: Add initial thoughts on Hugo
- !408: Adding Architecture Doc for ek package
- !462: Document GitLab package architecture in charter
- !463: Update CODEOWNERS
Upgrade Notice
Sonarqube Release Information
This release comes with a new version of Sonarqube which requires a manual database upgrade that can be easily done through the web interface. If you see a message stating Sonarqube is under maintenance, go to the following URL and click update database:
    https://sonarqube.your.url/setup
After a few minutes you should be able to log back in.
Known Issues
If the following error is seen on any helm releases:
    scheme "" not supported
try updating flux to the latest IB images. A simple way to do this is by adding registry credentials to the flux-system namespace and applying the flux.yaml:
    kubectl create -n flux-system secret docker-registry private-registry --docker-server="https://registry1.dso.mil" --docker-username='<IB_Username>' --docker-password="<CLI_TOKEN>"
    kubectl apply -f scripts/deploy/flux.yaml
[1.6.2]
- !455: gatekeeper values not hardcoded
[1.6.1]
- #19: istio-cni image hub reverted to dsop.io domain
- #387: Latest Fluent-Bit release removed Grafana Dashboard Functionality
[1.6.0]
Upgrade Notice
This update includes several major changes to istio. Kiali and Jaeger are now separated into their own repos, helmreleases, and namespaces.
A manual cleanup task is required to delete the previous Kiali and Jaeger deployments post upgrade:
    kubectl delete deploy -n istio-system -l app=kiali
    kubectl delete deploy -n istio-system -l app=jaeger
Known Issues
This update includes an update to the Anchore chart. There is a known issue with running this version (and some previous versions) on FIPS enabled nodes. All Anchore services continue to function properly on non-FIPS nodes. Once an upstream fix is pushed, we will update the BB version accordingly.
Anchore’s default resource requests/limits (specifically for memory for the RBAC Manager) may be problematic depending on the customer and usage. Currently Big Bang consumes the defaults from the upstream chart, but Anchore also provides a list of requirements that address best practices for configuration for production workloads. These recommendations can be used as BB value overrides to specify resource limits and requests (example: RBAC Manager).
- !436: Resolve “fluentbit requires modification to work when selinux: Enforcing”
- !416: Fix Minio SecurityContext for Mattermost
- !385: update anchore to 1.12.7-bb.2
- !330: upgrade to istio 1.8.4, split jaeger and kiali into separate deployments
- !427: IronBank image for Cluster Auditor
- !428: feat: Bumping eck-operator to 1.4.0-bb.1
- !421: Resolve “Upgrade eck-operator to 1.4.0”
- !405: Upgrade OPA Gatekeeper
- !443: Resolve “Fluentbit upgrade to application version 1.7.4”
- !442: Resolve “feat: Update authservice to use latest IB image and templating”
- !432: feat: ek package to 0.1.8-bb.0 for pod lifecycle support
- !418: Minio VS update
There are additional minor changes and documentation updates that are included with this release. Full changes can always be seen by viewing the commit logs and completed MRs.
[1.5.0]
Upgrade Notice
This update includes several additions to fluent-bit which are recommended for production environments to increase reliability of log ingestion to the ECK stack.
This is mainly accomplished within fluent-bit by introducing a filesystem storage buffer interacting with a new hostPath volume in fluent-bit containers.
By default, this is mounted to nodes at /var/log/flb-storage/, however it can be updated in the package’s values in 3 places:
    storage_buffer:
      path: /var/log/flb-storage/
    extraVolumes:
      - hostPath:
          path: /var/log/flb-storage/
          type: DirectoryOrCreate
        name: flb-storage
    extraVolumeMounts:
      - mountPath: /var/log/flb-storage/
        name: flb-storage
- !386: Updated Fluentbit to 1.7.2 which fixes #335.
- !356: Enabled flux monitoring via Prometheus/Grafana in Monitoring package.
- !380: Fixed eckoperator.enabled conditional.
- Added and Documented Affinity support.
- !379 Twistlock
- !393 Cluster Auditor
[1.4.0]
Upgrade Notice
This update includes updated EnvoyFilters for authservice to fix #65 and is a component of a future upgrade to istio 1.8 (#191).
After upgrading BigBang to this version, you must follow the steps below to ensure apps protected by authservice are still protected.
To ensure SSO for all services protected by authservice (kiali, jaeger, prometheus, and alertmanager) remains functional, the istio-proxy sidecar attached to the haproxy in front of the services must be updated to 1.7.7.
The easiest way to do this is to cycle the pod:
    kubectl delete po -n authservice -l app.kubernetes.io/instance=authservice-haproxy-sso
Note: these 4 services (kiali, jaeger, prometheus, and alertmanager) will be unavailable for ~10s while the pod cycles. In the future we aim to provide an HA implementation of authservice’s haproxy so the above operations can happen without downtime.
- !300: Velero Addon Addition
- !308: BigBang values migrated to Secret objects parsed by HelmRelease objects within chart. (also fixes #221)
- !357: Updated Anchore (Engine 0.9.3, Enterprise 3.0.2).
- !333: Updated Mattermost (Operator: 1.13.0, Instance: 5.32.1).
- !346: Redis Integration with Anchore Enterprise Package.
- !318: Redis Integration with ArgoCD Package.
[1.3.0]
- !322: Updated anchore to 0.9.2, enterprise 3.0.1, this also fixes #135
- !309: Add support for Gitlab CAC signed commits and custom CAs
- !311: Update minio to RELEASE.2020-11-19T23-48-16Z and expose more user configuration options
- !220: Added consolidated flux installation (without flux cli)
- !319: Updated gitlab-runner to 13.9.0 IronBank image (note this uses a different chart schema than previous versions, see here for more information)
- !340: Package bigbang repo in repositories.tar.gz release artifact
In addition, Big Bang Pre-requisites has been added as a location to store all (known) pre-requisites for running BigBang on various distributions. Over time, more distributions will be added as they are tested; community (and vendor) contributions are welcome!
[1.2.0]
- !270: upgrade to flux 0.7.x, this requires updating flux and fixes #13
- !250: Filename spelling correction in scripts directory
- !259, !265, !274: documentation updates
- !263, !271: Update codeowners
- !263: add missing enterprise Anchore images to airgap bundle
- !237: add gitlab-runner to test values
- !266: update fluentbit package version
- !269: Update charter/PackageOwner.md
- !256: update developer documentation
- !272: Remove CI jobs that check for things no longer required as part of the developer workflow
- !264, !238: Update BigBang repo url references from “umbrella” to “bigbang”
- !249: image for gatekeeper is set in the chart and should not be hardcoded in the HelmRelease
- !202: add initial support for openshift (ocp)
- !272: upgrade argocd helm chart to 2.14.7-bb.0
- !232: Twistlock IB image and VirtualService customization
- !210: only run cluster tests when chart contents have changed
- !279: remove hardcoded ArgoCD server url config, allow users to set their own sso url
- !215: add sample sso values
- !286: add Ironbank defender image to synker config
- !287: add gitlab runner images to synker config
- !288: split minio into minio operator and minio and move to addons
- !255: Integrate Mattermost Operator as an addon
- !273: Integrate Mattermost as an addon
- !291: enable MinIO in CI tests
- !290: upgrade Mattermost chart version. Uses latest IronBank image
[1.1.0]
- &2: Add support for Gitlab (with sso) 13.8.0
- &3: Add support for Gitlab Runners 13.2.2
- &7: Add support for SonarQube (with sso) 8.6
- &15: Add support for Anchore (with sso) 0.8.1
- #129: Updated FluentBit to 1.6.3
- #63: Fix bug with elasticsearch failing to start due to invalid file permissions
- #49: Add consistent labels to authservice deployment
- #32: Add support for PodAntiAffinity and NodeAffinity for elasticsearch deployments
- #6: Add support for new elasticsearch cluster node types
- #16: Fix bug with incorrect git credentials being created when specifying a private repository
- #66: Fix bug with EnvoyFilter being applied in the wrong non-global namespace
- #99: Fix bug that allowed for incorrect ImagePullSecrets to be created when providing incomplete credentials
[1.0.8]
- Added support for deployment of Minio operator and instance deployment of minio.
[1.0.7]
- Added Kubernetes labels to all objects created by umbrella
- Add OIDC integration for Grafana
- Allow creation of wildcard cert for istio ingress to be passed to BigBang chart
[1.0.6]
- Added HAProxy Addon
- Added support for automatically populating configs and settings for placing SSO in front of the following apps without SSO support:
      istio:
        sso:
          enabled: true
          prometheus:
            client_id:
            client_secret:
          alertmanager:
            client_id:
            client_secret:
      monitoring:
        sso:
          enabled: true
          kiali:
            client_id:
            client_secret:
          jaeger:
            client_id:
            client_secret:
- Added authservice namespace where authservice addon and haproxy deployment will be created.
- Added global sso options for umbrella which will be applied to all configured authservice chains:
      sso:
        oidc:
          host: login.dso.mil
          realm: baby-yoda
        certificate_authority: ''
        jwks: ""
        client_id: ""
        client_secret: ""
- Updated syntax for authservice chains definition.
[1.0.5]
- Bumped monitoring chart to consume kiwigrid/sidecar from IronBank
[1.0.4]
- Bug fix where argocd’s VirtualService wouldn’t receive the top level hostname value.
[1.0.3]
- Added Gitlab
- Added ability to provide multiple registry credentials while maintaining current capabilities:
      registryCredentials:
        username: registry1user
        password: somesecretpassword
  or
      registryCredentials:
      - registry: registry1.dso.mil
        username: registry1user
        password: somesecretpassword
      - registry: registry.dsop.io
        username: registry1user
        password: somesecretpassword
      - registry: somewhere.else.io
        username: someuser
        password: someothersecret
  will correctly create the ImagePullSecrets for all those registries
[1.0.2]
Changed
- Updated istio-controlplane to 1.7.3-bb.5 to allow for setting ingressgateway to use nodeports
[1.0.1]
Changed
- Updated Istio Control plane to support Node Ports for ingressGateway
- Update Istio Control plane to support SSO for Kiali and Jaeger
- Update Authservice to refactor definitions of filter chains
- Updated documentation
[0.0.4] - 2020-12-16
Changed
- Update Monitoring to 11.0.0-bb.2
[0.0.3] - 2020-12-15
Added
- Documentation in docs
Changed
- Updated Argo to 2.9.5-bb.1 for Iron Bank images
- Updated Authservice to 0.1.3-bb.0 for authservice secret generation: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/authservice/-/blob/master/CHANGELOG.md#013-bb0
- Updated ECK-Operator to 1.3.1-bb.1
- Updated Twistlock to 0.0.2-bb.0 to add istio.enabled flag
- Updated Elasticsearch Kibana to 0.1.2-bb.0 and Pass istio.enabled to Elasticsearch Kibana
[0.0.2] - 2020-12-11
Added
- Initial release of Big Bang