Release Notes - 2.18.0
Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.27.6 (RKE2).
Upgrade Notices
Add any additional upgrade notices from the release issue here. You may also want to reach out to package maintainers for anything that looks like a major change. Changelog diffs for packages are included below in the `## Changes in 2.18.0` section, which may be helpful to identify “major changes”.
- Flux:
  - Flux gets a minor update to `2.2.2` and the following component versions:
    - kustomize-controller: `v1.2.1`
    - helm-controller: `v0.37.1`
    - notification-controller: `v1.2.3`
    - The HelmRelease kind was promoted from `v2beta1` to `v2beta2`.
    - The Alert and Provider kinds were promoted from `v1beta2` to `v1beta3`.
    - OCIRepository and HelmChart: `v1beta2`.
    - HelmRepository and ImageRepository: `v1beta2`.
  - We recommend updating Flux to stay up to date - we only test releases against the latest Flux version in Big Bang. Running the Flux update script via `./scripts/install_flux.sh -s` will re-use your existing pull secret and update all components.
  - You will receive warnings if you are using one of the previous API versions listed above, but resources with those versions will still be created and will not be deleted. You should migrate your (non-BigBang) resources to the versions above, but this is not a breaking change.
- Istio:
  - Istio gets updated to `1.19.5`. BigBang apps should automatically cycle to get the latest sidecar config and version. Be sure to cycle pods for any community or tenant applications manually.
- Gitlab:

  ###### Deprecations
  - The JWKS endpoint at `https://gitlab.example.com/-/jwks` is deprecated in this release and will be removed entirely in a future release. `/-/jwks` is an alias for `/oauth/discovery/keys`, so update any usage of `/-/jwks` to use `/oauth/discovery/keys` instead.
  - Dependency Proxy: Access tokens to have additional scope checks
  - List repository directories Rake task

  ###### Removals
- KyvernoPolicies:
  - The policy `require-non-root-group` is now set to enforce. All BigBang provided packages have exceptions or configuration in place to satisfy this requirement. Non-BigBang deployments will need to ensure they are setting a `securityContext.runAsGroup` value or an exception will need to be added.
  - You can use the following values or ensure a Kyverno PolicyException resource is present in your app templates:

    ```yaml
    kyvernoPolicies:
      values:
        policies:
          require-non-root-group:
            exclude:
              any:
              - resources:
                  namespaces:
                  - NAMESPACE
                  names:
                  - POD-NAME-*
    ...
    ```
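To see which pods lack the `securityContext.runAsGroup` value that `require-non-root-group` now enforces, the pod list from `kubectl get pods -A -o json` can be audited offline. This is an added example, not Big Bang or Kyverno code. It assumes a container passes when its effective `runAsGroup` is set and non-zero, which approximates the policy because its exact rule is not shown on this page; the pod data and exclude entries are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample, shaped like the "items" of `kubectl get pods -A -o json`.
SAMPLE = {"items": [
    {"metadata": {"namespace": "tenant-a", "name": "web-1"},
     "spec": {"securityContext": {"runAsGroup": 1000},
              "containers": [{"name": "app"},
                             {"name": "proxy", "securityContext": {"runAsGroup": 0}}]}},
    {"metadata": {"namespace": "tenant-a", "name": "api-1"},
     "spec": {"containers": [{"name": "api", "securityContext": {"runAsGroup": 2000}}]}},
    {"metadata": {"namespace": "tenant-b", "name": "job-1"},
     "spec": {"initContainers": [{"name": "init"}],
              "containers": [{"name": "main", "securityContext": {"runAsUser": 1000}}]}},
    {"metadata": {"namespace": "legacy", "name": "batch-7"},
     "spec": {"containers": [{"name": "worker"}]}},
]}

# Same shape as the `exclude.any[].resources` entries in the values above;
# "legacy" and "batch-*" are constructed stand-ins for NAMESPACE and POD-NAME-*.
EXCLUDES = [{"namespaces": ["legacy"], "names": ["batch-*"]}]

def is_excluded(namespace, name, excludes):
    """True if any entry matches; within an entry, namespace AND name must match."""
    return any(
        any(fnmatchcase(namespace, p) for p in entry.get("namespaces", ["*"]))
        and any(fnmatchcase(name, p) for p in entry.get("names", ["*"]))
        for entry in excludes
    )

def root_group_containers(pod):
    """Names of containers whose effective runAsGroup (container over pod) is unset or 0."""
    spec = pod.get("spec", {})
    pod_gid = (spec.get("securityContext") or {}).get("runAsGroup")
    flagged = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            gid = (container.get("securityContext") or {}).get("runAsGroup", pod_gid)
            if not gid:
                flagged.append(container["name"])
    return flagged

def audit(pod_list, excludes=EXCLUDES):
    """Map "namespace/name" to flagged containers, skipping excluded pods."""
    findings = {}
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        if is_excluded(meta["namespace"], meta["name"], excludes):
            continue
        flagged = root_group_containers(pod)
        if flagged:
            findings[f"{meta['namespace']}/{meta['name']}"] = flagged
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Pods reported here need either a `runAsGroup` in their pod or container `securityContext`, or an entry in the exclude list.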
Upgrades from previous releases
If coming from a version pre-`2.17.0`, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-`2.17.0`.
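For the Flux API promotions listed in the upgrade notices above, the following added example (not part of the Big Bang release notes or of Flux tooling) scans multi-document YAML text for HelmRelease, Alert and Provider resources still on the pre-promotion version. The API group names and the sample manifest are assumptions supplied here; the page gives only the kinds and versions.

```python
import re

# Promotions listed in the upgrade notice: kind -> (API group, old, new).
# The group names are the upstream Flux API groups; the page gives only versions.
PROMOTED = {
    "HelmRelease": ("helm.toolkit.fluxcd.io", "v2beta1", "v2beta2"),
    "Alert": ("notification.toolkit.fluxcd.io", "v1beta2", "v1beta3"),
    "Provider": ("notification.toolkit.fluxcd.io", "v1beta2", "v1beta3"),
}

# Constructed multi-document manifest for illustration.
SAMPLE = """\
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: tenant-app
  namespace: tenant-a
---
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
  name: on-call
---
kind: Provider
apiVersion: "notification.toolkit.fluxcd.io/v1beta2"
metadata:
  name: chat-hook
"""


def top_level(doc, key):
    """Value of an unindented `key:` line, with quotes and comments stripped."""
    m = re.search(rf"^{key}:[ \t]*[\"']?([^\s\"'#]+)", doc, re.MULTILINE)
    return m.group(1) if m else None


def find_outdated(text):
    """Return (kind, name, current apiVersion, promoted apiVersion) tuples."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", text, flags=re.MULTILINE):
        kind, api = top_level(doc, "kind"), top_level(doc, "apiVersion")
        if kind not in PROMOTED:
            continue
        group, old, new = PROMOTED[kind]
        if api == f"{group}/{old}":
            # First indented `name:` line; a line-based approximation of metadata.name.
            m = re.search(r"^[ \t]+name:[ \t]*(\S+)", doc, re.MULTILINE)
            findings.append((kind, m.group(1) if m else "?", api, f"{group}/{new}"))
    return findings


if __name__ == "__main__":
    for kind, name, current, target in find_outdated(SAMPLE):
        print(f"{kind}/{name}: {current} -> {target}")
```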
Packages
Package | Type | Package Version | BB Version |
---|---|---|---|
Istio Controlplane | Core | Istio 1.19.5, Tetrate Istio Distro 1.19.5 | 1.19.5-bb.2 |
Istio Operator | Core | Istio Operator 1.19.5, Tetrate Istio Distro Operator 1.19.5 | 1.19.5-bb.1 |
Jaeger | Core | 1.47.0 | 2.47.0-bb.1 |
Kiali | Core | 1.78.0 | 1.78.0-bb.1 |
Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.12 |
Gatekeeper | Core | 3.14.0 | 3.14.0-bb.0 |
Kyverno | Core | 1.11.0 | 3.1.1-bb.0 |
Kyverno Policies | Core | 3.0.4 | 3.0.4-bb.17 |
Kyverno Reporter | Core | 2.10.4 | 2.16.0-bb.6 |
Elasticsearch Kibana | Core | Kibana 8.11.3, Elasticsearch 8.11.3 | 1.8.0-bb.0 |
Eck Operator | Core | 2.10.0 | 2.10.0-bb.0 |
Fluentbit | Core | 2.1.10 | 0.39.0-bb.4 |
Promtail | Core | 2.9.2 | 6.15.3-bb.1 |
Loki | Core | 2.9.3 | 5.41.4-bb.1 |
Neuvector | Core | 5.2.2 | 2.6.3-bb.8 |
Tempo | Core | Tempo 2.3.0-ubi9, Tempo Query 2.3.1 | 1.7.1-bb.1 |
Monitoring | Core | Prometheus 2.48.1, Grafana 10.2.2, Alertmanager 0.26.0 | 55.5.1-bb.0 |
Grafana | Core | 10.1.5 | 6.60.6-bb.5 |
Twistlock | Core | 30.02.123 | 0.13.1-bb.0 |
Wrapper | Core | N / A | 0.4.3 |
Argocd | Addon | 2.8.4 | 5.46.7-bb.11 |
Authservice | Addon | 0.5.3 | 0.5.3-bb.23 |
Minio Operator | Addon | 5.0.11 | 5.0.11-bb.1 |
Minio | Addon | RELEASE.2023-11-20T22-40-07Z | 5.0.11-bb.0 |
Gitlab | Addon | 16.7.0 | 7.7.0-bb.0 |
Gitlab Runner | Addon | 16.6.0 | 0.59.1-bb.1 |
Nexus | Addon | 3.62.0-01 | 62.0.0-bb.2 |
Sonarqube | Addon | 9.9.3-community | 8.0.3-bb.0 |
Fortify | Addon | 23.2.0.0154 | 1.1.2320154-bb.0 |
Haproxy | Addon | 2.2.31 | 1.19.3-bb.1 |
Anchore Enterprise | Addon | Enterprise 4.9.3, Engine 1.1.0 | 1.27.4-bb.7 |
Mattermost Operator | Addon | 1.20.1 | 1.20.1-bb.0 |
Mattermost | Addon | 9.3.0 | 9.3.0-bb.1 |
Velero | Addon | 1.12.1 | 5.1.3-bb.2 |
Keycloak | Addon | 21.1.1 | 18.4.3-bb.11 |
Vault | Addon | 1.13.1 | 0.25.0-bb.8 |
Metrics Server | Addon | 0.6.4 | 3.11.0-bb.2 |
Harbor | Addon | 2.9.1 | 1.13.1-bb.4 |
Thanos | Addon | 0.32.5 | 12.16.1-bb.0 |
Changes in 2.18.0
Big Bang MRs
- !3541: Update Flux
- !3606: set run as non-root-group policy to Enforce
- !3602: Update Flux
- !3605: flux: update lookup call endpoints
- !3576: Resolve “Mitigate automountServiceAccountToken findings in fluentbit”
- !3477: Resolve “Mitigate automountServiceAccountToken findings in promtail”
- !3597: Moving thanos out of sandbox to product/packages
- !3460: Resolve “Per app flux settings don’t work when overriding with falsey values”
Istio Controlplane
# Changelog Updates
## [1.19.5-bb.2] - 2023-12-29
### Changed
- ironbank/tetrate/istio/install-cni updated from 1.19.3 to 1.19.6
- ironbank/tetrate/istio/pilot updated from 1.19.3 to 1.19.5
- ironbank/tetrate/istio/proxyv2 updated from 1.19.3 to 1.19.5
## [1.19.5-bb.1] - 2023-12-19
### Changed
- Allow Setting resources and limits for the postInstallHook
## [1.19.5-bb.0] - 2023-12-19
### Changed
- ironbank/opensource/istio/install-cni updated from 1.19.4 to 1.19.5
- ironbank/opensource/istio/pilot updated from 1.19.4 to 1.19.5
- ironbank/opensource/istio/proxyv2 updated from 1.19.4 to 1.19.5
## [1.19.4-bb.1] - 2023-11-28
### Changed
- Updating OSCAL Component file.
Istio Operator
- !3590: istioOperator & istio update to 1.19.5-bb.0
- !3553: Mitigating the automount service account token findings in Anchore
# Changelog Updates
## [1.19.5-bb.1] - 2023-1-04
### Added
- Updated TID image to `1.19.5`
## [1.19.5-bb.0] - 2023-12-18
### Added
- Updated repo1 image to `1.19.5`
Kiali
- !3574: kiali update to 1.78.0-bb.1
- !3537: Kiali: disabled automountserviceaccounttoken in the Kiali namespace
- !3562: Revert “Mitigate automountServiceAccountToken findings in Confluence”
# Changelog Updates
## [1.78.0-bb.1] - 2023-12-18
### Changed
- Updated registry1.dso.mil/ironbank/opensource/kiali/kiali-operator to 1.78.0
## [1.78.0-bb.0] - 2023-12-12
### Changed
- Updated registry1.dso.mil/ironbank/opensource/kiali/kiali to 1.78.0
Cluster Auditor
- !3635: clusterAuditor update to 1.5.0-bb.12
# Changelog Updates
## [1.5.0-bb.12] - 2024-1-3
### Changed
- Added support for Istio Authorization Policies
## [1.5.0-bb.11] - 2023-11-30
### Changed
- Updating OSCAL Component File.
Kyverno
# Changelog Updates
## [3.1.1-bb.0] - 2024-1-8
### Changed
- Updated upstream chart from `3.1.0` to `3.1.1`
- Updated `kyverno`, `background-controller`, `cleanup-controller`, `reports-controller`, `kyvernopre` from `v1.11.0` to `v1.11.1`
- Updated `gluon` from `0.3.1` to `0.4.6`
- Added `ServiceMonitor` CRD
## [3.1.0-bb.2] - 2023-12-14
### Changed
- Updated `ubi8-minimal:8.9` to `ubi9-minimal:9.3`
## [3.1.0-bb.1] - 2023-12-06
### Changed
- Updating OSCAL Component File.
Kyverno Policies
# Changelog Updates
## [3.0.4-bb.17] - 2023-12-21
### Changed
- Fixed issue with kyverno policy related to automountServiceAccountToken exemptions
- Added kyverno policy related to mutating pods with respect to automountServiceAccountToken hardening
## [3.0.4-bb.16] - 2023-12-15
### Changed
- add `ctlog.ignoreSCT: true` to `require-image-signature` policy
Elasticsearch Kibana
- !3632: elasticsearchKibana update to 1.8.0-bb.0
- !3630: Harden SA Token for eckOperator
- !3587: elasticsearchKibana update to 1.7.0-bb.1
- !3582: elasticsearchKibana update to 1.7.0-bb.0
# Changelog Updates
## [1.8.0-bb.0] - 2024-01-04
### Changed
- gluon updated from 0.4.5 to 0.4.6
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.11.2 to 8.11.3
- ironbank/elastic/kibana/kibana updated from 8.11.1 to 8.11.3
## [1.7.0-bb.1] - 2023-12-18
### Changed
- updated elasticsearch-exporter security context
## [1.7.0-bb.0] - 2023-12-17
### Changed
- gluon updated from 0.4.4 to 0.4.5
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.11.0 to 8.11.2
- ironbank/elastic/kibana/kibana updated from 8.11.0 to 8.11.1
## [1.6.1-bb.4] - 2023-12-15
### Updated
- Updated bb base image to 2.1.0
- ironbank/stedolan/jq updated from 1.6 to 1.7
- ironbank/elastic/kibana/kibana updated from 8.10.4 to 8.11.0
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.10.3 to 8.11.2
- prometheus-elasticsearch-exporter updated from 4.14.0 to 4.15.0
## [1.6.1-bb.3] - 2023-11-30
### Changed
- Updating OSCAL Component File.
Fluentbit
- !3632: elasticsearchKibana update to 1.8.0-bb.0
- !3630: Harden SA Token for eckOperator
- !3617: fluentbit update to 0.39.0-bb.4
- !3587: elasticsearchKibana update to 1.7.0-bb.1
- !3582: elasticsearchKibana update to 1.7.0-bb.0
# Changelog Updates
## [0.39.0-bb.4]
### Added
- Added istio `allow-nothing` policy
- Added istio `allow-monitoring` policy
- Added istio custom policy template
Loki
# Changelog Updates
## [5.41.4-bb.1] - 2024-1-2
### Added
- Istio virtual service
- network policy for virtual service
- allow-intranamespace policy
- allow-nothing-policy
- ingressgateway-authz-policy
- monitoring-authz-policy
- promtail-authz-policy
- template for adding user defined policies
## [5.41.4-bb.0] - 2023-12-29
### Changed
- loki image 2.9.2 -> 2.9.3
Neuvector
# Changelog Updates
## [2.6.3-bb.8] - 2023-12-13
### Added
- Peerauthentication added for controller for upgrade support
Tempo
- !3646: tempo update to 1.7.1-bb.1
# Changelog Updates
## [1.7.1-bb.1] - 2023-12-20
### Added
- Added istio `allow-nothing` policy
- Added istio `allow-ingress` polic(y|ies)
- Added istio `allow-tempo` policy
- Added istio custom policy template
Monitoring
- !3618: monitoring update to 55.5.1-bb.0
- !3586: monitoring update to 55.0.0-bb.2
- !3524: Mitigating the automount service account token findings in harbor
# Changelog Updates
## [55.0.0-bb.3] - 2023-12-28
### Updated
- registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar 1.25.2 -> 1.25.3
- registry1.dso.mil/ironbank/opensource/prometheus/prometheus v2.48.0 -> v2.48.1
## [55.0.0-bb.2] - 2023-12-15
### Updated
- Updated `ubi8-minimal:8.9` to `ubi9-minimal:9.3`
Grafana
- !3598: grafana update to 6.60.6-bb.5
- !3508: Resolve “Mitigate automountServiceAccountToken findings in Grafana”
# Changelog Updates
## [6.60.6-bb.5] - 2023-12-14
### Added
- Upgrade ubi8-minimal:8.8 to ubi9-minimal:9.3
## [6.60.6-bb.4] - 2023-12-07
### Added
- Adding OSCAL Component File.
Twistlock
# Changelog Updates
## [0.13.1-bb.0] - 2023-12-13
### Changed
- Added new value for Defender nodeSelector
- Updated Defender deployment to use new value
## [0.13.0-bb.10] - 2023-11-30
### Changed
- Updating OSCAL Component File.
## [0.13.0-bb.9] - 2023-11-27
### Changed
- Updated PVC ironbank/big-bang/base updated from 2.0.0 to 2.1.0
## [0.13.0-bb.8] - 2023-11-08
### Changed
- ironbank/big-bang/base updated from 2.0.0 to 2.1.0
Wrapper
- !3613: wrapper update to 0.4.3
# Changelog Updates
## [0.4.3] - 2023-12-22
### Changed
- Fixed support for multiple istio gateway network policies
Argocd
- !3647: update argocd to 5.46.7-bb.11
# Changelog Updates
## [5.46.7-bb.11] - 2024-01-05
### Changed
- Bumped Redis chart dependency to `18.3.2-bb.2`
## [5.46.7-bb.10] - 2023-12-11
### Added
- Added istio `allow-nothing` policy
- Added istio `allow-monitoring` policy
- Added istio `allow-http` policy
- Added istio `allow-http-envoy` policy
- Added istio `allow-redis` policy
- Added istio `argocd` policy
- Added istio custom policy template
Authservice
- !3627: authservice update to 0.5.3-bb.22
# Changelog Updates
## [0.5.3-bb.23] - 2024-01-04
### Changed
- Bumped Redis chart dependency to `18.3.2-bb.2`
## [0.5.3-bb.22] - 2023-12-22
### Added
- support for istio authorization policies and hardening
Minio Operator
- !3603: minioOperator: update minioOperator chart version
# Changelog Updates
## [5.0.11-bb.1] - 2023-12-20
### Upgrade
- Create a VirtualService and supporting NetworkPolicies / AuthorizationPolicies to expose the `console` UI if desired
Gitlab
- !3669: gitlab update to 7.7.0-bb.0
- !3601: gitlabRunner update to 0.59.1-bb.1
- !3570: gitlab update to 7.6.1-bb.1
- !3572: gitlabRunner update to 0.59.1-bb.0
# Changelog Updates
## [7.7.0-bb.0] - 2024-01-11
### Changed
- Update GitLab to appVersion 16.7.0
- Update chart version to 7.7.0
- ironbank/gitlab/gitlab/gitlab-webservice 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/certificates 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 16.6.1 -> 16.7.0-1
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 16.6.1 -> 16.7.0
## [7.6.1-bb.1] - 2023-12-13
### Changed
- registry1.dso.mil/ironbank/redhat/ubi/ubi8 8.9 -> registry1.dso.mil/ironbank/redhat/ubi/ubi9 9.3
Gitlab Runner
# Changelog Updates
## [0.59.1-bb.1] - 2023-12-18
### Changed
- Update ubi base image ubi9:9.3
## [0.59.1-bb.0] - 2023-11-29
### Changed
- Updated chart to 0.59.1
- Updated images to v16.6.0
- Update ubi base image ubi8:8.9
- Fixed syntax in chart/templates/tests/test-gitlab-runners.yaml
- Increased available cypress test resources in chart/values.yaml
Nexus
- !3585: nexusRepositoryManager update to 62.0.0-bb.2
- !3504: nexusRepositoryManager update to 62.0.0-bb.1
# Changelog Updates
## [62.0.0-bb.2] - 2023-12-13
### Changed
- Updated ubi8-minimal:8.9 to ubi9-minimal:9.3
## [62.0.0-bb.1] - 2023-11-29
### Changed
- registry1.dso.mil/ironbank/google/go-containerregistry/crane v0.15.2 -> v0.16.1
Fortify
- !3622: Update fortify helmRepo in values.yaml
- !3560: Mitigating the automount service account token findings in Fortify
- !3557: fortify update to 1.1.2320154-bb.0
# Changelog Updates
## [1.2.0-bb.0] - 2023-12-12
### Changed
- ironbank/google/golang/golang-1.20 updated from 1.20.11 to 1.20.12
- ironbank/microfocus/fortify/ssc updated from 23.1.2.0005 to 23.2.0.0154
## [1.1.2311007-bb.9] - 2023-12-02
### Changed
- mysql updated from 9.14.2 to 9.14.4
- ironbank/google/golang/golang-1.20 updated from 1.20.10 to 1.20.11
## [1.1.2311007-bb.8] - 2023-12-01
### Changed
- mysql updated from 9.14.1 to 9.14.2
Haproxy
- !3628: haproxy update to 1.19.3-bb.1
# Changelog Updates
## [1.19.3-bb.1] - 2023-12-22
### Added
- support for istio authorization policies and hardening
Anchore Enterprise
- !3641: update anchore tag to 1.27.4-bb.7 to pick up new redis dep. chart
# Changelog Updates
## [1.27.4-bb.7] - 2024-01-04
### Changed
- Bumped Redis chart dependency to `18.3.2-bb.2`
Mattermost
# Changelog Updates
## [9.3.0-bb.1] - 2023-12-21
### Changed
- cypress resource allocation
## [9.3.0-bb.0] - 2023-12-21
### Changed
- registry1.dso.mil/ironbank/opensource/mattermost/mattermost v9.2.3 -> v9.3.0
- registry1.dso.mil/ironbank/opensource/postgres/postgresql12 12.16 -> 12.17
- Updated gluon from 0.4.1 to 0.4.5
## [9.2.3-bb.2] - 2023-12-19
### Changed
- Added an additionalPolicies value under networkPolicies to allow for additional custom policies to be specified
Keycloak
- !3604: keycloak update to 18.4.3-bb.11
# Changelog Updates
## [18.4.3-bb.11] - 2023-12-19
### Updated
- Update podSecurityContext to fix kyverno policy violation
Vault
- !3619: vault update to 0.25.0-bb.8
- !3580: vault update to 0.25.0-bb.7
- !3578: Mitigating the automount service account token findings in vault
# Changelog Updates
## [0.25.0-bb.8] - 2023-12-28
### Changed
- Updated `values.yaml` to configure Vault TLS configuration based on `global.tlsDisable`, `istio.vault.tls.key`, and `istio.vault.tls.cert`
- Updated Developer Documentation to provide guidance for configuring Vault with a `PASSTHROUGH` istio gateway
## [0.25.0-bb.7] - 2023-12-14
### Changed
- Increased Cypress test resources
## [0.25.0-bb.6] - 2023-12-12
### Changed
- Updated gluon 0.4.4 -> 0.4.5
Metrics Server
- !3626: metricsServer update to 3.11.0-bb.2
# Changelog Updates
## [3.11.0-bb.2] - 2023-12-15
### Added
- Add support for AuthorizationPolicies to harden Istio with `istio.harden.enabled: true`
Harbor
- !3614: harbor update to 1.13.1-bb.4
- !3524: Mitigating the automount service account token findings in harbor
# Changelog Updates
## [1.13.1-bb.4] - 2023-12-22
### Changed
- Removed chartmuseum as it was deprecated upstream
Thanos
- !3583: thanos update to 12.16.1-bb.0
# Changelog Updates
## [12.16.1-bb.0] - 2023-12-06
### Changed
- Updated chart version to 12.16.1
Known Issues
- Velero caCert template errors: Per app flux settings don’t work when overriding with falsey values
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our chat
- Check out the documentation for guidance on how to get started
Future
Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.