Release Notes - 2.18.0

Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.27.6 (RKE2).

Upgrade Notices

Add any additional upgrade notices from the release issue here. You may also want to reach out to package maintainers for anything that looks like a major change. Changelog diffs for packages are included below in the "Changes in 2.18.0" section, which may be helpful to identify “major changes”.

  • Flux:

    • Flux gets a minor update to 2.2.2 and the following component versions:
      • kustomize-controller: v1.2.1
      • helm-controller: v0.37.1
      • notification-controller: v1.2.3
      • The HelmRelease kind was promoted from v2beta1 to v2beta2.
      • The Alert and Provider kinds were promoted from v1beta2 to v1beta3.
      • OCIRepository and HelmChart: v1beta2.
      • HelmRepository and ImageRepository: v1beta2.
    • We recommend updating Flux to stay up to date - we only test releases against the latest Flux version in Big Bang. Running the Flux update script via ./scripts/install_flux.sh -s will re-use your existing pull secret and update all components.
    • You will receive warnings if you are using one of the previous API versions listed above, but resources with those versions will still be created and will not be deleted. You should migrate your (non-Big Bang) resources to the versions above, but this is not a breaking change.
  • Istio:

    • Istio gets updated to 1.19.5. BigBang apps should automatically cycle to get the latest sidecar config and version. Be sure to cycle pods for any community or tenant applications manually.
  • Gitlab:

    • Deprecations
    • Removals
  • KyvernoPolicies:

    • The policy require-non-root-group is now set to enforce. All BigBang provided packages have exceptions or configuration in place to satisfy this requirement. Non-BigBang deployments will need to ensure they are setting a securityContext.runAsGroup value or an exception will need to be added.
    • You can use the following values or ensure a Kyverno PolicyException resource is present in your app templates:
      kyvernoPolicies:
        values:
          policies:
            require-non-root-group:
              exclude:
                any:
                - resources:
                    namespaces:
                    - NAMESPACE
                    names:
                    - POD-NAME-*
      ...
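
A pre-upgrade check for the notice above, added here as an example (not Big Bang or Kyverno code): it reads pod JSON in the shape of `kubectl get pods -A -o json` and lists containers that end up with no non-zero `runAsGroup`, skipping pods matched by `exclude` entries shaped like the values above. The sample pods, namespaces and function names are constructed, and the check approximates the runAsGroup requirement rather than evaluating the Kyverno policy itself.

```python
import fnmatch
import json

# Constructed sample, shaped like `kubectl get pods -A -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "tenant-a", "name": "api-7d9f"},
  "spec": {"securityContext": {"runAsGroup": 1000}, "containers": [{"name": "api"}]}},
 {"metadata": {"namespace": "tenant-a", "name": "worker-x2"}, "spec": {"containers": [{"name": "worker"}]}},
 {"metadata": {"namespace": "tenant-b", "name": "batch-1"},
  "spec": {"securityContext": {"runAsGroup": 1000},
           "initContainers": [{"name": "init", "securityContext": {"runAsGroup": 0}}],
           "containers": [{"name": "job"}]}},
 {"metadata": {"namespace": "legacy", "name": "old-app-5c"}, "spec": {"containers": [{"name": "old"}]}}
]}""")

# Constructed exclusions, same shape as the `exclude.any` list in the values.
EXCLUDES = [{"resources": {"namespaces": ["legacy"], "names": ["old-app-*"]}}]


def is_excluded(pod, excludes):
    """True when one entry matches both the pod's namespace and its name."""
    meta = pod["metadata"]
    for entry in excludes:
        res = entry.get("resources", {})
        ns_ok = any(fnmatch.fnmatchcase(meta["namespace"], p)
                    for p in res.get("namespaces", ["*"]))
        name_ok = any(fnmatch.fnmatchcase(meta["name"], p)
                      for p in res.get("names", ["*"]))
        if ns_ok and name_ok:
            return True
    return False


def root_group_findings(pod_list, excludes=()):
    """List (namespace, pod, container, reason) where runAsGroup is unset or 0."""
    findings = []
    for pod in pod_list.get("items", []):
        if is_excluded(pod, excludes):
            continue
        meta, spec = pod["metadata"], pod["spec"]
        pod_gid = (spec.get("securityContext") or {}).get("runAsGroup")
        for kind in ("initContainers", "ephemeralContainers", "containers"):
            for c in spec.get(kind) or []:
                # Container-level runAsGroup overrides the pod-level value.
                gid = (c.get("securityContext") or {}).get("runAsGroup", pod_gid)
                if gid is None or gid == 0:
                    reason = "runAsGroup unset" if gid is None else "runAsGroup is 0"
                    findings.append((meta["namespace"], meta["name"], c["name"], reason))
    return findings


if __name__ == "__main__":
    for finding in root_group_findings(SAMPLE, EXCLUDES):
        print("%s/%s container=%s: %s" % finding)
```

Every pod it reports needs either a `securityContext.runAsGroup` value or an exclusion before the policy moves to enforce.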
      

Upgrades from previous releases

If coming from a version pre-2.17.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-2.17.0.

Packages

| Status | Package | Type | Package Version | BB Version |
|---|---|---|---|---|
| Updated | Istio Controlplane | Core | Istio 1.19.5, Tetrate Istio Distro 1.19.5 | 1.19.5-bb.2 |
| Updated | Istio Operator | Core | Istio Operator 1.19.5, Tetrate Istio Distro Operator 1.19.5 | 1.19.5-bb.1 |
| | Jaeger | Core | 1.47.0 | 2.47.0-bb.1 |
| Updated | Kiali | Core | 1.78.0 | 1.78.0-bb.1 |
| Updated | Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.12 |
| | Gatekeeper | Core | 3.14.0 | 3.14.0-bb.0 |
| Updated | Kyverno | Core | 1.11.0 | 3.1.1-bb.0 |
| Updated | Kyverno Policies | Core | 3.0.4 | 3.0.4-bb.17 |
| | Kyverno Reporter | Core | 2.10.4 | 2.16.0-bb.6 |
| Updated | Elasticsearch Kibana | Core | Kibana 8.11.3, Elasticsearch 8.11.3 | 1.8.0-bb.0 |
| | Eck Operator | Core | 2.10.0 | 2.10.0-bb.0 |
| Updated | Fluentbit | Core | 2.1.10 | 0.39.0-bb.4 |
| | Promtail | Core | 2.9.2 | 6.15.3-bb.1 |
| Updated | Loki | Core | 2.9.3 | 5.41.4-bb.1 |
| Updated | Neuvector | Core | 5.2.2 | 2.6.3-bb.8 |
| Updated | Tempo | Core | Tempo 2.3.0-ubi9, Tempo Query 2.3.1 | 1.7.1-bb.1 |
| Updated | Monitoring | Core | Prometheus 2.48.1, Grafana 10.2.2, Alertmanager 0.26.0 | 55.5.1-bb.0 |
| Updated | Grafana | Core | 10.1.5 | 6.60.6-bb.5 |
| Updated | Twistlock | Core | 30.02.123 | 0.13.1-bb.0 |
| Updated | Wrapper | Core | N / A | 0.4.3 |
| Updated | Argocd | Addon | 2.8.4 | 5.46.7-bb.11 |
| Updated | Authservice | Addon | 0.5.3 | 0.5.3-bb.23 |
| Updated | Minio Operator | Addon | 5.0.11 | 5.0.11-bb.1 |
| | Minio | Addon | RELEASE.2023-11-20T22-40-07Z | 5.0.11-bb.0 |
| Updated | Gitlab | Addon | 16.7.0 | 7.7.0-bb.0 |
| Updated | Gitlab Runner | Addon | 16.6.0 | 0.59.1-bb.1 |
| Updated | Nexus | Addon | 3.62.0-01 | 62.0.0-bb.2 |
| | Sonarqube | Addon | 9.9.3-community | 8.0.3-bb.0 |
| Updated | Fortify | Addon | 23.2.0.0154 | 1.1.2320154-bb.0 |
| Updated | Haproxy | Addon | 2.2.31 | 1.19.3-bb.1 |
| Updated | Anchore Enterprise | Addon | Enterprise 4.9.3, Engine 1.1.0 | 1.27.4-bb.7 |
| | Mattermost Operator | Addon | 1.20.1 | 1.20.1-bb.0 |
| Updated | Mattermost | Addon | 9.3.0 | 9.3.0-bb.1 |
| | Velero | Addon | 1.12.1 | 5.1.3-bb.2 |
| Updated | Keycloak | Addon | 21.1.1 | 18.4.3-bb.11 |
| Updated | Vault | Addon | 1.13.1 | 0.25.0-bb.8 |
| Updated | Metrics Server | Addon | 0.6.4 | 3.11.0-bb.2 |
| Updated | Harbor | Addon | 2.9.1 | 1.13.1-bb.4 |
| Updated | Thanos (BETA) | Addon | 0.32.5 | 12.16.1-bb.0 |

Changes in 2.18.0

Big Bang MRs

  • !3541: Update Flux
  • !3606: set run as non-root-group policy to Enforce
  • !3602: Update Flux
  • !3605: flux: update lookup call endpoints
  • !3576: Resolve “Mitigate automountServiceAccountToken findings in fluentbit”
  • !3477: Resolve “Mitigate automountServiceAccountToken findings in promtail”
  • !3597: Moving thanos out of sandbox to product/packages
  • !3460: Resolve “Per app flux settings don’t work when overriding with falsey values”

Istio Controlplane

  • !3594: istio update to 1.19.5-bb.1
  • !3590: istioOperator & istio update to 1.19.5-bb.0
# Changelog Updates

## [1.19.5-bb.2] - 2023-12-29
### Changed
- ironbank/tetrate/istio/install-cni updated from 1.19.3 to 1.19.6
- ironbank/tetrate/istio/pilot updated from 1.19.3 to 1.19.5
- ironbank/tetrate/istio/proxyv2 updated from 1.19.3 to 1.19.5

## [1.19.5-bb.1] - 2023-12-19
### Changed
- Allow Setting resources and limits for the postInstallHook

## [1.19.5-bb.0] - 2023-12-19
### Changed
- ironbank/opensource/istio/install-cni updated from 1.19.4 to 1.19.5
- ironbank/opensource/istio/pilot updated from 1.19.4 to 1.19.5
- ironbank/opensource/istio/proxyv2 updated from 1.19.4 to 1.19.5

## [1.19.4-bb.1] - 2023-11-28
### Changed
- Updating OSCAL Component file.

Istio Operator

  • !3590: istioOperator & istio update to 1.19.5-bb.0
  • !3553: Mitigating the automount service account token findings in Anchore
# Changelog Updates

## [1.19.5-bb.1] - 2023-1-04
### Added
- Updated TID image to `1.19.5`

## [1.19.5-bb.0] - 2023-12-18
### Added
- Updated repo1 image to `1.19.5`

Kiali

  • !3574: kiali update to 1.78.0-bb.1
  • !3537: Kiali: disabled automountserviceaccounttoken in the Kiali namespace
  • !3562: Revert “Mitigate automountServiceAccountToken findings in Confluence”
# Changelog Updates

## [1.78.0-bb.1] - 2023-12-18
### Changed
- Updated registry1.dso.mil/ironbank/opensource/kiali/kiali-operator to 1.78.0

## [1.78.0-bb.0] - 2023-12-12
### Changed
- Updated registry1.dso.mil/ironbank/opensource/kiali/kiali to 1.78.0

Cluster Auditor

  • !3635: clusterAuditor update to 1.5.0-bb.12
# Changelog Updates

## [1.5.0-bb.12] - 2024-1-3
### Changed
- Added support for Istio Authorization Policies

## [1.5.0-bb.11] - 2023-11-30
### Changed
- Updating OSCAL Component File.

Kyverno

  • !3569: kyvernoPolicies update to 3.0.4-bb.16
  • !3573: kyverno update to 3.1.0-bb.2
# Changelog Updates

## [3.1.1-bb.0] - 2024-1-8
### Changed
- Updated upstream chart from `3.1.0` to `3.1.1`
- Updated `kyverno`, `background-controller`, `cleanup-controller`, `reports-controller`, `kyvernopre`  from `v1.11.0` to `v1.11.1`
- Updated `gluon` from `0.3.1` to `0.4.6`
- Added `ServiceMonitor` CRD

## [3.1.0-bb.2] - 2023-12-14
### Changed
- Updated `ubi8-minimal:8.9` to `ubi9-minimal:9.3`

## [3.1.0-bb.1] - 2023-12-06
### Changed
- Updating OSCAL Component File.

Kyverno Policies

  • !3633: kyvernoPolicies update to 3.0.4-bb.17
  • !3569: kyvernoPolicies update to 3.0.4-bb.16
# Changelog Updates

## [3.0.4-bb.17] - 2023-12-21
### Changed
- Fixed issue with kyverno policy related to automountServiceAccountToken exemptions
- Added kyverno policy related to mutating pods with respect to automountServiceAccountToken hardening

## [3.0.4-bb.16] - 2023-12-15
### Changed
- add `ctlog.ignoreSCT: true` to `require-image-signature` policy

Elasticsearch Kibana

  • !3632: elasticsearchKibana update to 1.8.0-bb.0
  • !3630: Harden SA Token for eckOperator
  • !3587: elasticsearchKibana update to 1.7.0-bb.1
  • !3582: elasticsearchKibana update to 1.7.0-bb.0
# Changelog Updates

## [1.8.0-bb.0] - 2024-01-04
### Changed
- gluon updated from 0.4.5 to 0.4.6
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.11.2 to 8.11.3
- ironbank/elastic/kibana/kibana updated from 8.11.1 to 8.11.3

## [1.7.0-bb.1] - 2023-12-18
### Changed
- updated elasticsearch-exporter security context

## [1.7.0-bb.0] - 2023-12-17
### Changed
- gluon updated from 0.4.4 to 0.4.5
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.11.0 to 8.11.2
- ironbank/elastic/kibana/kibana updated from 8.11.0 to 8.11.1

## [1.6.1-bb.4] - 2023-12-15
### Updated
- Updated bb base image to 2.1.0
- ironbank/stedolan/jq updated from 1.6 to 1.7
- ironbank/elastic/kibana/kibana updated from 8.10.4 to 8.11.0
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.10.3 to 8.11.2
- prometheus-elasticsearch-exporter updated from 4.14.0 to 4.15.0

## [1.6.1-bb.3] - 2023-11-30
### Changed
- Updating OSCAL Component File.

Fluentbit

  • !3632: elasticsearchKibana update to 1.8.0-bb.0
  • !3630: Harden SA Token for eckOperator
  • !3617: fluentbit update to 0.39.0-bb.4
  • !3587: elasticsearchKibana update to 1.7.0-bb.1
  • !3582: elasticsearchKibana update to 1.7.0-bb.0
# Changelog Updates

## [0.39.0-bb.4]
### Added
- Added istio `allow-nothing` policy
- Added istio `allow-monitoring` policy
- Added istio custom policy template

Loki

  • !3620: loki update to 5.41.4-bb.1
  • !3615: loki update to 5.41.4-bb.0
# Changelog Updates

## [5.41.4-bb.1] - 2024-1-2
### Added
- Istio virtual service
- network policy for virtual service
- allow-intranamespace policy
- allow-nothing-policy
- ingressgateway-authz-policy
- monitoring-authz-policy
- promtail-authz-policy
- template for adding user defined policies

## [5.41.4-bb.0] - 2023-12-29
### Changed
- loki image 2.9.2 -> 2.9.3

Neuvector

  • !3558: neuvector update to 2.6.3-bb.8
  • !2905: Resolve “Expose additional fields for Neuvector SSO”
# Changelog Updates

## [2.6.3-bb.8] - 2023-12-13
### Added
- Peerauthentication added for controller for upgrade support

Tempo

  • !3646: tempo update to 1.7.1-bb.1
# Changelog Updates

## [1.7.1-bb.1] - 2023-12-20
### Added
- Added istio `allow-nothing` policy
- Added istio `allow-ingress` polic(y|ies)
- Added istio `allow-tempo` policy
- Added istio custom policy template

Monitoring

  • !3618: monitoring update to 55.5.1-bb.0
  • !3586: monitoring update to 55.0.0-bb.2
  • !3524: Mitigating the automount service account token findings in harbor
# Changelog Updates

## [55.0.0-bb.3] - 2023-12-28
### Updated
- registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar 1.25.2 -> 1.25.3
- registry1.dso.mil/ironbank/opensource/prometheus/prometheus v2.48.0 -> v2.48.1

## [55.0.0-bb.2] - 2023-12-15
### Updated
- Updated `ubi8-minimal:8.9` to `ubi9-minimal:9.3`

Grafana

  • !3598: grafana update to 6.60.6-bb.5
  • !3508: Resolve “Mitigate automountServiceAccountToken findings in Grafana”
# Changelog Updates

## [6.60.6-bb.5] - 2023-12-14
### Added
- Upgrade ubi8-minimal:8.8 to ubi9-minimal:9.3

## [6.60.6-bb.4] - 2023-12-07
### Added
- Adding OSCAL Component File.

Twistlock

  • !3571: twistlock update to 0.13.1-bb.0
  • !3501: twistlock update to 0.13.0-bb.9
# Changelog Updates

## [0.13.1-bb.0] - 2023-12-13
### Changed
- Added new value for Defender nodeSelector
- Updated Defender deployment to use new value

## [0.13.0-bb.10] - 2023-11-30
### Changed
- Updating OSCAL Component File.

## [0.13.0-bb.9] - 2023-11-27
### Changed
- Updated PVC ironbank/big-bang/base updated from 2.0.0 to 2.1.0

## [0.13.0-bb.8] - 2023-11-08
### Changed
- ironbank/big-bang/base updated from 2.0.0 to 2.1.0

Wrapper

  • !3613: wrapper update to 0.4.3
# Changelog Updates

## [0.4.3] - 2023-12-22
### Changed
- Fixed support for multiple istio gateway network policies

Argocd

  • !3647: update argocd to 5.46.7-bb.11
# Changelog Updates

## [5.46.7-bb.11] - 2024-01-05
### Changed
- Bumped Redis chart dependency to `18.3.2-bb.2`

## [5.46.7-bb.10] - 2023-12-11
### Added
- Added istio `allow-nothing` policy
- Added istio `allow-monitoring` policy
- Added istio `allow-http` policy
- Added istio `allow-http-envoy` policy
- Added istio `allow-redis` policy
- Added istio `argocd` policy
- Added istio custom policy template

Authservice

  • !3627: authservice update to 0.5.3-bb.22
# Changelog Updates

## [0.5.3-bb.23] - 2024-01-04
### Changed
- Bumped Redis chart dependency to `18.3.2-bb.2`

## [0.5.3-bb.22] - 2023-12-22
### Added
- support for istio authorization policies and hardening

Minio Operator

  • !3603: minioOperator: update minioOperator chart version
# Changelog Updates

## [5.0.11-bb.1] - 2023-12-20
### Upgrade
- Create a VirtualService and supporting NetworkPolicies / AuthorizationPolicies to expose the `console` UI if desired

Gitlab

  • !3669: gitlab update to 7.7.0-bb.0
  • !3601: gitlabRunner update to 0.59.1-bb.1
  • !3570: gitlab update to 7.6.1-bb.1
  • !3572: gitlabRunner update to 0.59.1-bb.0
# Changelog Updates

## [7.7.0-bb.0] - 2024-01-11
### Changed
- Update GitLab to appVersion 16.7.0
- Update chart version to 7.7.0
- ironbank/gitlab/gitlab/gitlab-webservice 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/certificates 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 16.6.1 -> 16.7.0-1
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 16.6.1 -> 16.7.0
- registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 16.6.1 -> 16.7.0

## [7.6.1-bb.1] - 2023-12-13
### Changed
- registry1.dso.mil/ironbank/redhat/ubi/ubi8 8.9 -> registry1.dso.mil/ironbank/redhat/ubi/ubi9 9.3

Gitlab Runner

  • !3601: gitlabRunner update to 0.59.1-bb.1
  • !3572: gitlabRunner update to 0.59.1-bb.0
# Changelog Updates

## [0.59.1-bb.1] - 2023-12-18
### Changed
- Update ubi base image ubi9:9.3

## [0.59.1-bb.0] - 2023-11-29
### Changed
- Updated chart to 0.59.1
- Updated images to v16.6.0
- Update ubi base image ubi8:8.9
- Fixed syntax in chart/templates/tests/test-gitlab-runners.yaml
- Increased available cypress test resources in chart/values.yaml

Nexus

  • !3585: nexusRepositoryManager update to 62.0.0-bb.2
  • !3504: nexusRepositoryManager update to 62.0.0-bb.1
# Changelog Updates

## [62.0.0-bb.2] - 2023-12-13
### Changed
- Updated ubi8-minimal:8.9 to ubi9-minimal:9.3

## [62.0.0-bb.1] - 2023-11-29
### Changed
- registry1.dso.mil/ironbank/google/go-containerregistry/crane v0.15.2 -> v0.16.1

Fortify

  • !3622: Update fortify helmRepo in values.yaml
  • !3560: Mitigating the automount service account token findings in Fortify
  • !3557: fortify update to 1.1.2320154-bb.0
# Changelog Updates

## [1.2.0-bb.0] - 2023-12-12
### Changed
- ironbank/google/golang/golang-1.20 updated from 1.20.11 to 1.20.12
- ironbank/microfocus/fortify/ssc updated from 23.1.2.0005 to 23.2.0.0154

## [1.1.2311007-bb.9] - 2023-12-02
### Changed
- mysql updated from 9.14.2 to 9.14.4
- ironbank/google/golang/golang-1.20 updated from 1.20.10 to 1.20.11

## [1.1.2311007-bb.8] - 2023-12-01
### Changed
- mysql updated from 9.14.1 to 9.14.2

Haproxy

  • !3628: haproxy update to 1.19.3-bb.1

# Changelog Updates

## [1.19.3-bb.1] - 2023-12-22
### Added
- support for istio authorization policies and hardening

Anchore Enterprise

  • !3641: update anchore tag to 1.27.4-bb.7 to pick up new redis dep. chart
# Changelog Updates

## [1.27.4-bb.7] - 2024-01-04
### Changed
- Bumped Redis chart dependency to `18.3.2-bb.2`

Mattermost

  • !3662: mattermost update to 9.3.0-bb.1
  • !3612: mattermost update to v9.2.3-bb.2
# Changelog Updates

## [9.3.0-bb.1] - 2023-12-21
### Changed
- cypress resource allocation

## [9.3.0-bb.0] - 2023-12-21
### Changed
- registry1.dso.mil/ironbank/opensource/mattermost/mattermost v9.2.3 -> v9.3.0
- registry1.dso.mil/ironbank/opensource/postgres/postgresql12 12.16 -> 12.17
- Updated gluon from 0.4.1 to 0.4.5

## [9.2.3-bb.2] - 2023-12-19
### Changed
- Added an additionalPolicies value under networkPolicies to allow for additional custom policies to be specified

Keycloak

  • !3604: keycloak update to 18.4.3-bb.11
# Changelog Updates

## [18.4.3-bb.11] - 2023-12-19
### Updated
- Update podSecurityContext to fix kyverno policy violation

Vault

  • !3619: vault update to 0.25.0-bb.8
  • !3580: vault update to 0.25.0-bb.7
  • !3578: Mitigating the automount service account token findings in vault
# Changelog Updates

## [0.25.0-bb.8] - 2023-12-28
### Changed
- Updated `values.yaml` to configure Vault TLS configuration based on `global.tlsDisable`, `istio.vault.tls.key`, and `istio.vault.tls.cert`
- Updated Developer Documentation to provide guidance for configuring Vault with a `PASSTHROUGH` istio gateway

## [0.25.0-bb.7] - 2023-12-14
### Changed
- Increased Cypress test resources

## [0.25.0-bb.6] - 2023-12-12
### Changed
- Updated gluon 0.4.4 -> 0.4.5

Metrics Server

  • !3626: metricsServer update to 3.11.0-bb.2
# Changelog Updates

## [3.11.0-bb.2] - 2023-12-15
### Added
- Add support for AuthorizationPolicies to harden Istio with `istio.harden.enabled: true`

Harbor

  • !3614: harbor update to 1.13.1-bb.4
  • !3524: Mitigating the automount service account token findings in harbor
# Changelog Updates

## [1.13.1-bb.4] - 2023-12-22
### Changed
- Removed chartmuseum as it was deprecated upstream

Thanos

  • !3583: thanos update to 12.16.1-bb.0
# Changelog Updates

## [12.16.1-bb.0] - 2023-12-06
### Changed
- Updated chart version to 12.16.1

Known Issues

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.