Release Notes - 2.23.0

Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.28.6 (RKE2).

Upgrade Notices

  • Kyverno Reporter - MR:

    • A Sidecar resource has been added to the Kiali namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). If desired, the outboundTrafficPolicy.mode in the Sidecar can be set to something other than REGISTRY_ONLY via istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. The Sidecar is disabled by default and can be enabled by setting istio.enabled: true and istio.hardened.enabled: true. Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.
  • Neuvector - MR:

    • A Sidecar resource has been added to the Neuvector namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). If desired, the outboundTrafficPolicy.mode in the Sidecar can be set to something other than REGISTRY_ONLY via istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. The Sidecar is disabled by default and can be enabled by setting istio.enabled: true and istio.hardened.enabled: true. Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.
  • Thanos - MR:

    • A Sidecar resource has been added to the Thanos namespace that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). If desired, the outboundTrafficPolicy.mode in the Sidecar can be set to something other than REGISTRY_ONLY via istio.hardened.outboundTrafficPolicyMode. This provides a redundant layer of network security in addition to NetworkPolicies. The Sidecar is disabled by default and can be enabled by setting istio.enabled: true and istio.hardened.enabled: true. Additionally, custom ServiceEntries can be created by populating the istio.hardened.customServiceEntries list.
  • Keycloak - MR:

    • keycloak-p1-auth-plugin image must be on 3.3.0 for Keycloak version 23 support.
  • Anchore - MR:

    • Anchore-engine chart and images have been removed and are no longer available.
    • Feeds deployment and settings moved under the feeds: key.
    • anchore-feeds-db key is now feeds.feeds-db
    • anchore-feeds-gem-db key is now feeds.gem-db
    • Resource names have changed from a release name/prefix of anchore-anchore-engine(-enterprise) to anchore-anchore-enterprise. PVCs and extra resources referencing these will need to have a snapshot taken by Velero and restored with the new prefix.
    • anchoreEnterpriseGlobal has been removed, as enterprise deployment is the new default. The BigBang mapping of addons.anchore.enterprise.licenseYaml is still available for use. enterpriseLicenseYaml is the direct value for injecting your license file into the package. Alternatively, it can still be pointed to an existing secret, e.g. licenseSecretName.
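
The hardened-egress settings from the Sidecar notices above, as an added example that is not taken from the Big Bang charts: package-level values that enable the Sidecar, followed by the kind of Istio Sidecar resource those settings correspond to. The entry shape under customServiceEntries (name/enabled/spec), the host example.internal, and the resource name and namespace are assumptions for illustration.

```yaml
# Package-level values (added example). The keys istio.enabled,
# istio.hardened.enabled, istio.hardened.outboundTrafficPolicyMode and
# istio.hardened.customServiceEntries are the ones named in the notices
# above; everything else in this document is assumed.
istio:
  enabled: true
  hardened:
    enabled: true                    # the Sidecar stays off unless both flags are true
    outboundTrafficPolicyMode: REGISTRY_ONLY
    customServiceEntries:
      # Assumed entry shape: a name, an enable flag, and an Istio ServiceEntry spec.
      - name: allow-example-internal # hypothetical name
        enabled: true
        spec:
          hosts:
            - example.internal       # constructed host; list each real external dependency
          location: MESH_EXTERNAL
          resolution: DNS
          ports:
            - number: 443
              name: https
              protocol: TLS
---
# Illustrative Istio Sidecar applying the same policy to one namespace
# (standard networking.istio.io API; name and namespace are placeholders).
apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: example-sidecar
  namespace: example-namespace
spec:
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY              # ALLOW_ANY is the other mode Istio accepts
```

With REGISTRY_ONLY in effect, the sidecar proxy refuses egress to any host that has no ServiceEntry, so inventory each package's external dependencies before enabling it.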

Upgrades from previous releases

If coming from a version pre-2.22.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-2.22.0.

Packages

| Status | Package | Type | Package Version | BB Version |
|---|---|---|---|---|
| | Istio Controlplane | Core | Istio 1.19.7, Tetrate Istio Distro 1.20.3 | 1.19.7-bb.0 |
| Updated | Istio Operator | Core | Istio Operator 1.19.7, Tetrate Istio Distro Operator 1.20.3 | 1.19.7-bb.2 |
| | Jaeger | Core | 1.53.0 | 2.50.1-bb.0 |
| Updated | Kiali | Core | 1.80.0 | 1.80.0-bb.1 |
| | Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.14 |
| | Gatekeeper | Core | 3.15.0 | 3.15.0-bb.0 |
| Updated | Kyverno | Core | 1.11.4 | 3.1.4-bb.4 |
| Updated | Kyverno Policies | Core | 3.0.4 | 3.0.4-bb.27 |
| Updated | Kyverno Reporter | Core | 2.18.0 | 2.22.4-bb.0 |
| | Elasticsearch Kibana | Core | Kibana 8.12.2, Elasticsearch 8.12.2 | 1.11.0-bb.0 |
| | Eck Operator | Core | 2.11.1 | 2.11.1-bb.0 |
| Updated | Fluentbit | Core | 2.2.2 | 0.43.0-bb.2 |
| Updated | Promtail | Core | 2.9.4 | 6.15.5-bb.2 |
| Updated | Loki | Core | 2.9.4 | 5.42.0-bb.10 |
| Updated | Neuvector | Core | 5.2.2 | 2.6.3-bb.14 |
| | Tempo | Core | Tempo 2.3.0-ubi9, Tempo Query 2.3.1 | 1.7.1-bb.3 |
| Updated | Monitoring | Core | Prometheus 2.49.1, Grafana 10.3.1, Alertmanager 0.26.0 | 56.2.1-bb.9 |
| Updated | Grafana | Core | 10.3.3 | 7.3.1-bb.5 |
| Updated | Twistlock | Core | 32.01.128 | 0.15.0-bb.2 |
| | Wrapper | Core | N / A | 0.4.6 |
| Updated | Argocd | Addon | 2.10.1 | 6.7.2-bb.1 |
| Updated | Authservice | Addon | 0.5.3 | 0.5.3-bb.30 |
| Updated | Minio Operator | Addon | 5.0.12 | 5.0.12-bb.3 |
| Updated | Minio | Addon | RELEASE.2024-02-26T09-33-48Z | 5.0.12-bb.4 |
| Updated | Gitlab | Addon | 16.9.2 | 7.9.2-bb.0 |
| | Gitlab Runner | Addon | 16.6.0 | 0.59.1-bb.3 |
| Updated | Nexus | Addon | 3.65.0-02 | 65.0.0-bb.1 |
| Updated | Sonarqube | Addon | 9.9.4-community | 8.0.4-bb.0 |
| Updated | Fortify | Addon | 23.2.0.0154 | 1.1.2320154-bb.2 |
| Updated | Haproxy | Addon | 2.2.32 | 1.19.3-bb.4 |
| | Anchore Enterprise | Addon | Enterprise 4.9.3, Engine 1.1.0 | 2.0.2-bb.1 |
| Updated | Mattermost Operator | Addon | 1.20.1 | 1.20.1-bb.2 |
| Updated | Mattermost | Addon | 9.5.1 | 9.5.1-bb.2 |
| Updated | Velero | Addon | 1.12.3 | 5.2.2-bb.2 |
| Updated | Keycloak | Addon | 23.0.7 | 23.0.7-bb.1 |
| Updated | Vault | Addon | 1.14.10 | 0.25.0-bb.19 |
| Updated | Metrics Server | Addon | 0.7.0 | 3.12.0-bb.1 |
| Updated | Harbor | Addon | 2.10.0 | 1.14.0-bb.6 |
| Updated | Holocron BETA | Addon | 3.2.1 | 1.0.2 |
| Updated | Thanos BETA | Addon | 0.34.1 | 13.2.2-bb.1 |

Changes in 2.23.0

Big Bang MRs

  • !4006: hardened should be in the values
  • !3992: adding the test-package-against-bb doc
  • !3976: updating the tag manually, robot didn’t pick it up for some reason
  • !3935: Update dependency registry1.dso.mil/ironbank/big-bang/utilities to v1.0.2

Istio Operator

  • !3948: istioOperator update to 1.19.7-bb.2
# Changelog Updates

## [1.19.7-bb.2] - 2024-03-06
### Added
- Added Openshift updates for deploying istio-operator into Openshift cluster

Kiali

  • !3902: fixing the authorization policies
  • !3967: kiali update to 1.80.0-bb.1
# Changelog Updates

## [1.80.0-bb.1] - 2024-03-04
### Added
- New ServiceEntries for SSO, grafana, and tracing services

Kyverno

  • !3959: kyverno update to 3.1.4-bb.4
  • !3942: kyverno update to 3.1.4-bb.3
# Changelog Updates

## [3.1.4-bb.4] - 2024-03-11
### Changed
- Added Openshift updates for deploying kyverno into Openshift cluster

## [3.1.4-bb.3] - 2024-3-08
### Changed
- Updated `kubectl` from `1.28.6` to `1.28.7`

Kyverno Policies

  • !3937: kyvernoPolicies update to 3.0.4-bb.27
  • !3923: kyvernoPolicies update to 3.0.4-bb.26
# Changelog Updates

## [3.0.4-bb.27] - 2024-03-07
### Changed
- Removed duplicate `pod-policies.kyverno.io/autogen-controllers` annotation in disallow-tolerations ClusterPolicy.

## [3.0.4-bb.26] - 2024-02-29
### Changed
- Fixed audit and mutator for AutomountServiceAccountTokens for StatefulSet and Deployments

Kyverno Reporter

  • !3943: kyvernoReporter update to 2.22.0-bb.2
  • !3963: kyvernoReporter update to 2.22.4-bb.0
  • !3934: kyvernoReporter update to 2.22.0-bb.1
# Changelog Updates

## [2.24.0-bb.0] - 2024-03-12
### Changed
- Updated upstream chart reference from `2.22.0` to `2.24.0`

## [2.22.0-bb.2] - 2024-03-08
### Changed
- Adding Sidecar to deny egress that is external to istio services
- Adding customServiceEntries to allow egress to override sidecar restraint

## [2.22.0-bb.1] - 2024-03-06
### Changed
- Updated image from `registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter:2.18.0` to `registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter:2.18.1`
- Updated `gluon` package dependency version from `0.4.7` to `0.4.8`

Fluentbit

  • !3487: Mutator + Exceptions for Elastic Search Kibana automount-sa-token findings
  • !3919: fluentbit update to 0.43.0-bb.2
# Changelog Updates

## [0.43.0-bb.2]
### Changed
- Added Openshift updates for deploying fluentbit into Openshift cluster

Promtail

  • !3940: promtail update to 6.15.5-bb.2
  • !3931: promtail update to 6.15.5-bb.1
# Changelog Updates

## [6.15.5-bb.2] - 2024-03-08
### Updated
- Openshift update for deploying Promtail into Openshift cluster

## [6.15.5-bb.1] - 2024-03-05
### Updated
- Moved machine-id volume mounts to default section to allow users to easily disable /var/log logging

Loki

  • !3958: loki update to 5.42.0-bb.10
  • !3951: loki update to 5.42.0-bb.9
# Changelog Updates

## [5.42.0-bb.10] - 2024-03-11
### Added
- Added workloadSelector for Loki Sidecar

## [5.42.0-bb.9] - 2024-03-05
### Added
- Added Openshift updates for deploying loki into Openshift cluster

Neuvector

  • !3998: neuvector update to 2.6.3-bb.14
  • !3991: neuvector update to 2.6.3-bb.13
  • !3986: neuvector update to 2.6.3-bb.12
  • !3954: neuvector update to 2.6.3-bb.10
# Changelog Updates

## [2.6.3-bb.14] - 2024-03-15
### Changed
- Update for reverting exporter

## [2.6.3-bb.13] - 2024-03-13
### Changed
- Adding Sidecar to deny egress that is external to istio services
- Adding customServiceEntries to allow egress to override sidecar restraint

## [2.6.3-bb.12] - 2024-03-12
### Changed
- Openshift update for deploying Neuvector into Openshift cluster

## [2.6.3-bb.11] - 2024-03-11
### Changed
- Moved and fixed all of the authorization policies
- Updated some documentation

## [2.6.3-bb.10] - 2024-03-11
### Changed
- Updated NeuVector Development Maintenance doc to reflect it is part of Bigbang

Grafana

  • !3902: fixing the authorization policies
  • !3930: grafana update to 7.3.1-bb.5
# Changelog Updates

## [7.3.1-bb.5] - 2024-03-06
### Modified
- Modify Sidecar to include a workloadSelector, modified values.yaml to set default for `sso.enabled` to `false`

## [7.3.1-bb.4] - 2024-03-05
### Changed
- Added Openshift update for deploying grafana into Openshift cluster

## [7.3.1-bb.3] - 2024-02-29
### Changed
- renamed policies for clarity

## [7.3.1-bb.2] - 2024-02-28
### Added
- Added auth policy template
- renamed allow-nothing policy

## [7.3.1-bb.1] - 2024-02-26
### Added
- Add egress whitelist

Twistlock

  • !4005: fix test-values
  • !3957: twistlock update to 0.15.0-bb.2
  • !3939: twistlock update to 0.15.0-bb.1
# Changelog Updates

## [0.15.0-bb.2] - 2024-03-11
### Changed
- Updated security context for defender
- Updated resources for defender containers

## [0.15.0-bb.1] - 2024-03-04
### Changed
- Openshift update for deploying Twistlock into Openshift cluster

Argocd

  • !4013: argocd update to 6.7.2-bb.1
  • !3995: argocd update to 6.7.2-bb.0
  • !3971: argocd update to 6.1.0-bb.3
# Changelog Updates

## [6.7.2-bb.1] - 2024-03-19
### Changed
- Update ArgoCD chart name to `argocd`

## [6.7.2-bb.0] - 2024-03-14
### Updated
- Update ArgoCD chart to 6.7.2
- Updated ArgoCD application version to v2.10.3
- Update gluon to 0.4.8

## [6.1.0-bb.3] - 2024-03-12
### Fixed
- Fixed issue where the `argocd-secret` template was not having its `data` block populated, even if `sso.keycloakClientSecret` was set

Authservice

  • !3926: authservice update to 0.5.3-bb.30
# Changelog Updates

## [0.5.3-bb.30] - 2024-03-04
### Changed
- Added Openshift update for deploying authservice into Openshift cluster

Minio Operator

  • !3961: minioOperator update to 5.0.12-bb.3
  • !3929: minioOperator update to 5.0.12-bb.2
# Changelog Updates

## [5.0.12-bb.3] - 2024-03-11
### Upgrade
- Openshift update for deploying Minio-Operator into Openshift cluster

## [5.0.12-bb.2] - 2024-03-07
### Added
- Added runAsGroup
- Added allow-helm-test-egress NetworkPolicy

### Changed
- Change to use kubernetes.io/metadata.name for test NetworkPolicy to get fixed namespace name

## [5.0.12-bb.1] - 2024-02-27
### Upgrade
- Added cypress test

Minio

  • !3956: minio update to 5.0.12-bb.4
  • !3922: minio update to 5.0.12-bb.3
# Changelog Updates

## [5.0.12-bb.4] - 2024-03-08
### Changed
- Openshift update for deploying Minio into Openshift cluster

## [5.0.12-bb.3] - 2024-02-13
### Changed
- Updated minio to `RELEASE.2024-02-26T09-33-48Z`
- Updated mc to `RELEASE.2024-02-24T01-33-20Z`

Gitlab

  • !3970: gitlab update to 7.9.2-bb.0
  • !3933: gitlab update to 7.9.1-bb.1
# Changelog Updates

## [7.9.2-bb.0] - 2024-03-12
### Changed (16 changes)
- Update GitLab to appVersion 16.9.2
- Update chart version 7.9.2
- Update ironbank/gitlab/gitlab/gitlab-webservice from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/certificates from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitaly from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/kubectl from 16.9.1 to 16.9.2

## [7.9.1-bb.1] - 2024-03-04
### Changed (1 change)
- Added Openshift update for deploying gitlab into Openshift cluster

Nexus

  • !3932: nexusRepositoryManager update to 65.0.0-bb.1
# Changelog Updates

## [65.0.0-bb.1] - 2024-03-04
### Changed
- Openshift update for deploying Nexus into Openshift cluster

Sonarqube

  • !3888: sonarqube update to 8.0.4-bb.0
# Changelog Updates

## [8.0.4-bb.0] - 2024-02-16
### Changed
- Update release to sonarqube-8.0.4-sonarqube-dce-7.0.4
- Updated postgresql12 image to 12.18

## [8.0.3-bb.3] - 2024-02-06
### Changed
- Updated SonarQube to gluon 0.4.7

Fortify

  • !3968: fortify update to 1.1.2320154-bb.2
# Changelog Updates

## [1.1.2320154-bb.2] - 2024-03-04
### Changed
- Added Openshift update for deploying fortify into Openshift cluster

Haproxy

  • !3969: haproxy update to 1.19.3-bb.4
  • !3913: Resolve “Istio Values Not Passed To Haproxy”
# Changelog Updates

## [1.19.3-bb.4] - 2024-03-05
### Added
- Added Openshift update for deploying haproxy into Openshift cluster

Mattermost Operator

  • !3955: mattermostOperator update to 1.20.1-bb.2
# Changelog Updates

## [1.20.1-bb.2] - 2021-03-05
### Changed
- Added Openshift updates for deploying mattermost-operator into Openshift cluster

Velero

  • !3962: velero update to 5.2.2-bb.2
# Changelog Updates

## [5.2.2-bb.2] - 2024-03-04
### Changed
- Openshift update for deploying Velero into Openshift cluster

Keycloak

  • !3947: keycloak update to 23.0.7-bb.1
# Changelog Updates

## [23.0.7-bb.1] - 2024-03-011
### Updated
- Adding Openshift updates for keycloak to deploy in Openshift cluster

## [23.0.7-bb.0] - 2024-03-05
### Updated
- Update Keycloak version to 23.0.7

Vault

  • !3975: vault update to 0.25.0-bb.19
  • !3972: vault update to 0.25.0-bb.18
  • !3960: vault update to 0.25.0-bb.17
  • !3921: vault update to 0.25.0-bb.16
# Changelog Updates

## [0.25.0-bb.19] - 2024-03-13
### Updated
- Added value for openshift defaulting to false in values.yaml

## [0.25.0-bb.18] - 2024-03-11
### Updated
- Updated registry1.dso.mil/ironbank/hashicorp/vault 1.14.9 -> 1.14.10

## [0.25.0-bb.17] - 2024-03-04
### Changed
- Openshift update for deploying Vault into Openshift cluster

## [0.25.0-bb.16] - 2024-03-04
### Changed
- Updated minio-instance to 5.0.12-bb.2

Metrics Server

  • !3949: metricsServer update to 3.12.0-bb.1
# Changelog Updates

## [3.12.0-bb.1] - 2024-03-11
### Added
- Added istio Sidecar and ServiceEntry resources

Harbor

  • !3966: harbor update to 1.14.0-bb.6
  • !3938: harbor update to 1.14.0-bb.5
# Changelog Updates

## [1.14.0-bb.6] - 2024-03-11
### Added
- Fixed issue with templating the containerSecurityContext

## [1.14.0-bb.5] - 2024-03-05
### Added
- Added Openshift update for deploying harbor into Openshift cluster

Holocron

  • !3979: holocron update to 1.0.2
  • !3953: fix issue where postgres host name was dropped from values
  • !3945: holocron update to 1.0.1
# Changelog Updates

## [1.0.2] - 2024-03-14
### Updated
- Updated application version and API version to 3.3.0
- Updated Dashboard version to 3.3.3

### Added
- Added API environment variable `CIRCUIT_BREAKER_ENABLED`, defaults to `true`
- Added API environment variable `RATE_LIMITER_ENABLED`, defaults to `true`

## [1.0.1] - 2024-02-29
### Added
- Added istio `allow-nothing` policy
- Added istio `monitoring-authz` policy
- Added istio `allow-http-envoy-prom` policy
- Added istio `holocron-api` policy
- Added istio `tcp-postgresql` policy
- Added istio custom policy template

Thanos

  • !3999: thanos update to 13.2.2-bb.1
# Changelog Updates

## [13.2.2-bb.1] - 2024-03-13
### Added
- Added Istio sidecar and serviceEntry resources for use with Istio whitelisting

Known Issues

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.