Release Notes - 2.23.0
Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.28.6 (RKE2).
Upgrade Notices
- A Sidecar resource has been added to the Kiali, Neuvector and Thanos namespaces that disallows egress to endpoints that are not part of the Istio service registry (a.k.a. REGISTRY_ONLY). The outboundTrafficPolicy.mode in the Sidecar can, however, be configured to something other than REGISTRY_ONLY if desired by setting `istio.hardened.outboundTrafficPolicyMode`. This provides a redundant layer of network security in addition to NetworkPolicies. This Sidecar is disabled by default but can be enabled by setting `istio.enabled: true` and `istio.hardened.enabled: true`. Additionally, custom ServiceEntries can be created by populating the `istio.hardened.customServiceEntries` list.
- The `keycloak-p1-auth-plugin` image must be on 3.3.0 for Keycloak version 23 support.
- The Anchore-engine chart and images have been removed and are no longer available.
  - The feeds deployment and its settings moved under the `feeds:` key. The `anchore-feeds-db` key is now `feeds.feeds-db`; the `anchore-feeds-gem-db` key is now `feeds.gem-db`.
  - Resource names were updated from a release name/prefix of `anchore-anchore-engine(-enterprise)` to `anchore-anchore-enterprise`. PVCs and extra resources referencing these will need to have a snapshot taken by Velero and restored with the new prefix.
  - `anchoreEnterpriseGlobal` has been removed, as enterprise deployments are the new default. The BigBang mapping of `addons.anchore.enterprise.licenseYaml` is still available for use. `enterpriseLicenseYaml` is the direct value for injecting your license file into the package, or it can still be pointed to an existing secret, e.g. `licenseSecretName`.
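The hardened Sidecar settings from the first notice, written out as package values (an added example, not from the BigBang docs or charts): the key names are the ones the notice gives; the per-item layout of `customServiceEntries` (a `name`, an `enabled` flag and a `spec` holding a standard Istio ServiceEntry spec) and the hostname are assumptions, and when driven through BigBang these keys are assumed to sit under the package's own `values:` block.

```yaml
# Added example: enable the REGISTRY_ONLY Sidecar in a package namespace
# (Kiali here) and whitelist one extra external endpoint.
# Key names come from the upgrade notice; the item layout under
# customServiceEntries and the host below are assumptions.
istio:
  enabled: true
  hardened:
    enabled: true
    # REGISTRY_ONLY: the sidecar drops egress to any host that is not in the
    # Istio service registry. Istio's permissive default, ALLOW_ANY, would
    # remove this second layer behind the NetworkPolicies.
    outboundTrafficPolicyMode: REGISTRY_ONLY
    # Each entry becomes a ServiceEntry in the package namespace, adding the
    # host to the registry so the Sidecar lets that egress through.
    customServiceEntries:
      - name: allow-example-sso      # hypothetical entry name
        enabled: true
        spec:
          exportTo:
            - "."                    # visible only in this namespace
          hosts:
            - sso.example.internal   # placeholder hostname
          location: MESH_EXTERNAL
          ports:
            - number: 443
              protocol: TLS
              name: https
          resolution: DNS
```

Leaving `customServiceEntries` empty keeps the namespace limited to in-mesh destinations; each host you add here widens that allow-list, so keep the list to endpoints the package genuinely needs.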
Upgrades from previous releases
If coming from a version pre-2.22.0, note the additional upgrade notices in any release in between. The BB team doesn't test/guarantee upgrades from anything pre-2.22.0.
Packages
Package | Type | Package Version | BB Version |
---|---|---|---|
Istio Controlplane | Core | Istio 1.19.7; Tetrate Istio Distro 1.20.3 | 1.19.7-bb.0 |
Istio Operator | Core | Istio Operator 1.19.7; Tetrate Istio Distro Operator 1.20.3 | 1.19.7-bb.2 |
Jaeger | Core | 1.53.0 | 2.50.1-bb.0 |
Kiali | Core | 1.80.0 | 1.80.0-bb.1 |
Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.14 |
Gatekeeper | Core | 3.15.0 | 3.15.0-bb.0 |
Kyverno | Core | 1.11.4 | 3.1.4-bb.4 |
Kyverno Policies | Core | 3.0.4 | 3.0.4-bb.27 |
Kyverno Reporter | Core | 2.18.0 | 2.22.4-bb.0 |
Elasticsearch Kibana | Core | Kibana 8.12.2; Elasticsearch 8.12.2 | 1.11.0-bb.0 |
Eck Operator | Core | 2.11.1 | 2.11.1-bb.0 |
Fluentbit | Core | 2.2.2 | 0.43.0-bb.2 |
Promtail | Core | 2.9.4 | 6.15.5-bb.2 |
Loki | Core | 2.9.4 | 5.42.0-bb.10 |
Neuvector | Core | 5.2.2 | 2.6.3-bb.14 |
Tempo | Core | Tempo 2.3.0-ubi9; Tempo Query 2.3.1 | 1.7.1-bb.3 |
Monitoring | Core | Prometheus 2.49.1; Grafana 10.3.1; Alertmanager 0.26.0 | 56.2.1-bb.9 |
Grafana | Core | 10.3.3 | 7.3.1-bb.5 |
Twistlock | Core | 32.01.128 | 0.15.0-bb.2 |
Wrapper | Core | N/A | 0.4.6 |
Argocd | Addon | 2.10.1 | 6.7.2-bb.1 |
Authservice | Addon | 0.5.3 | 0.5.3-bb.30 |
Minio Operator | Addon | 5.0.12 | 5.0.12-bb.3 |
Minio | Addon | RELEASE.2024-02-26T09-33-48Z | 5.0.12-bb.4 |
Gitlab | Addon | 16.9.2 | 7.9.2-bb.0 |
Gitlab Runner | Addon | 16.6.0 | 0.59.1-bb.3 |
Nexus | Addon | 3.65.0-02 | 65.0.0-bb.1 |
Sonarqube | Addon | 9.9.4-community | 8.0.4-bb.0 |
Fortify | Addon | 23.2.0.0154 | 1.1.2320154-bb.2 |
Haproxy | Addon | 2.2.32 | 1.19.3-bb.4 |
Anchore Enterprise | Addon | Enterprise 4.9.3; Engine 1.1.0 | 2.0.2-bb.1 |
Mattermost Operator | Addon | 1.20.1 | 1.20.1-bb.2 |
Mattermost | Addon | 9.5.1 | 9.5.1-bb.2 |
Velero | Addon | 1.12.3 | 5.2.2-bb.2 |
Keycloak | Addon | 23.0.7 | 23.0.7-bb.1 |
Vault | Addon | 1.14.10 | 0.25.0-bb.19 |
Metrics Server | Addon | 0.7.0 | 3.12.0-bb.1 |
Harbor | Addon | 2.10.0 | 1.14.0-bb.6 |
Holocron | Addon | 3.2.1 | 1.0.2 |
Thanos | Addon | 0.34.1 | 13.2.2-bb.1 |
Changes in 2.23.0
Big Bang MRs
- !4006: hardened should be in the values
- !3992: adding the test-package-against-bb doc
- !3976: updating the tag manually, robot didn’t pick it up for some reason
- !3935: Update dependency registry1.dso.mil/ironbank/big-bang/utilities to v1.0.2
Istio Operator
- !3948: istioOperator update to 1.19.7-bb.2
# Changelog Updates
## [1.19.7-bb.2] - 2024-03-06
### Added
- Added Openshift updates for deploying istio-operator into Openshift cluster
Kiali
# Changelog Updates
## [1.80.0-bb.1] - 2024-03-04
### Added
- New ServiceEntries for SSO, grafana, and tracing services
Kyverno
# Changelog Updates
## [3.1.4-bb.4] - 2024-03-11
### Changed
- Added Openshift updates for deploying kyverno into Openshift cluster
## [3.1.4-bb.3] - 2024-03-08
### Changed
- Updated `kubectl` from `1.28.6` to `1.28.7`
Kyverno Policies
# Changelog Updates
## [3.0.4-bb.27] - 2024-03-07
### Changed
- Removed duplicate `pod-policies.kyverno.io/autogen-controllers` annotation in disallow-tolerations ClusterPolicy.
## [3.0.4-bb.26] - 2024-02-29
### Changed
- Fixed audit and mutator for AutomountServiceAccountTokens for StatefulSet and Deployments
Kyverno Reporter
- !3943: kyvernoReporter update to 2.22.0-bb.2
- !3963: kyvernoReporter update to 2.22.4-bb.0
- !3934: kyvernoReporter update to 2.22.0-bb.1
# Changelog Updates
## [2.24.0-bb.0] - 2024-03-12
### Changed
- Updated upstream chart reference from `2.22.0` to `2.24.0`
## [2.22.0-bb.2] - 2024-03-08
### Changed
- Adding Sidecar to deny egress that is external to istio services
- Adding customServiceEntries to allow egress to override sidecar restraint
## [2.22.0-bb.1] - 2024-03-06
### Changed
- Updated image from `registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter:2.18.0` to `registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter:2.18.1`
- Updated `gluon` package dependency version from `0.4.7` to `0.4.8`
Fluentbit
- !3487: Mutator + Exceptions for Elastic Search Kibana automount-sa-token findings
- !3919: fluentbit update to 0.43.0-bb.2
# Changelog Updates
## [0.43.0-bb.2]
### Changed
- Added Openshift updates for deploying fluentbit into Openshift cluster
Promtail
# Changelog Updates
## [6.15.5-bb.2] - 2024-03-08
### Updated
- Openshift update for deploying Promtail into Openshift cluster
## [6.15.5-bb.1] - 2024-03-05
### Updated
- Moved machine-id volume mounts to default section to allow users to easily disable /var/log logging
Loki
# Changelog Updates
## [5.42.0-bb.10] - 2024-03-11
### Added
- Added workloadSelector for Loki Sidecar
## [5.42.0-bb.9] - 2024-03-05
### Added
- Added Openshift updates for deploying loki into Openshift cluster
Neuvector
- !3998: neuvector update to 2.6.3-bb.14
- !3991: neuvector update to 2.6.3-bb.13
- !3986: neuvector update to 2.6.3-bb.12
- !3954: neuvector update to 2.6.3-bb.10
# Changelog Updates
## [2.6.3-bb.14] - 2024-03-15
### Changed
- Update for reverting exporter
## [2.6.3-bb.13] - 2024-03-13
### Changed
- Adding Sidecar to deny egress that is external to istio services
- Adding customServiceEntries to allow egress to override sidecar restraint
## [2.6.3-bb.12] - 2024-03-12
### Changed
- Openshift update for deploying Neuvector into Openshift cluster
## [2.6.3-bb.11] - 2024-03-11
### Changed
- Moved and fixed all of the authorization policies
- Updated some documentation
## [2.6.3-bb.10] - 2024-03-11
### Changed
- Updated NeuVector Development Maintenance doc to reflect it is part of Bigbang
Grafana
# Changelog Updates
## [7.3.1-bb.5] - 2024-03-06
### Modified
- Modify Sidecar to include a workloadSelector, modified values.yaml to set default for `sso.enabled` to `false`
## [7.3.1-bb.4] - 2024-03-05
### Changed
- Added Openshift update for deploying grafana into Openshift cluster
## [7.3.1-bb.3] - 2024-02-29
### Changed
- renamed policies for clarity
## [7.3.1-bb.2] - 2024-02-28
### Added
- Added auth policy template
- renamed allow-nothing policy
## [7.3.1-bb.1] - 2024-02-26
### Added
- Add egress whitelist
Twistlock
- !4005: fix test-values
- !3957: twistlock update to 0.15.0-bb.2
- !3939: twistlock update to 0.15.0-bb.1
# Changelog Updates
## [0.15.0-bb.2] - 2024-03-11
### Changed
- Updated security context for defender
- Updated resources for defender containers
## [0.15.0-bb.1] - 2024-03-04
### Changed
- Openshift update for deploying Twistlock into Openshift cluster
Argocd
- !4013: argocd update to 6.7.2-bb.1
- !3995: argocd update to 6.7.2-bb.0
- !3971: argocd update to 6.1.0-bb.3
# Changelog Updates
## [6.7.2-bb.1] - 2024-03-19
### Changed
- Update ArgoCD chart name to `argocd`
## [6.7.2-bb.0] - 2024-03-14
### Updated
- Update ArgoCD chart to 6.7.2
- Updated ArgoCD application version to v2.10.3
- Update gluon to 0.4.8
## [6.1.0-bb.3] - 2024-03-12
### Fixed
- Fixed issue where the `argocd-secret` template was not having its `data` block populated, even if `sso.keycloakClientSecret` was set
Authservice
- !3926: authservice update to 0.5.3-bb.30
# Changelog Updates
## [0.5.3-bb.30] - 2024-03-04
### Changed
- Added Openshift update for deploying authservice into Openshift cluster
Minio Operator
# Changelog Updates
## [5.0.12-bb.3] - 2024-03-11
### Upgrade
- Openshift update for deploying Minio-Operator into Openshift cluster
## [5.0.12-bb.2] - 2024-03-07
### Added
- Added runAsGroup
- Added allow-helm-test-egress NetworkPolicy
### Changed
- Change to use kubernetes.io/metadata.name for test NetworkPolicy to get fixed namespace name
## [5.0.12-bb.1] - 2024-02-27
### Upgrade
- Added cypress test
Minio
# Changelog Updates
## [5.0.12-bb.4] - 2024-03-08
### Changed
- Openshift update for deploying Minio into Openshift cluster
## [5.0.12-bb.3] - 2024-02-13
### Changed
- Updated minio to `RELEASE.2024-02-26T09-33-48Z`
- Updated mc to `RELEASE.2024-02-24T01-33-20Z`
Gitlab
# Changelog Updates
## [7.9.2-bb.0] - 2024-03-12
### Changed (16 changes)
- Update GitLab to appVersion 16.9.2
- Update chart version 7.9.2
- Update ironbank/gitlab/gitlab/gitlab-webservice from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/certificates from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitaly from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse from 16.9.1 to 16.9.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/kubectl from 16.9.1 to 16.9.2
## [7.9.1-bb.1] - 2024-03-04
### Changed (1 change)
- Added Openshift update for deploying gitlab into Openshift cluster
Nexus
- !3932: nexusRepositoryManager update to 65.0.0-bb.1
# Changelog Updates
## [65.0.0-bb.1] - 2024-03-04
### Changed
- Openshift update for deploying Nexus into Openshift cluster
Sonarqube
- !3888: sonarqube update to 8.0.4-bb.0
# Changelog Updates
## [8.0.4-bb.0] - 2024-02-16
### Changed
- Update release to sonarqube-8.0.4-sonarqube-dce-7.0.4
- Updated postgresql12 image to 12.18
## [8.0.3-bb.3] - 2024-02-06
### Changed
- Updated SonarQube to gluon 0.4.7
Fortify
- !3968: fortify update to 1.1.2320154-bb.2
# Changelog Updates
## [1.1.2320154-bb.2] - 2024-03-04
### Changed
- Added Openshift update for deploying fortify into Openshift cluster
Haproxy
# Changelog Updates
## [1.19.3-bb.4] - 2024-03-05
### Added
- Added Openshift update for deploying haproxy into Openshift cluster
Mattermost Operator
- !3955: mattermostOperator update to 1.20.1-bb.2
# Changelog Updates
## [1.20.1-bb.2] - 2024-03-05
### Changed
- Added Openshift updates for deploying mattermost-operator into Openshift cluster
Velero
- !3962: velero update to 5.2.2-bb.2
# Changelog Updates
## [5.2.2-bb.2] - 2024-03-04
### Changed
- Openshift update for deploying Velero into Openshift cluster
Keycloak
- !3947: keycloak update to 23.0.7-bb.1
# Changelog Updates
## [23.0.7-bb.1] - 2024-03-11
### Updated
- Adding Openshift updates for keycloak to deploy in Openshift cluster
## [23.0.7-bb.0] - 2024-03-05
### Updated
- Update Keycloak version to 23.0.7
Vault
- !3975: vault update to 0.25.0-bb.19
- !3972: vault update to 0.25.0-bb.18
- !3960: vault update to 0.25.0-bb.17
- !3921: vault update to 0.25.0-bb.16
# Changelog Updates
## [0.25.0-bb.19] - 2024-03-13
### Updated
- Added value for openshift defaulting to false in values.yaml
## [0.25.0-bb.18] - 2024-03-11
### Updated
- Updated registry1.dso.mil/ironbank/hashicorp/vault 1.14.9 -> 1.14.10
## [0.25.0-bb.17] - 2024-03-04
### Changed
- Openshift update for deploying Vault into Openshift cluster
## [0.25.0-bb.16] - 2024-03-04
### Changed
- Updated minio-instance to 5.0.12-bb.2
Metrics Server
- !3949: metricsServer update to 3.12.0-bb.1
# Changelog Updates
## [3.12.0-bb.1] - 2024-03-11
### Added
- Added istio Sidecar and ServiceEntry resources
Harbor
# Changelog Updates
## [1.14.0-bb.6] - 2024-03-11
### Added
- Fixed issue with templating the containerSecurityContext
## [1.14.0-bb.5] - 2024-03-05
### Added
- Added Openshift update for deploying harbor into Openshift cluster
Holocron
- !3979: holocron update to 1.0.2
- !3953: fix issue where postgres host name was dropped from values
- !3945: holocron update to 1.0.1
# Changelog Updates
## [1.0.2] - 2024-03-14
### Updated
- Updated application version and API version to 3.3.0
- Updated Dashboard version to 3.3.3
### Added
- Added API environment variable `CIRCUIT_BREAKER_ENABLED`, defaults to `true`
- Added API environment variable `RATE_LIMITER_ENABLED`, defaults to `true`
## [1.0.1] - 2024-02-29
### Added
- Added istio `allow-nothing` policy
- Added istio `monitoring-authz` policy
- Added istio `allow-http-envoy-prom` policy
- Added istio `holocron-api` policy
- Added istio `tcp-postgresql` policy
- Added istio custom policy template
Thanos
- !3999: thanos update to 13.2.2-bb.1
# Changelog Updates
## [13.2.2-bb.1] - 2024-03-13
### Added
- Added Istio sidecar and serviceEntry resources for use with Istio whitelisting
Known Issues
- Twistlock Defender SecurityContext Capabilities bug
- Gitlab Runner ControlPlaneCidr passthrough issue: GitLab runner not passing control plane CIDR
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our chat
- Check out the documentation for guidance on how to get started
Future
Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.