Release Notes - 2.25.0
Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.29.3 (RKE2).
Upgrade Notices
- Nexus - MR:
- The Java option `UseCGroupMemoryLimitForHeap` is deprecated and no longer supported. Please use `UseContainerSupport` instead. The default package values.yaml includes this change, but if you have separate overrides that reference this Java option as part of the `INSTALL4J_ADD_VM_PARAMS` env variable, please change them accordingly.
- Anchore - MR:
- The Anchore Enterprise upgrade job from v4.9.3 to v5.3.0 was timing out and preventing database migrations because the Istio proxy was not shutting down. This release bumps the package from 2.0.2-bb.1 to 2.4.2-bb.8. The upgrade jobs, which had been hanging since the 2.4.2 upgrade, should now work. If you experience issues with an incomplete upgrade, try setting `upgradeJob.force=true` and temporarily disabling network policies to allow the upgrade job to egress to the external db. If you encounter upgrade failures related to Kubernetes resources not managed by Helm, recreate the Anchore HelmRelease.
Upgrades from previous releases
If coming from a version pre-2.24.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-2.24.0.
Packages
Package | Type | Package Version | BB Version |
---|---|---|---|
Istio Controlplane | Core | Istio 1.20.4, Tetrate Istio Distro 1.20.4 | 1.20.4-bb.1 |
Istio Operator | Core | Istio Operator 1.20.4, Tetrate Istio Distro Operator 1.20.4 | 1.20.4-bb.0 |
Jaeger | Core | 1.53.0 | 2.50.1-bb.2 |
Kiali | Core | 1.82.0 | 1.82.0-bb.3 |
Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.15 |
Gatekeeper | Core | 3.15.0 | 3.15.0-bb.4 |
Kyverno | Core | 1.11.4 | 3.1.4-bb.5 |
Kyverno Policies | Core | 3.0.4 | 3.0.4-bb.28 |
Kyverno Reporter | Core | 2.18.0 | 2.22.4-bb.2 |
Elasticsearch Kibana | Core | Kibana 8.13.0, Elasticsearch 8.13.0 | 1.12.0-bb.1 |
Eck Operator | Core | 2.12.1 | 2.12.1-bb.0 |
Fluentbit | Core | 3.0.0 | 0.46.0-bb.0 |
Promtail | Core | 2.9.4 | 6.15.5-bb.3 |
Loki | Core | 2.9.6 | 5.47.2-bb.2 |
Neuvector | Core | 5.3.0 | 2.6.3-bb.18 |
Tempo | Core | Tempo 2.3.0-ubi9, Tempo Query 2.3.1 | 1.7.1-bb.6 |
Monitoring | Core | Prometheus 2.51.1, Grafana 10.4.1, Alertmanager 0.27.0 | 58.0.0-bb.0 |
Grafana | Core | 10.4.0 | 7.3.7-bb.1 |
Twistlock | Core | 32.01.128 | 0.15.0-bb.5 |
Wrapper | Core | N / A | 0.4.7 |
Argocd | Addon | 2.10.3 | 6.7.2-bb.1 |
Authservice | Addon | 1.0.0 | 1.0.0-bb.0 |
Minio Operator | Addon | 5.0.14 | 5.0.14-bb.2 |
Minio | Addon | RELEASE.2024-03-30T09-41-56Z | 5.0.12-bb.11 |
Gitlab | Addon | 16.10.2 | 7.10.2-bb.0 |
Gitlab Runner | Addon | 16.10.0 | 0.63.0-bb.2 |
Nexus | Addon | 3.67.1-01 | 67.1.0-bb.0 |
Sonarqube | Addon | 9.9.4-community | 8.0.4-bb.1 |
Fortify | Addon | 23.2.0.0154 | 1.1.2320154-bb.3 |
Haproxy | Addon | 2.2.32 | 1.19.3-bb.4 |
Anchore Enterprise | Addon | 5.3.0 | 2.4.2-bb.8 |
Mattermost Operator | Addon | 1.21.0 | 1.21.0-bb.0 |
Mattermost | Addon | 9.6.1 | 9.6.1-bb.0 |
Velero | Addon | 1.13.1 | 6.0.0-bb.4 |
Keycloak | Addon | 23.0.7 | 23.0.7-bb.3 |
Vault | Addon | 1.14.10 | 0.25.0-bb.20 |
Metrics Server | Addon | 0.7.0 | 3.12.0-bb.1 |
Harbor | Addon | 2.10.1 | 1.14.1-bb.0 |
Holocron | Addon | 3.3.0 | 1.0.4 |
Thanos | Addon | 0.34.1 | 13.2.2-bb.4 |
Changes in 2.25.0
Big Bang MRs
- !4099: Resolve “Remove Cypress Artifacts from RKE2/EKS”
- !4123: Adding harbor to default-creds.md
- !4104: Patch to remove double-entries
- !4094: updating to 1.29.3
Jaeger
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates
## [2.50.1-bb.2] - 2024-04-20
### Updated
- Fixing ingress gateway authz policy
Kiali
- !4144: kiali update to 1.82.0-bb.3
- !4122: kiali update to 1.82.0-bb.2
- !4101: kiali update to 1.82.0-bb.1
- !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates
## [1.82.0-bb.3] - 2024-04-09
### Changed
- Update annotations tag to 1.82.0
## [1.82.0-bb.2] - 2024-04-08
### Added
- Custom network policies
## [1.82.0-bb.1] - 2024-04-02
### Changed
- Updated Renovate config to catch gluon
Cluster Auditor
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
- !4089: testing cluster auditor values for mr 87
# Changelog Updates
## [1.5.0-bb.15] - 2024-03-18
### Changed
- Add istio egress whitelist
Gatekeeper
# Changelog Updates
## [3.15.0-bb.4] - 2024-04-10
### Changed
- Changed cypress test yaml files for k8s 1.29 compliance
## [3.15.0-bb.3] - 2024-04-01
### Changed
- Revert `K8sPSPSELinuxV2.yaml` and `selinux-policy` update.
## [3.15.0-bb.2] - 2024-04-01
### Changed
- Updated Development Maintenance doc
## [3.15.0-bb.1] - 2024-03-25
### Changed
- Updated `K8sPSPSELinuxV2.yaml` and `selinux-policy` violation.
Kyverno
- !4124: kyverno update to 3.1.4-bb.5
# Changelog Updates
## [3.1.4-bb.5] - 2024-04-05
### Added
- Custom network policies
Kyverno Reporter
- !4132: Update update-automountserviceaccounttokens-default
- !4125: kyvernoReporter update to 2.22.4-bb.2
# Changelog Updates
## [2.22.4-bb.2] - 2024-04-05
### Added
- Custom network policies
## [2.22.4-bb.1] - 2024-03-27
### Changed
- Changed 01-prometheus.cy.js to wait before the test, to handle early network errors in Cypress tests
Elasticsearch Kibana
- !3973: Update ElasticSearchKibana to 1.12.0-bb.1
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
- !4115: elasticsearchKibana update to 1.12.0-bb.0
- !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates
## [1.12.0-bb.1] - 2024-04-09
### Added
- Added Virtual Service for ElasticSearch
## [1.12.0-bb.0] - 2024-04-08
### Changed
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.12.2 to 8.13.0
- ironbank/elastic/kibana/kibana updated from 8.12.2 to 8.13.0
Fluentbit
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
- !4113: fluentbit update to 0.46.0-bb.0
- !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates
## [0.46.0-bb.0]
### Changed
- Updated upstream helm chart tag `0.46.0-bb.0`
- Updated fluent-bit image to `3.0.0` from IB
Loki
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
- !4110: loki update to 5.47.2-bb.2
- !4080: consolidate ServiceEntry kinds into a single entry per package
- !4092: loki update to 5.47.2-bb.0
# Changelog Updates
## [5.47.2-bb.2] - 2024-04-04
### Added
- Added custom network policies
## [5.47.2-bb.1] - 2024-04-03
### Added
- Removed matchLabels for allow-intranamespace authorizationPolicy
## [5.47.2-bb.0] - 2024-04-01
### Upgrade
- Updated loki 2.9.4 -> 2.9.6
- Updated minio-instance 5.0.11-bb.3 -> 5.0.12-bb.6
- Updated grafana-agent-operator 0.3.15 -> 0.3.19
- Updated k8s-sidecar 1.25.3 -> 1.26.1
- Updated kubectl v1.28.6 -> v1.28.8
- Updated nginx 1.25.3 -> 1.25.4
Neuvector
- !4129: neuvector update to 2.6.3-bb.18
# Changelog Updates
## [2.6.3-bb.18] - 2024-04-09
### Added
- Added custom network policies
Tempo
- !4136: tempo update to 1.7.1-bb.6
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates
## [1.7.1-bb.6] - 2024-04-11
### Changed
- Changing type of Openshift SCC in clusterrolebinding
## [1.7.1-bb.5] - 2024-03-13
### Changed
- Updating IstioHardened.md to include exportTo
- Moving sidecar and serviceEntry to match other package implementations
- Updating sidecar to template label.
## [1.7.1-bb.4] - 2024-03-04
### Changed
- Openshift update for deploying Tempo into Openshift cluster
Monitoring
- !4152: monitoring update to 58.0.0-bb.0
- !4140: monitoring update to 57.2.0-bb.2
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
- !4095: monitoring update to 57.2.0-bb.0
- !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates
## [58.0.0-bb.0] - 2024-04-15
### Updated
- Updated Monitoring chart to v0.73.0
- Updated Prometheus: 2.51.1
- Updated Gluon: 0.4.9
- Updated AlertManager: 0.27.0
## [57.2.0-bb.2] - 2024-04-10
### Fixed
- Fix IngressGateway Authorization Policies for AlertManager and Prometheus VirtualServices
## [57.2.0-bb.1] - 2024-04-05
### Added
- Custom network policies
## [57.2.0-bb.0] - 2024-04-03
### Updated
- Updated chart 57.0.3 -> 57.2.0
- Updated grafana-plugins 10.4.0 -> 10.4.1
- Updated kube-state-metrics 2.10.1 -> 2.11.0
- Updated prometheus 2.50.1 -> 2.51.1
Twistlock
- !4137: twistlock update to 0.15.0-bb.5
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
- !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates
## [0.15.0-bb.5] - 2024-04-10
### Changed
- gluon updated from 0.4.8 to 0.4.9
Wrapper
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
- !4112: wrapper update to 0.4.7
# Changelog Updates
## [0.4.7] - 2024-04-03
### Changed
- Made the ingress policy match all workloads if no matchlabels are provided
Minio Operator
- !4130: minioOperator update to 5.0.14-bb.2
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates
## [5.0.14-bb.2] - 2024-04-09
### Added
- Added custom network policies
## [5.0.14-bb.1] - 2024-04-02
### Changed
- Added Istio Sidecar to restrict egress traffic to REGISTRY_ONLY
- Added Istio ServiceEntry to explicitly allow egress
Minio
- !4126: minio update to 5.0.12-bb.11
- !4119: minio update to 5.0.12-bb.10
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
- !4098: minio update to 5.0.12-bb.9
# Changelog Updates
## [5.0.12-bb.11] - 2024-04-09
### Added
- Added custom network policies
## [5.0.12-bb.10] - 2024-04-04
### Changed
- Added Authpol to allow ingress from the minio-operator workload
- Added Istio Sidecar to restrict egress traffic to REGISTRY_ONLY
- Added Istio ServiceEntry to explicitly allow egress
## [5.0.12-bb.9] - 2024-04-02
### Changed
- Updated minio to `RELEASE.2024-03-30T09-41-56Z`
- Updated mc to `RELEASE.2024-03-30T15-29-52Z`
Gitlab
# Changelog Updates
## [7.10.2-bb.0] - 2024-04-12
### Changed
- Update Gitlab to appVersion 16.10.2
- Update chart version 7.10.2
- Update ironbank/gitlab/gitlab/gitlab-webservice PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/certificates PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitaly PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/kubectl PATCH 16.10.1 to 16.10.2
## [7.10.1-bb.1] - 2024-04-05
### Added
- Custom network policies
Gitlab Runner
# Changelog Updates
## [0.63.0-bb.2] - 2024-04-16
### Changed
- Updated gluon to 0.4.9
## [0.63.0-bb.1] - 2024-04-08
### Changed
- Fixed redirect issue with Cypress test
## [0.63.0-bb.0] - 2024-04-03
### Changed
- Updated images to v16.10.0
Nexus
- !4153: nexusRepositoryManager update to 67.1.0-bb.0
# Changelog Updates
## [67.1.0-bb.0] - 2024-04-15
### Changed
- Updated chart to version: 67.1.0-bb.0 | appVersion: 3.67.1-01
- Updated Gluon 0.4.7 -> 0.4.9
## [66.0.0-bb.1] - 2024-03-27
### Updated
- Added allow-intranamespace policy
- Added allow-nothing-policy
- Added ingressgateway-authz-policy
- Added monitoring-authz-policy
- Added template for adding user defined policies
Sonarqube
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates
## [8.0.4-bb.1] - 2024-03-14
### Changed
- Updated the authorization policies for full BB integration
Anchore Enterprise
- !4100: anchore update to 2.4.2-bb.5
- !4117: anchore update to 2.4.2-bb.6
- !4149: anchore update to 2.4.2-bb.8
# Changelog Updates
## [2.4.2-bb.8] - 2024-04-12
### Added
- Added Openshift resources
## [2.4.2-bb.7] - 2024-04-11
### Changed
- Added istio authorization polic(y|ies)
## [2.4.2-bb.6] - 2024-04-05
### Changed
- Added VirtualService for Anchore Enterprise API
## [2.4.2-bb.5] - 2024-04-04
### Changed
- Shutdown istio proxy in upgrade job
## [2.4.2-bb.4] - 2024-04-03
### Changed
- Updated versions to consistent 1.29.x
## [2.4.2-bb.3] - 2024-04-02
### Changed
- Updated security context for pods
## [2.4.2-bb.2] - 2024-03-29
### Changed
- Updated migration pod template
## [2.4.2-bb.1] - 2024-03-26
### Changed
- Updated Swagger API endpoint for tests
## [2.4.2-bb.0] - 2024-03-22
### Changed
- Bumped Anchore Enterprise tag to `5.3.0`
- Bumped Anchore Enterprise UI tag to `5.3.2`
- Bumped Anchore Enterprise chart to `2.4.2`
- Bumped Anchore Feeds chart to `2.2.0`
- Bumped Postgres chart to `12.5.9`
Mattermost
- !4155: mattermost update to 9.6.1-bb.0
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates
## [9.6.1-bb.0] - 2024-04-06
### Changed
- gluon updated from 0.4.8 to 0.4.9
- ironbank/opensource/mattermost/mattermost updated from 9.6.0 to 9.6.1
Velero
- !4147: velero update to 6.0.0-bb.4
- !4145: velero update to 6.0.0-bb.3
- !4080: consolidate ServiceEntry kinds into a single entry per package
- !4086: velero update to 6.0.0-bb.2
# Changelog Updates
## [6.0.0-bb.4] - 2024-04-10
### Changed
- Update dependency registry1.dso.mil/ironbank/opensource/kubernetes/kubectl to v1.29.3
## [6.0.0-bb.3] - 2024-04-03
### Added
- Added custom network policies
## [6.0.0-bb.2] - 2024-03-26
### Changed
- Adding Sidecar to deny egress that is external to istio services
- Adding customServiceEntries to allow egress to override sidecar
Keycloak
- !4128: keycloak update to 23.0.7-bb.3
# Changelog Updates
## [23.0.7-bb.3] - 2024-04-10
### Changed
- Renewing and refreshing DoD CAs in truststore.jks bundle shipped with the package
Harbor
- !4131: harbor update to 1.14.1-bb.0
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates
## [1.14.1-bb.0] - 2024-04-08
### Changed
- Updated bitnami common chart dependency for postgresql MAJOR 1.x.x -> 2.x
- Updated redis MAJOR 16.12.3-bb.3 -> 18.15.0-bb.0
- Updated gluon PATCH 0.4.7 -> 0.4.9
- Updated redis-photon PATCH v2.10.0 -> v2.10.1
- Updated harbor-core PATCH v2.10.0 -> v2.10.1
- Updated harbor-exporter PATCH v2.10.0 -> v2.10.1
- Updated harbor-jobservice PATCH v2.10.0 -> v2.10.1
- Updated harbor-portal PATCH v2.10.0 -> v2.10.1
- Updated harbor-registryctl PATCH v2.10.0 -> v2.10.1
- Updated registry PATCH v2.10.0 -> v2.10.1
- Updated trivy-adapter PATCH v2.10.0 -> v2.10.1
- Updated nginx PATCH 1.25.3 -> 1.25.4
- Updated postgresql12 MINOR 12.17 -> 12.18
## [1.14.0-bb.7] - 2024-04-01
### Added
- Added new AuthorizationPolicy for istio hardening that allows the registry Harbor component to accept traffic from anywhere. This change is needed in order to work around an issue where the Harbor core component exchanges the Basic Authorization header for a service token and then forwards the request to the registry component without any of the original istio headers (including `X-Forwarded-Client-Cert`).
Holocron
- !4166: holocron update to 1.0.4
- !4134: holocron update to 1.0.3
- !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates
## [1.0.4] - 2024-04-11
### Updated
- Moved base securityContext values into values.yaml file
### Added
- Added capabilities: drop: -ALL to securityContext
## [1.0.3] - 2024-04-11
### Updated
- Updated gluon dependency to 0.4.9
### Added
- Added bigbang.dev/applicationVersions annotation
Thanos
# Changelog Updates
## [13.2.2-bb.4] - 2024-04-04
### Added
- Added additional network policies via values yaml
## [13.2.2-bb.3] - 2024-04-04
### Added
- Update minio securityContext
Known Issues
- Gitlab Runner ControlPlaneCidr passthrough issue: GitLab runner not passing control plane cidr+
- Anchore Enterprise API VirtualService Missing: Add API VirtualService back
- CAC user registration issues in 23.0.7: CAC user registration issues in 23.0.7
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our chat
- Check out the documentation for guidance on how to get started
Future
Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.