Release Notes - 2.25.0

Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.29.3 (RKE2).

Upgrade Notices

  • Nexus - MR:
    • The Java option UseCGroupMemoryLimitForHeap has been deprecated and is no longer supported. Please use UseContainerSupport instead. The default package values.yaml includes this change, but if you have separate overrides that reference this Java option as part of the INSTALL4J_ADD_VM_PARAMS env variable, please change them accordingly.
  • Anchore - MR:
    • The Anchore Enterprise upgrade job from v4.9.3 to v5.3.0 was timing out and preventing database migrations because the Istio proxy was not shutting down. This release bumps the package from 2.0.2-bb.1 to 2.4.2-bb.8, and the upgrade jobs, which had been hanging since the 2.4.2 upgrade, should now work. If you experience an incomplete upgrade, try setting upgradeJob.force=true and temporarily disabling network policies so the upgrade job can egress to the external db. If the upgrade fails because of Kubernetes resources not managed by Helm, recreate the Anchore HelmRelease.

Upgrades from previous releases

If coming from a version pre-2.24.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-2.24.0.

Packages

| Package | Type | Package Version | BB Version |
|---|---|---|---|
| Istio Controlplane | Core | Istio 1.20.4, Tetrate Istio Distro 1.20.4 | 1.20.4-bb.1 |
| Istio Operator | Core | Istio Operator 1.20.4, Tetrate Istio Distro Operator 1.20.4 | 1.20.4-bb.0 |
| Jaeger (updated) | Core | 1.53.0 | 2.50.1-bb.2 |
| Kiali (updated) | Core | 1.82.0 | 1.82.0-bb.3 |
| Cluster Auditor (updated) | Core | 0.0.7 | 1.5.0-bb.15 |
| Gatekeeper (updated) | Core | 3.15.0 | 3.15.0-bb.4 |
| Kyverno (updated) | Core | 1.11.4 | 3.1.4-bb.5 |
| Kyverno Policies | Core | 3.0.4 | 3.0.4-bb.28 |
| Kyverno Reporter (updated) | Core | 2.18.0 | 2.22.4-bb.2 |
| Elasticsearch Kibana (updated) | Core | Kibana 8.13.0, Elasticsearch 8.13.0 | 1.12.0-bb.1 |
| Eck Operator | Core | 2.12.1 | 2.12.1-bb.0 |
| Fluentbit (updated) | Core | 3.0.0 | 0.46.0-bb.0 |
| Promtail | Core | 2.9.4 | 6.15.5-bb.3 |
| Loki (updated) | Core | 2.9.6 | 5.47.2-bb.2 |
| Neuvector (updated) | Core | 5.3.0 | 2.6.3-bb.18 |
| Tempo (updated) | Core | Tempo 2.3.0-ubi9, Tempo Query 2.3.1 | 1.7.1-bb.6 |
| Monitoring (updated) | Core | Prometheus 2.51.1, Grafana 10.4.1, Alertmanager 0.27.0 | 58.0.0-bb.0 |
| Grafana | Core | 10.4.0 | 7.3.7-bb.1 |
| Twistlock (updated) | Core | 32.01.128 | 0.15.0-bb.5 |
| Wrapper (updated) | Core | N/A | 0.4.7 |
| Argocd | Addon | 2.10.3 | 6.7.2-bb.1 |
| Authservice | Addon | 1.0.0 | 1.0.0-bb.0 |
| Minio Operator (updated) | Addon | 5.0.14 | 5.0.14-bb.2 |
| Minio (updated) | Addon | RELEASE.2024-03-30T09-41-56Z | 5.0.12-bb.11 |
| Gitlab (updated) | Addon | 16.10.2 | 7.10.2-bb.0 |
| Gitlab Runner (updated) | Addon | 16.10.0 | 0.63.0-bb.2 |
| Nexus (updated) | Addon | 3.67.1-01 | 67.1.0-bb.0 |
| Sonarqube (updated) | Addon | 9.9.4-community | 8.0.4-bb.1 |
| Fortify | Addon | 23.2.0.0154 | 1.1.2320154-bb.3 |
| Haproxy | Addon | 2.2.32 | 1.19.3-bb.4 |
| Anchore Enterprise (updated) | Addon | 5.3.0 | 2.4.2-bb.8 |
| Mattermost Operator | Addon | 1.21.0 | 1.21.0-bb.0 |
| Mattermost (updated) | Addon | 9.6.1 | 9.6.1-bb.0 |
| Velero (updated) | Addon | 1.13.1 | 6.0.0-bb.4 |
| Keycloak (updated) | Addon | 23.0.7 | 23.0.7-bb.3 |
| Vault | Addon | 1.14.10 | 0.25.0-bb.20 |
| Metrics Server | Addon | 0.7.0 | 3.12.0-bb.1 |
| Harbor (updated) | Addon | 2.10.1 | 1.14.1-bb.0 |
| Holocron (updated) | Addon | 3.3.0 | 1.0.4 |
| Thanos BETA (updated) | Addon | 0.34.1 | 13.2.2-bb.4 |

Changes in 2.25.0

Big Bang MRs

  • !4099: Resolve “Remove Cypress Artifacts from RKE2/EKS”
  • !4123: Adding harbor to default-creds.md
  • !4104: Patch to remove double-entries
  • !4094: updating to 1.29.3

Jaeger

  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates

## [2.50.1-bb.2] - 2024-04-20
### Updated
- Fixing ingress gateway authz policy

Kiali

  • !4144: kiali update to 1.82.0-bb.3
  • !4122: kiali update to 1.82.0-bb.2
  • !4101: kiali update to 1.82.0-bb.1
  • !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates

## [1.82.0-bb.3] - 2024-04-09
### Changed
- Update annotations tag to 1.82.0

## [1.82.0-bb.2] - 2024-04-08
### Added
- Custom network policies

## [1.82.0-bb.1] - 2024-04-02
### Changed
- Updated Renovate config to catch gluon

Cluster Auditor

  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
  • !4089: testing cluster auditor values for mr 87
# Changelog Updates

## [1.5.0-bb.15] - 2024-03-18
### Changed
- Add istio egress whitelist

Gatekeeper

  • !4127: gatekeeper update to 3.15.0-bb.4
  • !4093: gatekeeper update to 3.15.0-bb.3
# Changelog Updates

## [3.15.0-bb.4] - 2024-04-10
### Changed
- Changed cypress test yaml files for k8s 1.29 compliance

## [3.15.0-bb.3] - 2024-04-01
### Changed
- Revert `K8sPSPSELinuxV2.yaml` and `selinux-policy` update.

## [3.15.0-bb.2] - 2024-04-01
### Changed
- Updated Development Maintenance doc

## [3.15.0-bb.1] - 2024-03-25
### Changed
- Updated `K8sPSPSELinuxV2.yaml` and `selinux-policy` violation.

Kyverno

  • !4124: kyverno update to 3.1.4-bb.5
# Changelog Updates

## [3.1.4-bb.5] - 2024-04-05
### Added
- Custom network policies

Kyverno Reporter

  • !4132: Update update-automountserviceaccounttokens-default
  • !4125: kyvernoReporter update to 2.22.4-bb.2
# Changelog Updates

## [2.22.4-bb.2] - 2024-04-05
### Added
- Custom network policies

## [2.22.4-bb.1] - 2024-03-27
### Changed
- Changed `01-prometheus.cy.js` to wait before the test to handle early network errors on Cypress tests

Elasticsearch Kibana

  • !3973: Update ElasticSearchKibana to 1.12.0-bb.1
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
  • !4115: elasticsearchKibana update to 1.12.0-bb.0
  • !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates

## [1.12.0-bb.1] - 2024-04-09
### Added
- Added Virtual Service for ElasticSearch

## [1.12.0-bb.0] - 2024-04-08
### Changed
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.12.2 to 8.13.0
- ironbank/elastic/kibana/kibana updated from 8.12.2 to 8.13.0

Fluentbit

  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
  • !4113: fluentbit update to 0.46.0-bb.0
  • !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates

## [0.46.0-bb.0]
### Changed
- Updated upstream helm chart tag `0.46.0-bb.0`
- Updated fluent-bit image to `3.0.0` from IB

Loki

  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
  • !4110: loki update to 5.47.2-bb.2
  • !4080: consolidate ServiceEntry kinds into a single entry per package
  • !4092: loki update to 5.47.2-bb.0
# Changelog Updates

## [5.47.2-bb.2] - 2024-04-04
### Added
- Added custom network policies

## [5.47.2-bb.1] - 2024-04-03
### Added
- Removed matchLabels for allow-intranamespace authorizationPolicy

## [5.47.2-bb.0] - 2024-04-01
### Upgrade
- Updated loki 2.9.4 -> 2.9.6
- Updated minio-instance 5.0.11-bb.3 -> 5.0.12-bb.6
- Updated grafana-agent-operator 0.3.15 -> 0.3.19
- Updated k8s-sidecar 1.25.3 -> 1.26.1
- Updated kubectl v1.28.6 -> v1.28.8
- Updated nginx 1.25.3 -> 1.25.4

Neuvector

  • !4129: neuvector update to 2.6.3-bb.18
# Changelog Updates

## [2.6.3-bb.18] - 2024-04-09
### Added
- Added custom network policies

Tempo

  • !4136: tempo update to 1.7.1-bb.6
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates

## [1.7.1-bb.6] - 2024-04-11
### Changed
- Changing type of Openshift SCC in clusterrolebinding

## [1.7.1-bb.5] - 2024-03-13
### Changed
- Updating IstioHardened.md to include exportTo
- Moving sidecar and serviceEntry to match other package implementations
- Updating sidecar to template label.

## [1.7.1-bb.4] - 2024-03-04
### Changed
- Openshift update for deploying Tempo into Openshift cluster

Monitoring

  • !4152: monitoring update to 58.0.0-bb.0
  • !4140: monitoring update to 57.2.0-bb.2
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
  • !4095: monitoring update to 57.2.0-bb.0
  • !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates

## [58.0.0-bb.0] - 2024-04-15
### Updated
- Updated Monitoring chart to v0.73.0
- Updated Prometheus: 2.51.1
- Updated Gluon: 0.4.9
- Updated AlertManager: 0.27.0

## [57.2.0-bb.2] - 2024-04-10
### Fixed
- Fix IngressGateway Authorization Policies for AlertManager and Prometheus VirtualServices

## [57.2.0-bb.1] - 2024-04-05
### Added
- Custom network policies

## [57.2.0-bb.0] - 2024-04-03
### Updated
- Updated chart 57.0.3 -> 57.2.0
- Updated grafana-plugins 10.4.0 -> 10.4.1
- Updated kube-state-metrics 2.10.1 -> 2.11.0
- Updated prometheus 2.50.1 -> 2.51.1

Twistlock

  • !4137: twistlock update to 0.15.0-bb.5
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
  • !4080: consolidate ServiceEntry kinds into a single entry per package
# Changelog Updates

## [0.15.0-bb.5] - 2024-04-10
### Changed
- gluon updated from 0.4.8 to 0.4.9

Wrapper

  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
  • !4112: wrapper update to 0.4.7
# Changelog Updates

## [0.4.7] - 2024-04-03
### Changed
- Made the ingress policy match all workloads if no matchlabels are provided

Minio Operator

  • !4130: minioOperator update to 5.0.14-bb.2
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates

## [5.0.14-bb.2] - 2024-04-09
### Added
- Added custom network policies

## [5.0.14-bb.1] - 2024-04-02
### Changed
- Added Istio Sidecar to restrict egress traffic to REGISTRY_ONLY
- Added Istio ServiceEntry to explicitly allow egress

Minio

  • !4126: minio update to 5.0.12-bb.11
  • !4119: minio update to 5.0.12-bb.10
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
  • !4098: minio update to 5.0.12-bb.9
# Changelog Updates

## [5.0.12-bb.11] - 2024-04-09
### Added
- Added custom network policies

## [5.0.12-bb.10] - 2024-04-04
### Changed
- Added Authpol to allow ingress from the minio-operator workload
- Added Istio Sidecar to restrict egress traffic to REGISTRY_ONLY
- Added Istio ServiceEntry to explicitly allow egress

## [5.0.12-bb.9] - 2024-04-02
### Changed
- Updated minio to `RELEASE.2024-03-30T09-41-56Z`
- Updated mc to `RELEASE.2024-03-30T15-29-52Z`

Gitlab

  • !4156: gitlab update to 7.10.2-bb.0
  • !4135: gitlab update to 7.10.1-bb.1
# Changelog Updates

## [7.10.2-bb.0] - 2024-04-12
### Changed
- Update Gitlab to appVersion 16.10.2
- Update chart version 7.10.2
- Update ironbank/gitlab/gitlab/gitlab-webservice PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/certificates PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitaly PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse PATCH 16.10.1 to 16.10.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/kubectl PATCH 16.10.1 to 16.10.2

## [7.10.1-bb.1] - 2024-04-05
### Added
- Custom network policies

Gitlab Runner

  • !4165: gitlabRunner update to 0.63.0-bb.2
  • !4107: gitlabRunner update to 0.63.0-bb.1
# Changelog Updates

## [0.63.0-bb.2] - 2024-04-16
### Changed
- Updated gluon to 0.4.9

## [0.63.0-bb.1] - 2024-04-08
### Changed
- Fixed redirect issue with Cypress test

## [0.63.0-bb.0] - 2024-04-03
### Changed
- Updated images to v16.10.0

Nexus

  • !4153: nexusRepositoryManager update to 67.1.0-bb.0
# Changelog Updates

## [67.1.0-bb.0] - 2024-04-15
### Changed
- Updated chart to version: 67.1.0-bb.0 | appVersion: 3.67.1-01
- Updated Gluon 0.4.7 -> 0.4.9

## [66.0.0-bb.1] - 2024-03-27
### Updated
- Added allow-intranamespace policy
- Added allow-nothing-policy
- Added ingressgateway-authz-policy
- Added monitoring-authz-policy
- Added template for adding user defined policies

Sonarqube

  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates

## [8.0.4-bb.1] - 2024-03-14
### Changed
- Updated the authorization policies for full BB integration

Anchore Enterprise

  • !4100: anchore update to 2.4.2-bb.5
  • !4117: anchore update to 2.4.2-bb.6
  • !4149: anchore update to 2.4.2-bb.8
# Changelog Updates

## [2.4.2-bb.8] - 2024-04-12
### Added
- Added Openshift resources

## [2.4.2-bb.7] - 2024-04-11
### Changed
- Added istio authorization polic(y|ies)

## [2.4.2-bb.6] - 2024-04-05
### Changed
- Added VirtualService for Anchore Enterprise API

## [2.4.2-bb.5] - 2024-04-04
### Changed
- Shutdown istio proxy in upgrade job

## [2.4.2-bb.4] - 2024-04-03
### Changed
- Updated versions to consistent 1.29.x

## [2.4.2-bb.3] - 2024-04-02
### Changed
- Updated security context for pods

## [2.4.2-bb.2] - 2024-03-29
### Changed
- Updated migration pod template

## [2.4.2-bb.1] - 2024-03-26
### Changed
- Updated Swagger API endpoint for tests

## [2.4.2-bb.0] - 2024-03-22
### Changed
- Bumped Anchore Enterprise tag to `5.3.0`
- Bumped Anchore Enterprise UI tag to `5.3.2`
- Bumped Anchore Enterprise chart to `2.4.2`
- Bumped Anchore Feeds chart to `2.2.0`
- Bumped Postgres chart to `12.5.9`

Mattermost

  • !4155: mattermost update to 9.6.1-bb.0
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates

## [9.6.1-bb.0] - 2024-04-06
### Changed
- gluon updated from 0.4.8 to 0.4.9
- ironbank/opensource/mattermost/mattermost updated from 9.6.0 to 9.6.1

Velero

  • !4147: velero update to 6.0.0-bb.4
  • !4145: velero update to 6.0.0-bb.3
  • !4080: consolidate ServiceEntry kinds into a single entry per package
  • !4086: velero update to 6.0.0-bb.2
# Changelog Updates

## [6.0.0-bb.4] - 2024-04-10
### Changed
- Update dependency registry1.dso.mil/ironbank/opensource/kubernetes/kubectl to v1.29.3

## [6.0.0-bb.3] - 2024-04-03
### Added
- Added custom network policies

## [6.0.0-bb.2] - 2024-03-26
### Changed
- Adding Sidecar to deny egress that is external to istio services
- Adding customServiceEntries to allow egress to override sidecar

Keycloak

  • !4128: keycloak update to 23.0.7-bb.3
# Changelog Updates

## [23.0.7-bb.3] - 2024-04-10
### Changed
- Renewing and refreshing DoD CAs in truststore.jks bundle shipped with the package

Harbor

  • !4131: harbor update to 1.14.1-bb.0
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates

## [1.14.1-bb.0] - 2024-04-08
### Changed
- Updated bitnami common chart dependency for postgresql MAJOR 1.x.x -> 2.x
- Updated redis MAJOR 16.12.3-bb.3 -> 18.15.0-bb.0
- Updated gluon PATCH 0.4.7 -> 0.4.9
- Updated redis-photon PATCH v2.10.0 -> v2.10.1
- Updated harbor-core PATCH v2.10.0 -> v2.10.1
- Updated harbor-exporter PATCH v2.10.0 -> v2.10.1
- Updated harbor-jobservice PATCH v2.10.0 -> v2.10.1
- Updated harbor-portal PATCH v2.10.0 -> v2.10.1
- Updated harbor-registryctl PATCH v2.10.0 -> v2.10.1
- Updated registry PATCH v2.10.0 -> v2.10.1
- Updated trivy-adapter PATCH v2.10.0 -> v2.10.1
- Updated nginx PATCH 1.25.3 -> 1.25.4
- Updated postgresql12 MINOR 12.17 -> 12.18

## [1.14.0-bb.7] - 2024-04-01
### Added
- Added new AuthorizationPolicy for istio hardening that allows the registry Harbor component to accept traffic from anywhere.  This change is needed in order to work around an issue where the Harbor core component exchanges the Basic Authorization header for a service token and then forwards the request to the registry component without any of the original istio headers (including `X-Forwarded-Client-Cert`).

Holocron

  • !4166: holocron update to 1.0.4
  • !4134: holocron update to 1.0.3
  • !3952: Resolve “Ensure that istio.hardened.enabled is turned on for all packages in test-values.yaml for packages that support it”
# Changelog Updates

## [1.0.4] - 2024-04-11
### Updated
- Moved base securityContext values into values.yaml file

### Added
- Added capabilities: drop: -ALL to securityContext

## [1.0.3] - 2024-04-11
### Updated
- Updated gluon dependency to 0.4.9

### Added
- Added bigbang.dev/applicationVersions annotation

Thanos

  • !4138: thanos update to 13.2.2-bb.4
  • !4108: thanos update to 13.2.2-bb.3
# Changelog Updates

## [13.2.2-bb.4] - 2024-04-04
### Added
- Added additional network policies via values yaml

## [13.2.2-bb.3] - 2024-04-04
### Added
- Update minio securityContext

Known Issues

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.