Release Notes - 2.28.1
Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.29.3 (RKE2).
Patch-Specific Changes
Gitlab
Upgrade Notices
- BigBang - MR:
  - Resolves a bug in the flux settings for each HelmRelease. Previously, overriding flux settings for any package at the package level caused the flux settings of every deployed package to be overridden. With this fix, users can define global flux settings and also override them for specific packages deployed with Big Bang. If you override flux settings in any Big Bang package, please review these changes.
- Loki - MR:
  - Loki 3.0 is a major version increase and comes with several breaking changes.
  - Here is the shortlist of things we think most people may encounter:
    - Structured metadata is enabled by default and requires `tsdb` and `v13` schema or Loki won’t start. Refer to Structured Metadata, Open Telemetry, Schemas and Indexes.
    - The `shared_store` config is removed. Refer to Removed `shared_store` and `shared_store_key_prefix` from shipper configuration.
    - Loki now enforces a max line size of 256KB by default (you can disable this or increase this but this is how Grafana Labs runs Loki). Refer to Changes to default configure values.
    - Loki now enforces a max label limit of 15 labels per series, down from 30. Extra labels inflate the size of the index and reduce performance; you should almost never need more than 15 labels. Refer to Changes to default configure values.
    - Loki will automatically attempt to populate a `service_name` label on ingestion. Refer to `service_name` label.
    - There are many metric name changes. Refer to Distributor metric changes, Embedded cache metric changes, and Metrics namespace.
    - `loki.index_gateway.mode` must remain set to `simple`. Setting it to `ring` will result in pod crashes due to a bug in Loki 3.0.0. Reference: https://github.com/grafana/loki/issues/12270
  - Distributed deployment mode is now available using the Loki chart. However, it is not yet supported or available using the umbrella Big Bang chart. This will be implemented and tested in a future release.
- Gitlab-runner - MR:
  - A new package value, `.Values.networkPolicies.kubeapiPort`, has been added for Gitlab Runner. It is currently implemented in the network policy for Gitlab Runner to allow explicit Kube API access in conjunction with `.Values.networkPolicies.controlPlaneCidr`.
  - Defaults for the values above if not set:
    - `.Values.networkPolicies.controlPlaneCidr` default value is `0.0.0.0/0`
    - `.Values.networkPolicies.kubeapiPort` default value is `("443", "6443")`
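An added example for the Loki notice above, not taken from these release notes or from the Loki project: a Python pre-upgrade check for the three items in that list that keep Loki pods from starting (schema, `shared_store`, `index_gateway` mode). It takes the Loki config already parsed from YAML into a dict; the `limits_config.allow_structured_metadata` and `schema_config.configs` keys and the function names are assumptions beyond what this page states, and both sample configs are constructed.

```python
from datetime import date


def find_keys(node, names, path=""):
    """Yield the dotted path of every key in `names`, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if key in names:
                yield here
            yield from find_keys(value, names, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_keys(item, names, f"{path}[{i}]")


def check_loki_config(cfg, today=None):
    """Return findings for a Loki config already parsed from YAML into a dict."""
    today = today or date.today().isoformat()
    findings = []
    # Structured metadata defaults to on; it can be turned off in limits_config.
    if (cfg.get("limits_config") or {}).get("allow_structured_metadata", True):
        periods = (cfg.get("schema_config") or {}).get("configs") or []
        # The period in force is the latest one whose "from" date has passed.
        started = [p for p in periods if str(p.get("from", "")) <= today]
        active = max(started, key=lambda p: str(p.get("from", "")), default={})
        if (active.get("store"), active.get("schema")) != ("tsdb", "v13"):
            findings.append("schema: active period is store=%s schema=%s, need tsdb and v13"
                            % (active.get("store"), active.get("schema")))
    for path in find_keys(cfg, {"shared_store", "shared_store_key_prefix"}):
        findings.append(f"removed: {path}")
    if (cfg.get("index_gateway") or {}).get("mode") == "ring":
        findings.append("index_gateway: mode is ring, must stay simple on 3.0.0")
    return findings


# Constructed sample: a pre-3.0 style config (not taken from any real cluster).
LEGACY = {
    "schema_config": {"configs": [
        {"from": "2022-01-11", "store": "boltdb-shipper", "schema": "v12"}]},
    "storage_config": {"boltdb_shipper": {"shared_store": "s3"}},
    "compactor": {"shared_store": "s3"},
    "index_gateway": {"mode": "ring"},
}
# Constructed sample: the same config with a tsdb/v13 period added.
READY = {
    "schema_config": {"configs": [
        {"from": "2022-01-11", "store": "boltdb-shipper", "schema": "v12"},
        {"from": "2024-05-01", "store": "tsdb", "schema": "v13"}]},
    "index_gateway": {"mode": "simple"},
}

if __name__ == "__main__":
    for finding in check_loki_config(LEGACY, today="2024-06-01"):
        print(finding)
```

A `tsdb`/`v13` period whose `from` date is still in the future is reported as well, because the older period is the one in force on the day of the upgrade.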
Potential breaking change notice for upcoming release in 2.29
Release 2.29.0
Gitlab
- Gitlab v17 will contain a breaking change that disables the runner registration token method of provisioning a new runner, in favor of a new workflow that uses runner authentication tokens to register runners. More information about how to prepare for this change, or to re-enable the legacy mode until v18, can be found here
Kyverno
- The Kyverno policy require-drop-all-capabilities will be set to Enforce. All BigBang provided packages have exceptions or configuration in place to satisfy this requirement.
- For any non-BigBang applications, exceptions can be added via values as below, or ensure a Kyverno PolicyException resource is present in your app templates:

```yaml
kyvernoPolicies:
  values:
    policies:
      require-drop-all-capabilities:
        exclude:
          any:
          # Neuvector needs access to host to inspect network traffic
          - resources:
              namespaces:
              - neuvector
              names:
              - neuvector-enforcer-pod*
              - neuvector-controller-pod*
              - neuvector-prometheus-exporter-pod*
```
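An added example, not part of these release notes or of Big Bang: a Python audit that lists the containers that would be rejected once the policy is set to Enforce, and applies an exclusion list shaped like `exclude.any` above. It assumes the policy requires `ALL` under `securityContext.capabilities.drop` for every container, init container and ephemeral container; the function names and both manifests are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Path to the pod spec for each workload kind this audit understands.
POD_SPEC_PATH = {"Pod": ["spec"]}
for _kind in ("Deployment", "ReplicaSet", "DaemonSet", "StatefulSet"):
    POD_SPEC_PATH[_kind] = ["spec", "template", "spec"]


def is_excluded(meta, exclude_any):
    """True when namespace and name both match one exclude.any[].resources entry."""
    for entry in exclude_any:
        res = entry.get("resources") or {}
        ns_hit = any(fnmatchcase(meta.get("namespace", ""), pat)
                     for pat in res.get("namespaces") or ["*"])
        name_hit = any(fnmatchcase(meta.get("name", ""), pat)
                       for pat in res.get("names") or ["*"])
        if ns_hit and name_hit:
            return True
    return False


def missing_drop_all(manifest, exclude_any=()):
    """List containers in a manifest whose capabilities.drop lacks ALL."""
    if is_excluded(manifest.get("metadata") or {}, exclude_any):
        return []
    spec = manifest
    for key in POD_SPEC_PATH.get(manifest.get("kind"), []):
        spec = spec.get(key) or {}
    offenders = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for ctr in spec.get(field) or []:
            caps = (ctr.get("securityContext") or {}).get("capabilities") or {}
            if "ALL" not in (caps.get("drop") or []):
                offenders.append(f"{field}/{ctr.get('name')}")
    return offenders


# Exclusion list copied from the values snippet above.
EXCLUDE = [{"resources": {"namespaces": ["neuvector"], "names": [
    "neuvector-enforcer-pod*", "neuvector-controller-pod*",
    "neuvector-prometheus-exporter-pod*"]}}]

# Constructed manifests, trimmed to the fields the audit reads.
APP = {"kind": "Deployment", "metadata": {"name": "web", "namespace": "demo"},
       "spec": {"template": {"spec": {
           "initContainers": [{"name": "init-perms", "securityContext": {
               "capabilities": {"drop": ["NET_RAW"]}}}],
           "containers": [{"name": "web", "securityContext": {
               "capabilities": {"drop": ["ALL"]}}}]}}}}
ENFORCER = {"kind": "Pod", "spec": {"containers": [{"name": "enforcer"}]},
            "metadata": {"name": "neuvector-enforcer-pod-x7k2p", "namespace": "neuvector"}}

if __name__ == "__main__":
    for m in (APP, ENFORCER):
        print(m["metadata"]["name"], missing_drop_all(m, EXCLUDE))
```

The same function accepts each item from `kubectl get pods -A -o json` once the JSON is loaded, which gives a list of workloads to fix or exclude before the policy changes mode.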
Upgrades from previous releases
If coming from a version pre-`2.27.0`, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-`2.27.0`.
Packages
Package | Type | Package Version | BB Version |
---|---|---|---|
Istio Controlplane | Core | Istio 1.21.2, Tetrate Istio Distro 1.21.2 | 1.21.2-bb.0 |
Istio Operator | Core | Istio Operator 1.21.2, Tetrate Istio Distro Operator 1.21.2 | 1.21.2-bb.0 |
Jaeger | Core | 1.56.0 | 2.53.0-bb.1 |
Kiali | Core | 1.84.0 | 1.84.0-bb.0 |
Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.16 |
Gatekeeper | Core | 3.16.2 | 3.16.0-bb.1 |
Kyverno | Core | 1.11.4 | 3.1.4-bb.8 |
Kyverno Policies | Core | 3.0.4 | 3.0.4-bb.32 |
Kyverno Reporter | Core | 2.18.0 | 2.22.4-bb.5 |
Elasticsearch Kibana | Core | Kibana 8.13.4, Elasticsearch 8.13.4 | 1.15.0-bb.0 |
Eck Operator | Core | 2.12.1 | 2.12.1-bb.1 |
Fluentbit | Core | 3.0.4 | 0.46.7-bb.0 |
Promtail | Core | 2.9.4 | 6.15.5-bb.5 |
Loki | Core | 3.0.0 | 6.5.2-bb.1 |
Neuvector | Core | 5.3.2 | 2.7.6-bb.2 |
Tempo | Core | Tempo 2.3.0-ubi9, Tempo Query 2.3.1 | 1.7.1-bb.8 |
Monitoring | Core | Prometheus 2.52.0, Grafana 11.0.0, Alertmanager 0.27.0 | 58.6.0-bb.0 |
Grafana | Core | 10.4.2 | 7.3.9-bb.2 |
Twistlock | Core | 32.01.128 | 0.15.0-bb.11 |
Wrapper | Core | N / A | 0.4.7 |
Argocd | Addon | 2.10.7 | 6.7.15-bb.5 |
Authservice | Addon | 1.0.0 | 1.0.0-bb.1 |
Minio Operator | Addon | 5.0.15 | 5.0.15-bb.0 |
Minio | Addon | RELEASE.2024-05-10T01-41-38Z | 5.0.15-bb.0 |
Gitlab | Addon | 16.11.3 | 7.11.2-bb.5 |
Gitlab Runner | Addon | 16.11.0 | 0.64.0-bb.0 |
Nexus | Addon | 3.68.1-02 | 68.1.0-bb.0 |
Sonarqube | Addon | 9.9.4-community | 8.0.4-bb.5 |
Fortify | Addon | 23.2.0.0154 | 1.1.2320154-bb.5 |
Haproxy | Addon | 2.2.33 | 1.19.3-bb.5 |
Anchore Enterprise | Addon | 5.4.1 | 2.4.2-bb.15 |
Mattermost Operator | Addon | 1.21.0 | 1.21.0-bb.1 |
Mattermost | Addon | 9.8.0 | 9.8.0-bb.0 |
Velero | Addon | 1.13.2 | 6.4.0-bb.0 |
Keycloak | Addon | 23.0.7 | 23.0.7-bb.8 |
Vault | Addon | 1.14.10 | 0.25.0-bb.30 |
Metrics Server | Addon | 0.7.1 | 3.12.1-bb.1 |
Harbor | Addon | 2.10.2 | 1.14.2-bb.6 |
Holocron | Addon | 3.3.0 | 1.0.7 |
Thanos | Addon | 0.34.1 | 13.2.2-bb.7 |
Changes in 2.28.0
Big Bang MRs
- !4246: Adding OpenShift Test Values
- !4263: #1993 : Pass big bang values through to package charts
- !4230: Add values file for fips tests
- !4389: add loki cluster tags to promtail
- !4372: revert changed README.md
- !4273: Fixing Flux Logic
- !4357: Keycloak documentation update for UI credentials
- !4365: Reenabling hardening gitlab/runner
Istio Controlplane
- !4358: istio update to 1.21.2-bb.0
# Changelog Updates
## [1.21.2-bb.0] - 2024-05-16
### Changed
- ironbank/opensource/istio/install-cni updated from 1.21.1 to 1.21.2
- ironbank/opensource/istio/pilot updated from 1.21.1 to 1.21.2
- ironbank/opensource/istio/proxyv2 updated from 1.21.1 to 1.21.2
- ironbank/tetrate/istio/install-cni updated from 1.21.1 to 1.21.2
- ironbank/tetrate/istio/pilot updated from 1.21.1 to 1.21.2
- ironbank/tetrate/istio/proxyv2 updated from 1.21.1 to 1.21.2
Istio Operator
- !4361: istioOperator update to 1.21.2-bb.0
# Changelog Updates
## [1.21.2-bb.0] - 2024-05-16
### Changed
- Updated repo1 image to `1.21.2`
- Updated TID image to `1.21.2`
- Added default value for `operatorNamespace` so helm lint passes
- Documented existing modifications to upstream chart in `docs/DEVELOPMENT_MAINTENANCE.md`
Gatekeeper
# Changelog Updates
## [3.16.0-bb.1] - 2024-05-24
### Changed
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper `v3.16.0` -> `v3.16.2`
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl `v1.29.4` -> `v1.29.5`
## [3.16.0-bb.0] - 2024-05-14
### Changed
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper `v3.15.1` -> `v3.16.0`
- Updated ironbank/opensource/openpolicyagent/gatekeeper `v3.15.1` -> `v3.16.0`
- Updated to latest gluon `0.4.9` -> `0.5.0`
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl `v1.29.3` -> `v1.29.4`
Kyverno Policies
# Changelog Updates
## [3.0.4-bb.32] - 2024-05-23
### Changed
- setting autogen rules to `Deployment,ReplicaSet,DaemonSet,StatefulSet` as default to mitigate false positive behavior
## [3.0.4-bb.31] - 2024-05-16
### Changed
- updated commented example in values.yaml file for `update-automountserviceaccounttokens:`
Kyverno Reporter
- !4337: kyvernoReporter update to 2.22.4-bb.5
# Changelog Updates
## [2.22.4-bb.5] - 2024-05-12
### Changed
- Updated `gluon` package dependency version from `0.4.10` to `0.5.0`
Elasticsearch Kibana
- !4374: elasticsearchKibana update to 1.15.0-bb.0
# Changelog Updates
## [1.15.0-bb.0] - 2024-05-14
### Changed
- gluon updated from 0.4.10 to 0.5.0
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.13.2 to 8.13.4
- ironbank/elastic/kibana/kibana updated from 8.13.2 to 8.13.4
Fluentbit
- !4395: fluentbit update to 0.46.7-bb.0
# Changelog Updates
## [0.46.7-bb.00] - 2024-05-22
### Changed
- Updated fluent-bit: 3.0.3 -> 3.0.4
Loki
- !4376: loki update to 6.5.2-bb.1
- !4373: loki update to 6.5.2-bb.0
- !4229: Update loki values and update loki to 6.3.4-bb.0
# Changelog Updates
## [6.5.2-bb.1] - 2024-05-20
### Fixed
- Fixed typo in README.md
## [6.5.2-bb.0] - 2024-05-17
### Upgrade
- Updated k8s-sidecar 1.26.1 -> 1.27.1
- Updated kubectl 1.29.3 -> 1.29.5
- Updated memcached 1.6.23 -> 1.6.27
- Updated nginx 1.25.4 -> 1.26.0
- Updated rollout-operator 0.13.0 -> 0.15.0
- Updated grafana-agent-operator 0.3.21 -> 0.3.22
## [6.3.4-bb.0] - 2024-05-14
### Upgrade
- Updated loki 2.9.6 -> 3.0.0
- Updated minio-instance 5.0.12-bb.6 -> 5.0.12-bb.13
- Updated grafana-agent-operator 0.3.19 -> 0.3.20
- Updated gluon 0.4.9 -> 0.5.0
- Added rollout-operator 0.13.0
Neuvector
- !4407: neuvector update to 2.7.6-bb.2
# Changelog Updates
## [2.7.6-bb.2] - 2024-05-22
### Changed
- Fix monitoring sub chart dependency. Update to 2.6.3.
- Update from gluon 0.4.8 to 0.5.0
Monitoring
- !4391: Update monitoring to 58.6.0-bb.0
- !4379: monitoring update to 58.5.3-bb.1
- !4368: monitoring update to 58.5.3-bb.0
# Changelog Updates
## [58.6.0-bb.0] - 2024-05-21
### Updated
- Updated prometheus-config-reloader: v0.73.2 -> v0.74.0
- Updated prometheus-operator: v0.73.2 -> v0.74.0
## [58.5.3-bb.1] - 2024-05-17
### Added
- Added additional namespace and port for hardened thanos
## [58.5.3-bb.0] - 2024-05-16
### Updated
- Updated Grafana: 10.4.2 -> 11.0.0
- Updated k8s-sidecar: 1.26.2 -> 1.27.1
- Updated kubectl: v1.29.4 -> v1.29.5
Twistlock
- !4396: twistlock update to 0.15.0-bb.11
- !4347: twistlock update to 0.15.0-bb.10
- !4345: twistlock update to 0.15.0-bb.9
- !4333: twistlock update to 0.15.0-bb.8
# Changelog Updates
## [0.15.0-bb.11] - 2024-05-22
### Changed
- Add resource requests and limits for Defender DaemonSet
## [0.15.0-bb.10] - 2024-05-15
### Changed
- Add Priority Class argument for defenders
## [0.15.0-bb.9] - 2024-05-15
### Changed
- Fixed minor typo error on twistlock/allow-sidecar-scraping
## [0.15.0-bb.8] - 2024-05-10
### Changed
- gluon updated from 0.4.9 to 0.5.0
Argocd
- !4366: Resolve “Reenabling hardening argocd gitlab/runner”
- !4378: argocd update to 6.7.15-bb.5
- !4330: argocd update to 6.7.15-bb.4
# Changelog Updates
## [6.7.15-bb.5] - 2024-05-20
### Fixed
- Argocd Authz Authorization Policy
## [6.7.15-bb.4] - 2024-05-08
### Added
- Added Istio Sidecar to restrict egress traffic to REGISTRY_ONLY
- Added Istio ServiceEntry
- Added istiohardened doc
Minio Operator
- !4334: minioOperator update to 5.0.15-bb.0
# Changelog Updates
## [5.0.15-bb.0] - 2024-05-09
### Upgrade
- ironbank/opensource/minio/operator v5.0.14 -> v5.0.15
- registry1.dso.mil/ironbank/opensource/minio/operator v5.0.14 -> v5.0.15
Minio
# Changelog Updates
## [5.0.15-bb.0] - 2024-05-17
### Changed
- Updated minio to `RELEASE.2024-05-10T01-41-38Z`
- Updated registry1.dso.mil/ironbank/opensource/minio/mc to `RELEASE.2024-05-09T17-04-24Z`
- Updated chart to 5.0.15
## [5.0.12-bb.14] - 2024-05-09
### Changed
- Updated minio to `RELEASE.2024-05-07T06-41-25Z`
Gitlab
- !4419: gitlab update to 7.11.2-bb.2
- !4371: gitlab update to 7.11.2-bb.1
- !4370: gitlab update to 7.11.2-bb.0
- !4288: gitlab update to 7.11.1-bb.2
# Changelog Updates
## [7.11.2-bb.2] - 2024-05-29
### Changed
- Fixed the securityContext for webservice-test-runner
## [7.11.2-bb.1] - 2024-05-17
### Changed
- Update securityContext for webservice-test-runner
## [7.11.2-bb.0] - 2024-05-15
### Changed
- Update ironbank/gitlab/gitlab/gitlab-webservice 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter 1.58.0 -> 1.59.0
- Update registry1.dso.mil/ironbank/gitlab/gitlab/certificates 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 16.11.1 -> 16.11.2
- Update registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 16.11.1 -> 16.11.2
Gitlab Runner
- !4369: gitlabRunner update to 0.64.0-bb.0
- !4329: gitlabRunner update to 0.63.0-bb.10
- !4344: gitlabRunner update to 0.63.0-bb.9
# Changelog Updates
## [0.64.0-bb.0] - 2024-05-02
### Changed
- Updated gluon 0.4.10 -> 0.5.0
- Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner 16.10.0 -> 16.11.0
- Updated registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper 16.10.0 -> 16.11.0
- Updated registry1.dso.mil/ironbank/redhat/ubi/ubi9 9.3 -> 9.4
## [0.63.0-bb.10] - 2024-05-14
### Changed
- Refactored kubeapiPort to kubeAPIPort and added documentation for kubeAPIPort
## [0.63.0-bb.9] - 2024-05-14
### Changed
- Updated grafana dashboards to work with both prometheus and thanos datasources
## [0.63.0-bb.8] - 2024-05-13
### Removed
- Removed the kubeversion from chart
## [0.63.0-bb.7] - 2024-05-08
### Changed
- Fixed bug with Control Plane CIDR for Network Policies. Refactored egress network policies for Gitlab Runner.
Nexus
- !4393: nexusRepositoryManager update to 68.1.0-bb.0
# Changelog Updates
## [68.1.0-bb.0] - 2024-05-21
### Changed
- Updated chart to version: 68.1.0-bb.0 | appVersion: 3.68.1-02
- Updated Gluon 0.4.9 -> 0.5.0
Sonarqube
- !4381: sonarqube update to 8.0.4-bb.5
# Changelog Updates
## [8.0.4-bb.5] - 2024-05-16
### Changed
- Update documentation development_maintenance.md for prometheus exporter
- Updated documentation Prometheus.md with prometheus exporter and podmonitor
- Added the ability to monitor sonarqube pods using prometheus targets
- Added /templete/bigbang/prometheus-podmonitor.yaml
- Added istio peerauthentication policy `peer-authentication-podmonitor`
- Updated istio `allow-http-envoy` policy to allow podmonitor ports (8000, 8001)
Anchore Enterprise
- !4408: anchore update to 2.4.2-bb.15
# Changelog Updates
## [2.4.2-bb.15] - 2024-05-22
### Changed
- Added new label to upgrade job containers to allow access if network policies are enabled
Mattermost
- !4406: mattermost update to 9.8.0-bb.0
- !4394: mattermost update to 9.7.3-bb.3
- !4388: mattermost update to 9.7.3-bb.2
# Changelog Updates
## [9.8.0-bb.0] - 2024-05-23
### Changed
- gluon updated from 0.4.10 to 0.5.0
- ironbank/opensource/mattermost/mattermost updated from 9.7.3 to 9.8.0
- ironbank/opensource/postgres/postgresql12 updated from 12.18 to 12.19
## [9.7.3-bb.3] - 2024-05-22
### Added
- IAM Roles for Service Accounts (IRSA) using fileStore.roleARN
## [9.7.3-bb.2] - 2024-05-03
### Changed
- Added ./tests/images.txt to include postgres12 image
Velero
- !4390: velero update to 6.4.0-bb.0
- !4346: velero update to 6.1.0-bb.0
- !4335: velero update to 6.0.0-bb.6
# Changelog Updates
## [6.4.0-bb.0] - 2024-05-20
### Changed
- Updated to latest chart version `6.4.0`
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.29.4 -> v1.29.5
## [6.1.0-bb.0] - 2024-05-15
### Changed
- Updated to latest chart version `6.1.0`
- ironbank/opensource/nginx/nginx 1.25.4 -> 1.26.0
- registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-csi v0.7.0 -> v0.7.1
## [6.0.0-bb.6] - 2024-04-29
### Changed
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.29.3 -> v1.29.4
- registry1.dso.mil/ironbank/opensource/velero/velero v1.13.1 -> v1.13.2
- registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws v1.9.1 -> v1.9.2
- registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure v1.9.1 -> v1.9.2
Keycloak
# Changelog Updates
## [23.0.7-bb.8] - 2024-05-20
### Added
- Added thanos client to ci json for baby yoda realm
## [23.0.7-bb.7] - 2024-05-014
### Added
- Added thanos client for development SSO to baby yoda realm
Vault
# Changelog Updates
## [0.25.0-bb.30] - 2024-05-21
### Added
- Update grafana dashboard to use `piechart` instead of broken `grafana-piechart-panel`
## [0.25.0-bb.29] - 2024-05-21
### Added
- gluon 0.4.9 -> 0.4.10
- registry1.dso.mil/ironbank/hashicorp/vault/vault-k8s v1.4.0 -> v1.4.1
Harbor
- !4383: harbor update to 1.14.2-bb.6
# Changelog Updates
## [1.14.2-bb.6] - 2024-05-21
### Changed
- Updated gluon to 0.5.0
- Updated redis chart to 19.3.2-bb.0
- Updated nginx to 1.26.0
- Updated postgres to 12.19
Holocron
- !4401: holocron update to 1.0.7
# Changelog Updates
## [1.0.7] - 2024-05-08
### Updated
- Updated gluon dependency to 0.5.0
Thanos
- !4392: thanos update to 13.2.2-bb.7
# Changelog Updates
## [13.2.2-bb.7] - 2024-05-15
### Added
- Added support for Istio Authorization Policies
## [13.2.2-bb.6] - 2024-05-14
### Fixed
- Fixed broken minIO subchart
## [13.2.2-bb.5] - 2024-05-14
### Added
- Added SSO/authservice integration
Known Issues
- CAC user registration issues in 23.0.7
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our chat
- Check out the documentation for guidance on how to get started
Future
Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.