Release Notes - 2.40.0
Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.30.3 (RKE2).
Upgrade Notices
- Twistlock - MR:
  - As part of this upgrade, there is an automated deletion and recreation of deployments, daemonsets, and PVC (while retaining the PV).
  - You should run a manual backup. The data should be safe and retained, but you should still have a backup.
- Loki - MR:
  - Any users that were using the Loki API `VirtualService` (`loki.<yourdomain>`) without explicitly enabling it will now need to set `loki.values.istio.loki.enabled` to `true` when upgrading/installing BigBang.
- BigBang - MR:
  - Users can now provide a `provider` field for Flux HelmRepositories in the Big Bang umbrella. This enables usage of OIDC for authenticating with cloud providers to pull charts.
- Istio-controlplane - MR:
  - This release adds a default `EnvoyFilter` to increase the security of the Istio cluster. This filter, which defaults to `enabled`, can be disabled using e.g. `istio.Values.defaultSecurityHeaders.enabled: false`. The filter will add the following HTTP headers when the backend service does not already provide the header.
    - `Strict-Transport-Security: max-age=31536000; includeSubDomains`
    - `X-Frame-Options: SAMEORIGIN`
    - `X-Content-Type-Options: nosniff`
    - `Referrer-Policy: strict-origin`
  - In the event these additional headers cause issues with any deployment, you can disable the filter and reach out to the Big Bang team.
- BigBang - MR:
  - Nexus realms configuration has been moved and is no longer nested under `sso`. The `realm` key has been renamed to `realms`. e.g.:
    ```yaml
    addons:
      nexusRepositoryManager:
        values:
          realms: "DockerToken"
    ```
- Elasticsearch-kibana - MR:
  - Important: If `prometheus-elasticsearch-exporter` is enabled (`metrics.enabled` set to true) in the Elasticsearch-Kibana package, upgrading to `1.20.0-bb.0` involves changes to immutable selector labels that require the `elasticsearch-metrics` deployment to be deleted before upgrading the release.
  - The Elasticsearch-Kibana `autoRollingUpgrade` field in values.yaml can deploy a `pre-upgrade` `job` that automates the required deployment deletion by using a helm `pre-upgrade` hook, so no additional action is required. Note that a brief outage is expected during the upgrade while the `elasticsearch-metrics` deployment is being rolled out.
  - However, if you would rather manually delete the `elasticsearch-metrics` deployment prior to upgrade, set `autoRollingUpgrade.enabled=false` in the values.yaml and follow the steps outlined below. The command below assumes that the Elasticsearch-Kibana package is deployed in the default Big Bang `logging` namespace; confirm the namespace of your Elasticsearch-Kibana deployment before running it:
    ```shell
    kubectl delete deploy -l app=metrics -n logging
    ```
  - Once the resources have been deleted, you can upgrade the release.
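A post-upgrade check for the four headers listed in the Istio-controlplane notice above, as an added example (not part of the Big Bang release notes or project code). The function names and the sample response are constructed; the header names and default values are taken from the notice.

```shell
#!/bin/sh
# Header names (lower-cased) and default values from the 2.40.0 upgrade notice.
EXPECTED='strict-transport-security|max-age=31536000; includeSubDomains
x-frame-options|SAMEORIGIN
x-content-type-options|nosniff
referrer-policy|strict-origin'

# header_value NAME FILE: value of the first header NAME in a raw response
# header dump (e.g. saved with `curl -sI https://<host>/ > FILE`).
header_value() {
    tr -d '\r' < "$2" | awk -v want="$1" '
        { i = index($0, ":"); if (i == 0) next      # skip status and blank lines
          name = tolower(substr($0, 1, i - 1)); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (name == want) { print val; exit } }'
}

# check_security_headers FILE: prints OK, DIFFERS or MISSING per header.
# DIFFERS means the backend sent its own value, which the filter leaves alone.
# Returns non-zero only when a header is MISSING.
check_security_headers() {
    rc=0
    while IFS='|' read -r name expected; do
        actual=$(header_value "$name" "$1")
        if [ -z "$actual" ]; then
            echo "MISSING $name"; rc=1
        elif [ "$actual" = "$expected" ]; then
            echo "OK $name"
        else
            echo "DIFFERS $name: $actual"
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample: backend sets its own X-Frame-Options, no Referrer-Policy.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'strict-transport-security: max-age=31536000; includeSubDomains\r\n'
    printf 'X-Frame-Options: DENY\r\n'
    printf 'x-content-type-options: nosniff\r\n'
    printf 'content-type: text/html\r\n\r\n'
}
```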
Upgrades from previous releases
If coming from a version pre-2.39.1, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-2.39.1.
Packages
Package | Type | Package Version | BB Version |
---|---|---|---|
Alloy | Addon | 1.4.2 | 1.6.4-bb.0 🔗 |
Anchore Enterprise | Addon | 5.10.0 | 3.0.0-bb.2 🔗 |
Argocd | Addon | 2.12.4 | 7.6.6-bb.0 |
Authservice | Addon | 1.0.2 | 1.0.2-bb.1 🔗 |
Cluster Auditor | Core | 0.0.7 | 1.5.0-bb.22 |
Eck Operator | Core | 2.14.0 | 2.14.0-bb.0 |
Elasticsearch Kibana | Core | Kibana 8.15.3 Elasticsearch 8.15.3 | 1.21.0-bb.0 🔗 |
External Secrets | Addon | 0.10.2 | 0.10.2-bb.1 |
Fluentbit | Core | 3.1.9 | 0.47.10-bb.1 |
Fortify | Addon | 24.2.0.0186 | 1.1.2320154-bb.19 |
Gatekeeper | Core | 3.17.1 | 3.17.1-bb.2 🔗 |
Gitlab | Addon | 17.3.6 | 8.3.6-bb.3 🔗 |
Gitlab Runner | Addon | 17.2.1 | 0.67.1-bb.1 |
Grafana | Core | 11.2.2 | 8.5.5-bb.0 |
Haproxy | Addon | 2.2.33 | 1.19.3-bb.8 |
Harbor | Addon | 2.11.0 | 1.15.1-bb.1 |
Holocron | Addon | 3.3.2 | 1.0.12 🔗 |
Istio Controlplane | Core | Istio 1.23.2 Tetrate Istio Distro 1.23.2 | 1.23.2-bb.1 🔗 |
Istio Operator | Core | Istio Operator 1.23.2 Tetrate Istio Distro Operator 1.23.2 | 1.23.2-bb.0 |
Jaeger | Core | 1.61.0 | 2.57.0-bb.0 |
Keycloak | Addon | 25.0.6 | 2.5.1-bb.0 |
Kiali | Core | 1.89.7 | 1.89.7-bb.1 |
Kyverno | Core | 1.12.6 | 3.2.7-bb.0 |
Kyverno Policies | Core | 3.2.6 | 3.2.6-bb.0 |
Kyverno Reporter | Core | 2.20.2 | 2.24.2-bb.1 |
Loki | Core | 3.2.0 | 6.18.0-bb.1 🔗 |
Mattermost | Addon | 10.1.2 | 10.1.2-bb.0 |
Mattermost Operator | Addon | 1.22.1 | 1.22.1-bb.0 |
Metrics Server | Addon | 0.7.2 | 3.12.2-bb.1 |
Minio | Addon | RELEASE.2024-06-04T19-20-08Z | 6.0.4-bb.2 🔗 |
Minio Operator | Addon | 6.0.4 | 6.0.4-bb.0 |
Monitoring | Core | Prometheus 2.54.1 Grafana 11.1.0 Alertmanager 0.27.0 | 62.4.0-bb.1 🔗 |
Neuvector | Core | 5.4.0 | 2.8.2-bb.1 🔗 |
Nexus | Addon | 3.73.0-12 | 73.0.0-bb.1 🔗 |
Promtail | Core | 3.0.0 | 6.16.2-bb.4 |
Sonarqube | Addon | 10.6.0-community | 10.6.1-bb.2 |
Tempo | Core | Tempo 2.5.0 Tempo Query 2.5.0 | 1.10.3-bb.6 🔗 |
Thanos | Addon | 0.36.1 | 15.7.27-bb.3 🔗 |
Twistlock | Core | 32.07.123 | 0.17.0-bb.2 🔗 |
Vault | Addon | 1.18.1 | 0.28.1-bb.12 🔗 |
Velero | Addon | 1.14.1 | 7.2.2-bb.0 🔗 |
Wrapper | Core | N / A | 0.4.10 |
Changes in 2.40.0
Big Bang MRs
- !5252: Add provider to the helmRepositories spec and set a default value of generic
- !5351: added minio logic
Istio Controlplane
- !5331: istio update to 1.23.2-bb.1
# Changelog Updates
## [1.23.2-bb.1] - 2024-10-21
### Added
- added default, global envoy filter for HSTS and other security headers
Gatekeeper
- !5347: gatekeeper update to 3.17.1-bb.2
# Changelog Updates
## [3.17.1-bb.2] - 2024-10-21
### Changed
- `container.apparmor.security.beta.kubernetes.io` annotations are now deprecated and replaced by the `securityContext.appArmorProfile` field for pods and containers
Elasticsearch Kibana
# Changelog Updates
## [1.21.0-bb.0] - 2024-10-25
### Changed
- gluon updated from 0.5.4 to 0.5.8
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.15.2 to 8.15.3
- ironbank/elastic/kibana/kibana updated from 8.15.2 to 8.15.3
- ironbank/opensource/kubernetes/kubectl updated from v1.30.5 to v1.30.6
## [1.20.0-bb.1] - 2024-10-25
### Changed
- Moved upgrade job into a separate directory in the bigbang folder
## [1.20.0-bb.0] - 2024-10-17
### Changed
- ironbank/elastic/elasticsearch/elasticsearch updated from 8.15.1 to 8.15.2
- ironbank/elastic/kibana/kibana updated from 8.15.1 to 8.15.2
- ironbank/opensource/bitnami/elasticsearch-exporter updated from 1.7.0 to 1.8.0
- prometheus-elasticsearch-exporter to 6.5.0
- Added an upgrade job to manually delete the prometheus-elasticsearch-exporter deployment as part of upgrade
Loki
# Changelog Updates
## [6.18.0-bb.1] - 2024-11-06
### Changed
- Now setting `istio.loki.enabled` to `false` by default
## [6.18.0-bb.0] - 2024-10-18
### Updated
- Updated `loki` from `v3.1.1` -> `v3.2.0`
- Updated `gluon` from `0.5.4` -> `0.5.8`
- Updated `k8s-sidecar` from `1.27.5` -> `1.28.0`
- Updated `kubectl` from `v1.29.8` -> `v1.30.5`
- Updated `memcached` from `1.6.30` -> `1.6.31`
- Updated `nginx` from `1.26.2` -> `1.27.2`
Neuvector
- !5398: neuvector update to 2.8.2-bb.1
# Changelog Updates
## [2.8.2-bb.1] - 2024-11-13
### Changed
- Added an initContainer to fix the cert permissions until an upstream fix comes in
## [2.8.2-bb.0] - 2024-10-17
### Changed
- Updated chart version to `2.8.0`
- Updated registry1.dso.mil/ironbank/neuvector/neuvector/controller from `5.3.4` to `5.4.0`
- Updated registry1.dso.mil/ironbank/neuvector/neuvector/enforcer from `5.3.4` to `5.4.0`
- Updated registry1.dso.mil/ironbank/neuvector/neuvector/manager from `5.3.4` to `5.4.0`
Tempo
- !5320: tempo update to 1.10.3-bb.6
# Changelog Updates
## [1.10.3-bb.6] - 2024-10-14
### Added
- Added authorization policy to allow communication from Kiali
Monitoring
- !5388: monitoring update to 62.4.0-bb.1
# Changelog Updates
## [62.4.0-bb.1] - 2024-11-04
### Changed
- Changed Gluon: 0.5.0 -> 0.5.9
- Changed cypress tests to check for variable number of running pods
- Changed Grafana: 8.5.1 -> 8.5.12
Twistlock
- !5387: twistlock update to 0.17.0-bb.2
- !5366: twistlock update to 0.17.0-bb.1
- !5345: twistlock update to 0.17.0-bb.0
# Changelog Updates
## [0.17.0-bb.2] - 2024-11-05
### Changed
- Created the upgrade job for the label changes
- Brought back the changes from 0.16.0-bb.4
- Updated the volume upgrade job to be compatible with the upgrade job
## [0.17.0-bb.1] - 2024-11-04
### Added
- Added contributor scripts folder to allow for further setup of Twistlock deployments
## [0.17.0-bb.0] - 2024-10-31
### Changed
- ironbank/opensource/kubernetes/kubectl updated from v1.29.6 to v1.30.5
- ironbank/twistlock/console/console updated from 32.03.125 to 32.07.123
- ironbank/twistlock/defender/defender updated from 32.03.125 to 32.07.123
Authservice
- !5356: authservice update to 1.0.2-bb.1
# Changelog Updates
## [1.0.2-bb.1] - 2024-11-04
### Changed
- Updated pod labels to use authservice.labels so version will be included
Minio
# Changelog Updates
## [6.0.4-bb.2] - 2024-11-08
### Changed
- Upgraded gluon from 0.5.8 to 0.5.10
## [6.0.4-bb.1] - 2024-11-04
### Changed
- Patch registry1.dso.mil/ironbank/opensource/minio/mc RELEASE.2024-10-08T09-37-26Z -> RELEASE.2024-10-29T15-34-59Z
Gitlab
- !5382: gitlab update to 8.3.6-bb.3
# Changelog Updates
## [8.3.6-bb.3] - 2024-11-07
### Changed
- move token job for GCPE to GCPE prep for subchart
## [8.3.6-bb.2] - 2024-11-05
### Changed
- add webhook token job for GCPE integration
Nexus
- !5328: nexusRepositoryManager update to 73.0.0-bb.1
# Changelog Updates
## [73.0.0-bb.1] - 2024-09-17
### Changed
- Refactored realm configuration from under sso configuration. Renamed to realms.
Anchore Enterprise
# Changelog Updates
## [3.0.0-bb.2] - 2024-11-07
### Changed
- Updated startmigrationpod value to false
## [3.0.0-bb.1] - 2024-11-04
### Changed
- fix istio error
## [3.0.0-bb.0] - 2024-10-22
### Changed
- Updated Anchore Enterprise chart to `3.0.0`
- Updated gluon to `0.5.8`
- Updated enterprise to `5.10.0`
- Updated enterpriseui to `5.10.0`
- Updated redis to `20.2.1-bb.0`
- Updated redis patch to `7.4.1`
- Updated kubectl to `1.30.5`
Velero
# Changelog Updates
## [7.2.2-bb.0] - 2024-10-31
### Changed
- Upgrade to upstream chart version 7.2.2
## [7.2.1-bb.5] - 2024-10-30
### Changed
- Fixed caCert issue preventing tls certs from being used with Backupstoragelocations
## [7.2.1-bb.4] - 2024-10-25
### Removed
- Reverted old Kiali Label commits
Vault
- !5375: vault update to 0.28.1-bb.12
# Changelog Updates
## [0.28.1-bb.12] - 2024-11-06
### Changed
- Updated ironbank image to 1.18.1
- Updated gluon to 0.5.9
Holocron
- !5355: holocron update to 1.0.12
# Changelog Updates
## [1.0.12] - 2024-11-04
### Updated
- Removed repeated literals in templates
- Configured templates to pass resource name and index to labels function in helpers template
- Updated labels to be correct on both deployment and pod resources
Thanos
- !5363: thanos update to 15.7.27-bb.3
# Changelog Updates
## [15.7.27-bb.3] - 2024-10-25
### Changed
- Moved pre-upgrade hook resources to separate charts
## [15.7.27-bb.2] - 2024-10-21
### Added
- Added pre-upgrade hook to automate upgrade process
## [15.7.27-bb.1] - 2024-10-10
### Upgraded
- Removed hardcoded minio matchLabels
## [15.7.27-bb.0] - 2024-10-03
### Upgraded
- Upgraded gluon from `0.5.3` -> `0.5.4`
- Upgraded minio-instance from `5.0.15-bb.2` -> `6.0.3-bb.2`
Alloy
# Changelog Updates
## [1.6.4-bb.0] - 2024-11-02
### Changed
- k8s-monitoring updated from 1.6.0 to 1.6.4
## [1.6.0-bb.0] - 2024-10-22
### Changed
- k8s-monitoring updated from 1.5.4 to 1.6.0
- gluon updated from 0.5.4 to 0.5.8
- ironbank/opensource/grafana/alloy updated from v1.3.1 to v1.4.2
Known Issues
- Kiali - ISSUE
  - On Kubernetes 1.29+, the kiali operator may fail with a 404 while running the kiali-deploy playbook if the cluster returns the `flowcontrol.apiserver.k8s.io/v1beta2` api version (no longer served as of v1.29). In this case, removing the invalid api version should resolve the issue and allow the kiali operator to run successfully.
    ```shell
    $ kubectl delete apiservices.apiregistration.k8s.io v1beta2.flowcontrol.apiserver.k8s.io
    ```
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our chat
- Check out the documentation for guidance on how to get started
Future
Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.