
Release Notes - 3.14.0📜

Please see our documentation page for more information on how to consume and deploy BigBang. This release was primarily tested on Kubernetes 1.33.5 (EKS).

Deprecations📜

Nexus Repository Manager📜

  • The Big Bang team plans to deprecate support for the Nexus Repository Manager package in Big Bang. The upstream chart was deprecated on October 24, 2023. As of this announcement, the plan is to remove the Nexus Repository Manager package from the Big Bang umbrella in release 3.16.0; the update in 3.14 is the final update for Nexus Repository Manager. The team has added a new Big Bang package, NXRM3-HA, which is the official high-availability Nexus Repository Manager chart supported by Sonatype. This package will be updated and maintained by the Big Bang team for use on Repo1/Reg1 but will not be included in the umbrella chart as an addon. See the migration guide for details on how to install it through the umbrella's BYO packages section. Migration details for nxrm-ha can be found here.

Upgrade Notices📜

BigBang - MR📜

Update your Flux CLI to the latest version possible based on the available Iron Bank (IB) images. Note: if installing with Homebrew on macOS, use `brew upgrade fluxcd/tap/flux`; this specific tap is needed to get the latest version.

| Package | Update | Change |
| --- | --- | --- |
| registry1.dso.mil/ironbank/fluxcd/helm-controller | patch | v1.4.2 -> v1.4.5 |
| registry1.dso.mil/ironbank/fluxcd/kustomize-controller | patch | v1.7.1 -> v1.7.3 |
| registry1.dso.mil/ironbank/fluxcd/notification-controller | patch | v1.7.3 -> v1.7.5 |
| registry1.dso.mil/ironbank/fluxcd/source-controller | patch | v1.7.2 -> v1.7.4 |

Alloy - MR📜

Alloy is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Previously, non-default enabled components like alloy-receiver were not included in default-deny policies unless explicitly included via defaultSelectorValues. This update includes all pods in the namespace in the default-deny policy and only permits traffic for alloy-logs by default. If you are enabling alloy-receiver or other components besides alloy-logs, you must create additional network policies to permit that traffic.

For instance, to enable alloy-receiver and permit ingress traffic to it on TCP port 4317 from any pod in any namespace (the `"*/*"` wildcard selector); tighten the `from` selector to the namespaces that actually send telemetry where you can:

alloy:
  values:
    upstream:
      alloy-receiver:
        enabled: true
        alloy:
          extraPorts:
            - name: "otlp-grpc"
              port: 4317
              targetPort: 4317
              protocol: "TCP"
    networkPolicies:
      ingress:
        to:
          alloy-receiver:4317:
            from:
              k8s:
                "*/*": true


Keycloak - MR📜

Keycloak upstream has broken out the TLS configuration for its management interface, so Big Bang users no longer need to set addons.keycloak.values.upstream.http.internalScheme to HTTPS for health checks to pass when TLS is enabled.

Because of this upstream change, this release removes the mesh exclusion for Keycloak's management interface (port 9000), so Prometheus now scrapes metrics through the sidecar with mTLS encryption. If you override addons.keycloak.values.upstream.extraEnv and do not set addons.keycloak.values.upstream.http.internalScheme to HTTPS, you must add the following to your addons.keycloak.values.upstream.extraEnv list to keep scraping Keycloak's Prometheus metrics (a Helm list override replaces the chart's default list rather than merging with it):

    - name: KC_HTTP_MANAGEMENT_SCHEME
      value: http

Loki - MR📜

The Loki 6.46.0-bb.1 upgrade updates the Big Bang MinIO dependency chart to 7.1.1-bb.15. MinIO 7.1.1-bb.9 refactored the chart to the passthrough pattern, and that change is included in this upgrade. If you are using MinIO with Loki, see the breaking change in the MinIO 7.1.1-bb.9 Upgrade Notice below.

MinIO 7.1.1-bb.9 Upgrade Notice📜

This release of MinIO migrates the chart to the passthrough pattern.

Values overrides nested under the minio key are now nested under the minio.upstream key. For example:

loki:
  values:
    minio:
      tenant:
        pools:
        - name: pool-0
          servers: 3
          volumesPerServer: 4

becomes:

loki:
  values:
    minio:
      upstream:
        tenant:
          pools:
          - name: pool-0
            servers: 3
            volumesPerServer: 4
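As an added example (not Big Bang code), the script below detects overrides left in the pre-refactor position and moves them under minio.upstream. The failure mode it guards against is that, with the passthrough pattern, keys left directly under minio are no longer read by the chart, so tenant sizing, TLS or credential overrides silently stop applying. It assumes the only key the wrapper keeps at the minio level is upstream itself; if the chart's values.yaml lists other wrapper-owned keys, pass them in keep. The sample values are constructed from the 'before' fragment above.

```python
"""Detect and move legacy minio.* overrides under minio.upstream (passthrough pattern).

Added example for this release note, not Big Bang code. Assumption: the only key the
Big Bang wrapper keeps directly under `minio` is `upstream`; any other wrapper-owned
keys must be listed in `keep` after checking the chart's values.yaml.
"""
import copy


def migrate_passthrough(values, path=("loki", "values", "minio"), keep=("upstream",)):
    """Return (migrated copy, moved keys, conflicting keys).

    Every key under `path` that is not in `keep` is moved into `<path>.upstream`.
    A key that already exists under upstream keeps its upstream value; the legacy
    copy is dropped and reported as a conflict so nothing disappears silently.
    """
    out = copy.deepcopy(values)
    node = out
    for key in path:
        node = node.get(key) if isinstance(node, dict) else None
    if not isinstance(node, dict):
        return out, [], []          # nothing configured at this path
    if not isinstance(node.get("upstream"), dict):
        node["upstream"] = {}
    upstream = node["upstream"]
    moved, conflicts = [], []
    for key in [k for k in node if k not in keep]:
        legacy = node.pop(key)
        if key in upstream:
            conflicts.append(key)
        else:
            upstream[key] = legacy
            moved.append(key)
    return out, moved, conflicts


# Constructed pre-3.14 override with the same shape as the 'before' fragment in the note.
LEGACY_VALUES = {"loki": {"values": {"minio": {
    "tenant": {"pools": [{"name": "pool-0", "servers": 3, "volumesPerServer": 4}]}}}}}


if __name__ == "__main__":
    migrated, moved, conflicts = migrate_passthrough(LEGACY_VALUES)
    print("moved:", moved, "conflicts:", conflicts)
    print(migrated)
```

A non-empty conflict list means both the old and the new location carry the same key; resolve it by hand rather than trusting either copy.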

Tempo - MR📜

Tempo is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

During this process the network policy allowing access to Authservice has been removed, as it is no longer needed. A previously undiscovered bug that allowed all TCP traffic from Grafana to Tempo has also been fixed; the policy now only allows traffic from Grafana to Tempo on TCP port 3200.
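A small evaluator of Kubernetes NetworkPolicy ingress semantics, added here as an example (not Big Bang or bb-common code) to make two changes in this release concrete: the Alloy notice above, where every pod in the namespace is now default-deny and only alloy-logs is permitted unless you add a rule such as the alloy-receiver:4317 fragment, and the Tempo fix just described, where a rule without a ports list let Grafana reach every Tempo port until TCP 3200 was pinned. The policies are hand-written stand-ins for what the charts render; the ports 4317 and 3200 come from this page, while the label keys, the 12345 scrape port, the pod names and the namespace names are assumptions.

```python
"""Toy evaluator for Kubernetes NetworkPolicy ingress semantics.

Added example for this release note; not Big Bang or bb-common code. The policies
are hand-written stand-ins for the rendered ones: 4317 and 3200 come from the
note, every label, the 12345 scrape port and the namespace names are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Pod:
    namespace: str
    name: str
    labels: dict = field(default_factory=dict)
    ns_labels: dict = field(default_factory=dict)  # labels on the Namespace object


def _matches(selector, labels):
    """matchLabels subset test; {} selects everything. matchExpressions is not modelled."""
    if selector is None:
        return False
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_allows(peer, src, dst):
    """One 'from' entry: podSelector alone is scoped to the policy's own namespace,
    namespaceSelector alone is any pod in matching namespaces, both together is AND."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    ns_ok = src.namespace == dst.namespace if ns_sel is None else _matches(ns_sel, src.ns_labels)
    pod_ok = True if pod_sel is None else _matches(pod_sel, src.labels)
    return ns_ok and pod_ok


def ingress_allowed(policies, src, dst, port, protocol="TCP"):
    """A pod selected by any Ingress policy is isolated; isolated traffic passes only if
    some selecting policy has a matching rule. Empty 'from' = any source, empty 'ports'
    = any port (this is exactly the Tempo bug: a rule that forgot its ports list)."""
    selecting = [p for p in policies
                 if p["namespace"] == dst.namespace
                 and "Ingress" in p["policyTypes"]
                 and _matches(p["podSelector"], dst.labels)]
    if not selecting:
        return True  # unselected pods keep the Kubernetes default of allow-all
    for p in selecting:
        for rule in p["ingress"]:
            src_ok = not rule.get("from") or any(_peer_allows(f, src, dst) for f in rule["from"])
            port_ok = not rule.get("ports") or any(
                pp.get("port") == port and pp.get("protocol", "TCP") == protocol
                for pp in rule["ports"])
            if src_ok and port_ok:
                return True
    return False


def policy(name, namespace, pod_selector, ingress=(), policy_types=("Ingress",)):
    return {"name": name, "namespace": namespace, "podSelector": pod_selector,
            "policyTypes": list(policy_types), "ingress": list(ingress)}


# Constructed pods. kubernetes.io/metadata.name is set on every Namespace by the API server.
MON_NS = {"kubernetes.io/metadata.name": "monitoring"}
PROMETHEUS = Pod("monitoring", "prometheus-0", {"app.kubernetes.io/name": "prometheus"}, MON_NS)
GRAFANA = Pod("monitoring", "grafana-0", {"app.kubernetes.io/name": "grafana"}, MON_NS)
ALLOY_LOGS = Pod("alloy", "alloy-logs-abc", {"app.kubernetes.io/name": "alloy-logs"})
ALLOY_RECEIVER = Pod("alloy", "alloy-receiver-abc", {"app.kubernetes.io/name": "alloy-receiver"})
TEMPO = Pod("tempo", "tempo-0", {"app.kubernetes.io/name": "tempo"})
OTHER_APP = Pod("payments", "api-0", {"app": "api"}, {"kubernetes.io/metadata.name": "payments"})

FROM_MONITORING = {"namespaceSelector": {"matchLabels": MON_NS}}
FROM_ANYWHERE = {"namespaceSelector": {}}  # what the note's "*/*" wildcard expands to
FROM_GRAFANA = {"namespaceSelector": {"matchLabels": MON_NS},
                "podSelector": {"matchLabels": {"app.kubernetes.io/name": "grafana"}}}

# Alloy after this release: whole namespace default-deny, only alloy-logs allowed (assumed scrape port).
ALLOY_DEFAULT = [
    policy("default-deny", "alloy", {}, policy_types=("Ingress", "Egress")),
    policy("allow-scrape-alloy-logs", "alloy", {"matchLabels": {"app.kubernetes.io/name": "alloy-logs"}},
           ingress=[{"from": [FROM_MONITORING], "ports": [{"port": 12345, "protocol": "TCP"}]}]),
]
# The extra policy the note's alloy-receiver:4317 values fragment produces.
ALLOY_RECEIVER_OTLP = policy(
    "allow-otlp-alloy-receiver", "alloy", {"matchLabels": {"app.kubernetes.io/name": "alloy-receiver"}},
    ingress=[{"from": [FROM_ANYWHERE], "ports": [{"port": 4317, "protocol": "TCP"}]}])

# Tempo before and after the fix: same Grafana peer, with and without the 3200 ports list.
TEMPO_BEFORE = [policy("default-deny", "tempo", {}, policy_types=("Ingress", "Egress")),
                policy("allow-grafana", "tempo", {}, ingress=[{"from": [FROM_GRAFANA]}])]
TEMPO_AFTER = [policy("default-deny", "tempo", {}, policy_types=("Ingress", "Egress")),
               policy("allow-grafana", "tempo", {},
                      ingress=[{"from": [FROM_GRAFANA], "ports": [{"port": 3200, "protocol": "TCP"}]}])]


def summary():
    """The before/after checks a reviewer wants for this upgrade."""
    receiver_enabled = ALLOY_DEFAULT + [ALLOY_RECEIVER_OTLP]
    return {
        "prometheus->alloy-logs:12345": ingress_allowed(ALLOY_DEFAULT, PROMETHEUS, ALLOY_LOGS, 12345),
        "app->alloy-receiver:4317 (default)": ingress_allowed(ALLOY_DEFAULT, OTHER_APP, ALLOY_RECEIVER, 4317),
        "app->alloy-receiver:4317 (with rule)": ingress_allowed(receiver_enabled, OTHER_APP, ALLOY_RECEIVER, 4317),
        "app->alloy-receiver:4318 (with rule)": ingress_allowed(receiver_enabled, OTHER_APP, ALLOY_RECEIVER, 4318),
        "grafana->tempo:9095 (before)": ingress_allowed(TEMPO_BEFORE, GRAFANA, TEMPO, 9095),
        "grafana->tempo:9095 (after)": ingress_allowed(TEMPO_AFTER, GRAFANA, TEMPO, 9095),
        "grafana->tempo:3200 (after)": ingress_allowed(TEMPO_AFTER, GRAFANA, TEMPO, 3200),
        "app->tempo:3200 (after)": ingress_allowed(TEMPO_AFTER, OTHER_APP, TEMPO, 3200),
    }


if __name__ == "__main__":
    for check, allowed in summary().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {check}")
```

The same questions can be asked of a live cluster with `kubectl get networkpolicy -n <namespace> -o yaml`. The evaluator only reflects what the rendered policies say, not what the CNI enforces, so keep one end-to-end probe (a request from a pod in another namespace to the port in question) in the upgrade checklist.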

There is also a new reusable rule in the umbrella template, storage-subnets, that lets users configure access to external storage CIDRs via the values.yaml file. By default this network policy is open to all CIDRs over TCP port 443, as there is no way to know the CIDRs in advance. If you are using AWS, however, you can retrieve them by executing the following command:

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="S3") | select(.region=="us-gov-east-1") | .ip_prefix'

[!NOTE] Make sure to update the region in the above command to match the region you are using in AWS.

Once the CIDRs are retrieved, you can update the values.yaml as shown in the example below to restrict access further:

networkPolicies:
  enabled: true
  egress:
    definitions:
      storage-subnets:
        to:
          - ipBlock:
              cidr: "108.175.52.0/22"
          - ipBlock:
              cidr: "108.175.60.0/22"
          - ipBlock:
              cidr: "18.252.145.192/28"
          - ipBlock:
              cidr: "18.252.145.208/28"
        ports:
          - port: 443
            protocol: TCP
          - port: 80
            protocol: TCP

You can also add further TCP ports if needed, as the example above does with port 80. Only add ports your storage backend actually uses; plaintext HTTP to object storage is rarely something you want to permit.

[!NOTE] Tempo only renders this network policy when the storage backend is set to something other than local (the default).
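The following script is an added example, not Big Bang or Tempo code. It does offline what the curl | jq one-liner above does online, adds the two things the one-liner lacks (strict CIDR validation and collapsing of adjacent prefixes, so the policy stays short without getting wider) and renders the storage-subnets fragment so it can be checked into a values.yaml. The ip-ranges.json excerpt inside is constructed for the example and includes the four ranges from the fragment above; fetch the real file from https://ip-ranges.amazonaws.com/ip-ranges.json before use.

```python
"""Build Tempo's storage-subnets egress definition from AWS ip-ranges.json.

Added example for this release note, not Big Bang or Tempo code. The ip-ranges
excerpt below is constructed for the example; the real file comes from
https://ip-ranges.amazonaws.com/ip-ranges.json and changes over time.
"""
import ipaddress
import json

# Constructed excerpt in the real file's shape. The S3 us-gov-east-1 ranges are the
# ones from the note's example; the other entries exist to exercise the filters.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "prefixes": [
        {"ip_prefix": "108.175.52.0/22", "region": "us-gov-east-1", "service": "S3"},
        {"ip_prefix": "108.175.60.0/22", "region": "us-gov-east-1", "service": "S3"},
        {"ip_prefix": "18.252.145.192/28", "region": "us-gov-east-1", "service": "S3"},
        {"ip_prefix": "18.252.145.208/28", "region": "us-gov-east-1", "service": "S3"},
        {"ip_prefix": "18.252.145.192/28", "region": "us-gov-east-1", "service": "AMAZON"},  # umbrella service
        {"ip_prefix": "18.252.0.0/16", "region": "us-gov-east-1", "service": "EC2"},       # wrong service
        {"ip_prefix": "3.5.0.0/19", "region": "us-east-1", "service": "S3"},                # wrong region
    ],
})


def s3_prefixes(ip_ranges_json, region, service="S3"):
    """Mirror of the jq filter: prefixes for one service in one region, de-duplicated.
    ip_network() is strict by default, so a prefix with host bits set raises instead
    of being silently accepted."""
    data = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == service and p["region"] == region}
    return sorted(nets)


def collapse(nets):
    """Merge adjacent or overlapping prefixes (two /28s become one /27). The union of
    addresses is unchanged, so the policy gets shorter but not wider."""
    return list(ipaddress.collapse_addresses(nets))


def render_storage_subnets(nets, ports=(443,)):
    """Values fragment for networkPolicies.egress.definitions.storage-subnets. TCP 443
    only by default; add 80 only if the object store is really reached over plain HTTP."""
    lines = ["networkPolicies:", "  enabled: true", "  egress:", "    definitions:",
             "      storage-subnets:", "        to:"]
    for net in nets:
        lines += ["          - ipBlock:", f'              cidr: "{net}"']
    lines.append("        ports:")
    for port in ports:
        lines += [f"          - port: {port}", "            protocol: TCP"]
    return "\n".join(lines) + "\n"


def storage_subnets_values(ip_ranges_json, region, ports=(443,)):
    return render_storage_subnets(collapse(s3_prefixes(ip_ranges_json, region)), ports)


if __name__ == "__main__":
    print(storage_subnets_values(SAMPLE_IP_RANGES, "us-gov-east-1"), end="")
```

AWS publishes changes to this file regularly, so re-run it on a schedule and diff the output against the committed values; a stale list fails closed (Tempo loses its object store), which is the right direction but still an outage. IPv6 ranges live under a separate ipv6_prefixes key and are not handled here.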


Upgrades from previous releases📜

If coming from a version before 3.13.0, note the additional upgrade notices in every release in between. The BB team does not test or guarantee upgrades from anything before 3.13.0.

Packages📜

| Status | Package | Type | Version | BB Version |
| --- | --- | --- | --- | --- |
| updated | Alloy | Core | v1.10.0 | 3.2.1-bb.6 |
| | Anchore Enterprise | Addon | 5.20.2 | 3.14.2-bb.4 |
| | Argocd | Addon | v3.2.0 | 9.1.4-bb.0 |
| | Authservice | Addon | 1.1.1 | 1.1.1-bb.5 |
| | Backstage (beta) | Addon | 1.1.0 | 2.6.3-bb.0 |
| | Bbctl | Core | 2.0.0 | 3.0.1-bb.0 |
| | Eck Operator | Core | 3.2.0 | 3.2.0-bb.0 |
| updated | Elasticsearch Kibana | Core | Kibana: 9.2.2, Elasticsearch: 9.2.1 | 1.34.0-bb.1 |
| | External Secrets Operator | Addon | 0.20.4 | 0.20.4-bb.0 |
| | Fluentbit | Core | 4.2.0 | 0.54.0-bb.1 |
| updated | Fortify | Addon | 25.4.0.0137 | 1.1.2320154-bb.39 |
| updated | Gatekeeper | Core | v3.21.0 | 3.21.0-bb.0 |
| updated | Gitlab | Addon | 18.6.2 | 9.6.2-bb.0 |
| updated | Gitlab Runner | Addon | v18.5.0 | 0.83.2-bb.0 |
| | Grafana | Core | 12.3.0 | 10.2.0-bb.1 |
| | Harbor | Addon | 2.14.0 | 1.18.0-bb.6 |
| | Headlamp (beta) | Addon | 0.37.0 | 0.37.0-bb.1 |
| | Istio Cni | Core | 1.28.0 | 1.28.0-bb.0 |
| | Istio Crds | Core | 1.28.0 | 1.28.0-bb.0 |
| | Istio Gateway | Core | 1.28.0 | 1.28.0-bb.0 |
| | Istiod | Core | 1.28.0 | 1.28.0-bb.0 |
| updated | Keycloak | Addon | 26.4.2 | 7.1.4-bb.5 |
| updated | Kiali | Core | 2.19.0 | 2.19.0-bb.2 |
| updated | Kyverno | Core | v1.16.1 | 3.6.1-bb.0 |
| | Kyverno Policies | Core | 3.3.4 | 3.3.4-bb.15 |
| | Kyverno Reporter | Core | 3.6.0 | 3.7.0-bb.0 |
| updated | Loki | Core | 3.5.5 | 6.46.0-bb.1 |
| updated | Mattermost | Addon | 11.1.1 | 11.1.1-bb.2 |
| | Mattermost Operator | Addon | 1.25.3 | 1.25.3-bb.0 |
| updated | Metrics Server | Addon | v0.8.0 | 3.13.0-bb.4 |
| | Mimir | Addon | 2.17.1 | 5.8.0-bb.3 |
| | Minio | Addon | RELEASE.2025-10-15T17-29-55Z | 7.1.1-bb.15 |
| | Minio Operator | Addon | v7.1.1 | 7.1.1-bb.3 |
| updated | Monitoring | Core | Prometheus: 3.8.0, Grafana: 12.3.0, Alertmanager: 0.29.0 | 80.4.1-bb.0 |
| | Neuvector | Core | 5.4.7 | 2.8.9-bb.0 |
| updated | Nexus Repository Manager | Addon | 3.86.2-01 | 86.0.0-bb.0 |
| updated | Prometheus Operator Crds | Core | 21.0.0 | 25.0.0-bb.0 |
| updated | Sonarqube | Addon | 25.11.0.114957-community | 2025.5.0-bb.2 |
| updated | Tempo | Core | Tempo: 2.8.2, Tempo Query: 2.8.2 | 1.23.3-bb.2 |
| updated | Thanos | Addon | v0.40.1 | 17.3.3-bb.1 |
| updated | Twistlock | Core | 34.03.138 | 0.24.0-bb.0 |
| | Vault | Addon | 1.20.4 | 0.31.0-bb.6 |
| | Velero | Addon | 1.17.1 | 11.1.1-bb.2 |
| | Wrapper | Core | 0.4.15 | 0.4.15 |

Changes in 3.14.0📜

Big Bang MRs📜

  • !7166 update metallb and k3d
  • !7161 update quickstart.sh script with moved docs and script paths
  • !7149 Resolve “Add Support for Custom SSO Icon in GitLab Configuration”
  • !7142 Enforce istioGateway values are nested under gateways
  • !7140 Update grafana template - remove old values
  • !7138 docs(gateways): added doc for gateways; removed old gateway references
  • !7137 Fix Kiali trace correlation by setting explicit canonical-name labels
  • !7136 Resolve “Job Failed #52359367”
  • !7135 update grafana template for SSO / custom CA usage
  • !7020 chore(deps): update flux

Alloy📜

  • !7152: alloy update to 3.2.1-bb.6
    # Changelog Updates
    
    ## [3.2.1-bb.6] (2025-12-10)
    ### Added
    - Added script test to verify logs are shipped to Loki
    ### Changed
    - Generating NetworkPolicies with bb-common
    - Generating Istio resources with bb-common
    

Elasticsearch Kibana📜

  • !7159: elasticsearchKibana update to 1.34.0-bb.1
    # Changelog Updates
    
    ## [1.34.0-bb.1] (2025-12-11)
    ### Changed
    - gluon updated from 0.9.6 to 0.9.7
    - kibana updated from 9.2.1 to 9.2.2
    - elasticsearch-exporter chart upgraded from v1.9.0 to v1.10.0
    - kubectl updated from v1.34.2 to v1.34.3
    

Fortify📜

  • !7158: fortify update to 1.1.2320154-bb.39
    # Changelog Updates
    
    ## [1.1.2320154-bb.39] - 2025-11-07
    ### Fixed
    - registry1.dso.mil/ironbank/google/golang/ubi9/golang-1.24.9 (source) -> 1.24.10
    

Gatekeeper📜

  • !7144: gatekeeper update to 3.21.0-bb.0
    # Changelog Updates
    
    ## [3.21.0-bb.0] (2025-12-09)
    ### Changed
    - gluon 0.9.6 -> 0.9.7
    - registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.33 -> v1.34.2
    - registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.20.1 -> v3.21.0
    

Gitlab📜

  • !7155: gitlab update to 9.6.2-bb.0
    # Changelog Updates
    
    ## [9.6.2-bb.0] (2025-12-12)
    ### Changed
    - update gitlab chart 9.6.1 -> 9.6.2
    - ironbank/gitlab/gitlab/gitlab-webservice (source) 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/certificates 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 18.6.1 -> 18.6.2
    - registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 18.6.1 -> 18.6.2
    

Gitlab Runner📜

  • !7130: gitlabRunner update to 0.83.2-bb.0
    # Changelog Updates
    
    ## [0.83.2-bb.0] (2025-11-28)
    ### Changed
    - Update gitlab-runner chart version minor v0.83.1 -> v0.83.2
    - gluon 0.9.6 -> 0.9.7
    
    ## [0.83.1-bb.0] (2025-11-24)
    ### Changed
    - Update gitlab-runner chart version minor v0.82.0 -> v0.83.1
    

Keycloak📜

  • !7134: keycloak update to 7.1.4-bb.5
    # Changelog Updates
    
    ## [7.1.4-bb.5] - 2025-12-09
    ### Changed
    - Removed the port 9000 istio exclusion annotation from keycloak pods
    

Kiali📜

  • !7174: kiali update to 2.19.0-bb.2
  • !7154: kiali update to 2.19.0-bb.1
    # Changelog Updates
    
    ## [2.19.0-bb.2] (2025-12-15)
    ### Updated
    - bb-common 0.10.0 -> 0.11.2
    - registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.2 -> v1.34.3
    
    ## [2.19.0-bb.1] (2025-12-10)
    ### Updated
    - bb-common 0.10.0 -> 0.11.1
    - gluon 0.9.6 -> 0.9.7
    

Kyverno📜

  • !7131: kyverno update to 3.6.1-bb.0
    # Changelog Updates
    
    ## [3.6.1-bb.0] (2025-12-05)
    ### Changed
    - Updated chart version `3.6.0` -> `3.6.1` and app version from `v1.16.0` -> `v1.16.1`
    - Updated gluon from `v0.9.6` to `v0.9.7`
    - Updated ironbank/opensource/kyverno `v1.16.0` -> `v1.16.1` 
    - Updated ironbank/opensource/kyverno/kyverno/background-controller `v1.16.0` -> `v1.16.1`
    - Updated ironbank/opensource/kyverno/kyverno/cleanup-controller `v1.16.0` -> `v1.16.1`
    - Updated ironbank/opensource/kyverno/kyverno/reports-controller `v1.16.0` -> `v1.16.1`
    - Updated ironbank/opensource/kyverno/kyvernocli `v1.16.0` -> `v1.16.1`
    - Updated ironbank/opensource/kyverno/kyvernopre `v1.16.0` -> `v1.16.1`
    - Updated ironbank/opensource/kubernetes/kubectl `v1.33.5` -> `v1.34.2`
    - Updated dead links in docs
    

Loki📜

  • !7148: loki update to 6.46.0-bb.1
    # Changelog Updates
    
    ## [6.46.0-bb.1] (2025-12-09)
    ### Changed
    - Update the MinIO chart from 7.1.1-bb.0 -> 7.1.1-bb.15
    - Update kubectl from v1.33.5 -> v1.33.6
    - Update nginx from 1.29.1 -> 1.29.3
    - Updated gluon chart from 0.9.3 -> 0.9.7
    

Mattermost📜

  • !7133: mattermost update to 11.1.1-bb.2
    # Changelog Updates
    
    ## [11.1.1-bb.2] (2025-12-05)
    ### Changed
    - gluon updated from 0.9.6 to 0.9.7
    

Metrics Server📜

  • !7147: metricsServer update to 3.13.0-bb.4
    # Changelog Updates
    
    ## [3.13.0-bb.4] (2025-12-10)
    ### Changed
    - gluon 0.9.5 -> 0.9.7
    - kubectl v1.33 -> v1.34
    

Monitoring📜

  • !7160: monitoring update to 80.4.1-bb.0
    # Changelog Updates
    
    ## [80.4.1-bb.0] (2025-12-13)
    ### Changed
    - bb-common 0.10.0 -> 0.11.2
    - kube-prometheus-stack 79.11.0 -> 80.4.1
    - prometheus-blackbox-exporter 11.5.0 -> 11.6.1
    - quay.io/prometheus-operator/prometheus-config-reloader v0.87.0 -> v0.87.1
    - registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.2 -> v1.34.3
    - registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader v0.87.0 -> v0.87.1
    - registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator v0.87.0 -> v0.87.1
    - registry1.dso.mil/ironbank/opensource/prometheus/blackbox_exporter v0.27.0 -> v0.28.0
    - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar 1.30.11 -> 1.30.9
    

Nexus Repository Manager📜

  • !7143: nexusRepositoryManager update to 86.0.0-bb.0
    # Changelog Updates
    
    ## [86.0.0-bb.0] - 2025-12-09
    ### Changed
    - update gluon 0.9.1 -> 0.9.6
    - update nexus app image 3.84.0-03 -> 3.86.2-01
    - update ubi9-minimal 9.6 -> 9.7
    

Prometheus Operator Crds📜

  • !7139: prometheusOperatorCRDs update to 25.0.0-bb.0
    # Changelog Updates
    
    ## [25.0.0-bb.0] (2025-11-25)
    ### Changed
    - prometheus-operator-crds updated from 24.0.0 to 25.0.0
    

Sonarqube📜

  • !7146: SKIP UPGRADE sonarqube update to 2025.5.0-bb.2
    # Changelog Updates
    
    ## [2025.5.0-bb.2] - 2025-12-10
    ### Updated
    - update gluon patch 0.9.3 -> 0.9.7
    - update sonarqube app 25.10.0.114319--community -> 25.11.0.114957-community
    - update registry1.dso.mil/ironbank/redhat/ubi/ubi9 (source) 9.6 -> 9.7
    - update registry1.dso.mil/ironbank/opensource/postgres/postgresql (source) 16.2 -> 18.1
    

Tempo📜

  • !7150: tempo update to 1.23.3-bb.2
    # Changelog Updates
    
    ## [1.23.3-bb.2] (2025-12-11)
    ### Updated
    - Updated bb-common from 0.11.1 to 0.11.2 to address resolved bug
    
    ## [1.23.3-bb.1] (2025-12-10)
    ### Updated
    - Integrated bb-common and removed static resources for network policies, authorization policies, and peer authentications
    - Updated Gluon from 0.9.2 to 0.9.7
    - Removed legacy values and configuration settings related to Tempo's UI functionality
    

Thanos📜

  • !7119: thanos update to 17.3.3-bb.1
    # Changelog Updates
    
    ## [17.3.3-bb.1]
    ### Changed
    - MinIO Dependency Helm Chart bump from 7.1.1-bb.1 -> 7.1.1-bb.15
    - kubernetes/kubectl upgrade from v1.33.6 -> v1.34.2
    

Twistlock📜

  • !7167: twistlock update to 0.24.0-bb.0
    # Changelog Updates
    
    ## [0.24.0-bb.0] (2025-12-11)
    ### Changed
    - gluon updated from 0.9.6 to 0.9.7
    

Known Issues📜

  • bbctl Dashboards
    • CRON job output longer than 16 KB is split into multiple log entries when using the dockerd CRI, causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly.
    • bbctl-violations-dashboard / bbctl-all-logs-dashboard (Violations Logs)
      • These items will not populate if your Kubernetes cluster is too large or has too many violations; there is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the bbctl violations command to obtain the data.
  • Headlamp
    • The Flux plugin cannot load certain menu items. This appears to be an issue with the JavaScript code used to create the plugin. Affected menu items:
      • Kustomizations
      • HelmReleases
      • ImageAutomations
      • Notifications
    • Attempting to log in using OIDC creates a login 'loop'. See the upstream issue for further information.
  • Tempo
    • Tempo no longer has a UI; however, the template still has logic that adds labels for Authservice when SSO is enabled. This causes authorization policies to be applied to Tempo unnecessarily, producing 403 errors when Grafana, Prometheus, and Kiali connect to it. This logic will be removed in a future release.
    • As a workaround, setting the .tempo.sso.enabled key to false prevents the labels from being applied.

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future📜

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.