Skip to content

Release Notes - 3.16.0📜

Please see our documentation page for more information on how to consume and deploy BigBang.\ This release was primarily tested on Kubernetes 1.34.2 (EKS).

Deprecations📜

Nexus Repository Manager📜

  • Big Bang team is planning to deprecate support for the Nexus Repository Manager package in BigBang. The upstream chart has been deprecated on October 24, 2023. Update (3.16.0): The removal of Nexus Repository Manager has been delayed beyond this release. A revised timeline will be announced next week. The update in 3.14 remains the final update for Nexus Repository Manager. Our team has added a new Big Bang package, NXRM3-HA, this is the official high availability Nexus Repository Manager chart supported by Sonatype. This package will be updated and maintained by the Big Bang team for use on Repo1/Reg1 but will not be included in the Umbrella chart as an addon. See migration guide for details on how to install using the BYO packages: section of the umbrella. Migration detail for nxrm-ha can be found here

Upgrade Notices📜

Eck Operator - MR📜

eck-operator is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Elasticsearch Kibana - MR📜

elasticsearch-kibana is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Gitlab - MR📜

The gitlab package has been migrated to bb-common. While steps have been taken to maintain backwards compatibility with existing configurations by translating the old configuration into bb-common’s more explicit syntax, Big Bang consumers are encouraged to migrate their values directly as soon as possible. Some appropriate configuration changes when consumers migrate are outlined below.

Database and Storage (S3) Egress📜

Previously a wide-open (0.0.0.0/0) egress policy was created for the migrations, sidekiq, webservice, and registry pods in the event that upstream.postgresql.install or global.minio.enabled was set to false, indicating that an external database or external object storage was to be used. These policies were not in line with Big Bang’s wider security posture and have been removed. In their place, consumers are encouraged to define and use bb-common definitions for their database subnets and storage subnets when an external database or external object storage is to be used:

networkPolicies:
  egress:
    definitions:
      # You probably only want to override the storage-subnets definition 
      # if you're using privatelink or VPC endpoints for your S3 access
      storage-subnets:
        to:
        - ipBlock: 
            cidr: <private-s3-endpoint-cidr>
        ports:
        - port: 443
          protocol: TCP
      database-subnets:
        to:
        - ipBlock: 
            cidr: <db-subnet> # repeat for each subnet
        ports:
        - port: 5432 # change this port to match your database port
          protocol: TCP
    from:
      migrations: # repeat for registry, webservice, and sidekiq as needed
        to:
          definition:
            database-subnets: true
            storage-subnets: true

Default definitions for database-subnets and storage-subnets are defined globally in Big Bang and passed down to the gitlab package. You’re encouraged to override the CIDRs defined there to match your infrastructure. Any changes made at that global level will propagate down into the gitlab package.

Metadata Endpoint Egress📜

Previously, a toggle was available at the package top-level called use_iam_profile that created an egress policy allowing the webservice, sidekiq, toolbox, and registry pods to access the IMDS endpoint on the instance where those pods were scheduled, allowing them to assume the same role as the instance to perform privileged actions in AWS. This is not a best-practice and is not aligned with the principle of least privilege as other pods scheduled on the same node but in a non-network-policy-enforcing namespace would have this access as well. Users should instead use pod identities or IRSA or some other worload identity-based authorization to allow workloads to access cloud resources with short-lived, workload-scoped credentials.

If gitlab package users insist on using instance profiles, they must explicitly allow the necessary IMDS access:

networkPolicies:
  egress:
    from:
      registry: # repeat for sidekiq, toolbox, and webservice as needed
        to:
          cidr: 
            169.254.169.254/32: true
Ingress Config📜

bb-common creates a consistent ingress configuration syntax across all Big Bang packages with its routes functionality. Take a look at the routes documentation to understand how to use it to expose various gitlab services.

Kyverno - MR📜

Kyverno is now leveraging our bb-common integration for network policies. Please refer to this blog post for additional information on the integration.

Please note that two definitions have been created as part of this integration to allow these policies to be more tailored to a given environment:

kyverno:
  values:
    networkPolicies:
      ingress:
        definitions:
          kubeAPI:
            from:
              - ipBlock:
                  cidr: 172.16.0.0/12

The kubeAPI ingress definition will automatically allow all private IP ranges, but can be overridden within the package as shown above if needed to further restrict access. Previously, this network policy was allowing all IP addresses into the kyverno namespace.

[!NOTE] The ingress definition for kubeAPI is separate from the egress definition that exists

The private-registry egress definition has also been created and defaults to the IP address of Iron Bank using TCP port 443. If another registry is in use the CIDR and ports may need to be updated.

kyverno:
  values:
    networkPolicies:
      egress:
        definitions:
          private-registry:
            to:
              - ipBlock:
                  cidr: "15.205.173.153/32"
            ports:
              - port: 443
                protocol: TCP

Please note that this network policy is not enabled by default and is currently controlled by the following settings in the package:

neworkPolicies:
  externalRegistries:
    allowEgress: false
    ports: []

The above section will be deprecated in the next major version of Big Bang (4.0) and instead the network policy will automatically be enabled if the require-image-signature Kyverno policy is enabled as this communication is needed as part of that process. If you are currently leveraging the ports section no action is needed as this will continue to function as expected, however, it is recommended to switch over to using the new definition.

This rule can also be toggled on or off manually as shown below:

kyverno:
  values:
    networkPolicies:
      egress:
        from:
          kyverno-admission-controller:
            podSelector:
              matchLabels:
                app.kubernetes.io/component: admission-controller
            to:
              definition:
                private-registry: true # Set to false to disable

Kyverno Reporter - MR📜

Kyverno Reporter is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.

Minio - MR📜

The minio package has been migrated to bb-common. While steps have been taken to maintain backwards compatibility with existing configurations by translating the old configuration into bb-commons more explicit syntax, Big Bang consumers are encouraged to migrate their values directly as soon as possible. Some appropriate configuration changes when consumers migrate are outlined below.

Ingress Config📜

bb-common creates a consistent ingress configuration syntax across all Big Bang packages with its routes functionality. Take a look at the routes documentation to understand how to use it to expose various minio services.

Neuvector - MR📜

Neuvector is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Sonarqube - MR📜

Sonarqube is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.

Please note that two new definitions have been created as part of this integration to allow these policies to be more tailored to a given environment:

      sonarsource-marketplace:
        to:
          - ipBlock:
              cidr: "0.0.0.0/0"
              except:
                - 169.254.169.254/32
        ports:
          - port: 443
            protocol: TCP

This policy allows communication to the sonarsource marketplace which is required for receiving updates to any installed plugins. Currently, this will be enabled automatically if any plugins are specified in the helm chart for Sonarqube or if networkPolicies.egressHttps.enabled is set to true.

NOTE: Unfortunately, Sonarsource does not have a documented list of IP addresses or ranges they use, but if this changes in the future the cidr value can be updated to further restrict access.

      code-repository:
        to:
          - ipBlock:
              cidr: "0.0.0.0/0"
              except:
                - 169.254.169.254/32
        ports:
          - port: 443
            protocol: TCP

This network policy is enabled by default as it allows Sonarqube to access the code repository in order to perform its desired function. The cidr section can be updated to reflect the proper IP address for your code repository. It is also automatically enalbed if networkPolicies.egressHttps.enabled is set to true.

Both definitions can be disabled/enabled manually as well if needed as shown below:

networkPolicies:
  egress:
    from:
      sonarqube:
        podSelector:
          matchLabels:
            app: sonarqube
        to:
          definition:
            sonarsource-marketplace: false # To disable access to Sonarsource marketplace
            code-repository: false # To disable access to a code-repository

NOTE: Please note that the networkPolicies.egressHttps.enabled value will be deprecated in the next major Big Bang release (4.0) so it is recommended to switch over to using the new definitions provided by bb-common. If you wish to disable either of the above mentioned definitions the value of networkPolicies.egressHttps.enabled must also be set to false.

Twistlock - MR📜

This release of Twistlock introduces a variable to control the installation of the Istio Virtual Service for the Twistlock web console.

Should you want to not expose Twistlock through the Istio gateway, you can disable the Virtual Service installation: 

twistlock:
  values:
    istio:
      console:
        virtualService:
          enabled: false

By default, the virtual service is enabled.

Known Issues📜

  • bbctl Dashboards
  • CRON job output longer than 16kb will be split into multiple log entries when using the dockerd CRI causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly
  • bbctl-violations-dashboard / bbctl-all-logs-dashboard(Violations Logs)
    • These items will not populate if you have too large of a kubernetes cluster with too many violations. There is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the bbctl violations command to obtain the data.
  • Headlamp
  • Attempting to login using OIDC will create a login ‘loop’. See upstream issue for further information.
  • Loki/Elasticsearch-kibana
  • if loki and EK are both enabled, drift detection will continually trigger as they share a peer authentication: default-peer-auth in the logging namespace. Issue
  • Prometheus Target Scraping
Package Target Issue
Elasticsearch-Kibana podMonitor/monitoring/monitoring-monitoring-istio-envoy/0 Issue

Upgrades from previous releases📜

If coming from a version pre-3.15.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-3.15.0.

Packages📜

Click to show Packages Version Updates | Package | Type | Package Version | BB Version | |---------|------|-----------------|------------| | updated [Alloy](https://repo1.dso.mil/big-bang/product/packages/alloy) | Core | `v1.10.0` | `3.7.2-bb.2` [🔗](#alloy) | | [Anchore Enterprise](https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise) | Addon | `5.20.2` | `3.14.2-bb.4` | | updated [Argocd](https://repo1.dso.mil/big-bang/product/packages/argocd) | Addon | `v3.2.3` | `9.3.0-bb.0` [🔗](#argocd) | | updated [Authservice](https://repo1.dso.mil/big-bang/product/packages/authservice) | Addon | `1.1.5` | `1.1.5-bb.0` [🔗](#authservice) | | [Backstage](https://repo1.dso.mil/big-bang/product/packages/backstage) | Addon | `1.1.0` | `2.6.3-bb.1` | | [Bbctl](https://repo1.dso.mil/big-bang/product/packages/bbctl) | Core | `2.2.0` | `3.0.1-bb.1` | | updated [Eck Operator](https://repo1.dso.mil/big-bang/product/packages/eck-operator) | Core | `3.2.0` | `3.2.0-bb.1` [🔗](#eck-operator) | | updated [Elasticsearch Kibana](https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana) | Core | Kibana: `9.2.2` Elasticsearch: `9.2.1` | `1.34.0-bb.4` [🔗](#elasticsearch-kibana) | | updated [External Secrets Operator](https://repo1.dso.mil/big-bang/product/packages/external-secrets) | Addon | `0.20.4` | `0.20.4-bb.3` [🔗](#external-secrets-operator) | | updated [Fluentbit](https://repo1.dso.mil/big-bang/product/packages/fluentbit) | Core | `4.2.2` | `0.54.1-bb.0` [🔗](#fluentbit) | | [Fortify](https://repo1.dso.mil/big-bang/product/packages/fortify) | Addon | `25.4.0.0137` | `1.1.2320154-bb.39` | | [Gatekeeper](https://repo1.dso.mil/big-bang/product/packages/policy) | Core | `v3.21.0` | `3.21.0-bb.1` | | updated [Gitlab](https://repo1.dso.mil/big-bang/product/packages/gitlab) | Addon | `18.7.0` | `9.7.0-bb.2` [🔗](#gitlab) | | [Gitlab Runner](https://repo1.dso.mil/big-bang/product/packages/gitlab-runner) | Addon | `v18.5.0` | `0.83.2-bb.0` | | updated [Grafana](https://repo1.dso.mil/big-bang/product/packages/grafana) | Core | `12.3.1` | `10.5.5-bb.0` [🔗](#grafana) | | updated [Harbor](https://repo1.dso.mil/big-bang/product/packages/harbor) | Addon | `2.14.1` | `1.18.1-bb.2` [🔗](#harbor) | | [Headlamp](https://repo1.dso.mil/big-bang/product/packages/headlamp) | Addon | `0.39.0` | `0.39.0-bb.1` | | [Istio Cni](https://repo1.dso.mil/big-bang/product/packages/istio-cni) | Core | `1.28.2` | `1.28.2-bb.0` | | [Istio Crds](https://repo1.dso.mil/big-bang/product/packages/istio-crds) | Core | `1.28.2` | `1.28.2-bb.0` | | updated [Istio Gateway](https://repo1.dso.mil/big-bang/product/packages/istio-gateway) | Core | `1.28.0` | `1.28.2-bb.0` [🔗](#istio-gateway) | | updated [Istiod](https://repo1.dso.mil/big-bang/product/packages/istiod) | Core | `1.28.2` | `1.28.2-bb.0` [🔗](#istiod) | | [Keycloak](https://repo1.dso.mil/big-bang/product/packages/keycloak) | Addon | `26.4.7` | `7.1.5-bb.0` | | updated [Kiali](https://repo1.dso.mil/big-bang/product/packages/kiali) | Core | `2.20.0` | `2.20.0-bb.0` [🔗](#kiali) | | updated [Kyverno](https://repo1.dso.mil/big-bang/product/packages/kyverno) | Core | `v1.16.1` | `3.6.1-bb.1` [🔗](#kyverno) | | updated [Kyverno Policies](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies) | Core | `3.3.4` | `3.3.4-bb.17` [🔗](#kyverno-policies) | | updated [Kyverno Reporter](https://repo1.dso.mil/big-bang/product/packages/kyverno-reporter) | Core | `3.7.0` | `3.7.1-bb.1` [🔗](#kyverno-reporter) | | updated [Loki](https://repo1.dso.mil/big-bang/product/packages/loki) | Core | `3.5.5` | `6.46.0-bb.4` [🔗](#loki) | | updated [Mattermost](https://repo1.dso.mil/big-bang/product/packages/mattermost) | Addon | `11.3.0` | `11.3.0-bb.1` [🔗](#mattermost) | | [Mattermost Operator](https://repo1.dso.mil/big-bang/product/packages/mattermost-operator) | Addon | `1.25.3` | `1.25.3-bb.0` | | [Metrics Server](https://repo1.dso.mil/big-bang/product/packages/metrics-server) | Addon | `v0.8.0` | `3.13.0-bb.4` | | [Mimir](https://repo1.dso.mil/big-bang/product/packages/mimir) | Addon | `2.17.1` | `5.8.0-bb.4` | | updated [Minio](https://repo1.dso.mil/big-bang/product/packages/minio) | Addon | `RELEASE.2025-10-15T17-29-55Z` | `7.1.1-bb.16` [🔗](#minio) | | updated [Minio Operator](https://repo1.dso.mil/big-bang/product/packages/minio-operator) | Addon | `v7.1.1` | `7.1.1-bb.4` [🔗](#minio-operator) | | updated [Monitoring](https://repo1.dso.mil/big-bang/product/packages/monitoring) | Core | Prometheus: `3.9.1` Grafana: `12.3.1` Alertmanager: `0.30.0` | `80.13.3-bb.0` [🔗](#monitoring) | | updated [Neuvector](https://repo1.dso.mil/big-bang/product/packages/neuvector) | Core | `5.4.8` | `2.8.10-bb.0` [🔗](#neuvector) | | [Nexus Repository Manager](https://repo1.dso.mil/big-bang/product/packages/nexus) | Addon | `3.86.2-01` | `86.0.0-bb.0` | | updated [Prometheus Operator Crds](https://repo1.dso.mil/big-bang/product/packages/prometheus-operator-crds) | Core | `v0.88.0` | `26.0.0-bb.0` [🔗](#prometheus-operator-crds) | | updated [Sonarqube](https://repo1.dso.mil/big-bang/product/packages/sonarqube) | Addon | `25.12.0.117093-community` | `2025.6.1-bb.2` [🔗](#sonarqube) | | updated [Tempo](https://repo1.dso.mil/big-bang/product/packages/tempo) | Core | Tempo: `2.9.0` Tempo Query: `2.9.0` | `1.24.3-bb.0` [🔗](#tempo) | | [Thanos](https://repo1.dso.mil/big-bang/product/packages/thanos) | Addon | `v0.40.1` | `17.3.3-bb.1` | | updated [Twistlock](https://repo1.dso.mil/big-bang/product/packages/twistlock) | Core | `34.03.138` | `0.24.0-bb.1` [🔗](#twistlock) | | updated [Vault](https://repo1.dso.mil/big-bang/product/packages/vault) | Addon | `1.21.1` | `0.31.0-bb.8` [🔗](#vault) | | updated [Velero](https://repo1.dso.mil/big-bang/product/packages/velero) | Addon | `1.17.1` | `11.3.2-bb.0` [🔗](#velero) | | [Wrapper](https://repo1.dso.mil/big-bang/product/packages/wrapper) | Core | `0.4.15` | `0.4.15` |

Changes in 3.16.0📜

Big Bang MRs📜

  • !7283 fix gitlab hosts for upstream
  • !7281 revert anchore
  • !7269 Resolve “eck-operator requires vpccidr for kube api access”
  • !7266 Fix for Sonarqube Database Network Policy Logic
  • !7265 fix(neuvector): properly propagate top-level definitions into package values
  • !7254 Added rule to allow reports-controller access to KubeAPI
  • !7243 Resolve “Tempo storage-subnet netpol not enabled in some cases”
  • !7242 Include vpcCidr in default alloy KubeAPI egress netpol
  • !7237 Resolve “Update package onboarding docs for bb-common”

Alloy📜

  • !7278: alloy update to 3.7.2-bb.2
Click to show Changelog 
# Changelog Updates

## [3.7.2-bb.2] (2026-01-22)
### Changed
- added bb-common netpol to create alloy-upstream job -> kube api 

## [3.7.2-bb.1] (2026-01-15)
### Changed
- updated image versions in `Chart/values.yaml` to ensure they are in sync with `Chart/Chart.yaml`

## [3.7.2-bb.0] (2026-01-15)
### Changed
- k8s-monitoring updated from 3.2.1 to 3.7.2
- bb-common updated from 0.11.1 to 0.12.3
- gluon updated from 0.9.6 to 0.9.7

Argocd📜

  • !7232: argocd update to 9.3.0-bb.0
  • !7219: argocd update to 9.1.7-bb.0
Click to show Changelog 
# Changelog Updates

## [9.3.0-bb.0] (2026-01-13)
### Changed
- Upgrade argo-cd helm chart 9.1.7 -> 9.3.0
- Upgrade argocd-apps 2.0.2 -> 2.0.4
- redis (source) 24.0.0-bb.0 -> 24.1.0-bb.0

## [9.1.7-bb.0] (2026-01-07)
### Changed
- gluon 0.9.6 -> 0.9.7
- Upgrade argo-cd helm chart 9.1.4 -> 9.1.7
- redis (source) 23.2.12-bb.0 -> 24.0.0-bb.0
- registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter v1.80.0 -> v1.80.1
- registry1.dso.mil/ironbank/big-bang/argocd v3.2.0 -> v3.2.3

Authservice📜

  • !7234: authservice update to 1.1.5-bb.0
  • !7212: authservice update to 1.1.4-bb.0
Click to show Changelog 
# Changelog Updates

## [1.1.5-bb.0] (2026-01-07)
### Changed
- Authservice updated from 1.1.4 -> 1.1.5
- bb-common updated from 0.10.0 to 0.12.2
- gluon updated from 0.9.6 to 0.9.7
- redis updated to 24.0.0-bb.0

## [1.1.4-bb.0] (2025-12-02)
### Changed
- Authservice updated from 1.1.1 -> 1.1.4
- updated Authservice image from 1.1.1-ubi9 to 1.1.4
- bb-common updated from 0.9.1 to 0.10.0
- redis updated from 23.1.1 to 23.2.12

Eck Operator📜

  • !7208: eckOperator update to 3.2.0-bb.1
Click to show Changelog 
# Changelog Updates

## [3.2.0-bb.1] (2025-12-16)
### Changed
- Adopt bb-common for Istio Resource creation
- Adopt bb-common for Network Policy creationn
- Adopt bb-common for Authorization Policy creation

Elasticsearch Kibana📜

  • !7271: elasticsearchKibana update to 1.34.0-bb.4
  • !7253: elasticsearchKibana update to 1.34.0-bb.3
  • !7222: elasticsearchKibana update to 1.34.0-bb.2
Click to show Changelog 
# Changelog Updates

## [1.34.0-bb.3] (2026-1-22)
### Changed
- Prepend release name to bb-common netpols

## [1.34.0-bb.3] (2026-1-09)
### Changed
- Adopt bb-common for Network Policy creation
- Adopt bb-common for Istio resource creation

## [1.34.0-bb.2] (2026-01-06)
### Added
- Support for map-based `packages`, `agentPolicies`, and `package_policies` configuration
  - Map keys are automatically used as `name` (for packages), `id` (for agentPolicies), and `id`/`name` (for package_policies) when not explicitly set
  - Maps are sorted alphabetically by key for deterministic output
  - Full backwards compatibility with existing list-based configurations

External Secrets Operator📜

  • !7209: externalSecrets update to 0.20.4-bb.3
Click to show Changelog 
# Changelog Updates

## [0.20.4-bb.3] - 2026-01-06
### Updated
- Commented out example values for externalSecret configuration.

## [0.20.4-bb.2] - 2025-12-23
### Updated
- Updated logic to data and dataFrom block to fetch single or multiple key and extract entire secret respectively.

## [0.20.4-bb.1] - 2025-12-17
### Updated
- Updated values to support multiple secrets fetch

Fluentbit📜

  • !7248: fluentbit update to 0.54.1-bb.0
  • !7227: fluentbit update to 0.54.0-bb.2
Click to show Changelog 
# Changelog Updates

## [0.54.1-bb.0] (2026-01-10)
### Changed
- fluent-bit updated from 0.54.0 to 0.54.1
- repo1.dso.mil/big-bang/product/packages/fluentbit/-/tree/renovate/ironbank updated from 4.2.1 to 4.2.2

## [0.54.0-bb.2] (2025-12-18) 
### Changed
- gluon updated from 0.9.6 to 0.9.7
- registry1.dso.mil/ironbank/opensource/fluent/fluent-bit updated from 4.2.0 to 4.2.1

Gitlab📜

  • !7244: gitlab update to 9.7.0-bb.2
  • !7206: gitlab update to 9.7.0-bb.1
Click to show Changelog 
# Changelog Updates

## [9.7.0-bb.2] (2026-01-15)
### Changed
- update values.yaml file with gitlab-kas Iron Bank overrides

## [9.7.0-bb.1] (2025-12-26)
### Changed
- migrated gitlab to bb-common

Grafana📜

  • !7229: grafana update to 10.5.5-bb.0
Click to show Changelog 
# Changelog Updates

## [10.5.5-bb.0] (2026-01-10)
### Changed
- bb-common updated from 0.11.3 to 0.12.3
- grafana updated from 10.3.1 to 10.5.5
- registry1.dso.mil/ironbank/big-bang/grafana/grafana-plugins updated from 12.3.0 -> 12.3.1
- registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar updated from 2.1.4 -> 2.2.3
- registry1.dso.mil/ironbank/opensource/grafana/grafana-image-renderer updated from v5.0.13 -> v5.2.1

Harbor📜

  • !7261: harbor update to 1.18.1-bb.2
  • !7179: harbor update to 1.18.1-bb.0
Click to show Changelog 
# Changelog Updates

## [1.18.1-bb.2] - (2026-01-20)
### Changed
- Updated Redis image reference from registry1.dso.mil/ironbank/bitnami/redis 8.2.4 => registry1.dso.mil/ironbank/opensource/redis/redis8-slim:8.4.0 in the Chart

## [1.18.1-bb.1] - (2026-01-13)
### Changed
- Updated postgresql 18.1.13 -> 18.2.0
- Updated redis 23.2.12-bb.0 -> 24.1.0-bb.0
- Updated registry1.dso.mil/ironbank/opensource/nginx/nginx 1.29.3 -> 1.29.4
- Updated registry1.dso.mil/ironbank/bitnami/redis 8.2.3 -> 8.4.0

## [1.18.1-bb.0] (2025-12-08)
### Changed
- update harbor chart 1.18.0 -> 1.18.1
- gluon 0.9.6 -> 0.9.7
- goharbor/harbor-db v2.14.0 -> v2.14.1
- goharbor/redis-photon v2.14.0 -> v2.14.1
- postgresql 18.1.4 -> 18.1.13
- redis 23.1.1-bb.0 -> 23.2.12-bb.0
- registry1.dso.mil/ironbank/bitnami/redis 8.2.2 -> 8.2.3
- registry1.dso.mil/ironbank/opensource/goharbor/harbor-core v2.14.0 -> v2.14.1
- registry1.dso.mil/ironbank/opensource/goharbor/harbor-exporter v2.14.0 -> v2.14.1
- registry1.dso.mil/ironbank/opensource/goharbor/harbor-jobservice v2.14.0 -> v2.14.1
- registry1.dso.mil/ironbank/opensource/goharbor/harbor-portal v2.14.0 -> v2.14.1
- registry1.dso.mil/ironbank/opensource/goharbor/harbor-registryctl v2.14.0 -> v2.14.1
- registry1.dso.mil/ironbank/opensource/goharbor/registry v2.14.0 -> v2.14.1
- registry1.dso.mil/ironbank/opensource/goharbor/trivy-adapter v2.14.0 -> v2.14.1
- registry1.dso.mil/ironbank/opensource/postgres/postgresql 18.0 -> 18.1
- registry1.dso.mil/bigbang-ci/devops-tester:1.1.2 -> registry1.dso.mil/ironbank/big-bang/devops-tester:1.0

Istio Gateway📜

  • !7203: istioGateway update to 1.28.2-bb.0
Click to show Changelog 
# Changelog Updates

## [1.28.2-bb.0] (2025-12-31)
### Changed
- bb-common 0.10.0 -> 0.12.0
- gateway 1.28.0 -> 1.28.2
- gluon 0.9.6 -> 0.9.7
- registry1.dso.mil/ironbank/opensource/istio/proxyv2 1.28.0 -> 1.28.2

Istiod📜

  • !7204: istiod update to 1.28.2-bb.0
Click to show Changelog 
# Changelog Updates

## [1.28.2-bb.0] (2025-12-31)
### Changed
- bb-common 0.10.0 -> 0.12.1
- istiod 1.28.0 -> 1.28.2
- registry1.dso.mil/ironbank/opensource/istio/pilot 1.28.0 -> 1.28.2
- registry1.dso.mil/ironbank/opensource/istio/proxyv2 1.28.0 -> 1.28.2

Kiali📜

  • !7235: kiali update to 2.20.0-bb.0
Click to show Changelog 
# Changelog Updates

## [2.20.0-bb.0] (2025-12-23)
### Changed
- bb-common 0.11.2 -> 0.12.0
- kiali-operator 2.19.0 -> 2.20.0
- registry1.dso.mil/ironbank/opensource/kiali/kiali-operator v2.19.0 -> v2.20.0

Kyverno📜

  • !7200: kyverno update to 3.6.1-bb.1
Click to show Changelog 
# Changelog Updates

## [3.6.1-bb.1] (2025-12-19)
### Changed
- Added bb-common 0.12.0 as a helm dependency
- Replaced all network policies with bb-common generated network policies

Kyverno Policies📜

  • !7220: kyvernoPolicies update to 3.3.4-bb.17
Click to show Changelog 
# Changelog Updates

## [3.3.4-bb.17] (2026-01-07)
### Fixed
- kubectl updated from v1.33.5 to v1.34
- gluon updated from 0.9.5 to 0.9.7

## [3.3.4-bb.16] (2025-10-23)
### Fixed
- Updated URL references in comments of values.yaml
- Updated URL references in ServiceAccountTokenHardening.md
- Updated URL reference in exceptions.md

Kyverno Reporter📜

  • !7245: kyvernoReporter update to 3.7.1-bb.1
  • !7217: kyvernoReporter update to 3.7.1-bb.0
Click to show Changelog 
# Changelog Updates

## [3.7.1-bb.1] (2026-01-13)
### Changed
- Added bb-common 0.12.3 as a helm dependency
- Replaced all static network policies and istio-related resources with bb-common generated resources

## [3.7.1-bb.0] (2026-01-07)
### Changed
- Updated registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter  v3.6.0 -> v3.7.0
- Updated registry1.dso.mil/ironbank/nirmata/policy-reporter/policy-reporter-ui v2.5.0 -> v2.5.1
- Updated registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter/kyverno-plugin  v0.5.2 -> v0.5.3
- Updated policy-reporter subchart  v3.7.0 -> v3.7.1

## [3.7.0-bb.1] (2026-01-05)
### Changed
- Updated gluon v0.9.6 -> v0.9.7
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.2 -> v1.34.3

Loki📜

  • !7272: loki update to 6.46.0-bb.4
  • !7215: DEBUG loki update to 6.46.0-bb.3
Click to show Changelog 
# Changelog Updates

## [6.46.0-bb.4] (2026-1-22)
### Changed
- Prepend release name to bb-common netpols

## [6.46.0-bb.3] (2025-12-19)
### Changed
- Changed Loki log length from 10 to 5
- Updated bb-common from 0.11.2 to 0.12.1

Mattermost📜

  • !7270: mattermost update to 11.3.0-bb.1
  • !7256: mattermost update to 11.3.0-bb.0
Click to show Changelog 
# Changelog Updates

## [11.3.0-bb.1] (2026-01-21)
### Changed
- Added VPCCIDR rule for the minio -> kubeapi network policy

## [11.3.0-bb.0] (2026-01-17)
### Changed
- Updated registry1.dso.mil/ironbank/opensource/mattermost/mattermost (source) 11.2.1 -> 11.3.0

## [11.2.1-bb.0] (2025-12-17)
### Changed
- Updated registry1.dso.mil/ironbank/opensource/mattermost/mattermost (source) 11.1.1 -> 11.2.1

Minio📜

  • !7233: minio update to 7.1.1-bb.16
Click to show Changelog 
# Changelog Updates

## [7.1.1-bb.16] - 2025-01-13
### Changed
- Migrated to bb-common for all istio and `NetworkPolicy` resource creation

Minio Operator📜

  • !7228: minioOperator update to 7.1.1-bb.4
Click to show Changelog 
# Changelog Updates

### Changed
- Migrated istio and NetworkPolicy resources to bb-common

Monitoring📜

  • !7240: monitoring update to 80.13.3-bb.0
Click to show Changelog 
# Changelog Updates

## [80.13.3-bb.0] (2026-01-13)
### Changed
- bb-common 0.11.3 -> 0.12.3
- kube-prometheus-stack 80.4.1 -> 80.13.3
- prometheus-blackbox-exporter 11.6.1 -> 11.7.0
- quay.io/prometheus-operator/prometheus-config-reloader v0.87.1 -> v0.88.0
- registry1.dso.mil/ironbank/big-bang/grafana/grafana-plugins 12.3.0 -> 12.3.1
- registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar 1.30.9 -> 2.2.3
- registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader v0.87.1 -> v0.88.0
- registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator v0.87.1 -> v0.88.0
- registry1.dso.mil/ironbank/opensource/prometheus/prometheus v3.8.1 -> v3.9.1
- registry1.dso.mil/ironbank/opensource/prometheus/snmp_exporter v0.29.0 -> v0.30.1
- serviceAccount name change in Alloy namespace for Authorization Policy

Neuvector📜

  • !7231: neuvector update to 2.8.10-bb.0
  • !7173: neuvector update to 2.8.9-bb.1
Click to show Changelog 
# Changelog Updates

## [2.8.10-bb.0] (2026-01-08)
### Changed
- registry1.dso.mil/ironbank/neuvector/neuvector/controller 5.4.7 -> 5.4.8
- registry1.dso.mil/ironbank/neuvector/neuvector/enforcer 5.4.7 -> 5.4.8
- registry1.dso.mil/ironbank/neuvector/neuvector/manager 5.4.7 -> 5.4.8
- registry1.dso.mil/ironbank/opensource/neuvector/registry-adapter 0.2.1 -> 0.2.2

## [2.8.9-bb.1] (2025-12-1)
### Changed
- Generate Istio resources with bb-common
- Generate Network Policy resources with bb-common

Prometheus Operator Crds📜

  • !7239: prometheusOperatorCRDs update to 26.0.0-bb.0
  • !7194: PrometheusOperatorCRDs update to 25.0.1-bb.0
Click to show Changelog 
# Changelog Updates

## [26.0.0-bb.0] (2026-01-13)
### Changed
- prometheus-operator-crds updated major from 25.0.1 to 26.0.0
- prometheus-operator minor from v0.87.1 to v0.88.0

Sonarqube📜

  • !7241: sonarqube update to 2025.6.1-bb.2
Click to show Changelog 
# Changelog Updates

## [2025.6.1-bb.2] - 2026-01-12
### Updated
- Integrated bb-common and replaced static resources with bb-common generated resources
- Disabled telemetry to reduce outbound calls
- Fixed label and tls config in service monitor so that it works properly
- Removed unnecessary peer authentication exclusion

## [2025.6.1-bb.1] - 2026-01-06

Tempo📜

  • !7238: tempo update to 1.24.3-bb.0
  • !7226: tempo update to 1.24.1-bb.0
Click to show Changelog 
# Changelog Updates

## [1.24.3-bb.0] (2026-01-14)
### Changed
- bb-common 0.12.2 -> 0.12.3
- tempo 1.24.1 -> 1.24.3

## [1.24.1-bb.0] (2026-01-07)
### Changed
- bb-common 0.11.2 -> 0.12.2
- registry1.dso.mil/ironbank/opensource/grafana/tempo 2.8.2 -> 2.9.0
- registry1.dso.mil/ironbank/opensource/grafana/tempo-query 2.8.2 -> 2.9.0
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.32.7 -> v1.34.3
- tempo 1.23.3 -> 1.24.1

Twistlock📜

  • !7251: Resolve “twistlock update to 0.24.0-bb.1”
Click to show Changelog 
# Changelog Updates

## [0.24.0-bb.1] (2026-01-12)
### Changed
- added option to disable the Istio Virtual Service for the management console -- istio.console.virtualService.enabled . it's enabled by default.

Vault📜

  • !7213: vault update to 0.31.0-bb.8
Click to show Changelog 
# Changelog Updates

## [0.31.0-bb.8] - 2026-01-05
### Changed
- Updated gluon 0.9.6 -> 0.9.7
- Updated registry1.dso.mil/ironbank/hashicorp/vault-csi-provider (source) v1.6.0 -> v1.7.0

## [0.31.0-bb.7] - 2025-12-03
### Changed
- Updated registry1.dso.mil/ironbank/hashicorp/vault (source) 1.20.4 -> 1.21.1
- Updated registry1.dso.mil/ironbank/hashicorp/vault/vault-k8s (source) v1.7.0 -> v1.7.1

Velero📜

  • !7223: velero update to 11.3.2-bb.0
Click to show Changelog 
# Changelog Updates

## [11.3.2-bb.0] - 2026-01-07
### Updated
- Updated velero 11.1.1 -> 11.3.2
- Updated gluon 0.9.6 -> 0.9.7
- Updated ironbank/opensource/nginx/nginx 1.29.3 -> 1.29.4
- Updated registry1.dso.mil/ironbank/opensource/nginx/nginx (source) 1.29.3 -> 1.29.4

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future📜

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.