Skip to content

Release Notes - 3.18.0📜

Please see our documentation page for more information on how to consume and deploy BigBang.\ This release was primarily tested on Kubernetes 1.34.3 (EKS).

Deprecations📜

Nexus Repository Manager📜

Big Bang will remove support for Nexus Repository Manager in a future release (upstream chart was deprecated October 24, 2023). Big Bang version 3.14 contained the final Nexus Repository Manager update. - Update (3.18.0): Deprecation has been delayed to release 3.19.0. - Migration path: Use NXRM3-HA, the official high availability chart by Sonatype. Install via the BYO packages: section.

Upgrade Notices📜

BigBang - MR📜

Flux GitRepositories are now generated per package using a shared helper in the bb umbrella chart/templates/_helpers.tpl file. Labels have also been normalized per gitRepository. Existing functionality should be unaffected by this change.

Anchore Enterprise - MR📜

After an upgrade, a kustomize patch may need to be forcibly applied in order for the anchore-enterprise services to have the appProtocol: http value added. This can be done running this command:

flux reconcile -n bigbang helmrelease anchore-enterprise --with-source --force

A successful upgrade will show appProtocol: http on all the anchore-enterprise-anchore-enterprise-* services.

e.g.:

running: 

kubectl get services -n anchore anchore-enterprise-anchore-enterprise-catalog -o yaml | grep appProtocol

will result in a match

  - appProtocol: http

Argocd - MR📜

ArgoCD is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Backstage - MR📜

Backstage is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Bbctl - MR📜

BBCTL is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.

As part of the integration a new package level definition has been created called private-registry which enables outbound access to external registries for the bbctl-bigbang-updater cronjob. By default this definition is already set up to allow it to repo1.dso.mil and registry1.dso.mil so no action is needed if these are the only registries in use.

Fortify - MR📜

Fortify SSC Passthrough and bb-common Migration📜

This release migrates Fortify SSC to the passthrough chart pattern and integrates the bb-common library chart for Istio and NetworkPolicy management. These are two coordinated BigBang-wide initiatives affecting all packages.

What Changed📜
1. Passthrough Pattern📜

The upstream fortifydocker/helm-ssc chart is now included as an unmodified subchart (alias: upstream) instead of being forked via KPT. All upstream template files have been removed from the chart and are now provided by the subchart dependency.

2. bb-common Library Chart📜

Static Istio and NetworkPolicy templates under chart/templates/bigbang/ have been replaced with bb-common generated resources. The bb-common library chart centralizes generation of:

  • NetworkPolicies (with smart naming from policy content)
  • PeerAuthentication
  • AuthorizationPolicies
  • Sidecars
  • ServiceEntries
  • VirtualServices
Breaking Changes for Users with Custom Values📜
Values must shift under the upstream: key📜

Any values that configure the upstream Fortify SSC chart must now be nested under upstream:. BigBang-specific top-level keys (domain, istio, networkPolicies, bbtests, mysql, fortify_autoconfig, fortify_license) remain unchanged at the chart root.

  addons:
    fortify:
      values:
+       upstream:
+         image:
+           tag: "25.4.0.0137"
+         resources:
+           limits:
+             cpu: 4
+             memory: 16Gi
-       image:
-         tag: "25.4.0.0137"
-       resources:
-         limits:
-           cpu: 4
-           memory: 16Gi

        # These BigBang keys are NOT affected:
        mysql:
          enabled: true
        networkPolicies:
          enabled: true
        fortify_autoconfig: |
            ...
Removed templates📜

The following static templates have been deleted and are now provided by either the upstream subchart or bb-common:

Removed Replaced By
templates/webapp.yaml Upstream subchart
templates/service.yaml Upstream subchart
templates/pvc.yaml Upstream subchart
templates/secrets.yaml templates/keystore-job.yaml
templates/script-configmap.yaml templates/keystore-job.yaml
templates/tomcat-configmap.yaml fortify_autoconfig values
templates/bigbang/istio/* bb-common (templates/bigbang/istio.yaml)
templates/bigbang/virtualservice.yaml bb-common (templates/bigbang/routes.yaml)
templates/bigbang/defaultPeerAuthentication.yaml bb-common (templates/bigbang/istio.yaml)
templates/bigbang/networkpolicies/* (8 of 9) bb-common (templates/bigbang/network-policies.yaml)
templates/bigbang/log4j2-configmap.yaml fortify_autoconfig values
templates/bigbang/network-attachment-definition.yaml Removed (unused)
Keystore generation moved to a Job📜

The init container that generated the JKS keystore has been replaced with a Kubernetes Job (keystore-job.yaml) that runs as a pre-install/pre-upgrade hook. This creates the fortify-ssc-secret before the main deployment starts.

NetworkPolicy naming changes📜

bb-common generates NetworkPolicy names based on their content (e.g., allow-ingress-to-fortify-8080-from-ns-istio-gateway-pod-public-ingressgateway). If you reference Fortify NetworkPolicies by name in external tooling, those names will change.

No Changes Required For📜
  • BigBang umbrella users who do not override Fortify upstream values (the chart defaults already have correct upstream: nesting)
  • fortify_autoconfig, fortify_license, mysql, bbtests, istio, networkPolicies, domain values (these remain at chart root level)
  • Cypress test configuration
  • SSO/SAML configuration via BigBang

For additional information on the bb-common integration, refer to Streamlining Integration with bb-common.

Gatekeeper - MR📜

Gatekeeper now leverages the bb-common network policy DSL. This replaces the legacy netpol templates and standardizes default ingress/egress policies at the namespace level. A new egress rule was added for the crd-cleanup job to preserve Kubernetes API access during post-upgrade cleanup. Also webhook access was reduced in scope under the kubeAPI definition. This is limited to port 8443 and only to set ip blocks like 192.168.0.0/16, 172.16.0.0/12 10.0.0.0/8. These will be set to your controlPlaneCIDR when deployed with BB

Gitlab Runner - MR📜

GitLab Runner is now leveraging our bb-common integration for network policies and all Istio-related resources. Please refer to this blog post for additional information on the integration.

Loki - MR📜

*** Potential Breaking Change ***

Prior to this release, a Loki VirtualService (logging/loki) was always installed and would expose cluster metrics on the Istio gateway.

In order to limit what is exposed by default, Big Bang no longer installs this VirtualService by default. The logging/loki VirtualService must now be explicitly enabled if you require access to Loki’s metrics through the VirtualSerivce.

This VirtualService can be enabled using the following common routes overrides values:

loki:
  values:
    routes:
      inbound:
        loki:
          enabled: true

For additional information on using Big Bang common routes and this VirtualService:

https://repo1.dso.mil/big-bang/product/packages/bb-common/-/blob/main/docs/routes/README.md

https://repo1.dso.mil/big-bang/product/packages/loki/-/blob/main/docs/IstioHardened.md?ref_type=heads#loki-virtualservice-access

Mattermost Operator - MR📜

Mattermost Operator is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Thanos - MR📜

The thanos package has been migrated to bb-common. While steps have been taken to maintain backwards compatibility with existing configurations by translating the old configuration into bb-common’s more explicit syntax, Big Bang consumers are encouraged to migrate their values directly as soon as possible. Some appropriate configuration changes when consumers migrate are outlined below.

Storage (S3) Egress📜

Previously a wide-open (0.0.0.0/0) egress policy was created for the thanos-storegateway when the bundled minio was disabled, indicating the user wanted to store metrics in an external object storage implementation. This policy was not in line with Big Bang’s wider security posture and has been removed. In its place, consumers are encouraged to define and use a bb-common definition for their storage subnets when external object storage is to be used:

networkPolicies:
  egress:
    definitions:
      storage-subnets:
        to:
        # repeat for each S3 CIDR
        - ipBlock:
            cidr: <private-s3-endpoint-cidr>
        ports:
        - port: 443
          protocol: TCP
    from:
      thanos-storegateway:
        to:
          definition:
            database-subnets: true

A default definition for storage-subnets is defined globally in Big Bang and passed down to the thanos package. You’re encouraged to override the CIDRs defined there to match your infrastructure. Any changes made at that global level will propagate down into the thanos package.

Ingress Config📜

bb-common creates a consistent ingress configuration syntax across all Big Bang packages with its routes functionality. Take a look at the routes documentation to understand how to use it to expose various thanos services.

Twistlock - MR📜

Twistlock is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Vault - MR📜

Vault is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.

Vault now has a new definition called kms which is intended to allow egress access to the KMS service it is using. Please note that some of the network policies that were previously in place were too lenient resulting in KMS traffic working even when it should not have. For that reason it is recommended to start using this new definition instead of the original networkPolicies.vpcCidr as that value will eventually be deprecated, however, it will continue to work for the time being if specified. For more details on this please refer to our documentation on setting up KMS access for Vault.

Additionally, the tls section no longer exists under the istio section. If you are using the Values.addons.vault.ingress.cert and Values.addons.vault.ingress.key values from the umbrella chart, then this change should have no impact as it is still being mapped from that location. However, if you are using those package values directly please make sure they are updated to allow TLS termination to continue functioning as expected.

Known Issues📜

  • bbctl Dashboards
  • CRON job output longer than 16kb will be split into multiple log entries when using the dockerd CRI causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly
  • bbctl-violations-dashboard / bbctl-all-logs-dashboard(Violations Logs)
    • These items will not populate if you have too large of a kubernetes cluster with too many violations. There is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the bbctl violations command to obtain the data.
  • Headlamp
  • Attempting to login using OIDC will create a login ‘loop’. See upstream issue for further information.
  • Loki/Elasticsearch-kibana
  • If loki and EK are both enabled, drift detection will continually trigger as they share a peer authentication: default-peer-auth in the logging namespace. Issue
  • Mattermost/MattermostOperator
  • If Mattermost is enabled, MattermostOperator needs to be enabled in order to avoid a secrets not found error. This is resolved for the 3.19 release.
  • Vault
  • There is a bug in the vault template referencing a non-existant value that may prevent the chart from deploying. As a workaround, add addons.vault.sso.enabled = false to your values file. This bug is corrected in version 3.19
  • Prometheus Target Scraping
Package Target Issue
Elasticsearch-Kibana podMonitor/monitoring/monitoring-monitoring-istio-envoy/0 Issue

Upgrades from previous releases📜

If coming from a version pre-3.17.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-3.17.0.

Packages📜

Click to show Packages Version Updates | Package | Type | Package Version | BB Version | | ------- | ---- | --------------- | ---------- | | [Alloy](https://repo1.dso.mil/big-bang/product/packages/alloy) | Core | `v1.10.0` | `3.7.2-bb.3` | | updated [Anchore Enterprise](https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise) | Addon | `5.23.0` | `3.19.2-bb.2` [🔗](#anchore-enterprise) | | updated [Argocd](https://repo1.dso.mil/big-bang/product/packages/argocd) | Addon | `v3.2.5` | `9.3.4-bb.1` [🔗](#argocd) | | [Authservice](https://repo1.dso.mil/big-bang/product/packages/authservice) | Addon | `1.1.5` | `1.1.5-bb.0` | | updated [Backstage](https://repo1.dso.mil/big-bang/product/packages/backstage) | Addon | `1.1.0` | `2.6.3-bb.2` [🔗](#backstage) | | updated [Bbctl](https://repo1.dso.mil/big-bang/product/packages/bbctl) | Core | `2.3.1` | `3.0.1-bb.3` [🔗](#bbctl) | | [Eck Operator](https://repo1.dso.mil/big-bang/product/packages/eck-operator) | Core | `3.2.0` | `3.2.0-bb.1` | | [Elasticsearch Kibana](https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana) | Core | Kibana: `9.2.4` Elasticsearch: `9.2.4` | `1.35.0-bb.0` | | updated [External Secrets Operator](https://repo1.dso.mil/big-bang/product/packages/external-secrets) | Addon | `1.3.1` | `1.3.1-bb.0` [🔗](#external-secrets-operator) | | updated [Fluentbit](https://repo1.dso.mil/big-bang/product/packages/fluentbit) | Core | `4.2.2` | `0.55.0-bb.0` [🔗](#fluentbit) | | updated [Fortify](https://repo1.dso.mil/big-bang/product/packages/fortify) | Addon | `25.4.0.0137` | `25.4.0-bb.0` [🔗](#fortify) | | updated [Gatekeeper](https://repo1.dso.mil/big-bang/product/packages/policy) | Core | `v3.21.1` | `3.21.1-bb.0` [🔗](#gatekeeper) | | updated [Gitlab](https://repo1.dso.mil/big-bang/product/packages/gitlab) | Addon | `18.8.4` | `9.8.2-bb.2` [🔗](#gitlab) | | updated [Gitlab Runner](https://repo1.dso.mil/big-bang/product/packages/gitlab-runner) | Addon | `v18.8.0` | `0.85.0-bb.2` [🔗](#gitlab-runner) | | [Grafana](https://repo1.dso.mil/big-bang/product/packages/grafana) | Core | `12.3.1` | `10.5.5-bb.1` | | [Harbor](https://repo1.dso.mil/big-bang/product/packages/harbor) | Addon | `2.14.2` | `1.18.2-bb.0` | | [Headlamp](https://repo1.dso.mil/big-bang/product/packages/headlamp) | Addon | `0.39.0` | `0.39.0-bb.2` | | [Istio Cni](https://repo1.dso.mil/big-bang/product/packages/istio-cni) | Core | `1.28.3` | `1.28.3-bb.0` | | [Istio Crds](https://repo1.dso.mil/big-bang/product/packages/istio-crds) | Core | `1.28.3` | `1.28.3-bb.0` | | [Istio Gateway](https://repo1.dso.mil/big-bang/product/packages/istio-gateway) | Core | `1.28.3` | `1.28.3-bb.0` | | [Istiod](https://repo1.dso.mil/big-bang/product/packages/istiod) | Core | `1.28.3` | `1.28.3-bb.0` | | updated [Keycloak](https://repo1.dso.mil/big-bang/product/packages/keycloak) | Addon | `26.5.3` | `7.1.7-bb.0` [🔗](#keycloak) | | updated [Kiali](https://repo1.dso.mil/big-bang/product/packages/kiali) | Core | `2.21.0` | `2.21.0-bb.1` [🔗](#kiali) | | updated [Kyverno](https://repo1.dso.mil/big-bang/product/packages/kyverno) | Core | `v1.17.0` | `3.7.0-bb.1` [🔗](#kyverno) | | [Kyverno Policies](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies) | Core | `3.3.4` | `3.3.4-bb.19` | | updated [Kyverno Reporter](https://repo1.dso.mil/big-bang/product/packages/kyverno-reporter) | Core | `3.7.0` | `3.7.1-bb.3` [🔗](#kyverno-reporter) | | updated [Loki](https://repo1.dso.mil/big-bang/product/packages/loki) | Core | `3.5.5` | `6.46.0-bb.5` [🔗](#loki) | | updated [Mattermost](https://repo1.dso.mil/big-bang/product/packages/mattermost) | Addon | `11.4.0` | `11.4.0-bb.0` [🔗](#mattermost) | | updated [Mattermost Operator](https://repo1.dso.mil/big-bang/product/packages/mattermost-operator) | Addon | `1.25.3` | `1.25.3-bb.1` [🔗](#mattermost-operator) | | [Metrics Server](https://repo1.dso.mil/big-bang/product/packages/metrics-server) | Addon | `v0.8.0` | `3.13.0-bb.4` | | updated [Mimir](https://repo1.dso.mil/big-bang/product/packages/mimir) | Addon | `2.17.1` | `5.8.0-bb.5` [🔗](#mimir) | | [Minio](https://repo1.dso.mil/big-bang/product/packages/minio) | Addon | `RELEASE.2025-10-15T17-29-55Z` | `7.1.1-bb.16` | | [Minio Operator](https://repo1.dso.mil/big-bang/product/packages/minio-operator) | Addon | `v7.1.1` | `7.1.1-bb.4` | | [Monitoring](https://repo1.dso.mil/big-bang/product/packages/monitoring) | Core | Prometheus: `3.9.1` Grafana: `12.3.1` Alertmanager: `0.30.0` | `80.13.3-bb.0` | | updated [Neuvector](https://repo1.dso.mil/big-bang/product/packages/neuvector) | Core | `5.4.9` | `2.8.11-bb.0` [🔗](#neuvector) | | updated [Nexus Repository Manager](https://repo1.dso.mil/big-bang/product/packages/nexus) | Addon | `3.88.0-08-4909530` | `88.0.0-bb.0` [🔗](#nexus-repository-manager) | | [Prometheus Operator Crds](https://repo1.dso.mil/big-bang/product/packages/prometheus-operator-crds) | Core | `v0.88.0` | `26.0.0-bb.0` | | [Sonarqube](https://repo1.dso.mil/big-bang/product/packages/sonarqube) | Addon | `25.12.0.117093-community` | `2025.6.1-bb.3` | | updated [Tempo](https://repo1.dso.mil/big-bang/product/packages/tempo) | Core | Tempo: `2.10.0` Tempo Query: `2.10.0` | `1.24.4-bb.1` [🔗](#tempo) | | updated [Thanos](https://repo1.dso.mil/big-bang/product/packages/thanos) | Addon | `v0.40.1` | `17.3.3-bb.3` [🔗](#thanos) | | updated [Twistlock](https://repo1.dso.mil/big-bang/product/packages/twistlock) | Core | `34.03.138` | `0.24.0-bb.5` [🔗](#twistlock) | | updated [Vault](https://repo1.dso.mil/big-bang/product/packages/vault) | Addon | `1.21.2` | `0.32.0-bb.0` [🔗](#vault) | | updated [Velero](https://repo1.dso.mil/big-bang/product/packages/velero) | Addon | `1.17.2` | `11.3.2-bb.2` [🔗](#velero) | | [Wrapper](https://repo1.dso.mil/big-bang/product/packages/wrapper) | Core | `0.4.15` | `0.4.15` |

Changes in 3.18.0📜

Big Bang MRs📜

  • !7388 add ingress kubeapi definition for gatekeeper and kyverno
  • !7378 fix: add ztunnel hbone port injection for kiali
  • !7371 add gitRepository helper template
  • !7370 Resolve “Remove Stale Script”
  • !7357 Fixed bb-common inconsistencies across remaining packages
  • !7356 Fix k3d-dev race conditions, add timeout for k3d hang, improve /etc/hosts output
  • !7341 Adds k3d-dev.sh BATS test suite and lefthook git hooks
  • !7330 Update Thanos serviceMonitor
  • !7324 Elasticsearch K8s Labels bug fix
  • !7323 refactor(bb-common): align bb-common patterns across packages
  • !7321 gitlab kas bug fix

Anchore Enterprise📜

  • !7375: anchoreEnterprise update to 3.19.2-bb.2
  • !7362: Resolve “anchore service monitor postrenderer for appProtocol”
  • !7361: anchoreEnterprise update to 3.19.2-bb.1
Click to show Changelog 
# Changelog Updates

## [3.19.2-bb.2] - 2026-02-17
### Changed
- Fixed issue with prometheus servicemonitor

## [3.19.2-bb.1] - 2026-01-09
### Changed
- Fixed issue with cypress test running locally.
- Updated gluon 0.9.7 -> 0.9.8
- Updated anchore-health-spec.cy.js to replace `Cypress.env()` with `cy.env()` for Cypress 15.10.0 compatibility.

Argocd📜

  • !7373: argocd update to 9.3.4-bb.1
Click to show Changelog 
# Changelog Updates

## [9.3.4-bb.1] (2026-02-05)
### Changed
- Migrated to bb-common version 0.14.0 to generate network policies and istio resources

Backstage📜

  • !7339: backstage update to 2.6.3-bb.2
Click to show Changelog 
# Changelog Updates

## [2.6.3-bb.2] - 2026-02-02
### Changed
- Migrated to bb-common version 0.12.3 to generate network policies and istio resources with bb-common

Bbctl📜

  • !7365: bbctl update to 3.0.1-bb.3
Click to show Changelog 
# Changelog Updates

## [3.0.1-bb.3] (2026-02-11)
### Changed
- Updated gluon from 0.9.7 to 0.9.8
- Added bb-common library chart to dynamically generate network policies and istio related resources

External Secrets Operator📜

  • !7347: externalSecrets update to 1.3.1-bb.0
Click to show Changelog 
# Changelog Updates

## [1.3.1-bb.0] - 2026-01-30
### Updated
- Updated registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets 1.2.1 -> 1.3.1
- Updated chart https://charts.external-secrets.io 1.2.1 -> 1.3.1

Fluentbit📜

  • !7332: fluentbit update to 0.55.0-bb.0
Click to show Changelog 
# Changelog Updates

## [0.55.0-bb.0] (2026-01-23)
### Changed
- bb-common updated from 0.12.3 to 0.13.0
- fluent-bit updated from 0.54.1 to 0.55.0

## [0.54.0-bb.2] (2025-12-18)

Fortify📜

  • !7352: fortify update to 25.4.0-bb.0
Click to show Changelog 
# Changelog Updates

## [25.4.0-bb.0] - 2026-02-09
### Changed
- Refactored to passthrough subchart pattern for Fortify
- Migrated to bb-common library chart for Istio, NetworkPolicies, and Routes
- Updated upstream helm-ssc chart to 25.4.0-1
- Updated SSC image to 25.4.0.0137
- Replaced golang init container with ubi9:9.5 for keystore generation

Gatekeeper📜

  • !7338: gatekeeper update to 3.21.1-bb.0
  • !7316: gatekeeper update to 3.21.0-bb.2
Click to show Changelog 
# Changelog Updates

## [3.21.1-bb.0] (2026-02-06)
### Changed
- Updated bb-common chart from `0.13.0` -> `0.14.0`
- Updated gatekeeper from `3.21.0` -> `3.21.1`
- Updated registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper from `v3.21.0` -> `v3.21.1`

## [3.21.0-bb.2] (2026-01-09)
### Changed
- Migrated network policies to bb-common DSL and removed legacy netpol templates
- Added bb-common dependency and unit tests for network policies

Gitlab📜

  • !7359: gitlab update to 9.8.2-bb.2
Click to show Changelog 
# Changelog Updates

## [9.8.2-bb.2] (2026-02-12)
### Changed
- registry1.dso.mil/ironbank/big-bang/devops-tester 1.0 -> 1.1
- ironbank/gitlab/gitlab/gitlab-webservice 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/certificates 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/kas 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 18.8.2 -> 18.8.4

### Changed
- ironbank/gitlab/gitlab/gitlab-webservice 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/certificates 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/kas 18.8.2 -> 18.8.4
- registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 18.8.2 -> 18.8.4

Gitlab Runner📜

  • !7396: gitlabRunner update to 0.85.0-bb.2
  • !7340: gitlabRunner update to 0.85.0-bb.1
Click to show Changelog 
# Changelog Updates

## [0.85.0-bb.2] (2026-02-19)
### Changed
- Update gitlab-runner network policy selectors to target ephemeral runner job pods using `app: gitlab-runner`
- Add unit test coverage for gitlab-runner network policy selectors

## [0.85.0-bb.1] (2026-03-3)
### Added
- Added bb-common integration. Network policies and authorization policies are now managed via bb-common. See https://docs-bigbang.dso.mil/3.15.0/blog/streamlining-integration-with-bb-common/ for more information.

Keycloak📜

  • !7355: keycloak update to 7.1.7-bb.0
Click to show Changelog 
# Changelog Updates

## [7.1.7-bb.0] - 2026-02-11
### Updated
- Updated registry1.dso.mil/ironbank/opensource/keycloak/keycloak from 26.4.7 -> 26.5.3
- Updated bb-common chart from 0.11.0 -> 0.14.0
- Updated gluon chart from 0.9.7 -> 0.9.8
- Updated keycloakx chart from 7.1.5 -> 7.1.7
- Updated postgresql chart from 18.1.3 -> 18.2.6

Kiali📜

  • !7369: kiali update to 2.21.0-bb.1
Click to show Changelog 
# Changelog Updates

## [2.21.0-bb.1] (2026-02-13)
### Changed
- gluon 0.9.7 -> 0.9.8
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.3 -> v1.34.4
- Updated Cypress tests for compatibility with 15.10.0

Kyverno📜

  • !7346: kyverno update to 3.7.0-bb.1
  • !7335: kyverno update to 3.7.0-bb.0
Click to show Changelog 
# Changelog Updates

## [3.7.0-bb.1] (2026-02-10)
### Changed
- Use kyverno's new readiness-checker image for helm tests.

## [3.7.0-bb.0] (2026-02-04)
### Changed
- Updated chart version `3.6.2` -> `3.7.0` and app version from `v1.16.3` -> `v1.17.0`
- Updated bb-common from `0.12.0` -> `0.14.0`
- Updated ironbank/opensource/kyverno `v1.16.3` -> `v1.17.0`
- Updated ironbank/opensource/kyverno/kyverno/background-controller `v1.16.3` -> `v1.17.0`
- Updated ironbank/opensource/kyverno/kyverno/cleanup-controller `v1.16.3` -> `v1.17.0`
- Updated ironbank/opensource/kyverno/kyverno/reports-controller `v1.16.3` -> `v1.17.0`
- Updated ironbank/opensource/kyverno/kyvernocli `v1.16.3` -> `v1.17.0`
- Updated ironbank/opensource/kyverno/kyvernopre `v1.16.3` -> `v1.17.0`

Kyverno Reporter📜

  • !7363: kyvernoReporter update to 3.7.1-bb.3
Click to show Changelog 
# Changelog Updates

## [3.7.1-bb.3] (2026-02-12)
### Changed
- Updated bb-common 0.12.3 -> 0.14.0
- Updated gluon 0.9.7 -> 0.9.8
- Updated cypress 14.0.0 -> 15.10.0
- Migrated deprecated Cypress.env() to cy.env()

Loki📜

  • !7368: loki update to 6.46.0-bb.5
Click to show Changelog 
# Changelog Updates

## [6.46.0-bb.5] (2026-2-11)
### Changed
- Disabled default VirtualService route for Loki (`routes.inbound.loki.enabled` set to `false`)

Mattermost📜

  • !7377: mattermost update to 11.4.0-bb.0
Click to show Changelog 
# Changelog Updates

## [11.4.0-bb.0] (2026-02-17)
### Changed
- gluon updated from 0.9.7 to 0.9.8
- registry1.dso.mil/ironbank/opensource/mattermost/mattermost (source) 11.3.0 -> 11.4.0
- registry1.dso.mil/ironbank/opensource/postgres/postgresql (source) 18.1 -> 18.2

Mattermost Operator📜

  • !7364: mattermostOperator update to 1.25.3-bb.1
Click to show Changelog 
# Changelog Updates

## [1.25.3-bb.1] (2026-02-11)
### Changed
- Migrated to bb-common version 0.14.0 to generate network policies and istio resources

Mimir📜

  • !7343: mimir update to 5.8.0-bb.5
Click to show Changelog 
# Changelog Updates

## [5.8.0-bb.5]
### Added
- Added VirtualService support via bb-common routes pattern for external Grafana access to Mimir (Issue #91)

Neuvector📜

  • !7374: neuvector update to 2.8.11-bb.0
  • !7358: neuvector update to 2.8.10-bb.4
  • !7333: neuvector update to 2.8.10-bb.3
Click to show Changelog 
# Changelog Updates

## [2.8.11-bb.0] (2026-02-13)
### Changed
- core 2.8.10 -> 2.8.11
- crd 2.8.10 -> 2.8.11
- monitor 2.8.10 -> 2.8.11
- registry1.dso.mil/ironbank/neuvector/neuvector/controller 5.4.8 -> 5.4.9
- registry1.dso.mil/ironbank/neuvector/neuvector/enforcer 5.4.8 -> 5.4.9
- registry1.dso.mil/ironbank/neuvector/neuvector/manager 5.4.8 -> 5.4.9
- registry1.dso.mil/ironbank/opensource/neuvector/registry-adapter v0.2.2 -> v0.2.3

## [2.8.10-bb.4] (2026-02-12)
### Changed
- bb-common 0.13.0 -> 0.14.0
- gluon 0.9.7 -> 0.9.8
- Migrated Cypress tests from Cypress.env() to cy.env() for Cypress 15.10.0 compatibility

## [2.8.10-bb.3] (2026-02-04)
### Changed
- Fixed an invalid reference to iron bank's registry-adapter image.
- Added a netpol to allow registry-adapter to communicate with kube-api.
- Fixed registry-adapter's pod annotations to allow cert-upgrader to communicate with its healthz endpoint.

Nexus Repository Manager📜

  • !7354: nexusRepositoryManager update to 88.0.0-bb.0
Click to show Changelog 
# Changelog Updates

## [88.0.0-bb.0] - 2026-02-03
### Changed
- update gluon 0.9.6 -> 0.9.7
- update nexus app image 3.86.2-01 -> 3.88.0-08-4909530

Tempo📜

  • !7353: tempo update to 1.24.4-bb.1
  • !7348: Tempo update to 1.24.4-bb.0
Click to show Changelog 
# Changelog Updates

## [1.24.4-bb.1] (2026-02-10)
### Changed
- Added tempo-query virtual service

## [1.24.4-bb.0] (2026-01-30)
### Changed
- bb-common 0.13.0 -> 0.14.0
- registry1.dso.mil/ironbank/opensource/grafana/tempo 2.9.1 -> 2.10.0
- registry1.dso.mil/ironbank/opensource/grafana/tempo-query 2.9.1 -> 2.10.0
- tempo chart 1.24.3 -> 1.24.4

## [1.24.3-bb.1] (2026-01-27)
### Changed
- updated bb-common from 0.12.3 to 0.13.0
- updated registry1.dso.mil/ironbank/opensource/grafana/tempo from 2.9.0 to 2.9.1
- updated registry1.dso.mil/ironbank/opensource/grafana/tempo-query from 2.9.0 to 2.9.1

### Changed
- updated bb-common from 0.12.2 to 0.12.3
- updated tempo from 1.24.1 to 1.24.3

Thanos📜

  • !7329: thanos update to 17.3.3-bb.3
Click to show Changelog 
# Changelog Updates

## [17.3.3-bb.3] (2026-02-02)
### Changed
- Migrated to bb-common for istio and `NetworkPolicy` resources

Twistlock📜

  • !7360: twistlock update to 0.24.0-bb.5
  • !7325: twistlock update to 0.24.0-bb.4
Click to show Changelog 
# Changelog Updates

## [0.24.0-bb.5] (2026-02-12)
### Changed
- bb-common updated from 0.12.3 to 0.14.0
- gluon updated from 0.9.7 to 0.9.8
- Updated Cypress tests for Cypress 15.10.0 compatibility (migrated Cypress.env() to cy.env())

## [0.24.0-bb.4] (2026-01-26)
### Changed
- Generate Network Policies with bb-common
- Generate Istio resources with bb-common

Vault📜

  • !7366: vault update to 0.32.0-bb.0
  • !7342: vault update to 0.31.0-bb.9
Click to show Changelog 
# Changelog Updates

## [0.32.0-bb.0] - 2026-02-09
### Changed
- vault (source) 0.31.0 -> 0.32.0
- ironbank/hashicorp/vault (source) 1.21.1 -> 1.21.2
- registry1.dso.mil/ironbank/hashicorp/vault (source) 1.21.1 -> 1.21.2
- registry1.dso.mil/ironbank/hashicorp/vault/vault-k8s (source) v1.7.1 -> v1.7.2

## [0.31.0-bb.9] - 2026-02-03
### Changed
- Integrated bb-common and replaced static resources with dynamically generated resources

Velero📜

  • !7336: velero update to 11.3.2-bb.2
Click to show Changelog 
# Changelog Updates

## [11.3.2-bb.2] - 2026-02-05
### Updated
- bb-common 0.13.0 -> 0.14.0
- ironbank/opensource/nginx/nginx (source) 1.29.4 -> 1.29.5
- registry1.dso.mil/ironbank/opensource/nginx/nginx (source) 1.29.4 -> 1.29.5
- registry1.dso.mil/ironbank/opensource/velero/velero (source) v1.17.1 -> v1.17.2
- registry1.dso.mil/ironbank/opensource/velero/velero (source) 1.17.1 -> 1.17.2
- registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-aws (source) v1.13.1 -> v1.13.2
- registry1.dso.mil/ironbank/opensource/velero/velero-plugin-for-microsoft-azure (source) v1.13.1 -> v1.13.2

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future📜

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.