Release Notes - 3.20.0

Please see our documentation page for more information on how to consume and deploy BigBang.

This release was primarily tested on Kubernetes 1.34.4 (EKS).

Upgrade Notices

BigBang - MR

Important: nexusRepositoryManager Addon Removed

The legacy nexusRepositoryManager addon has been removed from the Big Bang umbrella chart. Users requiring Nexus Repository Manager should migrate to the maintained NXRM-HA package.

NXRM-HA provides:

  • High Availability Support: Deploy Nexus Repository Manager Pro in a highly available, multi-node configuration
  • Production-Ready Architecture: Built-in support for external databases (PostgreSQL, AWS RDS) and object storage
  • Enterprise features including clustering and replication
  • Active maintenance directly from Sonatype
  • Better resource management and horizontal scaling capabilities

Migration Required

Upgrading from the legacy nexus-repository-manager chart to nxrm-ha requires a migration process. This is NOT a simple in-place upgrade. Key requirements:

  • Plan downtime for the migration
  • Back up all data before migrating
  • Test in non-production environments first
  • Note that the namespace, resource naming conventions, and configuration structure have changed
  • Configuration is now under an upstream: key
  • PostgreSQL is now required

See NXRM-HA MR#29 Upgrade Notices for full migration details.


BigBang - MR

Kubernetes 1.32 is EOL as of 2/28/2026; Kubernetes 1.33 is now required.


BigBang - MR

To better streamline and support deployments to CSP Kubernetes distros that support authentication with CSP registries, registry creds are no longer required. Users can provide registryCredentials: null, in which case no private-registry secret is created in any namespace and no imagePullSecrets stanza is emitted into any sub-chart values. Pods will then rely entirely on external pull credentials.

Big Bang helm tests will still use imagePullSecrets – we will look at removing imagePullSecrets from the helm tests in the future.

bigbang/base/flux/kustomization.yaml sets imagePullSecrets via a kustomize patch. We’ve left this in as a default. You can remove the following 2 lines from that file to remove imagePullSecrets from your flux-system deployments.

            imagePullSecrets:
            - name: private-registry

Several packages run a “wait job”. These are run from our gluon package which invokes a package’s wait.sh script. We have an open issue to remove the imagePullSecrets dependency from these jobs.

If you discover any Pods or Service Accounts that still set imagePullSecrets, please open up an issue or reach out to someone on the Big Bang Team.
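One way to look for leftover references, as an added example that is not part of the Big Bang project: the function below scans the JSON from `kubectl get pods,serviceaccounts,deployments,statefulsets,daemonsets,jobs,cronjobs -A -o json` and reports every object that still sets imagePullSecrets. The sample listing is constructed, and treating flux-system as an expected namespace follows the kustomize default described above.

```python
import json
import sys

# Path from the object root to its pod spec, per kind.
TEMPLATE_SPEC = ("spec", "template", "spec")
POD_SPEC_PATHS = {
    "Pod": ("spec",),
    "Deployment": TEMPLATE_SPEC,
    "StatefulSet": TEMPLATE_SPEC,
    "DaemonSet": TEMPLATE_SPEC,
    "Job": TEMPLATE_SPEC,
    "CronJob": ("spec", "jobTemplate") + TEMPLATE_SPEC,
}


def pull_secret_names(obj):
    """Return the imagePullSecrets names referenced by one API object."""
    kind = obj.get("kind")
    if kind == "ServiceAccount":
        refs = obj.get("imagePullSecrets")  # top-level field on ServiceAccounts
    elif kind in POD_SPEC_PATHS:
        node = obj
        for key in POD_SPEC_PATHS[kind]:
            node = node.get(key) or {}
        refs = node.get("imagePullSecrets")
    else:
        refs = None
    return [ref.get("name", "") for ref in refs or []]


def find_pull_secrets(listing, expected_namespaces=("flux-system",)):
    """List every object in a `kubectl get ... -o json` result that sets imagePullSecrets."""
    findings = []
    for obj in listing.get("items", []):
        names = pull_secret_names(obj)
        if not names:
            continue
        meta = obj.get("metadata", {})
        namespace = meta.get("namespace", "")
        findings.append({
            "kind": obj.get("kind"),
            "namespace": namespace,
            "name": meta.get("name"),
            "secrets": names,
            # flux-system keeps imagePullSecrets by default via the kustomize patch
            "expected": namespace in expected_namespaces,
        })
    return findings


# Constructed sample; object names are placeholders.
SAMPLE_LISTING = {
    "kind": "List",
    "items": [
        {"kind": "Pod",
         "metadata": {"namespace": "flux-system", "name": "source-controller-abc"},
         "spec": {"imagePullSecrets": [{"name": "private-registry"}]}},
        {"kind": "Pod",
         "metadata": {"namespace": "monitoring", "name": "prometheus-0"},
         "spec": {"containers": []}},
        {"kind": "ServiceAccount",
         "metadata": {"namespace": "anchore", "name": "default"},
         "imagePullSecrets": [{"name": "private-registry"}]},
        {"kind": "CronJob",
         "metadata": {"namespace": "logging", "name": "rotate"},
         "spec": {"jobTemplate": {"spec": {"template": {"spec": {
             "imagePullSecrets": [{"name": "private-registry"}]}}}}}},
    ],
}

if __name__ == "__main__":
    # Pipe kubectl output in, or run without input to see the sample.
    listing = SAMPLE_LISTING if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_pull_secrets(listing):
        tag = "expected default" if f["expected"] else "REPORT"
        print(f'{tag}: {f["kind"]} {f["namespace"]}/{f["name"]} -> {f["secrets"]}')
```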


Anchore Enterprise - MR

Anchore Enterprise is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.

As part of the integration, two new package-level definitions have been created with their defaults shown below:

      anchore-data-service:
        to:
          - ipBlock:
              cidr: 0.0.0.0/0
        ports:
          - port: 443
            protocol: TCP

      ldap-subnets:
        to:
          - ipBlock:
              cidr: 192.168.0.0/16
          - ipBlock:
              cidr: 172.16.0.0/12
          - ipBlock:
              cidr: 10.0.0.0/8
        ports:
          - port: 636
            protocol: TCP

      notification-services:
        to:
          - ipBlock:
              cidr: 0.0.0.0/0

      redis-subnets:
        to:
          - ipBlock:
              cidr: 192.168.0.0/16
          - ipBlock:
              cidr: 172.16.0.0/12
          - ipBlock:
              cidr: 10.0.0.0/8
        ports:
          - port: 6379
            protocol: TCP

      registry-subnets:
        to:
          - ipBlock:
              cidr: 0.0.0.0/0

The anchore-data-service definition is used to reach out to Anchore Enterprise's default feed service and is enabled by default. The ldap-subnets definition is also enabled by default and is only required if LDAP integration is being leveraged by Anchore Enterprise. If this functionality is not in use, it can be disabled as shown below:

networkPolicies:
  egress:
    from:
      ui:
        podSelector:
          matchLabels:
            app.kubernetes.io/component: ui
        to:
          definition:
            ldap-subnets: false

The notification-services and registry-subnets definitions can be further locked down if the CIDRs of those services are known. By default they are open, but only from the services that require that communication.

The redis-subnets definition is enabled automatically only if Anchore Enterprise is configured to use an external Redis service.

Anchore Enterprise also uses the database-subnets definition, which is defined globally in Big Bang and passed down to the anchoreEnterprise package. You’re encouraged to override the CIDRs defined there to match your infrastructure. Any changes made at that global level will propagate down into the anchoreEnterprise package and any other packages that leverage external databases.


Anchore Enterprise - MR

The internal PostgreSQL dependency has been migrated from a bundled chart to the upstream Bitnami chart. This migration requires two manual steps before running helm upgrade:

Warning: Platform One does not support the internal PostgreSQL database for production deployments. These steps are only applicable to development environments using the chart’s built-in PostgreSQL.

  1. Migrate the PostgreSQL secret keys:

The new chart expects different key names in the PostgreSQL secret. This must be done before the upgrade because Helm’s template rendering will fail if the expected keys are not present.

kubectl patch secret anchore-enterprise-postgresql -n anchore --type='json' -p="[
  {\"op\":\"add\",\"path\":\"/data/password\",\"value\":\"$(kubectl get secret anchore-enterprise-postgresql -n anchore -o jsonpath='{.data.postgresql-password}')\"},
  {\"op\":\"add\",\"path\":\"/data/postgres-password\",\"value\":\"$(kubectl get secret anchore-enterprise-postgresql -n anchore -o jsonpath='{.data.postgresql-postgres-password}')\"}
]"

  2. Delete the PostgreSQL StatefulSet while preserving the running pod:

The new chart changes an immutable field on the PostgreSQL StatefulSet, which will cause the upgrade to fail. The --cascade=orphan flag is critical, because it deletes the StatefulSet while leaving the database pod running, allowing the upgrade to recreate the StatefulSet and adopt the existing pod.

kubectl delete statefulset anchore-enterprise-postgresql -n anchore --cascade=orphan

After completing both steps, proceed with helm upgrade as normal.
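A pre-flight check for the two manual steps above, as an added example that is not part of the Big Bang or Anchore charts: it reads the output of `kubectl get secret,statefulset,pod -n anchore -o json` and reports anything that would still block the upgrade. The sample listings are constructed, and matching the database pod by the StatefulSet name prefix is an assumption.

```python
import base64
import json
import sys

NAMESPACE = "anchore"
SECRET = "anchore-enterprise-postgresql"
STATEFULSET = "anchore-enterprise-postgresql"
# New key expected by the upstream chart -> legacy key it is copied from (step 1).
KEY_MAP = {
    "password": "postgresql-password",
    "postgres-password": "postgresql-postgres-password",
}


def in_namespace(listing, kind):
    """Objects of one kind that live in the anchore namespace."""
    return [o for o in listing.get("items", [])
            if o.get("kind") == kind
            and o.get("metadata", {}).get("namespace") == NAMESPACE]


def check_secret(secret):
    """Step 1: both new keys exist, are non-empty and match the legacy values."""
    problems = []
    data = secret.get("data") or {}
    for new, old in KEY_MAP.items():
        if new not in data:
            problems.append(f"secret key '{new}' is missing")
        elif not base64.b64decode(data[new]):
            # Happens when the patch ran while the legacy key was absent:
            # the $(kubectl get ...) substitution expands to an empty string.
            problems.append(f"secret key '{new}' is empty")
        elif old in data and data[new] != data[old]:
            problems.append(f"secret key '{new}' differs from '{old}'")
    return problems


def check_statefulset_orphaned(listing):
    """Step 2: the StatefulSet is gone but its pod is still running."""
    problems = []
    if any(s["metadata"]["name"] == STATEFULSET
           for s in in_namespace(listing, "StatefulSet")):
        problems.append("StatefulSet still exists; delete it with --cascade=orphan")
    # Assumption: the database pod is named <statefulset>-<ordinal>.
    pods = [p for p in in_namespace(listing, "Pod")
            if p["metadata"]["name"].startswith(STATEFULSET + "-")]
    if not any(p.get("status", {}).get("phase") == "Running" for p in pods):
        problems.append("no running PostgreSQL pod; was --cascade=orphan omitted?")
    return problems


def preupgrade_problems(listing):
    """Return every blocker found; an empty list means both steps are done."""
    secrets = [s for s in in_namespace(listing, "Secret")
               if s["metadata"]["name"] == SECRET]
    problems = check_secret(secrets[0]) if secrets else [f"secret {SECRET} not found"]
    return problems + check_statefulset_orphaned(listing)


def b64(text):
    return base64.b64encode(text.encode()).decode()


def sample_listing(data, with_statefulset):
    """Constructed stand-in for the kubectl JSON output."""
    def meta(name):
        return {"namespace": NAMESPACE, "name": name}
    items = [
        {"kind": "Secret", "metadata": meta(SECRET), "data": data},
        {"kind": "Pod", "metadata": meta(STATEFULSET + "-0"),
         "status": {"phase": "Running"}},
    ]
    if with_statefulset:
        items.append({"kind": "StatefulSet", "metadata": meta(STATEFULSET)})
    return {"kind": "List", "items": items}


# Constructed passwords, for illustration only.
LEGACY = {"postgresql-password": b64("app-pw"),
          "postgresql-postgres-password": b64("admin-pw")}
READY = sample_listing(
    {**LEGACY, "password": b64("app-pw"), "postgres-password": b64("admin-pw")},
    with_statefulset=False)
NOT_READY = sample_listing({**LEGACY, "password": ""}, with_statefulset=True)

if __name__ == "__main__":
    listing = READY if sys.stdin.isatty() else json.load(sys.stdin)
    for problem in preupgrade_problems(listing):
        print("BLOCKER:", problem)
```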

The value postgresql.externalDBCheckEnabled along with the associated ensure-anchore-db-xyz job has been removed from this release. Prior to this release, the ensure-anchore-db job might cause issues and hang when using an external database. If the ensure-anchore-db job hangs on startup in earlier Big Bang releases, you can prevent that job from starting by setting externalDBCheckEnabled to true (which is counter-intuitive due to a logic issue with that job’s deployment):

addons:
  anchoreEnterprise:
    values:
      postgresql:
        externalDBCheckEnabled: true

Elasticsearch Kibana - MR

Configuring sso.additional_oidc modifies Elasticsearch secure settings, which will trigger a rolling restart of all Elasticsearch pods.


Fluentbit - MR

Before upgrading Fluentbit, certain ClusterPolicies must be manually deleted to prevent resource conflicts if Elasticsearch/Kibana is enabled. Failure to do so will block the HelmRelease reconciliation.

  1. Suspend the Fluentbit HelmRelease

    flux suspend hr fluentbit -n bigbang
    

  2. Delete ClusterPolicies - these policies will be recreated on reconciliation

    kubectl delete clusterpolicy sync-elastic-cert-secret -n fluentbit
    kubectl delete clusterpolicy sync-elastic-password-secret -n fluentbit
    

  3. Perform Big Bang upgrade

  4. Resume the Fluentbit HelmRelease

    flux resume hr fluentbit -n bigbang

Note: If you accidentally started the upgrade before performing these steps, simply run the kubectl delete commands above; the Flux controller will automatically detect the removal and complete the upgrade.


Fortify - MR

Fortify is now leveraging our bb-common integration for NetworkPolicies, Istio-related resources, and routes. Please refer to this blog post for additional information on the integration.

This update removes Fortify’s legacy broad fallback egress policy for external databases. If you are using the bundled MySQL subchart, no additional action is required.

If you are using an external MySQL instance, the upgrade now requires all of the following:

  1. Set addons.fortify.values.mysql.enabled: false to disable the bundled MySQL subchart.
  2. Update addons.fortify.values.fortify_autoconfig so the datasourceProperties and dbMigrationProperties point to the external database.
  3. Set addons.fortify.externalDatabase.host and, if needed, addons.fortify.externalDatabase.port so Big Bang can generate the outbound bb-common route for the external database when Istio is enabled.
  4. Set addons.fortify.values.networkPolicies.egress.definitions.external-mysql.to with the allowed destination CIDRs for the external database so the Fortify webapp NetworkPolicy is actually enabled.

Fortify’s external MySQL policy is now selector-scoped to the Fortify webapp and port-scoped to 3306. The route and the NetworkPolicy are configured separately:

  • addons.fortify.externalDatabase.host and addons.fortify.externalDatabase.port control the outbound bb-common route and, when Istio is enabled, the generated ServiceEntry.
  • addons.fortify.values.networkPolicies.egress.definitions.external-mysql.to controls whether the Fortify external-mysql egress NetworkPolicy is enabled.

Setting only addons.fortify.externalDatabase.host is not enough to allow database traffic. If the destination CIDRs are omitted, the Fortify chart still renders the external-mysql policy as disabled and the webapp will not be allowed to connect to the external database.

For instance, to disable the bundled MySQL chart and permit Fortify to connect to an external MySQL instance:

addons:
  fortify:
    externalDatabase:
      host: external-mysql.example.internal
      port: 3306
    values:
      mysql:
        enabled: false
      fortify_autoconfig: |
        appProperties:
          host.validation: false

        datasourceProperties:
          db.username: fortify
          db.password: change-me
          jdbc.url: 'jdbc:mysql://external-mysql.example.internal:3306/ssc_db?sessionVariables=collation_connection=latin1_general_cs&rewriteBatchedStatements=true'

        dbMigrationProperties:
          migration.enabled: true
          migration.username: fortify
          migration.password: change-me
      networkPolicies:
        egress:
          definitions:
            external-mysql:
              to:
                - ipBlock:
                    cidr: 10.20.30.40/32

If your external MySQL deployment is fronted by multiple addresses or subnets, add each allowed CIDR under addons.fortify.values.networkPolicies.egress.definitions.external-mysql.to. If those CIDRs are omitted, Fortify will not be able to reach the external database even if addons.fortify.externalDatabase.host is set and the outbound route is rendered. If Istio is disabled, the addons.fortify.externalDatabase.host and port values are not required for mesh registration. If you connect by IP instead of DNS, use that same address consistently in both addons.fortify.externalDatabase.host and the jdbc.url.
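The dependency between the route and the NetworkPolicy can be checked before deploying. The function below is an added example, not part of the Fortify chart: it takes the parsed Big Bang values as a dict and reports settings that disagree with each other. The sample values are constructed from the example above, and defaulting an unset port to 3306 is an assumption.

```python
import ipaddress
import re

# Host and optional port of the first jdbc:mysql:// URL in fortify_autoconfig.
JDBC_RE = re.compile(r"jdbc:mysql://(?P<host>[^/:?'\"\s]+)(?::(?P<port>\d+))?")
MYSQL_PORT = 3306  # the external-mysql policy is port-scoped to 3306


def dig(mapping, *keys):
    """Walk nested dicts, returning None as soon as a key is missing."""
    for key in keys:
        if not isinstance(mapping, dict):
            return None
        mapping = mapping.get(key)
    return mapping


def check_fortify_external_db(values, istio_enabled=True):
    """Return a list of problems; an empty list means the settings agree."""
    fortify = dig(values, "addons", "fortify") or {}
    problems = []

    if dig(fortify, "values", "mysql", "enabled") is not False:
        problems.append("values.mysql.enabled is not false: bundled MySQL still deployed")

    host = dig(fortify, "externalDatabase", "host")
    port = int(dig(fortify, "externalDatabase", "port") or MYSQL_PORT)
    if istio_enabled and not host:
        problems.append("externalDatabase.host unset: no outbound route or ServiceEntry")

    match = JDBC_RE.search(dig(fortify, "values", "fortify_autoconfig") or "")
    jdbc_host = match.group("host") if match else None
    if not match:
        problems.append("fortify_autoconfig has no jdbc:mysql:// URL")
    elif host:
        jdbc_port = int(match.group("port") or MYSQL_PORT)
        if (jdbc_host, jdbc_port) != (host, port):
            problems.append(
                f"jdbc.url targets {jdbc_host}:{jdbc_port} "
                f"but externalDatabase is {host}:{port}")

    to = dig(fortify, "values", "networkPolicies", "egress",
             "definitions", "external-mysql", "to") or []
    cidrs = [ipaddress.ip_network(entry["ipBlock"]["cidr"], strict=False)
             for entry in to if "ipBlock" in entry]
    if not cidrs:
        # Host alone is not enough: without CIDRs the policy renders as disabled.
        problems.append("external-mysql.to has no CIDRs: egress NetworkPolicy stays disabled")
    else:
        try:
            address = ipaddress.ip_address(jdbc_host or host or "")
        except ValueError:
            address = None  # DNS name: resolve and compare out of band
        if address is not None and not any(address in net for net in cidrs):
            problems.append(f"{address} is outside every external-mysql CIDR")
    return problems


def sample_values(host, cidrs):
    """Constructed values shaped like the example above (credentials omitted)."""
    autoconfig = (
        "datasourceProperties:\n"
        "  db.username: fortify\n"
        f"  jdbc.url: 'jdbc:mysql://{host}:3306/ssc_db?rewriteBatchedStatements=true'\n"
    )
    return {"addons": {"fortify": {
        "externalDatabase": {"host": host, "port": 3306},
        "values": {
            "mysql": {"enabled": False},
            "fortify_autoconfig": autoconfig,
            "networkPolicies": {"egress": {"definitions": {"external-mysql": {
                "to": [{"ipBlock": {"cidr": c}} for c in cidrs]}}}},
        },
    }}}


if __name__ == "__main__":
    # Host set but no destination CIDRs: the case the notice warns about.
    for problem in check_fortify_external_db(
            sample_values("external-mysql.example.internal", [])):
        print("PROBLEM:", problem)
```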


Keycloak - MR

The upstream Keycloak Iron Bank image has changed its default user from UID/GID 2000 to UID/GID 1000. If you have custom volume mounts, mounted configuration files, or persistent storage with ownership set to 2000:2000, you may need to update file permissions accordingly.


Mattermost - MR

If you are using the Mattermost-provided PostgreSQL in-cluster sub-chart database, you must perform a pg_dump before upgrading, then restore the database to the updated PostgreSQL pod using pg_restore. This in-cluster sub-chart database is NOT a production setup or a recommended installation. Documentation and other changes can be found here: https://www.postgresql.org/docs/18/release-18.html#RELEASE-18-MIGRATION


Monitoring - MR

This is part of the migration to bb-common. As part of this, we are focusing on layer 4 auth policies. Any layer 7 policies are being removed in favor of layer 4 policies which work in a broader number of environments.


Known Issues

  • bbctl Dashboards
    • CRON job output longer than 16kb will be split into multiple log entries when using the dockerd CRI, causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly.
    • bbctl-violations-dashboard / bbctl-all-logs-dashboard (Violations Logs)
      • These items will not populate if your Kubernetes cluster is too large and has too many violations. There is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the bbctl violations command to obtain the data.
  • Headlamp
    • Attempting to log in using OIDC will create a login ‘loop’. See upstream issue for further information.
  • Loki/Elasticsearch-kibana
    • If loki and EK are both enabled, drift detection will continually trigger as they share a peer authentication: default-peer-auth in the logging namespace. Issue
  • Prometheus
    • Target scraping for Fluentbit targets may encounter 503 Service Unavailable errors even though the pods are functioning as expected
    • Target scraping for Kube Operator may encounter errors. Issue

Upgrades from previous releases

If coming from a version pre-3.19.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-3.19.0.

Packages

| Package | Type | Package Version | BB Version |
| ------- | ---- | --------------- | ---------- |
| updated [Alloy](https://repo1.dso.mil/big-bang/product/packages/alloy) | Core | `v1.10.0` | `3.8.4-bb.0` [🔗](#alloy) |
| updated [Anchore Enterprise](https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise) | Addon | `5.25.0` | `3.21.1-bb.2` [🔗](#anchore-enterprise) |
| [Argocd](https://repo1.dso.mil/big-bang/product/packages/argocd) | Addon | `v3.3.0` | `9.4.2-bb.0` |
| [Authservice](https://repo1.dso.mil/big-bang/product/packages/authservice) | Addon | `1.1.5` | `1.1.5-bb.1` |
| [Backstage](https://repo1.dso.mil/big-bang/product/packages/backstage) | Addon | `1.1.0` | `2.6.3-bb.2` |
| [Bbctl](https://repo1.dso.mil/big-bang/product/packages/bbctl) | Core | `2.3.1` | `3.0.1-bb.3` |
| updated [Eck Operator](https://repo1.dso.mil/big-bang/product/packages/eck-operator) | Core | `3.3.1` | `3.3.1-bb.0` [🔗](#eck-operator) |
| updated [Elasticsearch Kibana](https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana) | Core | Kibana: `9.2.4` Elasticsearch: `9.2.4` | `1.35.0-bb.2` [🔗](#elasticsearch-kibana) |
| [External Secrets Operator](https://repo1.dso.mil/big-bang/product/packages/external-secrets) | Addon | `1.3.1` | `1.3.1-bb.1` |
| updated [Fluentbit](https://repo1.dso.mil/big-bang/product/packages/fluentbit) | Core | `4.2.3` | `0.56.0-bb.0` [🔗](#fluentbit) |
| updated [Fortify](https://repo1.dso.mil/big-bang/product/packages/fortify) | Addon | `25.4.0.0137` | `25.4.0-bb.1` [🔗](#fortify) |
| updated [Gatekeeper](https://repo1.dso.mil/big-bang/product/packages/policy) | Core | `v3.22.0` | `3.22.0-bb.0` [🔗](#gatekeeper) |
| updated [Gitlab](https://repo1.dso.mil/big-bang/product/packages/gitlab) | Addon | `18.9.2` | `9.9.3-bb.1` [🔗](#gitlab) |
| [Gitlab Runner](https://repo1.dso.mil/big-bang/product/packages/gitlab-runner) | Addon | `v18.8.0` | `0.85.0-bb.2` |
| updated [Grafana](https://repo1.dso.mil/big-bang/product/packages/grafana) | Core | `12.4.0` | `10.5.15-bb.1` [🔗](#grafana) |
| [Harbor](https://repo1.dso.mil/big-bang/product/packages/harbor) | Addon | `2.14.2` | `1.18.2-bb.0` |
| [Headlamp](https://repo1.dso.mil/big-bang/product/packages/headlamp) | Addon | `0.40.0` | `0.40.0-bb.0` |
| updated [Istio Cni](https://repo1.dso.mil/big-bang/product/packages/istio-cni) | Core | `1.29.1` | `1.29.1-bb.0` [🔗](#istio-cni) |
| updated [Istio Crds](https://repo1.dso.mil/big-bang/product/packages/istio-crds) | Core | `1.29.1` | `1.29.1-bb.0` [🔗](#istio-crds) |
| updated [Istio Gateway](https://repo1.dso.mil/big-bang/product/packages/istio-gateway) | Core | `1.29.1` | `1.29.1-bb.0` [🔗](#istio-gateway) |
| updated [Istiod](https://repo1.dso.mil/big-bang/product/packages/istiod) | Core | `1.29.1` | `1.29.1-bb.0` [🔗](#istiod) |
| updated [Keycloak](https://repo1.dso.mil/big-bang/product/packages/keycloak) | Addon | `26.5.5` | `7.1.8-bb.1` [🔗](#keycloak) |
| [Kiali](https://repo1.dso.mil/big-bang/product/packages/kiali) | Core | `2.22.0` | `2.22.0-bb.0` |
| [Kyverno](https://repo1.dso.mil/big-bang/product/packages/kyverno) | Core | `v1.17.0` | `3.7.0-bb.1` |
| [Kyverno Policies](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies) | Core | `3.3.4` | `3.3.4-bb.19` |
| updated [Kyverno Reporter](https://repo1.dso.mil/big-bang/product/packages/kyverno-reporter) | Core | `3.7.3` | `3.7.3-bb.0` [🔗](#kyverno-reporter) |
| [Loki](https://repo1.dso.mil/big-bang/product/packages/loki) | Core | `3.5.5` | `6.46.0-bb.5` |
| updated [Mattermost](https://repo1.dso.mil/big-bang/product/packages/mattermost) | Addon | `11.4.2` | `11.4.2-bb.2` [🔗](#mattermost) |
| updated [Mattermost Operator](https://repo1.dso.mil/big-bang/product/packages/mattermost-operator) | Addon | `1.25.5` | `1.25.5-bb.0` [🔗](#mattermost-operator) |
| [Metrics Server](https://repo1.dso.mil/big-bang/product/packages/metrics-server) | Addon | `v0.8.1` | `3.13.0-bb.5` |
| [Mimir](https://repo1.dso.mil/big-bang/product/packages/mimir) | Addon | `2.17.1` | `5.8.0-bb.5` |
| updated [Minio](https://repo1.dso.mil/big-bang/product/packages/minio) | Addon | `RELEASE.2025-10-15T17-29-55Z` | `7.1.1-bb.17` [🔗](#minio) |
| [Minio Operator](https://repo1.dso.mil/big-bang/product/packages/minio-operator) | Addon | `v7.1.1` | `7.1.1-bb.4` |
| updated [Monitoring](https://repo1.dso.mil/big-bang/product/packages/monitoring) | Core | Prometheus: `3.10.0` Grafana: `12.4.1` Alertmanager: `0.31.1` | `82.10.4-bb.2` [🔗](#monitoring) |
| [Neuvector](https://repo1.dso.mil/big-bang/product/packages/neuvector) | Core | `5.4.9` | `2.8.11-bb.0` |
| [Prometheus Operator Crds](https://repo1.dso.mil/big-bang/product/packages/prometheus-operator-crds) | Core | `v0.88.0` | `27.0.0-bb.0` |
| [Sonarqube](https://repo1.dso.mil/big-bang/product/packages/sonarqube) | Addon | `26.2.0.119303-community` | `2025.6.1-bb.4` |
| updated [Tempo](https://repo1.dso.mil/big-bang/product/packages/tempo) | Core | Tempo: `2.10.1` Tempo Query: `2.10.1` | `1.26.5-bb.0` [🔗](#tempo) |
| updated [Thanos](https://repo1.dso.mil/big-bang/product/packages/thanos) | Addon | `v0.41.0` | `17.3.3-bb.4` [🔗](#thanos) |
| [Twistlock](https://repo1.dso.mil/big-bang/product/packages/twistlock) | Core | `34.03.138` | `0.24.0-bb.5` |
| [Vault](https://repo1.dso.mil/big-bang/product/packages/vault) | Addon | `1.21.2` | `0.32.0-bb.0` |
| [Velero](https://repo1.dso.mil/big-bang/product/packages/velero) | Addon | `1.17.2` | `11.3.2-bb.2` |
| [Wrapper](https://repo1.dso.mil/big-bang/product/packages/wrapper) | Core | `0.4.15` | `0.4.15` |

Changes in 3.20.0

Big Bang MRs

  • !7501 align kube-operator servicemonitor with the others in big bang
  • !7499 add podAnnotations to elasticsearch for istio sidecar metrics scraping if monitoring is enabled
  • !7485 Resolve “Bug: Failed Link Check - Job Failed #55896454”
  • !7483 Remove nexusRepositoryManager package from Big Bang umbrella
  • !7465 Resolve “default registryCredentials.registry”
  • !7449 add external db variable for mattermost, enable netpol for db subnet
  • !7439 docs: fixing broken links
  • !7430 feat: require k8s 1.33
  • !7411 allow disabling pullsecret, add helm unit tests, remove from schema as requirement

Alloy

  • !7484: alloy update to 3.8.4-bb.0
  • !7451: alloy update to 3.7.2-bb.6
  • !7447: alloy update to 3.7.2-bb.5

# Changelog Updates

## [3.8.4-bb.0] (2026-03-16)
### Changed
- k8s-monitoring updated from 3.7.2 to 3.8.4
- bb-common updated from 0.12.3 to 0.14.1
- gluon updated from 0.9.7 to 0.9.8

## [3.7.2-bb.6] (2026-03-09)
### Added
- Added alloy-singleton collector and clusterEvents feature for Kubernetes cluster event collection
- Added network policy ingress rules for alloy-singleton on port 12345 (metrics scraping)
- Added network policy egress rules for alloy-singleton to kubeAPI and Loki on port 3100

## [3.7.2-bb.5] (2026-02-17)
### Changed
- ironbank/opensource/grafana/alloy-operator updated from 0.3.15 to 1.6.0

### Changed
- added bb-common netpol to create alloy-upstream job -> kube api

Anchore Enterprise

  • !7500: anchoreEnterprise update to 3.21.1-bb.2
  • !7488: anchoreEnterprise update to 3.21.1-bb.1
  • !7469: anchoreEnterprise update to 3.21.1-bb.0
  • !7456: anchoreEnterprise update to 3.21.0-bb.3
  • !7445: anchoreEnterprise update to 3.21.0-bb.2

# Changelog Updates

## [3.21.1-bb.2] (2026-03-19)
### Changed
- allow wildcard patch and pre-release versions for kubeversion

## [3.21.1-bb.1] (2026-03-16)
### Changed
- Added bb-common to dynamically generate network policies and istio-based resources

## [3.21.1-bb.0] (2026-03-13)
### Changed
- enterprise 3.21.0 -> 3.21.1
- postgresql 18.5.1 -> 18.5.6
- redis 25.3.0-bb.0 -> 25.3.2-bb.0
- registry1.dso.mil/ironbank/anchore/enterprise/enterprise 5.24.2 -> 5.25.0
- registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui 5.24.0 -> 5.25.0

## [3.21.0-bb.3] (2026-03-10)
### Changed
- change Chart.yaml to not include an upper-bound on kubeversion
- removed old chart/README.md

## [3.21.0-bb.2] (2026-03-06)
### Changed
- removed secretKeys overrides in favor of manual pre-upgrade secret key migration

## [3.21.0-bb.1] (2026-03-05)
### Changed
- migrated from bundled postgresql chart to upstream postgresql chart
- registry1.dso.mil/ironbank/opensource/postgres/postgresql 18.2 -> 18.3

Eck Operator

  • !7479: eckOperator update to 3.3.1-bb.0

# Changelog Updates

## [3.3.1-bb.0] (2026-03-05)
### Changed
- eck-operator updated from 3.2.0 to 3.3.1
- bb-common 0.11.2 -> 0.14.1
- eck-operator 3.2.0 -> 3.3.1
- registry1.dso.mil/ironbank/elastic/eck-operator/eck-operator 3.2.0 -> 3.3.1

Elasticsearch Kibana

  • !7446: elasticsearchKibana update to 1.35.0-bb.2

# Changelog Updates

## [1.35.0-bb.2]
### Added
- Multiple OIDC identity provider support via `sso.additional_oidc` MAP
  - Keyed by realm name for proper Helm values merge (secrets in SOPS merge with plain values)
  - Each provider gets unique order and Kibana provider key (oidc2, oidc3, etc.)
  - Default `requested_scopes` includes `groups` for role mapping support
- `sso.login_label` and `sso.additional_oidc.<realm>.login_label` for configuring login button text
### Changed
- Basic auth now ordered last after all OIDC providers on login page

Fluentbit

  • !7481: fluentbit update to 0.56.0-bb.0
  • !7349: fluentbit update to 0.55.0-bb.1

# Changelog Updates

## [0.56.0-bb.0] (2026-02-28)
### Changed
- bb-common updated from 0.13.0 to 0.14.1
- fluent-bit updated from 0.55.0 to 0.56.0
- gluon updated from 0.9.7 to 0.9.8

## [0.55.0-bb.1] (2026-02-04)
### Fixed
- Fixed Kyverno ClusterPolicies for elastic secret sync to trigger on Secret creation instead of Namespace creation, resolving race condition
- Reverted CI test backend from Loki to Elasticsearch

Fortify

  • !7457: fortify update to 25.4.0-bb.1

# Changelog Updates

## [25.4.0-bb.1] - 2026-03-09
### Changed
- Restructured NetworkPolicies with definitions for external MySQL database
- Added hbonePortInjection support for Istio ambient mesh
- Moved keystore-job network policy to bigbang directory
- Updated gluon to 0.9.8 so helm test network policies are rendered by the library chart
### Removed
- Removed allow-all-egress network policy
- Removed bb-tests egress network policies
### Added
- Added .gitignore file
- Added external-mysql egress definition for operator-provided external database CIDRs

Gatekeeper

  • !7460: gatekeeper update to 3.22.0-bb.0

# Changelog Updates

## [3.22.0-bb.0] (2026-03-11)
### Changed
- bb-common 0.14.0 -> 0.14.1
- gatekeeper 3.21.1 -> 3.22.0
- gluon 0.9.7 -> 0.9.8
- registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.21.1 -> v3.22.0

Gitlab

  • !7486: gitlab update to 9.9.3-bb.1
  • !7468: gitlab update to 9.9.3-bb.0

# Changelog Updates

## [9.9.3-bb.1] (2026-03-17)
### Changed
- Updated values.yaml to disable kas ingress by default

## [9.9.3-bb.0] (2026-03-13)
### Changed
- Updated bb-common `0.13.0` -> `0.14.1`
- Updated gitlab `9.8.2` -> `9.9.3`
- Updated gluon `0.9.7` -> `0.9.8`
- Updated ironbank/gitlab/gitlab/gitlab-webservice 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter v1.80.2 -> v1.82.0
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/certificates 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/kas 18.8.4 -> 18.9.2
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 18.8.4 -> 18.9.2

## [9.8.2-bb.3] (2026-02-24)
### Changed
- Updated values.yaml to use/set global image pull secrets

Grafana

  • !7466: grafana update to 10.5.15-bb.1
  • !7438: grafana update to 10.5.15-bb.0

# Changelog Updates

## [10.5.15-bb.1]
### Changed
- Migrated to bb-common for istio resources (PeerAuthentication, Sidecar, AuthorizationPolicies) and routes (VirtualService)

## [10.5.15-bb.0] (2026-02-27)
### Changed
- bb-common updated from 0.12.3 to 0.14.1
- gluon updated from 0.9.7 to 0.9.8
- grafana updated from 10.5.5 to 10.5.15

Istio Cni

  • !7471: istioCNI update to 1.29.1-bb.0

# Changelog Updates

## [1.29.1-bb.0] (2026-03-11)
### Changed
- cni 1.29.0 -> 1.29.1
- registry1.dso.mil/ironbank/opensource/istio/install-cni 1.29.0 -> 1.29.1

Istio Crds

  • !7472: istioCRDs update to 1.29.1-bb.0

# Changelog Updates

## [1.29.1-bb.0] (2026-03-11)
### Changed
- base 1.29.0 -> 1.29.1

Istio Gateway

  • !7473: istioGateway update to 1.29.1-bb.0

# Changelog Updates

## [1.29.1-bb.0] (2026-03-11)
### Changed
- bb-common 0.14.0 -> 0.14.1
- gateway 1.29.0 -> 1.29.1
- registry1.dso.mil/ironbank/opensource/istio/proxyv2 1.29.0 -> 1.29.1

Istiod

  • !7474: istiod update to 1.29.1-bb.0

# Changelog Updates

## [1.29.1-bb.0] (2026-03-11)
### Changed
- istiod 1.29.0 -> 1.29.1
- registry1.dso.mil/ironbank/opensource/istio/pilot 1.29.0 -> 1.29.1
- registry1.dso.mil/ironbank/opensource/istio/proxyv2 1.29.0 -> 1.29.1

Keycloak

  • !7461: keycloak update to 7.1.8-bb.1

# Changelog Updates

## [7.1.8-bb.1] (2026-03-10)
### Changed
- postgresql 18.4.0 -> 18.5.5
- registry1.dso.mil/ironbank/opensource/keycloak/keycloak 26.5.4 -> 26.5.5
- Updated podSecurityContext and securityContext uids and gids to reflect those in the new Iron Bank image.

Kyverno Reporter

  • !7443: kyvernoReporter update to 3.7.3-bb.0

# Changelog Updates

## [3.7.3-bb.0] (2026-03-05)
### Changed
- bb-common 0.14.0 -> 0.14.1
- policy-reporter 3.7.2 -> 3.7.3
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.4 -> v1.34.5
- registry1.dso.mil/ironbank/opensource/kyverno/policy-reporter 3.7.2 -> 3.7.3

Mattermost

  • !7477: mattermost update to 11.4.2-bb.2
  • !7444: mattermost update to 11.4.2-bb.1

# Changelog Updates

## [11.4.2-bb.2] (2026-03-16)
### Added
- added the namespace to the jdnc connection url secret

## [11.4.2-bb.1] (2026-03-05)
### Changed
- registry1.dso.mil/ironbank/opensource/postgres/postgresql (source) 17.6 -> 18.3
- Renovate regex updated to track registry/repository/tag image blocks in values.yaml

Mattermost Operator

  • !7482: mattermostOperator update to 1.25.5-bb.0

# Changelog Updates

## [1.25.5-bb.0] (2026-03-10)
### Changed
- Updated registry1.dso.mil/ironbank/opensource/mattermost/mattermost-operator v1.25.4 -> v1.25.5

Minio

  • !7454: minio update to 7.1.1-bb.17

# Changelog Updates

## [7.1.1-bb.17] - 2025-03-10
### Changed
- Fixed pod selectors in network policies and routes to use `v1.min.io/tenant` label

Monitoring

  • !7503: monitoring update to 82.10.4-bb.2
  • !7478: monitoring update to 82.10.4-bb.0
  • !7453: monitoring update to 82.1.1-bb.0
  • !7448: monitoring update to 80.13.3-bb.4
  • !7441: monitoring update to 80.13.3-bb.3
  • !7435: monitoring update to 80.13.3-bb.2

# Changelog Updates

## [82.10.4-bb.2] (2026-03-19)
### Added
- Added shared-monitoring-authz-policy AuthorizationPolicy for SSO-protected endpoints

## [82.10.4-bb.1] (2026-03-18)
### Changed
- Set `serviceDiscoveryRole: "EndpointSlice"` for Prometheus service discovery, replacing the deprecated Endpoints API (Kubernetes v1.33+)

## [82.10.4-bb.0] (2026-03-16)
### Changed
- bb-common 0.14.0 -> 0.14.1
- kube-prometheus-stack 82.1.1 -> 82.10.4
- registry1.dso.mil/ironbank/big-bang/grafana/grafana-plugins 12.3.3 -> 12.4.1
- registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen v1.6.7 -> v1.6.8
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.4 -> v1.34.5
- registry1.dso.mil/ironbank/opensource/prometheus/prometheus v3.9.1 -> v3.10.0

## [82.1.1-bb.0] (2026-03-10)
### Changed
- gluon 0.9.7 -> 0.9.8
- kube-prometheus-stack 80.13.3 -> 82.1.1
- prometheus-blackbox-exporter 11.7.0 -> 11.8.0
- prometheus-snmp-exporter 8.0.0 -> 9.12.1
- quay.io/prometheus-operator/prometheus-config-reloader v0.88.0 -> v0.89.0
- registry1.dso.mil/ironbank/big-bang/grafana/grafana-plugins 12.3.1 -> 12.3.3
- registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar 2.2.3 -> 2.5.0
- registry1.dso.mil/ironbank/opensource/ingress-nginx/kube-webhook-certgen v1.6.5 -> v1.6.7
- registry1.dso.mil/ironbank/opensource/kubernetes/kube-state-metrics v2.17.0 -> v2.18.0
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.3 -> v1.34.4
- registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader v0.88.0 -> v0.89.0
- registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-operator v0.88.0 -> v0.89.0
- registry1.dso.mil/ironbank/opensource/prometheus/alertmanager v0.30.0 -> v0.31.1
- registry1.dso.mil/ironbank/opensource/thanos/thanos v0.40.1 -> v0.41.0
- registry1.dso.mil/ironbank/opensource/prometheus/snmp_exporter v0.28.0 -> v0.30.1

## [80.13.3-bb.4] (2026-03-06)
### Changed
- convert snmp-exporter to passthrough removing dependency on KPT

## [80.13.3-bb.3] (2026-03-05)
### Changed
- cypress test changed to reduce size of target check payload

## [80.13.3-bb.2] (2026-02-24)
### Changed
- Removed layer 7 authorization policies are part of the bb-common 

## [80.13.3-bb.1] (2026-01-13)
### Changed
- bb-common 0.12.3 -> 0.14.0

Tempo

  • !7429: tempo update to 1.26.5-bb.0

# Changelog Updates

## [1.26.5-bb.0] (2026-02-25)
### Changed
- bb-common 0.14.0 -> 0.14.1
- gluon 0.9.7 -> 0.9.8
- tempo chart 1.24.4 -> 1.26.5
- registry1.dso.mil/ironbank/opensource/grafana/tempo 2.10.0 -> 2.10.1
- registry1.dso.mil/ironbank/opensource/grafana/tempo-query 2.10.0 -> 2.10.1
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.3 -> v1.34.4

Thanos

  • !7467: thanos update to 17.3.3-bb.4

# Changelog Updates

## [17.3.3-bb.4] (2026-03-10)
### Changed
- Migrated Cypress tests from `Cypress.env()` to `cy.env()` for gluon 0.9.8 compatibility
- Removed the upgrade job used to automate upgrade to Thanos `15.8.1-bb.0`
### Updated
- ironbank/thanos/thanos v0.40.1 -> v0.41.0
- ironbank/opensource/kubernetes/kubectl v1.34.2 -> v1.34.5
- gluon 0.9.6 -> 0.9.8
- bb-common 0.12.3 -> 0.14.1
- common 2.31.4 -> 2.36.0

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.