Skip to content

Release Notes - 3.23.0📜

Please see our documentation page for more information on how to consume and deploy BigBang.\ This release was primarily tested on Kubernetes 1.35.2 (EKS).

Upgrade Notices📜

BigBang - MR📜

Adds Renovate as a core package in the Big Bang umbrella chart. Previously, Renovate was only deployable via the generic packages: wrapper. This promotes it to a first-class core package with dedicated templates, values, schema validation, and full Big Bang integration.

  • Renovate is disabled by default (renovate.enabled: false), so existing deployments are unaffected.
  • To enable, set renovate.enabled: true and provide platform configuration via renovate.values.
  • Requires GitLab addon to be enabled (addons.gitlab.enabled: true) for the dependency chain.

BigBang - MR📜

You can now optionally set the release name for packages, no change to defaults. This will be used to normalize release names by default over time.

Keycloak - MR📜

This is a major Keycloak release. While there are no breaking changes specific to the chart shipped with Big Bang, there may be breaking changes specific to your Keycloak configuration. Please see the breaking changes section from the official Keycloak upgrading guide for more information.

Kyverno Reporter - MR📜

The UI for Kyverno Reporter now supports SSO authentication using OIDC. In support of this new authentication mechanism, the following values have been added:

kyvernoReporter:
  sso:
    enabled: true/false
    client_id: <Your Client Id Here>
    client_secret: <Your Client Secret Here>

The SSO Url is automatically configured based on the value specified under sso.url in the umbrella template.

Mimir - MR📜

Mimir is now leveraging our bb-common integration for all network policies and istio-related resources. Please refer to this blog post for additional information on the integration.

Sonarqube - MR📜

This is a major update to Sonarqube, during upgrade you may get a SonarQube is under maintenance error message on the Sonarqube UI. - To resolve this, once the HelmRelease upgrades you will be prompted to visit your sonarqube instance at a /setup URL. This is intended and launches a Database migration/update for sonarqube internally and the app will be available once that completes.

Known Issues📜

  • bbctl Dashboards
  • CRON job output longer than 16kb will be split into multiple log entries when using the dockerd CRI causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly
  • bbctl-violations-dashboard / bbctl-all-logs-dashboard(Violations Logs)
    • These items will not populate if you have too large of a kubernetes cluster with too many violations. There is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the bbctl violations command to obtain the data.
  • Headlamp
  • Attempting to login using OIDC will create a login ‘loop’. See upstream issue for further information.
  • Loki/Elasticsearch-kibana
  • If loki and EK are both enabled, drift detection will continually trigger as they share a peer authentication: default-peer-auth in the logging namespace. Issue
  • Prometheus
  • Target scraping for Fluentbit targets may encounter 503 Service Unavailable errors even though the pods are functioning as expected
  • Target scraping for Kube Operator may encounter errors. Issue

Upgrades from previous releases📜

If coming from a version pre-3.22.1, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-3.22.1.

Packages📜

Click to show Packages Version Updates | Package | Type | Package Version | BB Version | | ------- | ---- | --------------- | ---------- | | [Alloy](https://repo1.dso.mil/big-bang/product/packages/alloy) | Core | `v1.14.0` | `3.8.4-bb.1` | | updated [Anchore Enterprise](https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise) | Addon | `5.26.0` | `3.23.0-bb.0` [🔗](#anchore-enterprise) | | updated [Argocd](https://repo1.dso.mil/big-bang/product/packages/argocd) | Addon | `v3.3.6` | `9.5.0-bb.0` [🔗](#argocd) | | updated [Authservice](https://repo1.dso.mil/big-bang/product/packages/authservice) | Addon | `1.1.5` | `1.1.5-bb.2` [🔗](#authservice) | | updated [Backstage](https://repo1.dso.mil/big-bang/product/packages/backstage) | Addon | `1.1.0` | `2.6.3-bb.3` [🔗](#backstage) | | [Bbctl](https://repo1.dso.mil/big-bang/product/packages/bbctl) | Core | `2.3.1` | `3.0.1-bb.3` | | [Eck Operator](https://repo1.dso.mil/big-bang/product/packages/eck-operator) | Core | `3.3.1` | `3.3.1-bb.0` | | updated [Elasticsearch Kibana](https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana) | Core | Kibana: `9.3.1` Elasticsearch: `9.3.1` | `1.36.0-bb.0` [🔗](#elasticsearch-kibana) | | [External Secrets Operator](https://repo1.dso.mil/big-bang/product/packages/external-secrets) | Addon | `1.3.1` | `1.3.1-bb.1` | | updated [Fluentbit](https://repo1.dso.mil/big-bang/product/packages/fluentbit) | Core | `v5.0.2` | `0.57.2-bb.1` [🔗](#fluentbit) | | updated [Fortify](https://repo1.dso.mil/big-bang/product/packages/fortify) | Addon | `25.4.1.0006` | `25.4.1-bb.0` [🔗](#fortify) | | [Gatekeeper](https://repo1.dso.mil/big-bang/product/packages/policy) | Core | `v3.22.0` | `3.22.0-bb.0` | | [Gateway Api](https://repo1.dso.mil/big-bang/product/packages/gateway-api) | Core | `N/A` | `1.5.1-bb.1` | | updated [Gitlab](https://repo1.dso.mil/big-bang/product/packages/gitlab) | Addon | `18.11.1` | `9.11.1-bb.0` [🔗](#gitlab) | | updated [Gitlab Runner](https://repo1.dso.mil/big-bang/product/packages/gitlab-runner) | Addon | `v18.10.0` | `0.88.0-bb.0` [🔗](#gitlab-runner) | | [Grafana](https://repo1.dso.mil/big-bang/product/packages/grafana) | Core | `12.4.2` | `10.5.15-bb.3` | | [Harbor](https://repo1.dso.mil/big-bang/product/packages/harbor) | Addon | `2.15.0` | `1.18.3-bb.0` | | [Headlamp](https://repo1.dso.mil/big-bang/product/packages/headlamp) | Addon | `0.40.0` | `0.40.0-bb.0` | | updated [Istio Cni](https://repo1.dso.mil/big-bang/product/packages/istio-cni) | Core | `1.29.2` | `1.29.2-bb.0` [🔗](#istio-cni) | | updated [Istio Crds](https://repo1.dso.mil/big-bang/product/packages/istio-crds) | Core | `1.29.2` | `1.29.2-bb.0` [🔗](#istio-crds) | | updated [Istio Gateway](https://repo1.dso.mil/big-bang/product/packages/istio-gateway) | Core | `1.29.2` | `1.29.2-bb.0` [🔗](#istio-gateway) | | updated [Istiod](https://repo1.dso.mil/big-bang/product/packages/istiod) | Core | `1.29.2` | `1.29.2-bb.0` [🔗](#istiod) | | updated [Keycloak](https://repo1.dso.mil/big-bang/product/packages/keycloak) | Addon | `26.6.1` | `7.1.9-bb.3` [🔗](#keycloak) | | updated [Kiali](https://repo1.dso.mil/big-bang/product/packages/kiali) | Core | `2.25.0` | `2.25.0-bb.0` [🔗](#kiali) | | [Kyverno](https://repo1.dso.mil/big-bang/product/packages/kyverno) | Core | `v1.17.1` | `3.7.1-bb.0` | | [Kyverno Policies](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies) | Core | `3.3.4` | `3.3.4-bb.24` | | updated [Kyverno Reporter](https://repo1.dso.mil/big-bang/product/packages/kyverno-reporter) | Core | `3.7.3` | `3.7.3-bb.2` [🔗](#kyverno-reporter) | | [Loki](https://repo1.dso.mil/big-bang/product/packages/loki) | Core | `3.5.5` | `6.46.0-bb.5` | | updated [Mattermost](https://repo1.dso.mil/big-bang/product/packages/mattermost) | Addon | `11.6.1` | `11.6.1-bb.0` [🔗](#mattermost) | | [Mattermost Operator](https://repo1.dso.mil/big-bang/product/packages/mattermost-operator) | Addon | `1.25.5` | `1.25.5-bb.1` | | [Metrics Server](https://repo1.dso.mil/big-bang/product/packages/metrics-server) | Addon | `v0.8.1` | `3.13.0-bb.6` | | updated [Mimir](https://repo1.dso.mil/big-bang/product/packages/mimir) | Addon | `2.17.1` | `5.8.0-bb.6` [🔗](#mimir) | | updated [Minio](https://repo1.dso.mil/big-bang/product/packages/minio) | Addon | `RELEASE.2025-10-15T17-29-55Z` | `7.1.1-bb.18` [🔗](#minio) | | updated [Minio Operator](https://repo1.dso.mil/big-bang/product/packages/minio-operator) | Addon | `v7.1.1` | `7.1.1-bb.6` [🔗](#minio-operator) | | updated [Monitoring](https://repo1.dso.mil/big-bang/product/packages/monitoring) | Core | Prometheus: `3.11.1` Grafana: `12.4.2` Alertmanager: `0.32.0` | `83.4.0-bb.1` [🔗](#monitoring) | | [Neuvector](https://repo1.dso.mil/big-bang/product/packages/neuvector) | Core | `5.5.0` | `2.8.12-bb.0` | | [Prometheus Operator Crds](https://repo1.dso.mil/big-bang/product/packages/prometheus-operator-crds) | Core | `v0.88.0` | `28.0.0-bb.0` | | updated [Sonarqube](https://repo1.dso.mil/big-bang/product/packages/sonarqube) | Addon | `26.3.0.120487-community` | `2026.2.1-bb.0` [🔗](#sonarqube) | | [Tempo](https://repo1.dso.mil/big-bang/product/packages/tempo) | Core | Tempo: `2.10.1` Tempo Query: `2.10.1` | `1.26.5-bb.1` | | [Thanos](https://repo1.dso.mil/big-bang/product/packages/thanos) | Addon | `v0.41.0` | `17.3.3-bb.4` | | [Twistlock](https://repo1.dso.mil/big-bang/product/packages/twistlock) | Core | `34.04.145` | `0.25.0-bb.0` | | updated [Vault](https://repo1.dso.mil/big-bang/product/packages/vault) | Addon | `1.21.4` | `0.32.0-bb.1` [🔗](#vault) | | [Velero](https://repo1.dso.mil/big-bang/product/packages/velero) | Addon | `1.18.0` | `12.0.0-bb.0` | | [Wrapper](https://repo1.dso.mil/big-bang/product/packages/wrapper) | Core | `0.4.15` | `0.4.15` | | [Ztunnel](https://repo1.dso.mil/big-bang/product/packages/ztunnel) | Core | `1.29.1` | `1.29.1-bb.2` |

Changes in 3.23.0📜

Big Bang MRs📜

  • !7667 cue off consolidated object storage for dep proxy so migrations pod doesnt fail
  • !7651 Add common labels to all rendered helmreleases
  • !7650 add personas doc
  • !7642 fix: Revert “Merge branch ‘split-ambient-windows-doc’ into ‘master’“
  • !7638 docs: split ambient windows guide from renovate MR
  • !7636 feat: Attach Renovate Script
  • !7625 Resolve “Configure Test Values for Kyverno Reporter SSO”
  • !7619 fix minio-operator image pull secret
  • !7598 Honor global ambient flag for integrated packages
  • !7595 Add renovate package to core
  • !7561 Resolve “Update HelmRelease objects with ReleaseName setting to avoid redundancy in pod names”

Anchore Enterprise📜

  • !7600: anchoreEnterprise update to 3.23.0-bb.0
Click to show Changelog 
# Changelog Updates

## [3.23.0-bb.0] (2026-04-13)
### Changed
- bb-common 0.14.1 -> 0.14.2
- enterprise 3.21.3 -> 3.23.0
- gluon 0.9.8 -> 1.0.0
- postgresql 18.5.7 -> 18.5.17
- registry1.dso.mil/ironbank/anchore/enterprise/enterprise 5.25.1 -> 5.26.0
- registry1.dso.mil/ironbank/anchore/enterpriseui/enterpriseui 5.25.0 -> 5.26.0
- registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter v1.81.0 -> v1.82.0
- registry1.dso.mil/ironbank/opensource/redis/redis8-slim 8.6.1 -> 8.6.2

Argocd📜

  • !7611: argocd update to 9.5.0-bb.0
Click to show Changelog 
# Changelog Updates

## [9.5.0-bb.0] (2026-04-10)
### Changed
- argo-cd 9.4.17 -> 9.5.0
- gluon 0.9.8 -> 1.0.0

Authservice📜

  • !7648: authservice update to 1.1.5-bb.2
Click to show Changelog 
# Changelog Updates

## [1.1.5-bb.2] (2026-04-21)
### Changed
- Added istio ambient mode support with conditional targetRef/selector in authorization policies
- Added helm unit tests for ambient mode targetRef configuration
- Upgraded istio policy API versions from v1beta1 to v1

Backstage📜

  • !7655: backstage update to 2.6.3-bb.3
Click to show Changelog 
# Changelog Updates

## [2.6.3-bb.3] - 2026-04-22
### Changed
- Updated gluon 0.9.7 ->1.0.1
- Updated common 2.31.4 -> 2.38.0
- Updated bb-common version 0.12.3 ->0.14.2

Elasticsearch Kibana📜

  • !7617: elasticsearchKibana update to 1.36.0-bb.0
Click to show Changelog 
# Changelog Updates

## [1.36.0-bb.0] (2026-03-25)
### Changed
- registry1.dso.mil/ironbank/elastic/elasticsearch/elasticsearch updated from 9.2.4 to 9.3.1
- registry1.dso.mil/ironbank/elastic/kibana/kibana updated from 9.2.4 to 9.3.1
- bb-common updated from 0.12.3 to 0.14.2
- gluon updated from 0.9.7 to 0.9.8

Fluentbit📜

  • !7628: fluentbit update to 0.57.2-bb.1
Click to show Changelog 
# Changelog Updates

## [0.57.2-bb.1] (2026-04-23)
### Changed
- Fixed and refactored silently failing api script test.

## [0.57.2-bb.0] (2026-04-09)
### Changed
- bb-common updated from 0.14.1 to 0.14.2
- fluent-bit updated from 0.56.0 to 0.57.2
- gluon updated from 0.9.8 to 1.0.0

Fortify📜

  • !7621: fortify update to 25.4.1-bb.0
Click to show Changelog 
# Changelog Updates

## [25.4.1-bb.0] - 2026-04-14
### Changed
- Updated Fortify SSC image from 25.4.0.0137 to 25.4.1.0006
- Updated upstream helm-ssc chart from 25.4.0-1 to 25.4.1-1
- Updated gluon from 0.9.8 to 1.0.0
- Updated bb-common from 0.14.0 to 0.14.2
- Updated ubi9 image from 9.5 to 9.7
- Removed deprecated `engine: gotpl` from Chart.yaml
- Fixed renovate.json to group all updates into a single MR
- Added mysql chart version constraint (<10.0.0) to prevent unsafe major upgrades

Gitlab📜

  • !7669: gitlab update to 9.11.1-bb.0
Click to show Changelog 
# Changelog Updates

## [9.11.1-bb.0] (2026-04-28)
### Changed
- Updated gitlab `9.10.3` -> `9.11.1`
- Updated ironbank/gitlab/gitlab/gitlab-webservice 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/certificates 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/kas 18.10.3 -> 18.11.1
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 18.10.3 -> 18.11.1

Gitlab Runner📜

  • !7635: gitlabRunner update to 0.88.0-bb.0
Click to show Changelog 
# Changelog Updates

## [0.88.0-bb.0] (2026-04-20)
### Changed
- Updated [gitlab-runner](https://gitlab.com/gitlab-org/charts/gitlab-runner) `0.87.0` -> `0.88.0`
- Updated gluon `0.9.8` -> `1.0.1`

Istiod📜

  • !7609: istiod update to 1.29.2-bb.0
Click to show Changelog 
# Changelog Updates

## [1.29.2-bb.0] (2026-04-14)
### Changed
- bb-common 0.14.1 -> 0.14.2
- istiod 1.29.1 -> 1.29.2
- registry1.dso.mil/ironbank/opensource/istio/pilot 1.29.1 -> 1.29.2
- registry1.dso.mil/ironbank/opensource/istio/proxyv2 1.29.1 -> 1.29.2

Keycloak📜

  • !7633: keycloak update to 7.1.9-bb.3
  • !7599: keycloak update to 7.1.9-bb.2
  • !7575: keycloak update to 7.1.9-bb.1
Click to show Changelog 
# Changelog Updates

## [7.1.9-bb.3] (2026-04-20)
### Changed
- gluon 1.0.0 -> 1.0.1
- postgresql 18.5.17 -> 18.5.24
- registry1.dso.mil/ironbank/opensource/keycloak/keycloak 26.6.0 -> 26.6.1

## [7.1.9-bb.2] (2026-04-13)
### Changed
- gluon 0.9.8 -> 1.0.0
- postgresql 18.5.15 -> 18.5.17
- registry1.dso.mil/ironbank/opensource/keycloak/keycloak 26.5.7 -> 26.6.0

Kiali📜

  • !7639: kiali update to 2.25.0-bb.0
  • !7602: kiali update to 2.24.0-bb.1
Click to show Changelog 
# Changelog Updates

## [2.25.0-bb.0] (2026-04-21)
### Changed
- bb-common 0.14.1 -> 0.14.2
- gluon 0.9.8 -> 1.0.1
- kiali-operator 2.24.0 -> 2.25.0
- registry1.dso.mil/ironbank/opensource/kiali/kiali v2.24.0 -> v2.25.0
- registry1.dso.mil/ironbank/opensource/kiali/kiali-operator v2.24.0 -> v2.25.0
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.6 -> v1.34.7

## [2.24.0-bb.1] (2026-04-14)
### Added
- Added ambient test values for Istio ambient mode support
- Adjusted Cypress tests for ambient mode compatibility

Kyverno Reporter📜

  • !7585: Kyvernoreporter sso auth for virtual service
Click to show Changelog 
# Changelog Updates

## [3.7.3-bb.2] (2026-03-20)
### Changed
- Added values to support openid auth via keycloak
- Added sso Service Entry file

Mattermost📜

  • !7637: mattermost update to 11.5.1-bb.4
Click to show Changelog 
# Changelog Updates

## [11.6.1-bb.0] (2026-04-23)
### Changed
- gluon updated from 1.0.0 to 1.0.1
- Updated registry1.dso.mil/ironbank/opensource/mattermost/mattermost (source) 11.5.1 -> 11.6.1

## [11.5.1-bb.4] (2026-04-10)
### Changed
- Modify wait.sh script in chart and tests/ to support deploying Mattermost instance to dynamic namespace
- Open netpol to allow MM wait script traffic to kube api

Mimir📜

  • !7643: mimir update to 5.8.0-bb.6
Click to show Changelog 
# Changelog Updates

## [5.8.0-bb.6]
### Changed (2026-04-21)
- Updated gluon from 0.9.7 to 1.0.1
- Updated bb-common to 0.9.1 to 0.14.2
- Removed static resources and replaced with bb-common generated resources

## [5.8.0-bb.3] (2025-10-24)

Minio📜

  • !7615: minio update to 7.1.1-bb.18
Click to show Changelog 
# Changelog Updates

## [7.1.1-bb.18] - 2026-04-15
### Added
- Added `bucket-init` post-install/post-upgrade Job to reliably create buckets declared in `upstream.tenant.buckets`; workaround for MinIO Operator reconciliation being blocked by namespace-scoped admission webhooks (e.g., rollout-operator) that intercept StatefulSet UPDATE operations
- Added `registry1.dso.mil/ironbank/big-bang/base:2.1.0` image to `Chart.yaml` for use by the bucket-init Job

Minio Operator📜

  • !7659: minioOperator update to 7.1.1-bb.6
Click to show Changelog 
# Changelog Updates

## [7.1.1-bb.6] (2026-04-17)
### Changed
- registry1.dso.mil/ironbank/opensource/minio/operator-sidecar v7.0.1 -> v7.1.0
### Added
- Opt-in post-install/post-upgrade `tenantWaitJob` (disabled by default) that blocks HelmRelease completion until managed MinIO Tenants reach `status.currentState: Initialized`. Enabled in `tests/test-values.yaml` so the upgrade test pipeline no longer races the sidecar-induced StatefulSet rollout.

Monitoring📜

  • !7601: monitoring update to 83.4.0-bb.1
Click to show Changelog 
# Changelog Updates

## [83.4.0-bb.1] (2026-04-14)
### Added
- Added helm unit tests for metrics-upgrade-job, istio PrometheusRule, and OpenShift templates
### Changed
- Improved Alertmanager Cypress test with API health check and resilience against uncaught exceptions
- Improved Prometheus Cypress test with query result validation

### Changed
- Removed layer 7 authorization policies are part of the bb-common

Sonarqube📜

  • !7622: sonarqube update to 2026.2.1-bb.0
Click to show Changelog 
# Changelog Updates

## [2026.2.1-bb.0] - 2026-04-14
### Updated
- Updated bb-common 0.14.0 -> 0.14.2
- Updated gluon 0.9.8 -> 1.0.0
- Updated ironbank/sonarsource/sonarqube/sonarqube-community-build (source) 26.2.0.119303-community -> 26.3.0.120487-community
- Updated registry1.dso.mil/ironbank/sonarsource/sonarqube/sonarqube-community-build (source) 26.2.0.119303-community -> 26.3.0.120487-community
- Updated sonarqube (source) 2026.1.0 -> 2026.2.1

Vault📜

  • !7613: vault update to 0.32.0-bb.1
Click to show Changelog 
# Changelog Updates

## [0.32.0-bb.1] - 2026-04-14
### Changed
- Updated bb-common 0.14.0 -> 0.14.2
- Updated gluon 0.9.7 -> 1.0.0
- Updated registry1.dso.mil/ironbank/hashicorp/vault 1.21.2 -> 1.21.4
- Updated registry1.dso.mil/ironbank/hashicorp/vault-csi-provider v1.7.0 -> v1.7.1
- Updated registry1.dso.mil/ironbank/hashicorp/vault/vault-k8s v1.7.2 -> v1.7.3

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future📜

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.