Release Notes - 3.25.0

Please see our documentation page for more information on how to consume and deploy Big Bang. This release was primarily tested on Kubernetes 1.35.4 (EKS).

Upgrade Notices

BigBang - MR

With this release, Flux was upgraded to v2.8.6. Flux should be upgraded automatically if you are “fluxing the flux”. If not, upgrade it before applying this release. The upgrade introduces significant compatibility and behavior changes for Helm v4, particularly from the v2.8.0 release. These include Helm breaking changes and many Flux updates to support them; see the Flux release notes for 2.8.x and the Helm controller v1.5.0 CHANGELOG for more details. This is happening well ahead of the Helm v3 EoL on November 11th 2026. Flux supports the 3 most recent minor versions (e.g. 2.6.x, 2.7.x, 2.8.x for the CLI or 1.3.x, 1.4.x, 1.5.x for the helm-controller) on a best-effort basis.

Some notable changes:

  • Wait strategy now defaults to poller, which uses kstatus
  • We are keeping the legacy strategy on the umbrella in base to prevent BB from rolling back if any package fails; we will change this back to poller in the future
  • Post-renderers had significant changes and could be broken
  • Flux migration may be required
  • serverSideApply is now the default, which enforces strict schema validation during install/upgrade/rollback and changes how managed fields are handled; see the k8s documentation for more information

Things to check (non-exhaustive):

  • Validate that the umbrella switched to the legacy waitStrategy (HelmRelease.spec.waitStrategy=legacy)
  • Check Flux helm-controller events for wait/rollback changes during and after the upgrade
  • Verify post-renderer workflows
  • Resolve field-management conflicts now that Flux is using SSA (e.g. manual edits could be reverted to Flux’s source of truth)
  • Ensure your values meet strict schema validation

Please test these changes before rolling out to production; there may be significant breaking changes for your packages.


Alloy - MR

The Alloy package has been upgraded from upstream k8s-monitoring 3.8.4 to 4.0.1. This release includes breaking upstream values changes for log collection and destinations.

If you provide custom alloy.values.upstream overrides, review and update them before upgrading:

  • upstream.podLogs has been replaced by upstream.podLogsViaLoki for Loki-format pod log collection.
  • upstream.destinations now uses a map/object keyed by destination name instead of a list of destination objects.
  • Collector definitions now belong under upstream.collectors. In k8s-monitoring 4.x, collectors are explicitly configured and paired with presets such as deployment, singleton, daemonset, and filesystem-log-reader.
  • Features that use more than one collector should explicitly set collector, for example clusterEvents.collector: alloy-singleton, podLogsViaLoki.collector: alloy-logs, and applicationObservability.collector: alloy-receiver

Examples:

  • Old:
    alloy:
      values:
        upstream:
          destinations:
            - name: loki
              type: loki
              url: http://logging-loki-write.logging.svc.cluster.local:3100/loki/api/v1/push
          podLogs:
            enabled: true
            destinations:
              - loki
            collector: alloy-logs
  • New:
    alloy:
      values:
        upstream:
          destinations:
            loki:
              type: loki
              url: http://logging-loki-write.logging.svc.cluster.local:3100/loki/api/v1/push
          podLogsViaLoki:
            enabled: true
            destinations:
              - loki
            collector: alloy-logs

Upstream 4.0 also removed the old labelsToKeep-based pod log behavior as part of its log feature refactor. Review any custom pod log processing overrides for compatibility with k8s-monitoring 4.0.x.

Grafana has published a values conversion tool that you can use to update your values to the newest version: https://grafana.github.io/k8s-monitoring-helm-migrator/
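
A pre-upgrade check for the Alloy changes listed above, as an added example (not Big Bang's or Grafana's code, and not a replacement for the migrator tool): it flags `alloy.values.upstream` overrides still in the 3.x shape and applies the two mechanical renames from the Old/New example. The function names and sample dict are constructed for illustration; it assumes the values are already parsed into a Python dict and that the three features named above are switched on with an `enabled` key.

```python
import copy

# Features the release note names as needing an explicit collector.
FEATURES_NEEDING_COLLECTOR = ("clusterEvents", "podLogsViaLoki", "applicationObservability")


def check_upstream(upstream):
    """Return findings for alloy.values.upstream overrides still in 3.x shape."""
    findings = []
    if "podLogs" in upstream:
        findings.append("upstream.podLogs is replaced by upstream.podLogsViaLoki")
    if isinstance(upstream.get("destinations"), list):
        findings.append("upstream.destinations must be a map keyed by destination name")
    for feature in FEATURES_NEEDING_COLLECTOR:
        cfg = upstream.get(feature)
        if isinstance(cfg, dict) and cfg.get("enabled") and "collector" not in cfg:
            findings.append(f"upstream.{feature}.collector is not set")
    return findings


def migrate_upstream(upstream):
    """Apply the two mechanical renames shown in the Old/New example."""
    new = copy.deepcopy(upstream)
    dests = new.get("destinations")
    if isinstance(dests, list):
        converted = {}
        for entry in dests:
            entry = dict(entry)
            name = entry.pop("name")  # KeyError here means a destination had no name
            if name in converted:
                raise ValueError(f"duplicate destination name: {name}")
            converted[name] = entry
        new["destinations"] = converted
    if "podLogs" in new:
        if "podLogsViaLoki" in new:
            raise ValueError("both podLogs and podLogsViaLoki are set; merge by hand")
        new["podLogsViaLoki"] = new.pop("podLogs")
    return new


# Constructed sample: the "Old" override from the release note, as a parsed dict.
OLD_UPSTREAM = {
    "destinations": [{
        "name": "loki", "type": "loki",
        "url": "http://logging-loki-write.logging.svc.cluster.local:3100/loki/api/v1/push",
    }],
    "podLogs": {"enabled": True, "destinations": ["loki"], "collector": "alloy-logs"},
    "clusterEvents": {"enabled": True},  # constructed: enabled without a collector
}

if __name__ == "__main__":
    for finding in check_upstream(OLD_UPSTREAM):
        print("FAIL:", finding)
    print(migrate_upstream(OLD_UPSTREAM))
```

Collector definitions under `upstream.collectors` and custom pod log processing overrides are not converted here and still need manual review.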


Known Issues

  • bbctl Dashboards
    • CRON job output longer than 16kb will be split into multiple log entries when using the dockerd CRI, causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly.
    • bbctl-violations-dashboard / bbctl-all-logs-dashboard (Violations Logs)
      • These items will not populate if your Kubernetes cluster is too large and has too many violations. There is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the bbctl violations command to obtain the data.
  • Headlamp
    • Attempting to log in using OIDC will create a login ‘loop’. See upstream issue for further information.
  • Loki/Elasticsearch-kibana
    • If Loki and EK are both enabled, drift detection will continually trigger because they share a peer authentication: default-peer-auth in the logging namespace. Issue
  • Prometheus
    • Target scraping for Fluentbit targets may encounter 503 Service Unavailable errors even though the pods are functioning as expected.
    • Target scraping for Kube Operator may encounter errors. Issue
    • Target scraping for the development instance of Redis deployed with ArgoCD may require explicit network policies to be created.
    • Target scraping for Mimir service gateway fails because the endpoint does not exist. This target will be removed in a future release.

Upgrades from previous releases

If coming from a version pre-3.24.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-3.24.0.

Packages

| Package | Type | Package Version | BB Version |
| ------- | ---- | --------------- | ---------- |
| updated [Alloy](https://repo1.dso.mil/big-bang/product/packages/alloy) | Core | `v1.15.0` | `4.0.1-bb.0` [🔗](#alloy) |
| updated [Anchore Enterprise](https://repo1.dso.mil/big-bang/product/packages/anchore-enterprise) | Addon | `5.26.0` | `3.23.0-bb.2` [🔗](#anchore-enterprise) |
| updated [Argocd](https://repo1.dso.mil/big-bang/product/packages/argocd) | Addon | `v3.3.9` | `9.5.11-bb.1` [🔗](#argocd) |
| updated [Authservice](https://repo1.dso.mil/big-bang/product/packages/authservice) | Addon | `1.1.5` | `1.1.5-bb.3` [🔗](#authservice) |
| [Backstage](https://repo1.dso.mil/big-bang/product/packages/backstage) | Addon | `1.1.0` | `2.6.3-bb.3` |
| [Bbctl](https://repo1.dso.mil/big-bang/product/packages/bbctl) | Core | `2.3.1` | `3.0.1-bb.3` |
| updated [Eck Operator](https://repo1.dso.mil/big-bang/product/packages/eck-operator) | Core | `3.4.0` | `3.4.0-bb.1` [🔗](#eck-operator) |
| [Elasticsearch Kibana](https://repo1.dso.mil/big-bang/product/packages/elasticsearch-kibana) | Core | Kibana: `9.3.1` Elasticsearch: `9.3.1` | `1.36.0-bb.1` |
| [External Secrets Operator](https://repo1.dso.mil/big-bang/product/packages/external-secrets) | Addon | `1.3.1` | `1.3.1-bb.1` |
| [Fluentbit](https://repo1.dso.mil/big-bang/product/packages/fluentbit) | Core | `v5.0.3` | `0.57.3-bb.0` |
| [Fortify](https://repo1.dso.mil/big-bang/product/packages/fortify) | Addon | `25.4.1.0006` | `25.4.1-bb.0` |
| updated [Gatekeeper](https://repo1.dso.mil/big-bang/product/packages/policy) | Core | `v3.22.2` | `3.22.2-bb.1` [🔗](#gatekeeper) |
| [Gateway Api](https://repo1.dso.mil/big-bang/product/packages/gateway-api) | Core | `N/A` | `1.5.1-bb.1` |
| updated [Gitlab](https://repo1.dso.mil/big-bang/product/packages/gitlab) | Addon | `18.11.3` | `9.11.1-bb.1` [🔗](#gitlab) |
| [Gitlab Runner](https://repo1.dso.mil/big-bang/product/packages/gitlab-runner) | Addon | `v18.11.1` | `0.88.1-bb.0` |
| [Grafana](https://repo1.dso.mil/big-bang/product/packages/grafana) | Core | `12.4.2` | `10.5.15-bb.3` |
| [Harbor](https://repo1.dso.mil/big-bang/product/packages/harbor) | Addon | `2.15.0` | `1.18.3-bb.0` |
| [Headlamp](https://repo1.dso.mil/big-bang/product/packages/headlamp) | Addon | `0.40.0` | `0.40.0-bb.1` |
| [Istio Cni](https://repo1.dso.mil/big-bang/product/packages/istio-cni) | Core | `1.29.2` | `1.29.2-bb.0` |
| [Istio Crds](https://repo1.dso.mil/big-bang/product/packages/istio-crds) | Core | `1.29.2` | `1.29.2-bb.0` |
| [Istio Gateway](https://repo1.dso.mil/big-bang/product/packages/istio-gateway) | Core | `1.29.2` | `1.29.2-bb.0` |
| [Istiod](https://repo1.dso.mil/big-bang/product/packages/istiod) | Core | `1.29.2` | `1.29.2-bb.0` |
| [Keycloak](https://repo1.dso.mil/big-bang/product/packages/keycloak) | Addon | `26.6.1` | `7.1.9-bb.3` |
| updated [Kiali](https://repo1.dso.mil/big-bang/product/packages/kiali) | Core | `2.26.0` | `2.26.0-bb.1` [🔗](#kiali) |
| [Kyverno](https://repo1.dso.mil/big-bang/product/packages/kyverno) | Core | `v1.17.2` | `3.7.2-bb.1` |
| [Kyverno Policies](https://repo1.dso.mil/big-bang/product/packages/kyverno-policies) | Core | `3.3.4` | `3.3.4-bb.65` |
| [Kyverno Reporter](https://repo1.dso.mil/big-bang/product/packages/kyverno-reporter) | Core | `3.7.4` | `3.7.4-bb.0` |
| [Loki](https://repo1.dso.mil/big-bang/product/packages/loki) | Core | `3.7.1` | `6.55.0-bb.1` |
| updated [Mattermost](https://repo1.dso.mil/big-bang/product/packages/mattermost) | Addon | `11.6.2` | `11.6.2-bb.0` [🔗](#mattermost) |
| updated [Mattermost Operator](https://repo1.dso.mil/big-bang/product/packages/mattermost-operator) | Addon | `1.25.6` | `1.25.6-bb.0` [🔗](#mattermost-operator) |
| [Metrics Server](https://repo1.dso.mil/big-bang/product/packages/metrics-server) | Addon | `v0.8.1` | `3.13.0-bb.6` |
| [Mimir](https://repo1.dso.mil/big-bang/product/packages/mimir) | Addon | `3.0.6` | `6.0.6-bb.0` |
| [Minio](https://repo1.dso.mil/big-bang/product/packages/minio) | Addon | `RELEASE.2025-10-15T17-29-55Z` | `7.1.1-bb.18` |
| [Minio Operator](https://repo1.dso.mil/big-bang/product/packages/minio-operator) | Addon | `v7.1.1` | `7.1.1-bb.6` |
| [Monitoring](https://repo1.dso.mil/big-bang/product/packages/monitoring) | Core | Prometheus: `3.11.1` Grafana: `12.4.2` Alertmanager: `0.32.0` | `83.4.0-bb.2` |
| [Neuvector](https://repo1.dso.mil/big-bang/product/packages/neuvector) | Core | `5.5.1` | `2.8.13-bb.1` |
| [Prometheus Operator Crds](https://repo1.dso.mil/big-bang/product/packages/prometheus-operator-crds) | Core | `v0.88.0` | `28.0.1-bb.0` |
| [Renovate](https://repo1.dso.mil/big-bang/product/packages/renovate) beta | Core | `43.31.7` | `46.31.6-bb.5` |
| [Sonarqube](https://repo1.dso.mil/big-bang/product/packages/sonarqube) | Addon | `26.3.0.120487-community` | `2026.2.1-bb.0` |
| updated [Tempo](https://repo1.dso.mil/big-bang/product/packages/tempo) | Core | Tempo: `2.10.5` Tempo Query: `2.10.5` | `2.1.0-bb.1` [🔗](#tempo) |
| [Thanos](https://repo1.dso.mil/big-bang/product/packages/thanos) | Addon | `v0.41.0` | `17.3.3-bb.4` |
| [Twistlock](https://repo1.dso.mil/big-bang/product/packages/twistlock) | Core | `34.04.145` | `0.25.0-bb.2` |
| [Vault](https://repo1.dso.mil/big-bang/product/packages/vault) | Addon | `1.21.4` | `0.32.0-bb.1` |
| [Velero](https://repo1.dso.mil/big-bang/product/packages/velero) | Addon | `1.18.0` | `12.0.0-bb.0` |
| [Wrapper](https://repo1.dso.mil/big-bang/product/packages/wrapper) | Core | `0.4.15` | `0.4.15` |
| [Ztunnel](https://repo1.dso.mil/big-bang/product/packages/ztunnel) | Core | `1.29.1` | `1.29.1-bb.2` |

Changes in 3.25.0

Big Bang MRs

  • !7763 change waitStrategy to include .name
  • !7760 Updated logic to use correct value from package
  • !7755 Resolve “bug: new wait strategy with flux”
  • !7739 Remove Twistlock node mounts from k3d configuration
  • !7735 Resolve Duplicate Secret Creation Warning on Ambient
  • !7728 Fix k3d dev script
  • !7726 remove volumes from thanosSpec
  • !7720 3.24.0 cherrypick
  • !7717 Add test values for new “All packages” pipeline
  • !7711 Revert “Merge branch ‘revert-de26b492’ into ‘master’“
  • !7708 Templated bbtests values and removed from test-values

Alloy

  • !7702: alloy update to 4.0.1-bb.0
# Changelog Updates

## [4.0.1-bb.0] (2026-04-13)
### Changed
- k8s-monitoring updated from 3.8.4 to 4.0.1
- bb-common updated from 0.14.1 to 0.14.2
- gluon updated from 0.9.8 to 1.0.0
- registry1.dso.mil/ironbank/opensource/grafana/alloy updated from v1.14.0 to v1.15.0
- registry1.dso.mil/ironbank/opensource/prometheus-operator/prometheus-config-reloader updated from v0.89.0 to v0.90.1

Anchore Enterprise

  • !7731: anchoreEnterprise update to 3.23.0-bb.2
  • !7703: anchoreEnterprise update to 3.23.0-bb.1
# Changelog Updates

## [3.23.0-bb.2] (2026-05-19)
### Changed
- Removed default limits on pods and set default requests to follow upstream recommendations
- Removed resource requests and limits from cypress as they are the same as its defaults
- Removed TLSConfig and Scheme for Reports Service Monitor as it is no longer needed in Sidecar or Ambient mode

## [3.23.0-bb.1] (2026-05-05)
### Changed
- Removed SSO job Istio sidecar readiness and shutdown logic because native sidecars no longer require manual proxy termination.
- Updated stale Anchore documentation links so package link checks pass.

Argocd

  • !7719: argocd update to 9.5.11-bb.1
# Changelog Updates

## [9.5.11-bb.1] (2026-05-06)
### Changed
- Removed obsolete Istio sidecar readiness and `/quitquitquit` shutdown logic from the upgrade job.

Authservice

  • !7718: authservice update to 1.1.5-bb.3
# Changelog Updates

## [1.1.5-bb.3] (2026-05-11)
### Fixed
- Removed the Redis chart values-only `enabled` key from the `wait-for-redis` initContainer security context.

Eck Operator

  • !7722: eckOperator update to 3.4.0-bb.1
  • !7715: eckOperator update to 3.4.0-bb.0
# Changelog Updates

## [3.4.0-bb.1] (2026-05-13)
### Changed
- Removed obsolete Istio sidecar shutdown logic from the CRD upgrade hook.

## [3.4.0-bb.0] (2026-05-06)
### Changed
- eck-operator updated from 3.3.2 to 3.4.0
- bb-common 0.14.2 -> 0.15.0
- eck-operator 3.3.2 -> 3.4.0
- registry1.dso.mil/ironbank/elastic/eck-operator/eck-operator 3.3.2 -> 3.4.0
- Corrected NetworkPolicy egress schema by moving ports outside the to block

Gatekeeper

  • !7745: gatekeeper update to 3.22.2-bb.1
# Changelog Updates

## [3.22.2-bb.1] (2026-05-12)
### Fixed
- Removed invalid `readOnlyRootFilesystem` from pod-level securityContext in cleanupCRDs job (Helm 4 schema validation fix)
- Disabled `selinuxPolicy` constraint by default and fixed `allowedSELinuxOptions` schema for Helm 4 compliance

Gitlab

  • !7734: gitlab update to 9.11.1-bb.1
# Changelog Updates

## [9.11.1-bb.1] (2026-05-19)
### Changed
- Updated Gitlab `18.11.1` -> `18.11.3`
- Updated registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter v1.82.0 -> v1.83.0
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/certificates 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/kas 18.11.1 -> 18.11.3
- Updated registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 18.11.1 -> 18.11.3

Kiali

  • !7727: kiali update to 2.26.0-bb.1
# Changelog Updates

## [2.26.0-bb.1] (2026-05-18)
### Fixed
- Increased default Cypress timeout to 60 seconds to eliminate flaky test failures in ambient mode

## [2.26.0-bb.0] (2026-05-13)
### Changed
- bb-common 0.14.2 -> 0.15.0
- gluon 1.0.1 -> 1.1.0
- kiali-operator 2.25.0 -> 2.26.0
- registry1.dso.mil/ironbank/opensource/kiali/kiali v2.25.0 -> v2.26.0
- registry1.dso.mil/ironbank/opensource/kiali/kiali-operator v2.25.0 -> v2.26.0
- registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.34.7 -> v1.35.5

Mattermost

  • !7721: mattermost update to 11.6.2-bb.0
# Changelog Updates

## [11.6.2-bb.0] (2026-05-14)
### Changed
- bb-common updated from 0.14.2 to 0.15.0
- gluon updated from 1.0.1 to 1.1.0
- Updated registry1.dso.mil/ironbank/opensource/mattermost/mattermost (source) 11.6.1 -> 11.6.2
- Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl (source) v1.34 -> v1.35

Mattermost Operator

  • !7743: mattermostOperator update to 1.25.6-bb.0
# Changelog Updates

## [1.25.6-bb.0] (2026-05-06)
### Changed
- bb-common updated from 0.14.2 to 0.15.0
- Updated registry1.dso.mil/ironbank/opensource/mattermost/mattermost-operator v1.25.5 -> v1.25.6

Tempo

  • !7737: tempo update to 2.1.0-bb.1
# Changelog Updates

## [2.1.0-bb.1] (2026-05-06)
### Fixed
- Sets routes.inbound.tempo-query.selector.app.kubernetes.io/name: tempo, so the bb-common route-generated NetworkPolicy and AuthorizationPolicy target the actual Tempo pods instead of the nonexistent tempo-query label
- Dashboard template now renders each dashboard as its own ConfigMap document with --- separators

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.