Release Notes - 3.9.0

Please see our documentation page for more information on how to consume and deploy BigBang.\ This release was primarily tested on Kubernetes 1.33.4 (EKS).

Deprecations

HAProxy

• Big Bang team is planning to deprecate support for the HAProxy package in BigBang. If your team/project relies on the big bang HAProxy package, please let us know, either on the Big Bang community Slack, or P1 Mattermost or by creating an issue in the big bang backlog. This will help us ensure we account for all user needs going forward. If we do not receive any feedback, we will assume the software is no longer used, and will proceed with our plan to deprecate support and updates. As of this announcement, plans are to remove HAProxy from the Big Bang umbrella in 3.11

Fortify

• Big Bang team is planning to deprecate support for the Fortify package in Big Bang. Platform One has migrated away from using Fortify scans in pipelines in favor of GitLab SAST. If you are with a team or program actively using this package. Please reach out and let us know on the Big Bang community slack, MM IL2 or by creating an issue in the big bang backlog. As of this announcement, plans are to remove Fortify from the Big Bang umbrella in 3.11

Upgrade Notices

BigBang - MR

The passthrough helper is now disabled by default. To enable the helper, set .Values.disableAutomaticPassthroughValues to false. If you want to enable the helper globally but disable it for specific packages, set .Values.disableAutomaticPassthroughValues to false (to turn on the helper globally), then set it to true for each package where you don’t want the helper to be used.

---

Bbctl - MR

• The preflight check registry credentials have been removed from the baseConfig section of bbctl values.yaml
• Use the credentialsFile section to provide registry credentials instead
• The preflight check image is now configurable
• Provide the registry hostname in the registryOverrides config and the correct credentials, then set preflightCheck.image to the image and tag value the command will use to deploy as the pod.

---

Grafana - MR

There are two major upgrade notices 1) passthrough refactor and 2) upgrade job for redeploying immutable deployment.

Passthrough Refactor: The grafana chart has been refactored to the Big Bang “passthrough” chart pattern - please read this upgrade notice is its entirety. All upstream chart value overrides in ./chart/values.yaml will need to be shifted under the upstream key.

Example:

Previous Values:

grafana:
  values:
    image:
     registry: registry1.dso.mil
     repository: ironbank/big-bang/grafana/grafana-plugins
     tag: "12.1.0"
 ...

Current Values:

grafana:
  values:
    upstream:
      image:
      registry: registry1.dso.mil
      repository: ironbank/big-bang/grafana/grafana-plugins
      tag: "12.1.0"
 ...

Please note, this change does not apply to Big Bang-added top-level keys, including: istio, networkPolicies, serviceMonitor, monitoring, openshift, enterprise, alertmanager, sso, autoRollingUpgrade, and bbtests.

Upgrade Job for Immutable Deployment: As apart of the conversion to the Big Bang passthrough chart pattern, immutable labels/selectors have been updated and will require a recreation of the Grafana deployment resource. Big Bang has added a job to automatically handle this as a pre-upgrade helm hook but requires an additional value to be set: .Values.autoRollingUpgrade.enabled

grafana:
  enabled: true
  ...
  values:
    autoRollingUpgrade:
      enabled: true

Upgrade Notices

Alloy - MR

All upstream chart values overrides in ./chart/values.yaml will need to be nested under the upstream key.

For example:

Previous Values:

alloy:
  values:
    k8s-monitoring:
      alloy-logs:
        enabled: true
      podLogs:
        enabled: true

Current Values:

alloy:
  values:
    upstream:
      alloy-logs:
        enabled: true
      podLogs:
        enabled: true

Please note, this change does not apply to Big Bang-added top-level keys, including: istio, networkPolicies, openshift, upgradeCrds.

---

Kyverno Policies - MR

Previously, the restrict-capabilities.yaml policy only allowed a single additional capability to be added. Now, it correctly supports multiple capabilities being added.

This should not result any any unexpected behavior because the new policy is more lenient and should allow it to be more easily consumed by downstream teams.

---

Sonarqube - MR

Breaking Changes

• This release resets the SonarQube StatefulSet label from app: upstream to app: sonarqube. Because this also changes the StatefulSet’s selector labels (.spec.selector.matchLabels), which are immutable, an upgrade may fail due to a conflict. To ensure a successful upgrade, follow the steps below.”

Follow these steps to upgrade your SonarQube instance. You should be able to run this prior-to or just-after upgrading Big Bang:

1. Delete the existing SonarQube StatefulSets. This will prevent the upgrade from failing due to immutable field errors.

   kubectl delete statefulset sonarqube-sonarqube -n sonarqube
   

---

Upgrades from previous releases

If coming from a version pre-3.8.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-3.8.0.

Packages

Package	Type	Package Version	BB Version
Alloy	Core	v1.10.0	3.2.1-bb.3 🔗
Anchore Enterprise	Addon	5.20.2	3.14.2-bb.3 🔗
Argocd	Addon	v3.1.8	8.5.8-bb.2 🔗
Authservice	Addon	1.1.1	1.1.1-bb.2 🔗
Backstage	Addon	1.0.10	2.5.3-bb.1
Bbctl	Core	2.0.0	3.0.0-bb.0
Eck Operator	Core	3.1.0	3.1.0-bb.0
Elasticsearch Kibana	Core	Kibana: 9.1.4 Elasticsearch: 9.1.4	1.32.0-bb.0 🔗
External Secrets Operator	Addon	0.20.2	0.20.2-bb.0 🔗
Fluentbit	Core	4.0.8	0.52.0-bb.0
Fortify	Addon	25.2.1.0010	1.1.2320154-bb.34
Gatekeeper	Core	v3.20.0	3.20.0-bb.0 🔗
Gitlab	Addon	18.4.1	9.4.1-bb.1 🔗
Gitlab Runner	Addon	v18.4.0	0.81.0-bb.0 🔗
Grafana	Core	12.2.0	10.0.0-bb.0 🔗
Haproxy	Addon	v2.2.33	1.19.3-bb.10
Harbor	Addon	2.14.0	1.18.0-bb.2 🔗
Headlamp	Addon	0.35.0	0.35.0-bb.2 🔗
Istio Cni	Core	1.27.1	1.27.1-bb.0
Istio Crds	Core	1.27.1	1.27.1-bb.0
Istio Gateway	Core	1.27.1	1.27.1-bb.2 🔗
Istiod	Core	1.27.1	1.27.1-bb.0
Keycloak	Addon	26.1.4	7.1.4-bb.0 🔗
Kiali	Core	2.16.0	2.16.0-bb.2 🔗
Kyverno	Core	v1.15.2	3.5.2-bb.0 🔗
Kyverno Policies	Core	3.3.4	3.3.4-bb.14 🔗
Kyverno Reporter	Core	3.5.0	3.5.0-bb.2 🔗
Loki	Core	3.5.1	6.30.1-bb.6 🔗
Mattermost	Addon	10.12.0	10.12.0-bb.1 🔗
Mattermost Operator	Addon	1.25.2	1.25.2-bb.0 🔗
Metrics Server	Addon	v0.8.0	3.13.0-bb.0
Mimir	Addon	2.17.1	5.8.0-bb.1
Minio	Addon	RELEASE.2025-09-07T16-13-09Z	7.1.1-bb.11 🔗
Minio Operator	Addon	v7.1.1	7.1.1-bb.1
Monitoring	Core	Prometheus: 3.4.2 Grafana: 12.0.2 Alertmanager: 0.28.1	75.6.1-bb.5
Neuvector	Core	5.4.6	2.8.8-bb.2 🔗
Nexus Repository Manager	Addon	3.84.0-03	84.0.0-bb.1 🔗
Prometheus Operator Crds	Core	21.0.0	23.0.0-bb.0
Sonarqube	Addon	25.7.0.110598-community	2025.4.2-bb.2 🔗
Tempo	Core	Tempo: 2.7.2 Tempo Query: 2.7.2	1.21.1-bb.2
Thanos	Addon	v0.39.2	17.2.2-bb.0
Twistlock	Core	34.02.133	0.23.0-bb.1 🔗
Vault	Addon	1.20.4	0.31.0-bb.0 🔗
Velero	Addon	1.16.1	10.0.7-bb.1
Wrapper	Core	0.4.15	0.4.15

Changes in 3.9.0

Big Bang MRs

• !6950 Bugfix for Kiali grafana-auth-secret Template
• !6927 add logging-loki-script-test kyverno exception
• !6923 fix(test-values): Correct cypress env to correct Loki URL for Monolithic
• !6902 Add exeception for script-test job
• !6897 fix(keycloak): use templated full name for tls secrets
• !6885 docs(values): add a warning to keycloak’s values key about template keys
• !6881 PR-259
• !6876 refactor(test-values): replace inline keycloak resources with init container

Alloy

• !6932: alloy update to 3.2.1-bb.3

  # Changelog Updates
  
  ## [3.2.1-bb.3] (2025-09-29)
  ### Changed
  - Added upstream alias to k8s-monitoring chart dependency to conform with Big Bang passthrough standards.
  

Argocd

• !6933: argocd update to 8.5.8-bb.2
• !6914: argocd update to 8.5.8-bb.0
• !6903: argocd update to 8.3.5-bb.1

  # Changelog Updates
  
  ## [8.5.8-bb.2] (2025-10-09)
  ### Changed
  - redis 8.2.1 -> 8.2.2
  
  ## [8.5.8-bb.1] (2025-10-08)
  ### Changed
  - Fix renovate to consolidate changes into one MR
  
  ## [8.5.8-bb.0] (2025-10-03)
  ### Changed
  - Upgrade argo-cd helm chart 8.3.5 -> 8.5.8
  - redis (source) 22.0.4-bb.1 -> 22.0.7-bb.1
  - gluon 0.9.0 -> 0.9.2
  - ironbank/big-bang/argocd (source) 3.1.4 -> 3.1.8
  - registry1.dso.mil/ironbank/big-bang/argocd v3.1.3 -> v3.1.8
  - registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter v1.74.0 -> v1.77.0
  - registry1.dso.mil/ironbank/bitnami/redis 8.0.3 -> 8.2.1
  
  ## [8.3.5-bb.1] (2025-10-02)
  ### Changed
  - Added redis and redis-exporter as dependencies to the chart annotation helm.sh/images
  

Authservice

• !6943: authservice update to 1.1.1-bb.2
• !6909: authservice update to 1.1.1-bb.1
• !6896: authservice update to 1.1.1-bb.0

  # Changelog Updates
  
  ## [1.1.1-bb.2] (2025-10-09)
  ### Changed
  - ironbank/bitnami/redis from 8.2.1 to 8.2.2
  
  ## [1.1.1-bb.1] (2025-09-30)
  ### Changed
  - add init container "wait-for-redis" to avoid initial CrashLoopBackOff as redis is starting up.
  - remove unused variable redis.image.tag. If an image change is desired, user can refer to the redis-bb chart to pass in those related options. (See upstream.image.registry, upstream.image.repository, upstream.image.tag in the redis-bb chart)
  - bump bb-common dependency to 0.8.2
  
  ## [1.1.1-bb.0] (2025-09-30)
  ### Changed
  - authservice updated from 1.0.4 to 1.1.1
  

Elasticsearch Kibana

• !6920: elasticsearchKibana update to 1.32.0-bb.0

  # Changelog Updates
  
  ## [1.32.0-bb.0] (2025-09-22)
  ### Changed
  - gluon updated from 0.9.0 to 0.9.1
  - registry1.dso.mil/ironbank/elastic/elasticsearch/elasticsearch updated from 9.1.3 to 9.1.4
  - registry1.dso.mil/ironbank/elastic/kibana/kibana updated from 9.1.3 to 9.1.4
  

External Secrets Operator

• !6924: externalSecrets update to 0.20.2-bb.0
• !6891: externalSecrets update to 0.20.1-bb.1
• !6871: externalSecrets update to 0.20.1-bb.0

  # Changelog Updates
  
  ## [0.20.2-bb.0] - 2025-10-7
  ### Updated
  - Updated registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets (source) 0.20.1 -> 0.20.2
  
  ## [0.20.1-bb.1] - 2025-10-1
  ### Updated
  - Updated gluon 0.9.1 -> 0.9.2
  - Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl (source) v1.32.9 -> v1.33.5
  
  ## [0.20.1-bb.0] - 2025-09-25
  ### Updated
  - Updated gluon 0.9.0 -> 0.9.1
  - Updated registry1.dso.mil/ironbank/opensource/external-secrets/external-secrets (source) minor 0.19.2 -> 0.20.1
  - Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl (source) patch v1.33.4 -> v1.33.5
  

Gatekeeper

• !6809: gatekeeper update to 3.20.0-bb.0

  # Changelog Updates
  
  ## [3.20.0-bb.0] (2025-08-26)
  ### Changed
  - gluon 0.5.19 -> 0.7.0
  - registry1.dso.mil/ironbank/opensource/kubernetes/kubectl v1.32.4 -> v1.32.8
  - registry1.dso.mil/ironbank/opensource/openpolicyagent/gatekeeper v3.19.1 -> v3.20.0
  

Gitlab

• !6940: gitlab update to 9.4.1-bb.1

  # Changelog Updates
  
  ## [9.4.1-bb.1] (2025-10-09)
  ### Changed
  - registry1.dso.mil/ironbank/bitnami/analytics/redis-exporter v1.77.0 -> v1.78.0
  

Gitlab Runner

• !6872: gitlabRunner update to 0.81.0-bb.0

  # Changelog Updates
  
  ## [0.81.0-bb.0] (2025-09-25)
  ### Changed
  - Update gitlab-runner chart version minor v0.80.1 -> v0.81.0
  - gluon 0.9.0 -> 0.9.1
  - ironbank/gitlab/gitlab-runner/gitlab-runner (source) v18.3.0 -> v18.4.0
  - ironbank/gitlab/gitlab-runner/gitlab-runner-helper (source) v18.3.0 -> v18.4.0
  - registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner v18.3.0 -> v18.4.0
  - registry1.dso.mil/ironbank/gitlab/gitlab-runner/gitlab-runner-helper v18.3.0 -> v18.4.0
  

Grafana

• !6921: grafana update to 10.0.0-bb.0

  # Changelog Updates
  
  ## [10.0.0-bb.0] (2025-10-01)
  ### Changed
  - grafana updated from 9.3.1 to 10.0.0
  - gluon updated from 0.7.0 to 0.9.2
  - registry1.dso.mil/ironbank/big-bang/grafana/grafana-plugins updated from 12.1.0 to 12.2.0
  - registry1.dso.mil/ironbank/kiwigrid/k8s-sidecar updated from 1.30.7 to 1.30.10
  - registry1.dso.mil/ironbank/opensource/grafana/grafana-image-renderer updated from v4.0.10 to v4.0.15
  - Updated ImagePullPolicy to Always to ensure nightly IB image rebuilds are pulled
  - Updated istio custom resources apiVersion to v1 instead of v1beta1
  

Harbor

• !6941: harbor update to 1.18.0-bb.2
• !6922: harbor update to 1.18.0-bb.1
• !6900: harbor update to 1.18.0-bb.0

  # Changelog Updates
  
  ## [1.18.0-bb.2] (2025-10-09)
  ### Changed
  - redis 8.2.1 -> 8.2.2
  
  ## [1.18.0-bb.1] (2025-10-07)
  ### Changed
  - gluon 0.9.2 -> 0.9.3
  - postgresql 16.7.27 -> 18.0.7
  
  ## [1.18.0-bb.0] (2025-09-29)
  ### Changed
  - Updated Harbor chart version 1.17.2 -> 1.18.0
  - gluon 0.9.0 -> 0.9.2
  - goharbor/redis-photon v2.13.2 -> v2.14.0
  - goharbor/harbor-db v2.13.2 -> v2.14.0
  - registry1.dso.mil/ironbank/opensource/goharbor/harbor-core v2.13.2 -> v2.14.0
  - registry1.dso.mil/ironbank/opensource/goharbor/harbor-exporter v2.13.2 -> v2.14.0
  - registry1.dso.mil/ironbank/opensource/goharbor/harbor-jobservice v2.13.2 -> v2.14.0
  - registry1.dso.mil/ironbank/opensource/goharbor/harbor-portal v2.13.2 -> v2.14.0
  - registry1.dso.mil/ironbank/opensource/goharbor/harbor-registryctl v2.13.2-> v2.14.0
  - registry1.dso.mil/ironbank/opensource/goharbor/registry v2.13.2 -> v2.14.0
  - registry1.dso.mil/ironbank/opensource/goharbor/trivy-adapter v2.13.2 -> v2.14.0
  

Headlamp

• !6895: headlamp update to 0.35.0-bb.2

  # Changelog Updates
  
  ## [0.35.0-bb.2] (2025-09-26)
  ### Updated
  - Created a new pre-defined clusterrolebinding.yaml to include limited dev access
  - Created a .md file in the doc to summarize operations
  

Istio Gateway

• !6942: istioGateway update to 1.27.1-bb.2
• !6879: istioGateway update to 1.27.1-bb.1

  # Changelog Updates
  
  ## [1.27.1-bb.2] (2025-09-18)
  ### Changed
  - Updated gluon to 0.9.2
  
  ## [1.27.1-bb.1] (2025-09-18)
  ### Changed
  - Updated schema to match new bb-common schema
  - Incorporated bb-common netpol implementation
  

Keycloak

• !6929: keycloak update to 7.1.4-bb.0

  # Changelog Updates
  
  ## [7.1.4-bb.0] - 2025-10-6
  ### Changed
  - Added test to verify High Availability is functioning as expected
  - Removed legacy code for non native istio sidecars
  - Updated logic for default peer authentication
  - Removed imagePullSecrets from import-values in chart.yaml
  - Updated Gluon and Keycloak helm chart dependencies
  

Kiali

• !6916: kiali update to 2.16.0-bb.2
• !6904: kiali update to 2.16.0-bb.1
• !6866: kiali update to 2.16.0-bb.0

  # Changelog Updates
  
  ## [2.16.0-bb.2] - 2025-10-06
  ### Updated
  - Updated gluon to 0.9.2
  
  ## [2.16.0-bb.1] - 2025-09-24
  ### Updated
  - Updated bb-common to 0.8.1, moves VirtualService generation to bb-common
  
  ## [2.16.0-bb.0] - 2025-09-23
  ### Updated
  - Updated Kiali and Kiali-Operator from 2.15.0 to 2.16.0
  

Kyverno

• !6917: kyverno update to 3.5.2-bb.0

  # Changelog Updates
  
  ## [3.5.2-bb.0] - 2025-10-06
  ### Removed
  - Updated app version from `3.5.1-bb.0` to `3.5.2-bb.0`
  - Update gluon from `0.8.4` to `0.9.2`
  - Updated kubectl from `v1.33.4` to `v1.33.5`
  

Kyverno Policies

• !6841: kyvernoPolicies update to 3.3.4-bb.14

  # Changelog Updates
  
  ## [3.3.4-bb.14] (2025-08-20)
  ### Fixed
  - Fix restrict-capabilities policy to allow for multiple allowed capabilities
  

Kyverno Reporter

• !6888: kyvernoReporter update to 3.5.0-bb.2

  # Changelog Updates
  
  ## [3.5.0-bb.2] (2025-10-01)
  ### Changed
  - Update gluon v0.9.1 -> v0.9.2
  - Update registry1.dso.mil/ironbank/nirmata/policy-reporter/policy-reporter-ui v2.4.3 -> v2.4.4
  
  ## [3.5.0-bb.1] (2025-09-22)
  ### Changed
  - Update gluon v0.9.0 -> v0.9.1
  - Added reference to upstream values in comment for values.yaml
  

Mattermost

• !6889: mattermost update to 10.12.0-bb.1

  # Changelog Updates
  
  ## [10.12.0-bb.1] (2025-10-01)
  ### Changed
  - gluon updated from 0.9.1 -> 0.9.2
  

Mattermost Operator

• !6908: mattermostOperator update to 1.25.2-bb.0

  # Changelog Updates
  
  ## [1.25.2-bb.0] (2025-10-03)
  ### Changed
  - Updated registry1.dso.mil/ironbank/opensource/mattermost/mattermost-operator (source) v1.25.1 -> v1.25.2
  
  ## [1.25.1-bb.1] (2025-09-17)
  ### Changed
  - Removed mattermost-operator-crds-1.24.0
  

Minio

• !6928: minio update to 7.1.1-bb.11
• !6880: minio update to 7.1.1-bb.10

  # Changelog Updates
  
  ## [7.1.1-bb.11] - 2025-10-07
  ### Updated
  - Updated gluon from 0.9.2 -> 0.9.3
  
  ## [7.1.1-bb.10] - 2025-09-30
  ### Changed
  - Updated gluon from 0.9.0 -> 0.9.2
  - Updated registry1.dso.mil/ironbank/opensource/minio/operator-sidecar (source) v7.0.1 -> v7.1.0
  

Neuvector

• !6878: neuvector update to 2.8.8-bb.2

  # Changelog Updates
  
  ## [2.8.8-bb.2] (2025-09-26)
  ### Changed
  - update condition part of helm.sh/images
  

Nexus Repository Manager

• !6864: nexusRepositoryManager update to 84.0.0-bb.1

  # Changelog Updates
  
  ## [84.0.0-bb.1] - 2025-09-25
  ### Changed
  - Updated Gluon 0.9.0 -> 0.9.1
  

Sonarqube

• !6925: SKIP UPGRADE CHECK sonarqube update to 2025.4.2-bb.2
• !6910: sonarqube update to 2025.4.2-bb.1
• !6892: sonarqube update to 2025.4.2-bb.0

  # Changelog Updates
  
  ## [2025.4.2-bb.2] - 2025-10-06
  ### Updated
  - Allow HTTPS Egress Network Policy fix Incorrect podSelector
  - Set 'upstream.prometheusExporter.downloadURL' to use local JAR file from Ironbank image instead of downloading from Maven Central`
  
  ## [2025.4.2-bb.1] - 2025-10-03
  ### Updated
  - Disabled initFs by default
  
  ## [2025.4.2-bb.0] - 2025-09-19
  ### Updated
  - sonarqube chart minor 2025.3.1 -> 2025.4.2
  - sonarqube app 25.7.0.110598-community -> 25.8.0.112029-community
  

Twistlock

• !6905: twistlock update to 0.23.0-bb.1

  # Changelog Updates
  
  ## [0.23.0-bb.1] (2025-10-02)
  ### Changed
  - gluon updated from 0.8.4 to 0.9.2
  - Updated ironbank/opensource/kubernetes/kubectl  v1.33.4 -> v1.33.5
  

Vault

• !6898: vault update to 0.31.0-bb.0

  # Changelog Updates
  
  ## [0.31.0-bb.0] - 2025-09-30
  ### Changed
  - Updated chart to 0.31.0
  - gluon 0.9.0 -> 0.9.2
  - ironbank/hashicorp/vault (source) 1.20.3 -> 1.20.4
  - registry1.dso.mil/ironbank/hashicorp/vault (source) 1.20.3 -> 1.20.4
  - registry1.dso.mil/ironbank/hashicorp/vault-csi-provider (source) v1.5.1 -> v1.6.0
  

Known Issues

• bbctl Dashboards
• CRON job output longer than 16kb will be split into multiple log entries when using the dockerd CRI causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly
• bbctl-violations-dashboard / bbctl-all-logs-dashboard(Violations Logs)
  • These items will not populate if you have too large of a kubernets cluster with too many violations. There is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the bbctl violations command to obtain the data.
• Headlamp
• An issue with the flux plugin being able to load certain menu items has been identified. This appears to be an issue with the javascript code used to create the plugin.
  • Menu items having an issue:
  • Kustomizations
  • HelmReleases
  • ImageAutomations
  • Notifications
• Attempting to login using OIDC will create a login ‘loop’. See upstream issue for further information.

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

• Open issues here
• Join our Mattermost channel
• Join our Slack
• Check out the documentation for guidance on how to get started

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.