Release Notes - 3.15.0

Please see our documentation page for more information on how to consume and deploy BigBang.\ This release was primarily tested on Kubernetes 1.33.5 (EKS).

Deprecations

Nexus Repository Manager

• Big Bang team is planning to deprecate support for the Nexus Repository Manager package in BigBang. The upstream chart has been deprecated on October 24, 2023. As of this announcement, plans are to remove the Nexus Repository Manager package from the Big Bang umbrella in release 3.16.0. The update in 3.14 will be the final update for Nexus Repository Manager. Our team has added a new Big Bang package, NXRM3-HA, this is the official high availability Nexus Repository Manager chart supported by Sonatype. This package will be updated and maintained by the Big Bang team for use on Repo1/Reg1 but will not be included in the Umbrella chart as an addon. See migration guide for details on how to install using the BYO packages: section of the umbrella. Migration detail for nxrm-ha can be found here

Upgrade Notices

Gatekeeper - MR

Breaking changes

Gatekeeper has moved to passthrough and certain values will need to be migrated under the upstream label. For example

gatekeeper:
  # -- Toggle deployment of OPA Gatekeeper.
  enabled: false

  # -- Values to passthrough to the gatekeeper chart: https://repo1.dso.mil/big-bang/product/packages/policy.git
  values: 
    upstream:
      replicas: 1

These upstream value are defined here: https://github.com/open-policy-agent/gatekeeper/blob/master/charts/gatekeeper/values.yaml

---

Headlamp - MR

The headlamp package has been migrated to bb-common. While steps have been taken to maintain backwards compatibility with existing configurations by translating the old configuration into bb-common’s more explicit syntax, Big Bang consumers are encouraged to migrate their values directly as soon as possible. Some appropriate configuration changes when consumers migrate are outlined below.

Ingress Config

bb-common creates a consistent ingress configuration syntax across all Big Bang packages with its routes functionality. Take a look at the routes documentation to understand how to use it to expose headlamp’s UI.

---

Loki - MR

Loki is now leveraging our bb-common integration for network policies and istio-related resources. Please refer to this blog post for additional information on the integration. During this process a previously unknown bug was found where the network policy allowing traffic from Grafana to Loki’s gateway was actually allowing all traffic into that gateway. The network policy has been updated as part of this work so that it functions as intended.

This update for Loki also uses a new reusable rule that has been created in the umbrella template for storage-subnets that allows users to configure access to external storage CIDRs via the values.yaml file. By default, this network policy is wide open to all CIDR’s over TCP port 443 as there is no way to know the CIDRs in advance, however, if you are using AWS you can retrieve this data by executing the following command:

curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service=="S3") | select(.region=="us-gov-east-1") | .ip_prefix'

[!NOTE] Make sure to update the region in the above command to match the region you are using in AWS.

Once the CIDR’s are retrieved you can update the values.yaml accordingly as shown in the below example to restrict access further:

networkPolicies:
  enabled: true
  egress:
    definitions:
      storage-subnets:
        to:
          - ipBlock:
              cidr: "108.175.52.0/22"
          - ipBlock:
              cidr: "108.175.60.0/22"
          - ipBlock:
              cidr: "18.252.145.192/28"
          - ipBlock:
              cidr: "18.252.145.208/28"
        ports:
          - port: 443
            protocol: TCP
          - port: 80
            protocol: TCP

You can also add any additional TCP ports if needed as shown in the example above.

---

Mimir - MR

Mimir 5.8.0-bb.4 upgrade updates Big Bang MinIO dependency chart to 7.1.1-bb.15. MinIO chart now follows a passthrough refactor which are included in this upgrade. If you are planning to use MinIO with Loki please see the breaking change for MinIO in the 7.1.1-bb.9 Upgrade Notice as shown below:

MinIO 7.1.1-bb.9 Upgrade Notice

This release of MinIO migrates the chart to the passthrough pattern.

Values overrides are now nested under the upstream key. For example:

mimir:
  values:
    minio-tenant:
      tenant:
        pools:
        - name: pool-0
          servers: 3
          volumesPerServer: 4

becomes:

mimir:
  values:
    minio-tenant:
      upstream:
        tenant:
          pools:
          - name: pool-0
            servers: 3
            volumesPerServer: 4

---

Upgrades from previous releases

If coming from a version pre-3.14.0, note the additional upgrade notices in any release in between. The BB team doesn’t test/guarantee upgrades from anything pre-3.14.0.

Packages

Package	Type	Package Version	BB Version
Alloy	Core	v1.10.0	3.2.1-bb.6
Anchore Enterprise	Addon	5.20.2	3.14.2-bb.4
Argocd	Addon	v3.2.0	9.1.4-bb.0
Authservice	Addon	1.1.1	1.1.1-bb.5
Backstage	Addon	1.1.0	2.6.3-bb.1 🔗
Bbctl	Core	2.2.0	3.0.1-bb.1 🔗
Eck Operator	Core	3.2.0	3.2.0-bb.0
Elasticsearch Kibana	Core	Kibana: 9.2.2 Elasticsearch: 9.2.1	1.34.0-bb.1
External Secrets Operator	Addon	0.20.4	0.20.4-bb.0
Fluentbit	Core	4.2.0	0.54.0-bb.1
Fortify	Addon	25.4.0.0137	1.1.2320154-bb.39
Gatekeeper	Core	v3.21.0	3.21.0-bb.1 🔗
Gitlab	Addon	18.7.0	9.7.0-bb.0 🔗
Gitlab Runner	Addon	v18.5.0	0.83.2-bb.0
Grafana	Core	12.3.0	10.3.1-bb.0 🔗
Harbor	Addon	2.14.0	1.18.0-bb.6
Headlamp	Addon	0.39.0	0.39.0-bb.1 🔗
Istio Cni	Core	1.28.2	1.28.2-bb.0 🔗
Istio Crds	Core	1.28.2	1.28.2-bb.0 🔗
Istio Gateway	Core	1.28.0	1.28.0-bb.0
Istiod	Core	1.28.0	1.28.0-bb.0
Keycloak	Addon	26.4.7	7.1.5-bb.0 🔗
Kiali	Core	2.19.0	2.19.0-bb.2
Kyverno	Core	v1.16.1	3.6.1-bb.0
Kyverno Policies	Core	3.3.4	3.3.4-bb.15
Kyverno Reporter	Core	3.6.0	3.7.0-bb.0
Loki	Core	3.5.5	6.46.0-bb.2 🔗
Mattermost	Addon	11.1.1	11.1.1-bb.2
Mattermost Operator	Addon	1.25.3	1.25.3-bb.0
Metrics Server	Addon	v0.8.0	3.13.0-bb.4
Mimir	Addon	2.17.1	5.8.0-bb.4 🔗
Minio	Addon	RELEASE.2025-10-15T17-29-55Z	7.1.1-bb.15
Minio Operator	Addon	v7.1.1	7.1.1-bb.3
Monitoring	Core	Prometheus: 3.8.1 Grafana: 12.3.0 Alertmanager: 0.30.0	80.4.1-bb.1 🔗
Neuvector	Core	5.4.7	2.8.9-bb.0
Nexus Repository Manager	Addon	3.86.2-01	86.0.0-bb.0
Prometheus Operator Crds	Core	25.0.1	25.0.1-bb.0 🔗
Sonarqube	Addon	25.11.0.114957-community	2025.6.1-bb.0 🔗
Tempo	Core	Tempo: 2.8.2 Tempo Query: 2.8.2	1.23.3-bb.2
Thanos	Addon	v0.40.1	17.3.3-bb.1
Twistlock	Core	34.03.138	0.24.0-bb.0
Vault	Addon	1.20.4	0.31.0-bb.6
Velero	Addon	1.17.1	11.1.1-bb.2
Wrapper	Core	0.4.15	0.4.15

Changes in 3.15.0

Big Bang MRs

• !7207 Fixed incorrect reference in Loki Gateway
• !7187 Update version references to 3.14.0
• !7181 Removed Authservice Labels from Tempo Template
• !7175 docs: updating some of the package integration docs
• !7163 Fix authservice wiring in istiod when enabled via monitoring/tempo/thanos SSO

Backstage

• !7190: backstage update to 2.6.3-bb.1

  # Changelog Updates
  
  ## [2.6.3-bb.1] - 2025-12-22
  ### Changed
  - Updated gluon 0.9.6 ->0.9.7
  

Bbctl

• !7205: bbctl update to 3.0.1-bb.1

  # Changelog Updates
  
  ## [3.0.1-bb.1] (2026-1-2)
  ### Changed
  - updated bbctl to application version 2.2.0
  - gluon updated from 0.9.5 to 0.9.7
  - updated registry1.dso.mil/ironbank/opensource/yq/yq (source) 4.48.1 -> 4.50.1
  - updated registry1.dso.mil/ironbank/redhat/ubi/ubi8-minimal (source) 9.6 -> 9.7
  

Gatekeeper

• !7186: gatekeeper update to 3.21.0-bb.1

  # Changelog Updates
  
  ## [3.21.0-bb.1] (2025-12-11)
  ### Changed
  - Moved to passthrough pattern
  

Gitlab

• !7192: gitlab update to 9.7.0-bb.0

  # Changelog Updates
  
  ## [9.7.0-bb.0] (2025-12-24)
  ### Changed
  - update gitlab chart 9.6.2 -> 9.7.0
  - ironbank/gitlab/gitlab/gitlab-webservice (source) 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/certificates 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitaly 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-base 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-container-registry 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-exporter 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-mailroom 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-pages 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-shell 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-sidekiq 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-toolbox 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-webservice 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/gitlab-workhorse 18.6.2 -> 18.7.0
  - registry1.dso.mil/ironbank/gitlab/gitlab/kubectl 18.6.2 -> 18.7.0
  

Grafana

• !7185: grafana update to 10.3.1-bb.0

  # Changelog Updates
  
  ## [10.3.1-bb.0] (2025-12-17)
  ### Changed
  - bb-common updated from 0.10.0 to 0.11.3
  - gluon updated from 0.9.6 to 0.9.7
  - grafana updated from 10.2.0 to 10.3.1
  

Headlamp

• !7202: headlamp update to 0.39.0-bb.1

  # Changelog Updates
  
  ## [0.39.0-bb.1] (2025-12-30)
  ### Changed
  - Migrated to bb-common istio and network policy implementation
  
  ## [0.39.0-bb.0] (2025-12-23)
  ### Updated
  - Updated registry1.dso.mil/ironbank/opensource/headlamp-k8s/headlamp (source) v0.38.0 -> v0.39.0
  - Updated registry1.dso.mil/ironbank/opensource/headlamp-k8s/headlamp (source) 0.38.0 -> 0.39.0
  - Updated headlamp dependency chart 0.38.0 -> 0.39.0
  - Updated gluon dependency chart 0.9.6 -> 0.9.7
  - Updated cypress test
  - Updated cypress (source) 15.7.0 -> 15.8.1
  
  ## [0.38.0-bb.0] (2025-11-24)
  ### Updated
  - Updated registry1.dso.mil/ironbank/opensource/headlamp-k8s/headlamp (source) v0.37.0 -> v0.38.0
  - Updated registry1.dso.mil/ironbank/opensource/headlamp-k8s/headlamp (source) 0.37.0 -> 0.38.0
  - Updated registry1.dso.mil/ironbank/opensource/kubernetes/kubectl (source) v1.33.5 -> v1.33.6
  - Updated cypress (source) 15.6.0 -> 15.7.0
  

Istio Cni

• !7198: istioCNI update to 1.28.2-bb.0

  # Changelog Updates
  
  ## [1.28.2-bb.0] (2025-12-23)
  ### Changed
  - cni updated from 1.28.0 to 1.28.2
  

Istio Crds

• !7195: istioCRDs update to 1.28.2-bb.0

  # Changelog Updates
  
  ## [1.28.2-bb.0] (2025-12-23)
  ### Changed
  - base updated from 1.28.0 to 1.28.2
  

Keycloak

• !7177: keycloak update to 7.1.5-bb.0

  # Changelog Updates
  
  ## [7.1.5-bb.0] - 2025-12-18
  ### Updated
  - Updated Keycloak to 26.4.6
  
  ## [7.1.4-bb.6] - 2025-12-08
  ### Changed 
  - Remove extra postgres subchart from local git repo
  

Loki

• !7169: loki update to 6.46.0-bb.2

  # Changelog Updates
  
  ## [6.46.0-bb.2] (2025-12-17)
  ### Changed
  - Add bb-common 0.11.3 as chart dependency
  - Replaced netpols, authpols, peerauths, and virtual service with bb-common generated resources
  

Mimir

• !7172: mimir update to 5.8.0-bb.4

  # Changelog Updates
  
  ## [5.8.0-bb.4] (2025-12-11)
  ### Changed
  - Updated the MinIO dependency chart from 7.1.1-bb.8 -> 7.1.1-bb.15
  - Updated the gluon dependency chart from 0.9.5 -> 0.9.7
  - Updated enterprise-metrics from 2.17.0 -> 2.17.3
  - Updated nginx from 1.29.3 -> 1.29.4
  
      ## [5.8.0-bb.3] (2025-10-24)
  

Monitoring

• !7182: monitoring update to 80.4.1-bb.1

  # Changelog Updates
  
  ## [80.4.1-bb.1] (2025-12-17)
  ### Changed
  - bb-common 0.11.2 -> 0.11.3
  - registry1.dso.mil/ironbank/opensource/prometheus/alertmanager v0.29.0 -> v0.30.0
  - registry1.dso.mil/ironbank/opensource/prometheus/prometheus v3.8.0 -> v3.8.1
  

Sonarqube

• !7201: sonarqube update to 2025.6.1-bb.0

  # Changelog Updates
  
  ## [2025.6.1-bb.0] - 2025-12-29
  ### Updated
  - sonarqube chart minor 2025.6.0 -> 2025.6.1
  
  ## [2025.6.0-bb.0] - 2025-12-18
  ### Updated
  - sonarqube chart minor 2025.5.0 -> 2025.6.0
  

Known Issues

• bbctl Dashboards
• CRON job output longer than 16kb will be split into multiple log entries when using the dockerd CRI causing invalid JSON structures to be imported into Loki. Use containerd as the CRI to ensure long log lines are parsed correctly
• bbctl-violations-dashboard / bbctl-all-logs-dashboard(Violations Logs)
  • These items will not populate if you have too large of a kubernetes cluster with too many violations. There is a limit to the amount of data that can be processed. If you hit this limit and need the information, you can still use the bbctl violations command to obtain the data.
• Headlamp
• An issue with the flux plugin being able to load certain menu items has been identified. This appears to be an issue with the javascript code used to create the plugin.
  • Menu items having an issue:
  • Kustomizations
  • HelmReleases
  • ImageAutomations
  • Notifications
• Attempting to login using OIDC will create a login ‘loop’. See upstream issue for further information.
• Tempo
• Tempo no longer has a UI, however, the template still has logic that will add labels for Authservice when enabled. This causes authorization policies to get applied to it unnecessarily causing 403 errors when connections are attempted from Grafana, Prometheus, and Kiali. This logic will be removed in a future release.
  • As a workaround setting the .tempo.sso.enabled key to false will prevent the labels from being applied

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

• Open issues here
• Join our Mattermost channel
• Join our Slack
• Check out the documentation for guidance on how to get started

Future

Don’t see your feature and/or bug fix? Check out our epics for estimates on when you can expect things to drop, and as always, feel free to comment or create issues if you have questions, comments, or concerns.