Release 1.1.0

Checklist for things to validate for release 1.1.0

Deploy an RKE instance from the Dogfood repo for a release enviornmemnt:

https://repo1.dso.mil/platform-one/big-bang/customers/bigbang

• Stand up RKE cluster
• Deploy all the apps with SSO
• Apps stand up and are healthy
  • Virtual Services and cert are correct
  • image pull secret
• Confirm SSO works correctly
• Logging
  • Get logs from all apps.
• Cluster Auditor
  • violations index is present and contains images that aren't from registry1
• Monitoring
  • Contains Kubernetes Dashboards and metrics
  • contains instio dashboards (no data coming in #65 (closed) )
• Kiali shows no errors
• Sonarqube - Deploys, can get tokens
• GitLab + Runners
  • Push repos
  • Push containers
  • talks to Sonarqube via API token
  • host and deploy BigBang from inside the cluster!
  • Add mission pipelines and run them on hello-python, hello-go, etc
• Anchore
• Argocd
  • Create application
  • connect to our Gitlab
  • Deploys hello-python repo to cluster
  • Sops works correctly
• Twistlock Deploys
  • Setup defenders (known issue? #73 (closed))
• Minio deploys.
  • manually add a virtual service, or use kubectl port forward. Make sure the mc client works as expected. See examples in https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/190

changed milestone to %1.1.0

documenting workflow below:

1. created release candidate branch release-1.1 from current master
2. updated dogfood repo to track off HEAD of release-1.1
3. ensured bigbang upgrade on dogfood cluster was successful (strictly from k8s perspective for now), document anything relevant found during upgrade on this issue
4. create RDS for mysql and postgresql with terraform/terragrunt
5. create databases within the provisioned rds to support all the applications that need databases

# Run postgresql pod (with psql client) in the bigbang namespace and connect it to the external database
kubectl run postgresql-postgresql-client --rm --tty -i --restart='Never' --namespace bigbang --image registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.5 --overrides='{ "spec": { "imagePullSecrets": [{"name": "private-registry"}] } }' --env="PGPASSWORD=$DB_PASSWORD" --command -- psql --host $DB_HOST -U $DB_USERNAME -d $DB_NAME -p 5432

# Create the applications database
CREATE DATABASE $DBNAME;
CREATE USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_PASSWORD';
GRANT ALL PRIVILEGES ON DATABASE $DBNAME to $DB_USER;

# Ensure proper extensions are enabled for gitlab
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE EXTENSION IF NOT EXISTS btree_gist;
CREATE EXTENSION IF NOT EXISTS plpgsql;

6. create s3 buckets for applications that need object storage via terraofmr/terragrunt, also create iam user with accesskey/secretkey who can access the s3 buckets

documenting anything relevant during upgrade below:

• minio/minio-operator (or any new namespace) originally tried to pull from registry.dsop.io for istio sidecar images, but after ~10m post istio controlplane reconciliation, it changed and things came up healthy
• bigbang values.yaml changed to no longer include registryCredentials.registry: registry1.dso.mil, customers not explicitly defining this will need to do so
• flux incorrectly caches charts sometimes, can be resolved by deleting the {kustomize,source,helm}-controller pod from the flux-system namespace and bouncing the bigbang helm release
• argocd with sops support is not included in this release, afaik the container we're using still doesn't have sops or the plugins that PB needs
• authservice requires adding the certificate authority of the keycloak being used for SSO

marked the checklist item Stand up RKE cluster as completed

assigned to @joshwolf, @kevin.wilder, and @jasonkrause

bugs needing to fix:

• artifacts cannot be uploaded via gitlab runner, general issues with the IB gitlab-runner container, not going to make it into 1.1 but issue tracked via #143 (closed)

marked the checklist item GitLab + Runners as completed

marked the checklist item Push repos as completed

marked the checklist item Push containers as completed

marked the checklist item Monitoring as completed

marked the checklist item contains instio dashboards (no data coming in #65 (closed) ) as completed

marked the checklist item Contains Kubernetes Dashboards and metrics as completed

marked the checklist item Cluster Auditor as completed

marked the checklist item Logging as completed

marked the checklist item violations index is present and contains images that aren't from registry1 as completed

marked the checklist item Get logs from all apps. as completed

marked the checklist item Sonarqube - Deploys, can get tokens as completed

marked the checklist item Minio deploys. as completed

marked the checklist item Anchore as completed

marked the checklist item image pull secret as completed

marked the checklist item Apps stand up and are healthy as completed

marked the checklist item Virtual Services and cert are correct as completed

marked the checklist item Argocd as completed

marked the checklist item Create application as completed

marked the checklist item connect to our Gitlab as completed

marked the checklist item Deploy all the apps with SSO as completed

marked the checklist item Confirm SSO works correctly as completed

draft release notes:

This is the first minor release of BigBang.

Please see our documentations page for more information on how to consume and deploy BigBang.

Packages

Package	Version
Gitlab	13.8.0
Gitlab Runners	13.2.2
Anchore	0.8.1
SonarQube	8.6
Istio Operator	1.7.3
Istio Controlplane	1.7.3
Monitoring	G: 7.1.3, P: 2.22.0, A: 0.21.0
ECK Operator	1.3.0
Elasticsearch Kibana	7.9.2
Fluentbit	1.6.3
OPA Gatekeeper	3.1.2
Argocd	1.7.8
Cluster Auditor	0.1.8

Changes since 1.0.7

• &2 (closed): Add support for Gitlab (with sso) 13.8.0
• &3 (closed): Add support for Gitlab Runners 13.2.2
• &7 (closed): Add support for SonarQube (with sso) 8.6
• &15 (closed): Add support for Anchore (with sso) 0.8.1
• #129 (closed): Updated FluentBit to 1.6.3
• #63 (closed): Fix bug with elasticsearch failing to start due to invalid file permissions
• #49 (closed): Add consistent labels to authservice deployment
• #32 (closed): Add support for PodAntiAffinity and NodeAffinity for elasticsearch deployments
• #6 (closed): Add support for new elasticsearch cluster node types
• #16 (closed): Fix bug with incorrect git credentials being created when specifying a private repository
• #66 (closed): Fix bug with EnvoyFilter being applied in the wrong non-global namespace
• #99 (closed): Fix bug that allowed for incorrect ImagePullSecrets to be created when providing incomplete credentials

Known Issues

The following issues are known issues that are currently being addressed that will be fixed in future releases.

• #147 (closed): Gitlab Runner version mismatch with Gitlab may cause some discrepancies related to features that exist "server side" vs those that exist "client side"
• #13 (closed): Airgap deployments require this workaround to correctly resolve chart dependencies.

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

• Open issues here
• Join our chat
• Check out the documentation for guidance on how to get started

Release notes look good.

I think this is a typo?
Add support for Gitlab Runners 13.2.1
should be
Add support for Gitlab Runners 13.2.2 ?

good catch! fixed

marked the checklist item Kiali shows no errors as completed

released! https://repo1.dso.mil/platform-one/big-bang/bigbang/-/releases/1.1.0

closed

I was working on issue #140 (closed) and realized that BigBang has a reference to itself
https://repo1.dso.mil/platform-one/big-bang/bigbang/-/blob/master/base/gitrepository.yaml

kind: GitRepository
spec:
  url: https://repo1.dso.mil/platform-one/big-bang/umbrella.git
  ref:
    tag: 1.0.7

This file needs the ref tag version bumped as part of the release process.