Release 1.18.0
1. Release Prep
- Verify that the previous release branch commit hash matches the last release tag. Investigate with previous RE if they do not match
- Create release branch with name. Ex: release-1.16.x
- Build draft release notes, see release_notes_template.md
- Release specific code changes. Make the following changes in a single commit so it can be cherry picked into master later.
  - Bump self-reference version in base/gitrepository.yaml
  - Update chart release version chart/Chart.yaml
  - Bump badge at the top of README.md
  - Update /Packages.md with any new Packages
  - Update CHANGELOG.md with links to MRs and any upgrade notices/known issues. release-diff update link for release
  - Update README.md using helm-docs. Overwrite the existing readme file.

    ```
    # from root dir of your release branch
    docker run -v "$(pwd):/helm-docs" -u $(id -u) jnorwood/helm-docs:v1.5.0 -s file -t .gitlab-ci/README.md.gotmpl --dry-run > README.md
    ```

2. Test and Validate Release Candidate
Deploy release branch on Dogfood cluster

- Connect to Cluster
- Update bigbang/base/kustomization.yaml & bigbang/prod/kustomization.yaml with release branch.
- Verify cluster has updated to the new release
  - Packages have fetched the new revision and match the new release
  - Packages have reconciled

    ```
    # check release
    watch kubectl get gitrepositories,kustomizations,hr,po -A

    # if flux has not updated after 10 minutes.
    flux reconcile hr -n bigbang bigbang --with-source

    # if it is still not updating, delete the flux source controller
    kubectl get all -n flux-system
    kubectl delete pod/source-controller-xxxxxxxx-xxxxx -n flux-system
    ```

- Confirm app UIs are loading
  - anchore
  - argocd
  - gitlab
  - tracing
  - kiali
  - kibana
  - mattermost
  - minio
  - alertmanager
  - grafana
  - prometheus
  - sonarqube
  - twistlock
  - nexus
- TLS/SSL certs are valid
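
The "Packages have fetched the new revision and match the new release" item above can be checked mechanically instead of by reading the `watch` output. The script below is an added example, not part of the original checklist: it compares the revision each Flux GitRepository reports against the BB Version expected for the release. The two-column input layout, the GitRepository names and the sample revisions are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original checklist.
# Live input for stdin (one "name<TAB>revision" line per GitRepository):
#   kubectl get gitrepositories -A -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.artifact.revision}{"\n"}{end}'

# check_revisions EXPECTED_FILE < ACTUAL
#   EXPECTED_FILE: "name<TAB>BB Version" lines copied from the release notes table
# Prints one line per problem; returns 1 if any package is missing, unfetched or stale.
check_revisions() {
    [ -s "$1" ] || { echo "expected-version file is empty" >&2; return 2; }
    awk -F'\t' '
        NR == FNR { want[$1] = $2; next }   # first input: expected versions
        { seen[$1] = 1; rev[$1] = $2 }      # second input: what Flux fetched
        END {
            bad = 0
            for (n in want) {
                if (!(n in seen)) { print "MISSING\t" n; bad++; continue }
                if (rev[n] == "") { print "NOT-FETCHED\t" n; bad++; continue }
                ref = rev[n]
                # Flux reports "<ref>/<sha>" or "<ref>@sha1:<sha>" depending on
                # its version; keep only <ref> for the comparison.
                if (ref ~ /@/) sub("@.*$", "", ref)
                else           sub("/[^/]*$", "", ref)
                if (ref != want[n]) {
                    print "MISMATCH\t" n "\twant=" want[n] "\tgot=" ref; bad++
                }
            }
            exit (bad > 0)
        }
    ' "$1" -
}

# Constructed sample: names are assumed, versions are from the 1.17.0 table,
# revisions and SHAs are made up.
demo() {
    dir=$(mktemp -d) || return 2
    printf 'istio\t1.10.4-bb.3\nkiali\t1.39.0-bb.2\njaeger\t2.23.0-bb.2\ntwistlock\t0.0.9-bb.0\n' > "$dir/expected.tsv"
    printf 'istio\t1.10.4-bb.3/0a1b2c3\nkiali\t1.39.0-bb.1/4d5e6f7\njaeger\t\n' > "$dir/actual.tsv"
    check_revisions "$dir/expected.tsv" < "$dir/actual.tsv"; rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "release candidate is not fully rolled out"
```

A non-zero return means at least one package is still on an older tag, has no fetched artifact, or has no GitRepository at all, so the release candidate should not be signed off yet.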

Logging

- Login to kibana with SSO
- Kibana is actively indexing/logging.

Cluster Auditor

- Login to kibana with SSO
- violations index is present and contains images that aren't from registry1

Monitoring

- Login to grafana with SSO
- Contains Kubernetes Dashboards and metrics
- contains istio dashboards
- Login to prometheus
- All apps are being scraped, no errors

Kiali

- Login to kiali with SSO

Sonarqube

- Login to sonarqube with SSO

GitLab & Runners

- Login to gitlab with SSO
- Create new public group with release name. Example release-1-17-0
- Create new public project with release name. Example release-1-17-0
- git clone and git push to new project
- docker push and docker pull image to registry

  ```
  docker pull alpine
  docker tag alpine registry.dogfood.bigbang.dev/GROUPNAMEHERE/PROJECTNAMEHERE/alpine:latest
  docker login registry.dogfood.bigbang.dev
  docker push registry.dogfood.bigbang.dev/GROUPNAMEHERE/PROJECTNAMEHERE/alpine:latest
  ```

- Edit profile and change user avatar
- Test simple CI pipeline. sample_ci.yaml

Anchore

- Login to anchore with SSO
- Scan image in dogfood registry, registry.dogfood.bigbang.dev/GROUPNAMEHERE/PROJECTNAMEHERE/alpine:latest

Argocd

- Login to argocd with SSO
- Logout and login with admin. password reset
- Create application

  ```
  *click* create application
  application name: argocd-test
  Project: default
  Sync Policy: Automatic
  Sync Policy: check both boxes
  Sync Options: check both boxes
  Repository URL: https://github.com/argoproj/argocd-example-apps
  Revision: HEAD
  Path: helm-guestbook
  Cluster URL: https://kubernetes.default.svc
  Namespace: argocd-test
  *click* Create (top of page)
  ```

- Delete application

Minio

- Log into the minio UI as minio with password minio123
- Create bucket
- Store file to bucket
- Download file from bucket
- Delete bucket and files

Mattermost

- Login to mattermost with SSO
- Elastic integration

Twistlock

- Login to twistlock/prisma cloud with the credentials encrypted in bigbang/prod/environment-bb-secret.enc.yaml
- Navigate to Manage -> Defenders -> Deploy
- Turn off "Use the official Twistlock registry" and in "Enter the full Defender image name" paste the latest IB image for defenders
- Toggle on "Monitor Istio"
- TBD other settings?
- From 17b, download the yaml files
- Apply the yaml to the dogfood cluster and validate that defender pods come online and register in the console (Manage -> Defenders -> Manage should show them)

Velero

- Backup PVCs velero_test.yaml

  ```
  kubectl apply -f ./velero_test.yaml
  # exec into velero_test container
  cat /mnt/velero-test/test.log
  # take note of log entries and exit exec
  ```

  ```
  velero backup create velero-test-backup-1-8-0 -l app=velero-test
  velero backup get
  kubectl delete -f ./velero_test.yaml
  kubectl get pv | grep velero-test
  kubectl delete pv INSERT-PV-ID
  ```

- Restore PVCs

  ```
  velero restore create velero-test-restore-1-8-0 --from-backup velero-test-backup-1-8-0
  # exec into velero_test container
  cat /mnt/velero-test/test.log
  # old log entries and new should be in log if backup was done correctly
  ```

- Cleanup test

  ```
  kubectl delete -f ./velero_test.yaml
  kubectl get pv | grep velero-test
  kubectl delete pv INSERT-PV-ID
  ```

Keycloak

- Login to Keycloak admin console. The credentials are in the encrypted environment-bb values file.

3. Create Release

- Create release candidate tag based on release branch. Tag EX: 1.16.0-rc.0.

  ```
  Message: release candidate
  Release Notes: **Leave Blank**
  ```

- Passed tag pipeline.
- Create release tag based on release branch. Tag EX: 1.16.0.

  ```
  Message: release 1.x.x
  Release Notes: **Leave Blank**
  ```

- Passed release pipeline.
- Add release notes to release.
- Cherry-pick release commit(s) as needed with merge request back to master branch
- Celebrate and announce release

RELEASE NOTES
Release 1.17.0 Release Notes
Please see our documentation page for more information on how to consume and deploy BigBang.
Upgrade Notices
Hostname Changed to Domain
Value hostname has been changed to domain. MR

```
# -- Domain used for BigBang created exposed services, can be overridden by individual packages.
domain: bigbang.dev
```

Resources
Bigbang is in the process of implementing resource requests and limits on all pods in preparation for setting OPA constraints to deny. If you notice multiple pod restarts, check for OOMKill termination errors; pod limits may need to be increased.
Upgrades from previous releases
If coming from a version pre-1.15 note the additional upgrade notices in any release in between. The BB team doesn't test/guarantee upgrades from anything pre-1.15.
Packages
Package | Type | Package Version | BB Version |
---|---|---|---|
Istio Controlplane | Core | 1.10.4 | 1.10.4-bb.3 |
Istio Operator | Core | 1.10.4 | 1.10.4-bb.1 |
Jaeger | Core | 2.23.0 | 2.23.0-bb.2 |
Kiali | Core | 1.39.0 | 1.39.0-bb.2 |
Cluster Auditor | Core | 1.16.0 | 0.3.0-bb.7 |
OPA Gatekeeper | Core | 3.5.2 | 3.5.2-bb.1 |
Elasticsearch Kibana | Core | 7.13.4 | 0.1.21-bb.0 |
ECK Operator | Core | 1.6.0 | 1.6.0-bb.2 |
Fluentbit | Core | 1.8.6 | 0.16.6-bb.0 |
Monitoring | Core | G: 7.5.2 , P: 2.25.0 , A: 0.21.0 | 14.0.0-bb.8 |
Twistlock | Core | 21.04.439 | 0.0.9-bb.0 |
Argocd | Addon | 2.0.1 (w/ p1 plugins) | 3.6.8-bb.8 |
Authservice | Addon | 0.4.0 | 0.4.0-bb.17 |
MinIO Operator | Addon | 4.1.2 | 4.1.2-bb.3 |
MinIO | Addon | RELEASE.2020-11-19T23-48-16Z | 4.1.2-bb.6 |
Gitlab | Addon | 13.12.9 | 4.12.9-bb.6 |
Gitlab Runners | Addon | 13.12.0 | 0.29.0-bb.1 |
Nexus | Addon | 3.34.0 | 34.0.0-bb.0 |
SonarQube | Addon | 8.9 (w/ p1 plugins) | 9.6.3-bb.1 |
Anchore | Addon | ENG: 0.10.0 , ENT: 3.1.0 | 1.13.0-bb.8 |
Mattermost Operator | Addon | 1.14.0 | 1.14.0-bb.4 |
Mattermost | Addon | 5.38.2 | 0.2.0-bb.1 |
Velero | Addon | 1.6.3 | 2.23.6-bb.1 |
Keycloak | Addon | 14.0.0 | 11.0.1-bb.6 |

Changes in v1.17.0
Big Bang
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/856 Conditionally Create the SSO.Certificate_Authority value as a Kubernetes Secret
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/881 update istio-proxy resource requests and limits
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/843 Rename hostname to domain
Istio Controlplane
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/900 Resolve "Istio ingressgateway extraLabels value being stripped out"
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/847 Istio/Authservice: use extauthz custom action
Gatekeeper
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/890 Update gatekeeper violations for twistlock-defenders selinuxPolicy
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/874 Gatekeeper: Delete Disabled or Orphaned constraints
Kiali
Jaeger
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/892 Resolve issues with Authservice labeling on Jaeger/HAProxy
Logging
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/863 Update Elastic/Kibana to Gluon
Keycloak
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/904 Keycloak network policy for SMTP egress and custom plugin code
SonarQube
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/898 Update SonarQube to use IB image
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/875 Synced SonarQube to upstream chart
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/845 SonarQube changed SSO label
Anchore
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/907 Enable istio injection for Anchore
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/893 Fix Anchore SSO bug
ArgoCD
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/903 Increase ArgoCD redis resources
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/869 Update Argo Testing NP
Authservice
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/894 Resolve "Global cookie_name_prefix is incompatible with redis"
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/847 Istio/Authservice: use extauthz custom action
Gitlab
FluentBit
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/872 Fluentbit: Update to 1.8.6
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/866 Increased storage
Twistlock
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/890 Update gatekeeper violations for twistlock-defenders selinuxPolicy
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/887 Bump Twistlock for defenders NP template & values
Velero
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/859 Update Velero to 1.6.3
HAProxy
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/892 Resolve issues with Authservice labeling on Jaeger/HAProxy
Documentation
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/861 Sample Keycloak Values file
- https://repo1.dso.mil/platform-one/big-bang/bigbang/-/merge_requests/895 Dev environment update
Big Bang CI
There were also a number of internal CI changes made over the past release period; for more details, check the relevant MRs.
Known Issues
- On some k8s distros certain components in the kube-system namespace are unable to be scraped by Prometheus
- Nexus needs nodeAffinity set to FIPS-enabled nodes. Issue
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our chat
- Check out the documentation for guidance on how to get started
Future
Don't see your feature and/or bug fix? Check out our roadmap for estimates on when you can expect