Release Notes
5.20.0 (2024-09-23)β
π This release of Structsure Enterprise v5.20.0 introduces several important updates, including Big Bang Version 2.35.0. For detailed information on the new features and updates included in Big Bang Version 2.35.0, please refer to the Big Bang release notes.
π§ Upgrade Noticesβ
π¨ Big Bang Upgrade
- Istio-controlplane - MR:
- Istio gets updated to
1.22.4
. Big Bang apps should automatically cycle to get the latest sidecar version and config. Be sure to cycle pods for any community or tenant applications manually.
- Istio gets updated to
- Mattermost - MR:
- Postgresql using the builtin bitnami module does not upgrade gracefully. You must manually backup and restore your database before accepting this upgrade. Using the builtin postgresql module is not a supported configuration in production environments. If you are using the IaC module for Mattermost, this warning can be ignored.
- Automated the Velero temporary manual fix suggested by Big Bang. You donβt need to apply the temporary fix mentioned in the third bullet point yourself: https://repo1.dso.mil/big-bang/bigbang/-/releases/2.35.0#upgrade-notices
π’ Console Upgrade to v5.55.x
- Expand reliance on database tool records instead of env vars
- Use more reliable metadata to discover tools via virtual service queries
- Initialize tool records by querying virtual services instead of env vars
- Present extended platform tools in non-AMI use cases
π’ Dynamic dbconfig.xml for Jira and confluence
- Enabled dynamic creation of
dbconfig.xml
for Jira and Confluence. - Set
forceConfigUpdate
totrue
by default, ensuring thedbconfig.xml
is recreated on every pod restart. - Users can override this behavior by setting
forceConfigUpdate
tofalse
in their claim to preserve the file across restarts.
π’ Enhance eks-cluster
Terraform Module
- Clarified that
s3_kms_key_id
must be provided as a full ARN, not just the key name or ID. - Made object ownership configurable between "BucketOwnerPreferred" and "BucketOwnerEnforced."
- Enforced secure S3 bucket creation with
attach_deny_insecure_transport_policy = true
. - Added validation for
s3_object_ownership
to ensure valid values like "BucketOwnerPreferred" or "BucketOwnerEnforced."
πͺ² Bigbang HelmRelease Reconciles Before Zarf Deploy Finishes
- Starting with this release, the bigbang Flux HelmRelease object in the bigbang namespace will be temporarily suspended when starting the upgrade package deployment. If the bigbang HelmRelease is suspended outside of this automatic suspension, it will trigger a failure of the upgrade package deployment starting with this release, since suspension of the HelmRelease object will prevent the upgrade from completing successfully.
πͺ² Remove Temporary Neuvector Command
- Removed a pin that deleted crds
nvvulnerabilityprofiles.neuvector.com
andnvcomplianceprofiles.neuvector.com
at zarf start. No longer required after Big Bang 2.7.6-bb.0
πͺ² Vault-Agent Trust CAs
- Fixed an issue that prevented vault-agents from trusting Certificate Authorities when providing a CA cert as an input to the Zarf package. This update re-enables a Bigbang-managed integration between Prometheus and Vault. If you have deployed Vault prior to this update, ensure you followed the documented initialization instructions for Vault including the steps for configuring the Vault policies for Prometheus. Prometheus will be offline until Vault has been configured.
πͺ² Force Mattermost to use Database Connection String
- Fixed an issue where Mattermost wouldn't respect when database connection string changed. Database password and hostname can now be changed for Mattermost.
πͺ² Upgrade Gitlab to v17.2.7 to Resolve Critical CVE
- Upgraded GitLab to v17.2.7 in order to fix a critical CVE: https://about.gitlab.com/releases/2024/09/17/patch-release-gitlab-17-3-3-released/
𧩠Zarf Versionβ
- The packages for this release were built using Zarf v0.32.6.
π Kubernetes Distributions and Versionsβ
- The packages were tested across the following Kubernetes distributions:
- RKE2:
v1.29.8+rke2r1
- K3S:
v1.30.5+k3s1
- EKS:
v1.29.6
- RKE2:
π¦ AMI Versionsβ
- The following AMI versions were used for testing:
- RKE2 AMI:
structsure-rke2-v1.29.8-rke2r1-rocky-8-base-v1.1.1-stig-2024-09-23T08-14-20Z
- EKS AMI:
structsure-eks-1.29.6-rocky-8-base-v1.1.1-stig-2024-09-09T08-14-46Z
- Base AMI:
Rocky-8-EC2-LVM-8.10-20240528.0.x86_64
- RKE2 AMI:
π Changelogβ
:tools:οΈ Infrastructure as Code (IaC) Featuresβ
- iac: enhance eks-cluster terraform module
π¦ Package Featuresβ
- bump console to v5.55.x
- helm: dynamic dbconfig.xml for Jira & confluence
- upgrade BB to 2.35
πͺ² Bug Fixesβ
- bigbang HelmRelease reconciles before zarf deploy finishes
- force mattermost to use database connection string
- remove temp neuvector cmd
- upgrade gitlab to v17.2.7 to resolve critical CVE
- vault-agent trust CAs
π Known Issuesβ
- β Incorrect Virtual Service Host Configuration in Loki Scalable Mode
π Helpful Linksβ
- Refer to the Structsure documentation for additional guidance.
- For details on the Big Bang release, see the Big Bang Release Notes.
5.20.0-rc.3 (2024-09-20)β
5.20.0-rc.2 (2024-09-19)β
Package Bug Fixesβ
- force mattermost to use database connection string
- upgrade gitlab to v17.2.7 to resolve critical CVE
5.20.0-rc.1 (2024-09-16)β
IaC Featuresβ
- iac: enhance eks-cluster terraform module
Package Featuresβ
- bump console to v5.55.x
- helm: dynamic dbconfig.xml for Jira & confluence
- upgrade BB to 2.35
Package Bug Fixesβ
- bigbang HelmRelease reconciles before zarf deploy finishes
- rds password changes for yaml
- remove temp neuvector cmd
- vault-agent trust CAs
5.19.0 (2024-09-04)β
π This release of Structsure Enterprise v5.19.0 introduces several important updates, including Big Bang Version 2.34.0. For detailed information on the new features and updates included in Big Bang Version 2.34.0, please refer to the Big Bang release notes.
π§ Upgrade Noticesβ
π¨ Big Bang Upgradeβ
Nexus:
- β οΈ Breaking Changes:
- Nexus 3.71.0-06 removes support for internal OrientDB and replaces it with H2.
- Nexus 3.71.0-06 requires Java 17+ (previously supported Java 8 and 11).
- β οΈ Migration Required: If you are using an internal database, refer to the migration steps before upgrading.
- β οΈ Breaking Changes:
Minio-operator:
- The MinIO Operator Console has been deprecated and removed starting from version 6.0.0.
BigBang:
- Resolved an issue with an invalid value in the
images.txt
release artifact.
- Resolved an issue with an invalid value in the
π’ Confluence Upgradeβ
- This release includes a major version upgrade of Confluence from 8.9.4 to 9.0.2.
- For detailed upgrade notes from Atlassian, refer to the Confluence 9.0 upgrade notes.
π¨ Important: Please update the miniOrange SSO app and any other apps you are using to ensure compatibility with Confluence version 9.0.
β¨ Major Featuresβ
π οΈ Containerd Iron Bank Mirrorβ
- Structsure Enterprise now includes a built-in containerd mirror for mirroring Iron Bank images to Zarf's internal registry. This mirror is enabled by default, and instructions on how to disable it are available here.
π Compatibilityβ
𧩠Zarf Versionβ
- The packages for this release were built using Zarf v0.32.6.
π Kubernetes Distributions and Versionsβ
- The packages were tested across the following Kubernetes distributions:
- RKE2:
v1.29.7+rke2r1
- K3S:
v1.30.0
- EKS:
v1.29
- RKE2:
π¦ AMI Versionsβ
- The following AMI versions were used for testing:
- RKE2 AMI:
Structsure-rke2-v1.29.7-rke2r1-rocky-8-base-v1.1.1-stig-2024-08-12T08-14-46Z
- EKS AMI:
Structsure-eks-1.29.6-rocky-8-base-v1.1.1-stig-2024-07-29T08-12-23Z
- Base AMI:
Rocky-8-EC2-LVM-8.10-20240528.0.x86_64
- RKE2 AMI:
π Changelogβ
π οΈ Infrastructure as Code (IaC) Featuresβ
- iac: Added toggle for containerd Iron Bank mirror.
- iac: Changed
rds_engine_version
type to string.
π¦ Package Featuresβ
- Enabled Loki by default in DT and collab.
- Updated console to version 5.54.x.
- Upgraded Big Bang to version 2.34.0.
- Upgraded third-party Big Bang apps.
π Bug Fixesβ
- Fixed Kyverno policy exclusion and S3 region endpoint for GitLab backup.
- Restored broken cluster autoscaler functionality.
- Resolved cluster autoscaler issue.
π Documentation Updatesβ
- Updated Neuvector upgrade documentation.
- Added RKE2 IaC reference documentation.
- Corrected spelling errors.
- Updated console documentation.
π Known Issuesβ
- β Incorrect Virtual Service Host Configuration in Loki Scalable Mode
π Helpful Linksβ
- Refer to the Structsure documentation for additional guidance.
- For details on the Big Bang release, see the Big Bang Release Notes.
5.19.0-rc.1 (2024-09-02)β
π This release of Structsure Enterprise v5.19.0 introduces several important updates, including Big Bang Version 2.34.0. For detailed information on the new features and updates included in Big Bang Version 2.34.0, please refer to the Big Bang release notes.
π§ Upgrade Noticesβ
π¨ Big Bang Upgradeβ
Nexus:
- β οΈ Breaking Changes:
- Nexus 3.71.0-06 removes support for internal OrientDB and replaces it with H2.
- Nexus 3.71.0-06 requires Java 17+ (previously supported Java 8 and 11).
- β οΈ Migration Required: If you are using an internal database, refer to the migration steps before upgrading.
- β οΈ Breaking Changes:
Minio-operator:
- The MinIO Operator Console has been deprecated and removed starting from version 6.0.0.
BigBang:
- Resolved an issue with an invalid value in the
images.txt
release artifact.
- Resolved an issue with an invalid value in the
π’ Confluence Upgradeβ
- This release includes a major version upgrade of Confluence from 8.9.4 to 9.0.2.
- For detailed upgrade notes from Atlassian, refer to the Confluence 9.0 upgrade notes.
π¨ Important: Please update the miniOrange SSO app and any other apps you are using to ensure compatibility with Confluence version 9.0.
β¨ Major Featuresβ
π οΈ Containerd Iron Bank Mirrorβ
- Structsure Enterprise now includes a built-in containerd mirror for mirroring Iron Bank images to Zarf's internal registry. This mirror is enabled by default, and instructions on how to disable it are available here.
π Compatibilityβ
𧩠Zarf Versionβ
- The packages for this release were built using Zarf v0.32.6.
π Kubernetes Distributions and Versionsβ
- The packages were tested across the following Kubernetes distributions:
- RKE2:
v1.29.7+rke2r1
- K3S:
v1.30.0
- EKS:
v1.29
- RKE2:
π¦ AMI Versionsβ
- The following AMI versions were used for testing:
- RKE2 AMI:
Structsure-rke2-v1.29.7-rke2r1-rocky-8-base-v1.1.1-stig-2024-08-12T08-14-46Z
- EKS AMI:
Structsure-eks-1.29.6-rocky-8-base-v1.1.1-stig-2024-07-29T08-12-23Z
- Base AMI:
Rocky-8-EC2-LVM-8.10-20240528.0.x86_64
- RKE2 AMI:
π Changelogβ
π οΈ Infrastructure as Code (IaC) Featuresβ
- iac: Added toggle for containerd Iron Bank mirror.
- iac: Changed
rds_engine_version
type to string.
π¦ Package Featuresβ
- Enabled Loki by default in DT and collab.
- Updated console to version 5.54.x.
- Upgraded Big Bang to version 2.34.0.
- Upgraded third-party Big Bang apps.
π Bug Fixesβ
- Fixed Kyverno policy exclusion and S3 region endpoint for GitLab backup.
- Restored broken cluster autoscaler functionality.
- Resolved cluster autoscaler issue.
π Documentation Updatesβ
- Updated Neuvector upgrade documentation.
- Added RKE2 IaC reference documentation.
- Corrected spelling errors.
- Updated console documentation.
π Known Issuesβ
- β Incorrect Virtual Service Host Configuration in Loki Scalable Mode
π Helpful Linksβ
- Refer to the Structsure documentation for additional guidance.
- For details on the Big Bang release, see the Big Bang Release Notes.
5.18.0 (2024-08-21)β
This release of Structsure Enterprise v5.18.0 includes Big Bang Version 2.33.0. For more details on the features and updates included in Big Bang Version 2.33.0, please refer to the Big Bang release notes.
Upgrade Noticesβ
EKS Default Node Group Namingβ
The eks-cluster
IaC module now supports a variable called default_eks_node_group_name
, which allows specifying the name for the default node group and its EC2 instances. If the value is empty, the default node group will inherit the cluster's name.
If the node group name is changed, this will trigger a node group replacement. To avoid triggering node group replacement inadvertently on existing clusters, if this value is not set, the default will match the previous value, "structsure-nodes"
. If the default node group is disabled using the disable_default_node_groups
variable (usually used in conjunction with additional_eks_managed_groups
), the default_eks_node_group_name
variable will have no effect.
Compatibilityβ
Zarf Versionβ
The packages for this release were built using the following Zarf version:
- Zarf:
v0.32.6
Kubernetes Distributions and Versionsβ
The packages were tested across the following Kubernetes distributions and versions:
- Rancher Kubernetes Engine 2 (RKE2):
v1.29.7+rke2r1
- Kubernetes Lightweight (K3S):
v1.30.0
- Elastic Kubernetes Service (EKS):
v1.29
AMI Versionsβ
The following AMI versions were used for testing:
- RKE2 AMI:
Structsure-rke2-v1.29.7-rke2r1-rocky-8-base-v1.1.1-stig-2024-08-12T08-14-46Z
- EKS AMI:
Structsure-eks-1.29.6-rocky-8-base-v1.1.1-stig-2024-07-29T08-12-23Z
- Base AMI:
Rocky-8-EC2-LVM-8.10-20240528.0.x86_64
Changelogβ
IaC Featuresβ
- Iac: Allow configuration of the RDS backup retention period
- Iac: Allow passing root CAs as strings or base64
- Iac: EKS default node group name supports inherited cluster name
Package Featuresβ
- Upgrade Big Bang to v2.33.0
Package Bug Fixesβ
- Collect existing Big Bang values and merge into provided values
- Default values prevent Console deploy
- Handle empty existing bigbang-overrides
- Prevent failed upgrades from creating multiple XRs
Documentationβ
- Explicitly export
zarf_config
variable in upgrade documentation
Helpful Linksβ
- Check out the documentation for guidance
- Big Bang v2.33.0 Release Notes
5.18.0-rc.1 (2024-08-19)β
This release of Structsure Enterprise v5.18.0 includes Big Bang Version 2.33.0. For more details on the features and updates included in Big Bang Version 2.33.0, please refer to the Big Bang release notes.
Upgrade Noticesβ
EKS Default Node Group Namingβ
The eks-cluster
IaC module now supports a variable called default_eks_node_group_name
, which allows specifying the name for the default node group and its EC2 instances. If the value is empty, the default node group will inherit the cluster's name.
If the node group name is changed, this will trigger a node group replacement. To avoid triggering node group replacement inadvertently on existing clusters, if this value is not set, the default will match the previous value, "structsure-nodes"
. If the default node group is disabled using the disable_default_node_groups
variable (usually used in conjunction with additional_eks_managed_groups
), the default_eks_node_group_name
variable will have no effect.
Compatibilityβ
Zarf Versionβ
The packages for this release were built using the following Zarf version:
- Zarf:
v0.32.6
Kubernetes Distributions and Versionsβ
The packages were tested across the following Kubernetes distributions and versions:
- Rancher Kubernetes Engine 2 (RKE2):
v1.29.7+rke2r1
- Kubernetes Lightweight (K3S):
v1.30.0
- Elastic Kubernetes Service (EKS):
v1.29
AMI Versionsβ
The following AMI versions were used for testing:
- RKE2 AMI:
Structsure-rke2-v1.29.7-rke2r1-rocky-8-base-v1.1.1-stig-2024-08-12T08-14-46Z
- EKS AMI:
Structsure-eks-1.29.6-rocky-8-base-v1.1.1-stig-2024-07-29T08-12-23Z
- Base AMI:
Rocky-8-EC2-LVM-8.10-20240528.0.x86_64
Changelogβ
IaC Featuresβ
- Iac: Allow configuration of the RDS backup retention period
- Iac: Allow passing root CAs as strings or base64
- Iac: EKS default node group name supports inherited cluster name
Package Featuresβ
- Upgrade Big Bang to v2.33.0
Package Bug Fixesβ
- Collect existing Big Bang values and merge into provided values
- Default values prevent Console deploy
- Handle empty existing bigbang-overrides
- Prevent failed upgrades from creating multiple XRs
Documentationβ
- Explicitly export
zarf_config
variable in upgrade documentation
Helpful Linksβ
- Check out the documentation for guidance
- Big Bang Release Notes
5.17.1 (2024-08-26)β
Package Bug Fixesβ
- collect existing bigbang values and merge into provided values
- default values prevent console deploy
- handle empty existing bigbang-overrides
- prevent failed upgrades from creating multiple XRs
5.17.0 (2024-08-16)β
This release of Structsure Enterprise v5.17.0 includes Big Bang Version 2.32.0. For more details on the features and updates included in Big Bang Version 2.32.0, please refer to the Big Bang release notes.
Upgrade Noticesβ
Kubernetes Upgrade Requirementβ
This release requires Kubernetes native sidecars. Hence, an upgrade to Kubernetes v1.29 or later is required.
Post-Upgrade Instructionsβ
To ensure the istio-proxy
sidecar container switches to an init container (due to Kubernetes native sidecar support), restart all Istio-supporting pods immediately after the upgrade. Use the following commands:
for ns in $(kubectl get ns -l app.kubernetes.io/part-of=bigbang,istio-injection=enabled -o custom-columns=":metadata.name"); do
kubectl rollout restart deployment -n $ns
kubectl rollout restart statefulset -n $ns
kubectl rollout restart daemonset -n $ns
done
Backup Recommendationsβ
It is highly advised to create backups of current admin passwords before performing the Structsure upgrade for the following applications to prevent the loss of credentials:
- Grafana
- Keycloak
- SonarQube
- NeuVector
Default Admin Passwordsβ
If not changed manually, the default admin passwords are as follows:
- Grafana:
Monitoring-grafana
secret within themonitoring
namespace. This password will be overridden to a randomly generated strong password. - Keycloak:
keycloak-env
secret within thekeycloak
namespace. In tested upgrades, the admin password didnβt change when only the composition was applied, but it may change during the full upgrade with the Structsure Zarf package due to changes in the default chart values. - SonarQube: Default username and password are both
admin
. The password is prompted to change upon first login. Similar to Keycloak, the password may change during the full upgrade. - NeuVector: Default username and password are both
admin
. The admin and metrics users' passwords will be overridden to randomly generated strong passwords.
Major Featuresβ
Persistent Volumes for Monitoring Applicationsβ
We now offer persistence via Persistent Volume Claims (PVCs) for the following monitoring applications:
- Grafana
- Prometheus
- Alertmanager
Enabling Persistenceβ
To enable persistence, set persistence = true
in the cluster_inputs
object in your hcl
and rerun your Terragrunt stage. Caution: If you are currently overriding, providing custom PVCs, or using a third-party solution for these applications, your settings might be overwritten.
Specific Considerationsβ
- Grafana: When persistence is enabled, only one pod is allowed due to the
ReadWriteOnce
access mode of the default EBS storage class. Refer to the docs to configureReadWriteMany
(e.g., Amazon EFS) if multiple pods are desired. - Prometheus: Allows for adjusting the retention period and retention file size.
Compatibilityβ
Zarf Versionβ
The packages for this release were built using the following Zarf version:
- Zarf:
v0.32.6
Kubernetes Distributions and Versionsβ
The packages were tested across the following Kubernetes distributions and versions:
- Rancher Kubernetes Engine 2 (RKE2):
v1.29.7+rke2r1
- Kubernetes Lightweight (K3S):
v1.30.0
- Elastic Kubernetes Service (EKS):
v1.29
AMI Versionsβ
The following AMI versions were used for testing:
- RKE2 AMI:
structsure-rke2-v1.29.7-rke2r1-rocky-8-base-v1.1.1-stig-2024-08-12T08-14-46Z
- EKS AMI:
structsure-eks-1.29.6-rocky-8-base-v1.1.1-stig-2024-07-29T08-12-23Z
- Base AMI:
rocky-8-EC2-LVM-8.10-20240528.0.x86_64
Changelogβ
IaC Bug Fixesβ
- Iac: Always set S3 regionendpoint for Zarf init
- Iac: Automatically remove duplicates in allowed_security_groups
Package Featuresβ
- Bump Console version to 5.52.x
- Crossplane: Argo CD declarative SSO
- Crossplane: NeuVector is configured with read-only Prometheus user and admin user with random passwords
- Crossplane: Web app default passwords randomly generated
- Increment RKE2 K8s to 1.29, fail Zarf package deploy if K8s version < 1.29
- Persistent storage for monitoring apps
- Upgrade Big Bang to v2.32.0
Package Bug Fixesβ
- Dig Keycloak config realm to avoid nil pointer during Zarf deploy
- Prevent Kyverno policy from erroneously Helm templating values
- Revert rendering of values in Structsure-enterprise chart
- Use appropriate whitespace in generate Kyverno policy
Documentationβ
- Updated Zarf version in documentation
Helpful Linksβ
- Check out the documentation for guidance
- Big Bang v2.32.0 Release Notes
Warningβ
It is Highly advised to create backups of current admin passwords before this smoothglue upgrade of the following apps to ensure protection of lost credentials. Implementing this upgrade may change the admin passwords to randomly generated strings for the following listed apps. The new passwords can be found and overridden within this docs page: https://structsure.gitlab.io/-/jigsaw/structsure-enterprise/-/jobs/7548192629/artifacts/public/docs/unreleased/how-to/operations/how-to-change-app-credentials/
Once the full release is cut they can be found here: https://docs.structsure.io/docs/unreleased/how-to/operations/how-to-change-app-credentials/
The Default admin passwords are the following if they havenβt been changed manually:
Grafana (Monitoring-grafana secret within monitoring namespace. This admin password WILL be overridden to a randomly generated strong password.)
Keycloak (keycloak-env secret within keycloak namespace.)
Sonarqube (Default username is admin and so is the password, prompted to change it upon first login.)
Neuvector (Default username is admin and so is the password. This admin and metrics users' passwords WILL be overridden to a randomly generated strong password.)
5.17.0-rc.1 (2024-08-09)β
Package Featuresβ
- bump console version to 5.52.x
- crossplane: argocd declarative sso
- crossplane: Neuvector is configured with read-only prometheus user and admin user with random passwords
- crossplane: web app default passwords randomly generated
- persistent storage for monitoring apps
- upgrade Big Bang to v2.32.0
Package Bug Fixesβ
- dig keycloak config realm to avoid nil pointer during zarf deploy
- prevent kyverno policy from erroneously helm templating values
Documentationβ
- add self to maintainers, update onboarding template with devenv setup link
- update zarf version
5.16.1 (2024-08-26)β
Package Bug Fixesβ
- collect existing bigbang values and merge into provided values
- dig keycloak config realm to avoid nil pointer during zarf deploy
- handle empty existing bigbang-overrides
- prevent failed upgrades from creating multiple XRs
- prevent kyverno policy from erroneously helm templating values
- revert rendering of values in structsure-enterprise chart
- use appropriate whitespace in generate kyverno policy
5.16.0 (2024-07-25)β
Warningβ
- Included in this update is a fix for crossplane pods to be excluded from a kyverno policy that was blocking scheduling for crossplane pods. The fix will be applied automatically as part of the package. The IaC creates some values for kyverno policies that are no longer needed as those have been moved to the package. If you upgrading from a previous version, you will need to review the
kyverno-policies-overrides
config map in thestructsure-system
namespace and remove any entries that the IaC added. IaC specific entries can be identified by viewing the value file outputs of the IaC. - Included in this update is better support for a containerd mirror of registry1.dso.mil to the internal zarf registry. Running the IaC to apply these changes will generate a new launch template and will cycle EKS nodes onto the new config. If you are using a Structsure EKS AMI, you will need to use an AMI that was built on or before 07/11/2024. If using an AMI prior to that build date, the containerd mirror will stop functioning until a new AMI is used.
IaC Bug Fixesβ
- iac: eks registry mirror for all environments
Package Featuresβ
- enable NetworkPolicy in vpc cni by default
- Upgrade Big Bang to v2.31
Documentationβ
- don't render wiki/style guide as part of public docs site
Helpful Linksβ
- Big Bang v2.31.0 Release Notes
5.15.1 (2024-08-26)β
Package Bug Fixesβ
- collect existing bigbang values and merge into provided values
- dig keycloak config realm to avoid nil pointer during zarf deploy
- handle empty existing bigbang-overrides
- prevent failed upgrades from creating multiple XRs
- prevent helm rollback from deleteing claims
- prevent kyverno policy from erroneously helm templating values
- revert rendering of values in structsure-enterprise chart
- use appropriate whitespace in generate kyverno policy
5.15.0 (2024-07-11)β
Warningβ
Changes to Console password generation require Terraform to generate a new password for pre-existing deployments. As a result, Console will be down from the time the IaC is ran until the cluster has reconciled the outputted BigBang values files.
Additional Notesβ
As part of the Big Bang upgrade, Keycloak may have some trouble reconciling. We have tested that a way to ensure a smooth upgrade is to, before upgrading, delete the statefulsets for Keycloak in your cluster and let the new version upgrade the helm to bring it back. For more notes on this, please see the official documentation for Big Bang 2.30.
Kiali is now enabled by default.
The default storage location for SSH keys for cluster management have been moved from AWS Parameter Store to AWS Secrets Manager. As a result, the following IAM permissions are required in order to run the IAC:
{ "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:TagResource" ], "Resource": "*" }
iac: rds_engine_version as var Users can now set the versions of each modules RDS via {tool}_inputs, such as confluence_inputs, in the hcl file.
IaC Featuresβ
- iac: EKS containerd mirror for ironbank images
- For now, this is supported for Structsure AMIs. We have noticed that non-Structsure AMIs have an issue with the config and we are working on a follow-up solve.
- iac: eks node group sizes as obj var
- Users can now set the sizes (min, max, desired) of the default EKS nodegroup via hcl file.
- iac: rds engine_version as var
- Users can now set the versions of each modules RDS via {tool}-inputs in the hcl file. Note that users who have their Confluence RDS database version greater than
13.8
will revive an error upgrading infra until this release when they can set the RDS database version.
- Users can now set the versions of each modules RDS via {tool}-inputs in the hcl file. Note that users who have their Confluence RDS database version greater than
- iac: Save SSH private keys to AWS Parameter store from SSM
- The SSH key will now be found in the AWS Secrets Manager instead of the SSM Parameter store.
- iac: update default iac k8s version to 1.28
IaC Bug Fixesβ
- iac: special characters within console database password
Package Featuresβ
- crossplane: automatic kiali sso integration
- Enable docs search
- Upgrade Big Bang to 2.30.0
Package Bug Fixesβ
- crossplane: crossplane exempt from kyverno drop all policy
Documentationβ
- new section on High Availability Configuration
Helpful Linksβ
- Big Bang v2.30.0 Release Notes
5.14.2 (2024-08-26)β
Package Bug Fixesβ
- collect existing bigbang values and merge into provided values
- crossplane: crossplane exempt from kyverno drop all policy
- dig keycloak config realm to avoid nil pointer during zarf deploy
- handle empty existing bigbang-overrides
- prevent failed upgrades from creating multiple XRs
- prevent helm rollback from deleteing claims
- prevent kyverno policy from erroneously helm templating values
- revert rendering of values in structsure-enterprise chart
- use appropriate whitespace in generate kyverno policy
5.14.1 (2024-07-01)β
Additional Notesβ
Starting with Gitlab 17, runner registration tokens are no longer supported by default. Applying this version as an upgrade to a pre-existing cluster will require either re-enabling runner registration tokens (https://docs.gitlab.com/ee/administration/settings/continuous_integration.html#enable-runner-registrations-tokens) or creating a runner authentication token and updating the gitlab-gitlab-runner-secret
secret in the gitlab-runner
namespace with the new token (https://repo1.dso.mil/big-bang/product/packages/gitlab/-/blob/main/docs/gitlab17.md)
If SSO configuration has already been setup manually, disregard this. However, if you are using the new automated SSO configuration features, any crossplane-managed keycloak groups will need to be reassociated to their crossplane object. To do so, find groups that are currently failing by kubectl get groups.group.keycloak.crossplane.io
and for any that are Synched
= False
, you will need to manually get the UUID from keycloak and apply the crossplane.io/external-name: <UUID>
annotation to the object.
Package Bug Fixesβ
- zarf: upgrade gitlab to 17.1.1 to patch cve
5.14.0 (2024-06-27)β
Additional Notesβ
If SSO configuration has already been setup manually, disregard this. However, if you are using the new automated SSO configuration features, any crossplane-managed keycloak groups will need to be reassociated to their crossplane object. To do so, find groups that are currently failing by kubectl get groups.group.keycloak.crossplane.io
and for any that are Synched
= False
, you will need to manually get the UUID from keycloak and apply the crossplane.io/external-name: <UUID>
annotation to the object.
IaC Bug Fixesβ
- iac: set cluster_iam_role_dns_suffix in EKS module
- iac: set preserve_client_ip to null if compatibility_mode is true
Package Featuresβ
- monitoring apps sso with xrds
- bump console to 5.49.20240614000040
- console: update console to 5.50.x
- crossplane: grafana uses keycloak XRD provider
- crossplane: Keycloak-config is fully configurable from values.yaml
- crossplane: Neuvector declarative configuration
- Keycloak CVE fix
- update console to 5.49x and chart 1.7.0
- update to include console 5.49.20240614180839
- Upgrade Big Bang to 2.29.0
Package Bug Fixesβ
- crossplane: Keycloak-Config reports ready
- crossplane: secret management for keycloak-config
Documentationβ
- Create Release Notes Section in our Documentation
Helpful Linksβ
- Big Bang v2.29.0 Release Notes
5.13.1 (2024-08-26)β
Package Bug Fixesβ
- collect existing bigbang values and merge into provided values
- handle empty existing bigbang-overrides
- prevent failed upgrades from creating multiple XRs
- prevent helm rollback from deleteing claims
- prevent kyverno policy from erroneously helm templating values
- revert rendering of values in structsure-enterprise chart
- use appropriate whitespace in generate kyverno policy
5.11.1 (2024-06-17)β
π¨ Danger π¨β
This release has a significant refactor in how configmaps/secrets for the Bigbang HR are created. Crossplane will recreate all of the ones Structsure manages which can result in applications temporarily being undeployed. To prevent problems and outages, suspend the bigbang
helm release when performing the upgrade for this Structsure release. Afterwards, you can verify configmaps/secrets for the bigbang
helm release are present and can unsuspend the helm release.
Package Bug Fixesβ
- add kyverno policy exception for promtail capability