Tanzu Application Platform release notes

This topic contains release notes for Tanzu Application Platform v1.10.

Important

Tanzu Application Platform v1.10 will be supported for 1 year with limited support. VMware will provide support during version upgrade and tested upgrade paths. For available upgrade paths for Tanzu Application Platform v1.10, see Supported upgrade paths. CVEs and known issues will be addressed in future minor releases.

Long-term support is planned for some future versions, but not all.

v1.10.1

Release Date: 18 June 2024

v1.10.1 Breaking changes

This release includes the following changes, listed by component and area.

v1.10.1 Breaking changes: Tanzu Application Platform

  • Tanzu Application Platform releases have migrated from VMware Tanzu Network to the Broadcom Support Portal and Broadcom registry. Using VMware Tanzu Network to install or upgrade Tanzu Application Platform is no longer supported.

    Before you upgrade, you must relocate the Tanzu Application Platform images from the Broadcom registry tanzu.packages.broadcom.com to your own registry. Make sure you relocate the images to your container image registry as part of the instructions in Upgrade Tanzu Application Platform.

v1.10.1 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
application-configuration-service.tanzu.vmware.com
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
cnrs.tanzu.vmware.com
config-server.spring.tanzu.vmware.com
crossplane.tanzu.vmware.com
managed-resource-controller.apps.tanzu.vmware.com
source.component.apps.tanzu.vmware.com
supply-chain.apps.tanzu.vmware.com

v1.10.1 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.10.1 Resolved issues: cert-manager

  • Resolved an issue where cert-manager toggled Gateway API support in the presence of gateway.networking.k8s.io/v1beta1 and did not start.

v1.10.1 Resolved issues: Enterprise Config Server

  • Resolved an issue that prevented Enterprise Config Server from starting on OpenShift.

v1.10.1 Known issues

This release has the following known issues, listed by component and area.

v1.10.1 Known issues: Tanzu Application Platform

  • On Azure Kubernetes Service (AKS), the Datadog Cluster Agent cannot reconcile the webhook, which leads to an error. For troubleshooting information, see Datadog agent cannot reconcile webhook on AKS.

  • The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKr v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.10.1 Known issues: API Auto Registration

  • Registering conflicting groupId and version with API portal:

    If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications.

    If you add both specifications to the API portal, only one of them might appear in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specification includes API routes from both CuratedAPIDescriptors.

    You can see the groupId and version information from all CuratedAPIDescriptors by running:

    kubectl get curatedapidescriptors -A
    
  • When creating an APIDescriptor with differing apiSpec.url and server.url, the controller incorrectly uses the API specification URL as the server URL. To avoid this issue, use server.url only.

v1.10.1 Known issues: App Last Mile Catalog

  • The app-config-web, app-config-server, and app-config-worker components do not allow developers to override the default application ports. This means that applications that use non-standard ports do not work. To work around this, you can configure ports by providing values to the resulting Carvel package. This issue is planned to be fixed in a future release.

v1.10.1 Known issues: Application Accelerator

  • When you create a Java project using the accelerator new project wizard in IntelliJ, it might not build correctly when first opened.

    This issue mostly occurs in Maven projects. When you open the new project for the first time, a dialog box might appear in the lower-right side of IntelliJ asking you to Load Maven Project.

    For a workaround, see Troubleshoot Application Accelerator.

v1.10.1 Known issues: Application Configuration Service

  • Application Configuration Service is not compatible with the version of Flux CD in this release.

v1.10.1 Known issues: Application Live View

  • On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.10.1 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. You can ignore the error of a duplicate submission of identical ImageVulnerabilityScans if the previous submission was successful.

v1.10.1 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami Services after having already created a claim for one or more of the services using the default configuration, the updated private registry configuration does not appear to take effect.

    This is due to caching behavior in the system that is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.10.1 Known issues: Cartographer Conventions

  • Before Tanzu Application Platform v1.9, the cartographer.tanzu.vmware.com package contained two products: Cartographer and Cartographer Conventions. In Tanzu Application Platform v1.9.0 the Cartographer Conventions product was removed from the cartographer.tanzu.vmware.com package and is now distributed in its own package named cartographer.conventions.apps.tanzu.vmware.com.

    When you upgrade to Tanzu Application Platform v1.9 or later, an issue might occur when installing the new package for Cartographer Conventions. The upgrade might fail to reconcile and show error messages similar to the following:

    Resource 'clusterrole/cartographer-conventions-manager-role (rbac.authorization.k8s.io/v1) cluster' \
    is already associated with a different app 'cartographer.app'
    

    This message might appear more than once, and it can refer to several resources.

    These errors appear when kapp-controller on the cluster tries to install the new Cartographer Conventions package before the Cartographer package has reconciled. The new package for Cartographer Conventions tries to install resources that the existing Cartographer package still owns.

    Although it looks like the upgrade fails, if you wait a few minutes kapp-controller finishes the installation and the packages reconcile successfully. The system works normally after the reconciliation is complete.

    This error does not occur on a new installation of Tanzu Application Platform.

  • While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.10.1 Known issues: Crossplane

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To work around this, delete the validatingwebhookconfiguration manually by running:

    kubectl delete validatingwebhookconfiguration crossplane
    

v1.10.1 Known issues: Scanning

  • When uninstalling Tanzu Application Platform v1.10, the removal of the scanning package can get stuck because of a failed namespace deletion in the scanning package. You might see the following error:

    Useful Error Message:  kapp: Error: Timed out waiting after 15m0s for resources: [namespace/metadata-store-secrets (v1) cluster]
    

    To work around this issue, do one of the following actions:

    • Remove the finalizer present on the namespace by running:
    kubectl edit namespace/metadata-store-secrets
    
    • If a finalizer is not already present, add a finalizer by adding the following YAML with the kubectl edit command:
    spec:
      finalizers:
      - kubernetes
    

v1.10.1 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.10.1 Known issues: Tanzu Supply Chain

  • Components cannot have more than one resumption defined. When there are multiple resumptions, WorkloadRuns are not correctly created after resumptions trigger changes. The current workaround is to assess all triggers in a single resumption.

  • Tanzu Supply Chain currently does not include support for Red Hat OpenShift. This means you cannot individually install components for Tanzu Supply Chain and Managed Resource Controller. You also cannot install the Authoring profile that includes those components as standard. Support for Red Hat OpenShift is planned for a later release.

  • Tanzu Supply Chain currently does not include support for CA certificates in the Out of the Box components. However, you can edit the components to support CA certificates and use them to construct a new Supply Chain. Support for CA certificates as standard is planned for future versions of Tanzu Supply Chain.

  • When you select the Supply Chains tab in Tanzu Developer Portal, you might encounter an error related to data.packaging.carvel.dev. The error message is related to permission issues and JSON parsing errors. The error message indicates that the user system:serviceaccount:tap-gui:tap-gui-viewer cannot list resource packages in the API group data.packaging.carvel.dev at the cluster scope. Additionally, an unexpected non-whitespace character is reported after JSON at position 4.

    As a temporary workaround, apply an RBAC configuration that includes the get, watch, and list permissions for the resources in the data.packaging.carvel.dev API group. This workaround must not be mandated for supply chains that do not generate Carvel packages.

    To eliminate the error message, configure RBAC to allow access to the Carvel package resource as follows:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: CLUSTER-ROLE-NAME  # placeholder name
    rules:
    - apiGroups: [data.packaging.carvel.dev]
      resources: [packages]
      verbs: ['get', 'watch', 'list']
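
A ClusterRole takes effect only once it is bound to a subject. As an added example (not from the release notes), the script below renders the role together with a ClusterRoleBinding for the service account named in the error message and checks the result with kubectl auth can-i. The role name tap-gui-carvel-packages-reader is hypothetical.

```shell
#!/bin/sh
# Added example: bind read-only access to Carvel packages to the
# Tanzu Developer Portal service account, then check the result.

ROLE_NAME="tap-gui-carvel-packages-reader"   # hypothetical name
SA_NAMESPACE="tap-gui"                        # from the error message
SA_NAME="tap-gui-viewer"                      # from the error message

# Print the ClusterRole and the ClusterRoleBinding that attaches it.
render_packages_reader_rbac() {
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ${ROLE_NAME}
rules:
- apiGroups: [data.packaging.carvel.dev]
  resources: [packages]
  verbs: ['get', 'watch', 'list']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${ROLE_NAME}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${ROLE_NAME}
subjects:
- kind: ServiceAccount
  name: ${SA_NAME}
  namespace: ${SA_NAMESPACE}
EOF
}

# Ask the API server whether the service account holds each read verb at
# cluster scope, and confirm that a write verb is still denied.
verify_packages_access() {
    subject="system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}"
    resource="packages.data.packaging.carvel.dev"
    for verb in get watch list; do
        kubectl auth can-i "$verb" "$resource" --all-namespaces --as="$subject" \
            >/dev/null || { echo "missing: $verb" >&2; return 1; }
    done
    if kubectl auth can-i delete "$resource" --all-namespaces --as="$subject" >/dev/null; then
        echo "unexpected: delete is allowed" >&2
        return 1
    fi
}

# On a cluster (needs kubectl and permission to create RBAC objects),
# run this script with --apply. Without the flag it only defines the functions.
if [ "${1:-}" = "--apply" ]; then
    render_packages_reader_rbac | kubectl apply -f - && verify_packages_access
fi
```

Apply this only on clusters whose supply chains generate Carvel packages, as the workaround above states.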
    

v1.10.1 Known issues: Supply Chain Choreographer

  • The template for the external-deliverable-template does not respect the gitops_credentials_secret parameter. The value is not present on the deliverable if it is provided in the workload parameter gitops_credentials_secret or the supply chain tap-value ootb_supply_chain*.gitops.credentials_secret. As a workaround, operators must provide the value as a tap-value for the delivery: ootb_delivery_basic.source.credentials_secret.

    The supply chain’s GitOps credentials must authenticate to the same repository as the delivery’s source credentials. If a deliverable must use a secret different from that specified by the delivery tap-value, the deliverable must be manually altered when copied to the Run cluster. Add the secret name as a source_credentials_secret parameter on the deliverable.

  • By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds around 3 KB the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur.

    If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.10.1 Known issues: Supply Chain Security Tools - Policy

  • Supply Chain Security Tools - Policy defaults to The Update Framework (TUF) enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure the policy controller in tap-values.yaml to enable TUF:

    policy:
      tuf_enabled: true
    

v1.10.1 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours for the workload to automatically go into the ready state. For more information about this issue, see the Snyk GitHub repository.

  • Recurring scan has a maximum of approximately 5000 container images that can be scanned at a single time due to the size limits of ConfigMaps.

  • If the supply-chain container image-scanning is configured to use a different scanner or scanner version than the recurring scan, the vulnerabilities displayed in Tanzu Developer Portal might be inaccurate.

  • SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.10.1 Known issues: Supply Chain Security Tools - Scan 2.0

  • When installing the Tanzu Application Platform Build profile or Full profile, Supply Chain Security Tools (SCST) - Scan 2.0 is also installed on the cluster. If you installed SCST - Scan 2.0 manually in an earlier Tanzu Application Platform version, uninstall SCST - Scan 2.0 before upgrading to v1.10 to avoid conflict.

v1.10.1 Known issues: Supply Chain Security Tools - Store

  • SCST - Store returns an expired certificate error message when a CA certificate expires before the app certificate. For more information, see CA Cert expires.

  • When outputting CycloneDX v1.5 SBOMs, the report is found to be an invalid SBOM by CycloneDX validators. This issue is planned to be fixed in a future release.

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgreSQL database index has been corrupted, SCST - Store automatically attempts to repair it, which might cause reconciliation during package updates. When this happens, the included PostgreSQL database might take some time for the repair to finish before accepting connections. For more information, see Supply Chain Security Tools - Store Database Index Corruption.

  • If CA Certificate data is included in the shared Tanzu Application Platform values section, do not configure AMR Observer with CA Certificate data.

  • When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

    When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

    To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.10.1 Known issues: Tanzu Build Service

  • During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This is fixed automatically on subsequent builds after a code change and does not affect the running application.

    If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.10.1 Known issues: Tanzu Developer Portal

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub.

    This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

  • Supply Chain UI plug-in: On the Workload Details page, the config writer step takes longer than 20 seconds to load when more than 149 workloads (deployed in a single namespace) are displayed in the Supply Chain UI.

v1.10.1 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.10.1 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.10.1 Component versions

The following table lists the Tanzu Application Platform package versions included with this release. For open-source component versions in this Tanzu Application Platform release, see Open-source component versions.

Component Name Version
API Auto Registration 0.5.0
API portal 1.5.0
Application Accelerator 1.10.0
Application Configuration Service 2.3.2
Application Live View APIServer 1.10.0
Application Live View back end 1.10.0
Application Live View connector 1.10.0
Application Live View conventions 1.10.0
Application Single Sign-On 5.1.6
Artifact Metadata Repository Observer 0.6.0
AWS Services 0.4.0
Bitnami Services 0.6.0
Carbon Black Scanner for SCST - Scan (beta) 1.4.0
Cartographer Conventions 0.9.1
cert-manager 2.9.1
Cloud Native Runtimes 2.6.2
Contour 2.4.0
Crossplane 0.6.1
Default Roles 1.1.0
Developer Conventions 0.16.1
Enterprise Config Server 1.0.1
External Secrets Operator 0.9.4+tanzu.3
Flux CD Source Controller 1.1.2+vmware.5.1715633984
Grype Scanner for SCST - Scan 1.9.1
Local Source Proxy 0.2.1
Managed Resource Controller (beta) 0.3.15
Namespace Provisioner 0.6.2
Out of the Box Delivery - Basic 0.16.9
Out of the Box Supply Chain - Basic 0.16.9
Out of the Box Supply Chain - Testing 0.16.9
Out of the Box Supply Chain - Testing and Scanning 0.16.9
Out of the Box Templates 0.16.9
Service Bindings 0.12.1
Service Registry 1.4.0
Services Toolkit 0.15.0
Snyk Scanner for SCST - Scan (beta) 1.3.0
Source Controller 0.9.1
Spring Boot conventions 1.10.0
Spring Cloud Gateway 2.2.4
Supply Chain Choreographer 0.9.1
Supply Chain Security Tools - Policy Controller 1.6.4
Supply Chain Security Tools - Scan 1.9.1
Supply Chain Security Tools - Scan 2.0 0.5.0
Supply Chain Security Tools - Store 1.10.0
Tanzu Application Platform Telemetry 0.7.0
Tanzu Build Service 1.13.0
Tanzu CLI 1.3.0
Tanzu Developer Portal 1.10.1
Tanzu Developer Portal Configurator (deprecated) 1.10.1
Tanzu Supply Chain (beta) 0.3.20
Tekton Pipelines 0.50.3+tanzu.4

v1.10.0

Release Date: 21 May 2024

What’s new in Tanzu Application Platform v1.10

This release includes the following platform-wide enhancements.

New components

  • Enterprise Config Server: Enterprise Config Server is an externalized configuration server based on the open-source Spring Cloud Config project. Config Server provides a centralized server for delivering external configuration properties to an application, and a central source for managing this configuration across deployment environments.

  • SonarQube Scan Tanzu Supply Chain component: You can add the SonarQube Scan Tanzu Supply Chain component to a Tanzu Supply Chain to perform Static Application Security Testing (SAST) scans on the source code configured. This component is in the alpha stage, and only supports scanning for Maven projects.


v1.10.0 New features by component and area

This release includes the following changes, listed by component and area.

v1.10.0 Features: Application Accelerator

  • Improves the accelerator syntax and authoring experience with a new Domain Specific Language (DSL) for authoring accelerators.

  • Provides a Language Server in the local engine server that the VS Code extension uses for syntax highlighting and code completion for accelerator authors using the new DSL.

  • Adds the Spring Secure Resource Server sample accelerator. This accelerator provides a multi-service demo application with Vue.js frontends and is backed by a secured Spring resource server.

v1.10.0 Features: AWS Services

  • Sets the default CompositionUpdatePolicy on Compositions to Manual. Previously, the default was Automatic.

  • Removes the default version on RDS services.

  • Updates Provider from v1.2.0 to v1.4.0.

v1.10.0 Features: Bitnami Services

  • Introduces the package value claim_namespace, which enables you to create services in the same namespace as the originating claim. This is now the default behavior. Previously, services were created in new namespaces. You can set this value globally or on a specific service. For more information, see Package values of Bitnami Services.

  • Updates Helm Charts to the latest versions:

    • MySQL to v10.1.0
    • PostgreSQL to v15.2.0
    • RabbitMQ to v13.0.0
    • Redis to v19.0.2
    • MongoDB to v15.1.1
    • Kafka to v28.0.1

v1.10.0 Known issues: cert-manager

  • cert-manager erroneously toggles Gateway API support in the presence of gateway.networking.k8s.io/v1beta1, and does not start successfully. As a workaround, either install gateway.networking.k8s.io/v1 or explicitly un-toggle the Gateway API support for cert-manager by adding these lines to tap-values.yaml:

    cert_manager:
      controller:
        feature_gates:
          ExperimentalGatewayAPISupport: false
    

v1.10.0 Features: Cloud Native Runtimes

v1.10.0 Features: Crossplane

  • Updates Universal Crossplane to v1.15.2.up-1.

    This update increases the default CPU limit from 100m to 500m and memory limits from 512Mi to 1024Mi for the Crossplane controller. This might affect clusters which are close to or already over-subscribed.

  • Updates provider-helm to v0.17.0.

v1.10.0 Features: Java Buildpack

  • Introduces the latest Spring Boot v3.3 optimization: Class Data Sharing (CDS). Add an environment variable to the build section of your Spring Boot v3.3 workload to make your app start approximately 1.5 times faster and consume approximately 20% less memory. For more information about this optimization, see the Tanzu Java Buildpacks documentation.

v1.10.0 Breaking changes

This release includes the following changes, listed by component and area.

v1.10.0 Breaking changes: Bitnami Services

  • Bitnami Services are now created by default in the same namespace as the original claim rather than in a new dedicated namespace. You can configure this by using the claim_namespace package value.

    Existing instances that use the default behavior are unaffected unless you have overridden compositionUpdatePolicy to Automatic or changed the compositionRevisionRef. In that case, the Bitnami instances are recreated when the package is upgraded. To prevent instances being recreated, you can set the Bitnami package values to shared_namespace="" and claim_namespace=False, which was the previous default.

v1.10.0 Breaking changes: Flux CD Source Controller

  • Flux CD Source Controller updated the GitRepository API from v1beta2 to v1. The controller accepts resources with API versions v1beta1 and v1beta2, saving them as v1.

    Unsupported fields for the GitRepository API:

    • spec.gitImplementation is deprecated. GitImplementation defines the Git client library implementation. go-git is the default and only supported implementation. libgit2 is no longer supported.
    • spec.accessFrom is deprecated. AccessFrom, which defines an Access Control List for enabling cross-namespace references to this object, was never implemented.
    • status.contentConfigChecksum is deprecated in favor of the explicit fields defined in the observed artifact content config within the status.
    • status.artifact.checksum is deprecated in favor of status.artifact.digest.
    • status.url is deprecated in favor of status.artifact.url.

    Unsupported fields for the OCIRepository API:

    • status.contentConfigChecksum is deprecated in favor of the explicit fields defined in the observed artifact content config within the status.

v1.10.0 Breaking changes: Service Registry

  • Mutual Transport Layer Security (mTLS) between Eureka peers and clients is now deactivated by default. You can activate mTLS by using the tls flag in the EurekaServer specification. Update existing instances with tls: { activated: true } to continue with mTLS activated. For more information, see Create a EurekaServer resource.

v1.10.0 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
accelerator.apps.tanzu.vmware.com
amr-observer.apps.tanzu.vmware.com
apiserver.appliveview.tanzu.vmware.com
aws.services.tanzu.vmware.com
cartographer.conventions.apps.tanzu.vmware.com
cartographer.tanzu.vmware.com
cert-manager.tanzu.vmware.com
cnrs.tanzu.vmware.com
connector.appliveview.tanzu.vmware.com
contour.tanzu.vmware.com
controller.source.apps.tanzu.vmware.com
crossplane.tanzu.vmware.com
fluxcd-source-controller.tanzu.vmware.com
java-lite.buildpacks.tanzu.vmware.com
metadata-store.apps.tanzu.vmware.com
nodejs-lite.buildpacks.tanzu.vmware.com
ruby-lite.buildpacks.tanzu.vmware.com
service-registry.spring.apps.tanzu.vmware.com
services-toolkit.tanzu.vmware.com
spring-cloud-gateway.tanzu.vmware.com
sso.apps.tanzu.vmware.com
tap-gui.tanzu.vmware.com
trivy.app-scanning.component.apps.tanzu.vmware.com
web-servers-lite.buildpacks.tanzu.vmware.com

v1.10.0 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.10.0 Resolved issues: Services Toolkit

  • Fixed an issue in which the Services Toolkit controller manager deleted Carvel SecretExport resources that it did not own.

v1.10.0 Resolved issues: Supply Chain Security Tools - Scan 2.0

  • Fixed an issue that overwrote the scanning-image value with a wrong default value for ootb_supply_chain_testing_scanning.image_scanner_cli.image when using Supply Chain Security Tools (SCST) - Scan 2.0 with a ClusterImageTemplate for templates other than the default Trivy template.

v1.10.0 Resolved issues: Tanzu Developer Portal

  • Supply Chain UI plug-in:

    • Fixed performance issues in the Supply Chain UI that caused the Workloads page and Workload Details page to load slowly.
  • Runtime Resource View plug-in:

    • Fixed the issue where the RRV plug-in was querying for resources across all namespaces despite the presence of a Backstage namespace annotation on the entity.
    • Fixed the issue where the RRV plug-in was displaying error messages for resources that did not exist on a cluster.

v1.10.0 Known issues

This release has the following known issues, listed by component and area.

v1.10.0 Known issues: Tanzu Application Platform

  • On Azure Kubernetes Service (AKS), the Datadog Cluster Agent cannot reconcile the webhook, which leads to an error. For troubleshooting information, see Datadog agent cannot reconcile webhook on AKS.

  • The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKr v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.10.0 Known issues: API Auto Registration

  • Registering conflicting groupId and version with API portal:

    If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications.

    If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specification includes API routes from both CuratedAPIDescriptors.

    You can see the groupId and version information from all CuratedAPIDescriptors by running:

    $ kubectl get curatedapidescriptors -A
    
    NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
    my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
    default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
    
  • When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.
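
    The groupId and version conflict described above can be caught before it reaches the API portal. The following is an added example, not part of the original release notes or the product: a shell function that reads the table printed by kubectl get curatedapidescriptors -A and reports every groupId and version pair claimed by more than one CuratedAPIDescriptor. The function names and the third sample row are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag CuratedAPIDescriptors that share a groupId and version.
# Usage on a cluster: kubectl get curatedapidescriptors -A | find_conflicts
# Exit status: 0 = no conflict, 1 = conflict found, 2 = unexpected header.

find_conflicts() {
  awk '
    NR == 1 {
      # Locate the columns by header name rather than by fixed position.
      for (i = 1; i <= NF; i++) col[$i] = i
      if (!("NAMESPACE" in col) || !("NAME" in col) ||
          !("GROUPID" in col) || !("VERSION" in col)) {
        print "unexpected header: " $0 > "/dev/stderr"
        bad = 1
        exit 2
      }
      next
    }
    NF == 0 { next }   # skip blank lines
    {
      key   = $col["GROUPID"] " " $col["VERSION"]
      owner = $col["NAMESPACE"] "/" $col["NAME"]
      if (key in owners) {
        owners[key] = owners[key] "," owner
      } else {
        owners[key] = owner
        order[++n] = key          # remember first-seen order for stable output
      }
      count[key]++
    }
    END {
      if (bad) exit 2
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (count[k] > 1) {
          # One line per conflict: GROUPID VERSION ns/name,ns/name,...
          print k " " owners[k]
          found = 1
        }
      }
      exit (found ? 1 : 0)
    }
  '
}

# Constructed sample input: the two rows shown in the release notes plus one
# made-up, non-conflicting row (orders) added for this example.
sample_output() {
  cat <<'EOF'
NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
my-apps             orders       orders-group       2.0.0     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/orders
EOF
}
```

    The non-zero exit status on conflict lets the check gate a pipeline step that publishes specifications to the API portal.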

v1.10.0 Known issues: App Last Mile Catalog

  • The app-config-web, app-config-server, and app-config-worker components do not allow developers to override the default application ports. This means that applications that use non-standard ports do not work. To work around this, you can configure ports by providing values to the resulting Carvel package. This issue is planned to be fixed in a future release.

v1.10.0 Known issues: Application Accelerator

  • When you create a Java project using the accelerator new project wizard in IntelliJ, it might not build correctly when first opened.

    This issue mostly occurs in Maven projects. When you open the new project for the first time, a dialog box might appear in the bottom right side of IntelliJ asking you to Load Maven Project.

    For a workaround, see Troubleshoot Application Accelerator.

v1.10.0 Known issues: Application Live View

  • On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.10.0 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes the Observer to reattempt posting ImageVulnerabilityScan results. The duplicate submission of identical ImageVulnerabilityScans produces an error, which you can ignore if the previous submission was successful.

v1.10.0 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami Services after having already created a claim for one or more of the services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.10.0 Known issues: Cartographer Conventions

  • Before Tanzu Application Platform v1.9, the cartographer.tanzu.vmware.com package contained two products: Cartographer and Cartographer Conventions. In Tanzu Application Platform v1.9.0 the Cartographer Conventions product was removed from the cartographer.tanzu.vmware.com package and is distributed in its own package named cartographer.conventions.apps.tanzu.vmware.com.

    When you upgrade to Tanzu Application Platform v1.9 or later, an issue might occur when installing the new package for Cartographer Conventions. The upgrade might fail to reconcile and show error messages similar to the following:

    Resource 'clusterrole/cartographer-conventions-manager-role (rbac.authorization.k8s.io/v1) cluster' is already associated with a different app 'cartographer.app'
    

    This message might appear more than once, and it can refer to several resources.

    These errors appear when kapp-controller on the cluster tries to install the new Cartographer Conventions package before the Cartographer package has reconciled. The new package for Cartographer Conventions tries to install resources that the existing Cartographer package still owns.

    Although it looks like the upgrade fails, if you wait a few minutes, kapp-controller finishes the installation and the packages will reconcile successfully. The system works normally after the reconciliation is complete.

    This error does not occur on a new installation of Tanzu Application Platform.

  • While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.10.0 Known issues: cert-manager

  • cert-manager erroneously toggles Gateway API support in the presence of gateway.networking.k8s.io/v1beta1, and does not start successfully. As a workaround, either install gateway.networking.k8s.io/v1 or explicitly un-toggle the Gateway API support for cert-manager by adding these lines to tap-values.yaml:

    cert_manager:
      controller:
        feature_gates:
          ExperimentalGatewayAPISupport: false
    

v1.10.0 Known issues: Crossplane

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To work around this issue, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.10.0 Known issues: Enterprise Config Server

  • Enterprise Config Server is not supported on OpenShift.

v1.10.0 Known issues: Scanning

  • When uninstalling Tanzu Application Platform v1.10, the removal of the scanning package can get stuck because of a failed namespace deletion in the scanning package. You might see the following error:

    Useful Error Message:  kapp: Error: Timed out waiting after 15m0s for resources: [namespace/metadata-store-secrets (v1) cluster]
    

    To work around this issue, do one of the following actions:

    • Remove the finalizer present on the namespace by running:
    kubectl edit namespace/metadata-store-secrets
    
    • If a finalizer is not already present, add a finalizer by adding the following YAML with the kubectl edit command:
    spec:
      finalizers:   # the Namespace spec field is named "finalizers"
      - kubernetes
    

v1.10.0 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.10.0 Known issues: Tanzu Supply Chain

  • Components cannot have more than one resumption defined. When there are multiple resumptions, WorkloadRuns are not correctly created after resumptions trigger changes. The current workaround is to assess all triggers in a single resumption.

  • Tanzu Supply Chain currently does not include support for Red Hat OpenShift. This means you cannot individually install components for Tanzu Supply Chain and Managed Resource Controller. You also cannot install the Authoring profile that includes those components as standard. Support for Red Hat OpenShift is planned for a later release.

  • Tanzu Supply Chain currently does not include support for CA certificates in the Out of the Box components. However, you can edit the components to support CA certificates and use them to construct a new Supply Chain. Support for CA certificates as standard is planned for future versions of Tanzu Supply Chain.

  • When you select the Supply Chains tab in Tanzu Developer Portal, you might encounter an error related to data.packaging.carvel.dev. The error message is related to permission issues and JSON parsing errors. The error message indicates that the user system:serviceaccount:tap-gui:tap-gui-viewer cannot list resource packages in the API group data.packaging.carvel.dev at the cluster scope. Additionally, an unexpected non-whitespace character is reported after JSON at position 4.

    As a temporary workaround, apply an RBAC configuration that includes the get, watch, and list permissions for the resources in the data.packaging.carvel.dev API group. This workaround must not be mandated for supply chains that do not generate Carvel packages.

    To eliminate the error message, configure RBAC to allow access to the Carvel package resource as follows:

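    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: CLUSTER-ROLE-NAME  # placeholder: the page does not give a name
    rules:
    # Read-only access to Carvel Package resources
    - apiGroups: [data.packaging.carvel.dev]
      resources: [packages]
      verbs: ['get', 'watch', 'list']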
    

v1.10.0 Known issues: Supply Chain Choreographer

  • The template for the external-deliverable-template does not respect the gitops_credentials_secret parameter. The value is not present on the deliverable if it is provided in the workload parameter gitops_credentials_secret or the supply chain tap-value ootb_supply_chain*.gitops.credentials_secret. As a workaround, operators must provide the value as a tap-value for the delivery: ootb_delivery_basic.source.credentials_secret.

    The supply chain’s GitOps credentials must authenticate to the same repository as the delivery’s source credentials. If a deliverable must use a secret different from that specified by the delivery tap-value, the deliverable must be manually altered when being copied to the Run cluster. Add the secret name as a source_credentials_secret parameter on the deliverable.

  • By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters.

    These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur.

    If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.10.0 Known issues: Supply Chain Security Tools - Policy

  • Supply Chain Security Tools - Policy defaults to The Update Framework (TUF) enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:

    policy:
      tuf_enabled: true
    

v1.10.0 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information about this issue, see the Snyk GitHub repository.

  • Recurring scan has a maximum of approximately 5000 container images that can be scanned at a single time due to the size limits of ConfigMaps.

  • If the supply chain container image scanning is configured to use a different scanner or scanner version than the recurring scanning, the vulnerabilities displayed in Tanzu Developer Portal might be inaccurate.

  • SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.10.0 Known issues: Supply Chain Security Tools - Scan 2.0

  • When installing the Tanzu Application Platform Build profile or Full profile, Supply Chain Security Tools (SCST) - Scan 2.0 is also installed on the cluster. If you installed SCST - Scan 2.0 manually in an earlier Tanzu Application Platform version, uninstall SCST - Scan 2.0 before upgrading to v1.10 to avoid conflict.

v1.10.0 Known issues: Supply Chain Security Tools - Store

  • SCST - Store returns an expired certificate error message when a CA certificate expires before the app certificate. For more information, see CA Cert expires.

  • When outputting CycloneDX v1.5 SBOMs, the report is found to be an invalid SBOM by CycloneDX validators. This issue is planned to be fixed in a future release.

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds that a PostgreSQL database index has been corrupted, SCST - Store automatically attempts to repair it, which might cause reconciliation during package updates.

    When this happens, the included Postgres database might take some time to complete the repair and accept connections. For more information, see Fix Postgres Database Index Corruption.

  • If CA Certificate data is included in the shared Tanzu Application Platform values section, do not configure AMR Observer with CA Certificate data.

  • When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

    When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

    To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.10.0 Known issues: Tanzu Build Service

  • During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

    If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.10.0 Known issues: Tanzu Developer Portal

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end.

    This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

  • Supply Chain UI plug-in: On the Workload Details page, the config writer step takes longer than 20 seconds to load when more than 149 workloads (deployed in a single namespace) are displayed in the Supply Chain UI.

v1.10.0 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.10.0 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.10.0 Component versions

The following table lists the Tanzu Application Platform package versions included with this release. For open source component versions in this Tanzu Application Platform release, see Open source component versions.

Component Name Version
API Auto Registration 0.5.0
API portal 1.5.0
Application Accelerator 1.10.0
Application Configuration Service 2.3.1
Application Live View APIServer 1.10.0
Application Live View back end 1.10.0
Application Live View connector 1.10.0
Application Live View conventions 1.10.0
Application Single Sign-On 5.1.6
Artifact Metadata Repository Observer 0.6.0
AWS Services 0.4.0
Bitnami Services 0.6.0
Carbon Black Scanner for SCST - Scan (deprecated) 1.4.0
Cartographer Conventions 0.9.1
cert-manager 2.9.0
Cloud Native Runtimes 2.6.0
Contour 2.4.0
Crossplane 0.6.0
Default Roles 1.1.0
Developer Conventions 0.16.1
Enterprise Config Server 1.0.0
External Secrets Operator 0.9.4+tanzu.3
Flux CD Source Controller 1.1.2+tanzu.4.1714385349
Grype Scanner for SCST - Scan 1.9.1
Local Source Proxy 0.2.1
Managed Resource Controller (beta) 0.3.7
Namespace Provisioner 0.6.2
Out of the Box Delivery - Basic 0.16.9
Out of the Box Supply Chain - Basic 0.16.9
Out of the Box Supply Chain - Testing 0.16.9
Out of the Box Supply Chain - Testing and Scanning 0.16.9
Out of the Box Templates 0.16.9
Service Bindings 0.12.1
Service Registry 1.4.0
Services Toolkit 0.15.0
Snyk Scanner for SCST - Scan (beta) 1.3.0
Source Controller 0.9.1
Spring Boot conventions 1.10.0
Spring Cloud Gateway 2.2.4
Supply Chain Choreographer 0.9.1
Supply Chain Security Tools - Policy Controller 1.6.4
Supply Chain Security Tools - Scan 1.9.1
Supply Chain Security Tools - Scan 2.0 0.5.0
Supply Chain Security Tools - Store 1.10.0
Tanzu Application Platform Telemetry 0.7.0
Tanzu Build Service 1.13.0
Tanzu CLI 1.3.0
Tanzu Developer Portal 1.10.1
Tanzu Developer Portal Configurator (deprecated) 1.10.1
Tanzu Supply Chain (beta) 0.3.8
Tekton Pipelines 0.50.3+tanzu.4

Deprecations

The following features, listed by component, are deprecated. Deprecated features remain on this list until they are retired from Tanzu Application Platform.

Carbon Black Scanner for SCST - Scan v1.0 deprecation

  • VMware Carbon Black Scanner for SCST - Scan v1.0 is deprecated and is marked for removal in Tanzu Application Platform v1.11.

Cloud Native Runtimes deprecations

  • default_tls_secret config option: This config option is now in contour.default_tls_secret and is marked for removal in a future Tanzu Application Platform version. In the meantime, both options are supported, and contour.default_tls_secret takes precedence over default_tls_secret.

  • ingress.[internal/external].namespace config options: These config options are now in contour.[internal/external].namespace and are marked for removal in a future Tanzu Application Platform version. In the meantime, both options are supported, and contour.[internal/external].namespace takes precedence over ingress.[internal/external].namespace.

Services Toolkit deprecations

  • The following APIs are deprecated and are marked for removal in a future Tanzu Application Platform version:
    • clusterexampleusages.services.apps.tanzu.vmware.com/v1alpha1
    • clusterresources.services.apps.tanzu.vmware.com/v1alpha1

Source Controller deprecations

  • The Source Controller ImageRepository API is deprecated and is marked for removal. Use the OCIRepository API instead. The Flux Source Controller installation includes the OCIRepository API. For more information about the OCIRepository API, see the Flux documentation.

Supply Chain Security Tools - Scan v1.0 deprecation

  • SCST - Scan v1.0 is deprecated, but it remains the default option for online installation. SCST - Scan v2.0 will be the default in Tanzu Application Platform v1.11. SCST - Scan v1.0 will be removed in a future Tanzu Application Platform version. For more information, see SCST - Scan versions.

Supply Chain Security Tools - Store deprecations

  • The metadata-store (MDS) component within SCST - Store is deprecated and is marked for removal in a future Tanzu Application Platform version.

Tanzu CLI deprecations

  • The Tanzu Insight plug-in for the Tanzu CLI is deprecated and is marked for removal in a future Tanzu Application Platform version.

Tanzu Developer Portal deprecations

Tekton Pipelines deprecations

  • Tekton ClusterTask is deprecated and marked for removal. Use the Task API instead. For more information, see the Tekton documentation.

Linux Kernel CVEs

Kernel level vulnerabilities are regularly identified and patched by Canonical. Tanzu Application Platform releases with available images, which might contain known vulnerabilities. When Canonical makes patched images available, Tanzu Application Platform incorporates these fixed images into future releases.

The kernel runs on your container host VM, not the Tanzu Application Platform container image. Even with a patched Tanzu Application Platform image, the vulnerability is not mitigated until you deploy your containers on a host with a patched OS. An unpatched host OS might be exploitable if the base image is deployed.
