Release notes

This topic contains release notes for Tanzu Application Platform v1.2.

v1.2.1

Release Date: August 9, 2022

Resolved issues

The following issues, listed by area and component, are resolved in this release.

Tanzu Application Platform GUI

  • Supply Chain plug-in
    • ConfigMap has no conditions and as a result its status is Unknown.
    • ConfigWriter shows an error but no error details are displayed.
    • Kaniko-based image builds cannot show data in the UI.
    • Need to refresh browser to show successful or error messages.

Tanzu Build Service

  • Improved error messaging.
  • Removed noisy logging from AWS credential helper.

Known issues

This release has the following known issues, listed by area and component.

Tanzu Application Platform

Supply Chain Security Tools - Scan

  • Blob source scan is reporting wrong source URL: When running a source scan of a blob compressed file, it looks for a .git directory present in the files to extract information that is useful for the report sent to the Supply Chain Security Tools - Store deployment. This problem happens when you use Grype Scanner ScanTemplates earlier than version v1.2.0 because the Scan Controller has a deprecated path to support previous ScanTemplates. VMware plans to resolve this issue by Supply Chain Security Tools - Scan v1.3.0. For the solution, see Observability and troubleshooting.

Grype scanner

  • Scanning Java source code that uses Gradle package manager may not reveal vulnerabilities:
    • For most languages, source code scanning only scans files present in the source code repository. Except for support added for Java projects using Maven, no network calls are made to fetch dependencies. For languages using dependency lock files, such as Golang and Node.js, Grype uses the lock files to check the dependencies for vulnerabilities.
    • For Java using Gradle, dependency lock files are not guaranteed, so Grype uses the dependencies present in the built binaries (.jar or .war files) instead.
    • Because VMware does not encourage committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.

v1.2.0

Release Date: July 12, 2022

New features

This release includes the following changes, listed by component and area.

Application Accelerator

  • Accelerator fragments are now available.
    • Allows for re-usable accelerator fragments to be imported into other accelerators.
  • Tanzu Application Accelerator for VS Code Extension is now available.
    • Allows for developers to quickly generate projects from their organization’s Accelerator Catalog right from within VS Code.
  • Added the subPath field for Accelerators and Fragments.
    • Provides the option for altering the location of the root of an accelerator or fragment.

Application Live View

  • Live Hover Integration with Spring Tools Suite:
    • Users can hover over Spring Actuator endpoints to see live data. You can enable this feature from Preferences.

Application Single Sign-On

  • Application Single Sign-On package comes installed with iterate, run, and full profiles.
  • Secure a workload with AppSSO. For more information, see AppSSO documentation.
  • AppSSO Starter Java Accelerator shows how to enable SSO on a Spring Boot application.
  • OpenID Connect Identity Providers are supported.
  • Grant types supported: authorization code, client credentials, refresh token.
  • Audit logs for troubleshooting.
  • Secure tokens - Token signature keys are created and applied to AuthServer so that tokens can be signed and verified.
  • TLS secured.

Tanzu CLI - Apps plug-in

  • Added support for --sub-path flag where users can specify a relative path inside the repository or image to treat as application root for source.
  • Added --service-account flag to specify ServiceAccount name used by the workload to create resources submitted by the supply chain.
  • Added shorthand -s for --source-image flag.
  • Added support for --output flag to workloads list command.
  • Added support for JSON or YAML params using new flag --param-yaml.
  • Added support for creating workloads from JAR, WAR, and ZIP files through the --local-path flag.
  • Added source information from workload in the workload get command output.
  • Added new command tanzu apps cluster-supply-chain get.
  • Added support for excluding files on local path using .tanzuignore file.
  • Added supply chain step information in workload get command output.
  • Added support for short names for Cartographer workload (wld) and cluster-supply-chain commands (csc).
  • Added support for providing ServiceAccount name in workload commands through file input.

Source Controller

  • Added support for pulling Artifacts from a Maven repository using the MavenArtifact CR.

    Note: Fetching RELEASE version from GitHub packages is not currently supported. The metadata.xml in GitHub packages does not have the release tag that contains the released version number. For more information, see Maven-metadata.xml is corrupted on upload to registry on GitHub.

Snyk Scanner (beta)

Supply Chain Choreographer

  • View resource status on a workload:
    • Added ability to indicate how Cartographer can read the state of the resource and reflect it on the owner status.
    • Surfaces information about the health of resources directly on the owner status.
    • Adds a field in the spec, healthRule, where authors can specify how to determine the health of the underlying resource for that template. A stamped resource can be in one of three states: Healthy (status True), Unhealthy (status False), or Unknown (status Unknown). If no healthRule is defined, Cartographer defaults to listing the resource as Healthy once it is successfully applied to the cluster and any outputs are read off the resource.
  • Cartographer Conventions v0.1.0 is now bundled with Supply Chain Choreographer.

Supply Chain Security Tools - Scan

  • Scan-Link’s controller abstraction from the scanners’ output format allows more flexibility when you integrate new scanners.
  • Supply Chain Security Tools - Scan is decoupled from the Supply Chain Security Tools - Store to ease future integration with different storage methods.
  • Beta scanner support released in the Snyk Scanner package.
  • Documentation is available on how to use Grype in offline and air-gapped environments.

Note: The Grype Scanner ScanTemplates shipped with versions before Supply Chain Security Tools - Scan v1.2.0 are now deprecated and are no longer supported in future releases. See Upgrading Supply Chain Security Tools - Scan for step-by-step instructions.

Supply Chain Security Tools - Sign

  • Updated cosign to v1.9.0.
  • Fixed resources without namespace defined causing errors.

Important: Supply Chain Security Tools - Sign is being deprecated and is being replaced by Supply Chain Security Tools - Policy Controller. Supply Chain Security Tools - Sign is no longer supported after Tanzu Application Platform v1.4.0. See Migration From Supply Chain Security Tools - Sign for migration instructions.

Supply Chain Security Tools - Policy Controller

  • Initial release of Policy Controller, which uses Sigstore Policy Controller.

Supply Chain Security Tools - Store

  • Added more accepted vulnerability method types (CVSSv31, OWASP).
  • Updated logging format to follow the Logging RFC recommendations.
  • Bumped PostgreSQL and paketo images to fix CVE-2022-1292.
  • Added support for insight plug-in to consume vulnerabilities through VEX in CycloneDX 1.4 reports.
  • Added support for insight plug-in to consume SPDX 2.2/3.0 reports and introduced the new --spdxtype option to the tanzu insight image add and tanzu insight source add commands.
  • Changed insight plug-in text response to return only highest CVE.
  • Added aliases for insight plug-in vulnerabilities command.

Tanzu Application Platform GUI

  Plug-in improvements and additions include:

  • Runtime Resources Visibility plug-in:

    • Added support for pod logs and the ability to change log levels (where application live view is supported).
    • Added memory and CPU limit configuration.
    • Added quick links to access app memory and threads usage.
    • Added additional current status information when viewing runtime resources.
    • Added Tanzu Workload integration with a workload detail page for all runtime resources.
    • Added support for Supply Chain resources.
    • UX updates to the Runtime Resource landing page.
  • Supply Chain plug-in:

    • Added ability to visualize CVE scan results in the Details pane for both Source and Image Scan stages, as well as scan policy information without using the CLI.
    • Added ability to visualize the deployment of a workload as a deliverable in a multicluster environment in the supply chain graph.
    • Added a deeplink to view approvals for PRs in a GitOps repository so that PRs can be reviewed and approved, resulting in the deployment of a workload to any cluster configured to accept a deployment.
    • Added Reason column to the Workloads table to indicate causes for errors encountered during supply chain execution.
    • Added links to a downloadable log output for each execution of the Test and Build stages of the out of the box supply chains to enable more enhanced troubleshooting methods for workloads.

Tanzu Developer Tools for VS Code

Tanzu Developer Tools for IntelliJ

Functions (beta)

Tanzu Build Service

  • Updates to dependencies are now provided as part of Tanzu Application Platform patches.
  • The automatic dependency update feature is deprecated. VMware discourages configuring Tanzu Application Platform with automatic dependency updates due to compatibility risks. This feature is still supported until stated otherwise.

Services Toolkit

  • Services Toolkit now integrates with Amazon RDS using the ACK Operator or Crossplane. For more information, see the Services Toolkit documentation.
  • New ClusterInstanceClass supports service instance abstraction. It is available using tanzu service classes list in v0.3.0 of the Services plug-in for Tanzu CLI.
  • Claimable resources are now discoverable through the InstanceQuery API. It is available using tanzu service claimable list --class CLASS-NAME in v0.3.0 of the Services plug-in for Tanzu CLI.
  • ResourceClaims now aggregate on ClusterRoles for service resources with the standard servicebinding.io/controller: "true" label from the Service Binding specification for Kubernetes.
  • Deprecation warning: tanzu service types list and tanzu service instances list commands are now deprecated. These commands are hidden from help text but remain functional if invoked. VMware intends to continue to support these commands for either two additional minor releases (v0.6.0 of the CLI plug-in) or after one year (2023-07-12), whichever comes later. VMware recommends using tanzu service class and tanzu service claimable commands in place of tanzu service type and tanzu service instance from now on.

Breaking changes

This release has the following breaking changes, listed by area and component.

Application Accelerator

  • App Accelerator now ships with Open Rewrite 7.24.0 (up from 7.21.x in TAP 1.1). As a consequence, some configuration properties of the OpenRewriteRecipe transform may need to be revised, for example when using the ChangePackage recipe.

Supply Chain Security Tools - Scan

  • You must configure integration with Supply Chain Security Tools - Store for the Grype Scanner and Snyk Scanner packages to enable this feature. The configuration for Supply Chain Security Tools - Store in Supply Chain Security Tools - Scan is only for the deprecated Grype Scanner ScanTemplates.
  • For the profile configuration of Supply Chain Security Tools - Scan, the scanning component no longer takes the metadata store configurations as of v1.2.0.

    Note: This doesn’t apply if you are using the deprecated Grype Scanner ScanTemplates prior to Grype Scanner v1.2.0.

    • The package name changed from package policies to package main.
    • The deny rule changed from the boolean isCompliant to the array of strings deny[msg].
    • The sample ScanPolicy is different if you’re using Grype Scanner with a CycloneDX structure or Snyk Scanner with a SPDX JSON structure. See Install Snyk Scanner for an example of a Scan Policy.
    • See Enforce compliance policy using Open Policy Agent for an example of the current ScanPolicy format for v1.2.0 and later.

Tanzu Build Service

Note: If your Tanzu Application Platform v1.1 installation is configured with enable_automatic_updates: false, you can ignore this breaking change.

  • When upgrading Tanzu Application Platform to v1.2, Tanzu Build Service image resources automatically run a build that fails due to a missing dependency. This error does not persist and subsequent builds automatically resolve this error. Users can safely wait for the next build of their workloads, which is triggered by source code changes. To manually re-run builds, follow the instructions in the troubleshooting item Builds fail after upgrading to Tanzu Application Platform v1.2.

Grype Scanner

  • Provide information to integrate with the Supply Chain Security Tools - Store in the tap-values.yaml file for the Grype Scanner v1.2 and later.

Resolved issues

The following issues, listed by area and component, are resolved in this release.

Application Accelerator

  • Limit server logging to startup and generate zip requests.
  • Update engine to use Spring Boot v2.7.0.

Supply Chain Security Tools - Scan

  • Go updated to v1.18.2.
  • Open Policy Agent updated to v0.40.0.

Grype Scanner

  • ncurses updated to v6.1-5.ph3.

Tanzu CLI - Apps plug-in

  • Updated output for list when there are no workloads. It now shows a more user-friendly message No workloads found.
  • Fixed error messaging for empty kubeconfig and invalid kube context.
  • Fixed incorrect error message for workload create when the user did not have enough permissions to create a workload.
  • Removing namespace from --service-ref is not ignored.
  • Fixed the Windows error x509: certificate signed by unknown authority by upgrading to imgpkg v0.29.0. The new version supports loading Windows root CA certificates.

Services Toolkit

  • ResourceClaims no longer mutate service resources with an annotation to mark a claimed resource.
  • ResourceClaims no longer require the update permission when adding new service resources to Tanzu Application Platform.

Service Bindings

  • Added a new ClusterRole service-binding-provisioned-services with label selector servicebinding.io/controller: "true" for get, list, and watch, which fixes the issue where Service Binding controller was aggregating non-provisioned service RBAC to the controller manager.

Spring Boot Conventions

  • No environment variables are added if conventions are not applied. Fixes the issue where JAVA_TOOL_OPTS was added to non-JAVA apps.
  • Controller does not error out if no image metadata is present. Fixes the edge case when the image metadata is missing.

Tanzu Application Platform GUI

  • Supply Chain plug-in:

    • Details for ConfigMap CRD now appear as expected: The error Unable to retrieve conditions for ConfigMap... no longer appears in the details section after clicking on the ConfigMap stage in the graph view of a supply chain.
    • Scan results now appear as expected: Current CVEs found during Image or Source scanning now appear as expected.

Known issues

This release has the following known issues, listed by area and component.

Tanzu Application Platform

  • Failure to connect to AWS EKS clusters: When connecting to AWS EKS clusters, an error might appear with the text Error: Unable to connect: connection refused. Confirm kubeconfig details and try again or invalid apiVersion "client.authentication.k8s.io/v1alpha1". To prevent this, see Failure to connect to AWS EKS clusters.

  • Failure to add Tanzu Application Platform repo: Unable to add Tanzu Application Platform repo into clusters attached to Tanzu Mission Control with pre-installed Cluster Essentials v1.2. For the solution, see Troubleshoot installing Tanzu Application Platform.

Application Live View

  • Application Live View with custom CA does not support air-gapped installation.

Application Single Sign-On

  • Application Single Sign-On with custom CA does not support air-gapped installation.

Convention Service

  • Issue: If the self-signed certificate authority (CA) for a registry is provided through convention-controller.ca_cert_data, it is not successfully propagated to the convention service. For the solution, see Troubleshoot Convention Service.

Functions (beta)

  • When using Live Update, hot reload of your function on your cluster might not display changes made to your function. To manually push changes to the cluster, run the tilt up command.

Supply Chain Security Tools - Scan

  • Blob Source Scan is reporting wrong source URL: When running a Source Scan of a blob compressed file, it looks for a .git directory present in the files to extract information that is useful for the report sent to the Supply Chain Security Tools - Store deployment. This problem happens when you use Grype Scanner ScanTemplates earlier than version v1.2.0 because the Scan Controller has a deprecated path to support previous ScanTemplates. This will be removed by Supply Chain Security Tools - Scan v1.3.0. For the solution, see Observability and troubleshooting.

Grype scanner

  • Scanning Java source code that uses Gradle package manager may not reveal vulnerabilities:
    • For most languages, Source Code Scanning only scans files present in the source code repository. Except for support added for Java projects using Maven, no network calls are made to fetch dependencies. For languages using dependency lock files, such as Golang and Node.js, Grype uses the lock files to check the dependencies for vulnerabilities.
    • For Java using Gradle, dependency lock files are not guaranteed, so Grype uses the dependencies present in the built binaries (.jar or .war files) instead.
    • Because VMware does not encourage committing binaries to source code repositories, Grype fails to find vulnerabilities during a Source Scan. The vulnerabilities are still found during the Image Scan after the binaries are built and packaged as images.
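
The Gradle blind spot described above can be checked before relying on a source scan result. The following is an added example, not part of the original release notes or of Grype: it walks a checked-out repository and lists Gradle projects that contain no .jar or .war file for a source scan to inspect. The function names, the sample tree, and the decision to ignore the committed Gradle wrapper JAR are assumptions of this example.

```python
import os
import tempfile

GRADLE_BUILD_FILES = {"build.gradle", "build.gradle.kts"}
BINARY_SUFFIXES = (".jar", ".war")
# The Gradle wrapper JAR is routinely committed but holds no application dependencies.
IGNORED_BINARIES = {"gradle-wrapper.jar"}
SKIP_DIRS = {".git", ".gradle"}


def _is_under(parent, child):
    """True if relative path `child` is `parent` or lies beneath it."""
    return parent == "." or child == parent or child.startswith(parent + os.sep)


def gradle_source_scan_gaps(repo_root):
    """Return Gradle project dirs (relative paths) with no .jar/.war beneath them."""
    gradle_dirs, binary_dirs = [], []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        rel = os.path.relpath(dirpath, repo_root)
        if GRADLE_BUILD_FILES.intersection(filenames):
            gradle_dirs.append(rel)
        if any(f.lower().endswith(BINARY_SUFFIXES) and f not in IGNORED_BINARIES
               for f in filenames):
            binary_dirs.append(rel)
    return sorted(g for g in gradle_dirs
                  if not any(_is_under(g, b) for b in binary_dirs))


def build_sample_repo(root):
    """Constructed sample tree: three services with different build setups."""
    files = [
        "svc-a/build.gradle",                        # Gradle, only the wrapper JAR
        "svc-a/gradle/wrapper/gradle-wrapper.jar",
        "svc-a/src/main/java/App.java",
        "svc-b/build.gradle.kts",                    # Gradle with a committed JAR
        "svc-b/libs/vendor-lib.jar",
        "svc-c/pom.xml",                             # Maven, outside this check
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def demo():
    """Run the check against the constructed sample tree."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repo(root)
        return gradle_source_scan_gaps(root)


if __name__ == "__main__":
    for project in demo():
        print(f"{project}: source scan has no binaries to inspect; rely on the image scan")
```

A project listed by this check should be treated as unscanned at the source stage, so a clean source scan result for it says nothing about its dependencies.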

Tanzu Application Platform GUI

  • Supply Chain plug-in:
    • Delivery section of the supply chain graph might show deliverables that do not pertain to the selected workload. This occurs if there is more than one Build cluster per namespace.
    • For Deliverables to show up for a Workload, they must have the following labels in both resources: carto.run/workload-name, app.kubernetes.io/part-of, carto.run/supply-chain-name.
    • ConfigMap has no conditions and as a result its status is Unknown.
    • ConfigWriter shows an error but no error details are displayed.
    • You might receive an error: TypeError: Cannot read properties of undefined (reading 'data') when viewing a workload in a supply chain. Use the CLI tools instead to view the status of the workload in the supply chain.

VS Code Extension

  • When debugging an application with service bindings, debug sessions might prematurely end on the first run only. This is because of services being late-bound.

  • The workload panel only supports the default kubeconfig file usually located at ~/.kube/config.

IntelliJ Extension

  • When debugging an application with service bindings, debug sessions might prematurely end on the first run only. This is because of services being late-bound.

Supply Chain Security Tools - Store

  • Querying by insight source returns zero CVEs even though there are CVEs in the source scan: When attempting to look up CVE and affected packages, querying insight source get (or other insight source commands) may return zero results due to supply chain configuration and repo URL. See Troubleshoot Supply Chain Security Tools - Store.