This topic contains release notes for Tanzu Application Platform v1.4.
Release Date: January 10, 2023
AuthServer by using a ProvisionedService-style API. For more information, see Storage.default_authserver_clusterissuer that inherits the shared.ingress_issuer value from Tanzu Application Platform if not set. For more information, see IssuerURI and TLS.AuthServer.spec.tls.deactivated to deprecate AuthServer.spec.tls.disabled.AuthServer.spec.tokenSignatures is now a required field.AuthServer.spec.caCerts.AuthServer creation when an LDAP identity provider is defined.identityProviders.ldap.url in AuthServer.spec.identityProviders.ldap.group.search.identityProviders.ldap.group is now optional in AuthServer.spec.HTTP Requests and Request Mappings for Steeltoe workloads.appliveview_connnector.backend.sslDeactivated to deprecate appliveview_connnector.backend.sslDisabled..app_config.gitProviders.active in tap-values.yaml was added to deactivate optional Git repository creation in the VS Code extension during project creation.types, which allows for 1-N number of repeating sets of options in an accelerator’s form during project creation.generate-from-local command to the Application Accelerator plug-in for the Tanzu CLI to generate projects from local assets without needing to commit code.accelerator.yaml:
fragment create now supports --local-path and --source-image.fragment update now supports --source-image.cert-manager.tap.tanzu.vmware.com can optionally install self-signed ClusterIssuers.ClassClaim API that allows claims for service instances to be created by referring to a ClusterInstanceClass. For more information, see When to use ClassClaim vs ResourceClaim and Introducing different service implementations in different environments.tanzu services class-claims CLI plug-in command.spec.source.git.url is added to the Overview section of the Source Provider stage in the supply chain.Show Unique CVEs filter so that the scan results show one CVE per ID as opposed to each CVE per package. This allows better alignment between the data in the Supply Chain Choreographer plug-in and the Security Analysis plug-in.tap-values.yml for both Grype and Snyk scanners.See code updates running on-cluster in seconds: By using Live Update facilitated by Tilt, deploy your workload once, save changes to the code, and then in seconds see those changes reflected in the workload running on the cluster. All Live Update output is filtered to its own output pane window within Visual Studio.
Debug workloads directly on the cluster: Debug your application in a production-like environment by debugging on your Kubernetes cluster that has Tanzu Application Platform. An environment’s similarity to production relies on keeping dependencies updated, among other variables.
apply and delete actions were added to IntelliJ.workload.yaml and catalog-info.yaml files were added to IntelliJ.--update-strategy flag to allow you to change tanzu apps workload apply behavior when contents from file are applied. See How-to-guides section for use and examples.--file flag.tanzu apps workload get command. Example output is found in tanzu apps workload get command description.-a for --app, -e for --env, -i for --image, -l for label, -p for --param, and -t for --type. For more information, see Tanzu apps workload apply.tanzu apps workload create/apply/delete commands.--no-color flag is set.tanzu apps workload get command’s overview section.--no-color flag is passed.This release has the following breaking changes, listed by area and component.
AuthServer.spec.identityProvider.ldap.group.search{Filter,Base,Depth,SubTree} and introduced ldap.group.search: {}.
ldap.group is defined and ldap.group.search is not defined, the LDAP is considered an ActiveDirectory style LDAP and groups are loaded from the user’s memberOf attribute.ldap.group and ldap.group.search are both defined, the LDAP is considered a Classic LDAP and group search is done by searching in the ldap.group.search.base.AuthServer.spec.identityProviders.ldap.server field.AuthServer.status.deployments.authServer.lastParentGenerationWithRestart field.AuthServer.spec.issuerURI. For more information, see IssuerURI and TLS.<workload-name> to <workload-name>-deliverable. Any automation depending on obtaining the Deliverable content by the former name must be updated to use the new name. For more information, see Multicluster Tanzu Application Platform overview.Tanzu Debug no longer port forwards the application port (8080).Ingress URL: As mentioned in the new features section, Tanzu Application Platform GUI participates in the shared ingress issuer feature. You might need to change your scheme from http to https. For more information, see Troubleshooting.
Communication with Supply Chain Security Tools - Store: In previous versions of Tanzu Application Platform, you configured Tanzu Application Platform GUI to use the read-only access token to communicate with Supply Chain Security Tools - Store.
In v1.4, you must use the read-write access token to use new features in the Security Analysis GUI plug-in. If upgrading from v1.3, update your Tanzu Application Platform GUI configuration accordingly. See the updated instructions in Enable CVE scan results.
ClusterImagePolicy. To continue to use keyless authorities, provide the value policy.tuf_enabled: true by using the tap-values.yaml file while upgrading. By default, the public Sigstore The Update Framework (TUF) server is used. To target an alternative Sigstore stack, specify policy.tuf_mirror and policy.tuf_root.This release has the following security fixes, listed by area and component.
python is updated to 3.7.5-22.ph3.The following is a list of vulnerabilities remediated with this release:
CVE-2022-4378 is a high severity, exploitable stack overflow flaw found in the Linux kernel’s SYSCTL subsystem. At this time, there is no available patch from Canonical in their upstream Ubuntu distribution. Once there is a patch available for the 22.04 release line, Tanzu Application Platform will release a patched base stack image. The current status for patching this vulnerability in the Jammy stack is available on Ubuntu’s security page.
It is important for customers to understand CVE-2022-4378 is a kernel exploit, and the kernel runs on the customers’ container host VM, not the Tanzu Application Platform container image. Even with a patched image, the vulnerability will not be mitigated until customers deploy their containers on a host with a patched OS. An unpatched host OS may be exploitable if the base image is deployed allowing users to modify SYSCTL parameters.
RedHat has published a potential mitigation preventing regular users from accessing sysctl files and increasing privileges until a patch becomes available.
The following issues, listed by area and component, are resolved in this release.
API Descriptor. This triggers reconciliation into the Tanzu Application Platform GUI catalog. This synchronization period or frequency is configurable through the new value sync_period. The default value is 5 minutes.AuthServer configured with a single OIDC or SAML identity provider.AuthServer no longer attempts to configure Redis event listeners.SecurityContextConstraint resource is created for Kubernetes platforms versions 1.23.x and lower.Fixed deliverable content written into ConfigMaps in multicluster setup:
config-template.For more information, see Multicluster Tanzu Application Platform overview.
tanzu apps workload tail command output, which was displaying extra init container log lines.tanzu apps workload tail command not including all logs.Immediate entity provider back-end plug-in
5Mb to accept larger API specifications.409 Conflict error is returned.Unable to retrieve details from Image Provider Stage when the Builder is not available or configured. It now correctly shows the same error as the CLI, Builder default is not ready.This release has the following known issues, listed by area and component.
certificateNotReady if workload name, namespace, and domain are more than 64 bytes. See Cloud Native Runtimes Troubleshooting.If a workload is deployed onto a namespace by using Live Update, you must set that namespace as the namespace of the current context of your kubeconfig file. Otherwise, if you run Tanzu Debug, it causes the workload to re-deploy. For more information, see Troubleshooting.
On macOS, Tanzu Panel might be empty when using a GKE cluster. For more information, see Troubleshooting.
The Describe action in the pop-up menu in the Activity panel can fail when used on PodIntent resources. For more information, see Troubleshooting.
The Tanzu panel might show workloads without showing Kubernetes resources in the center panel of the activity pane. For more information, see Troubleshooting.
The Details table and Messages pane in the activity panel can show stale data because these views only refresh when the selection in the Resource tree is changed. As a workaround, make the views refresh by clicking somewhere in the Resource tree to change the current selection.
The Tanzu: Delete Workload command can fail with the extension erroneously reporting that the workload isn’t running. For more information, see Troubleshooting.
The Tanzu: Start Live Update command can fail because the specified path was not found. For more information, see Troubleshooting.
Could not find the task 'tanzuManagement: Kill Port Forward fortune-service'. You might see this error message if an app was deployed with a previous version of the Visual Studio Code extension. For more information, see Troubleshooting.Scanning Java source code that uses Gradle package manager might not reveal vulnerabilities:
For most languages, Source Code Scanning only scans files present in the source code repository. Except for support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Golang and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.
For Java using Gradle, dependency lock files are not guaranteed, so Grype uses dependencies present in the built binaries, such as .jar or .war files.
Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.
Terminating state indefinitely under certain conditions. For causes and solution, see Unable to delete namespace.grype package values, will cause the provisioner Carvel app to crash due to ownership issues. This is because it’s trying to install Grype in a namespace where it’s already been installed.Generation field and scan policy link in the Overview section does not update when you amend a scan policy. The correct version and details of the policy are shown in the CLI.Source Tester stage in an Out Of the Box supply chain does not show details in the Stage Details section.The following features, listed by component, are deprecated. Deprecated features will remain on this list until they are retired from Tanzu Application Platform.
AuthServer.spec.tls.disabled is deprecated and marked for removal in the next release. For more information about how to migrate to AuthServer.spec.tls.deactivated, see Migration guides.appliveview_connnector.backend.sslDisabled is deprecated and marked for removal in Tanzu Application Platform 1.7.0. For more information on the migration, see Deprecate the sslDisabled key.tanzu services claims CLI plug-in command is now deprecated. It is hidden from help text output, but continues to work until officially removed after the deprecation period. The new tanzu services resource-claims command provides the same functionality.docker field and related sub-fields used in Supply Chain Security Tools - Scan are deprecated and marked for removal in Tanzu Application Platform 1.7.0.--update-strategy flag will change from merge to replace in Tanzu Application Platform v1.7.0.tanzu apps workload update command is deprecated and marked for removal in Tanzu Application Platform 1.5.0. Use tanzu apps workload apply instead.