This topic contains release notes for Tanzu Application Platform v1.4.
Release Date: January 10, 2023
This release includes the following new features, listed by area and component.
- AuthServer by using a ProvisionedService-style API. For more information, see Storage.
- default_authserver_clusterissuer, which inherits the shared.ingress_issuer value from Tanzu Application Platform if not set. For more information, see IssuerURI and TLS.
- AuthServer.spec.tls.deactivated, which deprecates AuthServer.spec.tls.disabled.
- AuthServer.spec.tokenSignatures is now a required field.
- AuthServer.spec.caCerts.
- AuthServer creation when an LDAP identity provider is defined.
- identityProviders.ldap.url in AuthServer.spec.
- identityProviders.ldap.group.search.
- identityProviders.ldap.group is now optional in AuthServer.spec.
- HTTP Requests and Request Mappings for Steeltoe workloads.
- appliveview_connnector.backend.sslDeactivated, which deprecates appliveview_connnector.backend.sslDisabled.
- app_config.gitProviders.active in tap-values.yaml was added to deactivate optional Git repository creation in the VS Code extension during project creation.
- types, which allows for 1-N repeating sets of options in an accelerator's form during project creation.
- generate-from-local command in the Application Accelerator plug-in for the Tanzu CLI, to generate projects from local assets without needing to commit code.
- accelerator.yaml:
  - fragment create now supports --local-path and --source-image.
  - fragment update now supports --source-image.
- cert-manager.tap.tanzu.vmware.com can optionally install self-signed ClusterIssuers.
- ClassClaim API, which allows claims for service instances to be created by referring to a ClusterInstanceClass. For more information, see When to use ClassClaim vs ResourceClaim and Introducing different service implementations in different environments.
- tanzu services class-claims CLI plug-in command.
- spec.source.git.url is added to the Overview section of the Source Provider stage in the supply chain.
- Show Unique CVEs filter, so that the scan results show one CVE per ID instead of one entry per affected package. This allows better alignment between the data in the Supply Chain Choreographer plug-in and the Security Analysis plug-in.
- tap-values.yml for both Grype and Snyk scanners.
- See code updates running on-cluster in seconds: By using Live Update facilitated by Tilt, deploy your workload once, save changes to the code, and then in seconds see those changes reflected in the workload running on the cluster. All Live Update output is filtered to its own output pane window within Visual Studio.
- Debug workloads directly on the cluster: Debug your application in a production-like environment by debugging on your Kubernetes cluster that has Tanzu Application Platform. An environment's similarity to production relies on keeping dependencies updated, among other variables.
- apply and delete actions were added to IntelliJ.
- workload.yaml and catalog-info.yaml files were added to IntelliJ.
- --update-strategy flag, to change tanzu apps workload apply behavior when contents from a file are applied. See the How-to guides section for use and examples.
- --file flag.
- tanzu apps workload get command. Example output is in the tanzu apps workload get command description.
- -a for --app, -e for --env, -i for --image, -l for label, -p for --param, and -t for --type. For more information, see Tanzu apps workload apply.
- tanzu apps workload create/apply/delete commands.
- --no-color flag is set.
- tanzu apps workload get command's overview section.
- --no-color flag is passed.
This release has the following breaking changes, listed by area and component.
- AuthServer.spec.identityProvider.ldap.group.search{Filter,Base,Depth,SubTree} and introduced ldap.group.search: {}.
  - If ldap.group is defined and ldap.group.search is not defined, the LDAP is considered an ActiveDirectory-style LDAP and groups are loaded from the user's memberOf attribute.
  - If ldap.group and ldap.group.search are both defined, the LDAP is considered a Classic LDAP and group search is done by searching in ldap.group.search.base.
- AuthServer.spec.identityProviders.ldap.server field.
- AuthServer.status.deployments.authServer.lastParentGenerationWithRestart field.
- AuthServer.spec.issuerURI. For more information, see IssuerURI and TLS.
- <workload-name> to <workload-name>-deliverable. Any automation that obtains the Deliverable content by the former name must be updated to use the new name. For more information, see Multicluster Tanzu Application Platform overview.
- Tanzu Debug no longer port forwards the application port (8080).
- Ingress URL: As mentioned in the new features section, Tanzu Application Platform GUI participates in the shared ingress issuer feature. You might need to change your scheme from http to https. For more information, see Troubleshooting.
- Communication with Supply Chain Security Tools - Store: In previous versions of Tanzu Application Platform, you configured Tanzu Application Platform GUI to use the read-only access token to communicate with Supply Chain Security Tools - Store. In v1.4, you must use the read-write access token to use new features in the Security Analysis GUI plug-in. If upgrading from v1.3, update your Tanzu Application Platform GUI configuration accordingly. See the updated instructions in Enable CVE scan results.
- ClusterImagePolicy. To continue to use keyless authorities, provide the value policy.tuf_enabled: true in the tap-values.yaml file while upgrading. By default, the public Sigstore The Update Framework (TUF) server is used. To target an alternative Sigstore stack, specify policy.tuf_mirror and policy.tuf_root.
This release has the following security fixes, listed by area and component.
- python is updated to 3.7.5-22.ph3.
The following is a list of vulnerabilities remediated with this release:
- CVE-2022-4378 is a high severity, exploitable stack overflow flaw in the Linux kernel's SYSCTL subsystem. At this time, there is no patch available from Canonical in their upstream Ubuntu distribution. Once a patch is available for the 22.04 release line, Tanzu Application Platform will release a patched base stack image. The current status for patching this vulnerability in the Jammy stack is available on Ubuntu's security page.
It is important for customers to understand that CVE-2022-4378 is a kernel vulnerability, and the kernel runs on the customer's container host VM, not in the Tanzu Application Platform container image. Even with a patched image, the vulnerability is not mitigated until customers deploy their containers on a host with a patched OS. An unpatched host OS may be exploitable if the base image is deployed in a way that allows users to modify SYSCTL parameters.
Red Hat has published a potential mitigation that prevents regular users from accessing sysctl files and elevating privileges until a patch becomes available.
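The mitigation referenced above restricts what regular users can do to sysctl files on the container host. The following POSIX shell audit is an added example (not from the release notes, VMware, or Red Hat) that checks a sysctl tree for files writable by non-root users, so a platform team can verify that restriction on each host. It assumes a Linux host with find(1) and uses only permission bits; it does not check the kernel version, because the page names no fixed version. Run with --demo to see it on a constructed sample tree, or pass /proc/sys to audit the real one.

```sh
#!/bin/sh
# Added example: audit a sysctl file tree for entries that users other than
# root could write to. Assumes a Linux host; checks permission bits only.

# List regular files under the root in $1 that are writable by "others"
# (world-writable). Prints one path per line, nothing if none are found.
world_writable_files() {
  find "$1" -type f -perm -002 2>/dev/null
}

# Same check for group-writable files.
group_writable_files() {
  find "$1" -type f -perm -020 2>/dev/null
}

# Number of world-writable files under the root; always prints a number.
world_writable_count() {
  world_writable_files "$1" | grep -c . || true
}

# Human-readable report. Returns 1 when any world-writable file exists so the
# function can gate a host-readiness step in automation.
audit_sysctl_tree() {
  root=${1:-/proc/sys}
  echo "kernel: $(uname -r)"
  echo "root:   $root"
  n=$(world_writable_count "$root")
  if [ "$n" -eq 0 ]; then
    echo "ok: no world-writable sysctl files under $root"
    return 0
  fi
  echo "warn: $n world-writable sysctl file(s) under $root:"
  world_writable_files "$root" | sed 's/^/  /'
  return 1
}

# Constructed sample tree standing in for two sysctl entries: one that a
# regular user could write to and one restricted to its owner.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/kernel"
  : > "$d/kernel/constructed_open"
  : > "$d/kernel/constructed_locked"
  chmod 0666 "$d/kernel/constructed_open"
  chmod 0644 "$d/kernel/constructed_locked"
  echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
  sample=$(make_sample_tree)
  audit_sysctl_tree "$sample" || true
  rm -rf "$sample"
fi
```

A clean host prints the "ok" line and exits 0; a host where a sysctl entry is writable by others prints the offending paths and exits 1, which is the condition the mitigation is meant to remove.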
The following issues, listed by area and component, are resolved in this release.
- API Descriptor. This triggers reconciliation into the Tanzu Application Platform GUI catalog. The synchronization period is configurable through the new value sync_period. The default value is 5 minutes.
- AuthServer configured with a single OIDC or SAML identity provider.
- AuthServer no longer attempts to configure Redis event listeners.
- SecurityContextConstraint resource is created for Kubernetes platform versions 1.23.x and lower.
- Fixed Deliverable content written into ConfigMaps in a multicluster setup: config-template. For more information, see Multicluster Tanzu Application Platform overview.
- tanzu apps workload tail command output, which was displaying extra init container log lines.
- tanzu apps workload tail command not including all logs.
- Immediate entity provider back-end plug-in.
- 5Mb to accept larger API specifications.
- 409 Conflict error is returned.
- Unable to retrieve details from Image Provider Stage when the Builder is not available or configured. It now correctly shows the same error as the CLI: Builder default is not ready.
This release has the following known issues, listed by area and component.
- certificateNotReady if the workload name, namespace, and domain are more than 64 bytes. See Cloud Native Runtimes Troubleshooting.
- If a workload is deployed onto a namespace by using Live Update, you must set that namespace as the namespace of the current context of your kubeconfig file. Otherwise, if you run Tanzu Debug, it causes the workload to re-deploy. For more information, see Troubleshooting.
- On macOS, Tanzu Panel might be empty when using a GKE cluster. For more information, see Troubleshooting.
- The Describe action in the pop-up menu in the Activity panel can fail when used on PodIntent resources. For more information, see Troubleshooting.
- The Tanzu panel might show workloads without showing Kubernetes resources in the center panel of the activity pane. For more information, see Troubleshooting.
- The Details table and Messages pane in the activity panel can show stale data because these views only refresh when the selection in the Resource tree changes. As a workaround, click somewhere in the Resource tree to change the current selection and refresh the views.
- The Tanzu: Delete Workload command can fail with the extension erroneously reporting that the workload isn't running. For more information, see Troubleshooting.
- The Tanzu: Start Live Update command can fail because the specified path was not found. For more information, see Troubleshooting.
- Could not find the task 'tanzuManagement: Kill Port Forward fortune-service'. You might see this error message if an app was deployed with a previous version of the Visual Studio Code extension. For more information, see Troubleshooting.
- Scanning Java source code that uses the Gradle package manager might not reveal vulnerabilities: For most languages, Source Code Scanning only scans files present in the source code repository. Except for the support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Golang and Node.js, Grype uses the lock files to check dependencies for vulnerabilities. For Java using Gradle, dependency lock files are not guaranteed, so Grype uses the dependencies present in the built binaries, such as .jar or .war files. Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.
- Terminating state indefinitely under certain conditions. For causes and solution, see Unable to delete namespace.
- grype package values will cause the provisioner Carvel app to crash due to ownership issues, because it tries to install Grype in a namespace where Grype is already installed.
- Generation field and scan policy link in the Overview section do not update when you amend a scan policy. The correct version and details of the policy are shown in the CLI.
- Source Tester stage in an Out of the Box supply chain does not show details in the Stage Details section.
The following features, listed by component, are deprecated. Deprecated features remain on this list until they are retired from Tanzu Application Platform.
- AuthServer.spec.tls.disabled is deprecated and marked for removal in the next release. For more information about how to migrate to AuthServer.spec.tls.deactivated, see Migration guides.
- appliveview_connnector.backend.sslDisabled is deprecated and marked for removal in Tanzu Application Platform 1.7.0. For more information on the migration, see Deprecate the sslDisabled key.
- tanzu services claims CLI plug-in command is now deprecated. It is hidden from help text output, but continues to work until officially removed after the deprecation period. The new tanzu services resource-claims command provides the same functionality.
- docker field and related sub-fields used in Supply Chain Security Tools - Scan are deprecated and marked for removal in Tanzu Application Platform 1.7.0.
- --update-strategy flag will change from merge to replace in Tanzu Application Platform v1.7.0.
- tanzu apps workload update command is deprecated and marked for removal in Tanzu Application Platform 1.5.0. Use tanzu apps workload apply instead.
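The breaking changes and deprecations above are the kind of thing that is easy to miss in a values file or a manifest until an upgrade fails. The following POSIX shell script is an added example (not from the release notes or from VMware) of a pre-upgrade lint that screens a tap-values.yaml body and an AuthServer manifest for the keys this page names: the deprecated appliveview_connnector.backend.sslDisabled and AuthServer.spec.tls.disabled, the removed AuthServer.spec.issuerURI, identityProviders.ldap.server and ldap.group.search{Filter,Base,Depth,SubTree}, the now-required AuthServer.spec.tokenSignatures, and policy.tuf_enabled for keyless ClusterImagePolicy authorities. It also reports the LDAP group mode under the rule given in the breaking changes (group without search is ActiveDirectory-style, group with search is Classic). Matching is line-based on key names, not a YAML parse; the sample manifests, the apiVersion, the .invalid hostnames and the shape of the tokenSignatures value are all constructed for illustration and are not taken from the product.

```sh
#!/bin/sh
# Added example: pre-upgrade lint for the v1.4 breaking changes and
# deprecations listed on this page. Line-based key matching only.

# Constructed sample tap-values.yaml: still uses the deprecated Application
# Live View key and does not set policy.tuf_enabled.
SAMPLE_TAP_VALUES='shared:
  ingress_issuer: tap-ingress-selfsigned
appliveview_connnector:
  backend:
    sslDisabled: true
policy:
  tuf_mirror: https://tuf.example.invalid
'

# Constructed pre-1.4 AuthServer manifest (apiVersion assumed for illustration).
SAMPLE_AUTHSERVER_OLD='apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: AuthServer
metadata:
  name: sample
spec:
  issuerURI: https://sso.example.invalid
  tls:
    disabled: true
  identityProviders:
    - name: corp-ldap
      ldap:
        server: ldap://ldap.example.invalid
        group:
          searchFilter: (member={0})
'

# Constructed manifest moved to the 1.4 fields named on this page.
SAMPLE_AUTHSERVER_NEW='apiVersion: sso.apps.tanzu.vmware.com/v1alpha1
kind: AuthServer
metadata:
  name: sample
spec:
  tokenSignatures: {}   # value shape is not shown on this page; placeholder
  tls:
    deactivated: true
  identityProviders:
    - name: corp-ldap
      ldap:
        url: ldap://ldap.example.invalid
        group:
          search: {}
'

# True if the body in $1 has a line whose key matches the regex in $2.
has_key() {
  printf '%s\n' "$1" | grep -qE "^ *(- )?$2:"
}

# One finding per line for a tap-values.yaml body.
lint_tap_values() {
  v=$1
  has_key "$v" 'sslDisabled' &&
    echo 'DEPRECATED appliveview_connnector.backend.sslDisabled: use sslDeactivated (removal planned for 1.7.0)'
  printf '%s\n' "$v" | grep -qE '^ *tuf_enabled: *true' ||
    echo 'CHECK policy.tuf_enabled is not true: keyless ClusterImagePolicy authorities stop working after upgrade'
  return 0
}

# One finding per line for an AuthServer manifest.
lint_authserver() {
  m=$1
  has_key "$m" 'issuerURI' &&
    echo 'REMOVED spec.issuerURI'
  has_key "$m" 'disabled' &&
    echo 'DEPRECATED spec.tls.disabled: use spec.tls.deactivated'
  has_key "$m" 'server' &&
    echo 'REMOVED identityProviders.ldap.server (identityProviders.ldap.url was added in 1.4)'
  has_key "$m" 'search(Filter|Base|Depth|SubTree)' &&
    echo 'REMOVED ldap.group.search{Filter,Base,Depth,SubTree}: use ldap.group.search: {...}'
  has_key "$m" 'tokenSignatures' ||
    echo 'REQUIRED spec.tokenSignatures is missing'
  return 0
}

# LDAP group mode per the rule on this page: group defined but search not
# defined -> activedirectory (memberOf); both defined -> classic; else none.
ldap_group_mode() {
  m=$1
  if ! has_key "$m" 'group'; then echo none
  elif has_key "$m" 'search'; then echo classic
  else echo activedirectory
  fi
}

# Number of findings for a tap-values body ($1) and a manifest ($2).
count_findings() {
  { lint_tap_values "$1"; lint_authserver "$2"; } | grep -c . || true
}

if [ "${1:-}" = "--demo" ]; then
  lint_tap_values "$SAMPLE_TAP_VALUES"
  lint_authserver "$SAMPLE_AUTHSERVER_OLD"
  echo "ldap group mode after migration: $(ldap_group_mode "$SAMPLE_AUTHSERVER_NEW")"
fi
```

On the constructed pre-1.4 inputs the lint reports seven findings; on the migrated manifest it reports none and classifies the LDAP configuration as Classic because both ldap.group and ldap.group.search are present. Because the checks are plain key-name matches, a key that appears under an unrelated path is also flagged, so treat the output as a review list rather than a verdict.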