Release notes

This topic contains release notes for Tanzu Application Platform v1.4.


Release Date: January 10, 2023

Tanzu Application Platform new features

  • Shared Ingress Issuer for secure ingress communication by default. CNRs, AppSSO, and Tanzu Application Platform GUI use this issuer to secure ingress. Over future releases, VMware plans to incrementally update all Tanzu Application Platform components to support the shared ingress issuer.
  • Namespace Provisioner provides a secure, automated way for Platform Operators to provision namespaces with the resources and proper namespace-level privileges required for their workloads to function as intended.
  • Tanzu Application Platform Telemetry Reports offers the option to enroll in a usage reporting program that provides a usage summary of your Tanzu Application Platform.
  • Tanzu Developer Tools for Visual Studio is an IDE extension for Visual Studio to help you develop, providing the rapid iteration experience for .NET Core apps in Tanzu Application Platform.

New features by component and area

Application Single Sign-On (AppSSO)

  • Added ability to configure custom Redis storage for an AuthServer by using a ProvisionedService-style API. For more information, see Storage.
  • Added package field default_authserver_clusterissuer that inherits the shared.ingress_issuer value from Tanzu Application Platform if not set. For more information, see IssuerURI and TLS.
  • Added AuthServer.spec.tls.deactivated to deprecate AuthServer.spec.tls.disabled.
  • AuthServer.spec.tokenSignatures is now a required field.
  • In addition to globally trusted CA certificates, granular trust can be extended with AuthServer.spec.caCerts.
  • LDAP is now a supported identity provider protocol. For more information, see LDAP.
    • LDAP bind is validated on AuthServer creation when an LDAP identity provider is defined.
    • Introduced identityProviders.ldap.url in AuthServer.spec.
    • Introduced
    • is now optional in AuthServer.spec.

Application Live View

  • Users can now activate or deactivate the automatic configuration of Spring Boot actuators on Tanzu Application Platform and on workloads. For more information, see Configure and access Spring Boot actuators in Tanzu Application Platform.
  • Added App Live View Memory View panel in Visual Studio Code as part of Spring Boot Dashboard extension.
  • Added support for Spring Boot 3. Spring Boot 3 Native Image is not supported.
  • Added new App Live View pages HTTP Requests and Request Mappings for Steeltoe workloads.
  • Added appliveview_connnector.backend.sslDeactivated to deprecate appliveview_connnector.backend.sslDisabled.

Application Accelerator

  • Optional Git repository creation during project generation is supported in the Application Accelerator extension for VS Code.
  • Added custom types, which allows for 1-N number of repeating sets of options in an accelerator’s form during project creation.
  • Added the Loop transform to allow for transforms to be applied on list options.
  • Added generate-from-local command to the Application Accelerator plug-in for the Tanzu CLI to generate projects from local assets without needing to commit code.
  • Code completion & validation when authoring an accelerator.yaml:
  • Additional Application Accelerator plug-ins for Tanzu CLI improvements:
    • fragment create now supports --local-path and --source-image.
    • fragment update now supports --source-image.
  • Application Accelerator Samples:


  • can optionally install self-signed ClusterIssuers.


  • Upgraded Knative Eventing from v1.6 to v1.8.
  • Added a Kubernetes tracing attribute to ApiServerSource.
  • The ApiServerSource is a Knative Eventing Kubernetes custom resource that listens for events emitted by the Kubernetes API server. For example, pod creation, deployment updates, and so on. It then forwards them as CloudEvents to a sink.

External Secrets Operator (alpha)

  • The External Secrets Operator is a Kubernetes operator that integrates with external secret management systems. With this release, Tanzu Application Platform repackages this open source Kubernetes operator into a Carvel bundle that ships with Tanzu Application Platform. External Secrets Operator is currently in alpha and is intended for evaluation and test purposes only. Do not use in a production environment.

Services Toolkit

Tanzu Application Platform GUI Plug-ins

Supply Chain Choreographer Plug-in
  • Events are now emitted when resources are applied and when their output or health status changes. See Events reference.
  • Source Tester stage now includes a link to the Jenkins job when Jenkins is configured for use in the supply chain.
  • spec.source.git.url is added to the Overview section of the Source Provider stage in the supply chain.
  • Added support to include current and historical Kaniko build logs in the Stage Details section of the supply chain when Kaniko is used as the build service in the Image Provider stage.
  • Scanning stages now include a Show Unique CVEs filter so that the scan results show one CVE per ID as opposed to each CVE per package. This allows better alignment between the data in the Supply Chain Choreographer plug-in and the Security Analysis plug-in.
Security Analysis Plug-in
  • Understand the total number of affected packages and vulnerabilities on the Security Analysis Dashboard: The Vulnerabilities by Severity widget and the Workload Build Vulnerabilities table have updated logic to count all CVEs and packages, providing a better idea of the discrete, affected packages. Previously, the logic counted unique CVEs, even if a particular CVE affected multiple packages.
  • Quickly identify all affected workloads for a specific CVE, package, or dependency: The CVE and Package details pages include a new table that shows all affected workloads for a specific CVE or package. You access the CVE and Package details page on the source or image scan stage in the Supply Chain Choreographer Plug-in.

Supply Chain Security Tools - Scan

  • Users no longer need to create a package overlay to enable Grype in offline and air-gapped environments. See Using Grype in offline and air-gapped environments.
  • Increased compatibility with customers’ existing environments by supporting custom certificate authorities (CAs) by using the tap-values.yml for both Grype and Snyk scanners.
  • Alpha release of Prisma Scanner integration. See Install Prisma Scanner.

Supply Chain Security Tools - Policy

Tanzu Developer Tools for Visual Studio Code

  • The developer sandbox enables developers to Live Update their code, and simultaneously debug the updated code, without having to deactivate Live Update when debugging.

Tanzu Developer Tools for Visual Studio

  • See code updates running on-cluster in seconds: By using Live Update facilitated by Tilt, deploy your workload once, save changes to the code, and then in seconds see those changes reflected in the workload running on the cluster. All Live Update output is filtered to its own output pane window within Visual Studio.

  • Debug workloads directly on the cluster: Debug your application in a production-like environment by debugging on your Kubernetes cluster that has Tanzu Application Platform. An environment’s similarity to production relies on keeping dependencies updated, among other variables.

API Validation and Scoring Toolkit

  • API Validation and Scoring focuses on scanning and validating an OpenAPI specification. The API specification is generated from the API Auto Registration of Tanzu Application Platform. See API Validation and Scoring for more information.

Tanzu Developer Tools for IntelliJ

  • The developer sandbox enables developers to Live Update their code and simultaneously debug the updated code, without having to deactivate Live Update when debugging.
  • An Activity pane was added in the Tanzu Panel that allows developers to visualize the supply chain, delivery, and running application pods. It displays detailed error messages on each resource and enables developers to describe and view logs on these resources from within their IDE.
  • Tanzu workload apply and delete actions were added to ​IntelliJ.
  • Code snippets to create workload.yaml and catalog-info.yaml files were added to IntelliJ.

Apps plug-in for Tanzu CLI

  • Added --update-strategy flag to allow you to change tanzu apps workload apply behavior when contents from file are applied. See How-to-guides section for use and examples.
  • Added ability to pass URL for --file flag.
  • Show fully qualified resource name in the resources column of Supply chain and Delivery sections of the tanzu apps workload get command. Example output is found in tanzu apps workload get command description.
  • Added new shorthand flag aliases: -a for --app, -e for --env, -i for --image, -l for label, -p for --param, and -t for --type. For more information, see Tanzu apps workload apply.
  • Added emojis to tanzu apps workload create/apply/delete commands.
  • Do not print emojis when --no-color flag is set.
  • Added namespace to tanzu apps workload get command’s overview section.
  • Added progress bar to provide feedback to users when uploading source code to registry.
  • Removed color from tail command output when --no-color flag is passed.

Breaking changes

This release has the following breaking changes, listed by area and component.

Application Single Sign-On (AppSSO)

  • Removed{Filter,Base,Depth,SubTree} and introduced {}.
    • If is defined and is not defined, the LDAP is considered an ActiveDirectory style LDAP and groups are loaded from the user’s memberOf attribute.
    • If and are both defined, the LDAP is considered a Classic LDAP and group search is done by searching in the
    • There used to be a mixed mode, when both searches were attempted every time.
  • Removed AuthServer.spec.identityProviders.ldap.server field.
  • Removed AuthServer.status.deployments.authServer.lastParentGenerationWithRestart field.
  • Removed deprecated field AuthServer.spec.issuerURI. For more information, see IssuerURI and TLS.

Out of the Box Supply Chain Templates

  • In a multicluster setup, when a Deliverable is created on a Build profile cluster, the ConfigMap it is placed in is renamed from <workload-name> to <workload-name>-deliverable. Any automation depending on obtaining the Deliverable content by the former name must be updated to use the new name. For more information, see Multicluster Tanzu Application Platform overview.

Tanzu Developer Tools for IntelliJ

  • IntelliJ IDEA v2022.2 to v2022.3 is required to install the extension.

Tanzu Developer Tools for Visual Studio Code

  • Tanzu Debug no longer port forwards the application port (8080).

Tanzu Application Platform GUI

  • Ingress URL: As mentioned in the new features section, Tanzu Application Platform GUI participates in the shared ingress issuer feature. You might need to change your scheme from http to https. For more information, see Troubleshooting.

  • Communication with Supply Chain Security Tools - Store: In previous versions of Tanzu Application Platform, you configured Tanzu Application Platform GUI to use the read-only access token to communicate with Supply Chain Security Tools - Store.

    In v1.4, you must use the read-write access token to use new features in the Security Analysis GUI plug-in. If upgrading from v1.3, update your Tanzu Application Platform GUI configuration accordingly. See the updated instructions in Enable CVE scan results.

Supply Chain Security Tools - Image Policy Webhook

  • The Image Policy Webhook component is removed in Tanzu Application Platform v1.4. This component is deprecated in favor of the Policy Controller.

Supply Chain Security Tools - Policy Controller

  • Policy Controller no longer initializes TUF by default. TUF is required to support the keyless authorities in ClusterImagePolicy. To continue to use keyless authorities, provide the value policy.tuf_enabled: true by using the tap-values.yaml file while upgrading. By default, the public Sigstore The Update Framework (TUF) server is used. To target an alternative Sigstore stack, specify policy.tuf_mirror and policy.tuf_root.

Security fixes

This release has the following security fixes, listed by area and component.

Supply Chain Security Tools - Grype

  • python is updated to 3.7.5-22.ph3.

API Auto Registration

  • Base image updated to use the latest Paketo Jammy Base image.

Remediated vulnerabilities

The following is a list of vulnerabilities remediated with this release:

  • GHSA-7hfm-57qf-j43q, GHSA-crv7-7245-f45f, GHSA-mc84-pj99-q6hh, GHSA-xqfj-vm6h-2x34, CVE-2022-42003, CVE-2022-42004, GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-3mc7-4q67-w48m, GHSA-36p3-wjmg-h94x, CVE-2022-23960, CVE-2022-43945, GHSA-crp2-qrr5-8pq7, GHSA-7qw8-847f-pggm, GHSA-c3xm-pvg7-gh7r, GHSA-f524-rf33-2jjr, CVE-2022-2509, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, GHSA-4gg5-vx3j-xwc7, GHSA-g5ww-5jh7-63cx, GHSA-66x3-6cw3-v5gj, CVE-2022-3515, CVE-2022-2602, CVE-2022-41222, CVE-2022-32212, CVE-2022-35255, CVE-2021-27478, CVE-2021-27482, CVE-2021-27498, CVE-2021-27500, CVE-2019-12900, CVE-2021-28861, CVE-2021-3737, CVE-2022-0391, GHSA-4w2j-2rg4-5mjw, CVE-2022-2586, CVE-2022-2588, CVE-2022-34918, GHSA-4wf5-vphf-c2xc, CVE-2022-42916, CVE-2022-43551, CVE-2022-43552, CVE-2021-3999, GHSA-m974-647v-whv7

Note about CVE-2022-4378

  • CVE-2022-4378 is a high severity, exploitable stack overflow flaw found in the Linux kernel’s SYSCTL subsystem. At this time, there is no available patch from Canonical in their upstream Ubuntu distribution. Once there is a patch available for the 22.04 release line, Tanzu Application Platform will release a patched base stack image. The current status for patching this vulnerability in the Jammy stack is available on Ubuntu’s security page.

    It is important for customers to understand CVE-2022-4378 is a kernel exploit, and the kernel runs on the customers’ container host VM, not the Tanzu Application Platform container image. Even with a patched image, the vulnerability will not be mitigated until customers deploy their containers on a host with a patched OS. An unpatched host OS may be exploitable if the base image is deployed allowing users to modify SYSCTL parameters.

    RedHat has published a potential mitigation preventing regular users from accessing sysctl files and increasing privileges until a patch becomes available.

Resolved issues

The following issues, listed by area and component, are resolved in this release.

API Auto Registration

  • API Auto Registration periodically checks the original API specification from the defined location to find changes and registers any changes into the API Descriptor. This triggers reconciliation into the Tanzu Application Platform GUI catalog. This synchronization period or frequency is configurable through the new value sync_period. The default value is 5 minutes.

Application Single Sign-On (AppSSO)

  • Fixed infinite redirect loops for an AuthServer configured with a single OIDC or SAML identity provider.
  • Authorization Code request rejected audit event from anonymous users logging proper IP address.
  • AuthServer no longer attempts to configure Redis event listeners.
  • OpenShift: custom SecurityContextConstraint resource is created for Kubernetes platforms versions 1.23.x and lower.
  • LDAP error log now contains proper error message.

Out of the Box Supply Chain Templates

Fixed deliverable content written into ConfigMaps in multicluster setup:

  • ConfigMap is renamed to avoid conflict with config-template.
  • Labels to attribute the Deliverable content with the supply chain and template are now added to be consistent with the ordinary Delivery on a non-Build profile cluster.

For more information, see Multicluster Tanzu Application Platform overview.

Tanzu CLI Apps Plug-in

  • Fixed tanzu apps workload tail command output, which was displaying extra init container log lines.
  • Fixed tanzu apps workload tail command not including all logs.

Tanzu Application Platform GUI Plug-ins

  • Immediate entity provider back-end plug-in

    • The entity provider, used mainly by API Auto Registration, now allows a body size of 5Mb to accept larger API specifications.
    • Considering the restriction of Backstage for Entity Provider mutations, whenever an existing entity is intended for a mutation through this plug-in, and its origin is a different entity provider, a 409 Conflict error is returned.

Supply Chain Choreographer Plug-In

  • The UI no longer shows the error Unable to retrieve details from Image Provider Stage when the Builder is not available or configured. It now correctly shows the same error as the CLI, Builder default is not ready.
  • Build logs are now displayed when the Image Provider stage fails

Known issues

This release has the following known issues, listed by area and component.

API Auto Registration

Application Accelerator for Visual Studio Code

  • When using custom types, if there is a check box in the list of attributes then re-ordering the inputs doesn’t work.

Cloud Native Runtimes for VMware Tanzu

  • Knative Serving: Certain app name, namespace, and domain combinations produce invalid HTTPProxy resources. See Cloud Native Runtimes Troubleshooting.
  • Knative Serving and Cert Manager: When auto-tls is enabled, the default in Tanzu Application Platform v1.4.0, Knative services fail with certificateNotReady if workload name, namespace, and domain are more than 64 bytes. See Cloud Native Runtimes Troubleshooting.

Tanzu Developer Tools for IntelliJ

  • If a workload is deployed onto a namespace by using Live Update, you must set that namespace as the namespace of the current context of your kubeconfig file. Otherwise, if you run Tanzu Debug, it causes the workload to re-deploy. For more information, see Troubleshooting.

  • On macOS, Tanzu Panel might be empty when using a GKE cluster. For more information, see Troubleshooting.

  • The Describe action in the pop-up menu in the Activity panel can fail when used on PodIntent resources. For more information, see Troubleshooting.

  • The Tanzu panel might show workloads without showing Kubernetes resources in the center panel of the activity pane. For more information, see Troubleshooting.

  • The Details table and Messages pane in the activity panel can show stale data because these views only refresh when the selection in the Resource tree is changed. As a workaround, make the views refresh by clicking somewhere in the Resource tree to change the current selection.

Tanzu Developer Tools for Visual Studio

  • The Tanzu: Delete Workload command can fail with the extension erroneously reporting that the workload isn’t running. For more information, see Troubleshooting.

  • The Tanzu: Start Live Update command can fail because the specified path was not found. For more information, see Troubleshooting.

Tanzu Developer Tools for Visual Studio Code

  • Could not find the task 'tanzuManagement: Kill Port Forward fortune-service'. You might see this error message if an app was deployed with a previous version of the Visual Studio Code extension. For more information, see Troubleshooting.

Grype scanner

  • Scanning Java source code that uses Gradle package manager might not reveal vulnerabilities:

    For most languages, Source Code Scanning only scans files present in the source code repository. Except for support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Golang and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.

    For Java using Gradle, dependency lock files are not guaranteed, so Grype uses dependencies present in the built binaries, such as .jar or .war files.

    Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.

Namespace Provisioner

  • A deleted namespace may remain in a Terminating state indefinitely under certain conditions. For causes and solution, see Unable to delete namespace.
  • Applying the label selector used by the Namespace Provisioner controller to the developer namespace, which is configured at deployment time under the grype package values, will cause the provisioner Carvel app to crash due to ownership issues. This is because it’s trying to install Grype in a namespace where it’s already been installed.

Tanzu Application Platform GUI plug-ins

Supply Chain Choreographer plug-in
  • The Generation field and scan policy link in the Overview section does not update when you amend a scan policy. The correct version and details of the policy are shown in the CLI.
  • Customizing the Source Tester stage in an Out Of the Box supply chain does not show details in the Stage Details section.
  • When a GitOps PR flow is configured, the Approve a Request link no longer appears in the supply chain graph.
Security Analysis plug-in
  • The No Associated Policy tab in Workload Build Vulnerabilities does not show workloads that lack associated scan policies.
  • The CVEs bar graph in Workload Build Vulnerabilities sometimes cuts numbers off.


The following features, listed by component, are deprecated. Deprecated features will remain on this list until they are retired from Tanzu Application Platform.

Application Single Sign-On (AppSSO)

  • AuthServer.spec.tls.disabled is deprecated and marked for removal in the next release. For more information about how to migrate to AuthServer.spec.tls.deactivated, see Migration guides.

Application Live View

  • appliveview_connnector.backend.sslDisabled is deprecated and marked for removal in Tanzu Application Platform 1.7.0. For more information on the migration, see Deprecate the sslDisabled key.

Services Toolkit

  • The tanzu services claims CLI plug-in command is now deprecated. It is hidden from help text output, but continues to work until officially removed after the deprecation period. The new tanzu services resource-claims command provides the same functionality.

Supply Chain Security Tools - Image Policy Webhook

  • The Image Policy Webhook component is removed in Tanzu Application Platform v1.4. This component is deprecated in favor of the Policy Controller.

Supply Chain Security Tools - Scan

  • Removed deprecated ScanTemplates:
    • Deprecated Grype ScanTemplates shipped with versions prior to Tanzu Application Platform 1.2.0 are removed and no longer supported. Use Grype ScanTemplates v1.2 and later.
    • docker field and related sub-fields used in Supply Chain Security Tools - Scan are deprecated and marked for removal in Tanzu Application Platform 1.7.0.
    • The deprecation impacts the following components: Scan Controller, Grype Scanner, and Snyk Scanner. Carbon Black Scanner is not impacted.
    • For information about the migration path, see Troubleshooting.

Supply Chain Security Tools - Sign

Tanzu Build Service

  • The Ubuntu Bionic stack is deprecated: Ubuntu Bionic stops receiving support in April 2023. VMware recommends you migrate builds to Jammy stacks in advance. For how to migrate builds, see Use Jammy stacks for a workload.
  • The Cloud Native Buildpack Bill of Materials (CNB BOM) format is deprecated. It is still activated by default in Tanzu Application Platform v1.3 and v1.4. VMware plans to deactivate this format by default in Tanzu Application Platform v1.5 and remove support in Tanzu Application Platform v1.6. To manually deactivate legacy CNB BOM support, see Deactivate the CNB BOM format.

Tanzu CLI Apps plug-in

  • The default value for the --update-strategy flag will change from merge to replace in Tanzu Application Platform v1.7.0.
  • The tanzu apps workload update command is deprecated and marked for removal in Tanzu Application Platform 1.5.0. Use tanzu apps workload apply instead.
check-circle-line exclamation-circle-line close-line
Scroll to top icon