Tanzu Application Platform release notes

This topic describes the changes in Tanzu Application Platform (commonly known as TAP) v1.4.

v1.4.11

Release Date: 14 November 2023

v1.4.11 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • contour.tanzu.vmware.com
  • eventing.tanzu.vmware.com

v1.4.11 Known issues

This release introduces no new known issues.


v1.4.10

Release Date: 10 October 2023

v1.4.10 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • accelerator.apps.tanzu.vmware.com
  • buildservice.tanzu.vmware.com
  • learningcenter.tanzu.vmware.com
  • services-toolkit.tanzu.vmware.com
  • tekton.tanzu.vmware.com
  • workshops.learningcenter.tanzu.vmware.com

v1.4.10 Known issues

This release introduces no new known issues.


v1.4.9

Release Date: 12 September 2023

v1.4.9 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • api-portal.tanzu.vmware.com
  • buildservice.tanzu.vmware.com
  • learningcenter.tanzu.vmware.com
  • tap-gui.tanzu.vmware.com
  • tekton.tanzu.vmware.com
  • workshops.learningcenter.tanzu.vmware.com

v1.4.9 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.4.9 Resolved issues: Tanzu CLI and plug-ins

  • This release includes Tanzu CLI v1.0.0 and a set of installable plug-in groups that are versioned so that the CLI is compatible with all supported Tanzu Application Platform versions. For more information see Install Tanzu CLI.

v1.4.9 Known issues

This release has the following known issues, listed by component and area.

v1.4.9 Known issues: Tanzu Build Service

  • Tanzu Application Platform installation temporarily fails with this error related to the deactivate_smart_warmer key: waiting on reconcile packageinstall/buildservice. Overlaying data values (in following order: ca-cert.yaml, cert-injection-webhook/upstream/imagevalues.yaml, cert-injection-webhook/values.yaml, additional data values). This issue resolves after a few minutes.

v1.4.8

Release Date: 15 August 2023

v1.4.8 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • ootb-templates.tanzu.vmware.com
  • buildservice.tanzu.vmware.com

v1.4.8 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.4.8 Resolved issues: Tanzu Build Service

  • Fixed an issue where some buildpacks caused the builder image to become excessively large.

v1.4.8 Known issues

This release has the following known issues, listed by component and area.

v1.4.8 Known issues: Tanzu Build Service

  • Tanzu Application Platform installation fails if the automatic dependency updater is used with a Kubernetes secret ref, that is, using the fields buildservice.tanzunet_secret.name and buildservice.tanzunet_secret.name in the tap-values.yaml file. For a workaround, use plaintext secrets by using the fields buildservice.tanzunet_username and buildservice.tanzunet_password in the tap-values.yaml file.

v1.4.7

Release Date: 11 July 2023

v1.4.7 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • sso.apps.tanzu.vmware.com
  • learningcenter.tanzu.vmware.com
  • workshops.learningcenter.tanzu.vmware.com

v1.4.7 Known issues

This release introduces no new known issues.


v1.4.6

Release Date: 13 June 2023

v1.4.6 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • api-portal.tanzu.vmware.com
  • buildservice.tanzu.vmware.com
  • cert-manager.tanzu.vmware.com
  • sso.apps.tanzu.vmware.com
  • tap-gui.tanzu.vmware.com

v1.4.6 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.4.6 Resolved issues: Tanzu Developer Tools for IntelliJ

  • Resolved permission-denied errors encountered during Live Update when operating against platforms configured to use the Jammy build stack.

v1.4.6 Resolved issues: Tanzu Developer Tools for Visual Studio

  • Resolved permission-denied errors encountered during Live Update when operating against platforms configured to use the Jammy build stack.

v1.4.6 Resolved issues: Tanzu Developer Tools for VS Code

  • Resolved permission-denied errors encountered during Live Update when operating against platforms configured to use the Jammy build stack.

v1.4.6 Known issues

This release introduces no new known issues.


v1.4.5

Release Date: 09 May 2023

v1.4.5 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • accelerator.apps.tanzu.vmware.com
  • api-portal.tanzu.vmware.com
  • sso.apps.tanzu.vmware.com
  • buildservice.tanzu.vmware.com
  • ootb-templates.tanzu.vmware.com

v1.4.4

Release Date: 12 April 2023

v1.4.4 Security fixes

This release has the following security fixes, listed by package name and vulnerabilities.

Packages with vulnerabilities resolved:

  • buildservice.tanzu.vmware.com
  • eventing.tanzu.vmware.com
  • learningcenter.tanzu.vmware.com
  • policy.apps.tanzu.vmware.com
  • snyk.scanning.apps.tanzu.vmware.com
  • tap-gui.tanzu.vmware.com
  • workshops.learningcenter.tanzu.vmware.com

v1.4.4 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.4.4 Resolved issues: Grype Scanner

  • Updated Syft version to fix image scans failing with panic. This fixes an issue that caused the scanner to fail with an index out of range error. This happened when parsing APK metadata to identify the installed OS packages if a package’s list of provided files is empty.

v1.4.4 Resolved issues: Source Controller

  • Updated imgpkg API to v0.36.0 to fix file permissions after extracting the source tarball. File permissions were stripped from source files while using IMGPKG v0.25.0. This issue is fixed in IMGPKG v0.29.0 and later.

v1.4.4 Known issues

This release has the following known issues, listed by component and area.

v1.4.4 Known issues: API Auto Registration

  • Users cannot update their APIs through API Auto Registration due to an issue with the ID used to retrieve APIs. This issue causes errors in the API Descriptor CRD similar to the following: Unable to find API entity's uid within TAP GUI. Retrying the sync.

v1.4.4 Known issues: Grype Scanner

  • Scanning Java source code that uses Gradle package manager might not reveal vulnerabilities:

    For most languages, source code scanning only scans files present in the source code repository. Except for support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as golang and Node.js, Grype uses the lock files to verify dependencies for vulnerabilities.

    For Java using Gradle, dependency lock files are not guaranteed, so Grype uses dependencies present in the built binaries, such as .jar or .war files.

    Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.


v1.4.2

Release Date: 06 March 2023

v1.4.2 Security fixes

This release has the following security fixes, listed by package name and vulnerabilities.

  • accelerator.apps.tanzu.vmware.com: GHSA-69cg-p879-7622 and CVE-2023-0286
  • api-portal.tanzu.vmware.com: CVE-2023-0286
  • apis.apps.tanzu.vmware.com: CVE-2023-0286
  • buildservice.tanzu.vmware.com: GHSA-69cg-p879-7622, CVE-2023-0286, and GHSA-69ch-w2m2-3vjp
  • cartographer.tanzu.vmware.com: CVE-2023-0286 and GHSA-fxg5-wq6x-vr4w
  • cert-manager.tanzu.vmware.com: GHSA-69cg-p879-7622, GHSA-69ch-w2m2-3vjp, and GHSA-83g2-8m93-v3w7
  • cnrs.tanzu.vmware.com: GHSA-69cg-p879-7622, CVE-2023-0286, GHSA-fxg5-wq6x-vr4w, and GHSA-69ch-w2m2-3vjp
  • controller.conventions.apps.tanzu.vmware.com: GHSA-69cg-p879-7622, CVE-2023-0286, GHSA-fxg5-wq6x-vr4w, and GHSA-69ch-w2m2-3vjp
  • controller.source.apps.tanzu.vmware.com: CVE-2023-0286 and GHSA-fxg5-wq6x-vr4w
  • conventions.appliveview.tanzu.vmware.com: GHSA-69cg-p879-7622 and GHSA-fxg5-wq6x-vr4w
  • developer-conventions.tanzu.vmware.com: CVE-2023-0286
  • eventing.tanzu.vmware.com: CVE-2023-0286
  • external-secrets.apps.tanzu.vmware.com: CVE-2023-0286
  • fluxcd.source.controller.tanzu.vmware.com: CVE-2023-0286
  • metadata-store.apps.tanzu.vmware.com: GHSA-69cg-p879-7622, CVE-2023-0286, GHSA-fxg5-wq6x-vr4w, GHSA-69ch-w2m2-3vjp, GHSA-8c26-wmh5-6g9v, and GHSA-r48q-9g5r-8q2h
  • namespace-provisioner.apps.tanzu.vmware.com: GHSA-fxg5-wq6x-vr4w
  • ootb-templates.tanzu.vmware.com: GHSA-69cg-p879-7622, CVE-2023-0286, GHSA-fxg5-wq6x-vr4w, GHSA-69ch-w2m2-3vjp, GHSA-3vm4-22fp-5rfm, GHSA-8c26-wmh5-6g9v, GHSA-gwc9-m7rh-j2ww, GHSA-83g2-8m93-v3w7, and GHSA-ppp9-7jff-5vj2
  • policy.apps.tanzu.vmware.com: CVE-2023-0286
  • services-toolkit.tanzu.vmware.com: GHSA-69cg-p879-7622 and GHSA-fxg5-wq6x-vr4w
  • spring-boot-conventions.tanzu.vmware.com: GHSA-69cg-p879-7622 and GHSA-fxg5-wq6x-vr4w
  • sso.apps.tanzu.vmware.com: CVE-2023-0286, CVE-2022-4450, and CVE-2023-0215
  • tekton.tanzu.vmware.com: CVE-2023-0286, CVE-2022-45061, CVE-2022-42703, and CVE-2022-4378

v1.4.2 Resolved issues

The following issues, listed by area and component, are resolved in this release.

v1.4.2 Resolved issues: Tanzu Build Service

  • Fixed an issue that prevented the Cloud Native Buildpacks lifecycle component from upgrading with Tanzu Build Service.
    • Outdated lifecycle components can be built with older versions of Golang containing CVEs in the standard library.
    • Upgrading to Tanzu Application Platform v1.4.2 ensures the lifecycle component is updated to the latest version.

v1.4.2 Known issues

This release has the following known issues, listed by area and component.

v1.4.2 Known issues: Grype scanner

  • Scanning Java source code that uses Gradle package manager might not reveal vulnerabilities:

    For most languages, source code scanning only scans files present in the source code repository. Except for support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Golang and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.

    For Java using Gradle, dependency lock files are not guaranteed, so Grype uses dependencies present in the built binaries, such as .jar or .war files.

    Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.

  • Scanning some Alpine-based container images fails with a panic:

    An issue in Syft causes the scanner to crash with index out of range, while parsing APK metadata to identify installed OS packages if a package’s list of provided files is empty. This problem is resolved in SCST - Scan (Grype) version 1.4.1 or in the Tanzu Application Platform version 1.5.0+.


v1.4.1

Release Date: 16 February 2023

v1.4.1 Security fixes

This release has the following security fixes, listed by area and component.

v1.4.1 Security fixes: Tanzu Application Platform GUI


v1.4.1 Resolved issues

The following issues, listed by area and component, are resolved in this release.

v1.4.1 Resolved issues: Source Controller

  • Fixed an issue that caused some registries, including DockerHub, to incur higher than expected pulls because all HTTP GET calls are considered to be pulls. With this fix, HTTP requests use HEAD operations instead of GET operations, which reduces the number of pulls while checking updated image versions.

v1.4.1 Resolved issues: Tanzu Application Platform GUI

  • Fixed SVG icons that appeared overly large on the sidebar.
  • Added catalog graph cards and diagram defaults to align with upstream Backstage.

v1.4.1 Resolved issues: Tanzu Application Platform plug-ins

API Validation and Scoring Toolkit plug-in
  • Better error-handling for when a scoring value is missing in the API YAML.
  • Adjusted some styles of the components to meet requirements.
Application Accelerator plug-in
  • Fixed the rendering of options that share an identical dependsOn array value. Added system property configuration for the Git repository creation feature.
  • Added a workflow scope to the Git repository creation feature.
Application Live View plug-in
  • Fixed the reset button in the root logger of the Application Live View log levels page.
Out of the Box Supply Chain Templates plug-in
  • Fixed deliverable content written into ConfigMaps in a multicluster setup. Added labels to attribute the deliverable content with the supply chain and the template. This was done to be consistent with the delivery on a non-Build profile cluster. For more information, see Multicluster Tanzu Application Platform overview.
Security Analysis plug-in
  • Updated the data model for the response of metadata-store.
  • Changed the table’s position on the index page.
  • Updated the filter for workloads with no associated policy.
  • Updated the bar graph for workloads with big and small values for different severities.
  • Fixed a discrepancy between the widget and the information in Workload Build Vulnerabilities.
Supply Chain Choreographer plug-in
  • The Generation box now shows the correct amended scan policy version. Clicking the scan policy link displays the amended policy.
  • The Approve a Request button now appears in the Stage Details section of the Supply Chain view when the Config Writer stage is selected and the GitOps PR flow is configured.
  • When an error occurs and the scan policy documentation link appears, the link now targets the latest version of the Tanzu Application Platform documentation.
Supply Chain Security Tools plug-in
  • Fixed view approval failing to display in the Config Writer stage.
  • Fixed the check box status in the Table filter.
  • Updated the Scan policy documentation URL.
  • Fixed the Generation number displayed after the scan policy is updated.

v1.4.1 Known issues

This release has the following known issues, listed by area and component.

v1.4.1 Known issues: Grype scanner

  • Scanning Java source code that uses Gradle package manager might not reveal vulnerabilities:

    For most languages, source code scanning only scans files present in the source code repository. Except for support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Golang and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.

    For Java using Gradle, dependency lock files are not guaranteed, so Grype uses dependencies present in the built binaries, such as .jar or .war files.

    Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.

  • Scanning some Alpine-based container images fails with a panic:

    An issue in Syft causes the scanner to crash with index out of range, while parsing APK metadata to identify installed OS packages if a package’s list of provided files is empty. This problem is resolved in SCST - Scan (Grype) version 1.4.1 or in the Tanzu Application Platform version 1.5.0+.
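
The Gradle gap in the Grype known issue above (also listed for v1.4.4 and v1.4.2) can be checked per repository before relying on a source scan. The following is an added example, not part of the release notes or of Grype: it walks a source tree and classifies each Gradle module by what a source scan has available. The status names, the gradle-wrapper.jar exclusion, and the sample layout are assumptions of this example; gradle.lockfile is Gradle's standard lock file name, and whether your scanner version reads it is also an assumption.

```python
import os
import tempfile

GRADLE_BUILD_FILES = {"build.gradle", "build.gradle.kts"}
LOCK_FILE = "gradle.lockfile"          # Gradle's per-project dependency lock file
ARCHIVE_SUFFIXES = (".jar", ".war")    # the built binaries the release note names
WRAPPER_JAR = "gradle-wrapper.jar"     # build tooling, not an application dependency
SKIP_DIRS = {".git", ".gradle"}


def _nearest_module(directory, modules):
    """Walk up from directory to the closest ancestor that is a Gradle module."""
    current = directory
    while True:
        key = current or "."
        if key in modules:
            return key
        if key == ".":
            return None
        current = os.path.dirname(current)


def audit_gradle_modules(repo_root):
    """Map each Gradle module (path relative to repo_root) to a status.

    "lockfile": gradle.lockfile is committed next to the build file
    "binaries": no lock file, but .jar/.war archives exist under the module
    "blind":    neither, so per the release note findings appear only at image scan
    """
    modules, archive_dirs = {}, []
    for dirpath, dirnames, filenames in os.walk(repo_root):
        dirnames[:] = sorted(d for d in dirnames if d not in SKIP_DIRS)
        rel = os.path.relpath(dirpath, repo_root)
        if GRADLE_BUILD_FILES.intersection(filenames):
            modules[rel] = {"lock": LOCK_FILE in filenames, "archives": 0}
        for name in filenames:
            # The wrapper jar is committed in most Gradle repositories; counting
            # it would make every module look covered.
            if name.lower().endswith(ARCHIVE_SUFFIXES) and name != WRAPPER_JAR:
                archive_dirs.append(rel)
    # Attribute each archive to the innermost module that contains it.
    for archive_dir in archive_dirs:
        owner = _nearest_module(archive_dir, modules)
        if owner is not None:
            modules[owner]["archives"] += 1
    report = {}
    for path, info in modules.items():
        if info["lock"]:
            report[path] = "lockfile"
        elif info["archives"]:
            report[path] = "binaries"
        else:
            report[path] = "blind"
    return report


def build_sample_repo(root):
    """Create a small constructed repository layout for the demonstration."""
    layout = [
        "build.gradle",                           # root module: wrapper jar only
        "gradle/wrapper/gradle-wrapper.jar",
        "services/api/build.gradle.kts",          # module with a lock file
        "services/api/gradle.lockfile",
        "services/worker/build.gradle",           # module with committed build output
        "services/worker/build/libs/worker.jar",
        "docs/readme.txt",                        # not a Gradle module
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as handle:
            handle.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        for module, status in sorted(audit_gradle_modules(tmp).items()):
            print(f"{status:9} {module}")
```

Modules reported as blind are the ones where only the image scan stage provides vulnerability coverage, so a policy that gates on source scan results alone does not cover them.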

v1.4.1 Known issues: Security Analysis GUI

  • After upgrading to Tanzu Application Platform v1.4 from v1.3, the Security Analysis GUI dashboard might appear empty because the dashboard now displays information from the Metadata Store. To repopulate the dashboard, see Troubleshooting.

v1.4.0

Release Date: 10 January 2023

v1.4.0 Tanzu Application Platform new features

This release includes the following platform-wide enhancements.

  • Shared Ingress Issuer for secure ingress communication by default. CNRs, AppSSO, and Tanzu Application Platform GUI use this issuer to secure ingress. Over future releases, VMware plans to incrementally update all Tanzu Application Platform components to support the shared ingress issuer.
  • Namespace Provisioner provides a secure, automated way for Platform Operators to provision namespaces with the resources and proper namespace-level privileges required for their workloads to function as intended.
  • Tanzu Application Platform Telemetry Reports offers the option to enroll in a usage reporting program that provides a usage summary of your Tanzu Application Platform.
  • Tanzu Developer Tools for Visual Studio is an IDE extension for Visual Studio that provides a rapid iteration experience for developing .NET Core apps in Tanzu Application Platform.

v1.4.0 New features by component and area

This release includes the following changes, listed by component and area.

v1.4.0 Features: API Validation and Scoring Toolkit

  • API Validation and Scoring focuses on scanning and validating an OpenAPI specification. The API specification is generated from the API Auto Registration of Tanzu Application Platform. See API Validation and Scoring for more information.

v1.4.0 Features: Application Single Sign-On (AppSSO)

  • Added ability to configure custom Redis storage for an AuthServer by using a ProvisionedService-style API. For more information, see Storage.
  • Added package field default_authserver_clusterissuer that inherits the shared.ingress_issuer value from Tanzu Application Platform if not set. For more information, see IssuerURI and TLS.
  • Added AuthServer.spec.tls.deactivated to deprecate AuthServer.spec.tls.disabled.
  • AuthServer.spec.tokenSignatures is now a required field.
  • In addition to globally trusted CA certificates, granular trust can be extended with AuthServer.spec.caCerts.
  • LDAP is now a supported identity provider protocol. For more information, see LDAP.
    • LDAP bind is validated on AuthServer creation when an LDAP identity provider is defined.
    • Introduced identityProviders.ldap.url in AuthServer.spec.
    • Introduced identityProviders.ldap.group.search.
    • identityProviders.ldap.group is now optional in AuthServer.spec.

v1.4.0 Features: Application Accelerator

  • Optional Git repository creation during project generation is supported in the Application Accelerator extension for VS Code.
  • Added custom types, which allows for 1-N number of repeating sets of options in an accelerator’s form during project creation.
  • Added the Loop transform to allow for transforms to be applied on list options.
  • Added generate-from-local command to the Application Accelerator plug-in for the Tanzu CLI to generate projects from local assets without needing to commit code.
  • Additional Application Accelerator plug-ins for Tanzu CLI improvements:
    • fragment create now supports --local-path and --source-image.
    • fragment update now supports --source-image.
  • Application Accelerator Samples:

v1.4.0 Features: Application Live View

  • Users can now activate or deactivate the automatic configuration of Spring Boot actuators on Tanzu Application Platform and on workloads. For more information, see Configure and access Spring Boot actuators in Tanzu Application Platform.
  • Added Application Live View Memory View panel in Visual Studio Code as part of Spring Boot Dashboard extension.
  • Added support for Spring Boot 3. Spring Boot 3 Native Image is not supported.
  • Added new Application Live View pages HTTP Requests and Request Mappings for Steeltoe workloads.
  • Added appliveview_connnector.backend.sslDeactivated to deprecate appliveview_connnector.backend.sslDisabled.

v1.4.0 Features: Apps plug-in for Tanzu CLI

  • Added --update-strategy flag to allow you to change tanzu apps workload apply behavior when contents from file are applied. See How-to-guides section for use and examples.
  • Added ability to pass URL for --file flag.
  • Show fully qualified resource name in the resources column of Supply chain and Delivery sections of the tanzu apps workload get command. Example output is found in tanzu apps workload get command description.
  • Added new shorthand flag aliases: -a for --app, -e for --env, -i for --image, -l for --label, -p for --param, and -t for --type. For more information, see Tanzu apps workload apply flags list.
  • Added emojis to tanzu apps workload create/apply/delete commands.
  • Do not print emojis when --no-color flag is set.
  • Added namespace to tanzu apps workload get command’s overview section.
  • Added progress bar to provide feedback to users when uploading source code to registry.
  • Removed color from tail command output when --no-color flag is passed.

v1.4.0 Features: cert-manager

  • cert-manager.tap.tanzu.vmware.com can optionally install self-signed ClusterIssuers.

v1.4.0 Features: Eventing

  • Upgraded Knative Eventing version from 1.6 to 1.8.
  • Added a Kubernetes tracing attribute to ApiServerSource.
  • The ApiServerSource is a Knative Eventing Kubernetes custom resource that listens for events emitted by the Kubernetes API server, such as pod creation and deployment updates, and forwards them as CloudEvents to a sink.

v1.4.0 Features: External Secrets Operator (alpha)

  • The External Secrets Operator is a Kubernetes operator that integrates with external secret management systems. With this release, Tanzu Application Platform repackages this open source Kubernetes operator into a Carvel bundle that ships with Tanzu Application Platform. External Secrets Operator is currently in alpha and is intended for evaluation and test purposes only. Do not use in a production environment.

v1.4.0 Features: Services Toolkit

v1.4.0 Features: Tanzu Application Platform GUI plug-ins

Security Analysis Plug-in
  • Understand the total number of affected packages and vulnerabilities on the Security Analysis Dashboard: The Vulnerabilities by Severity widget and the Workload Build Vulnerabilities table have updated logic to count all CVEs and packages, providing a better idea of the discrete, affected packages. Previously, the logic counted unique CVEs, even if a particular CVE affected multiple packages.
  • Quickly identify all affected workloads for a specific CVE, package, or dependency: The CVE and Package details pages include a new table that shows all affected workloads for a specific CVE or package. You access the CVE and Package details page on the source or image scan stage in the Supply Chain Choreographer Plug-in.
Supply Chain Choreographer plug-in
  • Events are now emitted when resources are applied and when their output or health status changes. See Events reference.
  • Source Tester stage now includes a link to the Jenkins job when Jenkins is configured for use in the supply chain.
  • spec.source.git.url is added to the Overview section of the Source Provider stage in the supply chain.
  • Added support to include current and historical Kaniko build logs in the Stage Details section of the supply chain when Kaniko is used as the build service in the Image Provider stage.
  • Scanning stages now include a Show Unique CVEs filter so that the scan results show one CVE per ID as opposed to each CVE per package. This allows better alignment between the data in the Supply Chain Choreographer plug-in and the Security Analysis plug-in.

v1.4.0 Features: Supply Chain Security Tools - Policy

v1.4.0 Features: Supply Chain Security Tools - Scan

  • Users no longer need to create a package overlay to enable Grype in offline and air-gapped environments. See Using Grype in offline and air-gapped environments.
  • Increased compatibility with customers’ existing environments by supporting custom certificate authorities (CAs) by using the tap-values.yml for both Grype and Snyk scanners.
  • Alpha release of Prisma Scanner integration. See Install Prisma Scanner.

v1.4.0 Features: Tanzu Developer Tools for IntelliJ

  • The developer sandbox enables developers to Live Update their code and simultaneously debug the updated code, without having to deactivate Live Update when debugging.
  • An Activity pane was added in the Tanzu Panel that allows developers to visualize the supply chain, delivery, and running application pods. It displays detailed error messages on each resource and enables developers to describe and view logs on these resources from within their IDE.
  • Tanzu workload apply and delete actions were added to IntelliJ.
  • Code snippets to create workload.yaml and catalog-info.yaml files were added to IntelliJ.

v1.4.0 Features: Tanzu Developer Tools for Visual Studio

  • See code updates running on-cluster in seconds: By using Live Update facilitated by Tilt, deploy your workload once, save changes to the code, and then in seconds see those changes reflected in the workload running on the cluster. All Live Update output is filtered to its own output pane window within Visual Studio.

  • Debug workloads directly on the cluster: Debug your application in a production-like environment by debugging on your Kubernetes cluster that has Tanzu Application Platform. An environment’s similarity to production relies on keeping dependencies updated, among other variables.

v1.4.0 Features: Tanzu Developer Tools for Visual Studio Code

  • The developer sandbox enables developers to Live Update their code, and simultaneously debug the updated code, without having to deactivate Live Update when debugging.

v1.4.0 Breaking changes

This release has the following breaking changes, listed by area and component.

v1.4.0 Breaking changes: Application Single Sign-On (AppSSO)

  • Removed AuthServer.spec.identityProvider.ldap.group.search{Filter,Base,Depth,SubTree} and introduced ldap.group.search: {}.
    • If ldap.group is defined and ldap.group.search is not defined, the LDAP is considered an ActiveDirectory style LDAP and groups are loaded from the user’s memberOf attribute.
    • If ldap.group and ldap.group.search are both defined, the LDAP is considered a Classic LDAP and group search is done by searching in the ldap.group.search.base.
    • There used to be a mixed mode, when both searches were attempted every time.
  • Removed AuthServer.spec.identityProviders.ldap.server field.
  • Removed AuthServer.status.deployments.authServer.lastParentGenerationWithRestart field.
  • Removed deprecated field AuthServer.spec.issuerURI. For more information, see IssuerURI and TLS.
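
The AuthServer field changes listed above, together with the tls.deactivated and tokenSignatures changes in the v1.4.0 AppSSO features list, can be checked against existing manifests before upgrading. The following is an added example, not AppSSO's own validation: it lints one parsed AuthServer manifest and reports which group lookup style v1.4.0 applies. It assumes spec.identityProviders is a list of entries that each may carry an ldap block; the sample manifest and its values are constructed.

```python
REMOVED_GROUP_FIELDS = ("searchFilter", "searchBase", "searchDepth", "searchSubTree")


def ldap_group_mode(ldap):
    """Classify how v1.4.0 resolves groups for one ldap identity provider block."""
    group = ldap.get("group")
    if group is None:
        return "none"               # ldap.group is optional in v1.4.0
    if "search" in group:           # key presence counts: `search: {}` is "defined"
        return "classic"            # groups searched under ldap.group.search.base
    return "active-directory"       # groups read from the user's memberOf attribute


def lint_authserver(manifest):
    """Return (field path, message) findings for a pre-v1.4.0 AuthServer manifest."""
    findings = []
    spec = manifest.get("spec") or {}
    if "issuerURI" in spec:
        findings.append(("spec.issuerURI", "removed in v1.4.0"))
    if "disabled" in (spec.get("tls") or {}):
        findings.append(("spec.tls.disabled", "deprecated by spec.tls.deactivated"))
    if not spec.get("tokenSignatures"):
        findings.append(("spec.tokenSignatures", "required field in v1.4.0"))
    # Assumption of this example: identityProviders is a list of provider entries.
    for index, provider in enumerate(spec.get("identityProviders") or []):
        ldap = provider.get("ldap")
        if ldap is None:
            continue
        base = f"spec.identityProviders[{index}].ldap"
        if "server" in ldap:
            findings.append((f"{base}.server", "removed in v1.4.0"))
        group = ldap.get("group") or {}
        stale = [field for field in REMOVED_GROUP_FIELDS if field in group]
        for field in stale:
            findings.append((f"{base}.group.{field}", "removed; use group.search"))
        # Deleting the stale fields without adding group.search changes behaviour:
        # the provider is then treated as ActiveDirectory style (memberOf lookup).
        if stale and "search" not in group:
            findings.append((f"{base}.group",
                             "no group.search block: resolves groups via memberOf"))
    return findings


# Constructed sample: an AuthServer written against the pre-v1.4.0 fields.
SAMPLE_OLD_AUTHSERVER = {
    "kind": "AuthServer",
    "metadata": {"name": "constructed-example"},
    "spec": {
        "issuerURI": "https://login.example.test",
        "tls": {"disabled": True},
        "identityProviders": [
            {
                "name": "corp-ldap",
                "ldap": {
                    "server": "constructed-value",
                    "group": {
                        "searchBase": "ou=groups,dc=example,dc=test",
                        "searchFilter": "member={0}",
                    },
                },
            }
        ],
    },
}

if __name__ == "__main__":
    for path, message in lint_authserver(SAMPLE_OLD_AUTHSERVER):
        print(f"{path}: {message}")
    provider = SAMPLE_OLD_AUTHSERVER["spec"]["identityProviders"][0]["ldap"]
    print("group mode after upgrade:", ldap_group_mode(provider))
```

The last finding is the one to review by hand, because a change in group resolution changes which group memberships the AuthServer sees for a user.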

v1.4.0 Breaking changes: Out of the Box Supply Chain Templates

  • In a multicluster setup, when a Deliverable is created on a Build profile cluster, the ConfigMap it’s in is renamed from <workload-name> to <workload-name>-deliverable. Any automation that depends on obtaining the Deliverable content by the former name must be updated with the new name. For more information, see Multicluster Tanzu Application Platform overview.

v1.4.0 Breaking changes: Supply Chain Security Tools - Image Policy Webhook

  • The Image Policy Webhook component is removed in Tanzu Application Platform v1.4. This component is deprecated in favor of the Policy Controller.

v1.4.0 Breaking changes: Supply Chain Security Tools - Policy Controller

  • Policy Controller no longer initializes The Update Framework (TUF) by default. TUF is required to support the keyless authorities in ClusterImagePolicy. To continue to use keyless authorities, provide the value policy.tuf_enabled: true by using the tap-values.yaml file while upgrading. By default, the public Sigstore TUF server is used. To target an alternative Sigstore stack, specify policy.tuf_mirror and policy.tuf_root.

v1.4.0 Breaking changes: Tanzu Application Platform GUI

  • Ingress URL: As mentioned in the new features section, Tanzu Application Platform GUI participates in the shared ingress issuer feature. You might need to change your scheme from http to https. For more information, see Troubleshooting.

  • Communication with Supply Chain Security Tools - Store: In previous versions of Tanzu Application Platform, you configured Tanzu Application Platform GUI to use the read-only access token to communicate with Supply

    In v1.4, you must use the read-write access token to use new features in the Security Analysis GUI plug-in. If upgrading from v1.3, update your Tanzu Application Platform GUI configuration accordingly. See the updated instructions in Enable CVE scan results.

v1.4.0 Breaking changes: Tanzu Developer Tools for IntelliJ

  • IntelliJ IDEA v2022.2 to v2022.3 is required to install the extension.

v1.4.0 Breaking changes: Tanzu Developer Tools for Visual Studio Code

  • Tanzu Debug no longer port forwards the application port (8080).

v1.4.0 Security fixes

This release has the following security fixes, listed by area and component.

v1.4.0 Security fixes: API Auto Registration

  • Base image updated to use the latest Paketo Jammy Base image.

v1.4.0 Security fixes: Contour

  • Updated to Contour v1.22.3, which includes an update to Go v1.19.4 containing security fixes to the net/http and os packages.

v1.4.0 Security fixes: Supply Chain Security Tools - Grype

  • python is updated to 3.7.5-22.ph3.

v1.4.0 Security fixes: Remediated vulnerabilities

The following is a list of vulnerabilities remediated with this release:

  • GHSA-7hfm-57qf-j43q, GHSA-crv7-7245-f45f, GHSA-mc84-pj99-q6hh, GHSA-xqfj-vm6h-2x34, CVE-2022-42003, CVE-2022-42004, GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-3mc7-4q67-w48m, GHSA-36p3-wjmg-h94x, CVE-2022-23960, CVE-2022-43945, GHSA-crp2-qrr5-8pq7, GHSA-7qw8-847f-pggm, GHSA-c3xm-pvg7-gh7r, GHSA-f524-rf33-2jjr, CVE-2022-2509, CVE-2022-3171, CVE-2022-3509, CVE-2022-3510, GHSA-4gg5-vx3j-xwc7, GHSA-g5ww-5jh7-63cx, GHSA-66x3-6cw3-v5gj, CVE-2022-3515, CVE-2022-2602, CVE-2022-41222, CVE-2022-32212, CVE-2022-35255, CVE-2021-27478, CVE-2021-27482, CVE-2021-27498, CVE-2021-27500, CVE-2019-12900, CVE-2021-28861, CVE-2021-3737, CVE-2022-0391, GHSA-4w2j-2rg4-5mjw, CVE-2022-2586, CVE-2022-2588, CVE-2022-34918, GHSA-4wf5-vphf-c2xc, CVE-2022-42916, CVE-2022-43551, CVE-2022-43552, CVE-2021-3999, GHSA-m974-647v-whv7

Note about CVE-2022-4378

  • CVE-2022-4378 is a high severity, exploitable stack overflow flaw found in the Linux kernel’s SYSCTL subsystem. At this time, there is no available patch from Canonical in their upstream Ubuntu distribution. Once there is a patch available for the 22.04 release line, Tanzu Application Platform will release a patched base stack image. The current status for patching this vulnerability in the Jammy stack is available on Ubuntu’s security page.

    It is important for customers to understand that CVE-2022-4378 is a kernel exploit, and the kernel runs on the customers’ container host VM, not in the Tanzu Application Platform container image. Even with a patched image, the vulnerability is not mitigated until customers deploy their containers on a host with a patched OS. An unpatched host OS might be exploitable if the base image is deployed in a way that allows users to modify SYSCTL parameters.

    Red Hat has published a potential mitigation that prevents regular users from accessing sysctl files and increasing privileges until a patch becomes available.


v1.4.0 Resolved issues

The following issues, listed by area and component, are resolved in this release.

v1.4.0 Resolved issues: API Auto Registration

  • API Auto Registration periodically checks the original API specification from the defined location to find changes and registers any changes into the API Descriptor. This triggers reconciliation into the Tanzu Application Platform GUI catalog. This synchronization period or frequency is configurable through the new value sync_period. The default value is 5 minutes.

v1.4.0 Resolved issues: Application Single Sign-On (AppSSO)

  • Fixed infinite redirect loops for an AuthServer configured with a single OIDC or SAML identity provider.
  • The audit event for a rejected Authorization Code request from an anonymous user now logs the proper IP address.
  • AuthServer no longer attempts to configure Redis event listeners.
  • OpenShift: a custom SecurityContextConstraint resource is created for Kubernetes platform versions 1.23.x and lower.
  • The LDAP error log now contains the proper error message.

v1.4.0 Resolved issues: Out of the Box Supply Chain Templates

Fixed deliverable content written into ConfigMaps in multicluster setup. ConfigMap is renamed to avoid conflict with config-template.

For more information, see Multicluster Tanzu Application Platform overview.

v1.4.0 Resolved issues: Tanzu CLI Apps Plug-in

  • Fixed tanzu apps workload tail command output, which was displaying extra init container log lines.
  • Fixed tanzu apps workload tail command not including all logs.

v1.4.0 Resolved issues: Tanzu Application Platform GUI plug-ins

  • Immediate entity provider back-end plug-in

    • The entity provider, used mainly by API Auto Registration, now allows a body size of 5Mb to accept larger API specifications.
    • Considering the restriction of Backstage for Entity Provider mutations, whenever an existing entity is intended for a mutation through this plug-in, and its origin is a different entity provider, a 409 Conflict error is returned.

v1.4.0 Resolved issues: Supply Chain Choreographer plug-in

  • The UI no longer shows the error Unable to retrieve details from Image Provider Stage when the Builder is not available or configured. It now correctly shows the same error as the CLI, Builder default is not ready.
  • Build logs are now displayed when the Image Provider stage fails.

v1.4.0 Known issues

This release has the following known issues, listed by area and component.

v1.4.0 Known issues: API Auto Registration

v1.4.0 Known issues: Application Accelerator for Visual Studio Code

  • When using custom types, if there is a check box in the list of attributes then re-ordering the inputs doesn’t work.

v1.4.0 Known issues: Cloud Native Runtimes for VMware Tanzu

  • Knative Serving: Certain app name, namespace, and domain combinations produce invalid HTTPProxy resources. See Cloud Native Runtimes Troubleshooting.
  • Knative Serving and Cert Manager: When auto-tls is enabled, the default in Tanzu Application Platform v1.4.0, Knative services fail with certificateNotReady if workload name, namespace, and domain are more than 64 bytes. See Cloud Native Runtimes Troubleshooting.

v1.4.0 Known issues: Grype scanner

  • Scanning Java source code that uses Gradle package manager might not reveal vulnerabilities:

    For most languages, Source Code Scanning only scans files present in the source code repository. Except for support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Golang and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.

    For Java using Gradle, dependency lock files are not guaranteed, so Grype uses dependencies present in the built binaries, such as .jar or .war files.

    Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.

  • Scanning some Alpine-based container images fails with a panic:

    An issue in Syft causes the scanner to crash with index out of range, while parsing APK metadata to identify installed OS packages if a package’s list of provided files is empty. This problem is resolved in SCST - Scan (Grype) version 1.4.1 or in the Tanzu Application Platform version 1.5.0+.

v1.4.0 Known issues: Namespace Provisioner

  • Applying the label selector used by the namespace provisioner controller to the developer namespace, which is configured at deployment time under the grype package values, will cause the provisioner Carvel app to crash due to ownership issues. This is because it’s trying to install Grype in a namespace where it’s already been installed.

v1.4.0 Known issues: Out of the Box Supply Chain Templates

In a Build profile cluster, Deliverables are created without the labels that associate them with their Workload. As a workaround, inject the labels manually. For more information, see Multicluster Tanzu Application Platform overview.

v1.4.0 Known issues: Tanzu Application Platform GUI plug-ins

  • Security Analysis plug-in

    • The No Associated Policy tab in Workload Build Vulnerabilities does not show workloads that lack associated scan policies.
    • The CVEs bar graph in Workload Build Vulnerabilities sometimes cuts numbers off.

  • Supply Chain Choreographer plug-in

    • The Generation field and scan policy link in the Overview section do not update when you amend a scan policy. The correct version and details of the policy are shown in the CLI.
    • Customizing the Source Tester stage in an Out of the Box supply chain does not show details in the Stage Details section.
    • When a GitOps PR flow is configured, the Approve a Request link no longer appears in the supply chain graph.

v1.4.0 Known issues: Tanzu Developer Tools for IntelliJ

  • If a workload is deployed onto a namespace by using Live Update, you must set that namespace as the namespace of the current context of your kubeconfig file. Otherwise, if you run Tanzu Debug, it causes the workload to re-deploy. For more information, see Troubleshooting.

  • On macOS, Tanzu Panel might be empty when using a GKE cluster. For more information, see Troubleshooting.

  • The Describe action in the pop-up menu in the Activity panel can fail when used on PodIntent resources. For more information, see Troubleshooting.

  • The Tanzu panel might show workloads without showing Kubernetes resources in the center panel of the activity pane. For more information, see Troubleshooting.

  • The Details table and Messages pane in the activity panel can show stale data because these views only refresh when the selection in the Resource tree is changed. As a workaround, make the views refresh by clicking somewhere in the Resource tree to change the current selection.

  • Live Update does not work when using the Jammy ClusterBuilder.

v1.4.0 Known issues: Tanzu Developer Tools for Visual Studio

  • The Tanzu: Delete Workload command can fail with the extension erroneously reporting that the workload isn’t running. For more information, see Troubleshooting.

  • The Tanzu: Start Live Update command can fail because the specified path was not found. For more information, see Troubleshooting.

  • Live Update does not work when using the Jammy ClusterBuilder.

v1.4.0 Known issues: Tanzu Developer Tools for Visual Studio Code

  • Could not find the task 'tanzuManagement: Kill Port Forward fortune-service'. You might see this error message if an app was deployed with a previous version of the Visual Studio Code extension. For more information, see Troubleshooting.

Deprecations

The following features, listed by component, are deprecated. Deprecated features will remain on this list until they are retired from Tanzu Application Platform.

Application Live View deprecations

  • appliveview_connector.backend.sslDisabled is deprecated and marked for removal in Tanzu Application Platform 1.7.0. For more information on the migration, see Deprecate the sslDisabled key.

Application Single Sign-On (AppSSO) deprecations

  • AuthServer.spec.tls.disabled is deprecated and marked for removal in the next release. For more information about how to migrate to AuthServer.spec.tls.deactivated, see Migration guides.

Services Toolkit deprecations

  • The tanzu services claims CLI plug-in command is now deprecated. It is hidden from help text output, but continues to work until officially removed after the deprecation period. The new tanzu services resource-claims command provides the same functionality.

Supply Chain Security Tools - Image Policy Webhook deprecations

  • The Image Policy Webhook component is removed in Tanzu Application Platform v1.4. This component is deprecated in favor of the Policy Controller.

Supply Chain Security Tools - Scan deprecations

  • Removed deprecated ScanTemplates:
    • Deprecated Grype ScanTemplates shipped with versions prior to Tanzu Application Platform 1.2.0 are removed and no longer supported. Use Grype ScanTemplates v1.2 and later.
    • docker field and related sub-fields used in Supply Chain Security Tools - Scan are deprecated and marked for removal in Tanzu Application Platform 1.7.0.
    • The deprecation impacts the following components: Scan Controller, Grype Scanner, and Snyk Scanner. Carbon Black Scanner is not impacted.
    • For information about the migration path, see Troubleshooting.

Supply Chain Security Tools - Sign deprecations

Tanzu Build Service deprecations

  • The Ubuntu Bionic stack is deprecated: Ubuntu Bionic stops receiving support in April 2023. VMware recommends you migrate builds to Jammy stacks in advance. For how to migrate builds, see Use Jammy stacks for a workload.
  • The Cloud Native Buildpack Bill of Materials (CNB BOM) format is deprecated. It is still activated by default in Tanzu Application Platform v1.3 and v1.4. VMware plans to deactivate this format by default in Tanzu Application Platform v1.6 and remove support in Tanzu Application Platform v1.8. To manually deactivate legacy CNB BOM support, see Deactivate the CNB BOM format.

Tanzu CLI Apps plug-in deprecations

  • The default value for the --update-strategy flag will change from merge to replace in Tanzu Application Platform v1.7.0.
  • The tanzu apps workload update command is deprecated and marked for removal in Tanzu Application Platform 1.5.0. Use tanzu apps workload apply instead.

Linux Kernel CVEs

Kernel level vulnerabilities are regularly identified and patched by Canonical. Tanzu Application Platform releases with available images, which might contain known vulnerabilities. When Canonical makes patched images available, Tanzu Application Platform incorporates these fixed images into future releases.

The kernel runs on your container host VM, not the Tanzu Application Platform container image. Even with a patched Tanzu Application Platform image, the vulnerability is not mitigated until you deploy your containers on a host with a patched OS. An unpatched host OS might be exploitable if the base image is deployed.
