This topic describes the changes in Tanzu Application Platform (commonly known as TAP) v1.4.
Release Date: 14 November 2023
This release has the following security fixes, listed by component and area.
| Package Name | Vulnerabilities Resolved |
|---|---|
| contour.tanzu.vmware.com | |
| eventing.tanzu.vmware.com | |
This release introduces no new known issues.
Release Date: 10 October 2023
This release has the following security fixes, listed by component and area.
| Package Name | Vulnerabilities Resolved |
|---|---|
| accelerator.apps.tanzu.vmware.com | |
| buildservice.tanzu.vmware.com | |
| learningcenter.tanzu.vmware.com | |
| services-toolkit.tanzu.vmware.com | |
| tekton.tanzu.vmware.com | |
| workshops.learningcenter.tanzu.vmware.com | |
This release introduces no new known issues.
Release Date: 12 September 2023
This release has the following security fixes, listed by component and area.
| Package Name | Vulnerabilities Resolved |
|---|---|
| api-portal.tanzu.vmware.com | |
| buildservice.tanzu.vmware.com | |
| learningcenter.tanzu.vmware.com | |
| tap-gui.tanzu.vmware.com | |
| tekton.tanzu.vmware.com | |
| workshops.learningcenter.tanzu.vmware.com | |
The following issues, listed by component and area, are resolved in this release.
This release has the following known issues, listed by component and area.
- `deactivate_smart_warmer` key: `waiting on reconcile packageinstall/buildservice. Overlaying data values (in following order: ca-cert.yaml, cert-injection-webhook/upstream/imagevalues.yaml, cert-injection-webhook/values.yaml, additional data values)`. This issue resolves after a few minutes.
Release Date: 15 August 2023
This release has the following security fixes, listed by component and area.
| Package Name | Vulnerabilities Resolved |
|---|---|
| ootb-templates.tanzu.vmware.com | |
| buildservice.tanzu.vmware.com | |
The following issues, listed by component and area, are resolved in this release.
This release has the following known issues, listed by component and area.
- `buildservice.tanzunet_secret.name` and `buildservice.tanzunet_secret.name` in the `tap-values.yaml` file. For a workaround, use plaintext secrets by using the fields `buildservice.tanzunet_username` and `buildservice.tanzunet_password` in the `tap-values.yaml` file.
Release Date: 11 July 2023
This release has the following security fixes, listed by component and area.
| Package Name | Vulnerabilities Resolved |
|---|---|
| sso.apps.tanzu.vmware.com | |
| learningcenter.tanzu.vmware.com | |
| workshops.learningcenter.tanzu.vmware.com | |
This release introduces no new known issues.
Release Date: 13 June 2023
This release has the following security fixes, listed by component and area.
| Package Name | Vulnerabilities Resolved |
|---|---|
| api-portal.tanzu.vmware.com | |
| buildservice.tanzu.vmware.com | |
| cert-manager.tanzu.vmware.com | |
| sso.apps.tanzu.vmware.com | |
| tap-gui.tanzu.vmware.com | |
The following issues, listed by component and area, are resolved in this release.
This release introduces no new known issues.
Release Date: 09 May 2023
This release has the following security fixes, listed by component and area.
| Package Name | Vulnerabilities Resolved |
|---|---|
| accelerator.apps.tanzu.vmware.com | |
| api-portal.tanzu.vmware.com | |
| sso.apps.tanzu.vmware.com | |
| buildservice.tanzu.vmware.com | |
| ootb-templates.tanzu.vmware.com | |
Release Date: 12 April 2023
This release has the following security fixes, listed by package name and vulnerabilities.
| Package Name | Vulnerabilities Resolved |
|---|---|
| buildservice.tanzu.vmware.com | |
| eventing.tanzu.vmware.com | |
| learningcenter.tanzu.vmware.com | |
| policy.apps.tanzu.vmware.com | |
| snyk.scanning.apps.tanzu.vmware.com | |
| tap-gui.tanzu.vmware.com | |
| workshops.learningcenter.tanzu.vmware.com | |
The following issues, listed by component and area, are resolved in this release.
This release has the following known issues, listed by component and area.
- `Unable to find API entity's uid within TAP GUI. Retrying the sync`.
- Scanning Java source code that uses the Gradle package manager might not reveal vulnerabilities:
  For most languages, source code scanning only scans files present in the source code repository. Except for the support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Go and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.
  For Java using Gradle, dependency lock files are not guaranteed, so Grype uses the dependencies present in the built binaries, such as `.jar` or `.war` files.
  Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.
Release Date: 06 March 2023
This release has the following security fixes, listed by package name and vulnerabilities.
The following issues, listed by area and component, are resolved in this release.
This release has the following known issues, listed by area and component.
- Scanning Java source code that uses the Gradle package manager might not reveal vulnerabilities:
  For most languages, source code scanning only scans files present in the source code repository. Except for the support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Go and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.
  For Java using Gradle, dependency lock files are not guaranteed, so Grype uses the dependencies present in the built binaries, such as `.jar` or `.war` files.
  Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.
- Scanning some Alpine-based container images fails with a panic:
  An issue in Syft causes the scanner to crash with `index out of range` while parsing APK metadata to identify installed OS packages, if a package's list of provided files is empty. This problem is resolved in SCST - Scan (Grype) version 1.4.1 or in Tanzu Application Platform version 1.5.0+.
Release Date: 16 February 2023
This release has the following security fixes, listed by area and component.
The following issues, listed by area and component, are resolved in this release.
- `dependsOn` array value.
- Added system property configuration for the Git repository creation feature.
- `metadata-store`.
This release has the following known issues, listed by area and component.
- Scanning Java source code that uses the Gradle package manager might not reveal vulnerabilities:
  For most languages, source code scanning only scans files present in the source code repository. Except for the support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Go and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.
  For Java using Gradle, dependency lock files are not guaranteed, so Grype uses the dependencies present in the built binaries, such as `.jar` or `.war` files.
  Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.
- Scanning some Alpine-based container images fails with a panic:
  An issue in Syft causes the scanner to crash with `index out of range` while parsing APK metadata to identify installed OS packages, if a package's list of provided files is empty. This problem is resolved in SCST - Scan (Grype) version 1.4.1 or in Tanzu Application Platform version 1.5.0+.
Release Date: 10 January 2023
This release includes the following platform-wide enhancements.
This release includes the following changes, listed by component and area.
- `AuthServer` by using a ProvisionedService-style API. For more information, see Storage.
- `default_authserver_clusterissuer`, which inherits the `shared.ingress_issuer` value from Tanzu Application Platform if not set. For more information, see IssuerURI and TLS.
- `AuthServer.spec.tls.deactivated` to deprecate `AuthServer.spec.tls.disabled`.
- `AuthServer.spec.tokenSignatures` is now a required field.
- `AuthServer.spec.caCerts`.
- `AuthServer` creation when an LDAP identity provider is defined.
- `identityProviders.ldap.url` in `AuthServer.spec`.
- `identityProviders.ldap.group.search`.
- `identityProviders.ldap.group` is now optional in `AuthServer.spec`.
- `app_config.gitProviders.active` in `tap-values.yaml` was added to deactivate optional Git repository creation in the VS Code extension during project creation.
- `types`, which allows 1-N repeating sets of options in an accelerator's form during project creation.
- `generate-from-local` command to the Application Accelerator plug-in for the Tanzu CLI to generate projects from local assets without needing to commit code.
- `fragment create` now supports `--local-path` and `--source-image`.
- `fragment update` now supports `--source-image`.
- `HTTP Requests` and `Request Mappings` for Steeltoe workloads.
- `appliveview_connnector.backend.sslDeactivated` to deprecate `appliveview_connnector.backend.sslDisabled`.
- `--update-strategy` flag to allow you to change `tanzu apps workload apply` behavior when contents from a file are applied. See the How-to guides section for use and examples.
- `--file` flag.
- `tanzu apps workload get` command. Example output is found in the tanzu apps workload get command description.
- `-a` for `--app`, `-e` for `--env`, `-i` for `--image`, `-l` for `label`, `-p` for `--param`, and `-t` for `--type`. For more information, see Tanzu apps workload apply flags list.
- `tanzu apps workload create/apply/delete` commands.
- `--no-color` flag is set.
- `tanzu apps workload get` command's overview section.
- `--no-color` flag is passed.
- `cert-manager.tap.tanzu.vmware.com` can optionally install self-signed `ClusterIssuer`s.
- `ClassClaim` API that allows claims for service instances to be created by referring to a `ClusterInstanceClass`. For more information, see When to use ClassClaim vs ResourceClaim and Introducing different service implementations in different environments.
- `tanzu services class-claims` CLI plug-in command.
- `spec.source.git.url` is added to the Overview section of the Source Provider stage in the supply chain.
- `Show Unique CVEs` filter so that the scan results show one CVE per ID as opposed to each CVE per package. This allows better alignment between the data in the Supply Chain Choreographer plug-in and the Security Analysis plug-in.
- `tap-values.yml` for both Grype and Snyk scanners.
- `apply` and `delete` actions were added to IntelliJ.
- `workload.yaml` and `catalog-info.yaml` files were added to IntelliJ.
- See code updates running on-cluster in seconds: By using Live Update facilitated by Tilt, deploy your workload once, save changes to the code, and then in seconds see those changes reflected in the workload running on the cluster. All Live Update output is filtered to its own output pane window within Visual Studio.
- Debug workloads directly on the cluster: Debug your application in a production-like environment by debugging on your Kubernetes cluster that has Tanzu Application Platform. An environment's similarity to production relies on keeping dependencies updated, among other variables.
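The AppSSO changes in this release (`AuthServer.spec.tls.deactivated` deprecating `tls.disabled`, `tokenSignatures` becoming required, `ldap.group` becoming optional with its interpretation decided by whether `ldap.group.search` is present) are worth checking in every AuthServer manifest before upgrading. The pre-upgrade lint below is an added example written for this page, not code from Tanzu Application Platform or AppSSO; it assumes `spec.identityProviders` is a list of named provider entries and runs against a constructed sample manifest.

```python
# Added example (editor's code, not from Tanzu Application Platform or AppSSO).
# Checks an AuthServer manifest, parsed into a dict as yaml.safe_load returns it,
# against the v1.4 AuthServer changes in these release notes: spec.tls.deactivated
# deprecates spec.tls.disabled; spec.tokenSignatures is required; ldap.group is
# optional and, without ldap.group.search, means Active Directory style (groups
# from the user's memberOf) while with ldap.group.search it means classic LDAP
# (search in ldap.group.search.base); the flat ldap.group.search{Filter,Base,Depth,
# SubTree} keys were removed. Assumption (editor's): spec.identityProviders is a list.
from typing import Any

REMOVED_FLAT_KEYS = ("searchFilter", "searchBase", "searchDepth", "searchSubTree")

# Constructed sample manifest for the demonstration, not a real deployment.
SAMPLE_MANIFEST: dict[str, Any] = {
    "kind": "AuthServer",
    "metadata": {"name": "login"},
    "spec": {
        "tls": {"disabled": True},  # pre-1.4 key, deprecated in this release
        "identityProviders": [
            {"name": "corp-ad", "ldap": {"url": "ldaps://ad.example.test", "group": {}}},
            {"name": "corp-ldap-old", "ldap": {
                "url": "ldaps://ldap.example.test",
                "group": {"searchFilter": "member={0}", "searchBase": "ou=groups,dc=example,dc=test"}}},
            {"name": "corp-ldap-new", "ldap": {
                "url": "ldaps://ldap.example.test",
                "group": {"search": {"base": "ou=groups,dc=example,dc=test"}}}},
        ],
    },
}


def group_mode(ldap: dict[str, Any]) -> str:
    """How v1.4 interprets one LDAP provider's group configuration."""
    group = ldap.get("group")
    if group is None:
        return "no-groups"         # ldap.group is optional as of v1.4
    if "search" not in group:
        return "active-directory"  # groups come from the user's memberOf attribute
    return "classic"               # groups are found by searching ldap.group.search.base


def lint_authserver(manifest: dict[str, Any]) -> list[str]:
    """Return findings a platform team should resolve before upgrading to v1.4."""
    findings: list[str] = []
    spec = manifest.get("spec", {})
    if "disabled" in spec.get("tls", {}):
        findings.append("spec.tls.disabled is deprecated; use spec.tls.deactivated")
    if "tokenSignatures" not in spec:
        findings.append("spec.tokenSignatures is now required")
    for idp in spec.get("identityProviders", []):
        ldap = idp.get("ldap")
        if not ldap:
            continue  # OIDC and SAML providers are not affected by these changes
        name, group = idp.get("name", "<unnamed>"), ldap.get("group") or {}
        flat = [k for k in REMOVED_FLAT_KEYS if k in group]
        if flat:
            # Old flat keys are ignored and a bare ldap.group now means AD style.
            findings.append(f"{name}: ldap.group.{'/'.join(flat)} removed; "
                            "move these values under ldap.group.search")
        mode = group_mode(ldap)
        if mode == "classic" and not (group.get("search") or {}).get("base"):
            findings.append(f"{name}: ldap.group.search set without a base")
        findings.append(f"{name}: group lookup mode is {mode}")
    return findings
```

The `corp-ldap-old` provider is the case to watch: its old flat search keys are no longer read, so after the upgrade it is treated as Active Directory style and silently switches from a group search to the `memberOf` attribute.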
This release has the following breaking changes, listed by area and component.
- `AuthServer.spec.identityProvider.ldap.group.search{Filter,Base,Depth,SubTree}` and introduced `ldap.group.search: {}`.
  - If `ldap.group` is defined and `ldap.group.search` is not defined, the LDAP is considered an Active Directory style LDAP and groups are loaded from the user's `memberOf` attribute.
  - If `ldap.group` and `ldap.group.search` are both defined, the LDAP is considered a classic LDAP and group search is done by searching in the `ldap.group.search.base`.
- `AuthServer.spec.identityProviders.ldap.server` field.
- `AuthServer.status.deployments.authServer.lastParentGenerationWithRestart` field.
- `AuthServer.spec.issuerURI`. For more information, see IssuerURI and TLS.
- `<workload-name>` to `<workload-name>-deliverable`. Any automation that depends on obtaining the Deliverable content by the former name must be updated with the new name. For more information, see Multicluster Tanzu Application Platform overview.
- `ClusterImagePolicy`. To continue to use keyless authorities, provide the value `policy.tuf_enabled: true` by using the `tap-values.yaml` file while upgrading. By default, the public Sigstore The Update Framework (TUF) server is used. To target an alternative Sigstore stack, specify `policy.tuf_mirror` and `policy.tuf_root`.
- Ingress URL: As mentioned in the new features section, Tanzu Application Platform GUI participates in the shared ingress issuer feature. You might need to change your scheme from http to https. For more information, see Troubleshooting.
- Communication with Supply Chain Security Tools - Store: In previous versions of Tanzu Application Platform, you configured Tanzu Application Platform GUI to use the read-only access token to communicate with Supply
  In v1.4, you must use the read-write access token to use new features in the Security Analysis GUI plug-in. If upgrading from v1.3, update your Tanzu Application Platform GUI configuration accordingly. See the updated instructions in Enable CVE scan results.
- `Tanzu Debug` no longer port forwards the application port (8080).
This release has the following security fixes, listed by area and component.
- `net/http` and `os` packages.
- `python` is updated to `3.7.5-22.ph3`.
The following is a list of vulnerabilities remediated with this release:
CVE-2022-4378 is a high severity, exploitable stack overflow flaw found in the Linux kernel’s SYSCTL subsystem. At this time, there is no available patch from Canonical in their upstream Ubuntu distribution. Once there is a patch available for the 22.04 release line, Tanzu Application Platform will release a patched base stack image. The current status for patching this vulnerability in the Jammy stack is available on Ubuntu’s security page.
It is important for customers to understand CVE-2022-4378 is a kernel exploit, and the kernel runs on the customers’ container host VM, not the Tanzu Application Platform container image. Even with a patched image, the vulnerability will not be mitigated until customers deploy their containers on a host with a patched OS. An unpatched host OS may be exploitable if the base image is deployed allowing users to modify SYSCTL parameters.
Red Hat has published a potential mitigation that prevents regular users from accessing sysctl files and escalating privileges until a patch becomes available.
The following issues, listed by area and component, are resolved in this release.
- `API Descriptor`. This triggers reconciliation into the Tanzu Application Platform GUI catalog. This synchronization period or frequency is configurable through the new value `sync_period`. The default value is 5 minutes.
- `AuthServer` configured with a single OIDC or SAML identity provider.
- `AuthServer` no longer attempts to configure Redis event listeners.
- `SecurityContextConstraint` resource is created for Kubernetes platform versions 1.23.x and lower.
- Fixed deliverable content written into ConfigMaps in multicluster setups. The ConfigMap is renamed to avoid a conflict with `config-template`. For more information, see Multicluster Tanzu Application Platform overview.
- `tanzu apps workload tail` command output, which was displaying extra init container log lines.
- `tanzu apps workload tail` command not including all logs.
- `Immediate entity provider back-end plug-in`
- `5Mb` to accept larger API specifications.
- `409 Conflict` error is returned.
- `Unable to retrieve details from Image Provider Stage` when the Builder is not available or configured. It now correctly shows the same error as the CLI, `Builder default is not ready`.
This release has the following known issues, listed by area and component.
- `certificateNotReady` if workload name, namespace, and domain are more than 64 bytes. See Cloud Native Runtimes Troubleshooting.
- Scanning Java source code that uses the Gradle package manager might not reveal vulnerabilities:
  For most languages, source code scanning only scans files present in the source code repository. Except for the support added for Java projects using Maven, no network calls fetch dependencies. For languages using dependency lock files, such as Go and Node.js, Grype uses the lock files to check dependencies for vulnerabilities.
  For Java using Gradle, dependency lock files are not guaranteed, so Grype uses the dependencies present in the built binaries, such as `.jar` or `.war` files.
  Because VMware discourages committing binaries to source code repositories, Grype fails to find vulnerabilities during a source scan. The vulnerabilities are still found during the image scan after the binaries are built and packaged as images.
- Scanning some Alpine-based container images fails with a panic:
  An issue in Syft causes the scanner to crash with `index out of range` while parsing APK metadata to identify installed OS packages, if a package's list of provided files is empty. This problem is resolved in SCST - Scan (Grype) version 1.4.1 or in Tanzu Application Platform version 1.5.0+.
- `grype` package values, will cause the `provisioner` Carvel app to crash due to ownership issues. This is because it is trying to install Grype in a namespace where it has already been installed.
- In a Build profile cluster, Deliverables are created without the labels that associate them with their Workload. As a workaround, the labels must be injected manually. For more information, see Multicluster Tanzu Application Platform overview.
- `Generation` field and scan policy link in the Overview section do not update when you amend a scan policy. The correct version and details of the policy are shown in the CLI.
- `Source Tester` stage in an Out of the Box supply chain does not show details in the Stage Details section.
- If a workload is deployed onto a namespace by using Live Update, you must set that namespace as the namespace of the current context of your kubeconfig file. Otherwise, if you run Tanzu Debug, it causes the workload to re-deploy. For more information, see Troubleshooting.
- On macOS, Tanzu Panel might be empty when using a GKE cluster. For more information, see Troubleshooting.
- The Describe action in the pop-up menu in the Activity panel can fail when used on PodIntent resources. For more information, see Troubleshooting.
- The Tanzu panel might show workloads without showing Kubernetes resources in the center panel of the activity pane. For more information, see Troubleshooting.
- The Details table and Messages pane in the activity panel can show stale data because these views only refresh when the selection in the Resource tree is changed. As a workaround, make the views refresh by clicking somewhere in the Resource tree to change the current selection.
- Live Update does not work when using the Jammy `ClusterBuilder`.
- The `Tanzu: Delete Workload` command can fail with the extension erroneously reporting that the workload isn't running. For more information, see Troubleshooting.
- The `Tanzu: Start Live Update` command can fail because the specified path was not found. For more information, see Troubleshooting.
- Live Update does not work when using the Jammy `ClusterBuilder`.
- `Could not find the task 'tanzuManagement: Kill Port Forward fortune-service'`. You might see this error message if an app was deployed with a previous version of the Visual Studio Code extension. For more information, see Troubleshooting.
The following features, listed by component, are deprecated. Deprecated features remain on this list until they are retired from Tanzu Application Platform.
- `appliveview_connnector.backend.sslDisabled` is deprecated and marked for removal in Tanzu Application Platform 1.7.0. For more information on the migration, see Deprecate the sslDisabled key.
- `AuthServer.spec.tls.disabled` is deprecated and marked for removal in the next release. For more information about how to migrate to `AuthServer.spec.tls.deactivated`, see Migration guides.
- `tanzu services claims` CLI plug-in command is now deprecated. It is hidden from help text output, but continues to work until officially removed after the deprecation period. The new `tanzu services resource-claims` command provides the same functionality.
- `docker` field and related sub-fields used in Supply Chain Security Tools - Scan are deprecated and marked for removal in Tanzu Application Platform 1.7.0.
- `--update-strategy` flag will change from `merge` to `replace` in Tanzu Application Platform v1.7.0.
- `tanzu apps workload update` command is deprecated and marked for removal in Tanzu Application Platform 1.5.0. Use `tanzu apps workload apply` instead.
Kernel-level vulnerabilities are regularly identified and patched by Canonical. Tanzu Application Platform releases with the available images, which might contain known vulnerabilities. When Canonical makes patched images available, Tanzu Application Platform incorporates these fixed images into future releases.
The kernel runs on your container host VM, not the Tanzu Application Platform container image. Even with a patched Tanzu Application Platform image, the vulnerability is not mitigated until you deploy your containers on a host with a patched OS. An unpatched host OS might be exploitable if the base image is deployed.