Tanzu Application Platform release notes

This topic contains release notes for Tanzu Application Platform v1.6.

v1.6.13

Release Date: 02 July 2024

v1.6.13 Breaking changes

This release includes the following changes, listed by component and area.

v1.6.13 Breaking changes: Tanzu Application Platform

  • Tanzu Application Platform releases have migrated from VMware Tanzu Network to the Broadcom Support Portal and Broadcom registry. Using VMware Tanzu Network to install or upgrade Tanzu Application Platform is no longer supported.

    Before you upgrade, you must relocate the Tanzu Application Platform images from the Broadcom registry tanzu.packages.broadcom.com to your own registry. Make sure you relocate the images to your container image registry as part of the instructions in Upgrade Tanzu Application Platform.


v1.6.13 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
cert-manager.tanzu.vmware.com
Expand to see the list
ootb-templates.tanzu.vmware.com
Expand to see the list

v1.6.13 Known issues

This release has the following known issues, listed by component and area.

v1.6.13 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.13 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.13 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.13 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

v1.6.13 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.13 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.13 Known issues: Learning Center

v1.6.13 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.13 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.13 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk Github repository.

v1.6.13 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.13 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.13 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.13 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.13 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.13 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.13 Component versions

The following table lists the Tanzu Application Platform package versions included with this release.

Component Name Version
API Auto Registration 0.3.5
API portal 1.4.7
Application Accelerator 1.6.6
Application Configuration Service 2.1.4
Application Live View APIServer 1.6.3
Application Live View back end 1.6.4
Application Live View connector 1.6.4
Application Live View conventions 1.6.3
Application Single Sign-On 4.0.7
Artifact Metadata Repository Observer (alpha) 0.1.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.5
Cartographer Conventions 0.7.5
cert-manager 2.4.8
Cloud Native Runtimes 2.3.14
Contour 2.0.0
Crossplane 0.2.2
Default Roles 1.1.0
Developer Conventions 0.11.2
Eventing (deprecated) 2.2.10
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.21
Out of the Box Supply Chain - Basic 0.13.21
Out of the Box Supply Chain - Testing 0.13.21
Out of the Box Supply Chain - Testing and Scanning 0.13.21
Out of the Box Templates 0.13.21
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.4
Spring Boot conventions 1.6.3
Spring Cloud Gateway 2.0.12
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.14
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.18
Tanzu CLI 1.3.0
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.8
Tanzu Developer Portal Configurator (beta) 0.1.2
Tekton Pipelines 0.41.0+tap.9

v1.6.12

Release Date: 11 June 2024

v1.6.12 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
cert-manager.tanzu.vmware.com
Expand to see the list
ootb-templates.tanzu.vmware.com
Expand to see the list

v1.6.12 Known issues

This release has the following known issues, listed by component and area.

v1.6.12 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.12 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.12 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.12 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

v1.6.12 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.12 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.12 Known issues: Learning Center

v1.6.12 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.12 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.12 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk Github repository.

v1.6.12 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.12 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.12 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.12 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.12 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.12 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.12 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.5
API portal 1.4.7
Application Accelerator 1.6.6
Application Configuration Service 2.1.4
Application Live View APIServer 1.6.3
Application Live View back end 1.6.4
Application Live View connector 1.6.4
Application Live View conventions 1.6.3
Application Single Sign-On 4.0.7
Artifact Metadata Repository Observer (alpha) 0.1.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.5
Cartographer Conventions 0.7.5
cert-manager 2.4.8
Cloud Native Runtimes 2.3.14
Contour 2.0.0
Crossplane 0.2.2
Default Roles 1.1.0
Developer Conventions 0.11.2
Eventing (deprecated) 2.2.10
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.21
Out of the Box Supply Chain - Basic 0.13.21
Out of the Box Supply Chain - Testing 0.13.21
Out of the Box Supply Chain - Testing and Scanning 0.13.21
Out of the Box Templates 0.13.21
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.4
Spring Boot conventions 1.6.3
Spring Cloud Gateway 2.0.12
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.13
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.18
Tanzu CLI 1.3.0
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.8
Tanzu Developer Portal Configurator (beta) 0.1.2
Tekton Pipelines 0.41.0+tap.9

v1.6.11

Release Date: 07 May 2024

v1.6.11 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
cert-manager.tanzu.vmware.com
Expand to see the list
metadata-store.apps.tanzu.vmware.com
Expand to see the list
sso.apps.tanzu.vmware.com
Expand to see the list

v1.6.11 Known issues

This release has the following known issues, listed by component and area.

v1.6.11 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.11 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.11 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.11 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

v1.6.11 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.11 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.11 Known issues: Learning Center

v1.6.11 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.11 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.11 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk Github repository.

v1.6.11 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.11 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.11 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.11 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.11 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.11 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.11 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.5
API portal 1.4.7
Application Accelerator 1.6.6
Application Configuration Service 2.1.4
Application Live View APIServer 1.6.3
Application Live View back end 1.6.4
Application Live View connector 1.6.4
Application Live View conventions 1.6.3
Application Single Sign-On 4.0.7
Artifact Metadata Repository Observer (alpha) 0.1.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.5
Cartographer Conventions 0.7.5
cert-manager 2.4.5
Cloud Native Runtimes 2.3.14
Contour 2.0.0
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.2
Eventing (deprecated) 2.2.10
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.18
Out of the Box Supply Chain - Basic 0.13.18
Out of the Box Supply Chain - Testing 0.13.18
Out of the Box Supply Chain - Testing and Scanning 0.13.18
Out of the Box Templates 0.13.18
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.4
Spring Boot conventions 1.6.3
Spring Cloud Gateway 2.0.12
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.13
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.18
Tanzu CLI 1.3.0
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.8
Tanzu Developer Portal Configurator (beta) 0.1.2
Tekton Pipelines 0.41.0+tap.9

v1.6.10

Release Date: 09 April 2024

v1.6.10 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
apiserver.appliveview.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
connector.appliveview.tanzu.vmware.com
Expand to see the list
controller.source.apps.tanzu.vmware.com
Expand to see the list
conventions.appliveview.tanzu.vmware.com
Expand to see the list
sso.apps.tanzu.vmware.com
Expand to see the list

v1.6.10 Known issues

This release has the following known issues, listed by component and area.

v1.6.10 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.10 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.10 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.10 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

v1.6.10 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.10 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.10 Known issues: Learning Center

v1.6.10 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.10 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.10 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk Github repository.

v1.6.10 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.10 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.10 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.10 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.10 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.10 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.10 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.5
API portal 1.4.7
Application Accelerator 1.6.6
Application Configuration Service 2.1.4
Application Live View APIServer 1.6.3
Application Live View back end 1.6.4
Application Live View connector 1.6.4
Application Live View conventions 1.6.3
Application Single Sign-On 4.0.6
Artifact Metadata Repository Observer (alpha) 0.1.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.5
Cartographer Conventions 0.7.5
cert-manager 2.4.3
Cloud Native Runtimes 2.3.14
Contour 2.0.0
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.2
Eventing (deprecated) 2.2.10
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.18
Out of the Box Supply Chain - Basic 0.13.18
Out of the Box Supply Chain - Testing 0.13.18
Out of the Box Supply Chain - Testing and Scanning 0.13.18
Out of the Box Templates 0.13.18
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.4
Spring Boot conventions 1.6.3
Spring Cloud Gateway 2.0.12
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.9
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.18
Tanzu CLI 1.1.0
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.8
Tanzu Developer Portal Configurator (beta) 0.1.2
Tekton Pipelines 0.41.0+tap.9

v1.6.9

Release Date: 12 March 2024

v1.6.9 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
amr-observer.apps.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
controller.source.apps.tanzu.vmware.com
Expand to see the list
metadata-store.apps.tanzu.vmware.com
Expand to see the list
ootb-templates.tanzu.vmware.com
Expand to see the list
spring-cloud-gateway.tanzu.vmware.com
Expand to see the list
sso.apps.tanzu.vmware.com
Expand to see the list
tekton.tanzu.vmware.com
Expand to see the list

v1.6.9 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.6.9 Resolved issues: Cloud Native Runtimes

  • Resolved the issue where web workloads created with Tanzu Application Platform v1.6.3 and earlier failed to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable.

v1.6.9 Known issues

This release has the following known issues, listed by component and area.

v1.6.9 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.9 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.9 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.9 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

v1.6.9 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.9 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.9 Known issues: Learning Center

v1.6.9 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.9 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.9 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk Github repository.

v1.6.9 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.9 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.9 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.9 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.9 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.9 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.9 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.5
API portal 1.4.7
Application Accelerator 1.6.5
Application Configuration Service 2.1.4
Application Live View APIServer 1.6.2
Application Live View back end 1.6.2
Application Live View connector 1.6.2
Application Live View conventions 1.6.2
Application Single Sign-On 4.0.5
Artifact Metadata Repository Observer (alpha) 0.1.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.5
Cartographer Conventions 0.7.5
cert-manager 2.4.3
Cloud Native Runtimes 2.3.14
Contour 2.0.0
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.2
Eventing (deprecated) 2.2.10
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.18
Out of the Box Supply Chain - Basic 0.13.18
Out of the Box Supply Chain - Testing 0.13.18
Out of the Box Supply Chain - Testing and Scanning 0.13.18
Out of the Box Templates 0.13.18
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.4
Spring Boot conventions 1.6.2
Spring Cloud Gateway 2.0.12
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.9
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.18
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.8
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu CLI 1.2.0
Tekton Pipelines 0.41.0+tap.9

v1.6.8

Release Date: 13 February 2024

v1.6.8 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
accelerator.apps.tanzu.vmware.com
Expand to see the list
application-configuration-service.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
carbonblack.scanning.apps.tanzu.vmware.com
Expand to see the list
cert-manager.tanzu.vmware.com
Expand to see the list
metadata-store.apps.tanzu.vmware.com
Expand to see the list
sso.apps.tanzu.vmware.com
Expand to see the list
tap-gui.tanzu.vmware.com
Expand to see the list

v1.6.8 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.6.8 Resolved issues: Application Single Sign-On

  • When requesting an access_token by using the the Authorization Code flow, scopes in the token are filtered based on user roles. In this version, the scope parameter of the access token response is also filtered, with the same rules. For more information, see the OAuth documentation.

v1.6.8 Resolved issues: Contour

  • Ships with Contour v1.24.6.
  • Supports upgrades to Tanzu Application Platform v1.6.8 without downtime when transitioning from DaemonSet to Deployments.

    Note

    Downtime-free upgrades require more than one node in the cluster.


v1.6.8 Known issues

This release has the following known issues, listed by component and area.

v1.6.8 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.8 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.8 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.8 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

  • Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.6.8 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.8 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.8 Known issues: Learning Center

v1.6.8 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.8 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.8 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk Github repository.

v1.6.8 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.8 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.8 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.8 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.8 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.8 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.8 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.5
API portal 1.4.7
Application Accelerator 1.6.5
Application Configuration Service 2.1.4
Application Live View API Server 1.6.2
Application Live View Backend 1.6.2
Application Live View Connector 1.6.2
Application Live View Conventions 1.6.2
Application Single Sign-On 4.0.4
Artifact Metadata Repository Observer (alpha) 0.1.1-alpha.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.5
Cartographer Conventions 0.7.5
cert-manager 2.4.3
Cloud Native Runtimes 2.3.14
Contour 2.0.0
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.2
Eventing (deprecated) 2.2.10
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.15
Out of the Box Supply Chain - Basic 0.13.15
Out of the Box Supply Chain - Testing 0.13.15
Out of the Box Supply Chain - Testing and Scanning 0.13.15
Out of the Box Templates 0.13.15
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.3
Spring Boot conventions 1.6.2
Spring Cloud Gateway 2.0.10
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.8
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.8
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.17
Tanzu CLI 1.1.0
Tekton Pipelines 0.41.0+tap.8

v1.6.7

Release Date: 09 January 2024

v1.6.7 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
api-portal.tanzu.vmware.com
Expand to see the list
application-configuration-service.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
cnrs.tanzu.vmware.com
Expand to see the list
developer-conventions.tanzu.vmware.com
Expand to see the list
metadata-store.apps.tanzu.vmware.com
Expand to see the list
spring-cloud-gateway.tanzu.vmware.com
Expand to see the list
sso.apps.tanzu.vmware.com
Expand to see the list

v1.6.7 Known issues

This release has the following known issues, listed by component and area.

v1.6.7 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.7 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.7 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.7 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

  • Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.6.7 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.7 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.7 Known issues: Learning Center

v1.6.7 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.7 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.7 Known issues: Supply Chain Security Tools - Scan

  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk Github repository.

v1.6.7 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.7 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.7 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.7 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.7 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.7 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.7 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.5
API portal 1.4.6
Application Accelerator 1.6.2
Application Configuration Service 2.1.3
Application Live View API Server 1.6.2
Application Live View Backend 1.6.2
Application Live View Connector 1.6.2
Application Live View Conventions 1.6.2
Application Single Sign-On 4.0.2
Artifact Metadata Repository Observer (alpha) 0.1.1-alpha.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.2-beta.1
Cartographer Conventions 0.7.5
cert-manager 2.4.2
Cloud Native Runtimes 2.3.6
Contour 1.24.6
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.2
Eventing (deprecated) 2.2.10
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.11
Out of the Box Supply Chain - Basic 0.13.11
Out of the Box Supply Chain - Testing 0.13.11
Out of the Box Supply Chain - Testing and Scanning 0.13.11
Out of the Box Templates 0.13.11
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.3
Spring Boot conventions 1.6.2
Spring Cloud Gateway 2.0.10
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.6
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.6
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.16
Tanzu CLI 1.1.0
Tekton Pipelines 0.41.0+tap.8

v1.6.6

Release Date: 12 December 2023

v1.6.6 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
api-portal.tanzu.vmware.com
Expand to see the list
apis.apps.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
buildservice.tanzu.vmware.com
Expand to see the list
cert-manager.tanzu.vmware.com
Expand to see the list
cnrs.tanzu.vmware.com
Expand to see the list
eventing.tanzu.vmware.com
Expand to see the list
spring-cloud-gateway.tanzu.vmware.com
Expand to see the list
tap-gui.tanzu.vmware.com
Expand to see the list

v1.6.6 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.6.6 Resolved issues: cert-manager

  • Resolved the known vulnerability with ACME HTTP01 in Tanzu Application Platform.

v1.6.6 Known issues

This release has the following known issues, listed by component and area.

v1.6.6 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.6 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.6 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.6 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

  • Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.6.6 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.6 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.6 Known issues: Learning Center

v1.6.6 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.6 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.6 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.6 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.6 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.6 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.6 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.6 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.6 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.5
API portal 1.4.5
Application Accelerator 1.6.2
Application Configuration Service 2.1.2
Application Live View API Server 1.6.2
Application Live View Backend 1.6.2
Application Live View Connector 1.6.2
Application Live View Conventions 1.6.2
Application Single Sign-On 4.0.1
Artifact Metadata Repository Observer (alpha) 0.1.1-alpha.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.2-beta.1
Cartographer Conventions 0.7.5
cert-manager 2.4.2
Cloud Native Runtimes 2.3.5
Contour 1.24.6
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.0
Eventing (deprecated) 2.2.10
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.11
Out of the Box Supply Chain - Basic 0.13.11
Out of the Box Supply Chain - Testing 0.13.11
Out of the Box Supply Chain - Testing and Scanning 0.13.11
Out of the Box Templates 0.13.11
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.3
Spring Boot conventions 1.6.2
Spring Cloud Gateway 2.0.9
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.5
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.6
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.16
Tanzu CLI 1.1.0
Tekton Pipelines 0.41.0+tap.8

v1.6.5

Release Date: 14 November 2023

v1.6.5 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
api-portal.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
cnrs.tanzu.vmware.com
Expand to see the list
contour.tanzu.vmware.com
Expand to see the list

v1.6.5 Resolved issues

This release has the following resolved issues, listed by component and area.

v1.6.5 Resolved issues: Local Source Proxy

  • When installing Local Source Proxy outside of a Tanzu Application Platform profile, there is no longer failure at the OpenShift distribution stage.

v1.6.5 Known issues

This release has the following known issues, listed by component and area.

v1.6.5 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.5 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.5 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.5 Known issues: cert-manager

  • There is a known vulnerability with ACME HTTP01 in Tanzu Application Platform v1.6.5. Although the likelihood of exploitation of the cert-manager’s ACME HTTP01 solver Pod is minimal, if your organization heavily relies on ACME HTTP01 challenges and deems it too risky to retry certificate issuance, consider using DNS01 until VMware provides a technical solution in the future patch release.

v1.6.5 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

  • Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.6.5 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.5 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.5 Known issues: Learning Center

v1.6.5 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.5 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.5 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.5 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.5 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.5 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.5 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.5 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.5 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.4
API portal 1.4.4
Application Accelerator 1.6.2
Application Configuration Service 2.1.2
Application Live View API Server 1.6.2
Application Live View Backend 1.6.2
Application Live View Connector 1.6.2
Application Live View Conventions 1.6.2
Application Single Sign-On 4.0.1
Artifact Metadata Repository Observer (alpha) 0.1.1-alpha.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.2-beta.1
Cartographer Conventions 0.7.5
cert-manager 2.3.1
Cloud Native Runtimes 2.3.4
Contour 1.24.6
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.0
Eventing (deprecated) 2.2.6
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.1
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.11
Out of the Box Supply Chain - Basic 0.13.11
Out of the Box Supply Chain - Testing 0.13.11
Out of the Box Supply Chain - Testing and Scanning 0.13.11
Out of the Box Templates 0.13.11
Service Bindings 0.9.4
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.3
Spring Boot conventions 1.6.2
Spring Cloud Gateway 2.0.8
Supply Chain Choreographer 0.7.5
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.3
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.5
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.14
Tanzu CLI 1.0.0
Tekton Pipelines 0.41.0+tap.8

v1.6.4

Release Date: 10 October 2023

v1.6.4 Breaking changes

This release has the following breaking changes, listed by component and area.

v1.6.4 Breaking changes: Services Toolkit

  • Services Toolkit forces explicit cluster-wide permissions to claim from a ClusterInstanceClass. You must now grant the permission to claim from a ClusterInstanceClass by using a ClusterRole and ClusterRoleBinding. For more information, see The claim verb for ClusterInstanceClass.

v1.6.4 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
accelerator.apps.tanzu.vmware.com
Expand to see the list
api-portal.tanzu.vmware.com
Expand to see the list
apis.apps.tanzu.vmware.com
Expand to see the list
application-configuration-service.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
learningcenter.tanzu.vmware.com
Expand to see the list
ootb-templates.tanzu.vmware.com
Expand to see the list
policy.apps.tanzu.vmware.com
Expand to see the list
spring-cloud-gateway.tanzu.vmware.com
Expand to see the list
tap-gui.tanzu.vmware.com
Expand to see the list
tekton.tanzu.vmware.com
Expand to see the list

v1.6.4 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.6.4 Resolved issues: Application Configuration Service

  • Resolves an issue which caused client applications that include the spring-cloud-config-client dependency to fail to start or properly load the configuration that Application Configuration Service produced. The fix is adding the property spring.cloud.config.enabled=false in secret resources that Application Configuration Service produced.

  • Resolves some installation failure scenarios by setting the pod security context to adhere to the restricted pod security standard.


v1.6.4 Known issues

This release has the following known issues, listed by component and area.

v1.6.4 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.4 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.4 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.4 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

  • Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.6.4 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.4 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.4 Known issues: Learning Center

v1.6.4 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.4 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.4 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.4 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.4 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.4 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.4 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.4 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.4 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.4
API portal 1.4.2
Application Accelerator 1.6.2
Application Configuration Service 2.1.2
Application Live View API Server 1.6.2
Application Live View Backend 1.6.2
Application Live View Connector 1.6.2
Application Live View Conventions 1.6.2
Application Single Sign-On 4.0.1
Artifact Metadata Repository Observer (alpha) 0.1.1-alpha.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.2-beta.1
Cartographer Conventions 0.7.4
cert-manager 2.3.1
Cloud Native Runtimes 2.3.2
Contour 1.24.4
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.0
Eventing (deprecated) 2.2.4
External Secrets Operator 0.6.1
Flux CD Source Controller 0.36.1
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.0
Namespace Provisioner 0.4.1
Out of the Box Delivery - Basic 0.13.11
Out of the Box Supply Chain - Basic 0.13.11
Out of the Box Supply Chain - Testing 0.13.11
Out of the Box Supply Chain - Testing and Scanning 0.13.11
Out of the Box Templates 0.13.11
Service Bindings 0.9.1
Services Toolkit 0.11.1
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.3
Spring Boot conventions 1.6.2
Spring Cloud Gateway 2.0.8
Supply Chain Choreographer 0.7.4
Supply Chain Security Tools - Policy Controller 1.4.2
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.3
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.5
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu Application Platform Telemetry 0.6.2
Tanzu Build Service 1.11.13
Tanzu CLI 1.0.0
Tekton Pipelines 0.41.0+tap.8

v1.6.3

Release Date: 12 September 2023

v1.6.3 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
accelerator.apps.tanzu.vmware.com
Expand to see the list
application-configuration-service.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
buildservice.tanzu.vmware.com
Expand to see the list
carbonblack.scanning.apps.tanzu.vmware.com
Expand to see the list
eventing.tanzu.vmware.com
Expand to see the list
learningcenter.tanzu.vmware.com
Expand to see the list
ootb-templates.tanzu.vmware.com
Expand to see the list
workshops.learningcenter.tanzu.vmware.com
Expand to see the list

v1.6.3 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.6.3 Resolved issues: Application Configuration Service

  • GitRepository is now consistently observed beyond 15 minutes. The interval property for a ConfigurationSlice now continues to work as expected.

  • Error-logging is improved where a ConfigurationSlice references a non-existent ConfigurationSource. A ConfigurationSlice properly reconciles after the referenced ConfigurationSource is created.

v1.6.3 Resolved issues: Tanzu CLI and plugins

  • This release includes Tanzu CLI v1.2.0 and a set of installable plug-in groups that are versioned so that the CLI is compatible with every supported version of Tanzu Applicatin Platform. For more information, see Install Tanzu CLI.

v1.6.3 Known issues

This release has the following known issues, listed by component and area.

v1.6.3 Known issues: Tanzu Application Platform

  • This Tanzu Application Platform release is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu.

v1.6.3 Known issues: Application Configuration Service

  • Client applications that include the spring-cloud-config-client dependency might fail to start or properly load the configuration that Application Configuration Service produced.

  • Installation might fail because the pod security context does not perfectly adhere to the restricted pod security standard.

v1.6.3 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.3 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.3 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

v1.6.3 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.3 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.3 Known issues: Learning Center

v1.6.3 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.3 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.3 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.3 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.3 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.3 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.3 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.3 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.3 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.3
API portal 1.4.1
Application Accelerator 1.6.2
Application Configuration Service 2.1.1
Application Live View API Server 1.6.1
Application Live View Backend 1.6.1
Application Live View Connector 1.6.1
Application Live View Conventions 1.6.1
Application Single Sign-On 4.0.0
Artifact Metadata Repository Observer (alpha) 0.1.1-alpha.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.2-beta.1
Cartographer Conventions 0.7.3
cert-manager 2.3.1
Cloud Native Runtimes 2.3.1
Contour 1.24.4
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.0
Eventing (deprecated) 2.2.4
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.2
Learning Center workshops (deprecated) 0.3.1
Local Source Proxy 0.1.0
Namespace Provisioner 0.4.0
Out of the Box Delivery - Basic 0.13.9
Out of the Box Supply Chain - Basic 0.13.9
Out of the Box Supply Chain - Testing 0.13.9
Out of the Box Supply Chain - Testing and Scanning 0.13.9
Out of the Box Templates 0.13.9
Service Bindings 0.9.1
Services Toolkit 0.11.0
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.1
Spring Boot conventions 1.6.1
Spring Cloud Gateway 2.0.6
Supply Chain Choreographer 0.7.3
Supply Chain Security Tools - Policy Controller 1.4.0
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.3
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.5
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu Application Platform Telemetry 0.6.1
Tanzu Build Service 1.11.13
Tanzu CLI 1.0.0
Tekton Pipelines 0.41.0+tap.8

v1.6.2

Release Date: 15 August 2023

v1.6.2 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
accelerator.apps.tanzu.vmware.com
Expand to see the list
api-portal.tanzu.vmware.com
Expand to see the list
app-scanning.apps.tanzu.vmware.com
Expand to see the list
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
Expand to see the list
fluxcd.source.controller.tanzu.vmware.com
Expand to see the list
metadata-store.apps.tanzu.vmware.com
Expand to see the list
spring-cloud-gateway.tanzu.vmware.com
Expand to see the list
tap-gui.tanzu.vmware.com
Expand to see the list

v1.6.2 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.6.2 Resolved issues: Supply Chain Choreographer

  • Fixed an issue where if a user attempted to update the ootb_supply_chain_testing_scanning field in their tap-values.yaml file to use a specified ClusterImageTemplate, it did not update because the ClusterSupplyChain was already preset to image-scanner-template. You can now update the ootb_supply_chain_testing_scanning field in their tap-values.yaml to use a specified ClusterImageTemplate.

v1.6.2 Resolved issues: Tanzu Developer Portal - Supply Chain GUI plug-in

v1.6.2 Resolved issues: Tanzu Developer Tools for VS Code

  • Fixed an issue that prevented Tanzu Debug from working on new untracked workloads on Windows.

v1.6.2 Known issues

This release has the following known issues, listed by component and area.

v1.6.2 Known issues: Application Configuration Service

  • Client applications that include the spring-cloud-config-client dependency might fail to start or properly load the configuration that Application Configuration Service produced.

  • Installation might fail because the pod security context does not perfectly adhere to the restricted pod security standard.

v1.6.2 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.2 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.2 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

v1.6.2 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.2 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.2 Known issues: Learning Center

v1.6.2 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.2 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.6.2 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.2 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.2 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the UI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.2 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.2 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.2 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

v1.6.2 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.3
API portal 1.4.1
Application Accelerator 1.6.2
Application Configuration Service 2.1.0
Application Live View APIServer 1.6.1
Application Live View back end 1.6.1
Application Live View connector 1.6.1
Application Live View conventions 1.6.1
Application Single Sign-On 4.0.0
Artifact Metadata Repository Observer (alpha) 0.1.1-alpha.2
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.1-beta.2
Cartographer Conventions 0.7.3
cert-manager 2.3.1
Cloud Native Runtimes 2.3.1
Contour 1.24.4
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.0
Eventing (deprecated) 2.2.3
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1+tanzu.1
Grype Scanner for SCST - Scan 1.6.140
Learning Center (deprecated) 0.3.1
Learning Center workshops (deprecated) 0.3.0
Local Source Proxy 0.1.0
Namespace Provisioner 0.4.0
Out of the Box Delivery - Basic 0.13.8
Out of the Box Supply Chain - Basic 0.13.8
Out of the Box Supply Chain - Testing 0.13.8
Out of the Box Supply Chain - Testing and Scanning 0.13.8
Out of the Box Templates 0.13.8
Service Bindings 0.9.1
Services Toolkit 0.11.0
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.156
Source Controller 0.8.0
Spring Boot conventions 1.6.1
Spring Cloud Gateway 2.0.6
Supply Chain Choreographer 0.7.3
Supply Chain Security Tools - Policy Controller 1.4.0
Supply Chain Security Tools - Scan 1.6.141
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.137
Supply Chain Security Tools - Store 1.6.3
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.5
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu Application Platform Telemetry 0.6.1
Tanzu Build Service 1.11.10
Tanzu CLI 0.90.1
Tanzu CLI Application Accelerator plug-in 1.6.0
Tanzu CLI Apps plug-in 0.12.1
Tanzu CLI Build Service plug-in 1.0.0
Tanzu CLI Insight plug-in 1.6.3
Tanzu Service CLI plug-in 0.7.0
Tekton Pipelines 0.41.0+tap.8

v1.6.1

Release Date: 27 July 2023

What’s new in Tanzu Application Platform v1.6

This release includes the following platform-wide enhancements.

New platform-wide features

  • New services available with the Bitnami Service package: MongoDB and Kafka.
  • Best practices required to build and deploy workloads at scale are now available in the documentation. For more information, see Scale workloads.

New components

  • Local Source Proxy offers developers a secure and user-friendly approach to seamlessly upload their local source code to a Tanzu Application Platform cluster. This enables developers to navigate their code smoothly through a predefined production pathway using supply chains.

    This component reduces the obstacles faced by developers who would otherwise need to manually specify a registry and provide their credentials on their local systems for iterative inner loop workflows.


v1.6.1 New features by component and area

This release includes the following changes, listed by component and area.

v1.6.1 Features: Application Accelerator

  • The Application Accelerator plug-in for IntelliJ has now reached general availability. The plug-in for IntelliJ now supports Git repository creation and custom type declarations for options, and embeds telemetry and bootstrapping provenance. For more information, see Application Accelerator IntelliJ Plug-in.

v1.6.1 Features: Application Live View

  • You can secure access, at the user level, to sensitive operations that can be executed on a running application using the actuator endpoints. For more information, see Authorize a user to execute sensitive operations.

  • Developers can view the live information of natively compiled Spring applications by using Application Live View for lightweight troubleshooting. The pages and metrics that are currently unavailable for natively compiled Spring applications include threads, heap dump, memory graphs, cache manager, conditions, schedules tasks, and actuator information. For more information, see Enable Spring Native apps for Application Live View.

v1.6.1 Features: Application Single Sign-On (AppSSO)

  • Incorporates the token expiry settings into the AuthServer resource. Service operators can customize the expiry settings of access, refresh, or identity tokens. For more information, see Token settings.

  • You can map custom user attributes or claims from upstream identity providers, such as OpenID, LDAP, and SAML. You can also configure the internal unsafe provider with custom claims. For more information, see Identity providers.

  • Adds ClusterUnsafeTestLogin, which is an unsafe, ready-to-claim Application Single Sign-On service offering that you can use to get started. It is not safe for production environments. For more information, see ClusterUnsafeTestLogin API.

  • Adds ClusterWorkloadRegistrationClass, which exposes an AuthServer as a ready-to-claim Application Single Sign-On service offering. For more information, see ClusterWorkloadRegistrationClass API.

  • Adds WorkloadRegistration, which is a portable client registration that templates redirect URIs. For more information, see WorkloadRegistration API.

  • Adds XWorkloadRegistration, which is a composite resource definition (XRD) and an integration API between Services Toolkit, Crossplane, and Application Single Sign-On. For more information, see XWorkloadRegistration API.

v1.6.1 Features: Bitnami Services

The bitnami.services.tanzu.vmware.com package v0.2.0 includes the following:

  • New services available: MongoDB and Kafka

v1.6.1 Features: Cloud Native Runtimes

  • Adds a new configuration option that configures default-external-scheme on Knative’s config-network ConfigMap with a default scheme you can use for Knative Service URLs. Supported values are either http or https. You cannot set this option at the same time as the default_tls_secret option.

v1.6.1 Features: Contour

  • Adds new parameters to specify contour and envoy resources requests and limits for CPU and memory. For more information, see Install Contour.

  • For more information about the new features in Contour v1.24.4, see the Contour release notes in GitHub.

v1.6.1 Features: Crossplane

The crossplane.tanzu.vmware.com package v0.2.1 includes the following:

  • Includes updates to the following software components:

    • Updates Universal Crossplane (UXP) to v1.12.1-up.1, which includes new Crossplane features such as ObserveOnly resources, Composition Validation, and Pluggable Secret Stores. For the full release notes, see universal-crossplane releases in GitHub.
    • Updates provider-helm to v0.15.0. For the full release notes, see provider-helm releases in GitHub.
    • Updates provider-kubernetes to v0.8.0. For the full release notes, see provider-kubernetes releases in GitHub.

    For more information about versions of software comprising the Crossplane package, See Version matrix for Crossplane.

  • The Crossplane package now more gracefully handles situations in which Crossplane is already installed to a cluster by using another method, for example, through Helm install. For more information, see Use your existing Crossplane installation.

  • Includes kapp wait rules that match on Healthy=True for the Providers. This means that package installation now waits for the Providers to become healthy before reporting success.

  • Adds support for installing Providers in environments that use custom CA certificates.

  • Adds the orphan_resources package value to allow you to configure whether to orphan all Crossplane Custom Resource Definitions (CRDs), providers, and managed resources when the package is uninstalled. This setting is optional. The default is true.

    Caution

    setting this value to false causes all Crossplane CRDs, providers, and managed resources to be deleted when the crossplane.tanzu.vmware.com package is uninstalled. This might also cause any existing service instances also being deleted. For more information, see Delete Crossplane resources when you uninstall Tanzu Application Platform.

v1.6.1 Features: Flux CD Source Controller

Flux Source Controller v0.36.1-build.2 release includes the following API changes:

  • GitRepository API:

    • spec.ref.name is the reference value for Git checkout. It takes precedence over Branch, Tag, and SemVer. It must be a valid Git reference.

      Examples:

      • "refs/heads/main"
      • "refs/tags/v0.1.0"
      • "refs/pull/420/head"
      • "refs/merge-requests/1/head"
    • status.artifact.digest represents the value of the file in the form of ALGORITHM:CHECKSUM.

    • status.observedIgnore represents the latest spec.ignore value. It indicates the ignore rules for building the current artifact in storage.
    • status.observedRecurseSubmodules represents the latest spec.recurseSubmodules value during the latest reconciliation.
    • status.observedInclude represents the list of GitRepository resources that produces the current artifact.
  • OCIRepository API:

    • spec.layerSelector specifies which layer is extracted from an OCI Artifact. This field is optional and set to extracting the first layer in the artifact by default.
    • spec.verify includes the secret name that holds the trusted public keys for signature verification. It also indicates the provider responsible for validating the authenticity of the OCI image.
    • spec.insecure enables connections to a non-TLS HTTP container image registry.
  • HelmChart API:

    • Adds the new field spec.verify, which includes the secret name that holds the trusted public keys for signature verification. It also indicates the provider responsible for validating the authenticity of the OCI image. This field is only supported when using the HelmRepository source with the spec.type OCI. Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
  • HelmRepository API:

    • Adds the new field spec.provider for authentication purposes. Supported values are aws, azure, gcp, or generic. generic is its default value. This field is only required when the .spec.type field is set to oci
  • Bucket API:

    • Adds the new field status.observedIgnore, which represents the latest spec.ignore value. It indicates the ignore rules for building the current artifact in storage.

v1.6.1 Features: Namespace Provisioner

  • Implements the capability to skip creating certain default resources for the Namespace Provisioner, providing greater flexibility for customization.

  • Enables you to deactivate the default installation of the Grype scanner by using default_parameters in the tap-values.yaml file or by using namespace parameters. For more information, see Deactivate Grype install.

  • Enhances support for adding secrets and imagePullSecrets to the service account used by the Supply Chain and Delivery components. You can do this by using either default_parameters or namespace-level parameters. For more information, see Customize service accounts.

  • Introduces the option to deactivate the creation of the LimitRange object in full, iterate, and run profile clusters. For more information, see Deactivate LimitRange Setup.

  • Adds support for passing lists or objects with annotations for complex namespace parameters. This simplifies the configuration process. For more information about how to use this feature, see Namespace parameters.

  • The path value in additional_sources is now automatically generated, eliminating the need for you to provide it manually. This simplifies the configuration of external sources.

v1.6.1 Features: Services Toolkit

The services-toolkit.tanzu.vmware.com package v0.11.0 includes the following:

  • Adds Kubernetes events to make debugging easier:

    • Normal events: CreatedCompositeResource, DeletedCompositeResource, ClaimableInstanceFound, NoClaimableInstancesFound
    • Warning events: ParametersValidationFailed, CompositeResourceDeletionFailed
  • Updates reconciler-runtime to v0.11.1.

The Tanzu Service CLI plug-in v0.7.0 includes the following:

  • The Tanzu Service CLI plug-in is now compiled using the new Tanzu CLI runtime (v0.90.0).
  • There are no new features or changes to existing commands.

v1.6.1 Features: Supply Chain Choreographer

v1.6.1 Features: Supply Chain Security Tools (SCST) - Scan

v1.6.1 Features: Supply Chain Security Tools (SCST) - Store

  • Adds a new report feature that links all packages, vulnerabilities, and ratings associated from a specific vulnerability scan SBOM to a Store report. When querying a report, it returns information linked to the original SBOM report instead of returning the aggregated data of all reports for the linked image or source.
    • Updates to the POST /api/v1/images and POST /api/v1/sources APIs:
      • New optional header request fields:
        • Report-UID: A unique identifier to assign to the report. If omitted, a unique identifier is randomly generated for the report. Supported characters: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), hyphen (-), period (.), underscore (_), and tilde (~).
        • Original-Location: The stored location of the original SBOM vulnerability scan result used to create this report.
      • New response field returned ReportUID, the report’s unique identifier associated with the data submitted by this image.
    • Updates to the POST /api/v1/artifact-groups API:
      • New ReportUID optional body payload field that links an existing report, tagged by its UID, to this artifact group.
    • New GET /api/v1/report/{ReportUID} API gets a specific report by its unique identifier.
    • New GET /api/v1/reports API queries for a list of reports with specified image digest, source SHA, or original location.
      Note

      When you request SPDX or CycloneDX format, the report date is set to the date of the original vulnerability scan SBOM. In addition, the tooling section includes the tool used to generate the original vulnerability scan report, if provided, and SCST - Store.

  • Artifact Metadata Repository Observer (alpha). For more information, see Artifact Metadata Repository overview

    • Registers the cluster’s location using user defined labels and the kube-system UID as the reference
    • Observes ImageVulnerabilityScan CustomResources from SCST - Scan 2.0 package
    • Observes workload ReplicaSets. These are ReplicaSets that have a container with the name workload, which are produced by the Out of the Box Supply Chains.
    • Sends CloudEvents for observed resources to the Artifact Metadata Repository CloudEvent Handler
  • Artifact Metadata Repository CloudEvent Handler (alpha). See Artifact Metadata Repository overview.

    • The name Artifact Metadata Repository Persister is deprecated in favor of Artifact Metadata Repository CloudEvent Handler.
    • Handles ImageVulnerabilityScan configured CloudEvents from the Artifact Metadata Repository Observer.
    • Handles Location configured CloudEvents from the Artifact Metadata Repository Observer.
    • Handles ReplicaSet configured CloudEvents from the Artifact Metadata Repository Observer.
  • Adds a new vulnerability triage feature allows you to store analysis data for vulnerabilities detected in their workloads. The vulnerability analysis data allows you to record the impact of a particular vulnerability, to discover an effective remediation plan.

    • New triage API supports the creating, updating, and searching vulnerability analysis. For more information, see v1triage.
    • New triage subcommands for the Tanzu CLI Insight plug-in enable interaction with the triage API. For more information, see Triage vulnerabilities.

v1.6.1 Features: Tanzu CLI

  • This Tanzu Application Platform release introduces the new Tanzu CLI v0.90.1.

    Important

    Newer versions of Tanzu CLI might be supported when they are released, for more information, see Product Interoperability Matrix. VMware strongly encourages you to upgrade to the latest Tanzu CLI version.

  • Backward compatibility with earlier versions of Tanzu CLI plug-ins is provided.

  • Install Tanzu CLI using a package manager. For more information, see Install the Tanzu CLI.

  • Install plug-ins from the new centralized plug-in repository using plug-in groups. For more information, see Install Tanzu CLI Plug-ins.

  • For Internet-restricted environments, plug-ins and plug-in groups can be migrated to, and installed from internal registries.

  • There is now central Tanzu CLI documentation where more detailed information about the CLI architecture, the centralized plug-in repository, plug-in groups, and Internet-restricted environments is available. For more information, see VMware Tanzu CLI documentation.

  • If you have any issues, questions, or suggestions, you can submit feedback, feature requests, or issue reports in the open-source Tanzu CLI project on GitHub.

v1.6.1 Features: Tanzu CLI plug-in distribution change

  • Tanzu CLI plug-ins are no longer distributed as part of the Tanzu Application Platform bundle on VMware Tanzu Network. The Tanzu CLI is still included in the bundle.

  • The plug-ins are now installed using Tanzu CLI commands. Manual download of the plug-in binaries to the local file system is no longer required.

  • For Internet-restricted environments, see Installing the Tanzu CLI in Internet-Restricted Environments.

v1.6.1 Features: Tanzu CLI Apps plug-in

  • The apps plug-in is integrated with Local Source Proxy for seamless iterative inner-loop development using the Tanzu CLI or IDE plug-ins.

  • The tanzu apps workload apply and tanzu apps workload create commands can now seamlessly create a workload from local source using only the --local-path flag.

  • The --source-image flag is now optional. If --source-image flag is used with --local-path, the local source proxy is not used and bypassed for backward compatibility.

  • A new command, tanzu apps lsp health is available. It allows you to verify the status of the Local Source Proxy. This command performs several checks, including:

    • Verifies whether the developer has Role-Based Access Control (RBAC) permissions to access the Local Source Proxy using their kubeconfig.
    • Checks if the Local Source Proxy is installed on the cluster.
    • Ensures that the Local Source Proxy deployment is healthy and accessible.
    • Verifies that the Local Source Proxy is correctly configured and can access the registry using the credentials set up by the operator during Tanzu Application Platform installation.
  • Auto-completion is available for workload types. Additionally, the default workload type is set to web, making the --type flag optional. The flag is only required if the type is something other than web.

  • The shorthand option -e is available as a convenient alternative for the --export flag.

  • The tanzu apps workload get command is enhanced to include Git revision information in the overview section. This provides a quick reference to the Git revision associated with the workload.

v1.6.1 Features: Tanzu CLI Build Service plug-in

  • Adds a new Build Service plug-in that allows you to view all Tanzu Build Service resources on any Kubernetes cluster that has Tanzu Application Platform or Tanzu Build Service installed. For more information, see Build Service CLI plug-in overview.

v1.6.1 Features: Tanzu CLI Insight plug-in

  • Triage vulnerabilities with the tanzu insight triage command. For more information, see Triage vulnerabilities.

v1.6.1 Features: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • Download the Software Bill of Materials (SBOM) from the Supply Chain Cartographer (SCC) plug-in. Obtain the SCST - Store-generated SBOM in SPDX or CycloneDX formats.

  • The component is renamed as Tanzu Developer Portal to reflect that it’s more than just a graphical user interface (GUI) for Tanzu Application Platform.

  • As of this release, the tool Configurator is available in beta. Configurator enables the integration of Backstage-compatible plug-ins in Tanzu Developer Portal. For more information, see Tanzu Developer Portal Configurator.

  • Permission framework is released in alpha. Permission framework enables the Platform Operator to evaluate visibility restriction of the software catalog entities based on ownership property. For more information, see Set up permission framework for your Tanzu Developer Portal

v1.6.1 Features: Tanzu Developer Tools for IntelliJ

  • Added support for Local Source Proxy that eliminates the need to provide source image configuration for rapid iteration in the inner loop.

  • You can now use Tanzu Developer Tools for IntelliJ to rapidly iterate on Spring-native applications. Developers can Live Update and debug spring-native applications non-natively and then deploy to a cluster as a native image.

  • Developers can now use Tanzu Developer Tools for IntelliJ to rapidly iterate and build Gradle projects in their preferred IDE.

v1.6.1 Features: Tanzu Developer Tools for VS Code

  • Added support for Local Source Proxy that eliminates the need to provide source image configuration for rapid iteration in the inner loop.

  • You can now use Tanzu Developer Tools for VS Code to rapidly iterate on Spring-native applications. Developers can Live Update and debug spring-native applications non-natively and then deploy to a cluster as a native image.

  • Developers can now use Tanzu Developer Tools for VS Code to rapidly iterate and build Gradle projects in their preferred IDE.

v1.6.1 Features: Tanzu Developer Tools for Visual Studio

  • Added a Tanzu Workloads panel to easily view deployed workloads in a Tanzu Application Platform cluster.
  • You can now use Tanzu Developer Tools for Visual Studio to directly manage workloads, which includes the functions Apply Workload, Start Live Update, and Debug Workload.

v1.6.1 Breaking changes

This release includes the following changes, listed by component and area.

v1.6.1 Breaking changes: Application Single Sign-On (AppSSO)

  • Consumes Application Single Sign-On service offerings using ClassClaim instead of the lower-level WorkloadRegistration or ClientRegistration.

  • Crossplane is an installation and runtime dependency of Application Single Sign-On.

  • The field AuthServer.spec.tls.disabled is removed. Use AuthServer.spec.tls.deactivated instead.

  • The default for field ClientRegistration.spec.redirectURIs is no longer ["http://127.0.0.0:8080"].

v1.6.1 Breaking changes: Cloud Native Runtimes

  • The provider configuration option is removed in this release. For more information, see the Deprecation notice in the Cloud Native Runtimes v2.0 release notes.

v1.6.1 Breaking changes: Contour

  • By default, Tanzu Application Platform uses TLS 1.3 as the minimum TLS version for Contour. Certain infrastructure setups might cause request failures if the Envoy clients do not support TLS 1.3. You might see the following errors in the Envoy logs:

    [source/extensions/transport_sockets/tls/ssl_socket.cc:233] [C112] remote address:20.27.140.81:3073,TLS error: 268435696:SSL routines:OPENSSL_internal:UNSUPPORTED_PROTOCOL
    

    To set the minimum TLS version to 1.2, see Configure Cipher Suites and TLS version in Contour.

v1.6.1 Breaking changes: Flux CD Source Controller

  • The format of the status.artifact.revision value in the GitRepository resource’s status field is updated from BRANCH/CHECKSUM to BRANCH@sha1:CHECKSUM. For example, main/6db88c7a7e7dec1843809b058195b68480c4c12a is now main@sha1:6db88c7a7e7dec1843809b058195b68480c4c12a.

v1.6.1 Breaking changes: Tanzu Build Service

  • The full dependencies package is renamed and the installation process is modified.

    • You must remove existing full dependencies installations before installing the new version.
    • You must provide the tap-values.yaml file during the full dependencies package installation.
  • The full dependencies package repository is tagged with the Tanzu Application Platform package version instead of the Tanzu Build Service package version.

  • The Ubuntu Bionic stack is no longer included with the Tanzu Application Platform and the full dependencies package repository.

  • Introduced a cluster buildpack resource to enable individually packaged dependencies and provide insights into installed buildpack versions.

v1.6.1 Breaking changes: Tanzu CLI Apps plug-in

  • The deprecated command tanzu apps workload update is removed from the CLI. Use the command tanzu apps workload apply instead.

v1.6.1 Breaking changes: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • The allowGuestAccess configuration option: Previously this was not needed in the configuration because users were permitted to log in without credentials by default. In v1.6 and later, guest users must be permitted explicitly. The recommended values files in the installation sections are updated to include this setting. Add the following lines to tap-values.yaml to enable guest access explicitly:

    # Existing tap-values.yaml settings
    tap_gui:
      app_config:
        auth:
          allowGuestAccess: true  # Allows unauthenticated users to log in to your portal. If you deactivate it, configure an alternative auth provider.
    

v1.6.1 Security fixes

This release has the following security fixes, listed by component and area.

Package name Vulnerabilities resolved
accelerator.apps.tanzu.vmware.com
Expand to see the list
api-portal.tanzu.vmware.com
Expand to see the list
apis.apps.tanzu.vmware.com
Expand to see the list
apiserver.appliveview.tanzu.vmware.com
Expand to see the list
app-scanning.apps.tanzu.vmware.com
Expand to see the list
application-configuration-service.tanzu.vmware.com
Expand to see the list
backend.appliveview.tanzu.vmware.com
Expand to see the list
buildservice.tanzu.vmware.com
Expand to see the list
cnrs.tanzu.vmware.com
Expand to see the list
connector.appliveview.tanzu.vmware.com
Expand to see the list
controller.source.apps.tanzu.vmware.com
Expand to see the list
conventions.appliveview.tanzu.vmware.com
Expand to see the list
developer-conventions.tanzu.vmware.com
Expand to see the list
fluxcd.source.controller.tanzu.vmware.com
Expand to see the list
learningcenter.tanzu.vmware.com
Expand to see the list
metadata-store.apps.tanzu.vmware.com
Expand to see the list
ootb-templates.tanzu.vmware.com
Expand to see the list
scanning.apps.tanzu.vmware.com
Expand to see the list
services-toolkit.tanzu.vmware.com
Expand to see the list
sso.apps.tanzu.vmware.com
Expand to see the list
tap-gui.tanzu.vmware.com
Expand to see the list
workshops.learningcenter.tanzu.vmware.com
Expand to see the list

v1.6.1 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.6.1 Resolved issues: Cloud Native Runtimes

  • New toggle feature for how to make ConfigMap updates. For some ConfigMaps in Cloud Native Runtimes, such as config-features, the option to update using an overlay was not taking effect. This issue is fixed.

    With this version, the legacy behavior remains the same, but VMware introduced a configuration to opt-in into updating ConfigMaps using overlays in Cloud Native Runtimes. To configure this option, edit your cnr-values.yaml file to change the following configuration:

    allow_manual_configmap_update: false
    

v1.6.1 Resolved issues: Crossplane

  • The Crossplane package now more gracefully handles situations in which Crossplane is already installed to a cluster by using another method, for example, Helm install.

    Previously the Crossplane Package assumed that Crossplane was not already installed on the cluster, which is not always true. Rather than fail, the package completed installing, which caused non-deterministic behavior.

    Now, if you attempt to install or upgrade the Crossplane package on a cluster that has Crossplane installed by other means, it fails with the error Resource already exists. In such cases, you can either exclude the Crossplane package from the Tanzu Application Platform installation, or set adopt_resources to true in the Crossplane package to adopt resources from your existing installation. For more information, see Use your existing Crossplane installation.

  • Resolved an issue where Crossplane Providers did not transition to HEALTHY=True if using a custom certificate for your registry. This prevented the class claims used for dynamic provisioning from reconciling. The Crossplane Package now inherits the data configured in shared.ca_cert_data of tap-values.yaml.

v1.6.1 Resolved issues: Namespace Provisioner

  • Resolved an issue that prevented updates to the AWS Identity and Access Management (IAM) role from reflecting in the service accounts used by Supply Chains and Delivery components.

  • Resolved a behavior where the Namespace Provisioner failed if the same Git secret was used multiple times within the additional_sources section of the tap-values.yaml file. This fix requires Cluster Essentials v1.6 or later installed on the cluster.

  • Resolved an issue where a namespace managed by the Namespace Provisioner became stuck in the Terminating phase during deletion if it contained a workload. This fix requires Cluster Essentials v1.6 or later installed on the cluster.

v1.6.1 Resolved issues: Services Toolkit

  • Resolved an issue that prevented the default cluster-admin IAM role on Google Kubernetes Engine (GKE) clusters from claiming any of the Bitnami services.

    Previously, if a user with the cluster-admin role on a GKE cluster attempted to claim any of the Bitnami services, they received a validation error.

  • Resolved an issue affecting the dynamic provisioning flow if you used a CompositeResourceDefinition that specified a schema that defined .status without also defining .spec. You can now use a CompositeResourceDefinition which only specifies .status in the schema.

    Previously, if you attempted to create a ClassClaim for a ClusterInstanceClass that referred to such a CompositeResourceDefinition, the ClassClaim did not transition into Ready=True and instead reported unexpected end of JSON input.

v1.6.1 Resolved issues: Supply Chain Security Tools (SCST) - Store

  • Implemented basic logging in the AMR database.

  • AMR database no longer creates a load balancer when enabling the shared ingress domain and ingress values in tap-values.yaml.

  • Modified the behavior of the /v1/artifact-groups/vulnerabilities/_search endpoint. It now returns a list of artifact groups affected by the vulnerability even if the images or sources in the query are not linked to them.

    Previously the endpoint returned the list of artifact groups the images or sources were linked to, even if the artifact group was not affected by the vulnerability.

v1.6.1 Resolved issues: Tanzu CLI Apps plug-in

  • Implemented validations to prevent the inclusion of multiple sources through flags in the workload create and workload apply commands.

  • Modified the behavior of the commands when waiting to apply workload changes. If the workload was previously in a failed state, it no longer immediately fails. When the --wait flag is used, the command continues to wait until the workload either succeeds or fails again. When the --tail flag is used, the command continues tailing logs from the Supply chain steps that were impacted by the workload update.

v1.6.1 Resolved issues: Tanzu Developer Tools for IntelliJ

  • The apply action no longer stores the workload file path, which prevented modifying the workload file path later. Now this information is either computed or obtained by prompting the user as needed.

  • In the Tanzu activity panel, the config-writer-pull-requester of the type Runnable is no longer incorrectly categorized as Unknown.

v1.6.1 Resolved issues: Tanzu Developer Tools for VS Code

  • Errors in the kubeconfig file ~/.kube/config that are not related to the current context are now ignored, allowing you to work with Tanzu panel without any issues.

v1.6.1 Known issues

This release has the following known issues, listed by component and area.

Note

Starting in this release, the release notes list known issues in every release until they are resolved.

v1.6.1 Known issues: Application Configuration Service

  • Client applications that include the spring-cloud-config-client dependency might fail to start or properly load the configuration that Application Configuration Service produced.

  • Installation might fail because the pod security context does not perfectly adhere to the restricted pod security standard.

v1.6.1 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

  • ReplicaSet status in AMR only has two states: created and deleted. There is a known issue where the available and unavailable state is not showing. The workaround is that you can interpolate this information from the instances metadata in the AMR for the ReplicaSet.

v1.6.1 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.6.1 Known issues: Cloud Native Runtimes

  • For Knative Serving, certain app name, namespace, and domain combinations produce Knative Services with status CertificateNotReady. For more information, see Troubleshooting.

v1.6.1 Known issues: Crossplane

  • Crossplane Providers cannot communicate with systems using a custom CA. For more information and a workaround, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane Package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.6.1 Known issues: Eventing

  • When using vSphere sources in Eventing, the vsphere-source is using a high number of informers to alleviate load on the API server. This causes high memory use.

v1.6.1 Known issues: Learning Center

v1.6.1 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.6.1 Known issues: Supply Chain Choreographer

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, you this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

  • The ClusterSupplyChain scanning-image-scan-to-url does not update if you attempt to update the ootb_supply_chain_testing_scanning field in the tap-values.yaml file to use a specified ClusterImageTemplate as follows:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: CLUSTERIMAGETEMPLATE
    

    This is because the ClusterSupplyChain is preset to image-scanner-template. To workaround, edit the Out of the Box Supply template following the steps Modifying an Out of the Box Supply template.

v1.6.1 Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.

v1.6.1 Known issues: Tanzu Developer Portal (formerly named Tanzu Application Platform GUI)

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.6.1 Known issues: Tanzu Developer Portal - Supply Chain GUI plug-in

  • Any workloads created by using a custom resource definition (CRD) might not work as expected. Only Out of the Box (OOTB) Supply Chains are supported in the GUI.

  • Supply Chain Security Tools - Scan v2.0, which introduces the ImageVulnerabilityScanner CRD, is not currently supported in the Supply Chain GUI.

  • Downloading the SBOM from a vulnerability scan requires additional configuration in tap-values.yaml. For more information, see Troubleshooting.

v1.6.1 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.6.1 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.6.1 Known issues: Tanzu Developer Tools for VS Code

  • In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is incorrectly categorized as Unknown. The correct category is Supply Chain.

  • Tanzu Debug does not work on Windows for new workloads. When attempting to Tanzu Debug on Windows, the user sees an error message similar to the following:

    Error: unable to check if filepath "'FILE-PATH'" is a valid url.
    

    For more information, see Troubleshooting.


v1.6.1 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.3.3
API portal 1.4.0
Application Accelerator 1.6.1
Application Configuration Service 2.1.0
Application Live View APIserver 1.6.1
Application Live View back end 1.6.1
Application Live View connector 1.6.1
Application Live View conventions 1.6.1
Application Single Sign-On 4.0.0
Artifact Metadata Repository Observer (alpha) 0.1.0-alpha.8
Bitnami Services 0.2.0
Carbon Black Scanner for SCST - Scan (beta) 1.2.1-beta.1
Cartographer Conventions 0.7.3
cert-manager 2.3.1
Cloud Native Runtimes 2.3.1
Contour 1.24.4
Crossplane 0.2.1
Default Roles 1.1.0
Developer Conventions 0.11.0
Eventing (deprecated) 2.2.3-build.36
External Secrets Operator 0.6.1+tap.6
Flux CD Source Controller 0.36.1-build.2
Grype Scanner for SCST - Scan 1.6.66
Learning Center (deprecated) 0.3.1
Learning Center workshops (deprecated) 0.3.0
Local Source Proxy 0.1.0
Namespace Provisioner 0.4.0
Out of the Box Delivery - Basic 0.13.6
Out of the Box Supply Chain - Basic 0.13.6
Out of the Box Supply Chain - Testing 0.13.6
Out of the Box Supply Chain - Testing and Scanning 0.13.6
Out of the Box Templates 0.13.6
Service Bindings 0.9.1
Services Toolkit 0.11.0
Snyk Scanner for SCST - Scan (beta) 1.0.0-beta.71
Source Controller 0.8.0
Spring Boot conventions 1.6.1
Spring Cloud Gateway 2.0.3
Supply Chain Choreographer 0.7.3
Supply Chain Security Tools - Policy Controller 1.4.0
Supply Chain Security Tools - Scan 1.6.67
Supply Chain Security Tools - Scan 2.0 (beta) 0.1.0-beta.45
Supply Chain Security Tools - Store 1.6.2
Tanzu Developer Portal (formerly Tanzu Application Platform GUI) 1.6.3
Tanzu Developer Portal Configurator (beta) 0.1.2
Tanzu Application Platform Telemetry 0.6.1
Tanzu Build Service 1.11.10
Tanzu CLI 0.90.0
Tanzu CLI Application Accelerator plug-in 1.6.0
Tanzu CLI Apps plug-in 0.12.1
Tanzu CLI Build Service plug-in 1.0.0
Tanzu CLI Insight plug-in 1.6.0
Tanzu Service CLI plug-in 0.7.0
Tekton Pipelines 0.41.0+tap.8

Deprecations

The following features, listed by component, are deprecated. Deprecated features will remain on this list until they are retired from Tanzu Application Platform.

Tanzu Application Platform deprecations

  • Minikube support is deprecated and will be removed in Tanzu Application Platform v1.7.

Application Live View deprecations

  • appliveview_connnector.backend.sslDisabled is deprecated and marked for removal in Tanzu Application Platform v1.7.0. For more information about the migration, see Deprecate the sslDisabled key.

Application Single Sign-On (AppSSO) deprecations

  • ClientRegistration resource clientAuthenticationMethod field values post and basic are deprecated and marked for removal in Tanzu Application Platform v1.7.0. Use client_secret_post and client_secret_basic instead.

Eventing deprecations

  • Eventing in Tanzu Application Platform is deprecated and marked for removal in Tanzu Application Platform v1.7.0.

Flux CD Source Controller deprecations

  • Deprecations for the GitRepository API:

    • spec.gitImplementation is deprecated. GitImplementation defines the Git client library implementation. go-git is the default and only supported implementation. libgit2 is no longer supported.
    • spec.accessFrom is deprecated. AccessFrom, which defines an Access Control List for enabling cross-namespace references to this object, was never implemented.
    • status.contentConfigChecksum is deprecated in favor of the explicit fields defined in the observed artifact content config within the status.
    • status.artifact.checksum is deprecated in favor of status.artifact.digest.
    • status.url is deprecated in favor of status.artifact.url.
  • Deprecations for the OCIRepository API:

    • status.contentConfigChecksum is deprecated in favor of the explicit fields defined in the observed artifact content config within the status.

Learning Center deprecations

  • Learning Center is deprecated and marked for removal in Tanzu Application Platform v1.7.0. Use Tanzu Academy instead for all Tanzu Application Platform learning and education needs.

Services Toolkit deprecations

  • The tanzu services claims CLI plug-in command is now deprecated. It is hidden from help text output, but continues to work until officially removed after the deprecation period. The new tanzu services resource-claims command provides the same function.

Source Controller deprecations

  • The Source Controller ImageRepository API is deprecated and is marked for removal. Use the OCIRepository API instead. The Flux Source Controller installation includes the OCIRepository API. For more information about the OCIRepository API, see the Flux documentation.

Supply Chain Choreographer deprecations

  • Supply Chain Choreographer no longer uses the git_implementation field. The go-git implementation now assumes that libgit2 is not supported.
    • Flux CD no longer supports the spec.gitImplementation field as of v0.33.0. For more information, see the fluxcd/source-controller Changelog.
    • Existing references to the git_implementation field are ignored and references to libgit2 do not cause failures. This is assured up to Tanzu Application Platform v1.9.0.
    • Azure DevOps works without specifying git_implementation in Tanzu Application Platform v1.6.1.

Supply Chain Security Tools (SCST) - Scan deprecations

  • The docker field and related sub-fields used in SCST - Scan are deprecated and marked for removal in Tanzu Application Platform v1.7.0.

    The deprecation impacts the following components: Scan Controller, Grype Scanner, and Snyk Scanner. Carbon Black Scanner is not impacted. For information about the migration path, see Troubleshooting.

  • The profile based installation of Grype to a developer namespace and related fields in the values file, such as grype.namespace and grype.targetImagePullSecret, are deprecated and marked for removal in Tanzu Application Platform v1.8.0.

    VMware recommends using the namespace provisioner to populate namespaces with all the required resources, including the Grype installation. For information about how to use namespace provisioner to populate a namespace with SCST - SCST scan, see Setup for OOTB Supply Chains.

Tanzu Build Service deprecations

  • The Ubuntu Bionic stack is deprecated: Ubuntu Bionic stops receiving support in April 2023. VMware recommends you migrate builds to Jammy stacks in advance. For how to migrate builds, see Use Jammy stacks for a workload.

  • The Cloud Native Buildpack Bill of Materials (CNB BOM) format is deprecated. VMware plans to deactivate this format by default in Tanzu Application Platform v1.6.1 and remove support in Tanzu Application Platform v1.8.

Tanzu CLI Apps plug-in deprecations

  • The default value for the –update-strategy flag is planned to change from merge to replace in Tanzu Application Platform v1.7.0.

Tekton Pipelines deprecations

  • Tekton ClusterTask is deprecated and marked for removal. Use the Task API instead. For more information, see the Tekton documentation.

Linux Kernel CVEs

Kernel level vulnerabilities are regularly identified and patched by Canonical. Tanzu Application Platform releases with available images, which might contain known vulnerabilities. When Canonical makes patched images available, Tanzu Application Platform incorporates these fixed images into future releases.

The kernel runs on your container host VM, not the Tanzu Application Platform container image. Even with a patched Tanzu Application Platform image, the vulnerability is not mitigated until you deploy your containers on a host with a patched OS. An unpatched host OS might be exploitable if the base image is deployed.

check-circle-line exclamation-circle-line close-line
Scroll to top icon