This topic contains release notes for Tanzu Application Platform v1.7.2.
Release Date: 12 December 2023
For the list of security fixes in this Tanzu Application Platform release, see Security fixes.
The following issues, listed by component and area, are resolved in this release.
container.SecurityContext
is not null and the Capabilities
or SeccompProfile
field is null.This release has the following known issues, listed by component and area.
The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.
Tanzu Mission Control does not support this Tanzu Application Platform release.
Registering conflicting groupId
and version
with API portal:
If you create two CuratedAPIDescriptor
s with the same groupId
and version
combination, both reconcile without throwing an error, and the /openapi?groupId&version
endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptor
s to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptor
s.
You can see the groupId
and version
information from all CuratedAPIDescriptor
s by running:
$ kubectl get curatedapidescriptors -A
NAMESPACE NAME GROUPID VERSION STATUS CURATED API SPEC URL
my-apps petstore test-api-group 1.2.3 Ready http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default mystery test-api-group 1.2.3 Ready http://AAR-CONTROLLER-FQDN/openapi/default/mystery
When creating an APIDescriptor
with different apiSpec.url
and server.url
, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url
only.
CrashLoopBackOff
or OOMKilled
. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable
. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.validatingwebhookconfiguration
is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration
manually by running kubectl delete validatingwebhookconfiguration crossplane
.When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.
Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding
is not immediately reconciled when status.binding.name
changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
ServiceBinding
and create a new one that is identical.ServiceBinding
by adding an arbitrary annotation or label.ServiceBinding
.additionalProperties
is true
in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix
, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix
. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.
When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli
in the tap-values.yaml
file. You can prevent this by setting the value in your tap-values.yaml
file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
ootb_supply_chain_testing_scanning:
image_scanner_template_name: image-vulnerability-scan-trivy
image_scanning_cli:
image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found
during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.
AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc
is true
, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector
resource to overwrite existing Tanzu Application Platform values for Observer.
When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt
property. Therefore, when the MultiClusterPropertyCollector
resource creates the Observer package configuration values secret, the required ca_cert_data
is empty.
To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data
key in the Tanzu Application Platform installation values.
During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.
If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.
If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
No configured authentication providers. Please configure at least one.
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend
reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.
The error com.vdurmont.semver4j.SemverException: Invalid version (no major version)
is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app
, or in its path, such as C:\Users\My User\my-app
. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup"
. For more information, see Troubleshooting.
The following table lists the supported component versions for this Tanzu Application Platform release.
Component Name | Version |
---|---|
API Auto Registration | 0.4.1 |
API portal | 1.4.5 |
Application Accelerator | 1.7.6 |
Application Configuration Service | 2.2.0 |
Application Live View APIServer | 1.7.3 |
Application Live View back end | 1.7.3 |
Application Live View connector | 1.7.3 |
Application Live View conventions | 1.7.3 |
Application Single Sign-On | 5.0.0 |
Artifact Metadata Repository Observer | 0.2.1 |
AWS Services | 0.1.0 |
Bitnami Services | 0.3.1 |
Carbon Black Scanner for SCST - Scan (beta) | 1.2.4 |
Cartographer Conventions | 0.8.5 |
cert-manager | 2.4.2 |
Cloud Native Runtimes | 2.4.3 |
Contour | 1.25.3 |
Crossplane | 0.3.0 |
Default Roles | 1.1.0 |
Developer Conventions | 0.14.1 |
External Secrets Operator | 0.9.4+tanzu.2 |
Flux CD Source Controller | 0.36.1+tanzu.2 |
Grype Scanner for SCST - Scan | 1.7.2 |
Local Source Proxy | 0.2.1 |
Namespace Provisioner | 0.5.0 |
Out of the Box Delivery - Basic | 0.14.8 |
Out of the Box Supply Chain - Basic | 0.14.8 |
Out of the Box Supply Chain - Testing | 0.14.8 |
Out of the Box Supply Chain - Testing and Scanning | 0.14.8 |
Out of the Box Templates | 0.14.8 |
Service Bindings | 0.10.2 |
Service Registry | 1.2.1 |
Services Toolkit | 0.12.0 |
Snyk Scanner for SCST - Scan (beta) | 1.1.3 |
Source Controller | 0.8.3 |
Spring Boot conventions | 1.7.3 |
Spring Cloud Gateway | 2.1.5 |
Supply Chain Choreographer | 0.8.5 |
Supply Chain Security Tools - Policy Controller | 1.6.3 |
Supply Chain Security Tools - Scan | 1.7.3 |
Supply Chain Security Tools - Scan 2.0 (beta) | 0.2.2 |
Supply Chain Security Tools - Store | 1.7.2 |
Tanzu Developer Portal | 1.7.8 |
Tanzu Developer Portal Configurator | 1.0.4 |
Tanzu Application Platform Telemetry | 0.7.0 |
Tanzu Build Service | 1.12.4 |
Tanzu CLI | 1.1.0 |
Tekton Pipelines | 0.50.3+tanzu.3 |