Tanzu Application Platform release notes

This topic describes the changes in Tanzu Application Platform (commonly known as TAP) v1.7.

Note
Tanzu Application Platform v1.7 is a long-term support (LTS) release. It will receive one year of patches and support, dated from initial release. Over the life cycle of Tanzu Application Platform v1.7, VMware will release patches and maintenance updates.

v1.7.9

Release Date: 02 July 2024

v1.7.9 Breaking changes

This release includes the following changes, listed by component and area.

v1.7.9 Breaking changes: Tanzu Application Platform

Tanzu Application Platform releases have migrated from VMware Tanzu Network to the Broadcom Support Portal and Broadcom registry. Using VMware Tanzu Network to install or upgrade Tanzu Application Platform is no longer supported.

Before you upgrade, you must relocate the Tanzu Application Platform images from the Broadcom registry tanzu.packages.broadcom.com to your own registry. Make sure you relocate the images to your container image registry as part of the instructions in Upgrade Tanzu Application Platform.

v1.7.9 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2024-33602 CVE-2024-33601 CVE-2024-33600 CVE-2024-33599 CVE-2024-32465 CVE-2024-32021 CVE-2024-32020 CVE-2024-32004 CVE-2024-32002 CVE-2024-26920 CVE-2024-26916 CVE-2024-26910 CVE-2024-26829 CVE-2024-26826 CVE-2024-26825 CVE-2024-26808 CVE-2024-26722 CVE-2024-26720 CVE-2024-26717 CVE-2024-26715 CVE-2024-26712 CVE-2024-26707 CVE-2024-26704 CVE-2024-26702 CVE-2024-26698 CVE-2024-26697 CVE-2024-26696 CVE-2024-26695 CVE-2024-26689 CVE-2024-26685 CVE-2024-26684 CVE-2024-26679 CVE-2024-26676 CVE-2024-26675 CVE-2024-26673 CVE-2024-26671 CVE-2024-26668 CVE-2024-26665 CVE-2024-26664 CVE-2024-26663 CVE-2024-26660 CVE-2024-26645 CVE-2024-26644 CVE-2024-26641 CVE-2024-26640 CVE-2024-26636 CVE-2024-26635 CVE-2024-26627 CVE-2024-26625 CVE-2024-26622 CVE-2024-26615 CVE-2024-26614 CVE-2024-26610 CVE-2024-26608 CVE-2024-26606 CVE-2024-26602 CVE-2024-26600 CVE-2024-26594 CVE-2024-26593 CVE-2024-26592 CVE-2024-23849 CVE-2024-2201 CVE-2024-1151 CVE-2023-52643 CVE-2023-52642 CVE-2023-52638 CVE-2023-52637 CVE-2023-52635 CVE-2023-52633 CVE-2023-52631 CVE-2023-52627 CVE-2023-52623 CVE-2023-52622 CVE-2023-52619 CVE-2023-52618 CVE-2023-52617 CVE-2023-52616 CVE-2023-52615 CVE-2023-52614 CVE-2023-52608 CVE-2023-52607 CVE-2023-52606 CVE-2023-52604 CVE-2023-52602 CVE-2023-52601 CVE-2023-52599 CVE-2023-52598 CVE-2023-52597 CVE-2023-52595 CVE-2023-52594 CVE-2023-52588 CVE-2023-52587 CVE-2023-52530 CVE-2023-52498 CVE-2023-52494 CVE-2023-52493 CVE-2023-52492 CVE-2023-52491 CVE-2023-52489 CVE-2023-52486 CVE-2023-52435 CVE-2023-47233
cert-manager.tanzu.vmware.com	Expand to see the list GHSA-4v7x-pqxf-cx7m CVE-2023-39326
java-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-xw73-rw38-6vjc GHSA-qppj-fm5r-hxr3 GHSA-mq39-4gv4-mvpx GHSA-jq35-85cj-fj4p GHSA-8r3f-844c-mc37 GHSA-7ww5-4wqc-m92c GHSA-45x7-px36-x8w8 GHSA-2wrh-6pvc-2jm9 CVE-2024-29018
ootb-templates.tanzu.vmware.com	Expand to see the list GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237 CVE-2024-28835 CVE-2024-28834 CVE-2024-26581 CVE-2023-52603 CVE-2023-52600 CVE-2023-24023 CVE-2022-41715 CVE-2022-32148 CVE-2022-30629 CVE-2022-29526 CVE-2022-1962 CVE-2022-1705

v1.7.9 Known issues

This release has the following known issues, listed by component and area.

v1.7.9 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.7.9 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.9 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.9 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.9 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.9 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.9 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.9 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.9 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.9 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.9 Known issues: Supply Chain Security Tools - Policy

Supply Chain Security Tools - Policy is defaulting to TUF enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:
```
policy:
  tuf_enabled: true
```

v1.7.9 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk GitHub repository.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.9 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.9 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.9 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.9 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.9 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.9 Component versions

The following table lists the Tanzu Application Platform package versions included with this release.

Component Name	Version
API Auto Registration	0.5.0-alpha.1
API portal	1.4.7
Application Accelerator	1.7.7
Application Configuration Service	2.2.2
Application Live View APIServer	1.7.4
Application Live View back end	1.7.4
Application Live View connector	1.7.4
Application Live View conventions	1.7.4
Application Single Sign-On	5.0.6
Artifact Metadata Repository Observer	0.2.5
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.8
Cartographer Conventions	0.8.10
cert-manager	2.4.8
Cloud Native Runtimes	2.4.17
Contour	2.1.0
Crossplane	0.3.1
Default Roles	1.1.0
Developer Conventions	0.14.2
External Secrets Operator	0.9.4+tanzu.3
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.6
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.18
Out of the Box Supply Chain - Basic	0.14.18
Out of the Box Supply Chain - Testing	0.14.18
Out of the Box Supply Chain - Testing and Scanning	0.14.18
Out of the Box Templates	0.14.18
Service Bindings	0.10.3
Service Registry	1.2.4
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.7
Source Controller	0.8.4
Spring Boot conventions	1.7.4
Spring Cloud Gateway	2.1.10
Supply Chain Choreographer	0.8.10
Supply Chain Security Tools - Policy Controller	1.6.4
Supply Chain Security Tools - Scan	1.7.9
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.4
Supply Chain Security Tools - Store	1.7.8
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.6
Tanzu CLI	1.3.0
Tanzu Developer Portal	1.7.12
Tanzu Developer Portal Configurator	1.7.12
Tekton Pipelines	0.50.3+tanzu.4

v1.7.8

Release Date: 11 June 2024

v1.7.8 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2024-26920 CVE-2024-26916 CVE-2024-26910 CVE-2024-26829 CVE-2024-26826 CVE-2024-26825 CVE-2024-26808 CVE-2024-26722 CVE-2024-26720 CVE-2024-26717 CVE-2024-26715 CVE-2024-26712 CVE-2024-26707 CVE-2024-26704 CVE-2024-26702 CVE-2024-26698 CVE-2024-26697 CVE-2024-26696 CVE-2024-26695 CVE-2024-26689 CVE-2024-26685 CVE-2024-26684 CVE-2024-26679 CVE-2024-26676 CVE-2024-26675 CVE-2024-26673 CVE-2024-26671 CVE-2024-26668 CVE-2024-26665 CVE-2024-26664 CVE-2024-26663 CVE-2024-26660 CVE-2024-26645 CVE-2024-26644 CVE-2024-26641 CVE-2024-26640 CVE-2024-26636 CVE-2024-26635 CVE-2024-26627 CVE-2024-26625 CVE-2024-26615 CVE-2024-26614 CVE-2024-26610 CVE-2024-26608 CVE-2024-26606 CVE-2024-26602 CVE-2024-26600 CVE-2024-26594 CVE-2024-26593 CVE-2024-26592 CVE-2024-23849 CVE-2024-2201 CVE-2024-1151 CVE-2023-52643 CVE-2023-52642 CVE-2023-52638 CVE-2023-52637 CVE-2023-52635 CVE-2023-52633 CVE-2023-52631 CVE-2023-52627 CVE-2023-52623 CVE-2023-52622 CVE-2023-52619 CVE-2023-52618 CVE-2023-52617 CVE-2023-52616 CVE-2023-52615 CVE-2023-52614 CVE-2023-52608 CVE-2023-52607 CVE-2023-52606 CVE-2023-52604 CVE-2023-52602 CVE-2023-52601 CVE-2023-52599 CVE-2023-52598 CVE-2023-52597 CVE-2023-52595 CVE-2023-52594 CVE-2023-52588 CVE-2023-52587 CVE-2023-52498 CVE-2023-52494 CVE-2023-52493 CVE-2023-52492 CVE-2023-52491 CVE-2023-52489 CVE-2023-52486 CVE-2023-52435
cert-manager.tanzu.vmware.com	Expand to see the list GHSA-4v7x-pqxf-cx7m CVE-2023-39326
java-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-xw73-rw38-6vjc GHSA-qppj-fm5r-hxr3 GHSA-mq39-4gv4-mvpx GHSA-jq35-85cj-fj4p GHSA-8r3f-844c-mc37 GHSA-7ww5-4wqc-m92c GHSA-45x7-px36-x8w8 GHSA-2wrh-6pvc-2jm9 CVE-2024-29018
ootb-templates.tanzu.vmware.com	Expand to see the list CVE-2024-28835 CVE-2024-28834 CVE-2024-26581 CVE-2023-52603 CVE-2023-52600 CVE-2023-24023

v1.7.8 Known issues

This release has the following known issues, listed by component and area.

v1.7.8 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.7.8 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.8 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.8 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.8 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.8 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.8 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.8 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.8 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.8 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.8 Known issues: Supply Chain Security Tools - Policy

Supply Chain Security Tools - Policy is defaulting to TUF enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:
```
policy:
  tuf_enabled: true
```

v1.7.8 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk GitHub repository.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.8 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.8 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.8 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.8 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.8 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.8 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.5.0-alpha.1
API portal	1.4.7
Application Accelerator	1.7.7
Application Configuration Service	2.2.2
Application Live View APIServer	1.7.4
Application Live View back end	1.7.4
Application Live View connector	1.7.4
Application Live View conventions	1.7.4
Application Single Sign-On	5.0.6
Artifact Metadata Repository Observer	0.2.4
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.8
Cartographer Conventions	0.8.10
cert-manager	2.4.8
Cloud Native Runtimes	2.4.17
Contour	2.1.0
Crossplane	0.3.1
Default Roles	1.1.0
Developer Conventions	0.14.2
External Secrets Operator	0.9.4+tanzu.3
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.6
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.18
Out of the Box Supply Chain - Basic	0.14.18
Out of the Box Supply Chain - Testing	0.14.18
Out of the Box Supply Chain - Testing and Scanning	0.14.18
Out of the Box Templates	0.14.18
Service Bindings	0.10.3
Service Registry	1.2.4
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.7
Source Controller	0.8.4
Spring Boot conventions	1.7.4
Spring Cloud Gateway	2.1.10
Supply Chain Choreographer	0.8.10
Supply Chain Security Tools - Policy Controller	1.6.4
Supply Chain Security Tools - Scan	1.7.9
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.4
Supply Chain Security Tools - Store	1.7.7
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.6
Tanzu CLI	1.3.0
Tanzu Developer Portal	1.7.12
Tanzu Developer Portal Configurator	1.7.12
Tekton Pipelines	0.50.3+tanzu.4

v1.7.7

Release Date: 07 May 2024

v1.7.7 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2024-2961 CVE-2024-28835 CVE-2024-28834 CVE-2024-28085 CVE-2024-26633 CVE-2024-26631 CVE-2024-26598 CVE-2024-26597 CVE-2024-26591 CVE-2024-26589 CVE-2024-26586 CVE-2024-26581 CVE-2024-24860 CVE-2024-2398 CVE-2024-23851 CVE-2024-23850 CVE-2024-22705 CVE-2023-52612 CVE-2023-52610 CVE-2023-52609 CVE-2023-52603 CVE-2023-52600 CVE-2023-52480 CVE-2023-52470 CVE-2023-52469 CVE-2023-52467 CVE-2023-52464 CVE-2023-52463 CVE-2023-52462 CVE-2023-52458 CVE-2023-52457 CVE-2023-52456 CVE-2023-52454 CVE-2023-52451 CVE-2023-52449 CVE-2023-52448 CVE-2023-52445 CVE-2023-52444 CVE-2023-52443 CVE-2023-52442 CVE-2023-52441 CVE-2023-52436 CVE-2023-52429 CVE-2023-52340 CVE-2023-46838 CVE-2023-3867 CVE-2023-38431 CVE-2023-38430 CVE-2023-38427 CVE-2023-32258 CVE-2023-32254 CVE-2023-24023 CVE-2023-1194
cert-manager.tanzu.vmware.com	Expand to see the list GHSA-8r3f-844c-mc37 GHSA-45x7-px36-x8w8
dotnet-core-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-xw73-rw38-6vjc GHSA-mq39-4gv4-mvpx GHSA-8r3f-844c-mc37 CVE-2024-29018
metadata-store.apps.tanzu.vmware.com	Expand to see the list CVE-2024-24785 CVE-2024-24784 CVE-2024-24783 CVE-2023-45290 CVE-2023-45289
nodejs-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-xw73-rw38-6vjc GHSA-mq39-4gv4-mvpx GHSA-8r3f-844c-mc37 CVE-2024-29018
ootb-templates.tanzu.vmware.com	Expand to see the list GHSA-mw99-9chc-xw7r GHSA-449p-3h89-pw88 CVE-2024-28757 CVE-2024-28085 CVE-2024-26633 CVE-2024-26631 CVE-2024-26598 CVE-2024-26597 CVE-2024-26591 CVE-2024-26589 CVE-2024-26586 CVE-2024-24860 CVE-2024-24855 CVE-2024-2398 CVE-2024-23851 CVE-2024-23850 CVE-2024-22705 CVE-2024-1086 CVE-2024-1085 CVE-2024-0646 CVE-2024-0607 CVE-2024-0565 CVE-2024-0340 CVE-2023-6121 CVE-2023-52612 CVE-2023-52610 CVE-2023-52609 CVE-2023-52480 CVE-2023-52470 CVE-2023-52469 CVE-2023-52467 CVE-2023-52464 CVE-2023-52463 CVE-2023-52462 CVE-2023-52458 CVE-2023-52457 CVE-2023-52456 CVE-2023-52454 CVE-2023-52451 CVE-2023-52449 CVE-2023-52448 CVE-2023-52445 CVE-2023-52444 CVE-2023-52443 CVE-2023-52442 CVE-2023-52441 CVE-2023-52436 CVE-2023-52429 CVE-2023-52425 CVE-2023-52340 CVE-2023-51782 CVE-2023-51781 CVE-2023-51780 CVE-2023-51779 CVE-2023-50868 CVE-2023-50387 CVE-2023-46862 CVE-2023-46838 CVE-2023-46343 CVE-2023-4134 CVE-2023-3867 CVE-2023-38431 CVE-2023-38430 CVE-2023-38427 CVE-2023-32258 CVE-2023-32254 CVE-2023-32247 CVE-2023-23000 CVE-2023-22995 CVE-2023-1194 CVE-2022-48065 CVE-2022-48063 CVE-2022-47695 CVE-2022-3715
ruby-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-xw73-rw38-6vjc GHSA-mq39-4gv4-mvpx GHSA-8r3f-844c-mc37 CVE-2024-29018
spring-cloud-gateway.tanzu.vmware.com	Expand to see the list GHSA-hgjh-9rj2-g67j CVE-2024-28835 CVE-2024-28834 CVE-2024-28757 CVE-2024-28085 CVE-2023-52425 CVE-2022-3715
sso.apps.tanzu.vmware.com	Expand to see the list GHSA-hgjh-9rj2-g67j GHSA-f3jh-qvm4-mg39 GHSA-2wrp-6fg6-hmc5

v1.7.7 Known issues

This release has the following known issues, listed by component and area.

v1.7.7 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.7.7 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.7 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.7 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.7 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.7 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.7 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.7 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.7 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.7 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.7 Known issues: Supply Chain Security Tools - Policy

Supply Chain Security Tools - Policy is defaulting to TUF enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:
```
policy:
  tuf_enabled: true
```

v1.7.7 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk GitHub repository.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.7 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.7 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.7 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.7 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.7 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.7 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.5.0-alpha.1
API portal	1.4.7
Application Accelerator	1.7.7
Application Configuration Service	2.2.2
Application Live View APIServer	1.7.4
Application Live View back end	1.7.4
Application Live View connector	1.7.4
Application Live View conventions	1.7.4
Application Single Sign-On	5.0.6
Artifact Metadata Repository Observer	0.2.4
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.8
Cartographer Conventions	0.8.10
cert-manager	2.4.5
Cloud Native Runtimes	2.4.17
Contour	2.1.0
Crossplane	0.3.0
Default Roles	1.1.0
Developer Conventions	0.14.2
External Secrets Operator	0.9.4+tanzu.3
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.6
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.16
Out of the Box Supply Chain - Basic	0.14.16
Out of the Box Supply Chain - Testing	0.14.16
Out of the Box Supply Chain - Testing and Scanning	0.14.16
Out of the Box Templates	0.14.16
Service Bindings	0.10.3
Service Registry	1.2.4
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.7
Source Controller	0.8.4
Spring Boot conventions	1.7.4
Spring Cloud Gateway	2.1.10
Supply Chain Choreographer	0.8.10
Supply Chain Security Tools - Policy Controller	1.6.4
Supply Chain Security Tools - Scan	1.7.9
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.4
Supply Chain Security Tools - Store	1.7.7
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.6
Tanzu CLI	1.3.0
Tanzu Developer Portal	1.7.12
Tanzu Developer Portal Configurator	1.7.12
Tekton Pipelines	0.50.3+tanzu.4

v1.7.6

Release Date: 09 April 2024

v1.7.6 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
apis.apps.tanzu.vmware.com	Expand to see the list GHSA-45x7-px36-x8w8 CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806
apiserver.appliveview.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-39326
app-scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806
backend.appliveview.tanzu.vmware.com	Expand to see the list CVE-2024-20926 CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-39326
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2024-28757 CVE-2024-24855 CVE-2024-1086 CVE-2024-1085 CVE-2024-0646 CVE-2024-0607 CVE-2024-0565 CVE-2024-0340 CVE-2023-6915 CVE-2023-6121 CVE-2023-52425 CVE-2023-51782 CVE-2023-51781 CVE-2023-51780 CVE-2023-51779 CVE-2023-46862 CVE-2023-46343 CVE-2023-4134 CVE-2023-32247 CVE-2023-23000 CVE-2023-22995 CVE-2022-48065 CVE-2022-48063 CVE-2022-47695 CVE-2022-3715
connector.appliveview.tanzu.vmware.com	Expand to see the list GHSA-wjxj-5m7g-mg7q GHSA-w33c-445m-f8w7 GHSA-jjfh-589g-3hjx GHSA-hr8g-6v94-x4m9 GHSA-cgwf-w82q-5jrr GHSA-6qvw-249j-h44c GHSA-5jpm-x58v-624v CVE-2024-29025 CVE-2024-26308 CVE-2024-25710 CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-42503 CVE-2023-39326 CVE-2023-35116 CVE-2023-34462
controller.source.apps.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-jq35-85cj-fj4p GHSA-45x7-px36-x8w8
conventions.appliveview.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-39326
metadata-store.apps.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-m425-mq94-257g CVE-2024-25062
policy.apps.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5363 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
service-registry.spring.apps.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678
spring-boot-conventions.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-39326
spring-cloud-gateway.tanzu.vmware.com	Expand to see the list GHSA-ccgv-vj62-xf9h GHSA-4g9r-vxhx-9pgx GHSA-4265-ccf5-phj5 CVE-2024-26308 CVE-2024-25710 CVE-2024-24785 CVE-2024-24784 CVE-2024-24783 CVE-2024-24549 CVE-2024-23672 CVE-2023-4641 CVE-2023-45290 CVE-2023-45289
sso.apps.tanzu.vmware.com	Expand to see the list CVE-2024-26462 CVE-2024-26461 CVE-2024-26458 CVE-2024-20926 CVE-2024-0553 CVE-2023-7008 CVE-2023-6237 CVE-2023-4813 CVE-2023-4806 CVE-2022-48303 CVE-2021-36087 CVE-2021-36086 CVE-2021-36085 CVE-2021-36084

v1.7.6 Known issues

This release has the following known issues, listed by component and area.

v1.7.6 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.7.6 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.6 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.6 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.6 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.6 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.6 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.6 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.6 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.6 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.6 Known issues: Supply Chain Security Tools - Policy

Supply Chain Security Tools - Policy is defaulting to TUF enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:
```
policy:
  tuf_enabled: true
```

v1.7.6 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk GitHub repository.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.6 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.6 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.6 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.6 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.6 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.6 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.5.0-alpha.1
API portal	1.4.7
Application Accelerator	1.7.7
Application Configuration Service	2.2.2
Application Live View APIServer	1.7.4
Application Live View back end	1.7.4
Application Live View connector	1.7.4
Application Live View conventions	1.7.4
Application Single Sign-On	5.0.5
Artifact Metadata Repository Observer	0.2.3
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.8
Cartographer Conventions	0.8.10
cert-manager	2.4.3
Cloud Native Runtimes	2.4.17
Contour	2.1.0
Crossplane	0.3.0
Default Roles	1.1.0
Developer Conventions	0.14.2
External Secrets Operator	0.9.4+tanzu.3
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.6
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.15
Out of the Box Supply Chain - Basic	0.14.15
Out of the Box Supply Chain - Testing	0.14.15
Out of the Box Supply Chain - Testing and Scanning	0.14.15
Out of the Box Templates	0.14.15
Service Bindings	0.10.3
Service Registry	1.2.4
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.7
Source Controller	0.8.4
Spring Boot conventions	1.7.4
Spring Cloud Gateway	2.1.9
Supply Chain Choreographer	0.8.10
Supply Chain Security Tools - Policy Controller	1.6.4
Supply Chain Security Tools - Scan	1.7.9
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.4
Supply Chain Security Tools - Store	1.7.6
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.6
Tanzu CLI	1.2.0
Tanzu Developer Portal	1.7.12
Tanzu Developer Portal Configurator	1.7.12
Tekton Pipelines	0.50.3+tanzu.4

v1.7.5

Release Date: 12 March 2024

v1.7.5 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
amr-observer.apps.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5363 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2024-0641 CVE-2024-0193 CVE-2023-6932 CVE-2023-6931 CVE-2023-6817 CVE-2023-6622 CVE-2023-6606 CVE-2023-6237 CVE-2023-6176 CVE-2023-6129 CVE-2023-6040 CVE-2023-6039 CVE-2023-5678 CVE-2023-46813 CVE-2023-4641 CVE-2023-4563 CVE-2023-35827 CVE-2023-34324 CVE-2023-32257 CVE-2023-32252 CVE-2023-32250 CVE-2023-2953
buildservice.tanzu.vmware.com	Expand to see the list CVE-2024-22365 CVE-2024-0727 CVE-2024-0567 CVE-2024-0553 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-4641
carbonblack.scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-29409 CVE-2023-29406 CVE-2023-24532
dotnet-core-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-7ww5-4wqc-m92c GHSA-45x7-px36-x8w8 CVE-2023-45284
grype.scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-29409 CVE-2023-29406 CVE-2023-24532
metadata-store.apps.tanzu.vmware.com	Expand to see the list CVE-2023-2953
ootb-templates.tanzu.vmware.com	Expand to see the list CVE-2024-0641 CVE-2023-6622 CVE-2023-6176 CVE-2023-6039 CVE-2023-46813 CVE-2023-4641 CVE-2023-35827 CVE-2023-34324 CVE-2023-32257 CVE-2023-32252 CVE-2023-32250
scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806
snyk.scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-29409 CVE-2023-29406 CVE-2023-24532
spring-cloud-gateway.tanzu.vmware.com	Expand to see the list GHSA-r4q3-7g4q-x89m GHSA-hr8g-6v94-x4m9 GHSA-7g45-4rm6-3mm3 GHSA-5mg8-w23w-74h3 GHSA-45x7-px36-x8w8 CVE-2024-22365 CVE-2024-20952 CVE-2024-20932 CVE-2024-20926 CVE-2024-20918 CVE-2024-0727 CVE-2024-0567 CVE-2024-0553 CVE-2023-6237 CVE-2023-6129 CVE-2023-5678 CVE-2023-39326 CVE-2023-2976 CVE-2020-8908
tap-gui.tanzu.vmware.com	Expand to see the list CVE-2024-0727 CVE-2024-0641 CVE-2023-6622 CVE-2023-6606 CVE-2023-6237 CVE-2023-6129 CVE-2023-6040 CVE-2023-6039 CVE-2023-5679 CVE-2023-5678 CVE-2023-5517 CVE-2023-46813 CVE-2023-4641 CVE-2023-4408 CVE-2023-35827 CVE-2023-34324 CVE-2023-32257 CVE-2023-32252 CVE-2023-32250 CVE-2023-2953 CVE-2023-22084 CVE-2022-47015 CVE-2022-43253 CVE-2022-43252 CVE-2022-43248 CVE-2022-43243 CVE-2022-43242 CVE-2022-43241 CVE-2022-43240 CVE-2022-43239 CVE-2022-43238 CVE-2022-43237 CVE-2022-43236 CVE-2022-43235 CVE-2022-1253 CVE-2021-36411 CVE-2021-36410 CVE-2021-36409 CVE-2021-36408 CVE-2021-35452

v1.7.5 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.7.5 Resolved issues: Cloud Native Runtimes

Resolved the issue where web workloads created with Tanzu Application Platform v1.6.3 and earlier failed to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable.

v1.7.5 Resolved issues: Supply Chain Security Tools - Store

Resolved the issue where using a custom issuer such as Let’s Encrypt broke the Tanzu Mission Console orchestration that pushes the AMR Observer credentials from the view cluster to the non-view cluster.

v1.7.5 Known issues

This release has the following known issues, listed by component and area.

v1.7.5 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.7.5 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.5 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.5 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.5 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.5 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.5 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.5 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.5 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.5 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.5 Known issues: Supply Chain Security Tools - Policy

Supply Chain Security Tools - Policy is defaulting to TUF enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:
```
policy:
  tuf_enabled: true
```

v1.7.5 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk GitHub repository.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.5 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.5 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.5 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.5 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.5 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.5 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.4.2
API portal	1.4.7
Application Accelerator	1.7.7
Application Configuration Service	2.2.2
Application Live View APIServer	1.7.3
Application Live View back end	1.7.3
Application Live View connector	1.7.3
Application Live View conventions	1.7.3
Application Single Sign-On	5.0.3
Artifact Metadata Repository Observer	0.2.2
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.7
Cartographer Conventions	0.8.10
cert-manager	2.4.3
Cloud Native Runtimes	2.4.17
Contour	2.1.0
Crossplane	0.3.0
Default Roles	1.1.0
Developer Conventions	0.14.2
External Secrets Operator	0.9.4+tanzu.3
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.5
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.15
Out of the Box Supply Chain - Basic	0.14.15
Out of the Box Supply Chain - Testing	0.14.15
Out of the Box Supply Chain - Testing and Scanning	0.14.15
Out of the Box Templates	0.14.15
Service Bindings	0.10.3
Service Registry	1.2.3
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.6
Source Controller	0.8.3
Spring Boot conventions	1.7.3
Spring Cloud Gateway	2.1.8
Supply Chain Choreographer	0.8.10
Supply Chain Security Tools - Policy Controller	1.6.3
Supply Chain Security Tools - Scan	1.7.7
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.3
Supply Chain Security Tools - Store	1.7.5
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.6
Tanzu CLI	1.2.0
Tanzu Developer Portal	1.7.11
Tanzu Developer Portal Configurator	1.7.11
Tekton Pipelines	0.50.3+tanzu.4

v1.7.4

Release Date: 13 February 2024

v1.7.4 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
application-configuration-service.tanzu.vmware.com	Expand to see the list GHSA-wjxj-5m7g-mg7q GHSA-cgwf-w82q-5jrr GHSA-45x7-px36-x8w8 CVE-2023-42503
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2024-22365 CVE-2024-0567 CVE-2024-0553 CVE-2023-6918 CVE-2023-6004 CVE-2022-47011 CVE-2022-47010 CVE-2022-47008 CVE-2022-47007 CVE-2022-45703 CVE-2022-44840
buildservice.tanzu.vmware.com	Expand to see the list CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-47038 CVE-2023-39804 CVE-2022-48522
cartographer.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-jq35-85cj-fj4p CVE-2023-5363 CVE-2023-5156 CVE-2023-4911 CVE-2023-4813 CVE-2023-4806 CVE-2023-45287 CVE-2023-39319 CVE-2023-39318 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975 CVE-2023-29409 CVE-2023-29406 CVE-2023-2650 CVE-2023-1255 CVE-2023-0465 CVE-2023-0464 CVE-2022-3996
cert-manager.tanzu.vmware.com	Expand to see the list CVE-2023-39326
cnrs.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806
contour.tanzu.vmware.com	Expand to see the list CVE-2023-6246
go-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-449p-3h89-pw88 CVE-2023-45284 CVE-2023-39319 CVE-2023-39318
metadata-store.apps.tanzu.vmware.com	Expand to see the list CVE-2023-7104 CVE-2023-47038 CVE-2023-45285 CVE-2023-39325 CVE-2022-48522 CVE-2022-46908
nodejs-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-9763-4f94-gfch GHSA-7ww5-4wqc-m92c GHSA-45x7-px36-x8w8 GHSA-449p-3h89-pw88
ootb-templates.tanzu.vmware.com	Expand to see the list CVE-2024-22365 CVE-2024-0567 CVE-2024-0553 CVE-2024-0193 CVE-2023-6932 CVE-2023-6931 CVE-2023-6918 CVE-2023-6817 CVE-2023-6606 CVE-2023-6040 CVE-2023-6004 CVE-2023-2953 CVE-2022-47011 CVE-2022-47010 CVE-2022-47008 CVE-2022-47007 CVE-2022-45703 CVE-2022-44840
python-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-9763-4f94-gfch GHSA-7ww5-4wqc-m92c GHSA-45x7-px36-x8w8 GHSA-449p-3h89-pw88 CVE-2023-45284
ruby-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-jq35-85cj-fj4p GHSA-9763-4f94-gfch GHSA-7ww5-4wqc-m92c GHSA-45x7-px36-x8w8 GHSA-449p-3h89-pw88 CVE-2023-45284
service-registry.spring.apps.tanzu.vmware.com	Expand to see the list GHSA-45x7-px36-x8w8
sso.apps.tanzu.vmware.com	Expand to see the list GHSA-2wrh-6pvc-2jm9 CVE-2023-5156 CVE-2023-45145 CVE-2023-41056 CVE-2023-39319 CVE-2023-39318 CVE-2023-3817 CVE-2023-36054 CVE-2023-3446 CVE-2023-22049 CVE-2023-22045 CVE-2023-22044 CVE-2023-22041 CVE-2023-22036 CVE-2023-22006
tap-gui.tanzu.vmware.com	Expand to see the list CVE-2024-22365 CVE-2024-0567 CVE-2024-0553 CVE-2023-7104 CVE-2023-6918 CVE-2023-6004 CVE-2023-51385 CVE-2023-51384 CVE-2023-48795 CVE-2023-28531 CVE-2022-46908
tekton.tanzu.vmware.com	Expand to see the list CVE-2024-22365 CVE-2024-0567 CVE-2024-0553 CVE-2023-6918 CVE-2023-6546 CVE-2023-6004 CVE-2023-5981 CVE-2023-5717 CVE-2023-5178 CVE-2023-5158 CVE-2023-5156 CVE-2023-48795 CVE-2023-4813 CVE-2023-4806 CVE-2023-47038 CVE-2023-46218 CVE-2023-45871 CVE-2023-44487 CVE-2023-42754 CVE-2023-4016 CVE-2023-39804 CVE-2023-39198 CVE-2023-39194 CVE-2023-39193 CVE-2023-39192 CVE-2023-39189 CVE-2023-3773 CVE-2023-3772 CVE-2023-37453 CVE-2023-36054 CVE-2023-31085 CVE-2023-31083 CVE-2023-25775 CVE-2022-48522 CVE-2022-47011 CVE-2022-47010 CVE-2022-47008 CVE-2022-47007 CVE-2022-45703 CVE-2022-44840 CVE-2022-4285 CVE-2022-35205
web-servers-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-9763-4f94-gfch GHSA-7ww5-4wqc-m92c GHSA-45x7-px36-x8w8 GHSA-449p-3h89-pw88

v1.7.4 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.7.4 Resolved issues: Application Single Sign-On

When requesting an access_token by using the the Authorization Code flow, scopes in the token are filtered based on user roles. In this version, the scope parameter of the access token response is also filtered, with the same rules. For more information, see the OAuth documentation.

v1.7.4 Resolved issues: Contour

Ships with Contour v1.25.3.
Supports upgrades to Tanzu Application Platform v1.7.4 without downtime when transitioning from DaemonSet to Deployments.

Note
Downtime-free upgrades require more than one node in the cluster.

v1.7.4 Resolved issues: Supply Chain Security Tools - Store

Artifact Metadata Repository now properly sets the hasNextPage to false when there are no more items to be retrieved during a paginated query. This fixes the issue where the last page always returns an empty list.

v1.7.4 Known issues

This release has the following known issues, listed by component and area.

v1.7.4 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.7.4 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.4 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.4 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.4 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.4 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.4 Known issues: Cloud Native Runtimes

Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.7.4 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.4 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.4 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.4 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.4 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information, see this issue in the Snyk GitHub repository.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.4 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
Using a custom issuer such as Let’s Encrypt breaks the Tanzu Mission Control orchestration that pushes the AMR Observer credentials from the view cluster to the non-view cluster. There is currently no remediation for this issue.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.4 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.4 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.4 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.4 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.4 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.4.2
API portal	1.4.7
Application Accelerator	1.7.7
Application Configuration Service	2.2.2
Application Live View APIServer	1.7.3
Application Live View back end	1.7.3
Application Live View connector	1.7.3
Application Live View conventions	1.7.3
Application Single Sign-On	5.0.3
Artifact Metadata Repository Observer	0.2.1
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.5
Cartographer Conventions	0.8.10
cert-manager	2.4.3
Cloud Native Runtimes	2.4.17
Contour	2.1.0
Crossplane	0.3.0
Default Roles	1.1.0
Developer Conventions	0.14.2
External Secrets Operator	0.9.4+tanzu.2
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.3
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.14
Out of the Box Supply Chain - Basic	0.14.14
Out of the Box Supply Chain - Testing	0.14.14
Out of the Box Supply Chain - Testing and Scanning	0.14.14
Out of the Box Templates	0.14.14
Service Bindings	0.10.3
Service Registry	1.2.3
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.4
Source Controller	0.8.3
Spring Boot conventions	1.7.3
Spring Cloud Gateway	2.1.7
Supply Chain Choreographer	0.8.10
Supply Chain Security Tools - Policy Controller	1.6.3
Supply Chain Security Tools - Scan	1.7.5
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.3
Supply Chain Security Tools - Store	1.7.4
Tanzu Developer Portal	1.7.10
Tanzu Developer Portal Configurator	1.0.6
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.5
Tanzu CLI	1.1.0
Tekton Pipelines	0.50.3+tanzu.4

v1.7.3

Release Date: 09 January 2024

v1.7.3 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
accelerator.apps.tanzu.vmware.com	Expand to see the list GHSA-v94h-hvhg-mf9h GHSA-jjfh-589g-3hjx CVE-2023-45285 CVE-2023-34053
api-portal.tanzu.vmware.com	Expand to see the list GHSA-vmq6-5m68-f53m CVE-2023-5981 CVE-2023-47038 CVE-2023-4016 CVE-2023-36054 CVE-2022-48522
apis.apps.tanzu.vmware.com	Expand to see the list CVE-2023-45285
application-configuration-service.tanzu.vmware.com	Expand to see the list CVE-2023-6378 CVE-2023-44487 CVE-2023-39325 CVE-2023-3635 CVE-2023-34053
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2023-5717 CVE-2023-5178 CVE-2023-5158 CVE-2023-5156 CVE-2023-48795 CVE-2023-4813 CVE-2023-4806 CVE-2023-47038 CVE-2023-46218 CVE-2023-44487 CVE-2023-42754 CVE-2023-39804 CVE-2023-39198 CVE-2023-39194 CVE-2023-39193 CVE-2023-39192 CVE-2023-39189 CVE-2023-3773 CVE-2023-37453 CVE-2022-48522 CVE-2022-4285 CVE-2022-35205
developer-conventions.tanzu.vmware.com	Expand to see the list CVE-2023-5156 CVE-2023-4813 CVE-2023-4806
ootb-templates.tanzu.vmware.com	Expand to see the list CVE-2023-5981 CVE-2023-5717 CVE-2023-5178 CVE-2023-5158 CVE-2023-48795 CVE-2023-47038 CVE-2023-46218 CVE-2023-45871 CVE-2023-42754 CVE-2023-39804 CVE-2023-39198 CVE-2023-39194 CVE-2023-39193 CVE-2023-39192 CVE-2023-39189 CVE-2023-3773 CVE-2023-37453 CVE-2023-31085 CVE-2023-25775 CVE-2022-48522 CVE-2022-4285 CVE-2022-35205
service-registry.spring.apps.tanzu.vmware.com	Expand to see the list CVE-2023-6378 CVE-2023-39325 CVE-2023-34053
servicebinding.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-39325 CVE-2023-39319 CVE-2023-39318 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
spring-cloud-gateway.tanzu.vmware.com	Expand to see the list GHSA-jjfh-589g-3hjx CVE-2023-5981 CVE-2023-5156 CVE-2023-4813 CVE-2023-4806 CVE-2023-47038 CVE-2023-44487 CVE-2023-4016 CVE-2023-39804 CVE-2023-34053 CVE-2022-48522
sso.apps.tanzu.vmware.com	Expand to see the list GHSA-vmq6-5m68-f53m CVE-2023-5363 CVE-2023-34053 CVE-2023-2975
tap-gui.tanzu.vmware.com	Expand to see the list GHSA-hww2-5g85-429m GHSA-fj7f-vq84-fh43 CVE-2023-5981 CVE-2023-5870 CVE-2023-5869 CVE-2023-5868 CVE-2023-5717 CVE-2023-5178 CVE-2023-5158 CVE-2023-5156 CVE-2023-48706 CVE-2023-48237 CVE-2023-48236 CVE-2023-48235 CVE-2023-48234 CVE-2023-48233 CVE-2023-48231 CVE-2023-4813 CVE-2023-4806 CVE-2023-47038 CVE-2023-46246 CVE-2023-46218 CVE-2023-45871 CVE-2023-44487 CVE-2023-42754 CVE-2023-40217 CVE-2023-4016 CVE-2023-39804 CVE-2023-39198 CVE-2023-39194 CVE-2023-39193 CVE-2023-39192 CVE-2023-39189 CVE-2023-38473 CVE-2023-38472 CVE-2023-38471 CVE-2023-38470 CVE-2023-38469 CVE-2023-3773 CVE-2023-37453 CVE-2023-36617 CVE-2023-31085 CVE-2023-28756 CVE-2023-28755 CVE-2023-25775 CVE-2022-48522 CVE-2022-40090 CVE-2022-24599 CVE-2022-2042 CVE-2022-2000 CVE-2022-1897 CVE-2022-1886 CVE-2022-1771 CVE-2022-1725 CVE-2019-13147

v1.7.3 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.7.3 Resolved issues: Tanzu Application Platform

Tanzu Mission Control has support for this Tanzu Application Platform release.

v1.7.3 Known issues

This release has the following known issues, listed by component and area.

v1.7.3 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.7.3 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.3 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.3 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.3 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.3 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.3 Known issues: Cloud Native Runtimes

Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.7.3 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.3 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.3 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.3 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.3 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. For more information, see this issue in the Snyk Github repository.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.3 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.3 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.3 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.3 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.3 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.3 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.4.2
API portal	1.4.6
Application Accelerator	1.7.7
Application Configuration Service	2.2.1
Application Live View APIServer	1.7.3
Application Live View back end	1.7.3
Application Live View connector	1.7.3
Application Live View conventions	1.7.3
Application Single Sign-On	5.0.1
Artifact Metadata Repository Observer	0.2.1
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.4
Cartographer Conventions	0.8.5
cert-manager	2.4.2
Cloud Native Runtimes	2.4.3
Contour	1.25.3
Crossplane	0.3.0
Default Roles	1.1.0
Developer Conventions	0.14.2
External Secrets Operator	0.9.4+tanzu.2
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.2
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.8
Out of the Box Supply Chain - Basic	0.14.8
Out of the Box Supply Chain - Testing	0.14.8
Out of the Box Supply Chain - Testing and Scanning	0.14.8
Out of the Box Templates	0.14.8
Service Bindings	0.10.3
Service Registry	1.2.2
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.3
Source Controller	0.8.3
Spring Boot conventions	1.7.3
Spring Cloud Gateway	2.1.6
Supply Chain Choreographer	0.8.5
Supply Chain Security Tools - Policy Controller	1.6.3
Supply Chain Security Tools - Scan	1.7.3
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.2
Supply Chain Security Tools - Store	1.7.2
Tanzu Developer Portal	1.7.9
Tanzu Developer Portal Configurator	1.0.5
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.4
Tanzu CLI	1.1.0
Tekton Pipelines	0.50.3+tanzu.3

v1.7.2

Release Date: 12 December 2023

v1.7.2 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
api-portal.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 CVE-2023-5363 CVE-2023-3817 CVE-2023-35116 CVE-2023-3446 CVE-2023-2975 CVE-2023-22081 CVE-2023-22025
apiserver.appliveview.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
app-scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-39319 CVE-2023-39318 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
backend.appliveview.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-2wrh-6pvc-2jm9 CVE-2023-5363 CVE-2023-39319 CVE-2023-39318 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975 CVE-2023-29409 CVE-2023-29406 CVE-2023-22049 CVE-2023-22045 CVE-2023-22044 CVE-2023-22041 CVE-2023-22036 CVE-2023-22006
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2023-5981 CVE-2023-45871 CVE-2023-4016 CVE-2023-31085 CVE-2023-25775
buildservice.tanzu.vmware.com	Expand to see the list GHSA-vfp6-jrw2-99g9 GHSA-qppj-fm5r-hxr3 GHSA-4374-p667-p6c8 GHSA-2wrh-6pvc-2jm9 GHSA-2c7c-3mj9-8fqh CVE-2023-5981 CVE-2023-5363 CVE-2023-4016 CVE-2023-3817 CVE-2023-36054 CVE-2023-3446 CVE-2023-2975
carbonblack.scanning.apps.tanzu.vmware.com	Expand to see the list GHSA-6xv5-86q9-7xr8 CVE-2023-5363 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
cert-manager.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-2wrh-6pvc-2jm9
connector.appliveview.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
conventions.appliveview.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-39319 CVE-2023-39318 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975 CVE-2023-29409 CVE-2023-29406
dotnet-core-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-jq35-85cj-fj4p GHSA-2wrh-6pvc-2jm9 GHSA-2q89-485c-9j2x CVE-2023-39319 CVE-2023-39318 CVE-2023-29409
go-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-2wrh-6pvc-2jm9 CVE-2023-29409
grype.scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
metadata-store.apps.tanzu.vmware.com	Expand to see the list GHSA-4374-p667-p6c8 GHSA-2wrh-6pvc-2jm9 CVE-2023-4911
nodejs-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-jq35-85cj-fj4p
python-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-2wrh-6pvc-2jm9 CVE-2023-39319 CVE-2023-39318 CVE-2023-29409
ruby-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-2wrh-6pvc-2jm9 GHSA-2q89-485c-9j2x
scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-39319 CVE-2023-39318 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
service-registry.spring.apps.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-39325 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
snyk.scanning.apps.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
spring-boot-conventions.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
web-servers-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-jq35-85cj-fj4p GHSA-2wrh-6pvc-2jm9 CVE-2023-29409

v1.7.2 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.7.2 Resolved issues: cert-manager

Resolved the known vulnerability with ACME HTTP01 in Tanzu Application Platform.

v1.7.2 Resolved issues: SCST - Scan and SCST - Scan 2.0

Resolved an issue that caused Scan Controller to fail because of panic when container.SecurityContext is not null and the Capabilities or SeccompProfile field is null.

v1.7.2 Resolved issues: Service Registry

Skips hostname and TLS verification when mTLS is not enabled.

v1.7.2 Known issues

This release has the following known issues, listed by component and area.

v1.7.2 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.
Tanzu Mission Control does not support this Tanzu Application Platform release.

v1.7.2 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.2 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.2 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.2 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.2 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.2 Known issues: Cloud Native Runtimes

Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.7.2 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.2 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.2 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.2 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.2 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.2 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.2 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.2 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.2 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.2 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.2 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.4.1
API portal	1.4.5
Application Accelerator	1.7.6
Application Configuration Service	2.2.0
Application Live View APIServer	1.7.3
Application Live View back end	1.7.3
Application Live View connector	1.7.3
Application Live View conventions	1.7.3
Application Single Sign-On	5.0.0
Artifact Metadata Repository Observer	0.2.1
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.4
Cartographer Conventions	0.8.5
cert-manager	2.4.2
Cloud Native Runtimes	2.4.3
Contour	1.25.3
Crossplane	0.3.0
Default Roles	1.1.0
Developer Conventions	0.14.1
External Secrets Operator	0.9.4+tanzu.2
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.2
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.8
Out of the Box Supply Chain - Basic	0.14.8
Out of the Box Supply Chain - Testing	0.14.8
Out of the Box Supply Chain - Testing and Scanning	0.14.8
Out of the Box Templates	0.14.8
Service Bindings	0.10.2
Service Registry	1.2.1
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.3
Source Controller	0.8.3
Spring Boot conventions	1.7.3
Spring Cloud Gateway	2.1.5
Supply Chain Choreographer	0.8.5
Supply Chain Security Tools - Policy Controller	1.6.3
Supply Chain Security Tools - Scan	1.7.3
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.2
Supply Chain Security Tools - Store	1.7.2
Tanzu Developer Portal	1.7.8
Tanzu Developer Portal Configurator	1.0.4
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.4
Tanzu CLI	1.1.0
Tekton Pipelines	0.50.3+tanzu.3

v1.7.1

Release Date: 27 November 2023

v1.7.1 New features by component and area

This release includes the following changes, listed by component and area.

v1.7.1 Features: Contour

Contour v1.25.3 is available in Tanzu Application Platform. For more information, see the Contour v1.25.3 release notes in GitHub.

v1.7.1 Features: External Secrets Operator

Adds support for OpenShift clusters. For more information, see Install External Secrets Operator.

v1.7.1 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
accelerator.apps.tanzu.vmware.com	Expand to see the list GHSA-4374-p667-p6c8
apis.apps.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 CVE-2023-5363 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
cnrs.tanzu.vmware.com	Expand to see the list CVE-2023-5363 CVE-2023-39325 CVE-2023-39323 CVE-2023-39319 CVE-2023-39318 CVE-2023-3817 CVE-2023-3446 CVE-2023-2975
dotnet-core-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237
tekton.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-m425-mq94-257g GHSA-4374-p667-p6c8 GHSA-2wrh-6pvc-2jm9 CVE-2023-5363 CVE-2023-5197 CVE-2023-4921 CVE-2023-4881 CVE-2023-4623 CVE-2023-4622 CVE-2023-4569 CVE-2023-44487 CVE-2023-44466 CVE-2023-42756 CVE-2023-42755 CVE-2023-42753 CVE-2023-42752 CVE-2023-4273 CVE-2023-4244 CVE-2023-4208 CVE-2023-4207 CVE-2023-4206 CVE-2023-4194 CVE-2023-4155 CVE-2023-4132 CVE-2023-4128 CVE-2023-40283 CVE-2023-39323 CVE-2023-39319 CVE-2023-39318 CVE-2023-3866 CVE-2023-3865 CVE-2023-3863 CVE-2023-38546 CVE-2023-38432 CVE-2023-3817 CVE-2023-3446 CVE-2023-34319 CVE-2023-3338 CVE-2023-2975 CVE-2023-29409 CVE-2023-29406 CVE-2023-29405 CVE-2023-29404 CVE-2023-29403 CVE-2023-29402 CVE-2023-29400 CVE-2023-24540 CVE-2023-24539 CVE-2023-24538 CVE-2023-24537 CVE-2023-24536 CVE-2023-24534 CVE-2023-24532 CVE-2023-2156 CVE-2023-20588 CVE-2023-20569 CVE-2023-1732 CVE-2023-1206 CVE-2022-41725 CVE-2022-41724 CVE-2022-41723 CVE-2022-41722

v1.7.1 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.7.1 Resolved issues: Tanzu Application Platform

Tanzu Application Platform v1.7.1 is supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu v8.

v1.7.1 Resolved issues: Supply Chain Choreographer

Pods created by Tekton Tasks adhere to the “Restricted” Pod Security Standard.

v1.7.1 Known issues

This release has the following known issues, listed by component and area.

v1.7.1 Known issues: Tanzu Application Platform

The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKR v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.7.1 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.1 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.1 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.1 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.1 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.1 Known issues: cert-manager

There is a known vulnerability with ACME HTTP01 in Tanzu Application Platform v1.7.1. Although the likelihood of exploitation of the cert-manager’s ACME HTTP01 solver Pod is minimal, if your organization heavily relies on ACME HTTP01 challenges and deems it too risky to retry certificate issuance, consider using DNS01 until VMware provides a technical solution in the future patch release.

v1.7.1 Known issues: Cloud Native Runtimes

Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.7.1 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.1 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.1 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.1 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Supply Chains that use SSH auth with the git-writer resource will fail in the gitops step. As a workaround, use HTTPS auth.

v1.7.1 Known issues: Supply Chain Security Tools (SCST) - Scan

When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
When container.SecurityContext is not null and the Capabilities or SeccompProfile field is empty (null), the controller fails because of panic. For a workaround, see Troubleshoot Supply Chain Security Tools - Scan.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.1 Known issues: Supply Chain Security Tools - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.1 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.1 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.1 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.1 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.1 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.4.1
API portal	1.4.4
Application Accelerator	1.7.6
Application Configuration Service	2.2.0
Application Live View APIServer	1.7.2
Application Live View back end	1.7.2
Application Live View connector	1.7.2
Application Live View conventions	1.7.2
Application Single Sign-On	5.0.0
Artifact Metadata Repository Observer	0.2.1
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.2
Cartographer Conventions	0.8.5
cert-manager	2.4.1
Cloud Native Runtimes	2.4.3
Contour	1.25.3
Crossplane	0.3.0
Default Roles	1.1.0
Developer Conventions	0.14.1
External Secrets Operator	0.9.4+tanzu.2
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.0
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.8
Out of the Box Supply Chain - Basic	0.14.8
Out of the Box Supply Chain - Testing	0.14.8
Out of the Box Supply Chain - Testing and Scanning	0.14.8
Out of the Box Templates	0.14.8
Service Bindings	0.10.2
Service Registry	1.2.0
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.0
Source Controller	0.8.3
Spring Boot conventions	1.7.2
Spring Cloud Gateway	2.1.5
Supply Chain Choreographer	0.8.5
Supply Chain Security Tools - Policy Controller	1.6.3
Supply Chain Security Tools - Scan	1.7.1
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.1
Supply Chain Security Tools - Store	1.7.1
Tanzu Developer Portal	1.7.8
Tanzu Developer Portal Configurator	1.0.4
Tanzu Application Platform Telemetry	0.7.0
Tanzu Build Service	1.12.2
Tanzu CLI	1.1.0
Tekton Pipelines	0.50.3+tanzu.3

v1.7.0

Release Date: 07 November 2023

What’s new in Tanzu Application Platform v1.7

This release includes the following platform-wide enhancements.

New platform-wide features

Added air-gapped support to the Tanzu Application Platform GitOps install method. For more information, see one of the following install topics:

New components

Aria Operations for Applications (AOA) dashboard (Beta): This dashboard, powered by Aria Operations for Applications (formerly Tanzu Observability), helps platform engineers monitor the health of clusters by showing whether the deployed Tanzu Application Platform components are behaving as expected.
AWS Services: Provides a more streamlined approach for integrating services from AWS into Tanzu Application Platform. Currently supports RDS PostgresSQL and MySQL on AWS. Installing this package is optional because it is not included in any Tanzu Application Platform profile.
Service Registry for VMware Tanzu: Provides on-demand Eureka servers for Tanzu Application Platform clusters. With Service Registry, you can create Eureka servers in your namespaces and bind Spring Boot workloads to them.

v1.7.0 New features by component and area

This release includes the following changes, listed by component and area.

v1.7.0 Features: API Auto Registration

Introduces API curation feature in alpha that is intended for testing only.
The new CuratedAPIDescriptor custom resource allows aggregating multiple APIs of type OpenAPI in a single curated API.
Integrates with Spring Cloud Gateway for Kubernetes to automatically generate SpringCloudGatewayMappings and SpringCloudGatewayRouteConfigs.
The API Auto Registration controller exposes API endpoints to view all curated APIs or filter for specific APIs to add as API portal’s source URLs.

v1.7.0 Features: Application Accelerator

Includes built-in integration of application bootstrap provenance through an accelerator into Artifact Metadata Repository (AMR). This enables application architects to get advanced insight into how accelerators are used, such as, the most commonly and rarely used accelerators. For more information, see Integration with AMR.

v1.7.0 Features: Application Configuration Service

The default interval for a new ConfigurationSlice resource is now 60 seconds.
When debugging ConfigurationSlice resources, you now see status information from GitRepository resources if any of the errors are related to the GitRepository reconciliation.

v1.7.0 Features: Application Single Sign-On

Includes cross-origin resource sharing (CORS) options so application developers can use client_credentials grants for single-page apps.
Adds new configuration option AuthServer.spec.session.expiry to customize how long an Authserver’s session is active.
Authorization servers support the user-information endpoint to obtain users identity information for OpenID Connect (OIDC) providers.
Updates the UI to have clearer messaging on login and consent screens.
Enhances audit log, error handling, and status fields.

v1.7.0 Features: Bitnami Services

Adds support for environments enforcing the restricted Pod Security Standard.

v1.7.0 Features: cert-manager

Upgrades cert-manager.tanzu.vmware.com to [email protected]. For more information, see the cert-manager documentation.

v1.7.0 Features: Cloud Native Runtimes

Adds the new configuration option resource_management, which allows you to configure CPU and memory for both Kubernetes request and limits for all Knative Serving deployments in the knative-serving namespace. For information about how to use this configuration, see Knative Serving Resource Management.
Adds the new configuration option cnrs.contour.default_tls_secret, which has the same meaning as cnrs.default_tls_secret. cnrs.default_tls_secret is deprecated in this release and is marked for removal in Tanzu Application Platform v1.10, which includes Cloud Native Runtimes v2.7. In the meantime both options are supported and cnrs.contour.default_tls_secret takes precedence over cnrs.default_tls_secret.
Adds new configuration options cnrs.contour.[internal|external].namespace. These two new options behave the same as cnrs.ingress.[internal|external].namespace. cnrs.ingress.[internal/external].namespace is deprecated in this release and is marked for removal in Tanzu Application Platform v1.10. In the meantime, both options are supported, but cnrs.contour.[internal/external].namespace takes precedence over cnrs.ingress.[internal/external].namespace.
New Knative garbage collection defaults. Cloud Native Runtimes is reducing the number of revisions kept for each Knative service from 20 to 5. This improves the Knative controller’s memory consumption when there are several Knative services. Knative manages this through the config-gc ConfigMap under the knative-serving namespace. See the Knative documentation. The following defaults are set for Knative garbage collection:
- retain-since-create-time: "48h": Any revision created with an age of 2 days is considered for garbage collection.
- retain-since-last-active-time: "15h": Revision that was last active at least 15 hours ago is considered for garbage collection.
- min-non-active-revisions: "2": The minimum number of inactive Revisions to retain.
- max-non-active-revisions: "5": The maximum number of inactive Revisions to retain.
For more information about updating default values, see Configure Garbage collection for the Knative revisions.
Knative Serving v1.11 is available in Cloud Native Runtimes. For more information, see the Knative v1.11 release notes.
Adds the Knative Serving migrator job. Cloud Native Runtimes now runs a new job in the knative-serving namespace that is responsible for ensuring that Cloud Native Runtimes uses the latest Knative Serving resource versions.

v1.7.0 Features: Contour

Contour v1.25.2 is available in Tanzu Application Platform. For more information, see the Contour v1.25.2 release notes in GitHub.
Adds the new configuration option loadBalancerTLSTermination, which allows you to configure the Envoy service’s port for TLS termination. For information about using this configuration option, see Configure Contour to support TLS termination at an AWS Network LoadBalancer

v1.7.0 Features: Crossplane

Updates Universal Crossplane to v1.13.2-up.1. For more information, see the Upbound blog.
Custom certificate data is now correctly passed through to the Crossplane Providers.

v1.7.0 Features: External Secrets Operator

External Secrets Operator has now reached General Availability.
Adds SYNC, GET, LIST and CREATE commands to the CLI. The GET command lets you get more details about your external secrets and secret stores. The CREATE command lets you create cluster external secret and cluster secret stores. For more information, see the Tanzu CLI Command Reference documentation.

v1.7.0 Features: Service Bindings

Introduces the new servicebinding.tanzu.vmware.com package, which supersedes the existing service-bindings.labs.vmware.com. The new package is based on the community maintained servicebinding/runtime implementation instead of the VMware-maintained vmware-tanzu/servicebinding.

v1.7.0 Features: Services Toolkit

Adds support for Kubernetes v1.27.

v1.7.0 Features: Supply Chain Choreographer

Documents procedure for implementing blue-green deployments with Flagger for Carvel-package supply chains. For more information, see Use blue-green deployment with Flagger for Supply Chain Choreographer (beta).

v1.7.0 Features: Supply Chain plug-in for Tanzu Developer Portal

You can add triage analysis to vulnerabilities from a vulnerability scanner step. For more information, see Triage Vulnerabilities
Adds role-based access control (RBAC) support based on namespace to allow a user with a namespace scoped account to select a namespace within the plug-in. For more information, see Enable role-based access control for the Secure Supply Chains UI and Security Analysis UI plug-ins

v1.7.0 Features: Security Analysis plug-in for Tanzu Developer Portal

Adds RBAC support based on namespace to allow a user with a namespace scoped account to select a namespace within the plug-in. For more information, see Enable role-based access control for the Secure Supply Chains UI and Security Analysis UI plug-ins

v1.7.0 Features: Spring Boot Conventions

Developers can override the settings for the Kubernetes default liveness, readiness, and startup probes for Spring Boot apps in Tanzu Application Platform. For more information, see Configure liveness, readiness, and startup probes for Spring Boot applications.

v1.7.0 Features: Supply Chain Security Tools (SCST) - Scan

Adds support for Pod Security Admission with Pod Security Standards enforced.
Adds support for the new version of the Tanzu CLI Insight plug-in.
SCST - Scan 2.0 (beta) now uses Trivy as the default scanner for container image scanning using the included image and template. SCST - Scan 1.0 maintains Grype as the default.

v1.7.0 Features: Supply Chain Security Tools (SCST) - Store

Artifact Metadata Repository (AMR) is a new component that extends the capabilities of SCST - Store. AMR has the following new features in v1.7.0:

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
Installing Tanzu Application Platform now deploys AMR by default. For more information, see Artifact Metadata Repository.
Introduces the AMR authentication and authorization feature. For more information, see Authentication and authorization.
AMR GraphQL now contains data for Images, Containers, and Location. For more information, see Data Model and Concepts.
To enable DORA metrics functionality, if you configured the environment label, rename it to env. For more information, see Configure Artifact Metadata Repository.

v1.7.0 Features: Tanzu CLI and plug-ins

This release includes Tanzu CLI v1.2.0 and a set of installable plug-in groups that are versioned so that the CLI is compatible with every supported version of Tanzu Application Platform. For more information, see Install Tanzu CLI.

v1.7.0 Features: Tanzu CLI Insight plug-in

You can access reports from each scan to find out what packages and vulnerabilities were discovered by using the tanzu insight report command. For more information, see the Tanzu CLI Command Reference documentation.
You can rebase vulnerability triage analyses by using the tanzu insight triage rebase command. For more information, see Rebase multiple analyses and the Tanzu CLI Command Reference documentation.

v1.7.0 Features: Tanzu Developer Portal

Tanzu Developer Portal Configurator has now reached General Availability. You can use Configurator to make use of VMware validated plug-ins and also integrate custom external plug-ins. For more information, see the Configurator overview.
The following third-party plug-ins have validated compatibility with the Configurator:
- Tech Insights - @vmware-tanzu/tdp-plugin-techinsights
- Tech Insights Backend - @vmware-tanzu/tdp-plugin-techinsights-backend
- Sonarqube - @vmware-tanzu/tdp-plugin-backstage-sonarqube
- Sonarqube Backend -@vmware-tanzu/tdp-plugin-backstage-sonarqube-backend
- Stack Overflow - @vmware-tanzu/tdp-plugin-stack-overflow
- Prometheus - @vmware-tanzu/tdp-plugin-prometheus
- Jira - @vmware-tanzu/tdp-plugin-backstage-jira
- Grafana - @vmware-tanzu/tdp-plugin-backstage-grafana
- GitHub Actions - @vmware-tanzu/tdp-plugin-github-actions
- Snyk - @vmware-tanzu/tdp-plugin-snyk
- Tanzu Developer Portal Home - @vmware-tanzu/tdp-plugin-home

v1.7.0 Features: Tanzu Developer Tools for VS Code

Introduces alpha support for development containers. For more information, see Use development containers to make a development environment (alpha).

v1.7.0 Breaking changes

This release includes the following changes, listed by component and area.

v1.7.0 Breaking changes: Tanzu Application Platform

Minikube support has been removed.

v1.7.0 Breaking changes: Contour

By default, Tanzu Application Platform v1.7.0 installs the Contour’s Envoy pods as a Deployment instead of a DaemonSet. This causes application downtime during an upgrade. For more information about how to avoid upgrade downtime, see Configure Envoy for Contour.

v1.7.0 Breaking changes: Application Live View

The appliveview_connector.backend.sslDisabled key has been removed and is replaced by appliveview_connector.backend.sslDeactivated.

v1.7.0 Breaking changes: Application Single Sign-On

ClientRegistration.spec.clientAuthenticationMethod no longer supports basic and post.
The internal-unsafe identity provider forAuthServer no longer supports claim mappings.
ClusterUnsafeTestLogin no longer has the short name cutl.

v1.7.0 Breaking changes: Eventing

Eventing is removed in this release. Install and manage Knative Eventing as an alternative solution.

v1.7.0 Breaking changes: Learning Center

Learning Center is removed in this release. Use Tanzu Academy instead for all Tanzu Application Platform learning and education needs.

v1.7.0 Breaking changes: Services Toolkit

Services Toolkit forces explicit cluster-wide permissions to claim from a ClusterInstanceClass. You must now grant the permission to claim from a ClusterInstanceClass by using a ClusterRole and ClusterRoleBinding. For more information, see The claim verb for ClusterInstanceClass.

v1.7.0 Breaking changes: Supply Chain Security Tools (SCST) - Scan

The docker field and related sub-fields used in SCST - Scan are removed in this release.
The field scanning.metadataStore.url is now removed. If this field is present in the tap-values.yaml file, it can cause reconciliation failure. For more information, see Troubleshooting
SCST - Scan 2.0: You must upgrade the Tanzu Application Platform package to v1.7.0 before upgrading app-scanning.apps.tanzu.vmware.com to v0.2.0. See Troubleshooting.

v1.7.0 Breaking changes: Tanzu CLI command reference documentation

The Tanzu CLI plug-in command reference documentation has moved from the Tanzu Application Platform documentation to the VMware Tanzu CLI documentation. The following Tanzu CLI plug-ins are impacted: Accelerator, Apps, Build Service, External Secrets, Insight, and Tanzu Service.

v1.7.0 Breaking changes: Tanzu CLI RBAC plug-in

The RBAC plug-in for the Tanzu CLI, which was released as a beta to help manage user and group bindings to the Tanzu Application Platform Default Roles, has been removed in favor of native Kubernetes capability. For more information, see the Default roles for Tanzu Application Platform documentation.

v1.7.0 Breaking changes: Workloads

Function Buildpacks for Knative and the corresponding Application Accelerator starter templates for Python and Java are removed in this release.

v1.7.0 Security fixes

This release has the following security fixes, listed by component and area.

Package Name	Vulnerabilities Resolved
accelerator.apps.tanzu.vmware.com	Expand to see the list GHSA-hrmr-f5m6-m9pq GHSA-6fxm-66hq-fc96 CVE-2023-22049 CVE-2023-22045 CVE-2023-22044 CVE-2023-22041 CVE-2023-22036 CVE-2023-22006 CVE-2012-2098
amr-observer.apps.tanzu.vmware.com	Expand to see the list CVE-2023-31484 CVE-2023-29491 CVE-2023-29383 CVE-2023-26604 CVE-2023-2650 CVE-2023-0465 CVE-2023-0464 CVE-2022-3821 CVE-2022-3219 CVE-2020-13844 CVE-2016-2781 CVE-2013-4235
api-portal.tanzu.vmware.com	Expand to see the list GHSA-2wrh-6pvc-2jm9 CVE-2023-4911 CVE-2023-22049 CVE-2023-22045 CVE-2023-22044 CVE-2023-22041 CVE-2023-22036 CVE-2023-22006
apis.apps.tanzu.vmware.com	Expand to see the list GHSA-2wrh-6pvc-2jm9 CVE-2023-44487
app-scanning.apps.tanzu.vmware.com	Expand to see the list GHSA-6xv5-86q9-7xr8 GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237 GHSA-2q89-485c-9j2x
backend.appliveview.tanzu.vmware.com	Expand to see the list GHSA-w37g-rhq8-7m4j GHSA-9w3m-gqgf-c4p9 GHSA-6mjq-h674-j845 CVE-2023-20863
base-jammy-stack-lite.buildpacks.tanzu.vmware.com	Expand to see the list CVE-2023-4911 CVE-2023-44466 CVE-2023-4273 CVE-2023-4194 CVE-2023-4155 CVE-2023-4132 CVE-2023-3866 CVE-2023-3865 CVE-2023-3863 CVE-2023-38432 CVE-2023-3338 CVE-2023-2156 CVE-2023-1206
buildservice.tanzu.vmware.com	Expand to see the list GHSA-v95c-p5hm-xq8f GHSA-m8cg-xc2p-r3fc GHSA-hmfx-3pcx-653p GHSA-g2j6-57v7-gm8c GHSA-f3fp-gc8g-vw66 GHSA-6xv5-86q9-7xr8 GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237 GHSA-259w-8hf6-59c2 CVE-2023-4911 CVE-2023-2650 CVE-2023-1255 CVE-2023-0465 CVE-2023-0464 CVE-2022-3996
carbonblack.scanning.apps.tanzu.vmware.com	Expand to see the list GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237
cartographer.tanzu.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-6wrf-mxfj-pf5p GHSA-4374-p667-p6c8 GHSA-33pg-m6jh-5237 GHSA-2wrh-6pvc-2jm9
connector.appliveview.tanzu.vmware.com	Expand to see the list GHSA-jgvc-jfgh-rjvv GHSA-7g24-qg88-p43q GHSA-6mjq-h674-j845 CVE-2023-20863
crossplane.tanzu.vmware.com	Expand to see the list GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237 CVE-2023-2650 CVE-2023-1255 CVE-2023-0465 CVE-2023-0464 CVE-2022-3996
developer-conventions.tanzu.vmware.com	Expand to see the list GHSA-2wrh-6pvc-2jm9 CVE-2023-2650 CVE-2023-1255
external-secrets.apps.tanzu.vmware.com	Expand to see the list GHSA-rm8v-mxj3-5rmq GHSA-2wrh-6pvc-2jm9 CVE-2023-2650 CVE-2023-1255 CVE-2023-0465 CVE-2023-0464 CVE-2022-3996
java-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-gwrp-pvrq-jmwv GHSA-gp7f-rwcx-9369 CVE-2023-20863 CVE-2022-36033 CVE-2021-29425
java-native-image-lite.buildpacks.tanzu.vmware.com	Expand to see the list GHSA-gwrp-pvrq-jmwv GHSA-gp7f-rwcx-9369 CVE-2023-20863 CVE-2022-36033 CVE-2021-29425
metadata-store.apps.tanzu.vmware.com	Expand to see the list CVE-2023-29939 CVE-2023-29934 CVE-2023-29932
ootb-supply-chain-testing-scanning.tanzu.vmware.com	Expand to see the list GHSA-2q89-485c-9j2x
ootb-templates.tanzu.vmware.com	Expand to see the list GHSA-p782-xgp4-8hr8 GHSA-2q89-485c-9j2x CVE-2023-5197 CVE-2023-4921 CVE-2023-4881 CVE-2023-4623 CVE-2023-4622 CVE-2023-4569 CVE-2023-44466 CVE-2023-42756 CVE-2023-42755 CVE-2023-42753 CVE-2023-42752 CVE-2023-4273 CVE-2023-4244 CVE-2023-4208 CVE-2023-4207 CVE-2023-4206 CVE-2023-4194 CVE-2023-4155 CVE-2023-4147 CVE-2023-4132 CVE-2023-4128 CVE-2023-40283 CVE-2023-4015 CVE-2023-4004 CVE-2023-3995 CVE-2023-3866 CVE-2023-3865 CVE-2023-3863 CVE-2023-38546 CVE-2023-38545 CVE-2023-38432 CVE-2023-38429 CVE-2023-38428 CVE-2023-38426 CVE-2023-3777 CVE-2023-3776 CVE-2023-3611 CVE-2023-3610 CVE-2023-3609 CVE-2023-35829 CVE-2023-35828 CVE-2023-35824 CVE-2023-35823 CVE-2023-35788 CVE-2023-3567 CVE-2023-35001 CVE-2023-3439 CVE-2023-34319 CVE-2023-34256 CVE-2023-3390 CVE-2023-3389 CVE-2023-3355 CVE-2023-3338 CVE-2023-33288 CVE-2023-33203 CVE-2023-3268 CVE-2023-32269 CVE-2023-32248 CVE-2023-32233 CVE-2023-3220 CVE-2023-3212 CVE-2023-3161 CVE-2023-31484 CVE-2023-31436 CVE-2023-3141 CVE-2023-31248 CVE-2023-3117 CVE-2023-31084 CVE-2023-3090 CVE-2023-30772 CVE-2023-30456 CVE-2023-2985 CVE-2023-29491 CVE-2023-29007 CVE-2023-2898 CVE-2023-28466 CVE-2023-28322 CVE-2023-28321 CVE-2023-2650 CVE-2023-2612 CVE-2023-2603 CVE-2023-2602 CVE-2023-25815 CVE-2023-25652 CVE-2023-25588 CVE-2023-25585 CVE-2023-25584 CVE-2023-25012 CVE-2023-23004 CVE-2023-2283 CVE-2023-2269 CVE-2023-2235 CVE-2023-2194 CVE-2023-2163 CVE-2023-2162 CVE-2023-2156 CVE-2023-21400 CVE-2023-21255 CVE-2023-2124 CVE-2023-20938 CVE-2023-20593 CVE-2023-20588 CVE-2023-20569 CVE-2023-2002 CVE-2023-1998 CVE-2023-1990 CVE-2023-1972 CVE-2023-1859 CVE-2023-1855 CVE-2023-1670 CVE-2023-1667 CVE-2023-1611 CVE-2023-1513 CVE-2023-1380 CVE-2023-1255 CVE-2023-1206 CVE-2023-1192 CVE-2023-1079 CVE-2023-1078 CVE-2023-1077 CVE-2023-1076 CVE-2023-1075 CVE-2023-0597 CVE-2023-0459 CVE-2022-48502 CVE-2022-48425 CVE-2022-47696 CVE-2022-47673 CVE-2022-45886 CVE-2022-4269 CVE-2022-40982 CVE-2022-3707 CVE-2022-27672
policy.apps.tanzu.vmware.com	Expand to see the list GHSA-vvpx-j8f3-3w6h GHSA-frqx-jfcm-6jjr GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237 GHSA-2wrh-6pvc-2jm9
service-bindings.labs.vmware.com	Expand to see the list GHSA-qppj-fm5r-hxr3 GHSA-m425-mq94-257g GHSA-4374-p667-p6c8 GHSA-2wrh-6pvc-2jm9
services-toolkit.tanzu.vmware.com	Expand to see the list GHSA-2wrh-6pvc-2jm9
snyk.scanning.apps.tanzu.vmware.com	Expand to see the list GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237
spring-cloud-gateway.tanzu.vmware.com	Expand to see the list GHSA-xpw8-rcwv-8f8p GHSA-qppj-fm5r-hxr3 GHSA-jgvc-jfgh-rjvv GHSA-7g24-qg88-p43q GHSA-57m8-f3v5-hm5m GHSA-4374-p667-p6c8 CVE-2023-4911 CVE-2023-35116 CVE-2023-22081 CVE-2023-22025
sso.apps.tanzu.vmware.com	Expand to see the list GHSA-rm8v-mxj3-5rmq GHSA-7g45-4rm6-3mm3 GHSA-68p4-95xf-7gx8 GHSA-5mg8-w23w-74h3 CVE-2023-41053 CVE-2023-34035 CVE-2020-8908
tap-gui.tanzu.vmware.com	Expand to see the list GHSA-wg6p-jmpc-xjmr GHSA-j8xg-fqg3-53r7 GHSA-gpv5-7x3g-ghjv CVE-2023-5197 CVE-2023-4921 CVE-2023-4911 CVE-2023-4813 CVE-2023-4806 CVE-2023-46862 CVE-2023-46813 CVE-2023-4641 CVE-2023-4623 CVE-2023-4622 CVE-2023-45863 CVE-2023-4569 CVE-2023-42756 CVE-2023-42755 CVE-2023-42753 CVE-2023-4273 CVE-2023-4244 CVE-2023-4208 CVE-2023-4207 CVE-2023-4206 CVE-2023-4194 CVE-2023-4147 CVE-2023-4132 CVE-2023-4128 CVE-2023-4039 CVE-2023-40283 CVE-2023-40217 CVE-2023-4010 CVE-2023-4004 CVE-2023-39332 CVE-2023-39331 CVE-2023-3863 CVE-2023-3817 CVE-2023-3777 CVE-2023-3776 CVE-2023-37454 CVE-2023-3640 CVE-2023-3611 CVE-2023-3609 CVE-2023-35829 CVE-2023-35828 CVE-2023-35827 CVE-2023-35824 CVE-2023-35823 CVE-2023-35788 CVE-2023-3446 CVE-2023-34319 CVE-2023-34256 CVE-2023-3397 CVE-2023-3389 CVE-2023-3338 CVE-2023-3268 CVE-2023-3212 CVE-2023-31484 CVE-2023-3141 CVE-2023-3111 CVE-2023-31084 CVE-2023-31082 CVE-2023-3090 CVE-2023-29491 CVE-2023-2898 CVE-2023-24329 CVE-2023-2269 CVE-2023-21400 CVE-2023-21255 CVE-2023-2124 CVE-2023-20588 CVE-2023-20569 CVE-2023-2002 CVE-2023-1380 CVE-2023-1206 CVE-2023-1192 CVE-2023-1075 CVE-2023-0597 CVE-2023-0160 CVE-2022-45887 CVE-2022-45886 CVE-2022-45061 CVE-2022-43945 CVE-2022-4269 CVE-2022-40982 CVE-2022-39189 CVE-2022-3567 CVE-2022-3566 CVE-2022-3344 CVE-2022-3114 CVE-2022-3108 CVE-2022-1304 CVE-2022-1280 CVE-2022-0500 CVE-2022-0391 CVE-2021-44879 CVE-2021-4204 CVE-2021-4189 CVE-2021-4149 CVE-2021-4023 CVE-2021-39686 CVE-2021-3847 CVE-2021-3737 CVE-2021-3733 CVE-2021-3669 CVE-2021-36087 CVE-2021-36086 CVE-2021-36085 CVE-2021-36084 CVE-2021-33560 CVE-2021-33061 CVE-2021-31239 CVE-2020-36694 CVE-2020-24504 CVE-2020-16156 CVE-2020-12364 CVE-2020-12363 CVE-2020-12362 CVE-2020-10735 CVE-2019-8457 CVE-2019-20794 CVE-2019-19449 CVE-2019-16089 CVE-2019-15794 CVE-2018-12928 CVE-2015-20107
tap-telemetry.tanzu.vmware.com	Expand to see the list GHSA-2wrh-6pvc-2jm9
tekton.tanzu.vmware.com	Expand to see the list GHSA-hp87-p4gw-j4gq GHSA-hmfx-3pcx-653p GHSA-6wrf-mxfj-pf5p GHSA-33pg-m6jh-5237 GHSA-2qjp-425j-52j9 GHSA-259w-8hf6-59c2 CVE-2023-4147 CVE-2023-40217 CVE-2023-4015 CVE-2023-4004 CVE-2023-3995 CVE-2023-38429 CVE-2023-38428 CVE-2023-38426 CVE-2023-3777 CVE-2023-3776 CVE-2023-3611 CVE-2023-3610 CVE-2023-3609 CVE-2023-35829 CVE-2023-35828 CVE-2023-35824 CVE-2023-35823 CVE-2023-35788 CVE-2023-3567 CVE-2023-35001 CVE-2023-3439 CVE-2023-34256 CVE-2023-3390 CVE-2023-3389 CVE-2023-3358 CVE-2023-3357 CVE-2023-3355 CVE-2023-33288 CVE-2023-33203 CVE-2023-3268 CVE-2023-32269 CVE-2023-32248 CVE-2023-32233 CVE-2023-3220 CVE-2023-3212 CVE-2023-3161 CVE-2023-31484 CVE-2023-31436 CVE-2023-3141 CVE-2023-31248 CVE-2023-3117 CVE-2023-31084 CVE-2023-3090 CVE-2023-30772 CVE-2023-30456 CVE-2023-2985 CVE-2023-29491 CVE-2023-29007 CVE-2023-2898 CVE-2023-28466 CVE-2023-28328 CVE-2023-28322 CVE-2023-28321 CVE-2023-27538 CVE-2023-27536 CVE-2023-27535 CVE-2023-27534 CVE-2023-27533 CVE-2023-27043 CVE-2023-26607 CVE-2023-26606 CVE-2023-26605 CVE-2023-26545 CVE-2023-26544 CVE-2023-2650 CVE-2023-2612 CVE-2023-2603 CVE-2023-2602 CVE-2023-25815 CVE-2023-25652 CVE-2023-25588 CVE-2023-25585 CVE-2023-25584 CVE-2023-25012 CVE-2023-24329 CVE-2023-23946 CVE-2023-23916 CVE-2023-23915 CVE-2023-23914 CVE-2023-23559 CVE-2023-23455 CVE-2023-23454 CVE-2023-23004 CVE-2023-2283 CVE-2023-2269 CVE-2023-22490 CVE-2023-2235 CVE-2023-2194 CVE-2023-2166 CVE-2023-2163 CVE-2023-2162 CVE-2023-21400 CVE-2023-21255 CVE-2023-2124 CVE-2023-21102 CVE-2023-20938 CVE-2023-20593 CVE-2023-2006 CVE-2023-2002 CVE-2023-1998 CVE-2023-1990 CVE-2023-1972 CVE-2023-1872 CVE-2023-1859 CVE-2023-1855 CVE-2023-1829 CVE-2023-1670 CVE-2023-1667 CVE-2023-1652 CVE-2023-1611 CVE-2023-1513 CVE-2023-1382 CVE-2023-1380 CVE-2023-1281 CVE-2023-1255 CVE-2023-1195 CVE-2023-1192 CVE-2023-1079 CVE-2023-1078 CVE-2023-1077 CVE-2023-1076 CVE-2023-1075 CVE-2023-1074 CVE-2023-1073 CVE-2023-0597 CVE-2023-0468 CVE-2023-0465 CVE-2023-0464 CVE-2023-0461 CVE-2023-0459 CVE-2023-0458 CVE-2023-0394 CVE-2023-0386 CVE-2023-0361 CVE-2023-0266 CVE-2023-0210 CVE-2023-0179 CVE-2023-0045 CVE-2022-48502 CVE-2022-4842 CVE-2022-48425 CVE-2022-48424 CVE-2022-48423 CVE-2022-48303 CVE-2022-47929 CVE-2022-47696 CVE-2022-47673 CVE-2022-47521 CVE-2022-47520 CVE-2022-47519 CVE-2022-47518 CVE-2022-45886 CVE-2022-45869 CVE-2022-4415 CVE-2022-4382 CVE-2022-4379 CVE-2022-4269 CVE-2022-42329 CVE-2022-42328 CVE-2022-4139 CVE-2022-4129 CVE-2022-41218 CVE-2022-40982 CVE-2022-3996 CVE-2022-3821 CVE-2022-3707 CVE-2022-36280 CVE-2022-3545 CVE-2022-3521 CVE-2022-3435 CVE-2022-3424 CVE-2022-3344 CVE-2022-3169 CVE-2022-27672 CVE-2022-2196 CVE-2007-4559
tpb.tanzu.vmware.com	Expand to see the list CVE-2022-29858 CVE-2021-43138 CVE-2019-10716 CVE-2019-10715 CVE-2018-25076 CVE-2017-18589 CVE-2014-2980 CVE-2013-1779 CVE-2011-5125 CVE-2010-0128 CVE-2009-4592 CVE-2009-4591 CVE-2009-4590 CVE-2009-0880 CVE-2009-0879 CVE-2007-5612 CVE-2006-4683 CVE-2006-4682 CVE-2006-4681 CVE-2005-4708

v1.7.0 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.7.0 Resolved issues: Application Configuration Service

The pod security context now adheres to the restricted Pod Security Standard, which prevents some installation failures.

v1.7.0 Resolved issues: Application Single Sign-On

Authorization servers advertise only supported scopes by using the discovery endpoint.
AuthServer.spec.identityProviders.*.name has a description.
AuthServer.spec.identityProviders.*.name is validated against DNS1123.
ClusterUnsafeTestLogin reconciles only if the namespace designated by cluster_resource_namespace exists.
Correctly implements the restricted Pod Security Standard for the controller and all AuthServer-related resources.
Authorization servers display OpenID Connect (OIDC) providers on the login page even when there are no SAML providers.

v1.7.0 Resolved issues: Artifact Metadata Repository Observer and CloudEvent Handler

The ReplicaSet status in AMR now shows the available and unavailable states in addition to created and deleted.

v1.7.0 Resolved issues: Cloud Native Runtimes

Certain combinations of app name, namespace, and domain no longer produce Knative Services with status CertificateNotReady.

v1.7.0 Resolved issues: Crossplane

Crossplane Providers can now communicate with systems using a custom CA.

v1.7.0 Resolved issues: Supply Chain Choreographer

You can safely ignore the label apps.tanzu.vmware.com/carvel-package-workflow when the package supply chain is deactivated. Previously, workloads with this label failed when the package supply chain was deactivated.
Workloads failed on image supply chains with multiple supply chain matches when testing or scanning supply chains are side loaded with the basic supply chain. Though side loading these supply chains is not a supported configuration, this fix allows you to continue to create workloads.
The package Supply Chain can now generate a Carvel package when building an image from source and uploading it to a private registry using a certificate.

v1.7.0 Resolved issues: Tanzu Developer Portal - Supply Chain GUI plug-in

Workloads created by using a custom resource definition (CRD) work as expected.
Downloading the SBOM from a vulnerability scan no longer requires additional configuration in tap-values.yaml.

v1.7.0 Resolved issues: Tanzu Developer Tools for VS Code

In the Tanzu activity panel, the config-writer-pull-requester of type Runnable is correctly categorized as Supply Chain.

v1.7.0 Known issues

This release has the following known issues, listed by component and area.

v1.7.0 Known issues: Tanzu Application Platform

Tanzu Application Platform v1.7.0 is not supported with Tanzu Kubernetes releases (TKR) v1.26 on vSphere with Tanzu v8.

v1.7.0 Known issues: API Auto Registration

Registering conflicting groupId and version with API portal:

If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specspecification includes API routes from both CuratedAPIDescriptors.

You can see the groupId and version information from all CuratedAPIDescriptors by running:
```
$ kubectl get curatedapidescriptors -A

NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
```
When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.7.0 Known issues: Application Live View

On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.7.0 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. There is an error on duplicate submission of identical ImageVulnerabilityScans you can ignore if the previous submission was successful.

v1.7.0 Known issues: Bitnami Services

If you try to configure private registry integration for the Bitnami services after having already created a claim for one or more of the Bitnami services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.7.0 Known issues: Carbon Black Scanner for SCST - Scan

Carbon Black Scanner templates raise a PodSecurity violation error in clusters that use the restricted Pod Security Standard. As a workaround, see Troubleshooting.

v1.7.0 Known issues: Cartographer Conventions

While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.7.0 Known issues: Cloud Native Runtimes

Web workloads created with Tanzu Application Platform v1.6.3 and earlier fail to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable. For a workaround, see Troubleshoot Cloud Native Runtimes for Tanzu.

v1.7.0 Known issues: Crossplane

The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To workaround, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.7.0 Known issues: Service Bindings

When upgrading Tanzu Application Platform, pods are recreated for all workloads with service bindings. This is because workloads and pods that use service bindings are being updated to new service binding volumes. This happens automatically and will not affect subsequent upgrades.

Affected pods are updated concurrently. To avoid failures, you must have sufficient Kubernetes resources in your clusters to support the pod rollout.
ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource. This impacts the timely rollout of new connection secrets to workloads. The reconciler eventually picks up the change but this might take up to 10 hours. As a temporary workaround, you can do one of the following:
- Delete the existing ServiceBinding and create a new one that is identical.
- Trigger reconciliation of the existing ServiceBinding by adding an arbitrary annotation or label.
- Delete and recreate the application workload referred to by the ServiceBinding.

v1.7.0 Known issues: Services Toolkit

An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.7.0 Known issues: Supply Chain Choreographer

By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.
When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.
If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.
Pods created by using Tekton do not adhere to the Pod Security Standard. To run Supply Chains in a cluster where this webhook is installed by default, VMware recommends labeling the namespace with pod-security.kubernetes.io/enforce=privileged to ensure that they are correctly created.

v1.7.0 Known issues: Supply Chain Security Tools (SCST) - Scan

When container.SecurityContext is not null and the Capabilities field or SeccompProfile field is empty (null), the controller fails because of panic. For a workaround, see Troubleshoot Supply Chain Security Tools - Scan.
When using SCST - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Trivy image packaged with Tanzu Application Platform:
```
ootb_supply_chain_testing_scanning:
  image_scanner_template_name: image-vulnerability-scan-trivy
  image_scanning_cli:
    image: registry.example.com/tanzu-application-platform/tap-packages@sha256:675673a6d495d6f6a688497b754cee304960d9ad56e194cf4f4ea6ab53ca71d6
```
When using SCST - Scan 2.0, Trivy must be pinned to v0.42.1. This is because CycloneDX v1.5 is the default for later versions of Trivy and is not supported by AMR.
When container.SecurityContext is not null but either of fields Capabilities or SeccompProfile are left empty (null), the controller fails because of panic. For a workaround, see Troubleshoot Supply Chain Security Tools - Scan.
SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.7.0 Known issues: Supply Chain Security Tools (SCST) - Store

AMR-specific steps have been added to the Multicluster setup for Supply Chain Security Tools - Store.
SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds a PostgresSQL database index corruption issue, it does not reconcile. For how to fix this issue, see Fix Postgres Database Index Corruption.
When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.7.0 Known issues: Tanzu Build Service

During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.7.0 Known issues: Tanzu Developer Portal

If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:
```
No configured authentication providers. Please configure at least one.
```
To resolve this issue, see Troubleshooting.
When viewing a supply chain with the Supply Chain Choreographer plug-in, scrolling horizontally does not work. Click and drag left or right instead to move the supply chain diagram. A fix is planned for the future. The zoom function was removed because of user feedback.
Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.
When installing Tanzu Developer Portal for the first time, there might be a transient failure during reconciliation. No action is needed because the reconciliation succeeds during the automatic retry. The issue is related to the order of creation for Kubernetes resources. A fix is planned for a later release.
Back-end Kubernetes plug-in reporting failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Application Platform GUI. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.
ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.
The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.7.0 Known issues: Tanzu Developer Tools for IntelliJ

The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.
If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.
Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.
An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.7.0 Known issues: Tanzu Developer Tools for Visual Studio

Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.7.0 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name	Version
API Auto Registration	0.4.0
API portal	1.4.4
Application Accelerator	1.7.3
Application Configuration Service	2.2.0
Application Live View APIServer	1.7.2
Application Live View back end	1.7.2
Application Live View connector	1.7.2
Application Live View conventions	1.7.2
Application Single Sign-On	5.0.0
Artifact Metadata Repository Observer	0.2.1
AWS Services	0.1.0
Bitnami Services	0.3.1
Carbon Black Scanner for SCST - Scan (beta)	1.2.2
Cartographer Conventions	0.8.5
cert-manager	2.4.1 (contains cert-manager v1.12)
Cloud Native Runtimes	2.4.1
Contour	1.25.2
Crossplane	0.3.0
Default Roles	1.1.0
Developer Conventions	0.14.0
External Secrets Operator	0.9.4+tanzu.1
Flux CD Source Controller	0.36.1+tanzu.2
Grype Scanner for SCST - Scan	1.7.0
Local Source Proxy	0.2.1
Namespace Provisioner	0.5.0
Out of the Box Delivery - Basic	0.14.7
Out of the Box Supply Chain - Basic	0.14.7
Out of the Box Supply Chain - Testing	0.14.7
Out of the Box Supply Chain - Testing and Scanning	0.14.7
Out of the Box Templates	0.14.7
Service Bindings	0.10.2
Service Registry	1.2.0
Services Toolkit	0.12.0
Snyk Scanner for SCST - Scan (beta)	1.1.0
Source Controller	0.8.3
Spring Boot conventions	1.7.2
Spring Cloud Gateway	2.1.4
Supply Chain Choreographer	0.8.5
Supply Chain Security Tools - Policy Controller	1.6.3
Supply Chain Security Tools - Scan	1.7.1
Supply Chain Security Tools - Scan 2.0 (beta)	0.2.1
Supply Chain Security Tools - Store	1.7.1
Tanzu Developer Portal	1.7.7
Tanzu Developer Portal Configurator	1.0.3
Tanzu Application Platform Telemetry	0.7.0-build.3
Tanzu Build Service	1.12.2
Tanzu CLI	1.1.0
Tekton Pipelines	0.50.1+tanzu.3

Deprecations

The following features, listed by component, are deprecated. Deprecated features remain on this list until they are retired from Tanzu Application Platform.

API Scoring and Validation deprecations

The apix package is deprecated and will be removed in the next Tanzu Application Platform release.

Cloud Native Runtimes deprecations

default_tls_secret config option: This config option is now in contour.default_tls_secret and is marked for removal in a future Tanzu Application Platform version. In the meantime, both options are supported, and contour.default_tls_secret takes precedence over default_tls_secret.
ingress.[internal/external].namespace config options: These config options are now in contour.[internal/external].namespace are marked for removal in a future Tanzu Application Platform version. In the meantime, both options are supported, and contour.[internal/external].namespace takes precedence over ingress.[internal/external].namespace.

Flux CD Source Controller deprecations

Deprecations for the GitRepository API:
- spec.gitImplementation is deprecated. GitImplementation defines the Git client library implementation. go-git is the default and only supported implementation. libgit2 is no longer supported.
- spec.accessFrom is deprecated. AccessFrom, which defines an Access Control List for enabling cross-namespace references to this object, was never implemented.
- status.contentConfigChecksum is deprecated in favor of the explicit fields defined in the observed artifact content config within the status.
- status.artifact.checksum is deprecated in favor of status.artifact.digest.
- status.url is deprecated in favor of status.artifact.url.
Deprecations for the OCIRepository API:
- status.contentConfigChecksum is deprecated in favor of the explicit fields defined in the observed artifact content config within the status.

Services Toolkit deprecations

The tanzu services claims CLI plug-in command is deprecated and is marked for removal in Tanzu Application Platform v1.9. It is hidden from help text output, but it will continue to work until it is removed. The new tanzu services resource-claims command provides the same function.
The experimental multicluster APIs *.multicluster.x-tanzu.vmware.com/v1alpha1 are deprecated and marked for removal in Tanzu Application Platform v1.9.
The experimental kubectl-scp plug-in is deprecated and marked for removal in Tanzu Application Platform v1.9.

Source Controller deprecations

The Source Controller ImageRepository API is deprecated and is marked for removal. Use the OCIRepository API instead. The Flux Source Controller installation includes the OCIRepository API. For more information about the OCIRepository API, see the Flux documentation.

Supply Chain Choreographer deprecations

Supply Chain Choreographer no longer uses the git_implementation field. The go-git implementation now assumes that libgit2 is not supported.
- Flux CD no longer supports the spec.gitImplementation field as of v0.33.0. For more information, see the fluxcd/source-controller Changelog.
- Existing references to the git_implementation field are ignored and references to libgit2 do not cause failures. This is assured up to Tanzu Application Platform v1.9.
- Azure DevOps works without specifying git_implementation in Tanzu Application Platform v1.7.

Supply Chain Security Tools (SCST) - Scan deprecations

The profile based installation of Grype to a developer namespace and related fields in the values file, such as grype.namespace and grype.targetImagePullSecret, are deprecated and are marked for removal in Tanzu Application Platform v1.8. Before removal, you can opt-in to use the profile based installation of Grype to a single namespace by setting grype.namespace in the tap-values.yaml configuration file.

Tanzu Build Service deprecations

The Cloud Native Buildpack Bill of Materials (CNB BOM) format is deprecated. VMware plans to remove support in Tanzu Application Platform v1.8.

Tekton Pipelines deprecations

Tekton ClusterTask is deprecated and marked for removal. Use the Task API instead. For more information, see the Tekton documentation.

Linux Kernel CVEs

Kernel level vulnerabilities are regularly identified and patched by Canonical. Tanzu Application Platform releases with available images, which might contain known vulnerabilities. When Canonical makes patched images available, Tanzu Application Platform incorporates these fixed images into future releases.

The kernel runs on your container host VM, not the Tanzu Application Platform container image. Even with a patched Tanzu Application Platform image, the vulnerability is not mitigated until you deploy your containers on a host with a patched OS. An unpatched host OS might be exploitable if the base image is deployed.