Tanzu Application Platform release notes

This topic contains release notes for Tanzu Application Platform v1.8.

Note: Tanzu Application Platform v1.8 is a long-term support (LTS) release. It will receive one year of patches and support, dated from initial release. Over the life cycle of Tanzu Application Platform v1.8, VMware will release patches and maintenance updates.

v1.8.5

Release Date: 02 July 2024

v1.8.5 Breaking changes

This release includes the following changes, listed by component and area.

v1.8.5 Breaking changes: Tanzu Application Platform

  • Tanzu Application Platform releases have migrated from VMware Tanzu Network to the Broadcom Support Portal and Broadcom registry. Using VMware Tanzu Network to install or upgrade Tanzu Application Platform is no longer supported.

    Before you upgrade, you must relocate the Tanzu Application Platform images from the Broadcom registry tanzu.packages.broadcom.com to your own registry. Make sure you relocate the images to your container image registry as part of the instructions in Upgrade Tanzu Application Platform.

v1.8.5 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • application-configuration-service.tanzu.vmware.com
  • base-jammy-stack-lite.buildpacks.tanzu.vmware.com
  • cert-manager.tanzu.vmware.com
  • cnrs.tanzu.vmware.com
  • crossplane.tanzu.vmware.com
  • dotnet-core-lite.buildpacks.tanzu.vmware.com
  • git-writer.component.apps.tanzu.vmware.com
  • java-lite.buildpacks.tanzu.vmware.com
  • managed-resource-controller.apps.tanzu.vmware.com
  • ootb-templates.tanzu.vmware.com
  • service-registry.spring.apps.tanzu.vmware.com
  • source.component.apps.tanzu.vmware.com
  • sso.apps.tanzu.vmware.com
  • supply-chain-catalog.apps.tanzu.vmware.com
  • supply-chain.apps.tanzu.vmware.com

v1.8.5 Known issues

This release has the following known issues, listed by component and area.

v1.8.5 Known issues: Tanzu Application Platform

  • On Azure Kubernetes Service (AKS), the Datadog Cluster Agent cannot reconcile the webhook, which leads to an error. For troubleshooting information, see Datadog agent cannot reconcile webhook on AKS.

  • The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKr v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.8.5 Known issues: API Auto Registration

  • Registering conflicting groupId and version with API portal:

    If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specification includes API routes from both CuratedAPIDescriptors.

    You can see the groupId and version information from all CuratedAPIDescriptors by running:

    $ kubectl get curatedapidescriptors -A
    
    NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
    my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
    default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
    
  • When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.
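
A check for the groupId and version conflict described in the first item above, as an added example that is not part of the original release notes: it parses the table printed by `kubectl get curatedapidescriptors -A` and reports every groupId and version pair claimed by more than one CuratedAPIDescriptor. The function names and the third sample row are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag CuratedAPIDescriptors that share a groupId/version pair.
# Input is the table printed by `kubectl get curatedapidescriptors -A`
# (columns as shown on this page: NAMESPACE NAME GROUPID VERSION ...).

# find_conflicts: read the table on stdin and print one line per conflicting
# pair in the form "groupId version count ns/name,ns/name", sorted.
find_conflicts() {
  awk '
    NF < 4 || $1 == "NAMESPACE" { next }   # skip blank lines and the header row
    {
      key = $3 " " $4                      # groupId + version identify the API
      count[key]++
      if (count[key] == 1)
        owners[key] = $1 "/" $2
      else
        owners[key] = owners[key] "," $1 "/" $2
    }
    END {
      for (key in count)
        if (count[key] > 1)
          print key, count[key], owners[key]
    }
  ' | sort
}

# check_conflicts: same input, but returns 1 when any conflict exists so it
# can gate a pipeline step or a scheduled audit job.
check_conflicts() {
  conflicts=$(find_conflicts)
  if [ -z "$conflicts" ]; then
    return 0
  fi
  printf 'Conflicting groupId/version pairs:\n%s\n' "$conflicts" >&2
  return 1
}

# Constructed sample: the two rows from this page plus one unrelated row.
sample_table() {
  cat <<'EOF'
NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
default             billing      billing-group      2.0.0     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/billing
EOF
}

# Against a live cluster: kubectl get curatedapidescriptors -A | check_conflicts
sample_table | find_conflicts
```

Because a conflicting pair causes the generated specification to include routes from both descriptors when Spring Cloud Gateway is the route provider, the reported namespaces show which teams need to agree on ownership of the groupId.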

v1.8.5 Known issues: App Last Mile Catalog

  • The app-config-web, app-config-server, and app-config-worker components do not allow developers to override the default application ports. This means that applications that use non-standard ports do not work. To work around this, you can configure ports by providing values to the resulting Carvel package. This issue is planned to be fixed in a future release.

v1.8.5 Known issues: Application Live View

  • On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.8.5 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. Duplicate submission of identical ImageVulnerabilityScans produces an error, which you can ignore if the previous submission was successful.

v1.8.5 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami Services after having already created a claim for one or more of the services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.8.5 Known issues: Cartographer Conventions

  • While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.8.5 Known issues: Crossplane

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To work around this, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.8.5 Known issues: Go Lite Buildpack

  • In v1.8.1 there was a mismatch in version between the Go Lite buildpack provided in the Tanzu Application Platform packages and the Go buildpack provided in the full dependencies. This version mismatch made it impossible to use the dependency updater. In Tanzu Application Platform v1.8.2, the version of Go Lite has been upgraded from v2.2.x to v3.1.x. This version of the buildpack contains a breaking change which is the removal of the Dep package manager, which has been deprecated. If you still need to use the Dep package manager, see Update dependencies out of band with Tanzu Application Platform releases.

v1.8.5 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.8.5 Known issues: Supply Chain

  • The Workload page in the Supply Chain UI takes a long time to load when there are more than 100 workloads to display.

  • The Workload Details page, accessed by clicking on a workload name, does not load in the Supply Chain UI when there are more than 100 workloads to display.

v1.8.5 Known issues: Supply Chain Choreographer

  • The template for the external-deliverable-template does not respect the gitops_credentials_secret parameter. The value is not present on the deliverable if it is provided in the workload parameter gitops_credentials_secret or the supply chain tap-value ootb_supply_chain*.gitops.credentials_secret. As a workaround, operators must provide the value as a tap-value for the delivery: ootb_delivery_basic.source.credentials_secret. The supply chain’s GitOps credentials must authenticate to the same repository as the delivery’s source credentials. If a deliverable must use a secret different from that specified by the delivery tap-value, the deliverable must be manually altered when being copied to the Run cluster. Add the secret name as a source_credentials_secret parameter on the deliverable.

  • By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.8.5 Known issues: Supply Chain Security Tools - Policy

  • Supply Chain Security Tools - Policy defaults to The Update Framework (TUF) enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:

    policy:
      tuf_enabled: true
    

v1.8.5 Known issues: Supply Chain Security Tools - Scan

  • When using Supply Chain Security Tools (SCST) - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file for templates other than Trivy. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Grype image packaged with Tanzu Application Platform:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-grype
      image_scanning_cli:
        image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:feb1cdbd5c918aae7a89bdb2aa39d486bf6ffc81000764b522842e5934578497
    
  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information about this issue, see the Snyk GitHub repository.

  • Recurring scan has a maximum of approximately 5000 container images that can be scanned at a single time due to ConfigMap size limits.

  • If the supply chain container image scanning is configured to use a different scanner or scanner version than the recurring scanning, the vulnerabilities displayed in Tanzu Developer Portal might be inaccurate.

  • SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.8.5 Known issues: Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds that a PostgreSQL database index has been corrupted, it automatically attempts a repair, which might cause reconciliation during package updates. When this happens, the included Postgres database might take some time to complete the repair and accept connections. For more information, see Fix Postgres Database Index Corruption.

  • When outputting CycloneDX v1.5 SBOMs, the report is found to be an invalid SBOM by CycloneDX validators. This issue is planned to be fixed in a future release.

  • If CA Certificate data is included in the shared Tanzu Application Platform values section, do not configure AMR Observer with CA Certificate data.

  • When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

    When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

    To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.8.5 Known issues: Tanzu Build Service

  • During upgrades, a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

    If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.8.5 Known issues: Tanzu Developer Portal

  • Tanzu Developer Portal Configurator jumps from v1.0.x in Tanzu Application Platform v1.7 to v1.8.x in Tanzu Application Platform v1.8. This version jump enables future versions of Tanzu Developer Portal and Tanzu Developer Portal Configurator to sync going forward.

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.8.5 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.8.5 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.8.5 Component versions

The following table lists the Tanzu Application Platform package versions included with this release. For open source component versions in this Tanzu Application Platform release, see Open source component versions.

Component Name                                      Version
API Auto Registration                               0.5.0
API portal                                          1.5.0
Application Accelerator                             1.8.1
Application Configuration Service                   2.3.3
Application Live View APIServer                     1.8.2
Application Live View back end                      1.8.2
Application Live View connector                     1.8.2
Application Live View conventions                   1.8.2
Application Single Sign-On                          5.1.6
Artifact Metadata Repository Observer               0.4.5
AWS Services                                        0.2.1
Bitnami Services                                    0.4.0
Carbon Black Scanner for SCST - Scan (beta)         1.3.7
Cartographer Conventions                            0.8.10
cert-manager                                        2.7.6
Cloud Native Runtimes                               2.5.8
Contour                                             2.2.0
Crossplane                                          0.4.3
Default Roles                                       1.1.0
Developer Conventions                               0.16.1
External Secrets Operator                           0.9.4+tanzu.3
Flux CD Source Controller                           0.36.1+tanzu.2
Grype Scanner for SCST - Scan                       1.8.8
Local Source Proxy                                  0.2.1
Managed Resource Controller (beta)                  0.1.48
Namespace Provisioner                               0.6.2
Out of the Box Delivery - Basic                     0.15.11
Out of the Box Supply Chain - Basic                 0.15.11
Out of the Box Supply Chain - Testing               0.15.11
Out of the Box Supply Chain - Testing and Scanning  0.15.11
Out of the Box Templates                            0.15.11
Service Bindings                                    0.11.0
Service Registry                                    1.3.3
Services Toolkit                                    0.13.0
Snyk Scanner for SCST - Scan (beta)                 1.2.7
Source Controller                                   0.8.4
Spring Boot conventions                             1.8.2
Spring Cloud Gateway                                2.1.10
Supply Chain Choreographer                          0.8.10
Supply Chain Security Tools - Policy Controller     1.6.4
Supply Chain Security Tools - Scan                  1.8.9
Supply Chain Security Tools - Scan 2.0              0.3.7
Supply Chain Security Tools - Store                 1.8.5
Tanzu Application Platform Telemetry                0.7.0
Tanzu Build Service                                 1.14.0-rc.2
Tanzu CLI                                           1.3.0
Tanzu Developer Portal                              1.8.5
Tanzu Developer Portal Configurator                 1.8.5
Tanzu Supply Chain (beta)                           0.1.88
Tekton Pipelines                                    0.50.3+tanzu.4

v1.8.4

Release Date: 11 June 2024

v1.8.4 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • application-configuration-service.tanzu.vmware.com
  • base-jammy-stack-lite.buildpacks.tanzu.vmware.com
  • cert-manager.tanzu.vmware.com
  • cnrs.tanzu.vmware.com
  • dotnet-core-lite.buildpacks.tanzu.vmware.com
  • git-writer.component.apps.tanzu.vmware.com
  • java-lite.buildpacks.tanzu.vmware.com
  • service-registry.spring.apps.tanzu.vmware.com
  • source.component.apps.tanzu.vmware.com
  • sso.apps.tanzu.vmware.com
  • supply-chain-catalog.apps.tanzu.vmware.com
  • supply-chain.apps.tanzu.vmware.com

v1.8.4 Known issues

This release has the following known issues, listed by component and area.

v1.8.4 Known issues: Tanzu Application Platform

  • On Azure Kubernetes Service (AKS), the Datadog Cluster Agent cannot reconcile the webhook, which leads to an error. For troubleshooting information, see Datadog agent cannot reconcile webhook on AKS.

  • The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKr v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.8.4 Known issues: API Auto Registration

  • Registering conflicting groupId and version with API portal:

    If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specification includes API routes from both CuratedAPIDescriptors.

    You can see the groupId and version information from all CuratedAPIDescriptors by running:

    $ kubectl get curatedapidescriptors -A
    
    NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
    my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
    default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
    
  • When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.8.4 Known issues: App Last Mile Catalog

  • The app-config-web, app-config-server, and app-config-worker components do not allow developers to override the default application ports. This means that applications that use non-standard ports do not work. To work around this, you can configure ports by providing values to the resulting Carvel package. This issue is planned to be fixed in a future release.

v1.8.4 Known issues: Application Live View

  • On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.8.4 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. Duplicate submission of identical ImageVulnerabilityScans produces an error, which you can ignore if the previous submission was successful.

v1.8.4 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami Services after having already created a claim for one or more of the services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.8.4 Known issues: Cartographer Conventions

  • While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.8.4 Known issues: Crossplane

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To work around this, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.8.4 Known issues: Go Lite Buildpack

  • In v1.8.1 there was a mismatch in version between the Go Lite buildpack provided in the Tanzu Application Platform packages and the Go buildpack provided in the full dependencies. This version mismatch made it impossible to use the dependency updater. In Tanzu Application Platform v1.8.2, the version of Go Lite has been upgraded from v2.2.x to v3.1.x. This version of the buildpack contains a breaking change which is the removal of the Dep package manager, which has been deprecated. If you still need to use the Dep package manager, see Update dependencies out of band with Tanzu Application Platform releases.

v1.8.4 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.8.4 Known issues: Supply Chain

  • The Workload page in the Supply Chain UI takes a long time to load when there are more than 100 workloads to display.

  • The Workload Details page, accessed by clicking on a workload name, does not load in the Supply Chain UI when there are more than 100 workloads to display.

v1.8.4 Known issues: Supply Chain Choreographer

  • The template for the external-deliverable-template does not respect the gitops_credentials_secret parameter. The value is not present on the deliverable if it is provided in the workload parameter gitops_credentials_secret or the supply chain tap-value ootb_supply_chain*.gitops.credentials_secret. As a workaround, operators must provide the value as a tap-value for the delivery: ootb_delivery_basic.source.credentials_secret. The supply chain’s GitOps credentials must authenticate to the same repository as the delivery’s source credentials. If a deliverable must use a secret different from that specified by the delivery tap-value, the deliverable must be manually altered when being copied to the Run cluster. Add the secret name as a source_credentials_secret parameter on the deliverable.

  • By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.8.4 Known issues: Supply Chain Security Tools - Policy

  • Supply Chain Security Tools - Policy defaults to The Update Framework (TUF) enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:

    policy:
      tuf_enabled: true
    

v1.8.4 Known issues: Supply Chain Security Tools - Scan

  • When using Supply Chain Security Tools (SCST) - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file for templates other than Trivy. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Grype image packaged with Tanzu Application Platform:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-grype
      image_scanning_cli:
        image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:feb1cdbd5c918aae7a89bdb2aa39d486bf6ffc81000764b522842e5934578497
    
  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information about this issue, see the Snyk GitHub repository.

  • Recurring scan has a maximum of approximately 5000 container images that can be scanned at a single time due to ConfigMap size limits.

  • If the supply chain container image scanning is configured to use a different scanner or scanner version than the recurring scanning, the vulnerabilities displayed in Tanzu Developer Portal might be inaccurate.

  • SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.8.4 Known issues: Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds that a PostgreSQL database index has been corrupted, it automatically attempts a repair, which might cause reconciliation during package updates. When this happens, the included Postgres database might take some time to complete the repair and accept connections. For more information, see Fix Postgres Database Index Corruption.

  • When outputting CycloneDX v1.5 SBOMs, the report is found to be an invalid SBOM by CycloneDX validators. This issue is planned to be fixed in a future release.

  • If CA Certificate data is included in the shared Tanzu Application Platform values section, do not configure AMR Observer with CA Certificate data.

  • When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

    When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

    To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.8.4 Known issues: Tanzu Build Service

  • During upgrades, a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

    If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.8.4 Known issues: Tanzu Developer Portal

  • Tanzu Developer Portal Configurator jumps from v1.0.x in Tanzu Application Platform v1.7 to v1.8.x in Tanzu Application Platform v1.8. This version jump enables future versions of Tanzu Developer Portal and Tanzu Developer Portal Configurator to sync going forward.

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.8.4 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.8.4 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.8.4 Component versions

The following table lists the supported component versions for this Tanzu Application Platform release.

Component Name Version
API Auto Registration 0.5.0
API portal 1.5.0
Application Accelerator 1.8.1
Application Configuration Service 2.3.2
Application Live View APIServer 1.8.2
Application Live View back end 1.8.2
Application Live View connector 1.8.2
Application Live View conventions 1.8.2
Application Single Sign-On 5.1.6
Artifact Metadata Repository Observer 0.4.4
AWS Services 0.2.1
Bitnami Services 0.4.0
Carbon Black Scanner for SCST - Scan (beta) 1.3.7
Cartographer Conventions 0.8.10
cert-manager 2.7.6
Cloud Native Runtimes 2.5.7
Contour 2.2.0
Crossplane 0.4.3
Default Roles 1.1.0
Developer Conventions 0.16.1
External Secrets Operator 0.9.4+tanzu.3
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.8.8
Local Source Proxy 0.2.1
Managed Resource Controller (beta) 0.1.39
Namespace Provisioner 0.6.2
Out of the Box Delivery - Basic 0.15.11
Out of the Box Supply Chain - Basic 0.15.11
Out of the Box Supply Chain - Testing 0.15.11
Out of the Box Supply Chain - Testing and Scanning 0.15.11
Out of the Box Templates 0.15.11
Service Bindings 0.11.0
Service Registry 1.3.3
Services Toolkit 0.13.0
Snyk Scanner for SCST - Scan (beta) 1.2.7
Source Controller 0.8.4
Spring Boot conventions 1.8.2
Spring Cloud Gateway 2.1.10
Supply Chain Choreographer 0.8.10
Supply Chain Security Tools - Policy Controller 1.6.4
Supply Chain Security Tools - Scan 1.8.9
Supply Chain Security Tools - Scan 2.0 0.3.7
Supply Chain Security Tools - Store 1.8.4
Tanzu Application Platform Telemetry 0.7.0
Tanzu Build Service 1.13.0
Tanzu CLI 1.3.0
Tanzu Developer Portal 1.8.5
Tanzu Developer Portal Configurator 1.8.5
Tanzu Supply Chain (beta) 0.1.74
Tekton Pipelines 0.50.3+tanzu.4

v1.8.3

Release Date: 7 May 2024

v1.8.3 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
alm-catalog.component.apps.tanzu.vmware.com
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
cert-manager.tanzu.vmware.com
conventions.component.apps.tanzu.vmware.com
git-writer.component.apps.tanzu.vmware.com
managed-resource-controller.apps.tanzu.vmware.com
metadata-store.apps.tanzu.vmware.com
ootb-templates.tanzu.vmware.com
spring-cloud-gateway.tanzu.vmware.com
sso.apps.tanzu.vmware.com
supply-chain-catalog.apps.tanzu.vmware.com
supply-chain.apps.tanzu.vmware.com
tap-gui.tanzu.vmware.com

v1.8.3 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.8.3 Resolved issues: App Last Mile Catalog

  • Resolved an issue where the Deployer component output an error message that was larger than 4 KB. This caused a Tekton error. The Deployer component now outputs a smaller error message that is human readable.

v1.8.3 Resolved issues: Tanzu Developer Portal

  • Adds read permission for namespaces to the k8s-reader role to avoid access errors when querying clusters for namespace resources.

v1.8.3 Known issues

This release has the following known issues, listed by component and area.

v1.8.3 Known issues: Tanzu Application Platform

  • On Azure Kubernetes Service (AKS), the Datadog Cluster Agent cannot reconcile the webhook, which leads to an error. For troubleshooting information, see Datadog agent cannot reconcile webhook on AKS.

  • The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKr v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.8.3 Known issues: API Auto Registration

  • Registering conflicting groupId and version with API portal:

    If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specification includes API routes from both CuratedAPIDescriptors.

    You can see the groupId and version information from all CuratedAPIDescriptors by running:

    $ kubectl get curatedapidescriptors -A
    
    NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
    my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
    default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
    
  • When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.8.3 Known issues: App Last Mile Catalog

  • The app-config-web, app-config-server, and app-config-worker components do not allow developers to override the default application ports. This means that applications that use non-standard ports do not work. To work around this, you can configure ports by providing values to the resulting Carvel package. This issue is planned to be fixed in a future release.

v1.8.3 Known issues: Application Live View

  • On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.8.3 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. Duplicate submission of identical ImageVulnerabilityScans produces an error, which you can ignore if the previous submission was successful.

v1.8.3 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami Services after having already created a claim for one or more of the services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.8.3 Known issues: Cartographer Conventions

  • While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.8.3 Known issues: Crossplane

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To work around this issue, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.8.3 Known issues: Go Lite Buildpack

  • In v1.8.1 there was a mismatch in version between the Go Lite buildpack provided in the Tanzu Application Platform packages and the Go buildpack provided in the full dependencies. This version mismatch made it impossible to use the dependency updater. In Tanzu Application Platform v1.8.2, the version of Go Lite has been upgraded from v2.2.x to v3.1.x. This version of the buildpack contains a breaking change which is the removal of the Dep package manager, which has been deprecated. If you still need to use the Dep package manager, see Update dependencies out of band with Tanzu Application Platform releases.

v1.8.3 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.8.3 Known issues: Supply Chain

  • The Workload page in the Supply Chain UI takes a long time to load when there are more than 100 workloads to display.

  • The Workload Details page, accessed by clicking on a workload name, does not load in the Supply Chain UI when there are more than 100 workloads to display.

v1.8.3 Known issues: Supply Chain Choreographer

  • The template for the external-deliverable-template does not respect the gitops_credentials_secret parameter. The value is not present on the deliverable if it is provided in the workload parameter gitops_credentials_secret or the supply chain tap-value ootb_supply_chain*.gitops.credentials_secret. As a workaround, operators must provide the value as a tap-value for the delivery: ootb_delivery_basic.source.credentials_secret. The supply chain’s GitOps credentials must authenticate to the same repository as the delivery’s source credentials. If a deliverable must use a secret different from that specified by the delivery tap-value, the deliverable must be manually altered when being copied to the Run cluster. Add the secret name as a source_credentials_secret parameter on the deliverable.

  • By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.8.3 Known issues: Supply Chain Security Tools - Policy

  • Supply Chain Security Tools - Policy defaults to The Update Framework (TUF) enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:

    policy:
      tuf_enabled: true
    

v1.8.3 Known issues: Supply Chain Security Tools - Scan

  • When using Supply Chain Security Tools (SCST) - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file for templates other than Trivy. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Grype image packaged with Tanzu Application Platform:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-grype
      image_scanning_cli:
        image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:feb1cdbd5c918aae7a89bdb2aa39d486bf6ffc81000764b522842e5934578497
    
  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information about this issue, see the Snyk GitHub repository.

  • Recurring scan has a maximum of approximately 5000 container images that can be scanned at a single time due to the size limits of ConfigMaps.

  • If the supply chain container image scanning is configured to use a different scanner or scanner version than the recurring scanning, the vulnerabilities displayed in Tanzu Developer Portal might be inaccurate.

  • SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.8.3 Known issues: Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds that a PostgreSQL database index has been corrupted, it automatically attempts to repair the index, which might cause reconciliation during package updates. When this happens, the included Postgres database might take some time to complete the repair and accept connections. For more information, see Fix Postgres Database Index Corruption.

  • When outputting CycloneDX v1.5 SBOMs, the report is found to be an invalid SBOM by CycloneDX validators. This issue is planned to be fixed in a future release.

  • If CA Certificate data is included in the shared Tanzu Application Platform values section, do not configure AMR Observer with CA Certificate data.

  • When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

    When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

    To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.8.3 Known issues: Tanzu Build Service

  • During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

    If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.8.3 Known issues: Tanzu Developer Portal

  • Tanzu Developer Portal Configurator jumps from v1.0.x in Tanzu Application Platform v1.7 to v1.8.x in Tanzu Application Platform v1.8. This version jump enables future versions of Tanzu Developer Portal and Tanzu Developer Portal Configurator to sync going forward.

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.8.3 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.8.3 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.8.3 Component versions

The following table lists the Tanzu Application Platform package versions included with this release. For open source component versions in this Tanzu Application Platform release, see Open source component versions.

Component Name Version
API Auto Registration 0.5.0
API portal 1.5.0
Application Accelerator 1.8.1
Application Configuration Service 2.3.1
Application Live View APIServer 1.8.2
Application Live View back end 1.8.2
Application Live View connector 1.8.2
Application Live View conventions 1.8.2
Application Single Sign-On 5.1.5
Artifact Metadata Repository Observer 0.4.4
AWS Services 0.2.1
Bitnami Services 0.4.0
Carbon Black Scanner for SCST - Scan (beta) 1.3.7
Cartographer Conventions 0.8.10
cert-manager 2.7.4
Cloud Native Runtimes 2.5.3
Contour 2.2.0
Crossplane 0.4.2
Default Roles 1.1.0
Developer Conventions 0.16.1
External Secrets Operator 0.9.4+tanzu.3
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.8.8
Local Source Proxy 0.2.1
Managed Resource Controller (beta) 0.1.21
Namespace Provisioner 0.6.2
Out of the Box Delivery - Basic 0.15.9
Out of the Box Supply Chain - Basic 0.15.9
Out of the Box Supply Chain - Testing 0.15.9
Out of the Box Supply Chain - Testing and Scanning 0.15.9
Out of the Box Templates 0.15.9
Service Bindings 0.11.0
Service Registry 1.3.2
Services Toolkit 0.13.0
Snyk Scanner for SCST - Scan (beta) 1.2.7
Source Controller 0.8.4
Spring Boot conventions 1.8.2
Spring Cloud Gateway 2.1.10
Supply Chain Choreographer 0.8.10
Supply Chain Security Tools - Policy Controller 1.6.4
Supply Chain Security Tools - Scan 1.8.9
Supply Chain Security Tools - Scan 2.0 0.3.6
Supply Chain Security Tools - Store 1.8.4
Tanzu Application Platform Telemetry 0.7.0
Tanzu Build Service 1.13.0
Tanzu CLI 1.3.0
Tanzu Developer Portal 1.8.5
Tanzu Developer Portal Configurator 1.8.5
Tanzu Supply Chain (beta) 0.1.57
Tekton Pipelines 0.50.3+tanzu.4

v1.8.2

Release Date: 09 April 2024

v1.8.2 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
apis.apps.tanzu.vmware.com
apiserver.appliveview.tanzu.vmware.com
app-scanning.apps.tanzu.vmware.com
application-configuration-service.tanzu.vmware.com
aws.services.tanzu.vmware.com
backend.appliveview.tanzu.vmware.com
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
carbonblack.scanning.apps.tanzu.vmware.com
connector.appliveview.tanzu.vmware.com
controller.source.apps.tanzu.vmware.com
conventions.appliveview.tanzu.vmware.com
conventions.component.apps.tanzu.vmware.com
crossplane.tanzu.vmware.com
git-writer.component.apps.tanzu.vmware.com
go-lite.buildpacks.tanzu.vmware.com
grype.scanning.apps.tanzu.vmware.com
metadata-store.apps.tanzu.vmware.com
ootb-supply-chain-testing-scanning.tanzu.vmware.com
ootb-templates.tanzu.vmware.com
policy.apps.tanzu.vmware.com
service-registry.spring.apps.tanzu.vmware.com
snyk.scanning.apps.tanzu.vmware.com
source.component.apps.tanzu.vmware.com
spring-boot-conventions.tanzu.vmware.com
spring-cloud-gateway.tanzu.vmware.com
supply-chain-catalog.apps.tanzu.vmware.com
tap-gui.tanzu.vmware.com
trivy.app-scanning.component.apps.tanzu.vmware.com

v1.8.2 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.8.2 Resolved issues: AWS Services

  • Updated the endpoint key name in the binding secret for Amazon MQ (RabbitMQ) claims to addresses so that it matches the name that the Spring Cloud Bindings library uses. This key name change is not applied to any existing Amazon MQ (RabbitMQ) claims. If new Amazon MQ (RabbitMQ) claims still do not have the updated addresses key name, see Troubleshoot AWS Services.

v1.8.2 Resolved issues: Crossplane

  • Fixed an issue that you might encounter if you uninstall and reinstall the Crossplane package on the same cluster. You no longer receive a TLS certificate verification error with service claims never transitioning to READY=True.

v1.8.2 Resolved issues: Supply Chain Security Tools - Scan

  • Resolved an issue that caused source code scanning to fail due to curl missing in the container image.

v1.8.2 Known issues

This release has the following known issues, listed by component and area.

v1.8.2 Known issues: Tanzu Application Platform

  • On Azure Kubernetes Service (AKS), the Datadog Cluster Agent cannot reconcile the webhook, which leads to an error. For troubleshooting information, see Datadog agent cannot reconcile webhook on AKS.

  • The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKr v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.8.2 Known issues: API Auto Registration

  • Registering conflicting groupId and version with API portal:

    If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specification includes API routes from both CuratedAPIDescriptors.

    You can see the groupId and version information from all CuratedAPIDescriptors by running:

    $ kubectl get curatedapidescriptors -A
    
    NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
    my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
    default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
    
  • When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.8.2 Known issues: App Last Mile Catalog

  • The app-config-web, app-config-server, and app-config-worker components do not allow developers to override the default application ports. This means that applications that use non-standard ports do not work. To work around this, you can configure ports by providing values to the resulting Carvel package. This issue is planned to be fixed in a future release.

v1.8.2 Known issues: Application Live View

  • On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.8.2 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. Duplicate submission of identical ImageVulnerabilityScans produces an error, which you can ignore if the previous submission was successful.

v1.8.2 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami Services after having already created a claim for one or more of the services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.8.2 Known issues: Cartographer Conventions

  • While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.8.2 Known issues: Crossplane

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To work around this issue, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.8.2 Known issues: Go Lite Buildpack

  • In v1.8.1 there was a mismatch in version between the Go Lite buildpack provided in the Tanzu Application Platform packages and the Go buildpack provided in the full dependencies. This version mismatch made it impossible to use the dependency updater. For Tanzu Application Platform v1.8.2, the version of Go Lite has been upgraded from v2.2.x to v3.1.x. This version of the buildpack contains a breaking change which is the removal of the Dep package manager, which has been deprecated. If you still need to use the Dep package manager, see Update dependencies out of band with Tanzu Application Platform releases.

v1.8.2 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.8.2 Known issues: Supply Chain

  • The Workload page in the Supply Chain UI takes a long time to load when there are more than 100 workloads to display.

  • The Workload Details page, accessed by clicking on a workload name, does not load in the Supply Chain UI when there are more than 100 workloads to display.

v1.8.2 Known issues: Supply Chain Choreographer

  • The template for the external-deliverable-template does not respect the gitops_credentials_secret parameter. The value is not present on the deliverable if it is provided in the workload parameter gitops_credentials_secret or the supply chain tap-value ootb_supply_chain*.gitops.credentials_secret. As a workaround, operators must provide the value as a tap-value for the delivery: ootb_delivery_basic.source.credentials_secret. The supply chain’s GitOps credentials must authenticate to the same repository as the delivery’s source credentials. If a deliverable must use a secret different from that specified by the delivery tap-value, the deliverable must be manually altered when being copied to the Run cluster. Add the secret name as a source_credentials_secret parameter on the deliverable.

  • By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.8.2 Known issues: Supply Chain Security Tools - Policy

  • Supply Chain Security Tools - Policy defaults to The Update Framework (TUF) enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:

    policy:
      tuf_enabled: true
    

v1.8.2 Known issues: Supply Chain Security Tools - Scan

  • When using Supply Chain Security Tools (SCST) - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file for templates other than Trivy. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Grype image packaged with Tanzu Application Platform:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-grype
      image_scanning_cli:
        image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:feb1cdbd5c918aae7a89bdb2aa39d486bf6ffc81000764b522842e5934578497
    
  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information about this issue, see the Snyk GitHub repository.

  • Recurring scan can scan a maximum of approximately 5000 container images at a single time due to the size limits of ConfigMaps.

  • If the supply chain container image scanning is configured to use a different scanner or scanner version than the recurring scanning, the vulnerabilities displayed in Tanzu Developer Portal might be inaccurate.

  • SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.8.2 Known issues: Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds that a PostgreSQL database index has been corrupted, SCST - Store automatically attempts to repair it, which might cause reconciliation during package updates. When this happens, the included Postgres database might take some time to complete the repair and accept connections. For more information, see Fix Postgres Database Index Corruption.

  • When outputting CycloneDX v1.5 SBOMs, the report is found to be an invalid SBOM by CycloneDX validators. This issue is planned to be fixed in a future release.

  • If CA Certificate data is included in the shared Tanzu Application Platform values section, do not configure AMR Observer with CA Certificate data.

  • When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

    When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

    To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.8.2 Known issues: Tanzu Build Service

  • During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

    If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.8.2 Known issues: Tanzu Developer Portal

  • Tanzu Developer Portal Configurator jumps from v1.0.x in Tanzu Application Platform v1.7 to v1.8.x in Tanzu Application Platform v1.8. This version jump enables future versions of Tanzu Developer Portal and Tanzu Developer Portal Configurator to sync going forward.

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.8.2 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.8.2 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.8.2 Component versions

The following table lists the Tanzu Application Platform package versions included with this release. For open source component versions in this Tanzu Application Platform release, see Open source component versions.

Component Name Version
API Auto Registration 0.5.0
API portal 1.5.0
Application Accelerator 1.8.1
Application Configuration Service 2.3.1
Application Live View APIServer 1.8.2
Application Live View back end 1.8.2
Application Live View connector 1.8.2
Application Live View conventions 1.8.2
Application Single Sign-On 5.1.4
Artifact Metadata Repository Observer 0.4.3
AWS Services 0.2.1
Bitnami Services 0.4.0
Carbon Black Scanner for SCST - Scan (beta) 1.3.7
Cartographer Conventions 0.8.10
cert-manager 2.7.2
Cloud Native Runtimes 2.5.3
Contour 2.2.0
Crossplane 0.4.2
Default Roles 1.1.0
Developer Conventions 0.16.1
External Secrets Operator 0.9.4+tanzu.3
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.8.8
Local Source Proxy 0.2.1
Managed Resource Controller (beta) 0.1.9
Namespace Provisioner 0.6.2
Out of the Box Delivery - Basic 0.15.7
Out of the Box Supply Chain - Basic 0.15.7
Out of the Box Supply Chain - Testing 0.15.7
Out of the Box Supply Chain - Testing and Scanning 0.15.7
Out of the Box Templates 0.15.7
Service Bindings 0.11.0
Service Registry 1.3.2
Services Toolkit 0.13.0
Snyk Scanner for SCST - Scan (beta) 1.2.7
Source Controller 0.8.4
Spring Boot conventions 1.8.2
Spring Cloud Gateway 2.1.9
Supply Chain Choreographer 0.8.10
Supply Chain Security Tools - Policy Controller 1.6.4
Supply Chain Security Tools - Scan 1.8.9
Supply Chain Security Tools - Scan 2.0 0.3.6
Supply Chain Security Tools - Store 1.8.3
Tanzu Application Platform Telemetry 0.7.0
Tanzu Build Service 1.13.0
Tanzu CLI 1.2.0
Tanzu Developer Portal 1.8.4
Tanzu Developer Portal Configurator 1.8.4
Tanzu Supply Chain (beta) 0.1.38
Tekton Pipelines 0.50.3+tanzu.4

v1.8.1

Release Date: 12 March 2024

v1.8.1 Security fixes

This release has the following security fixes, listed by component and area.

Package Name Vulnerabilities Resolved
alm-catalog.component.apps.tanzu.vmware.com
app-scanning.apps.tanzu.vmware.com
base-jammy-stack-lite.buildpacks.tanzu.vmware.com
carbonblack.scanning.apps.tanzu.vmware.com
conventions.component.apps.tanzu.vmware.com
git-writer.component.apps.tanzu.vmware.com
grype.scanning.apps.tanzu.vmware.com
metadata-store.apps.tanzu.vmware.com
ruby-lite.buildpacks.tanzu.vmware.com
scanning.apps.tanzu.vmware.com
snyk.scanning.apps.tanzu.vmware.com
source.component.apps.tanzu.vmware.com
spring-cloud-gateway.tanzu.vmware.com
sso.apps.tanzu.vmware.com
supply-chain-catalog.apps.tanzu.vmware.com
tap-gui.tanzu.vmware.com
trivy.app-scanning.component.apps.tanzu.vmware.com

v1.8.1 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.8.1 Resolved issues: App Last Mile Catalog

  • Resolved an issue where the app-config-web, app-config-server, and app-config-worker components output a YTT overlay that incorrectly replaced all Convention provided environment variables instead of merging developer provided environment variables. Environment variables are now correctly merged.

v1.8.1 Resolved issues: Supply Chain Security Tools - Scan

  • Resolved an issue that prevented recurring scanning from importing keychains for cloud container registries such as ECR, ACR, and GCR.

  • Resolved an issue which caused recurring scan resources to appear in the Security Analysis Plug-in in Tanzu Developer Portal.


v1.8.1 Known issues

This release has the following known issues, listed by component and area.

v1.8.1 Known issues: Tanzu Application Platform

  • On Azure Kubernetes Service (AKS), the Datadog Cluster Agent cannot reconcile the webhook, which leads to an error. For troubleshooting information, see Datadog agent cannot reconcile webhook on AKS.

  • The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKr v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.8.1 Known issues: API Auto Registration

  • Registering conflicting groupId and version with API portal:

    If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specification includes API routes from both CuratedAPIDescriptors.

    You can see the groupId and version information from all CuratedAPIDescriptors by running:

    $ kubectl get curatedapidescriptors -A
    
    NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
    my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
    default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
    
  • When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.

v1.8.1 Known issues: App Last Mile Catalog

  • The app-config-web, app-config-server, and app-config-worker components do not allow developers to override the default application ports. This means that applications that use non-standard ports do not work. To work around this, you can configure ports by providing values to the resulting Carvel package. This issue is planned to be fixed in a future release.

v1.8.1 Known issues: Application Live View

  • On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.8.1 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. The duplicate submission of an identical ImageVulnerabilityScan returns an error, which you can ignore if the previous submission was successful.

v1.8.1 Known issues: AWS Services

  • When you create claims for Amazon MQ (RabbitMQ), one of the key names in the binding secret is endpoint. This does not match the name that the Spring Cloud Bindings library expects, which is addresses. As a result, when you bind Spring-based workloads to the Amazon MQ service, the connection is not established automatically. For a workaround, see Troubleshoot AWS Services.

v1.8.1 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami Services after having already created a claim for one or more of the services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.8.1 Known issues: Cartographer Conventions

  • While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.8.1 Known issues: Crossplane

  • After you uninstall the Crossplane package and reinstall it on the same cluster, service claims you create never transition to READY=True. If you inspect the underlying Crossplane managed resource, you see a TLS certificate verification error. For more information, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To work around this, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.8.1 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.8.1 Known issues: Supply Chain

  • The Workload page in the Supply Chain UI takes a long time to load when there are more than 100 workloads to display.

  • The Workload Details page, accessed by clicking on a workload name, does not load in the Supply Chain UI when there are more than 100 workloads to display.

v1.8.1 Known issues: Supply Chain Choreographer

  • The template for the external-deliverable-template does not respect the gitops_credentials_secret parameter. The value is not present on the deliverable if it is provided in the workload parameter gitops_credentials_secret or the supply chain tap-value ootb_supply_chain*.gitops.credentials_secret. As a workaround, operators must provide the value as a tap-value for the delivery: ootb_delivery_basic.source.credentials_secret. The supply chain’s GitOps credentials must authenticate to the same repository as the delivery’s source credentials. If a deliverable must use a secret different from that specified by the delivery tap-value, the deliverable must be manually altered when being copied to the Run cluster. Add the secret name as a source_credentials_secret parameter on the deliverable.

  • By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.8.1 Known issues: Supply Chain Security Tools - Policy

  • Supply Chain Security Tools - Policy defaults to The Update Framework (TUF) enabled due to incorrect logic. This might cause the package to not reconcile correctly if the default TUF mirrors are not reachable. To work around this, explicitly configure policy controller in the tap-values.yaml file to enable TUF:

    policy:
      tuf_enabled: true
    

v1.8.1 Known issues: Supply Chain Security Tools - Scan

  • When you opt in to source scanning in the supply chain, the source scan fails because curl is not available in the source scan image for Grype.

  • When using Supply Chain Security Tools (SCST) - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file for templates other than Trivy. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Grype image packaged with Tanzu Application Platform:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-grype
      image_scanning_cli:
        image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:feb1cdbd5c918aae7a89bdb2aa39d486bf6ffc81000764b522842e5934578497
    
  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information about this issue, see the Snyk GitHub repository.

  • Recurring scan can scan a maximum of approximately 5000 container images at a single time due to the size limits of ConfigMaps.

  • If the supply chain container image scanning is configured to use a different scanner or scanner version than the recurring scanning, the vulnerabilities displayed in Tanzu Developer Portal might be inaccurate.

  • SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.8.1 Known issues: Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds that a PostgreSQL database index has been corrupted, SCST - Store automatically attempts to repair it, which might cause reconciliation during package updates. When this happens, the included Postgres database might take some time to complete the repair and accept connections. For more information, see Fix Postgres Database Index Corruption.

  • When outputting CycloneDX v1.5 SBOMs, the report is found to be an invalid SBOM by CycloneDX validators. This issue is planned to be fixed in a future release.

  • If CA Certificate data is included in the shared Tanzu Application Platform values section, do not configure AMR Observer with CA Certificate data.

  • When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

    When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

    To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.
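The missing ca.crt described above (the same known issue is listed for v1.8.2) can be confirmed before the Observer values are generated. The following is an added example, not part of the VMware documentation: it classifies the ca.crt entry of a TLS Secret manifest as present, missing, empty, or invalid. The Secret name, namespace, placeholder certificate text, and function names are constructed assumptions.

```python
import base64
import json
import sys

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"

# Constructed placeholder, not a real certificate.
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\n"
             "CONSTRUCTED-PLACEHOLDER\n"
             "-----END CERTIFICATE-----\n")


def ca_crt_status(secret_manifest):
    """Classify the ca.crt entry of a TLS Secret manifest given as JSON text.

    Returns "present", "missing", "empty" or "invalid".
    """
    data = json.loads(secret_manifest).get("data") or {}
    encoded = data.get("ca.crt")
    if encoded is None:
        return "missing"  # the ACME issuer case described above
    try:
        decoded = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "invalid"
    if not decoded.strip():
        return "empty"
    return "present" if PEM_MARKER in decoded else "invalid"


def needs_shared_ca(secret_manifest):
    """True when the CA must be supplied through shared.ca_cert_data instead."""
    return ca_crt_status(secret_manifest) != "present"


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def make_secret(ca_pem=None):
    """Build a constructed kubernetes.io/tls Secret manifest for the demo."""
    data = {
        "tls.crt": _b64(FAKE_CERT),
        "tls.key": _b64("constructed-placeholder-not-a-key"),
    }
    if ca_pem is not None:
        data["ca.crt"] = _b64(ca_pem)
    return json.dumps({
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": "example-tls", "namespace": "example-ns"},
        "data": data,
    })


if __name__ == "__main__":
    # Usage: kubectl get secret NAME -n NAMESPACE -o json | python3 this_script.py
    manifest = make_secret() if sys.stdin.isatty() else sys.stdin.read()
    status = ca_crt_status(manifest)
    print(f"ca.crt: {status}")
    if needs_shared_ca(manifest):
        print("Add the CA certificate to shared.ca_cert_data in the installation values.")
        sys.exit(1)
```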

v1.8.1 Known issues: Tanzu Build Service

  • During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

    If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.8.1 Known issues: Tanzu Developer Portal

  • Tanzu Developer Portal Configurator jumps from v1.0.x in Tanzu Application Platform v1.7 to v1.8.x in Tanzu Application Platform v1.8. This version jump enables future versions of Tanzu Developer Portal and Tanzu Developer Portal Configurator to sync going forward.

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.8.1 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.8.1 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.8.1 Component versions

The following table lists the Tanzu Application Platform package versions included with this release. For open source component versions in this Tanzu Application Platform release, see Open source component versions.

Component Name Version
API Auto Registration 0.4.2
API portal 1.5.0
Application Accelerator 1.8.1
Application Configuration Service 2.3.0
Application Live View APIServer 1.8.0
Application Live View back end 1.8.0
Application Live View connector 1.8.0
Application Live View conventions 1.8.0
Application Single Sign-On 5.1.3
Artifact Metadata Repository Observer 0.4.2
AWS Services 0.2.0
Bitnami Services 0.4.0
Carbon Black Scanner for SCST - Scan (beta) 1.3.6
Cartographer Conventions 0.8.10
cert-manager 2.7.1
Cloud Native Runtimes 2.5.2
Contour 2.2.0
Crossplane 0.4.1
Default Roles 1.1.0
Developer Conventions 0.16.1
External Secrets Operator 0.9.4+tanzu.3
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.8.6
Local Source Proxy 0.2.1
Managed Resource Controller (beta) 0.1.5
Namespace Provisioner 0.6.2
Out of the Box Delivery - Basic 0.15.6
Out of the Box Supply Chain - Basic 0.15.6
Out of the Box Supply Chain - Testing 0.15.6
Out of the Box Supply Chain - Testing and Scanning 0.15.6
Out of the Box Templates 0.15.6
Service Bindings 0.11.0
Service Registry 1.3.1
Services Toolkit 0.13.0
Snyk Scanner for SCST - Scan (beta) 1.2.6
Source Controller 0.8.3
Spring Boot conventions 1.8.0
Spring Cloud Gateway 2.1.8
Supply Chain Choreographer 0.8.10
Supply Chain Security Tools - Policy Controller 1.6.3
Supply Chain Security Tools - Scan 1.8.7
Supply Chain Security Tools - Scan 2.0 0.3.5
Supply Chain Security Tools - Store 1.8.2
Tanzu Application Platform Telemetry 0.7.0
Tanzu Build Service 1.13.0
Tanzu CLI 1.2.0
Tanzu Developer Portal 1.8.2
Tanzu Developer Portal Configurator 1.8.2
Tanzu Supply Chain (beta) 0.1.18
Tekton Pipelines 0.50.3+tanzu.4

v1.8.0

Release Date: 29 February 2024

v1.8.0 New features by component and area

This release includes the following changes, listed by component and area.

v1.8.0 Features: Application Accelerator

  • Accelerator authors can create accelerators faster using a local authoring experience without connecting to a Tanzu Application Platform cluster. This allows you to create accelerators locally by using the VS Code IDE. For more information, see Using a local Application Accelerator engine server.

v1.8.0 Features: Application Live View

  • By default, Application Live View connector is deployed as a Kubernetes DaemonSet to discover applications across all namespaces running in a worker node of a Kubernetes cluster. When the connector is deployed as a DaemonSet, the Kubernetes scheduling pattern might be unpredictable when a node restarts. To avoid this, you can override the default settings to deploy the connector as a deployment or in namespace-scope mode. For more information, see Connector deployment modes in Application Live View.

v1.8.0 Features: Application Single Sign-On

  • The authorization server can auto-discover upstream identity provider configuration from AuthServer.spec.identityProviders[].openID.configurationURI. For more information, see Identity providers for Application Single Sign-On.

  • The userinfo endpoint of an upstream identity provider is called when it’s known and configured with the scope openid. That means user information is retrieved for non-standard providers.

  • Scopes in the token response are filtered according to the roles filtering defined on the AuthServer.

  • Advertises the Application Single Sign-On version on components:

    • The controller workloads are annotated with sso.apps.tanzu.vmware.com/version.
    • AuthServer-owned workloads are annotated with sso.apps.tanzu.vmware.com/version.
    • Authorization servers report the version by using the endpoint FQDN/actuator/info.
  • Shows an error message when attempting the unsupported Relying Party (RP)-Initiated Logout.

  • Shows an improved error message when using localhost in ClientRegistration.spec.redirectURIs.

  • Bundles the latest bitnami/redis:7.2.4.

  • Supports Kubernetes v1.29.

v1.8.0 Features: AWS Services

  • Adds the service Amazon MQ for RabbitMQ. To enable the new service, set rabbitmq.enabled: true in your aws-services-values.yaml. For more configuration options, see Package values for AWS Services.

  • Adds the package value crossplane.role_arn. Users can specify a role_arn, which causes the Provider pods to run as a service account that is mapped to the corresponding IAM role in AWS.

  • Updates upbound/provider-aws from v0.39.0 to v0.46.0.

v1.8.0 Features: Bitnami Services

  • Updates all Compositions to use function pipelines rather than Crossplane’s default patch and transform. New instances created using a class claim are now composed using the new Compositions. There is no change to how the resulting composed service instances operate. There is no impact to existing instances.

v1.8.0 Features: Buildpacks and Stacks

v1.8.0 Features: cert-manager

v1.8.0 Features: Cloud Native Runtimes

v1.8.0 Features: Contour

v1.8.0 Features: Crossplane

  • Updates Universal Crossplane to v1.14.5-up.1. For more information, see the Upbound blog.

  • Updates provider-helm to v0.16.0.

  • Updates provider-kubernetes to v0.11.0.

  • Adds support for composition functions. Composition functions are in beta for Crossplane v1.14. For more information, see the Upbound Documentation.

  • Adds the patch and transform function. Users who want to use function pipelines in their Compositions can use this function without having to explicitly install it.

v1.8.0 Features: Service Bindings

  • Updates servicebinding/runtime to v0.7.0. This update fixes the issue of ServiceBinding not immediately reconciling when status.binding.name changes on a previously bound service resource. For more information, see the runtime release notes.

v1.8.0 Features: Service Registry

  • Skips TLS verification in DiscoveryClient when mTLS is not enabled.

  • Enables TLS configuration conditionally with the server.ssl.enabled flag.

  • Permits configuration of resource requests and limits for EurekaServers that were deployed by using eureka-controller.

v1.8.0 Features: Services Toolkit

  • Updates reconciler-runtime to v0.15.1.

v1.8.0 Features: Spring Boot Convention

  • You no longer need to provide the verbose configuration to enable actuators and the Application Live View features while running Spring Native workloads on Tanzu Application Platform. The Spring Boot convention server enhances Tanzu PodIntents with metadata. This metadata can include labels, annotations, or properties required to run native workloads in Tanzu Application Platform. This metadata enables Application Live View to discover and register the app instances so that Application Live View can access the actuator data from those workloads. For more information, see Enable Spring Native apps for Application Live View.

v1.8.0 Features: Supply Chain Choreographer

  • Introduces Carvel Package Supply Chains for the Out of the Box Supply Chain with Testing and Out of the Box Supply Chain with Testing and Scanning packages. This feature is in beta. For more information, see Carvel Package Supply Chains (beta).

v1.8.0 Features: Supply Chain Security Tools - Scan

  • Supply Chain Security Tools (SCST) - Scan 2.0 is now GA. For more information, including guidance about when to use SCST - Scan 1.0 versus SCST - Scan 2.0, see SCST - Scan Overview.

  • SCST - Scan 1.0 remains the default scan component, with SCST - Scan 2.0 available on an opt-in basis, except in the following situations:

    • Air-gapped installs use SCST - Scan 2.0 and Trivy to simplify the installation and configuration process.
    • Tanzu Supply Chain (Beta) uses the Trivy component based on SCST - Scan 2.0.
  • You can scan container images on a periodic interval after the initial build. For more information, see Set up recurring scanning.

  • The SCST - Scan 2.0 scanners are updated to the latest versions to support CycloneDX v1.5 outputs:

    • Aqua Trivy is updated to v0.48.3.
    • Anchore Grype is updated to v0.74.1.

v1.8.0 Features: Supply Chain Security Tools - Store

  • Adds support for ingesting Software Bill of Materials (SBOMs) in CycloneDX v1.5 format.

  • Includes better error messaging for ingestion errors.

  • To enable DORA metrics functionality, if you configured the environment label, rename it to env. For more information, see Configure Artifact Metadata Repository.

v1.8.0 Features: Tanzu Build Service

  • Tanzu Build Service can now generate Supply-chain Levels for Software Artifacts (SLSA) attestations. For instructions, see Generate Supply-chain Levels for Software Artifacts attestations.

  • Tanzu UBI and Static builders are now available and you can install them as part of the full dependencies. For instructions and descriptions, see Install full dependencies.

  • You can now configure Tanzu Build Service with automatic dependency updates to keep your stacks and buildpacks up to date out of band of Tanzu Application Platform releases. For instructions, see Configure your profile with automatic dependency updates.

  • Cosign signatures for Builders and ClusterBuilders are now generated. Previously, only app images were signed.

  • Builders and ClusterBuilders can now specify additional labels to be attached to the image.

v1.8.0 Features: Tanzu Developer Portal

  • The DORA plug-in now has:
    • A Date Range drop-down menu, which includes the filters This Week, This Month, This Quarter, and Last 90 Days (default)
    • An Environments drop-down menu, which includes the filters All Environments (default) and any available individual environment

v1.8.0 Features: Tanzu Developer Tools for IntelliJ

  • You can create portforwards with the Port Forward action from the pop-up menu in the Tanzu panel. This enables you to easily access the application when iterating locally from a local URL by using Tanzu: Portforward or by using a Knative URL for web type workloads from the Tanzu panel.

v1.8.0 Features: Tanzu Developer Tools for Visual Studio Code

  • You can create portforwards with the Tanzu: Portforward action from the pop-up menu in the Tanzu panel. This enables you to easily access the application when iterating locally from a local URL by using Tanzu: Portforward or by using a Knative URL for web type workloads from the Tanzu panel.

v1.8.0 Breaking changes

This release includes the following changes, listed by component and area.

v1.8.0 Breaking changes: API Validation and Scoring

  • API Validation and Scoring is removed in this release.

v1.8.0 Breaking changes: Buildpacks

  • Tanzu Java Buildpack removes Java (BellSoft Liberica) v20. This is replaced by Java v21.

  • Tanzu Go Buildpack removes support for the dep dependency management tool for Go. This tool has been officially deprecated since 2020.

v1.8.0 Breaking changes: Supply Chain Security Tools - Scan

v1.8.0 Breaking changes: Tanzu Build Service

  • The Cloud Native Buildpack Bill of Materials (CNB BOM) format has been removed.

v1.8.0 Security fixes

This release has the following security fixes, listed by component and area.

Packages with vulnerabilities resolved:

  • accelerator.apps.tanzu.vmware.com
  • amr-observer.apps.tanzu.vmware.com
  • api-portal.tanzu.vmware.com
  • apiserver.appliveview.tanzu.vmware.com
  • app-scanning.apps.tanzu.vmware.com
  • aws.services.tanzu.vmware.com
  • backend.appliveview.tanzu.vmware.com
  • buildservice.tanzu.vmware.com
  • carbonblack.scanning.apps.tanzu.vmware.com
  • cnrs.tanzu.vmware.com
  • connector.appliveview.tanzu.vmware.com
  • conventions.appliveview.tanzu.vmware.com
  • crossplane.tanzu.vmware.com
  • developer-conventions.tanzu.vmware.com
  • dotnet-core-lite.buildpacks.tanzu.vmware.com
  • grype.scanning.apps.tanzu.vmware.com
  • java-lite.buildpacks.tanzu.vmware.com
  • java-native-image-lite.buildpacks.tanzu.vmware.com
  • metadata-store.apps.tanzu.vmware.com
  • namespace-provisioner.apps.tanzu.vmware.com
  • nodejs-lite.buildpacks.tanzu.vmware.com
  • ootb-supply-chain-testing-scanning.tanzu.vmware.com
  • ootb-templates.tanzu.vmware.com
  • python-lite.buildpacks.tanzu.vmware.com
  • scanning.apps.tanzu.vmware.com
  • servicebinding.tanzu.vmware.com
  • services-toolkit.tanzu.vmware.com
  • snyk.scanning.apps.tanzu.vmware.com
  • sso.apps.tanzu.vmware.com
  • tap-gui.tanzu.vmware.com

v1.8.0 Resolved issues

The following issues, listed by component and area, are resolved in this release.

v1.8.0 Resolved issues: Cloud Native Runtimes

  • Resolved the issue where web workloads created with Tanzu Application Platform v1.6.3 and earlier failed to update with the error API server says: admission webhook "validation.webhook.serving.knative.dev" denied the request: validation failed: annotation value is immutable.

v1.8.0 Resolved issues: Service Bindings

  • Resolved an issue in which ServiceBinding is not immediately reconciled when status.binding.name changes on a previously bound service resource.

v1.8.0 Resolved issues: Supply Chain Choreographer

  • Supply Chains that use SSH auth with the git-writer resource no longer fail in the gitops step.

v1.8.0 Resolved issues: Supply Chain Security Tools - Scan

  • Trivy is no longer pinned to an old version with the introduction of support of CycloneDX 1.5 from SCST - Store.

v1.8.0 Resolved issues: Supply Chain Security Tools - Store

  • Resolved the issue where using a custom issuer such as Let’s Encrypt broke the Tanzu Mission Console orchestration that pushes the AMR Observer credentials from the view cluster to the non-view cluster.

  • Resolved the issue with expired certificates where you must restart the metadata-store pods when the internal database certificate is rotated by cert-manager. This issue no longer occurs with the default internal database, but the solution does not cover external databases.

  • Artifact Metadata Repository now properly sets hasNextPage to false when there are no more items to be retrieved during a paginated query. This fixes the issue where the last page always returns an empty list.


v1.8.0 Known issues

This release has the following known issues, listed by component and area.

v1.8.0 Known issues: Tanzu Application Platform

  • Installing this Tanzu Application Platform release using Tanzu Mission Control is not supported for Kubernetes v1.26.

  • On Azure Kubernetes Service (AKS), the Datadog Cluster Agent cannot reconcile the webhook, which leads to an error. For troubleshooting information, see Datadog agent cannot reconcile webhook on AKS.

  • The Tanzu Application Platform integration with Tanzu Service Mesh does not work on vSphere with TKr v1.26. For more information about this integration, see Set up Tanzu Service Mesh. As a workaround, you can apply the label to update pod security on a TKr v1.26 Kubernetes namespace as advised by the release notes for TKr 1.26.5 for vSphere 8.x. However, applying this label provides more than the minimum necessary privilege to the resources in developer namespaces.

v1.8.0 Known issues: API Auto Registration

  • Registering conflicting groupId and version with API portal:

    If you create two CuratedAPIDescriptors with the same groupId and version combination, both reconcile without throwing an error, and the /openapi?groupId&version endpoint returns both specifications. If you are adding both specifications to the API portal, only one of them might show up in the API portal UI with a warning indicating that there is a conflict. If you add the route provider annotation for both of the CuratedAPIDescriptors to use Spring Cloud Gateway, the generated API specification includes API routes from both CuratedAPIDescriptors.

    You can see the groupId and version information from all CuratedAPIDescriptors by running:

    $ kubectl get curatedapidescriptors -A
    
    NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
    my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
    default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
    
  • When creating an APIDescriptor with different apiSpec.url and server.url, the controller incorrectly uses the API spec URL as the server URL. To avoid this issue, use server.url only.
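
Because conflicting CuratedAPIDescriptors reconcile without any error, the groupId and version collision described above can be caught by checking the table that kubectl get curatedapidescriptors -A prints. The following script is an added example, not part of the Tanzu Application Platform documentation; the function names find_conflicts and sample_table are hypothetical, and the third sample row is constructed.

```shell
#!/bin/sh
# Added example (not VMware code): report CuratedAPIDescriptors that share
# the same groupId and version, using the table layout shown above:
#   NAMESPACE NAME GROUPID VERSION STATUS CURATED API SPEC URL

# find_conflicts reads the kubectl table on stdin and prints one line per
# groupId/version pair that is claimed by more than one descriptor.
find_conflicts() {
  awk '
    NF < 4 || $1 == "NAMESPACE" { next }   # skip blank lines and the header row
    {
      key = $3 SUBSEP $4
      if (!(key in owners)) {
        order[++n] = key                   # remember first-seen order
        grp[key] = $3
        ver[key] = $4
        owners[key] = $1 "/" $2
      } else {
        owners[key] = owners[key] "," $1 "/" $2
      }
      count[key]++
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (count[k] > 1)
          printf "CONFLICT groupId=%s version=%s descriptors=%s\n", grp[k], ver[k], owners[k]
      }
    }
  '
}

# sample_table: the first two data rows are the output shown on this page;
# the third row is constructed to show a non-conflicting descriptor.
sample_table() {
  cat <<'EOF'
NAMESPACE           NAME         GROUPID            VERSION   STATUS   CURATED API SPEC URL
my-apps             petstore     test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/my-apps/petstore
default             mystery      test-api-group     1.2.3     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/mystery
default             orders       test-api-group     2.0.0     Ready    http://AAR-CONTROLLER-FQDN/openapi/default/orders
EOF
}

# Offline demonstration; against a cluster, run:
#   kubectl get curatedapidescriptors -A | find_conflicts
sample_table | find_conflicts
```

An empty result means no two descriptors in the listing share a groupId and version.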

v1.8.0 Known issues: App Last Mile Catalog

  • The app-config-web, app-config-server, and app-config-worker components do not allow developers to override the default application ports. This means that applications that use non-standard ports do not work. To work around this, you can configure ports by providing values to the resulting Carvel package. This issue is planned to be fixed in a future release.

  • The app-config-web, app-config-server, and app-config-worker components output a YTT overlay that allows developers to configure the environment variables for their Carvel package. This overlay incorrectly replaces all Convention provided environment variables, instead of merging developer provided environment variables. To work around this, supply all environment variables, both Convention provided and user provided, to the Carvel package. This issue is planned to be fixed in a future release.

v1.8.0 Known issues: Application Live View

  • On the Run profile, Application Live View fails to reconcile if you use a non-default cluster issuer while installing through Tanzu Mission Control.

v1.8.0 Known issues: Artifact Metadata Repository Observer and CloudEvent Handler

  • Periodic reconciliation or restarting of the AMR Observer causes reattempted posting of ImageVulnerabilityScan results. Duplicate submission of identical ImageVulnerabilityScans produces an error, which you can ignore if the previous submission was successful.

v1.8.0 Known issues: AWS Services

  • When you create claims for Amazon MQ (RabbitMQ), one of the key names in the binding secret is endpoint. This does not match the name that the Spring Cloud Bindings library expects, which is addresses. As a result, when you bind Spring-based workloads to the Amazon MQ service, the connection is not established automatically. For a workaround, see Troubleshoot AWS Services.

v1.8.0 Known issues: Bitnami Services

  • If you try to configure private registry integration for the Bitnami Services after having already created a claim for one or more of the services using the default configuration, the updated private registry configuration does not appear to take effect. This is due to caching behavior in the system which is not accounted for during configuration updates. For a workaround, see Troubleshoot Bitnami Services.

v1.8.0 Known issues: Cartographer Conventions

  • While processing workloads with large SBOMs, the Cartographer Convention controller manager pod can fail with the status CrashLoopBackOff or OOMKilled. For information about how to increase the memory limit for both the convention server and webhook servers, including app-live-view-conventions, spring-boot-webhook, and developer-conventions/webhook, see Troubleshoot Cartographer Conventions.

v1.8.0 Known issues: Crossplane

  • After you uninstall the Crossplane package and reinstall it on the same cluster, service claims you create never transition to READY=True. If you inspect the underlying Crossplane managed resource, you see a TLS certificate verification error. For more information, see Troubleshoot Crossplane.

  • The Crossplane validatingwebhookconfiguration is not removed when you uninstall the Crossplane package. To work around this, delete the validatingwebhookconfiguration manually by running kubectl delete validatingwebhookconfiguration crossplane.

v1.8.0 Known issues: Services Toolkit

  • An error occurs if additionalProperties is true in a CompositeResourceDefinition. For more information and a workaround, see Troubleshoot Services Toolkit.

v1.8.0 Known issues: Supply Chain

  • The Workload page in the Supply Chain UI takes a long time to load when there are more than 100 workloads to display.

  • The Workload Details page, accessed by clicking on a workload name, does not load in the Supply Chain UI when there are more than 100 workloads to display.

v1.8.0 Known issues: Supply Chain Choreographer

  • The template for the external-deliverable-template does not respect the gitops_credentials_secret parameter. The value is not present on the deliverable if it is provided in the workload parameter gitops_credentials_secret or the supply chain tap-value ootb_supply_chain*.gitops.credentials_secret. As a workaround, operators must provide the value as a tap-value for the delivery: ootb_delivery_basic.source.credentials_secret. The supply chain’s GitOps credentials must authenticate to the same repository as the delivery’s source credentials. If a deliverable must use a secret different from that specified by the delivery tap-value, the deliverable must be manually altered when being copied to the Run cluster. Add the secret name as a source_credentials_secret parameter on the deliverable.

  • By default, Server Workload Carvel packages generated by the Carvel package supply chains no longer contain OpenAPIv3 descriptions of their parameters. These descriptions were omitted to keep the size of the Carvel Package definition under 4 KB, which is the size limit for the string output of a Tekton Task. For information about these parameters, see Carvel Package Supply Chains.

  • When using the Carvel Package Supply Chains, if the operator updates the parameter carvel_package.name_suffix, existing workloads incorrectly output a Carvel package to the GitOps repository that uses the old value of carvel_package.name_suffix. You can ignore or delete this package.

  • If the size of the resulting OpenAPIv3 specification exceeds a certain size, approximately 3 KB, the Supply Chain does not function. If you use the default Carvel package parameters, this issue does not occur. If you use custom Carvel package parameters, you might encounter this size limit. If you exceed the size limit, you can either deactivate this feature, or use a workaround. The workaround requires enabling a Tekton feature flag. For more information, see the Tekton documentation.

v1.8.0 Known issues: Supply Chain Security Tools - Scan

  • When you opt in to source scanning in the supply chain, the source scan fails because curl is not available in the source scan image for Grype.

  • When using Supply Chain Security Tools (SCST) - Scan 2.0 with a ClusterImageTemplate, the value for the scanning image is overwritten with an incorrect default value from ootb_supply_chain_testing_scanning.image_scanner_cli in the tap-values.yaml file for templates other than Trivy. You can prevent this by setting the value in your tap-values.yaml file to the correct image. For example, for the Grype image packaged with Tanzu Application Platform:

    ootb_supply_chain_testing_scanning:
      image_scanner_template_name: image-vulnerability-scan-grype
      image_scanner_cli:
        image: registry.tanzu.vmware.com/tanzu-application-platform/tap-packages@sha256:feb1cdbd5c918aae7a89bdb2aa39d486bf6ffc81000764b522842e5934578497
    
  • The Snyk scanner outputs an incorrectly created date, resulting in an invalid date. If the workload is in a failed state due to an invalid date, wait approximately 10 hours and the workload automatically goes into the ready state. For more information about this issue, see the Snyk GitHub repository.

  • Recurring scan has a maximum of approximately 5000 container images that can be scanned at a single time due to the size limits of ConfigMaps.

  • If the supply chain container image scanning is configured to use a different scanner or scanner version than the recurring scanning, the vulnerabilities displayed in Tanzu Developer Portal might be inaccurate.

  • SCST - Scan 1.0 fails with the error secrets 'store-ca-cert' not found during deployment by using Tanzu Mission Control with a non-default issuer. For how to work around this issue, see Deployment failure with non-default issuer.

v1.8.0 Known issues: Supply Chain Security Tools - Store

  • SCST - Store automatically detects PostgreSQL database index corruptions. If SCST - Store finds that a PostgreSQL database index has been corrupted, it automatically attempts to repair the index, which might cause reconciliation during package updates. When this happens, the included Postgres database might take some time to complete the repair and accept connections. For more information, see Fix Postgres Database Index Corruption.

  • When outputting CycloneDX v1.5 SBOMs, the report is found to be an invalid SBOM by CycloneDX validators. This issue is planned to be fixed in a future release.

  • If CA Certificate data is included in the shared Tanzu Application Platform values section, do not configure AMR Observer with CA Certificate data.

  • When observer.deploy_through_tmc is true, properties are auto-configured for Tanzu Mission Control (TMC). This causes the MultiClusterPropertyCollector resource to overwrite existing Tanzu Application Platform values for Observer.

    When using Let’s Encrypt ACME issuers, the resultant Kubernetes secret resource does not contain a ca.crt property. Therefore, when the MultiClusterPropertyCollector resource creates the Observer package configuration values secret, the required ca_cert_data is empty.

    To work around this issue, add the Certificate Authority (CA) Certificate to the shared.ca_cert_data key in the Tanzu Application Platform installation values.

v1.8.0 Known issues: Tanzu Build Service

  • During upgrades a large number of builds might be created due to buildpack and stack updates. Some of these builds might fail due to transient network issues, causing the workload to be in an unhealthy state. This resolves itself on subsequent builds after a code change and does not affect the running application.

    If you do not want to wait for subsequent builds to run, you can manually trigger a build. For instructions, see Troubleshooting.

v1.8.0 Known issues: Tanzu Developer Portal

  • Tanzu Developer Portal Configurator jumps from v1.0.x in Tanzu Application Platform v1.7 to v1.8.x in Tanzu Application Platform v1.8. This version jump enables future versions of Tanzu Developer Portal and Tanzu Developer Portal Configurator to sync going forward.

  • If you do not configure any authentication providers, and do not allow guest access, the following message appears when loading Tanzu Developer Portal in a browser:

    No configured authentication providers. Please configure at least one.
    

    To resolve this issue, see Troubleshooting.

  • Ad-blocking browser extensions and standalone ad-blocking software can interfere with telemetry collection within the VMware Customer Experience Improvement Program and restrict access to all or parts of Tanzu Developer Portal. For more information, see Troubleshooting.

  • ScmAuth is a Backstage concept that abstracts Source Code Management (SCM) authentication into a package. An oversight in a recent code-base migration led to the accidental exclusion of custom ScmAuth functions. This exclusion affected some client operations, such as using Application Accelerators to create Git repositories on behalf of users.

  • The back-end Kubernetes plug-in reports failure in multicluster environments. In a multicluster environment when one request to a Kubernetes cluster fails, backstage-kubernetes-backend reports a failure to the front end. This is a known issue with upstream Backstage and it applies to all released versions of Tanzu Developer Portal. For more information, see this Backstage code in GitHub. This behavior arises from the API at the Backstage level. There are currently no known workarounds. There are plans for upstream commits to Backstage to resolve this issue.

v1.8.0 Known issues: Tanzu Developer Tools for IntelliJ

  • The error com.vdurmont.semver4j.SemverException: Invalid version (no major version) is shown in the error logs when attempting to perform a workload action before installing the Tanzu CLI apps plug-in.

  • If you restart your computer while running Live Update without terminating the Tilt process beforehand, there is a lock that incorrectly shows that Live Update is still running and prevents it from starting again. For the fix, see Troubleshooting.

  • Workload actions and Live Update do not work when in a project with spaces in its name, such as my app, or in its path, such as C:\Users\My User\my-app. For more information, see Troubleshooting.

  • An EDT Thread Exception error is logged or reported as a notification with a message similar to "com.intellij.diagnostic.PluginException: 2007 ms to call on EDT TanzuApplyAction#update@ProjectViewPopup". For more information, see Troubleshooting.

v1.8.0 Known issues: Tanzu Developer Tools for Visual Studio

  • Clicking the red square Stop button in the Visual Studio top toolbar can cause a workload to fail. For more information, see Troubleshooting.

v1.8.0 Component versions

The following table lists the Tanzu Application Platform package versions included with this release. For open source component versions in this Tanzu Application Platform release, see Open source component versions.

Component Name Version
API Auto Registration 0.4.2
API portal 1.5.0
Application Accelerator 1.8.1
Application Configuration Service 2.3.0
Application Live View APIServer 1.8.0
Application Live View back end 1.8.0
Application Live View connector 1.8.0
Application Live View conventions 1.8.0
Application Single Sign-On 5.1.1
Artifact Metadata Repository Observer 0.4.1
AWS Services 0.2.0
Bitnami Services 0.4.0
Carbon Black Scanner for SCST - Scan (beta) 1.3.2
Cartographer Conventions 0.8.10
cert-manager 2.7.0
Cloud Native Runtimes 2.5.1
Contour 2.2.0
Crossplane 0.4.1
Default Roles 1.1.0
Developer Conventions 0.16.1
External Secrets Operator 0.9.4+tanzu.2
Flux CD Source Controller 0.36.1+tanzu.2
Grype Scanner for SCST - Scan 1.8.2
Local Source Proxy 0.2.1
Managed Resource Controller (beta) 0.1.2
Namespace Provisioner 0.6.2
Out of the Box Delivery - Basic 0.15.6
Out of the Box Supply Chain - Basic 0.15.6
Out of the Box Supply Chain - Testing 0.15.6
Out of the Box Supply Chain - Testing and Scanning 0.15.6
Out of the Box Templates 0.15.6
Service Bindings 0.11.0
Service Registry 1.3.1
Services Toolkit 0.13.0
Snyk Scanner for SCST - Scan (beta) 1.2.2
Source Controller 0.8.3
Spring Boot conventions 1.8.0
Spring Cloud Gateway 2.1.7
Supply Chain Choreographer 0.8.10
Supply Chain Security Tools - Policy Controller 1.6.3
Supply Chain Security Tools - Scan 1.8.2
Supply Chain Security Tools - Scan 2.0 0.3.2
Supply Chain Security Tools - Store 1.8.1
Tanzu Application Platform Telemetry 0.7.0
Tanzu Build Service 1.13.0
Tanzu CLI 1.2.0
Tanzu Developer Portal 1.8.1
Tanzu Developer Portal Configurator 1.8.1
Tanzu Supply Chain (beta) 0.1.16
Tekton Pipelines 0.50.3+tanzu.4

Deprecations

The following features, listed by component, are deprecated. Deprecated features remain on this list until they are retired from Tanzu Application Platform.

Cloud Native Runtimes deprecations

  • default_tls_secret config option: This config option is now in contour.default_tls_secret and is marked for removal in a future Tanzu Application Platform version. In the meantime, both options are supported, and contour.default_tls_secret takes precedence over default_tls_secret.

  • ingress.[internal/external].namespace config options: These config options are now in contour.[internal/external].namespace and are marked for removal in a future Tanzu Application Platform version. In the meantime, both options are supported, and contour.[internal/external].namespace takes precedence over ingress.[internal/external].namespace.

Flux CD Source Controller deprecations

  • Deprecations for the GitRepository API:

    • spec.gitImplementation is deprecated. GitImplementation defines the Git client library implementation. go-git is the default and only supported implementation. libgit2 is no longer supported.
    • spec.accessFrom is deprecated. AccessFrom, which defines an Access Control List for enabling cross-namespace references to this object, was never implemented.
    • status.contentConfigChecksum is deprecated in favor of the explicit fields defined in the observed artifact content config within the status.
    • status.artifact.checksum is deprecated in favor of status.artifact.digest.
    • status.url is deprecated in favor of status.artifact.url.
  • Deprecations for the OCIRepository API:

    • status.contentConfigChecksum is deprecated in favor of the explicit fields defined in the observed artifact content config within the status.

Services Toolkit deprecations

  • The tanzu services claims CLI plug-in command is deprecated and is marked for removal in Tanzu Application Platform v1.9. It is hidden from help text output, but it will continue to work until it is removed. The new tanzu services resource-claims command provides the same function.

  • The experimental multicluster APIs *.multicluster.x-tanzu.vmware.com/v1alpha1 are deprecated and marked for removal in Tanzu Application Platform v1.9.

  • The experimental kubectl-scp plug-in is deprecated and marked for removal in Tanzu Application Platform v1.9.

  • The following experimental APIs are deprecated and are marked for removal in Tanzu Application Platform v1.9:

    • apiexportrolebindings.projection.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • apiresourceimports.projection.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • clusterapigroupimports.projection.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • downstreamclusterlinks.projection.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • upstreamclusterlinks.projection.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • clusterresourceexportmonitors.replication.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • clusterresourceimportmonitors.replication.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • resourceexportmonitorbindings.replication.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • resourceimportmonitorbindings.replication.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • secretexports.replication.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1
    • secretimports.replication.apiresources.multicluster.x-tanzu.vmware.com/v1alpha1

Source Controller deprecations

  • The Source Controller ImageRepository API is deprecated and is marked for removal. Use the OCIRepository API instead. The Flux Source Controller installation includes the OCIRepository API. For more information about the OCIRepository API, see the Flux documentation.

Supply Chain Choreographer deprecations

  • Supply Chain Choreographer no longer uses the git_implementation field. The go-git implementation now assumes that libgit2 is not supported.
    • Flux CD no longer supports the spec.gitImplementation field as of v0.33.0. For more information, see the fluxcd/source-controller Changelog.
    • Existing references to the git_implementation field are ignored and references to libgit2 do not cause failures. This is assured up to Tanzu Application Platform v1.9.
    • Azure DevOps works without specifying git_implementation in Tanzu Application Platform v1.8.

Tekton Pipelines deprecations

  • Tekton ClusterTask is deprecated and marked for removal. Use the Task API instead. For more information, see the Tekton documentation.

Linux Kernel CVEs

Kernel level vulnerabilities are regularly identified and patched by Canonical. Tanzu Application Platform releases with available images, which might contain known vulnerabilities. When Canonical makes patched images available, Tanzu Application Platform incorporates these fixed images into future releases.

The kernel runs on your container host VM, not the Tanzu Application Platform container image. Even with a patched Tanzu Application Platform image, the vulnerability is not mitigated until you deploy your containers on a host with a patched OS. An unpatched host OS might be exploitable if the base image is deployed.
