vRealize Automation 8.8 | 28 APR 2022

Check for additions and updates to these release notes.

Release Versions

vRealize Automation 8.8 | April 2022
  • vRA Easy Installer (ISO) build 19716706
  • vRA Product (appliance) build 19691889
  • SaltStack Config build 19669743

Updates made to this document

Date Description of update Type
04/28/2022 Initial publishing.

IMPORTANT:

Behaviour Change: Deployment failures occur when static IP assignments are used with “Network Configure” extensibility event

In Cloud Templates, when "assignment: static" is used for a VM network interface, a network with IP ranges configured will be selected during allocation. If there are no networks with IP ranges configured in network profile(s) then allocation fails.

The "assignment: static" setting should only be used for a VM network interface when using a vRA internal IPAM or an external IPAM with static IP ranges. If the static IP is allocated via the "Network Configure" extensibility event custom solution, then "assignment: static" should not be used for a VM network interface in the Cloud Template. Using it in that case results in an allocation failure.

Workaround - If the static IP is allocated via the "Network Configure" extensibility event custom solution and allocation is failing with Error: 'Unable to find common placement for compute <vm-name> and its associated network', then remove the "assignment: static" from the VM network interface in the Cloud Template and retry.

About vRealize Automation 8.8

vRealize Automation 8.8 complements vRealize Automation 8.7 capabilities with a variety of new features, including the ability to change project for provisioned deployments, an evolution of the ABX On Prem engine, SaltStack Config availability as a resource within Cloud Templates, custom validation for catalog items by custom forms via API, custom remediations for SaltStack SecOps and more.

Before you begin

Familiarize yourself with the supporting documents.

After installing vRealize Automation and setting up your users, you can use the Getting Started and Using and Managing guides for each of the included services. The Getting Started guides include an end-to-end proof of concept. The Using and Managing guides provide more in-depth information that supports your exploration of the available features. Additional information is also available in vRealize Automation 8.8 product documentation.

For information on vRealize Orchestrator 8.8 features and limitations, refer to the vRealize Orchestrator 8.8 Release Notes.

What's New

The many benefits of vRealize Automation 8.8 include:

  • vRA Migration Assistant supports vRA 7.6 only

    Changed and Deprecated Functionality:

    With this release, vRealize Automation supports migrations through the Migration Assistant from vRealize Automation 7.6 only. You can still perform a migration assessment for older versions.

    To migrate a source at vRA 7.5 or below, first upgrade the source to 7.6. Once the source upgrade to 7.6 is complete, edit the migration source in the migration tool so that the tool can take into account the change in the version of the source. There is no need to run the assessment again, as the update will be picked up automatically.

  • Azure properties under protectedSettings are now encrypted

    The Azure provisioning extension property under protectedSettings is now encrypted.

  • Allow global configuration of memory allocation limits

    A global configuration property has been added that sets the maximum memory allocation amount on an individual host or cluster for the entire org.

  • Support change owner Day2 action for single user that is part of an AD group

    Support changing the deployment owner to users that are part of AD groups which are project administrators or project members.

    Note: If a user is a project viewer or supervisor, they are not eligible to be the owner of a deployment.

  • Enhance day-2 operations for TKGs clusters - Update K8s version, Update Tanzu Cluster VM classes, Scale worker nodes

    vRealize Automation now supports day-2 operations for TKGs clusters to add further automation. When you have provisioned a Tanzu Kubernetes Cluster as a deployment, you can execute one of these operations:

    • Update Kubernetes version - Choose one of the available versions from the dropdown
    • Update Tanzu Cluster workers count - Update the workers count by typing a number in the dialog box
    • Update Tanzu Cluster VM classes - Update the VM classes of control plane nodes and worker nodes by choosing from the available classes in the dropdowns


  • Approval policy now includes multi-level approvals

    Approval policies now include multi-level approvals. Approvals can be set to specific levels, with all matching policies firing sequentially based upon the criteria selected. This includes a revamped approval progress screen to show the levels currently pending or approved, and the approver pending a decision to better inform the end-user of their approval flow status. Learn more.

  • Provisioning now supports an approval policy with limit > 2 days

    The Project's request timeout value has been disassociated from the allocation timeout for provisioning service objects, and vRealize Automation now sets that to a value greater than the maximum approval policy period. Customers should no longer see errors at provisioning time for objects that were pending approval for more than 2 days.

  • Request ID is now displayed in deployment request history

    Request ID is now displayed for each action on the deployment History tab. You can leverage this information for debugging and billing purposes.

  • Disk resizing and VM tagging - Scale and minor feature fixes in vRA/VCD integration

    Disk resizing and VM updates now include:

    • Disk resizing capability
    • Updating the sizing policy of a deployed VM in VCD
    • VM tagging
    • Tagging and updating of VMs in vRA

  • Custom forms supports workflows with legacy presentations from vRO java client

    Custom forms in vRA now support workflows with legacy presentations from the vRO java client.

  • Ability to provision NSX-T On-Demand VLAN Segments - VCT support

    You can now provision NSX-T VLAN segments by specifying one or more VLAN IDs on the private NSX network type. This can be used in cases where your overall design prohibits you from provisioning overlay networks on NSX-T. As part of this feature, we also collect and display information about VLAN transport zones, which should be selected in the network profile so that VLAN networks can be created. Learn more.

  • Custom Naming has been revamped to include expanded functionality.

    Custom Naming has been revamped to include expanded functionality:

    • Scoping has been expanded to be either single project, multiple projects, or full org
    • Templates can now be assigned at a per-resource level which include: compute, network, storage, load balancer, resource group, gateway, NAT and security group
    • Counters are now configurable for starting and increment value, and will increment sequentially
    • Validation for compute name uniqueness is now available and will check against all objects vRA manages or discovers
    • Matching patterns allow for specific strings within a per-resource naming template to increment independent of one another

API Documentation and Versioning

API documentation is available with the product. To access all Swagger documents from a single landing page, go to https://<appliance.domain.com>/automation-ui/api-docs where appliance.domain.com is your vRealize Automation appliance.

Before using the API, consider the latest API updates and changes for this release, and note any changes to the API services that you use. If you have not locked your API using the apiVersion variable before, you might encounter a change in an API response. All API updates and changes for this release are provided in the table below.

For unlocked APIs, the default behavior varies depending upon the API.

  • For Cloud Assembly IaaS APIs, all requests which are executed without the apiVersion parameter will be redirected to the first version which is 2019-01-15. This redirect will allow every user who did not previously specify the apiVersion parameter to transition smoothly to the latest version without experiencing breaking changes.

    NOTE: For the Cloud Assembly IaaS APIs, the latest version is apiVersion=2021-07-15. If left unlocked, IaaS API requests will be redirected to the first version which is 2019-01-15. The first version is deprecated and will be supported for 12 months. To ensure a smooth transition to the new version, lock your IaaS API requests with the apiVersion parameter assigned to 2021-07-15.

  • For other APIs, your API requests will default to the latest version. If you select one of the earlier version dates listed for the Swagger spec, the API behavior will reflect APIs that were in effect as of that date and any date until the next most recent version date. APIs are not versioned for every vRealize Automation release and not all APIs support the apiVersion parameter.

For more information about API versioning, see the vRealize Automation 8.8 API Programming Guide.
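
An added example, not part of the original release notes or VMware's code: a small audit that classifies request URLs taken from automation scripts by how they pin apiVersion, and rewrites IaaS URLs so they are locked to 2021-07-15. The host vra.example.test, the cloud account id abc123 and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Values stated in the release notes above.
IAAS_PREFIX = "/iaas/api/"
IAAS_FIRST = "2019-01-15"   # deprecated; unlocked IaaS requests are redirected here
IAAS_LATEST = "2021-07-15"  # version the notes say to lock IaaS requests to
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def classify(url):
    """Return how a request URL is pinned with respect to apiVersion."""
    parts = urlsplit(url)
    values = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k == "apiVersion"]
    is_iaas = parts.path.startswith(IAAS_PREFIX)
    if len(values) > 1:
        return "ambiguous"        # repeated parameter: do not guess which one wins
    if not values:
        # Unlocked IaaS calls fall back to the first version; other APIs
        # follow the latest version and can change between releases.
        return "iaas-unlocked" if is_iaas else "defaults-to-latest"
    if not DATE_RE.fullmatch(values[0]):
        return "malformed"
    if is_iaas and values[0] == IAAS_FIRST:
        return "iaas-deprecated"  # explicitly locked to the deprecated version
    return "locked"


def lock_iaas(url):
    """Rewrite an IaaS URL so it carries exactly one apiVersion=IAAS_LATEST."""
    parts = urlsplit(url)
    if not parts.path.startswith(IAAS_PREFIX):
        raise ValueError("not a Cloud Assembly IaaS API URL")
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "apiVersion"]
    query.append(("apiVersion", IAAS_LATEST))
    return urlunsplit(parts._replace(query=urlencode(query)))


def audit(urls):
    """Return (status, url) for every URL that is not cleanly locked."""
    findings = []
    for url in urls:
        status = classify(url)
        if status != "locked":
            findings.append((status, url))
    return findings


# Constructed sample input; the endpoint paths are the ones listed in these notes.
BASE = "https://vra.example.test"
SAMPLE_URLS = [
    BASE + "/iaas/api/cloud-accounts/abc123/health-check",
    BASE + "/iaas/api/cloud-accounts/abc123/health-check?apiVersion=2019-01-15",
    BASE + "/iaas/api/cloud-accounts/abc123/health-check?apiVersion=2021-07-15",
    BASE + "/approval/api/approvals",
]

if __name__ == "__main__":
    for status, url in audit(SAMPLE_URLS):
        print(f"{status:20} {url}")
        if status.startswith("iaas-"):
            print(f"{'':20} -> {lock_iaas(url)}")
```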

Service Name Service Description API Updates and Changes
ABX Holds all functionality specific to ABX, including creation and management of actions and their versions and executing actions and flows. No change
Approval Enforce policies which control who must agree to a deployment or day 2 action before the request is provisioned API response modified to include level information for approval requests:
  • GET /approval/api/approvals
  • GET /approval/api/approvals/{id}

New API request parameter "currentLevelApproval" used to accept or reject approval request:

POST /approval/api/approvals/action

Blueprint Create, validate, and provision VMware Cloud Templates (formerly called Blueprints) No change
CMX When using Kubernetes with vRealize Automation, deploy and manage Kubernetes clusters and namespaces. New API endpoints:
  • To search cluster plan aggregations:

    GET /cmx/api/resources/cluster-plans/aggregation

  • To attach a Kubernetes cluster to a cluster group.

    PUT /cmx/api/resources/k8s/clusters/{id}/attach

Incompatible change in TMC Endpoint Controller APIs with responses in a "content" section:

  • GET /cmx/api/resources/tmc/endpoints/{id}/clustergroups
  • GET /cmx/api/resources/tmc/endpoints/{id}/workspaces
  • GET /cmx/api/resources/tmc/endpoints/clustergroups
  • GET /cmx/api/resources/tmc/endpoints/workspaces

The content section includes all pagination query parameters for the Cluster Group Resource Service and Workspace Resource Service in the TMC APIs.

Content Gateway (content service) Connect to your infrastructure as code content in external content sources such as SCM Providers. No change
Custom Forms (form-service) Define dynamic form rendering and customization behavior in Service Broker and Cloud Assembly VMware services. No change
Deployment Access deployment objects and platforms or blueprints that have been deployed into the system. No change
IaaS Perform infrastructure setup tasks, including validation and provisioning of resources in iterative manner. New API endpoint to manually:
  • Start an asynchronous health check of a cloud account.
  • Retrigger a health check for cloud accounts unavailable for deployment.

POST /iaas/api/cloud-accounts/{id}/health-check

Migration This service is used to quickly setup a vRA 8 instance based on information in a configuration file a.k.a Zero-Setup No change
Project Holds all functionality specific to creation, management and deletion of projects New endpoint to assign sync principals to any project within the user organization.

POST /project-service/api/projects/{id}/sync-principals

Relocation Define policy and plans for bringing existing VMs from any cloud under management. No change
Catalog Access Service Broker catalog items and catalog sources, including content sharing and the request of catalog items. API response modified to include "externalId" for the ID of the content item coming from the content provider:
  • GET /catalog/api/admin/items/{id}
  • GET /catalog/api/items/{id}/versions

If there is only one version of the content item, that version propagates to the catalog item object and the externalId does not appear in the response.

Catalog Service (Policies) Interact with policies created in Service Broker. No change
Code stream all pipeline-service These API provide access to Code Stream services. No change
Identity Service A list of identity, account and service management APIs. No change
Relocation Service New restrictions added to PATCH action on onboardingBlueprintState No change

Resolved Issues

The following issues were resolved in this release.

  • Administrator role missing permissions.

    When SaltStack Config is integrated with vIDM and has a role of Administrator, you cannot view minions, minion keys or accept minion keys.

  • Extensibility actions running on AWS Lambda might fail with an error.

    Due to a minor change in the AWS Lambda service, extensibility actions running on AWS Lambda might fail with the following error:

    'Error com.amazonaws.services.lambda.model.ResourceConflictException: The operation cannot be performed at this time. The function is currently in the following state: Pending'.

  • Provisioning a VM from a snapshot does not place the VM in the correct datastore as configured in the storage profile.

    When provisioning a VM by using a snapshot, the VM is not placed in the correct datastore where that snapshot resides regardless of the datastores configured in the storage profiles.

  • Reconfiguring security rules fails after upgrade.

    After upgrading, users cannot reconfigure security groups with new rules that use a protocol and port on NSX-T versions earlier than 3.x.

  • Bracket position error issue occurred on Requests - Confirm Delete Requests page.

    Bracket placement in the pop-up confirmation screen is not as expected when multiple deployment resources are present.

  • Azure, AWS networks are marked missing and re-collected as new networks.

    vRealize Automation Network Profiles created for AWS and Azure cloud accounts that contain discovered Networks and Security Groups can start to have missing items (i.e. Networks and/or Security Groups). Missing items start to appear a couple of days after their creation and on some environments. The cause appears to be the enumeration process, which cannot find a correspondence between the cloud account and the provisioning entities and therefore deletes the provisioning entities.

  • vSphere adapter - Network Reconfiguring of a Windows machine without customization spec is failing

    When updating a deployed vSphere machine with Windows OS to connect to a different network and there is no customization spec specified in the cloud account, a failure occurs. The failure error message is: "Error from vCenter: A specified parameter was not correct: spec.identity". The reason for the error is that vRA does not detect this is a Windows machine and creates customization suitable for a Linux machine.

  • Fix CSV values not evaluated to string value for certain cases

    There are value inconsistencies for 'Complex' values with columns/fields of type String/Password when the corresponding value in the CSV is either:

    • number - the value is written in the form schema as a number even though it is supposed to be a string (i.e. value: 12 instead of value: '12')
    • false - the value is written as value: false instead of value: 'false'

  • External value 'complex' parameter CSV gets deleted when other values are changed

    Due to an error in the parsing logic, the Form Designer was deleting the set value for a 'Complex' parameter whenever any of the other parameters' values were changed.

  • Added authorization in the get all service definitions endpoint breaks some pipeline jobs

    To access the Identity service API endpoint for retrieving all service definitions in an organization (GET /csp/gateway/slc/api/definitions), authentication credentials must be provided with the request.

  • RELEASE_IPADDRESS_PERIOD_MINUTES toggle is not org-aware

    The task that runs globally to move IP addresses from RELEASED to AVAILABLE is not org aware. In multi-org/multi-tenant environments where one or more tenants have configured the timeout, it will only pick one value and apply it to all orgs.

  • Day2 Add Disk action on Azure VM which is of un-managed disk type.

    vRA does not support creation of independent un-managed Azure disks. Hence, the Day2 Add disk action must be disabled on Azure VM which is of un-managed disk type.

  • Salt configuration CREATE with job id [] failed. Error:: : Minion deployment and/or state file run failed on Windows VM;s [Salt Error: Failed to start Salt]

    Minion deployment is failing on Windows VMs with the below error from the Salt side.

    Salt Side Error:

    "return": "Exception occurred in runner deploy.minion: Traceback (most recent call last):\n File \"/usr/lib/python3.7/site-packages/salt/client/mixins.py\", line 390, in low\n data[\"return\"] = func(*args, **kwargs)\n File \"/usr/lib/python3.7/site-packages/salt/loader.py\", line 1241, in _call_\n return self.loader.run(run_func, *args, **kwargs)\n File \"/usr/lib/python3.7/site-packages/salt/loader.py\", line 2274, in run\n return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)\n File \"/usr/lib/python3.7/site-packages/salt/loader.py\", line 2289, in _run_as\n return _func_or_method(*args, **kwargs)\n File \"/usr/lib/python3.7/site-packages//sseape/runners/deploy.py\", line 589, in minion\n raise salt.exceptions.SaltException('Error in installing salt minion - {}'.format(str(ret)))\nsalt.exceptions.SaltException: Error in installing salt minion - {'salt-vm-windows-test-mcm612-187496514722': {'Error':
    
    {'Not Deployed': 'Failed to start Salt on host salt-vm-windows-test-mcm612-187496514722'}
    
    }}\n",
    "master_uuid": "a50dfade-26bf-42a5-be08-0b2d785af2c8",
    "minion_id": "saltstack_enterprise_installer",
  • SSC: Leading a target-group search with a space breaks the search feature

    Leading a search for target-groups with a space causes the search feature to break. You will experience an infinite spinning wheel and an inability to view your target groups.

  • SSC: Master authentication failures.

    When a RaaS instance is running, every 24 hours, the key rotation engine attempts to refresh a jwt token. Under certain circumstances, the engine keeps an expired jwt token, instead of refreshing it, causing 401 traceback errors in the salt-master service, as it can't authenticate to the RaaS service. This will cause certain key functionalities of SSC to fail.

  • Cannot create Cluster Plan when vSphere endpoint is using proxy

    The CMX agent is missing in the extensibility proxy, and this results in a problem retrieving Kubernetes versions. If the extensibility proxy is enabled for the vSphere endpoint, this can make all supervisor functionality unable to work.

  • Invoke a REST operation - Some tabs disappear when opening the workflow presentation

    Some tabs disappear when opening the workflow presentation. This happens when there is external source binding for the "visibility" property of a form element. When the form renders, all fields are visible by default, but based on the external source's response some form elements can become invisible.

  • Input field is unable to read the data of a readOnly field whose default value comes from an external source

    When creating readOnly fields with dynamic value in the blueprints, they are translated to readOnly fields in the custom form. When the default custom form is used for a request the request passes, but when a customized form is used the request fails with '<readonly field id> is required'.

  • Spring is updated to 5.3.latest due to CVE-2022-22965

    A recently and privately reported issue in spring-framework was made public on March 30. An application using spring-framework might be vulnerable to remote code execution (RCE) via data binding (CVE-2022-22965).

    The specific exploit requires the application to be packaged as a WAR and deployed to Apache Tomcat.

    Affected supported versions:

    • Spring Framework 5.3.0 to 5.3.17
    • Spring Framework 5.2.0 to 5.2.19

    Unsupported versions are also affected.

    Resolution: We have updated the automation-platform and all vRA services that had the dependencies.

  • Resource Actions and Custom Resources (that have additional actions added) must include the "tenant" (orgId) property to their "formDefinition".

    This affects users that explicitly set their formDefinition without providing the "tenant" property with it for the aforementioned features (e.g. API users).

  • Behaviour Change: Deployment failures occur when static IP assignments are used with “Network Configure” extensibility event

    In Cloud Templates, when "assignment: static" is used for a VM network interface, a network with IP ranges configured will be selected during allocation. If there are no networks with IP ranges configured in network profile(s) then allocation fails.

    The "assignment: static" setting should only be used for a VM network interface when using a vRA internal IPAM or an external IPAM with static IP ranges. If the static IP is allocated via the "Network Configure" extensibility event custom solution, then "assignment: static" should not be used for a VM network interface in the Cloud Template. Using it in that case results in an allocation failure.

    Workaround - If the static IP is allocated via the "Network Configure" extensibility event custom solution and allocation is failing with Error: 'Unable to find common placement for compute <vm-name> and its associated network', then remove the "assignment: static" from the VM network interface in the Cloud Template and retry.

  • Exceptions for READ operation are not properly processed.

    If a back-end error happens for deployment iterative updates, only a generic error message is shown. From the server logs, a detailed error message is shown. However, because of the exception not being handled properly, only a generic error message is displayed in the UI.

  • Request tracker is not working for resource views.

    On the All resources page, after selecting a machine and performing any day 2 action, the request tracker does not appear unless a manual refresh is initiated.
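
For the CVE-2022-22965 item in the list above, an added example (not VMware's or Spring's code) that lists the Spring Framework jars inside a WAR and compares their versions with the ranges given in the note. The module names, the treatment of anything below 5.2.0 as an unsupported line, and the sample WAR are assumptions made here.

```python
import io
import re
import zipfile

# Ranges exactly as listed in the release note for CVE-2022-22965.
AFFECTED_RANGES = (((5, 3, 0), (5, 3, 17)), ((5, 2, 0), (5, 2, 19)))
# Assumption: release lines older than the oldest listed range are the
# "unsupported versions" that the note says are also affected.
OLDEST_LISTED = (5, 2, 0)
# Assumption: modules that are versioned together with Spring Framework.
# Other spring-* artifacts (for example spring-boot) use their own version
# lines and must not be compared against the ranges above.
FRAMEWORK_MODULES = frozenset({
    "spring-core", "spring-beans", "spring-context",
    "spring-web", "spring-webmvc", "spring-webflux",
})
JAR_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]*?)-(?P<ver>\d+\.\d+\.\d+)"
    r"(?:[.-][A-Za-z0-9.-]+)?\.jar$"
)


def classify_jar(path):
    """Return a status for a Spring Framework jar, or None for anything else."""
    match = JAR_RE.match(path.rsplit("/", 1)[-1])
    if not match or match.group("name") not in FRAMEWORK_MODULES:
        return None
    version = tuple(int(part) for part in match.group("ver").split("."))
    if any(low <= version <= high for low, high in AFFECTED_RANGES):
        return "affected"
    if version < OLDEST_LISTED:
        return "unsupported-line"
    return "outside-listed-ranges"


def scan_war(war):
    """Map each Spring Framework jar under WEB-INF/lib to its status.

    `war` is a path or a binary file object, as accepted by zipfile.ZipFile.
    """
    findings = {}
    with zipfile.ZipFile(war) as archive:
        for entry in archive.namelist():
            if not entry.startswith("WEB-INF/lib/"):
                continue
            status = classify_jar(entry)
            if status is not None:
                findings[entry] = status
    return findings


def build_sample_war():
    """Constructed sample: an in-memory WAR holding empty, correctly named jars."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in (
            "WEB-INF/lib/spring-beans-5.3.17.jar",
            "WEB-INF/lib/spring-webmvc-5.3.18.jar",
            "WEB-INF/lib/spring-core-4.3.30.RELEASE.jar",
            "WEB-INF/lib/spring-boot-2.6.5.jar",
            "WEB-INF/web.xml",
        ):
            archive.writestr(name, b"")
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    for jar, status in sorted(scan_war(build_sample_war()).items()):
        print(f"{status:22} {jar}")
```

The check reads jar file names only, so a shaded or renamed jar is not detected.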

Known Issues

The following known issues are present in this release.

  • Failed to start upgrade to 8.5.1 and 8.6.0.

    Starting an iterative upgrade through vRSLCM to vRealize Automation 8.5.1 or later on a vRealize Automation 8.5.0 system fails at the vRealize Automation Upgrade/Patch/Internal Network step of Stage 1 about a minute or so after launching the upgrade. The previous upgrade, while completed successfully, is unable to delete its runtime data and leaves the upgrade in an "in progress" state. Hence, a new upgrade cannot be launched. This is likely to affect some systems with long host names (FQDNs) that have been upgraded from vRealize Automation 8.4.x to 8.5.0.

    Workaround: In this release, LCM will perform the precheck and notify you of the issue. For information on workaround steps, see KB 85965.

  • Upgrading from vRealize Automation 8.5 and 8.5.1 might fail with an error "Upgrade terminated due to critical error".

    Upgrading from vRealize Automation 8.5 or 8.5.1 might fail with the error "Upgrade terminated due to critical error". Disk space checks show /root at or near 100% utilization.

    Workaround: For information on workaround steps, see KB 85864.

  • IPv4 and IPv6 addresses are not allocated in the internal IPAM upon VM re-onboarding.

    For a VM that was onboarded and its IP allocated successfully, unregistering the VM and onboarding the VM immediately will still keep its IPs Released instead of being Allocated again. 

    Workaround: Wait for 30 minutes before onboarding the VM again to have the IP allocated.

  • Custom validation for catalog item by custom forms is now supported via API

    If a customer used vRA 8.6 and had catalog item form external validations via UI, after upgrading to vRA 8.7, when requesting a catalog item via API, the external validation won't be executed.

    Workaround: On the service broker UI, go to the custom form that the catalog item has, and re-save the form by clicking the "save" button on the UI. You can also find the catalog item id and the form id, and use PATCH /catalog/api/admin/items/{catalog-item-id} to populate the catalog item with the formId.

  • SSC: Master authentication failures.

    When a RaaS instance is running, every 24 hours, the key rotation engine attempts to refresh a jwt token. Under certain circumstances, the engine keeps an expired jwt token, instead of refreshing it, causing 401 traceback errors in the salt-master service, as it can't authenticate to the RaaS service. This will cause certain key functionalities of SSC to fail.

    Workaround: On the VM running the salt-master service, do the following:

    1. Remove the sseapi_key.pub:

      rm /etc/salt/pki/master/sseapi_key.pub

    2. Remove the jwt auth token:

      rm /var/cache/salt/master/auth_token.jwt

    3. Restart the salt-master service:

      systemctl restart salt-master

  • Visibility binding doesn't work in Custom Form Renderer

    The visibility binding option was released in Form Designer from version 8.6.2, but the implementation is missing in Form Renderer, so the binding does not work.

  • HCMP: Cluster capacity API fails with 500 ISE "Failed to retrieve compute metrics. Please try after sometime".

    Cluster compute metrics are not visible in cloud zone page in vRA.

    Workaround: Add the Cluster compute into the corresponding Cloud Zone to get the cluster compute metrics.

  • Pipeline running during upgrade gets stuck in execution post upgrade

    If you upgrade to 8.8 while there are executions running, those executions get stuck after upgrade and will not reach terminal state.

    Workaround:

    1. Upgrade to 8.8 when there are no running (in-progress) executions.
    2. If the upgrade is performed while executions are running, rerun the stuck executions after the upgrade.

  • Onboarding machines with VLAN IDs in custom properties fails

    Onboarded NSX-T VLAN segments have data-collected VLAN IDs in their custom properties. Onboarding copies all enumerated custom properties for VMs connected to existing VLAN segments. Because specifying the vlanIds custom property is not supported for existing networks, this causes a validation failure.

  • Incorrectly dropped or placed elements in Cloud Templates break the UI page.

    In Firefox, using drag and drop can sometimes redirect the page. When dragging a resource node, dropping it outside of the canvas could also cause page redirection in Firefox.

    Workaround: Drop the resource in the canvas and delete it instead.

  • Custom resource subscriptions not available for custom resources based on extensibility actions.

    While vRealize Automation 8.5.1 introduced extensibility action based custom resources, there are some limitations to the feature. For example, cloud admins are still unable to include extensibility action based resources in event based subscriptions.

  • Timeout exception appears during deployment update of an extensibility action based custom resource.

    When you update an extensibility action based custom resource deployment, you might see a "504 Gateway Time-out issue" error. The error appears in the event of an extensibility action read failure.
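
For the "SSC: Master authentication failures" issue in the list above, an added example (not from the release notes or from SaltStack Config) that checks whether the cached token has expired before the workaround is applied. It assumes auth_token.jwt holds a compact JWT whose payload carries a numeric exp claim; the sample tokens are constructed, and the signature is not verified because only the expiry is being read.

```python
import base64
import json
import time

TOKEN_PATH = "/var/cache/salt/master/auth_token.jwt"  # path from the workaround


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_expiry(token):
    """Return the exp claim (seconds since the epoch) of a compact JWT."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("no numeric exp claim")
    return exp


def token_state(token, now=None):
    """Classify a token as 'expired', 'valid' or 'unreadable'."""
    now = time.time() if now is None else now
    try:
        exp = jwt_expiry(token)
    except ValueError:  # also covers bad base64, bad UTF-8 and bad JSON
        return "unreadable"
    return "expired" if exp <= now else "valid"


def check_token_file(path=TOKEN_PATH, now=None):
    """Classify the token stored at path; 'missing' if the file does not exist."""
    try:
        with open(path, "r", encoding="ascii", errors="replace") as handle:
            token = handle.read()
    except FileNotFoundError:
        return "missing"
    return token_state(token, now)


def make_sample_token(exp):
    """Constructed sample token with a placeholder signature, for testing only."""
    def encode(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = encode({"alg": "HS256", "typ": "JWT"})
    payload = encode({"exp": exp})
    return f"{header}.{payload}.constructed-signature"


if __name__ == "__main__":
    # Report the state only; the token itself is a credential and is not printed.
    print(f"{TOKEN_PATH}: {check_token_file()}")
```

An "expired" result on a running salt-master matches the condition described in the issue, and the three workaround steps above apply.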

Changed and Deprecated Functionality

Upcoming Migration assistant update

Starting with the 8.8 release, vRealize Automation will support migrations through the Migration Assistant only from vRealize Automation 7.6. Migration Assessment for older versions will continue to work.
