VMware Tanzu Application Service for VMs v2.12 Release Notes

This topic contains release notes for VMware Tanzu Application Service for VMs (TAS for VMs) v2.12.

TAS for VMs is certified by the Cloud Foundry Foundation for 2021.

For more information about the Cloud Foundry Certified Provider Program, see How Do I Become a Certified Provider? on the Cloud Foundry website.

Because VMware uses the Percona Distribution for MySQL, expect a time lag between Oracle releasing a MySQL patch and VMware releasing TAS for VMs containing that patch.


Releases

2.12.2

Release Date: 11/23/2021

  • [Feature Improvement] Enable HTTP/2 for HAProxy
  • [Bug Fix] Fix log cache nozzle metrics
  • [Bug Fix] Breaking Change: Deployments fail for customers whose Gorouter certificates lack a SubjectAltName (SAN) extension. As a workaround to complete the deployment while new certificates are procured, enable the “Enable temporary workaround for certs without SANs” property in the Networking section of the TAS tile. For more information on updating certificates, see https://community.pivotal.io/s/article/Routing-and-golang-1-15-X-509-CommonName-deprecation?language=en_US
  • [Bug Fix] Cloud Controller - Ensure app lifecycle_type is not nil when determining app lifecycle
  • Bump backup-and-restore-sdk to version 1.18.26
  • Bump bpm to version 1.1.15
  • Bump cf-autoscaling to version 241
  • Bump cf-networking to version 2.40.0
  • Bump cflinuxfs3 to version 0.264.0
  • Bump diego to version 2.53.1
  • Bump dotnet-core-offline-buildpack to version 2.3.36
  • Bump go-offline-buildpack to version 1.9.37
  • Bump haproxy to version 11.6.0
  • Bump loggregator to version 106.6.1
  • Bump nodejs-offline-buildpack to version 1.7.63
  • Bump php-offline-buildpack to version 4.4.48
  • Bump python-offline-buildpack to version 1.7.47
  • Bump r-offline-buildpack to version 1.1.23
  • Bump routing to version 0.226.0
  • Bump ruby-offline-buildpack to version 1.8.48
  • Bump silk to version 2.40.0
  • Bump staticfile-offline-buildpack to version 1.5.26

Component                       Version
ubuntu-xenial stemcell          621.0
backup-and-restore-sdk          1.18.26
binary-offline-buildpack        1.0.40
bosh-dns-aliases                0.0.4
bosh-system-metrics-forwarder   0.0.20
bpm                             1.1.15
capi                            1.117.1
cf-autoscaling                  241
cf-cli                          1.33.0
cf-networking                   2.40.0
cflinuxfs3                      0.264.0
credhub                         2.9.4
diego                           2.53.1
dotnet-core-offline-buildpack   2.3.36
garden-runc                     1.19.30
go-offline-buildpack            1.9.37
haproxy                         11.6.0
java-offline-buildpack          4.42
log-cache                       2.11.4
loggregator-agent               6.3.4
loggregator                     106.6.1
mapfs                           1.2.6
metric-registrar                1.2.2
metrics-discovery               3.0.6
mysql-monitoring                9.15.0
nats                            40
nfs-volume                      7.1.1
nginx-offline-buildpack         1.1.32
nodejs-offline-buildpack        1.7.63
notifications-ui                40
notifications                   62
php-offline-buildpack           4.4.48
push-apps-manager-release       675.0.1
push-usage-service-release      674.0.23
pxc                             0.39.0
python-offline-buildpack        1.7.47
r-offline-buildpack             1.1.23
routing                         0.226.0
ruby-offline-buildpack          1.8.48
silk                            2.40.0
smb-volume                      3.1.0
smoke-tests                     4.3.0
staticfile-offline-buildpack    1.5.26
statsd-injector                 1.11.16
syslog                          11.7.5
system-metrics-scraper          3.2.3
uaa                             74.5.26

2.12.1

Release Date: 10/20/2021

  • [Security Fix] CAPI - Cap label selectors at 50 in queries and improve label selector performance to mitigate DoS vulnerability CVE-2021-22101
  • [Feature Improvement] HTTP/2 toggle disables Diego container proxy ALPN
  • [Feature Improvement] Set default for System metrics scrape interval to 15s
  • [Bug Fix] CAPI - Some metrics for CAPI were not being properly emitted
  • [Bug Fix] Fix certificate rotation by fixing CredHub’s import of concatenated certificates
  • [Bug Fix] Fix “System metrics scrape interval” configuration in manifest
  • Bump backup-and-restore-sdk to version 1.18.22
  • Bump bpm to version 1.1.14
  • Bump capi to version 1.117.1
  • Bump cflinuxfs3 to version 0.262.0
  • Bump credhub to version 2.9.4
  • Bump log-cache to version 2.11.4
  • Bump nginx-offline-buildpack to version 1.1.32
  • Bump nodejs-offline-buildpack to version 1.7.61
  • Bump push-usage-service-release to version 674.0.23
  • Bump pxc to version 0.39.0
  • Bump python-offline-buildpack to version 1.7.46
  • Bump r-offline-buildpack to version 1.1.22
  • Bump ruby-offline-buildpack to version 1.8.47
  • Bump uaa to version 74.5.26

Component                       Version
ubuntu-xenial stemcell          621.0
backup-and-restore-sdk          1.18.22
binary-offline-buildpack        1.0.40
bosh-dns-aliases                0.0.4
bosh-system-metrics-forwarder   0.0.20
bpm                             1.1.14
capi                            1.117.1
cf-autoscaling                  239
cf-cli                          1.33.0
cf-networking                   2.38.0
cflinuxfs3                      0.262.0
credhub                         2.9.4
diego                           2.53.0
dotnet-core-offline-buildpack   2.3.34
garden-runc                     1.19.30
go-offline-buildpack            1.9.34
haproxy                         11.4.4
java-offline-buildpack          4.42
log-cache                       2.11.4
loggregator-agent               6.3.4
loggregator                     106.6.0
mapfs                           1.2.6
metric-registrar                1.2.2
metrics-discovery               3.0.6
mysql-monitoring                9.15.0
nats                            40
nfs-volume                      7.1.1
nginx-offline-buildpack         1.1.32
nodejs-offline-buildpack        1.7.61
notifications-ui                40
notifications                   62
php-offline-buildpack           4.4.45
push-apps-manager-release       675.0.1
push-usage-service-release      674.0.23
pxc                             0.39.0
python-offline-buildpack        1.7.46
r-offline-buildpack             1.1.22
routing                         0.224.0
ruby-offline-buildpack          1.8.47
silk                            2.38.0
smb-volume                      3.1.0
smoke-tests                     4.3.0
staticfile-offline-buildpack    1.5.24
statsd-injector                 1.11.16
syslog                          11.7.5
system-metrics-scraper          3.2.3
uaa                             74.5.26

2.12.0

Release Date: October 4, 2021

Component                       Version
ubuntu-xenial stemcell          621.0
backup-and-restore-sdk          1.18.18
binary-offline-buildpack        1.0.40
bosh-dns-aliases                0.0.4
bosh-system-metrics-forwarder   0.0.20
bpm                             1.1.13
capi                            1.117.0
cf-autoscaling                  239
cf-cli                          1.33.0
cf-networking                   2.38.0
cflinuxfs3                      0.259.0
credhub                         2.9.1
diego                           2.53.0
dotnet-core-offline-buildpack   2.3.34
garden-runc                     1.19.30
go-offline-buildpack            1.9.34
haproxy                         11.4.4
java-offline-buildpack          4.42
log-cache                       2.11.2
loggregator-agent               6.3.4
loggregator                     106.6.0
mapfs                           1.2.6
metric-registrar                1.2.2
metrics-discovery               3.0.6
mysql-monitoring                9.15.0
nats                            40
nfs-volume                      7.1.1
nginx-offline-buildpack         1.1.31
nodejs-offline-buildpack        1.7.57
notifications-ui                40
notifications                   62
php-offline-buildpack           4.4.45
push-apps-manager-release       675.0.1
push-usage-service-release      674.0.20
pxc                             0.37.0
python-offline-buildpack        1.7.45
r-offline-buildpack             1.1.21
routing                         0.224.0
ruby-offline-buildpack          1.8.46
silk                            2.38.0
smb-volume                      3.1.0
smoke-tests                     4.3.0
staticfile-offline-buildpack    1.5.24
statsd-injector                 1.11.16
syslog                          11.7.5
system-metrics-scraper          3.2.3
uaa                             74.5.25

How to Upgrade

To upgrade to TAS for VMs v2.12, see Configuring TAS for VMs for Upgrades.

When upgrading to TAS for VMs v2.12, be aware of the following upgrade considerations:

  • If you previously used an earlier version of TAS for VMs, you must first upgrade to TAS for VMs v2.11 to successfully upgrade to TAS for VMs v2.12.

  • To minimize downtime for developers pushing apps, upgrade from TAS for VMs v2.11.9 or later. Upgrading from earlier patch versions can result in an Unknown Error when pushing apps.

  • Some partner service tiles may be incompatible with TAS for VMs v2.12. VMware is working with partners to ensure their tiles are updated to work with the latest versions of TAS for VMs.

    For information about which partner service releases are currently compatible with TAS for VMs v2.12, review the appropriate partner service release documentation at https://docs.pivotal.io or contact the partner organization that produces the tile.

New Features in TAS for VMs v2.12

TAS for VMs v2.12 includes the following major features:

TAS for VMs Is Compatible with cf CLI v8

TAS for VMs v2.12 paired with cf CLI v8 allows you to do the following:

  • Push apps with end-to-end HTTP/2 routing
  • Assign the Space Supporter role to users
  • Manage services asynchronously

For more information, see Upgrading to cf CLI v8.

Gorouter Supports HTTP/2

Breaking Change: See Envoy Advertises HTTP/2 Support Over ALPN in the Breaking Changes section.

In TAS for VMs v2.12 and later, HTTP/2 support is enabled by default. HTTP/2 is the second major version of the HTTP protocol.

HTTP/2 features the following improvements over HTTP/1.1:

  • Uses a binary data format instead of plain text
  • Compresses headers
  • Multiplexes multiple HTTP requests over a single TCP connection

Together, these improvements can improve response times for some apps.

For more information about the HTTP/2 protocol, see RFC 7540.

For information about configuring support for HTTP/2 in TAS for VMs, see Configuring HTTP/2 Support.

For information about routing HTTP/2 traffic to your TAS for VMs apps, see Routing HTTP/2 and gRPC Traffic to Apps.

Gorouter Supports TLS v1.3

In TAS for VMs v2.12, the Gorouter supports TLS v1.3. New installations of TAS for VMs use TLS v1.3 for the Gorouter by default. If you are upgrading to TAS for VMs v2.12, the Gorouter uses TLS v1.2 by default.

You can select which versions of TLS the Gorouter uses when you configure TAS for VMs. Selecting support for TLS v1.3 only is a beta feature in TAS for VMs v2.12.

For more information, see (Beta) Gorouter Can Support TLS v1.3 Connections Only in the Breaking Changes section.

New User Role: Space Supporter

TAS for VMs v2.12 introduces the Space Supporter role. Users with the Space Supporter role can do the following:

  • View app logs and audit events
  • Start, stop, and restart apps
  • Scale apps
  • Read, bind, and unbind existing service instances

Users with the Space Supporter role cannot do any of the following:

  • View credentials or app data
  • Edit app source code
  • SSH into app instances
  • View the app environment
  • Create or access service keys
  • Create or update services
  • Delete apps or services

The Space Supporter role is only available for the Cloud Controller V3 API. If a user with this role tries to access a V2 endpoint, the API returns a 403.

For more information, see User Roles in Orgs, Spaces, Roles, and Permissions.

TAS for VMs Version is in Apps Manager UI

You can find the current version of TAS for VMs in the footer of the Apps Manager UI.

Secure Endpoint for Metric Registrar

TAS for VMs v2.12 allows operators to register a secure endpoint for the Metric Registrar CLI plugin to ingest app metrics. You can use the cf register-metrics-endpoint command to specify an internal port in your app when you register the endpoint to the metric registrar.

For more information, see Register a Metrics Endpoint in Using Metric Registrar.

Reduce Traffic to Syslog Drains

TAS for VMs v2.12 includes an option to control how much deployment metadata is sent in app and aggregate syslog drains.

If you select the Default loggregator drain metadata checkbox, then TAS for VMs sends all metadata from your deployment to syslog drains.

If you do not select this option, then TAS for VMs sends a reduced amount of metadata. This can reduce your external database logs by up to 50 percent.

For more information, see (Optional) Configure System Logging in Configuring TAS for VMs.

Supported cf CLI Container Images

VMware supports the following container images that contain the cf CLI:

VMware maintains these container images and updates them with the latest security patches.

Breaking Changes

TAS for VMs v2.12 includes the following breaking changes:

(Beta) Gorouter Can Support TLS v1.3 Connections Only

TLS v1.3 is not compatible with some versions of Java. If you configure TAS for VMs to support TLS v1.3 only, you might encounter errors with Java apps. For more information, see JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 in the JDK Bug System.

The tile property that controls the TLS version in TAS for VMs changes in TAS for VMs v2.12. You must update any stored configuration files to reflect the change.

Envoy Advertises HTTP/2 Support Over ALPN

Envoy, the Diego container proxy, advertises HTTP/2 support using Application-Layer Protocol Negotiation (ALPN) for all apps. Internal clients that access the Envoy TLS port directly must negotiate down to HTTP/1.1 for apps that do not support HTTP/2. The Envoy TLS port is typically 61001. Clients that connect to apps using the Gorouter are not affected.
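
The ALPN negotiation described above, as an added example that is not code from TAS for VMs or Envoy: a Go client that offers only http/1.1 over ALPN and confirms what the server selected. The local listener is a constructed stand-in that is assumed to advertise both h2 and http/1.1; the function names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newStandIn starts a constructed loopback TLS listener that advertises both
// h2 and http/1.1 over ALPN (an assumption standing in for the proxy's TLS port).
func newStandIn() (*httptest.Server, *x509.CertPool) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{NextProtos: []string{"h2", "http/1.1"}}
	srv.StartTLS()
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust only the stand-in's test certificate
	return srv, roots
}

// negotiate completes a TLS handshake offering the given ALPN protocols and
// returns the protocol the server selected.
func negotiate(addr string, roots *x509.CertPool, offer []string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, NextProtos: offer})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	srv, roots := newStandIn()
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	// A client that offers h2 gets h2; a client for an HTTP/1.1-only app must
	// leave h2 out of its offer so the connection is negotiated down.
	for _, offer := range [][]string{{"h2", "http/1.1"}, {"http/1.1"}} {
		proto, err := negotiate(addr, roots, offer)
		fmt.Printf("offered %v -> negotiated %q (err: %v)\n", offer, proto, err)
	}
}
```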

Gorouter No Longer De-chunks Short Chunked Responses

In previous versions of TAS for VMs, the Gorouter de-chunked short chunked responses, set a Content-Length header, and sent a traditional body. This capability was available when Gorouter used Golang v1.15, which is out of support.

For versions of TAS for VMs that contain routing-release v0.214.0 and later, the Gorouter uses Golang v1.16, which sends a chunked response. If your clients or proxies that access apps cannot handle a chunked response, or expect a Content-Length header, they break.

For more information, see Clients receive responses with no Content-Length header and a chunked encoded body after upgrading Tanzu Application Service for VMs in the Knowledge Base.

Known Issues

TAS for VMs v2.12 includes the following known issue:

HAProxy Does Not Support HTTP/2

HAProxy is not configured to support HTTP/2 ingress traffic. HAProxy also does not send HTTP/2 traffic to the Gorouter, even when HTTP/2 is enabled.

To work around this issue, you can use an external load balancer to support HTTP/2 traffic. For more information, see Configure Load Balancers in Configuring HTTP/2 Support.

This issue is resolved in TAS for VMs v2.12.2 and later.