Onboard a Kubernetes Cluster to Tanzu Service Mesh using your own Private Image Registry

VMware Tanzu Service Mesh (TSM) introduces the support of bringing your own private image registry to pull images during cluster onboarding to TSM. This helps our clients to avoid pulling TSM images require to setup data plane components on your Kubernetes Cluster from public repositories.

In this blog post, I will walk you through a step by step process about how to add an image registry, how to use the newly image registry during cluster onboarding and what all images should be available in your private image registry before you onboard a cluster.

Let’s go step by step:

Add a Registry Secret to Kubernetes Cluster

In order to access an image registry to pull TSM image on a Kubernetes cluster, we need to create a secret. Secret should be created on kube-system, istio-system and vmware-system-tsm namespace. Run the following commands to create the same.

Create Namespace (kube-system is already present, so we do not need to create)

kubectl create namespace istio-system

kubectl create namespace vmware-system-tsm

Create Secrets

password=<<password/token for the registry>>

username=<<username for registry>>

registryURL=<<URL for the registry>>


kubectl create secret docker-registry "${registrySecret}" \ 
--docker-server="${registryURL}" \ 
--docker-username="${username}" \ 
--docker-password="${password}" \ 

kubectl create secret docker-registry "${registrySecret}" \ 
--docker-server="${registryURL}" \ 
--docker-username="${username}" \ 
--docker-password="${password}" \ 

kubectl create secret docker-registry "${registrySecret}" \ 
--docker-server="${registryURL}" \ 
--docker-username="${username}" \ 
--docker-password="${password}" \ 

Add an Image Registry

  • Login to TSM GUI and Navigate to the Tanzu Admin -> Image Registries
  • Click New Image Registry
  • Fill the required details to add a new registry


  • Enter a valid container registry url
  • Ensure that you have tsm-secret created on a k8s cluster that is getting onboarded on TSM on the following namespace
    • istio-system
    • vmware-system-tsm
    • kube-system
  • The secret is of type docker-registry

Onboard a Cluster to TSM

Now, it’s time to onboard a Kubernetes cluster to TSM and select the image registry during onboarding. In this section, I will not cover the full onboarding, but I will show you the option where you need to select a registry.

  • Click on New Workflow -> Onboard New Cluster
  • Enter the name of cluster
  • Select the checkbox Pull images from a custom image registry...
  • As you can see above, you will be presented with list of image registries. Select an appropriate one. Rest, you can follow the same steps as usual to continue onboarding a cluster.

That’s all for this post. Do let me know if this works for you in a comment.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s