On-boarding TKG Clusters on Tanzu Service Mesh

VMware Tanzu

What is Tanzu Kubernetes Grid Cluster?

A TKG cluster is VMware's opinionated, production-ready Kubernetes cluster that can run across a hybrid multicloud environment.

Read more detail here:


What is Tanzu Service Mesh?

VMware Tanzu Service Mesh is a service mesh solution from VMware that provides consistent control and security for microservices running across multicloud environments. Currently, Tanzu Service Mesh is offered as a service by VMware.

Read more detail here:


TKG Cluster On-boarding Prerequisites

Technical Prerequisites

To on-board a TKG cluster on TSM, several requirements must be met, e.g. TKG version, resource availability on worker nodes, and network connectivity. These requirements are well documented in the link below.


Access Requirement

Tanzu Service Mesh is offered as a service by VMware, and its access can be validated from the VMware Cloud Service portal. Follow the steps below:
1. Log in to https://console.cloud.vmware.com/
2. On the My Services page, you will find Tanzu Service Mesh listed.

On-boarding TKG Cluster on Tanzu Service Mesh Steps

1. Click on the VMware Tanzu Service Mesh tile shown under My Services on the VMware Cloud Service portal. This will redirect you to the Tanzu Service Mesh portal.

Note: If you see 400 Bad Request, try opening it in an Incognito window.

Error while opening Tanzu Service Mesh portal

2. Once it is opened, you will see the portal as shown below.

Tanzu Service Mesh Landing Page

In my case, there are no clusters on-boarded yet. Let’s start TKG Cluster on-boarding.

3. Click on ADD NEW in the left corner. It will give you different options. Click on Onboard New Cluster.


4. Enter the Cluster Name and click on the “GENERATE SECURITY TOKEN” button.

Note: The cluster name provided here need not be the same as the TKG cluster name.

5. After clicking the Generate Security Token button, the next step will be highlighted with the token filled in.

6. Copy both commands and run them against your TKG cluster.

$ kubectl apply -f <copy above link>
namespace/vmware-system-tsm created
customresourcedefinition.apiextensions.k8s.io/tsmclusters.tsm.vmware.com unchanged
customresourcedefinition.apiextensions.k8s.io/clusterhealths.client.cluster.tsm.tanzu.vmware.com configured
configmap/tsm-agent-operator created
serviceaccount/operator--srv-acnt created
clusterrolebinding.rbac.authorization.k8s.io/operator-cluster-admin-rb configured
deployment.apps/tsm-agent-operator created
serviceaccount/operator-ecr-read-only--service-account created
secret/operator-ecr-read-only--aws-credentials created
role.rbac.authorization.k8s.io/operator-ecr-read-only--role created
rolebinding.rbac.authorization.k8s.io/operator-ecr-read-only--role-binding created
cronjob.batch/operator-ecr-read-only--renew-token created
job.batch/operator-ecr-read-only--renew-token created

$ kubectl -n vmware-system-tsm create secret generic cluster-token --from-literal=token=<token removed>
secret/cluster-token created

7. In a few seconds, you will notice that the next step, to install Tanzu Service Mesh, is highlighted.

Before we install, let's see what changes have already been made on the TKG cluster. You will see that the vmware-system-tsm namespace has been created, along with a few resources, e.g. below:

$ kubectl get ns
adminspace Active 7d17h
cert-manager Active 16d
controller-my-tkg-controller Active 7d18h
default Active 54d
kube-node-lease Active 54d
kube-public Active 54d
kube-system Active 54d
tanzu-system-ingress Active 54d
tkg-system Active 54d
vmware-system-auth Active 54d
vmware-system-cloud-provider Active 54d
vmware-system-csi Active 54d
vmware-system-tsm Active 2m30s

$ kubectl get all -n vmware-system-tsm
pod/allspark-ws-proxy-84f46b6c7b-h9hv7 1/1 Running 0 2m15s
pod/k8s-cluster-manager-7f65f4597c-jpxpq 1/1 Running 0 2m15s
pod/operator-ecr-read-only--renew-token-2qb5h 0/1 Completed 0 2m36s
pod/tsm-agent-operator-84459cfdb8-r6qqh 1/1 Running 0 2m36s
NAME                          TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)     AGE
service/k8s-cluster-manager ClusterIP <none> 40041/TCP 2m15s
NAME                                  READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/allspark-ws-proxy 1/1 1 1 2m15s
deployment.apps/k8s-cluster-manager 1/1 1 1 2m15s
deployment.apps/tsm-agent-operator 1/1 1 1 2m36s
NAME                                             DESIRED   CURRENT   READY   AGE
replicaset.apps/allspark-ws-proxy-84f46b6c7b 1 1 1 2m15s
replicaset.apps/k8s-cluster-manager-7f65f4597c 1 1 1 2m15s
replicaset.apps/tsm-agent-operator-84459cfdb8 1 1 1 2m36s
NAME                                            COMPLETIONS   DURATION   AGE
job.batch/operator-ecr-read-only--renew-token 1/1 2s 2m36s
NAME                                                SCHEDULE      SUSPEND   ACTIVE   LAST SCHEDULE   AGE
cronjob.batch/operator-ecr-read-only--renew-token 0 */8 * * * False 0 <none> 2m36s

8. You can select specific namespaces if you need to exclude any, and then click on the Install Tanzu Service Mesh button.

TSM Installation is in progress

9. Let’s note the changes in the TKG cluster.

List the namespaces and you will see that a new namespace has been created. List the pods being created inside this namespace too.

istio-system                   Active   13s
$ kubectl get po -n istio-system
allspark-telegraf-node-pjh2j 1/1 Running 0 7m40s
allspark-telegraf-node-s6fxt 1/1 Running 0 7m40s
allspark-telegraf-node-xszpj 1/1 Running 0 7m40s
istio-egressgateway-544d8dd96b-k4q9k 1/1 Running 0 9m10s
istio-egressgateway-544d8dd96b-qjlj8 1/1 Running 0 9m10s
istio-ingressgateway-55678bc575-b6v84 1/1 Running 0 9m10s
istio-ingressgateway-55678bc575-vnqdt 1/1 Running 0 9m10s
istio-telemetry-d564c59df-f97gh 2/2 Running 0 9m8s
istio-telemetry-d564c59df-vpqlv 2/2 Running 0 9m8s
istiocoredns-599c554d55-6zd77 2/2 Running 0 9m10s
istiocoredns-599c554d55-r77c6 2/2 Running 0 9m10s
istiod-bb6f7548-fw4fn 1/1 Running 0 9m27s
istiod-bb6f7548-vs9f9 1/1 Running 0 9m27s

10. Wait for some time; the above step takes around 3–4 minutes. Keep watching the resource deployment under the istio-system namespace.

11. After a few minutes, you will see that the cluster onboarding is successful.

12. Click on the EXIT TO CONSOLE button. You will see the newly onboarded cluster listed.

So, our TKG Cluster is onboarded successfully. In the next post, I will talk about different concepts of TSM, e.g. Global Namespace, SLO etc., and how to use them.
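
A post-onboarding review aid for the objects created in step 6, as an added example that is not part of the original post or VMware's tooling: it sorts the kubectl apply output into RBAC, credential, identity and scheduled-job objects and prints read-only kubectl commands to inspect each one. The helper names review_queue and inspect_cmds are hypothetical, and it assumes the namespaced objects live in vmware-system-tsm, where the post shows the job and cronjob.

```shell
#!/usr/bin/env bash
# Added example, not VMware's or the author's code: triage `kubectl apply`
# output and list the objects worth reviewing after onboarding.

# Sample input: the apply output printed in step 6 of this post.
APPLY_OUTPUT='namespace/vmware-system-tsm created
customresourcedefinition.apiextensions.k8s.io/tsmclusters.tsm.vmware.com unchanged
customresourcedefinition.apiextensions.k8s.io/clusterhealths.client.cluster.tsm.tanzu.vmware.com configured
configmap/tsm-agent-operator created
serviceaccount/operator--srv-acnt created
clusterrolebinding.rbac.authorization.k8s.io/operator-cluster-admin-rb configured
deployment.apps/tsm-agent-operator created
serviceaccount/operator-ecr-read-only--service-account created
secret/operator-ecr-read-only--aws-credentials created
role.rbac.authorization.k8s.io/operator-ecr-read-only--role created
rolebinding.rbac.authorization.k8s.io/operator-ecr-read-only--role-binding created
cronjob.batch/operator-ecr-read-only--renew-token created
job.batch/operator-ecr-read-only--renew-token created'

# review_queue (hypothetical helper): stdin = apply output,
# stdout = "<category> <kind> <name>" for RBAC, credential and job objects.
review_queue() {
  awk '{
    split($1, ref, "/")                   # ref[1] = kind[.api-group], ref[2] = name
    kind = ref[1]; sub(/\..*/, "", kind)  # strip the API group suffix
    if (kind ~ /^clusterrole(binding)?$/) print "cluster-rbac", kind, ref[2]
    else if (kind ~ /^role(binding)?$/)   print "namespace-rbac", kind, ref[2]
    else if (kind == "secret")            print "credential", kind, ref[2]
    else if (kind == "serviceaccount")    print "identity", kind, ref[2]
    else if (kind ~ /^(cron)?job$/)       print "scheduled", kind, ref[2]
  }'
}

# inspect_cmds (hypothetical helper): turn the queue into read-only kubectl
# commands; $1 is the namespace assumed for namespaced objects.
inspect_cmds() {
  review_queue | awk -v ns="$1" '
    $1 == "cluster-rbac" { print "kubectl get " $2 " " $3 " -o yaml"; next }
    # describe lists key names and sizes of a secret, not the values
    $2 == "secret" { print "kubectl -n " ns " describe secret " $3; next }
    { print "kubectl -n " ns " get " $2 " " $3 " -o yaml" }'
}

# Stand-alone run: print the inspection commands for the sample output.
printf '%s\n' "$APPLY_OUTPUT" | inspect_cmds vmware-system-tsm
```

The cluster-scoped binding is listed first in its own category because it is the one object in this output whose permissions are not confined to the vmware-system-tsm namespace.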


I found this video very helpful, watch it once.

Refer to the VMware documentation for more detail.

