Tanzu Service Mesh supports using a customer registry for pulling client-side images. For example, your organization may mandate that all images deployed would be pulled to a local registry and scanned for vulnerabilities before used. If your private image registry requires authentication to be accessed, you will need to use secrets on your client Kubernetes clusters. This topic explains how to create a secret for authenticating your private image registry during cluster onboarding.

Customer-owned registry support is used as a part of cluster onboarding. For more details on how to onboard a cluster and prerequisites, see Onboard a Cluster to Tanzu Service Mesh. The steps below explain how to create a secret. For more information on secret authentication for private registry, refer to Pull an Image from a Private Registry.


In a terminal, run the following commands to set the shell variables:

password=<<password/token for the registry>>
username=<<username for registry>> 
registryURL=<<URL for the registry>> 
registrySecret=<<Name of the secret for registry account in TSM>>


  1. Run the following commands to set up namespaces. To install TSM successfully, we need secret in these three namespaces: istio-system, kube-system, and vmware-system-tsm. As the Kubernetes installation includes kube-system by default, we now create istio-system and vmware-system-tsm namespaces.
    kubectl create namespace istio-system 
    kubectl create namespace vmware-system-tsm 

    The response message looks like:

    namespace/istio-system created
    namespace/vmware-system-tsm created

    If any of the namespaces already exist, you may receive the following error and there is no need to recreate it:

    Error from server (AlreadyExists): namespaces "<<namespace>>" already exists
  2. Run the following commands to create secret with name ${registrySecret} in istio-system, kube-system, and vmware-system-tsm namespaces respectively.

    Use the code below to create a secret in any other namespaces that require authentication to the custom registry to pull images.

    kubectl create secret docker-registry "${registrySecret}" \ 
    --docker-server="${registryURL}" \ 
    --docker-username="${username}" \ 
    --docker-password="${password}" \ 
    kubectl create secret docker-registry "${registrySecret}" \ 
    --docker-server="${registryURL}" \ 
    --docker-username="${username}" \ 
    --docker-password="${password}" \ 
    kubectl create secret docker-registry "${registrySecret}" \ 
    --docker-server="${registryURL}" \ 
    --docker-username="${username}" \ 
    --docker-password="${password}" \ 

    When the secret name already exists, the kubectl create secret command will throw an error. You can either recreate the secret or update the existing secret with correct value.

    error: failed to create secret secrets "<<secret-name>>" already exists

    The secret is created which can be used in pod specification to pull images from your private image registry. A typical response message looks like:

    secret/<<registrysecret>> created

What to do next

Create a new custom image registry account by following these steps:

  1. In the navigation panel on the left side of the Tanzu Service Mesh console, select Image Registries under Admin.

  2. Click Add Image Registry to open the New Image Registry Configuration modal window.

  3. Fill out the following details:


    Enter your account name.

    Description (optional)

    Optionally provide comments about your private image registry.

    Registry URL

    Enter the base URL of your private image registry.


    If authentication is required for your private image registry, select Use a Secret and enter the Secret Name.

  4. Click Save. Your private image registry account is created and saved for use during cluster onboarding.


As a prerequisite for onboarding a cluster using Tanzu Service Mesh images from your private registry, you need to mirror the required repositories from the Tanzu Service Mesh public ECR registry located at public.ecr.aws/v6x6b8s5. For private registries that do not support mirroring, download the images from the Tanzu Service Mesh public ECR registry and push them into your private registries.

List of repositories to mirror

  • public.ecr.aws/v6x6b8s5/config-service

  • public.ecr.aws/v6x6b8s5/k8s-cluster-manager

  • public.ecr.aws/v6x6b8s5/metrics-proxy

  • public.ecr.aws/v6x6b8s5/telegraf

  • public.ecr.aws/v6x6b8s5/tsm-agent-operator

  • public.ecr.aws/v6x6b8s5/vmwareallspark/install-cni

  • public.ecr.aws/v6x6b8s5/vmwareallspark/mixer

  • public.ecr.aws/v6x6b8s5/vmwareallspark/pilot

  • public.ecr.aws/v6x6b8s5/vmwareallspark/proxyv2

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-installer

  • public.ecr.aws/v6x6b8s5/vmwareallspark/service-mesh-manifests

  • public.ecr.aws/v6x6b8s5/ws-client

  • public.ecr.aws/v6x6b8s5/deployment_utils

List of images to download

For a list of the Tanzu Service Mesh images to download, see the Tanzu Service Mesh Images to Download section in the VMware Tanzu Service Mesh Global Controller Release Notes.


Deleting a custom image registry account: Tanzu Service Mesh does not currently support editing a registry location for an already onboarded cluster. In the rare case that you will need to change your registry the only option would be to delete the registry location definition and re-onboard the cluster.

If you delete an image registry account from Admin> Image Registries > More Actions > Delete Account, you will be notified that you have to re-onboard the cluster to avoid ImagePullBackOff issue.