To provision TKG clusters on Supervisor, you can create a subscribed content library and synchronize Tanzu Kubernetes releases. A subscribed content library lets you automate the distribution of TKRs and stay current with the latest releases.

For TKG on Supervisor, VMware publishes Tanzu Kubernetes releases to a content delivery network. You can create a content library that subscribes to these image publications. You choose the synchronization mode: immediate or on demand.
Warning: Immediate synchronization of Tanzu Kubernetes releases on the public content delivery network can take substantial time and disk space.


The content library functionality is a feature of vCenter Server that TKG on Supervisor relies on. For more information, see "Using Content Libraries" in the vSphere Virtual Machine Administration documentation.


  1. Log in to the vCenter Server using the vSphere Client.
  2. Select Menu > Content Libraries.
  3. Click Create.
    The New Content Library wizard opens.
  4. Specify the Name and location of the content library and click Next when you are done.
    Field Description
    Name Enter a descriptive name, such as TKR-sub.
    Notes Include a description, such as Subscription library for TKRs for TKG2
    vCenter Server Select the vCenter Server instance where Workload Management is enabled.
  5. Configure the content library subscription at the Configure content library page and click Next when you are done.
    1. Select the Subscribed content library option.
    2. Enter the Subscription URL address of the publisher.

    3. For the Download content option, select one of the following:
      Option Description
      Immediately The subscription process synchronizes both the library metadata and images. If items are deleted from the published library, their contents remain in the subscribed library storage, and you have to manually delete them.
      When needed The subscription process synchronizes only the library metadata. The Tanzu Kubernetes Grid service downloads the images when published. When you no longer need the item, you can delete the item contents to free storage space. To save storage this option is recommended.
  6. When prompted, accept the SSL certificate thumbprint.
    The SSL certificate thumbprint is stored on your system until you delete the subscribed content library from the inventory.
  7. Configure the OVF security policy at the Apply security policy page and click Next when you are done.
    1. Select Apply Security Policy.
    2. Select OVF default policy.
    When you select this option, the system verifies the OVF signing certificate during the synchronization process. An OVF template that does not pass certificate validation is marked with the Verification Failed tag. The template metadata is kept, but the OVF files cannot be synchronized.
    Note: Currently the OVF default policy is the only supported security policy.
  8. At the Add storage page, select a datastore as a storage location for the content library contents and click Next.
  9. On the Ready to complete page, review the details and click Finish.
  10. At the Content Libraries page, select the new content library you created.
  11. Confirm or complete the synchronization of the library contents.
    Synchronization Option Description

    If you chose to download all content immediately, confirm that the library is synchronized.

    To view the synchronized library contents, select Templates > OVF & OVA Templates.

    When needed
    If you chose to synchronize the library on demand, you have two options:
    • Use Actions > Synchronize to synchronize the entire library
    • Right-click an item and select Synchronize to synchronize only it.
    To view the synchronized library contents, select Templates > OVF & OVA Templates.
  12. If you chose the When needed option, download the OVF templates you want to use.

    If you chose the When needed option, you see that the image files are not stored locally, only the metadata is stored. To download the template files, select the item, right-click and select Synchronize item.

  13. To update the subscribed content library settings, choose Actions > Edit Settings.
    Setting Value
    Subscription URL

    Authentication Not enabled
    Library content Download when needed
    Security policy OVF default policy


What to do next

The Tanzu Kubernetes release content library must be associated with each vSphere Namespace where you provision TKG clusters. See Configuring vSphere Namespaces for Hosting TKG Service Clusters.