Installing and Configuring Tanzu Service Manager

Warning: Tanzu Service Manager has reached End of General Support (EOGS) and has been withdrawn.

Page last updated:

This topic describes how to install and configure Tanzu Service Manager (TSMGR) for production using Helm.


TSMGR is installed and configured using a Helm chart.

For a video demonstration of installing and configuring TSMGR, watch How to Install Tanzu Service Manager below:

To install and configure TSMGR:

  1. Get TSMGR Resources From VMware Tanzu Network

  2. Install the TSMGR CLI

  3. Replicate TSMGR Images

  4. (Recommended) Configure Service Mesh

  5. Configure the TSMGR Helm Chart

  6. Install the TSMGR Helm Chart

  7. (Recommended) Configure Security

  8. (Optional) Install Prometheus

  9. Next Steps


Before you install TSMGR using Helm, you must have:

  • Helm 3 CLI (v3.2.4 or later): For information about installing the Helm CLI, see the Helm documentation.

  • Docker CLI: For information about installing Docker, see the Docker documentation.

  • TAS for VMs Deployment: A running TAS for VMs deployment.

  • Kubernetes Cluster: A running Kubernetes cluster. TSMGR supports Tanzu Kubernetes Grid Integrated Edition clusters. For supported cluster versions, see the Product Snapshot. For information about TKGI, see Tanzu Kubernetes Grid Integrated Edition.

  • Kubernetes CLI: For information about installing kubectl, see the Kubernetes documentation.

  • S3 Compatible Storage: TSMGR requires a S3-compatible bucket to store offered charts and the chart cache. For more information, see Configuring External Storage.

  • Private Container Image Registry: You need this to manage container images in air-gapped environments. VMware recommends using a registry in production deployments. You can use a registry such as Harbor.

  • Install the Ingress controller on the cluster where you want to install TSMGR: You must also reserve a subdomain for TSMGR in your DNS. For information about Ingress, see the Kubernetes documentation.

  • Cloud Foundry CLI (cf CLI): To download the cf CLI, see Cloud Foundry CLI in GitHub. Although, the cf CLI is not required for the procedures in this topic, it is required to give developers access to services. See Using Services with Tanzu Service Manager.

Get TSMGR Resources From VMware Tanzu Network

To get the resources needed from VMware Tanzu Network to install TSMGR:

  1. Log in and navigate to Tanzu Service Manager (TSMGR) in VMware Tanzu Network.

  2. Get the following resources:

    • The TSMGR Command Line Interface (CLI): Click CLIs and download the CLI for your operating system.
    • Docker pull commands: Click Artifact References and record the docker pull commands for the broker, daemon, and chartmuseum.
    • Helm chart TGZ file: Click tsmgr-VERSION-NUMBER.tgz and download the Helm chart for TSMGR.
    • values-production.yaml file: Download the values-production.yaml override configuration file.

Install the TSMGR CLI

To install the TSMGR Command Line Interface (CLI):

  1. Rename the downloaded TSMGR CLI file as tsmgr.

  2. Make the TSMGR binary act as an executable file by running:

    chmod +x tsmgr
  3. Move the binary file into your PATH by running:

    mv tsmgr /usr/local/bin/tsmgr
  4. Ensure TSMGR CLI is properly working:

    tsmgr version

Replicate TSMGR Images

To replicate your TSMGR images to a private container image registry:

  1. Relocate the images to your local machine: Run the docker pull commands recorded in Get TSMGR Resources From VMware Tanzu Network above, to pull the images. The registry credentials are the same as your VMware Tanzu Network credentials.

  2. Tag the images for your registry by running these commands:

    docker tag \
    docker tag \
    docker tag \


    For example:

    $ docker tag \
    $ docker tag \
    $ docker tag \
  3. Create the tanzu-service-manager project in your registry.

  4. Push the images to your registry by running these commands:

    docker push REGISTRY/tanzu-service-manager/broker:VERSION-NUMBER
    docker push REGISTRY/tanzu-service-manager/daemon:VERSION-NUMBER
    docker push REGISTRY/tanzu-service-manager/chartmuseum:CHARTMUSEUM-VERSION-NUMBER

    Where REGISTRY is the private container image registry path.

    For example:

    $ docker push
    $ docker push
    $ docker push

(Recommended) Configure Service Mesh

You can secure traffic between TSMGR components by using a service mesh, such as Istio.

To configure an Istio service mesh:

  1. Install Istio on your Kubernetes cluster by following the Istio documentation. Follow the steps in the installation guide that best meets your needs.

  2. Inject Istio into the namespace where TSMGR will be deployed by running:

    kubectl create ns TSMGR-NAMESPACE
    kubectl label namespace TSMGR-NAMESPACE istio-injection=enabled

    Where TSMGR-NAMESPACE is a name you choose for the TSMGR dedicated namespace.

Configure the TSMGR Helm Chart

Note: To see a detailed description of each value and its default, run: helm show values tsmgr-VERSION-NUMBER.tgz.

To configure the TSMGR Helm chart, edit the values-production.yaml file:

  1. Add the credentials for the registry where you replicated the TSMGR images:

     registry: REGISTRY
     username: REGISTRY-USERNAME
     password: REGISTRY-PASSWORD


    • REGISTRY is the registry you configured for installation images, for example,
    • REGISTRY-USERNAME is the username for the registry.
    • REGISTRY-PASSWORD is the password for the registry.

    TSMGR uses this registry for TSMGR installation Docker images. A new secret named registrySecretName of type dockerconfigjson is created with these credentials.

  2. Add the credentials for the registry where the service instance images come from.

    Service instance refers to the Helm chart files that TSMGR manages as services, such as mysql, postgresql, and etc-operator.



    • REGISTRY-INSTANCES is the registry you configured to offer images, for example,
    • REGISTRY-INSTANCES-USERNAME is the username for the registry. This user can have read-only access.
    • REGISTRY-INSTANCES-PASSWORD is the password for the registry.

    TSMGR uses this registry as the backing registry for the services that TSMGR deploys. TSMGR modifies the Helm charts that you offer to point to images in the registry.

    Note: Although this configuration is optional, VMware recommends using a private container registry in production.

  3. Define values for your registry by configuring the repository attributes:

       repository: REGISTRY/tanzu-service-manager/broker
       repository: REGISTRY/tanzu-service-manager/daemon
       repository: REGISTRY/tanzu-service-manager/chartmuseum

    Where REGISTRY is your private container image registry, for example,

  4. Define a secure password to authenticate your services by configuring the password attributes:

     password: BROKER-PASSWORD


    • BROKER-PASSWORD is a secure password for the TSMGR broker.
    • CHARTMUSEUM-PASSWORD is a secure password for ChartMuseum.
  5. Create a User Account and Authentication (UAA) client for TSMGR to use to register the broker and populate the catalog:

    uaac target uaa.SYSTEM-DOMAIN
    uaac token client get admin -s UAA-ADMIN-CLIENT-SECRET
    uaac client add CLIENT-ID -s CLIENT-SECRET \
      --authorized_grant_types client_credentials,refresh_token \
      --scope,cloud_controller.write \
      --authorities cloud_controller.admin


    • SYSTEM-DOMAIN is the system domain for TAS for VMs.
    • UAA-ADMIN-CLIENT-SECRET is the UAA Admin Client Credentials for TAS for VMs.
    • CLIENT-ID is the name of the client.
    • CLIENT-SECRET is the secret of the client.

    For information about UAA clients, see User Account and Authentication (UAA) Server in the Cloud Foundry documentation.

  6. Get the annotation information required by your Ingress controller. Use the appropriate section below:

    • If you are using an automated certificate management provider such as cert-manager: Follow the procedures to install and configure the prerequisites for the certificate management provider that you are using.
      For example, the prerequisite for cert-manager is to set up an Issuer on the cluster. For more information, see the cert-manager documentation.

    • If you are using your own TLS certificates: Create secrets with TLS certificate data.

      kubectl create secret tls daemon-cert --key DAEMON-KEY-FILE --cert DAEMON-CERT-FILE -n  NAMESPACE
      kubectl create secret tls broker-cert --key BROKER-KEY-FILE --cert BROKER-CERT-FILE -n  NAMESPACE


      • NAMESPACE is the namespace where TSMGR will be installed or, if you use an Istio Ingress controller, NAMESPACE is the same namespace as the istio-ingressgateway deployment, typically istio-system.
      • DAEMON-KEY-FILE and DAEMON-CERT-FILE are the paths to your TLS private key and certificate for the daemon.
      • BROKER-KEY-FILE and BROKER-CERT-FILE are the paths to your TLS private key and certificate for the broker.
  7. If you are using your own TLS certificates, follow the steps in Setting Trusted Certificates to ensure that Ops Manager and TAS for VMs trust the certificate.

  8. Add the following Ingress section to your tsmgr/values.yml file:

     enabled: true
     - name: INGRESS-DOMAIN
       path: INGRESS-PATH
     - secretName: daemon-cert
         - daemon.INGRESS-DOMAIN
     - secretName: broker-cert
         - broker.INGRESS-DOMAIN


    • INGRESS-DOMAIN is the name of your provisioned domain.
    • INGRESS-PATH is the path expression to match all paths for your particular ingress controller.
      Istio Ingress controller is set to "/*".
      NGINX Ingress controller is set to "/".
      Contour Ingress controller is set to "/".
    • ANNOTATION-KEY and ANNOTATION-VALUE is the annotation your Ingress controller requires.

    These values depend on the Ingress controller and certificate management option you use. For example, see the annotations for Istio Ingress controller and cert-manager:

    annotations: istio "letsencrypt-prod"

    Note: Implementation details vary by Ingress controller. For more detailed usage instructions, see the documentation for your chosen Ingress controller.

  9. Configure the Cloud Foundry environment details:

     apiAddress: https://api.SYSTEM-DOMAIN
     client: CLIENT-ID
     clientSecret: CLIENT-SECRET
     brokerName: tsmgr
     brokerUrl: https://broker.INGRESS-DOMAIN


    • SYSTEM-DOMAIN is the system domain for TAS for VMs.
    • CLIENT-ID is the client ID created in the step Create a User Account and Authentication client above. Alternatively, you can use an existing client ID for a TAS for VMs account with cloud_controller.admin permissions.
    • CLIENT-SECRET is the client secret for the TAS for VMs account.
    • INGRESS-DOMAIN is the name of your provisioned domain.

    Note: Alternatively, you can use the Cloud Foundry username and password, but this is discouraged for production. When using the username and password, replace client: with username: and clientSecret: with password:.

  10. Verify the Cloud Foundry apiAddress by running the cf target command.

  11. Add the credentials for your S3-compatible bucket using the template below:



    • BUCKET-NAME is your S3 bucket name.
    • ENDPOINT is your S3 endpoint. For example, in Google Cloud Platform (GCP) it is
    • ACCESS-KEY is your S3 access key ID.
    • SECRET is your S3 secret access key.

    The above credentials are for AWS. Depending on your IaaS, the credentials might not be a comprehensive list of the keys you need. For example, if you are not using using the default region, you might need to add the STORAGE_AMAZON_REGION:

          STORAGE_AMAZON_REGION: us-east-1

    For more information about configurations, see ChartMuseum Helm Chart in GitHub.

  12. Save the values-production.yaml file.

Install the TSMGR Helm Chart

To install the TSMGR Helm chart:

  1. From the root level of the chart, install the TSMGR Helm chart by running these commands:

    kubectl create ns TSMGR-NAMESPACE
    helm install RELEASE-NAME tsmgr-VERSION-NUMBER.tgz  -n TSMGR-NAMESPACE --wait -f values-production.yaml


    • TSMGR-NAMESPACE is a name you choose for the TSMGR dedicated namespace.
    • RELEASE-NAME is a name you choose for the release. Helm release names must begin and end with lowercase alphanumeric characters and can only contain lowercase alphanumeric characters and hyphens.
    • tsmgr-VERSION-NUMBER.tgz is the TSMGR Helm chart file you downloaded earlier.

(Recommended) Configure Security

VMware recommends configuring security on your Kubernetes cluster for TSMGR.

To configure security:

  1. Secure TSMGR secrets by using a secret provider. See Encrypting Secret Data at Rest in the Kubernetes documentation.
  2. Enable network policies on the cluster to secure traffic between services. See Network Policies in the Kubernetes documentation. Some settings can vary between clouds. For example, in GKE, network policies are not enabled by default. For more information, see your cloud-specific documentation.

(Optional) Install Prometheus

You can view metrics for TSMGR if you have Prometheus running in the cluster. You must install Prometheus in each cluster that you want to view metrics for.

To install Prometheus to a cluster:

  1. Install the Prometheus Helm chart by running these commands:

    kubectl create ns prometheus
    helm repo add prometheus-community
    helm install my-prometheus prometheus-community/prometheus -n prometheus
  2. Create a Kubernetes port forward to your local host by running these commands:

    export POD_NAME=$(kubectl get pods --namespace prometheus -l "app=prometheus,component=server" -o jsonpath="{.items[0]}")
    kubectl --namespace prometheus port-forward $POD_NAME 9090
  3. Access the Prometheus UI in your web browser at http://localhost:9090.

  4. To view metrics for TSMGR, type {app_kubernetes_io_name=~".*-tsmgr"} in the expression box and click Execute.

Next Steps

After installing and configuring TSMGR, you can start using TSMGR. For information, see Using Tanzu Service Manager.