WilliamLam.com

Quick Tip - Configuring vSphere Supervisor Services with self-signed container registry

08.18.2025 by William Lam // 2 Comments

When deploying additional vSphere Supervisor Services including the new Data Services Operator enabling Database-as-a-Service (DBaaS), the container images that are used are hosted on Broadcom's container registry (projects.packages.broadcom.com).

For air-gapped deployments where you need to use an internal container registry, there is a process to relocate the Broadcom's container images into your own container registry, which has been possible since vSphere 8.0 Update 3.

While attempting to install the DSM Operator Supervisor Service, which had already been relocated into my standalone Harbor registry, I ran into the classic issue where the self-signed TLS certificate could not be trusted as you can see from the screenshot below.

While the validation error message was clear on why the installation will fail, it did not provide any details on how to actually add the trust the self-signed TLS certificate from my container registry.

After checking internally with a few folks, I was able to resolve this, but it took several attempts. I have already made a request to improve the official documentation to make these steps clearer.

[Read more...]

Quick Tip - Auditing configured Per-VM EVC (Enhanced vMotion Compatibility)

08.18.2025 by William Lam // Leave a Comment

A request came in last week to help automate the inventory of vSphere Virtual Machines (VMs) that have been configured with the Per-VM EVC (Enhanced vMotion Compatibility) capability.

It is important to understand that if a VM is not configured with Per-VM EVC, it will automatically inherit the configured EVC-mode from the vSphere Cluster. While there are several vSphere API properties that will give you information about the EVC details for a VM, the quickest way to check whether a VM has Per-VM EVC configured is by looking at the FeatureMask property.

Here is a quick PowerCLI snippet that demonstrates the use of this vSphere API:

$vms = Get-View -ViewType VirtualMachine -Property Name, Runtime

foreach ($vm in $vms) {
    if($vm.Runtime.FeatureMask -ne $null -and $vm.name -notmatch "vCLS-") {
        Write-Host "Per-VM EVC Enabled for $(${vm}.name)"
    }
}

Here is an example output when running this script and you can adjust the output based on your needs including exporting it to CSV list/etc.

Quick Tip - Configuring vSphere Kubernetes Service (VKS) Cluster with self-signed container registry

08.12.2025 by William Lam // Leave a Comment

Over the weekend, I had finished building a small container application that I had developed on my local desktop, which worked great. However, the real test was to deploy the application on a vSphere Kubernetes Service (VKS) Cluster, which would require the container image to be hosted in a container registry.

Rather than using a public container registry, like many organizations, you typically would setup an internal registry that your infrastructure could have access to. Harbor is my go to container registry and is extremely simple to setup as it uses docker-compose under the hood.

After uploading my container image to Harbor, if you try to deploy it to your VKS Cluster, you will immediately see the following image pull error:

tls: failed to verify certificate: x509: certificate signed by unknown authority

Just like any system that attempts to connect to an endpoint with a self-signed TLS certificate that it can not verify, it will not trust which is the default behavior.

For our VKS Cluster to be able to successfully pull an image from Harbor with a self-signed TLS certificate, we need to add the trusted CA to our vSphere Namespace and then reference that as part of our VKS Cluster deployment.

[Read more...]