Learn Editor: Update howto-prepare-cluster.md

Author: meenag16

articles/iot-operations/deploy-iot-ops/howto-prepare-cluster.md

@@ -73,7 +73,38 @@ To prepare an Azure Arc-enabled Kubernetes cluster, you need:
 
   * [Azure IoT Operations supported environments](./overview-deploy.md#supported-environments).
   * [Azure Arc-enabled Kubernetes system requirements](/azure/azure-arc/kubernetes/system-requirements).
+    
+### [Tanzu Kubernetes Grid with a Management Cluster](#tab/tkgm)
 
+To prepare a TKGm workload cluster, you need:
+
+- An Azure subscription with either the Owner role or a combination of Contributor and User Access Administrator roles. You can check your access level by navigating to your subscription, selecting Access control (IAM) on the left-hand side of the Azure portal, and then selecting View my access. If you don't have an Azure subscription, [create one for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. 
+
+- An Azure resource group. Only one Azure IoT Operations instance is supported per resource group. To create a new resource group, use the [az group create](/cli/azure/group#az-group-create) command. For the list of currently supported Azure regions, see [Supported regions](../overview-iot-operations.md#supported-regions).
+
+
+```azurecli
+ az group create --location <REGION> --resource-group <RESOURCE_GROUP> --subscription <SUBSCRIPTION_ID>
+```
+
+- Azure CLI version 2.53.0 or newer installed on your cluster machine. Use `az --version` to check your version and `az upgrade` to update if necessary. For more information, see [How to install the Azure CLI](/cli/azure/install-azure-cli).
+
+- The latest version of the **connectedk8s** extension for Azure CLI:
+
+
+```bash
+az extension add --upgrade --name connectedk8s
+```
+
+- [Tanzu Kubernetes Grid with a standalone management cluster.](https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid/2-5/tkg/mgmt-index.html)
+
+- Hardware that meets the system requirements:
+
+  - [Azure IoT Operations supported environments](./overview-deploy.md#supported-environments).
+  - [Azure Arc-enabled Kubernetes system requirements](/azure/azure-arc/kubernetes/system-requirements).
+    
+  - [TKGm requirements.](https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid/2-5/tkg/mgmt-reqs-index.html)
+    
 ---
 
 ## Create and Arc-enable a cluster
@@ -238,9 +269,116 @@ By default, a Kubernetes cluster is created with a node pool that can run Linux
 
 Then, once you have an Azure Arc-enabled Kubernetes cluster, you can [deploy Azure IoT Operations](howto-deploy-iot-operations.md).
 
----
+### [Tanzu Kubernetes Grid with a Management Cluster](#tab/tkgm)
+
+To prepare a TKGm workload cluster:
+
+1. Create a single-node or multi-node TKGm workload cluster. For guidance, see the [Tanzu documentation](https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid/2-5/tkg/workload-clusters-index.html).
+
+1. SSH to one of the control plane VMs that is created. Once on the control plane VM, run the following:
+
+
+```bash
+mkdir ~/.kube
+sudo cp /etc/kubernetes/admin.conf ~/.kube/config
+sudo chown <user>:<user> ~/.kube/config
+kubectl get pods -A
+```
+
+### Arc-enable your cluster
+
+Connect your cluster to Azure Arc so that it can be managed remotely.
+
+1. On the machine where you deployed the Kubernetes cluster, sign into Azure CLI with your Microsoft Entra user account that has the required role(s) for the Azure subscription:
+
+
+```azurecli
+az login
+```
+
+If at any point you get an error that says *Your device is required to be managed to access your resource*, run `az login` again and make sure that you sign in interactively with a browser.
+
+1. After you sign in, the Azure CLI displays all of your subscriptions and indicates your default subscription with an asterisk `*`. To continue with your default subscription, select `Enter`. Otherwise, type the number of the Azure subscription that you want to use.
+
+1. Register the required resource providers in your subscription.
+
+
+```
+Note
+This step only needs to be run once per subscription. To register resource providers, you need permission to do the /register/action operation, which is included in subscription Contributor and Owner roles. For more information, see Azure resource providers and types.
+```
+
+
+```azurecli
+az provider register -n "Microsoft.ExtendedLocation"
+az provider register -n "Microsoft.Kubernetes"
+az provider register -n "Microsoft.KubernetesConfiguration"
+az provider register -n "Microsoft.IoTOperations"
+az provider register -n "Microsoft.DeviceRegistry"
+az provider register -n "Microsoft.SecretSyncController"
+```
+
+1. Use the [az connectedk8s connect](/cli/azure/connectedk8s) command to Arc-enable your Kubernetes cluster and manage it as part of your Azure resource group.
+
+
+```azurecli
+az connectedk8s connect --name <CLUSTER_NAME> -l <REGION> --resource-group <RESOURCE_GROUP> --subscription <SUBSCRIPTION_ID> --enable-oidc-issuer --enable-workload-identity --disable-auto-upgrade
+```
+
+To prevent unplanned updates to Azure Arc and the system Arc extensions that Azure IoT Operations uses as dependencies, this command disables autoupgrade. Instead, [manually upgrade agents](/azure/azure-arc/kubernetes/agent-upgrade) as needed.
+
+**Important**
+
+If your environment uses a proxy server or Azure Arc Gateway, modify the `az connectedk8s connect` command with your proxy information:
+
+   1. Follow the instructions in either **[Connect using an outbound proxy server](/azure/azure-arc/kubernetes/quickstart-connect-cluster)** or **[Onboard Kubernetes clusters to Azure Arc with Azure Arc Gateway](/azure/azure-arc/kubernetes/arc-gateway-simplify-networking)**.
+   1. Add `169.254.169.254` to the `--proxy-skip-range` parameter of the `az connectedk8s connect` command. **[Azure Device Registry](/editor/meenag16/azure-docs-pr/articles%2Fiot-operations%2Fdeploy-iot-ops%2Fhowto-prepare-cluster.md/docs-editor%2Foverview-iot-operations-1748623408/discover-manage-assets/overview-manage-assets.md)** uses this local endpoint to get access tokens for authorization.
+      
+Azure IoT Operations doesn't support proxy servers that require a trusted certificate.
+
+1. Get the cluster's issuer URL.
+
+
+```azurecli
+az connectedk8s show --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME> --query oidcIssuerProfile.issuerUrl --output tsv
+```
+
+Save the output of this command to use in the next steps.
+
+1. SSH to a TKGm management cluster. Edit the custom resource for the workload cluster with the issuer URL from the previous step.
+
+
+```azurecli
+kubectl edit cluster <WORKLOAD_CLUSTER_NAME> 
+```
+
+1. Add the following content to the `config.yaml` file, replacing the <OIDC_ISSUER_URL> placeholder with your cluster's issuer URL.
+
+
+```yaml
+- name: apiServerExtraArgs
+  value: {"service-account-issuer":"<OIDC_ISSUER_URL>"}
+```
+
+1. Use the [az connectedk8s enable-features](/cli/azure/connectedk8s) command to enable the custom location feature on your Arc cluster. This command uses the OBJECT_ID environment variable saved from the previous step to set the value for the custom-locations-oid parameter. Run this command on the machine where you deployed the Kubernetes cluster:
+
+Azure CLIEdit development language
+
+
+```azurecli
+az connectedk8s enable-features -n <CLUSTER_NAME> -g <RESOURCE_GROUP> --custom-locations-oid $OBJECT_ID --features cluster-connect custom-locations
+```
+
+### Update Pod Security Admission Settings
+
+Before deploying Azure IoT Operations, you will need to update the Pod Security Admission settings on your TKGm cluster. Applying this file will pre-create namespace labels and set pod security to `privileged`.
+
+
+```azurecli
+kubectl apply -f <link to repo>
+```
 
-## Advanced configuration
+## Advanced Configuration
 
 At this point, when you have an Azure Arc-enabled Kubernetes cluster but before you deploy Azure IoT Operations to it, you might want to configure your cluster for advanced scenarios.