Automatically Login to VKS Clusters with 1Password CLI
If you use vSphere Kubernetes Service (VKS) and the vSphere Supervisor regularly, you might be getting tired of having to re-enter your account password at the start of every day. If you’ve seen one of my previous posts about using 1Password CLI for PowerCLI, you already know where I’m going with this.
To give a quick refresher, 1Password CLI (op) is a command-line tool that allows you to programmatically read entries from your 1Password vault. Instead of a plaintext secret, you use secret references in your scripts in the form of op://<Vault Name>/<Entry Name>/password. Then op can automatically replace these references with the actual password while executing the script.
In vSphere Supervisor 9.0, you log into the supervisor control plane and your VKS clusters using the vcf CLI tool, specifically with the commands vcf context create, vcf context use, and vcf context refresh. When you create the context or refresh your login, you’ll be prompted for your password. The vcf CLI doesn’t include a way to provide this password through parameters, which is honestly for the better. However, this prevents us from using 1Password CLI in the same way as PowerCLI, where we ran Connect-ViServer by passing the results of op read directly to the -Password parameter.
All is not lost though! We can still provide the password using an environment variable. vcf CLI checks VCF_CLI_VSPHERE_PASSWORD for a vSphere password and VCF_CLI_VCFA_API_TOKEN for a VCF Automation API token. This allows us to use op run to automatically provide our password or API token to vcf CLI!
Bash Terminal
If you’re using Bash, set VCF_CLI_VSPHERE_PASSWORD as an environment variable containing the password’s secret reference. Then execute op run -- vcf context use CONTEXT-NAME:VKS-CLUSTER-NAME and it’ll automatically provide vcf CLI with your password through the environment variable. If you think you’ll be doing this quite often, you can also add the export command into your ~/.bashrc file – or its equivalent for your shell – in order to make the environment variable permanent.
# Set Environment Variable
$ export VCF_CLI_VSPHERE_PASSWORD="op://home lab/vsphere-admin/password"
# Logging into the VKS cluster through VCF CLI
$ op run -- vcf context use home-lab-ns:home-lab-cluster
[i] Reading the password from env variable
[i] Logging in to Kubernetes cluster (home-lab-cluster) (home-lab-ns)
[i] Successfully logged in to Kubernetes cluster 10.0.0.123
You have access to the following contexts:
home-lab-ns
home-lab-ns:home-lab-cluster
If the namespace context you wish to use is not in this list, you may need to
refresh the context again, or contact your cluster administrator.
To change context, use `vcf context use <context_name>`
[ok] Successful re-authentication completed for context "home-lab-ns:home-lab-cluster"
Alternatively, you can define VCF_CLI_VSPHERE_PASSWORD inline with op run. This avoids leaving the secret reference hanging around in your environment variables.
$ VCF_CLI_VSPHERE_PASSWORD="op://home lab/vsphere-admin/password" op run -- vcf context use home-lab-ns:home-lab-cluster
It might also be worth wrapping all of this into an alias – with or without the inline declaration – to save on typing out op run -- repeatedly. The same advice applies: add it to your ~/.bashrc or equivalent if you’ll be using it a lot.
$ alias vcf-op='op run -- vcf'
$ vcf-op context use home-lab-ns:home-lab-cluster
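A shell function can combine the inline declaration with the alias and also check what it is about to hand to op run. The following is an added example, not code from the original post; VCF_OP_REF, is_op_ref and vcf_op are hypothetical names chosen here, and the reference value is the one used in the examples above.

```bash
# Added example, not from the original post.
# VCF_OP_REF, is_op_ref and vcf_op are hypothetical names chosen here.

# Secret reference from the post's example. Deliberately NOT exported, so it
# never appears in the environment of unrelated child processes.
VCF_OP_REF="op://home lab/vsphere-admin/password"

# Succeeds only for values shaped like op://<vault>/<item>/<field>.
is_op_ref() {
    case "$1" in
        op://?*/?*/?*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Function replacement for the vcf-op alias.
vcf_op() {
    if ! is_op_ref "${VCF_OP_REF:-}"; then
        echo "vcf_op: VCF_OP_REF is not an op:// secret reference" >&2
        return 2
    fi
    # op run passes non-reference values through unchanged, so a plaintext
    # password exported by mistake would keep working unnoticed. Fail instead.
    if [ -n "${VCF_CLI_VSPHERE_PASSWORD:-}" ] &&
       ! is_op_ref "$VCF_CLI_VSPHERE_PASSWORD"; then
        echo "vcf_op: VCF_CLI_VSPHERE_PASSWORD holds a non-reference value; unset it" >&2
        return 3
    fi
    # Inline assignment: the reference exists only for this one op invocation.
    VCF_CLI_VSPHERE_PASSWORD="$VCF_OP_REF" op run -- vcf "$@"
}
```

Once the function is defined in ~/.bashrc, vcf_op context use home-lab-ns:home-lab-cluster behaves like the alias, except that it stops with an error if the variable already holds a literal password instead of a reference.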
PowerShell Terminal
PowerShell is pretty much the same, except inline environment variables aren’t a thing. So the only option is to fully declare VCF_CLI_VSPHERE_PASSWORD as an environment variable.
PS > $Env:VCF_CLI_VSPHERE_PASSWORD = "op://home lab/vsphere-admin/password"
PS > op run -- vcf context use home-lab-ns:home-lab-cluster
And if you want an alias for this like in Linux, where you can provide additional parameters after the alias, you’ll have to define it in a roundabout way. PowerShell only allows a one-to-one definition for Set-Alias, meaning we can create an alias with vcf-op, but it has to point to a single command. We can’t set it to a command with other parameters in it, like op run -- vcf. We will have to first define a wrapper function like Use-VcfCliWith1Password that executes op run -- vcf $args. Including the $args variable is what allows us to pass a variety of arguments into op run -- vcf.
PS > function Use-VcfCliWith1Password { op run -- vcf $args }
PS > Set-Alias -Name vcf-op -Value Use-VcfCliWith1Password
PS > vcf-op context use home-lab-ns:home-lab-cluster
And to make the environment variable and alias declarations permanent, add these commands to your PowerShell profile. The path is usually stored in the $PROFILE variable.
Now you don’t have to manually type in your password whenever you log in to your VKS cluster! And it’s certainly better than having the VKS cluster’s default kubeconfig file lying around your local filesystem.