
Quick Tip - Using VCF CLI to login to vSphere Supervisor when configured with VCF Automation

12.05.2025 by William Lam // 1 Comment

When a vSphere Supervisor Cluster is configured to be consumed by VCF Automation, the Identity Provider (IdP) for that vSphere Supervisor is automatically configured to redirect to VCF Automation (VCFA) as an OIDC relay.


When an end user wishes to access or manage their resources, they will be directed to the IdP that has been configured for their Organization Portal. To create a k8s login context, they will need to create a VCFA API token that is then passed to the VCF CLI before they can interact with their resources using kubectl.

Below is an example VCF CLI command where I log into an Organization Portal called legal, specifying my VCFA endpoint along with the VCFA API token to log in as an end user.

vcf context create legal --endpoint auto01.vcf.lab --api-token $VCF_CLI_VCFA_API_TOKEN --insecure-skip-tls-verify --type cci --tenant-name legal

However, if you are an administrator who is managing the underlying VCF Infrastructure and need to troubleshoot or access the vSphere Supervisor Cluster, an alternative workflow will be required.

vSphere SSO Login Workflow

We still need to create a k8s login context, but instead of specifying the VCFA endpoint, we now provide the vSphere Supervisor Control Plane endpoint and set --auth-type to "basic". This allows us to authenticate using a user from vCenter SSO (e.g. the administrator user in the command below).

vcf context create sv01 --endpoint=sv01.vcf.lab --username administrator[at]vsphere[dot]local --insecure-skip-tls-verify --auth-type basic


Note: You can store your password in the KUBECTL_VSPHERE_PASSWORD environment variable and, if it is set, VCF CLI will automatically use it for non-interactive login.

VCF SSO Login Workflow

If you have VCF SSO configured, an additional step is required: we need to grant authorization (thanks Tomas Fojta) to the VCF SSO group within the vSphere Supervisor Cluster. Otherwise you will be able to create a k8s login context, but you will not have any permissions.

Step 1 - SSH to vCenter Server Appliance (VCSA) managing the vSphere Supervisor Cluster

Step 2 - Run the following command to retrieve the root password for the vSphere Supervisor Cluster Control Plane VM

/usr/lib/vmware-wcp/decryptK8Pwd.py

Then SSH to the IP address as the root user, using the password provided by the previous command.

Step 3 - We need to create a ClusterRoleBinding to authorize our VCF SSO group. To do so, create a YAML file (vcf-admins-rb.yaml) with the following content, replacing the Group name with your VCF SSO group (vcf-admins[at]vcf[dot]lab).

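apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vcfa-admin-rolebinding
subjects:
# Replace the name with your VCF SSO group
- kind: Group
  name: vcf-admins[at]vcf[dot]lab
  apiGroup: rbac.authorization.k8s.io
roleRef:
  # cluster-admin gives every member of the group full control of the cluster
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io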

Apply the configuration by running the following command:

kubectl apply -f vcf-admins-rb.yaml

Step 4 - Create a k8s login context using the vSphere Supervisor Control Plane endpoint and a VCF SSO user (which should be part of the VCF SSO group), this time with --type k8s. This should open a browser and redirect to the VCFA login screen, which will ask for the VCFA Organization. Enter SYSTEM and you should then be taken to your external IdP for authentication. If you have already logged in, it should automatically redirect back to the terminal after a successful authentication.

vcf context create sv01 --endpoint=sv01.vcf.lab --username *protected email* --insecure-skip-tls-verify --type k8s

At this point, you are authenticated with VCF SSO via your external IdP and you should be able to access the vSphere Supervisor Cluster, similar to the previous workflow, which uses vSphere SSO rather than VCF SSO for authentication.
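Step 3 binds cluster-admin to an entire group, so it is worth checking which subjects hold that role on the Supervisor. The following is an added example, not code from the original post: a Python script that reads the output of `kubectl get clusterrolebindings -o json` saved to a file and lists every subject bound to cluster-admin. The sample data, the function names and the approved-group list are assumptions made for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# The first item mirrors Step 3; the last two are made up for illustration.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "vcfa-admin-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "vcf-admins[at]vcf[dot]lab"}]},
    {"metadata": {"name": "cluster-admin"},  # Kubernetes default binding
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "example-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "example-user"}]},
    {"metadata": {"name": "example-empty"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": None},
]})


def role_subjects(doc, role="cluster-admin"):
    """Return (binding, kind, name) for every subject bound to ClusterRole `role`."""
    found = []
    for item in doc.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # A binding can exist with no subjects; the field is then absent or null.
        for subj in item.get("subjects") or []:
            name = subj.get("name", "")
            if subj.get("kind") == "ServiceAccount":
                name = f"{subj.get('namespace', '')}/{name}"
            found.append((item["metadata"]["name"], subj.get("kind"), name))
    return found


def unapproved_groups(found, approved):
    """Group subjects holding the role that are not on the approved list."""
    return [f for f in found if f[1] == "Group" and f[2] not in approved]


if __name__ == "__main__":
    # Usage: python3 audit.py bindings.json   (no argument: use the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else json.loads(SAMPLE)
    found = role_subjects(doc)
    for binding, kind, name in found:
        print(f"{binding}: {kind} {name}")
    # Assumed approved list; exit non-zero if any other group holds the role.
    approved = {"system:masters", "vcf-admins[at]vcf[dot]lab"}
    sys.exit(1 if unapproved_groups(found, approved) else 0)
```
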

Categories // VCF Automation, VMware Cloud Foundation, vSphere Kubernetes Service, vSphere Supervisor Tags // VCF 9.0

Comments

  1. Sehenswürdigkeiten in Bayern says

    12/06/2025 at 4:26 am

    I'm so glad I took the time to read through this entire post! Your insights are really valuable, and I appreciate how you balanced personal experience with broader research and data. The way you acknowledged different viewpoints while still sharing your own perspective felt very balanced and fair. I'm definitely going to be thinking about this for a while, and I've already started implementing some of your suggestions. Thanks for such a thought-provoking read!


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
