Non-Interactive Logins to vSphere 7 with Tanzu Clusters

December 1, 2020 By Eric Shanks

You’ve deployed your first Tanzu Kubernetes Grid clusters in vSphere 7 and are beyond the learning phase. You’re now ready to start automating your Kubernetes cluster builds and application deployments.

Typically you’d log in to your TKG clusters through the kubectl CLI with a command like:

kubectl vsphere login ...

Normally, you’d be right, but that command requires an interactive login: it stops at a second prompt and waits for you to enter a password. The current version of the vSphere plugin doesn’t have an option for non-interactive logins, so we need to get creative until this feature is added.

First, take a look at an existing KUBECONFIG file that was created for you when you ran the kubectl vsphere login ... command as described in the previous post. This KUBECONFIG file is most likely stored in a hidden directory named .kube within your user profile. The default file is named config, but you can change this by setting your own environment variable named $KUBECONFIG.

Below, I’ve run my login so you can see it. Note the interactive login where I was prompted for a password.

After that, I was able to look at my KUBECONFIG, which was the default seen below.

If we take a look at that config file, we see that we’ve got our supervisor cluster configuration information listed here: the name, IP addresses, certificates, etc. The only real problem here is the token. The JWT token expires every 10 hours by default. This means that this KUBECONFIG file is going to be useless in 10 hours.

Luckily, we can still get a new token without using the kubectl vsphere login ... process. We can call the API directly by using a simple curl command.

In the command below, you’ll want to enter your own username/password and supervisor cluster URL. For the command to run you’ll also need to have curl and jq installed.

curl -XPOST -u administrator@vsphere.local:'PASSWORD' https://sup.hollow.local/wcp/login -H "Content-Type: application/json" | jq -r .session_id

With your new token, you can either paste it into your existing kubeconfig file and use it for another 10 hours, or you can pass it with the --token flag on your Kubernetes commands, as seen below.

kubectl get nodes --token=$(curl -XPOST -u administrator@vsphere.local:'PASSWORD' https://sup.hollow.local/wcp/login -k -H "Content-Type: application/json" | jq -r .session_id)
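Because the token is a JWT with a limited lifetime, automation can read its expiry and call /wcp/login again only when the cached token is about to run out. The following is an added example, not code from the original post: it assumes the token carries a standard exp claim, and WCP_HOST, WCP_USER, WCP_PASS, WCP_CA and TOKEN_FILE are variable names made up for this sketch.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. WCP_HOST, WCP_USER, WCP_PASS,
# WCP_CA and TOKEN_FILE are assumed variable names chosen for this sketch.

# Print seconds until the JWT in $1 expires (negative once expired).
# $2 optionally overrides "now" (epoch seconds). Returns 1 if no exp claim.
jwt_seconds_left() {
  local payload exp now
  # The claims are the second dot-separated field, base64url-encoded.
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url drops the '=' padding; restore it before decoding.
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  exp=$(printf '%s' "$payload" | base64 -d 2>/dev/null |
        sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p')
  [ -n "$exp" ] || return 1
  now=${2:-$(date +%s)}
  echo $(( exp - now ))
}

# POST to /wcp/login as in the post. The credentials reach curl as a config
# line on stdin (-K -), so they stay out of the process list, and TLS is
# verified against WCP_CA rather than skipped with -k. A password containing
# '"' or '\' must be backslash-escaped for curl's config syntax.
fetch_token() (
  set -o pipefail
  printf 'user = "%s:%s"\n' "$WCP_USER" "$WCP_PASS" |
    curl -sS --fail -K - -XPOST --cacert "$WCP_CA" \
      -H "Content-Type: application/json" \
      "https://${WCP_HOST}/wcp/login" | jq -e -r .session_id
)

# Print a usable token, logging in again only when the cached one has
# fewer than $1 seconds (default 300) left.
get_token() {
  local tok left
  tok=$(cat "$TOKEN_FILE" 2>/dev/null) || tok=""
  if left=$(jwt_seconds_left "$tok") && [ "$left" -gt "${1:-300}" ]; then
    printf '%s\n' "$tok"; return 0
  fi
  tok=$(fetch_token) || return 1
  ( umask 077; printf '%s\n' "$tok" > "$TOKEN_FILE" )   # owner-only cache
  printf '%s\n' "$tok"
}

# Usage: kubectl get nodes --token="$(get_token)"
```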

One other thing to mention: if you need to do a similar task for your TKG workload clusters, you can also add the following to your curl command.

-d '{"guest_cluster_name":"myguestcluster"}'

The full code being:

curl -XPOST -u administrator@vsphere.local:'PASSWORD' https://sup.hollow.local/wcp/login -k -d '{"guest_cluster_name":"myguestcluster"}' -H "Content-Type: application/json"

Summary

I imagine this post won’t be needed very long since the vSphere plugin will likely have non-interactive logins in the future, but until then you can query the Kubernetes API directly to obtain a new token for your automation needs. I should also mention that it’s possible to create a new KUBECONFIG file for a Kubernetes Service Account if you don’t care about your JWT token expiring.