Edit me

Introduction

vSphere credentials can be protected from being exposed as clear text by using Kubernetes secrets instead of plain-text usernames and passwords in your vsphere.conf.

Config file changes

Create a vsphere.conf file with secret-name and secret-namespace defined instead of username and password as is detailed here.

[Global]
secret-name = "vcconf"
secret-namespace = "kube-system"
port = "443"
insecure-flag = "1"

[VirtualCenter "10.0.1.200"]
datacenters = "DC-1"

[Workspace]
server = "10.0.1.200"
datacenter = "DC-1"
default-datastore = "vsanDatastore"
resourcepool-path = "ClusterNameHere/Resources"
folder = "kubernetes"

[Disk]
scsicontrollertype = pvscsi

Encode the username and password

Launch the Kubernetes cluster with vSphere Cloud Provider configured as above.

Create base64 encoded strings for the username and password:

$ echo -n 'Administrator@vsphere.local' | base64
QWRtaW5pc3RyYXRvckB2c3BoZXJlLmxvY2Fs

$ echo -n 'password' | base64
cGFzc3dvcmQ=

Create a K8s secret

Next, create a Kubernetes secret with the base64 encoded vCenter credentials.

Create a credentials.yaml as shown below - replacing your vCenter IP address and base64 strings from above, as appropriate. In the below example, the secret name is vcconf and matches what we put in the secret-name section of vsphere.conf file above.

apiVersion: v1
kind: Secret
metadata:
 name: vcconf
type: Opaque
data:
   10.0.1.200.username: QWRtaW5pc3RyYXRvckB2c3BoZXJlLmxvY2Fs
   10.0.1.200.password: cGFzc3dvcmQ=

Import the secret definition into Kubernetes (note, we are importing into the kube-system namespace, which must match the secret-namespace section in the vsphere.conf file from above):

kubectl create -f credentials.yaml --namespace=kube-system

The vSphere Cloud Provider will authenticate with the vCenter using the Kubernetes managed secret.

Using SAML auth

Note: vSphere credentials can also be encrypted using SAML token authentication, Please refer documentation for SAML token authentication using vCenter SSO API.