Update vSphere credentials
EKS Anywhere does not currently support updating the vSphere credentials used by EKS Anywhere when upgrading clusters with the eksctl anywhere upgrade
command.
It is recommended to use the script maintained with EKS Anywhere to update your vSphere credentials, which automates the steps covered in the Update vSphere credentials manually section.
Update vSphere credentials with script
You can update all vSphere credentials in related Secret objects used by EKS Anywhere with the vSphere credential update script in EKS Anywhere GitHub repository. The following steps should be run from your admin machine or the local machine where you host the kubeconfig file for your EKS Anywhere management or standalone cluster.
- Set environment variables on your local machine
- Set the
KUBECONFIG
environment variable on your local machine to the kubeconfig file for your EKS Anywhere management or standalone cluster. For examplemgmt/mgmt-eks-a-cluster.kubeconfig
. - Set the
EKSA_VSPHERE_USERNAME
andEKSA_VSPHERE_PASSWORD
environment variables on your local machine with the new vSphere credentials.
export KUBECONFIG='<your-kubeconfig-file>'
export EKSA_VSPHERE_USERNAME='<your-vsphere-username>'
export EKSA_VSPHERE_PASSWORD='<your-vsphere-password>'
- Download the script to your local machine
curl -OL https://raw.githubusercontent.com/aws/eks-anywhere/refs/heads/main/scripts/update_vsphere_credential.sh
- Run the script from your local machine
- Replace
CLUSTER_NAME
with the name of your EKS Anywhere cluster andVSPHERE_SERVER_NAME
with the name of the vSphere server.
./update_vsphere_credential.sh CLUSTER_NAME VSPHERE_SERVER_NAME
NOTE: If you are using the vSphere CSI in your cluster, you must manually update the vSphere password in the
{CLUSTER_NAME}-csi-vsphere-config
Secret under theeksa-system
namespace. If the annotationkubectl.kubernetes.io/last-applied-configuration
exists on the secret object, update password in thekubectl.kubernetes.io/last-applied-configuration
field.
Update vSphere credentials manually
Follow the steps below to manually update the vSphere credentials used by EKS Anywhere.
- Update
EKSA_VSPHERE_PASSWORD
environment variable to the new password and get the base64 encoded string of the password usingecho -n "<YOUR_PASSWORD>" | base64
- Update the following secrets in your vSphere cluster using
kubectl edit
command:{CLUSTER_NAME}-vsphere-credentials
undereksa-system
namespace - Updatepassword
field under data.{CLUSTER_NAME}-cloud-provider-vsphere-credentials
undereksa-system
namespace - Decode the string under data, in the decoded string (which is the template for Secret objectcloud-provider-vsphere-credential
underkube-system
namespace), update the{CLUSTER_NAME}.password
with the base64 encoding of new password, then encode the string and update data field with the encoded string.vsphere-credentials
undereksa-system
namespace - Updatepassword
,passwordCP
,passwordCSI
field under data.- If annotation
kubectl.kubernetes.io/last-applied-configuration
exists on any of the above Secret object, update password inkubectl.kubernetes.io/last-applied-configuration
field. {CLUSTER_NAME}-csi-vsphere-config
undereksa-system
namespace - If annotationkubectl.kubernetes.io/last-applied-configuration
exists on the secret object, update password inkubectl.kubernetes.io/last-applied-configuration
field.