Posts Tagged: PowerShell

“Preparing Windows for VCF CLI and Kubectl”

Who this is for

Windows-based vSphere/VCF administrators or Platform Engineers who want to use VMware Cloud Foundation (VCF) CLI and Kubernetes tools on a Windows machine.

This guide walks through setting up a Windows admin workstation with all necessary tooling for managing vSphere Kubernetes Service (VKS) on VCF (9).

What you’ll set up

  1. Install prerequisites (.NET 4.8 for the VCF CLI).
  2. Install PowerShell tooling: Chocolatey, VCF CLI, kubectl, etc.
  3. Enable auto-completion and aliases for CLI commands.
  4. (Optional) Install helpers like PSKubeContext and k9s.
  5. Verify your environment is ready for VCF and Kubernetes commands.

1) Install .NET 4.8 (required for VCF CLI)

Open PowerShell as Administrator and run:

$DownloadUrl = "https://go.microsoft.com/fwlink/?linkid=2088631"  # .NET 4.8 installer
$OutputFile = "C:\ndp48-x86-x64-allos-enu.exe"
Invoke-WebRequest -Uri $DownloadUrl -OutFile $OutputFile -UseBasicParsing -ErrorAction Stop
Start-Process -FilePath $OutputFile -ArgumentList "/quiet","/norestart" -Wait

 • Installs silently in the background.
 • Once complete, reboot your machine (required for .NET to finalize).

2) Prepare PowerShell & Chocolatey

After reboot, open PowerShell (Administrator) again.

Create a PowerShell profile (Skip if you got one or we will overwrite yours)

New-Item -ItemType File -Path $PROFILE -Force

This creates (or resets) your PowerShell profile (where aliases & completions live).

Install Chocolatey (Windows package manager)

Set-ExecutionPolicy Bypass -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

• If PATH isn’t updated immediately, restart PowerShell.

3) Install VCF CLI and kubectl

VCF CLI via Chocolatey

choco install vcf-cli -y

Manual installation (if Chocolatey package unavailable)

$vcfRoot = "C:\Program Files\VCF\"
$vcfVersion = "v9.0.0"
$arch = "amd64"
$url = "https://packages.broadcom.com/artifactory/vcf-distro/vcf-cli/windows/$arch/$vcfVersion/vcf-cli.zip"

if (Test-Path $vcfRoot) { Remove-Item -Recurse -Force $vcfRoot }
$tmp = Join-Path $env:TEMP 'vcf-bootstrap'
if (Test-Path $tmp) { Remove-Item -Recurse -Force $tmp }
New-Item -ItemType Directory -Path $tmp | Out-Null

$zip = Join-Path $tmp 'vcf-cli.zip'
Invoke-WebRequest $url -OutFile $zip -UseBasicParsing
Expand-Archive $zip -DestinationPath $tmp -Force

New-Item -ItemType Directory -Path $vcfRoot -Force | Out-Null
Copy-Item (Join-Path $tmp 'vcf-cli-windows_amd64.exe') -Destination (Join-Path $vcfRoot 'vcf.exe') -Force

$currentPath = [Environment]::GetEnvironmentVariable('Path','Machine')
if ($currentPath -notlike "*$vcfRoot*") {
    [Environment]::SetEnvironmentVariable('Path', "$currentPath;$vcfRoot", 'Machine')
}
Remove-Item -Recurse -Force $tmp
Write-Host "VCF CLI installed to $vcfRoot. Restart PowerShell or run 'refreshenv'."

Install kubectl

choco install kubernetes-cli -y

Check with:

kubectl version --client

Optional tools

choco install k9s -y      # Kubernetes TUI
choco install vscode -y   # VS Code for YAML editing

4) Enhance PowerShell with Auto-Completion & Aliases

Install PSReadLine

Install-Module -Name PSReadLine -Force -SkipPublisherCheck

Enable VCF CLI completion

vcf completion powershell | Out-String | Invoke-Expression
vcf completion powershell | Out-File -Append -Encoding ascii $PROFILE

Enable kubectl alias (k) + completion

Set-Alias -Name k -Value kubectl -Option AllScope

$kubeComp = kubectl completion powershell | Out-String
$kubeComp = $kubeComp -replace "CommandName 'kubectl'", "CommandName @('kubectl','k')"
Invoke-Expression $kubeComp

$marker = '# >>> kubectl-alias-and-completion'
$profilePath = $PROFILE

if (-not (Select-String -Path $profilePath -SimpleMatch $marker)) {
    $persistBlock = @"
$marker
Import-Module PSReadLine
Set-Alias -Name k -Value kubectl -Option AllScope
$($kubeComp.TrimEnd())
# <<< kubectl-alias-and-completion
"@
    Add-Content -Path $profilePath -Value $persistBlock
}

Optional: PSKubeContext (kubectx/kubens equivalents)

Install-Module -Name PSKubeContext -Scope CurrentUser -Force

Add to profile

kubectx/kubens shortcuts and completion

Import-Module PSKubeContext
Set-Alias kubens  Select-KubeNamespace
Set-Alias kns     Select-KubeNamespace
Set-Alias kubectx Select-KubeContext
Set-Alias kctx    Select-KubeContext
Register-PSKubeContextComplete

Reload profile:

. $PROFILE

5) Verify Your Environment

VCF CLI

vcf --help

Try tab completion: vcf context

kubectl & alias

kubectl version --client
k version --client

Try:

k get <Tab><Tab>
kubectx -h
kubens -h

Test k9s

k9s

(Will show UI if a kubeconfig context is configured.)

Lazy VCF Token Refresh

If you use many VKS supervisors, your access tokens expire quickly and you end up logging in to every cluster again. The VCF CLI can handle this for you. The following PowerShell script walks through every saved context and refreshes the tokens automatically.

<#
.SYNOPSIS
  Refresh (and if needed re-auth) all VCF CLI contexts non-interactively.

.NOTES
  - No TMC special-casing here; treats all contexts the same.
  - Fixes the bug where $Args conflicted with PowerShell’s automatic $args.

.PARAMETER Password
  SecureString password for this run (no storage).

.PARAMETER PromptForPassword
  Prompt for the password securely (no storage).

.PARAMETER SaveCredential
  Prompt once and save password securely for reuse (DPAPI file; Credential Manager if available).

.PARAMETER UseSavedCredential
  Load previously saved password (DPAPI file or Credential Manager).

.PARAMETER ClearCredential
  Remove any stored credential and exit.

.PARAMETER CredTarget
  Name for the stored credential (if Credential Manager is used). Default: VCF-SSO.
#>

[CmdletBinding()]
param(
  [Parameter(ParameterSetName='Direct', Mandatory=$false)]
  [SecureString]$Password,

  [Parameter(ParameterSetName='Prompt', Mandatory=$true)]
  [switch]$PromptForPassword,

  [Parameter(Mandatory=$false)]
  [switch]$SaveCredential,

  [Parameter(Mandatory=$false)]
  [switch]$UseSavedCredential,

  [Parameter(Mandatory=$false)]
  [switch]$ClearCredential,

  [Parameter(Mandatory=$false)]
  [string]$CredTarget = 'VCF-SSO'
)

# ---------- Secure storage (DPAPI; optional Windows Credential Manager) ----------
$AppDir   = Join-Path $env:APPDATA 'VcfCli'
$CredFile = Join-Path $AppDir 'vcf_sso_cred.xml'

function ConvertTo-PlainText([SecureString]$Secure) {
  if (-not $Secure) { return $null }
  $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
  try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
  finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Save-Password([SecureString]$Secure, [string]$Target) {
  if (-not (Test-Path $AppDir)) { [void](New-Item -Type Directory -Path $AppDir -Force) }
  $cred = New-Object System.Management.Automation.PSCredential ('vcf', $Secure)
  $cred | Export-Clixml -Path $CredFile

  $cm = Get-Module -ListAvailable -Name CredentialManager | Select-Object -First 1
  if ($cm) {
    try {
      Import-Module CredentialManager -ErrorAction Stop | Out-Null
      $plain = ConvertTo-PlainText $Secure
      if ($plain) { New-StoredCredential -Target $Target -UserName 'vcf' -Password $plain -Persist LocalMachine | Out-Null }
    } catch { }
  }
}

function Load-Password([string]$Target) {
  $cm = Get-Module -ListAvailable -Name CredentialManager | Select-Object -First 1
  if ($cm) {
    try {
      Import-Module CredentialManager -ErrorAction Stop | Out-Null
      $stored = Get-StoredCredential -Target $Target
      if ($stored -and $stored.Password) { return ($stored.Password | ConvertTo-SecureString -AsPlainText -Force) }
    } catch { }
  }
  if (Test-Path $CredFile) {
    try {
      $cred = Import-Clixml -Path $CredFile
      if ($cred -and $cred.Password) { return $cred.Password }
    } catch { }
  }
  return $null
}

function Clear-Password([string]$Target) {
  if (Test-Path $CredFile) { Remove-Item $CredFile -Force -ErrorAction SilentlyContinue }
  $cm = Get-Module -ListAvailable -Name CredentialManager | Select-Object -First 1
  if ($cm) {
    try {
      Import-Module CredentialManager -ErrorAction Stop | Out-Null
      Remove-StoredCredential -Target $Target -ErrorAction SilentlyContinue
    } catch { }
  }
}

if ($ClearCredential) {
  Clear-Password -Target $CredTarget
  Write-Host "Stored credential cleared." -ForegroundColor Yellow
  return
}

# ---------- Determine password ----------
$SecurePwd = $null
switch ($PSCmdlet.ParameterSetName) {
  'Prompt' { $SecurePwd = Read-Host 'Enter VCF password' -AsSecureString }
  'Direct' { $SecurePwd = $Password }
  default {
    if ($UseSavedCredential) {
      $SecurePwd = Load-Password -Target $CredTarget
      if (-not $SecurePwd) { throw "No saved credential found. Run with -SaveCredential or -PromptForPassword." }
    } elseif ($SaveCredential) {
      $SecurePwd = Read-Host 'Enter VCF password to save (hidden)' -AsSecureString
      Save-Password -Secure $SecurePwd -Target $CredTarget
      Write-Host "Credential saved securely." -ForegroundColor Green
    } else {
      $SecurePwd = Load-Password -Target $CredTarget
      if (-not $SecurePwd) { $SecurePwd = Read-Host 'Enter VCF password (not stored)' -AsSecureString }
    }
  }
}
$PlainPwd = ConvertTo-PlainText $SecurePwd
if (-not $PlainPwd) { throw "No password available." }

# ---------- CLI wrapper (avoid $args conflict; support PS5/PS7) ----------
function Invoke-Vcf {
  param([string[]]$ArgList)
  # Prefer native invocation with array splatting (PS7+). For PS5, fall back to cmd.exe
  if ($PSVersionTable.PSVersion.Major -ge 7) {
    $out = & vcf @ArgList 2>&1
  } else {
    $quoted = $ArgList | ForEach-Object { if ($_ -match '[s"]') { '"' + ($_ -replace '"','"') + '"' } else { $_ } }
    $cmd = 'vcf ' + ($quoted -join ' ')
    $out = & cmd /c $cmd 2>&1
  }
  $code = if ($LASTEXITCODE -ne $null) { $LASTEXITCODE } else { 0 }
  [pscustomobject]@{ ExitCode = $code; Output = ($out -join "`n") }
}

function Get-VcfContexts {
  # Primary attempt
  $res = Invoke-Vcf @('context','list')
  if ($res.ExitCode -ne 0) { throw "Failed to list contexts:`n$($res.Output)" }

  # If we somehow got top-level help, don’t parse it as contexts.
  if ($res.Output -match 'Usage:s+vcfb' -or $res.Output -match 'Available command groups:') {
    throw "CLI returned help text instead of contexts. Ensure 'vcf context list' works in this shell."
  }

  $names = @()
  foreach ($line in ($res.Output -split "`n")) {
    if ($line -match '^s*$' -or $line -match '^s*(NAME|CURRENT|-+)b') { continue }
    # Extract the first token (context name), but only if it looks like a context (lowercase/colon/digit/._-)
    if ($line -match '^s*(?<name>[a-z0-9][a-z0-9._:-]*)b') {
      $n = $Matches['name']
      if ($n -ne 'vcf' -and $n -ne 'usage') { $names += $n }
    }
  }
  $names = $names | Sort-Object -Unique
  if (-not $names) { throw "No contexts parsed from 'vcf context list'. Raw:`n$($res.Output)" }
  return $names
}

function Try-Refresh([string]$ctx) { Invoke-Vcf @('context','refresh', $ctx) }

# ---------- Main ----------
Write-Host "Collecting contexts..." -ForegroundColor Cyan
$contexts = Get-VcfContexts
$env:VCF_CLI_VSPHERE_PASSWORD = $PlainPwd  # non-interactive auth for Supervisor/VKS

$failed = @()

try {
  Write-Host "Found contexts:" -ForegroundColor Cyan
  $contexts | ForEach-Object { Write-Host " - $_" }

  foreach ($ctx in $contexts) {
    Write-Host "`n[$ctx] Refresh..." -ForegroundColor Yellow
    $r = Try-Refresh $ctx
    if ($r.ExitCode -eq 0) {
      Write-Host "[$ctx] OK (refreshed or token still valid)." -ForegroundColor Green
      continue
    }

    Write-Warning "[$ctx] refresh failed (ExitCode=$($r.ExitCode)). Trying 'use'..."
    $u = Invoke-Vcf @('context','use', $ctx)
    if ($u.ExitCode -eq 0) {
      Write-Host "[$ctx] Re-auth via 'use' OK." -ForegroundColor Green
      $r2 = Try-Refresh $ctx
      if ($r2.ExitCode -eq 0) { Write-Host "[$ctx] Final refresh OK." -ForegroundColor Green }
    } else {
      Write-Host "[$ctx] Could not re-auth without an interactive terminal. Check endpoint trust/credentials." -ForegroundColor Red
      $failed += $ctx
    }
  }
}
finally {
  $env:VCF_CLI_VSPHERE_PASSWORD = $null
  $PlainPwd = $null
}

if ($failed.Count) {
  Write-Host "`nManual follow-up required for:" -ForegroundColor Magenta
  $failed | ForEach-Object { Write-Host " - $_" }
}
Script output with multiple contexts
More output with additional contexts
Secure password prompt in PowerShell

Why this script is handy

  • no typing for each cluster
  • enter the password once or store it securely for reuse
  • cleans up the environment after running
  • suitable for lab setups and production installations

Happy lazy logins!