Enhanced OpenShift CLI: Quick Start

The enhanced OpenShift CLI can help you manage a large amount of OpenShift clusters securely and efficiently. It is an open source project I created on GitHub.

As the second post of enhanced oc series, in this post, I will share with you how to install the enhanced oc and demonstrate some of cool features it provides.

Install Enhanced OpenShift CLI

The enhanced OpenShift CLI has some dependencies before it can work. So, when you start to install it, please make sure the following prerequisites are installed:

  • gpg: for data encryption and decryption
  • git: for encrypted data storing and sharing
  • gopass: run on top of gpg and git for secret data management
  • oc: the original OpenShift CLI for cluster manipulation

To install git and gpg, run one of below commands that depends on which OS you use:

# MacOS
$ brew install gnupg2 git
# RHEL & CentOS
$ brew install gnupg2 git
# Ubuntu & Debian
$ apt-get install gnupg2 git

To install gopass, it is recommended to go to the GitHub repository releases page and download the latest version with appropriate distribution. As an example, download the darwin or linux package for MacOS or Linux, extract the package and find the gopass executable, put it somewhere that can be reached via $PATH, then you are done.

To install oc, please refer to the OpenShift documentation.

After you get all the prerequisites installed, please download the enhanced oc shell script from GitHub:

$ curl -OL https://raw.githubusercontent.com/morningspace/oc/master/oc.sh

Add the below line to your .bashrc if you use Bash or whatever initialization file is used by your shell:

[[ -f /path/to/oc.sh ]] && source /path/to/oc.sh

Then open a new terminal and run oc to verify the installation. If everything works as expected, you should see a notice started with "An Enhanced Version of OpenShift Client" at the head of the normal oc help information.

Setup Environment

gopass depends on gpg for encryption and decryption. Before you start to use the enhanced oc, you must generate a private and public key pair at first:

$ gpg --full-generate-key

Choose RSA and RSA as key type, keysize to be 2048, key does not expire, input your user name as real name, email address, and passphrase.

You should also add the following line to your .bashrc if you use Bash or whatever initialization file is used by your shell:

export GPG_TTY=$(tty)

Then init the secret store:

$ gopass init

Choose the private key you created above for encrypting secrets, enter your email address for git config.

Now you can run the enhanced oc.

Login cluster for the first time

To login to a cluster for the first time:

$ oc login

You will be prompted for the URL of the server that you are about to access, the name and password of the login user. These are all features supported by the original oc. After that, it will ask you to enter an additional field called context alias. It is the shorthand of the full context name that represents which cluster you are accessing to and which user account you are using to access this cluster. You will see how the context alias can be used to efficiently manage multiple clusters access later in this post. Here is an example:

$ oc login
Server [https://localhost:8443]: https://api.cluster-foo.example.com:6443
Username [kubeadmin]:
Context alias [api-cluster-foo-example-com-6443]: cluster-foo
Login successful.
You have access to 59 projects, the list has been suppressed. You can list all projects with 'oc projects'Using project "default".
Save context 'cluster-foo' into secret store...
Context saved successfully.

Of course just as the original oc supports, you can specify all the information as the command line arguments when you run oc login. However, to avoid the unexpected exposure of your login information in the command history, the list of previously used commands in the terminal, it is not recommended to specify the information such as user password as command argument of oc login.

Login cluster using context alias

When the login session to a cluster is expired, you have to re-run oc login to login to the cluster again. But different from the original oc, you don't have to provide all the information that has already been input the first time you run oc login to access this cluster. This time the only thing needed is the context alias:

$ oc login -c cluster-foo
Read context 'cluster-foo' from secret store...
Context loaded successfully.
Login successful.
You have access to 59 projects, the list has been suppressed. You can list all projects with 'oc projects'Using project "default".

This is because all the information you previously input for this cluster has been saved in gopass secret store with a context alias pointing to it. So, you just specify the context alias, and the enhanced oc will load all the necessary information by the context alias in order to login the cluster.


In this post, you have learned how to install the enhanced OpenShift CLI and its prerequisites, how to setup the environment, and how to login to a cluster quickly by specifying an alias after you have all the access information for this cluster saved in the secret store.

In next post, I will share with you more interesting features that enhanced oc provides.

The enhanced OpenShift CLI is an open source project I created on GitHub. If you like it, you can consider to give star to it. You can also learn more on this project by reading its online documents. Any contributions such as bug report and code submission are very welcome.

Life is coding and writing! I am a software engineer who have been in IT field for 10+ years. I would love to write beautiful code and story for people.