I am concerned as well about the security of the mechanism rancher uses to pass the vsphere credentials to the downstream rke2 cluster. Installing vsphere cpi/csi on the downstream cluster after the fact seems to provide more control over how credentials are transferred and managed.