
oci-cli generated .kube/config against OKE causes kubectl to hang if session expired or auth misconfigured

Open stuartberry-oracle opened this issue 1 year ago • 3 comments

.kube/config generated using the oci-cli against OKE includes an oci cli command to authenticate e.g.

- name: user-abc123
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: oci
      args:
      - ce
      - cluster
      - generate-token
      - --cluster-id
      - ocid1.cluster.oc1.uk-london-1.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - --region
      - uk-london-1
      env: []

The oci ce command prompts for user input if the oci config is wrong or the session key has expired. This causes kubectl to hang permanently, and there is no feedback to the user on what is wrong.

kubectl should exit with an error in this situation. One option is to:

  • introduce a flag or environment variable which causes oci to exit 1 instead of prompting for user input (e.g. --no-prompt)
  • change the .kube/config command generated by oci cli to use the new flag/env-var

The --no-prompt flag would be useful for automation other than kubectl. oci shouldn't assume there is a user available for inputting values.

Examples of the kubectl hang

bash-4.2$ rm ~/.oci/config 
bash-4.2$ kubectl get ns
                                                   <<<< hangs 
bash-4.2$ oci os ns get | cat
ERROR: This CLI session has expired, so it cannot currently be used to run commands
Do you want to re-authenticate your CLI session profile? [Y/n]: n
bash-4.2$ kubectl get ns
                                               << hangs 

stuartberry-oracle avatar Dec 07 '23 14:12 stuartberry-oracle

Have you tried with --force option?

karthik-k-kamath avatar Dec 11 '23 10:12 karthik-k-kamath

[bash ~]$ OCI_CLI_AUTH=security_token oci os ns get 
ERROR: This CLI session has expired, so it cannot currently be used to run commands
Do you want to re-authenticate your CLI session profile? [Y/n]: ^CAbort: 

[bash ~]$ OCI_CLI_AUTH=security_token oci os ns get --force
Usage: oci os ns get [OPTIONS]

Error: no such option: --force

[bash ~]$ oci --version
3.23.2

This is using the latest oci cli in yum for OL8

stuartberry-oracle avatar Dec 11 '23 10:12 stuartberry-oracle

There is no force option, also in the latest release. As this blocks the kubectl command, it would be great if it could be enforced, possibly also with an environment variable (OCI_CLI_AUTH_CONFIRM_REAUTH=true or alike?).

shell$ oci -version
3.37.11

shell$ oci session refresh --force

Error: No such option: --force

For OCI CLI commands and parameters suggestion, auto completion and other useful features, try the Interactive mode by typing `oci -i`.
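
Added example, not part of the thread and not OCI CLI code: a wrapper that a kubeconfig `exec.command` entry could call in place of `oci`, so that a credential helper which stops to prompt ends with an error instead of hanging kubectl. The names `run_noninteractive` and `HELPER_TIMEOUT` are hypothetical, coreutils `timeout` is assumed to be installed, and whether the oci prompt aborts on end-of-file is an assumption; the timeout bounds the wait either way.

```shell
#!/bin/sh
# Wrapper for a kubectl exec credential helper (added example).
# Hypothetical names: run_noninteractive, HELPER_TIMEOUT.

# Upper bound in seconds for the helper; constructed default.
HELPER_TIMEOUT="${HELPER_TIMEOUT:-20}"

# run_noninteractive CMD [ARGS...]
#  - stdin is /dev/null, so a prompt reads end-of-file instead of
#    waiting on the terminal
#  - timeout(1) ends the helper if it still does not return
#  - stdout is forwarded only on success, so kubectl never receives a
#    partial credential; the helper's stderr reaches the user unchanged
run_noninteractive() {
    rc=0
    out=$(timeout "$HELPER_TIMEOUT" "$@" </dev/null) || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "credential helper timed out after ${HELPER_TIMEOUT}s: $1" >&2
        return 124
    elif [ "$rc" -ne 0 ]; then
        echo "credential helper failed (exit $rc): $1" >&2
        echo "check the CLI config and session, then retry" >&2
        return "$rc"
    fi
    printf '%s\n' "$out"
}

# When invoked with arguments, act as the exec plugin itself, e.g.
#   command: /path/to/this-wrapper.sh        (path is a placeholder)
#   args: [oci, ce, cluster, generate-token, --cluster-id, ..., --region, ...]
if [ "$#" -gt 0 ]; then
    run_noninteractive "$@"
fi
```

A non-zero exit from the exec plugin makes kubectl report the failure, which gives the feedback the first post asks for.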