oracle / oci-cli

Command Line Interface for Oracle Cloud Infrastructure
https://cloud.oracle.com/cloud-infrastructure

oci-cli generated .kube/config against OKE causes kubectl to hang if session expired or auth misconfigured #734

Closed stuartberry-oracle closed 1 month ago

stuartberry-oracle commented 11 months ago

.kube/config generated using the oci-cli against OKE includes an oci cli command to authenticate e.g.

- name: user-abc123
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: oci
      args:
      - ce
      - cluster
      - generate-token
      - --cluster-id
      - ocid1.cluster.oc1.uk-london-1.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
      - --region
      - uk-london-1
      env: []

The oci ce command prompts for user input if the oci config is wrong or the session key has expired. This causes kubectl to hang permanently and there is no feedback to the user on what is wrong.

kubectl should exit with an error in this situation. One option is to

The --no-prompt flag would be useful for automation other than kubectl. oci shouldn't assume there is a user available for inputting values.

Examples of the kubectl hang

bash-4.2$ rm ~/.oci/config 
bash-4.2$ kubectl get ns
                                                   <<<< hangs 
bash-4.2$ oci os ns get | cat
ERROR: This CLI session has expired, so it cannot currently be used to run commands
Do you want to re-authenticate your CLI session profile? [Y/n]: n
bash-4.2$ kubectl get ns
                                               << hangs 

karthik-k-kamath commented 10 months ago

Have you tried with --force option?

stuartberry-oracle commented 10 months ago

[bash ~]$ OCI_CLI_AUTH=security_token oci os ns get 
ERROR: This CLI session has expired, so it cannot currently be used to run commands
Do you want to re-authenticate your CLI session profile? [Y/n]: ^CAbort: 

[bash ~]$ OCI_CLI_AUTH=security_token oci os ns get --force
Usage: oci os ns get [OPTIONS]

Error: no such option: --force

[bash ~]$ oci --version
3.23.2

This is using the latest oci cli in yum for OL8

robert-heinzmann-logmein commented 8 months ago

There is no force option, also in the latest release. As this blocks the kubectl command, it would be great if it could be enforced, possibly also with an environment variable (OCI_CLI_AUTH_CONFIRM_REAUTH=true or alike?).

shell$ oci -version
3.37.11

shell$ oci session refresh --force

Error: No such option: --force

For OCI CLI commands and parameters suggestion, auto completion and other useful features, try the Interactive mode by typing `oci -i`.

bhoogter commented 1 month ago

Came here hoping for a solution... In the meantime, continuing to use the current workaround:

echo 'Y' | oci ...

pankajmjx commented 1 month ago

OCI session authentication has a default period of 60 minutes. Once the session expires, you will need to either create a new session token or refresh the existing token by responding with 'Y'. Session authentication is not recommended for automation, so it prompts you to refresh the token once it expires. You can use other authentication methods that do not expire, such as API key-based authentication. Please refer to this doc for supported authentication methods - https://docs.oracle.com/en-us/iaas/Content/API/Concepts/sdk_authentication_methods.htm

karthik-k-kamath commented 1 month ago

Closing as @pankajmjx has clarified the behaviour.

adizohar commented 1 month ago

Btw, I am using session authentication and refresh the session in the background every 5 min. Just an option:

oci session refresh --profile xxx

stuartberry-oracle commented 1 month ago

The issue is that kubectl hangs, with no hint to the user of why kubectl has hung. kubectl should exit with a message and failure code, not hang. This requires a change in the oci command which is called by kubectl.

Request ticket is re-opened.

bhoogter commented 3 weeks ago

> Btw, I am using session authentication and refresh the session in the background every 5 min. Just an option:
>
> oci session refresh --profile xxx

That is an excellent workaround... Still wish there was a --force option. I don't understand how being overly particular about usage, as indicated by @pankajmjx's answer, is the go-to answer...
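
An added example, not from the thread or the oci-cli project: a wrapper that the kubeconfig `exec` stanza can name as `command:` in place of `oci`, so that an expired session makes kubectl fail with a message rather than hang. It assumes GNU `timeout` is installed and that the re-authentication prompt reads standard input (as the `echo 'Y' |` workaround in the thread suggests); the script name `oke-token.sh` and the `OKE_TOKEN_TIMEOUT` variable are hypothetical.

```shell
#!/bin/sh
# oke-token.sh (hypothetical name): set `command:` in the kubeconfig exec
# stanza to this script and leave `args:` as generated
# (ce, cluster, generate-token, --cluster-id, ..., --region, ...).

# run_noninteractive SECONDS CMD [ARGS...]
# Runs CMD with stdin closed and a deadline; prints CMD's stdout only on success,
# so a prompt written to stdout is never handed to kubectl as a credential.
run_noninteractive() {
    limit="$1"; shift
    rc=0
    # </dev/null: a confirmation prompt sees EOF instead of waiting for input
    # (assumption: the prompt reads stdin). timeout(1) is the backstop if the
    # command blocks on anything else. stderr is left alone so the CLI's own
    # error text still reaches the user.
    out=$(timeout "$limit" "$@" </dev/null) || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "credential command timed out after ${limit}s; check the session or config" >&2
        return 124
    elif [ "$rc" -ne 0 ]; then
        echo "credential command exited $rc without a token; re-authenticate outside kubectl" >&2
        return "$rc"
    fi
    printf '%s\n' "$out"
}

# When kubectl invokes the script it passes the original oci arguments.
if [ "$#" -gt 0 ]; then
    run_noninteractive "${OKE_TOKEN_TIMEOUT:-15}" oci "$@"
fi
```
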