Device authentication flow fails (Linux only)

If you are unable to complete device authentication against GitHub, you need to install pass. This is because the GitHub token is stored in an encrypted keyring on your device.

Install pass as described in the Prerequisites.

okctl keeps trying to do the GitHub Device Authentication Flow while trying to do <any action>

This is known to happen if pass init <gpg-key-id> has not been run after installing pass.

Initialize pass as described in Prerequisites.

On okctl delete cluster, some resources are not deleted (automatic deletion is coming in a later version)

Workaround: manually delete the following resources:

  • It is recommended to delete the infrastructure/ directory and the .okctl.yaml file as the last manual step, after the cluster has been deleted successfully.

okctl create cluster: Create identitypool fails / Re-create cluster within short timespan fails

If you do the following:

  • Create a cluster
  • Delete it
  • Create a new cluster with the same domain name (e.g.

This might fail if you do these steps within 15 minutes. This is due to DNS resolvers caching NS server records. More details:

Workaround: Wait for up to 15 minutes before creating the cluster again.

15 minutes is the TTL (Time to live, i.e. cache expiry) of the NS record. You can see this value in Route 53 -> Hosted zones -> Your domain -> NS record for your top domain -> Edit -> See TTL field.

okctl create cluster: Failed to create external secrets helm chart

You get the following error (shortened):

..  creating: external-secrets (elapsed: 1 second 76 microseconds)WARN[0007] failed to process request, because: failed to create external secrets helm chart: failed to update repository: failed to fetch : 403 Forbidden  endpoint=create service=helm/externalSecrets
✓   creating
request failed with Internal Server Error, because: failed to create external secrets helm chart: failed to update repository: failed to fetch : 403 Forbidden

This happens because Helm changed URLs to their repositories. Update your ~/.okctl/helm/repositories.yaml, and update URLs from

Name Old Location New Location

okctl apply cluster: Always prompts for GitHub machine authentication, even after it has been set

There is an issue with some versions of pinentry-curses where sometimes the prompt to enter a password for your PGP key will not appear. We store the authentication token in a keyring, and since it cannot be decrypted without the password, okctl just skips ahead. The solution is to export the following environment variable:

export GPG_TTY=$(tty)

This can be done in your current shell before you run okctl commands, or can be put in your .bashrc or similar to ensure you will always be prompted for your encryption key password. A more detailed explanation can be found on Stack Overflow.
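
The three keyring problems above (pass not installed, pass init not run, GPG_TTY not exported) can be checked in one go before running okctl. The following is an added example, not part of okctl; the function names are hypothetical, and it assumes pass's standard layout, where the store lives in $PASSWORD_STORE_DIR (default ~/.password-store) and pass init writes the key id to a .gpg-id file there.

```shell
#!/bin/sh
# Added example: preflight checks for the pass/GPG keyring holding the GitHub token.
# Function names are hypothetical; okctl does not ship this script.

# pass keeps its store in $PASSWORD_STORE_DIR (default: ~/.password-store).
store_dir() {
  printf '%s\n' "${PASSWORD_STORE_DIR:-$HOME/.password-store}"
}

# Status 0 if the pass executable is on PATH.
pass_installed() {
  command -v pass >/dev/null 2>&1
}

# Status 0 if `pass init <gpg-key-id>` has been run: it writes the key id to
# a non-empty .gpg-id file in the store.
store_initialized() {
  [ -s "$(store_dir)/.gpg-id" ]
}

# Status 0 if GPG_TTY is set and names an existing character device, which
# pinentry needs in order to show the passphrase prompt.
gpg_tty_ok() {
  [ -n "${GPG_TTY:-}" ] && [ -c "$GPG_TTY" ]
}

# Prints one line per problem found; the exit status is the number of problems.
keyring_preflight() {
  kp_problems=0
  if ! pass_installed; then
    echo "pass not found on PATH: install it as described in the Prerequisites"
    kp_problems=$((kp_problems + 1))
  fi
  if ! store_initialized; then
    echo "no .gpg-id in $(store_dir): run 'pass init <gpg-key-id>'"
    kp_problems=$((kp_problems + 1))
  fi
  if ! gpg_tty_ok; then
    echo "GPG_TTY is unset or not a terminal: run 'export GPG_TTY=\$(tty)'"
    kp_problems=$((kp_problems + 1))
  fi
  return "$kp_problems"
}
```

Source the file and run keyring_preflight in the shell you will run okctl from; an exit status of 0 means none of the three problems was found.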