OCPBUGS-64619: oc login: Respect insecure flag from kubeconfig

[tchap]

When running oc login, the insecure flag from kubeconfig is not consulted properly when calling getClientConfig.
This is now fixed.

[openshift-ci-robot]

@tchap: This pull request references Jira Issue OCPBUGS-64619, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

When running oc login, the insecure flag from kubeconfig is not consulted properly when calling getClientConfig.
This is now fixed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Centralizes the insecure TLS decision by computing clientConfig.Insecure (OR of flag and existing kubeconfig detection), updates CA handling and certificate-error prompt logic to use that value, and adds a test validating kubeconfig-based insecure-skip-tls-verify behavior.

Changes

Cohort / File(s)	Summary
Core login logic refactor pkg/cli/login/loginoptions.go	getClientConfig now sets clientConfig.Insecure to `o.InsecureTLS
Test coverage expansion pkg/cli/login/loginoptions_test.go	Added TestGetClientConfig_InsecureSkipTLSVerify to verify behavior when --insecure-skip-tls-verify is absent but kubeconfig marks the cluster insecure. Test exercises flag/kubeconfig combinations against a TLS server and asserts resulting Insecure or TLS error outcomes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• Review TLS/security implications of switching guards to clientConfig.Insecure.
• Verify CA file/CAData clearing and preservation across branches.
• Confirm prompt logic for certificate errors still matches intended UX (no unintended bypass).
• Inspect the new test for deterministic behavior and sufficient coverage of edge cases.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

📝 Customizable high-level summaries are now available in beta!

You can now customize how CodeRabbit generates the high-level summary in your pull requests — including its content, structure, tone, and formatting.

• Provide your own instructions using the high_level_summary_instructions setting.
• Format the summary however you like (bullet lists, tables, multi-section layouts, contributor stats, etc.).
• Use high_level_summary_in_walkthrough to move the summary from the description to the walkthrough section.

Example instruction:

"Divide the high-level summary into five sections:

1. 📝 Description — Summarize the main change in 50–60 words, explaining why this PR is needed, why this solution was chosen, and what was done.
2. 📓 References — List relevant issues, discussions, documentation, or related PRs.
3. 📦 Dependencies & Requirements — Mention any new/updated dependencies, environment variable changes, or configuration updates.
4. 📊 Contributor Summary — Include a Markdown table showing contributions:
   | Contributor | Lines Added | Lines Removed | Files Changed |
5. ✔️ Additional Notes — Add any extra reviewer context.
   Keep each section concise (under 200 words) and use bullet or numbered lists for clarity."

Note: This feature is currently in beta for Pro-tier users, and pricing will be announced later.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[tchap]

/jira refresh

[openshift-ci-robot]

@tchap: This pull request references Jira Issue OCPBUGS-64619, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ardaguclu]

This one #2131 is also trying to fix same bug I suppose

[tchap]

Gosh, people don't link to Jira issues 🥲 I would personally keep this one as it also contains tests, but...

[ardaguclu]

Gosh, people don't link to Jira issues 🥲 I would personally keep this one as it also contains tests, but...

The PRs that contain tests will always have higher priority :).

[tchap]

/retest

[ardaguclu]

Dropped a comment about test cases. Logical changes are nice to me. Thank you for fixing this.

[ardaguclu]

I'd expect insecureFlag and insecureKubeconfig values differ and we explicitly state which one we should choose. Flags are higher priority than implicit assignments (kubeconfig)

[tchap]

I think that the logic is that there is no priority, but setting insecure anywhere just makes the whole thing accept insecure connection. In other words, insecure=false flag does not overwrite kubeconfig with insecure=true. Otherwise we would need to explicitly check whether the CLI flag was actually set and use that value in any case, in other words, treat default flag value and explicitly set flag value to false differently.

[ardaguclu]

My suggestion basically is to assure whatever the expected outcome if they differ. So that in the future if that test fails, we will be notified something has changed.

[ardaguclu]

So if assigning one of them is true makes the outcome as true, let's reflect it to the test

[tchap]

It is reflected in the test 🙂

[ardaguclu]

I assume the ones you pointed out is line:394 and line:398. They exercise, for example, oc login (with insecure in kubeconfig), vs. But they do not exercise oc login --insecure-tls-verify=false (with insecure in kubeconfig).

I'm totally aware that they are identical. But we need to test this case too, because from user point of view oc login and oc login --insecure-tls-verify are not identical (former means run this with whatever value, latter means run this command with my explicit definition). So in my opinion, adding 2 additional tests would make sense to me not in terms of functionality but in terms of semantically.

[ardaguclu]

On the other hand, test does not have notion of explicit, implicit flag. So we can leave the tests as is

[ardaguclu]

I appreciate adding unit tests every time. Thank you

[tchap]

This is the way :mandalorian:

[tchap]

What is not so great is that the tests are passing even when I roll back the change 😅

[ardaguclu]

/lgtm

[ardaguclu]

I believe that it is better to perform pre-merge tests. cc: @zhouying7780

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

pkg/cli/login/loginoptions.go (1)

163-174: Centralizing Insecure handling looks good; consider guarding StartingKubeConfig usage.

Using clientConfig.Insecure as the single source of truth (OR of o.InsecureTLS and hasExistingInsecureCluster) simplifies the TLS decision and keeps the error-path logic in sync with initial config, which is a nice cleanup. The only thing I’d double‑check is whether o.StartingKubeConfig is guaranteed non‑nil on all call sites: the new hasExistingInsecureCluster(*clientConfig, *o.StartingKubeConfig) call runs unconditionally now, including when the CLI flag is set, so if that invariant is ever broken this will panic. If the invariant isn’t watertight, a small guard like falling back to clientConfig.Insecure = o.InsecureTLS when StartingKubeConfig == nil would make this safer.

Also applies to: 191-201

pkg/cli/login/loginoptions_test.go (1)

380-451: Solid coverage of flag/kubeconfig combinations; tweak failure message for clarity.

The table cases nicely exercise the combinations of CLI and kubeconfig insecure sources and assert the resulting clientConfig.Insecure. One tiny readability nit: in the branch where expectedInsecureClientConfig is false, the fatal message says “Expected to fail with insecure connection…”, which sounds opposite to what the test is asserting (we actually expect a secure connection to fail TLS validation). Renaming that part of the message would avoid confusion for future readers, especially when debugging failures.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 17ab6e4 and 0215a6c.

📒 Files selected for processing (2)

• pkg/cli/login/loginoptions.go (2 hunks)
• pkg/cli/login/loginoptions_test.go (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• pkg/cli/login/loginoptions_test.go
• pkg/cli/login/loginoptions.go

[openshift-ci]

@tchap: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ardaguclu]

What was the leftover line that caused an issue in previous version. I'm wondering why did I miss it.

[tchap]

The one right below was removed:

clientConfig.Insecure = true

[ardaguclu]

/lgtm
we will need another round of verification

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, tchap

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [ardaguclu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ardaguclu]

Basically this PR still requires to be tested to merge it.