From 0215a6cc0175ba678e48466951f17cc73f3c28ee Mon Sep 17 00:00:00 2001
From: Ondra Kupka
Date: Fri, 7 Nov 2025 12:05:21 +0100
Subject: [PATCH] oc login: Respect insecure flag from kubeconfig

When running oc login, the insecure flag from kubeconfig is not consulted properly when calling getClientConfig(). This is now fixed.

Assisted-by: Claude Code
---
 pkg/cli/login/loginoptions.go | 8 ++--
 pkg/cli/login/loginoptions_test.go | 73 ++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 5 deletions(-)

diff --git a/pkg/cli/login/loginoptions.go b/pkg/cli/login/loginoptions.go
index efbe6b57fe..00a5943b57 100644
--- a/pkg/cli/login/loginoptions.go
+++ b/pkg/cli/login/loginoptions.go
@@ -160,9 +160,9 @@ func (o *LoginOptions) getClientConfig() (*restclient.Config, error) {
 }
 o.Server = serverNormalized
 clientConfig.Host = o.Server
- clientConfig.Insecure = o.InsecureTLS
+ clientConfig.Insecure = o.InsecureTLS || hasExistingInsecureCluster(*clientConfig, *o.StartingKubeConfig)
- if !o.InsecureTLS {
+ if !clientConfig.Insecure {
 // use specified CA or find existing CA
 if len(o.CAFile) > 0 {
 clientConfig.CAFile = o.CAFile
@@ -188,9 +188,7 @@ func (o *LoginOptions) getClientConfig() (*restclient.Config, error) {
 // connection or if we already have a cluster stanza that tells us to
 // connect to this particular server insecurely
 case x509.UnknownAuthorityError, x509.HostnameError, x509.CertificateInvalidError:
- if o.InsecureTLS ||
- hasExistingInsecureCluster(*clientConfig, *o.StartingKubeConfig) ||
- promptForInsecureTLS(o.In, o.Out, err) {
+ if clientConfig.Insecure || promptForInsecureTLS(o.In, o.Out, err) {
 clientConfig.Insecure = true
 clientConfig.CAFile = ""
 clientConfig.CAData = nil
diff --git a/pkg/cli/login/loginoptions_test.go b/pkg/cli/login/loginoptions_test.go
index dfd61899e0..e26ca98760 100644
--- a/pkg/cli/login/loginoptions_test.go
+++ b/pkg/cli/login/loginoptions_test.go
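Review bot: The new assignment `clientConfig.Insecure = o.InsecureTLS || hasExistingInsecureCluster(...)` also short-circuits the `if !clientConfig.Insecure` block below it, so a stale `insecure-skip-tls-verify: true` stanza for this server now causes an explicit `--certificate-authority` to be skipped (`clientConfig.CAFile = o.CAFile` is never reached) and the connection stays unverified with no warning visible in these hunks; before this change the stanza was only consulted in the x509 error path, so a supplied CA was tried first. Unless option validation elsewhere already rejects a CA file together with a stored insecure stanza (not visible here), I would let the explicit CA win: `clientConfig.Insecure = o.InsecureTLS || (len(o.CAFile) == 0 && hasExistingInsecureCluster(*clientConfig, *o.StartingKubeConfig))`. Either way the line deserves a comment recording the new trade-off, e.g. `// A stored insecure-skip-tls-verify for this server disables verification up front; verified TLS is no longer attempted first.` getClientConfig starts before the first hunk and continues past the second.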
@@ -377,6 +377,79 @@ func TestDialToHTTPSServer(t *testing.T) {
 }
 }
+func TestGetClientConfig_InsecureSkipTLSVerify(t *testing.T) {
+ // Test that insecure-skip-tls-verify setting from kubeconfig is respected
+ // when logging in without the --insecure-skip-tls-verify flag.
+
+ server := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.WriteHeader(http.StatusOK)
+ }))
+ defer server.Close()
+
+ testCases := map[string]struct {
+ insecureFlag bool
+ insecureKubeconfig bool
+ expectedInsecureClientConfig bool
+ }{
+ "command flag set": {
+ insecureFlag: true,
+ expectedInsecureClientConfig: true,
+ },
+ "kubeconfig flag set": {
+ insecureKubeconfig: true,
+ expectedInsecureClientConfig: true,
+ },
+ "no flag set": {
+ insecureFlag: false,
+ insecureKubeconfig: false,
+ expectedInsecureClientConfig: false,
+ },
+ "both command and kubeconfig flag set": {
+ insecureFlag: true,
+ insecureKubeconfig: true,
+ expectedInsecureClientConfig: true,
+ },
+ }
+
+ for name, test := range testCases {
+ t.Run(name, func(t *testing.T) {
+ startingConfig := &kclientcmdapi.Config{
+ Clusters: map[string]*kclientcmdapi.Cluster{},
+ }
+ if test.insecureKubeconfig {
+ startingConfig.Clusters["test-cluster"] = &kclientcmdapi.Cluster{
+ Server: server.URL,
+ InsecureSkipTLSVerify: true,
+ }
+ }
+
+ options := &LoginOptions{
+ Server: server.URL,
+ InsecureTLS: test.insecureFlag,
+ StartingKubeConfig: startingConfig,
+ }
+
+ clientConfig, err := options.getClientConfig()
+ if err != nil {
+ if test.expectedInsecureClientConfig {
+ t.Fatalf("Expected to succeed with insecure connection, but got error: %v", err)
+ } else {
+ // If we expect secure connection and get a TLS error, that's expected
+ // since we're using a test server with a self-signed cert.
+ if err.Error() != certificateAuthorityUnknownMsg {
+ t.Fatalf("Expected to fail with insecure connection, but got another error: %v", err)
+ }
+ return
+ }
+ }
+
+ if clientConfig.Insecure != test.expectedInsecureClientConfig {
+ t.Errorf("expected Insecure=%v, got %v", test.expectedInsecureClientConfig, clientConfig.Insecure)
+ }
+ })
+ }
+}
+
+func TestPreserveExecProviderOnUsernameLogin(t *testing.T) {
+ // Test that when using -u flag with existing OIDC credentials,
+ // the ExecProvider configuration is preserved
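Review bot: The table only ever stores the insecure stanza under `Server: server.URL`, so nothing pins the scoping that matters most for this change — that `insecure-skip-tls-verify` recorded for one cluster must not switch off verification when logging into a different server; that scoping presumably lives in `hasExistingInsecureCluster`, whose body is outside this diff, and now that it is consulted unconditionally a regression there would go unnoticed. Add a case whose stanza points at another host and expects `Insecure=false`, which should then fail with `certificateAuthorityUnknownMsg` exactly like "no flag set". The `t.Fatalf` in the else branch also reads backwards (`"Expected to fail with insecure connection..."`); `"Expected certificate verification to fail, but got another error: %v"` says what is actually checked. TestPreserveExecProviderOnUsernameLogin continues past the end of the hunk.
```go
	testCases := map[string]struct {
		insecureFlag                 bool
		insecureKubeconfig           bool
		kubeconfigStanzaServer       string // server of the stored stanza; empty means server.URL
		expectedInsecureClientConfig bool
	}{
		// … unchanged: existing four cases …
		"kubeconfig flag set for a different server": {
			insecureKubeconfig:           true,
			kubeconfigStanzaServer:       "https://other.example.invalid:6443",
			expectedInsecureClientConfig: false,
		},
	}
	// … unchanged: loop header and startingConfig construction …
			if test.insecureKubeconfig {
				stanzaServer := test.kubeconfigStanzaServer
				if stanzaServer == "" {
					stanzaServer = server.URL
				}
				startingConfig.Clusters["test-cluster"] = &kclientcmdapi.Cluster{
					Server:                stanzaServer,
					InsecureSkipTLSVerify: true,
				}
			}
```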