Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: 4.22.0
Affects Version/s: 4.20
Component/s: oc
Labels:
- pre-merge-tested
- pre-merge-verified

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.22
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Proposed
Release Note Type:
Bug Fix
Release Note Text:
Aligned oc login to correctly handle insecure-skip-tls-verify flag in the kubeconfig file cluster section.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Hi!

We found an interesting bug:

Valid certificate for the frontend ocp.foo.com
Invalid certificate/chain for the oauth endpoint (oauth-openshift.apps.ocp.foo.com)

Setting insecure-skip-tls-verify inkubeconfig does not skip the verification of certs from the oauth endpoint.

This is because setting the config to insecure happens inside this conditional: https://github.com/openshift/oc/blob/main/pkg/cli/login/loginoptions.go#L190. Note that it does work with the command line option, since that code path is different.

If that makes sense, I can submit a PR in github to move the code outside of the initial dialToServer() call.

links to

openshift/oc#2134: OCPBUGS-64619: oc login: Respect insecure flag from kubeconfig

Assignee:: Ondřej Kupka

Reporter:: Burt Holzman (Inactive)

Need Info From:: None

Contributors:: None

QA Contact:: Ying Zhou

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/11/03 8:55 PM

Updated:: 2026/01/07 2:24 PM