fix: remove --insecure-skip-tls-verify from CI oc login commands #1272

Merged
mergify[bot] merged 2 commits into main from fix/remove-insecure-skip-tls-verify-ci
Apr 9, 2026

@ambient-code ambient-code bot commented Apr 9, 2026

Summary

  • Remove --insecure-skip-tls-verify from all 6 oc login commands across CI workflows
  • No replacement flag needed — clusters use a publicly trusted certificate authority

Affected files

  • .github/workflows/components-build-deploy.yml — 4 oc login calls (deploy-rhoai-mlflow, update-rbac-and-crd, deploy-to-openshift, deploy-with-dispatch)
  • .github/workflows/prod-release-deploy.yaml — 2 oc login calls (deploy-rhoai-mlflow, deploy-to-openshift)

Test plan

  • Trigger components-build-deploy.yml via workflow_dispatch and verify all deploy jobs authenticate successfully
  • Verify prod release pipeline login steps work on next release

Closes #1271

🤖 Generated with Claude Code


🤖 Ambient Session

…in CI oc login

Remove --insecure-skip-tls-verify from all oc login commands in CI
workflows to prevent MITM attacks during token exchange. Each login
step now writes the cluster CA bundle (from a GitHub Actions secret)
to a temp file and passes --certificate-authority instead.

Secrets required:
- OPENSHIFT_CA_BUNDLE (staging/dev cluster)
- PROD_OPENSHIFT_CA_BUNDLE (production cluster)

Closes #1271

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@ambient-code ambient-code bot added the ambient-code:managed PR managed by AI automation label Apr 9, 2026

ambient-code bot commented Apr 9, 2026

This PR removes all --insecure-skip-tls-verify flags from oc login commands in CI workflows and replaces them with --certificate-authority pointing to a CA bundle written from GitHub Actions secrets.

Action required before merging: The OPENSHIFT_CA_BUNDLE and PROD_OPENSHIFT_CA_BUNDLE secrets must be added to the repository's GitHub Actions secrets. See the PR description for how to extract the CA bundle from each cluster.

🤖 Session

ktdreyer commented Apr 9, 2026

@ambient-code We do not need --certificate-authority. It's a public certificate authority.

The OpenShift clusters use a publicly trusted certificate authority,
so no --certificate-authority flag or CA bundle secret is needed.
Simply removing the insecure flag is sufficient.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ambient-code bot commented Apr 9, 2026

Updated — removed --insecure-skip-tls-verify without any replacement flag since the clusters use a publicly trusted CA. No new secrets needed.

🤖 Session

@mergify mergify bot added the queued label Apr 9, 2026
mergify bot commented Apr 9, 2026

Merge Queue Status

  • Entered queue 2026-04-09 21:28 UTC · Rule: default
  • Checks skipped · PR is already up-to-date
  • Merged 2026-04-09 21:28 UTC · at 89f1a4b07d5bbebbd03a8fcbe34c8b10dba673e0

This pull request spent 8 seconds in the queue, including 1 second running CI.

@mergify mergify bot merged commit 45ff21f into main Apr 9, 2026
35 of 38 checks passed
@mergify mergify bot deleted the fix/remove-insecure-skip-tls-verify-ci branch April 9, 2026 21:28
@mergify mergify bot removed the queued label Apr 9, 2026
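
A regression guard for the change discussed in this thread, as an added example that is not part of the PR or the repository: it scans workflow files for `oc login` commands that still pass `--insecure-skip-tls-verify`, joining backslash continuations so a flag on a later line is caught. The function names and the sample workflow are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): flag `oc login` commands in workflow files
# that disable TLS verification.

# find_insecure_oc_login FILE...
# Prints "file:line: command" per offending command; returns 1 if any is found.
find_insecure_oc_login() {
  awk '
    FNR == 1 { cmd = "" }                      # new file: drop any partial command
    {
      line = $0
      if (cmd == "") start = FNR               # first line of this command
      if (line ~ /\\[ \t]*$/) {                # trailing backslash: join next line
        sub(/\\[ \t]*$/, "", line)
        cmd = cmd line " "
        next
      }
      cmd = cmd line
      probe = cmd
      gsub(/--insecure-skip-tls-verify=false/, "", probe)   # verification left on
      if (cmd !~ /^[ \t]*#/ && cmd ~ /(^|[^A-Za-z0-9_-])oc[ \t]+login/ &&
          probe ~ /--insecure-skip-tls-verify/) {
        gsub(/[ \t]+/, " ", cmd)
        printf "%s:%d:%s\n", FILENAME, start, cmd
        bad = 1
      }
      cmd = ""
    }
    END { exit (bad ? 1 : 0) }
  ' "$@"
}

# Constructed sample workflow for trying the check; SERVER and TOKEN are
# placeholder variables, not values from the repository.
write_sample_workflow() {
  cat > "$1" <<'EOF'
jobs:
  deploy:
    steps:
      - run: oc login "$SERVER" --token="$TOKEN"
      - run: |
          oc login "$SERVER" \
            --token="$TOKEN" \
            --insecure-skip-tls-verify
      # oc login --insecure-skip-tls-verify (commented out)
      - run: oc login "$SERVER" --token="$TOKEN" --insecure-skip-tls-verify=false
EOF
}

# Scan any files given on the command line, e.g. .github/workflows/*.y*ml
[ "$#" -eq 0 ] || find_insecure_oc_login "$@"
```

Run as a required check, a non-zero exit blocks a workflow change that reintroduces the flag.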
Labels

ambient-code:managed PR managed by AI automation

Development

Successfully merging this pull request may close these issues.

Remove --insecure-skip-tls-verify from CI oc login commands