Skip to content

DPF: Add a load-kubeconfig step (2)#81564

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
josecastillolema:dpf-conformance2
Jul 7, 2026
Merged

DPF: Add a load-kubeconfig step (2)#81564
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
josecastillolema:dpf-conformance2

Conversation

@josecastillolema

@josecastillolema josecastillolema commented Jul 7, 2026

Copy link
Copy Markdown
Member

It would be better to run the conformance tests directly from Prow than from the bastion node.
This step will allow this pattern (even for other DPF tests, like the networking one, etc.).

Summary by CodeRabbit

Added a new DPF hypervisor load-kubeconfig CI step so OpenShift CI can fetch and prepare a usable kubeconfig directly from Prow instead of relying on the bastion workflow.

In practical terms, this updates the DPF CI infrastructure to:

  • create and install an SSH key from Vault-backed credentials,
  • connect to the hypervisor and locate the latest openshift-dpf install directory,
  • copy the cluster kubeconfig into the CI shared workspace,
  • rewrite the API server endpoint to a CI-reachable IP,
  • relax kubeconfig TLS settings for downstream consumers, and
  • register the step with the appropriate owners metadata for CI automation.

This lays the groundwork for running DPF conformance and similar downstream tests directly from the CI environment.

Signed-off-by: Jose Castillo Lema <josecastillolema@gmail.com>

    gitleaks.version: 8.30.0
    gitleaks.check-secrets: ENABLED
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

Adds a new CI step registry entry dpf-hypervisor-load-kubeconfig under ci-operator/step-registry/dpf/hypervisor/load-kubeconfig, comprising OWNERS, a reference YAML, metadata JSON, and a commands script that SSHes into a hypervisor, retrieves the cluster kubeconfig, patches its API server address, and writes it to SHARED_DIR.

Changes

DPF hypervisor load-kubeconfig step

Layer / File(s) Summary
SSH setup and connectivity check
dpf-hypervisor-load-kubeconfig-commands.sh
Enables strict mode, sets remote path/host variables, builds an SSH private key from Vault-mounted /var/run/dpf-ci/private-key, constructs SSH_OPTS, and verifies SSH connectivity to the hypervisor.
Locate install dir and fetch kubeconfig
dpf-hypervisor-load-kubeconfig-commands.sh
Copies and sources last-openshift-dpf-dir.sh to determine the last openshift-dpf install directory, then scp's kubeconfig.doca8 from that directory into the CI container.
Resolve IP and patch kubeconfig
dpf-hypervisor-load-kubeconfig-commands.sh
Resolves the API server hostname to an IP via remote DNS lookup, rewrites the cluster server URL, marks the cluster insecure, unsets certificate-authority-data, and writes the final kubeconfig to ${SHARED_DIR}/kubeconfig.
Step registry reference, metadata, and ownership
dpf-hypervisor-load-kubeconfig-ref.yaml, dpf-hypervisor-load-kubeconfig-ref.metadata.json, OWNERS
Defines the new step's command, Vault credential mount, REMOTE_HOST default, resource requests, timeout, documentation, metadata owners, and OWNERS approvers/reviewers.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Sequence Diagram(s)

sequenceDiagram
    participant CIStep as CI Step
    participant Script as load-kubeconfig script
    participant Hypervisor as Hypervisor host
    participant SharedDir as SHARED_DIR

    CIStep->>Script: Run dpf-hypervisor-load-kubeconfig-commands.sh
    Script->>Script: Build SSH key from Vault secret
    Script->>Hypervisor: SSH connectivity check
    Script->>Hypervisor: scp last-openshift-dpf-dir.sh
    Script->>Script: Source script, get LAST_OPENSHIFT_DPF
    Script->>Hypervisor: scp kubeconfig.doca8
    Script->>Script: Extract cluster name & server hostname
    Script->>Hypervisor: SSH DNS resolve hostname to IP
    Script->>Script: Patch kubeconfig server URL to IP, mark insecure
    Script->>SharedDir: Copy patched kubeconfig
    Script-->>CIStep: Log success
Loading

Compact metadata:

  • Related issues: None referenced
  • Related PRs: None referenced

Suggested labels: ok-to-test, jira/valid-bug

Suggested reviewers: josecastillolema, linoyaslan, szigmon, tsorya, wabouhamad

🐰 A hypervisor's secrets, once locked away,
Now hop through SSH to greet the CI day,
A kubeconfig patched, insecure but bright,
Lands in SHARED_DIR, ready for flight.


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error)

Check name Status Explanation Resolution
No-Sensitive-Data-In-Logs ❌ Error The new step logs internal hostnames/IPs and install paths (REMOTE_HOST, CLUSTER_API_SERVER_HOSTNAME, CLUSTER_API_IP, LAST_OPENSHIFT_DPF). Remove or genericize those echo statements; never print internal hostnames/IPs or other cluster-specific paths in CI logs.
✅ Passed checks (14 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly reflects the main change: adding a new DPF load-kubeconfig step.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test titles were added or changed; the PR only touches step-registry metadata and shell scripts.
Test Structure And Quality ✅ Passed PR only adds step-registry config and a shell script; no Ginkgo test code is changed, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed PR adds only step-registry shell/metadata files; no new Ginkgo tests or MicroShift-incompatible API use found.
Single Node Openshift (Sno) Test Compatibility ✅ Passed PR adds only step-registry config and a bash command; no new Ginkgo e2e tests or topology assumptions to check.
Topology-Aware Scheduling Compatibility ✅ Passed PR only adds CI step-registry files and a kubeconfig helper script; no deployment/controller scheduling constraints or topology assumptions were introduced.
Ote Binary Stdout Contract ✅ Passed PR only changes step-registry config and a bash step script; no OTE binary main/init/TestMain/suite setup code is introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo/e2e test code was added; the PR only introduces step-registry YAML, metadata, OWNERS, and a shell step.
No-Weak-Crypto ✅ Passed No MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons found in the changed files.
Container-Privileges ✅ Passed The new step registry YAML/metadata add no pod securityContext or privilege flags; search found no privileged, hostNetwork, hostPID, hostIPC, or allowPrivilegeEscalation settings.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from szigmon and wabouhamad July 7, 2026 14:44
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 7, 2026
@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jul 7, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

[REHEARSALNOTIFIER]
@josecastillolema: no rehearsable tests are affected by this change

Note: If this PR includes changes to step registry files (ci-operator/step-registry/) and you expected jobs to be found, try rebasing your PR onto the base branch. This helps pj-rehearse accurately detect changes when the base branch has moved forward.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-commands.sh`:
- Around line 55-63: The kubeconfig load script is logging sensitive cluster API
hostname/IP details; update the logging in the cluster resolution block to use
generic status messages instead of echoing CLUSTER_API_SERVER_HOSTNAME or
CLUSTER_API_IP. Keep the resolution logic in
dpf-hypervisor-load-kubeconfig-commands.sh intact, but change the status and
error messages around the SSH/getent lookup to avoid exposing endpoint details
in CI logs.
- Line 56: The hostname passed through the remote resolver in
dpf-hypervisor-load-kubeconfig-commands.sh should be quoted and narrowed to a
single IP so the captured server value stays valid. Update the CLUSTER_API_IP
assignment to safely pass CLUSTER_API_SERVER_HOSTNAME into the ssh command, and
ensure the resolver output is reduced to one address instead of returning
multiple lines. Use the existing CLUSTER_API_IP and CLUSTER_API_SERVER_HOSTNAME
references in that command block to locate and adjust the fix.
- Around line 32-39: The kubeconfig loader currently sources a copied remote
helper file in the CI pod, which can execute arbitrary content with mounted
credentials available. Update dpf-hypervisor-load-kubeconfig-commands.sh to
avoid cat/source of /tmp/last-openshift-dpf-dir.sh; instead, read only the
LAST_OPENSHIFT_DPF value from the file in a safe, non-executing way and use that
value directly in the existing echo/logging path. Keep the fix localized around
the scp and the LAST_OPENSHIFT_DPF handling block.
- Around line 71-74: The kubeconfig setup in the dpf hypervisor load script is
disabling TLS verification and removing certificate-authority-data, which should
be avoided. Update the cluster configuration in the oc config set-cluster flow
to keep verification enabled by using --tls-server-name with the original API
hostname, and stop unsetting clusters.${CLUSTER_NAME}.certificate-authority-data
so the existing CA data remains intact.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7f73c8e3-c519-4e14-9b2f-b1545bed676a

📥 Commits

Reviewing files that changed from the base of the PR and between 87b1f99 and df4f98e.

📒 Files selected for processing (4)
  • ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/OWNERS
  • ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-commands.sh
  • ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-ref.metadata.json
  • ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-ref.yaml

Comment on lines +32 to +39
scp ${SSH_OPTS} root@${REMOTE_HOST}:${REMOTE_LAST_OPENSHIFT_DPF_DIR_LOCATION} /tmp

if [ -f /tmp/last-openshift-dpf-dir.sh ]; then
cat /tmp/last-openshift-dpf-dir.sh
set -a
source /tmp/last-openshift-dpf-dir.sh
set +a
echo "Last openshift-dpf dir is: '${LAST_OPENSHIFT_DPF}'"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Avoid sourcing remote content inside the CI pod.

Line 37 executes the copied hypervisor file locally with the pod’s mounted credentials available. Retrieve only the LAST_OPENSHIFT_DPF value, and avoid printing the whole helper file.

Safer pattern
-scp ${SSH_OPTS} root@${REMOTE_HOST}:${REMOTE_LAST_OPENSHIFT_DPF_DIR_LOCATION} /tmp
-
-if [ -f /tmp/last-openshift-dpf-dir.sh ]; then
-    cat /tmp/last-openshift-dpf-dir.sh
-    set -a
-    source /tmp/last-openshift-dpf-dir.sh
-    set +a
-    echo "Last openshift-dpf dir is: '${LAST_OPENSHIFT_DPF}'"
-else
-    echo "ERROR: Failed to find scp-ed file '/tmp/last-openshift-dpf-dir.sh'"
+LAST_OPENSHIFT_DPF="$(
+    ssh ${SSH_OPTS} root@${REMOTE_HOST} \
+        "set -euo pipefail; source '${REMOTE_LAST_OPENSHIFT_DPF_DIR_LOCATION}'; printf '%s' \"\${LAST_OPENSHIFT_DPF}\""
+)"
+
+if [[ -z "${LAST_OPENSHIFT_DPF}" ]]; then
+    echo "ERROR: Failed to determine last openshift-dpf install dir"
     exit 1
 fi
+echo "Last openshift-dpf dir located"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
scp ${SSH_OPTS} root@${REMOTE_HOST}:${REMOTE_LAST_OPENSHIFT_DPF_DIR_LOCATION} /tmp
if [ -f /tmp/last-openshift-dpf-dir.sh ]; then
cat /tmp/last-openshift-dpf-dir.sh
set -a
source /tmp/last-openshift-dpf-dir.sh
set +a
echo "Last openshift-dpf dir is: '${LAST_OPENSHIFT_DPF}'"
LAST_OPENSHIFT_DPF="$(
ssh ${SSH_OPTS} root@${REMOTE_HOST} \
"set -euo pipefail; source '${REMOTE_LAST_OPENSHIFT_DPF_DIR_LOCATION}'; printf '%s' \"\${LAST_OPENSHIFT_DPF}\""
)"
if [[ -z "${LAST_OPENSHIFT_DPF}" ]]; then
echo "ERROR: Failed to determine last openshift-dpf install dir"
exit 1
fi
echo "Last openshift-dpf dir located"
🧰 Tools
🪛 ast-grep (0.44.1)

[warning] 34-34: Writing to or reading from a hardcoded, predictable path under /tmp is vulnerable to symlink and TOCTOU attacks: a local attacker can pre-create the file (or a symlink pointing elsewhere) and hijack or corrupt the contents. Generate a unique, unpredictable temporary file with mktemp instead, e.g. tmpfile="$(mktemp)" (or mktemp -d for directories) and reference "$tmpfile".
Context: /tmp/last-openshift-dpf-dir.sh
Note: [CWE-377] Insecure Temporary File.

(predictable-tmp-file-bash)


[warning] 36-36: Writing to or reading from a hardcoded, predictable path under /tmp is vulnerable to symlink and TOCTOU attacks: a local attacker can pre-create the file (or a symlink pointing elsewhere) and hijack or corrupt the contents. Generate a unique, unpredictable temporary file with mktemp instead, e.g. tmpfile="$(mktemp)" (or mktemp -d for directories) and reference "$tmpfile".
Context: /tmp/last-openshift-dpf-dir.sh
Note: [CWE-377] Insecure Temporary File.

(predictable-tmp-file-bash)

🪛 Shellcheck (0.11.0)

[info] 32-32: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 32-32: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 37-37: Not following: /tmp/last-openshift-dpf-dir.sh was not specified as input (see shellcheck -x).

(SC1091)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-commands.sh`
around lines 32 - 39, The kubeconfig loader currently sources a copied remote
helper file in the CI pod, which can execute arbitrary content with mounted
credentials available. Update dpf-hypervisor-load-kubeconfig-commands.sh to
avoid cat/source of /tmp/last-openshift-dpf-dir.sh; instead, read only the
LAST_OPENSHIFT_DPF value from the file in a safe, non-executing way and use that
value directly in the existing echo/logging path. Keep the fix localized around
the scp and the LAST_OPENSHIFT_DPF handling block.

Comment on lines +55 to +63
echo "Resolving cluster API server hostname '${CLUSTER_API_SERVER_HOSTNAME}' from the hypervisor..."
CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent hosts ${CLUSTER_API_SERVER_HOSTNAME} | awk '{print \$1}'")"

if [[ -z "${CLUSTER_API_IP}" ]]; then
echo "ERROR: Failed to resolve '${CLUSTER_API_SERVER_HOSTNAME}' from the hypervisor"
exit 1
fi

echo "Resolved '${CLUSTER_API_SERVER_HOSTNAME}' to '${CLUSTER_API_IP}'"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Do not log the cluster API endpoint details.

Lines 55, 59, and 63 expose the internal API hostname/IP in CI logs. Log generic resolution status instead. As per coding guidelines, “Step registry command scripts must avoid leaking sensitive information into CI logs: do not echo passwords, tokens, API keys, cluster URLs, or kubeconfig contents.”

Proposed fix
-echo "Resolving cluster API server hostname '${CLUSTER_API_SERVER_HOSTNAME}' from the hypervisor..."
+echo "Resolving cluster API server hostname from the hypervisor..."
 CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent hosts ${CLUSTER_API_SERVER_HOSTNAME} | awk '{print \$1}'")"
 
 if [[ -z "${CLUSTER_API_IP}" ]]; then
-    echo "ERROR: Failed to resolve '${CLUSTER_API_SERVER_HOSTNAME}' from the hypervisor"
+    echo "ERROR: Failed to resolve cluster API server hostname from the hypervisor"
     exit 1
 fi
 
-echo "Resolved '${CLUSTER_API_SERVER_HOSTNAME}' to '${CLUSTER_API_IP}'"
+echo "Resolved cluster API server hostname from the hypervisor"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
echo "Resolving cluster API server hostname '${CLUSTER_API_SERVER_HOSTNAME}' from the hypervisor..."
CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent hosts ${CLUSTER_API_SERVER_HOSTNAME} | awk '{print \$1}'")"
if [[ -z "${CLUSTER_API_IP}" ]]; then
echo "ERROR: Failed to resolve '${CLUSTER_API_SERVER_HOSTNAME}' from the hypervisor"
exit 1
fi
echo "Resolved '${CLUSTER_API_SERVER_HOSTNAME}' to '${CLUSTER_API_IP}'"
echo "Resolving cluster API server hostname from the hypervisor..."
CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent hosts ${CLUSTER_API_SERVER_HOSTNAME} | awk '{print \$1}'")"
if [[ -z "${CLUSTER_API_IP}" ]]; then
echo "ERROR: Failed to resolve cluster API server hostname from the hypervisor"
exit 1
fi
echo "Resolved cluster API server hostname from the hypervisor"
🧰 Tools
🪛 Shellcheck (0.11.0)

[info] 56-56: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 56-56: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 56-56: Note that, unescaped, this expands on the client side.

(SC2029)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-commands.sh`
around lines 55 - 63, The kubeconfig load script is logging sensitive cluster
API hostname/IP details; update the logging in the cluster resolution block to
use generic status messages instead of echoing CLUSTER_API_SERVER_HOSTNAME or
CLUSTER_API_IP. Keep the resolution logic in
dpf-hypervisor-load-kubeconfig-commands.sh intact, but change the status and
error messages around the SSH/getent lookup to avoid exposing endpoint details
in CI logs.

Source: Coding guidelines

CLUSTER_NAME="$(oc --kubeconfig=/tmp/kubeconfig.doca8 config view -o jsonpath='{.clusters[0].name}')"
CLUSTER_API_SERVER_HOSTNAME="$(oc --kubeconfig=/tmp/kubeconfig.doca8 config view -o jsonpath='{.clusters[0].cluster.server}' | sed -E 's#https://([^:]+):.*#\1#')"
echo "Resolving cluster API server hostname '${CLUSTER_API_SERVER_HOSTNAME}' from the hypervisor..."
CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent hosts ${CLUSTER_API_SERVER_HOSTNAME} | awk '{print \$1}'")"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Quote the resolver input and select one address.

Line 56 interpolates a kubeconfig-derived hostname into a remote root shell and captures every getent result. A multi-record response can produce an invalid multiline server URL.

Proposed fix
-CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent hosts ${CLUSTER_API_SERVER_HOSTNAME} | awk '{print \$1}'")"
+CLUSTER_API_HOSTNAME_QUOTED="$(printf '%q' "${CLUSTER_API_SERVER_HOSTNAME}")"
+CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent ahostsv4 ${CLUSTER_API_HOSTNAME_QUOTED} | awk 'NR == 1 { print \$1; exit }'")"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent hosts ${CLUSTER_API_SERVER_HOSTNAME} | awk '{print \$1}'")"
CLUSTER_API_HOSTNAME_QUOTED="$(printf '%q' "${CLUSTER_API_SERVER_HOSTNAME}")"
CLUSTER_API_IP="$(ssh ${SSH_OPTS} root@${REMOTE_HOST} "getent ahostsv4 ${CLUSTER_API_HOSTNAME_QUOTED} | awk 'NR == 1 { print \$1; exit }'")"
🧰 Tools
🪛 Shellcheck (0.11.0)

[info] 56-56: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 56-56: Double quote to prevent globbing and word splitting.

(SC2086)


[info] 56-56: Note that, unescaped, this expands on the client side.

(SC2029)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-commands.sh`
at line 56, The hostname passed through the remote resolver in
dpf-hypervisor-load-kubeconfig-commands.sh should be quoted and narrowed to a
single IP so the captured server value stays valid. Update the CLUSTER_API_IP
assignment to safely pass CLUSTER_API_SERVER_HOSTNAME into the ssh command, and
ensure the resolver output is reduced to one address instead of returning
multiple lines. Use the existing CLUSTER_API_IP and CLUSTER_API_SERVER_HOSTNAME
references in that command block to locate and adjust the fix.

Source: Linters/SAST tools

Comment on lines +71 to +74
oc --kubeconfig=/tmp/kubeconfig.doca8 config set-cluster "${CLUSTER_NAME}" \
--server="https://${CLUSTER_API_IP}:6443" \
--insecure-skip-tls-verify=true
oc --kubeconfig=/tmp/kubeconfig.doca8 config unset "clusters.${CLUSTER_NAME}.certificate-authority-data"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file="ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-commands.sh"

echo "== File excerpt =="
cat -n "$file" | sed -n '1,180p'

echo
echo "== Search for related kubeconfig handling =="
rg -n "tls-server-name|insecure-skip-tls-verify|certificate-authority-data|set-cluster|load-kubeconfig" ci-operator/step-registry/dpf -S || true

echo
echo "== Search for API hostname source =="
rg -n "CLUSTER_API_SERVER_HOSTNAME|CLUSTER_API_IP|CLUSTER_NAME" ci-operator/step-registry/dpf -S || true

Repository: openshift/release

Length of output: 12803


🌐 Web query:

oc config set-cluster tls-server-name kubeconfig supported by oc or kubectl

💡 Result:

Yes, the --tls-server-name option is officially supported by both the OpenShift CLI (oc) and the Kubernetes CLI (kubectl) when using the config set-cluster command [1][2][3]. This option allows you to specify a custom server name for TLS certificate validation [1][4][5]. When provided, it overrides the default behavior where the CLI uses the hostname from the server URL to validate the TLS certificate [4][5]. Usage examples: To set the tls-server-name for a specific cluster entry in your kubeconfig: oc config set-cluster --tls-server-name= kubectl config set-cluster --tls-server-name= This functionality was added to support TLS Server Name Indication (SNI) overrides in kubeconfig files, which is useful in environments where the hostname used to connect to the cluster differs from the name presented in the cluster's TLS certificate [6][7][3]. The parameter is stored directly in the cluster configuration within the kubeconfig file [5][8].

Citations:


🌐 Web query:

kubeconfig tls-server-name field oc config set-cluster help

💡 Result:

The tls-server-name field in a kubeconfig file is used to specify an alternative hostname for TLS certificate verification [1][2][3]. When a client connects to a Kubernetes API server, it typically validates the server's certificate against the hostname used to contact the server (the address specified in the cluster server field) [2][3]. By setting tls-server-name, you instruct the client to instead verify the certificate against this specified name, which is useful in environments where the API server is accessed via a proxy or load balancer whose hostname differs from the one in the certificate's Common Name (CN) or Subject Alternative Name (SAN) [4][3]. You can set this field using the oc config set-cluster command as follows: oc config set-cluster <cluster_nickname> --tls-server-name=<hostname_to_verify> If the field is left empty or not provided, the client defaults to using the hostname from the cluster's server URL for verification [5][2]. This flag is functionally identical to the kubectl config set-cluster command [6][7].

Citations:


🌐 Web query:

kubectl config set-cluster --tls-server-name documentation

💡 Result:

The --tls-server-name flag for the kubectl config set-cluster command is used to specify a custom server name for server certificate validation when connecting to a Kubernetes cluster [1][2][3]. By default, when kubectl connects to a cluster, it uses the hostname from the server URL to validate the TLS certificate provided by the server [2]. If you need to use a different name for validation—for example, if the server certificate is issued to a specific Subject Alternative Name (SAN) that does not match the server's public URL—you can use this flag to override that behavior [1][3]. Usage syntax: kubectl config set-cluster [NAME] --tls-server-name=[SERVER_NAME] Example: kubectl config set-cluster my-cluster --tls-server-name=example.com If the flag is not provided, kubectl falls back to using the hostname found in the cluster's server URL [2].

Citations:


Keep kubeconfig verification enabled. oc config set-cluster supports --tls-server-name, so this can use the original API hostname for certificate validation and leave certificate-authority-data intact instead of setting --insecure-skip-tls-verify=true.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/step-registry/dpf/hypervisor/load-kubeconfig/dpf-hypervisor-load-kubeconfig-commands.sh`
around lines 71 - 74, The kubeconfig setup in the dpf hypervisor load script is
disabling TLS verification and removing certificate-authority-data, which should
be avoided. Update the cluster configuration in the oc config set-cluster flow
to keep verification enabled by using --tls-server-name with the original API
hostname, and stop unsetting clusters.${CLUSTER_NAME}.certificate-authority-data
so the existing CA data remains intact.

@linoyaslan

Copy link
Copy Markdown
Contributor

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 7, 2026
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: josecastillolema, linoyaslan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@josecastillolema: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 362163a into openshift:main Jul 7, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. rehearsals-ack Signifies that rehearsal jobs have been acknowledged

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants