Fix K8S_AUTH_VERIFY_SSL environment value handling in kubectl connection plugin (#1049)

SUMMARY Fixed a bug where setting K8S_AUTH_VERIFY_SSL=true (or any string value) caused the value to be treated as a separate kubectl command argument instead of being properly converted to a boolean. The option key name is validate_certs, which does NOT end with "verify_ssl", so the original condition key.endswith("verify_ssl") at line 327 failed. This caused the code to fall through to the else block which added the value as separate arguments: ["--insecure-skip-tls-verify", "true"], making "true" appear as a kubectl command. Fixes #1021 ISSUE TYPE Bugfix Pull Request COMPONENT NAME kubernetes.core.kubectl ADDITIONAL INFORMATION Changes Made Changed condition from key.endswith("verify_ssl") to key == "validate_certs" Added import of boolean function from ansible.module_utils.parsing.convert_bool Added proper boolean conversion using boolean(self.get_option(key), strict=False) Partially used LLM (GitHub Copilot with Claude Sonnet 4). Before Fix K8S_AUTH_VERIFY_SSL=true Command: ['/usr/bin/kubectl', '--insecure-skip-tls-verify', 'true', 'exec', ...] ^^^^^ treated as kubectl command (BUG!) After Fix K8S_AUTH_VERIFY_SSL=true Command: ['/usr/bin/kubectl', '--insecure-skip-tls-verify=false', 'exec', ...] ^^^^^ properly converted (FIXED!) Reviewed-by: Bikouo Aubin Reviewed-by: Alina Buzachis Reviewed-by: Bianca Henderson <beeankha@gmail.com>
2026-03-26 21:33:02 +00:00 · 2026-01-23 16:30:28 +01:00
parent 987c029c87
commit 12abc9bda9
2 changed files with 9 additions and 3 deletions
--- a/changelogs/fragments/20251220-fix-K8S_AUTH_VERIFY_SSL-in-kubectl-connecton-plugion.yaml
+++ b/changelogs/fragments/20251220-fix-K8S_AUTH_VERIFY_SSL-in-kubectl-connecton-plugion.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+  - Fixed a bug where setting K8S_AUTH_VERIFY_SSL=true (or any string value) caused the value to be treated as a separate kubectl command argument. (https://github.com/ansible-collections/kubernetes.core/pull/1049).
--- a/plugins/connection/kubectl.py
+++ b/plugins/connection/kubectl.py
@@ -265,6 +265,7 @@ import tempfile

 from ansible.errors import AnsibleError, AnsibleFileNotFound
 from ansible.module_utils._text import to_bytes
+from ansible.module_utils.parsing.convert_bool import boolean
 from ansible.module_utils.six.moves import shlex_quote
 from ansible.parsing.yaml.loader import AnsibleLoader
 from ansible.plugins.connection import BUFSIZE, ConnectionBase
@@ -324,9 +325,12 @@ class Connection(ConnectionBase):
        # Build command options based on doc string
        doc_yaml = AnsibleLoader(self.documentation).get_single_data()
        for key in doc_yaml.get("options"):
-            if key.endswith("verify_ssl") and self.get_option(key) != "":
-                # Translate verify_ssl to skip_verify_ssl, and output as string
-                skip_verify_ssl = not self.get_option(key)
+            if key == "validate_certs" and self.get_option(key) != "":
+                # Translate validate_certs to --insecure-skip-tls-verify flag
+                # validate_certs=True means verify certs (don't skip verification)
+                # validate_certs=False means don't verify certs (skip verification)
+                validate_certs_value = boolean(self.get_option(key), strict=False)
+                skip_verify_ssl = not validate_certs_value
                local_cmd.append(
                    "{0}={1}".format(
                        self.connection_options[key], str(skip_verify_ssl).lower()