From 94b43dc582832204a6b01cd12d34a6056b1c6cd9 Mon Sep 17 00:00:00 2001 From: "patchback[bot]" <45432694+patchback[bot]@users.noreply.github.com> Date: Fri, 23 Jan 2026 20:24:44 +0000 Subject: [PATCH] Fix K8S_AUTH_VERIFY_SSL environment value handling in kubectl connection plugin (#1049) (#1069) This is a backport of PR #1049 as merged into main (12abc9b). SUMMARY Fixed a bug where setting K8S_AUTH_VERIFY_SSL=true (or any string value) caused the value to be treated as a separate kubectl command argument instead of being properly converted to a boolean. The option key name is validate_certs, which does NOT end with "verify_ssl", so the original condition key.endswith("verify_ssl") at line 327 failed. This caused the code to fall through to the else block which added the value as separate arguments: ["--insecure-skip-tls-verify", "true"], making "true" appear as a kubectl command. Fixes #1021 ISSUE TYPE Bugfix Pull Request COMPONENT NAME kubernetes.core.kubectl ADDITIONAL INFORMATION Changes Made Changed condition from key.endswith("verify_ssl") to key == "validate_certs" Added import of boolean function from ansible.module_utils.parsing.convert_bool Added proper boolean conversion using boolean(self.get_option(key), strict=False) Partially used LLM (GitHub Copilot with Claude Sonnet 4). Before Fix K8S_AUTH_VERIFY_SSL=true Command: ['/usr/bin/kubectl', '--insecure-skip-tls-verify', 'true', 'exec', ...] ^^^^^ treated as kubectl command (BUG!) After Fix K8S_AUTH_VERIFY_SSL=true Command: ['/usr/bin/kubectl', '--insecure-skip-tls-verify=false', 'exec', ...] ^^^^^ properly converted (FIXED!) Reviewed-by: Bianca Henderson --- ...S_AUTH_VERIFY_SSL-in-kubectl-connecton-plugion.yaml | 2 ++ plugins/connection/kubectl.py | 10 +++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 changelogs/fragments/20251220-fix-K8S_AUTH_VERIFY_SSL-in-kubectl-connecton-plugion.yaml 
diff --git a/changelogs/fragments/20251220-fix-K8S_AUTH_VERIFY_SSL-in-kubectl-connecton-plugion.yaml b/changelogs/fragments/20251220-fix-K8S_AUTH_VERIFY_SSL-in-kubectl-connecton-plugion.yaml
new file mode 100644
index 00000000..9313ea4f
--- /dev/null
+++ b/changelogs/fragments/20251220-fix-K8S_AUTH_VERIFY_SSL-in-kubectl-connecton-plugion.yaml
@@ -0,0 +1,2 @@
+bugfixes:
+ - Fixed a bug where setting K8S_AUTH_VERIFY_SSL=true (or any string value) caused the value to be treated as a separate kubectl command argument. (https://github.com/ansible-collections/kubernetes.core/pull/1049).
diff --git a/plugins/connection/kubectl.py b/plugins/connection/kubectl.py
index 47953845..1f865cd0 100644
--- a/plugins/connection/kubectl.py
+++ b/plugins/connection/kubectl.py
@@ -265,6 +265,7 @@ import tempfile
 from ansible.errors import AnsibleError, AnsibleFileNotFound
 from ansible.module_utils._text import to_bytes
+from ansible.module_utils.parsing.convert_bool import boolean
 from ansible.module_utils.six.moves import shlex_quote
 from ansible.parsing.yaml.loader import AnsibleLoader
 from ansible.plugins.connection import BUFSIZE, ConnectionBase
@@ -324,9 +325,12 @@ class Connection(ConnectionBase):
 # Build command options based on doc string
 doc_yaml = AnsibleLoader(self.documentation).get_single_data()
 for key in doc_yaml.get("options"):
- if key.endswith("verify_ssl") and self.get_option(key) != "":
- # Translate verify_ssl to skip_verify_ssl, and output as string
- skip_verify_ssl = not self.get_option(key)
+ if key == "validate_certs" and self.get_option(key) != "":
+ # Translate validate_certs to --insecure-skip-tls-verify flag
+ # validate_certs=True means verify certs (don't skip verification)
+ # validate_certs=False means don't verify certs (skip verification)
+ validate_certs_value = boolean(self.get_option(key), strict=False)
+ skip_verify_ssl = not validate_certs_value
 local_cmd.append(
 "{0}={1}".format(
 self.connection_options[key], str(skip_verify_ssl).lower()
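Review bot: The conversion `boolean(self.get_option(key), strict=False)` in the `kubectl.py` hunk at `-324,9 +325,12` fails open. With `strict=False`, Ansible's `boolean()` returns False for any value it does not recognise, so a misspelled `K8S_AUTH_VERIFY_SSL` (for example `ture`) becomes `validate_certs=False` and the plugin passes `--insecure-skip-tls-verify=true` without any warning. Use the strict form, `validate_certs_value = boolean(self.get_option(key), strict=True)`, and catch the resulting `TypeError` to re-raise it as an `AnsibleError` (already imported in this file) that names `validate_certs`, so a bad value stops the connection instead of disabling certificate verification. The guard `self.get_option(key) != ""` also lets `None` through to the conversion; whether the option can be `None` here depends on its declared default, which is outside this hunk, as is the rest of the enclosing method.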