From 02d2bb1ca3823b65fed84f254c5ef8931c89dd4c Mon Sep 17 00:00:00 2001 From: Ambient Code Bot Date: Thu, 9 Apr 2026 20:30:05 +0000 Subject: [PATCH 1/2] fix: replace --insecure-skip-tls-verify with --certificate-authority in CI oc login Remove --insecure-skip-tls-verify from all oc login commands in CI workflows to prevent MITM attacks during token exchange. Each login step now writes the cluster CA bundle (from a GitHub Actions secret) to a temp file and passes --certificate-authority instead. Secrets required: - OPENSHIFT_CA_BUNDLE (staging/dev cluster) - PROD_OPENSHIFT_CA_BUNDLE (production cluster) Closes #1271 Co-Authored-By: Claude Opus 4.6 --- .github/workflows/components-build-deploy.yml | 12 ++++++++---- .github/workflows/prod-release-deploy.yaml | 6 ++++-- 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/components-build-deploy.yml b/.github/workflows/components-build-deploy.yml
index 6e3887cfc..530745172 100755
--- a/.github/workflows/components-build-deploy.yml
+++ b/.github/workflows/components-build-deploy.yml
@@ -206,7 +206,8 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --insecure-skip-tls-verify
+ echo "${{ secrets.OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
 - name: Deploy Service Mesh operator via OLM
 run: |
@@ -327,7 +328,8 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --insecure-skip-tls-verify
+ echo "${{ secrets.OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
 - name: Apply RBAC and CRD manifests
 run: |
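Review bot: The two added lines in the `@@ -206,7 +206,8` hunk, and the `oc login` line that survives into PATCH 2/2, expand `${{ secrets.* }}` directly into the step's shell script, so the CA bundle, server URL and token become part of the rendered command text instead of being read from the environment, and the unquoted `${{ secrets.OPENSHIFT_SERVER }}` is subject to shell word-splitting. The usual remedy for `run:` steps is to map the secrets through step-level `env:` and reference them as quoted shell variables. The same pattern is in this patch's other five hunks (`@@ -327`, `@@ -360`, `@@ -435` in components-build-deploy.yml and `@@ -345`, `@@ -472` in prod-release-deploy.yaml with the `PROD_` secrets) and in all six hunks of PATCH 2/2, so the fence below shows the shape for the final PATCH 2/2 form of the step; the CA-bundle `echo` lines are dropped again by that patch and are not repeated here.
```yaml
      - name: Log in to OpenShift Cluster
        env:
          OPENSHIFT_SERVER: ${{ secrets.OPENSHIFT_SERVER }}
          OPENSHIFT_TOKEN: ${{ secrets.OPENSHIFT_TOKEN }}
        run: |
          # Secrets come in via env so they never appear in the rendered script text
          oc login "$OPENSHIFT_SERVER" --token="$OPENSHIFT_TOKEN"
      # … unchanged: following deploy step …
```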
@@ -360,7 +362,8 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --insecure-skip-tls-verify
+ echo "${{ secrets.OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
 - name: Update kustomization with SHA image tags
 working-directory: components/manifests/overlays/production
@@ -435,7 +438,8 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --insecure-skip-tls-verify
+ echo "${{ secrets.OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
 - name: Update kustomization with SHA image tags
 working-directory: components/manifests/overlays/production
diff --git a/.github/workflows/prod-release-deploy.yaml b/.github/workflows/prod-release-deploy.yaml
index 5ad67d1f9..a431215b8 100755
--- a/.github/workflows/prod-release-deploy.yaml
+++ b/.github/workflows/prod-release-deploy.yaml
@@ -345,7 +345,8 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- oc login ${{ secrets.PROD_OPENSHIFT_SERVER }} --token=${{ secrets.PROD_OPENSHIFT_TOKEN }} --insecure-skip-tls-verify
+ echo "${{ secrets.PROD_OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.PROD_OPENSHIFT_SERVER }} --token=${{ secrets.PROD_OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
 - name: Deploy Service Mesh operator via OLM
 run: |
@@ -472,7 +473,8 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- oc login ${{ secrets.PROD_OPENSHIFT_SERVER }} --token=${{ secrets.PROD_OPENSHIFT_TOKEN }} --insecure-skip-tls-verify
+ echo "${{ secrets.PROD_OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.PROD_OPENSHIFT_SERVER }} --token=${{ secrets.PROD_OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
 - name: Deploy observability stack
 run: |
From 89f1a4b07d5bbebbd03a8fcbe34c8b10dba673e0 Mon Sep 17 00:00:00 2001 From: Ambient Code Bot Date: Thu, 9 Apr 2026 20:44:00 +0000 Subject: [PATCH 2/2] fix: simply remove --insecure-skip-tls-verify (clusters use public CA) The OpenShift clusters use a publicly trusted certificate authority, so no --certificate-authority flag or CA bundle secret is needed. Simply removing the insecure flag is sufficient. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/components-build-deploy.yml | 12 ++++-------- .github/workflows/prod-release-deploy.yaml | 6 ++---- 2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/components-build-deploy.yml b/.github/workflows/components-build-deploy.yml
index 530745172..6ababd85f 100755
--- a/.github/workflows/components-build-deploy.yml
+++ b/.github/workflows/components-build-deploy.yml
@@ -206,8 +206,7 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- echo "${{ secrets.OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
- oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }}
 - name: Deploy Service Mesh operator via OLM
 run: |
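Review bot: In the PATCH 2/2 hunk `@@ -206,8 +206,7` the surviving line `oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }}` carries no record of why neither `--certificate-authority` nor the removed flag is needed; the "publicly trusted CA" rationale exists only in this commit message, and the next engineer who meets a TLS error on a runner is likely to reach for the flag this series just removed. Add a comment above the command, e.g. `# TLS is verified against the runner's system trust store; cluster certs are issued by a publicly trusted CA, so no CA flag is needed`. With the flag gone, a certificate the runner does not trust makes `oc login` fail rather than proceed, which is the intended fail-closed behaviour; it would be worth confirming on the actual runner image once before merging, since nothing in the diff demonstrates the chain is trusted there. The same comment belongs in this patch's other five hunks (`@@ -328`, `@@ -362`, `@@ -438` here and `@@ -345`, `@@ -473` in prod-release-deploy.yaml), and PATCH 1/2's description still lists `OPENSHIFT_CA_BUNDLE` and `PROD_OPENSHIFT_CA_BUNDLE` as required secrets, which this patch makes obsolete.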
@@ -328,8 +327,7 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- echo "${{ secrets.OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
- oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }}
 - name: Apply RBAC and CRD manifests
 run: |
@@ -362,8 +360,7 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- echo "${{ secrets.OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
- oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }}
 - name: Update kustomization with SHA image tags
 working-directory: components/manifests/overlays/production
@@ -438,8 +435,7 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- echo "${{ secrets.OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
- oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.OPENSHIFT_SERVER }} --token=${{ secrets.OPENSHIFT_TOKEN }}
 - name: Update kustomization with SHA image tags
 working-directory: components/manifests/overlays/production
diff --git a/.github/workflows/prod-release-deploy.yaml b/.github/workflows/prod-release-deploy.yaml
index a431215b8..dcff0a8be 100755
--- a/.github/workflows/prod-release-deploy.yaml
+++ b/.github/workflows/prod-release-deploy.yaml
@@ -345,8 +345,7 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- echo "${{ secrets.PROD_OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
- oc login ${{ secrets.PROD_OPENSHIFT_SERVER }} --token=${{ secrets.PROD_OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.PROD_OPENSHIFT_SERVER }} --token=${{ secrets.PROD_OPENSHIFT_TOKEN }}
 - name: Deploy Service Mesh operator via OLM
 run: |
@@ -473,8 +472,7 @@ jobs:
 - name: Log in to OpenShift Cluster
 run: |
- echo "${{ secrets.PROD_OPENSHIFT_CA_BUNDLE }}" > "$RUNNER_TEMP/openshift-ca.crt"
- oc login ${{ secrets.PROD_OPENSHIFT_SERVER }} --token=${{ secrets.PROD_OPENSHIFT_TOKEN }} --certificate-authority="$RUNNER_TEMP/openshift-ca.crt"
+ oc login ${{ secrets.PROD_OPENSHIFT_SERVER }} --token=${{ secrets.PROD_OPENSHIFT_TOKEN }}
 - name: Deploy observability stack
 run: |