openstack: pass through InsecureSkipVerify into openstack components

If the user has set InsecureSkipVerify in the kops cluster spec for openstack,
we should pass that through to the openstack clients we create, so that they
honor that setting.

We use a "private" environment variable KOPS_OS_TLS_INSECURE_SKIP_VERIFY,
because there is no well-known OpenStack environment variable for this purpose.

Author: justinsb

dnsprovider/pkg/dnsprovider/providers/openstack/designate/designate.go

@@ -63,7 +63,7 @@ func newDesignate(_ io.Reader) (*Interface, error) {
 	klog.V(4).Infof("Using user-agent %s", ua.Join())
 
 	tlsconfig := &tls.Config{}
-	tlsconfig.InsecureSkipVerify = true
+	tlsconfig.InsecureSkipVerify = oc.GetInsecureSkipVerify()
 	transport := &http.Transport{TLSClientConfig: tlsconfig}
 	provider.HTTPClient = http.Client{
 		Transport: transport,

nodeup/pkg/bootstrap/install.go

@@ -108,6 +108,7 @@ func (i *Installation) buildEnvFile() *nodetasks.InstallFile {
 			"OS_REGION_NAME",
 			"OS_APPLICATION_CREDENTIAL_ID",
 			"OS_APPLICATION_CREDENTIAL_SECRET",
+			openstackconfig.EnvKeyOpenstackTLSInsecureSkipVerify,
 		} {
 			envVars[envVar] = os.Getenv(envVar)
 		}

nodeup/pkg/model/protokube.go

@@ -268,6 +268,7 @@ func (t *ProtokubeBuilder) buildEnvFile() (*nodetasks.File, error) {
 			"OS_REGION_NAME",
 			"OS_APPLICATION_CREDENTIAL_ID",
 			"OS_APPLICATION_CREDENTIAL_SECRET",
+			openstackconfig.EnvKeyOpenstackTLSInsecureSkipVerify,
 		} {
 			envVars[envVar] = os.Getenv(envVar)
 		}

pkg/model/resources/nodeup.go

@@ -385,6 +385,11 @@ func buildEnvironmentVariables(cluster *kops.Cluster, ig *kops.InstanceGroup) (m
 			)
 		}
 
+		// Map our Insecure Skip Verify setting
+		if cluster.Spec.CloudProvider.Openstack != nil && fi.ValueOf(cluster.Spec.CloudProvider.Openstack.InsecureSkipVerify) {
+			os.Setenv(openstackconfig.EnvKeyOpenstackTLSInsecureSkipVerify, "true")
+		}
+
 		// credentials needed always in control-plane and when using gossip also in nodes
 		passEnvs := false
 		if ig.IsControlPlane() || cluster.UsesLegacyGossip() {

util/pkg/env/standard.go

@@ -24,6 +24,7 @@ import (
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/cloudup/scaleway"
+	"k8s.io/kops/util/pkg/vfs/openstackconfig"
 )
 
 type EnvVars map[string]string
@@ -64,6 +65,11 @@ func BuildSystemComponentEnvVars(spec *kops.ClusterSpec) EnvVars {
 	vars.addEnvVariableIfExist("OS_APPLICATION_CREDENTIAL_ID")
 	vars.addEnvVariableIfExist("OS_APPLICATION_CREDENTIAL_SECRET")
 
+	// Map our Insecure Skip Verify setting
+	if spec.CloudProvider.Openstack != nil && fi.ValueOf(spec.CloudProvider.Openstack.InsecureSkipVerify) {
+		vars[openstackconfig.EnvKeyOpenstackTLSInsecureSkipVerify] = "true"
+	}
+
 	// Digital Ocean related values.
 	vars.addEnvVariableIfExist("DIGITALOCEAN_ACCESS_TOKEN")
 

util/pkg/env/standard_test.go

@@ -0,0 +1,91 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package env
+
+import (
+	"testing"
+
+	"k8s.io/kops/pkg/apis/kops"
+	"k8s.io/kops/upup/pkg/fi"
+)
+
+func TestBuildSystemComponentEnvVars(t *testing.T) {
+	tests := []struct {
+		name      string
+		spec      *kops.ClusterSpec
+		envVar    string
+		wantVal   string
+		wantExist bool
+	}{
+		{
+			name: "Openstack nil",
+			spec: &kops.ClusterSpec{
+				CloudProvider: kops.CloudProviderSpec{},
+			},
+			envVar:    "KOPS_OS_TLS_INSECURE_SKIP_VERIFY",
+			wantExist: false,
+		},
+		{
+			name: "Openstack InsecureSkipVerify nil",
+			spec: &kops.ClusterSpec{
+				CloudProvider: kops.CloudProviderSpec{
+					Openstack: &kops.OpenstackSpec{},
+				},
+			},
+			envVar:    "KOPS_OS_TLS_INSECURE_SKIP_VERIFY",
+			wantExist: false,
+		},
+		{
+			name: "Openstack InsecureSkipVerify false",
+			spec: &kops.ClusterSpec{
+				CloudProvider: kops.CloudProviderSpec{
+					Openstack: &kops.OpenstackSpec{
+						InsecureSkipVerify: fi.PtrTo(false),
+					},
+				},
+			},
+			envVar:    "KOPS_OS_TLS_INSECURE_SKIP_VERIFY",
+			wantExist: false,
+		},
+		{
+			name: "Openstack InsecureSkipVerify true",
+			spec: &kops.ClusterSpec{
+				CloudProvider: kops.CloudProviderSpec{
+					Openstack: &kops.OpenstackSpec{
+						InsecureSkipVerify: fi.PtrTo(true),
+					},
+				},
+			},
+			envVar:    "KOPS_OS_TLS_INSECURE_SKIP_VERIFY",
+			wantVal:   "true",
+			wantExist: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			vars := BuildSystemComponentEnvVars(tc.spec)
+			val, ok := vars[tc.envVar]
+			if ok != tc.wantExist {
+				t.Errorf("Expected existence of key %q to be %v, but got %v", tc.envVar, tc.wantExist, ok)
+			}
+			if tc.wantExist && val != tc.wantVal {
+				t.Errorf("Expected value of key %q to be %q, but got %q", tc.envVar, tc.wantVal, val)
+			}
+		})
+	}
+}

util/pkg/vfs/openstackconfig/env.go

@@ -0,0 +1,23 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package openstackconfig
+
+// KOPS_OS_TLS_INSECURE_SKIP_VERIFY is used to configure skipping TLS verification for OpenStack clients
+// Ideally there would be a well-known OpenStack environment variable for this purpose,
+// but there isn't one at present.
+// Instead we create a KOPS_-specific variable.
+const EnvKeyOpenstackTLSInsecureSkipVerify = "KOPS_OS_TLS_INSECURE_SKIP_VERIFY"

util/pkg/vfs/swiftfs.go

@@ -41,6 +41,7 @@ import (
 	"k8s.io/client-go/util/homedir"
 	"k8s.io/klog/v2"
 	"k8s.io/kops/util/pkg/hashing"
+	"k8s.io/kops/util/pkg/vfs/openstackconfig"
 )
 
 func NewSwiftClient(ctx context.Context) (*gophercloud.ServiceClient, error) {
@@ -62,7 +63,7 @@ func NewSwiftClient(ctx context.Context) (*gophercloud.ServiceClient, error) {
 	klog.V(4).Infof("Using user-agent %s", ua.Join())
 
 	tlsconfig := &tls.Config{}
-	tlsconfig.InsecureSkipVerify = true
+	tlsconfig.InsecureSkipVerify = config.GetInsecureSkipVerify()
 	transport := &http.Transport{TLSClientConfig: tlsconfig}
 	pc.HTTPClient = http.Client{
 		Transport: transport,
@@ -150,6 +151,14 @@ func (oc OpenstackConfig) GetCredential() (gophercloud.AuthOptions, error) {
 	return env, nil
 }
 
+func (oc OpenstackConfig) GetInsecureSkipVerify() bool {
+	s := os.Getenv(openstackconfig.EnvKeyOpenstackTLSInsecureSkipVerify)
+	if s == "true" || s == "1" {
+		return true
+	}
+	return false
+}
+
 func (oc OpenstackConfig) GetRegion() (string, error) {
 	var region string
 	if region = os.Getenv("OS_REGION_NAME"); region != "" {

util/pkg/vfs/swiftfs_test.go

@@ -0,0 +1,89 @@
+/*
+Copyright 2026 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package vfs
+
+import (
+	"testing"
+)
+
+func TestOpenstackConfig_GetInsecureSkipVerify(t *testing.T) {
+	tests := []struct {
+		name   string
+		envVal string
+		envSet bool // if false, don't set the env var (simulate unset)
+		want   bool
+	}{
+		{
+			name:   "Not set",
+			envSet: false,
+			want:   false,
+		},
+		{
+			name:   "Set to empty string",
+			envVal: "",
+			envSet: true,
+			want:   false,
+		},
+		{
+			name:   "Set to true",
+			envVal: "true",
+			envSet: true,
+			want:   true,
+		},
+		{
+			name:   "Set to 1",
+			envVal: "1",
+			envSet: true,
+			want:   true,
+		},
+		{
+			name:   "Set to false",
+			envVal: "false",
+			envSet: true,
+			want:   false,
+		},
+		{
+			name:   "Set to 0",
+			envVal: "0",
+			envSet: true,
+			want:   false,
+		},
+		{
+			name:   "Set to other",
+			envVal: "foo",
+			envSet: true,
+			want:   false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			if tc.envSet {
+				t.Setenv("KOPS_OS_TLS_INSECURE_SKIP_VERIFY", tc.envVal)
+			} else {
+				// Ensure it's not set from the environment where tests are running
+				t.Setenv("KOPS_OS_TLS_INSECURE_SKIP_VERIFY", "")
+			}
+
+			oc := OpenstackConfig{}
+			got := oc.GetInsecureSkipVerify()
+			if got != tc.want {
+				t.Errorf("GetInsecureSkipVerify() = %v, want %v", got, tc.want)
+			}
+		})
+	}
+}