2 changes: 1 addition & 1 deletion e2e/tests.bats
Expand Up @@ -207,7 +207,7 @@ wait_for_exporter() {

jmp config client delete test-client-oidc

run jmp login test-client-oidc@${LOGIN_ENDPOINT} --insecure-login-http \
run jmp login test-client-oidc@${LOGIN_ENDPOINT} --insecure --nointeractive \
--username test-client-oidc@example.com --password password --unsafe
assert_success
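Review bot: The new login line swaps `--insecure-login-http` for `--insecure`, the same switch that replaces `--insecure-tls-config` everywhere else in this change, so one flag now appears to cover what were two separate opt-ins. If that is the intent, a user who only wants to accept a self-signed certificate would, judging by the old flag's name, also be opting into the HTTP login path, and the test no longer records which of the two it relies on. A comment above the call would keep that visible, for example `# --insecure stands in for the former --insecure-login-http; --nointeractive presumably keeps the run from blocking on the confirmation prompt`. Whether `jmp login` now prompts on `--insecure` is not shown on this page and is worth confirming in the option definition. The enclosing test starts and ends outside the hunk.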

Expand Up @@ -52,14 +52,14 @@ prefixed with "keycloak:" (e.g., keycloak:example-user).
prefix usernames with `keycloak:` as configured in the claim mappings:

```console
$ jmp admin create client test-client --insecure-tls-config --oidc-username keycloak:developer-1
$ jmp admin create client test-client --insecure --oidc-username keycloak:developer-1
```

4. Instruct users to log in with:

```console
$ jmp login --client <client alias> \
--insecure-tls-config \
--insecure \
--endpoint <jumpstarter controller endpoint> \
--namespace <namespace> --name <client name> \
--issuer https://<keycloak domain>/realms/<realm name>
Expand All @@ -69,7 +69,7 @@ For non-interactive login, add username and password:

```console
$ jmp login --client <client alias> [other parameters] \
--insecure-tls-config \
--insecure \
--username <username> \
--password <password>
```
Expand All @@ -84,7 +84,7 @@ For exporters, use similar login command but with the `--exporter` flag:

```console
$ jmp login --exporter <exporter alias> \
--insecure-tls-config \
--insecure \
--endpoint <jumpstarter controller endpoint> \
--namespace <namespace> --name <exporter name> \
--issuer https://<keycloak domain>/realms/<realm name>
Expand Down Expand Up @@ -197,7 +197,7 @@ spec:

```console
$ jmp admin create exporter test-exporter --label foo=bar \
--insecure-tls-config \
--insecure \
--oidc-username dex:system:serviceaccount:default:test-service-account
```

Expand All @@ -207,7 +207,7 @@ For clients:

```console
$ jmp login --client <client alias> \
--insecure-tls-config \
--insecure \
--endpoint <jumpstarter controller endpoint> \
--namespace <namespace> --name <client name> \
--issuer https://dex.dex.svc.cluster.local:5556 \
Expand All @@ -219,7 +219,7 @@ For exporters:

```console
$ jmp login --exporter <exporter alias> \
--insecure-tls-config \
--insecure \
--endpoint <jumpstarter controller endpoint> \
--namespace <namespace> --name <exporter name> \
--issuer https://dex.dex.svc.cluster.local:5556 \
Expand Up @@ -7,7 +7,7 @@ controller service, configuring drivers, and running the exporter.
The jumpstarter-controller endpoints are secured by TLS. However, in release 0.7.x,
the certificates are self-signed and rotated on every restart. This means the client
will not be able to verify the server certificate. To bypass this, you should use the
`--insecure-tls-config` flag when creating clients and exporters. This issue will be
`--insecure` flag when creating clients and exporters. This issue will be
resolved in the next release. See [issue #72](https://github.com/jumpstarter-dev/jumpstarter/issues/72)
for more details.
Alternatively, you can configure the ingress/route in reencrypt mode with your own key and certificate.
Expand Down Expand Up @@ -40,7 +40,7 @@ Run this command to create an exporter named `example-distributed` and save the
configuration locally:

```console
$ jmp admin create exporter example-distributed --label foo=bar --save --insecure-tls-config
$ jmp admin create exporter example-distributed --label foo=bar --save --insecure
```

After creating the exporter, find the new configuration file at
Expand Down Expand Up @@ -88,7 +88,7 @@ development purposes, and saves the configuration locally in
`${HOME}/.config/jumpstarter/clients/`:

```console
$ jmp admin create client hello --save --unsafe --insecure-tls-config
$ jmp admin create client hello --save --unsafe --insecure
```

### Spawn an Exporter Shell
Expand Up @@ -6,9 +6,9 @@
from jumpstarter_cli_common.callbacks import ClickCallback
from jumpstarter_cli_common.opt import (
OutputType,
confirm_insecure_tls,
confirm_insecure,
opt_context,
opt_insecure_tls_config,
opt_insecure,
opt_kubeconfig,
opt_labels,
opt_namespace,
Expand Down Expand Up @@ -69,7 +69,7 @@ def create():
@opt_labels()
@opt_kubeconfig
@opt_context
@opt_insecure_tls_config
@opt_insecure
@opt_oidc_username
@opt_nointeractive
@opt_output_all
Expand All @@ -78,7 +78,7 @@ async def create_client(
name: Optional[str],
kubeconfig: Optional[str],
context: Optional[str],
insecure_tls_config: bool,
insecure: bool,
namespace: str,
labels: dict[str, str],
save: bool,
Expand All @@ -91,7 +91,7 @@ async def create_client(
):
"""Create a client object in the Kubernetes cluster"""
try:
confirm_insecure_tls(insecure_tls_config, nointeractive)
confirm_insecure(insecure, nointeractive)
async with ClientsV1Alpha1Api(namespace, kubeconfig, context) as api:
if output is None:
# Only print status if is not JSON/YAML
Expand All @@ -111,7 +111,7 @@ async def create_client(
allow_drivers = allow.split(",") if allow is not None and len(allow) > 0 else []
client_config.drivers.unsafe = unsafe
client_config.drivers.allow = allow_drivers
client_config.tls.insecure = insecure_tls_config
client_config.tls.insecure = insecure
ClientConfigV1Alpha1.save(client_config, out)
# If this is the only client config, set it as default
if out is None and len(ClientConfigV1Alpha1.list().items) == 1:
Expand Down Expand Up @@ -146,7 +146,7 @@ async def create_client(
@opt_labels(required=True)
@opt_kubeconfig
@opt_context
@opt_insecure_tls_config
@opt_insecure
@opt_oidc_username
@opt_nointeractive
@opt_output_all
Expand All @@ -155,7 +155,7 @@ async def create_exporter(
name: Optional[str],
kubeconfig: Optional[str],
context: Optional[str],
insecure_tls_config: bool,
insecure: bool,
namespace: str,
labels: dict[str, str],
save: bool,
Expand All @@ -166,7 +166,7 @@ async def create_exporter(
):
"""Create an exporter object in the Kubernetes cluster"""
try:
confirm_insecure_tls(insecure_tls_config, nointeractive)
confirm_insecure(insecure, nointeractive)
async with ExportersV1Alpha1Api(namespace, kubeconfig, context) as api:
if output is None:
click.echo(f"Creating exporter '{name}' in namespace '{namespace}'")
Expand All @@ -176,7 +176,7 @@ async def create_exporter(
if output is None:
click.echo("Fetching exporter credentials from cluster")
exporter_config = await api.get_exporter_config(name)
exporter_config.tls.insecure = insecure_tls_config
exporter_config.tls.insecure = insecure
ExporterConfigV1Alpha1.save(exporter_config, out)
if output is None:
click.echo(f"Exporter configuration successfully saved to {exporter_config.path}")
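Review bot: `client_config.tls.insecure = insecure` writes the flag into the saved configuration, so the choice outlives this command, and the shorter name no longer says that it is certificate verification being relaxed. With `--nointeractive` the `confirm_insecure` prompt is presumably skipped, which would leave no trace of the decision in the output. A comment at the assignment would help, e.g. `# persisted: sessions loading this config are expected to skip controller certificate verification`; the same applies to `exporter_config.tls.insecure = insecure` in `create_exporter` and to the two matching assignments in the import commands. Scripts that still pass `--insecure-tls-config` will fail unless `opt_insecure` keeps the old spelling as an alias, which this page does not show. Both function bodies start and end outside the hunks.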
Expand Up @@ -118,15 +118,15 @@ def test_create_client(
mock_get_client_config.return_value = INSECURE_TLS_CLIENT_CONFIG

# Save with prompts accept insecure = Y, save = Y, unsafe = Y
result = runner.invoke(create, ["client", "--insecure-tls-config", CLIENT_NAME], input="Y\nY\nY\n")
result = runner.invoke(create, ["client", "--insecure", CLIENT_NAME], input="Y\nY\nY\n")
assert result.exit_code == 0
assert "Client configuration successfully saved" in result.output
mock_save_client.assert_called_once_with(INSECURE_TLS_CLIENT_CONFIG, None)
mock_save_client.reset_mock()

# Save no interactive and insecure tls
result = runner.invoke(
create, ["client", "--insecure-tls-config", "--unsafe", "--save", "--nointeractive", CLIENT_NAME]
create, ["client", "--insecure", "--unsafe", "--save", "--nointeractive", CLIENT_NAME]
)
assert result.exit_code == 0
assert "Client configuration successfully saved" in result.output
Expand All @@ -137,7 +137,7 @@ def test_create_client(
mock_get_client_config.return_value = INSECURE_TLS_CLIENT_CONFIG

# Save with prompts accept insecure = N
result = runner.invoke(create, ["client", "--insecure-tls-config", CLIENT_NAME], input="n\n")
result = runner.invoke(create, ["client", "--insecure", CLIENT_NAME], input="n\n")
assert result.exit_code == 1
assert "Aborted" in result.output

Expand Down Expand Up @@ -295,7 +295,7 @@ def test_create_exporter(
_get_exporter_config_mock.return_value = INSECURE_TLS_EXPORTER_CONFIG
# Save with prompts accept insecure = Y, save = Y
result = runner.invoke(
create, ["exporter", "--insecure-tls-config", EXPORTER_NAME, "--label", "foo=bar"], input="Y\nY\n"
create, ["exporter", "--insecure", EXPORTER_NAME, "--label", "foo=bar"], input="Y\nY\n"
)
assert result.exit_code == 0
assert "Exporter configuration successfully saved" in result.output
Expand All @@ -305,7 +305,7 @@ def test_create_exporter(
_get_exporter_config_mock.return_value = INSECURE_TLS_EXPORTER_CONFIG
# Save with prompts accept no interactive
result = runner.invoke(
create, ["exporter", "--insecure-tls-config", "--nointeractive", "--save", EXPORTER_NAME, "--label", "foo=bar"]
create, ["exporter", "--insecure", "--nointeractive", "--save", EXPORTER_NAME, "--label", "foo=bar"]
)
assert result.exit_code == 0
assert "Exporter configuration successfully saved" in result.output
Expand All @@ -316,7 +316,7 @@ def test_create_exporter(
_get_exporter_config_mock.return_value = INSECURE_TLS_EXPORTER_CONFIG
# Save with prompts accept insecure = N
result = runner.invoke(
create, ["exporter", "--insecure-tls-config", EXPORTER_NAME, "--label", "foo=bar"], input="n\n"
create, ["exporter", "--insecure", EXPORTER_NAME, "--label", "foo=bar"], input="n\n"
)
assert result.exit_code == 1
assert "Aborted" in result.output
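Review bot: `mock_save_client.assert_called_once_with(INSECURE_TLS_CLIENT_CONFIG, None)` cannot tell whether `--insecure` was applied, because the config mock returns `INSECURE_TLS_CLIENT_CONFIG` and the command appears to set `tls.insecure` on that same object before saving it, so the assertion compares the object with itself. Asserting the field directly would pin the behaviour, e.g. `assert mock_save_client.call_args.args[0].tls.insecure is True`, paired with a run without the flag that expects `False`. The exporter cases and the import tests follow the same pattern. The `insecure = N` cases here check only the exit code and `Aborted`, while the import tests also call `assert_not_called()` on the save mock; the create tests would benefit from the same unless it sits just outside the hunk. `test_create_client` and `test_create_exporter` continue outside the hunks.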
Expand Up @@ -4,9 +4,9 @@
from jumpstarter_cli_common.blocking import blocking
from jumpstarter_cli_common.opt import (
PathOutputType,
confirm_insecure_tls,
confirm_insecure,
opt_context,
opt_insecure_tls_config,
opt_insecure,
opt_kubeconfig,
opt_namespace,
opt_nointeractive,
Expand Down Expand Up @@ -48,7 +48,7 @@ def import_res():
@opt_namespace
@opt_kubeconfig
@opt_context
@opt_insecure_tls_config
@opt_insecure
@opt_output_path_only
@opt_nointeractive
@blocking
Expand All @@ -57,7 +57,7 @@ async def import_client(
namespace: str,
kubeconfig: Optional[str],
context: Optional[str],
insecure_tls_config: bool,
insecure: bool,
allow: Optional[str],
unsafe: bool,
out: Optional[str],
Expand All @@ -69,7 +69,7 @@ async def import_client(
if out is None and ClientConfigV1Alpha1.exists(name):
raise click.ClickException(f"A client with the name '{name}' already exists")
try:
confirm_insecure_tls(insecure_tls_config, nointeractive)
confirm_insecure(insecure, nointeractive)
async with ClientsV1Alpha1Api(namespace, kubeconfig, context) as api:
if unsafe is False and allow is None and nointeractive is False:
unsafe = click.confirm("Allow unsafe driver client imports?")
Expand All @@ -81,7 +81,7 @@ async def import_client(
click.echo("Fetching client credentials from cluster")
allow_drivers = allow.split(",") if allow is not None and len(allow) > 0 else []
client_config = await api.get_client_config(name, allow=allow_drivers, unsafe=unsafe)
client_config.tls.insecure = insecure_tls_config
client_config.tls.insecure = insecure
config_path = ClientConfigV1Alpha1.save(client_config, out)
# If this is the only client config, set it as default
if out is None and len(ClientConfigV1Alpha1.list().items) == 1:
Expand All @@ -108,7 +108,7 @@ async def import_client(
@opt_namespace
@opt_kubeconfig
@opt_context
@opt_insecure_tls_config
@opt_insecure
@opt_output_path_only
@opt_nointeractive
@blocking
Expand All @@ -118,7 +118,7 @@ async def import_exporter(
out: Optional[str],
kubeconfig: Optional[str],
context: Optional[str],
insecure_tls_config: bool,
insecure: bool,
output: PathOutputType,
nointeractive: bool,
):
Expand All @@ -130,12 +130,12 @@ async def import_exporter(
else:
raise click.ClickException(f'An exporter with the name "{name}" already exists')
try:
confirm_insecure_tls(insecure_tls_config, nointeractive)
confirm_insecure(insecure, nointeractive)
async with ExportersV1Alpha1Api(namespace, kubeconfig, context) as api:
if output is None:
click.echo("Fetching exporter credentials from cluster")
exporter_config = await api.get_exporter_config(name)
exporter_config.tls.insecure = insecure_tls_config
exporter_config.tls.insecure = insecure
config_path = ExporterConfigV1Alpha1.save(exporter_config, out)
if output is None:
click.echo(f"Exporter configuration successfully saved to {config_path}")
Expand Up @@ -71,21 +71,21 @@ def test_import_client(_load_kube_config_mock, get_client_config_mock: AsyncMock
get_client_config_mock.return_value = INSECURE_TLS_CLIENT_CONFIG

# Save with prompts accept insecure = Y
result = runner.invoke(import_res, ["client", CLIENT_NAME, "--insecure-tls-config"], input="Y\nY\n")
result = runner.invoke(import_res, ["client", CLIENT_NAME, "--insecure"], input="Y\nY\n")
assert result.exit_code == 0
assert "Client configuration successfully saved" in result.output
save_client_config_mock.assert_called_once_with(INSECURE_TLS_CLIENT_CONFIG, None)
save_client_config_mock.reset_mock()

# Save with prompts no interactive prompts and insecure tls cert
result = runner.invoke(import_res, ["client", CLIENT_NAME, "--nointeractive", "--insecure-tls-config"])
result = runner.invoke(import_res, ["client", CLIENT_NAME, "--nointeractive", "--insecure"])
assert result.exit_code == 0
assert "Client configuration successfully saved" in result.output
save_client_config_mock.assert_called_once_with(INSECURE_TLS_CLIENT_CONFIG, None)
save_client_config_mock.reset_mock()

# Save with prompts accept insecure = N
result = runner.invoke(import_res, ["client", CLIENT_NAME, "--insecure-tls-config"], input="n\n")
result = runner.invoke(import_res, ["client", CLIENT_NAME, "--insecure"], input="n\n")
assert result.exit_code == 1
assert "Aborted" in result.output
save_client_config_mock.assert_not_called()
Expand Down Expand Up @@ -168,14 +168,14 @@ def test_import_exporter(_load_kube_config_mock, _get_exporter_config_mock, save
_get_exporter_config_mock.return_value = INSECURE_TLS_EXPORTER_CONFIG

# Save with prompts accept insecure = Y
result = runner.invoke(import_res, ["exporter", EXPORTER_NAME, "--insecure-tls-config"], input="Y\n")
result = runner.invoke(import_res, ["exporter", EXPORTER_NAME, "--insecure"], input="Y\n")
assert result.exit_code == 0
assert "Exporter configuration successfully saved" in result.output
save_exporter_config_mock.assert_called_once_with(INSECURE_TLS_EXPORTER_CONFIG, None)
save_exporter_config_mock.reset_mock()

# Save with prompts accept insecure = N
result = runner.invoke(import_res, ["exporter", EXPORTER_NAME, "--insecure-tls-config"], input="n\n")
result = runner.invoke(import_res, ["exporter", EXPORTER_NAME, "--insecure"], input="n\n")
assert result.exit_code == 1
assert "Aborted" in result.output
save_exporter_config_mock.assert_not_called()