From 19bbb267eeb9d0aacda5d2f0bae2cbb09a49a69b Mon Sep 17 00:00:00 2001
From: Burt Holzman <burt@fnal.gov>
Date: Tue, 4 Nov 2025 10:58:22 -0600
Subject: [PATCH] Do not verify TLS if cluster is configured as insecure

---
 pkg/cli/login/loginoptions.go | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/pkg/cli/login/loginoptions.go b/pkg/cli/login/loginoptions.go
index efbe6b57fe..4318b34799 100644
--- a/pkg/cli/login/loginoptions.go
+++ b/pkg/cli/login/loginoptions.go
@@ -160,7 +160,7 @@ func (o *LoginOptions) getClientConfig() (*restclient.Config, error) {
 	}
 	o.Server = serverNormalized
 	clientConfig.Host = o.Server
-	clientConfig.Insecure = o.InsecureTLS
+	clientConfig.Insecure = o.InsecureTLS || hasExistingInsecureCluster(*clientConfig, *o.StartingKubeConfig)
 
 	if !o.InsecureTLS {
 		// use specified CA or find existing CA
@@ -188,9 +188,7 @@ func (o *LoginOptions) getClientConfig() (*restclient.Config, error) {
 		// connection or if we already have a cluster stanza that tells us to
 		// connect to this particular server insecurely
 		case x509.UnknownAuthorityError, x509.HostnameError, x509.CertificateInvalidError:
-			if o.InsecureTLS ||
-				hasExistingInsecureCluster(*clientConfig, *o.StartingKubeConfig) ||
-				promptForInsecureTLS(o.In, o.Out, err) {
+			if promptForInsecureTLS(o.In, o.Out, err) {
 				clientConfig.Insecure = true
 				clientConfig.CAFile = ""
 				clientConfig.CAData = nil