concourse / oci-build-task

a Concourse task for building OCI images
Apache License 2.0

Building using an image from a private repository results in "x509: certificate signed by unknown authority". #83

Open chriseaton opened 2 years ago

chriseaton commented 2 years ago

When our Dockerfile specifies an image in a private repo, it causes the oci-build-task to fail. As far as I could tell, there's no way to specify a custom CA.

    ERROR: failed to do request: Head "https://our-private-repo/v2/shared/centos/manifests/latest": x509: certificate signed by unknown authority

CJLove commented 2 years ago

Here's a possible workaround, with the downside that you're basically forking the official oci-build-task image and using it in the interim:

  1. Build your own oci-build-task image with a Dockerfile like this to add your ca.crt file to the image, and push it to your private registry

         FROM docker.io/concourse/oci-build-task:latest

         COPY ca.crt /usr/local/share/ca-certificates/

         RUN update-ca-certificates

  2. In your pipeline, specify your `oci-build-task` image in place of the official one

...
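A pre-flight check for the `ca.crt` used in the workaround above, as an added example that is not part of the thread or of the oci-build-task project. The function names, file names and throwaway certificates are constructed for illustration; it assumes the `openssl` CLI with its default configuration is installed.

```shell
#!/bin/sh
# Added example: validate ca.crt before baking it into a custom image.

# check_ca <ca-file> [server-cert.pem] -> 0 if usable, else a reason code
check_ca() {
  ca="$1"; leaf="${2:-}"
  # Debian/Ubuntu update-ca-certificates only picks up files named *.crt.
  case "$ca" in *.crt) ;; *) echo "rename file to *.crt" >&2; return 2 ;; esac
  # The trust-store tooling expects PEM, not a DER/binary export.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" \
    || { echo "not PEM encoded" >&2; return 3; }
  # Must parse as X.509 and must not be expired.
  openssl x509 -in "$ca" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "unparseable or expired" >&2; return 4; }
  # If a copy of the registry's server certificate is at hand, confirm that
  # this CA really issued it; a wrong CA leaves the x509 error in place.
  if [ -n "$leaf" ]; then
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 \
      || { echo "CA does not verify the server certificate" >&2; return 5; }
  fi
  return 0
}

# Constructed sample data: a private CA, a server cert it issues, and an
# unrelated CA that must be rejected for that server cert.
make_sample() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Example Private CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=registry.example.internal" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample "$tmp"
check_ca "$tmp/ca.crt" "$tmp/leaf.pem" && echo "ca.crt: OK to bake into image"
check_ca "$tmp/other.crt" "$tmp/leaf.pem" || echo "other.crt: rejected ($?)"
```

In real use, pass the CA file you intend to `COPY` and, if you have it, a PEM copy of the registry's server certificate.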

lrstanley commented 2 years ago

Related issue, which has a slightly cleaner temporary solution that doesn't require making a custom image: https://github.com/concourse/oci-build-task/issues/70#issuecomment-933674965

Looking at the code, however, I believe adding an input for custom certs/ca should be pretty easy.