moby / buildkit

concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit
https://github.com/moby/moby/issues/34227
Apache License 2.0

x509 on urls other than registries #2616

Open msimonelli331 opened 2 years ago

msimonelli331 commented 2 years ago

The buildkitd.toml is fine for adding a CA for individual Docker registries, but I don't see a solution for the buildx container to trust other URLs. For example, if you want to build a container with the helm CLI, you could do something like:

ADD https://get.helm.sh/helm-v3.2.4-linux-amd64.tar.gz /tmp/helm.tar.gz

But then you get an x509 on the URL: https://get.helm.sh/helm-v3.2.4-linux-amd64.tar.gz

Suggestion to support a global CA in the .toml.

tonistiigi commented 2 years ago

I'm not sure I understand. The example command seems to work without issues because that URL does have a valid certificate.

If you want to use untrusted or custom certs then I suggest using RUN curl instead so you can configure it any way you want.

matthewhembree commented 2 months ago

Adding some context for my use case here.

I want to be able to add my internal CA certificates to the image from an https artifact via the ADD command.

Yes, I can add the local cert files from the docker context. I guess this is more of a difference without a distinction problem. It just would be nice to have ADD support private CAs.
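
The `RUN curl` workaround suggested in the thread, written out as an added example (not code from any commenter or from the BuildKit project). Assumed names: `internal-ca.pem` in the build context, the mirror host `artifacts.internal.example`, and a `HELM_SHA256` build argument holding the expected digest.

```dockerfile
# syntax=docker/dockerfile:1
# Added example. internal-ca.pem, artifacts.internal.example and HELM_SHA256
# are assumptions, not values from the thread.
FROM alpine:3.19 AS fetch
RUN apk add --no-cache curl

ARG HELM_URL=https://artifacts.internal.example/helm/helm-v3.2.4-linux-amd64.tar.gz
# Supply with: docker buildx build --build-arg HELM_SHA256=<expected digest> .
ARG HELM_SHA256

# ADD ${HELM_URL} /tmp/helm.tar.gz
#   fails with an x509 error for a privately signed host: the download is made
#   by the builder, whose trust store does not contain the internal CA.

# Bind-mount the CA from the build context for this step only, so it is not
# written into an image layer. --cacert makes curl trust only that CA here.
RUN --mount=type=bind,source=internal-ca.pem,target=/run/internal-ca.pem \
    test -n "${HELM_SHA256}" \
 && curl --fail --silent --show-error --location \
         --cacert /run/internal-ca.pem \
         --output /tmp/helm.tar.gz "${HELM_URL}" \
 && echo "${HELM_SHA256}  /tmp/helm.tar.gz" | sha256sum -c - \
 && tar -xzf /tmp/helm.tar.gz -C /tmp linux-amd64/helm

# Final stage carries only the verified binary, not curl or the archive.
FROM alpine:3.19
COPY --from=fetch /tmp/linux-amd64/helm /usr/local/bin/helm
```

The build stops at the `test -n` step when no digest is supplied, so an unverified archive never reaches the final stage.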