rancher / kim

In ur kubernetes, buildin ur imagez
Apache License 2.0

`kim build` with Rancher Desktop fails to pull base images from custom registry with self-signed cert #86

Open stanleymho opened 2 years ago

stanleymho commented 2 years ago

For bugs, describe what you're seeing

Using `kim build` with Rancher Desktop on macOS involves pulling a base image from a custom registry which uses a self-signed corporate cert, and the error is `x509: certificate signed by unknown authority`. I have the root CA certs in Keychain as well as under /usr/local/share/ca-certificates on my host machine. I understand that Rancher Desktop has recently added support for installing the host CA certs into k3s under the covers. However, when I checked the BuildKit instance running in the kube-image namespace in k3s, it doesn’t seem to have the corporate root CA certs imported from the host machine. My understanding is that kim is the one installing the BuildKit instance, hence this report.

To Reproduce

Steps to reproduce the behaviour:

```
$ kim build -f Dockerfile .
```

Result

```
[+] Building 0.4s (3/3) FINISHED
 => [internal] load build definition from Dockerfile                 0.1s
 => => transferring dockerfile: 38B                                  0.0s
 => [internal] load .dockerignore                                    0.0s
 => => transferring context: 2B                                      0.0s
 => ERROR [internal] load metadata for foobar.com/myimage:tag        0.2s
------
 > [internal] load metadata for foobar.com/myimage:tag
------
error: failed to solve: failed to solve with frontend dockerfile.v0: failed to create LLB definition: failed to do request: Head https://foobar.com/v2/myimage/manifests/tag: x509: certificate signed by unknown authority
FATA[0000] unrecognized image format
```

This issue makes kim unsuitable to work in many corporate environments. This issue is similar to the one reported to Rancher Desktop: https://github.com/rancher-sandbox/rancher-desktop/issues/909, as both kim and nerdctl seem to suffer from the same problem.
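
The error in the build log above is the one Go's `crypto/x509` returns when the verifying process has no root for the registry's chain in its own trust store, whatever other stores contain. The following is an added example, not part of the original issue or of kim's code: it verifies the same leaf certificate against a pool that holds the issuing root and against one that does not. The CA and leaf are constructed in memory, `foobar.com` is the placeholder host from the report, and the function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed certificate; parent == nil yields a self-signed root CA.
func issue(cn string, serial int64, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: parent == nil}
	if parent == nil { // root CA signs itself
		t.KeyUsage, parent, signer = x509.KeyUsageCertSign, t, key
	} else { // leaf certificate for the registry host name
		t.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verify runs the chain and host name check a Go TLS client performs, against one trust store.
func verify(leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: "foobar.com", Roots: roots})
	return err
}

// compareTrustStores checks one leaf against a store holding the root and an empty store.
func compareTrustStores() (withRoot, withoutRoot error) {
	ca, caKey := issue("Constructed Corp Root CA", 1, nil, nil)
	leaf, _ := issue("foobar.com", 2, ca, caKey)
	trusted := x509.NewCertPool() // models a store where the corporate root is installed
	trusted.AddCert(ca)
	return verify(leaf, trusted), verify(leaf, x509.NewCertPool())
}

func main() {
	withRoot, withoutRoot := compareTrustStores()
	fmt.Printf("root installed: %v\nroot missing:   %v\n", withRoot, withoutRoot)
}
```

The empty pool is passed explicitly because a nil `Roots` makes `Verify` fall back to the system roots of the machine running the example.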