Self-signed certificate not working with docker buildx kubernetes driver

[parvathycec]

I have a kubernetes driver with registry cache as harbor. I created self-signed certificate for harbor. The host node has the harbor ingress url as insecure registry. The kubernetes driver has the certificates mounted and buildkitd.toml has ca defined. But still getting "tls: failed to verify certificate: x509: certificate signed by unknown authority".

buildkitd.toml: |
    debug=true
    [registry."harbor.harbor-registry.xxx.xxx.xxx.xxx.nip.io"]
      ca = ["/etc/ssl/buildkit/certs/harbor.harbor-registry.xxx.xxx.xxx.xxx.nip.io/ca.crt"]
      insecure = true

I also have added the harbor ingress url as an insecure registry in docker.

[mg1986jp]

I've hit this before with the kubernetes driver. The insecure = true in buildkitd.toml should bypass TLS verification, but there's a gotcha — the buildkit pods might not actually mount the cert path you're referencing in ca = [...].

With the kubernetes driver, the cert mount isn't automatic. You need to make sure the certificate is available inside the buildkit pod, usually via a Secret or ConfigMap. Something like:

kubectl create secret generic harbor-ca --from-file=ca.crt=/path/to/ca.crt -n buildkit

And then configure the builder to mount it:

docker buildx create --driver kubernetes \
  --driver-opt "namespace=buildkit" \
  --buildkitd-config ./buildkitd.toml \
  --driver-opt "qemu.install=true" \
  --name mybuilder

But honestly, if insecure = true is set, it should skip the CA check entirely. If it's still failing, I'd guess the buildkitd.toml isn't being picked up at all. Can you exec into the buildkit pod and check if /etc/buildkit/buildkitd.toml has your config?