#With the Node.JS SDK, how do I use a private container registry with untrusted certificates?

The FAQ in the documentation which showed how to start a custom dagger-buildkitd doesn't seem to work for me, and has since been removed from the documentation. I'm on a macOS host, using Docker Desktop, and I have a .pem containing the full CA chain for the private registry.

This conversation may be of interest - https://discord.com/channels/707636530424053791/1030538312508776540/threads/1031785076029128784

@teal plaza you say you started your own buildkit container with custom config. Did you follow the vanilla docker docs with docker buildx create, and did you have to use any specific flags or configuration beyond the registry config in buildkitd.toml?

No that's it. Just the --config buildkitd.toml

that's fantastic. thank you!

I can't get this to work. 😒

I did docker buildx create --config buildkitd.toml and it still doesn't work. I think I need to figure out whether dagger is using the buildkit container I created at all, or whether the certs are broken inside it.

did you set the BUILDKIT_HOST env var? easy way to verify that is to stop/kill the running buildkit image dagger created. You can see which one it's using then.

Good shout. I'll give that a go.

Hi, I may have similar issue with Go SDK. I have private container registry and on pulling image I get x509: certificate signed by unknown authority. I don't have this issue building with DOCKER_BUILDKIT=1 docker build. Do I really have to start my custom buildkit for dagger to work with private registries? Should I create dedicated thread for this?

@burnt pike where exactly do you get that error? Is it when dagger bootstraps (downloads) the engine image? Or when you try to build your own image? Could you show a sample code snippet?

└─⭘ go run main.go 
Building with Dagger
#1 resolve image config for oci.git.company.com/cz/it/devops-templates/dotnet/sdk:5.0
#1 ERROR: failed to do request: Head "https://oci.git.company.com/v2/cz/it/devops-templates/dotnet/sdk/manifests/5.0": x509: certificate signed by unknown authority
------
 > resolve image config for oci.git.company.com/cz/it/devops-templates/dotnet/sdk:5.0:
------
panic: input:1: container.from failed to do request: Head "https://oci.git.company.com/v2/cz/it/devops-templates/dotnet/sdk/manifests/5.0": x509: certificate signed by unknown authority

Please visit https://dagger.io/help#go for troubleshooting guidance.

goroutine 1 [running]:
main.main()
    /home/company.net/david.vrtel/Projects/kube/dagger/main.go:56 +0x11a8
exit status 2

It happens at image pull, I connect dagger and connect, then call From() on container and it fails

    builder := client.Container().
        From("oci.git.company.com/cz/it/devops-templates/dotnet/sdk:5.0")

I'm using Rancher desktop with moby docker btw

but as I said, it works when I build with CLI

Have you logged into your private registry? Since dagger runs in a container I had to do a docker login from my go code. Something like this - #1031785076029128784 message

yes, the docker CLI would not work without proper login to the private repo. I'm trying to port dockerfile that always worked

I will create a separate thread for this.

Hi @burnt pike 👋 ! Did you manage to create a thread about this ? Thanks

Hi, yes, forgot to link it
https://discord.com/channels/707636530424053791/1047441435147894814
I'm currently in no rush to have this feature working so it's not very active last two weeks