richmilne · April 24, 2026 14:25
diff --git a/kind-configure-cluster-certs.sh b/kind-configure-cluster-certs.sh
 # You can't pull images when using Kind out-of-the-box behind our corporate proxy.
 # Trying to run a pod results in the Status "ErrImagePull" with further error messages such as:

 #  > Failed to pull image "nginx": failed to pull and unpack image "docker.io/library/nginx:latest":
 #  > failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://dock...
 #  > tls: failed to verify certificate: x509: certificate signed by unknown authority

 # To solve, I had to configure Kind to mount my local cert file, containing our corporate certs,
 # into the control and worker containers, and configure containerd to pick up the file, as shown
 # below.

 # Based on https://github.com/kubernetes-sigs/kind/issues/2009#issuecomment-2558030771

 cat <<EOF | tee proxy-certs.conf  # conf file name must match that used in hostPath below
 [Service]
 Environment="HTTP_PROXY=${HTTP_PROXY}"
 Environment="HTTPS_PROXY=${HTTPS_PROXY}"
 Environment="NO_PROXY=${NO_PROXY}"
 Environment="SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
 Environment="REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt"
 EOF

 cat <<EOF | kind create cluster --name=cert-proxy-cluster --image=kindest/node:v1.35.1 --config=-
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
 nodes:
  - role: control-plane
    extraMounts:
    - hostPath: ./proxy-certs.conf
      containerPath: /etc/systemd/system/containerd.service.d/proxy-certs.conf
    - hostPath: ${SSL_CERT_FILE}
      containerPath: /etc/ssl/certs/ca-certificates.crt

  - role: worker
    extraMounts:
    - hostPath: ./proxy-certs.conf
      containerPath: /etc/systemd/system/containerd.service.d/proxy-certs.conf
    - hostPath: ${SSL_CERT_FILE}
      containerPath: /etc/ssl/certs/ca-certificates.crt
 EOF
	# You can't pull images when using Kind out-of-the-box behind our corporate proxy.
	# Trying to run a pod results in the Status "ErrImagePull" with further error messages such as:

	# > Failed to pull image "nginx": failed to pull and unpack image "docker.io/library/nginx:latest":
	# > failed to copy: httpReadSeeker: failed open: failed to do request: Get "https://dock...
	# > tls: failed to verify certificate: x509: certificate signed by unknown authority

	# To solve, I had to configure Kind to mount my local cert file, containing our corporate certs,
	# into the control and worker containers, and configure containerd to pick up the file, as shown
	# below.

	# Based on https://github.com/kubernetes-sigs/kind/issues/2009#issuecomment-2558030771

	cat <<EOF \| tee proxy-certs.conf # conf file name must match that used in hostPath below
	[Service]
	Environment="HTTP_PROXY=${HTTP_PROXY}"
	Environment="HTTPS_PROXY=${HTTPS_PROXY}"
	Environment="NO_PROXY=${NO_PROXY}"
	Environment="SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
	Environment="REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt"
	EOF

	cat <<EOF \| kind create cluster --name=cert-proxy-cluster --image=kindest/node:v1.35.1 --config=-
	kind: Cluster
	apiVersion: kind.x-k8s.io/v1alpha4
	nodes:
	- role: control-plane
	extraMounts:
	- hostPath: ./proxy-certs.conf
	containerPath: /etc/systemd/system/containerd.service.d/proxy-certs.conf
	- hostPath: ${SSL_CERT_FILE}
	containerPath: /etc/ssl/certs/ca-certificates.crt

	- role: worker
	extraMounts:
	- hostPath: ./proxy-certs.conf
	containerPath: /etc/systemd/system/containerd.service.d/proxy-certs.conf
	- hostPath: ${SSL_CERT_FILE}
	containerPath: /etc/ssl/certs/ca-certificates.crt
	EOF
No results found