You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When using the more recent buildkit docker images to build a container via buildctl-daemonless.sh with a remote buildkitd server, connections have begun failing where they previously did not with errors like:
error: failed to dial "tcp://buildkit.my-server.com:443" . make sure buildkitd is running: ClientConn's authority from transport creds "buildkit.my-server.com" and dial option "buildkit.my-server.com:443" don't match
We use the buildctl client, coupled with a custom cacert file, to perform in-cloud builds of local content with a hosted buildkitd server.
I found google.golang.org/grpc@v1.42.0 (updated in #2481) introduced better handling for :authority pseudo-header implemented in grpc/grpc-go#4817. This requires WithAuthority dial option value must match with the server name of transport creds when specified.
The current implementation always uses url.Host ("host:port") of --addr as an authority pseudo-header value. This is the root cause.
When using the more recent buildkit docker images to build a container via
buildctl-daemonless.sh
with a remote buildkitd server, connections have begun failing where they previously did not with errors like:We use the buildctl client, coupled with a custom cacert file, to perform in-cloud builds of local content with a hosted buildkitd server.
A sample command of how we run such a build is:
The above command succeeds, as expected. Specifically, that is with
When we change the docker image being to the following,
The build fails as noted earlier.
The request flow here is
The client is supplying a cacert that is valid for the certificate presented by the ingress.
Finally, I'm not sure when this stopped working, but certainly as of today, Dec 8, 2021
The text was updated successfully, but these errors were encountered: