Rootless kubernetes driver ignores buildkit config #353

Open
3 tasks done
javiertury opened this issue Aug 20, 2024 · 0 comments

Contributing guidelines

I've found a bug, and:

  • The documentation does not mention anything about my problem
  • There are no open or closed issues that are related to my problem

Description

Adding rootless=true to driver-opts makes buildx ignore buildkitd-config-inline. Removing rootless=true makes everything work again.

In this workflow I build and push some images to an insecure private registry using rootless kubernetes. I use buildkitd-config-inline to tell buildkit to use an http connection instead of https.

Expected behaviour

Buildkit should push to the registry using http instead of https.

Actual behaviour

Buildkit tries to use https and throws an error since the registry does not support https.

Repository URL

No response

Workflow run URL

No response

YAML workflow

name: container
run-name: ${{ github.actor }} is building a container 🚀
on:
  registry_package:
    types: [published, updated]

env:
  REGISTRY: <my-registry-domain>:<my-registry-port>
  IMAGE_PATH: <owner>/<image-repo>

jobs:
  build-and-push-container-image:
    runs-on: ubuntu-latest

    if: ${{ github.event.registry_package.name == '<npm-package-name>' && github.event.registry_package.package_type == 'npm' }}

    env:
      PKG_VERSION: ${{ github.event.registry_package.package_version.version }}

    steps:
      -
        name: Check out repository code
        uses: actions/checkout@v4
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: linux/amd64,linux/arm64
          buildkitd-config-inline: |
            [registry."${{ env.REGISTRY }}"]
              http = true
          driver: kubernetes
          driver-opts: |
            rootless=true
            namespace=buildkit
            replicas=1
            limits.memory=800Mi
            limits.ephemeral-storage=1G
            qemu.install=true
      -
        name: Login to container registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.USERNAME }}
          password: ${{ secrets.PASSWORD }}
      -
        name: Build and push
        uses: docker/build-push-action@v6
        env:
            TAGS: "${{ env.REGISTRY }}/${{ env.IMAGE_PATH }}:${{ env.PKG_VERSION }}"
        with:
          context: .
          platforms: |
            linux/amd64
            linux/arm/v7
          push: true
          pull: true
          no-cache: true
          tags: ${{ env.TAGS }}

Workflow logs

#10 exporting manifest list sha256:XXX done
#10 pushing layers 0.0s done
#10 ERROR: failed to push <my-registry-domain>:<my-registry-port>/<owner>/<image-repo>:X.X.X: failed to do request: Head "https://<my-registry-domain>:<my-registry-port>/v2/<owner>/<image-repo>/blobs/sha256:XXX": http: server gave HTTP response to HTTPS client
------
 > exporting to image:
------
ERROR: failed to solve: failed to push <my-registry-domain>:<my-registry-port>/<owner>/<image-repo>:X.X.X: failed to do request: Head "https://<my-registry-domain>:<my-registry-port>/v2/<owner>/<image-repo>/blobs/sha256:XXX": http: server gave HTTP response to HTTPS client
::group::Reference
builder-6b93c16c-fb2d-4928-aa9e-9f29d5144b6d/builder-6b93c16c-fb2d-4928-aa9e-9f29d5144b6d0/jfwtnpoiz3l68ln69he5sooo2
::endgroup::
::group::Check build summary support
Build summary is not yet supported on GHES
::endgroup::
::error::buildx failed with: ERROR: failed to solve: failed to push <my-registry-domain>:<my-registry-port>/<owner>/<image-repo>:X.X.X: failed to do request: Head "https://<my-registry-domain>:<my-registry-port>/v2/<owner>/<image-repo>/blobs/sha256:XXX": http: server gave HTTP response to HTTPS client

BuildKit logs

No response

Additional info

Related to moby/buildkit#2044. Could this workaround be implemented?

Also related to docker/buildx#2226. If buildkit inherited insecure registries from docker daemon, there would be no need to configure buildkit.
