start: trust custom CAs before registry probe; retry once on cert errors

[mulan04]

What this PR does / why we need it

When a user provides custom root CAs (for example behind enterprise VPNs or proxies), Minikube currently probes
https://registry.k8s.io/ before those CAs are copied and trusted inside the guest.
This causes a misleading warning like:

Failing to connect to https://registry.k8s.io/ ... SSL certificate problem: self-signed certificate

even though connectivity works moments later once the CAs are installed.

This PR:

• Ensures custom CA certificates are copied and installed before the registry connectivity probe runs.
• Refreshes the system trust store (update-ca-certificates / update-ca-trust) inside the guest.
• Adds a one-time retry when the initial probe fails with a certificate trust error, suppressing the warning if the retry succeeds.

---

Before / After this PR output

Before this PR

❗ Failing to connect to https://registry.k8s.io/ from inside the minikube VM
curl: (60) SSL certificate problem: self-signed certificate

After this PR

(no warning about https://registry.k8s.io/)

• Custom CA certs are copied & trusted before the registry probe.
• If the first probe fails with a certificate trust error, it retries once after the trust store refresh; the warning is suppressed if the retry succeeds.

---

Which issue(s) this PR fixes

Fixes [#21799](#21799)
(Startup falsely reports registry SSL failure when using custom CA.)

---

Special notes for your reviewer

• The implementation reuses Minikube’s existing bootstrapper CA logic (collectCACerts, installCertSymlinks)
  instead of duplicating certificate copy and trust code.
• EnsureCACertsEarly is idempotent and safe to call multiple times; it will only act when host-provided certs exist.
• The retry-on-cert-error logic ensures genuine connectivity issues are still reported.

---

Testing

1. Place a custom CA (e.g. your corporate proxy CA) in ~/.minikube/certs/
   or ~/.minikube/files/etc/ssl/certs/.

2. Run Minikube start:

   minikube start --driver=podman --container-runtime=containerd --embed-certs

3. Observe:

   • Before this change → startup prints SSL warning for registry.k8s.io.
   • After this change → no warning (curl succeeds after CA trust refresh).

Also verified:

• If network is genuinely unreachable (DNS/firewall), the warning still appears as before.

---

Release note

start: avoid misleading “SSL certificate problem” warning on startup
when using custom CA certificates by installing CAs before the
registry connectivity probe and retrying once on certificate errors.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: mulan04 / name: Andreas Müller (db33af8)

[k8s-ci-robot]

Welcome @mulan04!

It looks like this is your first PR to kubernetes/minikube 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/minikube has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @mulan04. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[minikube-bot]

Can one of the admins verify this patch?

[medyagh]

/ok-to-test

[medyagh]

plz add a Before/After this PR ouptut

[mulan04]

plz add a Before/After this PR ouptut

@medyagh I added the requested 'Before / After this PR output' section to the PR description - I hope it is clear now what this PR accomplishes

---

Before / After this PR output

Before this PR

❗ Failing to connect to https://registry.k8s.io/ from inside the minikube VM with VPN Client requiring a custom CA cert
curl: (60) SSL certificate problem: self-signed certificate

After this PR

(no warning about https://registry.k8s.io/)

• Custom CA certs are copied & trusted before the registry probe.
• If the first probe fails with a certificate trust error, it retries once after the trust store refresh; the warning is suppressed if the retry succeeds.

---

[medyagh]

thank you for patience, this PR seems interesting plz see comments

[medyagh]

the collectCACerts is also called in func SetupCerts
would that make it duplicate or do two times? I would like to ensure this wont make minikube start slower, can it be done once for every minikbube start?

[medyagh]

also would u plz add before after this pr

before this PR

minikube delete --all
time minikbue start

After this PR

minikube delete --all
time minikbue start

[mulan04]

Good catch — collectCACerts is indeed called both from EnsureCACertsEarly and later from SetupCerts, so with custom CAs present we do:

• scan ~/.minikube/certs and ~/.minikube/files/etc/ssl/certs for .crt/.pem certs,
• create FileAssets and copy them into the guest, and
• call installCertSymlinks

twice per minikube start.
All of that is idempotent and the work is proportional to the number of user-provided CA files (typically small), so the overhead is very small compared to the rest of the start sequence.

To validate this, I measured startup time before/after this PR with enabled VPN which requires the customCA in ~/.minikube/certs:

Before this PR (master)

$ /tmp/minikube-master delete --all --purge
🔥  Deleting "minikube" in podman ...
🔥  Removing /home/user/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.
🔥  Successfully deleted all profiles
💀  Successfully purged minikube directory located at - [/home/user/.minikube]
$ mkdir ~/.minikube/
cp -r  ~/certs/ ~/.minikube/

$ time /tmp/minikube-master start \
  --driver=podman \
  --container-runtime=containerd \
  --embed-certs
😄  minikube v1.37.0 on Fedora 42 (kvm/amd64)
✨  Using the podman driver based on user configuration
📌  Using Podman driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.48-1765661130-22141 ...
💾  Downloading Kubernetes v1.34.3 preload ...
    > preloaded-images-k8s-v18-v1...:  324.02 MiB / 324.02 MiB  100.00% 2.07 Mi
    > gcr.io/k8s-minikube/kicbase...:  498.47 MiB / 498.47 MiB  100.00% 3.05 Mi
E1217 14:18:17.914003   13521 cache.go:238] Error downloading kic artifacts:  not yet implemented, see issue #8426
🔥  Creating podman container (CPUs=2, Memory=3900MB) ...
❗  Failing to connect to https://registry.k8s.io/ from inside the minikube container
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
📦  Preparing Kubernetes v1.34.3 on containerd 2.2.0 ...
🔗  Configuring CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

real    4m54.419s
user    0m10.988s
sys     0m23.922s


for i in 1 2 3; do
  /tmp/minikube-master delete --all
  time /tmp/minikube-master start \
    --driver=podman \
    --container-runtime=containerd \
    --embed-certs
done
🔥  Deleting "minikube" in podman ...
🔥  Removing /home/user/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.
🔥  Successfully deleted all profiles
😄  minikube v1.37.0 on Fedora 42 (kvm/amd64)
✨  Using the podman driver based on user configuration
📌  Using Podman driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.48-1765661130-22141 ...
E1217 14:40:24.280843   49878 cache.go:238] Error downloading kic artifacts:  not yet implemented, see issue #8426
🔥  Creating podman container (CPUs=2, Memory=3900MB) ...
❗  Failing to connect to https://registry.k8s.io/ from inside the minikube container
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
📦  Preparing Kubernetes v1.34.3 on containerd 2.2.0 ...
🔗  Configuring CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

real    0m19.482s
user    0m0.968s
sys     0m0.672s
🔥  Deleting "minikube" in podman ...
🔥  Removing /home/user/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.
🔥  Successfully deleted all profiles
😄  minikube v1.37.0 on Fedora 42 (kvm/amd64)
✨  Using the podman driver based on user configuration
📌  Using Podman driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.48-1765661130-22141 ...
E1217 14:40:48.966342   53245 cache.go:238] Error downloading kic artifacts:  not yet implemented, see issue #8426
🔥  Creating podman container (CPUs=2, Memory=3900MB) ...
❗  Failing to connect to https://registry.k8s.io/ from inside the minikube container
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
📦  Preparing Kubernetes v1.34.3 on containerd 2.2.0 ...
🔗  Configuring CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

real    0m19.431s
user    0m0.779s
sys     0m0.732s
🔥  Deleting "minikube" in podman ...
🔥  Removing /home/user/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.
🔥  Successfully deleted all profiles
😄  minikube v1.37.0 on Fedora 42 (kvm/amd64)
✨  Using the podman driver based on user configuration
📌  Using Podman driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.48-1765661130-22141 ...
E1217 14:41:15.365287   56645 cache.go:238] Error downloading kic artifacts:  not yet implemented, see issue #8426
🔥  Creating podman container (CPUs=2, Memory=3900MB) ...
❗  Failing to connect to https://registry.k8s.io/ from inside the minikube container
💡  To pull new external images, you may need to configure a proxy: https://minikube.sigs.k8s.io/docs/reference/networking/proxy/
📦  Preparing Kubernetes v1.34.3 on containerd 2.2.0 ...
🔗  Configuring CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

real    0m19.992s
user    0m0.824s
sys     0m0.724s

After this PR

$ for i in 1 2 3; do
  /tmp/minikube-pr delete --all
  time /tmp/minikube-pr start \
    --driver=podman \
    --container-runtime=containerd \
    --embed-certs
done
🔥  Deleting "minikube" in podman ...
🔥  Removing /home/user/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.
🔥  Successfully deleted all profiles
😄  minikube v1.37.0 on Fedora 42 (kvm/amd64)
✨  Using the podman driver based on user configuration
📌  Using Podman driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.48-1765661130-22141 ...
E1217 14:37:54.159666   39146 cache.go:238] Error downloading kic artifacts:  not yet implemented, see issue #8426
🔥  Creating podman container (CPUs=2, Memory=3900MB) ...
📦  Preparing Kubernetes v1.34.3 on containerd 2.2.0 ...
🔗  Configuring CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

real    0m23.042s
user    0m0.778s
sys     0m0.702s
🔥  Deleting "minikube" in podman ...
🔥  Removing /home/user/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.
🔥  Successfully deleted all profiles
😄  minikube v1.37.0 on Fedora 42 (kvm/amd64)
✨  Using the podman driver based on user configuration
📌  Using Podman driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.48-1765661130-22141 ...
E1217 14:38:23.629614   42520 cache.go:238] Error downloading kic artifacts:  not yet implemented, see issue #8426
🔥  Creating podman container (CPUs=2, Memory=3900MB) ...
📦  Preparing Kubernetes v1.34.3 on containerd 2.2.0 ...
🔗  Configuring CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

real    0m18.974s
user    0m0.751s
sys     0m0.732s
🔥  Deleting "minikube" in podman ...
🔥  Removing /home/user/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.
🔥  Successfully deleted all profiles
😄  minikube v1.37.0 on Fedora 42 (kvm/amd64)
✨  Using the podman driver based on user configuration
📌  Using Podman driver with root privileges
👍  Starting "minikube" primary control-plane node in "minikube" cluster
🚜  Pulling base image v0.0.48-1765661130-22141 ...
E1217 14:38:49.273019   45866 cache.go:238] Error downloading kic artifacts:  not yet implemented, see issue #8426
🔥  Creating podman container (CPUs=2, Memory=3900MB) ...
📦  Preparing Kubernetes v1.34.3 on containerd 2.2.0 ...
🔗  Configuring CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
    ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

real    0m19.865s
user    0m0.934s
sys     0m0.643s

Repeating each 3x shows startup times within normal variance (no measurable slowdown).

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mulan04
Once this PR has been reviewed and has the lgtm label, please assign comradeprogrammer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Copilot]

Pull request overview

This PR fixes a misleading SSL certificate error warning that appears during minikube start when users provide custom CA certificates (e.g., for corporate proxies or VPNs). The issue occurred because the registry connectivity probe ran before the custom CAs were installed and trusted in the guest VM.

Key Changes:

• Custom CA certificates are now installed and trusted in the guest VM before the HTTPS registry connectivity probe runs
• Added retry logic with certificate error detection to handle edge cases where the trust store refresh hasn't fully propagated
• The warning is suppressed if the retry succeeds, eliminating false positive SSL warnings

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
pkg/minikube/node/start.go	Added early CA installation call in validateNetwork(), implemented isCertError() helper to detect certificate trust errors, and enhanced tryRegistry() with single-retry logic for cert errors
pkg/minikube/bootstrapper/certs.go	Introduced EnsureCACertsEarly() function to collect, copy, and install custom CA certificates into the guest, and refresh the system trust store before connectivity probes run

---

The implementation is well-designed and follows existing codebase patterns. The changes are minimal, focused, and solve the specific problem without introducing unnecessary complexity. The code properly handles errors (making CA setup failures non-fatal), manages resources correctly (using defer for file cleanup), and includes appropriate retry logic to handle timing edge cases. No issues were found during the review.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[k8s-ci-robot]

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

• 6156688 start: trust custom CAs before registry probe; retry once on cert errors

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[minikube-pr-bot]

kvm2 driver with docker runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21808 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 41.3s    │ 42.0s                  │
│ enable ingress │ 16.1s    │ 16.1s                  │
└────────────────┴──────────┴────────────────────────┘

Details

Times for minikube start: 39.8s 44.0s 39.6s 42.5s 40.7s
Times for minikube (PR 21808) start: 42.1s 41.3s 43.6s 44.0s 39.0s

Times for minikube ingress: 16.3s 16.8s 15.8s 15.8s 15.8s
Times for minikube (PR 21808) ingress: 16.8s 15.8s 15.8s 16.4s 15.8s

docker driver with docker runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21808 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 21.6s    │ 22.5s                  │
│ enable ingress │ 10.9s    │ 10.7s                  │
└────────────────┴──────────┴────────────────────────┘

Details

Times for minikube start: 21.5s 22.7s 21.1s 21.7s 21.1s
Times for minikube (PR 21808) start: 20.7s 21.4s 21.3s 23.7s 25.4s

Times for minikube ingress: 10.7s 10.7s 10.7s 10.7s 11.7s
Times for minikube (PR 21808) ingress: 10.7s 10.7s 10.7s 10.7s 10.7s

docker driver with containerd runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21808 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 21.3s    │ 21.8s                  │
│ enable ingress │ 22.8s    │ 22.8s                  │
└────────────────┴──────────┴────────────────────────┘

Details

Times for minikube start: 23.0s 19.8s 22.2s 21.4s 20.1s
Times for minikube (PR 21808) start: 23.0s 23.1s 20.0s 18.5s 24.2s

Times for minikube (PR 21808) ingress: 22.1s 22.2s 23.2s 23.2s 23.1s
Times for minikube ingress: 23.1s 23.2s 22.2s 23.2s 22.2s

[minikube-pr-bot]

Here are the number of top 10 failed tests in each environments with lowest flake rate.

Environment	Test Name	Flake Rate
KVM_Linux (1 failed)	TestPause/serial/SecondStartNoReconfiguration(gopogh)	0.00% (chart)
Docker_Linux (1 failed)	TestScheduledStopUnix(gopogh)	0.00% (chart)

Besides the following environments also have failed tests:

• Docker_Linux_crio_arm64: 42 failed (gopogh)

• Docker_Linux_containerd: 11 failed (gopogh)

• Docker_Linux_containerd_arm64: 25 failed (gopogh)

• Docker_Linux_crio: 27 failed (gopogh)

• KVM_Linux_crio: 3 failed (gopogh)

To see the flake rates of all tests by environment, click here.

[k8s-ci-robot]

@mulan04: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
integration-vfkit-docker-macos-arm64	db33af8	link	false	/test integration-vfkit-docker-macos-arm64
integration-docker-crio-linux-x86-64	db33af8	link	true	/test integration-docker-crio-linux-x86-64
integration-kvm-docker-linux-x86-64	db33af8	link	true	/test integration-kvm-docker-linux-x86-64
integration-kvm-containerd-linux-x86-64	db33af8	link	true	/test integration-kvm-containerd-linux-x86-64
integration-kvm-crio-linux-x86-64	db33af8	link	true	/test integration-kvm-crio-linux-x86-64
integration-none-docker-linux-x86	db33af8	link	true	/test integration-none-docker-linux-x86
integration-kvm-docker-linux-x86	db33af8	link	true	/test integration-kvm-docker-linux-x86
integration-docker-docker-linux-arm	db33af8	link	true	/test integration-docker-docker-linux-arm
integration-kvm-containerd-linux-x86	db33af8	link	true	/test integration-kvm-containerd-linux-x86
integration-docker-crio-linux-x86	db33af8	link	true	/test integration-docker-crio-linux-x86
integration-kvm-crio-linux-x86	db33af8	link	true	/test integration-kvm-crio-linux-x86
integration-docker-docker-linux-x86	db33af8	link	true	/test integration-docker-docker-linux-x86
integration-docker-containerd-linux-x86	db33af8	link	true	/test integration-docker-containerd-linux-x86

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.