start: trust custom CAs before registry probe; retry once on cert errors

[mulan04]

What this PR does / why we need it

When a user provides custom root CAs (for example behind enterprise VPNs or proxies), Minikube currently probes
https://registry.k8s.io/ before those CAs are copied and trusted inside the guest.
This causes a misleading warning like:

Failing to connect to https://registry.k8s.io/ ... SSL certificate problem: self-signed certificate

even though connectivity works moments later once the CAs are installed.

This PR:

• Ensures custom CA certificates are copied and installed before the registry connectivity probe runs.
• Refreshes the system trust store (update-ca-certificates / update-ca-trust) inside the guest.
• Adds a one-time retry when the initial probe fails with a certificate trust error, suppressing the warning if the retry succeeds.

---

Before / After this PR output

Before this PR

❗ Failing to connect to https://registry.k8s.io/ from inside the minikube VM
curl: (60) SSL certificate problem: self-signed certificate

After this PR

(no warning about https://registry.k8s.io/)

• Custom CA certs are copied & trusted before the registry probe.
• If the first probe fails with a certificate trust error, it retries once after the trust store refresh; the warning is suppressed if the retry succeeds.

---

Which issue(s) this PR fixes

Fixes [#21799](#21799)
(Startup falsely reports registry SSL failure when using custom CA.)

---

Special notes for your reviewer

• The implementation reuses Minikube’s existing bootstrapper CA logic (collectCACerts, installCertSymlinks)
  instead of duplicating certificate copy and trust code.
• EnsureCACertsEarly is idempotent and safe to call multiple times; it will only act when host-provided certs exist.
• The retry-on-cert-error logic ensures genuine connectivity issues are still reported.

---

Testing

1. Place a custom CA (e.g. your corporate proxy CA) in ~/.minikube/certs/
   or ~/.minikube/files/etc/ssl/certs/.

2. Run Minikube start:

   minikube start --driver=podman --container-runtime=containerd --embed-certs

3. Observe:

   • Before this change → startup prints SSL warning for registry.k8s.io.
   • After this change → no warning (curl succeeds after CA trust refresh).

Also verified:

• If network is genuinely unreachable (DNS/firewall), the warning still appears as before.

---

Release note

start: avoid misleading “SSL certificate problem” warning on startup
when using custom CA certificates by installing CAs before the
registry connectivity probe and retrying once on certificate errors.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mulan04
Once this PR has been reviewed and has the lgtm label, please assign spowelljr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: mulan04 / name: mulan04 (530458d)

[k8s-ci-robot]

Welcome @mulan04!

It looks like this is your first PR to kubernetes/minikube 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/minikube has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @mulan04. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[minikube-bot]

Can one of the admins verify this patch?

[medyagh]

/ok-to-test

[medyagh]

plz add a Before/After this PR ouptut

[k8s-ci-robot]

@mulan04: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
integration-kvm-docker-linux-x86-64	530458d	link	true	/test integration-kvm-docker-linux-x86-64
integration-docker-docker-linux-x86-64	530458d	link	true	/test integration-docker-docker-linux-x86-64
integration-docker-containerd-linux-x86-64	530458d	link	true	/test integration-docker-containerd-linux-x86-64
integration-none-docker-linux-x86-64	530458d	link	true	/test integration-none-docker-linux-x86-64
integration-docker-crio-linux-x86-64	530458d	link	true	/test integration-docker-crio-linux-x86-64
integration-kvm-containerd-linux-x86-64	530458d	link	true	/test integration-kvm-containerd-linux-x86-64
integration-kvm-crio-linux-x86-64	530458d	link	true	/test integration-kvm-crio-linux-x86-64

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[minikube-pr-bot]

kvm2 driver with docker runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21808 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 43.8s    │ 44.8s                  │
│ enable ingress │ 15.9s    │ 16.3s                  │
└────────────────┴──────────┴────────────────────────┘

Times for minikube start: 42.8s 45.3s 43.2s 44.4s 43.5s
Times for minikube (PR 21808) start: 45.1s 44.4s 44.5s 46.1s 44.0s

Times for minikube (PR 21808) ingress: 15.8s 16.2s 17.7s 16.3s 15.7s
Times for minikube ingress: 15.7s 15.7s 16.8s 15.7s 15.7s

docker driver with docker runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21808 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 22.3s    │ 22.2s                  │
│ enable ingress │ 11.4s    │ 12.2s                  │
└────────────────┴──────────┴────────────────────────┘

Times for minikube ingress: 12.6s 10.6s 12.6s 10.6s 10.6s
Times for minikube (PR 21808) ingress: 11.6s 11.6s 11.6s 12.6s 13.6s

Times for minikube start: 21.1s 21.5s 24.6s 21.9s 22.5s
Times for minikube (PR 21808) start: 21.9s 22.4s 21.5s 22.6s 22.7s

docker driver with containerd runtime

┌────────────────┬──────────┬────────────────────────┐
│    COMMAND     │ MINIKUBE │ MINIKUBE  ( PR 21808 ) │
├────────────────┼──────────┼────────────────────────┤
│ minikube start │ 20.3s    │ 21.0s                  │
│ enable ingress │ 21.1s    │ 20.5s                  │
└────────────────┴──────────┴────────────────────────┘

Times for minikube start: 21.8s 20.6s 19.6s 19.5s 20.0s
Times for minikube (PR 21808) start: 20.0s 19.0s 22.9s 22.6s 20.8s

Times for minikube ingress: 22.1s 21.1s 21.1s 20.1s 21.1s
Times for minikube (PR 21808) ingress: 21.1s 21.1s 20.1s 20.1s 20.1s

[k8s-ci-robot]

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

• 6156688 start: trust custom CAs before registry probe; retry once on cert errors

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[mulan04]

plz add a Before/After this PR ouptut

@medyagh I added the requested 'Before / After this PR output' section to the PR description - I hope it is clear now what this PR accomplishes

---

Before / After this PR output

Before this PR

❗ Failing to connect to https://registry.k8s.io/ from inside the minikube VM with VPN Client requiring a custom CA cert
curl: (60) SSL certificate problem: self-signed certificate

After this PR

(no warning about https://registry.k8s.io/)

• Custom CA certs are copied & trusted before the registry probe.
• If the first probe fails with a certificate trust error, it retries once after the trust store refresh; the warning is suppressed if the retry succeeds.

---

[minikube-pr-bot]

Here are the number of top 10 failed tests in each environments with lowest flake rate.

Environment	Test Name	Flake Rate
KVM_Linux (1 failed)	TestStartStop/group/default-k8s-diff-port/serial/Pause(gopogh)	0.00% (chart)
Docker_Windows (1 failed)	TestErrorSpam/setup(gopogh)	Unknown

Besides the following environments also have failed tests:

• KVM_Linux_crio: 2 failed (gopogh)

• Docker_Linux_crio_arm64: 37 failed (gopogh)

• Docker_Linux_crio: 37 failed (gopogh)

To see the flake rates of all tests by environment, click here.