base/build/buildkitd-deployment.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: buildkitd
  namespace: build
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
    spec:
      # No hostNetwork — buildkitd is accessed via the ClusterIP service.
      # Public access goes through Pingora's TLS passthrough (SNI router).
      containers:
        - name: buildkitd
          image: moby/buildkit:v0.28.0
          args:
            - --addr
            - tcp://0.0.0.0:1234
            - --tlscacert
            - /etc/buildkit/tls/ca.crt
            - --tlscert
            - /etc/buildkit/tls/tls.crt
            - --tlskey
            - /etc/buildkit/tls/tls.key
          ports:
            - containerPort: 1234
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: "500m"
              memory: "1Gi"
            limits:
              cpu: "4"
              memory: "8Gi"
          volumeMounts:
            - name: server-tls
              mountPath: /etc/buildkit/tls
              readOnly: true
      volumes:
        - name: server-tls
          projected:
            sources:
              - secret:
                  name: buildkitd-server-tls
                  items:
                    - key: tls.crt
                      path: tls.crt
                    - key: tls.key
                      path: tls.key
              - secret:
                  name: buildkit-ca-keypair
                  items:
                    - key: ca.crt
                      path: ca.crt
feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates - Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay 2026-03-10 19:00:57 +00:00			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: buildkitd`
			`namespace: build`
			`spec:`
			`replicas: 1`
			`strategy:`
			`type: Recreate`
			`selector:`
			`matchLabels:`
			`app: buildkitd`
			`template:`
			`metadata:`
			`labels:`
			`app: buildkitd`
			`spec:`
feat(build): mTLS for buildkitd + public exposure via TLS passthrough cert-manager self-signed CA issues server and client certs for BuildKit mTLS. Buildkitd serves TLS on its ClusterIP (hostNetwork removed) and is publicly reachable at build.DOMAIN_SUFFIX:443 through Pingora's new SNI-based TLS passthrough router. Clients authenticate with the client certificate from the buildkitd-client-tls secret. 2026-03-26 14:23:56 +00:00			`# No hostNetwork — buildkitd is accessed via the ClusterIP service.`
			`# Public access goes through Pingora's TLS passthrough (SNI router).`
feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates - Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay 2026-03-10 19:00:57 +00:00			`containers:`
			`- name: buildkitd`
			`image: moby/buildkit:v0.28.0`
			`args:`
			`- --addr`
			`- tcp://0.0.0.0:1234`
feat(build): mTLS for buildkitd + public exposure via TLS passthrough cert-manager self-signed CA issues server and client certs for BuildKit mTLS. Buildkitd serves TLS on its ClusterIP (hostNetwork removed) and is publicly reachable at build.DOMAIN_SUFFIX:443 through Pingora's new SNI-based TLS passthrough router. Clients authenticate with the client certificate from the buildkitd-client-tls secret. 2026-03-26 14:23:56 +00:00			`- --tlscacert`
			`- /etc/buildkit/tls/ca.crt`
			`- --tlscert`
			`- /etc/buildkit/tls/tls.crt`
			`- --tlskey`
			`- /etc/buildkit/tls/tls.key`
feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates - Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay 2026-03-10 19:00:57 +00:00			`ports:`
			`- containerPort: 1234`
			`securityContext:`
			`privileged: true`
			`resources:`
			`requests:`
			`cpu: "500m"`
			`memory: "1Gi"`
			`limits:`
			`cpu: "4"`
			`memory: "8Gi"`
feat(build): mTLS for buildkitd + public exposure via TLS passthrough cert-manager self-signed CA issues server and client certs for BuildKit mTLS. Buildkitd serves TLS on its ClusterIP (hostNetwork removed) and is publicly reachable at build.DOMAIN_SUFFIX:443 through Pingora's new SNI-based TLS passthrough router. Clients authenticate with the client certificate from the buildkitd-client-tls secret. 2026-03-26 14:23:56 +00:00			`volumeMounts:`
			`- name: server-tls`
			`mountPath: /etc/buildkit/tls`
			`readOnly: true`
			`volumes:`
			`- name: server-tls`
			`projected:`
			`sources:`
			`- secret:`
			`name: buildkitd-server-tls`
			`items:`
			`- key: tls.crt`
			`path: tls.crt`
			`- key: tls.key`
			`path: tls.key`
			`- secret:`
			`name: buildkit-ca-keypair`
			`items:`
			`- key: ca.crt`
			`path: ca.crt`