feat(build): mTLS for buildkitd + public exposure via TLS passthrough
A cert-manager self-signed CA issues the server and client certificates for BuildKit mTLS. Buildkitd serves TLS on its ClusterIP (hostNetwork removed) and is publicly reachable at build.DOMAIN_SUFFIX:443 through Pingora's new SNI-based TLS passthrough router. Clients authenticate with the client certificate from the buildkitd-client-tls secret.
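--- a/PATH_NOT_ON_PAGE.yaml
+++ b/PATH_NOT_ON_PAGE.yaml
@@ -15,21 +15,20 @@ spec:
 labels:
 app: buildkitd
 spec:
-# Use host network so buildkitd can push to src.DOMAIN_SUFFIX (Gitea registry
-# via Pingora) without DNS resolution issues. The registry runs on the same
-# node, so host networking routes traffic back to localhost directly.
-hostNetwork: true
-dnsPolicy: None
-dnsConfig:
-nameservers:
-- 8.8.8.8
-- 1.1.1.1
+# No hostNetwork — buildkitd is accessed via the ClusterIP service.
+# Public access goes through Pingora's TLS passthrough (SNI router).
 containers:
 - name: buildkitd
 image: moby/buildkit:v0.28.0
 args:
 - --addr
 - tcp://0.0.0.0:1234
+- --tlscacert
+- /etc/buildkit/tls/ca.crt
+- --tlscert
+- /etc/buildkit/tls/tls.crt
+- --tlskey
+- /etc/buildkit/tls/tls.key
 ports:
 - containerPort: 1234
 securityContext:
@@ -41,3 +40,23 @@ spec:
 limits:
 cpu: "4"
 memory: "8Gi"
+volumeMounts:
+- name: server-tls
+mountPath: /etc/buildkit/tls
+readOnly: true
+volumes:
+- name: server-tls
+projected:
+sources:
+- secret:
+name: buildkitd-server-tls
+items:
+- key: tls.crt
+path: tls.crt
+- key: tls.key
+path: tls.key
+- secret:
+name: buildkit-ca-keypair
+items:
+- key: ca.crt
+path: ca.crt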
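Review bot: The new comment above `containers:` in the first hunk says public access goes through the TLS passthrough but not what keeps that public endpoint authenticated; with buildkitd exposed at build.DOMAIN_SUFFIX:443 the only control is `--tlscacert`, which is what makes buildkitd require and verify a client certificate, so extend the comment with `# --tlscacert enables mandatory client-cert verification; dropping it leaves the public endpoint unauthenticated.` The removed hostNetwork/dnsConfig stanza also documented why pushes to the src.DOMAIN_SUFFIX registry resolved correctly, and the new side gives no replacement, so those pushes now presumably depend on cluster DNS and hairpin routing back to Pingora — worth one sentence in the same comment once that has been verified. In the second hunk the projected volume correctly selects only `ca.crt` from `buildkit-ca-keypair`, which keeps the CA private key out of the pod; a comment such as `# only ca.crt — never mount the CA private key into buildkitd` would stop a later edit from adding `tls.key`. Note too that buildkitd appears to load its key pair at startup, so a cert-manager renewal of buildkitd-server-tls will likely not take effect until the pod is restarted.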