feat(build): mTLS for buildkitd + public exposure via TLS passthrough

cert-manager self-signed CA issues server and client certs for BuildKit mTLS. Buildkitd serves TLS on its ClusterIP (hostNetwork removed) and is publicly reachable at build.DOMAIN_SUFFIX:443 through Pingora's new SNI-based TLS passthrough router. Clients authenticate with the client certificate from the buildkitd-client-tls secret.
2026-03-26 14:23:56 +00:00
parent 632099893a
commit 33f0e44545
5 changed files with 149 additions and 9 deletions
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -362,6 +362,13 @@ data:
      prefix  = "/.well-known/matrix"
      backend = "http://tuwunel.matrix.svc.cluster.local:6167"

+    # TLS passthrough: SNI-routed connections relayed without TLS termination.
+    # BuildKit uses mTLS (client certs) so Pingora can't terminate — it peeks
+    # the ClientHello SNI and relays the raw TCP stream to the backend.
+    [[tls_passthrough]]
+    host_prefix = "build"
+    backend     = "buildkitd.build.svc.cluster.local:1234"
+
    # SSH TCP passthrough: port 22 → Gitea SSH pod (headless service → pod:2222).
    [ssh]
    listen  = "0.0.0.0:22"