studio/sbbb
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(build): mTLS for buildkitd + public exposure via TLS passthrough

Browse Source 
cert-manager self-signed CA issues server and client certs for BuildKit
mTLS. Buildkitd serves TLS on its ClusterIP (hostNetwork removed) and
is publicly reachable at build.DOMAIN_SUFFIX:443 through Pingora's new
SNI-based TLS passthrough router. Clients authenticate with the client
certificate from the buildkitd-client-tls secret.
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-26 14:23:56 +00:00
parent 632099893a
commit 33f0e44545
5 changed files with 149 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
docs/proxy.md
View File

@@ -100,6 +100,7 @@ Every subdomain gets routed by prefix (the part before the first dot). The bounc
| `hydra` | Hydra admin (auth-gated) | subrequest to `/userinfo` |
| `search` | OpenSearch (auth-gated) | subrequest to `/userinfo` |
| `vault` | OpenBao (auth-gated) | subrequest to `/userinfo` |
| `build` | BuildKit daemon | TLS passthrough (mTLS) |
Path sub-routes use longest-prefix-first matching within each host.
@@ -129,6 +130,25 @@ Pure Rust, no C dependencies in the TLS stack.
- **Local:** mkcert wildcard cert
- **Production:** Let's Encrypt via cert-manager (ACME HTTP-01 challenges routed by the proxy itself)
### SNI-Based TLS Passthrough
Some backends handle their own TLS (e.g. buildkitd with mTLS client certificate auth). The proxy supports **TLS passthrough** — peeking at the TLS ClientHello SNI without terminating the connection, then relaying the raw TCP stream to the backend.
```toml
[[tls_passthrough]]
host_prefix = "build"
backend = "buildkitd.build.svc.cluster.local:1234"
```
When `tls_passthrough` routes are configured, the proxy's HTTPS listener splits into two layers:
1. **SNI router** on `:443` — peeks the first ~1536 bytes of each connection, parses the ClientHello for the SNI hostname
2. **Pingora TLS** on `127.0.0.1:10443` — normal TLS termination for HTTP traffic
If the SNI matches a passthrough route, the connection is relayed directly to the backend (no TLS termination, no HTTP inspection). Otherwise it's forwarded to Pingora for normal processing. Non-TLS traffic and connections without SNI fall through to Pingora.
When no `tls_passthrough` routes are configured, Pingora binds `:443` directly — zero overhead.
## ML Training Pipeline
The models aren't downloaded — they're compiled into the binary. Weights baked in = zero model file overhead, L1-cache-resident inference.