From a101ea4b06db155497c50524bd2ff9a3376c3ff1 Mon Sep 17 00:00:00 2001
From: Sienna Meridian Satterwhite <sienna@r3t.io>
Date: Mon, 9 Mar 2026 01:40:25 +0000
Subject: [PATCH] fix(ingress): add localhost to rate-limit bypass CIDRs

Adds 127.0.0.0/8 and ::1/128 so host-networked pods (buildkitd) are
not blocked by the detection pipeline.
---
 base/ingress/pingora-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/ingress/pingora-config.yaml b/base/ingress/pingora-config.yaml
index 2e521f5..006406c 100644
--- a/base/ingress/pingora-config.yaml
+++ b/base/ingress/pingora-config.yaml
@@ -67,7 +67,7 @@ data:
     enabled                = true
     eviction_interval_secs = 300
     stale_after_secs       = 600
-    bypass_cidrs           = ["10.42.0.0/16"]
+    bypass_cidrs           = ["10.42.0.0/16", "127.0.0.0/8", "::1/128"]
 
     [rate_limit.authenticated]
     burst = 200