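---
# Deployment for the buildkitd daemon in the "build" namespace.
# It listens on TCP 1234 with TLS material mounted from two secrets.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: buildkitd
  namespace: build
spec:
  replicas: 1
  # Recreate stops the old pod before the new one starts.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: buildkitd
  template:
    metadata:
      labels:
        app: buildkitd
    spec:
      # No hostNetwork — buildkitd is accessed via the ClusterIP service.
      # Public access goes through Pingora's TLS passthrough (SNI router).
      # With passthrough, TLS terminates here, so the client-certificate
      # check done by buildkitd is the only authentication on that path.
      # NOTE(review): consider a NetworkPolicy limiting ingress on 1234
      # to the router pods and in-cluster build clients.

      # Nothing in the container's arguments uses the Kubernetes API, so
      # no ServiceAccount token is mounted into this privileged pod.
      automountServiceAccountToken: false
      containers:
        - name: buildkitd
          # A tag is mutable. Once the image has been verified, pin it by
          # digest: moby/buildkit:v0.28.0@sha256:<verified-digest>
          image: moby/buildkit:v0.28.0
          args:
            - --addr
            - tcp://0.0.0.0:1234
            # Supplying a CA makes buildkitd verify client certificates
            # against it (mutual TLS). Do not drop this flag while the
            # endpoint is publicly reachable.
            - --tlscacert
            - /etc/buildkit/tls/ca.crt
            - --tlscert
            - /etc/buildkit/tls/tls.crt
            - --tlskey
            - /etc/buildkit/tls/tls.key
          ports:
            - containerPort: 1234
          securityContext:
            # SECURITY: privileged removes container isolation from the
            # node. Compromise of the daemon, or a build step escaping
            # its sandbox, is equivalent to root on the host.
            # Left unchanged because this image variant expects it.
            # Mitigate by scheduling on dedicated build nodes, or
            # evaluate BuildKit's rootless mode.
            privileged: true
          resources:
            requests:
              cpu: "500m"
              memory: "1Gi"
            limits:
              cpu: "4"
              memory: "8Gi"
          volumeMounts:
            - name: server-tls
              mountPath: /etc/buildkit/tls
              readOnly: true
      volumes:
        - name: server-tls
          projected:
            # 256 decimal == 0400 octal: owner read-only, so the server
            # private key is not world-readable inside the container.
            defaultMode: 256
            sources:
              - secret:
                  name: buildkitd-server-tls
                  items:
                    - key: tls.crt
                      path: tls.crt
                    - key: tls.key
                      path: tls.key
              # Only ca.crt is projected from the CA secret. Judging by
              # its name, the secret presumably also holds the CA private
              # key. Never add that key to this list: the daemon needs
              # only the certificate to verify clients.
              - secret:
                  name: buildkit-ca-keypair
                  items:
                    - key: ca.crt
                      path: ca.crt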