sbbb/base/build/buildkitd-mtls.yaml
Sienna Meridian Satterwhite 33f0e44545 feat(build): mTLS for buildkitd + public exposure via TLS passthrough
cert-manager self-signed CA issues server and client certs for BuildKit
mTLS. Buildkitd serves TLS on its ClusterIP (hostNetwork removed) and
is publicly reachable at build.DOMAIN_SUFFIX:443 through Pingora's new
SNI-based TLS passthrough router. Clients authenticate with the client
certificate from the buildkitd-client-tls secret.
2026-03-26 14:23:56 +00:00


# mTLS certificate infrastructure for BuildKit.
#
# Self-signed CA → server cert (for buildkitd) + client cert (for CLI).
# This allows buildkitd to be publicly exposed through Pingora's TLS
# passthrough while requiring client certificate authentication.
#
# cert-manager must be installed before applying this.
---
# ── CA Issuer ────────────────────────────────────────────────────────────────
# Bootstrap issuer: self-signs the CA keypair so no external issuer is needed.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  namespace: build
  name: buildkit-selfsign
spec:
  # Empty mapping: cert-manager takes no options for a self-signed issuer.
  selfSigned: {}
---
# CA certificate. Issued once by the self-signed bootstrap issuer; it is the
# trust root that signs the buildkitd server cert and the CLI client cert.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  namespace: build
  name: buildkit-ca
spec:
  isCA: true
  commonName: buildkit-ca
  # The CA keypair is written to this secret; the buildkit-ca-issuer reads it.
  secretName: buildkit-ca-keypair
  # Long-lived root: valid 10 years, re-issued with a full year of overlap.
  duration: 87600h
  renewBefore: 8760h
  privateKey:
    algorithm: ECDSA
    size: 256  # P-256 curve
  issuerRef:
    kind: Issuer
    name: buildkit-selfsign
---
# CA-backed issuer: signs leaf certificates with the buildkit-ca keypair
# stored in the secret named below.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  namespace: build
  name: buildkit-ca-issuer
spec:
  ca:
    # Must match secretName of the buildkit-ca Certificate.
    secretName: buildkit-ca-keypair
---
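# ── Server certificate (for buildkitd) ──────────────────────────────────────
# Leaf cert presented by buildkitd. Signed by buildkit-ca-issuer, so clients
# that trust buildkit-ca can verify it on the in-cluster names and the public
# hostname alike.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: buildkitd-server
  namespace: build
spec:
  secretName: buildkitd-server-tls
  duration: 8760h  # 1 year
  renewBefore: 720h  # renew 30 days early
  privateKey:
    algorithm: ECDSA
    size: 256
  # ECDSA keys only sign. keyEncipherment is an RSA key usage and RFC 5480
  # forbids it on EC public keys, so it is not requested here; TLS with this
  # key negotiates ephemeral (EC)DH and needs only digitalSignature.
  usages:
    - digital signature
    - server auth
  dnsNames:
    - buildkitd
    - buildkitd.build.svc.cluster.local
    # Public name. DOMAIN_SUFFIX looks like a placeholder token — presumably
    # substituted before apply; verify against the deployment tooling.
    - build.DOMAIN_SUFFIX
  issuerRef:
    name: buildkit-ca-issuer
    kind: Issuer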
---
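# ── Client certificate (for Sunbeam CLI) ────────────────────────────────────
# Leaf cert the CLI presents to buildkitd for mTLS. Identified by its CN only;
# no SANs are needed for client authentication.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: buildkitd-client
  namespace: build
spec:
  secretName: buildkitd-client-tls
  duration: 8760h  # 1 year
  renewBefore: 720h  # renew 30 days early
  privateKey:
    algorithm: ECDSA
    size: 256
  # ECDSA keys only sign. keyEncipherment is an RSA key usage and RFC 5480
  # forbids it on EC public keys, so it is not requested here; client
  # authentication in TLS needs only digitalSignature + clientAuth.
  usages:
    - digital signature
    - client auth
  commonName: sunbeam-cli
  issuerRef:
    name: buildkit-ca-issuer
    kind: Issuer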