mirror of
https://github.com/run-llama/workflows-py.git
synced 2026-07-18 16:14:58 -04:00
1.8 KiB
1.8 KiB
Build API
The Build API is a secure proxy service that enables deployment pods to access external resources without exposing credentials directly. It runs on port 8001 alongside the management API.
Purpose
Deployment pods need access to private repositories and build artifacts, but can't safely store credentials. The Build API solves this by:
- Authenticating pods using deployment-specific tokens
- Proxying requests with appropriate credentials
- Enforcing network isolation between pods and sensitive services
Authentication
- Each deployment gets a unique token generated by the operator
- Pods authenticate to the build API using
Authorization: Bearer <token>or HTTP Basic Auth - Basic Auth supports using either username or password as the token (for Git compatibility)
- The build API validates tokens against Kubernetes CRDs
- Network policies restrict pods to only access the build API port
Current Capabilities
Git Repository Proxying
The Build API provides Git HTTP protocol support for secure repository access:
- Protocol Support: Handles all Git HTTP operations (GET/POST)
- directly forwards all requests to '/deployments/{deployment_id}' to the deployment's git repository
- Uses basic auth with the deployment token, and re-authenticates with the proxy git repo
Future Capabilities
- S3 Repositories: Access private S3-based git repositories without complex pod permissions
- Build Artifacts: Push/pull container images and build artifacts
- Multi-Provider Git: GitLab, Bitbucket, and other git providers
- Credential Rotation: Automatic token refresh
Security Benefits
- Pods don't need direct cloud credentials or git tokens
- Network policies isolate pods from management APIs
- Centralized credential management and audit logging
- Fine-grained access control per deployment