Files
workflows-py/architecture-docs/build-api.md
T

1.8 KiB

Build API

The Build API is a secure proxy service that enables deployment pods to access external resources without exposing credentials directly. It runs on port 8001 alongside the management API.

Purpose

Deployment pods need access to private repositories and build artifacts, but can't safely store credentials. The Build API solves this by:

  1. Authenticating pods using deployment-specific tokens
  2. Proxying requests with appropriate credentials
  3. Enforcing network isolation between pods and sensitive services

Authentication

  • Each deployment gets a unique token generated by the operator
  • Pods authenticate to the build API using Authorization: Bearer <token> or HTTP Basic Auth
  • Basic Auth supports using either username or password as the token (for Git compatibility)
  • The build API validates tokens against Kubernetes CRDs
  • Network policies restrict pods to only access the build API port

Current Capabilities

Git Repository Proxying

The Build API provides Git HTTP protocol support for secure repository access:

  • Protocol Support: Handles all Git HTTP operations (GET/POST)
    • directly forwards all requests to '/deployments/{deployment_id}' to the deployment's git repository
    • Uses basic auth with the deployment token, and re-authenticates with the proxy git repo

Future Capabilities

  • S3 Repositories: Access private S3-based git repositories without complex pod permissions
  • Build Artifacts: Push/pull container images and build artifacts
  • Multi-Provider Git: GitLab, Bitbucket, and other git providers
  • Credential Rotation: Automatic token refresh

Security Benefits

  • Pods don't need direct cloud credentials or git tokens
  • Network policies isolate pods from management APIs
  • Centralized credential management and audit logging
  • Fine-grained access control per deployment