Connecting to Remote BuildKit Instances: Docker and Kubernetes Examples

without credentials. 2. With certificates generated in `.certs/`, startup the container: ```console $ docker run -d --rm \ --name=remote-buildkitd \ --privileged \ -p 1234:1234 \ -v $PWD/.certs:/etc/buildkit/certs \ moby/buildkit:latest \ --addr tcp://0.0.0.0:1234 \ --tlscacert /etc/buildkit/certs/daemon/ca.pem \ --tlscert /etc/buildkit/certs/daemon/cert.pem \ --tlskey /etc/buildkit/certs/daemon/key.pem ``` This command starts a BuildKit container and exposes the daemon's port 1234 to localhost. 3. Connect to this running container using Buildx: ```console $ docker buildx create \ --name remote-container \ --driver remote \ --driver-opt cacert=${PWD}/.certs/client/ca.pem,cert=${PWD}/.certs/client/cert.pem,key=${PWD}/.certs/client/key.pem,servername=<TLS_SERVER_NAME> \ tcp://localhost:1234 ``` Alternatively, use the `docker-container://` URL scheme to connect to the BuildKit container without specifying a port: ```console $ docker buildx create \ --name remote-container \ --driver remote \ docker-container://remote-container ``` ## Example: Remote BuildKit in Kubernetes This guide will show you how to create a setup similar to the `kubernetes` driver by manually creating a BuildKit `Deployment`. While the `kubernetes` driver will do this under-the-hood, it might sometimes be desirable to scale BuildKit manually. Additionally, when executing builds from inside Kubernetes pods, the Buildx builder will need to be recreated from within each pod or copied between them. 1. Create a Kubernetes deployment of `buildkitd`, as per the instructions [here](https://github.com/moby/buildkit/tree/master/examples/kubernetes). Following the guide, create certificates for the BuildKit daemon and client using [create-certs.sh](https://github.com/moby/buildkit/blob/master/examples/kubernetes/create-certs.sh), and create a deployment of BuildKit pods with a service that connects to them. 2. Assuming that the service is called `buildkitd`, create a remote builder in Buildx, ensuring that the listed certificate files are present: ```console $ docker buildx create \ --name remote-kubernetes \ --driver remote \ --driver-opt cacert=${PWD}/.certs/client/ca.pem,cert=${PWD}/.certs/client/cert.pem,key=${PWD}/.certs/client/key.pem \ tcp://buildkitd.default.svc:1234 ``` Note that this only works internally, within the cluster, since the BuildKit setup guide only creates a `ClusterIP` service. To access a builder remotely, you can set up and use an ingress, which is outside the scope of this guide. ### Debug a remote builder in Kubernetes If you're having trouble accessing a remote builder deployed in Kubernetes, you can use the `kube-pod://` URL scheme to connect directly to a BuildKit pod through the Kubernetes API. Note that this method only connects to a single pod in the deployment. ```console $ kubectl get pods --selector=app=buildkitd -o json | jq -r '.items[].metadata.name' buildkitd-XXXXXXXXXX-xxxxx $ docker buildx create \ --name remote-container \ --driver remote \ kube-pod://buildkitd-XXXXXXXXXX-xxxxx ``` Alternatively, use the port forwarding mechanism of `kubectl`: ```console $ kubectl port-forward svc/buildkitd 1234:1234 ``` Then you can point the remote driver at `tcp://localhost:1234`.

This section details how to connect to remote BuildKit instances running in Docker and Kubernetes environments using Buildx. For Docker, it outlines the steps to start a BuildKit container with TLS enabled and connect to it using the `remote` driver or the `docker-container://` URL scheme. For Kubernetes, it explains how to create a BuildKit deployment and service, and then create a remote builder in Buildx, emphasizing the importance of correct certificate configuration. It also provides guidance on debugging remote builders in Kubernetes using `kube-pod://` and port forwarding.