We use cookies to understand how people use Depot.
🚀 All of the performance of Depot, now for GitHub Actions Runners!
Depot
Sign InSign Up
← All Posts

Introducing self-hosted Depot builders

Written by
kyle
Kyle Galbraith
Published on
18 August 2022
Self-hosted Depot builders are here! Launch builders in your own AWS accounts on a per-project basis and connect directly to them without passing through any Depot proxy.
Introducing self-hosted Depot builders banner

In June, we announced that we were working on the ability to run self-hosted Depot builders inside your own cloud accounts. This would allow project builds to run inside your own infrastructure instead of inside Depot's infrastructure providers. Allowing organizations with special requirements to utilize Depot while keeping their build data entirely inside their account.

Today, we are excited to announce that you can now launch self-hosted Depot builders in your own AWS account 🎉

How self-hosted builders work

Self-hosted builders use a connection that you configure inside your Depot organization with details about your cloud account. You can then decide to use your self-hosted cloud connection on a per-project basis.

Self-hosted builders allow the Depot API to create, start, stop, and delete builder machines and cache volumes in your own cloud account. When the Depot CLI requests a build via depot build for a project using a self-hosted connection, the build flow is as follows:

  1. The Depot CLI asks the Depot API for a new builder machine connection (with organization ID, project ID, and the required architecture) and polls the API for when a machine is ready
  2. The Depot API stores that pending request for a builder
  3. A cloud-agent process running in your cloud periodically reports current status to the Depot API and asks if there are any pending infrastructure changes — it receives a description of the machine to start for the pending build and launches that machine
  4. When the machine launches, a machine-agent process running inside the VM registers itself with the Depot API and receives the instruction to launch BuildKit with specific mTLS certificates provisioned for your build
  5. After the machine-agent reports that BuildKit is running, the Depot API returns a success response to the Depot CLI, along with new mTLS certificates to secure and authenticate the build connection
  6. The Depot CLI uses the new mTLS certificates to directly connect the builder instance in your cloud account, using that machine and cache volume for the build

Your build data and context never passes through Depot infrastructure and communicates directly with the builder machine inside your AWS account.

Open-source components

All the components that make self-hosted builders work are open-source:

  • cloud-agent runs as a Fargate task. This task is responsible for connecting to our Depot API via SSL and a connection token you receive when configuring your connection. It reports the current state of Depot infrastructure in your account, and receives back a list of actions that should be taken to update the Depot infrastructure to meet current build demands.

  • machine-agent is a process that runs on the build machines that are launched by the cloud-agent. This process reports to our Depot API to inform it that it is available for a build. Once assigned a build, it launches BuildKit to run the build and report its results back.

  • depot/connection/aws is a Terraform module that provisions the necessary AWS infrastructure and IAM permissions necessary for the cloud connection to run and provision Depot infrastructure in response to builds.

  • All the machine images (AMIs) that run inside your cloud are open-source as well.

  • Our Depot CLI as of version 0.1.4 supports directly connecting to builder machines in your cloud using mTLS.

Security and transparency

The hosted Depot service and API has no direct access to your cloud account, instead the cloud-agent process translates the desired machine state into changes in your account. This means there are no cross-account IAM roles provisioned and no AWS access tokens stored in Depot's database. Additionally, the cloud-agent has a limited vocabulary of actions it can perform, limited to simple actions like creating, stopping, starting, and deleting builder machines.

The cloud-agent process has a restricted IAM role policy that only allows management of Depot infrastructure in your account. The IAM policy provisioned by Terraform allows the cloud-agent to interact with EC2 instances and EBS volumes in your account, only if they are tagged with a depot-connection tag. It also requires that any new instances or volumes must be tagged with the depot-connection tag. This limits what the process is allowed to access to only resources it has launched.

The Depot CLI communicates with self-hosted builder machines directly, using mTLS. Your build data and communication are encrypted with TLS, authenticated for the build, and do not pass through any Depot-hosted proxy or API. This means your build data is private to your own AWS account. The mTLS certificates are provisioned per build machine / per build.

Getting started

To get started with self-hosted Depot builders, see our setup and usage guide in our docs.

We think this solves a lot of use cases for organizations that have special requirements or need to use existing infrastructure for CI builds without having to manage any of it. Today, self-hosted builders only support AWS, but we intend to support others in the near future.

If you have any feedback about self-hosted Depot builders or have ideas for improvements, please send us a message and let us know!

Build 40x faster
Get started for free →