Stitch any CI into Tangled

# Tekton

The Tekton provider runs only in Kubernetes. Tack receives Tangled
pipeline triggers, creates a Tekton `PipelineRun` for an existing
in-cluster `Pipeline`, watches that `PipelineRun`, and publishes
`sh.tangled.pipeline.status` records back to Tangled.

Tekton Triggers are intentionally not used. Tack already performs the
event-to-run translation, and Tekton's native execution object is the
`PipelineRun`.

> [!IMPORTANT]
>
> **This is a community-contributed provider.** I (mitchellh) haven't
> verified its functionality beyond what others have said worked. I've
> only reviewed the code for obvious issues and to ensure it doesn't do
> anything to jeopardize the rest of Tack.

## Required cluster setup

* Tekton Pipelines is installed in the cluster.
* Tack is deployed inside the same cluster.
* The target Tekton `Pipeline` objects already exist in the namespace
  tack is configured to use.
* Tack's Kubernetes service account has RBAC to:
  * create, get, list, and watch `tekton.dev` `pipelineruns`
  * get, list, and watch `tekton.dev` `taskruns`
  * get and list pods
  * get pod logs via `pods/log`

Example RBAC:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tack-tekton
  namespace: ci
rules:
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns"]
    verbs: ["create", "get", "list", "watch"]
  - apiGroups: ["tekton.dev"]
    resources: ["taskruns"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
```

## Configure Tack

| Env var                  | Description                                               |
| ------------------------ | --------------------------------------------------------- |
| `TACK_TEKTON_ENABLED`    | Set to `1` to enable the Tekton provider                  |
| `TACK_TEKTON_NAMESPACE`  | Namespace for created `PipelineRun`s (default `default`)  |

The provider uses Kubernetes in-cluster service account credentials.
It will not run from a local kubeconfig.

## Naming

There are three separate names:

* Tack workflow name: the Tangled workflow filename/name, e.g. `ci.yml`.
  This remains the Tangled-facing workflow identity in status records.
* Tekton `Pipeline` name: the existing in-cluster pipeline definition,
  e.g. `repo-ci`. This is written to `spec.pipelineRef.name`.
* Tekton `PipelineRun` name: generated by tack per trigger/workflow,
  e.g. `tack-ci-yml-<short-hash>`. This is the concrete execution
  object tack watches and stores.

## Workflow YAML

Only the provider and target pipeline are required:

```yaml
tack:
  tekton:
    pipeline: repo-ci
```

Optional fields:

```yaml
tack:
  tekton:
    pipeline: repo-ci
    service_account: pipeline-runner
    params:
      image: example/app
```

`params` are forwarded as string Tekton params. Tack also stores the
knot, pipeline rkey, workflow name, actor DID, commit, and branch as
`PipelineRun` annotations, so operators can inspect the Kubernetes
object and connect it back to the Tangled trigger.

## Example Pipeline

```yaml
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: repo-ci
  namespace: ci
spec:
  params:
    - name: image
      type: string
  tasks:
    - name: test
      taskSpec:
        params:
          - name: image
            type: string
        steps:
          - name: test
            image: golang:1.25
            script: |
              set -eu
              echo "building $(params.image)"
              go test ./...
      workspaces: []
      params:
        - name: image
          value: $(params.image)
```

Detailed CI behavior belongs in the in-cluster `Pipeline`. The Tangled
workflow YAML should stay small: select `tekton`, pick the target
pipeline, and pass only the small set of params that pipeline expects.
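
A hardened variant of the example Pipeline, added here as an illustration and not taken from the Tack project. Because `params` from the Tangled workflow YAML are forwarded as string Tekton params, and Tekton substitutes `$(params.image)` into `script` as text before the shell runs, this version hands the value to the step through an environment variable instead. The variable name `IMAGE` is an assumption made for this example.

```yaml
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: repo-ci
  namespace: ci
spec:
  params:
    - name: image
      type: string
  tasks:
    - name: test
      params:
        - name: image
          value: $(params.image)
      taskSpec:
        params:
          - name: image
            type: string
        steps:
          - name: test
            image: golang:1.25
            # The param is substituted into a plain string field here,
            # not into shell source.
            env:
              - name: IMAGE   # assumed name, chosen for this example
                value: $(params.image)
            script: |
              set -eu
              # The shell expands IMAGE as data; the quotes keep it one word.
              echo "building ${IMAGE}"
              go test ./...
```

With this form, shell metacharacters in a forwarded param reach `echo` as literal text rather than being parsed as part of the script.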