Stitch any CI into Tangled

k8s deployment (should take out before pr probaboy?

+243
+21
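--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM golang:1.25-bookworm AS builder
+
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+RUN CGO_ENABLED=1 GOOS=linux go build -trimpath -ldflags="-s -w" -o /tack .
+
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /tack /usr/local/bin/tack
+
+RUN useradd -r -u 1000 -m tack
+USER tack
+
+EXPOSE 8080
+
+ENTRYPOINT ["/usr/local/bin/tack"]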
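Review bot: `USER tack` on line 17 names the account instead of its UID, and the kubelet cannot check `runAsNonRoot: true` against a non-numeric image user; the pod in deploy/deployment.yaml starts only because it also sets `runAsUser: 1000`. Writing `USER 1000:1000` lets the image pass that check on its own. Both `FROM` lines also track mutable tags, so two builds of the same commit can yield different images; pinning each by digest, e.g. `FROM debian:bookworm-slim@sha256:<digest>`, keeps the build reproducible and reviewable.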
+71
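--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: tack
+  namespace: tack
+spec:
+  replicas: 1 # SQLite is single-writer; do not scale above 1
+  selector:
+    matchLabels:
+      app: tack
+  template:
+    metadata:
+      labels:
+        app: tack
+    spec:
+      serviceAccountName: tack
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        fsGroup: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: tack
+          image: atcr.io/dsx.sh/tack:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: http
+              containerPort: 8080
+          env:
+            - name: TACK_LISTEN_ADDR
+              value: ":8080"
+            - name: TACK_DB_PATH
+              value: "/var/lib/tack/tack.db"
+            - name: TACK_TEKTON_ENABLED
+              value: "1"
+            - name: TACK_TEKTON_NAMESPACE
+              value: "tekton-pipelines"
+          envFrom:
+            - secretRef:
+                name: tack
+          volumeMounts:
+            - name: db
+              mountPath: /var/lib/tack
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 2
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              memory: 256Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: ["ALL"]
+      volumes:
+        - name: db
+          persistentVolumeClaim:
+            claimName: tack-db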
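Review bot: `image: atcr.io/dsx.sh/tack:latest` combined with `imagePullPolicy: IfNotPresent` means a node that already holds a `latest` image never pulls a newer one, so the running build depends on where the pod is scheduled and the manifest does not identify what is deployed. Pin a version tag or a digest, `image: atcr.io/dsx.sh/tack@sha256:<digest>`. The Deployment also keeps the default RollingUpdate strategy, which starts the replacement pod before the old one exits; given the single-writer SQLite note on `replicas`, adding `strategy: {type: Recreate}` under `spec` avoids two processes opening the database during a rollout.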
+57
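--- a/deploy/hello-world.yaml
+++ b/deploy/hello-world.yaml
@@ -0,0 +1,57 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: hello-world
+spec:
+  description: Simple Pipeline for validating Tack-created Tekton PipelineRuns.
+  params:
+    - name: message
+      type: string
+      default: Hello from Tack
+    - name: name
+      type: string
+      default: world
+  tasks:
+    - name: say-hello
+      taskRef:
+        name: hello-world
+      params:
+        - name: message
+          value: $(params.message)
+        - name: name
+          value: $(params.name)
+    - name: finish
+      runAfter:
+        - say-hello
+      taskRef:
+        name: hello-world-finish
+      params:
+        - name: name
+          value: $(params.name)
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: hello-world-inline
+spec:
+  description: Single inline-task Pipeline for the smallest Tack smoke test.
+  params:
+    - name: message
+      type: string
+      default: Hello from Tack
+  tasks:
+    - name: say-hello
+      taskSpec:
+        params:
+          - name: message
+            type: string
+        steps:
+          - name: hello
+            image: busybox:1.36
+            script: |
+              #!/bin/sh
+              set -eu
+              echo "$(params.message)"
+      params:
+        - name: message
+          value: $(params.message)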
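Review bot: In `hello-world-inline`, `echo "$(params.message)"` on line 54 has Tekton substitute the parameter into the script text before the shell parses it, so a value containing quotes or a command substitution is executed instead of printed. If Tack ever fills `message` from repository or webhook data, that becomes shell injection inside the step. Pass the value through the step's `env` and reference the variable, as below. Separately, the `hello-world` Pipeline refers to Tasks `hello-world` and `hello-world-finish` that this file does not define, so it cannot run from these manifests alone.

```yaml
            image: busybox:1.36
            env:
              - name: MESSAGE
                value: $(params.message)
            script: |
              # … unchanged: shebang and set -eu …
              echo "$MESSAGE"
```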
+11
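--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tack
+resources:
+  - namespace.yaml
+  - serviceaccount.yaml
+  - rbac.yaml
+  - pvc.yaml
+  - secret.yaml
+  - deployment.yaml
+  - service.yaml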
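Review bot: `namespace: tack` on line 3 is applied by kustomize to every namespaced resource in the list, which as far as I can tell includes the Role and RoleBinding in rbac.yaml that declare `namespace: tekton-pipelines`. Built through this file they would be created in `tack`, so the service account would hold its rights in the wrong namespace and none where `TACK_TEKTON_NAMESPACE` points. Every manifest already sets its own namespace, so dropping the line is enough; otherwise move rbac.yaml into a separate kustomization. Checking the output of `kustomize build deploy/` before merging would confirm where the Role lands.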
+6
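--- a/deploy/namespace.yaml
+++ b/deploy/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tack
+  labels:
+    atcr.io-image: "true"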
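Review bot: The namespace carries no Pod Security Admission label, so the hardening in deploy/deployment.yaml holds only for that one pod spec and nothing stops a later, weaker workload in `tack`. The Deployment appears to meet the restricted profile already (non-root, `RuntimeDefault` seccomp, all capabilities dropped, no privilege escalation), so adding `pod-security.kubernetes.io/enforce: restricted` under `labels` should cost nothing. The purpose of `atcr.io-image: "true"` is not explained on this page; a short comment saying what consumes it would help.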
+11
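--- a/deploy/pvc.yaml
+++ b/deploy/pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tack-db
+  namespace: tack
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi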
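Review bot: `ReadWriteMany` on line 8 lets pods on several nodes mount `tack-db` at once, and it usually selects a network filesystem on which SQLite file locking is unreliable. That conflicts with the single-writer comment on `replicas` in deploy/deployment.yaml. `- ReadWriteOnce`, or `- ReadWriteOncePod` where the storage driver supports it, makes the cluster enforce the one-writer assumption instead of relying on the replica count.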
+34
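--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -0,0 +1,34 @@
+# Role in tekton-pipelines so tack can manage PipelineRuns and read pod logs there.
+# The RoleBinding references tack's ServiceAccount cross-namespace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tack
+  namespace: tekton-pipelines
+rules:
+  - apiGroups: ["tekton.dev"]
+    resources: ["pipelineruns"]
+    verbs: ["create", "get", "list", "watch"]
+  - apiGroups: ["tekton.dev"]
+    resources: ["taskruns"]
+    verbs: ["list"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tack
+  namespace: tekton-pipelines
+subjects:
+  - kind: ServiceAccount
+    name: tack
+    namespace: tack
+roleRef:
+  kind: Role
+  name: tack
+  apiGroup: rbac.authorization.k8s.io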
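Review bot: The Role is bound in `tekton-pipelines`, which is the namespace a default Tekton install uses for its own controller and webhook, so `get` on `pods/log` there also covers control-plane logs, and every PipelineRun Tack creates runs its workload beside them. A dedicated namespace for Tack-created runs (for example `tack-runs`, a name made up for this note), with the Role, the RoleBinding and `TACK_TEKTON_NAMESPACE` all pointing at it, keeps the grant scoped to Tack's own pods. The header comment could also say that `create` on `pipelineruns` allows running arbitrary pipeline steps in that namespace, since that is the strongest permission granted here.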
+15
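--- a/deploy/secret.yaml
+++ b/deploy/secret.yaml
@@ -0,0 +1,15 @@
+# Rename to secret.yaml and fill in real values before applying.
+# Do not commit populated secrets to version control.
+apiVersion: v1
+kind: Secret
+metadata:
+  name: tack
+  namespace: tack
+type: Opaque
+stringData:
+  TACK_HOSTNAME: "tack.example.com"
+  TACK_OWNER_DID: "did:plc:1234"
+  # Uncomment to enable Buildkite provider:
+  # TACK_BUILDKITE_TOKEN: ""
+  # TACK_BUILDKITE_ORG: ""
+  # TACK_BUILDKITE_WEBHOOK_SECRET: ""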
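Review bot: The header comment says to rename the file to secret.yaml, but it is already committed as deploy/secret.yaml and listed in deploy/kustomization.yaml, so anyone who fills in the Buildkite token and webhook secret is editing a tracked file. Applying the directory unchanged also creates the Secret with the placeholder `TACK_HOSTNAME` and `TACK_OWNER_DID`. Committing the template as `secret.example.yaml` and adding `secret.yaml` to the ignore file would match what the comment describes and keep populated values out of history.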
+12
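--- a/deploy/service.yaml
+++ b/deploy/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: tack
+  namespace: tack
+spec:
+  selector:
+    app: tack
+  ports:
+    - name: http
+      port: 80
+      targetPort: http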
+5
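--- a/deploy/serviceaccount.yaml
+++ b/deploy/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tack
+  namespace: tack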