Stitch any CI into Tangled

k8s deployment (should take out before pr probaboy?

authored by

Dylan Shepard and committed by
Tangled
624fdde3 2607c810

+243
+21
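--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+FROM golang:1.25-bookworm AS builder
+
+WORKDIR /src
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+RUN CGO_ENABLED=1 GOOS=linux go build -trimpath -ldflags="-s -w" -o /tack .
+
+FROM debian:bookworm-slim
+
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /tack /usr/local/bin/tack
+
+RUN useradd -r -u 1000 -m tack
+USER tack
+
+EXPOSE 8080
+
+ENTRYPOINT ["/usr/local/bin/tack"]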
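Review bot: Both `FROM` lines reference mutable tags (`golang:1.25-bookworm`, `debian:bookworm-slim`), so the same commit can yield a different toolchain and runtime layer on every rebuild. Pinning each by digest, e.g. `FROM debian:bookworm-slim@sha256:<digest>`, makes the build reproducible and turns base-image changes into reviewable diffs. Separately, `COPY . .` copies the whole build context into the builder stage, and this commit also adds `deploy/secret.yaml`, which is meant to be filled in with real values. No `.dockerignore` is visible in the commit; one that excludes `deploy/` and local `*.db` files would keep them out of builder layers and shared build caches.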
+71
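--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: tack
+namespace: tack
+spec:
+replicas: 1 # SQLite is single-writer; do not scale above 1
+selector:
+matchLabels:
+app: tack
+template:
+metadata:
+labels:
+app: tack
+spec:
+serviceAccountName: tack
+securityContext:
+runAsNonRoot: true
+runAsUser: 1000
+fsGroup: 1000
+seccompProfile:
+type: RuntimeDefault
+containers:
+- name: tack
+image: atcr.io/dsx.sh/tack:latest
+imagePullPolicy: IfNotPresent
+ports:
+- name: http
+containerPort: 8080
+env:
+- name: TACK_LISTEN_ADDR
+value: ":8080"
+- name: TACK_DB_PATH
+value: "/var/lib/tack/tack.db"
+- name: TACK_TEKTON_ENABLED
+value: "1"
+- name: TACK_TEKTON_NAMESPACE
+value: "tekton-pipelines"
+envFrom:
+- secretRef:
+name: tack
+volumeMounts:
+- name: db
+mountPath: /var/lib/tack
+livenessProbe:
+httpGet:
+path: /
+port: http
+initialDelaySeconds: 5
+periodSeconds: 30
+readinessProbe:
+httpGet:
+path: /
+port: http
+initialDelaySeconds: 2
+periodSeconds: 10
+resources:
+requests:
+cpu: 50m
+memory: 64Mi
+limits:
+memory: 256Mi
+securityContext:
+allowPrivilegeEscalation: false
+readOnlyRootFilesystem: true
+capabilities:
+drop: ["ALL"]
+volumes:
+- name: db
+persistentVolumeClaim:
+claimName: tack-db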
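Review bot: `image: atcr.io/dsx.sh/tack:latest` together with `imagePullPolicy: IfNotPresent` means each node keeps whatever it first pulled under that tag, so nothing ties the running pod to a reviewed build and two nodes can run different code. Reference an immutable version or digest instead, e.g. `image: atcr.io/dsx.sh/tack@sha256:<digest>`. Also, no `strategy` is set, so the default RollingUpdate starts the replacement pod before stopping the old one; that briefly gives two processes the same SQLite file despite the `replicas: 1` comment. Adding `strategy: {type: Recreate}` under `spec` would keep the single-writer guarantee during rollouts.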
+57
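--- a/deploy/hello-world.yaml
+++ b/deploy/hello-world.yaml
@@ -0,0 +1,57 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+name: hello-world
+spec:
+description: Simple Pipeline for validating Tack-created Tekton PipelineRuns.
+params:
+- name: message
+type: string
+default: Hello from Tack
+- name: name
+type: string
+default: world
+tasks:
+- name: say-hello
+taskRef:
+name: hello-world
+params:
+- name: message
+value: $(params.message)
+- name: name
+value: $(params.name)
+- name: finish
+runAfter:
+- say-hello
+taskRef:
+name: hello-world-finish
+params:
+- name: name
+value: $(params.name)
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+name: hello-world-inline
+spec:
+description: Single inline-task Pipeline for the smallest Tack smoke test.
+params:
+- name: message
+type: string
+default: Hello from Tack
+tasks:
+- name: say-hello
+taskSpec:
+params:
+- name: message
+type: string
+steps:
+- name: hello
+image: busybox:1.36
+script: |
+#!/bin/sh
+set -eu
+echo "$(params.message)"
+params:
+- name: message
+value: $(params.message)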
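Review bot: In the `hello-world-inline` step, `echo "$(params.message)"` has Tekton substitute the parameter into the script text before the shell runs, so the shell interprets any metacharacters in `message` as code rather than data. If Tack ever fills `message` from repository or webhook content, the value becomes a script-injection path. Passing the parameter through the step's `env` and quoting the variable keeps the value as data; as a smoke test this file is likely to be copied, so the safe form is worth having here. The first Pipeline also references Tasks `hello-world` and `hello-world-finish`, which this commit does not define.

```yaml
# … unchanged: Pipeline metadata, params, taskSpec params, step name and image …
    env:
      - name: MESSAGE
        value: $(params.message)
    script: |
      # … unchanged: shebang, set -eu …
      echo "$MESSAGE"
```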
+11
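--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tack
+resources:
+- namespace.yaml
+- serviceaccount.yaml
+- rbac.yaml
+- pvc.yaml
+- secret.yaml
+- deployment.yaml
+- service.yaml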
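Review bot: The top-level `namespace: tack` makes Kustomize rewrite the namespace of every namespaced resource it renders, including the Role and RoleBinding in `rbac.yaml` that are declared for `tekton-pipelines`. Applied through this kustomization, the RBAC would land in `tack`, so the service account would get pod and log read access there and no PipelineRun permissions where `TACK_TEKTON_NAMESPACE` points. Every manifest already sets its own `metadata.namespace`, so dropping the `namespace: tack` line is the simplest fix; compare `kustomize build deploy/` output with the intended namespaces before merging. Listing `secret.yaml` under `resources` also means the placeholder Secret is applied as-is unless someone edits the tracked file.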
+6
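--- a/deploy/namespace.yaml
+++ b/deploy/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: tack
+labels:
+atcr.io-image: "true"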
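Review bot: The namespace carries no Pod Security Admission labels, so the hardening in `deployment.yaml` is only a property of that one manifest and nothing stops a later workload in `tack` from running privileged. The Deployment as written appears to meet the restricted profile (non-root, `RuntimeDefault` seccomp, no privilege escalation, all capabilities dropped), so adding `pod-security.kubernetes.io/enforce: restricted` under `labels` should be safe. The purpose of `atcr.io-image: "true"` is not evident from the commit; a short comment saying what consumes it would help.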
+11
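--- a/deploy/pvc.yaml
+++ b/deploy/pvc.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: tack-db
+namespace: tack
+spec:
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 1Gi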
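Review bot: `ReadWriteMany` lets pods on several nodes mount this volume read-write, which contradicts the single-writer note in `deployment.yaml`. It also usually selects a network filesystem, where SQLite's file locking is not dependable, so concurrent access can corrupt the database. `- ReadWriteOnce`, or `- ReadWriteOncePod` where the storage class supports it, states the intended constraint and lets the cluster enforce it.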
+34
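--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -0,0 +1,34 @@
+# Role in tekton-pipelines so tack can manage PipelineRuns and read pod logs there.
+# The RoleBinding references tack's ServiceAccount cross-namespace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+name: tack
+namespace: tekton-pipelines
+rules:
+- apiGroups: ["tekton.dev"]
+resources: ["pipelineruns"]
+verbs: ["create", "get", "list", "watch"]
+- apiGroups: ["tekton.dev"]
+resources: ["taskruns"]
+verbs: ["list"]
+- apiGroups: [""]
+resources: ["pods"]
+verbs: ["get", "list"]
+- apiGroups: [""]
+resources: ["pods/log"]
+verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+name: tack
+namespace: tekton-pipelines
+subjects:
+- kind: ServiceAccount
+name: tack
+namespace: tack
+roleRef:
+kind: Role
+name: tack
+apiGroup: rbac.authorization.k8s.io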
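Review bot: The Role is scoped to `tekton-pipelines`, which in a default install is the namespace where Tekton's own controller and webhook run. That puts PipelineRuns created by Tack next to the control plane's service accounts and secrets. The `pods` and `pods/log` rules also cover every pod there, not only Tack's runs. A dedicated namespace for Tack-created runs (for example `tack-runs`, name illustrative) would confine both the workloads and the log access; change the Role and RoleBinding `namespace` and `TACK_TEKTON_NAMESPACE` together. The verb list itself is narrow, with no `delete`, no secrets and no wildcard, which is good.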
+15
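--- a/deploy/secret.yaml
+++ b/deploy/secret.yaml
@@ -0,0 +1,15 @@
+# Rename to secret.yaml and fill in real values before applying.
+# Do not commit populated secrets to version control.
+apiVersion: v1
+kind: Secret
+metadata:
+name: tack
+namespace: tack
+type: Opaque
+stringData:
+TACK_HOSTNAME: "tack.example.com"
+TACK_OWNER_DID: "did:plc:1234"
+# Uncomment to enable Buildkite provider:
+# TACK_BUILDKITE_TOKEN: ""
+# TACK_BUILDKITE_ORG: ""
+# TACK_BUILDKITE_WEBHOOK_SECRET: ""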
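Review bot: The header says `Rename to secret.yaml`, but the template is already committed as `deploy/secret.yaml`, so following it means putting real values, including `TACK_BUILDKITE_TOKEN` and `TACK_BUILDKITE_WEBHOOK_SECRET`, into a tracked file. Committing the template as `deploy/secret.example.yaml` and adding `deploy/secret.yaml` to `.gitignore` would make the second comment line enforceable. The header would then read `# Copy to secret.yaml and fill in real values before applying.` `TACK_HOSTNAME` and `TACK_OWNER_DID` look like plain configuration rather than secrets and could move to the Deployment's `env` or a ConfigMap, leaving the Secret to hold only credentials.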
+12
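--- a/deploy/service.yaml
+++ b/deploy/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+name: tack
+namespace: tack
+spec:
+selector:
+app: tack
+ports:
+- name: http
+port: 80
+targetPort: http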
+5
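--- a/deploy/serviceaccount.yaml
+++ b/deploy/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: tack
+namespace: tack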