TAMOSS is a Kubernetes-native implementation of the
BBC TAMS v8.1 API specification. It installs as
an operator-driven product with three supported infrastructure profiles:
local-kind, single-server, and multi-server.
The operator reconciles Tamoss and StorageBackend custom resources into the
API, worker, UI, schema migration, generated Secrets, routing, and selected
backend integrations.
- TAMS-compatible media store: Implements the BBC TAMS v8.1 API for working with sources, flows, flow segments, tags, storage backends, webhooks, and deletion workflows.
- Operator-managed runtime: Reconciles API, worker, UI, schema migration, generated Secrets, routing, and backend integration from Kubernetes custom resources.
- Deployment profiles: Ships
local-kind,single-server, andmulti-serverprofiles so the same operator path works from local evaluation through production-shaped clusters. - Interchangeable platform services: Supports managed or external PostgreSQL, S3-compatible storage, OAuth2/OIDC authentication, and HTTP ingress without changing the client-side install flow.
- Operational web UI: Provides a browser interface for browsing TAMOSS records, checking runtime state, and exercising selected API-backed actions.
- Day-2 controls: Reports readiness through status conditions and Events, corrects managed-resource drift, and protects destructive resource deletion.
Prerequisites: Docker, curl, openssl, and git. The rest of the toolchain
(task, kind, kubectl, helm, helmfile, chainsaw, …) is provisioned by aqua install.
Use the local Kind profile first:
aqua install
export PATH="$(aqua root-dir)/bin:$PATH"
task kind:up PROFILE=local-kindThe summary prints the app URL, app username/password, API docs URL, API token, OAuth client details, and storage credentials. Then inspect the instance:
kubectl --kubeconfig tams.kubeconfig -n tams get tamoss,pods,svc,ingressOpen:
- API docs: https://api.tamoss.localtest.me/docs
- Web UI: https://app.tamoss.localtest.me
- S3 endpoint: https://s3.tamoss.localtest.me
- Authentik: https://auth.tamoss.localtest.me
The equivalent Kubernetes install shape is always:
task env:init NAME=my-prod PROFILE=multi-server DOMAIN=tamoss.example.com
$EDITOR deploy/environments/my-prod/platform-values.yaml
$EDITOR deploy/environments/my-prod/tamoss-patch.yaml
task env:apply ENV=my-prod KUBECONFIG=/path/to/kubeconfig
task env:wait ENV=my-prod KUBECONFIG=/path/to/kubeconfigRemote environments are composition roots: platform-values.yaml configures the
Helmfile-managed platform releases, and the Kustomize overlay applies the
Tamoss resources.
Generated remote environments default to public ACME TLS through
ClusterIssuer/tamoss-public; set the ACME email in platform-values.yaml
before applying. Use tls.mode: existing for a pre-installed ClusterIssuer or
tls.mode: disabled when TLS Secrets are supplied outside cert-manager.
The raw apply sequence is:
(
cd deploy/platform
helmfile --kubeconfig "$KUBECONFIG" \
--file helmfile.yaml.gotmpl \
--state-values-file values/defaults.yaml \
--state-values-file ../../deploy/environments/<name>/platform-values.yaml \
sync \
--sync-args "--server-side=true --rollback-on-failure" \
--wait \
--wait-for-jobs
)
kubectl apply --server-side -k deploy/operator
kubectl apply -k deploy/environments/<name>| Profile | Use when | Default backing services |
|---|---|---|
local-kind |
You want to evaluate or develop TAMOSS on Kind. | Local reference platform with CNPG, RustFS Operator, Authentik, cert-manager, and Traefik on host port 443. |
single-server |
You run one Kubernetes node or a small self-managed cluster. | Single-node workload topology; platform services are selected by the environment. |
multi-server |
You run production-shaped self-managed Kubernetes. | Replicated workload topology; platform services are selected by the environment. |
Use multi-server as the production reference profile. External PostgreSQL,
S3-compatible storage, OAuth2/OIDC, and ingress providers can be used where the
Tamoss or StorageBackend resource selects an external provider.
| Guide | Description |
|---|---|
| Documentation Map | Full documentation structure |
| Local Kind | Start locally on Kind |
| Install | Apply platform, operator, and environment layers |
| Profiles | Understand supported profile defaults |
| Provider Ownership | Managed vs external responsibilities |
| Storage Backends | Default and additional object-store backends |
| Troubleshooting | Diagnose install and runtime failures |
| Task Commands | Current operational command surface |
| Contributing | Development and contribution workflow |
For product development:
task setup
task dev
task checkFor deployed confidence:
task kind:test PROFILE=local-kindSee Development Workflow and Testing.
- Bug reports and feature requests: GitHub Issues
- Discussions: GitHub Discussions
- Security vulnerabilities: see SECURITY.md
Licensed under the Apache License 2.0.
This project implements the BBC TAMS v8.1 specification. See src/vendor/bbc-tams/ for upstream license information.