# vim: ft=yaml
---
name: web
description: |
The 'web' node provides the Concourse web UI and API, along with a worker
gateway for registering workers via SSH.
templates:
bpm.yml.erb: config/bpm.yml
pre_start.erb: bin/pre_start
packages:
- concourse
consumes:
- name: postgres
type: database
optional: true
provides:
- name: web
type: web
properties:
- bind_port
- tls_bind_port
- tls.bind_port
- worker_gateway.bind_port
- worker_gateway.host_key
- name: concourse_db
type: concourse_db
properties:
- postgresql.host
- postgresql.port
- postgresql.database
- postgresql.role.name
- postgresql.role.password
- postgresql.sslmode
- postgresql.ca_cert
- postgresql.client_cert
properties:
# Listen address for the plain-HTTP listener. The declared default, 0.0.0.0,
# binds every interface on the VM.
# NOTE(review): where HTTPS is configured (tls.cert / tls.bind_port), confirm
# whether this HTTP listener still needs to be reachable from outside.
bind_ip:
env: CONCOURSE_BIND_IP
description: |
IP address on which the ATC should listen for HTTP traffic.
default: 0.0.0.0
bind_port:
env: CONCOURSE_BIND_PORT
description: |
Port on which the ATC should listen for HTTP traffic.
default: 8080
cluster_name:
env: CONCOURSE_CLUSTER_NAME
description: |
A name for this Concourse cluster, to be displayed on the dashboard page.
tls.bind_port:
env: CONCOURSE_TLS_BIND_PORT
description: |
Port on which the ATC should listen for HTTPS traffic.
# Certificate and private key for the HTTPS listener, mapped to
# CONCOURSE_TLS_CERT and CONCOURSE_TLS_KEY. No default is declared; per the
# description, leaving this unset means the node serves HTTP only, so logins
# and tokens would cross the network unencrypted unless TLS is terminated in
# front of it.
tls.cert:
type: certificate
env_fields:
certificate: {env_file: CONCOURSE_TLS_CERT}
private_key: {env_file: CONCOURSE_TLS_KEY}
description: |
SSL cert to use for HTTPS.
If not specified, only HTTP will be enabled.
# Deprecated aliases. Each maps to the same variable as its replacement
# (tls.bind_port -> CONCOURSE_TLS_BIND_PORT, tls.cert -> CONCOURSE_TLS_CERT and
# CONCOURSE_TLS_KEY).
# NOTE(review): which value wins when both the old and the new property are
# set is decided outside this spec — confirm, and avoid setting both.
tls_bind_port:
env: CONCOURSE_TLS_BIND_PORT
description: |
Deprecated in favor of tls.bind_port.
tls_cert:
env_file: CONCOURSE_TLS_CERT
description: |
Deprecated in favor of tls.cert.
tls_key:
env_file: CONCOURSE_TLS_KEY
description: |
Deprecated in favor of tls.cert.
# Listen address for the pprof debugger endpoints; the declared default keeps
# them on loopback.
# NOTE(review): no authentication setting for this listener is declared in the
# part of the spec visible here — keep it on 127.0.0.1 unless access is
# restricted by other means.
debug.bind_ip:
env: CONCOURSE_DEBUG_BIND_IP
description: |
IP address on which to listen for the pprof debugger endpoints.
default: 127.0.0.1
debug.bind_port:
env: CONCOURSE_DEBUG_BIND_PORT
description: |
Port on which to listen for the pprof debugger endpoints.
default: 8079
external_url:
env: CONCOURSE_EXTERNAL_URL
description: |
Externally reachable URL of the ATCs. Required for OAuth. This will be
auto-generated using the IP of each ATC VM if not specified, however
this is only a reasonable default if you have a single instance.
Typically this is the URL that you as a user would use to reach your CI.
For multiple ATCs it would go to some sort of load balancer.
example: https://ci.concourse-ci.org
x_frame_options:
env: CONCOURSE_X_FRAME_OPTIONS
description: |
The value to set for X-Frame-Options.
default: deny
concurrent_request_limits:
env: CONCOURSE_CONCURRENT_REQUEST_LIMIT
description: |
Limit the number of concurrent requests to an API endpoint.
example:
ListAllJobs: 5
log_level:
env: CONCOURSE_LOG_LEVEL
description: |
The log level for the ATC. When set to debug, you'll see a lot more
information about scheduling, resource scanning, etc., but it'll be quite
chatty.
default: info
log_db_queries:
env: CONCOURSE_LOG_DB_QUERIES
description: |
Log database queries. Log level is debug, so you'll need to set the
log_level property as well. This is mainly useful for Concourse
developers to analyze query counts.
default: false
log_cluster_name:
env: CONCOURSE_LOG_CLUSTER_NAME
description: |
Add cluster name (CONCOURSE_CLUSTER_NAME) to logs.
default: false
encryption_key:
env: CONCOURSE_ENCRYPTION_KEY
description: |
A 16 or 32 byte passphrase. This is used to generate an AES key to encrypt
sensitive information in the database.
If specified, all existing data will be encrypted on start and any new
data will be encrypted.
old_encryption_key:
env: CONCOURSE_OLD_ENCRYPTION_KEY
description: |
The key used previously to encrypt sensitive information in the database.
To rotate your encryption key, set both old_encryption_key and
encryption_key. This will result in the ATC re-encrypting all data on
start.
To disable encryption, specify old_encryption_key and do *not* set
encryption_key. This will result in the ATC decrypting all data on start,
restoring it to plaintext.
# Controls the Secure attribute on auth cookies. The declared default is
# false, so the attribute is absent unless the operator opts in; without it a
# browser will also send the cookie over plain HTTP.
# NOTE(review): set to true whenever the web node is reached over HTTPS.
cookie_secure:
env: CONCOURSE_COOKIE_SECURE
description: |
Set secure flag on auth cookies.
default: false
auth_duration:
env: CONCOURSE_AUTH_DURATION
description: |
Length of time for which tokens are valid. Afterwards, users will have to log back in.
Use Go duration format (48h = 48 hours).
default: 24h
# Per-category switches for auditing API requests (build, container, job,
# pipeline, resource, system, team, volume, worker), each mapped to its own
# CONCOURSE_ENABLE_*_AUDITING variable.
# NOTE(review): none of these declares a default here, so whether auditing is
# on when a property is unset depends on the binary's own default — confirm,
# and set explicitly where an audit trail is required.
audit.build:
env: CONCOURSE_ENABLE_BUILD_AUDITING
description: |
Enable auditing of build API requests.
audit.container:
env: CONCOURSE_ENABLE_CONTAINER_AUDITING
description: |
Enable auditing of container API requests.
audit.job:
env: CONCOURSE_ENABLE_JOB_AUDITING
description: |
Enable auditing of job API requests.
audit.pipeline:
env: CONCOURSE_ENABLE_PIPELINE_AUDITING
description: |
Enable auditing of pipeline API requests.
audit.resource:
env: CONCOURSE_ENABLE_RESOURCE_AUDITING
description: |
Enable auditing of resource API requests.
audit.system:
env: CONCOURSE_ENABLE_SYSTEM_AUDITING
description: |
Enable auditing of system API requests.
audit.team:
env: CONCOURSE_ENABLE_TEAM_AUDITING
description: |
Enable auditing of team API requests.
audit.volume:
env: CONCOURSE_ENABLE_VOLUME_AUDITING
description: |
Enable auditing of volume API requests.
audit.worker:
env: CONCOURSE_ENABLE_WORKER_AUDITING
description: |
Enable auditing of worker API requests.
# Switch for redacting secrets in build logs (CONCOURSE_ENABLE_REDACT_SECRETS).
# NOTE(review): no default is declared here, so the behaviour when unset comes
# from the binary — confirm. With redaction off, secret values printed by a
# build step would presumably stay readable in the build log.
redact_secrets:
env: CONCOURSE_ENABLE_REDACT_SECRETS
description: |
Enable redacting secrets in build logs.
# RSA key the ATC uses to mint tokens. Only the private_key field is mapped
# (to CONCOURSE_SESSION_SIGNING_KEY); the example also shows a public_key
# field, which has no env mapping in this entry.
# NOTE(review): since this key mints ATC tokens, treat it as a credential —
# supply it from a secret store rather than a committed manifest.
token_signing_key:
type: rsa
env_fields:
private_key: {env_file: CONCOURSE_SESSION_SIGNING_KEY}
description: |
PEM RSA private key used for minting ATC tokens.
example:
private_key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
public_key: |
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
config_rbac:
env_file: CONCOURSE_CONFIG_RBAC
description: |
YAML file content to customize RBAC role-action mapping.
example: |
pipeline-operator:
- OrderPipelines
- PausePipelines
# Local user accounts, passed through CONCOURSE_ADD_LOCAL_USER. The example
# mixes two bcrypt hashes with one plaintext password; both forms are accepted
# per the description.
# NOTE(review): a plaintext entry leaves the password readable wherever the
# property value is stored or exported. Prefer bcrypt hashes, which the
# description requires to have a strength of 10 or higher.
add_local_users:
env: CONCOURSE_ADD_LOCAL_USER
description: |
List of username:password combinations for all your local users. The
password can be bcrypted. Bcrypted password must have a strength of 10 or
higher or the user will not be able to login.
example:
some-user: $2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu
some-other-user: $2a$10$.YIYH.5EWQcCvfE49xH/.OhIhGFiNtn.tQq.4pznpcrqZvoLxuKeC
some-plaintext-user: a-plaintext-password
client_id:
env: CONCOURSE_CLIENT_ID
description: |
The concourse client_id to use when logging into the web interface
client_secret:
env: CONCOURSE_CLIENT_SECRET
description: |
The concourse client_secret to use when logging into the web interface
github_auth.client_id:
env: CONCOURSE_GITHUB_CLIENT_ID
description: |
GitHub client ID to use for OAuth.
The application must be configured with its callback URL as
`{external_url}/sky/issuer/callback` (replacing `{external_url}`
with the actual value).
github_auth.client_secret:
env: CONCOURSE_GITHUB_CLIENT_SECRET
description: |
GitHub client secret to use for OAuth.
The application must be configured with its callback URL as
`{external_url}/sky/issuer/callback` (replacing `{external_url}`
with the actual value).
github_auth.host:
env: CONCOURSE_GITHUB_HOST
description: |
Override default hostname for Github Enterprise. (No scheme, No trailing slash)
example: "github.example.com"
github_auth.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_GITHUB_CA_CERT}}
description: |
GitHub Enterprise CA Certificate.
cf_auth.client_id:
env: CONCOURSE_CF_CLIENT_ID
description: UAA client ID to use for OAuth.
cf_auth.client_secret:
env: CONCOURSE_CF_CLIENT_SECRET
description: UAA client secret to use for OAuth.
# Turns off SSL validation for the CF auth connector
# (CONCOURSE_CF_SKIP_SSL_VALIDATION); presumably this covers the connection to
# cf_auth.api_url — confirm. No default is declared here.
# NOTE(review): with validation off the endpoint is not authenticated. For a
# private CA, supply cf_auth.ca_cert instead of enabling this.
cf_auth.skip_ssl_validation:
env: CONCOURSE_CF_SKIP_SSL_VALIDATION
description: Skip SSL validation.
cf_auth.api_url:
env: CONCOURSE_CF_API_URL
description: Cloud Foundry api endpoint url.
cf_auth.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_CF_CA_CERT}}
description: |
Cloud Foundry CA Certificate.
ldap_auth.host:
env: CONCOURSE_LDAP_HOST
description: |
The host and optional port of the LDAP server. If port isn't supplied, it
will be guessed based on the TLS configuration. 389 or 636.
ldap_auth.display_name:
env: CONCOURSE_LDAP_DISPLAY_NAME
description: |
The auth provider name displayed to users on the login page.
ldap_auth.bind_dn:
env: CONCOURSE_LDAP_BIND_DN
description: |
Bind DN for searching LDAP users and groups. Typically this is a
read-only user.
ldap_auth.bind_pw:
env: CONCOURSE_LDAP_BIND_PW
description: |
Bind Password for the user specified by 'bind-dn'.
# Transport-security switches for the LDAP connector; all three default to
# false.
#   insecure_no_ssl      - needed only when the LDAP host does not use TLS.
#   insecure_skip_verify - skips certificate verification.
#   start_tls            - connects on the insecure port, then negotiates TLS.
# NOTE(review): with insecure_no_ssl the bind password (ldap_auth.bind_pw) and
# user logins would presumably be sent unencrypted; with insecure_skip_verify
# the server is not authenticated. Prefer ldap_auth.ca_cert for a private CA.
ldap_auth.insecure_no_ssl:
env: CONCOURSE_LDAP_INSECURE_NO_SSL
description: |
Required if LDAP host does not use TLS.
default: false
ldap_auth.insecure_skip_verify:
env: CONCOURSE_LDAP_INSECURE_SKIP_VERIFY
description: |
Skip certificate verification.
default: false
ldap_auth.start_tls:
env: CONCOURSE_LDAP_START_TLS
description: |
Start on insecure port, then negotiate TLS.
default: false
ldap_auth.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_LDAP_CA_CERT}}
description: |
The CA certificate for the LDAP auth provider's endpoints.
ldap_auth.user_search_base_dn:
env: CONCOURSE_LDAP_USER_SEARCH_BASE_DN
description: |
BaseDN to start the search from.
example: 'cn=users,dc=example,dc=com'
ldap_auth.user_search_filter:
env: CONCOURSE_LDAP_USER_SEARCH_FILTER
description: |
Optional filter to apply when searching the directory.
example: '(objectClass=person)'
ldap_auth.user_search_username:
env: CONCOURSE_LDAP_USER_SEARCH_USERNAME
description: |
Attribute to match against the inputted username. This will be translated
and combined with the other filter as '(<attr>=<username>)'.
ldap_auth.user_search_scope:
env: CONCOURSE_LDAP_USER_SEARCH_SCOPE
description: |
Can either be 'sub' - search the whole sub tree or 'one' - only search
one level. Defaults to 'sub' if empty.
ldap_auth.user_search_id_attr:
env: CONCOURSE_LDAP_USER_SEARCH_ID_ATTR
description: |
A mapping of attributes on the user entry to claims. Defaults to 'uid' if
empty.
ldap_auth.user_search_email_attr:
env: CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR
description: |
A mapping of attributes on the user entry to claims. Defaults to 'mail'
if empty.
ldap_auth.user_search_name_attr:
env: CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR
description: |
A mapping of attributes on the user entry to claims.
ldap_auth.group_search_base_dn:
env: CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN
description: |
BaseDN to start the search from.
example: 'cn=groups,dc=example,dc=com'
ldap_auth.group_search_filter:
env: CONCOURSE_LDAP_GROUP_SEARCH_FILTER
description: |
Optional filter to apply when searching the directory.
example: '(objectClass=posixGroup)'
ldap_auth.group_search_scope:
env: CONCOURSE_LDAP_GROUP_SEARCH_SCOPE
description: |
Can either be 'sub' - search the whole sub tree or 'one' - only search
one level. Defaults to 'sub' if empty.
ldap_auth.group_search_user_attr:
env: CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR
description: |
Adds an additional requirement to the filter that an attribute in the
group match the user's attribute value. The exact filter being added is
(<groupAttr>=<userAttrvalue>).
ldap_auth.group_search_group_attr:
env: CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR
description: |
Adds an additional requirement to the filter that an attribute in the
group match the user's attribute value. The exact filter being added is
(<groupAttr>=<userAttrvalue>)
ldap_auth.group_search_name_attr:
env: CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR
description: |
The attribute of the group that represents its name.
generic_oauth.client_id:
env: CONCOURSE_OAUTH_CLIENT_ID
description: |
Application client ID for enabling generic OAuth.
generic_oauth.client_secret:
env: CONCOURSE_OAUTH_CLIENT_SECRET
description: |
Application client secret for enabling generic OAuth.
generic_oauth.auth_url:
env: CONCOURSE_OAUTH_AUTH_URL
description: Generic OAuth provider authorization endpoint url.
generic_oauth.token_url:
env: CONCOURSE_OAUTH_TOKEN_URL
description: Generic OAuth provider token endpoint URL.
generic_oauth.userinfo_url:
env: CONCOURSE_OAUTH_USERINFO_URL
description: Generic OAuth provider user info endpoint URL.
generic_oauth.scopes:
env: CONCOURSE_OAUTH_SCOPE
description: OAuth scopes to request during authorization.
generic_oauth.user_id_key:
env: CONCOURSE_OAUTH_USER_ID_KEY
description: User ID claim key used to map groups from the OAuth userinfo/token
generic_oauth.user_name_key:
env: CONCOURSE_OAUTH_USER_NAME_KEY
description: User name claim key used to map groups from the OAuth userinfo/token
generic_oauth.groups_key:
env: CONCOURSE_OAUTH_GROUPS_KEY
description: Groups claim key used to map groups from the OAuth userinfo/token
generic_oauth.display_name:
env: CONCOURSE_OAUTH_DISPLAY_NAME
description: Name of the authentication method to be displayed on the Web UI
generic_oauth.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_OAUTH_CA_CERT}}
description: |
The CA certificate for the Generic OAuth provider's endpoints.
# Turns off SSL validation for the generic OAuth connector
# (CONCOURSE_OAUTH_SKIP_SSL_VALIDATION); presumably this covers the auth, token
# and userinfo endpoints — confirm. No default is declared here.
# NOTE(review): with validation off the provider is not authenticated, which
# matters because the client secret and tokens are exchanged with it. For a
# private CA, supply generic_oauth.ca_cert instead.
generic_oauth.skip_ssl_validation:
env: CONCOURSE_OAUTH_SKIP_SSL_VALIDATION
description: Skip SSL validation.
generic_oidc.client_id:
env: CONCOURSE_OIDC_CLIENT_ID
description: Application client ID for enabling generic OIDC.
generic_oidc.client_secret:
env: CONCOURSE_OIDC_CLIENT_SECRET
description: Application client secret for enabling generic OIDC.
generic_oidc.issuer:
env: CONCOURSE_OIDC_ISSUER
description: Generic OIDC provider issuer url.
generic_oidc.scopes:
env: CONCOURSE_OIDC_SCOPE
description: OIDC scopes to request during authorization.
default: []
generic_oidc.user_name_key:
env: CONCOURSE_OIDC_USER_NAME_KEY
description: User name claim key used to map groups from the OIDC userinfo/token
generic_oidc.groups_key:
env: CONCOURSE_OIDC_GROUPS_KEY
description: Groups claim key used to map groups from the OIDC userinfo/token
generic_oidc.display_name:
env: CONCOURSE_OIDC_DISPLAY_NAME
description: Name of the authentication method to be displayed on the Web UI
generic_oidc.hosted_domains:
env: CONCOURSE_OIDC_HOSTED_DOMAINS
description: |
List of whitelisted domains when using Google, only users from a listed
domain will be allowed to log in
generic_oidc.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_OIDC_CA_CERT}}
description: |
The CA certificate for the Generic OIDC provider's endpoints.
# Turns off SSL validation for the generic OIDC connector
# (CONCOURSE_OIDC_SKIP_SSL_VALIDATION); presumably this covers connections to
# generic_oidc.issuer — confirm. No default is declared here.
# NOTE(review): with validation off the issuer is not authenticated. For a
# private CA, supply generic_oidc.ca_cert instead of enabling this.
generic_oidc.skip_ssl_validation:
env: CONCOURSE_OIDC_SKIP_SSL_VALIDATION
description: Skip SSL validation.
bitbucket_cloud_auth.client_id:
env: CONCOURSE_BITBUCKET_CLOUD_CLIENT_ID
description: |
BitBucket Cloud client ID.
bitbucket_cloud_auth.client_secret:
env: CONCOURSE_BITBUCKET_CLOUD_CLIENT_SECRET
description: |
BitBucket Cloud client secret.
gitlab_auth.host:
env: CONCOURSE_GITLAB_HOST
description: |
Hostname of Gitlab Enterprise deployment (Include scheme, No trailing
slash)
gitlab_auth.client_id:
env: CONCOURSE_GITLAB_CLIENT_ID
description: |
GitLab client ID to use for OAuth.
gitlab_auth.client_secret:
env: CONCOURSE_GITLAB_CLIENT_SECRET
description: |
GitLab client secret to use for OAuth.
microsoft_auth.client_id:
env: CONCOURSE_MICROSOFT_CLIENT_ID
description: |
Microsoft client ID to use for OAuth.
microsoft_auth.client_secret:
env: CONCOURSE_MICROSOFT_CLIENT_SECRET
description: |
Microsoft client secret to use for OAuth.
microsoft_auth.tenant:
env: CONCOURSE_MICROSOFT_TENANT
description: |
Microsoft tenant limitation to use for OAuth (common, consumers, organizations, tenant name or tenant uuid).
microsoft_auth.groups:
env: CONCOURSE_MICROSOFT_GROUPS
description: |
Allowed Active Directory groups to use for Microsoft OAuth.
microsoft_auth.only_security_groups:
env: CONCOURSE_MICROSOFT_ONLY_SECURITY_GROUPS
description: |
Only fetch security groups for Microsoft OAuth.
main_team.auth.config:
env_file: CONCOURSE_MAIN_TEAM_CONFIG
description: |
YAML file content for the main team's role configuration.
example: |
roles:
- name: owner
github:
users: ["admin"]
- name: member
github:
teams: ["org:team"]
- name: viewer
github:
orgs: ["org"]
local:
users: ["visitor"]
main_team.auth.local.users:
env: CONCOURSE_MAIN_TEAM_LOCAL_USER
description: |
An array of local users that are authorized for the main team.
main_team.auth.github.users:
env: CONCOURSE_MAIN_TEAM_GITHUB_USER
description: |
An array of GitHub userids/logins that are authorized for the main team
example:
- my-github-login
main_team.auth.github.orgs:
env: CONCOURSE_MAIN_TEAM_GITHUB_ORG
description: |
An array of GitHub orgs that are authorized for the main team
example:
- my-github-org
main_team.auth.gitlab.users:
env: CONCOURSE_MAIN_TEAM_GITLAB_USER
description: |
An array of GitLab users that are authorized for the main team
example:
- my-gitlab-login
main_team.auth.gitlab.groups:
env: CONCOURSE_MAIN_TEAM_GITLAB_GROUP
description: |
An array of GitLab groups that are authorized for the main team
example:
- my-gitlab-group
main_team.auth.github.teams:
env: CONCOURSE_MAIN_TEAM_GITHUB_TEAM
description: |
An array of GitHub teams that are authorized for the main team
example:
- my-github-org:my-github-team
main_team.auth.cf.users:
env: CONCOURSE_MAIN_TEAM_CF_USER
description: |
List of CloudFoundry userids/usernames that are authorized for the main team
example:
- my-username
main_team.auth.cf.orgs:
env: CONCOURSE_MAIN_TEAM_CF_ORG
description: |
List of CloudFoundry Orgs that are authorized for the main team
example:
- myorg
main_team.auth.cf.spaces:
env: CONCOURSE_MAIN_TEAM_CF_SPACE
description: |
(Deprecated) List of CloudFoundry Spaces whose 'developer' users are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.spaces_with_any_role:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_ANY_ROLE
description: |
List of CloudFoundry Spaces whose users with any role are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.spaces_with_developer_role:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_DEVELOPER_ROLE
description: |
List of CloudFoundry Spaces whose 'developer' users are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.spaces_with_auditor_role:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_AUDITOR_ROLE
description: |
List of CloudFoundry Spaces whose 'auditor' users are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.spaces_with_manager_role:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_MANAGER_ROLE
description: |
List of CloudFoundry Spaces whose 'manager' users are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.space_guids:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_GUID
description: |
List of CloudFoundry Space GUIDs that are authorized for the main team
main_team.auth.ldap.users:
env: CONCOURSE_MAIN_TEAM_LDAP_USER
description: |
List of LDAP users that are authorized for the main team
example:
- my-username
main_team.auth.ldap.groups:
env: CONCOURSE_MAIN_TEAM_LDAP_GROUP
description: |
List of LDAP groups that are authorized for the main team
example:
- my-group
main_team.auth.oauth.users:
env: CONCOURSE_MAIN_TEAM_OAUTH_USER
description: |
List of Generic OAuth users that are authorized for the main team
example:
- my-username
main_team.auth.oauth.groups:
env: CONCOURSE_MAIN_TEAM_OAUTH_GROUP
description: |
List of Generic OAuth groups that are authorized for the main team
example:
- my-group
main_team.auth.oidc.users:
env: CONCOURSE_MAIN_TEAM_OIDC_USER
description: |
List of Generic OIDC users that are authorized for the main team
example:
- my-username
main_team.auth.oidc.groups:
env: CONCOURSE_MAIN_TEAM_OIDC_GROUP
description: |
List of Generic OIDC groups that are authorized for the main team
example:
- my-group
main_team.auth.bitbucket_cloud.users:
env: CONCOURSE_MAIN_TEAM_BITBUCKET_CLOUD_USER
description: |
List of whitelisted Bitbucket Cloud users.
example:
- my-bitbucket-cloud-login
main_team.auth.bitbucket_cloud.teams:
env: CONCOURSE_MAIN_TEAM_BITBUCKET_CLOUD_TEAM
description: |
List of whitelisted Bitbucket Cloud teams.
example:
- my-bitbucket-cloud-team
main_team.auth.microsoft.users:
env: CONCOURSE_MAIN_TEAM_MICROSOFT_USER
description: |
List of whitelisted Microsoft users for the main team.
example:
- my-username
main_team.auth.microsoft.groups:
env: CONCOURSE_MAIN_TEAM_MICROSOFT_GROUP
description: |
List of whitelisted Microsoft groups for the main team.
example:
- my-group
intercept_idle_timeout:
env: CONCOURSE_INTERCEPT_IDLE_TIMEOUT
description: Length of time for an intercepted session to be idle before terminating, in Go duration format.
example: 5m
enable_global_resources:
env: CONCOURSE_ENABLE_GLOBAL_RESOURCES
description: |
Enable equivalent resources across pipelines and teams to share a single
version history.
default: false
enable_archive_pipeline:
env: CONCOURSE_ENABLE_ARCHIVE_PIPELINE
description: |
Enable pipeline archiving functionality in the API
enable_rerun_when_worker_disappears:
env: CONCOURSE_ENABLE_RERUN_WHEN_WORKER_DISAPPEARS
description: |
Enable rerunning of builds when worker disappears.
streaming_artifacts_compression:
env: CONCOURSE_STREAMING_ARTIFACTS_COMPRESSION
description: |
Compression to use when streaming artifacts (values: zstd, gzip)
job_scheduling_max_in_flight:
env: CONCOURSE_JOB_SCHEDULING_MAX_IN_FLIGHT
description: |
Maximum number of jobs to be scheduling at the same time.
default: 32
component_runner_interval:
env: CONCOURSE_COMPONENT_RUNNER_INTERVAL
description: |
Interval on which runners are kicked off for builds, locks, scans, and checks
lidar_checker_interval:
env: CONCOURSE_LIDAR_CHECKER_INTERVAL
description: |
Interval on which the resource checker runs any scheduled checks
default: 10s
lidar_scanner_interval:
env: CONCOURSE_LIDAR_SCANNER_INTERVAL
description: |
Interval on which the resource scanner will run to see if new checks need to be scheduled
default: 1m
global_resource_check_timeout:
env: CONCOURSE_GLOBAL_RESOURCE_CHECK_TIMEOUT
description: |
Time limit on checking for new versions of resources.
default: 1h
default_check_interval:
env: CONCOURSE_RESOURCE_CHECKING_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to check
for new versions of resources.
This can also be specified on a per-resource basis by specifying
`check_every` on the resource config.
default: 1m
default_check_interval_with_webhook:
env: CONCOURSE_RESOURCE_WITH_WEBHOOK_CHECKING_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to check
for new versions of resources which have a webhook token configured.
example: 1m
# Maps to CONCOURSE_GC_INTERVAL, the same variable as the gc.interval property
# declared directly after it; unlike gc.interval, this entry declares no default.
# NOTE(review): presumably a legacy alias for gc.interval, though it carries no
# deprecation note. Which value wins when both are set is decided outside this
# spec — confirm, and avoid setting both.
gc_interval:
env: CONCOURSE_GC_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to garbage
collect containers, volumes, and other internal data.
gc.interval:
env: CONCOURSE_GC_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to garbage
collect containers, volumes, and other internal data.
default: 30s
gc.missing_grace_period:
env: CONCOURSE_GC_MISSING_GRACE_PERIOD
description: |
Period after which to reap containers and volumes that were created but
went missing from the worker.
gc.hijack_grace_period:
env: CONCOURSE_GC_HIJACK_GRACE_PERIOD
description: |
Period after which hijacked containers will be garbage-collected.
gc.one_off_grace_period:
env: CONCOURSE_GC_ONE_OFF_GRACE_PERIOD
description: |
Period after which one-off build containers will be garbage-collected.
gc.check_recycle_period:
env: CONCOURSE_GC_CHECK_RECYCLE_PERIOD
description: |
Period after which finished checks will get garbage-collected.
default: 6h
gc.failed_grace_period:
env: CONCOURSE_GC_FAILED_GRACE_PERIOD
description: |
Period after which failed builds will get garbage collected
build_tracker_interval:
env: CONCOURSE_BUILD_TRACKER_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to run
build tracking to keep track of build status.
default: 10s
container_placement_strategy:
env: CONCOURSE_CONTAINER_PLACEMENT_STRATEGY
description: |
Method by which a worker is selected during container placement.
Supported options are "volume-locality", "random" and "fewest-build-containers".
Experimental option: "limit-active-tasks"
default: "volume-locality"
max_active_tasks_per_worker:
env: CONCOURSE_MAX_ACTIVE_TASKS_PER_WORKER
description: |
Maximum allowed number of active build tasks per worker.
Has effect only when used with "limit-active-tasks" placement strategy.
0 means no limit.
default: 0
baggageclaim_response_header_timeout:
env: CONCOURSE_BAGGAGECLAIM_RESPONSE_HEADER_TIMEOUT
description: |
How long to wait for Baggageclaim to send the response header. Use Go duration
format (1m = 1 minute).
default: 1m
garden_request_timeout:
env: CONCOURSE_GARDEN_REQUEST_TIMEOUT
description: |
How long to wait for requests to Garden to complete, in Go duration format (48h = 48 hours).
0 means no timeout.
example: 5m
postgresql.host:
env: CONCOURSE_POSTGRES_HOST
description: |
IP address or DNS name of a PostgreSQL server to connect to.
If not specified, one will be autodiscovered via BOSH links.
postgresql.port:
env: CONCOURSE_POSTGRES_PORT
description: |
Port on which to connect to the server specified by `postgresql.host`.
If `postgresql.host` is not specified, this will be autodiscovered via
BOSH links, along with the host.
default: 5432
postgresql.socket:
env: CONCOURSE_POSTGRES_SOCKET
description: |
Path to a UNIX domain socket to connect to.
postgresql.database:
env: CONCOURSE_POSTGRES_DATABASE
description: |
Name of the database to use.
postgresql.role.name:
env: CONCOURSE_POSTGRES_USER
description: |
Name of role to connect with.
postgresql.role.password:
env: CONCOURSE_POSTGRES_PASSWORD
description: |
Password to use when connecting.
# SSL mode for the database connection (CONCOURSE_POSTGRES_SSLMODE). No default
# is declared in the spec; the description documents `verify-ca` when a host is
# given explicitly and `disable` otherwise.
# NOTE(review): with the `disable` fallback, the connection that carries
# postgresql.role.password would be unencrypted; set this explicitly when the
# database is found via BOSH links. `postgresql.address` is not declared in
# the part of the spec visible here — confirm the description is current.
postgresql.sslmode:
env: CONCOURSE_POSTGRES_SSLMODE
description: |
Whether or not to use SSL. Defaults to `verify-ca` when `postgresql.address`
or `postgresql.host` is provided. Otherwise, defaults to `disable`.
postgresql.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_POSTGRES_CA_CERT}}
description: |
CA certificate to verify the server against.
postgresql.client_cert:
type: certificate
env_fields:
certificate: {env_file: CONCOURSE_POSTGRES_CLIENT_CERT}
private_key: {env_file: CONCOURSE_POSTGRES_CLIENT_KEY}
description: |
Client certificate to use when connecting with the server.
postgresql.connect_timeout:
env: CONCOURSE_POSTGRES_CONNECT_TIMEOUT
description: |
Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.
default: 5m
api_max_conns: