Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
1478 lines (1272 sloc) 45 KB
# vim: ft=yaml
---
name: web
description: |
The 'web' node provides the Concourse web UI and API, along with a worker
gateway for registering workers via SSH.
templates:
bpm.yml.erb: config/bpm.yml
pre_start.erb: bin/pre_start
packages:
- concourse
consumes:
- name: postgres
type: database
optional: true
provides:
- name: web
type: web
properties:
- bind_port
- tls_bind_port
- tls.bind_port
- worker_gateway.bind_port
- worker_gateway.host_key
- name: concourse_db
type: concourse_db
properties:
- postgresql.host
- postgresql.port
- postgresql.database
- postgresql.role.name
- postgresql.role.password
- postgresql.sslmode
- postgresql.ca_cert
- postgresql.client_cert
properties:
bind_ip:
env: CONCOURSE_BIND_IP
description: |
IP address on which the ATC should listen for HTTP traffic.
default: 0.0.0.0
bind_port:
env: CONCOURSE_BIND_PORT
description: |
Port on which the ATC should listen for HTTP traffic.
default: 8080
cluster_name:
env: CONCOURSE_CLUSTER_NAME
description: |
A name for this Concourse cluster, to be displayed on the dashboard page.
tls.bind_port:
env: CONCOURSE_TLS_BIND_PORT
description: |
Port on which the ATC should listen for HTTPS traffic.
tls.cert:
type: certificate
env_fields:
certificate: {env_file: CONCOURSE_TLS_CERT}
private_key: {env_file: CONCOURSE_TLS_KEY}
description: |
SSL cert to use for HTTPS.
If not specified, only HTTP will be enabled.
tls_bind_port:
env: CONCOURSE_TLS_BIND_PORT
description: |
Deprecated in favor of tls.bind_port.
tls_cert:
env_file: CONCOURSE_TLS_CERT
description: |
Deprecated in favor of tls.cert.
tls_key:
env_file: CONCOURSE_TLS_KEY
description: |
Deprecated in favor of tls.cert.
debug.bind_ip:
env: CONCOURSE_DEBUG_BIND_IP
description: |
IP address on which to listen for the pprof debugger endpoints.
default: 127.0.0.1
debug.bind_port:
env: CONCOURSE_DEBUG_BIND_PORT
description: |
Port on which to listen for the pprof debugger endpoints.
default: 8079
external_url:
env: CONCOURSE_EXTERNAL_URL
description: |
Externally reachable URL of the ATCs. Required for OAuth. This will be
auto-generated using the IP of each ATC VM if not specified, however
this is only a reasonable default if you have a single instance.
Typically this is the URL that you as a user would use to reach your CI.
For multiple ATCs it would go to some sort of load balancer.
example: https://ci.concourse-ci.org
x_frame_options:
env: CONCOURSE_X_FRAME_OPTIONS
description: |
The value to set for X-Frame-Options.
default: deny
log_level:
env: CONCOURSE_LOG_LEVEL
description: |
The log level for the ATC. When set to debug, you'll see a lot more
information about scheduling, resource scanning, etc., but it'll be quite
chatty.
default: info
log_db_queries:
env: CONCOURSE_LOG_DB_QUERIES
description: |
Log database queries. Log level is debug, so you'll need to set the
log_level property as well. This is mainly useful for Concourse
developers to analyze query counts.
default: false
log_cluster_name:
env: CONCOURSE_LOG_CLUSTER_NAME
description: |
Add cluster name (CONCOURSE_CLUSTER_NAME) to logs.
default: false
encryption_key:
env: CONCOURSE_ENCRYPTION_KEY
description: |
A 16 or 32 byte passphrase. This is used to generate an AES key to encrypt
sensitive iinformation in the database.
If specified, all existing data will be encrypted on start and any new
data will be encrypted.
old_encryption_key:
env: CONCOURSE_OLD_ENCRYPTION_KEY
description: |
The key used previously to encrypt sensitive information in the database.
To rotate your encryption key, set both old_encryption_key and
encryption_key. This will result in the ATC re-encrypting all data on
start.
To disable encryption, specify old_encryption_key and do *not* set
encryption_key. This will result in the ATC decrypting all data on start,
restoring it to plaintext.
cookie_secure:
env: CONCOURSE_COOKIE_SECURE
description: |
Set secure flag on auth cookies.
default: false
auth_duration:
env: CONCOURSE_AUTH_DURATION
description: |
Length of time for which tokens are valid. Afterwards, users will have to log back in.
Use Go duration format (48h = 48 hours).
default: 24h
audit.build:
env: CONCOURSE_ENABLE_BUILD_AUDITING
description: |
Enable auditing of build API requests.
audit.container:
env: CONCOURSE_ENABLE_CONTAINER_AUDITING
description: |
Enable auditing of container API requests.
audit.job:
env: CONCOURSE_ENABLE_JOB_AUDITING
description: |
Enable auditing of job API requests.
audit.pipeline:
env: CONCOURSE_ENABLE_PIPELINE_AUDITING
description: |
Enable auditing of pipeline API requests.
audit.resource:
env: CONCOURSE_ENABLE_RESOURCE_AUDITING
description: |
Enable auditing of resource API requests.
audit.system:
env: CONCOURSE_ENABLE_SYSTEM_AUDITING
description: |
Enable auditing of system API requests.
audit.team:
env: CONCOURSE_ENABLE_TEAM_AUDITING
description: |
Enable auditing of team API requests.
audit.volume:
env: CONCOURSE_ENABLE_VOLUME_AUDITING
description: |
Enable auditing of volume API requests.
audit.worker:
env: CONCOURSE_ENABLE_WORKER_AUDITING
description: |
Enable auditing of worker API requests.
redact_secrets:
env: CONCOURSE_ENABLE_REDACT_SECRETS
description: |
Enable redacting secrets in build logs.
token_signing_key:
type: rsa
env_fields:
private_key: {env_file: CONCOURSE_SESSION_SIGNING_KEY}
description: |
PEM RSA private key used for minting ATC tokens.
example:
private_key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
public_key: |
-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----
config_rbac:
env_file: CONCOURSE_CONFIG_RBAC
description: |
YAML file content to customize RBAC role-action mapping.
example: |
pipeline-operator:
- OrderPipelines
- PausePipelines
add_local_users:
env: CONCOURSE_ADD_LOCAL_USER
description: |
List of username:password combinations for all your local users. The
password can be bcrypted. Bcrypted password must have a strength of 10 or
higher or the user will not be able to login.
example:
some-user: $2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu
some-other-user: $2a$10$.YIYH.5EWQcCvfE49xH/.OhIhGFiNtn.tQq.4pznpcrqZvoLxuKeC
some-plaintext-user: a-plaintext-password
github_auth.client_id:
env: CONCOURSE_GITHUB_CLIENT_ID
description: |
GitHub client ID to use for OAuth.
The application must be configured with its callback URL as
`{external_url}/sky/issuer/callback` (replacing `{external_url}`
with the actual value).
github_auth.client_secret:
env: CONCOURSE_GITHUB_CLIENT_SECRET
description: |
GitHub client secret to use for OAuth.
The application must be configured with its callback URL as
`{external_url}/sky/issuer/callback` (replacing `{external_url}`
with the actual value).
github_auth.host:
env: CONCOURSE_GITHUB_HOST
description: |
Override default hostname for Github Enterprise. (No scheme, No trailing slash)
example: "github.example.com"
github_auth.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_GITHUB_CA_CERT}}
description: |
GitHub Enterprise CA Certificate.
cf_auth.client_id:
env: CONCOURSE_CF_CLIENT_ID
description: UAA client ID to use for OAuth.
cf_auth.client_secret:
env: CONCOURSE_CF_CLIENT_SECRET
description: UAA client secret to use for OAuth.
cf_auth.skip_ssl_validation:
env: CONCOURSE_CF_SKIP_SSL_VALIDATION
description: Skip SSL validation.
cf_auth.api_url:
env: CONCOURSE_CF_API_URL
description: Cloud Foundry api endpoint url.
cf_auth.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_CF_CA_CERT}}
description: |
Cloud Foundry CA Certificate.
ldap_auth.host:
env: CONCOURSE_LDAP_HOST
description: |
The host and optional port of the LDAP server. If port isn't supplied, it
will be guessed based on the TLS configuration. 389 or 636.
ldap_auth.display_name:
env: CONCOURSE_LDAP_DISPLAY_NAME
description: |
The auth provider name displayed to users on the login page.
ldap_auth.bind_dn:
env: CONCOURSE_LDAP_BIND_DN
description: |
Bind DN for searching LDAP users and groups. Typically this is a
read-only user.
ldap_auth.bind_pw:
env: CONCOURSE_LDAP_BIND_PW
description: |
Bind Password for the user specified by 'bind-dn'.
ldap_auth.insecure_no_ssl:
env: CONCOURSE_LDAP_INSECURE_NO_SSL
description: |
Required if LDAP host does not use TLS.
default: false
ldap_auth.insecure_skip_verify:
env: CONCOURSE_LDAP_INSECURE_SKIP_VERIFY
description: |
Skip certificate verification.
default: false
ldap_auth.start_tls:
env: CONCOURSE_LDAP_START_TLS
description: |
Start on insecure port, then negotiate TLS.
default: false
ldap_auth.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_LDAP_CA_CERT}}
description: |
The CA certificate for the LDAP auth provider's endpoints.
ldap_auth.user_search_base_dn:
env: CONCOURSE_LDAP_USER_SEARCH_BASE_DN
description: |
BaseDN to start the search from.
example: 'cn=users,dc=example,dc=com'
ldap_auth.user_search_filter:
env: CONCOURSE_LDAP_USER_SEARCH_FILTER
description: |
Optional filter to apply when searching the directory.
example: '(objectClass=person)'
ldap_auth.user_search_username:
env: CONCOURSE_LDAP_USER_SEARCH_USERNAME
description: |
Attribute to match against the inputted username. This will be translated
and combined with the other filter as '(<attr>=<username>)'.
ldap_auth.user_search_scope:
env: CONCOURSE_LDAP_USER_SEARCH_SCOPE
description: |
Can either be 'sub' - search the whole sub tree or 'one' - only search
one level. Defaults to 'sub' if empty.
ldap_auth.user_search_id_attr:
env: CONCOURSE_LDAP_USER_SEARCH_ID_ATTR
description: |
A mapping of attributes on the user entry to claims. Defaults to 'uid' if
empty.
ldap_auth.user_search_email_attr:
env: CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR
description: |
A mapping of attributes on the user entry to claims. Defaults to 'mail'
if empty.
ldap_auth.user_search_name_attr:
env: CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR
description: |
A mapping of attributes on the user entry to claims.
ldap_auth.group_search_base_dn:
env: CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN
description: |
BaseDN to start the search from.
example: 'cn=groups,dc=example,dc=com'
ldap_auth.group_search_filter:
env: CONCOURSE_LDAP_GROUP_SEARCH_FILTER
description: |
Optional filter to apply when searching the directory.
example: '(objectClass=posixGroup)'
ldap_auth.group_search_scope:
env: CONCOURSE_LDAP_GROUP_SEARCH_SCOPE
description: |
Can either be 'sub' - search the whole sub tree or 'one' - only search
one level. Defaults to 'sub' if empty.
ldap_auth.group_search_user_attr:
env: CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR
description: |
Adds an additional requirement to the filter that an attribute in the
group match the user's attribute value. The exact filter being added is
(<groupAttr>=<userAttrvalue>).
ldap_auth.group_search_group_attr:
env: CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR
description: |
Adds an additional requirement to the filter that an attribute in the
group match the user's attribute value. The exact filter being added is
(<groupAttr>=<userAttrvalue>)
ldap_auth.group_search_name_attr:
env: CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR
description: |
The attribute of the group that represents its name.
generic_oauth.client_id:
env: CONCOURSE_OAUTH_CLIENT_ID
description: |
Application client ID for enabling generic OAuth.
generic_oauth.client_secret:
env: CONCOURSE_OAUTH_CLIENT_SECRET
description: |
Application client secret for enabling generic OAuth.
generic_oauth.auth_url:
env: CONCOURSE_OAUTH_AUTH_URL
description: Generic OAuth provider authorization endpoint url.
generic_oauth.token_url:
env: CONCOURSE_OAUTH_TOKEN_URL
description: Generic OAuth provider token endpoint URL.
generic_oauth.userinfo_url:
env: CONCOURSE_OAUTH_USERINFO_URL
description: Generic OAuth provider user info endpoint URL.
generic_oauth.scopes:
env: CONCOURSE_OAUTH_SCOPE
description: OAuth scopes to request during authorization.
generic_oauth.user_id_key:
env: CONCOURSE_OAUTH_USER_ID_KEY
description: User ID claim key used to map groups from the OAuth userinfo/token
generic_oauth.user_name_key:
env: CONCOURSE_OAUTH_USER_NAME_KEY
description: User name claim key used to map groups from the OAuth userinfo/token
generic_oauth.groups_key:
env: CONCOURSE_OAUTH_GROUPS_KEY
description: Groups claim key used to map groups from the OAuth userinfo/token
generic_oauth.display_name:
env: CONCOURSE_OAUTH_DISPLAY_NAME
description: Name of the authentication method to be displayed on the Web UI
generic_oauth.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_OAUTH_CA_CERT}}
description: |
The CA certificate for the Generic OAuth provider's endpoints.
generic_oauth.skip_ssl_validation:
env: CONCOURSE_OAUTH_SKIP_SSL_VALIDATION
description: Skip SSL validation.
generic_oidc.client_id:
env: CONCOURSE_OIDC_CLIENT_ID
description: Application client ID for enabling generic OIDC.
generic_oidc.client_secret:
env: CONCOURSE_OIDC_CLIENT_SECRET
description: Application client secret for enabling generic OIDC.
generic_oidc.issuer:
env: CONCOURSE_OIDC_ISSUER
description: Generic OIDC provider issuer url.
generic_oidc.scopes:
env: CONCOURSE_OIDC_SCOPE
description: OIDC scopes to request during authorization.
default: []
generic_oidc.user_name_key:
env: CONCOURSE_OIDC_USER_NAME_KEY
description: User name claim key used to map groups from the OIDC userinfo/token
generic_oidc.groups_key:
env: CONCOURSE_OIDC_GROUPS_KEY
description: Groups claim key used to map groups from the OIDC userinfo/token
generic_oidc.display_name:
env: CONCOURSE_OIDC_DISPLAY_NAME
description: Name of the authentication method to be displayed on the Web UI
generic_oidc.hosted_domains:
env: CONCOURSE_OIDC_HOSTED_DOMAINS
description: |
List of whitelisted domains when using Google, only users from a listed
domain will be allowed to log in
generic_oidc.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_OIDC_CA_CERT}}
description: |
The CA certificate for the Generic OIDC provider's endpoints.
generic_oidc.skip_ssl_validation:
env: CONCOURSE_OIDC_SKIP_SSL_VALIDATION
description: Skip SSL validation.
bitbucket_cloud_auth.client_id:
env: CONCOURSE_BITBUCKET_CLOUD_CLIENT_ID
description: |
BitBucket Cloud client ID.
bitbucket_cloud_auth.client_secret:
env: CONCOURSE_BITBUCKET_CLOUD_CLIENT_SECRET
description: |
BitBucket Cloud client secret.
gitlab_auth.host:
env: CONCOURSE_GITLAB_HOST
description: |
Hostname of Gitlab Enterprise deployment (Include scheme, No trailing
slash)
gitlab_auth.client_id:
env: CONCOURSE_GITLAB_CLIENT_ID
description: |
GitLab client ID to use for OAuth.
gitlab_auth.client_secret:
env: CONCOURSE_GITLAB_CLIENT_SECRET
description: |
GitLab client secret to use for OAuth.
microsoft_auth.client_id:
env: CONCOURSE_MICROSOFT_CLIENT_ID
description: |
Microsoft client ID to use for OAuth.
microsoft_auth.client_secret:
env: CONCOURSE_MICROSOFT_CLIENT_SECRET
description: |
Microsoft client secret to use for OAuth.
microsoft_auth.tenant:
env: CONCOURSE_MICROSOFT_TENANT
description: |
Microsoft tenant limitation to use for OAuth (common, consumers, organizations, tenant name or tenant uuid).
microsoft_auth.groups:
env: CONCOURSE_MICROSOFT_GROUPS
description: |
Allowed Active Directory groups to use for Microsoft OAuth.
microsoft_auth.only_security_groups:
env: CONCOURSE_MICROSOFT_ONLY_SECURITY_GROUPS
description: |
Only fetch security groups for Microsoft OAuth.
main_team.auth.config:
env_file: CONCOURSE_MAIN_TEAM_CONFIG
description: |
YAML file content for the main team's role configuration.
example: |
roles:
- name: owner
github:
users: ["admin"]
- name: member
github:
teams: ["org:team"]
- name: viewer
github:
orgs: ["org"]
local:
users: ["visitor"]
main_team.auth.local.users:
env: CONCOURSE_MAIN_TEAM_LOCAL_USER
description: |
An array of local users that are authorized for the main team.
main_team.auth.github.users:
env: CONCOURSE_MAIN_TEAM_GITHUB_USER
description: |
An array of GitHub userids/logins that are authorized for the main team
example:
- my-github-login
main_team.auth.github.orgs:
env: CONCOURSE_MAIN_TEAM_GITHUB_ORG
description: |
An array of GitHub orgs that are authorized for the main team
example:
- my-github-org
main_team.auth.gitlab.users:
env: CONCOURSE_MAIN_TEAM_GITLAB_USER
description: |
An array of GitLab users that are authorized for the main team
example:
- my-gitlab-login
main_team.auth.gitlab.groups:
env: CONCOURSE_MAIN_TEAM_GITLAB_GROUP
description: |
An array of GitLab groups that are authorized for the main team
example:
- my-gitlab-group
main_team.auth.github.teams:
env: CONCOURSE_MAIN_TEAM_GITHUB_TEAM
description: |
An array of GitHub teams that are authorized for the main team
example:
- my-github-org:my-github-team
main_team.auth.cf.users:
env: CONCOURSE_MAIN_TEAM_CF_USER
description: |
List of CloudFoundry userids/usernames that are authorized for the main team
example:
- my-username
main_team.auth.cf.orgs:
env: CONCOURSE_MAIN_TEAM_CF_ORG
description: |
List of CloudFoundry Orgs that are authorized for the main team
example:
- myorg
main_team.auth.cf.spaces:
env: CONCOURSE_MAIN_TEAM_CF_SPACE
description: |
(Deprecated) List of CloudFoundry Spaces whose 'developer' users are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.spaces_with_any_role:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_ANY_ROLE
description: |
List of CloudFoundry Spaces whose users with any role are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.spaces_with_developer_role:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_DEVELOPER_ROLE
description: |
List of CloudFoundry Spaces whose 'developer' users are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.spaces_with_auditor_role:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_AUDITOR_ROLE
description: |
List of CloudFoundry Spaces whose 'auditor' users are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.spaces_with_manager_role:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_WITH_MANAGER_ROLE
description: |
List of CloudFoundry Spaces whose 'manager' users are authorized for the main team
example:
- myorg:myspace
main_team.auth.cf.space_guids:
env: CONCOURSE_MAIN_TEAM_CF_SPACE_GUID
description: |
List of CloudFoundry Space GUIDs that are authorized for the main team
main_team.auth.ldap.users:
env: CONCOURSE_MAIN_TEAM_LDAP_USER
description: |
List of LDAP users that are authorized for the main team
example:
- my-username
main_team.auth.ldap.groups:
env: CONCOURSE_MAIN_TEAM_LDAP_GROUP
description: |
List of LDAP groups that are authorized for the main team
example:
- my-group
main_team.auth.oauth.users:
env: CONCOURSE_MAIN_TEAM_OAUTH_USER
description: |
List of Generic OAuth users that are authorized for the main team
example:
- my-username
main_team.auth.oauth.groups:
env: CONCOURSE_MAIN_TEAM_OAUTH_GROUP
description: |
List of Generic OAuth groups that are authorized for the main team
example:
- my-group
main_team.auth.oidc.users:
env: CONCOURSE_MAIN_TEAM_OIDC_USER
description: |
List of Generic OIDC users that are authorized for the main team
example:
- my-username
main_team.auth.oidc.groups:
env: CONCOURSE_MAIN_TEAM_OIDC_GROUP
description: |
List of Generic OIDC groups that are authorized for the main team
example:
- my-group
main_team.auth.bitbucket_cloud.users:
env: CONCOURSE_MAIN_TEAM_BITBUCKET_CLOUD_USER
description: |
List of whitelisted Bitbucket Cloud users.
example:
- my-bitbucket-cloud-login
main_team.auth.bitbucket_cloud.teams:
env: CONCOURSE_MAIN_TEAM_BITBUCKET_CLOUD_TEAM
description: |
List of whitelisted Bitbucket Cloud teams.
example:
- my-bitbucket-cloud-team
main_team.auth.microsoft.users:
env: CONCOURSE_MAIN_TEAM_MICROSOFT_USER
description: |
List of whitelisted Microsoft users for the main team.
example:
- my-username
main_team.auth.microsoft.groups:
env: CONCOURSE_MAIN_TEAM_MICROSOFT_GROUP
description: |
List of whitelisted Microsoft groups for the main team.
example:
- my-group
intercept_idle_timeout:
env: CONCOURSE_INTERCEPT_IDLE_TIMEOUT
description: Length of time for a intercepted session to be idle before terminating, in Go duration format.
example: 5m
enable_global_resources:
env: CONCOURSE_ENABLE_GLOBAL_RESOURCES
description: |
Enable equivalent resources across pipelines and teams to share a single
version history.
default: false
job_scheduling_max_in_flight:
env: CONCOURSE_JOB_SCHEDULING_MAX_IN_FLIGHT
description: |
Maximum number of jobs to be scheduling at the same time.
default: 32
lidar_checker_interval:
env: CONCOURSE_LIDAR_CHECKER_INTERVAL
description: |
Interval on which the resource checker runs any scheduled checks
default: 10s
lidar_scanner_interval:
env: CONCOURSE_LIDAR_SCANNER_INTERVAL
description: |
Interval on which the resource scanner will run to see if new checks need to be scheduled
default: 1m
global_resource_check_timeout:
env: CONCOURSE_GLOBAL_RESOURCE_CHECK_TIMEOUT
description: |
Time limit on checking for new versions of resources.
default: 1h
default_check_interval:
env: CONCOURSE_RESOURCE_CHECKING_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to check
for new versions of resources.
This can also be specified on a per-resource basis by specifying
`check_every` on the resource config.
default: 1m
default_resource_type_check_interval:
env: CONCOURSE_RESOURCE_TYPE_CHECKING_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to check
for new versions of resource types.
This can also be specified on a per-resource_type basis by specifying
`check_every` on the resource type config.
default: 1m
gc_interval:
env: CONCOURSE_GC_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to garbage
collect containers, volumes, and other internal data.
gc.interval:
env: CONCOURSE_GC_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to garbage
collect containers, volumes, and other internal data.
default: 30s
gc.missing_grace_period:
env: CONCOURSE_GC_MISSING_GRACE_PERIOD
description: |
Period after which to reap containers and volumes that were created but
went missing from the worker.
gc.one_off_grace_period:
env: CONCOURSE_GC_ONE_OFF_GRACE_PERIOD
description: |
Period after which one-off build containers will be garbage-collected.
gc.check_recycle_period:
env: CONCOURSE_GC_CHECK_RECYCLE_PERIOD
description: |
Period after which finished checks will get garbage-collected.
default: 6h
build_tracker_interval:
env: CONCOURSE_BUILD_TRACKER_INTERVAL
description: |
The interval, in Go duration format (1m = 1 minute), on which to run
build tracking to keep track of build status.
default: 10s
container_placement_strategy:
env: CONCOURSE_CONTAINER_PLACEMENT_STRATEGY
description: |
Method by which a worker is selected during container placement.
Supported options are "volume-locality", "random" and "fewest-build-containers".
Experimental option: "limit-active-tasks"
default: "volume-locality"
max_active_tasks_per_worker:
env: CONCOURSE_MAX_ACTIVE_TASKS_PER_WORKER
description: |
Maximum allowed number of active build tasks per worker.
Has effect only when used with "limit-active-tasks" placement strategy.
0 means no limit.
default: 0
baggageclaim_response_header_timeout:
env: CONCOURSE_BAGGAGECLAIM_RESPONSE_HEADER_TIMEOUT
description: |
How long to wait for Baggageclaim to send the response header. Use Go duration
format (1m = 1 minute).
default: 1m
garden_request_timeout:
env: CONCOURSE_GARDEN_REQUEST_TIMEOUT
description: |
How long to wait for requests to Garden to complete, in Go duration format (48h = 48 hours).
0 means no timeout.
example: 5m
postgresql.host:
env: CONCOURSE_POSTGRES_HOST
description: |
IP address or DNS name of a PostgreSQL server to connect to.
If not specified, one will be autodiscovered via BOSH links.
postgresql.port:
env: CONCOURSE_POSTGRES_PORT
description: |
Port on which to connect to the server specified by `postgresql.host`.
If `postgresql.host` is not specified, this will be autodiscovered via
BOSH links, along with the host.
default: 5432
postgresql.socket:
env: CONCOURSE_POSTGRES_SOCKET
description: |
Path to a UNIX domain socket to connect to.
postgresql.database:
env: CONCOURSE_POSTGRES_DATABASE
description: |
Name of the database to use.
postgresql.role.name:
env: CONCOURSE_POSTGRES_USER
description: |
Name of role to connect with.
postgresql.role.password:
env: CONCOURSE_POSTGRES_PASSWORD
description: |
Password to use when connecting.
postgresql.sslmode:
env: CONCOURSE_POSTGRES_SSLMODE
description: |
Whether or not to use SSL. Defaults to `verify-ca` when `postgresql.address`
or `postgresql.host` is provided. Otherwise, defaults to `disable`.
postgresql.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_POSTGRES_CA_CERT}}
description: |
CA certificate to verify the server against.
postgresql.client_cert:
type: certificate
env_fields:
certificate: {env_file: CONCOURSE_POSTGRES_CLIENT_CERT}
private_key: {env_file: CONCOURSE_POSTGRES_CLIENT_KEY}
description: |
Client certificate to use when connecting with the server.
postgresql.connect_timeout:
env: CONCOURSE_POSTGRES_CONNECT_TIMEOUT
description: |
Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.
default: 5m
api_max_conns:
env: CONCOURSE_API_MAX_CONNS
description: |
The maximum number of open connections for the api connection pool.
backend_max_conns:
env: CONCOURSE_BACKEND_MAX_CONNS
description: |
The maximum number of open connections for the backend connection pool.
datadog.agent_host:
env: CONCOURSE_DATADOG_AGENT_HOST
description: |
If configured, detailed metrics will be emitted to the specified Datadog Agent's
dogstatsd server.
datadog.agent_port:
env: CONCOURSE_DATADOG_AGENT_PORT
description: |
Port of the Datadog Agent's dogstatsd server to emit events to.
default: 8125
datadog.prefix:
env: CONCOURSE_DATADOG_PREFIX
description: |
An optional prefix for emitted Datadog events.
riemann.host:
env: CONCOURSE_RIEMANN_HOST
description: |
If configured, detailed metrics will be emitted to the specified Riemann
server.
default: ""
riemann.port:
env: CONCOURSE_RIEMANN_PORT
description: |
Port of the Riemann server to emit events to.
default: 5555
riemann.service_prefix:
env: CONCOURSE_RIEMANN_SERVICE_PREFIX
description: |
An optional prefix for emitted Riemann services
riemann.tags:
env: CONCOURSE_RIEMANN_TAG
description: |
An optional map of tags in key: value format
example:
env: dev
foo: bar
prometheus.bind_ip:
env: CONCOURSE_PROMETHEUS_BIND_IP
description: |
If configured, expose Prometheus metrics at specified address
prometheus.bind_port:
env: CONCOURSE_PROMETHEUS_BIND_PORT
description: |
If configured, expose Prometheus metrics at specified port
influxdb.url:
env: CONCOURSE_INFLUXDB_URL
description: |
If configured, detailed metrics will be emitted to the specified InfluxDB
server.
influxdb.database:
env: CONCOURSE_INFLUXDB_DATABASE
description: |
InfluxDB database to which metrics will be emitted.
influxdb.username:
env: CONCOURSE_INFLUXDB_USERNAME
description: |
InfluxDB username for authorizing access.
influxdb.password:
env: CONCOURSE_INFLUXDB_PASSWORD
description: |
InfluxDB password for authorizing access.
influxdb.insecure_skip_verify:
env: CONCOURSE_INFLUXDB_INSECURE_SKIP_VERIFY
description: |
Skip SSL verification when emitting to InfluxDB.
default: false
influxdb.batch_size:
env: CONCOURSE_INFLUXDB_BATCH_SIZE
description: |
Number of points to batch together when emitting to InfluxDB.
default: 5000
influxdb.batch_duration:
env: CONCOURSE_INFLUXDB_BATCH_DURATION
description: |
The duration to wait before emitting a batch of points to InfluxDB,
disregarding `influxdb.batch_size`.
default: 300s
newrelic.account_id:
env: CONCOURSE_NEWRELIC_ACCOUNT_ID
description: |
New Relic Account ID.
newrelic.api_key:
env: CONCOURSE_NEWRELIC_API_KEY
description: |
New Relic Insights API Key.
newrelic.service_prefix:
env: CONCOURSE_NEWRELIC_SERVICE_PREFIX
description: |
An optional prefix for emitted New Relic events.
newrelic.batch_size:
env: CONCOURSE_NEWRELIC_BATCH_SIZE
description: |
Number of events to batch together before emitting.
example: 2000
newrelic.batch_duration:
env: CONCOURSE_NEWRELIC_BATCH_DURATION
description: |
Length of time to wait between emitting until all currently batched events are emitted.
example: 60s
newrelic.disable_compression:
env: CONCOURSE_NEWRELIC_BATCH_DISABLE_COMPRESSION
description: |
Disables compression of the batch before sending it.
example: false
tracing.jaeger_endpoint:
env: CONCOURSE_TRACING_JAEGER_ENDPOINT
description: |
jaeger HTTP-based Thrift collector.
example: http://jaeger:14268/api/traces
tracing.jaeger_service:
env: CONCOURSE_TRACING_JAEGER_SERVICE
description: |
Name of the service being traced.
example: web
tracing.jaeger_tags:
env: CONCOURSE_TRACING_JAEGER_TAGS
description: |
Tags to include in components.
example: foo:bar,caz:zaz
tracing.stackdriver_projectid:
env: CONCOURSE_TRACING_STACKDRIVER_PROJECTID
description: |
GCP's Project ID
example: my-projectid
capture_error_metrics:
env: CONCOURSE_CAPTURE_ERROR_METRICS
description: |
Enable capturing of error log metrics.
metrics_buffer_size:
env: CONCOURSE_METRICS_BUFFER_SIZE
description: |
The size of the buffer used in emitting event metrics.
default: 1000
emit_metrics_to_logs:
env: CONCOURSE_EMIT_TO_LOGS
description: |
Emit metrics to logs.
secrets.retry_attempts:
env: CONCOURSE_SECRET_RETRY_ATTEMPTS
description: |
The number of attempts secret will be retried to be fetched, in case a
retryable error happens.
secrets.retry_interval:
env: CONCOURSE_SECRET_RETRY_INTERVAL
description: |
The interval between secret retry retrieval attempts.
secrets.cache.enabled:
env: CONCOURSE_SECRET_CACHE_ENABLED
description: |
Enable in-memory caching of secrets fetched from the credential manager.
secrets.cache.duration:
env: CONCOURSE_SECRET_CACHE_DURATION
description: |
Maximum duration for which to keep cached credentials.
default: 1m
secrets.cache.duration_notfound:
env: CONCOURSE_SECRET_CACHE_DURATION_NOTFOUND
description: |
If the cache is enabled, secret not found responses will be cached for this duration.
default: 10s
secrets.cache.purge_interval:
env: CONCOURSE_SECRET_CACHE_PURGE_INTERVAL
description: |
Interval on which to purge expired cached credentials.
default: 10m
vault.url:
env: CONCOURSE_VAULT_URL
description: |
Vault server URL to use for parameterizing credentials.
vault.path_prefix:
env: CONCOURSE_VAULT_PATH_PREFIX
description: |
Path under which to look up shared team/pipeline credentials.
default: /concourse
vault.shared_path:
env: CONCOURSE_VAULT_SHARED_PATH
description: |
Path under which to lookup shared credentials.
vault.namespace:
env: CONCOURSE_VAULT_NAMESPACE
description: |
Vault namespace to use for authentication and secret lookup. Currently only supported for Enterprise Vault.
vault.tls.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_VAULT_CA_CERT}}
description: |
A PEM-encoded CA cert to use to verify the Vault server SSL cert.
vault.tls.server_name:
env: CONCOURSE_VAULT_SERVER_NAME
description: |
If set, is used to set the SNI host when connecting via TLS.
vault.tls.insecure_skip_verify:
env: CONCOURSE_VAULT_INSECURE_SKIP_VERIFY
description: |
Enable insecure SSL verification.
default: false
vault.tls.client_cert:
type: certificate
env_fields:
certificate: {env_file: CONCOURSE_VAULT_CLIENT_CERT}
private_key: {env_file: CONCOURSE_VAULT_CLIENT_KEY}
description: |
Client certificate for Vault TLS auth.
vault.auth.client_token:
env: CONCOURSE_VAULT_CLIENT_TOKEN
description: |
Client token to use for accessing your Vault server.
vault.auth.backend:
env: CONCOURSE_VAULT_AUTH_BACKEND
description: |
Auth backend to use for logging in to Vault.
vault.auth.backend_max_ttl:
env: CONCOURSE_VAULT_AUTH_BACKEND_MAX_TTL
description: |
Time after which to force a re-login. If not set, the token will just be
continuously renewed.
vault.auth.params:
env: CONCOURSE_VAULT_AUTH_PARAM
description: |
Key-value parameters to provide when logging in with the backend.
example: {role_id: abc123, secret_id: def456}
vault.retry.initial:
env: CONCOURSE_VAULT_RETRY_INITIAL
description: |
The initial time between retries when logging in or re-authing a secret.
vault.retry.max:
env: CONCOURSE_VAULT_RETRY_MAX
description: |
The maximum time between retries when logging in or re-authing a secret.
conjur.appliance_interval:
env: CONCOURSE_CONJUR_APPLIANCE_URL
description: |
URL of the Conjur instance.
conjur.account:
env: CONCOURSE_CONJUR_ACCOUNT
description: |
Conjur account name.
conjur.cert_file:
env: CONCOURSE_CONJUR_CERT_FILE
description: |
Path to cert file used if conjur instance is using a self-signed cert.
conjur.auth.login:
env: CONCOURSE_CONJUR_AUTHN_LOGIN
description: |
Host username. Example: host/concourse
conjur.auth.api_key:
env: CONCOURSE_CONJUR_AUTHN_API_KEY
description: |
API key related to the host.
conjur.auth.token_file:
env: CONCOURSE_CONJUR_AUTHN_TOKEN_FILE
description: |
Path to token file used if Conjur instance is running in Kubernetes or IAM.
conjur.pipeline_secret_template:
env: CONCOURSE_CONJUR_PIPELINE_SECRET_TEMPLATE
description: |
Conjur secret identifier template used for pipeline specific parameter.
conjur.team_secret_template:
env: CONCOURSE_CONJUR_TEAM_SECRET_TEMPLATE
description: |
Conjur secret identifier template used for team specific parameter.
conjur.secret_template:
env: CONCOURSE_CONJUR_SECRET_TEMPLATE
description: |
Conjur secret identifier template used for full path conjur secrets
credhub.url:
env: CONCOURSE_CREDHUB_URL
description: |
CredHub server address used to access secrets.
example: "https://credhub-server:9000"
credhub.path_prefix:
env: CONCOURSE_CREDHUB_PATH_PREFIX
description: |
Path under which to namespace team/pipeline credentials.
default: /concourse
credhub.tls.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_CREDHUB_CA_CERT}}
description: |
A PEM-encoded CA cert to use to verify the Credhub server SSL cert.
credhub.tls.client_cert:
type: certificate
env_fields:
certificate: {env_file: CONCOURSE_CREDHUB_CLIENT_CERT}
private_key: {env_file: CONCOURSE_CREDHUB_CLIENT_KEY}
description: |
Client certificate for CredHub mutual TLS auth.
credhub.tls.insecure_skip_verify:
env: CONCOURSE_CREDHUB_INSECURE_SKIP_VERIFY
description: |
Enable insecure SSL verification.
default: false
credhub.client_id:
env: CONCOURSE_CREDHUB_CLIENT_ID
description: |
Client ID for CredHub authorization.
credhub.client_secret:
env: CONCOURSE_CREDHUB_CLIENT_SECRET
description: |
Client secret for CredHub authorization.
aws_ssm.region:
env: CONCOURSE_AWS_SSM_REGION
description: |
AWS region to use for fetching SSM parameters.
aws_ssm.access_key:
env: CONCOURSE_AWS_SSM_ACCESS_KEY
description: |
AWS Access key ID used as credentials for accessing SSM parameters.
aws_ssm.secret_key:
env: CONCOURSE_AWS_SSM_SECRET_KEY
description: |
AWS Secret Access Key used as credentials for accessing SSM parameters.
aws_ssm.session_token:
env: CONCOURSE_AWS_SSM_SESSION_TOKEN
description: |
AWS Session Token used as credentials for accessing SSM parameters.
aws_ssm.pipeline_secret_template:
env: CONCOURSE_AWS_SSM_PIPELINE_SECRET_TEMPLATE
description: |
AWS SSM parameter name template used to resolve pipeline specific secrets. If this flag contains slashes, be sure
to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.
default: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
aws_ssm.team_secret_template:
env: CONCOURSE_AWS_SSM_TEAM_SECRET_TEMPLATE
description: |
AWS SSM parameter name template used to resolve team specific secrets. If this flag contains slashes, be sure
to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.
names.
default: /concourse/{{.Team}}/{{.Secret}}
aws_secretsmanager.region:
env: CONCOURSE_AWS_SECRETSMANAGER_REGION
description: |
AWS region to use for fetching entries from SecretsManager.
aws_secretsmanager.access_key:
env: CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY
description: |
AWS Access key ID used as credentials for accessing SecretsManager.
aws_secretsmanager.secret_key:
env: CONCOURSE_AWS_SECRETSMANAGER_SECRET_KEY
description: |
AWS Secret Access Key used as credentials for accessing SecretsManager.
aws_secretsmanager.session_token:
env: CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN
description: |
AWS Session Token used as credentials for accessing SecretsManager.
aws_secretsmanager.pipeline_secret_template:
env: CONCOURSE_AWS_SECRETSMANAGER_PIPELINE_SECRET_TEMPLATE
description: |
AWS SecretsManager secret name template used to resolve pipeline specific secrets.
default: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
aws_secretsmanager.team_secret_template:
env: CONCOURSE_AWS_SECRETSMANAGER_TEAM_SECRET_TEMPLATE
description: |
AWS SecretsManager secret name template used to resolve team specific secrets.
default: /concourse/{{.Team}}/{{.Secret}}
build_log_retention.default:
env: CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN
description: |
Deprecated. See build_log_retention.default_builds.
example: 100
build_log_retention.maximum:
env: CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN
description: |
Deprecated. See build_log_retention.maximum_builds.
example: 1000
build_log_retention.default_builds:
env: CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN
description: |
Default days to retain build logs. 0 means unlimited.
example: 100
build_log_retention.maximum_builds:
env: CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN
description: |
Maximum builds logs to retain. Will override values configured in jobs.
example: 1000
build_log_retention.default_days:
env: CONCOURSE_DEFAULT_DAYS_TO_RETAIN_BUILD_LOGS
description: |
Default days to retain build logs. 0 means unlimited.
example: 100
build_log_retention.maximum_days:
env: CONCOURSE_MAX_DAYS_TO_RETAIN_BUILD_LOGS
description: |
Maximum days to retain build logs. Will override values configured in
jobs.
example: 1000
lets_encrypt.enabled:
env: CONCOURSE_ENABLE_LETS_ENCRYPT
description: |
Automatically configure TLS certificates via Let's Encrypt/ACME.
lets_encrypt.acme_url:
env: CONCOURSE_LETS_ENCRYPT_ACME_URL
description: |
URL of the ACME CA directory endpoint.
default: https://acme-v02.api.letsencrypt.org/directory
default_task_cpu_limit:
env: CONCOURSE_DEFAULT_TASK_CPU_LIMIT
description: |
Default limit for cpu shares used per task. This can be overridden by specifying
a different limit in the task yaml.
example: 256
default_task_memory_limit:
env: CONCOURSE_DEFAULT_TASK_MEMORY_LIMIT
description: |
Default limit for memory used per task. This can be overridden by specifying
a different limit in the task yaml.
example: 200mb
syslog.address:
env: CONCOURSE_SYSLOG_ADDRESS
description: |
Remote syslog server address with port.
example: 0.0.0.0:514
syslog.hostname:
env: CONCOURSE_SYSLOG_HOSTNAME
description: |
Client hostname with which the build logs will be sent to the syslog server.
example: atc-syslog-drainer
default: atc-syslog-drainer
syslog.transport:
env: CONCOURSE_SYSLOG_TRANSPORT
description: Transport protocol for syslog messages (Currently supporting tcp, udp & tls).
example: tcp
syslog.drain_interval:
env: CONCOURSE_SYSLOG_DRAIN_INTERVAL
description: |
Interval over which checking is done for new build logs to send to syslog server (duration measurement units are s/m/h)
example: 30s
default: 30s
syslog.ca_cert:
type: certificate
env_fields: {certificate: {env_file: CONCOURSE_SYSLOG_CA_CERT}}
description: |
A PEM-encoded CA cert to use to verify the Syslog server SSL cert.
worker_gateway.heartbeat_interval:
env: CONCOURSE_TSA_HEARTBEAT_INTERVAL
description: |
Interval on which to register workers with the ATC.
default: 30s
worker_gateway.bind_port:
env: CONCOURSE_TSA_BIND_PORT
description: |
Port on which to listen for SSH connections.
default: 2222
worker_gateway.host_key:
type: ssh
env_fields: {private_key: {env_file: CONCOURSE_TSA_HOST_KEY}}
description: |
Must be specified, bosh can auto-generate, see sample manifest.yml.
example:
private_key: |
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
public_key: |
ssh-rsa ...
worker_gateway.authorized_keys:
env_file: CONCOURSE_TSA_AUTHORIZED_KEYS
description: |
Public keys to authorize for SSH connections. Either a string with one
public key per line, or an array of public keys.
default: ""
worker_gateway.team_authorized_keys:
env_file: CONCOURSE_TSA_TEAM_AUTHORIZED_KEYS
description: |
Public keys to authorize for per-team workers.
Map from team name to authorized keys, either as a string with one key
per line or an array of public keys.
example:
concourse: |
ssh-rsa key key@pivotal.io
default: {}
worker_gateway.log_level:
env: CONCOURSE_TSA_LOG_LEVEL
description: |
The log level for the TSA.
default: info
You can’t perform that action at this time.