Skip to content
Permalink
master
Switch branches/tags
Go to file
 
 
Cannot retrieve contributors at this time
## Default values for Concourse Helm Chart.
## This is a YAML-formatted file.
## Declare variables to be passed into your templates.
## Provide a name in place of `concourse` for `app:` labels
##
nameOverride:
## Provide a name to substitute for the full names of resources
##
fullnameOverride:
## Concourse image to use in both Web and Worker containers.
##
image: concourse/concourse
## Concourse image tag.
## ps.: release candidates are published under `concourse/concourse-rc` instead
## of `concourse/concourse`.
## Ref: https://hub.docker.com/r/concourse/concourse/tags/
##
imageTag: "5.6.0"
## Specific image digest to use in place of a tag.
## Ref: https://kubernetes.io/docs/concepts/configuration/overview/#container-images
##
imageDigest:
## Specify a imagePullPolicy regarding the fetching of container images.
## Ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
imagePullPolicy: IfNotPresent
## Array of imagePullSecrets to allow pulling the Concourse image from private registries.
## ps.: secrets must be manually created in the namespace.
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
## Example:
##
## imagePullSecrets:
## - myRegistryKeySecretName
##
imagePullSecrets: []
## Configuration values for the Concourse application (worker and web components).
## The values specified here are almost direct references to the flags under the
## `concourse web` and `concourse worker` commands.
##
concourse:
## Configurations for the `web` component based on the possible flags configurable
## through the `concourse web` command.
##
web:
## A name for this Concourse cluster, to be displayed on the dashboard page.
##
clusterName:
## The maximum number of open connections for a connection pool
##
maxConns:
## Enable equivalent resources across pipelines and teams to share a single version history.
## Ref: https://concourse-ci.org/global-resources.html
##
enableGlobalResources: true
## The Future™ of resource checking.
##
enableLidar:
## Interval on which the resource scanner will run to see if new checks need
## to be scheduled.
##
lidarScannerInterval:
## Interval on which the resource checker runs any scheduled checks.
##
lidarCheckerInterval:
## Enable auditing for all api requests connected to builds.
##
enableBuildAuditing: false
## Enable auditing for all api requests connected to containers.
##
enableContainerAuditing: false
## Enable auditing for all api requests connected to jobs.
##
enableJobAuditing: false
## Enable auditing for all api requests connected to pipelines.
##
enablePipelineAuditing: false
## Enable auditing for all api requests connected to resources.
##
enableResourceAuditing: false
## Enable auditing for all api requests connected to system transactions.
##
enableSystemAuditing: false
## Enable auditing for all api requests connected to teams.
##
enableTeamAuditing: false
## Enable auditing for all api requests connected to workers.
##
enableWorkerAuditing: false
## Enable auditing for all api requests connected to volumes.
##
enableVolumeAuditing: false
## Enable redacting secrets in build logs.
##
enableRedactSecrets:
## The number of attempts secret will be retried to be fetched,
## in case a retryable error happens.
##
secretRetryAttempts: 5
## The interval between secret retry retieval attempts.
##
secretRetryInterval: 1s
## Enable in-memory cache for secrets.
##
secretCacheEnabled: false
## If the cache is enabled, secret values will be cached for not longer
## than this duration (it can be less, if underlying secret lease time
## is smaller).
##
secretCacheDuration:
## If the cache is enabled, secret not found responses will be cached for
## this duration.
##
secretCacheDurationNotFound:
## If the cache is enabled, expired items will be removed on this internal.
##
secretCachePurgeInterval:
## Minimum level of logs to see. Possible options: debug, info, error.
##
logLevel: info
## IP address on which to listen for HTTP traffic (web UI and API).
##
bindIp: 0.0.0.0
## Port on which to listen for HTTP traffic (web UI and API).
##
bindPort: 8080
## TLS configuration for the web component to be able to serve HTTPS traffic.
## Once enabled, consumes the certificates set via secrets (`web-tls-cert` and
## `web-tls-key`).
##
tls:
## Enable serving HTTPS traffic directly through the web component.
##
enabled: false
## Port on which to listen for HTTPS traffic.
##
bindPort: 443
## URL used to reach any ATC from the outside world.
## This is *very* important for a proper authentication workflow as
## browser redirects are based on the value set here.
##
## Example: http://ci.concourse-ci.org
##
externalUrl:
encryption:
## Enable encryption of pipeline configuration. Encryption keys can be set via secrets
## (`encryption-key` and `old-encryption-key` fields).
## Ref: https://concourse-ci.org/encryption.html
##
enabled: false
localAuth:
## Enable the use of local authentication (basic auth).
## Once enabled, users configured through `local-users` (secret)
## are able to authenticate.
##
## Local users can be individually added to the `main` team by setting
## `concourse.web.auth.mainTeam.localUser` with a comma-separated list
## of ids.
##
## Ref: https://concourse-ci.org/install.html#local-auth-config
##
enabled: true
## IP address on which to listen for the pprof debugger endpoints.
##
debugBindIp: 127.0.0.1
## Port on which to listen for the pprof debugger endpoints.
##
debugBindPort: 8079
## Length of time for a intercepted session to be idle before terminating.
##
interceptIdleTimeout: 0m
## Time limit on checking for new versions of resources.
##
globalResourceCheckTimeout: 1h
## Interval on which to check for new versions of resources.
##
resourceCheckingInterval: 1m
## Interval on which to check for new versions of resource types.
##
resourceTypeCheckingInterval: 1m
## Method by which a worker is selected during container placement.
## Possible values: volume-locality | random | fewest-build-containers| limit-active-tasks
containerPlacementStrategy: volume-locality
## Maximum allowed number of active build tasks per worker.
##
## Has effect only when containerPlacementStrategy is set to use
## limit-active-tasks placement strategy.
##
## ps.: 0 means no limit.
##
## ref: https://concourse-ci.org/container-placement.html#limit-active-tasks-strategy
##
limitActiveTasks:
## How long to wait for Baggageclaim to send the response header.
##
baggageclaimResponseHeaderTimeout: 1m
## Directory containing downloadable CLI binaries.
## By default, Concourse will try to find the assets
## path relative to the executable.
##
cliArtifactsDir:
## Log database queries.
##
logDbQueries: false
## Log cluster name.
##
logClusterName:
## Interval on which to run build tracking.
##
buildTrackerInterval: 10s
## Default number of build logs to retain. 0 means all.
##
defaultBuildLogsToRetain:
## Maximum build logs to retain, 0 means not specified. Will override values configured in jobs.
##
maxBuildLogsToRetain:
## Default days to retain build logs. 0 means unlimited.
##
defaultDaysToRetainBuildLogs:
## Maximum days to retain build logs, 0 means not specified. Will override values configured in jobs.
##
maxDaysToRetainBuildLogs:
## Default max number of cpu shares per task, 0 means unlimited.
##
defaultTaskCpuLimit:
## Default maximum memory per task, 0 means unlimited.
##
defaultTaskMemoryLimit:
## Network address of this web node, reachable by other web nodes. Used for forwarded worker addresses. (default: $POD_IP)
##
peerAddress:
## Configurations regarding how the web component is able to connect to a postgres
## instance.
##
postgres:
## The host to connect to.
##
host:
## The port to connect to.
##
port: 5432
## Path to a UNIX domain socket to connect to.
##
socket:
## Whether or not to use SSL.
##
sslmode: disable
## Dialing timeout. (0 means wait indefinitely)
##
connectTimeout: 5m
## The name of the database to use.
##
database: atc
kubernetes:
## Enable the use of Kubernetes Secrets as the credential provider for
## concourse pipelines.
##
enabled: true
## Prefix to use for Kubernetes namespaces under which secrets will be looked up.
## Defaults to the Release name hyphen, e.g. "my-release-" produces namespace "my-release-main"
## for the "main" Concourse team.
##
namespacePrefix:
## Teams to create namespaces for to hold secrets.
## This property only has effect if `createTeamNamespaces` is set to `true`.
##
teams:
- main
## Create the Kubernetes namespace for each team listed under `concourse.web.kubernetes.teams`.
##
createTeamNamespaces: true
## When true, namespaces are not deleted when the release is deleted.
## Irrelevant if the namespaces are not created by this chart.
##
keepNamespaces: true
## Path to Kubernetes config when running ATC outside Kubernetes.
##
configPath:
## Configuration for using AWS SSM as a credential manager.
## Ref: https://concourse-ci.org/creds.html#asm
##
awsSecretsManager:
## Enable the use of AWS Secrets Manager for credential management.
##
enabled: false
## AWS region to use when reading from Secrets Manager
##
region:
## Configure authentication using an access key and secret key. If disabled, IAM role auth is assumed.
## Session Token can also be enabled, if required.
keyAuth:
enabled: true
useSessionToken: false
## pipeline-specific template for Secrets Manager parameters, defaults to: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
##
pipelineSecretTemplate: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
## team-specific template for Secrets Manager parameters, defaults to: /concourse/{{.Team}}/{{.Secret}}
##
teamSecretTemplate: /concourse/{{.Team}}/{{.Secret}}
## Configuration for using AWS SSM as a credential manager.
## Ref: https://concourse-ci.org/creds.html#ssm
##
awsSsm:
## Enable the use of AWS SSM.
##
enabled: false
## AWS region to use when reading from SSM
##
region:
## Configure authentication using an access key and secret key. If disabled, IAM role auth is assumed.
## Session Token can also be enabled, if required.
keyAuth:
enabled: true
useSessionToken: false
## pipeline-specific template for SSM parameters, defaults to: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
##
pipelineSecretTemplate: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
## team-specific template for SSM parameters, defaults to: /concourse/{{.Team}}/{{.Secret}}
##
teamSecretTemplate: /concourse/{{.Team}}/{{.Secret}}
## Configuration for using Vault as a credential manager.
## Ref: https://concourse-ci.org/creds.html#vault
##
vault:
## Enable the use of Vault as a credential manager.
##
enabled: false
## URL pointing to vault addr (i.e. http://vault:8200).
##
url:
## Vault path under which to namespace credentials lookup.
##
pathPrefix: /concourse
## Path under which to lookup shared credentials.
##
sharedPath:
## if the Vault server is using a self-signed certificate, set this to true,
## and provide a value for the cert in secrets (field `vault-ca-cert`).
##
useCaCert: false
## Vault authentication backend, leave this blank if using an initial periodic token.
## Currently supported backends: token, approle, cert.
##
authBackend: ""
## Path to a directory of PEMEncoded CA cert files to verify the vault server SSL cert.
##
caPath:
## If set, is used to set the SNI host when connecting via TLS.
##
serverName:
## Enable insecure SSL verification.
##
insecureSkipVerify: false
## Client token for accessing secrets within the Vault server.
##
clientToken:
## Time after which to force a reLogin. If not set, the token will just be continuously renewed.
##
authBackendMaxTtl:
## The maximum time between retries when logging in or reAuthing a secret.
##
retryMax: 5m
## The initial time between retries when logging in or reAuthing a secret.
##
retryInitial: 1s
## Configuration for using Credhub as a credential manager.
## Ref: https://concourse-ci.org/credhub-credential-manager.html
##
credhub:
## Enable the use of Credhub as a credential manager.
##
enabled: false
## CredHub server address used to access secrets
## Example: https://credhub.example.com
##
url:
## Path under which to namespace credential lookup. (default: /concourse)
##
pathPrefix:
## Enables using a CA Certificate
##
useCaCert: false
## Enables insecure SSL verification.
##
insecureSkipVerify: false
## Configures the way that the Concourse authenticates against CredHub
## - secrets: makes use of `client-id` and `client-secret`
## - mtls: leverages client certificates
##
authenticationMode: "secrets"
## Don't actually do any automatic scheduling or checking.
##
noop: false
staticWorker:
## Enables the direct registration of a worker that has its properties
## hardcoded.
##
enabled: false
## A Garden API endpoint to register as a worker.
##
gardenUrl:
## A Baggageclaim API endpoint to register with the worker.
##
baggageclaimUrl:
## A resource type to advertise for the worker. Can be specified multiple times.
##
resource:
metrics:
## Host string to attach to emitted metrics.
##
hostName:
## A key-value attribute to attach to emitted metrics.
##
attribute:
## Enable capturing of error log metrics.
##
captureErrorMetrics: false
## The size of the buffer used in emitting event metrics.
##
bufferSize:
datadog:
enabled: false
## Use IP of node the pod is scheduled on, overrides `agentHost`
##
agentHostUseHostIP: false
## Datadog agent host to expose dogstatsd metrics
##
agentHost: 127.0.0.1
## Datadog agent port to expose dogstatsd metrics
##
agentPort: 8125
## Prefix for all metrics to easily find them in Datadog
##
prefix: "concourse.ci"
influxdb:
enabled: false
## Number of points to batch together when emitting to InfluxDB
##
batchSize:
## The duration to wait before emitting a batch of points to InfluxDB,
## disregarding # the batch size.
##
batchDuration:
## InfluxDB server address to emit points to.
## Example: http://127.0.0.1:8086
##
url:
## InfluxDB database to write points to.
##
database: concourse
## InfluxDB server username.
##
username:
## Skip SSL verification when emitting to InfluxDB.
##
insecureSkipVerify: false
## Emit metrics to logs instead of an actual metrics system.
##
emitToLogs: false
newrelic:
enabled: false
## New Relic Account ID
##
accountId:
## New Relic Insights API Key
##
apiKey:
## An optional prefix for emitted New Relic events
##
servicePrefix:
prometheus:
enabled: false
## IP to listen on to expose Prometheus metrics.
##
bindIp: "0.0.0.0"
## Port to listen on to expose Prometheus metrics.
##
bindPort: 9391
riemann:
enabled: false
## Riemann server address to emit metrics to.
##
host:
## Port of the Riemann server to emit metrics to.
##
port: 5555
## An optional prefix for emitted Riemann services
##
servicePrefix:
## Tag to attach to emitted metrics. Can be specified multiple times.
##
tag:
## The value to set for X-Frame-Options. If omitted, the header is not set.
##
xFrameOptions:
gc:
## Interval on which to perform garbage collection.
##
interval: 30s
## Grace period before reaping oneOff task containers
##
oneOffGracePeriod: 5m
## Period after which to reap containers and volumes that were created but
## went missing from the worker.
##
missingGracePeriod: 5m
## Period after which to reap checks that are completed.
##
checkRecyclePeriod:
syslog:
## Enables the emission of build logs to external log ingesters through
## using the syslog protocol.
##
enabled: false
## Client hostname with which the build logs will be sent to the syslog server.
##
hostname: atc-syslog-drainer
## Remote syslog server address with port (Example: 0.0.0.0:514).
##
address:
## Transport protocol for syslog messages (Currently supporting tcp, udp & tls).
##
transport:
## Interval over which checking is done for new build logs to send to syslog server
## (duration measurement units are s/m/h; eg. 30s/30m/1h)
drainInterval: 30s
## If the syslog server is using a self-signed certificate, set this to true,
## and provide a value for the cert in secrets (`syslog-ca-cert`).
##
useCaCert: false
auth:
## Force sending secure flag on http cookies
##
cookieSecure: false
## Length of time for which tokens are valid. Afterwards, users will have to log back in.
## The value must be specified as Go duration values (e.g.: 30m or 24h).
duration: 24h
mainTeam:
## Configuration file for specifying team params.
## Ref: https://concourse-ci.org/managing-teams.html#setting-roles
##
config:
## List of local Concourse users to be included as members of the `main` team.
## Make sure you have local users support enabled (`concourse.web.localAuth.enabled`) and
## that the users were added (`local-users` secret).
##
localUser: "test"
## Authentication (Main Team) (CloudFoundry)
##
cf:
## List of whitelisted CloudFoundry users.
##
user:
## List of whitelisted CloudFoundry orgs
##
org:
## List of whitelisted CloudFoundry spaces
##
space:
## (Deprecated) List of whitelisted CloudFoundry space guids
##
spaceGuid:
## Authentication (Main Team) (Bitbucket Cloud)
##
bitbucketCloud:
## List of whitelisted Bitbucket Cloud users
##
user:
## List of whitelisted Bitbucket Cloud teams
##
team:
## Authentication (Main Team) (GitHub)
##
github:
## List of whitelisted GitHub users
##
user:
## List of whitelisted GitHub orgs
##
org:
## List of whitelisted GitHub teams
##
team:
## Authentication (Main Team) (GitLab)
##
gitlab:
## List of whitelisted GitLab users
##
user:
## List of whitelisted GitLab groups
##
group:
## Authentication (Main Team) (LDAP)
##
ldap:
## List of whitelisted LDAP users
##
user:
## List of whitelisted LDAP groups
##
group:
## Authentication (Main Team) (OAuth2)
##
oauth:
## List of whitelisted OAuth2 users
##
user:
## List of whitelisted OAuth2 groups
##
group:
## Authentication (Main Team) (OIDC)
##
oidc:
## List of whitelisted OIDC users
##
user:
## List of whitelisted OIDC groups
##
group:
## Authentication (CloudFoundry)
##
cf:
enabled: false
## (Required) The base API URL of your CF deployment. It will use this information to discover information
## about the authentication provider.
##
## Example: https://api.run.pivotal.io
##
apiUrl:
## CA Certificate
##
useCaCert: false
## Skip SSL validation
##
skipSslValidation: false
## Authentication (GitHub)
##
github:
enabled: false
## Hostname of GitHub Enterprise deployment (No scheme, No trailing slash)
##
host:
## CA certificate of GitHub Enterprise deployment
##
useCaCert: false
## Authentication (BitbucketCloud)
##
bitbucketCloud:
enabled: false
## Authentication (GitLab)
gitlab:
enabled: false
## Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash)
##
host:
## Authentication (LDAP)
ldap:
enabled: false
## The auth provider name displayed to users on the login page
##
displayName:
## (Required) The host and optional port of the LDAP server. If port isn't supplied, it will be guessed
## based on the TLS configuration. 389 or 636.
##
host:
## (Required) Bind DN for searching LDAP users and groups. Typically this is a readOnly user.
##
bindDn:
## (Required) Bind Password for the user specified by 'bindDn'
##
bindPw:
## Required if LDAP host does not use TLS.
##
insecureNoSsl:
## Skip certificate verification
##
insecureSkipVerify:
## Start on insecure port, then negotiate TLS
##
startTls:
## CA certificate
##
useCaCert:
## BaseDN to start the search from. For example 'cn=users,dc=example,dc=com'
##
userSearchBaseDn:
## Optional filter to apply when searching the directory. For example '(objectClass=person)'
##
userSearchFilter:
## Attribute to match against the inputted username. This will be translated and combined with the other
## filter as '(<attr>=<username>)'.
##
userSearchUsername:
## Can either be: 'sub' search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
##
userSearchScope:
## A mapping of attributes on the user entry to claims. Defaults to 'uid'.
##
userSearchIdAttr:
## A mapping of attributes on the user entry to claims. Defaults to 'mail'.
##
userSearchEmailAttr:
## A mapping of attributes on the user entry to claims.
##
userSearchNameAttr:
## BaseDN to start the search from. For example 'cn=groups,dc=example,dc=com'
##
groupSearchBaseDn:
## Optional filter to apply when searching the directory. For example '(objectClass=posixGroup)'
##
groupSearchFilter:
## Can either be: 'sub' search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
##
groupSearchScope:
## Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is: (<groupAttr>=<userAttr value>)
##
groupSearchUserAttr:
## Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is: (<groupAttr>=<userAttr value>)
##
groupSearchGroupAttr:
## The attribute of the group that represents its name.
##
groupSearchNameAttr:
## Authentication (OAuth2)
##
oauth:
enabled: false
## The auth provider name displayed to users on the login page
##
displayName:
## (Required) Authorization URL
##
authUrl:
## (Required) Token URL
##
tokenUrl:
## UserInfo URL
##
userinfoUrl:
## Any additional scopes that need to be requested during authorization
##
scope:
## The groups key indicates which claim to use to map external groups to Concourse teams.
##
groupsKey:
## CA Certificate
##
useCaCert:
## Skip SSL validation
##
skipSslValidation:
## The user id key indicates which claim to use to map an external user id to a
## Concourse user id.
##
userIdKey: user_id
## The user name key indicates which claim to use to map an external user name to a
## Concourse user name.
##
userNameKey: user_name
## Authentication (OIDC)
oidc:
enabled: false
## The auth provider name displayed to users on the login page
##
displayName:
## (Required) An OIDC issuer URL that will be used to discover provider configuration using the .wellKnown/openid-configuration
##
issuer:
## Any additional scopes that need to be requested during authorization
##
scope:
## The groups key indicates which claim to use to map external groups to Concourse teams.
##
groupsKey:
## CA Certificate
##
useCaCert:
## Skip SSL validation
##
skipSslValidation:
## The user name key indicates which claim to use to map an external user name to a
## Concourse user name.
##
userNameKey: username
tsa:
## Minimum level of logs to see. Possible values: debug, info, error.
##
logLevel: info
## IP address on which to listen for SSH.
##
bindIp: 0.0.0.0
## Port on which to listen for SSH.
##
bindPort: 2222
## IP address on which to listen for the pprof debugger endpoints (default: 127.0.0.1)
##
debugBindIp: 127.0.0.1
## Port on which to listen for TSA pprof server.
##
debugBindPort: 2221
## Path to private key to use for the SSH server.
##
hostKey:
## Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line).
##
authorizedKeys:
## ATC API endpoints to which workers will be registered.
##
atcUrl:
## Path to private key to use when signing tokens in reqests to the ATC during registration.
##
sessionSigningKey:
## Interval on which to heartbeat workers to the ATC.
##
heartbeatInterval: 30s
letsEncrypt:
## Automatically configure TLS certificates via Let's Encrypt/ACME.
##
enabled: false
## URL of the ACME CA directory endpoint.
##
acmeURL:
worker:
## Signal to send to the worker container when shutting down.
## Possible values:
##
## - SIGUSR1: land the worker, and
## - SIGUSR2: retire the worker.
##
## Note.: using SIGUSR2 with persistence enabled implies the use of an
## initContainer that removes any data the existed previously under
## `concourse.worker.workDir` as the action of `retire`ing a worker implies
## that no state comes back with it when re-registering.
##
## Ref: https://concourse-ci.org/concourse-worker.html
## Ref: https://concourse-ci.org/worker-internals.html
##
shutdownSignal: SIGUSR2
## Duration after which the registration should be swapped to another random SSH gateway.
##
rebalanceInterval:
## Duration after which a worker should give up draining forwarded connections on shutdown.
##
connectionDrainTimeout: 1h
## IP address on which to listen for health checking requests.
##
healthcheckBindIp: 0.0.0.0
## Port on which to listen for health checking requests.
##
healthcheckBindPort: 8888
## HTTP timeout for the full duration of health checking.
##
healthcheckTimeout: 5s
## The name to set for the worker during registration. If not specified, the hostname will be used.
##
name:
## A tag to set during registration. Can be specified multiple times.
##
tag:
## The name of the team that this worker will be assigned to.
##
team:
## HTTP proxy endpoint to use for containers.
##
http_proxy:
## HTTPS proxy endpoint to use for containers.
##
https_proxy:
## Blacklist of addresses to skip the proxy when reaching.
##
no_proxy:
## If set, the worker will be immediately removed upon stalling.
##
ephemeral:
## IP address on which to listen for the pprof debugger endpoints.
##
debugBindIp: 127.0.0.1
## Port on which to listen for beacon pprof server.
##
debugBindPort: 7776
## Version of the worker. This is normally baked in to the binary, so this flag is hidden.
##
version:
## Directory in which to place container data.
##
workDir: /concourse-work-dir
## IP address on which to listen for the Garden server.
##
bindIp: 127.0.0.1
## Port on which to listen for the Garden server.
##
bindPort: 7777
## IP used to reach this worker from the ATC nodes.
##
peerIp:
## Interval on which containers and volumes will be garbage collected from the worker.
##
sweepInterval: 30s
## Minimum level of logs to see. Possible options: debug, info, error.
##
logLevel: info
## Maximum number of containers which can be swept in parallel.
##
containerSweeperMaxInFlight: 5
## Maximum number of volumes which can be swept in parallel.
##
volumeSweeperMaxInFlight: 5
tsa:
## TSA host(s) to forward the worker through.
## Only used for worker-only deployments.
## Example:
## hosts:
## - 1.1.1.1:2222
## - 2.2.2.2:2222
##
hosts: []
## File containing a public key to expect from the TSA.
##
publicKey:
## File containing the private key to use when authenticating to the TSA.
##
workerPrivateKey:
## API endpoint of an externally managed Garden server to use instead of
## running the embedded Garden server.
##
externalGardenUrl:
garden:
## Path to the 'gdn' executable (or leave as 'gdn' to find it in $PATH)
##
bin: gdn
## Path to a config file to use for Garden in INI format.
##
## For example, in a ConfigMap:
##
## [server]
## max-containers = 100
##
## For information about the possible values:
## Ref: https://bosh.io/jobs/garden?source=github.com/cloudfoundry/garden-runc-release
##
config:
## Enable a proxy DNS server for Garden
##
dnsProxyEnable:
## Use the insecure Houdini Garden backend.
##
useHoudini:
baggageclaim:
## Minimum level of logs to see. Possible values: debug, info, error
##
logLevel: info
## IP address on which to listen for API traffic.
##
bindIp: 127.0.0.1
## Port on which to listen for API traffic.
##
bindPort: 7788
## IP address on which to listen for the pprof debugger endpoints.
##
debugBindIp: 127.0.0.1
## Port on which to listen for baggageclaim pprof server.
##
debugBindPort: 7787
## Disable remapping of user/group IDs in unprivileged volumes.
##
disableUserNamespaces:
## Directory in which to place volume data.
##
volumes:
## Driver to use for managing volumes.
## Possible values: detect, naive, btrfs, and overlay.
##
driver: naive
## Path to btrfs binary
##
btrfsBin: btrfs
## Path to mkfs.btrfs binary
##
mkfsBin: mkfs.btrfs
## Path to directory in which to store overlay data
##
overlaysDir:
## Interval on which to reap expired volumes.
##
reapInterval: 10s
## Configuration values for Concourse Web components.
## For more information regarding the characteristics of
## Concourse Web nodes, see https://concourse-ci.org/concourse-web.html.
##
web:
## Enable or disable the web component.
## This allows the creation of worker-only releases by setting this to false.
##
enabled: true
## Override the components name (defaults to web).
##
nameOverride:
## Number of replicas.
##
replicas: 1
## Array of extra containers to run alongside the Concourse Web
## container.
##
## Example:
## - name: myapp-container
## image: busybox
## command: ['sh', '-c', 'echo Hello && sleep 3600']
##
sidecarContainers: []
## Configures the liveness probe used to determine if the Web component is up.
## ps.: if you're upgrading Concourse from one version to another, the probe will
## probably fail for some time before migrations are finished - in such situations,
## consider bumping the values set here.
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
livenessProbe:
failureThreshold: 5
initialDelaySeconds: 10
periodSeconds: 15
timeoutSeconds: 3
httpGet:
path: /api/v1/info
port: atc
## Configures the readiness probes.
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
readinessProbe:
httpGet:
path: /api/v1/info
port: atc
## Configure resource requests and limits.
## Ref: https://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
cpu: "100m"
memory: "128Mi"
## Configure additional environment variables for the
## web containers.
## Example:
##
## - name: CONCOURSE_LOG_LEVEL
## value: "debug"
## - name: CONCOURSE_TSA_LOG_LEVEL
## value: "debug"
##
env:
## Where secrets should be mounted for the web container.
##
keySecretsPath: "/concourse-keys"
teamSecretsPath: "/team-authorized-keys"
authSecretsPath: "/concourse-auth"
vaultSecretsPath: "/concourse-vault"
credhubSecretsPath: "/concourse-credhub"
postgresqlSecretsPath: "/concourse-postgresql"
syslogSecretsPath: "/concourse-syslog"
tlsSecretsPath: "/concourse-web-tls"
## Configure additional volumes for the
## web container(s).
##
## Example:
##
## - name: my-team-authorized-keys
## configMap:
## name: my-team-authorized-keys-config
##
## Ref: https://kubernetes.io/docs/concepts/storage/volumes/
##
additionalVolumes: []
## Configure additional volumeMounts for the
## web container(s)
##
## Example:
##
## - name: my-team-authorized-keys
## mountPath: /my-team-authorized-keys
##
## Ref: https://kubernetes.io/docs/concepts/storage/volumes/
##
additionalVolumeMounts:
## Additional affinities to add to the web pods.
##
## Example:
## nodeAffinity:
## preferredDuringSchedulingIgnoredDuringExecution:
## - weight: 50
## preference:
## matchExpressions:
## - key: spot
## operator: NotIn
## values:
## - "true"
##
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
additionalAffinities:
## Additional Labels to be added to the web pods.
##
## Example:
## key1: "value1"
## key2: "value2"
##
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
labels: {}
## Annotations for the web nodes.
##
## Example:
## key1: "value1"
## key2: "value2"
##
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
##
annotations: {}
## Node selector for web nodes.
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
nodeSelector: {}
## Tolerations for the web nodes.
##
## Example:
## - key: "toleration=key"
## operator: "Equal"
## value: "value"
## effect: "NoSchedule"
##
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Strategy for web deployment updates.
##
## Example:
##
## strategy:
## type: RollingUpdate
## rollingUpdate:
## maxSurge: 1
## maxUnavailable: 25%
strategy: {}
## Service configuration.
## Ref: https://kubernetes.io/docs/user-guide/services/
##
service:
## For minikube, set this to ClusterIP, elsewhere use LoadBalancer or NodePort
## Ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
##
type: ClusterIP
## When using `web.service.type: LoadBalancer`, sets the user-specified load balancer IP.
## Example: 172.217.1.174
##
loadBalancerIP:
## Additional Labels to be added to the web service.
##
labels:
## Annotations to be added to the web service.
##
## Example:
##
## prometheus.io/probe: "true"
## prometheus.io/probe_path: "/"
##
## When using `web.service.type: LoadBalancer` in AWS, enable HTTPS with an ACM cert:
##
## service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:123456789:certificate/abc123-abc123-abc123-abc123"
## service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
## service.beta.kubernetes.io/aws-load-balancer-backend-port: "atc"
## service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
##
annotations: {}
## When using `web.service.type: LoadBalancer`, whitelist the load balancer to particular IPs
## Example:
## - 192.168.1.10/32
##
loadBalancerSourceRanges:
## When using `web.service.type: NodePort`, sets the nodePort for atc
##
atcNodePort:
## When using `web.service.type: NodePort`, sets the nodePort for atc tls
##
atcTlsNodePort:
## When using `web.service.type: NodePort`, sets the nodePort for tsa
##
tsaNodePort:
## Ingress configuration.
## Ref: https://kubernetes.io/docs/user-guide/ingress/
##
ingress:
## Enable Ingress.
##
enabled: false
## Annotations to be added to the web ingress.
## Example:
## kubernetes.io/ingress.class: nginx
## kubernetes.io/tls-acme: 'true'
##
annotations: {}
## Hostnames.
## Must be provided if Ingress is enabled.
## Example:
## - concourse.domain.com
##
hosts:
## TLS configuration.
## Secrets must be manually created in the namespace.
## Example:
## - secretName: concourse-web-tls
## hosts:
## - concourse.domain.com
##
tls:
## Configuration values for Concourse Worker components.
## For more information regarding the characteristics of
## Concourse Workers, see https://concourse-ci.org/concourse-worker.html
##
worker:
## Enable or disable the worker component.
## This can allow users to create web only releases by setting this to false
##
enabled: true
## Override the components name (defaults to worker).
##
nameOverride:
## Removes any previous state created in `concourse.worker.workDir`.
##
cleanUpWorkDirOnStart: true
## Number of replicas.
##
replicas: 2
## Array of extra containers to run alongside the Concourse worker
## container.
##
## Example:
##
## - name: myapp-container
## image: busybox
## command: ['sh', '-c', 'echo Hello && sleep 3600']
##
sidecarContainers: []
## Minimum number of workers available after an eviction
## Ref: https://kubernetes.io/docs/admin/disruptions/
##
minAvailable: 1
## Configures the liveness probe used to determine if the Worker component is up.
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
livenessProbe:
failureThreshold: 5
initialDelaySeconds: 10
periodSeconds: 15
timeoutSeconds: 3
httpGet:
path: /
port: worker-hc
## Configures the readiness probes.
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
##
readinessProbe: {}
## Configure resource requests and limits.
## Ref: https://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
cpu: "100m"
memory: "512Mi"
## Configure additional environment variables for the
## worker container(s)
##
## Example:
##
## - name: CONCOURSE_NAME
## value: "anything"
##
env: []
## For managing where secrets should be mounted for worker agents
##
keySecretsPath: "/concourse-keys"
## Configure additional volumeMounts for the
## worker container(s)
##
## Example:
## - name: concourse-baggageclaim
## mountPath: /baggageclaim
##
additionalVolumeMounts: []
## Additional Labels to be added to the worker pods.
##
## Example:
## key1: "value1"
## key2: "value2"
##
## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
labels: {}
## Annotations to be added to the worker pods.
##
## Example:
##
## iam.amazonaws.com/role: arn:aws:iam::123456789012:role/concourse
##
annotations: {}
## Node selector for the worker nodes.
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
##
nodeSelector: {}
## Additional affinities to add to the worker pods.
## Useful if you prefer to run workers on non-spot instances, for example.
##
## Example:
##
## nodeAffinity:
## preferredDuringSchedulingIgnoredDuringExecution:
## - weight: 50
## preference:
## matchExpressions:
## - key: spot
## operator: NotIn
## values:
## - "true"
##
additionalAffinities: {}
## Configure additional volumes for the
## worker container(s).
## Example:
##
## - name: concourse-baggageclaim
## hostPath:
## path: /dev/nvme0n1
## type: BlockDevice
##
##
## As a special exception, this allows taking over the `concourse-work-dir`
## volume (from the default emptyDir) if `persistence.enabled` is false:
##
## additionalVolumes:
## - name: concourse-work-dir
## hostPath:
## path: /mnt/locally-mounted-fast-disk/concourse
## type: DirectoryOrCreate
##
additionalVolumes: []
## Whether the workers should be forced to run on separate nodes.
## This is accomplished by setting their AntiAffinity with requiredDuringSchedulingIgnoredDuringExecution as opposed to preferred
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity-beta-feature
##
hardAntiAffinity: false
## Tolerations for the worker nodes.
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
## For example:
##
## - key: "toleration=key"
## operator: "Equal"
## value: "value"
## effect: "NoSchedule"
##
tolerations: []
## Time to allow the pod to terminate before being forcefully terminated. This should provide time for
## the worker to retire, i.e. drain its tasks. See https://concourse-ci.org/worker-internals.html for worker
## lifecycle semantics.
##
terminationGracePeriodSeconds: 60
## Strategy for StatefulSet updates (requires Kubernetes 1.6+)
## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset
##
updateStrategy: RollingUpdate
## Pod Management strategy (requires Kubernetes 1.7+)
## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
##
## "OrderedReady" is default. "Parallel" means worker pods will launch or terminate
## in parallel.
##
podManagementPolicy: Parallel
## When persistance is disabled this value will be used to limit the emptyDir volume size
## Ref: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
##
## Example: 20Gi
##
emptyDirSize:
## Persistent Volume Storage configuration.
## Ref: https://kubernetes.io/docs/user-guide/persistent-volumes
##
persistence:
## Enable persistence using Persistent Volume Claims.
##
enabled: true
## Worker Persistence configuration.
##
worker:
## concourse data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass:
## Persistent Volume Access Mode.
##
accessMode: ReadWriteOnce
## Persistent Volume Storage Size.
##
size: 20Gi
## Configuration values for the postgresql dependency.
## Ref: https://github.com/helm/charts/blob/master/stable/postgresql/README.md
##
postgresql:
## Use the PostgreSQL chart dependency.
##
## Set to false if bringing your own PostgreSQL, and set the corresponding `secrets`
## fields that correspond to the PostgreSQL variables that `concourse web` should use
## to connect to.
##
## Should be set to false if using the chart as a worker only deployment.
##
enabled: true
### PostgreSQL User to create.
##
postgresqlUsername: concourse
## PostgreSQL Password for the new user.
## If not set, a random 10 characters password will be used.
##
postgresqlPassword: concourse
## PostgreSQL Database to create.
##
postgresqlDatabase: concourse
## Persistent Volume Storage configuration for PostgreSQL.
##
## Ref: https://kubernetes.io/docs/user-guide/persistent-volumes
##
persistence:
## Enable PostgreSQL persistence using Persistent Volume Claims.
##
enabled: true
## Persistent Volume Storage Class to be used by PersistentVolumes created
## for PostgreSQL.
##
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
storageClass:
## Persistent Volume Access Mode.
##
accessModes:
- ReadWriteOnce
## Persistent Volume Storage Size.
##
size: 8Gi
## For Kubernetes RBAC support:
##
rbac:
## Enable the creation of RBAC resources.
##
create: true
## RBAC Version
##
apiVersion: v1beta1
## The name of the service account to use for web pods if rbac.create is false
##
webServiceAccountName: default
## The name of the service account to use for worker pods if rbac.create is false
##
workerServiceAccountName: default
## For managing secrets using Helm
##
secrets:
## Create the secret resource from the following values. Set this to
## false to manage these secrets outside Helm.
##
create: true
## Array of team names and public keys for team external workers.
##
## Example:
## - team: main
## key: |-
## ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYBQ9fG6IML+qsFaMh1Pl+81wyUwRilHdfhItAiAsLVQsOwI5+V4pn5aLhHPBuRQqIqYmbkZ7I1VUIN1+90PVJ3X7l9qqanb85AHMtLujw1j9u0zDyH2XHgpUloknUQzUSLIZjjU3Hn3Uo/XikF+vT8104isO7Ym8Xp7sIcRuvOQ3nuRsFVCRogxpLTVHD/k57rwYVqWWLaKLwvx01ZVXOq4GHk/BVaKa9ODC/dNgbZMfwvVVXuf7/NFGmSMyXb49Si4aoP4Gn7jAX6GngBbm/bgKqO0skQy/ggQm/YVF+s5q4EhleMBLVJKD1VpM5LeLDFpiu/y4bVd8wUcgK+QQ9 Concourse
##
## Make sure to chack the security caveats here: https://concourse-ci.org/teams-caveats.html
## Extra Reads: https://github.com/concourse/concourse/issues/1865#issuecomment-464166994
## https://concourse-ci.org/global-resources.html#complications-with-reusing-containers
##
teamAuthorizedKeys:
## List of `username:password` or `username:bcrypted_password` combinations for all your local concourse users.
##
localUsers: "test:test"
## The TLS certificate and private key for the web component to be able to terminate
## TLS connections.
##
webTlsCert:
webTlsKey:
## Concourse Host Keys.
## Ref: https://concourse-ci.org/install.html#generating-keys
##
hostKey: |-
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA2AUPXxuiDC/qrBWjIdT5fvNcMlMEYpR3X4SLQIgLC1ULDsCO
fleKZ+Wi4RzwbkUKiKmJm5GeyNVVCDdfvdD1Sd1+5faqmp2/OQBzLS7o8NY/btMw
8h9lx4KVJaJJ1EM1EiyGY41Nx591KP14pBfr0/NdOIrDu2JvF6e7CHEbrzkN57kb
BVQkaIMaS01Rw/5Oe68GFalli2ii8L8dNWVVzquBh5PwVWimvTgwv3TYG2TH8L1V
V7n+/zRRpkjMl2+PUouGqD+Bp+4wF+hp4AW5v24CqjtLJEMv4IEJv2FRfrOauBIZ
XjAS1SSg9VaTOS3iwxaYrv8uG1XfMFHICvkEPQIDAQABAoIBAG87W8jrX6vK2Jm3
ooJ/OeFmymiXWsCwFi+2/kVCR/2T0tfLyxO/W+NX2WD1F9CP+HaaZeMXPp3HS7up
V8FT4ZohVYBwXTS0WYyucKApcYThrVQRpzhldnEfClGQmVeVK7Sp/KEyV4Sc1SVA
L2i/cI142N2Ohm7spquVkLcuFsVINzZ0fXCv25dTqbkEgjTJzNdBzyFXvc4z0Mt9
gW14M7mz+YKYOfsCxIEm438fC9b16C96yIFBdN+/jaP8pmb2RoIE2D0F8bj5K1hR
YyGFKMOU4e6cYq59iWfubKuu2WNJEBk/5aO7x7Xu2S0k8wIYlwxFuu4LfR2Kvizu
+mFVf3kCgYEA9e0+40tJGpOPM8hAB3DwXjYc8lCuyYf3z30T3RqVNCUVSWnlaj/s
3ENi6+Ng3u+Zs8cR2CFou+jAClTyWLuSnI9yACD0eyW9n4bzYMUbgdC6vneLjpzx
wWR9Xv5RmZVly7xWuqcgEeEf8RNcYI3oXby0laF3EObvuAx/4ETIkFcCgYEA4N42
w1UEWGopWBIIXYHkEPHQuF0SxR2CZyh9ExTeSxFphyibkcHRjDW+t91ZLnSm5k1N
TOdYuc0ApBV3U+TexeFvDI94L/Oze6Ht5MatRQz8kRwMFGJL3TrpbgTmWdfG05Ad
oiScJzwY16oJXnKusxik7V+gCCNNE0/2UuMnY4sCgYAEf82pvOPef5qcGOrK+A79
ukG3UTCRcVJgUmp9nhHivVbxW+WdlwPPV9BEfol0KrAGMPsrmBjhbzWsOregVfYt
tRYh2HiAlEUu2Po06AZDzrzL5UYBWu+1WRBOH5sAk1IkcxKnIY2dph++elszTQVW
SbCIGEckYQU7ucbRJJECywKBgBb4vHFx8vKxTa3wkagzx7+vZFohL/SxEgxFx5k2
bYsPqU8kZ9gZC7YeG3CfDShAxHgMd5QeoiLA/YrFop4QaG2gnP6UfXuwkqpTnYDc
hwDh1b9hNR6z9/oOtaAGoh2VfHtKYqyYvtcHPaZyeWiLoKstHlQdi7SpHouVhJ1t
FS4HAoGAGy+56+zvdROjJy9A2Mn/4BvWrsu4RSQILBJ6Hb4TpF46p2fn0rwqyhOj
Occs+xkdEsI9w5phXzIEeOq2LqvWHDPxtdLpxOrrmx4AftAWdM8S1+OqTpzHihK1
y1ZOrWfvON+XjWFFAEej/CpQZkNUkTzjTtSC0dnfAveZlasQHdI=
-----END RSA PRIVATE KEY-----
hostKeyPub: |-
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYBQ9fG6IML+qsFaMh1Pl+81wyUwRilHdfhItAiAsLVQsOwI5+V4pn5aLhHPBuRQqIqYmbkZ7I1VUIN1+90PVJ3X7l9qqanb85AHMtLujw1j9u0zDyH2XHgpUloknUQzUSLIZjjU3Hn3Uo/XikF+vT8104isO7Ym8Xp7sIcRuvOQ3nuRsFVCRogxpLTVHD/k57rwYVqWWLaKLwvx01ZVXOq4GHk/BVaKa9ODC/dNgbZMfwvVVXuf7/NFGmSMyXb49Si4aoP4Gn7jAX6GngBbm/bgKqO0skQy/ggQm/YVF+s5q4EhleMBLVJKD1VpM5LeLDFpiu/y4bVd8wUcgK+QQ9 Concourse
## Concourse Session Signing Keys.
## Ref: https://concourse-ci.org/install.html#generating-keys
##
sessionSigningKey: |-
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwLql/rUIaI+PX7Tl3FWcTee4sQf8/daakALXx955tPwkhqlY
e4T2V84p/ylFvNWpM4vfcMYKfMY0JLKgAgBvJhCytSkDBhTBoWmN6yE0AB11P9En
lIZRBWNYqaC2cSge2ZD8qOSnwfFhnQAW8+7pE+ElJAVh7dtdF3A478H50lIigq8I
zMWp2EGJpFC7/Uu36oIL/03MNGCmrH1jvtTuJiAMQUZYyL1ReBkvvHOzw9i4HXPy
SMVtcllm4NBs2aVPtwhr2kwSkLt8t1bPdRn6OIyEAw5WktzAKaiZnkTvj6g3xzdp
zKcrdlBr9aznlNvoSinBUfvtwyFmvFN1HHbA9wIDAQABAoIBAE7G/DrUfI9gvtX7
90jMpYsigFe8UCjho2PiBZlo0o6r0bJJXiV+/8J8PqZRlHPPUc4EClzqVjcSPRYS
/VxUGRqSELoD/Xxq14rGvn+xnrO9VsOzFl6bWFq/dOpBCtHN+G4t2VifvgKES8YE
11z19sdta+UBXjn/RFnkQSGfRCI3QqTaYvjxevt0uWlyPmqkFPQQw8bvHIXzoB+B
rzeiMa++nMvbX5pAH9XA0BvhyuH3fHidTUwiVBpkMcpLWtjP0A0JTsecDdbinDDq
un2EIo8zMWRwKQN/JnUxsi8AUEigBTCUqeDgREXtW62uvFkSpcVMXwmVityLYIVy
qnVLUCECgYEA6IwXkP1qnSfcNeoVI/ypDuz1/kdqcjSPhLYe+jdiLLoFkMW9AlDm
lzwNaWlTFD9ygo+NjJCo63/A8HCm55sajws5hZ6r20vdZcKFMk9h0qF5oVA7lkQ2
gvG2WaznuU7KkqhfP+pXhiLgZKoJkst/+g7r6uHpredwDY6hxeBK4vsCgYEA1CqH
8ywC5qUo/36kQg/TU2adN/YEHdJAAbU23EVrGQSVmnXW08H2NLFk0tsxrwoNnbgp
PIk2J7BimbJvbND17ibr4GAklDTsR8aJkDl+0JgNCAK9N07qVt1s7FXzhg95jUL9
EQW55z60GAJpecqNwA4Jsa8P852N0355Obp92TUCgYBkOBvf7JcJ66fHxH4f6D+j
oxPQ5k5Fsck4VJS9GSlCRVkor09ptBvsiYDuMOoRC9b51YwXTDDAbWplNOd5YSrt
AtVjdKJz/BoKRO7KY9Owxs54au+DLxqfDDSeKRokjoRW+CE0lnXp5RX3zCAcF3+r
8MpTi9D9lYSBEzs84BDmCQKBgQCMcH6/K3HcJJVn0fd+tyUGftUw9sswxjySJNbk
pZrH263/qWMDls+Xf5kire9MU1ZCAWZiaN0NFoed/2wcVpGEDAV0548u/30r4bKr
YjOcdhmiJNYFJ1qdF0MDib2CDvpB1IbZXrX46RujDO2urbJ435HxKNVhR/had8xc
tyKYxQKBgCVDhN0MhnlUQJVZfX42APmF4gQg0r3sfL/NGXjEjMIKKFe5a88eZVHr
L8x1+dp0q7czC8a/l1DUuiwDKl8OEpxLsGCq/J/wAfrSMPifu6EUlbUwlJOPdgha
+p/KFAelHXJ2w/8yackAcarh35VP7ixhuvxswHNdgvfsBTFcjn30
-----END RSA PRIVATE KEY-----
## Concourse Worker Keys.
## Ref: https://concourse-ci.org/install.html#generating-keys
##
workerKey: |-
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAuPehUmBXAQCoA7TLAQCYhf+vzcZVyj+VGXnMhLHnWLk7dRjo
CU8GgNamdS5h7G3ywxOvKA3YjOLr8XyOMLS4c+e8N7tIzlMWdiXhe0lcBH9Z1ai5
+Bof3/BlDUBksiKdc1A+QcfX6tDwMkOO5re1H4vOK3H/Cype58wCB03HYNgb05ED
fW1Bj2qvz29VtmyjwEMuDs100iMqwCfPUx9oxXmmX8sUBRmw/Y1Rx/8pdKIjKw3m
kWIHHBOSCPimO1qC47Aa8v/UH9hERCykyuFHiBiKlnIvZWm9bYvhsRTz4gt5KzRY
6OI0oVeHlLOHDSK48Da8VWij15lOqO2Nx6WssQIDAQABAoIBADET22UNFOi6MNpS
5S5N5ypezlnOD0NLnZcV3zMyNQ0wkNsgEakuo64Zxi7/cJIYFjq2hVoeWl//cdUw
VFYODYcLbMBo3AeKukH9CRf6PgUfeUmcrENtQxnbIiTi+hTd5GMNXod7rAmtCJ59
mHQVOGS3ZqvWYnKm+mmMktk3RPinynX/A4y3WHPacuAS58HM09Ck43WcHMxbGpsL
/gZpICyFYZ2DviM+AHyWGcmw7LJrpC0QHo6+BAFMs4xlUecNgVIFUpfOoAcfsdtG
K9j4AbuZ47iFisbay+1pyg/7O5eRTdGVQRtc7PBMOjea5jGsfmlDmdn1ZS50ykun
ANfoQ5UCgYEA9Ak73PRy9nLlRkt4OBCF/4fwThUCMedsnWaVjQBMJYim4FB2ivF5
cKdWt3y/RZI85KKYu0EXhLEoSIEAfz057R8t3QdVK4tZx6B47UFjBjCYeVMtwHDQ
prxQiOPHIHCplBNFuGzA5VXL9gQLRD+ek0uOy2GJJ0Wu1xyeouI+SW8CgYEAwgkO
TOtOogqmcAALjWgeeQiZetflSKbJlpQNhmCPAMm0SFI8eF4SpRXLzd41VC2mLIwT
L3tjc7/8ocXoElFM4L0fo9Lx/SHFH4JEn5FT0PXPmvsF2JRhsXJFLJSihxF/91Xs
2aBcQILPFzLcrI6OFUakNwGTU/CIxpkzRvQrG98CgYEAzNVnUuo4CNadzagRK3Xr
E3Yl5VRK+FpY17FAfA6w25xc/dFr/un61e0Po4no/ltmEz7LVfmn5O/ScTEemq5o
jbjrBShfe+JGpIH0nqiQlqR5hvSjZXEMIbfVHWGbRYZrQGgA0HEwZA7k2QXB8zI3
R0lXfSzMM5OQ0uwp12xxfa8CgYBHILq1R6zTicPpWprhg0FobNaWSX4rW7iaEjvC
/rJtP4Nu33Z7SUDcc1j6ZnJ2ISXBPrfpt/mE/OPHCZ1A2bysxadLjpBWkoKIQmCV
fdiTyQgJb+t8sSf+vDzPUs0hZjDaogzo2ff3TfxMLMDoIHnFItgfsdwn8QyygIZj
hC4pUQKBgQDqsxnkI6yXFE5gshnW7H8zqKNlzKd/dZEL6e+lRz4R3UY/KcEkRAfq
Yi3cwo9fE3U3kSmpl5MQwUjWm/BZ7JyueoY/4ndwaFPgc34IKsgJ0wau9pZiQAB1
DxpOSF+BR71Jx3sxvIdCODNTtm645j5yrZVnJAuMPofo5XFmunDoJA==
-----END RSA PRIVATE KEY-----
workerKeyPub: |-
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC496FSYFcBAKgDtMsBAJiF/6/NxlXKP5UZecyEsedYuTt1GOgJTwaA1qZ1LmHsbfLDE68oDdiM4uvxfI4wtLhz57w3u0jOUxZ2JeF7SVwEf1nVqLn4Gh/f8GUNQGSyIp1zUD5Bx9fq0PAyQ47mt7Ufi84rcf8LKl7nzAIHTcdg2BvTkQN9bUGPaq/Pb1W2bKPAQy4OzXTSIyrAJ89TH2jFeaZfyxQFGbD9jVHH/yl0oiMrDeaRYgccE5II+KY7WoLjsBry/9Qf2ERELKTK4UeIGIqWci9lab1ti+GxFPPiC3krNFjo4jShV4eUs4cNIrjwNrxVaKPXmU6o7Y3Hpayx Concourse
## Secrets for DB access
##
postgresUser:
postgresPassword:
postgresCaCert:
postgresClientCert:
postgresClientKey:
## Secrets for DB encryption
##
encryptionKey:
oldEncryptionKey:
## Secrets for SSM AWS access
##
awsSsmAccessKey:
awsSsmSecretKey:
awsSsmSessionToken:
## Secrets for Secrets Manager AWS access
##
awsSecretsmanagerAccessKey:
awsSecretsmanagerSecretKey:
awsSecretsmanagerSessionToken:
## Secrets for using CredHub as a credential manager.
##
## Value of PEM-encoded CA cert file to use to verify the CredHub server SSL cert.
##
credhubCaCert:
## Client ID for CredHub authorization.
##
credhubClientId:
## Client secret for CredHub authorization.
##
credhubClientSecret:
## Client cert for Credhub authorization
##
credhubClientCert:
## Client key for Credhub authorization
##
credhubClientKey:
## Secrets for CF OAuth
##
cfClientId:
cfClientSecret:
cfCaCert:
## Secrets for BitbucketCloud OAuth.
##
bitbucketCloudClientId:
bitbucketCloudClientSecret:
## Secrets for GitHub OAuth.
##
githubClientId:
githubClientSecret:
githubCaCert:
## Secrets for GitLab OAuth.
##
gitlabClientId:
gitlabClientSecret:
## Secrets for LDAP Auth.
##
ldapCaCert:
## Secrets for generic OAuth.
##
oauthClientId:
oauthClientSecret:
oauthCaCert:
## Secrets for oidc OAuth.
##
oidcClientId:
oidcClientSecret:
oidcCaCert:
## Secrets for using Hashcorp Vault as a credential manager.
##
## if the Vault server is using a self-signed certificate, provide the CA public key.
## the value will be written to /concourse-vault/ca.cert
##
vaultCaCert:
## initial periodic token issued for concourse
## Ref: https://www.vaultproject.io/docs/concepts/tokens.html#periodic-tokens
##
vaultClientToken:
## vault authentication parameters
## Parameter to pass when logging in via the backend
## Required for "approle" authenication method
## e.g. "role_id:x,secret_id:x"
## Ref: https://concourse-ci.org/vault-credential-manager.html#vault-approle-auth
##
vaultAuthParam:
## provide the client certificate for authenticating with the [TLS](https://www.vaultproject.io/docs/auth/cert.html) backend
## the value will be written to /concourse-vault/client.cert
## make sure to also set credentialManager.vault.authBackend to `cert`
##
vaultClientCert:
## provide the client key for authenticating with the [TLS](https://www.vaultproject.io/docs/auth/cert.html) backend
## the value will be written to /concourse-vault/client.key
## make sure to also set credentialManager.vault.authBackend to `cert`
##
vaultClientKey:
## If influxdb metrics are enabled and authentication is required,
## provide a password here to authenticate with the influxdb server configured.
##
influxdbPassword:
## SSL certificate used to verify the Syslog server for draining build logs.
##
syslogCaCert: