Skip to content

atc job from concourse/3.10.0

The ATC (Air Traffic Controller) provides UI and API access. It is responsible for scheduling builds and detecting versions of your resources.

Github source: 90627b1 or master branch

Properties

auth_duration

Length of time for which tokens are valid. Afterwards, users will have to log back in. Use Go duration format (48h = 48 hours).

Default
24h

aws_ssm

access_key

AWS Access key ID used as credentials for accessing SSM parameters.

pipeline_secret_template

AWS SSM parameter name template used to resolve pipeline specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.

Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

region

AWS region to use for fetching SSM parameters.

secret_key

AWS Secret Access Key used as credentials for accessing SSM parameters.

session_token

AWS Session Token used as credentials for accessing SSM parameters.

team_secret_template

AWS SSM parameter name template used to resolve team specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names. names.

Default
/concourse/{{.Team}}/{{.Secret}}

baggageclaim_response_header_timeout

How long to wait for Baggageclaim to send the response header. Use Go duration format (1m = 1 minute).

Default
1m

basic_auth_password

Password for HTTP basic auth, in plaintext.

Default
""

basic_auth_username

Username for HTTP basic auth.

Default
""

bind_ip

IP address on which the ATC should listen for HTTP traffic.

Default
0.0.0.0

bind_port

Port on which the ATC should listen for HTTP traffic.

Default
8080

build_tracker_interval

The interval, in Go duration format (1m = 1 minute), on which to run build tracking to keep track of build status.

Default
10s

container_placement_strategy

Method by which a worker is selected during container placement.

Options are “volume-locality” and “random”.

Default
volume-locality

credhub

client_id

Client ID for CredHub authorization.

client_secret

Client secret for CredHub authorization.

path_prefix

Path under which to namespace team/pipeline credentials.

Default
/concourse

tls

ca_cert

A PEM-encoded CA cert to use to verify the Credhub server SSL cert.

client_cert

Client certificate for CredHub mutual TLS auth.

insecure_skip_verify

Enable insecure SSL verification.

Default
false

url

CredHub server address used to access secrets.

Example
https://credhub-server:9000

default_check_interval

The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources.

This can also be specified on a per-resource basis by specifying check_every on the resource config.

Default
1m

encryption_key

The 16 or 32 byte AES key to use for encrypting sensitive information in the database.

If specified, all existing data will be encrypted on start and any new data will be encrypted.

external_url

Externally reachable URL of the ATCs. Required for OAuth. This will be auto-generated using the IP of each ATC VM if not specified, however this is only a reasonable default if you have a single instance.

Typically this is the URL that you as a user would use to reach your CI. For multiple ATCs it would go to some sort of load balancer.

Example
https://ci.concourse-ci.org

gc_interval

The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.

Default
30s

generic_oauth

auth_url

Generic OAuth provider authorization endpoint url.

Default
""

auth_url_params

List Parameter to pass to the authentication server authorization url.

Default
{}
Example
param1: value1
param2: value2

client_id

Application client ID for enabling generic OAuth.

Default
""

client_secret

Application client secret for enabling generic OAuth.

Default
""

display_name

Name of the authentication method to be displayed on the Web UI

Default
""

scope

OAuth scope required for users who will have access.

Default
""

token_url

Generic OAuth provider token endpoint URL.

Default
""

github_auth

api_url

Override default API endpoint URL for Github Enterprise. Must end in a trailing slash.

Example
https://github.example.com/api/v3/

auth_url

Override default OAuth endpoint for Github Enterprise.

Example
https://github.example.com/login/oauth/authorize

authorize

An array of different criteria to check for when authorizing a GitHub user. If empty, GitHub authorization is effectively disabled.

Default
[]
Example
- organization: org1
  teams: all
- organization: org2
  teams:
  - Team 1
  - Team 2
- user: user1
- user: user2

client_id

GitHub client ID to use for OAuth.

The application must be configured with its callback URL as {external_url}/auth/github/callback (replacing {external_url} with the actual value).

Default
""

client_secret

GitHub client secret to use for OAuth.

The application must be configured with its callback URL as {external_url}/auth/github/callback (replacing {external_url} with the actual value).

Default
""

token_url

Override default access token endpoint for Github Enterprise.

Example
https://github.example.com/login/oauth/access_token

influxdb

database

InfluxDB database to which metrics will be emitted.

Default
""

insecure_skip_verify

Skip SSL verification when emitting to InfluxDB.

Default
false

password

InfluxDB password for authorizing access.

Default
""

url

If configured, detailed metrics will be emitted to the specified InfluxDB server.

username

InfluxDB username for authorizing access.

Default
""

intercept_idle_timeout

Length of time for a intercepted session to be idle before terminating, in Go duration format.

Example
5m

log_db_queries

Log database queries. Log level is debug, so you’ll need to set the log_level property as well. This is mainly useful for Concourse developers to analyze query counts.

Default
false

log_level

The log level for the ATC. When set to debug, you’ll see a lot more information about scheduling, resource scanning, etc., but it’ll be quite chatty.

Default
info

no_really_i_dont_want_any_auth

A safeguard to prevent accidentally forgetting to configure auth. Set this to true if you really don’t want auth configured. This will leave your Concourse wide open and writable.

Default
false

old_encryption_key

The key used previously to encrypt sensitive information in the database.

To rotate your encryption key, set both old_encryption_key and encryption_key. This will result in the ATC re-encrypting all data on start.

To disable encryption, specify old_encryption_key and do not set encryption_key. This will result in the ATC decrypting all data on start, restoring it to plaintext.

peer_url

Address used internally to reach the ATC. This will be auto-generated using the IP of each ATC VM if not specified.

Note that this refers to an individual ATC, not the whole cluster. This property is only useful if you’re deploying in a way that cannot autodetect its own IP, e.g. a bosh-init deployment.

You should otherwise leave this value blank.

postgresql

address

Deprecated. Shorthand for specifying postgresql.host and postgresql.port.

ca_cert

CA certificate to verify the server against.

client_cert

Client certificate to use when connecting with the server.

connect_timeout

Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.

Default
5m

database

Name of the database to use.

Default
atc

host

IP address or DNS name of a PostgreSQL server to connect to.

If not specified, one will be autodiscovered via BOSH links.

port

Port on which to connect to the server specified by postgresql.host.

If postgresql.host is not specified, this will be autodiscovered via BOSH links, along with the host.

Default
5432

role

name

Name of role to connect with.

Default
atc
password

Password to use when connecting.

sslmode

Whether or not to use SSL. Defaults to verify-ca when postgresql.address or postgresql.host is provided. Otherwise, defaults to disable.

postgresql_database

Name of the database to use from the postgresql link.

prometheus

bind_ip

If configured, expose Prometheus metrics at specified address

bind_port

If configured, expose Prometheus metrics at specified port

resource_cache_cleanup_interval

The interval, in Go duration format (1m = 1 minute), on which to check for and release old caches of resource versions.

Default
30s

riemann

host

If configured, detailed metrics will be emitted to the specified Riemann server.

Default
""

port

Port of the Riemann server to emit events to.

Default
5555

service_prefix

An optional prefix for emitted Riemann services

Default
""

tags

An optional map of tags in key: value format

Default
{}
Example
env: dev
foo: bar

tls_bind_port

Port on which the ATC should listen for HTTPS traffic.

Default
4443

tls_cert

SSL cert to use for HTTPS.

If not specified, only HTTP will be enabled.

tls_key

SSL private key to use for encrypting HTTPS traffic.

If not specified, only HTTP will be enabled.

token_signing_key

PEM RSA private key used for minting ATC tokens.

Example
private_key: |+
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
public_key: |+
  -----BEGIN PUBLIC KEY-----
  ...
  -----END PUBLIC KEY-----

uaa_auth

auth_url

UAA authorization endpoint url to use for OAuth.

Default
""

cf_api_url

Cloud Foundry api endpoint url.

Default
""

cf_ca_cert

Cloud Foundry CA Certificate.

Default
""

cf_spaces

List of space GUIDs for Cloud Foundry spaces whose developers will have access.

Default
[]

client_id

UAA client ID to use for OAuth.

Default
""

client_secret

UAA client secret to use for OAuth.

Default
""

token_url

UAA token endpoint url to use for OAuth.

Default
""

vault

auth

backend

Auth backend to use for logging in to Vault.

Default
""
client_token

Client token to use for accessing your Vault server.

Default
""
params

Key-value parameters to provide when logging in with the backend.

Default
{}
Example
role_id: abc123
secret_id: def456

path_prefix

Path under which to namespace team/pipeline credentials.

Default
/concourse

tls

ca_cert

A PEM-encoded CA cert to use to verify the Vault server SSL cert.

client_cert

Client certificate for Vault TLS auth.

insecure_skip_verify

Enable insecure SSL verification.

Default
false
server_name

If set, is used to set the SNI host when connecting via TLS.

Default
""

url

Vault server URL to use for parameterizing credentials.

x_frame_options

The value to set for X-Frame-Options.

If omitted, the header is not set.

Default
""

yeller

api_key

If configured, errors emitted to the logs will also be emitted to Yeller. This is only really useful for Concourse developers.

Default
""

environment_name

Environment name to specify for errors emitted to Yeller.

Default
""

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/atc/ directory (learn more).

  • bin/atc_ctl (from atc_ctl.erb)
  • bin/experimental_downgrade_db (from downgrade_db.erb)
  • config/cf_ca_cert (from cf_ca_cert.erb)
  • config/credhub_ca_cert (from credhub_ca_cert.erb)
  • config/credhub_client_cert (from credhub_client_cert.erb)
  • config/credhub_client_key (from credhub_client_key.erb)
  • config/postgres_ca_cert (from postgres_ca_cert.erb)
  • config/postgres_client_cert (from postgres_client_cert.erb)
  • config/postgres_client_key (from postgres_client_key.erb)
  • config/tls_cert (from tls_cert.erb)
  • config/tls_key (from tls_key.erb)
  • config/token_signing_key (from token_signing_key.erb)
  • config/vault_ca_cert (from vault_ca_cert.erb)
  • config/vault_client_cert (from vault_client_cert.erb)
  • config/vault_client_key (from vault_client_key.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.