atc job from concourse/4.2.3
The ATC (Air Traffic Controller) provides UI and API access. It is responsible for scheduling builds and detecting versions of your resources.
Github source:
bcd4251
or
master branch
Properties¶
add_local_users
¶
List of local concourse users to add with their bcrypted passwords. bcrypted password must have a strength of 10 or higher or the user will not be able to login
- Default
[]
- Example
-
- some-user:$2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu - some-other-user:$2a$10$.YIYH.5EWQcCvfE49xH/.OhIhGFiNtn.tQq.4pznpcrqZvoLxuKeC
auth_duration
¶
Length of time for which tokens are valid. Afterwards, users will have to log back in. Use Go duration format (48h = 48 hours).
- Default
24h
aws_secretsmanager
¶
access_key
¶AWS Access key ID used as credentials for accessing SecretsManager.
pipeline_secret_template
¶AWS SecretsManager secret name template used to resolve pipeline specific secrets.
- Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
region
¶AWS region to use for fetching entries from SecretsManager.
secret_key
¶AWS Secret Access Key used as credentials for accessing SecretsManager.
session_token
¶AWS Session Token used as credentials for accessing SecretsManager.
team_secret_template
¶AWS SecretsManager secret name template used to resolve team specific secrets.
- Default
/concourse/{{.Team}}/{{.Secret}}
aws_ssm
¶
access_key
¶AWS Access key ID used as credentials for accessing SSM parameters.
pipeline_secret_template
¶AWS SSM parameter name template used to resolve pipeline specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.
- Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
region
¶AWS region to use for fetching SSM parameters.
secret_key
¶AWS Secret Access Key used as credentials for accessing SSM parameters.
session_token
¶AWS Session Token used as credentials for accessing SSM parameters.
team_secret_template
¶AWS SSM parameter name template used to resolve team specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names. names.
- Default
/concourse/{{.Team}}/{{.Secret}}
baggageclaim_response_header_timeout
¶
How long to wait for Baggageclaim to send the response header. Use Go duration format (1m = 1 minute).
- Default
1m
bind_ip
¶
IP address on which the ATC should listen for HTTP traffic.
- Default
0.0.0.0
bind_port
¶
Port on which the ATC should listen for HTTP traffic.
- Default
8080
build_log_retention
¶
default
¶Default (can be overriden by job) number of build logs to retain, 0 (or not set) means retain all (database will grow indefinitely).
- Example
100
maximum
¶If set, this will cap the maximum number of build logs to retain for any job, capping any value set in a job itself or the build_log_retention.default. 0 (or not set) means no maximum is specified.
- Example
1000
build_tracker_interval
¶
The interval, in Go duration format (1m = 1 minute), on which to run build tracking to keep track of build status.
- Default
10s
cf_auth
¶
api_url
¶Cloud Foundry api endpoint url.
- Default
""
ca_cert
¶Cloud Foundry CA Certificate.
client_id
¶UAA client ID to use for OAuth.
- Default
""
client_secret
¶UAA client secret to use for OAuth.
- Default
""
container_placement_strategy
¶
Method by which a worker is selected during container placement.
Options are “volume-locality” and “random”.
- Default
volume-locality
cookie_secure
¶
Set secure flag on auth cookies
- Default
false
credhub
¶
client_id
¶Client ID for CredHub authorization.
client_secret
¶Client secret for CredHub authorization.
path_prefix
¶Path under which to namespace team/pipeline credentials.
- Default
/concourse
tls
¶
ca_cert
¶A PEM-encoded CA cert to use to verify the Credhub server SSL cert.
client_cert
¶Client certificate for CredHub mutual TLS auth.
insecure_skip_verify
¶Enable insecure SSL verification.
- Default
false
url
¶CredHub server address used to access secrets.
- Example
https://credhub-server:9000
datadog
¶
agent_host
¶If configured, detailed metrics will be emitted to the specified Datadog Agent’s dogstatsd server.
agent_port
¶Port of the Datadog Agent’s dogstatsd server to emit events to.
- Default
8125
prefix
¶An optional prefix for emitted Datadog events.
default_check_interval
¶
The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources.
This can also be specified on a per-resource basis by specifying
check_every
on the resource config.
- Default
1m
default_resource_type_check_interval
¶
The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resource types.
This can also be specified on a per-resource_type basis by specifying
check_every
on the resource type config.
- Default
1m
default_task_cpu_limit
¶
Default limit for cpu shares used per task. This can be overridden by specifying a different limit in the task yaml.
- Example
-
256
default_task_memory_limit
¶
Default limit for memory used per task. This can be overridden by specifying a different limit in the task yaml.
- Example
-
200mb
encryption_key
¶
A 16 or 32 byte passphrase. This is used to generate an AES key to encrypt sensitive iinformation in the database.
If specified, all existing data will be encrypted on start and any new data will be encrypted.
external_url
¶
Externally reachable URL of the ATCs. Required for OAuth. This will be auto-generated using the IP of each ATC VM if not specified, however this is only a reasonable default if you have a single instance.
Typically this is the URL that you as a user would use to reach your CI. For multiple ATCs it would go to some sort of load balancer.
- Example
-
https://ci.concourse-ci.org
gc_interval
¶
The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.
- Default
30s
generic_oauth
¶
auth_url
¶Generic OAuth provider authorization endpoint url.
- Default
""
ca_cert
¶The CA certificate for the Generic OAuth provider’s endpoints.
client_id
¶Application client ID for enabling generic OAuth.
- Default
""
client_secret
¶Application client secret for enabling generic OAuth.
- Default
""
display_name
¶Name of the authentication method to be displayed on the Web UI
- Default
""
groups_key
¶Groups claim key used to map groups from the OAuth userinfo/token
- Default
""
scopes
¶OAuth scopes to request during authorization.
- Default
[]
token_url
¶Generic OAuth provider token endpoint URL.
- Default
""
userinfo_url
¶Generic OAuth provider user info endpoint URL.
- Default
""
generic_oidc
¶
ca_cert
¶The CA certificate for the Generic OIDC provider’s endpoints.
client_id
¶Application client ID for enabling generic OIDC.
- Default
""
client_secret
¶Application client secret for enabling generic OIDC.
- Default
""
display_name
¶Name of the authentication method to be displayed on the Web UI
- Default
""
groups_key
¶Groups claim key used to map groups from the OIDC userinfo/token
- Default
""
issuer
¶Generic OIDC provider issuer url.
- Default
""
scopes
¶OIDC scopes to request during authorization.
- Default
[]
github_auth
¶
ca_cert
¶GitHub Enterprise CA Certificate.
client_id
¶GitHub client ID to use for OAuth.
The application must be configured with its callback URL as
{external_url}/sky/issuer/callback
(replacing{external_url}
with the actual value).
- Default
""
client_secret
¶GitHub client secret to use for OAuth.
The application must be configured with its callback URL as
{external_url}/sky/issuer/callback
(replacing{external_url}
with the actual value).
- Default
""
host
¶Override default hostname for Github Enterprise. (No scheme, No trailing slash)
- Default
""- Example
github.example.com
influxdb
¶
database
¶InfluxDB database to which metrics will be emitted.
- Default
""
insecure_skip_verify
¶Skip SSL verification when emitting to InfluxDB.
- Default
false
password
¶InfluxDB password for authorizing access.
- Default
""
url
¶If configured, detailed metrics will be emitted to the specified InfluxDB server.
username
¶InfluxDB username for authorizing access.
- Default
""
intercept_idle_timeout
¶
Length of time for a intercepted session to be idle before terminating, in Go duration format.
- Example
-
5m
ldap_auth
¶
bind_dn
¶Bind DN for searching LDAP users and groups. Typically this is a read-only user.
- Default
""
bind_pw
¶Bind Password for the user specified by ‘bind-dn’.
- Default
""
ca_cert
¶The CA certificate for the LDAP auth provider’s endpoints.
group_search_base_dn
¶BaseDN to start the search from. For example ‘cn=groups,dc=example,dc=com’.
- Default
""
group_search_filter
¶Optional filter to apply when searching the directory. For example ‘(objectClass=posixGroup)’.
- Default
""
group_search_group_attr
¶Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=)
- Default
""
group_search_name_attr
¶The attribute of the group that represents its name.
- Default
""
group_search_scope
¶Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.
- Default
""
group_search_user_attr
¶Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=).
- Default
""
host
¶The host and optional port of the LDAP server. If port isn’t supplied, it will be guessed based on the TLS configuration. 389 or 636.
- Default
""
insecure_no_ssl
¶Required if LDAP host does not use TLS.
- Default
false
insecure_skip_verify
¶Skip certificate verification.
- Default
false
start_tls
¶Start on insecure port, then negotiate TLS.
- Default
false
user_search_base_dn
¶BaseDN to start the search from. For example ‘cn=users,dc=example,dc=com’.
- Default
""
user_search_email_attr
¶A mapping of attributes on the user entry to claims. Defaults to ‘mail’ if empty.
- Default
""
user_search_filter
¶Optional filter to apply when searching the directory. For example ‘(objectClass=person)’.
- Default
""
user_search_id_attr
¶A mapping of attributes on the user entry to claims. Defaults to ‘uid’ if empty.
- Default
""
user_search_name_attr
¶A mapping of attributes on the user entry to claims.
- Default
""
user_search_scope
¶Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.
- Default
""
user_search_username
¶Attribute to match against the inputted username. This will be translated and combined with the other filter as ‘(=)‘.
- Default
""
log_db_queries
¶
Log database queries. Log level is debug, so you’ll need to set the log_level property as well. This is mainly useful for Concourse developers to analyze query counts.
- Default
false
log_level
¶
The log level for the ATC. When set to debug, you’ll see a lot more information about scheduling, resource scanning, etc., but it’ll be quite chatty.
- Default
info
main_team
¶
auth
¶
allow_all_users
¶Whitelist all authenticated users for the main team.
- Default
false
cf
¶
orgs
¶List of CloudFoundry Orgs that are authorized for the main team
- Default
[]- Example
- myorg
spaces
¶List of CloudFoundry Spaces that are authorized for the main team
- Default
[]- Example
- myorg:myspace
users
¶List of CloudFoundry userids/usernames that are authorized for the main team
- Default
[]- Example
- my-username
github
¶
orgs
¶An array of GitHub orgs that are authorized for the main team
- Default
[]- Example
- my-github-org
teams
¶An array of GitHub teams that are authorized for the main team
- Default
[]- Example
- my-github-org:my-github-team
users
¶An array of GitHub userids/logins that are authorized for the main team
- Default
[]- Example
- my-github-login
ldap
¶
groups
¶List of LDAP groups that are authorized for the main team
- Default
[]- Example
- my-group
users
¶List of LDAP users that are authorized for the main team
- Default
[]- Example
- my-username
local
¶
users
¶An array of local users that are authorized for the main team.
- Default
[]
oauth
¶
groups
¶List of Generic OAuth groups that are authorized for the main team
- Default
[]- Example
- my-group
users
¶List of Generic OAuth users that are authorized for the main team
- Default
[]- Example
- my-username
oidc
¶
groups
¶List of Generic OIDC groups that are authorized for the main team
- Default
[]- Example
- my-group
users
¶List of Generic OIDC users that are authorized for the main team
- Default
[]- Example
- my-username
old_encryption_key
¶
The key used previously to encrypt sensitive information in the database.
To rotate your encryption key, set both old_encryption_key and encryption_key. This will result in the ATC re-encrypting all data on start.
To disable encryption, specify old_encryption_key and do not set encryption_key. This will result in the ATC decrypting all data on start, restoring it to plaintext.
peer_url
¶
Address used internally to reach the ATC. This will be auto-generated using the IP of each ATC VM if not specified.
Note that this refers to an individual ATC, not the whole cluster. This
property is only useful if you’re deploying in a way that cannot
autodetect its own IP, e.g. a bosh-init
deployment.
You should otherwise leave this value blank.
postgresql
¶
address
¶Deprecated. Shorthand for specifying
postgresql.host
andpostgresql.port
.
ca_cert
¶CA certificate to verify the server against.
client_cert
¶Client certificate to use when connecting with the server.
connect_timeout
¶Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.
- Default
5m
database
¶Name of the database to use.
- Default
atc
host
¶IP address or DNS name of a PostgreSQL server to connect to.
If not specified, one will be autodiscovered via BOSH links.
port
¶Port on which to connect to the server specified by
postgresql.host
.If
postgresql.host
is not specified, this will be autodiscovered via BOSH links, along with the host.
- Default
5432
role
¶
name
¶Name of role to connect with.
- Default
atc
password
¶Password to use when connecting.
sslmode
¶Whether or not to use SSL. Defaults to
verify-ca
whenpostgresql.address
orpostgresql.host
is provided. Otherwise, defaults todisable
.
postgresql_database
¶
Name of the database to use from the postgresql
link.
prometheus
¶
bind_ip
¶If configured, expose Prometheus metrics at specified address
bind_port
¶If configured, expose Prometheus metrics at specified port
resource_cache_cleanup_interval
¶
The interval, in Go duration format (1m = 1 minute), on which to check for and release old caches of resource versions.
- Default
30s
riemann
¶
host
¶If configured, detailed metrics will be emitted to the specified Riemann server.
- Default
""
port
¶Port of the Riemann server to emit events to.
- Default
5555
service_prefix
¶An optional prefix for emitted Riemann services
- Default
""
tags
¶An optional map of tags in key: value format
- Default
{}- Example
env: dev foo: bar
syslog
¶
address
¶Remote syslog server address with port.
- Example
0.0.0.0:514
ca_cert
¶A PEM-encoded CA cert to use to verify the Syslog server SSL cert.
drain_interval
¶Interval over which checking is done for new build logs to send to syslog server (duration measurement units are s/m/h)
- Default
30s- Example
30s
hostname
¶Client hostname with which the build logs will be sent to the syslog server.
- Default
atc-syslog-drainer- Example
atc-syslog-drainer
transport
¶Transport protocol for syslog messages (Currently supporting tcp, udp & tls).
- Example
tcp
tls_bind_port
¶
Port on which the ATC should listen for HTTPS traffic.
- Default
4443
tls_cert
¶
SSL cert to use for HTTPS.
If not specified, only HTTP will be enabled.
tls_key
¶
SSL private key to use for encrypting HTTPS traffic.
If not specified, only HTTP will be enabled.
token_signing_key
¶
PEM RSA private key used for minting ATC tokens.
- Example
-
private_key: |+ -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- public_key: |+ -----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----
vault
¶
auth
¶
backend
¶Auth backend to use for logging in to Vault.
- Default
""
client_token
¶Client token to use for accessing your Vault server.
- Default
""
params
¶Key-value parameters to provide when logging in with the backend.
- Default
{}- Example
role_id: abc123 secret_id: def456
cache
¶Enable Vault cache for secrets lease duration in memory.
- Default
false
path_prefix
¶Path under which to namespace team/pipeline credentials.
- Default
/concourse
tls
¶
ca_cert
¶A PEM-encoded CA cert to use to verify the Vault server SSL cert.
client_cert
¶Client certificate for Vault TLS auth.
insecure_skip_verify
¶Enable insecure SSL verification.
- Default
false
server_name
¶If set, is used to set the SNI host when connecting via TLS.
- Default
""
url
¶Vault server URL to use for parameterizing credentials.
x_frame_options
¶
The value to set for X-Frame-Options.
If omitted, the header is not set.
- Default
""
Templates¶
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into /var/vcap/jobs/atc/
directory
(learn more).
bin/atc_ctl
(fromatc_ctl.erb
)bin/experimental_downgrade_db
(fromdowngrade_db.erb
)config/cf_ca_cert
(fromcf_ca_cert.erb
)config/credhub_ca_cert
(fromcredhub_ca_cert.erb
)config/credhub_client_cert
(fromcredhub_client_cert.erb
)config/credhub_client_key
(fromcredhub_client_key.erb
)config/github_ca_cert
(fromgithub_ca_cert.erb
)config/ldap_ca_cert
(fromldap_ca_cert.erb
)config/oauth_ca_cert
(fromoauth_ca_cert.erb
)config/oidc_ca_cert
(fromoidc_ca_cert.erb
)config/postgres_ca_cert
(frompostgres_ca_cert.erb
)config/postgres_client_cert
(frompostgres_client_cert.erb
)config/postgres_client_key
(frompostgres_client_key.erb
)config/syslog_ca_cert
(fromsyslog_ca_cert.erb
)config/tls_cert
(fromtls_cert.erb
)config/tls_key
(fromtls_key.erb
)config/token_signing_key
(fromtoken_signing_key.erb
)config/vault_ca_cert
(fromvault_ca_cert.erb
)config/vault_client_cert
(fromvault_client_cert.erb
)config/vault_client_key
(fromvault_client_key.erb
)
Packages¶
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be
placed into /var/vcap/packages/
directory.