
web job from concourse/5.8.1

The 'web' node provides the Concourse web UI and API, along with a worker gateway for registering workers via SSH.

Github source: 10f3388 or master branch

Properties

add_local_users

List of username:password combinations for all your local users. The password can be bcrypted. Bcrypted password must have a strength of 10 or higher or the user will not be able to login.

Example
some-other-user: $2a$10$.YIYH.5EWQcCvfE49xH/.OhIhGFiNtn.tQq.4pznpcrqZvoLxuKeC
some-plaintext-user: a-plaintext-password
some-user: $2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu
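The description ties login success to the bcrypt cost factor, so it is worth checking an add_local_users block before deploying rather than discovering a rejected login afterwards. The following Python is an added example, not code from the bosh.io page or the Concourse project: it parses the `user: password` lines, separates bcrypt entries from plaintext ones by the `$2a$/$2b$/$2y$` modular-crypt format, reads the two-digit cost, and flags anything below 10. The sample block and the hash bodies in it are constructed placeholders in the right shape, not real credentials.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, a two-digit cost, then 22 salt chars
# and 31 hash chars (53 characters in total) from the bcrypt base64 alphabet.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$")

# Concourse refuses logins for bcrypt hashes with a cost below this value.
MIN_BCRYPT_COST = 10


@dataclass
class Finding:
    user: str
    kind: str  # "ok", "weak-bcrypt", "plaintext" or "malformed"
    cost: Optional[int] = None


def classify_credential(value: str) -> Tuple[str, Optional[int]]:
    """Return (kind, cost) for one password value from add_local_users."""
    match = BCRYPT_RE.match(value)
    if match is None:
        # Anything that is not bcrypt-formatted is treated as a plaintext password.
        return "plaintext", None
    cost = int(match.group("cost"))
    return ("ok" if cost >= MIN_BCRYPT_COST else "weak-bcrypt"), cost


def lint_local_users(config_text: str) -> List[Finding]:
    """Parse 'user: password' lines and classify each entry."""
    findings: List[Finding] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, secret = line.partition(":")
        user, secret = user.strip(), secret.strip()
        if not sep or not user or not secret:
            findings.append(Finding(user or line, "malformed"))
            continue
        kind, cost = classify_credential(secret)
        findings.append(Finding(user, kind, cost))
    return findings


def users_needing_attention(config_text: str) -> List[str]:
    """Names of users whose entry is plaintext, too weak to log in, or malformed."""
    return [f.user for f in lint_local_users(config_text) if f.kind != "ok"]


# Constructed sample block: the hash bodies are placeholder characters in the right
# format, not real bcrypt output, and the plaintext entry is deliberately weak.
SAMPLE_LOCAL_USERS = """\
ci-admin: $2a$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
legacy-bot: $2a$08$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
dev-user: a-plaintext-password
broken-entry
"""

if __name__ == "__main__":
    for finding in lint_local_users(SAMPLE_LOCAL_USERS):
        print(f"{finding.user:12} {finding.kind:12} cost={finding.cost}")
```

Run against a real block, the `plaintext` findings are the entries to hash before the manifest is committed, and `weak-bcrypt` findings are the ones whose users will be locked out despite having a hash.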

audit

build

Enable auditing of build API requests.

container

Enable auditing of container API requests.

job

Enable auditing of job API requests.

pipeline

Enable auditing of pipeline API requests.

resource

Enable auditing of resource API requests.

system

Enable auditing of system API requests.

team

Enable auditing of team API requests.

volume

Enable auditing of volume API requests.

worker

Enable auditing of worker API requests.

auth_duration

Length of time for which tokens are valid. Afterwards, users will have to log back in. Use Go duration format (48h = 48 hours).

Default
24h

aws_secretsmanager

access_key

AWS Access key ID used as credentials for accessing SecretsManager.

pipeline_secret_template

AWS SecretsManager secret name template used to resolve pipeline specific secrets.

Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

region

AWS region to use for fetching entries from SecretsManager.

secret_key

AWS Secret Access Key used as credentials for accessing SecretsManager.

session_token

AWS Session Token used as credentials for accessing SecretsManager.

team_secret_template

AWS SecretsManager secret name template used to resolve team specific secrets.

Default
/concourse/{{.Team}}/{{.Secret}}

aws_ssm

access_key

AWS Access key ID used as credentials for accessing SSM parameters.

pipeline_secret_template

AWS SSM parameter name template used to resolve pipeline specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.

Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

region

AWS region to use for fetching SSM parameters.

secret_key

AWS Secret Access Key used as credentials for accessing SSM parameters.

session_token

AWS Session Token used as credentials for accessing SSM parameters.

team_secret_template

AWS SSM parameter name template used to resolve team specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.

Default
/concourse/{{.Team}}/{{.Secret}}

baggageclaim_response_header_timeout

How long to wait for Baggageclaim to send the response header. Use Go duration format (1m = 1 minute).

Default
1m

bind_ip

IP address on which the ATC should listen for HTTP traffic.

Default
0.0.0.0

bind_port

Port on which the ATC should listen for HTTP traffic.

Default
8080

bitbucket_cloud_auth

client_id

BitBucket Cloud client ID.

client_secret

BitBucket Cloud client secret.

build_log_retention

default

Deprecated. See build_log_retention.default_builds.

Example
100

default_builds

Default days to retain build logs. 0 means unlimited.

Example
100

default_days

Default days to retain build logs. 0 means unlimited.

Example
100

maximum

Deprecated. See build_log_retention.maximum_builds.

Example
1000

maximum_builds

Maximum builds logs to retain. Will override values configured in jobs.

Example
1000

maximum_days

Maximum days to retain build logs. Will override values configured in jobs.

Example
1000

build_tracker_interval

The interval, in Go duration format (1m = 1 minute), on which to run build tracking to keep track of build status.

Default
10s

capture_error_metrics

Enable capturing of error log metrics.

cf_auth

api_url

Cloud Foundry api endpoint url.

ca_cert

Cloud Foundry CA Certificate.

client_id

UAA client ID to use for OAuth.

client_secret

UAA client secret to use for OAuth.

skip_ssl_validation

Skip SSL validation.

cluster_name

A name for this Concourse cluster, to be displayed on the dashboard page.

config_rbac

YAML file content to customize RBAC role-action mapping.

Example
|+
  pipeline-operator:
  - OrderPipelines
  - PausePipelines

conjur

account

Conjur account name.

appliance_interval

URL of the Conjur instance.

auth

api_key

API key related to the host.

login

Host username. Example: host/concourse

token_file

Path to token file used if Conjur instance is running in Kubernetes or IAM.

cert_file

Path to cert file used if conjur instance is using a self-signed cert.

pipeline_secret_template

Conjur secret identifier template used for pipeline specific parameter.

secret_template

Conjur secret identifier template used for full path conjur secrets

team_secret_template

Conjur secret identifier template used for team specific parameter.

container_placement_strategy

Method by which a worker is selected during container placement.

Supported options are “volume-locality”, “random” and “fewest-build-containers”. Experimental option: “limit-active-tasks”

Default
volume-locality

cookie_secure

Set secure flag on auth cookies.

Default
false

credhub

client_id

Client ID for CredHub authorization.

client_secret

Client secret for CredHub authorization.

path_prefix

Path under which to namespace team/pipeline credentials.

Default
/concourse

tls

ca_cert

A PEM-encoded CA cert to use to verify the Credhub server SSL cert.

client_cert

Client certificate for CredHub mutual TLS auth.

insecure_skip_verify

Enable insecure SSL verification.

Default
false

url

CredHub server address used to access secrets.

Example
https://credhub-server:9000

datadog

agent_host

If configured, detailed metrics will be emitted to the specified Datadog Agent’s dogstatsd server.

agent_port

Port of the Datadog Agent’s dogstatsd server to emit events to.

Default
8125

prefix

An optional prefix for emitted Datadog events.

debug

bind_ip

IP address on which to listen for the pprof debugger endpoints.

Default
127.0.0.1

bind_port

Port on which to listen for the pprof debugger endpoints.

Default
8079

default_check_interval

The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources.

This can also be specified on a per-resource basis by specifying check_every on the resource config.

Default
1m

default_resource_type_check_interval

The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resource types.

This can also be specified on a per-resource_type basis by specifying check_every on the resource type config.

Default
1m

default_task_cpu_limit

Default limit for cpu shares used per task. This can be overridden by specifying a different limit in the task yaml.

Example
256

default_task_memory_limit

Default limit for memory used per task. This can be overridden by specifying a different limit in the task yaml.

Example
200mb

emit_metrics_to_logs

Emit metrics to logs.

enable_global_resources

Enable equivalent resources across pipelines and teams to share a single version history.

Default
false

enable_lidar

Enable the new resource checking mechanism, which tracks checks in the database.

Default
false

encryption_key

A 16 or 32 byte passphrase. This is used to generate an AES key to encrypt sensitive information in the database.

If specified, all existing data will be encrypted on start and any new data will be encrypted.

external_url

Externally reachable URL of the ATCs. Required for OAuth. This will be auto-generated using the IP of each ATC VM if not specified, however this is only a reasonable default if you have a single instance.

Typically this is the URL that you as a user would use to reach your CI. For multiple ATCs it would go to some sort of load balancer.

Example
https://ci.concourse-ci.org

garden_request_timeout

How long to wait for requests to Garden to complete, in Go duration format (48h = 48 hours). 0 means no timeout.

Example
5m

gc

check_recycle_period

Period after which finished checks will get garbage-collected.

Default
6h

interval

The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.

Default
30s

missing_grace_period

Period after which to reap containers and volumes that were created but went missing from the worker.

one_off_grace_period

Period after which one-off build containers will be garbage-collected.

gc_interval

The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.

generic_oauth

auth_url

Generic OAuth provider authorization endpoint url.

ca_cert

The CA certificate for the Generic OAuth provider’s endpoints.

client_id

Application client ID for enabling generic OAuth.

client_secret

Application client secret for enabling generic OAuth.

display_name

Name of the authentication method to be displayed on the Web UI.

groups_key

Groups claim key used to map groups from the OAuth userinfo/token.

scopes

OAuth scopes to request during authorization.

skip_ssl_validation

Skip SSL validation.

token_url

Generic OAuth provider token endpoint URL.

user_id_key

User ID claim key used to map the user ID from the OAuth userinfo/token.

user_name_key

User name claim key used to map the user name from the OAuth userinfo/token.

userinfo_url

Generic OAuth provider user info endpoint URL.

generic_oidc

ca_cert

The CA certificate for the Generic OIDC provider’s endpoints.

client_id

Application client ID for enabling generic OIDC.

client_secret

Application client secret for enabling generic OIDC.

display_name

Name of the authentication method to be displayed on the Web UI.

groups_key

Groups claim key used to map groups from the OIDC userinfo/token.

hosted_domains

List of whitelisted domains when using Google; only users from a listed domain will be allowed to log in.

issuer

Generic OIDC provider issuer url.

scopes

OIDC scopes to request during authorization.

Default
[]

skip_ssl_validation

Skip SSL validation.

user_name_key

User name claim key used to map the user name from the OIDC userinfo/token.

github_auth

ca_cert

GitHub Enterprise CA Certificate.

client_id

GitHub client ID to use for OAuth.

The application must be configured with its callback URL as {external_url}/sky/issuer/callback (replacing {external_url} with the actual value).

client_secret

GitHub client secret to use for OAuth.

The application must be configured with its callback URL as {external_url}/sky/issuer/callback (replacing {external_url} with the actual value).

host

Override default hostname for Github Enterprise. (No scheme, No trailing slash)

Example
github.example.com

gitlab_auth

client_id

GitLab client ID to use for OAuth.

client_secret

GitLab client secret to use for OAuth.

host

Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash)

global_resource_check_timeout

Time limit on checking for new versions of resources.

Default
1h

influxdb

batch_duration

The duration to wait before emitting a batch of points to InfluxDB, disregarding influxdb.batch_size.

Default
300s

batch_size

Number of points to batch together when emitting to InfluxDB.

Default
5000

database

InfluxDB database to which metrics will be emitted.

insecure_skip_verify

Skip SSL verification when emitting to InfluxDB.

Default
false

password

InfluxDB password for authorizing access.

url

If configured, detailed metrics will be emitted to the specified InfluxDB server.

username

InfluxDB username for authorizing access.

intercept_idle_timeout

Length of time for an intercepted session to be idle before terminating, in Go duration format.

Example
5m

ldap_auth

bind_dn

Bind DN for searching LDAP users and groups. Typically this is a read-only user.

bind_pw

Bind Password for the user specified by ‘bind-dn’.

ca_cert

The CA certificate for the LDAP auth provider’s endpoints.

display_name

The auth provider name displayed to users on the login page.

group_search_base_dn

BaseDN to start the search from.

Example
cn=groups,dc=example,dc=com

group_search_filter

Optional filter to apply when searching the directory.

Example
(objectClass=posixGroup)

group_search_group_attr

Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=)

group_search_name_attr

The attribute of the group that represents its name.

group_search_scope

Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.

group_search_user_attr

Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=).

host

The host and optional port of the LDAP server. If the port isn’t supplied, it will be guessed based on the TLS configuration (389 or 636).

insecure_no_ssl

Required if LDAP host does not use TLS.

Default
false

insecure_skip_verify

Skip certificate verification.

Default
false

start_tls

Start on insecure port, then negotiate TLS.

Default
false

user_search_base_dn

BaseDN to start the search from.

Example
cn=users,dc=example,dc=com

user_search_email_attr

A mapping of attributes on the user entry to claims. Defaults to ‘mail’ if empty.

user_search_filter

Optional filter to apply when searching the directory.

Example
(objectClass=person)

user_search_id_attr

A mapping of attributes on the user entry to claims. Defaults to ‘uid’ if empty.

user_search_name_attr

A mapping of attributes on the user entry to claims.

user_search_scope

Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.

user_search_username

Attribute to match against the inputted username. This will be translated and combined with the other filter as ‘(=)‘.

lets_encrypt

acme_url

URL of the ACME CA directory endpoint.

Default
https://acme-v01.api.letsencrypt.org/directory

enabled

Automatically configure TLS certificates via Let’s Encrypt/ACME.

lidar_checker_interval

Interval on which the resource checker runs any scheduled checks.

Default
10s

lidar_scanner_interval

Interval on which the resource scanner runs to see if new checks need to be scheduled.

Default
1m

log_cluster_name

Add cluster name (CONCOURSE_CLUSTER_NAME) to logs.

Default
false

log_db_queries

Log database queries. Log level is debug, so you’ll need to set the log_level property as well. This is mainly useful for Concourse developers to analyze query counts.

Default
false

log_level

The log level for the ATC. When set to debug, you’ll see a lot more information about scheduling, resource scanning, etc., but it’ll be quite chatty.

Default
info

main_team

auth

bitbucket_cloud

teams

List of whitelisted Bitbucket Cloud teams.

Example
- my-bitbucket-cloud-team

users

List of whitelisted Bitbucket Cloud users.

Example
- my-bitbucket-cloud-login

cf

orgs

List of CloudFoundry Orgs that are authorized for the main team.

Example
- myorg

space_guids

(Deprecated) List of CloudFoundry Space GUIDs that are authorized for the main team.

spaces

(Deprecated) List of CloudFoundry Spaces whose ‘developer’ users are authorized for the main team.

Example
- myorg:myspace

spaces_with_any_role

List of CloudFoundry Spaces whose users with any role are authorized for the main team.

Example
- myorg:myspace

spaces_with_auditor_role

List of CloudFoundry Spaces whose ‘auditor’ users are authorized for the main team.

Example
- myorg:myspace

spaces_with_developer_role

List of CloudFoundry Spaces whose ‘developer’ users are authorized for the main team.

Example
- myorg:myspace

spaces_with_manager_role

List of CloudFoundry Spaces whose ‘manager’ users are authorized for the main team.

Example
- myorg:myspace

users

List of CloudFoundry userids/usernames that are authorized for the main team.

Example
- my-username

config

YAML file content for the main team’s role configuration.

Example
|+
  roles:
  - name: owner
    github:
      users: ["admin"]
  - name: member
    github:
      teams: ["org:team"]
  - name: viewer
    github:
      orgs: ["org"]
    local:
      users: ["visitor"]

github

orgs

An array of GitHub orgs that are authorized for the main team.

Example
- my-github-org

teams

An array of GitHub teams that are authorized for the main team.

Example
- my-github-org:my-github-team

users

An array of GitHub userids/logins that are authorized for the main team.

Example
- my-github-login

gitlab

groups

An array of GitLab groups that are authorized for the main team.

Example
- my-gitlab-group

users

An array of GitLab users that are authorized for the main team.

Example
- my-gitlab-login

ldap

groups

List of LDAP groups that are authorized for the main team.

Example
- my-group

users

List of LDAP users that are authorized for the main team.

Example
- my-username

local

users

An array of local users that are authorized for the main team.

microsoft

groups

List of whitelisted Microsoft groups for the main team.

Example
- my-group

users

List of whitelisted Microsoft users for the main team.

Example
- my-username

oauth

groups

List of Generic OAuth groups that are authorized for the main team.

Example
- my-group

users

List of Generic OAuth users that are authorized for the main team.

Example
- my-username

oidc

groups

List of Generic OIDC groups that are authorized for the main team.

Example
- my-group

users

List of Generic OIDC users that are authorized for the main team.

Example
- my-username

max_active_tasks_per_worker

Maximum allowed number of active build tasks per worker.

Has effect only when used with “limit-active-tasks” placement strategy.

0 means no limit.

Default
0

max_conns

The maximum number of open connections for a database connection pool.

Default
32

metrics_buffer_size

The size of the buffer used in emitting event metrics.

Default
1000

microsoft_auth

client_id

Microsoft client ID to use for OAuth.

client_secret

Microsoft client secret to use for OAuth.

groups

Allowed Active Directory groups to use for Microsoft OAuth.

only_security_groups

Only fetch security groups for Microsoft OAuth.

tenant

Microsoft tenant limitation to use for OAuth (common, consumers, organizations, tenant name or tenant uuid).

newrelic

account_id

New Relic Account ID.

api_key

New Relic Insights API Key.

batch_duration

Maximum length of time to wait between emissions; when it elapses, all currently batched events are emitted regardless of batch size.

Example
60s

batch_size

Number of events to batch together before emitting.

Example
2000

disable_compression

Disables compression of the batch before sending it.

Example
false

service_prefix

An optional prefix for emitted New Relic events.

old_encryption_key

The key used previously to encrypt sensitive information in the database.

To rotate your encryption key, set both old_encryption_key and encryption_key. This will result in the ATC re-encrypting all data on start.

To disable encryption, specify old_encryption_key and do not set encryption_key. This will result in the ATC decrypting all data on start, restoring it to plaintext.
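The two paragraphs above describe a small state machine: which of encryption_key and old_encryption_key are set decides whether the ATC encrypts, re-encrypts or decrypts the database on start. The Python below is an added example (not code from the bosh.io page or Concourse) that maps a pair of settings to that action and applies the 16-or-32-byte rule from encryption_key; the passphrases in it are constructed samples. The length is measured in bytes rather than characters, which matters for any non-ASCII passphrase.

```python
from typing import List, Optional, Tuple

# Passphrase lengths the web job accepts, in bytes (AES-128 / AES-256).
VALID_KEY_LENGTHS = (16, 32)


def key_length_problem(name: str, key: str) -> Optional[str]:
    """Return a message if the passphrase is not 16 or 32 bytes, else None."""
    size = len(key.encode("utf-8"))  # bytes, not characters: multibyte chars count more
    if size not in VALID_KEY_LENGTHS:
        return f"{name} is {size} bytes; it must be exactly 16 or 32 bytes"
    return None


def plan_encryption(encryption_key: Optional[str],
                    old_encryption_key: Optional[str]) -> Tuple[str, List[str]]:
    """Map (encryption_key, old_encryption_key) to what the ATC does on start.

    Returns one of:
      "encrypt"     only encryption_key set: existing data is encrypted on start
      "rotate"      both set: all data is re-encrypted under the new key
      "decrypt"     only old_encryption_key set: data is restored to plaintext
      "unencrypted" neither set: nothing is encrypted
      "invalid"     a key has the wrong length; the error list says which
    """
    errors: List[str] = []
    for name, key in (("encryption_key", encryption_key),
                      ("old_encryption_key", old_encryption_key)):
        if key is not None:
            problem = key_length_problem(name, key)
            if problem:
                errors.append(problem)
    if errors:
        return "invalid", errors
    if encryption_key and old_encryption_key:
        return "rotate", []
    if encryption_key:
        return "encrypt", []
    if old_encryption_key:
        return "decrypt", []
    return "unencrypted", []


if __name__ == "__main__":
    # Constructed sample passphrases, not keys from any real deployment.
    scenarios = [
        ("first deploy", "0123456789abcdef", None),
        ("rotation", "fedcba9876543210fedcba9876543210", "0123456789abcdef"),
        ("turn encryption off", None, "0123456789abcdef"),
        ("8 chars but 16 bytes", "é" * 8, None),
        ("10 chars, 20 bytes", "é" * 10, None),
    ]
    for label, new, old in scenarios:
        action, errors = plan_encryption(new, old)
        print(f"{label:22} -> {action} {errors}")
```

The last two scenarios are the edge case to watch for: a passphrase that looks like 16 characters in a manifest may be a different number of bytes, and only the byte count matters.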

postgresql

ca_cert

CA certificate to verify the server against.

client_cert

Client certificate to use when connecting with the server.

connect_timeout

Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.

Default
5m

database

Name of the database to use.

host

IP address or DNS name of a PostgreSQL server to connect to.

If not specified, one will be autodiscovered via BOSH links.

port

Port on which to connect to the server specified by postgresql.host.

If postgresql.host is not specified, this will be autodiscovered via BOSH links, along with the host.

Default
5432

role

name

Name of role to connect with.

password

Password to use when connecting.

socket

Path to a UNIX domain socket to connect to.

sslmode

Whether or not to use SSL. Defaults to verify-ca when postgresql.address or postgresql.host is provided. Otherwise, defaults to disable.

prometheus

bind_ip

If configured, expose Prometheus metrics at the specified address.

bind_port

If configured, expose Prometheus metrics at the specified port.

redact_secrets

Enable redacting secrets in build logs.

riemann

host

If configured, detailed metrics will be emitted to the specified Riemann server.

Default
""

port

Port of the Riemann server to emit events to.

Default
5555

service_prefix

An optional prefix for emitted Riemann services.

tags

An optional map of tags in key: value format.

Example
env: dev
foo: bar

secrets

cache

duration

Maximum duration for which to keep cached credentials.

Default
1m

duration_notfound

If the cache is enabled, secret not found responses will be cached for this duration.

Default
10s

enabled

Enable in-memory caching of secrets fetched from the credential manager.

purge_interval

Interval on which to purge expired cached credentials.

Default
10m

retry_attempts

The number of times to retry fetching a secret when a retryable error occurs.

retry_interval

The interval between secret retry retrieval attempts.

syslog

address

Remote syslog server address with port.

Example
0.0.0.0:514

ca_cert

A PEM-encoded CA cert to use to verify the Syslog server SSL cert.

drain_interval

Interval on which to check for new build logs to send to the syslog server (duration units are s/m/h).

Default
30s
Example
30s

hostname

Client hostname with which the build logs will be sent to the syslog server.

Default
atc-syslog-drainer
Example
atc-syslog-drainer

transport

Transport protocol for syslog messages (Currently supporting tcp, udp & tls).

Example
tcp

tls

bind_port

Port on which the ATC should listen for HTTPS traffic.

cert

SSL cert to use for HTTPS.

If not specified, only HTTP will be enabled.

tls_bind_port

Deprecated in favor of tls.bind_port.

tls_cert

Deprecated in favor of tls.cert.

tls_key

Deprecated in favor of tls.cert.

token_signing_key

PEM RSA private key used for minting ATC tokens.

Example
private_key: |+
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
public_key: |+
  -----BEGIN PUBLIC KEY-----
  ...
  -----END PUBLIC KEY-----

vault

auth

backend

Auth backend to use for logging in to Vault.

backend_max_ttl

Time after which to force a re-login. If not set, the token will just be continuously renewed.

client_token

Client token to use for accessing your Vault server.

params

Key-value parameters to provide when logging in with the backend.

Example
role_id: abc123
secret_id: def456

namespace

Vault namespace to use for authentication and secret lookup. Currently only supported for Enterprise Vault.

path_prefix

Path under which to look up shared team/pipeline credentials.

Default
/concourse

retry

initial

The initial time between retries when logging in or re-authing a secret.

max

The maximum time between retries when logging in or re-authing a secret.

shared_path

Path under which to lookup shared credentials.

tls

ca_cert

A PEM-encoded CA cert to use to verify the Vault server SSL cert.

client_cert

Client certificate for Vault TLS auth.

insecure_skip_verify

Enable insecure SSL verification.

Default
false

server_name

If set, is used to set the SNI host when connecting via TLS.

url

Vault server URL to use for parameterizing credentials.

worker_gateway

authorized_keys

Public keys to authorize for SSH connections. Either a string with one public key per line, or an array of public keys.

Default
""

bind_port

Port on which to listen for SSH connections.

Default
2222

heartbeat_interval

Interval on which to register workers with the ATC.

Default
30s

host_key

Must be specified. BOSH can auto-generate it; see the sample manifest.yml.

Example
private_key: |+
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
public_key: |+
  ssh-rsa ...

log_level

The log level for the TSA.

Default
info

team_authorized_keys

Public keys to authorize for per-team workers.

Map from team name to authorized keys, either as a string with one key per line or an array of public keys.

Default
{}
Example
concourse: |+
  ssh-rsa key [email protected]

x_frame_options

The value to set for X-Frame-Options.

Default
deny

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/web/ directory.

  • bin/pre_start (from pre_start.erb)
  • config/bpm.yml (from bpm.yml.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.