Skip to content

atc job from concourse/4.2.3

The ATC (Air Traffic Controller) provides UI and API access. It is responsible for scheduling builds and detecting versions of your resources.

Github source: bcd4251 or master branch

Properties

add_local_users

List of local concourse users to add with their bcrypted passwords. bcrypted password must have a strength of 10 or higher or the user will not be able to login

Default
[]
Example
- some-user:$2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu
- some-other-user:$2a$10$.YIYH.5EWQcCvfE49xH/.OhIhGFiNtn.tQq.4pznpcrqZvoLxuKeC

auth_duration

Length of time for which tokens are valid. Afterwards, users will have to log back in. Use Go duration format (48h = 48 hours).

Default
24h

aws_secretsmanager

access_key

AWS Access key ID used as credentials for accessing SecretsManager.

pipeline_secret_template

AWS SecretsManager secret name template used to resolve pipeline specific secrets.

Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

region

AWS region to use for fetching entries from SecretsManager.

secret_key

AWS Secret Access Key used as credentials for accessing SecretsManager.

session_token

AWS Session Token used as credentials for accessing SecretsManager.

team_secret_template

AWS SecretsManager secret name template used to resolve team specific secrets.

Default
/concourse/{{.Team}}/{{.Secret}}

aws_ssm

access_key

AWS Access key ID used as credentials for accessing SSM parameters.

pipeline_secret_template

AWS SSM parameter name template used to resolve pipeline specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.

Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

region

AWS region to use for fetching SSM parameters.

secret_key

AWS Secret Access Key used as credentials for accessing SSM parameters.

session_token

AWS Session Token used as credentials for accessing SSM parameters.

team_secret_template

AWS SSM parameter name template used to resolve team specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names. names.

Default
/concourse/{{.Team}}/{{.Secret}}

baggageclaim_response_header_timeout

How long to wait for Baggageclaim to send the response header. Use Go duration format (1m = 1 minute).

Default
1m

bind_ip

IP address on which the ATC should listen for HTTP traffic.

Default
0.0.0.0

bind_port

Port on which the ATC should listen for HTTP traffic.

Default
8080

build_log_retention

default

Default (can be overriden by job) number of build logs to retain, 0 (or not set) means retain all (database will grow indefinitely).

Example
100

maximum

If set, this will cap the maximum number of build logs to retain for any job, capping any value set in a job itself or the build_log_retention.default. 0 (or not set) means no maximum is specified.

Example
1000

build_tracker_interval

The interval, in Go duration format (1m = 1 minute), on which to run build tracking to keep track of build status.

Default
10s

cf_auth

api_url

Cloud Foundry api endpoint url.

Default
""

ca_cert

Cloud Foundry CA Certificate.

client_id

UAA client ID to use for OAuth.

Default
""

client_secret

UAA client secret to use for OAuth.

Default
""

container_placement_strategy

Method by which a worker is selected during container placement.

Options are “volume-locality” and “random”.

Default
volume-locality

cookie_secure

Set secure flag on auth cookies

Default
false

credhub

client_id

Client ID for CredHub authorization.

client_secret

Client secret for CredHub authorization.

path_prefix

Path under which to namespace team/pipeline credentials.

Default
/concourse

tls

ca_cert

A PEM-encoded CA cert to use to verify the Credhub server SSL cert.

client_cert

Client certificate for CredHub mutual TLS auth.

insecure_skip_verify

Enable insecure SSL verification.

Default
false

url

CredHub server address used to access secrets.

Example
https://credhub-server:9000

datadog

agent_host

If configured, detailed metrics will be emitted to the specified Datadog Agent’s dogstatsd server.

agent_port

Port of the Datadog Agent’s dogstatsd server to emit events to.

Default
8125

prefix

An optional prefix for emitted Datadog events.

default_check_interval

The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources.

This can also be specified on a per-resource basis by specifying check_every on the resource config.

Default
1m

default_resource_type_check_interval

The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resource types.

This can also be specified on a per-resource_type basis by specifying check_every on the resource type config.

Default
1m

default_task_cpu_limit

Default limit for cpu shares used per task. This can be overridden by specifying a different limit in the task yaml.

Example
256

default_task_memory_limit

Default limit for memory used per task. This can be overridden by specifying a different limit in the task yaml.

Example
200mb

encryption_key

A 16 or 32 byte passphrase. This is used to generate an AES key to encrypt sensitive iinformation in the database.

If specified, all existing data will be encrypted on start and any new data will be encrypted.

external_url

Externally reachable URL of the ATCs. Required for OAuth. This will be auto-generated using the IP of each ATC VM if not specified, however this is only a reasonable default if you have a single instance.

Typically this is the URL that you as a user would use to reach your CI. For multiple ATCs it would go to some sort of load balancer.

Example
https://ci.concourse-ci.org

gc_interval

The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.

Default
30s

generic_oauth

auth_url

Generic OAuth provider authorization endpoint url.

Default
""

ca_cert

The CA certificate for the Generic OAuth provider’s endpoints.

client_id

Application client ID for enabling generic OAuth.

Default
""

client_secret

Application client secret for enabling generic OAuth.

Default
""

display_name

Name of the authentication method to be displayed on the Web UI

Default
""

groups_key

Groups claim key used to map groups from the OAuth userinfo/token

Default
""

scopes

OAuth scopes to request during authorization.

Default
[]

token_url

Generic OAuth provider token endpoint URL.

Default
""

userinfo_url

Generic OAuth provider user info endpoint URL.

Default
""

generic_oidc

ca_cert

The CA certificate for the Generic OIDC provider’s endpoints.

client_id

Application client ID for enabling generic OIDC.

Default
""

client_secret

Application client secret for enabling generic OIDC.

Default
""

display_name

Name of the authentication method to be displayed on the Web UI

Default
""

groups_key

Groups claim key used to map groups from the OIDC userinfo/token

Default
""

issuer

Generic OIDC provider issuer url.

Default
""

scopes

OIDC scopes to request during authorization.

Default
[]

github_auth

ca_cert

GitHub Enterprise CA Certificate.

client_id

GitHub client ID to use for OAuth.

The application must be configured with its callback URL as {external_url}/sky/issuer/callback (replacing {external_url} with the actual value).

Default
""

client_secret

GitHub client secret to use for OAuth.

The application must be configured with its callback URL as {external_url}/sky/issuer/callback (replacing {external_url} with the actual value).

Default
""

host

Override default hostname for Github Enterprise. (No scheme, No trailing slash)

Default
""
Example
github.example.com

influxdb

database

InfluxDB database to which metrics will be emitted.

Default
""

insecure_skip_verify

Skip SSL verification when emitting to InfluxDB.

Default
false

password

InfluxDB password for authorizing access.

Default
""

url

If configured, detailed metrics will be emitted to the specified InfluxDB server.

username

InfluxDB username for authorizing access.

Default
""

intercept_idle_timeout

Length of time for a intercepted session to be idle before terminating, in Go duration format.

Example
5m

ldap_auth

bind_dn

Bind DN for searching LDAP users and groups. Typically this is a read-only user.

Default
""

bind_pw

Bind Password for the user specified by ‘bind-dn’.

Default
""

ca_cert

The CA certificate for the LDAP auth provider’s endpoints.

group_search_base_dn

BaseDN to start the search from. For example ‘cn=groups,dc=example,dc=com’.

Default
""

group_search_filter

Optional filter to apply when searching the directory. For example ‘(objectClass=posixGroup)’.

Default
""

group_search_group_attr

Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=)

Default
""

group_search_name_attr

The attribute of the group that represents its name.

Default
""

group_search_scope

Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.

Default
""

group_search_user_attr

Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=).

Default
""

host

The host and optional port of the LDAP server. If port isn’t supplied, it will be guessed based on the TLS configuration. 389 or 636.

Default
""

insecure_no_ssl

Required if LDAP host does not use TLS.

Default
false

insecure_skip_verify

Skip certificate verification.

Default
false

start_tls

Start on insecure port, then negotiate TLS.

Default
false

user_search_base_dn

BaseDN to start the search from. For example ‘cn=users,dc=example,dc=com’.

Default
""

user_search_email_attr

A mapping of attributes on the user entry to claims. Defaults to ‘mail’ if empty.

Default
""

user_search_filter

Optional filter to apply when searching the directory. For example ‘(objectClass=person)’.

Default
""

user_search_id_attr

A mapping of attributes on the user entry to claims. Defaults to ‘uid’ if empty.

Default
""

user_search_name_attr

A mapping of attributes on the user entry to claims.

Default
""

user_search_scope

Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.

Default
""

user_search_username

Attribute to match against the inputted username. This will be translated and combined with the other filter as ‘(=)‘.

Default
""

log_db_queries

Log database queries. Log level is debug, so you’ll need to set the log_level property as well. This is mainly useful for Concourse developers to analyze query counts.

Default
false

log_level

The log level for the ATC. When set to debug, you’ll see a lot more information about scheduling, resource scanning, etc., but it’ll be quite chatty.

Default
info

main_team

auth

allow_all_users

Whitelist all authenticated users for the main team.

Default
false
cf
orgs

List of CloudFoundry Orgs that are authorized for the main team

Default
[]
Example
- myorg
spaces

List of CloudFoundry Spaces that are authorized for the main team

Default
[]
Example
- myorg:myspace
users

List of CloudFoundry userids/usernames that are authorized for the main team

Default
[]
Example
- my-username
github
orgs

An array of GitHub orgs that are authorized for the main team

Default
[]
Example
- my-github-org
teams

An array of GitHub teams that are authorized for the main team

Default
[]
Example
- my-github-org:my-github-team
users

An array of GitHub userids/logins that are authorized for the main team

Default
[]
Example
- my-github-login
ldap
groups

List of LDAP groups that are authorized for the main team

Default
[]
Example
- my-group
users

List of LDAP users that are authorized for the main team

Default
[]
Example
- my-username
local
users

An array of local users that are authorized for the main team.

Default
[]
oauth
groups

List of Generic OAuth groups that are authorized for the main team

Default
[]
Example
- my-group
users

List of Generic OAuth users that are authorized for the main team

Default
[]
Example
- my-username
oidc
groups

List of Generic OIDC groups that are authorized for the main team

Default
[]
Example
- my-group
users

List of Generic OIDC users that are authorized for the main team

Default
[]
Example
- my-username

old_encryption_key

The key used previously to encrypt sensitive information in the database.

To rotate your encryption key, set both old_encryption_key and encryption_key. This will result in the ATC re-encrypting all data on start.

To disable encryption, specify old_encryption_key and do not set encryption_key. This will result in the ATC decrypting all data on start, restoring it to plaintext.

peer_url

Address used internally to reach the ATC. This will be auto-generated using the IP of each ATC VM if not specified.

Note that this refers to an individual ATC, not the whole cluster. This property is only useful if you’re deploying in a way that cannot autodetect its own IP, e.g. a bosh-init deployment.

You should otherwise leave this value blank.

postgresql

address

Deprecated. Shorthand for specifying postgresql.host and postgresql.port.

ca_cert

CA certificate to verify the server against.

client_cert

Client certificate to use when connecting with the server.

connect_timeout

Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.

Default
5m

database

Name of the database to use.

Default
atc

host

IP address or DNS name of a PostgreSQL server to connect to.

If not specified, one will be autodiscovered via BOSH links.

port

Port on which to connect to the server specified by postgresql.host.

If postgresql.host is not specified, this will be autodiscovered via BOSH links, along with the host.

Default
5432

role

name

Name of role to connect with.

Default
atc
password

Password to use when connecting.

sslmode

Whether or not to use SSL. Defaults to verify-ca when postgresql.address or postgresql.host is provided. Otherwise, defaults to disable.

postgresql_database

Name of the database to use from the postgresql link.

prometheus

bind_ip

If configured, expose Prometheus metrics at specified address

bind_port

If configured, expose Prometheus metrics at specified port

resource_cache_cleanup_interval

The interval, in Go duration format (1m = 1 minute), on which to check for and release old caches of resource versions.

Default
30s

riemann

host

If configured, detailed metrics will be emitted to the specified Riemann server.

Default
""

port

Port of the Riemann server to emit events to.

Default
5555

service_prefix

An optional prefix for emitted Riemann services

Default
""

tags

An optional map of tags in key: value format

Default
{}
Example
env: dev
foo: bar

syslog

address

Remote syslog server address with port.

Example
0.0.0.0:514

ca_cert

A PEM-encoded CA cert to use to verify the Syslog server SSL cert.

drain_interval

Interval over which checking is done for new build logs to send to syslog server (duration measurement units are s/m/h)

Default
30s
Example
30s

hostname

Client hostname with which the build logs will be sent to the syslog server.

Default
atc-syslog-drainer
Example
atc-syslog-drainer

transport

Transport protocol for syslog messages (Currently supporting tcp, udp & tls).

Example
tcp

tls_bind_port

Port on which the ATC should listen for HTTPS traffic.

Default
4443

tls_cert

SSL cert to use for HTTPS.

If not specified, only HTTP will be enabled.

tls_key

SSL private key to use for encrypting HTTPS traffic.

If not specified, only HTTP will be enabled.

token_signing_key

PEM RSA private key used for minting ATC tokens.

Example
private_key: |+
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
public_key: |+
  -----BEGIN PUBLIC KEY-----
  ...
  -----END PUBLIC KEY-----

vault

auth

backend

Auth backend to use for logging in to Vault.

Default
""
client_token

Client token to use for accessing your Vault server.

Default
""
params

Key-value parameters to provide when logging in with the backend.

Default
{}
Example
role_id: abc123
secret_id: def456

cache

Enable Vault cache for secrets lease duration in memory.

Default
false

path_prefix

Path under which to namespace team/pipeline credentials.

Default
/concourse

tls

ca_cert

A PEM-encoded CA cert to use to verify the Vault server SSL cert.

client_cert

Client certificate for Vault TLS auth.

insecure_skip_verify

Enable insecure SSL verification.

Default
false
server_name

If set, is used to set the SNI host when connecting via TLS.

Default
""

url

Vault server URL to use for parameterizing credentials.

x_frame_options

The value to set for X-Frame-Options.

If omitted, the header is not set.

Default
""

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into /var/vcap/jobs/atc/ directory (learn more).

  • bin/atc_ctl (from atc_ctl.erb)
  • bin/experimental_downgrade_db (from downgrade_db.erb)
  • config/cf_ca_cert (from cf_ca_cert.erb)
  • config/credhub_ca_cert (from credhub_ca_cert.erb)
  • config/credhub_client_cert (from credhub_client_cert.erb)
  • config/credhub_client_key (from credhub_client_key.erb)
  • config/github_ca_cert (from github_ca_cert.erb)
  • config/ldap_ca_cert (from ldap_ca_cert.erb)
  • config/oauth_ca_cert (from oauth_ca_cert.erb)
  • config/oidc_ca_cert (from oidc_ca_cert.erb)
  • config/postgres_ca_cert (from postgres_ca_cert.erb)
  • config/postgres_client_cert (from postgres_client_cert.erb)
  • config/postgres_client_key (from postgres_client_key.erb)
  • config/syslog_ca_cert (from syslog_ca_cert.erb)
  • config/tls_cert (from tls_cert.erb)
  • config/tls_key (from tls_key.erb)
  • config/token_signing_key (from token_signing_key.erb)
  • config/vault_ca_cert (from vault_ca_cert.erb)
  • config/vault_client_cert (from vault_client_cert.erb)
  • config/vault_client_key (from vault_client_key.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.