web job from concourse/5.1.0

The 'web' node provides the Concourse web UI and API, along with a worker gateway for registering workers via SSH.

Github source: 3087471 or master branch

Properties

add_local_users

List of username:password combinations for all your local users. The password can be bcrypted. A bcrypted password must have a strength (cost) of 10 or higher, or the user will not be able to log in.

Example
some-other-user: $2a$10$.YIYH.5EWQcCvfE49xH/.OhIhGFiNtn.tQq.4pznpcrqZvoLxuKeC
some-plaintext-user: a-plaintext-password
some-user: $2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu
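A pre-deployment check for the constraint stated above (bcrypt cost 10 or higher, plaintext tolerated), written here as an added example and not part of Concourse: it inspects only the shape and cost field of each entry and never verifies a password. The entry format `user:secret` and the `user: hash` spelling from the example above are both accepted; the low-cost hash in the test is constructed, not a real hash.

```python
import re
from typing import List, NamedTuple

# Concourse rejects logins whose bcrypt hash has a cost below 10.
MIN_BCRYPT_COST = 10

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


class Finding(NamedTuple):
    user: str
    level: str    # "ok", "warn" or "error"
    message: str


def check_local_user(entry: str) -> Finding:
    """Classify one add_local_users entry without touching the password itself."""
    if ":" not in entry:
        return Finding(entry, "error", "expected username:password")
    user, secret = entry.split(":", 1)
    # Tolerate the 'user: hash' spelling used in the property's own example.
    secret = secret.strip()
    if not user or not secret:
        return Finding(user or "<empty>", "error", "empty username or password")
    m = BCRYPT_RE.match(secret)
    if m is None:
        if secret.startswith("$2"):
            return Finding(user, "error", "malformed bcrypt hash")
        return Finding(user, "warn", "plaintext password; prefer a bcrypt hash")
    cost = int(m.group(1))
    if cost < MIN_BCRYPT_COST:
        return Finding(user, "error",
                       f"bcrypt cost {cost} is below {MIN_BCRYPT_COST}; login will fail")
    return Finding(user, "ok", f"bcrypt cost {cost}")


def check_local_users(entries: List[str]) -> List[Finding]:
    return [check_local_user(e) for e in entries]


def has_blocking_errors(entries: List[str]) -> bool:
    """True if any entry would be rejected or cannot be parsed."""
    return any(f.level == "error" for f in check_local_users(entries))


if __name__ == "__main__":
    # Entries taken from the property's example plus one constructed low-cost hash.
    sample = [
        "some-user:$2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu",
        "some-plaintext-user:a-plaintext-password",
        "weak-user:$2a$09$" + "." * 53,   # constructed: cost 9 is too low
    ]
    for f in check_local_users(sample):
        print(f"{f.level:5} {f.user}: {f.message}")
```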

auth_duration

Length of time for which tokens are valid. Afterwards, users will have to log back in. Use Go duration format (48h = 48 hours).

Default
24h

aws_secretsmanager

access_key

AWS Access key ID used as credentials for accessing SecretsManager.

pipeline_secret_template

AWS SecretsManager secret name template used to resolve pipeline specific secrets.

Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

region

AWS region to use for fetching entries from SecretsManager.

secret_key

AWS Secret Access Key used as credentials for accessing SecretsManager.

session_token

AWS Session Token used as credentials for accessing SecretsManager.

team_secret_template

AWS SecretsManager secret name template used to resolve team specific secrets.

Default
/concourse/{{.Team}}/{{.Secret}}

aws_ssm

access_key

AWS Access key ID used as credentials for accessing SSM parameters.

pipeline_secret_template

AWS SSM parameter name template used to resolve pipeline specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.

Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

region

AWS region to use for fetching SSM parameters.

secret_key

AWS Secret Access Key used as credentials for accessing SSM parameters.

session_token

AWS Session Token used as credentials for accessing SSM parameters.

team_secret_template

AWS SSM parameter name template used to resolve team specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.

Default
/concourse/{{.Team}}/{{.Secret}}

baggageclaim_response_header_timeout

How long to wait for Baggageclaim to send the response header. Use Go duration format (1m = 1 minute).

Default
1m

bind_ip

IP address on which the ATC should listen for HTTP traffic.

Default
0.0.0.0

bind_port

Port on which the ATC should listen for HTTP traffic.

Default
8080

bitbucket_cloud_auth

client_id

BitBucket Cloud client ID.

client_secret

BitBucket Cloud client secret.

build_log_retention

default

Default (can be overridden by job) number of build logs to retain. 0 (or not set) means retain all (the database will grow indefinitely).

Example
100

maximum

If set, this will cap the maximum number of build logs to retain for any job, capping any value set in a job itself or the build_log_retention.default. 0 (or not set) means no maximum is specified.

Example
1000

build_tracker_interval

The interval, in Go duration format (1m = 1 minute), on which to run build tracking to keep track of build status.

Default
10s

capture_error_metrics

Enable capturing of error log metrics.

cf_auth

api_url

Cloud Foundry api endpoint url.

ca_cert

Cloud Foundry CA Certificate.

client_id

UAA client ID to use for OAuth.

client_secret

UAA client secret to use for OAuth.

skip_ssl_validation

Skip SSL validation.

container_placement_strategy

Method by which a worker is selected during container placement.

Options are “volume-locality”, “random”, and “least-build-containers”.

Default
volume-locality

cookie_secure

Set secure flag on auth cookies.

Default
false

credhub

client_id

Client ID for CredHub authorization.

client_secret

Client secret for CredHub authorization.

path_prefix

Path under which to namespace team/pipeline credentials.

Default
/concourse

tls

ca_cert

A PEM-encoded CA cert to use to verify the Credhub server SSL cert.

client_cert

Client certificate for CredHub mutual TLS auth.

insecure_skip_verify

Skip verification of the CredHub server SSL certificate (insecure).

Default
false

url

CredHub server address used to access secrets.

Example
https://credhub-server:9000

datadog

agent_host

If configured, detailed metrics will be emitted to the specified Datadog Agent’s dogstatsd server.

agent_port

Port of the Datadog Agent’s dogstatsd server to emit events to.

Default
8125

prefix

An optional prefix for emitted Datadog events.

debug

bind_ip

IP address on which to listen for the pprof debugger endpoints.

Default
127.0.0.1

bind_port

Port on which to listen for the pprof debugger endpoints.

Default
8079

default_check_interval

The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources.

This can also be specified on a per-resource basis by specifying check_every on the resource config.

Default
1m

default_resource_type_check_interval

The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resource types.

This can also be specified on a per-resource_type basis by specifying check_every on the resource type config.

Default
1m

default_task_cpu_limit

Default limit for cpu shares used per task. This can be overridden by specifying a different limit in the task yaml.

Example
256

default_task_memory_limit

Default limit for memory used per task. This can be overridden by specifying a different limit in the task yaml.

Example
200mb

emit_metrics_to_logs

Emit metrics to logs.

enable_global_resources

Enable equivalent resources across pipelines and teams to share a single version history.

Default
false

encryption_key

A 16 or 32 byte passphrase. This is used to generate an AES key to encrypt sensitive information in the database.

If specified, all existing data will be encrypted on start and any new data will be encrypted.

external_url

Externally reachable URL of the ATCs. Required for OAuth. This will be auto-generated using the IP of each ATC VM if not specified, however this is only a reasonable default if you have a single instance.

Typically this is the URL that you as a user would use to reach your CI. For multiple ATCs it would go to some sort of load balancer.

Example
https://ci.concourse-ci.org

gc

interval

The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.

Default
30s

missing_grace_period

Period after which to reap containers and volumes that were created but went missing from the worker.

one_off_grace_period

Period after which one-off build containers will be garbage-collected.

gc_interval

The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.

generic_oauth

auth_url

Generic OAuth provider authorization endpoint url.

ca_cert

The CA certificate for the Generic OAuth provider’s endpoints.

client_id

Application client ID for enabling generic OAuth.

client_secret

Application client secret for enabling generic OAuth.

display_name

Name of the authentication method to be displayed on the Web UI

groups_key

Groups claim key used to map groups from the OAuth userinfo/token.

scopes

OAuth scopes to request during authorization.

skip_ssl_validation

Skip SSL validation.

token_url

Generic OAuth provider token endpoint URL.

user_id_key

User ID claim key used to map the user ID from the OAuth userinfo/token.

user_name_key

User name claim key used to map the user name from the OAuth userinfo/token.

userinfo_url

Generic OAuth provider user info endpoint URL.

generic_oidc

ca_cert

The CA certificate for the Generic OIDC provider’s endpoints.

client_id

Application client ID for enabling generic OIDC.

client_secret

Application client secret for enabling generic OIDC.

display_name

Name of the authentication method to be displayed on the Web UI

groups_key

Groups claim key used to map groups from the OIDC userinfo/token.

hosted_domains

List of whitelisted domains when using Google; only users from a listed domain will be allowed to log in.

issuer

Generic OIDC provider issuer url.

scopes

OIDC scopes to request during authorization.

Default
[]

skip_ssl_validation

Skip SSL validation.

user_name_key

User name claim key used to map the user name from the OIDC userinfo/token.

github_auth

ca_cert

GitHub Enterprise CA Certificate.

client_id

GitHub client ID to use for OAuth.

The application must be configured with its callback URL as {external_url}/sky/issuer/callback (replacing {external_url} with the actual value).

client_secret

GitHub client secret to use for OAuth.

The application must be configured with its callback URL as {external_url}/sky/issuer/callback (replacing {external_url} with the actual value).

host

Override the default hostname for GitHub Enterprise (no scheme, no trailing slash).

Example
github.example.com

gitlab_auth

client_id

GitLab client ID to use for OAuth.

client_secret

GitLab client secret to use for OAuth.

host

Hostname of the GitLab Enterprise deployment (include scheme, no trailing slash).

global_resource_check_timeout

Time limit on checking for new versions of resources.

Default
1h

influxdb

database

InfluxDB database to which metrics will be emitted.

insecure_skip_verify

Skip SSL verification when emitting to InfluxDB.

Default
false

password

InfluxDB password for authorizing access.

url

If configured, detailed metrics will be emitted to the specified InfluxDB server.

username

InfluxDB username for authorizing access.

intercept_idle_timeout

Length of time for an intercepted session to be idle before terminating, in Go duration format.

Example
5m

ldap_auth

bind_dn

Bind DN for searching LDAP users and groups. Typically this is a read-only user.

bind_pw

Bind Password for the user specified by ‘bind-dn’.

ca_cert

The CA certificate for the LDAP auth provider’s endpoints.

display_name

The auth provider name displayed to users on the login page.

group_search_base_dn

BaseDN to start the search from.

Example
cn=groups,dc=example,dc=com

group_search_filter

Optional filter to apply when searching the directory.

Example
(objectClass=posixGroup)

group_search_group_attr

Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=)

group_search_name_attr

The attribute of the group that represents its name.

group_search_scope

Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.

group_search_user_attr

Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=).

host

The host and optional port of the LDAP server. If the port isn’t supplied, it will be guessed based on the TLS configuration (389 or 636).

insecure_no_ssl

Required if LDAP host does not use TLS.

Default
false

insecure_skip_verify

Skip certificate verification.

Default
false

start_tls

Start on insecure port, then negotiate TLS.

Default
false

user_search_base_dn

BaseDN to start the search from.

Example
cn=users,dc=example,dc=com

user_search_email_attr

A mapping of attributes on the user entry to claims. Defaults to ‘mail’ if empty.

user_search_filter

Optional filter to apply when searching the directory.

Example
(objectClass=person)

user_search_id_attr

A mapping of attributes on the user entry to claims. Defaults to ‘uid’ if empty.

user_search_name_attr

A mapping of attributes on the user entry to claims.

user_search_scope

Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.

user_search_username

Attribute to match against the username entered at login. This will be translated and combined with the other filter as ‘(=)‘.

log_db_queries

Log database queries. Log level is debug, so you’ll need to set the log_level property as well. This is mainly useful for Concourse developers to analyze query counts.

Default
false

log_level

The log level for the ATC. When set to debug, you’ll see a lot more information about scheduling, resource scanning, etc., but it’ll be quite chatty.

Default
info

main_team

auth

bitbucket_cloud

teams

List of whitelisted Bitbucket Cloud teams.

Example
- my-bitbucket-cloud-team

users

List of whitelisted Bitbucket Cloud users.

Example
- my-bitbucket-cloud-login

cf

orgs

List of CloudFoundry Orgs that are authorized for the main team

Example
- myorg

space_guids

List of CloudFoundry Space GUIDs that are authorized for the main team

spaces

List of CloudFoundry Spaces that are authorized for the main team

Example
- myorg:myspace

users

List of CloudFoundry userids/usernames that are authorized for the main team

Example
- my-username

github

orgs

An array of GitHub orgs that are authorized for the main team

Example
- my-github-org

teams

An array of GitHub teams that are authorized for the main team

Example
- my-github-org:my-github-team

users

An array of GitHub userids/logins that are authorized for the main team

Example
- my-github-login

gitlab

groups

An array of GitLab groups that are authorized for the main team

Example
- my-gitlab-group

users

An array of GitLab users that are authorized for the main team

Example
- my-gitlab-login

ldap

groups

List of LDAP groups that are authorized for the main team

Example
- my-group

users

List of LDAP users that are authorized for the main team

Example
- my-username

local

users

An array of local users that are authorized for the main team.

oauth

groups

List of Generic OAuth groups that are authorized for the main team

Example
- my-group

users

List of Generic OAuth users that are authorized for the main team

Example
- my-username

oidc

groups

List of Generic OIDC groups that are authorized for the main team

Example
- my-group

users

List of Generic OIDC users that are authorized for the main team

Example
- my-username

newrelic

account_id

New Relic Account ID.

api_key

New Relic Insights API Key.

service_prefix

An optional prefix for emitted New Relic events.

old_encryption_key

The key used previously to encrypt sensitive information in the database.

To rotate your encryption key, set both old_encryption_key and encryption_key. This will result in the ATC re-encrypting all data on start.

To disable encryption, specify old_encryption_key and do not set encryption_key. This will result in the ATC decrypting all data on start, restoring it to plaintext.

postgresql

ca_cert

CA certificate to verify the server against.

client_cert

Client certificate to use when connecting with the server.

connect_timeout

Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.

Default
5m

database

Name of the database to use.

host

IP address or DNS name of a PostgreSQL server to connect to.

If not specified, one will be autodiscovered via BOSH links.

port

Port on which to connect to the server specified by postgresql.host.

If postgresql.host is not specified, this will be autodiscovered via BOSH links, along with the host.

Default
5432

role

name

Name of role to connect with.

password

Password to use when connecting.

socket

Path to a UNIX domain socket to connect to.

sslmode

Whether or not to use SSL. Defaults to verify-ca when postgresql.address or postgresql.host is provided. Otherwise, defaults to disable.

prometheus

bind_ip

If configured, expose Prometheus metrics at the specified address.

bind_port

If configured, expose Prometheus metrics on the specified port.

riemann

host

If configured, detailed metrics will be emitted to the specified Riemann server.

Default
""

port

Port of the Riemann server to emit events to.

Default
5555

service_prefix

An optional prefix for emitted Riemann services

tags

An optional map of tags in key: value format

Example
env: dev
foo: bar

secrets

retry_attempts

The number of times fetching a secret will be retried when a retryable error happens.

retry_interval

The interval between secret retry retrieval attempts.

syslog

address

Remote syslog server address with port.

Example
0.0.0.0:514

ca_cert

A PEM-encoded CA cert to use to verify the Syslog server SSL cert.

drain_interval

Interval on which to check for new build logs to send to the syslog server (duration units are s/m/h).

Default
30s
Example
30s

hostname

Client hostname with which the build logs will be sent to the syslog server.

Default
atc-syslog-drainer
Example
atc-syslog-drainer

transport

Transport protocol for syslog messages (Currently supporting tcp, udp & tls).

Example
tcp

tls

bind_port

Port on which the ATC should listen for HTTPS traffic.

cert

SSL cert to use for HTTPS.

If not specified, only HTTP will be enabled.

tls_bind_port

Deprecated in favor of tls.bind_port.

tls_cert

Deprecated in favor of tls.cert.

tls_key

Deprecated in favor of tls.cert.

token_signing_key

PEM RSA private key used for minting ATC tokens.

Example
private_key: |+
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
public_key: |+
  -----BEGIN PUBLIC KEY-----
  ...
  -----END PUBLIC KEY-----

vault

auth

backend

Auth backend to use for logging in to Vault.

backend_max_ttl

Time after which to force a re-login. If not set, the token will just be continuously renewed.

client_token

Client token to use for accessing your Vault server.

params

Key-value parameters to provide when logging in with the backend.

Example
role_id: abc123
secret_id: def456

cache

Enable Vault cache for secrets lease duration in memory.

Default
false

max_lease

If the cache is enabled, and this is set, override secrets lease duration with a maximum value.

path_prefix

Path under which to namespace team/pipeline credentials.

Default
/concourse

retry

initial

The initial time between retries when logging in or re-authing a secret.

max

The maximum time between retries when logging in or re-authing a secret.

shared_path

Path under which to lookup shared credentials.

tls

ca_cert

A PEM-encoded CA cert to use to verify the Vault server SSL cert.

client_cert

Client certificate for Vault TLS auth.

insecure_skip_verify

Skip verification of the Vault server SSL certificate (insecure).

Default
false

server_name

If set, is used to set the SNI host when connecting via TLS.

url

Vault server URL to use for parameterizing credentials.

worker_gateway

authorized_keys

Public keys to authorize for SSH connections. Either a string with one public key per line, or an array of public keys.

Default
""

bind_port

Port on which to listen for SSH connections.

Default
2222

heartbeat_interval

Interval on which to register workers with the ATC.

Default
30s

host_key

Must be specified; BOSH can auto-generate it (see the sample manifest.yml).

Example
private_key: |+
  -----BEGIN RSA PRIVATE KEY-----
  ...
  -----END RSA PRIVATE KEY-----
public_key: |+
  ssh-rsa ...

log_level

The log level for the TSA.

Default
info

team_authorized_keys

Public keys to authorize for per-team workers.

Map from team name to authorized keys, either as a string with one key per line or an array of public keys.

Default
{}
Example
concourse: |+
  ssh-rsa key key@pivotal.io

x_frame_options

The value to set for X-Frame-Options.

If omitted, the header is not set.

Templates

Templates are rendered and placed onto corresponding instances during the deployment process. This job's templates will be placed into the /var/vcap/jobs/web/ directory.

  • bin/pre_start (from pre_start.erb)
  • config/bpm.yml (from bpm.yml.erb)

Packages

Packages are compiled and placed onto corresponding instances during the deployment process. Packages will be placed into /var/vcap/packages/ directory.