web job from concourse/6.5.0
The 'web' node provides the Concourse web UI and API, along with a worker gateway for registering workers via SSH.
Github source:
31d78f2 or
master branch
Properties¶
add_local_users¶
List of username:password combinations for all your local users. The password can be bcrypted. Bcrypted password must have a strength of 10 or higher or the user will not be able to login.
- Example
-
some-other-user: $2a$10$.YIYH.5EWQcCvfE49xH/.OhIhGFiNtn.tQq.4pznpcrqZvoLxuKeC some-plaintext-user: a-plaintext-password some-user: $2a$10$sKZelZprWWcBAWbp28rB1uFef0Ybxsiqh05uo.H8EIm0sWc6IZGJu
api_max_conns¶
The maximum number of open connections for the api connection pool.
audit¶
build¶Enable auditing of build API requests.
container¶Enable auditing of container API requests.
job¶Enable auditing of job API requests.
pipeline¶Enable auditing of pipeline API requests.
resource¶Enable auditing of resource API requests.
system¶Enable auditing of system API requests.
team¶Enable auditing of team API requests.
volume¶Enable auditing of volume API requests.
worker¶Enable auditing of worker API requests.
auth_duration¶
Length of time for which tokens are valid. Afterwards, users will have to log back in. Use Go duration format (48h = 48 hours).
- Default
24h
aws_secretsmanager¶
access_key¶AWS Access key ID used as credentials for accessing SecretsManager.
pipeline_secret_template¶AWS SecretsManager secret name template used to resolve pipeline specific secrets.
- Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
region¶AWS region to use for fetching entries from SecretsManager.
secret_key¶AWS Secret Access Key used as credentials for accessing SecretsManager.
session_token¶AWS Session Token used as credentials for accessing SecretsManager.
team_secret_template¶AWS SecretsManager secret name template used to resolve team specific secrets.
- Default
/concourse/{{.Team}}/{{.Secret}}
aws_ssm¶
access_key¶AWS Access key ID used as credentials for accessing SSM parameters.
pipeline_secret_template¶AWS SSM parameter name template used to resolve pipeline specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names.
- Default
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
region¶AWS region to use for fetching SSM parameters.
secret_key¶AWS Secret Access Key used as credentials for accessing SSM parameters.
session_token¶AWS Session Token used as credentials for accessing SSM parameters.
team_secret_template¶AWS SSM parameter name template used to resolve team specific secrets. If this flag contains slashes, be sure to start it with a /. Maximum 5 slashes are permitted by AWS in parameter names. names.
- Default
/concourse/{{.Team}}/{{.Secret}}
backend_max_conns¶
The maximum number of open connections for the backend connection pool.
baggageclaim_response_header_timeout¶
How long to wait for Baggageclaim to send the response header. Use Go duration format (1m = 1 minute).
- Default
1m
bind_ip¶
IP address on which the ATC should listen for HTTP traffic.
- Default
0.0.0.0
bind_port¶
Port on which the ATC should listen for HTTP traffic.
- Default
8080
bitbucket_cloud_auth¶
client_id¶BitBucket Cloud client ID.
client_secret¶BitBucket Cloud client secret.
build_log_retention¶
default¶Deprecated. See build_log_retention.default_builds.
- Example
default_builds¶Default days to retain build logs. 0 means unlimited.
- Example
default_days¶Default days to retain build logs. 0 means unlimited.
- Example
maximum¶Deprecated. See build_log_retention.maximum_builds.
- Example
maximum_builds¶Maximum builds logs to retain. Will override values configured in jobs.
- Example
maximum_days¶Maximum days to retain build logs. Will override values configured in jobs.
- Example
build_tracker_interval¶
The interval, in Go duration format (1m = 1 minute), on which to run build tracking to keep track of build status.
- Default
10s
capture_error_metrics¶
Enable capturing of error log metrics.
cf_auth¶
api_url¶Cloud Foundry api endpoint url.
ca_cert¶Cloud Foundry CA Certificate.
client_id¶UAA client ID to use for OAuth.
client_secret¶UAA client secret to use for OAuth.
skip_ssl_validation¶Skip SSL validation.
client_id¶
The concourse client_id to use when logging into the web interface
client_secret¶
The concourse client_secret to use when logging into the web interface
cluster_name¶
A name for this Concourse cluster, to be displayed on the dashboard page.
component_runner_interval¶
Interval on which runners are kicked off for builds, locks, scans, and checks
concurrent_request_limits¶
Limit the number of concurrent requests to an API endpoint.
- Example
-
ListAllJobs: 5
config_rbac¶
YAML file content to customize RBAC role-action mapping.
- Example
-
|+ pipeline-operator: - OrderPipelines - PausePipelines
conjur¶
account¶Conjur account name.
appliance_url¶URL of the Conjur instance.
auth¶
api_key¶API key related to the host.
login¶Host username. Example: host/concourse
token_file¶Path to token file used if Conjur instance is running in Kubernetes or IAM.
pipeline_secret_template¶Conjur secret identifier template used for pipeline specific parameter.
secret_template¶Conjur secret identifier template used for full path conjur secrets
team_secret_template¶Conjur secret identifier template used for team specific parameter.
tls¶
ca_cert¶A PEM-encoded CA cert to use to verify the Conjur server SSL cert.
container_placement_strategy¶
Method by which a worker is selected during container placement.
Supported options are “volume-locality”, “random” and “fewest-build-containers”. Experimental option: “limit-active-tasks”
- Default
volume-locality
cookie_secure¶
Set secure flag on auth cookies.
- Default
false
credhub¶
client_id¶Client ID for CredHub authorization.
client_secret¶Client secret for CredHub authorization.
path_prefix¶Path under which to namespace team/pipeline credentials.
- Default
tls¶
ca_cert¶A PEM-encoded CA cert to use to verify the Credhub server SSL cert.
client_cert¶Client certificate for CredHub mutual TLS auth.
insecure_skip_verify¶Enable insecure SSL verification.
- Default
url¶CredHub server address used to access secrets.
- Example
datadog¶
agent_host¶If configured, detailed metrics will be emitted to the specified Datadog Agent’s dogstatsd server.
agent_port¶Port of the Datadog Agent’s dogstatsd server to emit events to.
- Default
prefix¶An optional prefix for emitted Datadog events.
debug¶
bind_ip¶IP address on which to listen for the pprof debugger endpoints.
- Default
bind_port¶Port on which to listen for the pprof debugger endpoints.
- Default
default_check_interval¶
The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources.
This can also be specified on a per-resource basis by specifying
check_every on the resource config.
- Default
1m
default_check_interval_with_webhook¶
The interval, in Go duration format (1m = 1 minute), on which to check for new versions of resources which have a webhook token configured.
- Example
-
1m
default_task_cpu_limit¶
Default limit for cpu shares used per task. This can be overridden by specifying a different limit in the task yaml.
- Example
-
256
default_task_memory_limit¶
Default limit for memory used per task. This can be overridden by specifying a different limit in the task yaml.
- Example
-
200mb
emit_metrics_to_logs¶
Emit metrics to logs.
enable_across_step¶
Enable the experimental across step to be used in jobs. The API is subject to change.
enable_global_resources¶
Enable equivalent resources across pipelines and teams to share a single version history.
- Default
false
enable_rerun_when_worker_disappears¶
Enable rerunning of builds when worker disappears.
encryption_key¶
A 16 or 32 byte passphrase. This is used to generate an AES key to encrypt sensitive iinformation in the database.
If specified, all existing data will be encrypted on start and any new data will be encrypted.
external_url¶
Externally reachable URL of the ATCs. Required for OAuth. This will be auto-generated using the IP of each ATC VM if not specified, however this is only a reasonable default if you have a single instance.
Typically this is the URL that you as a user would use to reach your CI. For multiple ATCs it would go to some sort of load balancer.
- Example
-
https://ci.concourse-ci.org
garden_request_timeout¶
How long to wait for requests to Garden to complete, in Go duration format (48h = 48 hours). 0 means no timeout.
- Example
-
5m
gc¶
check_recycle_period¶Period after which finished checks will get garbage-collected.
- Default
failed_grace_period¶Period after which failed builds will get garbage collected
hijack_grace_period¶Period after which hijacked containers will be garbage-collected.
interval¶The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.
- Default
missing_grace_period¶Period after which to reap containers and volumes that were created but went missing from the worker.
one_off_grace_period¶Period after which one-off build containers will be garbage-collected.
gc_interval¶
The interval, in Go duration format (1m = 1 minute), on which to garbage collect containers, volumes, and other internal data.
generic_oauth¶
auth_url¶Generic OAuth provider authorization endpoint url.
ca_cert¶The CA certificate for the Generic OAuth provider’s endpoints.
client_id¶Application client ID for enabling generic OAuth.
client_secret¶Application client secret for enabling generic OAuth.
display_name¶Name of the authentication method to be displayed on the Web UI
groups_key¶Groups claim key used to map groups from the OAuth userinfo/token
scopes¶OAuth scopes to request during authorization.
skip_ssl_validation¶Skip SSL validation.
token_url¶Generic OAuth provider token endpoint URL.
user_id_key¶User ID claim key used to map groups from the OAuth userinfo/token
user_name_key¶User name claim key used to map groups from the OAuth userinfo/token
userinfo_url¶Generic OAuth provider user info endpoint URL.
generic_oidc¶
ca_cert¶The CA certificate for the Generic OIDC provider’s endpoints.
client_id¶Application client ID for enabling generic OIDC.
client_secret¶Application client secret for enabling generic OIDC.
display_name¶Name of the authentication method to be displayed on the Web UI
groups_key¶Groups claim key used to map groups from the OIDC userinfo/token
hosted_domains¶List of whitelisted domains when using Google, only users from a listed domain will be allowed to log in
issuer¶Generic OIDC provider issuer url.
scopes¶OIDC scopes to request during authorization.
- Default
skip_ssl_validation¶Skip SSL validation.
user_name_key¶User name claim key used to map groups from the OIDC userinfo/token
github_auth¶
ca_cert¶GitHub Enterprise CA Certificate.
client_id¶GitHub client ID to use for OAuth.
The application must be configured with its callback URL as
{external_url}/sky/issuer/callback(replacing{external_url}with the actual value).
client_secret¶GitHub client secret to use for OAuth.
The application must be configured with its callback URL as
{external_url}/sky/issuer/callback(replacing{external_url}with the actual value).
host¶Override default hostname for Github Enterprise. (No scheme, No trailing slash)
- Example
gitlab_auth¶
client_id¶GitLab client ID to use for OAuth.
client_secret¶GitLab client secret to use for OAuth.
host¶Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash)
global_resource_check_timeout¶
Time limit on checking for new versions of resources.
- Default
1h
influxdb¶
batch_duration¶The duration to wait before emitting a batch of points to InfluxDB, disregarding
influxdb.batch_size.
- Default
batch_size¶Number of points to batch together when emitting to InfluxDB.
- Default
database¶InfluxDB database to which metrics will be emitted.
insecure_skip_verify¶Skip SSL verification when emitting to InfluxDB.
- Default
password¶InfluxDB password for authorizing access.
url¶If configured, detailed metrics will be emitted to the specified InfluxDB server.
username¶InfluxDB username for authorizing access.
intercept_idle_timeout¶
Length of time for a intercepted session to be idle before terminating, in Go duration format.
- Example
-
5m
job_scheduling_max_in_flight¶
Maximum number of jobs to be scheduling at the same time.
- Default
32
ldap_auth¶
bind_dn¶Bind DN for searching LDAP users and groups. Typically this is a read-only user.
bind_pw¶Bind Password for the user specified by ‘bind-dn’.
ca_cert¶The CA certificate for the LDAP auth provider’s endpoints.
display_name¶The auth provider name displayed to users on the login page.
group_search_base_dn¶BaseDN to start the search from.
- Example
group_search_filter¶Optional filter to apply when searching the directory.
- Example
group_search_group_attr¶Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=)
group_search_name_attr¶The attribute of the group that represents its name.
group_search_scope¶Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.
group_search_user_attr¶Adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. The exact filter being added is (=).
host¶The host and optional port of the LDAP server. If port isn’t supplied, it will be guessed based on the TLS configuration. 389 or 636.
insecure_no_ssl¶Required if LDAP host does not use TLS.
- Default
insecure_skip_verify¶Skip certificate verification.
- Default
start_tls¶Start on insecure port, then negotiate TLS.
- Default
user_search_base_dn¶BaseDN to start the search from.
- Example
user_search_email_attr¶A mapping of attributes on the user entry to claims. Defaults to ‘mail’ if empty.
user_search_filter¶Optional filter to apply when searching the directory.
- Example
user_search_id_attr¶A mapping of attributes on the user entry to claims. Defaults to ‘uid’ if empty.
user_search_name_attr¶A mapping of attributes on the user entry to claims.
user_search_scope¶Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty.
user_search_username¶Attribute to match against the inputted username. This will be translated and combined with the other filter as ‘(=)‘.
lets_encrypt¶
acme_url¶URL of the ACME CA directory endpoint.
- Default
enabled¶Automatically configure TLS certificates via Let’s Encrypt/ACME.
lidar_checker_interval¶
Interval on which the resource checker runs any scheduled checks
- Default
10s
lidar_scanner_interval¶
Interval on which the resource scanner will run to see if new checks need to be scheduled
- Default
1m
log_cluster_name¶
Add cluster name (CONCOURSE_CLUSTER_NAME) to logs.
- Default
false
log_db_queries¶
Log database queries. Log level is debug, so you’ll need to set the log_level property as well. This is mainly useful for Concourse developers to analyze query counts.
- Default
false
log_level¶
The log level for the ATC. When set to debug, you’ll see a lot more information about scheduling, resource scanning, etc., but it’ll be quite chatty.
- Default
info
main_team¶
auth¶
bitbucket_cloud¶
teams¶List of whitelisted Bitbucket Cloud teams.
- Example
users¶List of whitelisted Bitbucket Cloud users.
- Example
cf¶
orgs¶List of CloudFoundry Orgs that are authorized for the main team
- Example
space_guids¶List of CloudFoundry Space GUIDs that are authorized for the main team
spaces¶(Deprecated) List of CloudFoundry Spaces whose ‘developer’ users are authorized for the main team
- Example
spaces_with_any_role¶List of CloudFoundry Spaces whose users with any role are authorized for the main team
- Example
spaces_with_auditor_role¶List of CloudFoundry Spaces whose ‘auditor’ users are authorized for the main team
- Example
spaces_with_developer_role¶List of CloudFoundry Spaces whose ‘developer’ users are authorized for the main team
- Example
spaces_with_manager_role¶List of CloudFoundry Spaces whose ‘manager’ users are authorized for the main team
- Example
users¶List of CloudFoundry userids/usernames that are authorized for the main team
- Example
config¶YAML file content for the main team’s role configuration.
- Example
|+ roles: - name: owner github: users: ["admin"] - name: member github: teams: ["org:team"] - name: viewer github: orgs: ["org"] local: users: ["visitor"]
github¶
orgs¶An array of GitHub orgs that are authorized for the main team
- Example
teams¶An array of GitHub teams that are authorized for the main team
- Example
users¶An array of GitHub userids/logins that are authorized for the main team
- Example
gitlab¶
groups¶An array of GitLab groups that are authorized for the main team
- Example
users¶An array of GitLab users that are authorized for the main team
- Example
ldap¶
groups¶List of LDAP groups that are authorized for the main team
- Example
users¶List of LDAP users that are authorized for the main team
- Example
local¶
users¶An array of local users that are authorized for the main team.
microsoft¶
groups¶List of whitelisted Microsoft groups for the main team.
- Example
users¶List of whitelisted Microsoft users for the main team.
- Example
oauth¶
groups¶List of Generic OAuth groups that are authorized for the main team
- Example
users¶List of Generic OAuth users that are authorized for the main team
- Example
oidc¶
groups¶List of Generic OIDC groups that are authorized for the main team
- Example
users¶List of Generic OIDC users that are authorized for the main team
- Example
max_active_tasks_per_worker¶
Maximum allowed number of active build tasks per worker.
Has effect only when used with “limit-active-tasks” placement strategy.
0 means no limit.
- Default
0
max_checks_per_second¶
Maximum number of checks that can be started per second. If not specified, this will be calculated as (# of resources)/(resource checking interval). -1 value will remove this maximum limit of checks per second.
- Example
-
100
metrics_buffer_size¶
The size of the buffer used in emitting event metrics.
- Default
1000
microsoft_auth¶
client_id¶Microsoft client ID to use for OAuth.
client_secret¶Microsoft client secret to use for OAuth.
groups¶Allowed Active Directory groups to use for Microsoft OAuth.
only_security_groups¶Only fetch security groups for Microsoft OAuth.
tenant¶Microsoft tenant limitation to use for OAuth (common, consumers, organizations, tenant name or tenant uuid).
newrelic¶
account_id¶New Relic Account ID.
api_key¶New Relic Insights API Key.
batch_duration¶Length of time to wait between emitting until all currently batched events are emitted.
- Example
batch_size¶Number of events to batch together before emitting.
- Example
disable_compression¶Disables compression of the batch before sending it.
- Example
service_prefix¶An optional prefix for emitted New Relic events.
url¶New Relic Insights Base Url
- Example
old_encryption_key¶
The key used previously to encrypt sensitive information in the database.
To rotate your encryption key, set both old_encryption_key and encryption_key. This will result in the ATC re-encrypting all data on start.
To disable encryption, specify old_encryption_key and do not set encryption_key. This will result in the ATC decrypting all data on start, restoring it to plaintext.
opa¶
timeout¶Open Policy Agent API request timeout.
url¶Open Policy Agent policy check endpoint.
- Example
policy_check¶
filter_actions¶Array of ATC API actions to filter through policy checking.
- Example
filter_http_methods¶Array of HTTP methods to filter through policy checking.
- Example
skip_actions¶Array of ATC API actions to skip policy checking.
- Example
postgresql¶
ca_cert¶CA certificate to verify the server against.
client_cert¶Client certificate to use when connecting with the server.
connect_timeout¶Dialing timeout, in Go duration format (1m = 1 minute). 0 means wait indefinitely.
- Default
database¶Name of the database to use.
host¶IP address or DNS name of a PostgreSQL server to connect to.
If not specified, one will be autodiscovered via BOSH links.
port¶Port on which to connect to the server specified by
postgresql.host.If
postgresql.hostis not specified, this will be autodiscovered via BOSH links, along with the host.
- Default
role¶
name¶Name of role to connect with.
password¶Password to use when connecting.
socket¶Path to a UNIX domain socket to connect to.
sslmode¶Whether or not to use SSL. Defaults to
verify-cawhenpostgresql.addressorpostgresql.hostis provided. Otherwise, defaults todisable.
prometheus¶
bind_ip¶If configured, expose Prometheus metrics at specified address
bind_port¶If configured, expose Prometheus metrics at specified port
redact_secrets¶
Enable redacting secrets in build logs.
secrets¶
cache¶
duration¶Maximum duration for which to keep cached credentials.
- Default
duration_notfound¶If the cache is enabled, secret not found responses will be cached for this duration.
- Default
enabled¶Enable in-memory caching of secrets fetched from the credential manager.
purge_interval¶Interval on which to purge expired cached credentials.
- Default
retry_attempts¶The number of attempts secret will be retried to be fetched, in case a retryable error happens.
retry_interval¶The interval between secret retry retrieval attempts.
streaming_artifacts_compression¶
Compression to use when streaming artifacts (values: zstd, gzip)
syslog¶
address¶Remote syslog server address with port.
- Example
ca_cert¶A PEM-encoded CA cert to use to verify the Syslog server SSL cert.
drain_interval¶Interval over which checking is done for new build logs to send to syslog server (duration measurement units are s/m/h)
- Default
- Example
hostname¶Client hostname with which the build logs will be sent to the syslog server.
- Default
- Example
transport¶Transport protocol for syslog messages (Currently supporting tcp, udp & tls).
- Example
tls¶
bind_port¶Port on which the ATC should listen for HTTPS traffic.
cert¶SSL cert to use for HTTPS.
If not specified, only HTTP will be enabled.
tls_bind_port¶
Deprecated in favor of tls.bind_port.
tls_cert¶
Deprecated in favor of tls.cert.
tls_key¶
Deprecated in favor of tls.cert.
token_signing_key¶
PEM RSA private key used for minting ATC tokens.
- Example
-
private_key: |+ -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- public_key: |+ -----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----
tracing¶
jaeger_endpoint¶jaeger HTTP-based Thrift collector.
- Example
jaeger_service¶Name of the service being traced.
- Example
jaeger_tags¶Tags to include in components.
- Example
stackdriver_projectid¶GCP’s Project ID
- Example
vault¶
auth¶
backend¶Auth backend to use for logging in to Vault.
backend_max_ttl¶Time after which to force a re-login. If not set, the token will just be continuously renewed.
client_token¶Client token to use for accessing your Vault server.
params¶Key-value parameters to provide when logging in with the backend.
- Example
lookup_templates¶Path templates for credential lookup.
namespace¶Vault namespace to use for authentication and secret lookup. Currently only supported for Enterprise Vault.
path_prefix¶Path under which to look up shared team/pipeline credentials.
- Default
retry¶
initial¶The initial time between retries when logging in or re-authing a secret.
max¶The maximum time between retries when logging in or re-authing a secret.
shared_path¶Path under which to lookup shared credentials.
tls¶
ca_cert¶A PEM-encoded CA cert to use to verify the Vault server SSL cert.
client_cert¶Client certificate for Vault TLS auth.
insecure_skip_verify¶Enable insecure SSL verification.
- Default
server_name¶If set, is used to set the SNI host when connecting via TLS.
url¶Vault server URL to use for parameterizing credentials.
worker_gateway¶
authorized_keys¶Public keys to authorize for SSH connections. Either a string with one public key per line, or an array of public keys.
- Default
bind_port¶Port on which to listen for SSH connections.
- Default
client_id¶Configure the client_id to use when requesting a token
client_secret¶Configure the client_secret to use when requesting a token
garden_request_timeout¶How long to wait for requests to Garden to complete. 0 means no timeout.
- Example
heartbeat_interval¶Interval on which to register workers with the ATC.
- Default
host_key¶Must be specified, bosh can auto-generate, see sample manifest.yml.
- Example
log_level¶The log level for the TSA.
- Default
team_authorized_keys¶Public keys to authorize for per-team workers.
Map from team name to authorized keys, either as a string with one key per line or an array of public keys.
- Example
x_frame_options¶
The value to set for X-Frame-Options.
- Default
deny
Templates¶
Templates are rendered and placed onto corresponding
instances during the deployment process. This job's templates
will be placed into /var/vcap/jobs/web/ directory
(learn more).
bin/pre_start(frompre_start.erb)config/bpm.yml(frombpm.yml.erb)
Packages¶
Packages are compiled and placed onto corresponding
instances during the deployment process. Packages will be
placed into /var/vcap/packages/ directory.