skyscrapers / terraform-concourse Goto Github PK
View Code? Open in Web Editor NEWTerraform setup to deploy an ECS based concourse-ci setup.
License: Apache License 2.0
terraform-concourse's Issues
Principals can't be empty in cross-account Concourse keys policy
In the keys module, if no principals are provided in the concourse_keys_cross_account_principals variable, AWS complains that it can't create the policy without principals.
* aws_iam_role.concourse_keys_cross_account: Error creating IAM Role concourse-keys-20180525100019477900000001: MalformedPolicyDocument: Invalid principal in policy: com.amazon.balsa.error.InvalidPolicyException: The passed in policy has a statement with no principals!
Possible solution
Don't create the policy if no principals are provided
Green / Blue Canary Setup: HowTo?
Is there any documentation as to how to use the implemented Canary setup here? If this is not the best place to post lmk.
Workers not starting
Describe the problem
Pipelines are not running. When executing fly -t main workers we see that no workers are running.
To Reproduce
Steps to reproduce the behavior:
- Provision VPC
- Run
terraform apply - Wait about 5 minutes for web to become available
- Run
fly --target main login --team-name main --concourse-url https://concourse.mydomain.com/to authenticate - Run
fly -t main workers
Expected behavior
Expect two workers to be running
[RFC] Support for all possible combinations of `concourse web` arguments
This ticket is a Request For Comments to discuss the future evolution of this module given the set of CLI arguments or environment variables in upstream Concourse will still evolve quite a bit.
Below is the full list of arguments that concourse web supports:
Usage:
concourse [OPTIONS] web [web-OPTIONS]
Application Options:
-v, --version Print the version of Concourse and exit [$CONCOURSE_VERSION]
Help Options:
-h, --help Show this help message
[web command options]
--log-level=[debug|info|error|fatal] Minimum level of logs to see. (default: info) [$CONCOURSE_LOG_LEVEL]
--bind-ip= IP address on which to listen for web traffic. (default: 0.0.0.0) [$CONCOURSE_BIND_IP]
--bind-port= Port on which to listen for HTTP traffic. (default: 8080) [$CONCOURSE_BIND_PORT]
--tls-bind-port= Port on which to listen for HTTPS traffic. [$CONCOURSE_TLS_BIND_PORT]
--tls-cert= File containing an SSL certificate. [$CONCOURSE_TLS_CERT]
--tls-key= File containing an RSA private key, used to encrypt HTTPS traffic. [$CONCOURSE_TLS_KEY]
--external-url= URL used to reach any ATC from the outside world. [$CONCOURSE_EXTERNAL_URL]
--peer-url= URL used to reach this ATC from other ATCs in the cluster. [$CONCOURSE_PEER_URL]
--encryption-key= A 16 or 32 length key used to encrypt sensitive information before storing it in the database.
[$CONCOURSE_ENCRYPTION_KEY]
--old-encryption-key= Encryption key previously used for encrypting sensitive information. If provided without a new key, data is
encrypted. If provided with a new key, data is re-encrypted. [$CONCOURSE_OLD_ENCRYPTION_KEY]
--debug-bind-ip= IP address on which to listen for the pprof debugger endpoints. (default: 127.0.0.1)
[$CONCOURSE_DEBUG_BIND_IP]
--debug-bind-port= Port on which to listen for the pprof debugger endpoints. (default: 8079) [$CONCOURSE_DEBUG_BIND_PORT]
--intercept-idle-timeout= Length of time for a intercepted session to be idle before terminating. (default: 0m)
[$CONCOURSE_INTERCEPT_IDLE_TIMEOUT]
--global-resource-check-timeout= Time limit on checking for new versions of resources. (default: 1h) [$CONCOURSE_GLOBAL_RESOURCE_CHECK_TIMEOUT]
--resource-checking-interval= Interval on which to check for new versions of resources. (default: 1m)
[$CONCOURSE_RESOURCE_CHECKING_INTERVAL]
--resource-type-checking-interval= Interval on which to check for new versions of resource types. (default: 1m)
[$CONCOURSE_RESOURCE_TYPE_CHECKING_INTERVAL]
--container-placement-strategy=[volume-locality|random] Method by which a worker is selected during container placement. (default: volume-locality)
[$CONCOURSE_CONTAINER_PLACEMENT_STRATEGY]
--baggageclaim-response-header-timeout= How long to wait for Baggageclaim to send the response header. (default: 1m)
[$CONCOURSE_BAGGAGECLAIM_RESPONSE_HEADER_TIMEOUT]
--cli-artifacts-dir= Directory containing downloadable CLI binaries. [$CONCOURSE_CLI_ARTIFACTS_DIR]
--log-db-queries Log database queries. [$CONCOURSE_LOG_DB_QUERIES]
--build-tracker-interval= Interval on which to run build tracking. (default: 10s) [$CONCOURSE_BUILD_TRACKER_INTERVAL]
--default-build-logs-to-retain= Default build logs to retain, 0 means all [$CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN]
--max-build-logs-to-retain= Maximum build logs to retain, 0 means not specified. Will override values configured in jobs
[$CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN]
--default-task-cpu-limit= Default max number of cpu shares per task, 0 means unlimited [$CONCOURSE_DEFAULT_TASK_CPU_LIMIT]
--default-task-memory-limit= Default maximum memory per task, 0 means unlimited [$CONCOURSE_DEFAULT_TASK_MEMORY_LIMIT]
PostgreSQL Configuration:
--postgres-host= The host to connect to. (default: 127.0.0.1) [$CONCOURSE_POSTGRES_HOST]
--postgres-port= The port to connect to. (default: 5432) [$CONCOURSE_POSTGRES_PORT]
--postgres-socket= Path to a UNIX domain socket to connect to. [$CONCOURSE_POSTGRES_SOCKET]
--postgres-user= The user to sign in as. [$CONCOURSE_POSTGRES_USER]
--postgres-password= The user's password. [$CONCOURSE_POSTGRES_PASSWORD]
--postgres-sslmode=[disable|require|verify-ca|verify-full] Whether or not to use SSL. (default: disable) [$CONCOURSE_POSTGRES_SSLMODE]
--postgres-ca-cert= CA cert file location, to verify when connecting with SSL. [$CONCOURSE_POSTGRES_CA_CERT]
--postgres-client-cert= Client cert file location. [$CONCOURSE_POSTGRES_CLIENT_CERT]
--postgres-client-key= Client key file location. [$CONCOURSE_POSTGRES_CLIENT_KEY]
--postgres-connect-timeout= Dialing timeout. (0 means wait indefinitely) (default: 5m) [$CONCOURSE_POSTGRES_CONNECT_TIMEOUT]
--postgres-database= The name of the database to use. (default: atc) [$CONCOURSE_POSTGRES_DATABASE]
Vault Credential Management:
--vault-url= Vault server address used to access secrets. [$CONCOURSE_VAULT_URL]
--vault-path-prefix= Path under which to namespace credential lookup. (default: /concourse) [$CONCOURSE_VAULT_PATH_PREFIX]
--vault-cache Cache returned secrets for their lease duration in memory [$CONCOURSE_VAULT_CACHE]
--vault-max-lease= If the cache is enabled, and this is set, override secrets lease duration with a maximum value
[$CONCOURSE_VAULT_MAX_LEASE]
--vault-ca-cert= Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert. [$CONCOURSE_VAULT_CA_CERT]
--vault-ca-path= Path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert.
[$CONCOURSE_VAULT_CA_PATH]
--vault-client-cert= Path to the client certificate for Vault authorization. [$CONCOURSE_VAULT_CLIENT_CERT]
--vault-client-key= Path to the client private key for Vault authorization. [$CONCOURSE_VAULT_CLIENT_KEY]
--vault-server-name= If set, is used to set the SNI host when connecting via TLS. [$CONCOURSE_VAULT_SERVER_NAME]
--vault-insecure-skip-verify Enable insecure SSL verification. [$CONCOURSE_VAULT_INSECURE_SKIP_VERIFY]
--vault-client-token= Client token for accessing secrets within the Vault server. [$CONCOURSE_VAULT_CLIENT_TOKEN]
--vault-auth-backend= Auth backend to use for logging in to Vault. [$CONCOURSE_VAULT_AUTH_BACKEND]
--vault-auth-backend-max-ttl= Time after which to force a re-login. If not set, the token will just be continuously renewed.
[$CONCOURSE_VAULT_AUTH_BACKEND_MAX_TTL]
--vault-retry-max= The maximum time between retries when logging in or re-authing a secret. (default: 5m)
[$CONCOURSE_VAULT_RETRY_MAX]
--vault-retry-initial= The initial time between retries when logging in or re-authing a secret. (default: 1s)
[$CONCOURSE_VAULT_RETRY_INITIAL]
--vault-auth-param=NAME=VALUE Paramter to pass when logging in via the backend. Can be specified multiple times.
[$CONCOURSE_VAULT_AUTH_PARAM]
CredHub Credential Management:
--credhub-url= CredHub server address used to access secrets. [$CONCOURSE_CREDHUB_URL]
--credhub-path-prefix= Path under which to namespace credential lookup. (default: /concourse) [$CONCOURSE_CREDHUB_PATH_PREFIX]
--credhub-ca-cert= Paths to PEM-encoded CA cert files to use to verify the CredHub server SSL cert. [$CONCOURSE_CREDHUB_CA_CERT]
--credhub-client-cert= Path to the client certificate for mutual TLS authorization. [$CONCOURSE_CREDHUB_CLIENT_CERT]
--credhub-client-key= Path to the client private key for mutual TLS authorization. [$CONCOURSE_CREDHUB_CLIENT_KEY]
--credhub-insecure-skip-verify Enable insecure SSL verification. [$CONCOURSE_CREDHUB_INSECURE_SKIP_VERIFY]
--credhub-client-id= Client ID for CredHub authorization. [$CONCOURSE_CREDHUB_CLIENT_ID]
--credhub-client-secret= Client secret for CredHub authorization. [$CONCOURSE_CREDHUB_CLIENT_SECRET]
Kubernetes Credential Management:
--kubernetes-in-cluster Enables the in-cluster client. [$CONCOURSE_KUBERNETES_IN_CLUSTER]
--kubernetes-config-path= Path to Kubernetes config when running ATC outside Kubernetes. [$CONCOURSE_KUBERNETES_CONFIG_PATH]
--kubernetes-namespace-prefix= Prefix to use for Kubernetes namespaces under which secrets will be looked up. (default: concourse-)
[$CONCOURSE_KUBERNETES_NAMESPACE_PREFIX]
AWS SecretsManager Credential Management:
--aws-secretsmanager-access-key= AWS Access key ID [$CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY]
--aws-secretsmanager-secret-key= AWS Secret Access Key [$CONCOURSE_AWS_SECRETSMANAGER_SECRET_KEY]
--aws-secretsmanager-session-token= AWS Session Token [$CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN]
--aws-secretsmanager-region= AWS region to send requests to [$AWS_REGION]
--aws-secretsmanager-pipeline-secret-template= AWS Secrets Manager secret identifier template used for pipeline specific parameter (default:
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}) [$CONCOURSE_AWS_SECRETSMANAGER_PIPELINE_SECRET_TEMPLATE]
--aws-secretsmanager-team-secret-template= AWS Secrets Manager secret identifier template used for team specific parameter (default:
/concourse/{{.Team}}/{{.Secret}}) [$CONCOURSE_AWS_SECRETSMANAGER_TEAM_SECRET_TEMPLATE]
AWS SSM Credential Management:
--aws-ssm-access-key= AWS Access key ID [$CONCOURSE_AWS_SSM_ACCESS_KEY]
--aws-ssm-secret-key= AWS Secret Access Key [$CONCOURSE_AWS_SSM_SECRET_KEY]
--aws-ssm-session-token= AWS Session Token [$CONCOURSE_AWS_SSM_SESSION_TOKEN]
--aws-ssm-region= AWS region to send requests to [$AWS_REGION]
--aws-ssm-pipeline-secret-template= AWS SSM parameter name template used for pipeline specific parameter (default:
/concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}) [$CONCOURSE_AWS_SSM_PIPELINE_SECRET_TEMPLATE]
--aws-ssm-team-secret-template= AWS SSM parameter name template used for team specific parameter (default: /concourse/{{.Team}}/{{.Secret}})
[$CONCOURSE_AWS_SSM_TEAM_SECRET_TEMPLATE]
Developer Options:
-n, --noop Don't actually do any automatic scheduling or checking. [$CONCOURSE_NOOP]
Static Worker (optional):
--worker-garden-url= A Garden API endpoint to register as a worker. [$CONCOURSE_WORKER_GARDEN_URL]
--worker-baggageclaim-url= A Baggageclaim API endpoint to register with the worker. [$CONCOURSE_WORKER_BAGGAGECLAIM_URL]
--worker-resource=TYPE:IMAGE A resource type to advertise for the worker. Can be specified multiple times. [$CONCOURSE_WORKER_RESOURCE]
Metrics & Diagnostics:
--metrics-host-name= Host string to attach to emitted metrics. [$CONCOURSE_METRICS_HOST_NAME]
--metrics-attribute=NAME:VALUE A key-value attribute to attach to emitted metrics. Can be specified multiple times.
[$CONCOURSE_METRICS_ATTRIBUTE]
Metric Emitter (Datadog):
--datadog-agent-host= Datadog agent host to expose dogstatsd metrics [$CONCOURSE_DATADOG_AGENT_HOST]
--datadog-agent-port= Datadog agent port to expose dogstatsd metrics [$CONCOURSE_DATADOG_AGENT_PORT]
--datadog-prefix= Prefix for all metrics to easily find them in Datadog [$CONCOURSE_DATADOG_PREFIX]
Metric Emitter (InfluxDB):
--influxdb-url= InfluxDB server address to emit points to. [$CONCOURSE_INFLUXDB_URL]
--influxdb-database= InfluxDB database to write points to. [$CONCOURSE_INFLUXDB_DATABASE]
--influxdb-username= InfluxDB server username. [$CONCOURSE_INFLUXDB_USERNAME]
--influxdb-password= InfluxDB server password. [$CONCOURSE_INFLUXDB_PASSWORD]
--influxdb-insecure-skip-verify Skip SSL verification when emitting to InfluxDB. [$CONCOURSE_INFLUXDB_INSECURE_SKIP_VERIFY]
Metric Emitter (Lager):
--emit-to-logs Emit metrics to logs. [$CONCOURSE_EMIT_TO_LOGS]
Metric Emitter (NewRelic):
--newrelic-account-id= New Relic Account ID [$CONCOURSE_NEWRELIC_ACCOUNT_ID]
--newrelic-api-key= New Relic Insights API Key [$CONCOURSE_NEWRELIC_API_KEY]
--newrelic-service-prefix= An optional prefix for emitted New Relic events [$CONCOURSE_NEWRELIC_SERVICE_PREFIX]
Metric Emitter (Prometheus):
--prometheus-bind-ip= IP to listen on to expose Prometheus metrics. [$CONCOURSE_PROMETHEUS_BIND_IP]
--prometheus-bind-port= Port to listen on to expose Prometheus metrics. [$CONCOURSE_PROMETHEUS_BIND_PORT]
Metric Emitter (Riemann):
--riemann-host= Riemann server address to emit metrics to. [$CONCOURSE_RIEMANN_HOST]
--riemann-port= Port of the Riemann server to emit metrics to. (default: 5555) [$CONCOURSE_RIEMANN_PORT]
--riemann-service-prefix= An optional prefix for emitted Riemann services [$CONCOURSE_RIEMANN_SERVICE_PREFIX]
--riemann-tag=TAG Tag to attach to emitted metrics. Can be specified multiple times. [$CONCOURSE_RIEMANN_TAG]
Web Server:
--x-frame-options= The value to set for X-Frame-Options. If omitted, the header is not set. [$CONCOURSE_X_FRAME_OPTIONS]
Garbage Collection:
--gc-interval= Interval on which to perform garbage collection. (default: 30s) [$CONCOURSE_GC_INTERVAL]
--gc-one-off-grace-period= Grace period before reaping one-off task containers (default: 5m) [$CONCOURSE_GC_ONE_OFF_GRACE_PERIOD]
Syslog Drainer Configuration:
--syslog-hostname= Client hostname with which the build logs will be sent to the syslog server. (default: atc-syslog-drainer)
[$CONCOURSE_SYSLOG_HOSTNAME]
--syslog-address= Remote syslog server address with port (Example: 0.0.0.0:514). [$CONCOURSE_SYSLOG_ADDRESS]
--syslog-transport= Transport protocol for syslog messages (Currently supporting tcp, udp & tls). [$CONCOURSE_SYSLOG_TRANSPORT]
--syslog-drain-interval= Interval over which checking is done for new build logs to send to syslog server (duration measurement units
are s/m/h; eg. 30s/30m/1h) (default: 30s) [$CONCOURSE_SYSLOG_DRAIN_INTERVAL]
--syslog-ca-cert= Paths to PEM-encoded CA cert files to use to verify the Syslog server SSL cert. [$CONCOURSE_SYSLOG_CA_CERT]
Authentication:
--cookie-secure Force sending secure flag on http cookies [$CONCOURSE_COOKIE_SECURE]
--auth-duration= Length of time for which tokens are valid. Afterwards, users will have to log back in. (default: 24h)
[$CONCOURSE_AUTH_DURATION]
--session-signing-key= File containing an RSA private key, used to sign auth tokens. [$CONCOURSE_SESSION_SIGNING_KEY]
--add-local-user=USERNAME:PASSWORD List of username:password combinations for all your local users. The password can be bcrypted - if so, it
must have a minimum cost of 10. [$CONCOURSE_ADD_LOCAL_USER]
Authentication (Main Team):
--main-team-local-user=USERNAME List of whitelisted local concourse users. These are the users you've added at atc startup with the
--add-local-user flag. [$CONCOURSE_MAIN_TEAM_LOCAL_USER]
--main-team-allow-all-users Setting this flag will whitelist all logged in users in the system. ALL OF THEM. If, for example, you've
configured GitHub, any user with a GitHub account will have access to your team.
[$CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS]
Authentication (Main Team) (CloudFoundry):
--main-team-cf-user=USERNAME List of whitelisted CloudFoundry users. [$CONCOURSE_MAIN_TEAM_CF_USER]
--main-team-cf-org=ORG_NAME List of whitelisted CloudFoundry orgs [$CONCOURSE_MAIN_TEAM_CF_ORG]
--main-team-cf-space=ORG_NAME:SPACE_NAME List of whitelisted CloudFoundry spaces [$CONCOURSE_MAIN_TEAM_CF_SPACE]
--main-team-cf-space-guid=SPACE_GUID (Deprecated) List of whitelisted CloudFoundry space guids [$CONCOURSE_MAIN_TEAM_CF_SPACE_GUID]
Authentication (Main Team) (GitHub):
--main-team-github-user=USERNAME List of whitelisted GitHub users [$CONCOURSE_MAIN_TEAM_GITHUB_USER]
--main-team-github-org=ORG_NAME List of whitelisted GitHub orgs [$CONCOURSE_MAIN_TEAM_GITHUB_ORG]
--main-team-github-team=ORG_NAME:TEAM_NAME List of whitelisted GitHub teams [$CONCOURSE_MAIN_TEAM_GITHUB_TEAM]
Authentication (Main Team) (GitLab):
--main-team-gitlab-user=USERNAME List of whitelisted GitLab users [$CONCOURSE_MAIN_TEAM_GITLAB_USER]
--main-team-gitlab-group=GROUP_NAME List of whitelisted GitLab groups [$CONCOURSE_MAIN_TEAM_GITLAB_GROUP]
Authentication (Main Team) (LDAP):
--main-team-ldap-user=USERNAME List of whitelisted LDAP users [$CONCOURSE_MAIN_TEAM_LDAP_USER]
--main-team-ldap-group=GROUP_NAME List of whitelisted LDAP groups [$CONCOURSE_MAIN_TEAM_LDAP_GROUP]
Authentication (Main Team) (OAuth2):
--main-team-oauth-user=USERNAME List of whitelisted OAuth2 users [$CONCOURSE_MAIN_TEAM_OAUTH_USER]
--main-team-oauth-group=GROUP_NAME List of whitelisted OAuth2 groups [$CONCOURSE_MAIN_TEAM_OAUTH_GROUP]
Authentication (Main Team) (OIDC):
--main-team-oidc-user=USERNAME List of whitelisted OIDC users [$CONCOURSE_MAIN_TEAM_OIDC_USER]
--main-team-oidc-group=GROUP_NAME List of whitelisted OIDC groups [$CONCOURSE_MAIN_TEAM_OIDC_GROUP]
Authentication (CloudFoundry):
--cf-client-id= (Required) Client id [$CONCOURSE_CF_CLIENT_ID]
--cf-client-secret= (Required) Client secret [$CONCOURSE_CF_CLIENT_SECRET]
--cf-api-url= (Required) The base API URL of your CF deployment. It will use this information to discover information about
the authentication provider. [$CONCOURSE_CF_API_URL]
--cf-ca-cert= CA Certificate [$CONCOURSE_CF_CA_CERT]
--cf-skip-ssl-validation Skip SSL validation [$CONCOURSE_CF_SKIP_SSL_VALIDATION]
Authentication (GitHub):
--github-client-id= (Required) Client id [$CONCOURSE_GITHUB_CLIENT_ID]
--github-client-secret= (Required) Client secret [$CONCOURSE_GITHUB_CLIENT_SECRET]
--github-host= Hostname of GitHub Enterprise deployment (No scheme, No trailing slash) [$CONCOURSE_GITHUB_HOST]
--github-ca-cert= CA certificate of GitHub Enterprise deployment [$CONCOURSE_GITHUB_CA_CERT]
Authentication (GitLab):
--gitlab-client-id= (Required) Client id [$CONCOURSE_GITLAB_CLIENT_ID]
--gitlab-client-secret= (Required) Client secret [$CONCOURSE_GITLAB_CLIENT_SECRET]
--gitlab-host= Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash) [$CONCOURSE_GITLAB_HOST]
Authentication (LDAP):
--ldap-display-name= The auth provider name displayed to users on the login page [$CONCOURSE_LDAP_DISPLAY_NAME]
--ldap-host= (Required) The host and optional port of the LDAP server. If port isn't supplied, it will be guessed based on
the TLS configuration. 389 or 636. [$CONCOURSE_LDAP_HOST]
--ldap-bind-dn= (Required) Bind DN for searching LDAP users and groups. Typically this is a read-only user.
[$CONCOURSE_LDAP_BIND_DN]
--ldap-bind-pw= (Required) Bind Password for the user specified by 'bind-dn' [$CONCOURSE_LDAP_BIND_PW]
--ldap-insecure-no-ssl Required if LDAP host does not use TLS. [$CONCOURSE_LDAP_INSECURE_NO_SSL]
--ldap-insecure-skip-verify Skip certificate verification [$CONCOURSE_LDAP_INSECURE_SKIP_VERIFY]
--ldap-start-tls Start on insecure port, then negotiate TLS [$CONCOURSE_LDAP_START_TLS]
--ldap-ca-cert= CA certificate [$CONCOURSE_LDAP_CA_CERT]
--ldap-user-search-base-dn= BaseDN to start the search from. For example 'cn=users,dc=example,dc=com'
[$CONCOURSE_LDAP_USER_SEARCH_BASE_DN]
--ldap-user-search-filter= Optional filter to apply when searching the directory. For example '(objectClass=person)'
[$CONCOURSE_LDAP_USER_SEARCH_FILTER]
--ldap-user-search-username= Attribute to match against the inputted username. This will be translated and combined with the other filter
as '(<attr>=<username>)'. [$CONCOURSE_LDAP_USER_SEARCH_USERNAME]
--ldap-user-search-scope= Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
[$CONCOURSE_LDAP_USER_SEARCH_SCOPE]
--ldap-user-search-id-attr= A mapping of attributes on the user entry to claims. Defaults to 'uid'. [$CONCOURSE_LDAP_USER_SEARCH_ID_ATTR]
--ldap-user-search-email-attr= A mapping of attributes on the user entry to claims. Defaults to 'mail'.
[$CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR]
--ldap-user-search-name-attr= A mapping of attributes on the user entry to claims. [$CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR]
--ldap-group-search-base-dn= BaseDN to start the search from. For example 'cn=groups,dc=example,dc=com'
[$CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN]
--ldap-group-search-filter= Optional filter to apply when searching the directory. For example '(objectClass=posixGroup)'
[$CONCOURSE_LDAP_GROUP_SEARCH_FILTER]
--ldap-group-search-scope= Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
[$CONCOURSE_LDAP_GROUP_SEARCH_SCOPE]
--ldap-group-search-user-attr= Adds an additional requirement to the filter that an attribute in the group match the user's attribute value.
The exact filter being added is: (<groupAttr>=<userAttr value>) [$CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR]
--ldap-group-search-group-attr= Adds an additional requirement to the filter that an attribute in the group match the user's attribute value.
The exact filter being added is: (<groupAttr>=<userAttr value>) [$CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR]
--ldap-group-search-name-attr= The attribute of the group that represents its name. [$CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR]
Authentication (OAuth2):
--oauth-display-name= The auth provider name displayed to users on the login page [$CONCOURSE_OAUTH_DISPLAY_NAME]
--oauth-client-id= (Required) Client id [$CONCOURSE_OAUTH_CLIENT_ID]
--oauth-client-secret= (Required) Client secret [$CONCOURSE_OAUTH_CLIENT_SECRET]
--oauth-auth-url= (Required) Authorization URL [$CONCOURSE_OAUTH_AUTH_URL]
--oauth-token-url= (Required) Token URL [$CONCOURSE_OAUTH_TOKEN_URL]
--oauth-userinfo-url= UserInfo URL [$CONCOURSE_OAUTH_USERINFO_URL]
--oauth-scope= Any additional scopes that need to be requested during authorization [$CONCOURSE_OAUTH_SCOPE]
--oauth-groups-key= The groups key indicates which claim to use to map external groups to Concourse teams.
[$CONCOURSE_OAUTH_GROUPS_KEY]
--oauth-ca-cert= CA Certificate [$CONCOURSE_OAUTH_CA_CERT]
--oauth-skip-ssl-validation Skip SSL validation [$CONCOURSE_OAUTH_SKIP_SSL_VALIDATION]
Authentication (OIDC):
--oidc-display-name= The auth provider name displayed to users on the login page [$CONCOURSE_OIDC_DISPLAY_NAME]
--oidc-issuer= (Required) An OIDC issuer URL that will be used to discover provider configuration using the
.well-known/openid-configuration [$CONCOURSE_OIDC_ISSUER]
--oidc-client-id= (Required) Client id [$CONCOURSE_OIDC_CLIENT_ID]
--oidc-client-secret= (Required) Client secret [$CONCOURSE_OIDC_CLIENT_SECRET]
--oidc-scope= Any additional scopes that need to be requested during authorization [$CONCOURSE_OIDC_SCOPE]
--oidc-groups-key= The groups key indicates which claim to use to map external groups to Concourse teams.
[$CONCOURSE_OIDC_GROUPS_KEY]
--oidc-hosted-domains= List of whitelisted domains when using Google, only users from a listed domain will be allowed to log in
[$CONCOURSE_OIDC_HOSTED_DOMAINS]
--oidc-ca-cert= CA Certificate [$CONCOURSE_OIDC_CA_CERT]
--oidc-skip-ssl-validation Skip SSL validation [$CONCOURSE_OIDC_SKIP_SSL_VALIDATION]
TSA Configuration:
--tsa-log-level=[debug|info|error|fatal] Minimum level of logs to see. (default: info) [$CONCOURSE_TSA_LOG_LEVEL]
--tsa-bind-ip= IP address on which to listen for SSH. (default: 0.0.0.0) [$CONCOURSE_TSA_BIND_IP]
--tsa-bind-port= Port on which to listen for SSH. (default: 2222) [$CONCOURSE_TSA_BIND_PORT]
--tsa-bind-debug-port= Port on which to listen for TSA pprof server. (default: 8089) [$CONCOURSE_TSA_BIND_DEBUG_PORT]
--tsa-peer-ip= IP address of this TSA, reachable by the ATCs. Used for forwarded worker addresses. [$CONCOURSE_TSA_PEER_IP]
--tsa-host-key= Path to private key to use for the SSH server. [$CONCOURSE_TSA_HOST_KEY]
--tsa-authorized-keys= Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line).
[$CONCOURSE_TSA_AUTHORIZED_KEYS]
--tsa-team-authorized-keys=NAME=PATH Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line).
[$CONCOURSE_TSA_TEAM_AUTHORIZED_KEYS]
--tsa-atc-url= ATC API endpoints to which workers will be registered. [$CONCOURSE_TSA_ATC_URL]
--tsa-session-signing-key= Path to private key to use when signing tokens in reqests to the ATC during registration.
[$CONCOURSE_TSA_SESSION_SIGNING_KEY]
--tsa-heartbeat-interval= interval on which to heartbeat workers to the ATC (default: 30s) [$CONCOURSE_TSA_HEARTBEAT_INTERVAL]
Before adding specific support for other sets of options, I would like to discuss whether or not it would be better to pass these options in a more general way.
The configuration for PostgreSQL and TSA are required settings for any Concourse deployment. The configuration of these 2 sets of arguments could remain as is.
The current state of the module only supports a subset of the remaining options:
- Basic Authentication
- Github Authentication
- Vault for Concourse Credential Management
Suppose we would only pass a single args parameter, then the templating to combine all the arguments would be outside of this module and specific to the use case. Given the set of options will evolve in the future, this approach will require less maintenance on this module.
The current case I'm working on requires:
- Datadog Metrics emitter
- OAuth2 Authentication (Office365) (BitBucket is currently not supported by Concourse via its integrated Dex)
- AWS Secrets Manager for Concourse Credential Management
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.