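defaults:
  taskcluster:
    # Root URL of the Taskcluster deployment this service is part of (required)
    rootUrl: !env TASKCLUSTER_ROOT_URL
  app:
    # Azure table for the client table
    clientTableName: !env:optional CLIENT_TABLE_NAME
    # Azure blob container for the role table
    rolesContainerName: !env:optional ROLES_CONTAINER_NAME
    # Name of component in statistics
    statsComponent: auth
    # Static clients, these clients are built-in from start, and can't be
    # modified or deleted at runtime. Useful for granting clientIds to other
    # services and bootstrapping with a root client.
    # Each entry must have: clientId, accessToken, description, scopes
    # where clientId MUST start with 'static/'; by convention these are
    # namespaced as static/<project>/<name>
    # The accessToken values in STATIC_CLIENTS are live credentials: keep that
    # variable out of version control, logs and crash reports.
    staticClients: !env:json STATIC_CLIENTS
    # Accounts that auth can delegate access to, as JSON
    azureAccounts: !env:json AZURE_ACCOUNTS
    # Maximum before updating lastUsed, MUST be negative
    # A sane value is something like 6 hours as all nodes will race to update
    # this value, and it's really only a best effort service.
    maxLastUsedDelay: '- 6 hours'
    # Sentry configuration
    # The authToken _must_ have at least project:{read,write,admin} and org:read
    sentry:
      organization: !env:optional SENTRY_ORGANIZATION
      hostname: !env:optional SENTRY_HOST
      authToken: !env:optional SENTRY_AUTH_TOKEN
      initialTeam: !env:optional SENTRY_TEAM
      keyPrefix: !env:optional SENTRY_KEY_PREFIX
    # Delay before expiring sentry keys, this should be negative!
    sentryExpirationDelay: '- 15 minutes'
    # Similarly, delay before deleting expired clients
    clientExpirationDelay: '-1 hour'
    statsum:
      secret: !env:optional STATSUM_API_SECRET
      baseUrl: !env:optional STATSUM_BASE_URL
    websocktunnel:
      secret: !env:optional WEBSOCKTUNNEL_SECRET
    # Overrides of s3 buckets for redeployability
    # Leave unset if running inside Heroku
    buckets:
      docs: !env:optional DOCS_BUCKET
      schemas: !env:optional SCHEMAS_BUCKET
      references: !env:optional REFS_BUCKET
    # Name of a kinesis firehose stream to write audit logs to
    auditLog: !env:optional AUDIT_LOG
  monitoring:
    level: !env:optional LEVEL
    errorConfig: !env:json:optional ERROR_CONFIG
  server:
    # Port to listen for requests on
    port: !env:number PORT
    # Environment 'development' or 'production'
    env: !env NODE_ENV
    # Force SSL, not useful when running locally
    forceSSL: !env:bool FORCE_SSL
    # Trust a forwarding proxy
    # NOTE(review): presumably this enables trust of forwarded client-address
    # headers; only enable it behind a proxy you control — confirm against the
    # server library.
    trustProxy: !env:bool TRUST_PROXY
  azure:
    # Azure table storage account name
    accountId: !env AZURE_ACCOUNT_ID
    # Azure table storage account key
    accessKey: !env AZURE_ACCOUNT_KEY
    # Key for signing in base.Entity (sufficiently random string required)
    signingKey: !env AZURE_SIGNING_KEY
    # Key for data encryption in base.Entity (32 random bytes as base64)
    cryptoKey: !env AZURE_CRYPTO_KEY
  pulse:
    username: !env PULSE_USERNAME
    password: !env PULSE_PASSWORD
    hostname: !env PULSE_HOSTNAME
    vhost: !env PULSE_VHOST
  # AWS SDK configuration for delegation of S3 access and publication of
  # schemas and references and other buckets. Only needed if managing buckets.
  aws:
    accessKeyId: !env:optional AWS_ACCESS_KEY_ID
    secretAccessKey: !env:optional AWS_SECRET_ACCESS_KEY
    # Default AWS region, this is where the S3 bucket lives
    region: !env:optional AWS_REGION
    # Lock API version to use the latest API from 2013, this is fuzzy locking,
    # but it does the trick...
    apiVersion: '2014-01-01'
  # Configuration for the GCP serviceAccounts to which the `gcpCredentials`
  # endpoint can grant access.
  gcpCredentials:
    # This has the form {
    #   "projectName": {
    #     # credentials for a serviceAccount in this project that has
    #     # roles/iam.serviceAccountTokenCreator.
    #     "credentials": {
    #       "type": ..,
    #       "project_id": ..,
    #       ..
    #     },
    #     # allowed service accounts in this project
    #     "allowedServiceAccounts": ["accountName1", ..]
    #   }, ..
    # }
    # If omitted, it defaults to {}
    # The "credentials" objects are service-account secrets; treat
    # GCP_CREDENTIALS_ALLOWED_PROJECTS with the same care as STATIC_CLIENTS.
    allowedProjects: !env:json:optional GCP_CREDENTIALS_ALLOWED_PROJECTS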
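production:
  app:
    clientTableName: Clients
    rolesContainerName: auth-production-roles
    sentry:
      organization: operations
      hostname: sentry.prod.mozaws.net
      initialTeam: taskcluster
      keyPrefix: taskcluster-auth
  server:
    # NOTE(review): forceHSTS and development have no entry under
    # defaults.server in this file; confirm the server library reads them,
    # otherwise these overrides are silently ignored.
    forceHSTS: true
    env: 'production'
    development: false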
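test:
  app:
    statsComponent: auth-tests
    clientTableName: Clients
    # Explicit null rather than a bare key: the real value is supplied by
    # the test helper (helper.js).
    staticClients: null
    # Special value for tests, as we don't want to wait forever
    maxLastUsedDelay: '- 3 seconds'
    # NOTE(review): this points at the production Sentry host with a dummy
    # token; confirm the test suite stubs Sentry so no request reaches it.
    sentry:
      organization: operations
      hostname: sentry.prod.mozaws.net
      authToken: whatever
      initialTeam: taskcluster
      keyPrefix: auth-test
    statsum:
      secret: 'secret'
      # NOTE(review): localhost.com is a public domain, not the loopback
      # address; if statsum is ever contacted in tests this would leave the
      # host — verify it is mocked, or use 127.0.0.1.
      baseUrl: 'http://localhost.com'
    websocktunnel:
      secret: 'test-secret'
  azure:
    # Fixed test-only values; the cryptoKey decodes to 32 zero bytes.
    # Never reuse either outside the test environment.
    signingKey: not-a-secret-so-you-cant-guess-it
    cryptoKey: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
  # Test bucket for STS credentials
  test:
    testBucket: !env:optional TEST_BUCKET
  server:
    forceSSL: false
    port: 60552
    env: development
    development: true
    trustProxy: true
  taskcluster:
    rootUrl: "https://tc.example.com"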