forked from ahelal/ansible-concourse
-
Notifications
You must be signed in to change notification settings - Fork 0
/
web_arguments.txt
277 lines (241 loc) · 32.7 KB
/
web_arguments.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
Usage:
concourse [OPTIONS] web [web-OPTIONS]
Application Options:
-v, --version Print the version of Concourse and exit [$CONCOURSE_VERSION]
Help Options:
-h, --help Show this help message
[web command options]
--log-level=[debug|info|error|fatal] Minimum level of logs to see. (default: info) [$CONCOURSE_LOG_LEVEL]
--bind-ip= IP address on which to listen for web traffic. (default: 0.0.0.0) [$CONCOURSE_BIND_IP]
--bind-port= Port on which to listen for HTTP traffic. (default: 8080) [$CONCOURSE_BIND_PORT]
--tls-bind-port= Port on which to listen for HTTPS traffic. [$CONCOURSE_TLS_BIND_PORT]
--tls-cert= File containing an SSL certificate. [$CONCOURSE_TLS_CERT]
--tls-key= File containing an RSA private key, used to encrypt HTTPS traffic. [$CONCOURSE_TLS_KEY]
--external-url= URL used to reach any ATC from the outside world. [$CONCOURSE_EXTERNAL_URL]
--peer-url= URL used to reach this ATC from other ATCs in the cluster. [$CONCOURSE_PEER_URL]
--encryption-key= A 16 or 32 length key used to encrypt sensitive information before storing it in the database. [$CONCOURSE_ENCRYPTION_KEY]
--old-encryption-key= Encryption key previously used for encrypting sensitive information. If provided without a new key, data is encrypted. If provided with a new key, data is
re-encrypted. [$CONCOURSE_OLD_ENCRYPTION_KEY]
--debug-bind-ip= IP address on which to listen for the pprof debugger endpoints. (default: 127.0.0.1) [$CONCOURSE_DEBUG_BIND_IP]
--debug-bind-port= Port on which to listen for the pprof debugger endpoints. (default: 8079) [$CONCOURSE_DEBUG_BIND_PORT]
--intercept-idle-timeout= Length of time for a intercepted session to be idle before terminating. (default: 0m) [$CONCOURSE_INTERCEPT_IDLE_TIMEOUT]
--global-resource-check-timeout= Time limit on checking for new versions of resources. (default: 1h) [$CONCOURSE_GLOBAL_RESOURCE_CHECK_TIMEOUT]
--resource-checking-interval= Interval on which to check for new versions of resources. (default: 1m) [$CONCOURSE_RESOURCE_CHECKING_INTERVAL]
--resource-type-checking-interval= Interval on which to check for new versions of resource types. (default: 1m) [$CONCOURSE_RESOURCE_TYPE_CHECKING_INTERVAL]
--container-placement-strategy=[volume-locality|random] Method by which a worker is selected during container placement. (default: volume-locality) [$CONCOURSE_CONTAINER_PLACEMENT_STRATEGY]
--baggageclaim-response-header-timeout= How long to wait for Baggageclaim to send the response header. (default: 1m) [$CONCOURSE_BAGGAGECLAIM_RESPONSE_HEADER_TIMEOUT]
--cli-artifacts-dir= Directory containing downloadable CLI binaries. [$CONCOURSE_CLI_ARTIFACTS_DIR]
--log-db-queries Log database queries. [$CONCOURSE_LOG_DB_QUERIES]
--build-tracker-interval= Interval on which to run build tracking. (default: 10s) [$CONCOURSE_BUILD_TRACKER_INTERVAL]
--default-build-logs-to-retain= Default build logs to retain, 0 means all [$CONCOURSE_DEFAULT_BUILD_LOGS_TO_RETAIN]
--max-build-logs-to-retain= Maximum build logs to retain, 0 means not specified. Will override values configured in jobs [$CONCOURSE_MAX_BUILD_LOGS_TO_RETAIN]
--default-task-cpu-limit= Default max number of cpu shares per task, 0 means unlimited [$CONCOURSE_DEFAULT_TASK_CPU_LIMIT]
--default-task-memory-limit= Default maximum memory per task, 0 means unlimited [$CONCOURSE_DEFAULT_TASK_MEMORY_LIMIT]
PostgreSQL Configuration:
--postgres-host= The host to connect to. (default: 127.0.0.1) [$CONCOURSE_POSTGRES_HOST]
--postgres-port= The port to connect to. (default: 5432) [$CONCOURSE_POSTGRES_PORT]
--postgres-socket= Path to a UNIX domain socket to connect to. [$CONCOURSE_POSTGRES_SOCKET]
--postgres-user= The user to sign in as. [$CONCOURSE_POSTGRES_USER]
--postgres-password= The user's password. [$CONCOURSE_POSTGRES_PASSWORD]
--postgres-sslmode=[disable|require|verify-ca|verify-full] Whether or not to use SSL. (default: disable) [$CONCOURSE_POSTGRES_SSLMODE]
--postgres-ca-cert= CA cert file location, to verify when connecting with SSL. [$CONCOURSE_POSTGRES_CA_CERT]
--postgres-client-cert= Client cert file location. [$CONCOURSE_POSTGRES_CLIENT_CERT]
--postgres-client-key= Client key file location. [$CONCOURSE_POSTGRES_CLIENT_KEY]
--postgres-connect-timeout= Dialing timeout. (0 means wait indefinitely) (default: 5m) [$CONCOURSE_POSTGRES_CONNECT_TIMEOUT]
--postgres-database= The name of the database to use. (default: atc) [$CONCOURSE_POSTGRES_DATABASE]
CredHub Credential Management:
--credhub-url= CredHub server address used to access secrets. [$CONCOURSE_CREDHUB_URL]
--credhub-path-prefix= Path under which to namespace credential lookup. (default: /concourse) [$CONCOURSE_CREDHUB_PATH_PREFIX]
--credhub-ca-cert= Paths to PEM-encoded CA cert files to use to verify the CredHub server SSL cert. [$CONCOURSE_CREDHUB_CA_CERT]
--credhub-client-cert= Path to the client certificate for mutual TLS authorization. [$CONCOURSE_CREDHUB_CLIENT_CERT]
--credhub-client-key= Path to the client private key for mutual TLS authorization. [$CONCOURSE_CREDHUB_CLIENT_KEY]
--credhub-insecure-skip-verify Enable insecure SSL verification. [$CONCOURSE_CREDHUB_INSECURE_SKIP_VERIFY]
--credhub-client-id= Client ID for CredHub authorization. [$CONCOURSE_CREDHUB_CLIENT_ID]
--credhub-client-secret= Client secret for CredHub authorization. [$CONCOURSE_CREDHUB_CLIENT_SECRET]
Kubernetes Credential Management:
--kubernetes-in-cluster Enables the in-cluster client. [$CONCOURSE_KUBERNETES_IN_CLUSTER]
--kubernetes-config-path= Path to Kubernetes config when running ATC outside Kubernetes. [$CONCOURSE_KUBERNETES_CONFIG_PATH]
--kubernetes-namespace-prefix= Prefix to use for Kubernetes namespaces under which secrets will be looked up. (default: concourse-) [$CONCOURSE_KUBERNETES_NAMESPACE_PREFIX]
AWS SecretsManager Credential Management:
--aws-secretsmanager-access-key= AWS Access key ID [$CONCOURSE_AWS_SECRETSMANAGER_ACCESS_KEY]
--aws-secretsmanager-secret-key= AWS Secret Access Key [$CONCOURSE_AWS_SECRETSMANAGER_SECRET_KEY]
--aws-secretsmanager-session-token= AWS Session Token [$CONCOURSE_AWS_SECRETSMANAGER_SESSION_TOKEN]
--aws-secretsmanager-region= AWS region to send requests to [$AWS_REGION]
--aws-secretsmanager-pipeline-secret-template= AWS Secrets Manager secret identifier template used for pipeline specific parameter (default: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}})
[$CONCOURSE_AWS_SECRETSMANAGER_PIPELINE_SECRET_TEMPLATE]
--aws-secretsmanager-team-secret-template= AWS Secrets Manager secret identifier template used for team specific parameter (default: /concourse/{{.Team}}/{{.Secret}})
[$CONCOURSE_AWS_SECRETSMANAGER_TEAM_SECRET_TEMPLATE]
AWS SSM Credential Management:
--aws-ssm-access-key= AWS Access key ID [$CONCOURSE_AWS_SSM_ACCESS_KEY]
--aws-ssm-secret-key= AWS Secret Access Key [$CONCOURSE_AWS_SSM_SECRET_KEY]
--aws-ssm-session-token= AWS Session Token [$CONCOURSE_AWS_SSM_SESSION_TOKEN]
--aws-ssm-region= AWS region to send requests to [$AWS_REGION]
--aws-ssm-pipeline-secret-template= AWS SSM parameter name template used for pipeline specific parameter (default: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}})
[$CONCOURSE_AWS_SSM_PIPELINE_SECRET_TEMPLATE]
--aws-ssm-team-secret-template= AWS SSM parameter name template used for team specific parameter (default: /concourse/{{.Team}}/{{.Secret}}) [$CONCOURSE_AWS_SSM_TEAM_SECRET_TEMPLATE]
Vault Credential Management:
--vault-url= Vault server address used to access secrets. [$CONCOURSE_VAULT_URL]
--vault-path-prefix= Path under which to namespace credential lookup. (default: /concourse) [$CONCOURSE_VAULT_PATH_PREFIX]
--vault-cache Cache returned secrets for their lease duration in memory [$CONCOURSE_VAULT_CACHE]
--vault-max-lease= If the cache is enabled, and this is set, override secrets lease duration with a maximum value [$CONCOURSE_VAULT_MAX_LEASE]
--vault-ca-cert= Path to a PEM-encoded CA cert file to use to verify the vault server SSL cert. [$CONCOURSE_VAULT_CA_CERT]
--vault-ca-path= Path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert. [$CONCOURSE_VAULT_CA_PATH]
--vault-client-cert= Path to the client certificate for Vault authorization. [$CONCOURSE_VAULT_CLIENT_CERT]
--vault-client-key= Path to the client private key for Vault authorization. [$CONCOURSE_VAULT_CLIENT_KEY]
--vault-server-name= If set, is used to set the SNI host when connecting via TLS. [$CONCOURSE_VAULT_SERVER_NAME]
--vault-insecure-skip-verify Enable insecure SSL verification. [$CONCOURSE_VAULT_INSECURE_SKIP_VERIFY]
--vault-client-token= Client token for accessing secrets within the Vault server. [$CONCOURSE_VAULT_CLIENT_TOKEN]
--vault-auth-backend= Auth backend to use for logging in to Vault. [$CONCOURSE_VAULT_AUTH_BACKEND]
--vault-auth-backend-max-ttl= Time after which to force a re-login. If not set, the token will just be continuously renewed. [$CONCOURSE_VAULT_AUTH_BACKEND_MAX_TTL]
--vault-retry-max= The maximum time between retries when logging in or re-authing a secret. (default: 5m) [$CONCOURSE_VAULT_RETRY_MAX]
--vault-retry-initial= The initial time between retries when logging in or re-authing a secret. (default: 1s) [$CONCOURSE_VAULT_RETRY_INITIAL]
--vault-auth-param=NAME=VALUE Paramter to pass when logging in via the backend. Can be specified multiple times. [$CONCOURSE_VAULT_AUTH_PARAM]
Developer Options:
-n, --noop Don't actually do any automatic scheduling or checking. [$CONCOURSE_NOOP]
Static Worker (optional):
--worker-garden-url= A Garden API endpoint to register as a worker. [$CONCOURSE_WORKER_GARDEN_URL]
--worker-baggageclaim-url= A Baggageclaim API endpoint to register with the worker. [$CONCOURSE_WORKER_BAGGAGECLAIM_URL]
--worker-resource=TYPE:IMAGE A resource type to advertise for the worker. Can be specified multiple times. [$CONCOURSE_WORKER_RESOURCE]
Metrics & Diagnostics:
--metrics-host-name= Host string to attach to emitted metrics. [$CONCOURSE_METRICS_HOST_NAME]
--metrics-attribute=NAME:VALUE A key-value attribute to attach to emitted metrics. Can be specified multiple times. [$CONCOURSE_METRICS_ATTRIBUTE]
Metric Emitter (Datadog):
--datadog-agent-host= Datadog agent host to expose dogstatsd metrics [$CONCOURSE_DATADOG_AGENT_HOST]
--datadog-agent-port= Datadog agent port to expose dogstatsd metrics [$CONCOURSE_DATADOG_AGENT_PORT]
--datadog-prefix= Prefix for all metrics to easily find them in Datadog [$CONCOURSE_DATADOG_PREFIX]
Metric Emitter (InfluxDB):
--influxdb-url= InfluxDB server address to emit points to. [$CONCOURSE_INFLUXDB_URL]
--influxdb-database= InfluxDB database to write points to. [$CONCOURSE_INFLUXDB_DATABASE]
--influxdb-username= InfluxDB server username. [$CONCOURSE_INFLUXDB_USERNAME]
--influxdb-password= InfluxDB server password. [$CONCOURSE_INFLUXDB_PASSWORD]
--influxdb-insecure-skip-verify Skip SSL verification when emitting to InfluxDB. [$CONCOURSE_INFLUXDB_INSECURE_SKIP_VERIFY]
Metric Emitter (Lager):
--emit-to-logs Emit metrics to logs. [$CONCOURSE_EMIT_TO_LOGS]
Metric Emitter (NewRelic):
--newrelic-account-id= New Relic Account ID [$CONCOURSE_NEWRELIC_ACCOUNT_ID]
--newrelic-api-key= New Relic Insights API Key [$CONCOURSE_NEWRELIC_API_KEY]
--newrelic-service-prefix= An optional prefix for emitted New Relic events [$CONCOURSE_NEWRELIC_SERVICE_PREFIX]
Metric Emitter (Prometheus):
--prometheus-bind-ip= IP to listen on to expose Prometheus metrics. [$CONCOURSE_PROMETHEUS_BIND_IP]
--prometheus-bind-port= Port to listen on to expose Prometheus metrics. [$CONCOURSE_PROMETHEUS_BIND_PORT]
Metric Emitter (Riemann):
--riemann-host= Riemann server address to emit metrics to. [$CONCOURSE_RIEMANN_HOST]
--riemann-port= Port of the Riemann server to emit metrics to. (default: 5555) [$CONCOURSE_RIEMANN_PORT]
--riemann-service-prefix= An optional prefix for emitted Riemann services [$CONCOURSE_RIEMANN_SERVICE_PREFIX]
--riemann-tag=TAG Tag to attach to emitted metrics. Can be specified multiple times. [$CONCOURSE_RIEMANN_TAG]
Web Server:
--x-frame-options= The value to set for X-Frame-Options. If omitted, the header is not set. [$CONCOURSE_X_FRAME_OPTIONS]
Garbage Collection:
--gc-interval= Interval on which to perform garbage collection. (default: 30s) [$CONCOURSE_GC_INTERVAL]
--gc-one-off-grace-period= Grace period before reaping one-off task containers (default: 5m) [$CONCOURSE_GC_ONE_OFF_GRACE_PERIOD]
Syslog Drainer Configuration:
--syslog-hostname= Client hostname with which the build logs will be sent to the syslog server. (default: atc-syslog-drainer) [$CONCOURSE_SYSLOG_HOSTNAME]
--syslog-address= Remote syslog server address with port (Example: 0.0.0.0:514). [$CONCOURSE_SYSLOG_ADDRESS]
--syslog-transport= Transport protocol for syslog messages (Currently supporting tcp, udp & tls). [$CONCOURSE_SYSLOG_TRANSPORT]
--syslog-drain-interval= Interval over which checking is done for new build logs to send to syslog server (duration measurement units are s/m/h; eg. 30s/30m/1h) (default: 30s)
[$CONCOURSE_SYSLOG_DRAIN_INTERVAL]
--syslog-ca-cert= Paths to PEM-encoded CA cert files to use to verify the Syslog server SSL cert. [$CONCOURSE_SYSLOG_CA_CERT]
Authentication:
--cookie-secure Force sending secure flag on http cookies [$CONCOURSE_COOKIE_SECURE]
--auth-duration= Length of time for which tokens are valid. Afterwards, users will have to log back in. (default: 24h) [$CONCOURSE_AUTH_DURATION]
--session-signing-key= File containing an RSA private key, used to sign auth tokens. [$CONCOURSE_SESSION_SIGNING_KEY]
--add-local-user=USERNAME:PASSWORD List of username:password combinations for all your local users. The password can be bcrypted - if so, it must have a minimum cost of 10. [$CONCOURSE_ADD_LOCAL_USER]
Authentication (Main Team):
--main-team-local-user=USERNAME List of whitelisted local concourse users. These are the users you've added at atc startup with the --add-local-user flag. [$CONCOURSE_MAIN_TEAM_LOCAL_USER]
--main-team-allow-all-users Setting this flag will whitelist all logged in users in the system. ALL OF THEM. If, for example, you've configured GitHub, any user with a GitHub account will have
access to your team. [$CONCOURSE_MAIN_TEAM_ALLOW_ALL_USERS]
Authentication (Main Team) (CloudFoundry):
--main-team-cf-user=USERNAME List of whitelisted CloudFoundry users. [$CONCOURSE_MAIN_TEAM_CF_USER]
--main-team-cf-org=ORG_NAME List of whitelisted CloudFoundry orgs [$CONCOURSE_MAIN_TEAM_CF_ORG]
--main-team-cf-space=ORG_NAME:SPACE_NAME List of whitelisted CloudFoundry spaces [$CONCOURSE_MAIN_TEAM_CF_SPACE]
--main-team-cf-space-guid=SPACE_GUID (Deprecated) List of whitelisted CloudFoundry space guids [$CONCOURSE_MAIN_TEAM_CF_SPACE_GUID]
Authentication (Main Team) (GitHub):
--main-team-github-user=USERNAME List of whitelisted GitHub users [$CONCOURSE_MAIN_TEAM_GITHUB_USER]
--main-team-github-org=ORG_NAME List of whitelisted GitHub orgs [$CONCOURSE_MAIN_TEAM_GITHUB_ORG]
--main-team-github-team=ORG_NAME:TEAM_NAME List of whitelisted GitHub teams [$CONCOURSE_MAIN_TEAM_GITHUB_TEAM]
Authentication (Main Team) (GitLab):
--main-team-gitlab-user=USERNAME List of whitelisted GitLab users [$CONCOURSE_MAIN_TEAM_GITLAB_USER]
--main-team-gitlab-group=GROUP_NAME List of whitelisted GitLab groups [$CONCOURSE_MAIN_TEAM_GITLAB_GROUP]
Authentication (Main Team) (LDAP):
--main-team-ldap-user=USERNAME List of whitelisted LDAP users [$CONCOURSE_MAIN_TEAM_LDAP_USER]
--main-team-ldap-group=GROUP_NAME List of whitelisted LDAP groups [$CONCOURSE_MAIN_TEAM_LDAP_GROUP]
Authentication (Main Team) (OAuth2):
--main-team-oauth-user=USERNAME List of whitelisted OAuth2 users [$CONCOURSE_MAIN_TEAM_OAUTH_USER]
--main-team-oauth-group=GROUP_NAME List of whitelisted OAuth2 groups [$CONCOURSE_MAIN_TEAM_OAUTH_GROUP]
Authentication (Main Team) (OIDC):
--main-team-oidc-user=USERNAME List of whitelisted OIDC users [$CONCOURSE_MAIN_TEAM_OIDC_USER]
--main-team-oidc-group=GROUP_NAME List of whitelisted OIDC groups [$CONCOURSE_MAIN_TEAM_OIDC_GROUP]
Authentication (CloudFoundry):
--cf-client-id= (Required) Client id [$CONCOURSE_CF_CLIENT_ID]
--cf-client-secret= (Required) Client secret [$CONCOURSE_CF_CLIENT_SECRET]
--cf-api-url= (Required) The base API URL of your CF deployment. It will use this information to discover information about the authentication provider. [$CONCOURSE_CF_API_URL]
--cf-ca-cert= CA Certificate [$CONCOURSE_CF_CA_CERT]
--cf-skip-ssl-validation Skip SSL validation [$CONCOURSE_CF_SKIP_SSL_VALIDATION]
Authentication (GitHub):
--github-client-id= (Required) Client id [$CONCOURSE_GITHUB_CLIENT_ID]
--github-client-secret= (Required) Client secret [$CONCOURSE_GITHUB_CLIENT_SECRET]
--github-host= Hostname of GitHub Enterprise deployment (No scheme, No trailing slash) [$CONCOURSE_GITHUB_HOST]
--github-ca-cert= CA certificate of GitHub Enterprise deployment [$CONCOURSE_GITHUB_CA_CERT]
Authentication (GitLab):
--gitlab-client-id= (Required) Client id [$CONCOURSE_GITLAB_CLIENT_ID]
--gitlab-client-secret= (Required) Client secret [$CONCOURSE_GITLAB_CLIENT_SECRET]
--gitlab-host= Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash) [$CONCOURSE_GITLAB_HOST]
Authentication (LDAP):
--ldap-display-name= The auth provider name displayed to users on the login page [$CONCOURSE_LDAP_DISPLAY_NAME]
--ldap-host= (Required) The host and optional port of the LDAP server. If port isn't supplied, it will be guessed based on the TLS configuration. 389 or 636.
[$CONCOURSE_LDAP_HOST]
--ldap-bind-dn= (Required) Bind DN for searching LDAP users and groups. Typically this is a read-only user. [$CONCOURSE_LDAP_BIND_DN]
--ldap-bind-pw= (Required) Bind Password for the user specified by 'bind-dn' [$CONCOURSE_LDAP_BIND_PW]
--ldap-insecure-no-ssl Required if LDAP host does not use TLS. [$CONCOURSE_LDAP_INSECURE_NO_SSL]
--ldap-insecure-skip-verify Skip certificate verification [$CONCOURSE_LDAP_INSECURE_SKIP_VERIFY]
--ldap-start-tls Start on insecure port, then negotiate TLS [$CONCOURSE_LDAP_START_TLS]
--ldap-ca-cert= CA certificate [$CONCOURSE_LDAP_CA_CERT]
--ldap-user-search-base-dn= BaseDN to start the search from. For example 'cn=users,dc=example,dc=com' [$CONCOURSE_LDAP_USER_SEARCH_BASE_DN]
--ldap-user-search-filter= Optional filter to apply when searching the directory. For example '(objectClass=person)' [$CONCOURSE_LDAP_USER_SEARCH_FILTER]
--ldap-user-search-username= Attribute to match against the inputted username. This will be translated and combined with the other filter as '(<attr>=<username>)'.
[$CONCOURSE_LDAP_USER_SEARCH_USERNAME]
--ldap-user-search-scope= Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'. [$CONCOURSE_LDAP_USER_SEARCH_SCOPE]
--ldap-user-search-id-attr= A mapping of attributes on the user entry to claims. Defaults to 'uid'. [$CONCOURSE_LDAP_USER_SEARCH_ID_ATTR]
--ldap-user-search-email-attr= A mapping of attributes on the user entry to claims. Defaults to 'mail'. [$CONCOURSE_LDAP_USER_SEARCH_EMAIL_ATTR]
--ldap-user-search-name-attr= A mapping of attributes on the user entry to claims. [$CONCOURSE_LDAP_USER_SEARCH_NAME_ATTR]
--ldap-group-search-base-dn= BaseDN to start the search from. For example 'cn=groups,dc=example,dc=com' [$CONCOURSE_LDAP_GROUP_SEARCH_BASE_DN]
--ldap-group-search-filter= Optional filter to apply when searching the directory. For example '(objectClass=posixGroup)' [$CONCOURSE_LDAP_GROUP_SEARCH_FILTER]
--ldap-group-search-scope= Can either be: 'sub' - search the whole sub tree or 'one' - only search one level. Defaults to 'sub'. [$CONCOURSE_LDAP_GROUP_SEARCH_SCOPE]
--ldap-group-search-user-attr= Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is: (<groupAttr>=<userAttr
value>) [$CONCOURSE_LDAP_GROUP_SEARCH_USER_ATTR]
--ldap-group-search-group-attr= Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is: (<groupAttr>=<userAttr
value>) [$CONCOURSE_LDAP_GROUP_SEARCH_GROUP_ATTR]
--ldap-group-search-name-attr= The attribute of the group that represents its name. [$CONCOURSE_LDAP_GROUP_SEARCH_NAME_ATTR]
Authentication (OAuth2):
--oauth-display-name= The auth provider name displayed to users on the login page [$CONCOURSE_OAUTH_DISPLAY_NAME]
--oauth-client-id= (Required) Client id [$CONCOURSE_OAUTH_CLIENT_ID]
--oauth-client-secret= (Required) Client secret [$CONCOURSE_OAUTH_CLIENT_SECRET]
--oauth-auth-url= (Required) Authorization URL [$CONCOURSE_OAUTH_AUTH_URL]
--oauth-token-url= (Required) Token URL [$CONCOURSE_OAUTH_TOKEN_URL]
--oauth-userinfo-url= UserInfo URL [$CONCOURSE_OAUTH_USERINFO_URL]
--oauth-scope= Any additional scopes that need to be requested during authorization [$CONCOURSE_OAUTH_SCOPE]
--oauth-groups-key= The groups key indicates which claim to use to map external groups to Concourse teams. [$CONCOURSE_OAUTH_GROUPS_KEY]
--oauth-ca-cert= CA Certificate [$CONCOURSE_OAUTH_CA_CERT]
--oauth-skip-ssl-validation Skip SSL validation [$CONCOURSE_OAUTH_SKIP_SSL_VALIDATION]
Authentication (OIDC):
--oidc-display-name= The auth provider name displayed to users on the login page [$CONCOURSE_OIDC_DISPLAY_NAME]
--oidc-issuer= (Required) An OIDC issuer URL that will be used to discover provider configuration using the .well-known/openid-configuration [$CONCOURSE_OIDC_ISSUER]
--oidc-client-id= (Required) Client id [$CONCOURSE_OIDC_CLIENT_ID]
--oidc-client-secret= (Required) Client secret [$CONCOURSE_OIDC_CLIENT_SECRET]
--oidc-scope= Any additional scopes that need to be requested during authorization [$CONCOURSE_OIDC_SCOPE]
--oidc-groups-key= The groups key indicates which claim to use to map external groups to Concourse teams. [$CONCOURSE_OIDC_GROUPS_KEY]
--oidc-hosted-domains= List of whitelisted domains when using Google, only users from a listed domain will be allowed to log in [$CONCOURSE_OIDC_HOSTED_DOMAINS]
--oidc-ca-cert= CA Certificate [$CONCOURSE_OIDC_CA_CERT]
--oidc-skip-ssl-validation Skip SSL validation [$CONCOURSE_OIDC_SKIP_SSL_VALIDATION]
TSA Configuration:
--tsa-log-level=[debug|info|error|fatal] Minimum level of logs to see. (default: info) [$CONCOURSE_TSA_LOG_LEVEL]
--tsa-bind-ip= IP address on which to listen for SSH. (default: 0.0.0.0) [$CONCOURSE_TSA_BIND_IP]
--tsa-bind-port= Port on which to listen for SSH. (default: 2222) [$CONCOURSE_TSA_BIND_PORT]
--tsa-bind-debug-port= Port on which to listen for TSA pprof server. (default: 8089) [$CONCOURSE_TSA_BIND_DEBUG_PORT]
--tsa-peer-ip= IP address of this TSA, reachable by the ATCs. Used for forwarded worker addresses. [$CONCOURSE_TSA_PEER_IP]
--tsa-host-key= Path to private key to use for the SSH server. [$CONCOURSE_TSA_HOST_KEY]
--tsa-authorized-keys= Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line). [$CONCOURSE_TSA_AUTHORIZED_KEYS]
--tsa-team-authorized-keys=NAME=PATH Path to file containing keys to authorize, in SSH authorized_keys format (one public key per line). [$CONCOURSE_TSA_TEAM_AUTHORIZED_KEYS]
--tsa-atc-url= ATC API endpoints to which workers will be registered. [$CONCOURSE_TSA_ATC_URL]
--tsa-session-signing-key= Path to private key to use when signing tokens in reqests to the ATC during registration. [$CONCOURSE_TSA_SESSION_SIGNING_KEY]
--tsa-heartbeat-interval= interval on which to heartbeat workers to the ATC (default: 30s) [$CONCOURSE_TSA_HEARTBEAT_INTERVAL]