├── .gitignore ├── LICENSE ├── README.md ├── ci ├── bump-versions.yml └── scripts │ └── bump-versions ├── cluster ├── README.md ├── cloud_configs │ └── vbox.yml ├── concourse.yml ├── external-windows-worker.yml ├── external-worker.yml └── operations │ ├── add-external-worker-keys.yml │ ├── add-garden-config-ini.yml │ ├── add-local-users.yml │ ├── add-main-team-auth-config.yml │ ├── add-main-team-cf-orgs.yml │ ├── add-main-team-cf-spaces.yml │ ├── add-main-team-cf-users.yml │ ├── add-main-team-ldap-groups.yml │ ├── add-main-team-ldap-users.yml │ ├── add-main-team-oauth-users.yml │ ├── add-main-team-oidc-groups.yml │ ├── add-main-team-oidc-users.yml │ ├── add-worker-key-variable.yml │ ├── audit.yml │ ├── aws-secrets-manager.yml │ ├── backup-atc-colocated-web.yml │ ├── backup-atc.yml │ ├── basic-auth.yml │ ├── build-log-retention.yml │ ├── cf-auth.yml │ ├── cluster-name.yml │ ├── container-placement-strategy-limit-active-tasks.yml │ ├── container-placement-strategy-random.yml │ ├── container-placement-strategy.yml │ ├── containerd-dns.yml │ ├── credential-manager-enable-cache.yml │ ├── credential-manager-tuning.yml │ ├── credhub-colocated.yml │ ├── credhub-path-prefix.yml │ ├── credhub-tls-skip-verify.yml │ ├── credhub.yml │ ├── datadog.yml │ ├── db-max-connections.yml │ ├── db-stats.yml │ ├── debug-concourse.yml │ ├── debug-external-worker.yml │ ├── debug-tagged-worker.yml │ ├── debug-untrusted-worker.yml │ ├── default-test-user.yml │ ├── dev-versions.yml │ ├── enable-global-resources.yml │ ├── enable-lets-encrypt.yml │ ├── enable-lidar.yml │ ├── enable-redacting-credentials.yml │ ├── encryption.yml │ ├── external-postgres-client-cert.yml │ ├── external-postgres-tls.yml │ ├── external-postgres.yml │ ├── garden-dns.yml │ ├── generic-oauth.yml │ ├── generic-oidc.yml │ ├── github-auth.yml │ ├── github-enterprise-auth.yml │ ├── gitlab-auth.yml │ ├── http-proxy-tagged-worker.yml │ ├── http-proxy.yml │ ├── influxdb.yml │ ├── ldap.yml │ ├── lidar-intervals.yml │ ├── 
max-db-connection-pool.yml │ ├── max-in-flight.yml │ ├── metrics-buffer-size.yml │ ├── mtls.yml │ ├── no-internet-access.yml │ ├── offline-releases.yml │ ├── postgres-link.yml │ ├── privileged-http.yml │ ├── privileged-https.yml │ ├── prometheus.yml │ ├── rotate-encryption-keys.yml │ ├── runtime-containerd.yml │ ├── scale-untrusted-worker.yml │ ├── scale.yml │ ├── secure-internal-postgres-bbr.yml │ ├── secure-internal-postgres-credhub.yml │ ├── secure-internal-postgres-uaa.yml │ ├── secure-internal-postgres.yml │ ├── static-web.yml │ ├── storage-driver.yml │ ├── syslog-drainer.yml │ ├── syslog_forwarder.yml │ ├── tagged-worker.yml │ ├── task-limits.yml │ ├── team-authorized-keys.yml │ ├── telegraf-postgres.yml │ ├── tls-port.yml │ ├── tls-vars.yml │ ├── tls.yml │ ├── turn-off-encryption.yml │ ├── uaa-generic-oauth-provider.yml │ ├── uaa.yml │ ├── untrusted-worker.yml │ ├── update-stemcell.yml │ ├── vault-shared-path.yml │ ├── vault-tls-cert-auth.yml │ ├── vault-tls-skip_verify.yml │ ├── vault.yml │ ├── web-network-extension.yml │ ├── windows-worker-ephemeral-disk.yml │ ├── windows-worker-network.yml │ ├── windows-worker.yml │ ├── worker-ephemeral-disk.yml │ ├── worker-max-in-flight.yml │ ├── worker-rebalancing.yml │ ├── worker-team-name.yml │ ├── worker-volume-sweeper-max-in-flight.yml │ ├── x-frame-options-allow-from.yml │ ├── x-frame-options-sameorigin.yml │ └── x-frame-options-unset.yml ├── lite ├── README.md ├── concourse.yml ├── infrastructures │ ├── aws.yml │ ├── azure.yml │ ├── gcp.yml │ ├── openstack.yml │ ├── virtualbox.yml │ └── vsphere.yml ├── jumpbox.yml └── operations │ ├── debug.yml │ ├── dns.yml │ ├── http-proxy.yml │ └── replace-concourse-url.yml └── versions.yml /.gitignore: -------------------------------------------------------------------------------- 1 | *creds.yml 2 | *state.json 3 | deploy-*.sh 4 | .DS_Store 5 | -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 
39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # concourse-bosh-deployment 2 | 3 | > A toolchain for deploying Concourse with [BOSH](https://bosh.io). 4 | 5 | This repository is a community-maintained set of 6 | [manifests](http://bosh.io/docs/manifest-v2.html) and [ops 7 | files](http://bosh.io/docs/cli-ops-files.html) useful for deploying Concourse 8 | in various configurations to various IaaSes. 9 | 10 | **NOTE: This repository is effectively community-maintained, with only a 11 | portion of these configurations tested in CI. Use at your own risk!** 12 | 13 | ## Requirements 14 | - [Bosh CLI V2](https://bosh.io/docs/cli-v2.html#install) 15 | 16 | 17 | ## Usage 18 | 19 | Clone this repo. 20 | 21 | ```shell 22 | git clone https://github.com/concourse/concourse-bosh-deployment.git 23 | cd concourse-bosh-deployment 24 | ``` 25 | 26 | Then, choose your adventure below. 
27 | 28 | 29 | ## Deployment scenarios 30 | 31 | ### `lite/`: "Lite" directorless deployment 32 | 33 | These manifests deploy Concourse, *without a BOSH director*, onto a single VM. 34 | 35 | This approach is intended as an easy way to get a development Concourse 36 | deployment up in the air and ready to `fly`! 37 | 38 | Consult the [`lite` README](lite/README.md) for more information. 39 | 40 | ### `cluster/`: A full-blown BOSH deployment to a director 41 | 42 | Consult the [`cluster` README](cluster/README.md) for more information. 43 | -------------------------------------------------------------------------------- /ci/bump-versions.yml: -------------------------------------------------------------------------------- 1 | --- 2 | platform: linux 3 | 4 | image_resource: 5 | type: docker-image 6 | source: 7 | repository: concourse/unit 8 | 9 | inputs: 10 | - name: concourse-bosh-deployment 11 | - name: concourse-boshio 12 | - name: bpm-release 13 | - name: postgres-release 14 | - name: credhub-release 15 | - name: uaa-release 16 | - name: bbr-sdk-release 17 | - name: windows-utilities-release 18 | 19 | outputs: 20 | - name: bumped-repo 21 | 22 | run: 23 | path: concourse-bosh-deployment/ci/scripts/bump-versions 24 | -------------------------------------------------------------------------------- /ci/scripts/bump-versions: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e -u 4 | 5 | git config --global user.email "ci@localhost" 6 | git config --global user.name "CI Bot" 7 | 8 | git clone ./concourse-bosh-deployment ./bumped-repo 9 | 10 | concourse_version="$(cat concourse-boshio/version)" 11 | 12 | cat ./concourse-bosh-deployment/versions.yml | \ 13 | sed -e "s/concourse_version: .*/concourse_version: '$concourse_version'/" | \ 14 | sed -e "s/concourse_sha1: .*/concourse_sha1: '$(cat concourse-boshio/sha1)'/" | \ 15 | sed -e "s/bpm_version: .*/bpm_version: '$(cat bpm-release/version)'/" | \ 16 | sed -e 
"s/bpm_sha1: .*/bpm_sha1: '$(cat bpm-release/sha1)'/" | \ 17 | sed -e "s/postgres_version: .*/postgres_version: '$(cat postgres-release/version)'/" | \ 18 | sed -e "s/postgres_sha1: .*/postgres_sha1: '$(cat postgres-release/sha1)'/" | \ 19 | sed -e "s/uaa_version: .*/uaa_version: '$(cat uaa-release/version)'/" | \ 20 | sed -e "s/uaa_sha1: .*/uaa_sha1: '$(cat uaa-release/sha1)'/" | \ 21 | sed -e "s/credhub_version: .*/credhub_version: '$(cat credhub-release/version)'/" | \ 22 | sed -e "s/credhub_sha1: .*/credhub_sha1: '$(cat credhub-release/sha1)'/" | \ 23 | sed -e "s/bbr_sdk_version: .*/bbr_sdk_version: '$(cat bbr-sdk-release/version)'/" | \ 24 | sed -e "s/bbr_sdk_sha1: .*/bbr_sdk_sha1: '$(cat bbr-sdk-release/sha1)'/" | \ 25 | sed -e "s/windows_utilities_version: .*/windows_utilities_version: '$(cat windows-utilities-release/version)'/" | \ 26 | sed -e "s/windows_utilities_sha1: .*/windows_utilities_sha1: '$(cat windows-utilities-release/sha1)'/" \ 27 | > bumped-repo/versions.yml 28 | 29 | cd bumped-repo 30 | 31 | git add -A 32 | git commit -m "bump versions.yml" --allow-empty 33 | git tag -f "v$concourse_version" 34 | -------------------------------------------------------------------------------- /cluster/README.md: -------------------------------------------------------------------------------- 1 | # Cluster Concourse deployment 2 | 3 | A clustered Concourse deployment exercises the full might of BOSH. It 4 | provides disaster recovery for your VMs, safe management of your 5 | persistent state (including resizing of the available space, 6 | snapshot/restore, etc.), and in general will make your life easier once 7 | you get it going. 8 | 9 | You'll first need to set up the [Cloud 10 | Config](http://bosh.io/docs/cloud-config.html) on your director. This part 11 | depends on your infrastructure of choice. There are a few example configs under 12 | [cloud_configs/](cloud_configs/). 13 | 14 | Here's an example command for deploying Concourse to a BOSH director. 
Most of the 15 | values for the fields can be found in your cloud config, which you can retrieve using 16 | the `cloud-config` command. 17 | 18 | ```shell 19 | bosh -e $BOSH_ENVIRONMENT update-cloud-config cloud_configs/vbox.yml 20 | 21 | bosh -e $BOSH_ENVIRONMENT deploy -d concourse concourse.yml \ 22 | -l ../versions.yml \ 23 | --vars-store cluster-creds.yml \ 24 | -o operations/static-web.yml \ 25 | -o operations/basic-auth.yml \ 26 | --var local_user.username=admin \ 27 | --var local_user.password=admin \ 28 | --var web_ip=10.244.15.2 \ 29 | --var external_url=http://10.244.15.2:8080 \ 30 | --var network_name=concourse \ 31 | --var web_vm_type=concourse \ 32 | --var db_vm_type=concourse \ 33 | --var db_persistent_disk_type=db \ 34 | --var worker_vm_type=concourse \ 35 | --var deployment_name=concourse \ 36 | --var azs=[z1] 37 | ``` 38 | 39 | The `--vars-store` file `cluster-creds.yml` receives the credentials BOSH generates for the variables declared in `concourse.yml` (`postgres_password`, `token_signing_key`, `tsa_host_key`, `worker_key`); the repository's `.gitignore` pattern `*creds.yml` keeps it from being committed by accident. This should then result in a Concourse running and listening at 40 | [http://10.244.15.2:8080](http://10.244.15.2:8080), ready for targeting 41 | with `fly`: 42 | 43 | ```shell 44 | fly -t ci login -c http://10.244.15.2:8080 -u admin -p admin 45 | ``` 46 | 47 | To access the web dashboard locally, set up port forwarding using the following: 48 | 49 | ```shell 50 | bosh -e $BOSH_ENVIRONMENT -d $DEPLOYMENT_NAME ssh web/0 --opts ' -L 8080:localhost:8080' 51 | ``` 52 | 53 | ## Using BOSH BootLoader 54 | 55 | The `bbl` project maintains documentation for deploying Concourse quickly and 56 | easily across a few supported IaaSes. Consult their 57 | [`concourse.md`](https://github.com/cloudfoundry/bosh-bootloader/blob/master/docs/concourse.md) 58 | docs for more information.
59 | 60 | 61 | ## External Concourse worker 62 | 63 | If you have a distributed setup with external Concourse workers deployed through another BOSH director, 64 | you can deploy them with: 65 | ```shell 66 | bosh -e $BOSH_ENVIRONMENT deploy -d concourse-worker external-worker.yml \ 67 | -l ../versions.yml \ 68 | -v external_worker_network_name=concourse \ 69 | -v worker_vm_type=concourse-workers \ 70 | -v instances=2 \ 71 | -v azs=[z1] \ 72 | -v deployment_name=concourse-worker \ 73 | -v tsa_host=10.244.15.2 \ 74 | -v worker_tags=[tags] \ 75 | -l secrets.yml 76 | ``` 77 | 78 | The `secrets.yml` file has to contain the public TSA host key of the Concourse master and the worker private 79 | key. Note that `secrets.yml` is not matched by the repository's `.gitignore` patterns (`*creds.yml`, `*state.json`), although it carries a private key. The web node must in turn list the external worker's public key in its `authorized_keys`; `operations/add-external-worker-keys.yml` does this through `((external_worker_authorized_keys))`: 80 | 81 | ```yaml 82 | tsa_host_key: 83 | public_key: 84 | 85 | worker_key: 86 | private_key: | 87 | -----BEGIN RSA PRIVATE KEY----- 88 | ... 89 | -----END RSA PRIVATE KEY----- 90 | ``` 91 | -------------------------------------------------------------------------------- /cluster/cloud_configs/vbox.yml: -------------------------------------------------------------------------------- 1 | --- 2 | azs: 3 | - name: z1 4 | 5 | networks: 6 | - name: concourse 7 | subnets: 8 | - az: z1 9 | gateway: 10.244.15.1 10 | range: 10.244.15.0/30 11 | static: 12 | - 10.244.15.2 13 | - az: z1 14 | gateway: 10.244.16.1 15 | range: 10.244.16.0/24 16 | 17 | vm_types: 18 | - name: concourse 19 | network: concourse 20 | 21 | disk_types: 22 | - name: db 23 | disk_size: 10240 24 | 25 | compilation: 26 | az: z1 27 | workers: 3 28 | network: concourse 29 | -------------------------------------------------------------------------------- /cluster/concourse.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: ((deployment_name)) 3 | 4 | releases: 5 | - name: concourse 6 | version: ((concourse_version)) 7 | sha1: ((concourse_sha1)) 8 | url: https://bosh.io/d/github.com/concourse/concourse-bosh-release?v=((concourse_version)) 9 | - name: bpm 10 | version: ((bpm_version)) 11 | 
sha1: ((bpm_sha1)) 12 | url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=((bpm_version)) 13 | - name: postgres 14 | version: ((postgres_version)) 15 | sha1: ((postgres_sha1)) 16 | url: https://bosh.io/d/github.com/cloudfoundry/postgres-release?v=((postgres_version)) 17 | 18 | instance_groups: 19 | - name: db 20 | instances: 1 21 | azs: ((azs)) 22 | networks: [{name: ((network_name))}] 23 | stemcell: jammy 24 | vm_type: ((db_vm_type)) 25 | persistent_disk_type: ((db_persistent_disk_type)) 26 | jobs: 27 | - release: postgres 28 | name: postgres 29 | properties: 30 | databases: 31 | port: 5432 32 | databases: 33 | - name: &db_name atc 34 | roles: 35 | - &db_role 36 | name: concourse 37 | password: ((postgres_password)) 38 | 39 | - name: web 40 | instances: 1 41 | azs: ((azs)) 42 | networks: [{name: ((network_name))}] 43 | stemcell: jammy 44 | vm_type: ((web_vm_type)) 45 | jobs: 46 | - release: bpm 47 | name: bpm 48 | 49 | - release: concourse 50 | name: web 51 | properties: 52 | token_signing_key: ((token_signing_key)) 53 | 54 | external_url: ((external_url)) 55 | 56 | postgresql: 57 | database: *db_name 58 | role: *db_role 59 | 60 | worker_gateway: 61 | host_key: ((tsa_host_key)) 62 | authorized_keys: | 63 | ((worker_key.public_key)) 64 | 65 | - name: worker 66 | instances: 1 67 | azs: ((azs)) 68 | networks: [{name: ((network_name))}] 69 | stemcell: jammy 70 | vm_type: ((worker_vm_type)) 71 | jobs: 72 | - release: concourse 73 | name: worker 74 | properties: 75 | drain_timeout: 10m 76 | worker_gateway: {worker_key: ((worker_key))} 77 | 78 | variables: 79 | - name: postgres_password 80 | type: password 81 | - name: token_signing_key 82 | type: rsa 83 | - name: tsa_host_key 84 | type: ssh 85 | - name: worker_key 86 | type: ssh 87 | 88 | stemcells: 89 | - alias: jammy 90 | os: ubuntu-jammy 91 | version: latest 92 | 93 | update: 94 | canaries: 1 95 | max_in_flight: 3 96 | serial: false 97 | canary_watch_time: 1000-60000 98 | update_watch_time: 1000-60000 99 | 
-------------------------------------------------------------------------------- /cluster/external-windows-worker.yml: -------------------------------------------------------------------------------- 1 | name: ((deployment_name)) 2 | 3 | releases: 4 | - name: concourse 5 | version: ((concourse_version)) 6 | sha1: ((concourse_sha1)) 7 | url: https://bosh.io/d/github.com/concourse/concourse-bosh-release?v=((concourse_version)) 8 | - name: windows-utilities 9 | version: ((windows_utilities_version)) 10 | url: https://bosh.io/d/github.com/cloudfoundry-incubator/windows-utilities-release?v=((windows_utilities_version)) 11 | sha1: ((windows_utilities_sha1)) 12 | 13 | stemcells: 14 | - alias: windows 15 | os: windows2019 16 | version: latest 17 | 18 | instance_groups: 19 | - name: windows-worker 20 | instances: ((instances)) 21 | vm_type: ((worker_vm_type)) 22 | stemcell: windows 23 | networks: [{name: ((external_worker_network_name))}] 24 | azs: ((azs)) 25 | jobs: 26 | - name: enable_ssh 27 | release: windows-utilities 28 | - name: worker-windows 29 | release: concourse 30 | properties: 31 | tags: ((worker_tags)) 32 | worker_gateway: 33 | hosts: ["((tsa_host)):2222"] 34 | host_public_key: ((tsa_host_key.public_key)) 35 | worker_key: ((worker_key)) 36 | 37 | update: 38 | canaries: 1 39 | max_in_flight: 1 40 | serial: false 41 | canary_watch_time: 1000-60000 42 | update_watch_time: 1000-60000 43 | -------------------------------------------------------------------------------- /cluster/external-worker.yml: -------------------------------------------------------------------------------- 1 | name: ((deployment_name)) 2 | 3 | releases: 4 | - name: concourse 5 | version: ((concourse_version)) 6 | sha1: ((concourse_sha1)) 7 | url: https://bosh.io/d/github.com/concourse/concourse-bosh-release?v=((concourse_version)) 8 | 9 | stemcells: 10 | - alias: jammy 11 | os: ubuntu-jammy 12 | version: latest 13 | 14 | instance_groups: 15 | - name: worker 16 | instances: ((instances)) 17 | 
azs: ((azs)) 18 | vm_type: ((worker_vm_type)) 19 | stemcell: jammy 20 | networks: [{name: ((external_worker_network_name))}] 21 | jobs: 22 | - name: worker 23 | release: concourse 24 | properties: 25 | log_level: debug 26 | tags: ((worker_tags)) 27 | worker_gateway: 28 | hosts: ["((tsa_host)):2222"] 29 | host_public_key: ((tsa_host_key.public_key)) 30 | worker_key: ((worker_key)) 31 | 32 | update: 33 | canaries: 1 34 | max_in_flight: 1 35 | serial: false 36 | canary_watch_time: 1000-60000 37 | update_watch_time: 1000-60000 38 | -------------------------------------------------------------------------------- /cluster/operations/add-external-worker-keys.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/worker_gateway/authorized_keys 3 | value: | 4 | ((worker_key.public_key)) 5 | ((external_worker_authorized_keys)) -------------------------------------------------------------------------------- /cluster/operations/add-garden-config-ini.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/garden? 3 | value: 4 | config_ini: ((worker_garden_config_ini)) -------------------------------------------------------------------------------- /cluster/operations/add-local-users.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/local/users 3 | value: ((main_team_local_users)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/add_local_users? 
7 | value: ((add_local_users)) 8 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-auth-config.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/config 3 | value: ((main_team.auth_config)) 4 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-cf-orgs.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/cf/orgs? 3 | value: ((main_team_cf_orgs)) 4 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-cf-spaces.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/cf/spaces? 3 | value: ((main_team_cf_spaces)) 4 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-cf-users.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/cf/users? 
3 | value: ((main_team_cf_users)) 4 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-ldap-groups.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/ldap/groups 3 | value: ((main_team_ldap_groups)) 4 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-ldap-users.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/ldap/users 3 | value: ((main_team_ldap_users)) 4 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-oauth-users.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/oauth 3 | value: 4 | users: ((main_team_oauth_users)) 5 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-oidc-groups.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/oidc/groups 3 | value: ((main_team.auth.oidc.groups)) 4 | -------------------------------------------------------------------------------- /cluster/operations/add-main-team-oidc-users.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/oidc/users 3 | value: ((main_team.auth.oidc.users)) 4 | -------------------------------------------------------------------------------- /cluster/operations/add-worker-key-variable.yml: 
-------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /variables?/- 3 | value: 4 | name: worker_key 5 | type: ssh 6 | -------------------------------------------------------------------------------- /cluster/operations/audit.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/build 3 | value: ((enable_build_audit_log)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/container 7 | value: ((enable_container_audit_log)) 8 | 9 | - type: replace 10 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/job 11 | value: ((enable_job_audit_log)) 12 | 13 | - type: replace 14 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/pipeline 15 | value: ((enable_pipeline_audit_log)) 16 | 17 | - type: replace 18 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/resource 19 | value: ((enable_resource_audit_log)) 20 | 21 | - type: replace 22 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/system 23 | value: ((enable_system_audit_log)) 24 | 25 | - type: replace 26 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/team 27 | value: ((enable_team_audit_log)) 28 | 29 | - type: replace 30 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/volume 31 | value: ((enable_volume_audit_log)) 32 | 33 | - type: replace 34 | path: /instance_groups/name=web/jobs/name=web/properties/audit?/worker 35 | value: ((enable_worker_audit_log)) 36 | -------------------------------------------------------------------------------- /cluster/operations/aws-secrets-manager.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/aws_secretsmanager? 
3 | value: 4 | access_key: ((aws_secretsmanager.access_key)) 5 | secret_key: ((aws_secretsmanager.secret_key)) 6 | region: ((aws_secretsmanager.region)) 7 | 8 | pipeline_secret_template: ((aws_secretsmanager.pipeline_secret_template)) 9 | # default value is /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}} 10 | 11 | team_secret_template: ((aws_secretsmanager.team_secret_template)) 12 | # default value is /concourse/{{.Team}}/{{.Secret}} 13 | -------------------------------------------------------------------------------- /cluster/operations/backup-atc-colocated-web.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/- 3 | value: 4 | name: backup-and-restore-sdk 5 | url: https://bosh.io/d/github.com/cloudfoundry-incubator/backup-and-restore-sdk-release?v=((bbr_sdk_version)) 6 | sha1: ((bbr_sdk_sha1)) 7 | version: ((bbr_sdk_version)) 8 | 9 | - type: replace 10 | path: /instance_groups/name=web/jobs/- 11 | value: 12 | name: bbr-atcdb 13 | release: concourse 14 | 15 | - type: replace 16 | path: /instance_groups/name=web/jobs/- 17 | value: 18 | name: database-backup-restorer 19 | release: backup-and-restore-sdk 20 | -------------------------------------------------------------------------------- /cluster/operations/backup-atc.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/name=backup-and-restore-sdk? 
3 | value: 4 | name: backup-and-restore-sdk 5 | version: ((bbr_sdk_version)) 6 | url: https://bosh.io/d/github.com/cloudfoundry-incubator/backup-and-restore-sdk-release?v=((bbr_sdk_version)) 7 | 8 | - type: replace 9 | path: /instance_groups/name=db/jobs/- 10 | value: 11 | name: bbr-atcdb 12 | release: concourse 13 | 14 | - type: replace 15 | path: /instance_groups/name=db/jobs/- 16 | value: 17 | release: backup-and-restore-sdk 18 | name: database-backup-restorer 19 | -------------------------------------------------------------------------------- /cluster/operations/basic-auth.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/local/users 3 | value: [((local_user.username))] 4 | 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/add_local_users? 7 | value: ['((local_user.username)):((local_user.password))'] 8 | -------------------------------------------------------------------------------- /cluster/operations/build-log-retention.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/build_log_retention? 
3 | value: 4 | default_builds: ((build_logs_default)) 5 | maximum_builds: ((build_logs_maximum)) 6 | -------------------------------------------------------------------------------- /cluster/operations/cf-auth.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/cf_auth?/client_id 3 | value: ((cf_client_id)) 4 | - type: replace 5 | path: /instance_groups/name=web/jobs/name=web/properties/cf_auth?/client_secret 6 | value: ((cf_client_secret)) 7 | - type: replace 8 | path: /instance_groups/name=web/jobs/name=web/properties/cf_auth?/api_url 9 | value: ((cf_api_url)) 10 | -------------------------------------------------------------------------------- /cluster/operations/cluster-name.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/cluster_name? 3 | value: ((cluster_name)) 4 | -------------------------------------------------------------------------------- /cluster/operations/container-placement-strategy-limit-active-tasks.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/container_placement_strategy? 4 | value: "limit-active-tasks" 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/max_active_tasks_per_worker? 7 | value: ((max-active-tasks-per-worker)) 8 | -------------------------------------------------------------------------------- /cluster/operations/container-placement-strategy-random.yml: -------------------------------------------------------------------------------- 1 | # 2 | # This operations file will configure web to use the "random" 3 | # container placement strategy, which you may find helps performance 4 | # for some cases. 
This overrides the out-of-the-box default of 5 | # "volume-locality". 6 | # 7 | # You can read more about this setting, and performance in general, 8 | # [here][1]. 9 | # 10 | # [1]: https://discuss.concourse-ci.org/t/concourse-ci-performance-recommendations/344/2 11 | # 12 | --- 13 | - type: replace 14 | path: /instance_groups/name=web/jobs/name=web/properties/container_placement_strategy? 15 | value: "random" 16 | -------------------------------------------------------------------------------- /cluster/operations/container-placement-strategy.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/container_placement_strategy? 4 | value: ((container_placement_strategy)) 5 | -------------------------------------------------------------------------------- /cluster/operations/containerd-dns.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/containerd?/dns_servers? 3 | value: ((containerd_dns_servers)) 4 | -------------------------------------------------------------------------------- /cluster/operations/credential-manager-enable-cache.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | # Enable in-memory caching of secrets fetched from the credential manager. 3 | path: /instance_groups/name=web/jobs/name=web/properties/secrets?/cache?/enabled? 4 | value: true 5 | -------------------------------------------------------------------------------- /cluster/operations/credential-manager-tuning.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | # When credential manager is enabled, maximum duration for which to keep cached credentials. 
Default with concourse 5.3: 1m 3 | path: /instance_groups/name=web/jobs/name=web/properties/secrets?/cache?/duration? 4 | value: ((credential-manager.duration)) 5 | 6 | - type: replace 7 | # When credential manager is enabled, interval on which to purge expired cached credentials. Default with concourse 5.3: 10m 8 | path: /instance_groups/name=web/jobs/name=web/properties/secrets?/cache?/purge_interval? 9 | value: ((credential-manager.purge_interval)) 10 | 11 | - type: replace 12 | # When credential manager is enabled, the interval to wait between retries when fetching a secret. Default with concourse 5.3: 10s 13 | path: /instance_groups/name=web/jobs/name=web/properties/secrets?/cache?/retry_interval? 14 | value: ((credential-manager.retry_interval)) 15 | 16 | - type: replace 17 | # When credential manager is enabled, the number of times a secret fetch is retried when a retryable error occurs. Default with concourse 5.3: 5 18 | path: /instance_groups/name=web/jobs/name=web/properties/secrets?/cache?/retry_attempts? 19 | value: ((credential-manager.retry_attempts)) 20 | -------------------------------------------------------------------------------- /cluster/operations/credhub-colocated.yml: -------------------------------------------------------------------------------- 1 | # Note: this ops file depends on the following ops files also being applied: 2 | # - /operations/tls.yml: for TLS 3 | # - /operations/uaa.yml: for client/user authentication 4 | 5 | # release 6 | - path: /releases/- 7 | type: replace 8 | value: 9 | name: credhub 10 | url: https://bosh.io/d/github.com/pivotal-cf/credhub-release?v=((credhub_version)) 11 | sha1: ((credhub_sha1)) 12 | version: ((credhub_version)) 13 | 14 | # variables 15 | - path: /variables?/name=credhub_db_password? 16 | type: replace 17 | value: 18 | name: credhub_db_password 19 | type: password 20 | - path: /variables?/name=credhub_encryption_password? 
21 | type: replace 22 | value: 23 | name: credhub_encryption_password 24 | type: password 25 | options: 26 | length: 40 27 | - path: /variables?/name=concourse_to_credhub_client_secret? 28 | type: replace 29 | value: 30 | name: concourse_to_credhub_client_secret 31 | type: password 32 | - path: /variables?/name=credhub_admin_secret? 33 | type: replace 34 | value: 35 | name: credhub_admin_secret 36 | type: password 37 | 38 | # add credhub job to web instance group 39 | - path: /instance_groups/name=web/jobs/- 40 | type: replace 41 | value: 42 | name: credhub 43 | release: credhub 44 | properties: 45 | credhub: 46 | port: 8844 47 | tls: ((atc_tls)) 48 | authentication: 49 | uaa: 50 | enabled: true 51 | url: "((external_url)):8443" 52 | ca_certs: [((atc_tls.ca))] 53 | authorization: 54 | acls: 55 | enabled: false 56 | data_storage: 57 | type: postgres 58 | database: &credhub_db credhub 59 | username: &credhub_db_role credhub 60 | password: &credhub_db_passwd ((credhub_db_password)) 61 | require_tls: false 62 | log_level: info 63 | encryption: 64 | providers: 65 | - name: internal-provider 66 | type: internal 67 | keys: 68 | - provider_name: internal-provider 69 | key_properties: 70 | encryption_password: ((credhub_encryption_password)) 71 | active: true 72 | 73 | # update DB instance to include credhub database 74 | - path: /instance_groups/name=db/jobs/name=postgres/properties/databases/databases/- 75 | type: replace 76 | value: 77 | name: *credhub_db 78 | - path: /instance_groups/name=db/jobs/name=postgres/properties/databases/roles/- 79 | type: replace 80 | value: 81 | name: *credhub_db 82 | password: *credhub_db_passwd 83 | 84 | # update UAA job by adding new client(s) 85 | # concourse_to_credhub_client is used for concourse<->credhub integration 86 | - path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/clients?/concourse_to_credhub_client 87 | type: replace 88 | value: 89 | id: concourse_to_credhub_client 90 | secret: 
((concourse_to_credhub_client_secret)) 91 | override: true 92 | authorized-grant-types: client_credentials 93 | scope: "" 94 | authorities: credhub.read,credhub.write 95 | access-token-validity: 1200 96 | refresh-token-validity: 3600 97 | # credhub_admin is used as the CredHub Admin 98 | - path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/clients?/credhub_admin 99 | type: replace 100 | value: 101 | id: credhub_admin 102 | secret: ((credhub_admin_secret)) 103 | override: true 104 | authorized-grant-types: client_credentials 105 | scope: "" 106 | authorities: credhub.read,credhub.write 107 | access-token-validity: 3600 108 | refresh-token-validity: 3600 109 | 110 | # add credhub integration with concourse 111 | - path: /instance_groups/name=web/jobs/name=web/properties/credhub? 112 | type: replace 113 | value: 114 | url: ((external_url)):8844 115 | tls: 116 | ca_cert: 117 | certificate: ((atc_tls.ca)) 118 | client_cert: ((atc_tls.certificate)) 119 | insecure_skip_verify: false 120 | client_id: concourse_to_credhub_client 121 | client_secret: ((concourse_to_credhub_client_secret)) 122 | path_prefix: /concourse -------------------------------------------------------------------------------- /cluster/operations/credhub-path-prefix.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/credhub?/path_prefix? 3 | value: ((credhub_path_prefix)) 4 | 5 | -------------------------------------------------------------------------------- /cluster/operations/credhub-tls-skip-verify.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/credhub/tls/insecure_skip_verify? 
4 | value: true 5 | -------------------------------------------------------------------------------- /cluster/operations/credhub.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/credhub? 3 | value: 4 | url: ((credhub_url)) 5 | client_id: ((credhub_client_id)) 6 | client_secret: ((credhub_client_secret)) 7 | tls: 8 | ca_cert: 9 | certificate: ((credhub_ca_cert)) 10 | -------------------------------------------------------------------------------- /cluster/operations/datadog.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/- 3 | value: 4 | name: datadog-agent 5 | version: latest 6 | 7 | - type: replace 8 | path: /addons?/- 9 | value: 10 | name: dd-agent 11 | include: 12 | stemcell: 13 | - os: ubuntu-trusty 14 | - os: ubuntu-jammy 15 | jobs: 16 | - name: dd-agent 17 | release: datadog-agent 18 | properties: 19 | dd: 20 | api_key: ((datadog_api_key)) 21 | tags: ((datadog_tags)) 22 | 23 | # collect live per-process stats 24 | process_agent_enabled: true 25 | 26 | # enable statsd sink for concourse to emit its own metrics to 27 | use_dogstatsd: true 28 | 29 | # this is the default, but let's be explicit for below 30 | dogstatsd_port: 18125 31 | 32 | # without this the hostnames are just 'db-0' which aren't unique across 33 | # deployments, causing datadog to only collect one set of stats at a 34 | # time (whoever starts up last) 35 | unique_friendly_hostname: true 36 | 37 | # by default, the agent will emit disk usage for every volume. 38 | # this results in noisy, high-cardinality metrics that are also 39 | # very expensive! these two config flags override the defaults, 40 | # and disable per-volume reporting. 
41 | generate_disk_config: false 42 | disk_yaml_config: | 43 | --- 44 | init_config: 45 | 46 | instances: 47 | - use_mount: yes 48 | tag_by_filesystem: true 49 | all_partitions: true 50 | mount_point_blacklist: 51 | - ^\/var\/vcap\/data\/worker\/work\/volumes\/.* 52 | file_system_blacklist: 53 | - tracefs 54 | 55 | - type: replace 56 | path: /instance_groups/name=web/jobs/name=web/properties/datadog? 57 | value: 58 | agent_host: 127.0.0.1 59 | agent_port: 18125 60 | prefix: concourse.ci 61 | -------------------------------------------------------------------------------- /cluster/operations/db-max-connections.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=db/jobs/name=postgres/properties/max_connections? 3 | value: ((max_connections)) 4 | -------------------------------------------------------------------------------- /cluster/operations/db-stats.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=db/jobs/name=postgres/properties/databases/collect_statement_statistics? 3 | value: true 4 | -------------------------------------------------------------------------------- /cluster/operations/debug-concourse.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/log_level? 4 | value: debug 5 | 6 | - type: replace 7 | path: /instance_groups/name=worker/jobs/name=worker/properties?/log_level 8 | value: debug 9 | -------------------------------------------------------------------------------- /cluster/operations/debug-external-worker.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=worker/jobs/name=worker/properties/log_level? 
4 | value: debug 5 | -------------------------------------------------------------------------------- /cluster/operations/debug-tagged-worker.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=worker-((worker_tag))/jobs/name=worker/properties?/log_level 4 | value: debug 5 | -------------------------------------------------------------------------------- /cluster/operations/debug-untrusted-worker.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=untrusted-worker/jobs/name=worker/properties/log_level? 4 | value: debug 5 | -------------------------------------------------------------------------------- /cluster/operations/default-test-user.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/local/users 3 | value: [test] 4 | 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/add_local_users? 
7 | value: ['test:test'] 8 | -------------------------------------------------------------------------------- /cluster/operations/dev-versions.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/name=concourse/version 3 | value: latest 4 | - type: remove 5 | path: /releases/name=concourse/sha1 6 | - type: remove 7 | path: /releases/name=concourse/url 8 | 9 | - type: replace 10 | path: /releases/name=bpm/version 11 | value: latest 12 | - type: remove 13 | path: /releases/name=bpm/sha1 14 | - type: remove 15 | path: /releases/name=bpm/url 16 | 17 | - type: replace 18 | path: /releases/name=postgres/version 19 | value: latest 20 | - type: remove 21 | path: /releases/name=postgres/sha1 22 | - type: remove 23 | path: /releases/name=postgres/url 24 | -------------------------------------------------------------------------------- /cluster/operations/enable-global-resources.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/enable_global_resources? 3 | value: true 4 | 5 | -------------------------------------------------------------------------------- /cluster/operations/enable-lets-encrypt.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/lets_encrypt?/enabled 3 | value: true 4 | -------------------------------------------------------------------------------- /cluster/operations/enable-lidar.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/enable_lidar? 
3 | value: true 4 | 5 | -------------------------------------------------------------------------------- /cluster/operations/enable-redacting-credentials.yml: -------------------------------------------------------------------------------- 1 | # FYI: https://concourse-ci.org/creds-redacting.html 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/redact_secrets? 4 | value: true 5 | -------------------------------------------------------------------------------- /cluster/operations/encryption.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/encryption_key? 3 | value: ((encryption_key)) 4 | -------------------------------------------------------------------------------- /cluster/operations/external-postgres-client-cert.yml: -------------------------------------------------------------------------------- 1 | # requires the external-postgres.yml op file 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql/client_cert? 4 | value: ((postgres_client_cert)) 5 | -------------------------------------------------------------------------------- /cluster/operations/external-postgres-tls.yml: -------------------------------------------------------------------------------- 1 | # requires the external-postgres.yml op file 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql/ca_cert? 4 | value: 5 | certificate: ((postgres_ca_cert)) 6 | - type: replace 7 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql/sslmode? 
8 | value: verify-ca 9 | -------------------------------------------------------------------------------- /cluster/operations/external-postgres.yml: -------------------------------------------------------------------------------- 1 | - type: remove 2 | path: /releases/name=postgres 3 | 4 | - type: replace 5 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/host? 6 | value: ((postgres_host)) 7 | 8 | - type: replace 9 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/port? 10 | value: ((postgres_port)) 11 | 12 | - type: replace 13 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/role?/name? 14 | value: ((postgres_role)) 15 | 16 | - type: replace 17 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/role?/password? 18 | value: ((postgres_password)) 19 | 20 | - type: replace 21 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/sslmode? 22 | value: disable 23 | 24 | - type: remove 25 | path: /instance_groups/name=db 26 | -------------------------------------------------------------------------------- /cluster/operations/garden-dns.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/garden?/dns_servers? 3 | value: ((garden_dns_servers)) 4 | -------------------------------------------------------------------------------- /cluster/operations/generic-oauth.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/generic_oauth? 
3 | value: 4 | client_id: ((oauth_client_username)) 5 | client_secret: ((oauth_client_password)) 6 | auth_url: ((oauth_auth_url)) 7 | token_url: ((oauth_token_url)) 8 | userinfo_url: ((oauth_userinfo_url)) 9 | scopes: ((oauth_scopes)) 10 | groups_key: ((oauth_groups_key)) 11 | display_name: ((oauth_display_name)) 12 | 13 | - type: replace 14 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/oauth/users 15 | value: ((main_team.oauth.oauth_users)) 16 | 17 | - type: replace 18 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/oauth/groups 19 | value: ((main_team.oauth.oauth_groups)) 20 | -------------------------------------------------------------------------------- /cluster/operations/generic-oidc.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/generic_oidc? 3 | value: 4 | client_id: ((oidc.client_username)) 5 | client_secret: ((oidc.client_password)) 6 | issuer: ((oidc.issuer_url)) 7 | scopes: ((oidc.scopes)) 8 | groups_key: ((oidc.groups_key)) 9 | display_name: ((oidc.display_name)) 10 | user_name_key: ((oidc.user_name_key)) 11 | skip_email_verified_validation: ((oidc.skip_email_verified_validation)) 12 | skip_ssl_validation: ((oidc.skip_ssl_validation)) 13 | -------------------------------------------------------------------------------- /cluster/operations/github-auth.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/github_auth? 
3 | value: 4 | client_id: ((github_client.username)) 5 | client_secret: ((github_client.password)) 6 | 7 | - type: replace 8 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/github/users 9 | value: ((main_team.github_users)) 10 | 11 | - type: replace 12 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/github/orgs 13 | value: ((main_team.github_orgs)) 14 | 15 | - type: replace 16 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/github/teams 17 | value: ((main_team.github_teams)) 18 | -------------------------------------------------------------------------------- /cluster/operations/github-enterprise-auth.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/github_auth/host? 3 | value: ((github_enterprise.host)) 4 | -------------------------------------------------------------------------------- /cluster/operations/gitlab-auth.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/gitlab_auth?/host? 3 | value: ((gitlab_host)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/gitlab/users 7 | value: 8 | value: ((main_team.gitlab_users)) 9 | 10 | - type: replace 11 | path: /instance_groups/name=web/jobs/name=web/properties/main_team?/auth/gitlab/groups 12 | value: 13 | value: ((main_team.gitlab_groups)) 14 | 15 | - type: replace 16 | path: /instance_groups/name=web/jobs/name=web/properties/gitlab_auth?/client_id? 17 | value: ((gitlab_client_id)) 18 | 19 | - type: replace 20 | path: /instance_groups/name=web/jobs/name=web/properties/gitlab_auth?/client_secret? 
21 | value: ((gitlab_client_secret)) 22 | -------------------------------------------------------------------------------- /cluster/operations/http-proxy-tagged-worker.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker-((worker_tag))/jobs/name=worker/properties/http_proxy_url? 3 | value: ((http_proxy_url)) 4 | - type: replace 5 | path: /instance_groups/name=worker-((worker_tag))/jobs/name=worker/properties/https_proxy_url? 6 | value: ((https_proxy_url)) 7 | - type: replace 8 | path: /instance_groups/name=worker-((worker_tag))/jobs/name=worker/properties/no_proxy? 9 | value: ((no_proxy)) # --var no_proxy='["localhost", "127.0.0.1", "example.com", "domain.com:8080"]' 10 | -------------------------------------------------------------------------------- /cluster/operations/http-proxy.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/http_proxy_url? 3 | value: ((http_proxy_url)) 4 | - type: replace 5 | path: /instance_groups/name=worker/jobs/name=worker/properties/https_proxy_url? 6 | value: ((https_proxy_url)) 7 | - type: replace 8 | path: /instance_groups/name=worker/jobs/name=worker/properties/no_proxy? 9 | value: ((no_proxy)) # --var no_proxy='["localhost", "127.0.0.1", "example.com", "domain.com:8080"]' 10 | -------------------------------------------------------------------------------- /cluster/operations/influxdb.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/influxdb? 
3 | value: 4 | url: ((influxdb_url)) 5 | database: ((influxdb_database)) 6 | username: ((influxdb_auth.username)) 7 | password: ((influxdb_auth.password)) 8 | -------------------------------------------------------------------------------- /cluster/operations/ldap.yml: -------------------------------------------------------------------------------- 1 | # add LDAP integration to the ATC job 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/ldap_auth? 4 | value: 5 | host: ((ldap_host)) 6 | bind_dn: ((ldap_bind_dn)) 7 | bind_pw: ((ldap_bind_pw)) 8 | 9 | # Required if LDAP host does not use TLS. Default: false 10 | insecure_no_ssl: ((ldap_insecure_no_ssl)) 11 | # Skip verification of the LDAP host's TLS certificate. Default: false 12 | insecure_skip_verify: ((ldap_insecure_skip_verify)) 13 | # The CA certificate for the LDAP auth provider’s endpoints. 14 | ca_cert: ((ldap_ca_cert)) 15 | # Start on insecure port, then negotiate TLS. Default: false 16 | start_tls: ((ldap_start_tls)) 17 | 18 | # BaseDN to start the search from. e.g. "ou=people,dc=mycompany,dc=com" 19 | user_search_base_dn: ((ldap_user_search_base_dn)) 20 | # Optional filter to apply when searching the directory. e.g. "(objectClass=person)" 21 | user_search_filter: ((ldap_user_search_filter)) 22 | # Attribute to match against the inputted username. 23 | # This will be translated and combined with the other filter as "(<attr>=<username>)". 24 | user_search_username: ((ldap_user_search_username)) 25 | # A mapping of attributes on the user entry to claims. Defaults to ‘uid’ if empty. 26 | user_search_id_attr: ((ldap_user_search_id_attr)) 27 | # A mapping of attributes on the user entry to claims. 28 | user_search_name_attr: ((ldap_user_search_name_attr)) 29 | # A mapping of attributes on the user entry to claims. Defaults to ‘mail’ if empty. 30 | user_search_email_attr: ((ldap_user_search_email_attr)) 31 | # Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty. 
32 | user_search_scope: ((ldap_user_search_scope)) 33 | 34 | # BaseDN to start the search from. e.g. "ou=groups,dc=mycompany,dc=com" 35 | group_search_base_dn: ((ldap_group_search_base_dn)) 36 | # Optional filter to apply when searching the directory. e.g. "(objectClass=posixGroup)" 37 | group_search_filter: ((ldap_group_search_filter)) 38 | # Adds an additional requirement to the filter that an attribute in the group matches the user’s attribute value. 39 | # The exact filter being added is "(<groupAttr>=<userAttr value>)" 40 | group_search_group_attr: ((ldap_group_search_group_attr)) 41 | group_search_user_attr: ((ldap_group_search_user_attr)) 42 | # The attribute of the group that represents its name, e.g. "cn" 43 | group_search_name_attr: ((ldap_group_search_name_attr)) 44 | # Can either be ‘sub’ - search the whole sub tree or ‘one’ - only search one level. Defaults to ‘sub’ if empty. 45 | group_search_scope: ((ldap_group_search_scope)) 46 | -------------------------------------------------------------------------------- /cluster/operations/lidar-intervals.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/lidar_checker_interval? 3 | value: ((lidar_checker_interval)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/lidar_scanner_interval? 7 | value: ((lidar_scanner_interval)) 8 | -------------------------------------------------------------------------------- /cluster/operations/max-db-connection-pool.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/max_conns? 
3 | value: ((max_db_connection_pool)) 4 | -------------------------------------------------------------------------------- /cluster/operations/max-in-flight.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /update/max_in_flight? 3 | value: ((update_max_in_flight)) 4 | -------------------------------------------------------------------------------- /cluster/operations/metrics-buffer-size.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/metrics_buffer_size? 4 | value: ((metrics_buffer_size)) 5 | -------------------------------------------------------------------------------- /cluster/operations/mtls.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/tls?/cert 3 | value: ((atc_tls)) 4 | -------------------------------------------------------------------------------- /cluster/operations/no-internet-access.yml: -------------------------------------------------------------------------------- 1 | # Local releases when deployment is in an environment with no Internet access 2 | 3 | - type: replace 4 | path: /releases/name=concourse/url 5 | value: file://((concourse_release)) 6 | 7 | - type: remove 8 | path: /releases/name=concourse/sha1 9 | 10 | - type: replace 11 | path: /releases/name=bpm/url 12 | value: file://((garden_runc_release)) 13 | 14 | - type: remove 15 | path: /releases/name=bpm/sha1 16 | 17 | - type: replace 18 | path: /releases/name=postgres/url 19 | value: file://((postgres_release)) 20 | 21 | - type: remove 22 | path: /releases/name=postgres/sha1 23 | -------------------------------------------------------------------------------- /cluster/operations/offline-releases.yml: -------------------------------------------------------------------------------- 1 
| # This removes all bosh.io references 2 | # used to ensure that the bosh director does 3 | # not call out to the open Internet 4 | 5 | # Requires all bosh releases that will be used 6 | # to have been uploaded to the bosh director 7 | - type: remove 8 | path: /releases/name=concourse?/url 9 | - type: remove 10 | path: /releases/name=bpm?/url 11 | - type: remove 12 | path: /releases/name=postgres?/url 13 | - type: remove 14 | path: /releases/name=uaa?/url 15 | - type: remove 16 | path: /releases/name=credhub?/url 17 | - type: remove 18 | path: /releases/name=bbr?/url 19 | - type: remove 20 | path: /releases/name=windows-utilities?/url 21 | - type: remove 22 | path: /releases/name=concourse?/sha1 23 | - type: remove 24 | path: /releases/name=bpm?/sha1 25 | - type: remove 26 | path: /releases/name=postgres?/sha1 27 | - type: remove 28 | path: /releases/name=uaa?/sha1 29 | - type: remove 30 | path: /releases/name=credhub?/sha1 31 | - type: remove 32 | path: /releases/name=bbr?/sha1 33 | - type: remove 34 | path: /releases/name=windows-utilities?/sha1 35 | -------------------------------------------------------------------------------- /cluster/operations/postgres-link.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=db/jobs/name=postgres/provides? 3 | value: 4 | postgres: {as: db} -------------------------------------------------------------------------------- /cluster/operations/privileged-http.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/bind_port? 
3 | value: 80 4 | -------------------------------------------------------------------------------- /cluster/operations/privileged-https.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/tls?/bind_port? 3 | value: 443 4 | -------------------------------------------------------------------------------- /cluster/operations/prometheus.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/prometheus? 3 | value: 4 | bind_ip: 0.0.0.0 5 | bind_port: ((prometheus_port)) 6 | -------------------------------------------------------------------------------- /cluster/operations/rotate-encryption-keys.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/encryption_key? 3 | value: ((encryption_key)) 4 | - type: replace 5 | path: /instance_groups/name=web/jobs/name=web/properties/old_encryption_key? 6 | value: ((old_encryption_key)) -------------------------------------------------------------------------------- /cluster/operations/runtime-containerd.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/runtime? 
3 | value: containerd 4 | -------------------------------------------------------------------------------- /cluster/operations/scale-untrusted-worker.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=untrusted-worker/instances 3 | value: ((untrusted_worker_instances)) 4 | -------------------------------------------------------------------------------- /cluster/operations/scale.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/instances 3 | value: ((web_instances)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=worker/instances 7 | value: ((worker_instances)) 8 | -------------------------------------------------------------------------------- /cluster/operations/secure-internal-postgres-bbr.yml: -------------------------------------------------------------------------------- 1 | # requires the secure-internal-postgres.yml op file 2 | - type: replace 3 | path: /variables/- 4 | value: 5 | name: postgres_client_tls 6 | type: certificate 7 | options: 8 | ca: postgres_ca 9 | common_name: concourse 10 | extended_key_usage: 11 | - client_auth 12 | 13 | - type: replace 14 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/client_cert 15 | value: 16 | private_key: ((postgres_client_tls.private_key)) 17 | certificate: ((postgres_client_tls.certificate)) 18 | -------------------------------------------------------------------------------- /cluster/operations/secure-internal-postgres-credhub.yml: -------------------------------------------------------------------------------- 1 | # requires the secure-internal-postgres.yml op file 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=credhub?/properties/credhub/data_storage/tls_ca? 
4 | value: ((postgres_ca.certificate)) 5 | 6 | - type: replace 7 | path: /instance_groups/name=web/jobs/name=credhub?/properties/credhub/data_storage/require_tls? 8 | value: true 9 | -------------------------------------------------------------------------------- /cluster/operations/secure-internal-postgres-uaa.yml: -------------------------------------------------------------------------------- 1 | # requires the secure-internal-postgres.yml op file 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=uaa?/properties/uaa/ca_certs? 4 | value: [((postgres_ca.certificate))] 5 | 6 | # available jdbc ssl mode options (with the equivalent postgres sslmode): 7 | # - enabled = verify-full 8 | # - enabled_skip_hostname_validation = verify-ca 9 | # - enabled_skip_all_validation = require 10 | # - disabled = disable 11 | - type: replace 12 | path: /instance_groups/name=web/jobs/name=uaa?/properties/uaadb/tls? 13 | value: enabled 14 | -------------------------------------------------------------------------------- /cluster/operations/secure-internal-postgres.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /variables/- 3 | value: 4 | name: postgres_ca 5 | type: certificate 6 | options: 7 | is_ca: true 8 | common_name: postgresCA 9 | 10 | - type: replace 11 | path: /variables/- 12 | value: 13 | name: postgres_tls 14 | type: certificate 15 | options: 16 | ca: postgres_ca 17 | extended_key_usage: 18 | - server_auth 19 | consumes: 20 | alternative_name: { from: concourse-postgres-address } 21 | common_name: { from: concourse-postgres-address } 22 | 23 | - type: replace 24 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql/ca_cert? 25 | value: ((postgres_ca)) 26 | 27 | - type: replace 28 | path: /instance_groups/name=web/jobs/name=web/properties/postgresql/sslmode? 
29 | value: verify-ca 30 | 31 | - type: replace 32 | path: /instance_groups/name=db/jobs/name=postgres/provides?/postgres-address 33 | value: {as: concourse-postgres-address} 34 | 35 | - type: replace 36 | path: /instance_groups/name=db/jobs/name=postgres/custom_provider_definitions?/- 37 | value: {name: postgres-address, type: address} 38 | 39 | - type: replace 40 | path: /instance_groups/name=db/jobs/name=postgres/properties/databases?/tls 41 | value: 42 | private_key: ((postgres_tls.private_key)) 43 | certificate: ((postgres_tls.certificate)) 44 | -------------------------------------------------------------------------------- /cluster/operations/static-web.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/networks/0/static_ips? 3 | value: [((web_ip))] 4 | -------------------------------------------------------------------------------- /cluster/operations/storage-driver.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/baggageclaim?/driver? 
3 | value: ((storage_driver)) 4 | -------------------------------------------------------------------------------- /cluster/operations/syslog-drainer.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/syslog?/address 3 | value: ((syslog_address)):((syslog_port)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/syslog?/transport 7 | value: tls 8 | -------------------------------------------------------------------------------- /cluster/operations/syslog_forwarder.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /addons?/- 3 | value: 4 | name: syslog_forwarder 5 | include: 6 | stemcell: 7 | - os: ubuntu-trusty 8 | - os: ubuntu-jammy 9 | jobs: 10 | - name: syslog_forwarder 11 | release: syslog 12 | properties: 13 | syslog: 14 | address: ((syslog_address)) 15 | port: ((syslog_port)) 16 | transport: tcp 17 | tls_enabled: true 18 | permitted_peer: ((syslog_permitted_peer)) 19 | 20 | # prevent duplicate logs from components which send to syslog 21 | # themselves 22 | # audispd rule: remove audispd log event flooding if queue overflows 23 | # auditd rule: filter all logs to avoid "log file is larger than max size" 24 | custom_rule: | 25 | if ($programname startswith "vcap.") then stop 26 | if ($programname contains "audispd") then stop 27 | if ($programname contains "auditd") then stop 28 | 29 | - type: replace 30 | path: /releases/- 31 | value: 32 | name: syslog 33 | version: latest 34 | -------------------------------------------------------------------------------- /cluster/operations/tagged-worker.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/- 3 | value: 4 | name: worker-((worker_tag)) 5 | instances: 1 6 | vm_type: ((tagged_worker_vm_type)) 7 | stemcell: jammy 8 | 
networks: [{name: ((network_name))}] 9 | azs: [z1] 10 | jobs: 11 | - release: concourse 12 | name: worker 13 | properties: 14 | drain_timeout: 10m 15 | tags: [((worker_tag))] 16 | worker_gateway: {worker_key: ((worker_key))} 17 | -------------------------------------------------------------------------------- /cluster/operations/task-limits.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/default_task_cpu_limit? 3 | value: ((default_task_cpu_limit)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=web/properties/default_task_memory_limit? 7 | value: ((default_task_memory_limit)) 8 | -------------------------------------------------------------------------------- /cluster/operations/team-authorized-keys.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/worker_gateway?/team_authorized_keys? 3 | value: ((team_authorized_keys)) 4 | -------------------------------------------------------------------------------- /cluster/operations/telegraf-postgres.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/name=telegraf-agent? 
3 | value: 4 | name: telegraf-agent 5 | version: latest 6 | 7 | - type: replace 8 | path: /instance_groups/name=db/jobs/- 9 | value: 10 | name: telegraf-agent 11 | release: telegraf-agent 12 | properties: 13 | influxdb: 14 | url: ((influxdb_url)) 15 | database: ((influxdb_database)) 16 | username: ((influxdb_auth.username)) 17 | password: ((influxdb_auth.password)) 18 | inputs: 19 | postgresql: 20 | address: 'postgres://concourse:((postgres_password))@127.0.0.1/atc?sslmode=disable' 21 | # postgresql_extensible: 22 | # address: 'postgres://concourse:((postgres_password))@127.0.0.1/atc?sslmode=disable' 23 | # outputaddress: prod 24 | # queries: 25 | # - measurement: "postgresql slow queries" 26 | # query: | 27 | # SELECT 28 | # total_time / calls AS avg_time, 29 | # calls, 30 | # total_time, 31 | # rows, 32 | # 100.0 * shared_blks_hit / nullif(shared_blks_hit + shared_blks_read, 0) AS hit_percent, 33 | # regexp_replace(query, '[\s\t\n]+', ' ', 'g') AS query 34 | # FROM pg_stat_statements 35 | # WHERE query NOT LIKE '%EXPLAIN%' 36 | # ORDER BY avg_time DESC LIMIT 50 37 | # version: 901 38 | # tags: ["query"] 39 | 40 | -------------------------------------------------------------------------------- /cluster/operations/tls-port.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/tls?/bind_port? 
3 | value: ((atc_tls.bind_port)) 4 | -------------------------------------------------------------------------------- /cluster/operations/tls-vars.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /variables/- 3 | value: 4 | name: atc_ca 5 | type: certificate 6 | options: 7 | is_ca: true 8 | common_name: atcCA 9 | 10 | - type: replace 11 | path: /variables/- 12 | value: 13 | name: atc_tls 14 | type: certificate 15 | options: 16 | ca: atc_ca 17 | alternative_names: [((external_host))] 18 | organization: atcOrg 19 | -------------------------------------------------------------------------------- /cluster/operations/tls.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/tls?/cert 3 | value: 4 | certificate: ((atc_tls.certificate)) 5 | private_key: ((atc_tls.private_key)) 6 | -------------------------------------------------------------------------------- /cluster/operations/turn-off-encryption.yml: -------------------------------------------------------------------------------- 1 | 2 | - type: replace 3 | path: /instance_groups/name=web/jobs/name=web/properties/old_encryption_key? 
4 | value: ((encryption_key)) -------------------------------------------------------------------------------- /cluster/operations/uaa-generic-oauth-provider.yml: -------------------------------------------------------------------------------- 1 | # Enable UAA as ATC's generic_oauth provider 2 | # Please add uaa.yml before this ops file 3 | 4 | # update UAA job by adding new client 5 | - type: replace 6 | path: /instance_groups/name=web/jobs/name=uaa/properties/uaa/clients?/concourse_generic_oauth_client 7 | value: 8 | id: concourse_generic_oauth_client 9 | secret: ((concourse_generic_oauth_client_secret)) 10 | override: true 11 | scope: openid,email,profile,roles 12 | authorized-grant-types: "authorization_code,refresh_token" 13 | access-token-validity: 3600 14 | refresh-token-validity: 7200 15 | redirect-uri: "((external_url))/sky/issuer/callback" 16 | 17 | # integrate ATC by adding generic_oauth part 18 | - type: replace 19 | path: /instance_groups/name=web/jobs/name=web/properties/generic_oauth? 20 | value: 21 | auth_url: "((external_url)):8443/oauth/authorize" 22 | ca_cert: ((atc_ca)) 23 | client_id: concourse_generic_oauth_client 24 | client_secret: ((concourse_generic_oauth_client_secret)) 25 | display_name: "UAA OAuth Provider" 26 | groups_key: [] 27 | scopes: [] 28 | token_url: "((external_url)):8443/oauth/token" 29 | userinfo_url: "((external_url)):8443/userinfo" 30 | 31 | # variables 32 | - type: replace 33 | path: /variables/name=concourse_generic_oauth_client_secret? 
34 | value: 35 | name: concourse_generic_oauth_client_secret 36 | type: password 37 | -------------------------------------------------------------------------------- /cluster/operations/uaa.yml: -------------------------------------------------------------------------------- 1 | # release 2 | - type: replace 3 | path: /releases/- 4 | value: 5 | name: uaa 6 | url: https://bosh.io/d/github.com/cloudfoundry/uaa-release?v=((uaa_version)) 7 | sha1: ((uaa_sha1)) 8 | version: ((uaa_version)) 9 | 10 | # add UAA job to web instance group 11 | - type: replace 12 | path: /instance_groups/name=web/jobs/- 13 | value: 14 | name: uaa 15 | release: uaa 16 | properties: 17 | uaa: 18 | url: &uaa-url "((external_url)):8443" 19 | localhost_http_port: 8181 20 | scim: 21 | users: 22 | - name: admin 23 | password: ((uaa_users_admin)) 24 | groups: 25 | - scim.write 26 | - scim.read 27 | - bosh.admin 28 | - credhub.read 29 | - credhub.write 30 | admin: {client_secret: ((uaa_admin))} 31 | login: {client_secret: ((uaa_login))} 32 | zones: {internal: {hostnames: []}} 33 | sslCertificate: ((atc_tls.certificate)) 34 | sslPrivateKey: ((atc_tls.private_key)) 35 | jwt: 36 | revocable: true 37 | policy: 38 | active_key_id: key-1 39 | keys: 40 | key-1: 41 | signingKey: ((uaa_jwt.private_key)) 42 | uaadb: 43 | port: 5432 44 | db_scheme: postgresql 45 | databases: 46 | - tag: uaa 47 | name: &uaa_db uaa 48 | roles: 49 | - tag: admin 50 | name: *uaa_db 51 | password: &uaa_db_passwd ((uaa_db_password)) 52 | encryption: 53 | active_key_label: key-1 54 | encryption_keys: 55 | - label: key-1 56 | passphrase: ((uaa_encryption_key)) 57 | login: 58 | saml: 59 | serviceProviderCertificate: ((atc_tls.certificate)) 60 | serviceProviderKey: ((atc_tls.private_key)) 61 | serviceProviderKeyPassword: "" 62 | 63 | # update postgres job to have uaa database 64 | - type: replace 65 | path: /instance_groups/name=db/jobs/name=postgres/properties/databases/databases/- 66 | value: 67 | name: *uaa_db 68 | - type: replace 69 
| path: /instance_groups/name=db/jobs/name=postgres/properties/databases/roles/- 70 | value: 71 | name: *uaa_db 72 | password: *uaa_db_passwd 73 | 74 | # variables 75 | - type: replace 76 | path: /variables?/name=uaa_db_password? 77 | value: 78 | name: uaa_db_password 79 | type: password 80 | - type: replace 81 | path: /variables?/name=uaa_users_admin? 82 | value: 83 | name: uaa_users_admin 84 | type: password 85 | - type: replace 86 | path: /variables?/name=concourse_to_credhub_secret? 87 | value: 88 | name: concourse_to_credhub_secret 89 | type: password 90 | - type: replace 91 | path: /variables?/name=uaa_admin? 92 | value: 93 | name: uaa_admin 94 | type: password 95 | - type: replace 96 | path: /variables?/name=uaa_login? 97 | value: 98 | name: uaa_login 99 | type: password 100 | - type: replace 101 | path: /variables?/name=uaa_jwt? 102 | value: 103 | name: uaa_jwt 104 | type: rsa 105 | options: 106 | key_length: 4096 107 | - type: replace 108 | path: /variables?/name=uaa_encryption_key? 109 | value: 110 | name: uaa_encryption_key 111 | type: password 112 | 113 | - type: replace 114 | path: /instance_groups/name=web/update? 
115 | value: 116 | update_watch_time: 1000-150000 117 | canary_watch_time: 1000-150000 118 | -------------------------------------------------------------------------------- /cluster/operations/untrusted-worker.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/- 3 | value: 4 | name: untrusted-worker 5 | instances: 1 6 | vm_type: ((untrusted_worker_vm_type)) 7 | stemcell: jammy 8 | networks: [{name: ((untrusted_worker_network_name))}] 9 | azs: [z1] 10 | jobs: 11 | - release: concourse 12 | name: worker 13 | properties: 14 | tags: ((untrusted_worker_tags)) 15 | worker_gateway: 16 | worker_key: ((worker_key)) 17 | garden: 18 | deny_networks: ((untrusted_worker_deny_networks)) 19 | dns_servers: [8.8.8.8, 8.8.4.4] 20 | -------------------------------------------------------------------------------- /cluster/operations/update-stemcell.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/stemcell? 3 | value: ((stemcell_alias)) 4 | 5 | - type: replace 6 | path: /instance_groups/name=db/stemcell? 7 | value: ((stemcell_alias)) 8 | 9 | - type: replace 10 | path: /instance_groups/name=worker/stemcell? 11 | value: ((stemcell_alias)) 12 | 13 | - type: replace 14 | path: /stemcells/- 15 | value: 16 | alias: ((stemcell_alias)) 17 | os: ((stemcell_os)) 18 | version: latest 19 | -------------------------------------------------------------------------------- /cluster/operations/vault-shared-path.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/vault/shared_path? 
3 | value: ((vault_shared_path)) 4 | -------------------------------------------------------------------------------- /cluster/operations/vault-tls-cert-auth.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/vault? 3 | value: 4 | url: https://((vault_host)):8200 5 | tls: 6 | ca_cert: 7 | certificate: ((vault_cert.ca)) 8 | client_cert: ((vault_client_cert)) 9 | auth: 10 | backend: cert 11 | 12 | - type: replace 13 | path: /variables/- 14 | value: 15 | name: vault_client_cert 16 | type: certificate 17 | options: 18 | is_ca: true 19 | common_name: concourse 20 | -------------------------------------------------------------------------------- /cluster/operations/vault-tls-skip_verify.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/vault?/tls?/insecure_skip_verify? 3 | value: ((vault_tls_skip_verify)) 4 | -------------------------------------------------------------------------------- /cluster/operations/vault.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/jobs/name=web/properties/vault? 
3 | value: 4 | path_prefix: ((concourse_vault_mount)) 5 | url: ((vault_url)) 6 | auth: 7 | client_token: ((concourse_vault_token)) 8 | -------------------------------------------------------------------------------- /cluster/operations/web-network-extension.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=web/networks/0/name 3 | value: ((web_network_name)) 4 | - type: replace 5 | path: /instance_groups/name=web/vm_extensions?/- 6 | value: ((web_network_vm_extension)) 7 | -------------------------------------------------------------------------------- /cluster/operations/windows-worker-ephemeral-disk.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=windows-worker/vm_extensions?/- 3 | value: ((windows_worker_ephemeral_disk)) 4 | -------------------------------------------------------------------------------- /cluster/operations/windows-worker-network.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=windows-worker/networks 3 | value: 4 | - name: ((windows_worker_network_name)) 5 | -------------------------------------------------------------------------------- /cluster/operations/windows-worker.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /releases/- 3 | value: 4 | name: "windows-utilities" 5 | version: ((windows_utilities_version)) 6 | url: "https://bosh.io/d/github.com/cloudfoundry-incubator/windows-utilities-release?v=((windows_utilities_version))" 7 | sha1: ((windows_utilities_sha1)) 8 | 9 | - type: replace 10 | path: /stemcells/- 11 | value: 12 | alias: windows 13 | os: ((windows_worker_os)) 14 | version: latest 15 | 16 | - type: replace 17 | path: /instance_groups/- 18 | value: 19 | name: windows-worker 20 | instances: 1 21 | 
vm_type: ((windows_worker_vm_type)) 22 | stemcell: windows 23 | networks: [{name: ((network_name))}] 24 | azs: [z1] 25 | jobs: 26 | - name: enable_ssh 27 | release: windows-utilities 28 | - name: worker-windows 29 | release: concourse 30 | properties: 31 | worker_gateway: 32 | worker_key: ((worker_key)) 33 | -------------------------------------------------------------------------------- /cluster/operations/worker-ephemeral-disk.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/vm_extensions?/- 3 | value: ((worker_ephemeral_disk)) 4 | -------------------------------------------------------------------------------- /cluster/operations/worker-max-in-flight.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/update?/max_in_flight? 3 | value: ((worker_update_max_in_flight)) 4 | -------------------------------------------------------------------------------- /cluster/operations/worker-rebalancing.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/worker_gateway/rebalance_interval? 3 | value: ((worker_rebalance_interval)) 4 | -------------------------------------------------------------------------------- /cluster/operations/worker-team-name.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/team? 
3 | value: ((team_name)) 4 | 5 | -------------------------------------------------------------------------------- /cluster/operations/worker-volume-sweeper-max-in-flight.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=worker/jobs/name=worker/properties/volume_sweeper_max_in_flight? 3 | value: ((volume_sweeper_max_in_flight)) 4 | -------------------------------------------------------------------------------- /cluster/operations/x-frame-options-allow-from.yml: -------------------------------------------------------------------------------- 1 | # 2 | # This operations file will configure web to include this HTTP header: 3 | # 4 | # X-Frame-Options: allow-from https://example.com/ 5 | # 6 | # You can read more about this header and how it might help prevent 7 | # clickjacking attacks [here][1]. 8 | # 9 | # [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 10 | # 11 | # The following URI parameter is required: 12 | # 13 | # x_frame_options_allow_from: 14 | # 15 | # It is mutually-exclusive with the other two x-frame-options*.yml 16 | # operations files. 17 | # 18 | --- 19 | - type: replace 20 | path: /instance_groups/name=web/jobs/name=web/properties/x_frame_options? 21 | value: "allow ((x_frame_options_allow_from))" 22 | -------------------------------------------------------------------------------- /cluster/operations/x-frame-options-sameorigin.yml: -------------------------------------------------------------------------------- 1 | # 2 | # This operations file will configure web to include this HTTP header: 3 | # 4 | # X-Frame-Options: sameorigin 5 | # 6 | # You can read more about this header and how it might help prevent 7 | # clickjacking attacks [here][1]. 
8 | # 9 | # [1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 10 | # 11 | # There are no configurable parameters associated with this 12 | # operations file, and it is mutually-exclusive with the other two 13 | # x-frame-options*.yml operations files. 14 | # 15 | --- 16 | - type: replace 17 | path: /instance_groups/name=web/jobs/name=web/properties/x_frame_options? 18 | value: "sameorigin" 19 | -------------------------------------------------------------------------------- /cluster/operations/x-frame-options-unset.yml: -------------------------------------------------------------------------------- 1 | # 2 | # This operations file will configure web to not include the X-Frame-Options header 3 | # 4 | # This allows accessing the web UI via an iframe, as is done in the Concourse 5 | # documentation examples. 6 | # 7 | # There are no configurable parameters associated with this 8 | # operations file, and it is mutually-exclusive with the other two 9 | # x-frame-options*.yml operations files. 10 | # 11 | --- 12 | - type: replace 13 | path: /instance_groups/name=web/jobs/name=web/properties/x_frame_options? 14 | value: "" 15 | -------------------------------------------------------------------------------- /lite/README.md: -------------------------------------------------------------------------------- 1 | # Lite-VM Concourse deployment 2 | 3 | A "lite" Concourse deployment will co-locate everything together, without a 4 | BOSH director. The only real advantage of this is that it's a single VM, making 5 | it easy to get your feet wet, but it won't help you scale later when you need 6 | it. 7 | 8 | Note that without a BOSH director, you really won't be able to use any BOSH 9 | commands except `create-env` to create the VM and `delete-env` to delete it. 10 | There is no `bosh ssh`, `bosh restart`, etc., and if something goes wrong, your 11 | only real recourse is to just `delete-env` and try again. 
12 | 13 | To get started, pick your infrastructure under `infrastructures/`, and run 14 | `create-env` with `-o path/to/infrastructure.yml` 15 | 16 | For example, to create a VirtualBox VM running Concourse, run: 17 | 18 | ```shell 19 | bosh create-env concourse.yml \ 20 | -o ./infrastructures/virtualbox.yml \ 21 | -l ../versions.yml \ 22 | --vars-store vbox-creds.yml \ 23 | --state vbox-state.json \ 24 | -v internal_cidr=192.168.100.0/24 \ 25 | -v internal_gw=192.168.100.1 \ 26 | -v internal_ip=192.168.100.4 \ 27 | -v public_ip=192.168.100.4 28 | ``` 29 | 30 | Note that you'll need [VirtualBox 31 | 5+](https://www.virtualbox.org/wiki/Downloads) for this scenario. 32 | 33 | This should then result in a Concourse running and listening at 34 | [http://192.168.100.4:8080](http://192.168.100.4:8080). You can then target it with `fly`: 35 | 36 | ```shell 37 | fly -t vbox login -c http://192.168.100.4:8080 38 | ``` 39 | 40 | Different infrastructures will require different parameters specified as `-v 41 | name=value`. You can see which things you need to provide by just running the 42 | command and seeing which values it blows up on. 
43 | 44 | For example, this will show what values the [GCP 45 | infrastructure](infrastructures/gcp.yml) needs: 46 | 47 | ```shell 48 | $ bosh create-env concourse.yml -l ../versions.yml -o infrastructures/gcp.yml 49 | Deployment manifest: '/Users/pivotal/workspace/concourse-deployment/lite/concourse.yml' 50 | Deployment state: '/Users/pivotal/workspace/concourse-deployment/lite/concourse-state.json' 51 | 52 | Started validating 53 | Failed validating (00:00:00) 54 | 55 | Parsing release set manifest '/Users/pivotal/workspace/concourse-deployment/lite/concourse.yml': 56 | Evaluating manifest: 57 | - Expected to find variables: 58 | - gcp_credentials_json 59 | - internal_cidr 60 | - internal_gw 61 | - internal_ip 62 | - mbus_bootstrap_password 63 | - network 64 | - postgres_password 65 | - project_id 66 | - public_ip 67 | - subnetwork 68 | - tags 69 | - zone 70 | 71 | Exit code 1 72 | ``` 73 | 74 | To learn what should be specified for those values, for now you'll have to 75 | look at the ops file itself. Hopefully there are comments. 
76 | -------------------------------------------------------------------------------- /lite/concourse.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: concourse 3 | 4 | releases: 5 | - name: concourse 6 | version: ((concourse_version)) 7 | sha1: ((concourse_sha1)) 8 | url: https://bosh.io/d/github.com/concourse/concourse-bosh-release?v=((concourse_version)) 9 | - name: bpm 10 | version: ((bpm_version)) 11 | sha1: ((bpm_sha1)) 12 | url: https://bosh.io/d/github.com/cloudfoundry/bpm-release?v=((bpm_version)) 13 | - name: postgres 14 | version: ((postgres_version)) 15 | sha1: ((postgres_sha1)) 16 | url: https://bosh.io/d/github.com/cloudfoundry/postgres-release?v=((postgres_version)) 17 | 18 | resource_pools: 19 | - name: vms 20 | network: default 21 | env: 22 | bosh: 23 | password: '*' 24 | 25 | disk_pools: 26 | - name: disks 27 | disk_size: 32_768 28 | 29 | networks: 30 | - name: default 31 | type: manual 32 | subnets: 33 | - range: ((internal_cidr)) 34 | gateway: ((internal_gw)) 35 | static_ips: ((internal_ip)) 36 | dns: [8.8.8.8] 37 | 38 | instance_groups: 39 | - name: concourse 40 | instances: 1 41 | resource_pool: vms 42 | persistent_disk_pool: disks 43 | networks: 44 | - name: default 45 | default: [gateway,dns] 46 | jobs: 47 | - release: bpm 48 | name: bpm 49 | properties: {} 50 | 51 | - release: concourse 52 | name: web 53 | properties: 54 | token_signing_key: ((token_signing_key)) 55 | 56 | external_url: http://((public_ip)):8080 57 | 58 | postgresql: 59 | host: 127.0.0.1 60 | database: atc 61 | sslmode: disable 62 | role: 63 | name: atc 64 | password: ((postgres_password)) 65 | 66 | add_local_users: 67 | concourse: ((concourse_password)) 68 | 69 | main_team: 70 | auth: 71 | local: 72 | users: [concourse] 73 | 74 | worker_gateway: 75 | host_key: ((tsa_host_key)) 76 | authorized_keys: [((worker_key.public_key))] 77 | 78 | - release: postgres 79 | name: postgres 80 | properties: 81 | databases: 82 | port: 
5432 83 | databases: 84 | - name: atc 85 | roles: 86 | - name: atc 87 | password: ((postgres_password)) 88 | 89 | - release: concourse 90 | name: worker 91 | properties: 92 | drain_timeout: 10m 93 | 94 | worker_gateway: 95 | hosts: ["127.0.0.1:2222"] 96 | host_public_key: ((tsa_host_key.public_key)) 97 | worker_key: ((worker_key)) 98 | 99 | garden: 100 | allow_host_access: true 101 | 102 | cloud_provider: 103 | mbus: https://mbus:((mbus_bootstrap_password))@((public_ip)):6868 104 | properties: 105 | agent: {mbus: "https://mbus:((mbus_bootstrap_password))@0.0.0.0:6868"} 106 | blobstore: {provider: local, path: /var/vcap/micro_bosh/data/cache} 107 | ntp: 108 | - time1.google.com 109 | - time2.google.com 110 | - time3.google.com 111 | - time4.google.com 112 | 113 | variables: 114 | - name: concourse_password 115 | type: password 116 | - name: mbus_bootstrap_password 117 | type: password 118 | - name: postgres_password 119 | type: password 120 | - name: token_signing_key 121 | type: rsa 122 | - name: tsa_host_key 123 | type: ssh 124 | - name: worker_key 125 | type: ssh 126 | -------------------------------------------------------------------------------- /lite/infrastructures/aws.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /releases/- 4 | value: 5 | name: bosh-aws-cpi 6 | version: 65 7 | url: https://bosh.io/d/github.com/cloudfoundry-incubator/bosh-aws-cpi-release?v=65 8 | sha1: 26b3a5c43e6f82594a373309a495660d6db26254 9 | 10 | - type: replace 11 | path: /resource_pools/name=vms/stemcell? 12 | value: 13 | url: https://bosh.io/d/stemcells/bosh-aws-xen-hvm-ubuntu-bionic-go_agent?v=1.1 14 | sha1: f6ea357dfa0cb998b02d023d84f96d31b8da1ce3 15 | 16 | # Configure sizes 17 | - type: replace 18 | path: /resource_pools/name=vms/cloud_properties? 
19 | value: 20 | availability_zone: ((az)) 21 | ephemeral_disk: 22 | size: 25000 23 | type: gp2 24 | instance_type: m3.xlarge 25 | 26 | # Add disk pool 27 | - type: replace 28 | path: /disk_pools/name=disks/cloud_properties? 29 | value: {type: gp2} 30 | 31 | # Configure networks 32 | - type: replace 33 | path: /networks/name=default/subnets/0/cloud_properties? 34 | value: {subnet: ((subnet_id))} 35 | 36 | - type: replace 37 | path: /instance_groups/name=concourse/networks/name=default/static_ips? 38 | value: [((internal_ip))] 39 | 40 | # Add CPI job 41 | - type: replace 42 | path: /cloud_provider/template? 43 | value: 44 | name: aws_cpi 45 | release: bosh-aws-cpi 46 | 47 | - type: replace 48 | path: /cloud_provider/properties/aws? 49 | value: 50 | access_key_id: ((access_key_id)) 51 | secret_access_key: ((secret_access_key)) 52 | default_key_name: ((default_key_name)) 53 | default_security_groups: ((default_security_groups)) 54 | region: ((region)) 55 | 56 | - type: replace 57 | path: /cloud_provider/ssh_tunnel? 58 | value: 59 | host: ((internal_ip)) 60 | port: 22 61 | user: vcap 62 | private_key: ((private_key)) 63 | -------------------------------------------------------------------------------- /lite/infrastructures/azure.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /releases/- 4 | value: 5 | name: bosh-azure-cpi 6 | version: "35.3.0" 7 | url: https://bosh.io/d/github.com/cloudfoundry-incubator/bosh-azure-cpi-release?v=35.3.0 8 | sha1: 990fcfa31e70c99a109b8284d35f0b4e79665559 9 | 10 | - type: replace 11 | path: /resource_pools/name=vms/stemcell? 12 | value: 13 | url: https://bosh.io/d/stemcells/bosh-azure-hyperv-ubuntu-bionic-go_agent?v=1.1 14 | sha1: 95d206fcef938a37e1b27d5fa8cd505d229ad485 15 | 16 | # Configure sizes 17 | - type: replace 18 | path: /resource_pools/name=vms/cloud_properties? 
19 | value: 20 | instance_type: Standard_D1_v2 21 | 22 | # Configure networks 23 | - type: replace 24 | path: /networks/name=default/subnets/0/cloud_properties? 25 | value: 26 | resource_group_name: ((resource_group_name)) 27 | virtual_network_name: ((vnet_name)) 28 | subnet_name: ((subnet_name)) 29 | 30 | - type: replace 31 | path: /networks/- 32 | value: 33 | name: public 34 | type: vip 35 | subnets: 36 | - cloud_properties: 37 | resource_group_name: ((resource_group_name)) 38 | 39 | - type: replace 40 | path: /instance_groups/name=concourse/networks/name=default/static_ips? 41 | value: [((internal_ip))] 42 | 43 | - type: replace 44 | path: /instance_groups/name=concourse/networks/name=default/default? 45 | value: [dns, gateway] 46 | 47 | - type: replace 48 | path: /instance_groups/name=concourse/networks/- 49 | value: 50 | name: public 51 | static_ips: [((public_ip))] 52 | 53 | # Add CPI 54 | - type: replace 55 | path: /cloud_provider/template? 56 | value: 57 | name: azure_cpi 58 | release: bosh-azure-cpi 59 | 60 | # Cloud properties 61 | - type: replace 62 | path: /cloud_provider/properties/azure? 63 | value: 64 | environment: AzureCloud 65 | subscription_id: ((subscription_id)) 66 | tenant_id: ((tenant_id)) 67 | client_id: ((client_id)) 68 | client_secret: ((client_secret)) 69 | resource_group_name: ((resource_group_name)) 70 | storage_account_name: ((storage_account_name)) 71 | default_security_group: ((default_security_group)) 72 | ssh_user: vcap 73 | ssh_public_key: ((ssh.public_key)) 74 | 75 | - type: replace 76 | path: /cloud_provider/ssh_tunnel? 
77 | value: 78 | host: ((public_ip)) 79 | port: 22 80 | user: vcap 81 | private_key: ((ssh.private_key)) 82 | 83 | - type: replace 84 | path: /variables/- 85 | value: 86 | name: ssh 87 | type: ssh 88 | -------------------------------------------------------------------------------- /lite/infrastructures/gcp.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /releases/- 4 | value: 5 | name: bosh-google-cpi 6 | version: 25.9.0 7 | url: https://bosh.io/d/github.com/cloudfoundry-incubator/bosh-google-cpi-release?v=25.9.0 8 | sha1: 3fbda22fde33878b54dec77f4182f8044be72687 9 | 10 | - type: replace 11 | path: /resource_pools/name=vms/stemcell? 12 | value: 13 | url: https://bosh.io/d/stemcells/bosh-google-kvm-ubuntu-bionic-go_agent?v=1.1 14 | sha1: 177a6ae19a6e07dccf99ac1d2cdfe600e0f1cc47 15 | 16 | # Configure sizes 17 | - type: replace 18 | path: /resource_pools/name=vms/cloud_properties? 19 | value: 20 | zone: ((zone)) 21 | machine_type: n1-standard-1 22 | root_disk_size_gb: 40 23 | root_disk_type: pd-standard 24 | 25 | - type: replace 26 | path: /disk_pools/name=disks/cloud_properties? 27 | value: {type: pd-standard} 28 | 29 | - type: replace 30 | path: /networks/name=default/subnets/0/cloud_properties? 31 | value: 32 | network_name: ((network)) 33 | subnetwork_name: ((subnetwork)) 34 | ephemeral_external_ip: true 35 | tags: ((tags)) 36 | 37 | # Add VIP network 38 | - type: replace 39 | path: /networks/- 40 | value: 41 | name: vip 42 | type: vip 43 | 44 | - type: replace 45 | path: /instance_groups/name=concourse/networks/name=default/default? 46 | value: [dns, gateway] 47 | 48 | - type: replace 49 | path: /instance_groups/name=concourse/networks/- 50 | value: 51 | name: vip 52 | static_ips: [((public_ip))] 53 | 54 | - type: replace 55 | path: /instance_groups/name=concourse/networks/name=default/static_ips? 
56 | value: [((internal_ip))] 57 | 58 | # Add CPI job 59 | - type: replace 60 | path: /cloud_provider/template? 61 | value: 62 | name: google_cpi 63 | release: bosh-google-cpi 64 | 65 | - type: replace 66 | path: /cloud_provider/properties/google? 67 | value: 68 | project: ((project_id)) 69 | json_key: ((gcp_credentials_json)) 70 | 71 | # Use GCP NTP 72 | - type: replace 73 | path: /cloud_provider/properties/ntp 74 | value: &ntp [169.254.169.254] 75 | -------------------------------------------------------------------------------- /lite/infrastructures/openstack.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /releases/- 4 | value: 5 | name: bosh-openstack-cpi 6 | version: 32 7 | url: https://bosh.io/d/github.com/cloudfoundry/bosh-openstack-cpi-release?v=32 8 | sha1: c8c35cba7ed1281a5c740e6b5f8c4c5472d7e843 9 | 10 | - type: replace 11 | path: /resource_pools/name=vms/stemcell? 12 | value: 13 | url: https://bosh.io/d/stemcells/bosh-openstack-kvm-ubuntu-bionic-go_agent?v=1.1 14 | sha1: 6a411bcdd0ed12365530371f8a85855c0f788d8c 15 | 16 | # Configure sizes 17 | - type: replace 18 | path: /resource_pools/name=vms/cloud_properties? 19 | value: 20 | instance_type: m1.xlarge 21 | availability_zone: ((az)) 22 | 23 | - type: replace 24 | path: /networks/name=default/subnets/0/cloud_properties? 25 | value: {net_id: ((net_id))} 26 | 27 | - type: replace 28 | path: /cloud_provider/template? 29 | value: 30 | name: openstack_cpi 31 | release: bosh-openstack-cpi 32 | 33 | - type: replace 34 | path: /cloud_provider/ssh_tunnel? 35 | value: 36 | host: ((public_ip)) 37 | port: 22 38 | user: vcap 39 | private_key: ((private_key)) 40 | 41 | - type: replace 42 | path: /cloud_provider/properties?/openstack? 
43 | value: 44 | auth_url: ((auth_url)) 45 | username: ((openstack_username)) 46 | api_key: ((openstack_password)) 47 | domain: ((openstack_domain)) 48 | project: ((openstack_project)) 49 | region: ((region)) 50 | default_key_name: ((default_key_name)) 51 | default_security_groups: ((default_security_groups)) 52 | human_readable_vm_names: false 53 | 54 | # Add VIP network 55 | - type: replace 56 | path: /networks/- 57 | value: 58 | name: vip 59 | type: vip 60 | 61 | - type: replace 62 | path: /instance_groups/name=concourse/networks/name=default/default? 63 | value: [dns, gateway] 64 | 65 | - type: replace 66 | path: /instance_groups/name=concourse/networks/- 67 | value: 68 | name: vip 69 | static_ips: [((public_ip))] 70 | 71 | - type: replace 72 | path: /instance_groups/name=concourse/networks/name=default/static_ips? 73 | value: [((internal_ip))] 74 | -------------------------------------------------------------------------------- /lite/infrastructures/virtualbox.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /releases/- 4 | value: 5 | name: bosh-virtualbox-cpi 6 | version: 0.0.13 7 | url: https://bosh.io/d/github.com/cppforlife/bosh-virtualbox-cpi-release?v=0.0.13 8 | sha1: 3aee2200f5d7ee20b149c7303009c3f6088ba559 9 | 10 | - type: replace 11 | path: /resource_pools/name=vms/stemcell? 12 | value: 13 | url: https://bosh.io/d/stemcells/bosh-vsphere-esxi-ubuntu-bionic-go_agent?v=1.1 14 | sha1: 4d957e87640b954591af8dbb5f57d3d7df08852d 15 | 16 | # Configure sizes 17 | - type: replace 18 | path: /resource_pools/name=vms/cloud_properties? 19 | value: 20 | cpus: 2 21 | memory: 4096 22 | ephemeral_disk: 32_768 23 | 24 | - type: replace 25 | path: /cloud_provider/template? 26 | value: 27 | name: virtualbox_cpi 28 | release: bosh-virtualbox-cpi 29 | 30 | # Configure static ip 31 | 32 | - type: replace 33 | path: /instance_groups/name=concourse/networks/name=default/static_ips? 
34 | value: [((public_ip))] 35 | static_ips: [&web-ip ((public_ip))] 36 | 37 | # # Add outbound network 38 | - type: replace 39 | path: /networks/- 40 | value: 41 | name: outbound 42 | type: dynamic 43 | cloud_properties: 44 | type: natnetwork 45 | name: outbound 46 | 47 | - type: replace 48 | path: /instance_groups/name=concourse/networks/name=default/default? 49 | value: [dns, gateway] 50 | 51 | - type: replace 52 | path: /instance_groups/name=concourse/networks/- 53 | value: 54 | name: outbound 55 | -------------------------------------------------------------------------------- /lite/infrastructures/vsphere.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /releases/- 4 | value: 5 | name: bosh-vsphere-cpi 6 | version: 41 7 | url: https://bosh.io/d/github.com/cloudfoundry-incubator/bosh-vsphere-cpi-release?v=41 8 | sha1: 648ba9921739d30763063c80ad7a280e6410a1b6 9 | 10 | - type: replace 11 | path: /resource_pools/name=vms/stemcell? 12 | value: 13 | url: https://bosh.io/d/stemcells/bosh-vsphere-esxi-ubuntu-bionic-go_agent?v=1.1 14 | sha1: 4d957e87640b954591af8dbb5f57d3d7df08852d 15 | 16 | # Configure sizes 17 | - type: replace 18 | path: /resource_pools/name=vms/cloud_properties? 19 | value: 20 | cpu: 2 21 | ram: 4_096 22 | disk: 64_000 23 | 24 | # Configure networks 25 | - type: replace 26 | path: /networks/name=default/subnets/0/cloud_properties? 27 | value: {name: ((network_name))} 28 | 29 | - type: replace 30 | path: /instance_groups/name=concourse/networks/name=default/static_ips? 31 | value: [((internal_ip))] 32 | 33 | # Add CPI 34 | - type: replace 35 | path: /cloud_provider/template? 36 | value: 37 | name: vsphere_cpi 38 | release: bosh-vsphere-cpi 39 | 40 | # Cloud properties 41 | - type: replace 42 | path: /cloud_provider/properties/vcenter? 
43 | value: 44 | address: ((vcenter_ip)) 45 | user: ((vcenter_user)) 46 | password: ((vcenter_password)) 47 | datacenters: 48 | - name: ((vcenter_dc)) 49 | vm_folder: ((vcenter_vms)) 50 | template_folder: ((vcenter_templates)) 51 | datastore_pattern: ((vcenter_ds)) 52 | persistent_datastore_pattern: ((vcenter_ds)) 53 | disk_path: ((vcenter_disks)) 54 | clusters: 55 | - ((vcenter_cluster)): { resource_pool: ((vcenter_resource_pool))} 56 | -------------------------------------------------------------------------------- /lite/jumpbox.yml: -------------------------------------------------------------------------------- 1 | # Add os-conf release if not there or replace 2 | - type: replace 3 | path: /releases/name=os-conf? 4 | value: 5 | name: os-conf 6 | version: 12 7 | url: https://bosh.io/d/github.com/cloudfoundry/os-conf-release?v=12 8 | sha1: af5a2c9f228b9d7ec4bd051d71fef0e712fa1549 9 | 10 | - type: replace 11 | path: /instance_groups/name=concourse/jobs/- 12 | value: 13 | name: user_add 14 | release: os-conf 15 | properties: 16 | users: 17 | - name: jumpbox 18 | public_key: ((jumpbox_ssh.public_key)) 19 | 20 | - type: replace 21 | path: /variables/- 22 | value: 23 | name: jumpbox_ssh 24 | type: ssh 25 | -------------------------------------------------------------------------------- /lite/operations/debug.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /instance_groups/name=concourse/jobs/name=web/properties?/log_level 4 | value: debug 5 | 6 | - type: replace 7 | path: /instance_groups/name=concourse/jobs/name=worker/properties?/log_level 8 | value: debug 9 | -------------------------------------------------------------------------------- /lite/operations/dns.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /networks/name=default/subnets/0/dns 3 | value: ((internal_dns)) 4 | 
-------------------------------------------------------------------------------- /lite/operations/http-proxy.yml: -------------------------------------------------------------------------------- 1 | - type: replace 2 | path: /instance_groups/name=concourse/jobs/name=worker/properties/http_proxy_url? 3 | value: ((http_proxy_url)) 4 | - type: replace 5 | path: /instance_groups/name=concourse/jobs/name=worker/properties/https_proxy_url? 6 | value: ((https_proxy_url)) 7 | - type: replace 8 | path: /instance_groups/name=concourse/jobs/name=worker/properties/no_proxy? 9 | value: ((no_proxy)) # --var no_proxy='["localhost", "127.0.0.1", "example.com", "domain.com:8080"]' 10 | -------------------------------------------------------------------------------- /lite/operations/replace-concourse-url.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - type: replace 3 | path: /releases/name=concourse/url 4 | value: ((concourse_url)) 5 | -------------------------------------------------------------------------------- /versions.yml: -------------------------------------------------------------------------------- 1 | # this file is partially maintained by CI; the concourse and garden-runc 2 | # versions and sha1s are automatically bumped, while the rest are preserved 3 | # as-is. 4 | # 5 | # this should make getting started easy while being easy enough to maintain 6 | # manually. feel free to PR sane defaults along with newly supported 7 | # infrastructures and such! 
8 | --- 9 | concourse_version: '7.13.2' 10 | concourse_sha1: '20ef477efc14cbf701c0ddfe69565ad5c238a87a' 11 | bpm_version: '1.4.20' 12 | bpm_sha1: '00223345c70d5629d35008e88c42bf4482bdf766' 13 | postgres_version: '53.0.3' 14 | postgres_sha1: 'e5655af2b766900cd65f859703d7fdce44805a9b' 15 | windows_utilities_version: '0.20.0' 16 | windows_utilities_sha1: '52f489fe0806ee8915f5613f79c9173773871e8b' 17 | bbr_sdk_version: '1.19.45' 18 | bbr_sdk_sha1: 'af0c1cd711cde2125854737bc4f6ab20fb6f203c' 19 | uaa_version: '77.33.0' 20 | uaa_sha1: '58f152dfe7f2f90323e1a81a84b5907539396bc1' 21 | credhub_version: '2.14.1' 22 | credhub_sha1: '381bd866922e3e0502fc8311d500677ff900c12a' 23 | --------------------------------------------------------------------------------