values.yaml

## Default values for Concourse Helm Chart.
## This is a YAML-formatted file.
## Declare variables to be passed into your templates.

## Provide a name in place of `concourse` for `app:` labels
##
nameOverride:

## Provide a name to substitute for the full names of resources
## ps.: You should also change the postgresql.fullnameOverride if you're using
## that chart dependency
##
fullnameOverride:

## Concourse image to use in both Web and Worker containers.
##
image: concourse/concourse

## Concourse image tag.
## ps.: release candidates are published under `concourse/concourse-rc` instead
##      of `concourse/concourse`.
## Ref: https://hub.docker.com/r/concourse/concourse/tags/
##
imageTag: "7.5.0"

## Specific image digest to use in place of a tag.
## Ref: https://kubernetes.io/docs/concepts/configuration/overview/#container-images
##
imageDigest:

## Specify a imagePullPolicy regarding the fetching of container images.
## Ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
##
imagePullPolicy: IfNotPresent

## Array of imagePullSecrets to allow pulling the Concourse image from private registries.
## ps.: secrets must be manually created in the namespace.
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
## Example:
##
##   imagePullSecrets:
##    - myRegistryKeySecretName
##
imagePullSecrets: []


## Configuration values for the Concourse application (worker and web components).
## The values specified here are almost direct references to the flags under the
## `concourse web` and `concourse worker` commands.
##
concourse:
  ## Configurations for the `web` component based on the possible flags configurable
  ## through the `concourse web` command.
  ##
  web:
    ## A name for this Concourse cluster, to be displayed on the dashboard page.
    ##
    clusterName:

    ## Enable this flag in order to customize the `client_id` and
    ## `client_secret` used when logging into the Concourse UI.
    ##
    ## Enabling this requires setting `secrets.clientId` and #
    ## `secrets.clientSecret` (or filling the equivalent fields in the Secret).
    ##
    clientConfig:
      enabled: false

    ## Interval on which runners are kicked off for builds, locks, scans, and
    ## checks.
    ##
    ## Example: 10s
    ##
    componentRunnerInterval:

    ## The maximum number of open connections for the API connection pool.
    ##
    apiMaxConns:

    ## The maximum number of open connections for the backend connection pool.
    ##
    backendMaxConns:

    ## Enable equivalent resources across pipelines and teams to share a single version history.
    ## Ref: https://concourse-ci.org/global-resources.html
    ##
    enableGlobalResources: true

    ## Enable automatic rerunning of builds when worker disappears.
    ##
    enableBuildRerunWhenWorkerDisappears: false

    ## Enable the experimental across step to be used in jobs. The API is subject to change.
    ##
    enableAcrossStep: false

    ## Enable the creation of instanced pipelines.
    ##
    enablePipelineInstances: false

    ## Enable P2P volume streaming between all wokrers.
    ## By default all volume streming goes through the web nodes.
    ##
    enablep2pVolumeStreaming: false

    ## Enable caching streamed resource volumes on the destination worker.
    ##
    enableCacheStreamedVolumes: false

    ## Enable web UI and API endpoint for resource causality.
    ##
    enableResourceCausality: false

    ## Maximum number of jobs to be scheduling at the same time.
    ##
    jobSchedulingMaxInFlight:

    ## Interval on which the resource scanner will run to see if new checks need
    ## to be scheduled.
    ##
    lidarScannerInterval:

    ## Limit the number of concurrent requests to an API endpoint.
    ##
    ## Example:
    ##   ListAllJobs: 5
    ##
    concurrentRequestLimits:

    ## Enable auditing for all api requests connected to builds.
    ##
    enableBuildAuditing: false

    ## Enable auditing for all api requests connected to containers.
    ##
    enableContainerAuditing: false

    ## Enable auditing for all api requests connected to jobs.
    ##
    enableJobAuditing: false

    ## Enable auditing for all api requests connected to pipelines.
    ##
    enablePipelineAuditing: false

    ## Enable auditing for all api requests connected to resources.
    ##
    enableResourceAuditing: false

    ## Enable auditing for all api requests connected to system transactions.
    ##
    enableSystemAuditing: false

    ## Enable auditing for all api requests connected to teams.
    ##
    enableTeamAuditing: false

    ## Enable auditing for all api requests connected to workers.
    ##
    enableWorkerAuditing: false

    ## Enable auditing for all api requests connected to volumes.
    ##
    enableVolumeAuditing: false

    ## Enable redacting secrets in build logs.
    ##
    enableRedactSecrets:

    ## The number of attempts secret will be retried to be fetched,
    ## in case a retryable error happens.
    ##
    secretRetryAttempts: 5

    ## The interval between secret retry retieval attempts.
    ##
    secretRetryInterval: 1s

    ## Enable in-memory cache for secrets.
    ##
    secretCacheEnabled: false

    ## If the cache is enabled, secret values will be cached for not longer
    ## than this duration (it can be less, if underlying secret lease time
    ## is smaller).
    ##
    secretCacheDuration:

    ## If the cache is enabled, secret not found responses will be cached for
    ## this duration.
    ##
    secretCacheDurationNotFound:

    ## If the cache is enabled, expired items will be removed on this internal.
    ##
    secretCachePurgeInterval:

    ## Minimum level of logs to see. Possible options: debug, info, error.
    ##
    logLevel: info

    ## IP address on which to listen for HTTP traffic (web UI and API).
    ##
    bindIp: 0.0.0.0

    ## Port on which to listen for HTTP traffic (web UI and API).
    ##
    bindPort: 8080

    ## TLS configuration for the web component to be able to serve HTTPS traffic.
    ## Once enabled, consumes the certificates set via secrets (`web-tls-cert` and
    ## `web-tls-key`).
    ##
    tls:

      ## Enable serving HTTPS traffic directly through the web component.
      ##
      enabled: false

      ## Port on which to listen for HTTPS traffic.
      ##
      bindPort: 443

    ## URL used to reach any ATC from the outside world.
    ## This is *very* important for a proper authentication workflow as
    ## browser redirects are based on the value set here.
    ##
    ## Example: http://ci.concourse-ci.org
    ##
    externalUrl:

    encryption:
      ## Enable encryption of pipeline configuration. Encryption keys can be set via secrets
      ## (`encryption-key` and `old-encryption-key` fields).
      ## Ref: https://concourse-ci.org/encryption.html
      ##
      enabled: false

    localAuth:
      ## Enable the use of local authentication (basic auth).
      ## Once enabled, users configured through `local-users` (secret)
      ## are able to authenticate.
      ##
      ## Local users can be individually added to the `main` team by setting
      ## `concourse.web.auth.mainTeam.localUser` with a comma-separated list
      ## of ids.
      ##
      ## Ref: https://concourse-ci.org/local-auth.html
      ##
      enabled: true

    ## IP address on which to listen for the pprof debugger endpoints.
    ##
    debugBindIp: 127.0.0.1

    ## Port on which to listen for the pprof debugger endpoints.
    ##
    debugBindPort: 8079

    ## Length of time for a intercepted session to be idle before terminating.
    ##
    interceptIdleTimeout: 0m

    ## Time limit on checking for new versions of resources.
    ##
    globalResourceCheckTimeout: 1h

    ## Time limit on P2P volume streaming
    ##
    p2pVolumeStreamingTimeout:

    ## Maximum number of checks that can be started per second. If not
    ## specified, # this will be calculated as (# of resources)/(resource
    ## checking interval). # -1 value will remove this maximum limit of checks
    ## per second.
    maxChecksPerSecond: 0

    ## Interval on which to check for new versions of resources.
    ##
    resourceCheckingInterval: 1m

    ## Interval on which to check for new versions of any resources that have
    ## configured a webhook token
    ##
    resourceWithWebhookCheckingInterval: 1m

    ## Configuration file for specifying defaults for base resource types
    ## Ref: https://concourse-ci.org/concourse-web.html#resource-defaults
    ## Example:
    ## baseResourceTypeDefaults: |
    ##   registry-image:
    ##     registry_mirror:
    ##       host: https://registry.mirror.example.com
    ##
    baseResourceTypeDefaults: ""

    ## Compression to use when streaming artifacts (values: zstd, gzip)
    ##
    streamingArtifactsCompression:

    ## Method by which a worker is selected during container placement.
    ## Possible values: volume-locality | random | fewest-build-containers | limit-active-tasks | limit-active-containers | limit-active-volumes
    containerPlacementStrategy: volume-locality

    ## Instead of specifying a single placement strategy, configure a chain of
    ## them to be applied in order.
    ##
    ## If set, takes priority over containerPlacementStrategy.
    ##
    ## Possible values: volume-locality | fewest-build-containers | limit-active-tasks | limit-active-containers | limit-active-volumes
    containerPlacementStrategies: []

    ## Maximum allowed number of active build tasks per worker.
    ##
    ## Has effect only when containerPlacementStrategy is set to use
    ## limit-active-tasks placement strategy.
    ##
    ## ps.: 0 means no limit.
    ##
    ## ref: https://concourse-ci.org/container-placement.html#limit-active-tasks-strategy
    ##
    limitActiveTasks:

    ## Maximum allowed number of active containers per worker.
    ##
    ## Has effect only when containerPlacementStrategy is set to use
    ## limit-active-containers placement strategy.
    ##
    ## ps.: 0 means no limit.
    ##
    ## ref: https://concourse-ci.org/container-placement.html#limit-active-containers-strategy
    ##
    limitActiveContainers:

    ## Maximum allowed number of active volumes per worker.
    ##
    ## Has effect only when containerPlacementStrategy is set to use
    ## limit-active-volumes placement strategy.
    ##
    ## ps.: 0 means no limit.
    ##
    ## ref: https://concourse-ci.org/container-placement.html#limit-active-volumes-strategy
    ##
    limitActiveVolumes:

    ## How long to wait for requests to Garden to complete. 0 means no timeout.
    ##
    gardenRequestTimeout:

    ## How long to wait for Baggageclaim to send the response header.
    ##
    baggageclaimResponseHeaderTimeout: 1m

    ## Directory containing downloadable CLI binaries.
    ## By default, Concourse will try to find the assets
    ## path relative to the executable.
    ##
    cliArtifactsDir:

    ## Log database queries.
    ##
    logDbQueries: false

    ## Log cluster name.
    ##
    logClusterName:

    ## Interval on which to run build tracking.
    ##
    buildTrackerInterval: 10s

    ## Default number of build logs to retain. 0 means all.
    ##
    defaultBuildLogsToRetain:

    ## Maximum build logs to retain, 0 means not specified. Will override values configured in jobs.
    ##
    maxBuildLogsToRetain:

    ## Default days to retain build logs. 0 means unlimited.
    ##
    defaultDaysToRetainBuildLogs:

    ## Maximum days to retain build logs, 0 means not specified. Will override values configured in jobs.
    ##
    maxDaysToRetainBuildLogs:

    ## Default max number of cpu shares per task, 0 means unlimited.
    ##
    defaultTaskCpuLimit:

    ## Default maximum memory per task, 0 means unlimited.
    ##
    defaultTaskMemoryLimit:

    ## Network address of this web node, reachable by other web nodes. Used for forwarded worker addresses. (default: $POD_IP)
    ##
    peerAddress:

    ## Configurations regarding how the web component is able to connect to a postgres
    ## instance.
    ##
    postgres:
      ## The host to connect to.
      ##
      host:

      ## The port to connect to.
      ##
      port: 5432

      ## Path to a UNIX domain socket to connect to.
      ##
      socket:

      ## Whether or not to use SSL.
      ##
      sslmode: disable

      ## Dialing timeout. (0 means wait indefinitely)
      ##
      connectTimeout: 5m

      ## The name of the database to use.
      ##
      database: atc


    kubernetes:
      ## Enable the use of Kubernetes Secrets as the credential provider for
      ## concourse pipelines.
      ##
      enabled: true

      ## Prefix to use for Kubernetes namespaces under which secrets will be looked up.
      ## Defaults to the Release (https://helm.sh/docs/glossary/#release) name
      ## hyphen, e.g. "my-release-" produces namespace "my-release-main" for
      ## the "main" Concourse team.
      namespacePrefix:

      ## Teams to create namespaces for to hold secrets.
      ## This property only has effect if `createTeamNamespaces` is set to `true`.
      ##
      teams:
        - main

      ## Create the Kubernetes namespace for each team listed under `concourse.web.kubernetes.teams`.
      ##
      createTeamNamespaces: true

      ## When true, namespaces are not deleted when the release is deleted.
      ## Irrelevant if the namespaces are not created by this chart.
      ##
      keepNamespaces: true

      ## Path to Kubernetes config when running ATC outside Kubernetes.
      ##
      configPath:

    ## Configuration for using AWS SSM as a credential manager.
    ## Ref: https://concourse-ci.org/creds.html#asm
    ##
    awsSecretsManager:
      ## Enable the use of AWS Secrets Manager for credential management.
      ##
      enabled: false

      ## AWS region to use when reading from Secrets Manager
      ##
      region:

      ## Configure authentication using an access key and secret key. If disabled, IAM role auth is assumed.
      ## Session Token can also be enabled, if required.
      keyAuth:
        enabled: true
        useSessionToken: false

      ## pipeline-specific template for Secrets Manager parameters, defaults to: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
      ##
      pipelineSecretTemplate: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

      ## team-specific template for Secrets Manager parameters, defaults to: /concourse/{{.Team}}/{{.Secret}}
      ##
      teamSecretTemplate: /concourse/{{.Team}}/{{.Secret}}

    ## Configuration for using AWS SSM as a credential manager.
    ## Ref: https://concourse-ci.org/creds.html#ssm
    ##
    awsSsm:
      ## Enable the use of AWS SSM.
      ##
      enabled: false

      ## AWS region to use when reading from SSM
      ##
      region:

      ## Configure authentication using an access key and secret key. If disabled, IAM role auth is assumed.
      ## Session Token can also be enabled, if required.
      keyAuth:
        enabled: true
        useSessionToken: false

      ## pipeline-specific template for SSM parameters, defaults to: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}
      ##
      pipelineSecretTemplate: /concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

      ## team-specific template for SSM parameters, defaults to: /concourse/{{.Team}}/{{.Secret}}
      ##
      teamSecretTemplate: /concourse/{{.Team}}/{{.Secret}}


    ## Configuration for using Vault as a credential manager.
    ## Ref: https://concourse-ci.org/creds.html#vault
    ##
    vault:
      ## Enable the use of Vault as a credential manager.
      ##
      enabled: false

      ## URL pointing to vault addr (i.e. http://vault:8200).
      ##
      url:

      ## Vault namespace to use for authentication and secret lookup.
      ##
      namespace:

      ## Vault path under which to namespace credentials lookup.
      ##
      pathPrefix: /concourse

      ## Path under which to lookup shared credentials.
      ##
      sharedPath:

      ## Path templates to use for credential lookup.
      ##
      ## Example: ["/{{.Team}}/{{.Pipeline}}/{{.Secret}}", "/{{.Team}}/{{.Secret}}"]
      lookupTemplates: []

      ## if the Vault server is using a self-signed certificate, set this to true,
      ## and provide a value for the cert in secrets (field `vault-ca-cert`).
      ##
      useCaCert: false

      ## Vault authentication backend, leave this blank if using an initial periodic token.
      ## Currently supported backends: token, approle, cert.
      ##
      authBackend: ""

      ## if the Vault authentication backend requires params from secrets, set this to true,
      ## and provide a value in secrets (field `vault-client-auth-param`).
      ##
      useAuthParam:

      ## Path to a directory of PEMEncoded CA cert files to verify the vault server SSL cert.
      ##
      caPath:

      ## If set, is used to set the SNI host when connecting via TLS.
      ##
      serverName:

      ## Enable insecure SSL verification.
      ##
      insecureSkipVerify: false

      ## Time after which to force a reLogin. If not set, the token will just be continuously renewed.
      ##
      authBackendMaxTtl:

      ## The maximum time between retries when logging in or reAuthing a secret.
      ##
      retryMax: 5m

      ## The initial time between retries when logging in or reAuthing a secret.
      ##
      retryInitial: 1s

      ## The maximum time to wait to authenticate with Vault.
      ##
      loginTimeout:

      ## The maximum time to wait for Vault queries to resolve.
      ##
      queryTimeout:

    ## Configuration for using Credhub as a credential manager.
    ## Ref: https://concourse-ci.org/credhub-credential-manager.html
    ##
    credhub:
      ## Enable the use of Credhub as a credential manager.
      ##
      enabled: false

      ## CredHub server address used to access secrets
      ## Example: https://credhub.example.com
      ##
      url:

      ## Path under which to namespace credential lookup. (default: /concourse)
      ##
      pathPrefix:

      ## Enables using a CA Certificate
      ##
      useCaCert: false

      ## Enables insecure SSL verification.
      ##
      insecureSkipVerify: false

      ## Configures the way that the Concourse authenticates against CredHub
      ## - secrets: makes use of `client-id` and `client-secret`
      ## - mtls: leverages client certificates
      ##
      authenticationMode: "secrets"

    ## Configuration for using Conjur as a credential manager.
    ## Ref: https://concourse-ci.org/conjur-credential-manager.html
    ##
    conjur:
      ## Enable the use of Conjur as a credential manager
      enabled: false

      # URL of the Conjur instance.
      applianceUrl:

      # Path used to to locate pipeline-level secret
      pipelineSecretTemplate: concourse/{{.Team}}/{{.Pipeline}}/{{.Secret}}

      # Path used to locate team-level secret
      teamSecretTemplate: concourse/{{.Team}}/{{.Secret}}

      # Path used to locate a vault or safe-level secret
      secretTemplate: concourse/{{.Secret}}

    tracing:
      ## Service name to attach to traces as metadata.
      #
      ## Example: "web"
      ##
      serviceName:

      ## Attributes to attach to traces as metadata.
      #
      ## Example:
      ##   environment: ci
      ##
      attributes:

      ## Jaeger's HTTP-based Thrift collector endpoint.
      #
      ## Example: "http://jaeger:14268/api/traces"
      ##
      jaegerEndpoint:

      ## Tags to include to components
      ##
      ## Example: "foo:bar,caz:zaz"
      ##
      jaegerTags:

      ## Name of the service being traced
      ##
      ## Example: "web"
      ##
      jaegerService:

      ## GCP's Project ID
      ##
      ## Example: "my-projectid"
      ##
      stackdriverProjectId:

      ## Honeycomb.io API Key
      ##
      honeycombApiKey:

      ## Name of dataset
      ##
      ## Example: "web"
      ##
      honeycombDataset:

      ## OTLP address to send traces to
      ##
      ## Example: "otel-collector:55680"
      ##
      otlpAddress:

      ## Headers to attach to each tracing message
      ##
      ## Example:
      ##   lightstep-access-token: mysupersecrettoken
      ##
      otlpHeaders:

      ## Whether to use TLS for the OTLP connection
      ##
      otlpUseTls:

    metrics:
      ## Host string to attach to emitted metrics.
      ##
      hostName:

      ## A key-value attribute to attach to emitted metrics.
      ##
      attribute:

      ## Enable capturing of error log metrics.
      ##
      captureErrorMetrics: false

      ## The size of the buffer used in emitting event metrics.
      ##
      bufferSize:

    datadog:
      enabled: false

      ## Use IP of node the pod is scheduled on, overrides `agentHost`
      ##
      agentHostUseHostIP: false

      ## Datadog agent host to expose dogstatsd metrics
      ##
      agentHost: 127.0.0.1

      ## Datadog agent port to expose dogstatsd metrics
      ##
      agentPort: 8125

      ## Datadog agent unix domain socket (uds) filepath to expose dogstatsd metrics
      ## e.g. /tmp/datadog.socket
      ##
      agentUdsFilepath:

      ## Prefix for all metrics to easily find them in Datadog
      ##
      prefix: "concourse.ci"

    influxdb:
      enabled: false

      ## Number of points to batch together when emitting to InfluxDB
      ##
      batchSize:

      ## The duration to wait before emitting a batch of points to InfluxDB,
      ## disregarding # the batch size.
      ##
      batchDuration:

      ## InfluxDB server address to emit points to.
      ## Example: http://127.0.0.1:8086
      ##
      url:

      ## InfluxDB database to write points to.
      ##
      database: concourse

      ## InfluxDB server username.
      ##
      username:

      ## Skip SSL verification when emitting to InfluxDB.
      ##
      insecureSkipVerify: false

    ## Emit metrics to logs instead of an actual metrics system.
    ##
    emitToLogs: false

    newrelic:
      enabled: false

      ## New Relic Insights Insert API base Url
      ## For configuring EU data centers refer to:
      ## https://docs.newrelic.com/docs/using-new-relic/welcome-new-relic/getting-started/introduction-eu-region-data-center#endpoints
      ## For default values refer to: https://github.com/concourse/concourse/blob/bc2ff0c9a606814a0a5d6338f44d5cd942b74456/atc/metric/emitter/newrelic.go#L43
      ##
      url:

      ## New Relic Account ID
      ##
      accountId:

      ## New Relic Insights API Key
      ##
      apiKey:

      ## An optional prefix for emitted New Relic events
      ##
      servicePrefix:

      ## Number of events to batch together before emitting
      ##
      batchSize:

      ## Length of time to wait between emitting until all currently batched events are emitted
      ## Example: 60s
      ##
      batchDuration:

      ## Disables compression of the batch before sending it
      ##
      disableCompression:

    prometheus:
      enabled: false

      ## IP to listen on to expose Prometheus metrics.
      ##
      bindIp: "0.0.0.0"

      ## Port to listen on to expose Prometheus metrics.
      ##
      bindPort: 9391

      ## If Prometheus operator is used, also create a servicemonitor object
      serviceMonitor:
        enabled: false
        interval: "30s"
        # Namespace the servicemonitor object should be in
        namespace:

        ## Additional Labels to be added to the servicemonitor.
        ##
        ##
        ## Example:
        ##   key1: "value1"
        ##   key2: "value2"
        ##
        ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
        labels: {}

        ## Relabel Metrics
        ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs
        ## Example that consolidates duplicate metrics when web is running in HA:
        ## metricRelabelings:
        ##   - regex: 'instance'
        ##     action: labeldrop
        ##   - regex: 'pod'
        ##     action: labeldrop
        metricRelabelings:

    ## The value to set for X-Frame-Options. If omitted, the default value in
    ## the Concourse binary is used.
    ##
    xFrameOptions:

    ## The value to set for Content-Security-Policy header. If omitted, the default
    ## value in the Concourse binary is used.
    ##
    contentSecurityPolicy:

    gc:
      ## Interval on which to perform garbage collection.
      ##
      interval: 30s

      ## Grace period before reaping oneOff task containers
      ##
      oneOffGracePeriod: 5m

      ## Period after which to reap containers and volumes that were created but
      ## went missing from the worker.
      ##
      missingGracePeriod: 5m

      ## Period after which hijacked containers will be garbage collected
      ##
      hijackGracePeriod:

      ## Period after which failed containers will be garbage collected
      ##
      failedGracePeriod:

      ## Period after which completed checks will be garbage collected
      ##
      checkRecyclePeriod:

      ## Period after which unused var_sources will get garbage collected
      ##
      varSourceRecyclePeriod:

    syslog:
      ## Enables the emission of build logs to external log ingesters through
      ## using the syslog protocol.
      ##
      enabled: false

      ## Client hostname with which the build logs will be sent to the syslog server.
      ##
      hostname: atc-syslog-drainer

      ## Remote syslog server address with port (Example: 0.0.0.0:514).
      ##
      address:

      ## Transport protocol for syslog messages (Currently supporting tcp, udp & tls).
      ##
      transport:

      ## Interval over which checking is done for new build logs to send to syslog server
      ## (duration measurement units are s/m/h; eg. 30s/30m/1h)
      drainInterval: 30s

      ## If the syslog server is using a self-signed certificate, set this to true,
      ## and provide a value for the cert in secrets (`syslog-ca-cert`).
      ##
      useCaCert: false

    opa:
      ## Open Policy Agent policy check endpoint.
      ##
      ## Example: https://opa.example.com:8181/v1/data/concourse/allow
      ##
      url:

      ## Open Policy Agent API request timeout, in Go duration format.
      ##
      ## Example: 5s for 5 seconds
      ##
      timeout:

      result:
        ## Name of key in the Open Policy Agent result to check if the action is allowed.
        ##
        ## Example: result.allowed
        ##
        allowedKey:

        ## Name of key in the Open Policy Agent result to check if it should hard block and fail, or soft block and emit warning on failure.
        ##
        ## Example: result.block
        ##
        shouldBlockKey:

        ## Name of key in the Open Policy Agent result to extract the messages from.
        ##
        ## Example: result.reasons
        ##
        messagesKey:


    policyCheck:
      ## Array of HTTP methods to filter through policy checking.
      ##
      ## Example: ["PUT", "POST"]
      ##
      filterHttpMethods:

      ## Array of ATC API actions to filter through policy checking.
      ##
      ## Example: ["SaveConfig", "UseImage"]
      ##
      filterActions:

      ## Array of ATC API actions to skip policy checking.
      ##
      ## Example: ["PausePipeline", "UnpausePipeline"]
      ##
      skipActions:

    ## Customize RBAC role-action mapping. Pass in as a multi-line YAML string
    ## Ref: https://concourse-ci.org/user-roles.html#configuring-rbac
    ## Example:
    ## configRBAC: |
    ##   owner:
    ##   - SetTeam
    ##   member:
    ##   - CreateBuild
    ##
    configRBAC: ""

    auth:
      ## Force sending secure flag on http cookies
      ##
      cookieSecure: false

      ## Length of time for which tokens are valid. Afterwards, users will have to log back in.
      ## The value must be specified as Go duration values (e.g.: 30m or 24h).
      duration: 24h

      ## The connector to use for password authentication for `fly login -u ... -p ...`.
      ## Either "local" or "ldap". Defaults to "local".
      passwordConnector:

      mainTeam:

        ## Configuration file for specifying the main teams params.
        ## Ref: https://concourse-ci.org/managing-teams.html#setting-roles
        ## Example:
        ## config: |
        ##   roles:
        ##   - name: owner
        ##     local:
        ##       users: ["admin"]
        ##   - name: member
        ##     local:
        ##       users: ["test"]
        ##
        config: ""

        ## Comma-separated list of local Concourse users to be included as members of the `main` team.
        ## Make sure you have local users support enabled (`concourse.web.localAuth.enabled`) and
        ## that the users were added (`secrets.localUsers`).
        ##
        localUser: "test"

        # Define how to display user ID for each authentication connector.
        # Format is <connector>:<fieldname>. Valid field names are user_id,
        # name, username and email, where name maps to claims field username,
        # and username maps to claims field preferred username.
        #
        userIDFieldPerConnector: ""

        ## Authentication (Main Team) (CloudFoundry)
        ##
        cf:
          ## Comma-separated allow list of CloudFoundry users.
          ##
          user:

          ## Comma-separated allow list of CloudFoundry orgs.
          ##
          org:

          ## Comma-separated allow list of CloudFoundry spaces for users with any role.
          ##
          spaceWithAnyRole:

          ## Comma-separated allow list of CloudFoundry spaces for users with the 'developer' role.
          ##
          spaceWithDeveloperRole:

          ## Comma-separated allow list of CloudFoundry spaces for users with the 'auditor' role.
          ##
          spaceWithAuditorRole:

          ## Comma-separated allow list of CloudFoundry spaces for users with the 'manager' role.
          ##
          spaceWithManagerRole:

          ## (Deprecated) Comma-separated allow list of CloudFoundry spaces for users with the 'developer' role.
          ##
          space:

          ## (Deprecated) Comma-separated allow list of CloudFoundry space guids.
          ##
          spaceGuid:

        ## Authentication (Main Team) (Bitbucket Cloud)
        ##
        bitbucketCloud:

          ## Comma-separated allow list of Bitbucket Cloud users.
          ##
          user:

          ## Comma-separated allow list of Bitbucket Cloud teams.
          ##
          team:

        ## Authentication (Main Team) (GitHub)
        ##
        github:
          ## Comma-separated allow list of GitHub users.
          ##
          user:

          ## Comma-separated allow list of GitHub orgs.
          ##
          org:

          ## Comma-separated allow list of GitHub teams.
          ##
          team:

        ## Authentication (Main Team) (GitLab)
        ##
        gitlab:

          ## Comma-separated allow list of GitLab users.
          ##
          user:

          ## Comma-separated allow list of GitLab groups.
          ##
          group:

        ## Authentication (Main Team) (LDAP)
        ##
        ldap:
          ## Comma-separated allow list of LDAP users.
          ##
          user:

          ## Comma-separated allow list of LDAP groups.
          ##
          group:

        ## Authentication (Main Team) (SAML)
        ##
        saml:
          ## Comma-separated allow list of SAML users.
          ##
          user:

          ## Comma-separated allow list of SAML groups.
          ##
          group:

        ## Authentication (Main Team) (OAuth2)
        ##
        oauth:
          ## Comma-separated allow list of OAuth2 users.
          ##
          user:

          ## Comma-separated allow list of OAuth2 groups.
          ##
          group:

        ## Authentication (Main Team) (OIDC)
        ##
        oidc:

          ## Comma-separated allow list of OIDC users.
          ##
          user:

          ## Comma-separated allow list of OIDC groups.
          ##
          group:

        ## Authentication (Main Team) (Microsoft Login)
        ##
        microsoft:

          ## Comma-separated allow list of Microsoft users.
          ##
          user:

          ## Comma-separated allow list of Microsoft groups.
          ##
          group:

      ## Authentication (CloudFoundry)
      ##
      cf:
        enabled: false

        ## (Required) The base API URL of your CF deployment. It will use this information to discover information
        ## about the authentication provider.
        ##
        ## Example: https://api.run.pivotal.io
        ##
        apiUrl:

        ## CA Certificate
        ##
        useCaCert: false

        ## Skip SSL validation
        ##
        skipSslValidation: false

      ## Authentication (GitHub)
      ##
      github:
        enabled: false

        ## Hostname of GitHub Enterprise deployment (No scheme, No trailing slash)
        ##
        host:

        ## CA certificate of GitHub Enterprise deployment
        ##
        useCaCert: false

      ## Authentication (BitbucketCloud)
      ##
      bitbucketCloud:
        enabled: false

      ## Authentication (GitLab)
      gitlab:
        enabled: false

        ## Hostname of Gitlab Enterprise deployment (Include scheme, No trailing slash)
        ##
        host:

      ## Authentication (LDAP)
      ldap:
        enabled: false

        ## The auth provider name displayed to users on the login page
        ##
        displayName:

        ## (Required) The host and optional port of the LDAP server. If port isn't supplied, it will be guessed
        ## based on the TLS configuration. 389 or 636.
        ##
        host:

        ## (Required) Bind DN for searching LDAP users and groups. Typically this is a readOnly user.
        ##
        bindDn:

        ## (Required) Bind Password for the user specified by 'bindDn'
        ##
        bindPw:

        ## Required if LDAP host does not use TLS.
        ##
        insecureNoSsl:

        ## Skip certificate verification
        ##
        insecureSkipVerify:

        ## Start on insecure port, then negotiate TLS
        ##
        startTls:

        ## CA certificate
        ##
        useCaCert:

        ## BaseDN to start the search from. For example 'cn=users,dc=example,dc=com'
        ##
        userSearchBaseDn:

        ## Optional filter to apply when searching the directory. For example '(objectClass=person)'
        ##
        userSearchFilter:

        ## Attribute to match against the inputted username. This will be translated and combined with the other
        ## filter as '(<attr>=<username>)'.
        ##
        userSearchUsername:

        ## The prompt when logging in through the UI when concourse.web.auth.passwordConnector is set to "ldap".
        ## Defaults to 'Username'.
        usernamePrompt:

        ## Can either be: 'sub'  search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
        ##
        userSearchScope:

        ## A mapping of attributes on the user entry to claims. Defaults to 'uid'.
        ##
        userSearchIdAttr:

        ## A mapping of attributes on the user entry to claims. Defaults to 'mail'.
        ##
        userSearchEmailAttr:

        ## A mapping of attributes on the user entry to claims.
        ##
        userSearchNameAttr:

        ## BaseDN to start the search from. For example 'cn=groups,dc=example,dc=com'
        ##
        groupSearchBaseDn:

        ## Optional filter to apply when searching the directory. For example '(objectClass=posixGroup)'
        ##
        groupSearchFilter:

        ## Can either be: 'sub'  search the whole sub tree or 'one' - only search one level. Defaults to 'sub'.
        ##
        groupSearchScope:

        ## Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is: (<groupAttr>=<userAttr value>)
        ##
        groupSearchUserAttr:

        ## Adds an additional requirement to the filter that an attribute in the group match the user's attribute value. The exact filter being added is: (<groupAttr>=<userAttr value>)
        ##
        groupSearchGroupAttr:

        ## The attribute of the group that represents its name.
        ##
        groupSearchNameAttr:

      ## Authentication (SAML)
      saml:
        enabled: false

        ## The auth provider name displayed to users on the login page
        ##
        displayName:

        ## (Required) SSO URL used for POST value.
        ##
        ssoURL:

        ## Issuer value expected in the SAML response.
        ##
        ssoIssuer:

        ## Manually specify Concourse's Issuer value.
        ##
        ## When provided Concourse will include this as the Issuer value during AuthnRequest.
        ## If not provided, will default to the redirect URI when evaluating
        ## AudienceRestriction elements in the response.
        entityIssuer:

        ## Name of the username attribute in the returned assertions to map to ID token claims (default: name)
        ##
        usernameAttr:

        ## Name of the email attribute in the returned assertions to map to ID token claims (default: email)
        ##
        emailAttr:

        ## Name of the groups attribute in the returned assertions to map to ID token claims (default: groups)
        ##
        groupsAttr:

        ## Delimiter for splitting groups returned as a single string.
        ##
        ## By default, multiple groups are assumed to be represented as multiple
        ## attributes with the same name.
        ##
        ## If "groupsDelim" is provided groups are assumed to be represented as a
        ## single attribute and the delimiter is used to split the attribute's value
        ## into multiple groups.
        groupsDelim:

        ## Requested format of the NameID.
        ##
        ## The NameID value is is mapped to the user ID of the user. This can be an
        ## abbreviated form of the full URI with just the last component. For example,
        ## if this value is set to "emailAddress" the format will resolve to:
        ##
        ##     urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
        ##
        ## If no value is specified, this value defaults to:
        ##
        ##     urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        ##
        nameIDPolicyFormat:

        ## Skip signature verification. If false, you must provide secrets.samlCaCert.
        ##
        insecureSkipVerify: false

      ## Authentication (OAuth2)
      ##
      oauth:
        enabled: false

        ## The auth provider name displayed to users on the login page
        ##
        displayName:

        ## (Required) Authorization URL
        ##
        authUrl:

        ## (Required) Token URL
        ##
        tokenUrl:

        ## UserInfo URL
        ##
        userinfoUrl:

        ## Any additional scopes that need to be requested during authorization
        ##
        scope:

        ## The groups key indicates which claim to use to map external groups to Concourse teams.
        ##
        groupsKey:

        ## CA Certificate
        ##
        useCaCert:

        ## Skip SSL validation
        ##
        skipSslValidation:

        ## The user id key indicates which claim to use to map an external user id to a
        ## Concourse user id.
        ##
        userIdKey: user_id

        ## The user name key indicates which claim to use to map an external user name to a
        ## Concourse user name.
        ##
        userNameKey: user_name

      ## Authentication (OIDC)
      oidc:
        enabled: false

        ## The auth provider name displayed to users on the login page
        ##
        displayName:

        ## (Required) An OIDC issuer URL that will be used to discover provider configuration using the .wellKnown/openid-configuration
        ##
        issuer:

        ## Any additional scopes that need to be requested during authorization
        ##
        scope:

        ## The groups key indicates which claim to use to map external groups to Concourse teams
        ##
        groupsKey:

        ## CA Certificate
        ##
        useCaCert:

        ## Skip SSL validation
        ##
        skipSslValidation:

        ## Ignore the email_verified claim from the upstream provider, treating all users as if email_verified were true
        ##
        skipEmailVerifiedValidation:

        ## The user name key indicates which claim to use to map an external user name to a
        ## Concourse user name.
        ##
        userNameKey: username

        ## Disable OIDC groups claim fetching
        ##
        disableGroups:

      ## Authentication (Microsoft)
      microsoft:
        enabled: false

        # Microsoft Tenant limitation (common, consumers, organizations, tenant name or tenant uuid)
        tenant:

        # Allowed Active Directory Groups
        groups:

        # Only fetch security groups
        onlySecurityGroups:

    tsa:
      ## Enable this flag in order to customize the `client_id` and
      ## `client_secret` used when the TSA needs to communicate with the ATC.
      ##
      ## Enabling this requires setting `secrets.tsaClientId` and
      ## `secrets.tsaClientSecret` (or filling the equivalent fields in the Secret).
      ##
      clientConfig:
        enabled: false

      ## Minimum level of logs to see. Possible values: debug, info, error.
      ##
      logLevel: info

      ## IP address on which to listen for SSH.
      ##
      bindIp: 0.0.0.0

      ## Port on which to listen for SSH.
      ##
      bindPort: 2222

      ## IP address on which to listen for the pprof debugger endpoints (default: 127.0.0.1)
      ##
      debugBindIp: 127.0.0.1

      ## Port on which to listen for TSA pprof server.
      ##
      debugBindPort: 2221

      ## Path to private key to use for the SSH server.
      ##
      hostKey:

      ## ATC API endpoints to which workers will be registered.
      ##
      atcUrl:

      ## Interval on which to heartbeat workers to the ATC.
      ##
      heartbeatInterval: 30s

      ## How long to wait for requests to Garden to complete. 0 means no timeout.
      ##
      gardenRequestTimeout:

    letsEncrypt:
      ## Automatically configure TLS certificates via Let's Encrypt/ACME.
      ##
      enabled: false

      ## URL of the ACME CA directory endpoint.
      ##
      acmeURL:

  worker:
    ## Signal to send to the worker container when shutting down.
    ## Possible values:
    ##
    ## - SIGUSR1: land the worker, and
    ## - SIGUSR2: retire the worker.
    ##
    ## Note.: using SIGUSR2 with persistence enabled implies the use of an
    ## initContainer that removes any data the existed previously under
    ## `concourse.worker.workDir` as the action of `retire`ing a worker implies
    ## that no state comes back with it when re-registering.
    ##
    ## Ref: https://concourse-ci.org/concourse-worker.html
    ## Ref: https://concourse-ci.org/worker-internals.html
    ##
    shutdownSignal: SIGUSR2

    ## Duration after which the registration should be swapped to another random SSH gateway.
    ##
    rebalanceInterval:

    ## Duration after which a worker should give up draining forwarded connections on shutdown.
    ##
    connectionDrainTimeout: 1h

    ## IP address on which to listen for health checking requests.
    ##
    healthcheckBindIp: 0.0.0.0

    ## Port on which to listen for health checking requests.
    ##
    healthcheckBindPort: 8888

    ## HTTP timeout for the full duration of health checking.
    ##
    healthcheckTimeout: 5s

    ## The name to set for the worker during registration. If not specified, the hostname will be used.
    ##
    name:

    ## A tag to set during registration. Can be specified multiple times.
    ##
    tag:

    ## The name of the team that this worker will be assigned to.
    ##
    team:

    ## HTTP proxy endpoint to use for containers.
    ##
    http_proxy:

    ## HTTPS proxy endpoint to use for containers.
    ##
    https_proxy:

    ## Blacklist of addresses to skip the proxy when reaching.
    ##
    no_proxy:

    ## If set, the worker will be immediately removed upon stalling.
    ## Ignored for kind: Deployment and set to "true"
    ##
    ephemeral:

    ## IP address on which to listen for the pprof debugger endpoints.
    ##
    debugBindIp: 127.0.0.1

    ## Port on which to listen for beacon pprof server.
    ##
    debugBindPort: 7776

    ## Version of the worker. This is normally baked in to the binary, so this flag is hidden.
    ##
    version:

    ## Directory in which to place container data.
    ##
    workDir: /concourse-work-dir

    ## IP address on which to listen for the Garden server.
    ##
    bindIp: 127.0.0.1

    ## Port on which to listen for the Garden server.
    ##
    bindPort: 7777

    ## IP used to reach this worker from the ATC nodes.
    ##
    peerIp:

    ## Interval on which containers and volumes will be garbage collected from the worker.
    ##
    sweepInterval: 30s

    ## Minimum level of logs to see. Possible options: debug, info, error.
    ##
    logLevel: info

    ## Maximum number of containers which can be swept in parallel.
    ##
    containerSweeperMaxInFlight: 5

    ## Maximum number of volumes which can be swept in parallel.
    ##
    volumeSweeperMaxInFlight: 5

    ## Runtime to use with the worker. Possible values: guardian, containerd, houdini.
    ## Please note that Houdini is insecure and doesn't run 'tasks' in containers.
    runtime:

    tsa:

      ## TSA host(s) to forward the worker through.
      ## Only used for worker-only deployments.
      ## Example:
      ## hosts:
      ##   - 1.1.1.1:2222
      ##   - 2.2.2.2:2222
      ##
      hosts: []

      ## File containing a public key to expect from the TSA.
      ##
      publicKey:

      ## File containing the private key to use when authenticating to the TSA.
      ##
      workerPrivateKey:

    # The following refers to configuration for the Guardian runtime. For historical reasons
    # it is referred to as "garden" which is the server wrapping Guardian and the interface
    # that Guardian implements.
    garden:
      ## Path to a guardian executable (non-absolute names get resolved from $PATH).
      ## This defaults to the gdn binary bundled with Concourse.
      bin:

      ## Path to a config file to use for Garden in INI format.
      ##
      ## For example, in a ConfigMap:
      ##
      ##   [server]
      ##     max-containers = 100
      ##
      ## For information about the possible values:
      ## Ref: https://bosh.io/jobs/garden?source=github.com/cloudfoundry/garden-runc-release
      ##
      config:

      ## Enable a proxy DNS server for Garden
      ##
      dnsProxyEnable:

      ## How long to wait for requests to Garden to complete. 0 means no timeout.
      ##
      requestTimeout:

      ## Maximum container capacity. 0 means no limit. Defaults to 250.
      ##
      maxContainers:

      ## Network range to use for dynamically allocated container subnets. Defaults to "10.80.0.0/16".
      ##
      networkPool:

    containerd:

      ## Path to a containerd executable (non-absolute names get resolved from $PATH)."`
      bin:

      ## Path to a config file to use for the Containerd daemon.
      config:

      ## Enable a proxy DNS server for Garden. Note: this implicitly turns on container access to host network.
      dnsProxyEnable:

      ## MTU size for container network interfaces. Defaults to the MTU of the interface used for outbound access by the host
      mtu:

      ## IP address to use to reach container's mapped ports. Autodetected if not specified.
      externalIP:

      ## List of DNS server IP addresses to use instead of automatically determined servers.
      ## Example:
      ## dnsServers:
      ##   - 1.1.1.1
      ##   - 2.2.2.2
      dnsServers: []

      ## List of network ranges to which traffic from containers will be restricted.
      ## Example:
      ## restrictedNetworks:
      ##   - 1.1.1.1
      ##   - 2.2.2.2
      restrictedNetworks: []

      ## Allows containers to reach host network.
      allowHostAccess:

      ## Maximum container capacity. 0 means no limit. Defaults to 250.
      maxContainers:

      ## Network range to use for dynamically allocated container subnets, defaults to "10.80.0.0/16"
      ##
      networkPool:

      ## Time to wait for requests to Containerd to complete. 0 means no timeout.
      requestTimeout:

      ## Path to a dumb init executable, defaults to /usr/local/concourse/bin/init
      initBin:

      ## Path to CNI network plugins, defaults to /usr/local/concourse/bin
      cniPluginsDir:

    ## API endpoint of an externally managed Garden server to use instead of
    ## running the embedded Garden server.
    ##
    externalGardenUrl:

    baggageclaim:
      ## Minimum level of logs to see. Possible values: debug, info, error
      ##
      logLevel: info

      ## IP address on which to listen for API traffic.
      ##
      bindIp: 127.0.0.1

      ## Port on which to listen for API traffic.
      ##
      bindPort: 7788

      ## IP address on which to listen for the pprof debugger endpoints.
      ##
      debugBindIp: 127.0.0.1

      ## Port on which to listen for baggageclaim pprof server.
      ##
      debugBindPort: 7787

      ## Disable remapping of user/group IDs in unprivileged volumes.
      ##
      disableUserNamespaces:

      ## Directory in which to place volume data.
      ##
      volumes:

      ## Driver to use for managing volumes.
      ## Possible values: detect, naive, btrfs, and overlay.
      ##
      driver:

      ## Path to btrfs binary
      ##
      btrfsBin: btrfs

      ## Path to mkfs.btrfs binary
      ##
      mkfsBin: mkfs.btrfs

      ## Path to directory in which to store overlay data
      ##
      overlaysDir:

      ## Interval on which to reap expired volumes.
      ##
      reapInterval: 10s

      ## 4 for IPv4 and 6 for IPv6
      ##
      p2pInterfaceFamily:

      ## Regular expression to match a network interface for p2p streaming
      ## e.g. "eth0"
      ##
      p2pInterfaceNamePattern:

    ## Enable Horizontal Pod Autoscaling
    ## to use this, ephemeral worker with
    ## worker.kind: Deployment is recommended
    ##
    ## see. https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
    ## for custom metrics see.
    ##   https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
    ##
    ## To disable autoscaling set it to an empty map: { }
    autoscaling: { }
      # maxReplicas is required to for auto scaling
      # see the following example for scaling on CPU_Utilization and on
      # a custom metric 'concourse_workers_containers'
      # for this to work you need to configure the metric eg. with prometheus adapter
#      maxReplicas: 1
#      minReplicas: 1
#      builtInMetrics:
#        - type: Resource
#          resource:
#            name: cpu
#            target:
#              type: Utilization
#              averageUtilization: 80
#      customMetrics:
#        - type: Pods
#          pods:
#            metric:
#              name: concourse_workers_containers
#            target:
#              type: AverageValue
#              averageValue: 180

## Configuration values for Concourse Web components.
## For more information regarding the characteristics of
## Concourse Web nodes, see https://concourse-ci.org/concourse-web.html.
##
web:
  ## Enable or disable the web component.
  ## This allows the creation of worker-only releases by setting this to false.
  ##
  enabled: true

  ## Override the components name (defaults to web).
  ##
  nameOverride:

  ## Number of replicas.
  ##
  replicas: 1

  ## Startup command for the web component.
  ## Allows to override the docker image command
  # command: ["dumb-init", "/usr/local/concourse/bin/concourse"]

  ## Args of the startup command for the web component.
  ##
  args: ["web"]

  ## Array of extra containers to run alongside the Concourse Web
  ## container.
  ##
  ## Example:
  ## - name: myapp-container
  ##   image: busybox
  ##   command: ['sh', '-c', 'echo Hello && sleep 3600']
  ##
  sidecarContainers: []

  ## Array of extra initContainers to run alongside the Concourse Web
  ## container.
  ##
  ## Example:
  ## - name: myapp-init-container
  ##   image: busybox
  ##   command: ['sh', '-c', 'echo Hello && sleep 3600']
  ##
  extraInitContainers: []

  ## Pod priority class to assign to web pods.
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority
  priorityClassName:

  ## Enable or disable the process namespace sharing for the web nodes.
  ## This allows signaling the concourse process from a sidecar container.
  ## eg.: signal concourse web to reload the team authorized keys file.
  ##
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/
  ##
  shareProcessNamespace: false

  ## Configures the liveness probe used to determine if the Web component is up.
  ## ps.: if you're upgrading Concourse from one version  to another, the probe will
  ## probably fail for some time before migrations are finished - in such situations,
  ## consider bumping the values set here.
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  ##
  livenessProbe:
    failureThreshold: 5
    initialDelaySeconds: 10
    periodSeconds: 15
    timeoutSeconds: 3
    httpGet:
      path: /api/v1/info
      port: atc

  ## Configures the readiness probes.
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  ##
  readinessProbe:
    httpGet:
      path: /api/v1/info
      port: atc

  ## Configure resource requests and limits.
  ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources:
    requests:
      cpu: "100m"
      memory: "128Mi"

  ## Configure additional environment variables for the
  ## web containers.
  ## Example:
  ##
  ##   - name: CONCOURSE_LOG_LEVEL
  ##     value: "debug"
  ##   - name: CONCOURSE_TSA_LOG_LEVEL
  ##     value: "debug"
  ##
  env:

  ## Configure the security context for the web containers.
  ## Example:
  ##   capabilities:
  ##     add:
  ##       - SYS_PTRACE
  ##
  securityContext:

  ## Where secrets should be mounted for the web container.
  ##
  keySecretsPath: "/concourse-keys"
  teamSecretsPath: "/team-authorized-keys"
  authSecretsPath: "/concourse-auth"
  vaultSecretsPath: "/concourse-vault"
  credhubSecretsPath: "/concourse-credhub"
  postgresqlSecretsPath: "/concourse-postgresql"
  syslogSecretsPath: "/concourse-syslog"
  tlsSecretsPath: "/concourse-web-tls"
  conjurSecretsPath: "/concourse-conjur"

  ## Configure additional volumes for the
  ## web container(s).
  ##
  ## Example:
  ##
  ##   - name: my-team-authorized-keys
  ##     configMap:
  ##       name: my-team-authorized-keys-config
  ##
  ## Ref: https://kubernetes.io/docs/concepts/storage/volumes/
  ##
  additionalVolumes: []

  ## Configure additional volumeMounts for the
  ## web container(s)
  ##
  ## Example:
  ##
  ##  - name: my-team-authorized-keys
  ##    mountPath: /my-team-authorized-keys
  ##
  ## Ref: https://kubernetes.io/docs/concepts/storage/volumes/
  ##
  additionalVolumeMounts:

  ## Additional affinities to add to the web pods.
  ##
  ## Example:
  ##   nodeAffinity:
  ##     preferredDuringSchedulingIgnoredDuringExecution:
  ##       - weight: 50
  ##         preference:
  ##           matchExpressions:
  ##             - key: spot
  ##               operator: NotIn
  ##               values:
  ##                 - "true"
  ##
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ##
  additionalAffinities:

  ## Additional Labels to be added to the web pods.
  ##
  ## Example:
  ##   key1: "value1"
  ##   key2: "value2"
  ##
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  labels: {}

  ## Annotations for the web nodes.
  ##
  ## Example:
  ##   key1: "value1"
  ##   key2: "value2"
  ##
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  annotations: {}

  ## Node selector for web nodes.
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  nodeSelector: {}

  ## Tolerations for the web nodes.
  ##
  ## Example:
  ##   - key: "toleration=key"
  ##     operator: "Equal"
  ##     value: "value"
  ##     effect: "NoSchedule"
  ##
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []

  ## Strategy for web deployment updates.
  ##
  ## Example:
  ##
  ##   strategy:
  ##     type: RollingUpdate
  ##     rollingUpdate:
  ##       maxSurge: 1
  ##       maxUnavailable: 25%
  strategy: {}

  ## Service configuration.
  ## Ref: https://kubernetes.io/docs/user-guide/services/
  ##
  service:
    api:
      ## For minikube, set this to ClusterIP, elsewhere use LoadBalancer or NodePort
      ## Ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
      ##
      type: ClusterIP

      ## When using `web.service.api.type: ClusterIP`, sets the user-specified cluster IP.
      ## Example: 172.217.1.174
      ##
      clusterIP:

      ## When using `web.service.api.type: LoadBalancer`, sets the user-specified load balancer IP.
      ## Example: 172.217.1.174
      ##
      loadBalancerIP:

      ## Additional Labels to be added to the web api service.
      ##
      labels:

      ## Annotations to be added to the web api service.
      ##
      ##
      ## When using `web.service.api.type: LoadBalancer` in AWS, enable HTTPS with an ACM cert:
      ##
      ##   service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:123456789:certificate/abc123-abc123-abc123-abc123"
      ##   service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      ##   service.beta.kubernetes.io/aws-load-balancer-backend-port: "api"
      ##   service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      ##
      annotations: {}

      ## When using `web.service.api.type: LoadBalancer`, restrict access to the load balancer to particular IPs
      ## Example:
      ##   - 192.168.1.10/32
      ##
      loadBalancerSourceRanges:

      ## When using `web.service.api.type: NodePort`, sets the nodePort for api
      ##
      NodePort:

      ## When using `web.service.api.type: NodePort`, sets the nodePort for api tls
      ##
      tlsNodePort:

    workerGateway:
      ## For minikube, set this to ClusterIP, elsewhere use LoadBalancer or NodePort
      ## Ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
      ##
      type: ClusterIP

      ## When using `web.service.workerGateway.type: ClusterIP`, sets the user-specified cluster IP.
      ## Example: 172.217.1.174
      ##
      clusterIP:

      ## When using `web.service.workerGateway.type: LoadBalancer`, sets the user-specified load balancer IP.
      ## Example: 172.217.1.174
      ##
      loadBalancerIP:

      ## Additional Labels to be added to the web workerGateway service.
      ##
      labels:

      ## Annotations to be added to the web workerGateway service.
      ##
      ## When using `web.service.workerGateway.type: LoadBalancer` in AWS, enable HTTPS with an ACM cert:
      ##
      ##   service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:123456789:certificate/abc123-abc123-abc123-abc123"
      ##   service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      ##   service.beta.kubernetes.io/aws-load-balancer-backend-port: "atc"
      ##   service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      ##
      annotations: {}

      ## When using `web.service.workerGateway.type: LoadBalancer`, restrict access to the load balancer to particular IPs
      ## Example:
      ##   - 192.168.1.10/32
      ##
      loadBalancerSourceRanges:

      ## When using `web.service.workerGateway.type: NodePort`, sets the nodePort for tsa
      ##
      NodePort:



    prometheus:
      ## Additional Labels to be added to the web service.
      ##
      labels:

      ## Annotations to be added to the web service.
      ##
      ## Example:
      ##
      ##   prometheus.io/probe: "true"
      ##   prometheus.io/probe_path: "/"
      ##
      ##
      annotations: {}

      ## For minikube, set this to ClusterIP, elsewhere use LoadBalancer or NodePort
      ## Ref: https://kubernetes.io/docs/user-guide/services/#publishing-services---service-types
      ##
      type: ClusterIP

      ## When using `web.service.prometheus.type: ClusterIP`, sets the user-specified cluster IP.
      ## Example: 172.217.1.174
      ##
      clusterIP:

      ## When using `web.service.prometheus.type: LoadBalancer`, sets the user-specified load balancer IP.
      ## Example: 172.217.1.174
      ##
      loadBalancerIP:

      ## When using `web.service.prometheus.type: LoadBalancer`, restrict access to the load balancer to particular IPs
      ## Example:
      ##   - 192.168.1.10/32
      ##
      loadBalancerSourceRanges:

      ## When using `web.service.prometheus.type: NodePort`, sets the nodePort
      ##
      NodePort:

  ## Ingress configuration.
  ## Ref: https://kubernetes.io/docs/user-guide/ingress/
  ##
  ingress:
    ## Enable Ingress.
    ##
    enabled: false

    ## Annotations to be added to the web ingress.
    ## Example:
    ##   kubernetes.io/ingress.class: nginx
    ##   kubernetes.io/tls-acme: 'true'
    ##
    annotations: {}

    ## Hostnames.
    ## Either `hosts` or `rulesOverride` must be provided if Ingress is enabled.
    ## `hosts` sets up the Ingress with default rules per provided hostname.
    hosts:

    ## Ingress class name
    ## Should match the name of the IngressClass. If left unset, will select the default IngressClass.
    ingressClassName:

    ## Ingress rules override
    ## Either `hosts` or `rulesOverride` must be provided if Ingress is enabled.
    ## `rulesOverride` allows the user to define the full set of ingress rules, for more complex Ingress setups.
    rulesOverride:

    ## TLS configuration.
    ## Secrets must be manually created in the namespace.
    ## Example:
    ##   - secretName: concourse-web-tls
    ##     hosts:
    ##       - concourse.domain.com
    ##
    tls:

## Configuration values for Concourse Worker components.
## For more information regarding the characteristics of
## Concourse Workers, see https://concourse-ci.org/concourse-worker.html
##
worker:

  ## Enable or disable the worker component.
  ## This can allow users to create web only releases by setting this to false
  ##
  enabled: true

  ## Selects kind of Deployment. Valid Options are: StatefulSet | Deployment
  ## Using Deployment leads to ephemeral workers. Meaning workers do not
  ## share state between restarts
  ##
  kind: StatefulSet

  ## Override the components name (defaults to worker).
  ##
  nameOverride:

  ## Removes any previous state created in `concourse.worker.workDir`.
  ##
  cleanUpWorkDirOnStart: true

  ## Number of replicas.
  ##
  replicas: 2

  ## Array of extra containers to run alongside the Concourse worker
  ## container.
  ##
  ## Example:
  ##
  ## - name: myapp-container
  ##   image: busybox
  ##   command: ['sh', '-c', 'echo Hello && sleep 3600']
  ##
  sidecarContainers: []

  ## Array of extra initContainers to run alongside the Concourse worker
  ## container.
  ##
  ## Example:
  ## - name: myapp-init-container
  ##   image: busybox
  ##   command: ['sh', '-c', 'echo Hello && sleep 3600']
  ##
  extraInitContainers: []

  ## Minimum number of workers available after an eviction
  ## Ref: https://kubernetes.io/docs/admin/disruptions/
  ##
  minAvailable: 1

  ## Configures the liveness probe used to determine if the Worker component is up.
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  ##
  livenessProbe:
    failureThreshold: 5
    initialDelaySeconds: 10
    periodSeconds: 15
    timeoutSeconds: 3
    httpGet:
      path: /
      port: worker-hc

  ## Configures the readiness probes.
  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
  ##
  readinessProbe: {}

  ## Configure resource requests and limits.
  ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources:
    requests:
      cpu: "100m"
      memory: "512Mi"

  ## Configure additional environment variables for the
  ## worker container(s)
  ##
  ## Example:
  ##
  ##   - name: CONCOURSE_NAME
  ##     value: "anything"
  ##
  env: []

  ## For managing where secrets should be mounted for worker agents
  ##
  keySecretsPath: "/concourse-keys"

  ## For managing where additional certs should be added into a worker.
  ## You can add additional certs with secrets.workerAdditionalCerts
  ##
  certsPath: "/etc/ssl/certs"

  ## Configure additional volumeMounts for the
  ## worker container(s)
  ##
  ## Example:
  ##   - name: concourse-baggageclaim
  ##     mountPath: /baggageclaim
  ##
  additionalVolumeMounts: []

  ## Additional Labels to be added to the worker pods.
  ##
  ## Example:
  ##   key1: "value1"
  ##   key2: "value2"
  ##
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  labels: {}

  ## Annotations to be added to the worker pods.
  ##
  ## Example:
  ##
  ##   iam.amazonaws.com/role: arn:aws:iam::123456789012:role/concourse
  ##
  annotations: {}

  ## Node selector for the worker nodes.
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  ##
  nodeSelector: {}

  ## Additional affinities to add to the worker pods.
  ## Useful if you prefer to run workers on non-spot instances, for example.
  ##
  ## Example:
  ##
  ##   nodeAffinity:
  ##     preferredDuringSchedulingIgnoredDuringExecution:
  ##       - weight: 50
  ##         preference:
  ##           matchExpressions:
  ##             - key: spot
  ##               operator: NotIn
  ##               values:
  ##                 - "true"
  ##
  additionalAffinities: {}

  ## Configure additional volumes for the
  ## worker container(s).
  ## Example:
  ##
  ##  - name: concourse-baggageclaim
  ##    hostPath:
  ##      path: /dev/nvme0n1
  ##      type: BlockDevice
  ##
  ##
  ## As a special exception, this allows taking over the `concourse-work-dir`
  ## volume (from the default emptyDir) if `persistence.enabled` is false:
  ##
  ##   additionalVolumes:
  ##     - name: concourse-work-dir
  ##       hostPath:
  ##         path: /mnt/locally-mounted-fast-disk/concourse
  ##         type: DirectoryOrCreate
  ##
  additionalVolumes: []

  ## Whether the workers should be forced to run on separate nodes.
  ## This is accomplished by setting their AntiAffinity with requiredDuringSchedulingIgnoredDuringExecution as opposed to preferred
  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity-beta-feature
  ##
  hardAntiAffinity: false

  ## Set of labels to use in the hard anti affinity rule.
  ##
  ## Example:
  ##   hardAntiAffinity: true
  ##   hardAntiAffinityLabels:
  ##     application: concourse
  ##
  hardAntiAffinityLabels: {}

  ## Tolerations for the worker nodes.
  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  ## For example:
  ##
  ##   - key: "toleration=key"
  ##     operator: "Equal"
  ##     value: "value"
  ##     effect: "NoSchedule"
  ##
  tolerations: []

  ## Pod priority class to assign to worker pods.
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority
  priorityClassName:

  ## Time to allow the pod to terminate before being forcefully terminated. This should provide time for
  ## the worker to retire, i.e. drain its tasks. See https://concourse-ci.org/worker-internals.html for worker
  ## lifecycle semantics.
  ##
  terminationGracePeriodSeconds: 60

  ## Strategy for StatefulSet updates (requires Kubernetes 1.6+)
  ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset
  ##
  ## Strategy for Deployment updates
  ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  ##
  updateStrategy:
    type: RollingUpdate
#    rollingUpdate:
#      maxSurge: 25%
#      maxUnavailable: 1

  ## Pod Management strategy (requires Kubernetes 1.7+)
  ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  ## "OrderedReady" is default. "Parallel" means worker pods will launch or terminate
  ## in parallel.
  ##
  ## Ignored for Kind Deployment
  podManagementPolicy: Parallel

  ## When persistance is disabled this value will be used to limit the emptyDir volume size
  ## Ref: https://kubernetes.io/docs/concepts/storage/volumes/#emptydir
  ##
  ## Example: 20Gi
  ##
  emptyDirSize:

## Persistent Volume Storage configuration.
## Ref: https://kubernetes.io/docs/user-guide/persistent-volumes
##
persistence:
  ## Enable persistence using Persistent Volume Claims.
  ## Ignored for Kind: Deployment. If persistence is needed use kind: StatefulSet
  ##
  enabled: true

  ## Worker Persistence configuration.
  ##
  worker:
    ## concourse data Persistent Volume Storage Class
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass:

    ## Persistent Volume Access Mode.
    ##
    accessMode: ReadWriteOnce

    ## Persistent Volume Storage Size.
    ##
    size: 20Gi

    # You can define additional selector for pvc
    selector:
    #   matchLabels:
    #     app-volume: "concourse"

## Configuration values for the postgresql dependency.
## Ref: https://github.com/helm/charts/blob/master/stable/postgresql/README.md
##
postgresql:

  ## Use the PostgreSQL chart dependency.
  ##
  ## Set to false if bringing your own PostgreSQL, and set the corresponding `secrets`
  ## fields that correspond to the PostgreSQL variables that `concourse web` should use
  ## to connect to.
  ##
  ## Should be set to false if using the chart as a worker only deployment.
  ##
  enabled: true

  ## Provide a name to substitute for the full name of postgresql resources
  ## ps.: Resources will not be appended with "-postgresql"
  ##
  fullnameOverride:

  ### PostgreSQL User to create.
  ##
  postgresqlUsername: concourse

  ## PostgreSQL Password for the new user.
  ## If not set, a random 10 characters password will be used.
  ##
  postgresqlPassword: concourse

  ## PostgreSQL Database to create.
  ##
  postgresqlDatabase: concourse

  ## Allows for setting a specific cluster ip for the PostgreSQL
  ## service.
  service:
    clusterIP:

  ## Persistent Volume Storage configuration for PostgreSQL.
  ##
  ## Ref: https://kubernetes.io/docs/user-guide/persistent-volumes
  ##
  persistence:
    ## Enable PostgreSQL persistence using Persistent Volume Claims.
    ##
    enabled: true

    ## Persistent Volume Storage Class to be used by PersistentVolumes created
    ## for PostgreSQL.
    ##
    ## If defined, storageClassName: <storageClass>
    ## If set to "-", storageClassName: "", which disables dynamic provisioning
    ## If undefined (the default) or set to null, no storageClassName spec is
    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
    ##   GKE, AWS & OpenStack)
    ##
    storageClass:

    ## Persistent Volume Access Mode.
    ##
    accessModes:
      - ReadWriteOnce

    ## Persistent Volume Storage Size.
    ##
    size: 8Gi

## For Kubernetes RBAC support:
##
rbac:
  ## Enable the creation of RBAC resources.
  ##
  create: true

  ## RBAC Version
  ##
  apiVersion: v1

  ## The name of the service account to use for web pods if rbac.create is false
  ##
  webServiceAccountName: default

  ## Any annotations required for the web Service Account
  webServiceAccountAnnotations: {}

  ## The name of the service account to use for worker pods if rbac.create is false
  ##
  workerServiceAccountName: default

  ## Any annotations required for the worker Service Account
  workerServiceAccountAnnotations: {}

## For managing podSecurityPolicies. To make sure rbac objects are also created
## for the use of the podsecuritypolicy objects,
## set rbac.create to 'true' (this is the default value)
##
podSecurityPolicy:
  ## Create podSecurityPolicy objects for concourse. Set this to false if
  ## objects are not needed, or if they are managed outside helm.
  ##
  create: false

  ## By default use the recommended minimum set of volumes in kubernetes.
  ## Possible to overwrite if other types are used.
  ##
  allowedWorkerVolumes:
  - 'secret'
  - 'persistentVolumeClaim'
  - 'configMap'
  - 'downwardAPI'
  - 'emptyDir'
  - 'projected'

  ## By default use the recommended minimum set of volumes in kubernetes.
  ## Possible to overwrite if other types are used.
  ##
  allowedWebVolumes:
  - 'secret'
  - 'persistentVolumeClaim'
  - 'configMap'
  - 'downwardAPI'
  - 'emptyDir'
  - 'projected'

## For managing secrets using Helm
##
secrets:
  ## Create the secret resource from the following values. Set this to
  ## false to manage these secrets outside Helm.
  ##
  create: true

  ## Annotations to be added to the secrets.
  ##
  ## Example:
  ##   key1: "value1"
  ##   key2: "value2"
  ##
  ## Ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  annotations: {}

  ## Array of team names and public keys for team external workers. A single
  ## team can have many keys defined in the key field.
  ##
  ## Example:
  ## - team: main
  ##   key: |-
  ##     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYBQ9fG6IML+qsFaMh1Pl+81wyUwRilHdfhItAiAsLVQsOwI5+V4pn5aLhHPBuRQqIqYmbkZ7I1VUIN1+90PVJ3X7l9qqanb85AHMtLujw1j9u0zDyH2XHgpUloknUQzUSLIZjjU3Hn3Uo/XikF+vT8104isO7Ym8Xp7sIcRuvOQ3nuRsFVCRogxpLTVHD/k57rwYVqWWLaKLwvx01ZVXOq4GHk/BVaKa9ODC/dNgbZMfwvVVXuf7/NFGmSMyXb49Si4aoP4Gn7jAX6GngBbm/bgKqO0skQy/ggQm/YVF+s5q4EhleMBLVJKD1VpM5LeLDFpiu/y4bVd8wUcgK+QQ9 Concourse
  ##     ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDzpK/sIOtL9SCjAWrvO8QvknzYbnXvP/BljTQFNLwzsPqawqTk3FqUIsEjsq4clV3nwADK8Iq9A/xRlPR+ANhoGDPDv34FsWz5qKcXV7aXcOma8vyU4MJPjveXcZX7FjwztGoRIND9CXlLCDuYeIwBxCcnBBAwQFZuCmEXcqwsRbCve1KkswV1yr9yvmNaKNKTkJGo+7wGyShjzkfqijYCdwYbUWpSB0/tOGszBONtKE6FyJUmVtBgj+CAGZtj1AxGBbMnxxV
  ##
  ## Make sure to chack the security caveats here: https://concourse-ci.org/teams-caveats.html
  ## Extra Reads: https://github.com/concourse/concourse/issues/1865#issuecomment-464166994
  ## https://concourse-ci.org/global-resources.html#complications-with-reusing-containers
  ##
  teamAuthorizedKeys:

  ## List of `username:password` or `username:bcrypted_password` combinations for all your local concourse users.
  ## For details of expected format, see https://concourse-ci.org/local-auth.html
  ##
  localUsers: "test:test"

  ## The TLS certificate and private key for the web component to be able to terminate
  ## TLS connections.
  ##
  webTlsCert:
  webTlsKey:

  ## The TLS CA certificate for the web component to be able to terminate
  ## TLS connections. Enables mTLS.
  ##
  webTlsCaCert:

  ## Concourse Host Keys.
  ## Ref: https://concourse-ci.org/install.html#generating-keys
  ##
  hostKey: |-
    -----BEGIN RSA PRIVATE KEY-----
    MIIEogIBAAKCAQEA2AUPXxuiDC/qrBWjIdT5fvNcMlMEYpR3X4SLQIgLC1ULDsCO
    fleKZ+Wi4RzwbkUKiKmJm5GeyNVVCDdfvdD1Sd1+5faqmp2/OQBzLS7o8NY/btMw
    8h9lx4KVJaJJ1EM1EiyGY41Nx591KP14pBfr0/NdOIrDu2JvF6e7CHEbrzkN57kb
    BVQkaIMaS01Rw/5Oe68GFalli2ii8L8dNWVVzquBh5PwVWimvTgwv3TYG2TH8L1V
    V7n+/zRRpkjMl2+PUouGqD+Bp+4wF+hp4AW5v24CqjtLJEMv4IEJv2FRfrOauBIZ
    XjAS1SSg9VaTOS3iwxaYrv8uG1XfMFHICvkEPQIDAQABAoIBAG87W8jrX6vK2Jm3
    ooJ/OeFmymiXWsCwFi+2/kVCR/2T0tfLyxO/W+NX2WD1F9CP+HaaZeMXPp3HS7up
    V8FT4ZohVYBwXTS0WYyucKApcYThrVQRpzhldnEfClGQmVeVK7Sp/KEyV4Sc1SVA
    L2i/cI142N2Ohm7spquVkLcuFsVINzZ0fXCv25dTqbkEgjTJzNdBzyFXvc4z0Mt9
    gW14M7mz+YKYOfsCxIEm438fC9b16C96yIFBdN+/jaP8pmb2RoIE2D0F8bj5K1hR
    YyGFKMOU4e6cYq59iWfubKuu2WNJEBk/5aO7x7Xu2S0k8wIYlwxFuu4LfR2Kvizu
    +mFVf3kCgYEA9e0+40tJGpOPM8hAB3DwXjYc8lCuyYf3z30T3RqVNCUVSWnlaj/s
    3ENi6+Ng3u+Zs8cR2CFou+jAClTyWLuSnI9yACD0eyW9n4bzYMUbgdC6vneLjpzx
    wWR9Xv5RmZVly7xWuqcgEeEf8RNcYI3oXby0laF3EObvuAx/4ETIkFcCgYEA4N42
    w1UEWGopWBIIXYHkEPHQuF0SxR2CZyh9ExTeSxFphyibkcHRjDW+t91ZLnSm5k1N
    TOdYuc0ApBV3U+TexeFvDI94L/Oze6Ht5MatRQz8kRwMFGJL3TrpbgTmWdfG05Ad
    oiScJzwY16oJXnKusxik7V+gCCNNE0/2UuMnY4sCgYAEf82pvOPef5qcGOrK+A79
    ukG3UTCRcVJgUmp9nhHivVbxW+WdlwPPV9BEfol0KrAGMPsrmBjhbzWsOregVfYt
    tRYh2HiAlEUu2Po06AZDzrzL5UYBWu+1WRBOH5sAk1IkcxKnIY2dph++elszTQVW
    SbCIGEckYQU7ucbRJJECywKBgBb4vHFx8vKxTa3wkagzx7+vZFohL/SxEgxFx5k2
    bYsPqU8kZ9gZC7YeG3CfDShAxHgMd5QeoiLA/YrFop4QaG2gnP6UfXuwkqpTnYDc
    hwDh1b9hNR6z9/oOtaAGoh2VfHtKYqyYvtcHPaZyeWiLoKstHlQdi7SpHouVhJ1t
    FS4HAoGAGy+56+zvdROjJy9A2Mn/4BvWrsu4RSQILBJ6Hb4TpF46p2fn0rwqyhOj
    Occs+xkdEsI9w5phXzIEeOq2LqvWHDPxtdLpxOrrmx4AftAWdM8S1+OqTpzHihK1
    y1ZOrWfvON+XjWFFAEej/CpQZkNUkTzjTtSC0dnfAveZlasQHdI=
    -----END RSA PRIVATE KEY-----

  hostKeyPub: |-
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDYBQ9fG6IML+qsFaMh1Pl+81wyUwRilHdfhItAiAsLVQsOwI5+V4pn5aLhHPBuRQqIqYmbkZ7I1VUIN1+90PVJ3X7l9qqanb85AHMtLujw1j9u0zDyH2XHgpUloknUQzUSLIZjjU3Hn3Uo/XikF+vT8104isO7Ym8Xp7sIcRuvOQ3nuRsFVCRogxpLTVHD/k57rwYVqWWLaKLwvx01ZVXOq4GHk/BVaKa9ODC/dNgbZMfwvVVXuf7/NFGmSMyXb49Si4aoP4Gn7jAX6GngBbm/bgKqO0skQy/ggQm/YVF+s5q4EhleMBLVJKD1VpM5LeLDFpiu/y4bVd8wUcgK+QQ9 Concourse

  ## Concourse Session Signing Keys.
  ## Ref: https://concourse-ci.org/concourse-generate-key.html
  ##
  sessionSigningKey: |-
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEAwLql/rUIaI+PX7Tl3FWcTee4sQf8/daakALXx955tPwkhqlY
    e4T2V84p/ylFvNWpM4vfcMYKfMY0JLKgAgBvJhCytSkDBhTBoWmN6yE0AB11P9En
    lIZRBWNYqaC2cSge2ZD8qOSnwfFhnQAW8+7pE+ElJAVh7dtdF3A478H50lIigq8I
    zMWp2EGJpFC7/Uu36oIL/03MNGCmrH1jvtTuJiAMQUZYyL1ReBkvvHOzw9i4HXPy
    SMVtcllm4NBs2aVPtwhr2kwSkLt8t1bPdRn6OIyEAw5WktzAKaiZnkTvj6g3xzdp
    zKcrdlBr9aznlNvoSinBUfvtwyFmvFN1HHbA9wIDAQABAoIBAE7G/DrUfI9gvtX7
    90jMpYsigFe8UCjho2PiBZlo0o6r0bJJXiV+/8J8PqZRlHPPUc4EClzqVjcSPRYS
    /VxUGRqSELoD/Xxq14rGvn+xnrO9VsOzFl6bWFq/dOpBCtHN+G4t2VifvgKES8YE
    11z19sdta+UBXjn/RFnkQSGfRCI3QqTaYvjxevt0uWlyPmqkFPQQw8bvHIXzoB+B
    rzeiMa++nMvbX5pAH9XA0BvhyuH3fHidTUwiVBpkMcpLWtjP0A0JTsecDdbinDDq
    un2EIo8zMWRwKQN/JnUxsi8AUEigBTCUqeDgREXtW62uvFkSpcVMXwmVityLYIVy
    qnVLUCECgYEA6IwXkP1qnSfcNeoVI/ypDuz1/kdqcjSPhLYe+jdiLLoFkMW9AlDm
    lzwNaWlTFD9ygo+NjJCo63/A8HCm55sajws5hZ6r20vdZcKFMk9h0qF5oVA7lkQ2
    gvG2WaznuU7KkqhfP+pXhiLgZKoJkst/+g7r6uHpredwDY6hxeBK4vsCgYEA1CqH
    8ywC5qUo/36kQg/TU2adN/YEHdJAAbU23EVrGQSVmnXW08H2NLFk0tsxrwoNnbgp
    PIk2J7BimbJvbND17ibr4GAklDTsR8aJkDl+0JgNCAK9N07qVt1s7FXzhg95jUL9
    EQW55z60GAJpecqNwA4Jsa8P852N0355Obp92TUCgYBkOBvf7JcJ66fHxH4f6D+j
    oxPQ5k5Fsck4VJS9GSlCRVkor09ptBvsiYDuMOoRC9b51YwXTDDAbWplNOd5YSrt
    AtVjdKJz/BoKRO7KY9Owxs54au+DLxqfDDSeKRokjoRW+CE0lnXp5RX3zCAcF3+r
    8MpTi9D9lYSBEzs84BDmCQKBgQCMcH6/K3HcJJVn0fd+tyUGftUw9sswxjySJNbk
    pZrH263/qWMDls+Xf5kire9MU1ZCAWZiaN0NFoed/2wcVpGEDAV0548u/30r4bKr
    YjOcdhmiJNYFJ1qdF0MDib2CDvpB1IbZXrX46RujDO2urbJ435HxKNVhR/had8xc
    tyKYxQKBgCVDhN0MhnlUQJVZfX42APmF4gQg0r3sfL/NGXjEjMIKKFe5a88eZVHr
    L8x1+dp0q7czC8a/l1DUuiwDKl8OEpxLsGCq/J/wAfrSMPifu6EUlbUwlJOPdgha
    +p/KFAelHXJ2w/8yackAcarh35VP7ixhuvxswHNdgvfsBTFcjn30
    -----END RSA PRIVATE KEY-----

  ## Concourse Worker Keys.
  ## Ref: https://concourse-ci.org/concourse-generate-key.html
  ##
  workerKey: |-
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAuPehUmBXAQCoA7TLAQCYhf+vzcZVyj+VGXnMhLHnWLk7dRjo
    CU8GgNamdS5h7G3ywxOvKA3YjOLr8XyOMLS4c+e8N7tIzlMWdiXhe0lcBH9Z1ai5
    +Bof3/BlDUBksiKdc1A+QcfX6tDwMkOO5re1H4vOK3H/Cype58wCB03HYNgb05ED
    fW1Bj2qvz29VtmyjwEMuDs100iMqwCfPUx9oxXmmX8sUBRmw/Y1Rx/8pdKIjKw3m
    kWIHHBOSCPimO1qC47Aa8v/UH9hERCykyuFHiBiKlnIvZWm9bYvhsRTz4gt5KzRY
    6OI0oVeHlLOHDSK48Da8VWij15lOqO2Nx6WssQIDAQABAoIBADET22UNFOi6MNpS
    5S5N5ypezlnOD0NLnZcV3zMyNQ0wkNsgEakuo64Zxi7/cJIYFjq2hVoeWl//cdUw
    VFYODYcLbMBo3AeKukH9CRf6PgUfeUmcrENtQxnbIiTi+hTd5GMNXod7rAmtCJ59
    mHQVOGS3ZqvWYnKm+mmMktk3RPinynX/A4y3WHPacuAS58HM09Ck43WcHMxbGpsL
    /gZpICyFYZ2DviM+AHyWGcmw7LJrpC0QHo6+BAFMs4xlUecNgVIFUpfOoAcfsdtG
    K9j4AbuZ47iFisbay+1pyg/7O5eRTdGVQRtc7PBMOjea5jGsfmlDmdn1ZS50ykun
    ANfoQ5UCgYEA9Ak73PRy9nLlRkt4OBCF/4fwThUCMedsnWaVjQBMJYim4FB2ivF5
    cKdWt3y/RZI85KKYu0EXhLEoSIEAfz057R8t3QdVK4tZx6B47UFjBjCYeVMtwHDQ
    prxQiOPHIHCplBNFuGzA5VXL9gQLRD+ek0uOy2GJJ0Wu1xyeouI+SW8CgYEAwgkO
    TOtOogqmcAALjWgeeQiZetflSKbJlpQNhmCPAMm0SFI8eF4SpRXLzd41VC2mLIwT
    L3tjc7/8ocXoElFM4L0fo9Lx/SHFH4JEn5FT0PXPmvsF2JRhsXJFLJSihxF/91Xs
    2aBcQILPFzLcrI6OFUakNwGTU/CIxpkzRvQrG98CgYEAzNVnUuo4CNadzagRK3Xr
    E3Yl5VRK+FpY17FAfA6w25xc/dFr/un61e0Po4no/ltmEz7LVfmn5O/ScTEemq5o
    jbjrBShfe+JGpIH0nqiQlqR5hvSjZXEMIbfVHWGbRYZrQGgA0HEwZA7k2QXB8zI3
    R0lXfSzMM5OQ0uwp12xxfa8CgYBHILq1R6zTicPpWprhg0FobNaWSX4rW7iaEjvC
    /rJtP4Nu33Z7SUDcc1j6ZnJ2ISXBPrfpt/mE/OPHCZ1A2bysxadLjpBWkoKIQmCV
    fdiTyQgJb+t8sSf+vDzPUs0hZjDaogzo2ff3TfxMLMDoIHnFItgfsdwn8QyygIZj
    hC4pUQKBgQDqsxnkI6yXFE5gshnW7H8zqKNlzKd/dZEL6e+lRz4R3UY/KcEkRAfq
    Yi3cwo9fE3U3kSmpl5MQwUjWm/BZ7JyueoY/4ndwaFPgc34IKsgJ0wau9pZiQAB1
    DxpOSF+BR71Jx3sxvIdCODNTtm645j5yrZVnJAuMPofo5XFmunDoJA==
    -----END RSA PRIVATE KEY-----

  workerKeyPub: |-
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC496FSYFcBAKgDtMsBAJiF/6/NxlXKP5UZecyEsedYuTt1GOgJTwaA1qZ1LmHsbfLDE68oDdiM4uvxfI4wtLhz57w3u0jOUxZ2JeF7SVwEf1nVqLn4Gh/f8GUNQGSyIp1zUD5Bx9fq0PAyQ47mt7Ufi84rcf8LKl7nzAIHTcdg2BvTkQN9bUGPaq/Pb1W2bKPAQy4OzXTSIyrAJ89TH2jFeaZfyxQFGbD9jVHH/yl0oiMrDeaRYgccE5II+KY7WoLjsBry/9Qf2ERELKTK4UeIGIqWci9lab1ti+GxFPPiC3krNFjo4jShV4eUs4cNIrjwNrxVaKPXmU6o7Y3Hpayx Concourse

  ## Additonal certs to add to a workers certsPath
  ## Example:
  ## workerAdditionalCerts: |-
  ##   -----BEGIN CERTIFICATE-----
  ##   ....
  ##   -----END CERTIFICATE-----
  ##   -----BEGIN CERTIFICATE-----
  ##   ....
  ##   -----END CERTIFICATE-----
  ##   ....
  #
  workerAdditionalCerts:

  ## Secrets for web interface login
  ##
  clientId:
  clientSecret:

  ## Secrets for tsa login
  ##
  tsaClientId:
  tsaClientSecret:

  ## Secrets for DB access
  ##
  postgresUser:
  postgresPassword:
  postgresCaCert:
  postgresClientCert:
  postgresClientKey:

  ## Secrets for DB encryption
  ##
  encryptionKey:
  oldEncryptionKey:

  ## Secrets for SSM AWS access
  ##
  awsSsmAccessKey:
  awsSsmSecretKey:
  awsSsmSessionToken:

  ## Secrets for Secrets Manager AWS access
  ##
  awsSecretsmanagerAccessKey:
  awsSecretsmanagerSecretKey:
  awsSecretsmanagerSessionToken:

  ## Secrets for using CredHub as a credential manager.
  ##
  ## Value of PEM-encoded CA cert file to use to verify the CredHub server SSL cert.
  ##
  credhubCaCert:

  ## Client ID for CredHub authorization.
  ##
  credhubClientId:

  ## Client secret for CredHub authorization.
  ##
  credhubClientSecret:

  ## Client cert for Credhub authorization
  ##
  credhubClientCert:

  ## Client key for Credhub authorization
  ##
  credhubClientKey:

  ## Secrets for CF OAuth
  ##
  cfClientId:
  cfClientSecret:
  cfCaCert:

  ## Secrets for BitbucketCloud OAuth.
  ##
  bitbucketCloudClientId:
  bitbucketCloudClientSecret:

  ## Secrets for GitHub OAuth.
  ##
  githubClientId:
  githubClientSecret:
  githubCaCert:

  ## Secrets for GitLab OAuth.
  ##
  gitlabClientId:
  gitlabClientSecret:

  ## Secrets for LDAP Auth.
  ##
  ldapCaCert:

  ## Secrets for SAML Auth.
  ##
  samlCaCert:

  ## Secrets for generic OAuth.
  ##
  oauthClientId:
  oauthClientSecret:
  oauthCaCert:

  ## Secrets for oidc OAuth.
  ##
  oidcClientId:
  oidcClientSecret:
  oidcCaCert:

  ## Secrets for Microsoft Auth.
  microsoftClientId:
  microsoftClientSecret:

  ## Secrets for using Hashcorp Vault as a credential manager.
  ##
  ## if the Vault server is using a self-signed certificate, provide the CA public key.
  ## the value will be written to /concourse-vault/ca.cert
  ##
  vaultCaCert:

  ## initial periodic token issued for concourse
  ## Ref: https://www.vaultproject.io/docs/concepts/tokens.html#periodic-tokens
  ##
  vaultClientToken:

  ## vault authentication parameters
  ## Parameter to pass when logging in via the backend
  ## Required for "approle" authenication method
  ## e.g. "role_id:x,secret_id:x"
  ## Ref: https://concourse-ci.org/vault-credential-manager.html#vault-approle-auth
  ##
  vaultAuthParam:

  ## provide the client certificate for authenticating with the [TLS](https://www.vaultproject.io/docs/auth/cert.html) backend
  ## the value will be written to /concourse-vault/client.cert
  ## make sure to also set credentialManager.vault.authBackend to `cert`
  ##
  vaultClientCert:

  ## provide the client key for authenticating with the [TLS](https://www.vaultproject.io/docs/auth/cert.html) backend
  ## the value will be written to /concourse-vault/client.key
  ## make sure to also set credentialManager.vault.authBackend to `cert`
  ##
  vaultClientKey:

  ## If influxdb metrics are enabled and authentication is required,
  ## provide a password here to authenticate with the influxdb server configured.
  ##
  influxdbPassword:

  ## SSL certificate used to verify the Syslog server for draining build logs.
  ##
  syslogCaCert:

  ## Secrets for Conjur credentials manager.
  #
  # Org account.
  conjurAccount:

  # Host username. E.g host/concourse
  conjurAuthnLogin:

  # Api key related to the host.
  conjurAuthnApiKey:

  # Token file used if conjur instance is running in k8s or iam. E.g. /path/to/token_file
  conjurAuthnTokenFile:

  # CA Certificate to specify if conjur instance is deployed with a self-signed cert
  conjurCACert: