@calebwashburn
Last active February 1, 2018 15:20
Concourse with UAA integration
---
# BOSH deployment manifest: Concourse CI with UAA as the login server and
# CredHub as the pipeline credential store. Every ((...)) value is a BOSH
# variable, either generated from the `variables` section at the bottom or
# supplied by the operator at deploy time.
name: concourse
# NOTE(review): no `version:` (or sha1/url) is pinned on any release, so the
# director resolves each one to whatever happens to be uploaded. Pin versions
# for reproducible, reviewable upgrades.
releases:
- name: concourse
- name: garden-runc
- name: postgres
- name: uaa
- name: credhub
stemcells:
- alias: default
  # NOTE(review): ubuntu-trusty stemcells are no longer maintained; move to a
  # supported stemcell line as soon as the releases above allow it.
  os: ubuntu-trusty
  version: ((stemcell-version))
instance_groups:
# Single shared PostgreSQL VM holding the atc, credhub and uaa databases.
# One role and one password variable per consumer, so a leaked database
# credential only exposes that consumer's database.
- name: db
  instances: 1
  persistent_disk_type: ((db_persistent_disk_type))
  vm_type: ((db_vm_type))
  stemcell: default
  azs: [z1]
  networks:
  - name: concourse
    static_ips: [((db_ip))]
  jobs:
  - release: postgres
    name: postgres
    properties:
      databases:
        # NOTE(review): no TLS configuration appears on this job, and the
        # clients in the web group connect with `sslmode: disable` /
        # `require_tls: false`, so database passwords and contents travel in
        # clear text on the `concourse` network. Acceptable only if that
        # network is isolated; otherwise enable TLS on both sides.
        port: 5432
        databases:
        - name: atc
        - name: credhub
        - name: uaa
        roles:
        - name: atc
          password: ((atc-db-password))
        - name: credhub
          password: ((credhub-db-password))
        - name: uaa
          password: ((uaa-db-password))
# Web tier: ATC (API/UI), TSA (worker registration), UAA and CredHub all
# co-located. One TLS bundle, ((concourse-tls)), is reused by every service
# on this VM: ATC TLS key, UAA HTTPS key, UAA SAML service-provider signing
# key and CredHub TLS. Compromise of that one private key therefore affects
# all four; at minimum consider a separate SAML signing key.
- name: web
  instances: ((web_instances))
  vm_type: ((web_vm_type))
  stemcell: default
  azs: [z1]
  networks:
  - name: concourse
    static_ips: ((atc_ips))
  jobs:
  - release: concourse
    name: atc
    properties:
      external_url: https://((concourse_host)):443
      # Local basic-auth admin for the main team, independent of UAA login.
      # NOTE(review): this is a second, password-only path to team admin;
      # keep ((main-team-password)) rotated or drop basic auth once UAA
      # login is confirmed working.
      basic_auth_username: admin
      basic_auth_password: ((main-team-password))
      tls_cert: ((concourse-tls.certificate))
      tls_key: ((concourse-tls.private_key))
      tls_bind_port: 443
      postgresql:
        host: ((db_ip))
        database: atc
        # NOTE(review): cleartext connection to the db VM (see the db group);
        # the atc role password is sent unencrypted on every connect.
        sslmode: disable
        role:
          name: atc
          password: ((atc-db-password))
      credhub:
        url: https://((concourse_internal_host)):8844
        tls:
          ca_cert: ((concourse-tls.ca))
          # hardcoded to side-step defect, should be able to make "false"
          # NOTE(review): while this is true the ca_cert above is not
          # enforced, so anyone who can interpose between ATC and CredHub
          # can capture ((concourse_to_credhub_secret)) and every pipeline
          # credential the ATC fetches. Presumably the mismatch is that the
          # URL host (concourse_internal_host) is not on the certificate;
          # adding it as a SAN would let this be false — confirm and revisit.
          insecure_skip_verify: true
        client_id: concourse_to_credhub
        client_secret: ((concourse_to_credhub_secret))
      # Shared with the tsa job below so worker tokens verify on both sides.
      token_signing_key: ((token_signing_key))
  - release: concourse
    name: tsa
    properties:
      host_key: ((tsa_host_key))
      token_signing_key: ((token_signing_key))
      # Only workers holding the matching ((worker_key)) private half may
      # register; every worker in this deployment shares that one key.
      authorized_keys: [((worker_key.public_key))]
  - name: uaa
    release: uaa
    properties:
      uaa:
        ldap:
          enabled: true
          profile_type: search-and-bind
          searchBase: ((user_search_base))
          searchFilter: uid={0}
          ssl:
            # NOTE(review): the LDAP server's certificate is not verified,
            # so the bind credentials ((ldap_user_dn))/((ldap_password)) —
            # and every user password UAA relays — can be captured by a
            # spoofed ldaps endpoint. Set to false once the LDAP CA is
            # trusted by UAA; an `ldaps://` URL alone does not protect this.
            skipverification: true
          url: ldaps://((ldap_server))
          userDN: ((ldap_user_dn))
          userPassword: ((ldap_password))
          groups:
            # LDAP group membership becomes UAA scopes; this mapping is the
            # access-control layer for the credhub_cli client below.
            groupSearchFilter: member={0}
            profile_type: groups-map-to-scopes
            searchBase: ((group_search_base))
        # Anchored so CredHub below validates tokens against the same issuer.
        url: &uaa-url "https://((concourse_host)):8443"
        # port: -1 is presumably meant to disable the plain-HTTP listener so
        # only the TLS port (8443 in the URL above) is reachable — confirm
        # against the uaa-release job spec.
        port: -1
        scim:
          users:
          # Seeded local UAA administrator; can manage all users and groups.
          - name: admin
            password: ((uaa-users-admin))
            groups:
            - scim.write
            - scim.read
        clients:
          # Public client for the credhub CLI (no client secret): each
          # operator authenticates with their own UAA/LDAP credentials, and
          # the scopes actually granted are bounded by what the user holds.
          credhub_cli:
            override: true
            authorized-grant-types: password,refresh_token
            scope: credhub.read,credhub.write
            authorities: ""
            access-token-validity: 1200
            refresh-token-validity: 3600
            secret: ""
          # Machine client the ATC uses to fetch pipeline credentials.
          # NOTE(review): it is granted credhub.write, but the ATC only looks
          # credentials up; if that holds for this Concourse version, drop
          # credhub.write here (least privilege). The 30 s token lifetime is
          # a good choice for a client_credentials caller.
          concourse_to_credhub:
            override: true
            authorized-grant-types: client_credentials
            scope: ""
            authorities: credhub.read,credhub.write
            access-token-validity: 30
            refresh-token-validity: 3600
            secret: ((concourse_to_credhub_secret))
          # OAuth client for browser login to Concourse.
          concourse:
            id: concourse
            secret: ((concourse_client_secret))
            # NOTE(review): "*" lets this client request any scope the user
            # has; restrict it to the scopes Concourse actually needs for
            # login and team mapping.
            scope: "*"
            authorized-grant-types: "authorization_code,refresh_token"
            access-token-validity: 3600
            refresh-token-validity: 3600
            redirect-uri: https://((concourse_host)):443/auth/oauth/callback
        admin: {client_secret: ((uaa-admin))}
        login: {client_secret: ((uaa-login))}
        zones: {internal: {hostnames: []}}
        sslCertificate: ((concourse-tls.certificate))
        sslPrivateKey: ((concourse-tls.private_key))
        jwt:
          revocable: true
          policy:
            active_key_id: key-1
            keys:
              key-1:
                # Private half of ((uaa-jwt)); CredHub below verifies tokens
                # with the matching public half.
                signingKey: ((uaa-jwt.private_key))
      uaadb:
        address: ((db_ip))
        port: 5432
        db_scheme: postgresql
        databases:
        - tag: uaa
          name: uaa
        roles:
        - tag: admin
          name: uaa
          password: ((uaa-db-password))
      login:
        saml:
          # Reuses the TLS key pair as the SAML SP signing key (see note at
          # the top of this instance group).
          serviceProviderCertificate: ((concourse-tls.certificate))
          serviceProviderKey: ((concourse-tls.private_key))
          serviceProviderKeyPassword: ""
  - name: credhub
    release: credhub
    properties:
      credhub:
        port: 8844
        authentication:
          uaa:
            url: *uaa-url
            # Must match the active UAA signing key (key-1 above).
            verification_key: ((uaa-jwt.public_key))
            ca_certs:
            - ((concourse-tls.ca))
        data_storage:
          type: postgres
          host: ((db_ip))
          port: 5432
          username: credhub
          password: ((credhub-db-password))
          database: credhub
          # NOTE(review): cleartext database connection; the stored secrets
          # are encrypted at rest with the key below, but the db password
          # itself crosses the network unprotected.
          require_tls: false
        tls: ((concourse-tls))
        log_level: info
        encryption:
          keys:
          # ((credhub-encryption-password)) is the root of trust for every
          # secret CredHub stores: back it up separately from the database,
          # and rotate it only via CredHub's key-rotation procedure.
          - provider_name: int
            encryption_password: ((credhub-encryption-password))
            active: true
          providers:
          - name: int
            type: internal
# Worker tier: groundcrew registers with the TSA, baggageclaim manages
# volumes, garden runs the build containers.
- name: worker
  instances: ((worker_instances))
  vm_type: ((worker_vm_type))
  stemcell: default
  azs: [z1]
  networks:
  - name: concourse
  jobs:
  - release: concourse
    name: groundcrew
    consumes: {baggageclaim: {from: worker-baggageclaim}}
    properties:
      drain_timeout: 10m
      # Presumably the private half of ((worker_key)), whose public half is
      # listed in tsa.authorized_keys on the web group.
      tsa: {worker_key: ((worker_key))}
  - release: concourse
    name: baggageclaim
    # NOTE(review): debug logging on a volume server can be verbose; the
    # other jobs in this manifest run at info.
    properties: {log_level: debug}
    provides: {baggageclaim: {as: worker-baggageclaim}}
  - release: garden-runc
    name: garden
    properties:
      garden:
        # NOTE(review): the Garden API is exposed on all interfaces and no
        # authentication settings are configured here, so anything that can
        # reach port 7777 on a worker can create and exec into containers.
        # Restrict 7777 to the web group with security groups / firewalling.
        listen_network: tcp
        listen_address: 0.0.0.0:7777
# Rolling-update policy. serial: false lets instance groups update in
# parallel; one canary per group is still deployed first.
update:
  canaries: 1
  canary_watch_time: 30000-1200000
  max_in_flight: 5
  serial: false
  update_watch_time: 5000-1200000
# Credentials generated by the director on first deploy.
# NOTE(review): ((concourse-tls)) — used as .ca/.certificate/.private_key
# throughout — is not declared here, so it must be supplied externally
# (e.g. from the director's CredHub). If it is meant to be generated, add a
# `type: certificate` variable whose SANs cover both ((concourse_host)) and
# ((concourse_internal_host)).
variables:
- name: atc-db-password
  type: password
- name: credhub-encryption-password
  type: password
  options:
    length: 40
- name: credhub-db-password
  type: password
- name: uaa-jwt
  type: rsa
  options:
    key_length: 4096
- name: uaa-users-admin
  type: password
- name: uaa-admin
  type: password
- name: uaa-login
  type: password
# NOTE(review): not referenced anywhere in this manifest.
- name: uaa-credhub-admin
  type: password
# NOTE(review): not referenced anywhere in this manifest.
- name: uaa-db-admin
  type: password
- name: uaa-db-password
  type: password
- name: concourse_to_credhub_secret
  type: password
# NOTE(review): not referenced anywhere in this manifest; the credhub_cli
# client is configured with an empty secret.
- name: credhub_cli_password
  type: password
- name: concourse_client_secret
  type: password
- name: main-team-password
  type: password
- name: tsa_host_key
  type: ssh
- name: worker_key
  type: ssh
- name: token_signing_key
  type: rsa