# All values in this document are the ENVIRONMENT variable names that can override the defaults
# from `default.yaml`.
#
# Keys whose variable name starts with SECRET_, and every password/token/private-key entry
# below, are credentials: inject them from a secret store at deploy time and keep them out of
# shell history, logs and version control. Entries declared with `__format: json` expect the
# environment variable to hold a JSON-encoded value.
---
auth:
  # The private key used for signing JWT tokens. Keep it secret; anyone holding it can mint
  # tokens this API trusts.
  # Easily generate one by running
  # $ openssl genrsa -out jwt.pem 2048
  # (2048 bits is the example size; do not go smaller)
  jwtPrivateKey: SECRET_JWT_PRIVATE_KEY
  # The public key used for verifying the signature
  # Generate one by running
  # $ openssl rsa -in jwt.pem -pubout -out jwt.pub
  jwtPublicKey: SECRET_JWT_PUBLIC_KEY
  # The public key for the queue service (presumably used to verify JWTs the queue
  # service signs; it is a verification key only, no private material goes here)
  jwtQueueServicePublicKey: SECRET_JWT_QUEUE_SVC_PUBLIC_KEY
  # Environment of the JWTs. For example: 'prod' or 'beta'
  jwtEnvironment: JWT_ENVIRONMENT
  # A password used for encrypting session data.
  # **Needs to be minimum 32 characters**
  # Use a randomly generated value, distinct from encryptionPassword and hashingPassword.
  cookiePassword: SECRET_COOKIE_PASSWORD
  # A password used for encrypting stored pipeline secrets and user OAuth tokens.
  # **Needs to be minimum 32 characters**
  # Use a randomly generated value, distinct from the other two passwords.
  # NOTE(review): rotating this presumably makes already-stored secrets undecryptable —
  # confirm a re-encryption path exists before changing it in place.
  encryptionPassword: SECRET_PASSWORD
  # A password used for hashing user/pipeline access tokens.
  # **Needs to be minimum 32 characters**
  # Use a randomly generated value, distinct from the other two passwords.
  # NOTE(review): rotating this presumably invalidates every previously issued access
  # token — confirm before changing.
  hashingPassword: SECRET_HASHING_PASSWORD
  # A flag to set if the server is running over https.
  # Used as a flag for the OAuth flow
  https: IS_HTTPS
  # A flag to set if you want guests (unauthenticated users) to browse your pipelines
  allowGuestAccess: AUTH_GUEST_ACCESS
  # JSON-encoded lists of principals (presumably SCM usernames — verify against the
  # auth plugin). whitelist/allowList restrict who may log in; admins and sdAdmins
  # grant elevated privileges, so keep them short and reviewed.
  whitelist:
    __name: SECRET_WHITELIST
    __format: json
  allowList:
    __name: SECRET_ALLOW_LIST
    __format: json
  admins:
    __name: SECRET_ADMINS
    __format: json
  sdAdmins:
    __name: SECRET_SD_ADMINS
    __format: json
  authCheckById: AUTH_CHECK_BY_ID
  # Default session timeout (in minutes)
  sessionTimeout: SESSION_TIMEOUT
  # OAuth redirect uri, configure this if your app is not running at root under the host.
  # It must match the redirect URI registered with the OAuth provider exactly.
  oauthRedirectUri: OAUTH_REDIRECT_URI
  # SameSite Cookie Option (cross-site request protection for the session cookie)
  sameSite: COOKIE_SAME_SITE
  # cookie path to access the cookie https://github.com/hapijs/cookie/issues/209
  path: COOKIE_PATH_VALUE

shutdown:
  # Time allowed for in-flight work to finish before the process exits
  terminationGracePeriod: TERMINATION_GRACE_PERIOD

httpd:
  # Port to listen on
  port: PORT
  # Host to listen on (set to 0.0.0.0 to accept all connections — i.e. bind every
  # interface; make sure a load balancer or firewall sits in front when you do)
  host: HOST
  # Externally routable URI (usually your load balancer or CNAME)
  uri: URI
  # TLS configuration (key, cert, etc.) as a JSON object; the private key inside it
  # is a secret.
  # https://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener
  tls:
    __name: HTTPD_TLS
    __format: json

datastore:
  plugin: DATASTORE_PLUGIN
  ddlSyncEnabled: DATASTORE_DDL_SYNC_ENABLED
  sequelize:
    # Type of server to talk to
    dialect: DATASTORE_SEQUELIZE_DIALECT
    # Database name
    database: DATASTORE_SEQUELIZE_DATABASE
    # Username/Password (the password is a secret)
    username: DATASTORE_SEQUELIZE_USERNAME
    password: DATASTORE_SEQUELIZE_PASSWORD
    # Storage location for sqlite
    storage: DATASTORE_SEQUELIZE_STORAGE
    # Network settings
    host: DATASTORE_SEQUELIZE_HOST
    port: DATASTORE_SEQUELIZE_PORT
    # Prefix to the table names
    prefix: DATASTORE_SEQUELIZE_PREFIX
    # Configure SSL/TLS connection settings
    ssl:
      __name: DATASTORE_SEQUELIZE_SSL
      __format: json
    # Connection pool config. See
    # http://docs.sequelizejs.com/class/lib/sequelize.js~Sequelize.html#instance-constructor-constructor
    pool:
      __name: DATASTORE_SEQUELIZE_POOL
      __format: json
    retry:
      __name: DATASTORE_SEQUELIZE_RETRY
      __format: json
    # An object of additional options, which are passed directly to the connection library
    # In order to configure SSL/TLS connection settings, use this option and 'caCert' option
    # https://sequelize.org/docs/v6/other-topics/dialect-specific-things/
    dialectOptions:
      __name: DATASTORE_DIALECT_OPTIONS
      __format: json
    # A file path of ca or a raw certificate string. Pinning the CA here is what lets
    # the client verify the database server's certificate.
    caCert: DATASTORE_CA_CERT
    buildMetricsEnabled: DATASTORE_SEQUELIZE_CAPTURE_METRICS_ENABLED
    # Optional read-only (replica) connection, as a JSON object
    readOnly:
      __name: DATASTORE_SEQUELIZE_RO
      __format: json
      # dialect: sequelize
      # database:
      # username:
      # password:
      # host:
      # port:
      # More arguments here:
      # http://docs.sequelizejs.com/en/latest/api/sequelize/

executor:
  plugin: EXECUTOR_PLUGIN
  # The NPM module object(s) for the executor plugin(s)
  k8s:
    enabled: EXECUTOR_K8S_ENABLED
    options:
      kubernetes:
        # The host or IP of the kubernetes cluster
        host: K8S_HOST
        # The jwt token used for authenticating kubernetes requests. Treat as a secret;
        # it should belong to a service account scoped to jobsNamespace rather than a
        # cluster-admin identity.
        token: K8S_TOKEN
        jobsNamespace: K8S_JOBS_NAMESPACE
        # Resources for build pod
        resources:
          # Number of cpu cores
          cpu:
            micro: K8S_CPU_MICRO
            low: K8S_CPU_LOW
            high: K8S_CPU_HIGH
          # Memory in GB
          memory:
            micro: K8S_MEMORY_MICRO
            low: K8S_MEMORY_LOW
            high: K8S_MEMORY_HIGH
        # Default build timeout for all builds in this cluster
        buildTimeout: K8S_BUILD_TIMEOUT
        # Default max build timeout
        maxBuildTimeout: K8S_MAX_BUILD_TIMEOUT
        # k8s node selectors for build pod scheduling.
        # Value is Object of format { label: 'value' } See
        # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#step-one-attach-label-to-the-node
        # Eg: { dedicated: 'screwdriver' } to schedule pods on nodes having
        # label-value of dedicated=screwdriver
        nodeSelectors:
          __name: K8S_NODE_SELECTORS
          __format: json
        # k8s preferred node selectors for build pod scheduling
        # See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature
        preferredNodeSelectors:
          __name: K8S_PREFERRED_NODE_SELECTORS
          __format: json
        # support for kata-containers-as-a-runtimeclass (a stronger sandbox than a
        # plain container for running untrusted build steps)
        runtimeClass: K8S_RUNTIME_CLASS
      # Launcher container tag to use
      launchVersion: LAUNCH_VERSION
      # Launcher image to use
      launchImage: LAUNCH_IMAGE
      # Prefix to the pod
      prefix: EXECUTOR_PREFIX
  nomad:
    enabled: EXECUTOR_NOMAD_ENABLED
    options:
      nomad:
        # The host or IP of the nomad cluster
        host: NOMAD_HOST
        # Resources for build pod
        resources:
          # Number of cpu cores
          cpu:
            high: NOMAD_CPU
          # Memory in GB
          memory:
            high: NOMAD_MEMORY
      # Launcher container tag to use
      launchVersion: LAUNCH_VERSION
      # Prefix to the pod
      prefix: EXECUTOR_PREFIX
  docker:
    enabled: EXECUTOR_DOCKER_ENABLED
    options:
      # Configuration of Docker (JSON object passed to the Docker client; if it points at
      # a remote daemon, any credentials/TLS material in it are secrets)
      docker:
        __name: EXECUTOR_DOCKER_DOCKER
        __format: json
      # Launcher container tag to use
      launchVersion: LAUNCH_VERSION
      # Prefix to the container
      prefix: EXECUTOR_PREFIX
  k8s-vm:
    enabled: EXECUTOR_K8SVM_ENABLED
    options:
      # Configuration of Kubernetes (same connection settings as the k8s executor above)
      kubernetes:
        # The host or IP of the kubernetes cluster
        host: K8S_HOST
        # The jwt token used for authenticating kubernetes requests (secret; see the
        # note on the k8s executor above)
        token: K8S_TOKEN
        jobsNamespace: K8S_JOBS_NAMESPACE
        baseImage: K8S_BASE_IMAGE
        # Resources for build pod
        resources:
          # Number of cpu cores
          cpu:
            micro: K8S_CPU_MICRO
            low: K8S_CPU_LOW
            high: K8S_CPU_HIGH
          # Memory in GB
          memory:
            micro: K8S_MEMORY_MICRO
            low: K8S_MEMORY_LOW
            high: K8S_MEMORY_HIGH
        # Default build timeout for all builds in this cluster
        buildTimeout: K8S_VM_BUILD_TIMEOUT
        # Default max build timeout
        maxBuildTimeout: K8S_VM_MAX_BUILD_TIMEOUT
        # k8s node selectors for build pod scheduling.
        # Value is Object of format { label: 'value' } See
        # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#step-one-attach-label-to-the-node
        # Eg: { dedicated: 'screwdriver' } to schedule pods on nodes having
        # label-value of dedicated=screwdriver
        nodeSelectors:
          __name: K8S_VM_NODE_SELECTORS
          __format: json
        # k8s preferred node selectors for build pod scheduling
        # See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity-beta-feature
        preferredNodeSelectors:
          __name: K8S_VM_PREFERRED_NODE_SELECTORS
          __format: json
      # Launcher image to use
      launchImage: LAUNCH_IMAGE
      # Launcher container tag to use
      launchVersion: LAUNCH_VERSION
      # Prefix to the container
      prefix: EXECUTOR_PREFIX
  jenkins:
    enabled: EXECUTOR_JENKINS_ENABLED
    options:
      jenkins:
        host: EXECUTOR_JENKINS_HOST
        port: EXECUTOR_JENKINS_PORT
        username: EXECUTOR_JENKINS_USERNAME
        # Jenkins password/token used for authenticating jenkins requests (secret;
        # prefer an API token over the account password)
        password: EXECUTOR_JENKINS_PASSWORD
        # Node labels of Jenkins agents that may run builds
        nodeLabel: EXECUTOR_JENKINS_NODE_LABEL
        # Default build timeout
        buildTimeout: EXECUTOR_JENKINS_BUILD_TIMEOUT
        # Default max build timeout
        maxBuildTimeout: EXECUTOR_JENKINS_MAX_BUILD_TIMEOUT
      docker:
        # The path to the docker-compose command
        composeCommand: EXECUTOR_JENKINS_DOCKER_COMPOSE_COMMAND
        # Prefix to the container
        prefix: EXECUTOR_JENKINS_DOCKER_PREFIX
        # Launcher container tag to use
        launchVersion: EXECUTOR_JENKINS_LAUNCH_VERSION
        # Memory limit (docker run `--memory` option)
        memory: EXECUTOR_JENKINS_DOCKER_MEMORY
        # Memory limit including swap (docker run `--memory-swap` option)
        memoryLimit: EXECUTOR_JENKINS_DOCKER_MEMORY_LIMIT
      # The command to start a build. These scripts run on the Jenkins agent, so only
      # operators should be able to set them.
      buildScript: EXECUTOR_JENKINS_BUILD_SCRIPT
      # The command to clean up the build system
      cleanupScript: EXECUTOR_JENKINS_CLEANUP_SCRIPT
      # Time (seconds) to destroy the job
      cleanupTimeLimit: EXECUTOR_JENKINS_CLEANUP_TIME_LIMIT
      # Interval to detect the stopped job (seconds)
      cleanupWatchInterval: EXECUTOR_JENKINS_CLEANUP_WATCH_INTERVAL
  queue:
    enabled: EXECUTOR_QUEUE_ENABLED
    options:
      # redis or redisCluster(beta)
      connectionType: QUEUE_REDIS_TYPE
      # Configuration of the redis instance containing resque
      redisConnection:
        host: QUEUE_REDIS_HOST
        port: QUEUE_REDIS_PORT
        options:
          # Secret. With tls disabled it crosses the network in cleartext, so enable
          # tls for any Redis that is not on a trusted private network.
          password: QUEUE_REDIS_PASSWORD
          tls: QUEUE_REDIS_TLS_ENABLED
        database: QUEUE_REDIS_DATABASE
      redisClusterConnection:
        hosts:
          __name: QUEUE_REDIS_CLUSTER_HOSTS
          __format: json
        options:
          # Same password/tls caveat as redisConnection above
          password: QUEUE_REDIS_PASSWORD
          tls: QUEUE_REDIS_TLS_ENABLED
        slotsRefreshTimeout: QUEUE_REDIS_CLUSTER_SLOTS_REFRESH_TIMEOUT

queueWebhook:
  # Enable processing of events from the webhook queue or not
  enabled: QUEUE_WEBHOOK_ENABLED

# SCM configuration as a JSON object. The examples below show the shape; the
# oauthClientSecret, commentUserToken and webhook secret entries are credentials.
scms:
  __name: SCM_SETTINGS
  __format: json
  # github:
  #   plugin: github
  #   config:
  #     # The client id used for OAuth with github. Look up GitHub OAuth for details
  #     # https://developer.github.com/v3/oauth/
  #     oauthClientId: SECRET_OAUTH_CLIENT_ID
  #     # The client secret used for OAuth with github
  #     oauthClientSecret: SECRET_OAUTH_CLIENT_SECRET
  #     # You can also configure for use with GitHub enterprise
  #     gheHost: SCM_GITHUB_GHE_HOST
  #     # The username and email used for checkout with github
  #     username: SCM_USERNAME
  #     email: SCM_EMAIL
  #     # Token for writing PR comments in Github, needs public_repo scope
  #     # (grant no more scopes than that)
  #     commentUserToken: A_BOT_GITHUB_PERSONAL_ACCESS_TOKEN
  #     # Secret to add to GitHub webhooks so that we can validate them.
  #     # Without it, incoming webhook payloads cannot be authenticated.
  #     secret: WEBHOOK_GITHUB_SECRET
  #     # Whether it supports private repo: boolean value.
  #     # If true, it will ask for read and write access to public and private repos
  #     # https://developer.github.com/v3/oauth/#scopes
  #     privateRepo: SCM_PRIVATE_REPO_SUPPORT
  # bitbucket:
  #   plugin: bitbucket
  #   config:
  #     # The client id used for OAuth with bitbucket. Look up Bitbucket OAuth for details
  #     # https://confluence.atlassian.com/bitbucket/oauth-on-bitbucket-cloud-238027431.html
  #     oauthClientId: SECRET_OAUTH_CLIENT_ID
  #     # The client secret used for OAuth with bitbucket
  #     oauthClientSecret: SECRET_OAUTH_CLIENT_SECRET
  #     # The username and email used for checkout with bitbucket
  #     username: SCM_USERNAME
  #     email: SCM_EMAIL
  # gitlab:
  #   plugin: gitlab
  #   config:
  #     # The client id used for OAuth with gitlab. Look up Gitlab OAuth for details
  #     # https://docs.gitlab.com/ee/integration/oauth_provider.html
  #     oauthClientId: SECRET_OAUTH_CLIENT_ID
  #     # The client secret used for OAuth with gitlab
  #     oauthClientSecret: SECRET_OAUTH_CLIENT_SECRET
  #     # The username and email used for checkout with gitlab
  #     username: SCM_USERNAME
  #     email: SCM_EMAIL
  #     # if you have on-premise gitlab, you can specify that here
  #     gitlabHost: SCM_GITLAB_HOST
  #     gitlabProtocol: SCM_GITLAB_PROTOCOL
  #     # readOnly scm config, default false
  #     readOnly:
  #       # set true to enable read-only scm mode
  #       enabled: SCM_GITLAB_RO_ENABLED
  #       # headless username
  #       username: SCM_GITLAB_RO_USERNAME
  #       # headless access token (secret)
  #       accessToken: SCM_GITLAB_RO_TOKEN
  #       # SCM clone type (https or ssh)
  #       cloneType: SCM_GITLAB_RO_CLONE_TYPE

webhooks:
  scms:
    # Object keyed by scm name with value webhook settings.
    # Value of webhook settings is an object with the following properties:
    # Example:
    # {
    #   "github": {
    #     # Obtains the SCM token for a given user. If a user does not have a valid SCM
    #     # token registered with Screwdriver, it will use this user's token instead.
    #     "username": "sd-buildbot",
    #     # Ignore commits made by these users
    #     "ignoreCommitsBy": [],
    #     # Restrict PR: all, none, branch, or fork
    #     # NOTE(review): "none" presumably means no restriction on which PRs may trigger
    #     # builds; for public repositories consider a stricter value — confirm semantics.
    #     "restrictPR": "none",
    #     # Chain PR: true or false
    #     "chainPR": false
    #   },
    #   "github.example.com": {
    #     "username": "someuser",
    #     "ignoreCommitsBy": ["someuser", "anotheruser"],
    #     "restrictPR": "branch",
    #     "chainPR": true
    #   }
    # }
    __name: WEBHOOK_SETTINGS
    __format: json
  # Maximum accepted webhook payload size; bounds memory spent on unauthenticated input
  maxBytes: WEBHOOK_MAX_BYTES

bookends:
  # Object keyed by cluster name with value setup/teardown bookend.
  # Value of setup/teardown is list of module names, or objects { name, config } for
  # instantiation to use in sd-setup/sd-teardown. Module names are loaded as code, so
  # only operators should control this value.
  # Example:
  # {
  #   "default": {
  #     "setup": ["scm", "screwdriver-cache-bookend", "foo"],
  #     "teardown": ["screwdriver-artifact-bookend", "screwdriver-cache-bookend"]
  #   },
  #   "clusterA": {
  #     "setup": ["scm", "screwdriver-cache-bookend", "foo", "bar"],
  #     "teardown": ["screwdriver-cache-bookend", {"name": "baz", "config": {}, "alias": "qux"}]
  #   }
  # }
  __name: BOOKENDS
  __format: json

# Notification plugin settings as a JSON object (may contain service credentials)
notifications:
  __name: NOTIFICATIONS
  __format: json

coverage:
  plugin: COVERAGE_PLUGIN
  default: COVERAGE_PLUGIN_DEFAULT_ENABLED
  sonar:
    # Screwdriver API url
    sdApiUrl: URI
    # Sonar host url
    sonarHost: COVERAGE_SONAR_HOST
    # Sonar admin token (secret)
    adminToken: COVERAGE_SONAR_ADMIN_TOKEN
    # Screwdriver UI url
    sdUiUrl: ECOSYSTEM_UI
    # Enterprise edition (true) or open source edition (false)
    sonarEnterprise: COVERAGE_SONAR_ENTERPRISE
    # Github app name for Sonar PR decoration (default to 'Screwdriver Sonar PR Checks')
    # https://docs.sonarqube.org/latest/analysis/pr-decoration/
    sonarGitAppName: COVERAGE_SONAR_GIT_APP_NAME

multiBuildCluster:
  # Enable the multi build cluster feature or not
  enabled: MULTI_BUILD_CLUSTER_ENABLED

unzipArtifacts:
  # Enable the unzip artifacts feature or not
  enabled: UNZIP_ARTIFACTS_ENABLED

ecosystem:
  # URL for the User Interface
  ui: ECOSYSTEM_UI
  # Externally routable URL for the Artifact Store
  store: ECOSYSTEM_STORE
  # Externally routable URL for the Queue Service
  queue: ECOSYSTEM_QUEUE
  # Badge service (needs to add a status and color)
  badges: ECOSYSTEM_BADGES
  # Default registry to pull build containers from
  dockerRegistry: ECOSYSTEM_DOCKER_REGISTRY
  # Array of extra origins allowed to do CORS to API. List exact origins; a
  # wildcard would let any site make credentialed calls on behalf of logged-in users.
  allowCors:
    __name: ECOSYSTEM_ALLOW_CORS
    __format: json
  # build cache strategies: s3, disk, with s3 as default option to store cache
  cache:
    strategy: CACHE_STRATEGY
    path: CACHE_PATH
    compress: CACHE_COMPRESS
    # Verify cached content against its md5 before use
    md5check: CACHE_MD5CHECK
    max_size_mb: CACHE_MAX_SIZE_MB
    max_go_threads: CACHE_MAX_GO_THREADS

redisLock:
  # set true to enable redis lock
  enabled: REDLOCK_ENABLED
  options:
    # maximum retry limit to obtain lock
    retryCount: REDLOCK_RETRY_COUNT
    # the expected clock drift
    driftFactor: REDLOCK_DRIFT_FACTOR
    # the time in milliseconds between retry attempts
    retryDelay: REDLOCK_RETRY_DELAY
    # the maximum time in milliseconds randomly added to retries
    retryJitter: REDLOCK_RETRY_JITTER
    # the maximum time in milliseconds living of a key that has a timeout
    ttl: REDLOCK_TTL
    # redis or redisCluster(beta)
    connectionType: REDLOCK_REDIS_TYPE
    # Configuration of the redis instance
    redisConnection:
      host: REDLOCK_REDIS_HOST
      port: REDLOCK_REDIS_PORT
      options:
        # Secret; enable tls unless Redis is on a trusted private network
        password: REDLOCK_REDIS_PASSWORD
        tls: REDLOCK_REDIS_TLS_ENABLED
      database: REDLOCK_REDIS_DATABASE
    redisClusterConnection:
      hosts:
        __name: REDLOCK_REDIS_CLUSTER_HOSTS
        __format: json
      options:
        # Same password/tls caveat as redisConnection above
        password: REDLOCK_REDIS_PASSWORD
        tls: REDLOCK_REDIS_TLS_ENABLED
      slotsRefreshTimeout: REDLOCK_REDIS_CLUSTER_SLOTS_REFRESH_TIMEOUT

# environment release information
release:
  __name: RELEASE_ENVIRONMENT_VARIABLES
  __format: json

# Logging preferences
log:
  audit:
    # set true to enable audit logs for all API calls
    enabled: LOG_AUDIT_ENABLED
    # add target scope tokens(pipeline, build, temporal, admin, guest, user)
    scope:
      __name: LOG_AUDIT_SCOPE
      __format: json
  payload:
    # set true to enable payload logs for all API calls over 5s
    # NOTE(review): payload logs can capture request bodies; check what is redacted
    # before enabling this where logs are broadly readable.
    enabled: LOG_PAYLOAD_ENABLED

build:
  # Cluster-wide environment variables injected into builds (JSON object). Anything
  # placed here is visible to every build, so do not put secrets in it.
  environment:
    __name: CLUSTER_ENVIRONMENT_VARIABLES
    __format: json
  artifacts:
    # max artifact download size (in GB)
    maxDownloadSize: MAX_DOWNLOAD_SIZE

# API rate limiting settings (JSON object)
rateLimit:
  __name: RATE_LIMIT_VARIABLES
  __format: json