forked from zendesk/samson
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path.env.example
186 lines (151 loc) · 8.71 KB
/
.env.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
PLUGINS=all
DEFAULT_URL=http://localhost:3000
SECRET_TOKEN={bundle exec rake secret}
RAILS_MIN_THREADS=5
RAILS_MAX_THREADS=10
# Required token to fetch commit diff / PR status / create tags etc
GITHUB_TOKEN=
# EMAIL_DOMAIN= # optional, set to company.com to limit login only for people at Company
# DEPLOY_TIMEOUT=3600 # optional, deploy timeout in seconds, defaults to 2 hours
## Auth with Github (optional)
# AUTH_GITHUB=true
# GITHUB_CLIENT_ID=
# GITHUB_SECRET=
# GITHUB_ORGANIZATION= # optional, users need to be member of this organization to sign up eg. 'zendesk'
# GITHUB_ADMIN_TEAM= # optional, users in this team are made into admins eg. owners
# GITHUB_DEPLOY_TEAM= # optional, users in this team are made into deployers eg. developers
# GITHUB_WEB_URL= # optional, replaces https://github.com
# GITHUB_API_URL= # optional, replaces https://api.github.com
# GITHUB_STATUS_URL= # optional, replaces https://status.github.com
## Auth with Google (optional)
# AUTH_GOOGLE=true
# GOOGLE_CLIENT_ID=
# GOOGLE_CLIENT_SECRET=
## Auth with LDAP (optional)
# AUTH_LDAP=true
# LDAP_TITLE= # eg. My LDAP Server}
# LDAP_HOST=192.168.25.188
# LDAP_PORT=389
# LDAP_BASE='dc=domain,dc=com'
# LDAP_UID=uid
# LDAP_BINDDN=userldap
# LDAP_PASSWORD=myldapsecret
## Auth with Gitlab (optional)
# AUTH_GITLAB=true
# GITLAB_APPLICATION_ID=
# GITLAB_SECRET=
# GITLAB_URL= # optional, replaces https://gitlab.com
## Auth with Bitbucket (optional)
# AUTH_BITBUCKET=true
# BITBUCKET_KEY=
# BITBUCKET_SECRET=
## SMTP settings
# SMTP_URL='smtp://localhost'
# SMTP_USER=
# SMTP_PASSWORD=
## Periodical tasks (cron substitute, see lib/samson/periodical.rb)
# stop_expired_deploys:60
# remove_expired_locks:10
# renew_vault_token:86400
# report_system_stats:60
# periodical_deploy:86400
PERIODICAL=stop_expired_deploys:60,remove_expired_locks:60,report_system_stats:60,periodical_deploy:86400
## Buddy Check feature: deploys to production require a buddy
# BUDDY_CHECK_FEATURE=1 # optional, enable
# BUDDY_CHECK_TIME_LIMIT=20 # optional, max minutes a deploy is pending
# BYPASS_EMAIL= # optional, email destinations that are alerted about buddy_check bypasses, comma separated
# BYPASS_DETAILS= # optional 'Some text explaining bypass procedure'
## StatsD reporting
# STATSD_HOST=192.168.1.1
# STATSD_PORT=8125
# PROJECT_CREATED_NOTIFY_ADDRESS=bobby-the-security-auditor@yourcompany.com
# PROJECT_DELETED_NOTIFY_ADDRESS=bobby-the-security-auditor@yourcompany.com # if not set uses PROJECT_CREATED_NOTIFY_ADDRESS
# DEPLOY_GROUP_FEATURE=1 # optional, enable Environments and DeployGroups
# GITHUB_HOOK_SECRET=abcdef # optional, verify github hooks are signed with webhook secret
# AIRBRAKE_API_KEY= # optional, report errors to airbrake
# FORCE_SSL=1 # optional, to require SSL
# SESSION_EXPIRATION=3600 # optional, after how much time (seconds) to expire sessions, default: 1 month
# ENV_WHITELIST=FOOBAR,BARFOO # optional, list of env values that should be passed to the command when deploying
# MAX_CONCURRENT_JOBS=0 # optional, max number of concurrent jobs Samson will run. default: 0 (unlimited)
# HELP_LINK="<a href='https://foobar.slack.com/messages/samson'>#samson</a>" # link to show in UI and error pages
## NewRelic: optional report performance stats see https://docs.newrelic.com/docs/agents/ruby-agent/configuration/ruby-agent-configuration
# NEW_RELIC_LICENSE_KEY: my-key
# NEW_RELIC_APP_NAME: Samson
# NEW_RELIC_LOG_FILE_PATH: STDOUT
## Memcache: configure servers or we use localhost
# MEMCACHIER_SERVERS=a:123,b:234
# MEMCACHIER_USERNAME=username
# MEMCACHIER_PASSWORD=password
## Docker
# DOCKER_FEATURE=1 # optional, docker support
# DOCKER_REGISTRIES=https://user:[email protected]/some-namespace # required, where to push/pull your docker images
# DOCKER_HOST= # e.g. tcp://my-docker-registry.example.com:2375
# DOCKER_KEEP_BUILT_IMGS # optional. Set to 1 to keep built images for cache. Fills the disk so some cleanup machanism is needed
# DOCKER_READ_TIMEOUT=600 # optional. How long to wait on docker reads.
# EXTERNAL_BUILD_WAIT=60 # how long to wait for external builds to arrive when deploying (checking every 5s)
# FLOWDOCK_API_TOKEN= # optional. only required for the flowdock integration user mention autocomplete in the buddy approval request form (when BUDDY_CHECK_FEATURE=1). Buddy approval notification would still work without this
## Slack
# SLACK_API_TOKEN= # optional. only required for the slack integration user mention autocomplete in the buddy approval request form (when BUDDY_CHECK_FEATURE=1). Buddy approval notification would still work without this
# SLACK_CLIENT_ID= # optional, see plugins/slack_app/README.md
# SLACK_CLIENT_SECRET= # optional, see plugins/slack_app/README.md
# SLACK_VERIFICATION_TOKEN= # optional, see plugins/slack_app/README.md
# SLACK_GLOBAL_BUDDY_REQUEST="<webhook_url>#<channel>" # send notifications for all buddy requests to this channel
## Export job cleanup
## EXPORT_JOB_DOWNLOADED_AGE determines how long a csv export job and file should
## persist after it is downloaded before cleanup, default is 12 hours.
##
## EXPORT_JOB_MAX_AGE determines how long a csv export job and file should persist
## from it's creation date, default is 1 day.
# EXPORT_JOB_DOWNLOADED_AGE=43200 # optional
# EXPORT_JOB_MAX_AGE=86400 # optional
## JIRA_BASE_URL, if set, would enable the auto-detection of JIRA issue keys
## (e.g., KEY-123, SAMSON-456) in the titles and bodies of the pull requests
## associated with a deploy. The auto-detected JIRA issues will be displayed
## and linked (by prepending JIRA_BASE_URL) in the "JIRA Issues" tab of a deploy
##
## Full absolute JIRA URLs will still be detected, and they will take precedence
## over generated ones (i.e., if JIRA_BASE_URL is https://a.atlassian.net/browse/
## and both "KEY-123" and "http://z.atlassian.net/browse/KEY-123" appear in a
## pull request's title and body, only "http://z.atlassian.net/browse/KEY-123"
## would appear in the "JIRA Issues" tab).
##
# JIRA_BASE_URL= # optional, eg. https://jira.atlassian.net/browse/
## Request access UI on users profile page
# REQUEST_ACCESS_FEATURE=1 # optional, enable request access link
# REQUEST_ACCESS_EMAIL_ADDRESS_LIST= # optional, space separated list of email addresses (managers mailing list, JIRA, etc.)
# REQUEST_ACCESS_EMAIL_PREFIX= # optional, email subject prefix
## Secret storage
# SECRET_STORAGE_BACKEND= # optional, should be one of: Samson::Secrets::DbBackend (default) or Samson::Secrets::HashicorpVaultBackend
# SECRET_STORAGE_SHARING_GRANTS=true # optional, instead of sharing global secrets by default, access has to be granted
# VAULT_PREFIX= # optional, what to prefix vault keys with if using Samson::Secrets::HashicorpVaultBackend
## Kubernetes
# SECRET_PULLER_IMAGE=zendesk/samson_secret_puller:latest # optional, docker image for zendesk/samson_secret_puller
# KUBERNETES_LOG_TIMEOUT=20 # how long to wait for logs to appear in seconds
# KUBERNETES_LOG_LINES=50 # how many lines of logs to show when a deploy fails
# KUBERNETES_ALLOWED_VOLUME_HOST_PATHS=/data/ # prevent containers from mounting dangerous directories
# KUBERNETES_USAGE_LIMIT_WARNING="If you need more, ask Steve!" # help message to display when user reaches usage limit
# KUBERNETES_SERVICE_PERSISTENT_FIELDS="metadata.labels.proxy,spec.foo" # fields to not override when updating services unless they are not set, does not support fields with . in their name like metadata.annotations.gcr.io/foo/bar
## Jenkins, optional, for triggering Jenkins builds after deployment
# JENKINS_URL= # server_url of jenkins
# JENKINS_USERNAME= # user id
# JENKINS_API_KEY= # API Token from user / Configure page
## Automated deploys ... see automated_deploys_controller.rb
# AUTOMATED_DEPLOY_COMMAND_ID=123 # command to prepend to cloned automated stages
## Gcloud
# GCLOUD_IMAGE_TAGGER=true # optional, enable image tagging
# GCLOUD_OPTIONS=--verbose # optional, options
# GCLOUD_PROJECT=foo-123
# GCLOUD_ACCOUNT=my-account
## Feature: Only admins can (un)lock stages which affect production.
# PRODUCTION_STAGE_LOCK_REQUIRES_ADMIN=1
## Feature: Use LDAP_UID as user.external_id.
# The default is to use the Distinguished Name for users.external_id. If your organization changes
# any part of the DNs for any reason, this could cause any configured users to loose their current
# configuration since it will be assumed to be a new user with a new external_id. This feature
# forces the value of LDAP_UID (set above), which is used to query the user in the LDAP, which
# almost certainly is unique per user, to also be used for the external_id. Note, this name must
# also exist in the "extra" raw info:
# https://github.com/omniauth/omniauth-ldap/blob/master/README.md
# https://github.com/omniauth/omniauth-ldap/blob/master/lib/omniauth/strategies/ldap.rb#L17
# USE_LDAP_UID_AS_EXTERNAL_ID=1