This repository has been archived by the owner on Oct 11, 2023. It is now read-only.
forked from zendesk/samson
-
Notifications
You must be signed in to change notification settings - Fork 0
/
.env.example
269 lines (222 loc) · 12.8 KB
/
.env.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
SECRET_TOKEN= # required, generate with `bundle exec rake secret`
CACHE_STORE=memory # required, use in-"memory" cache or "memcached" to use memcached from localhost / MEMCACHIER_SERVERS env var
## Github token, required
# Personal access token that Samson uses to access project repositories, commits, files and pull requests.
# - Navigate to https://github.com/settings/tokens/new to generate a new personal access token
# - Choose scopes repo, read:org, user and then generate the token
GITHUB_TOKEN=
## GitLab token, optional
# - Navigate to https://docs.gitlab.com/ee/user/profile/personal_access_tokens#creating-a-personal-access-token
# - Follow provided steps and choose api scope, then create personal access token.
GITLAB_TOKEN=
# PLUGINS=all # chose which plugins you want to enable (see setup/plugins.md), can also opt-out by using "all,-slack"
# DEFAULT_URL= # absolute url to samson (used by the mailer), e.g. http://localhost:3000
# EMAIL_DOMAIN= # optional, set to company.com to limit login only for people at Company
# DEPLOY_TIMEOUT=3600 # optional, deploy timeout in seconds, defaults to 2 hours
# DEPLOY_KILL_TIMEOUT=5 # optional, sigkill cancelled deploy process after this time, defaults to 1s
# RAILS_MIN_THREADS=5 #
# RAILS_MAX_THREADS=10 #
# DEFAULT_USER_ROLE=0 # optional, overrides default role assigned to new user. See app/models/role.rb for mappings
# RAILS_LOG_TO_STDOUT=true # send logs to stdout
# RAILS_LOG_TO_SYSLOG=true # send logs to syslog
# RAILS_LOG_WITH_LOGRAGE=true # log a single line for each request
## Login with Github
# Register a new OAuth application on https://github.com/settings/applications/new
# - "Homepage URL" is the same as DEFAULT_URL
# - "Authorization callback URL" is <DEFAULT_URL>/auth/github/callback
# AUTH_GITHUB=true
# GITHUB_CLIENT_ID=
# GITHUB_SECRET=
# GITHUB_ORGANIZATION= # optional, users need to be member of this organization to sign up eg. 'zendesk'
# GITHUB_ADMIN_TEAM= # optional, users in this team are made into admins eg. owners
# GITHUB_DEPLOY_TEAM= # optional, users in this team are made into deployers eg. developers
## Login with Google
# - Create a new project on https://console.developers.google.com/project
# - Enter a name and a unique project id
# - click APIs & auth
# - Turn on Contacts API and Google+ API (they are needed by Samson to get email and avatar)
# - Click the Credentials link and then create a new Client ID
# - Set the Authorized JavaScript Origins to same as DEFAULT_URL
# - Set the Authorized Redirect URI to <DEFAULT_URL>/auth/google/callback
# - Create the Client ID
# AUTH_GOOGLE=true
# GOOGLE_CLIENT_ID=
# GOOGLE_CLIENT_SECRET=
## Login with LDAP
# AUTH_LDAP=true
# LDAP_TITLE= # eg. My LDAP Server}
# LDAP_HOST=192.168.25.188
# LDAP_PORT=389
# LDAP_BASE='dc=domain,dc=com'
# LDAP_UID=uid
# LDAP_BINDDN=userldap
# LDAP_PASSWORD=myldapsecret
## Login with Gitlab
# AUTH_GITLAB=true
# GITLAB_APPLICATION_ID=
# GITLAB_SECRET=
# GITLAB_URL= # optional, replaces https://gitlab.com
## Login with Bitbucket
# - register a new OAuth customer on https://bitbucket.org/account/user/{username}/api
# - Set the Homepage URL to same as DEFAULT_URL
# - Set the Authorization callback URL to <DEFAULT_URL>/auth/bitbucket/callback
# AUTH_BITBUCKET=true
# BITBUCKET_KEY=
# BITBUCKET_SECRET=
## SMTP settings
# SMTP_URL='smtp://localhost'
# SMTP_USER=
# SMTP_PASSWORD=
## Github enterprise
# GITHUB_WEB_URL= # replaces https://github.com
# GITHUB_API_URL= # replaces https://api.github.com
# GITHUB_STATUS_URL= # replaces https://status.github.com
## Keys to set to be able to rotate session key without breaking everything else see config/initializers/secret_token.rb
# ATTR_ENCRYPTED_KEY= # generate with `bundle exec rake secret`
# BADGE_TOKEN_BASE= # generate with `bundle exec rake secret`
## Periodical tasks (cron substitute, see lib/samson/periodical.rb)
# Possible tasks:
# stop_expired_deploys:60
# remove_expired_locks:10
# renew_vault_token:86400
# report_system_stats:60
# report_process_stats:60
# periodical_deploy:86400
# cancel_stalled_builds:3600
# repo_provider_status:60 (for plugins that use repo_provider_status hook, like samson_github)
# global_command_cleanup:86400
# Recommended setup:
PERIODICAL=stop_expired_deploys:60,remove_expired_locks:60,report_system_stats:60,report_process_stats:60,periodical_deploy:86400,cancel_stalled_builds:3600,repo_provider_status:60,global_command_cleanup:86400
## Buddy Check feature: deploys to production require a buddy
# BUDDY_CHECK_FEATURE=1 # enable
# BYPASS_EMAIL= # email destinations that are alerted about buddy_check bypasses, comma separated
# BYPASS_DETAILS= # 'Some text explaining bypass procedure'
# BUDDY_CHECK_TIME_LIMIT= # max minutes a deploy is pending, default: 20
# DISABLE_BUDDY_BYPASS_FEATURE=1 # disable bypassing the buddy procedure
## StatsD reporting
# STATSD_HOST=192.168.1.1
# STATSD_PORT=8125
# DATADOG_TRACER=1 # enable datadog APM tracer
# PROJECT_CREATED_NOTIFY_ADDRESS=bobby-the-security-auditor@yourcompany.com
# PROJECT_DELETED_NOTIFY_ADDRESS=bobby-the-security-auditor@yourcompany.com # if not set uses PROJECT_CREATED_NOTIFY_ADDRESS
# DEPLOY_GROUP_FEATURE=1 # enable Environments and DeployGroups
# GITHUB_HOOK_SECRET=abcdef # verify github hooks are signed with webhook secret
# AIRBRAKE_API_KEY= # report errors to airbrake
# COMMIT_STATUS_RISKS=true # show risk indicator on commit status
# report deploys to Assertible
# ASSERTIBLE_SERVICE_KEY=
# ASSERTIBLE_DEPLOY_TOKEN=
# FORCE_SSL=1 # to require SSL
# SESSION_EXPIRATION=3600 # after how much time (seconds) to expire sessions, default: 1 month
# ENV_WHITELIST=FOOBAR,BARFOO # list of env values that should be passed to the command when deploying
# PROCESS_WHITELIST=puma,mysql # keywords to filter out of running process reporting
# MAX_CONCURRENT_JOBS=0 # max number of concurrent jobs Samson will run. default: 0 (unlimited)
# HELP_LINK="<a href='https://foobar.slack.com/messages/samson'>#samson</a>" # link to show in UI and error pages
# RELEASE_TAG_IN_REPO_RETRIES=10 # how often to retry finding a tag after it is released to github
# IGNORE_PENDING_COMMIT_CHECKS=Foo,Bar # commit status
## Plugin: NewRelic
# report performance stats see https://docs.newrelic.com/docs/agents/ruby-agent/configuration/ruby-agent-configuration
# NEW_RELIC_LICENSE_KEY=
# NEW_RELIC_APP_NAME=Samson
# NEW_RELIC_LOG_FILE_PATH=STDOUT
#
# optional: show graphs during/after deploy
# https://docs.newrelic.com/docs/features/getting-started-with-the-new-relic-rest-api#setup
# NEW_RELIC_API_KEY=
## Memcache: configure servers or we use localhost
# MEMCACHIER_SERVERS=a:123,b:234
# MEMCACHIER_USERNAME=username
# MEMCACHIER_PASSWORD=password
## Docker
# DOCKER_FEATURE=1 # docker support
# DOCKER_REGISTRIES=https://user:[email protected]/some-namespace # required, where to push/pull your docker images
# DOCKER_HOST= # e.g. tcp://my-docker-registry.example.com:2375
# DOCKER_KEEP_BUILT_IMGS=1 # Set to 1 to keep built images for cache. Fills the disk so some cleanup machanism is needed
# DOCKER_READ_TIMEOUT=600 # how long to wait on docker reads.
# DOCKER_FORCE_EXTERNAL_BUILD=1 # force docker to use images built externally.
# DOCKER_NEW_PROJECT_BUILD_METHOD=docker_image_building_disabled # make new projects use this
# EXTERNAL_IMAGES_DETAILS_URL= # explain how you build external images in your organization and how they get sent to samson
# EXTERNAL_BUILD_WAIT=60 # how long to wait for external builds to arrive when deploying (checking every 5s)
# DOCKER_CONFIG= # alternate location instead of ~/.docker/config.json
## Plugin: flowdock
# FLOWDOCK_API_TOKEN= # Needed for the flowdock integration user mention autocomplete in the buddy approval request form (when BUDDY_CHECK_FEATURE=1). Buddy approval notification would still work without this
## Plugin: Slack
# SLACK_API_TOKEN= # Needed for the slack integration user mention autocomplete in the buddy approval request form (when BUDDY_CHECK_FEATURE=1). Buddy approval notification would still work without this
# SLACK_CLIENT_ID= # see plugins/slack_app/README.md
# SLACK_CLIENT_SECRET= # see plugins/slack_app/README.md
# SLACK_VERIFICATION_TOKEN= # see plugins/slack_app/README.md
# SLACK_GLOBAL_BUDDY_REQUEST="<webhook_url>#<channel>" # optional, send notifications for all buddy requests to this channel
## Export job cleanup
## EXPORT_JOB_DOWNLOADED_AGE determines how long a csv export job and file should
## persist after it is downloaded before cleanup, default is 12 hours.
##
## EXPORT_JOB_MAX_AGE determines how long a csv export job and file should persist
## from it's creation date, default is 1 day.
# EXPORT_JOB_DOWNLOADED_AGE=43200 # optional
# EXPORT_JOB_MAX_AGE=86400 # optional
## JIRA_BASE_URL, if set, would enable the auto-detection of JIRA issue keys
## (e.g., KEY-123, SAMSON-456) in the titles and bodies of the pull requests
## associated with a deploy. The auto-detected JIRA issues will be displayed
## and linked (by prepending JIRA_BASE_URL) in the "JIRA Issues" tab of a deploy
##
## Full absolute JIRA URLs will still be detected, and they will take precedence
## over generated ones (i.e., if JIRA_BASE_URL is https://a.atlassian.net/browse/
## and both "KEY-123" and "http://z.atlassian.net/browse/KEY-123" appear in a
## pull request's title and body, only "http://z.atlassian.net/browse/KEY-123"
## would appear in the "JIRA Issues" tab).
##
# JIRA_BASE_URL= # eg. https://jira.atlassian.net/browse/
## Request access UI on users profile page
# REQUEST_ACCESS_FEATURE=1 # enable request access link
# REQUEST_ACCESS_EMAIL_ADDRESS_LIST= # space separated list of email addresses (managers mailing list, JIRA, etc.)
# REQUEST_ACCESS_EMAIL_PREFIX= # optional, email subject prefix
# ACCESS_REQUEST_ALTERNATIVE_INSTRUCTION= # text shown instead of a request form
## Secret storage
# SECRET_STORAGE_BACKEND= # should be one of: Samson::Secrets::DbBackend (default) or Samson::Secrets::HashicorpVaultBackend
# SECRET_STORAGE_SHARING_GRANTS=true # instead of sharing global secrets by default, access has to be granted
# SECRET_ENV_AS_ANNOTATIONS=true # convert env vars that include secrets to annotations
## Plugin: Kubernetes
# SECRET_PULLER_IMAGE=zendesk/samson_secret_puller:latest # docker image for zendesk/samson_secret_puller
# KUBECONFIG=/home/kube/.kube/config # used for database seeding
# KUBERNETES_LOG_TIMEOUT=20 # how long to wait for logs to appear in seconds
# KUBERNETES_LOG_LINES=50 # how many lines of logs to show when a deploy fails
# KUBERNETES_ALLOWED_VOLUME_HOST_PATHS=/data/ # prevent containers from mounting dangerous directories
# KUBERNETES_USAGE_LIMIT_WARNING="If you need more, ask Steve!" # help message to display when user reaches usage limit
# KUBERNETES_SERVICE_PERSISTENT_FIELDS="metadata.labels.proxy,spec.foo" # fields to not override when updating services unless they are not set, does not support fields with . in their name like metadata.annotations.gcr.io/foo/bar
# KUBERNETES_NO_CPU_LIMIT_ALLOWED=1 # allow users to chose to not have a cpu limit on their resources
## Plugin: Jenkins
## Required for Jenkins Plugin - JENKINS_URL, JENKINS_USERNAME, JENKINS_API_KEY
## Required for JenkinsStatusChecker Plugin - JENKINS_URL, JENKINS_USERNAME, JENKINS_API_KEY, JENKINS_STATUS_CHECKER
# JENKINS_URL= # server_url of jenkins
# JENKINS_USERNAME= # user id
# JENKINS_API_KEY= # API Token from user / Configure page
# JENKINS_STATUS_CHECKER= # /view/StagingStatus
## Automated deploys ... see automated_deploys_controller.rb
# AUTOMATED_DEPLOY_COMMAND_ID=123 # command to prepend to cloned automated stages
## Gcloud
# GCLOUD_IMAGE_TAGGER=true # enable image tagging
# GCLOUD_PROJECT=foo-123
# GCLOUD_ACCOUNT=my-account
# GCLOUD_OPTIONS=--verbose # optional options
## Only admins can (un)lock stages which affect production.
# PRODUCTION_STAGE_LOCK_REQUIRES_ADMIN=1
## Use LDAP_UID as user.external_id.
# The default is to use the Distinguished Name for users.external_id. If your organization changes
# any part of the DNs for any reason, this could cause any configured users to loose their current
# configuration since it will be assumed to be a new user with a new external_id. This feature
# forces the value of LDAP_UID (set above), which is used to query the user in the LDAP, which
# almost certainly is unique per user, to also be used for the external_id. Note, this name must
# also exist in the "extra" raw info:
# https://github.com/omniauth/omniauth-ldap/blob/master/README.md
# https://github.com/omniauth/omniauth-ldap/blob/master/lib/omniauth/strategies/ldap.rb#L17
# USE_LDAP_UID_AS_EXTERNAL_ID=1
## Plugin: Rollbar error reporting
# Report Samson's internal failures to Rollbar service
# ROLLBAR_ACCESS_TOKEN= # API token
# ROLLBAR_URL=https://api.rollbar.com # optional
# ROLLBAR_WEB_BASE=https://rollbar.com # optional
## Feature: STS Tokens (see plugins/aws_sts/README.md)
# SAMSON_STS_AWS_ACCESS_KEY_ID=
# SAMSON_STS_AWS_SECRET_ACCESS_KEY=
# SAMSON_STS_AWS_REGION=