Merge pull request #384 from concourse/release/7.14.x

Merge Release/7.14.x into master

Author: taylorsilva

templates/_helpers.tpl

@@ -284,6 +284,12 @@ Return concourse environment variables for worker configuration
   value: {{ . | title | quote }}
 {{- end }}
 {{- end }}
+{{- if .Values.concourse.worker.containerd.additionalHosts }}
+{{- range .Values.concourse.worker.containerd.additionalHosts }}
+- name: CONCOURSE_CONTAINERD_ADDITIONAL_HOSTS
+  value: {{ . | title | quote }}
+{{- end }}
+{{- end }}
 {{- if .Values.concourse.worker.containerd.allowHostAccess }}
 - name: CONCOURSE_CONTAINERD_ALLOW_HOST_ACCESS
   value: {{ .Values.concourse.worker.containerd.allowHostAccess | quote }}
@@ -481,6 +487,10 @@ Return concourse environment variables for postgresql configuration
 - name: CONCOURSE_POSTGRES_SSLMODE
   value: {{ .Values.concourse.web.postgres.sslmode | quote }}
 {{- end }}
+{{- if .Values.concourse.web.postgres.sslNegotiation }}
+- name: CONCOURSE_POSTGRES_SSLNEGOTIATION
+  value: {{ .Values.concourse.web.postgres.sslNegotiation | quote }}
+{{- end }}
 {{- if .Values.secrets.postgresCaCert }}
 - name: CONCOURSE_POSTGRES_CA_CERT
   value: "{{ .Values.web.postgresqlSecretsPath }}/ca.cert"

templates/web-deployment.yaml

@@ -747,6 +747,19 @@ spec:
               value: {{ .Values.concourse.web.conjur.secretTemplate | quote }}
             {{- end }}
 
+            {{- if .Values.concourse.web.idToken.signingKey.checkInterval }}
+            - name: CONCOURSE_SIGNING_KEY_CHECK_INTERVAL
+              value: {{ .Values.concourse.web.idToken.signingKey.checkInterval | quote }}
+            {{- end }}
+            {{- if .Values.concourse.web.idToken.signingKey.rotationPeriod }}
+            - name: CONCOURSE_SIGNING_KEY_ROTATION_PERIOD
+              value: {{ .Values.concourse.web.idToken.signingKey.rotationPeriod | quote }}
+            {{- end }}
+            {{- if .Values.concourse.web.idToken.signingKey.gracePeriod }}
+            - name: CONCOURSE_SIGNING_KEY_GRACE_PERIOD
+              value: {{ .Values.concourse.web.idToken.signingKey.gracePeriod | quote }}
+            {{- end }}
+
             {{- if .Values.concourse.web.metrics.hostName }}
             - name: CONCOURSE_METRICS_HOST_NAME
               value: {{ .Values.concourse.web.metrics.hostName | quote }}

values.yaml

@@ -486,6 +486,11 @@ concourse:
       ##
       sslmode: disable
 
+      ## Controls how SSL encryption is negotiated with the server. (default: postgres)
+      ## Can be set to "postgres" or "direct".
+      ##
+      sslNegotiation:
+
       ## Dialing timeout. (0 means wait indefinitely)
       ##
       connectTimeout: 5m
@@ -723,6 +728,29 @@ concourse:
       # Path used to locate a vault or safe-level secret
       secretTemplate: concourse/{{.Secret}}
 
+    ## Configuration for Concourse Identity Tokens.
+    ## Ref: https://concourse-ci.org/idtoken-credential-manager.html
+    ##
+    idToken:
+      ## Configuration for the Signing Key used to sign identity tokens
+      ## generated by Concourse.
+      ##
+      signingKey:
+        ## How often to check for outdated or expired signing keys for the
+        ## idtoken secrets provider (default: 10m)
+        ##
+        checkInterval:
+
+        ## After which time a new signing key for the idtoken secrets provider
+        ## should be generated. 0 turns off generation of new keys (default: 168h)
+        ##
+        rotationPeriod:
+
+        ## How long a key should still be published for the idtoken secrets
+        ## provider after a new key has been generated (default: 24h)
+        ##
+        gracePeriod:
+
     tracing:
       ## Service name to attach to traces as metadata.
       #
@@ -1798,6 +1826,13 @@ concourse:
       ##   - 2.2.2.2
       restrictedNetworks: []
 
+      ## List of hosts to be added to /etc/hosts file.
+      ## Example:
+      ## additionalHosts:
+      ##   - 1.1.1.1 example.com
+      ##   - 2.2.2.2 another.example.com
+      additionalHosts: []
+
       ## Allows containers to reach host network.
       allowHostAccess: