Configuring OpsChain

This guide describes the various configuration options that can be included in your .env file, along with their default values.

Configuration variables

The following configuration variables can be set in your .env file:

Info: After making changes to your .env file, you must run opschain server configure and then re-deploy OpsChain (e.g. opschain server deploy).

Common configuration

OPSCHAIN_API_CERTIFICATE_SECRET_NAME

Default value: none

The Kubernetes TLS secret name containing a custom certificate to be used for the HTTPS listener. OPSCHAIN_API_HOST_NAME must also be configured.

OPSCHAIN_API_EXTERNAL_PORT

Default value: 3000

The port that will be exposed for accessing the OpsChain API service.

OPSCHAIN_API_HOST_NAME

Default value: none

The host name that will be configured for the OpsChain API HTTPS listener. This is not required for HTTP access to the API, only for HTTPS access.

OPSCHAIN_DOCKER_USER

Default value: none

Docker Hub username for accessing the OpsChain images.

OPSCHAIN_DOCKER_PASSWORD

Default value: none

Docker Hub password/token for accessing the OpsChain images.

OPSCHAIN_GID

Default value: GID of the current user (i.e. the output of the id -g command)

Group ID on the host that should own the OpsChain files.

OPSCHAIN_GITHUB_USER

Default value: none

OpsChain username for accessing the OpsChain Helm charts via GitHub.

OPSCHAIN_GITHUB_TOKEN

Default value: none

GitHub personal access token for accessing the OpsChain Helm charts via GitHub.

OPSCHAIN_INSECURE_HTTP_PORT_ENABLED

Default value: true

Enables or disables the HTTP ingress port.

OPSCHAIN_IMAGE_REGISTRY_HOST

Default value: opschain-image-registry.local.gd

Internally used hostname. It must resolve to the Kubernetes node, but must be different from the API hostname.

OPSCHAIN_IMAGE_BUILD_ROOTLESS

Default value: true

Whether to use BuildKit rootless mode for the image build container.

OPSCHAIN_IMAGE_BUILD_CACHE_VOLUME_SIZE

Default value: 10Gi

Volume claim size for the image build container cache.

OPSCHAIN_IMAGE_REGISTRY_VOLUME_SIZE

Default value: 10Gi

Volume claim size for the step image registry image storage volume.

OPSCHAIN_KUBERNETES_NAMESPACE

Default value: opschain

Kubernetes namespace to deploy OpsChain into.

OPSCHAIN_RUNNER_NODE_SELECTOR

Default value: {}

Kubernetes nodeSelector value that will be used for step runner pods. Must be specified as a JSON string.

OPSCHAIN_THREADS_PER_WORKER

Default value: 5
Minimum value: 2

The number of threads each worker process will run. Note that increasing this number may actually decrease concurrency due to context switching. We recommend increasing the OPSCHAIN_API_WORKER_SCALE value before increasing this value.

OPSCHAIN_TLS_EXTERNAL_PORT

Default value: 3443

The HTTPS listener port on the Kubernetes node. It is also used by OpsChain from the Kubernetes runtime.

OPSCHAIN_UID

Default value: UID of the current user (i.e. the output of the id -u command)

User ID on the host that should own the OpsChain files.

OPSCHAIN_SSH_KNOWN_HOSTS_CONFIG_MAP

Default value: none

A custom config map name to use for the .ssh/known_hosts file.

LDAP configuration

OPSCHAIN_LDAP_ADMIN

Default value: cn=admin,dc=opschain,dc=io

LDAP/AD administrator DN used to connect to the directory.
Note: As OpsChain does not write to the LDAP database, this need only be a DN with permission to search all users and groups.

OPSCHAIN_LDAP_BASE_DN

Default value: dc=opschain,dc=io

LDAP/AD base DN value.

OPSCHAIN_LDAP_DOMAIN

Default value: opschain.io

LDAP/AD domain.

OPSCHAIN_LDAP_GROUP_BASE

Default value: ou=groups,dc=opschain,dc=io

LDAP/AD base DN to search for groups.

OPSCHAIN_LDAP_GROUP_ATTRIBUTE

Default value: member

LDAP/AD group attribute containing OpsChain user DNs.

OPSCHAIN_LDAP_HC_USER

Default value: healthcheck

To verify the LDAP server is available, OpsChain performs a regular query of the LDAP database for the username supplied here.
Note: If you do not wish to perform this check, leave this blank.

OPSCHAIN_LDAP_HOST

Default value: opschain-ldap

LDAP/AD host name (or IP address).

OPSCHAIN_LDAP_PASSWORD

Default value: none

Password for the OPSCHAIN_LDAP_ADMIN DN.

OPSCHAIN_LDAP_PORT

Default value: 389

LDAP/AD host port to connect to.

OPSCHAIN_LDAP_USER_BASE

Default value: ou=users,dc=opschain,dc=io

LDAP/AD base DN to search for users.

OPSCHAIN_LDAP_USER_ATTRIBUTE

Default value: uid

LDAP/AD user attribute used as the OpsChain user name.

Authentication configuration

OPSCHAIN_AUTH_SERVICE

Default value: none

Policy agent type on the authorisation host. The following policy agent is currently available: OPA. Please contact LimePoint if you require other policy agents.
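
The constraints stated in this guide can be checked before running opschain server configure. The following Python script is an added example, not part of OpsChain or its CLI: it assumes the .env file uses simple KEY=VALUE lines, the function names (parse_env, audit, audit_file) and sample values are constructed for illustration, and the file-permission check is a general precaution added here for a file that holds credentials, not an OpsChain requirement.

```python
import json
import os
import stat

SECRET_KEYS = ("OPSCHAIN_DOCKER_PASSWORD", "OPSCHAIN_GITHUB_TOKEN", "OPSCHAIN_LDAP_PASSWORD")
# Constructed sample .env content (not from a real deployment).
SAMPLE = ("OPSCHAIN_API_CERTIFICATE_SECRET_NAME=api-tls\n"
          "OPSCHAIN_THREADS_PER_WORKER=1\nOPSCHAIN_LDAP_PASSWORD=example-only\n")

def parse_env(text):
    """Parse KEY=VALUE lines (assumed format); skips blanks and # comments."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip().strip("'\"")
    return env

def audit(env, file_mode=None):
    """Return findings; unset variables fall back to the documented defaults."""
    findings = []
    if env.get("OPSCHAIN_INSECURE_HTTP_PORT_ENABLED", "true").lower() == "true":
        findings.append("HTTP ingress port is enabled (the default)")
    if env.get("OPSCHAIN_API_CERTIFICATE_SECRET_NAME") and not env.get("OPSCHAIN_API_HOST_NAME"):
        findings.append("certificate secret set without OPSCHAIN_API_HOST_NAME")
    registry = env.get("OPSCHAIN_IMAGE_REGISTRY_HOST", "opschain-image-registry.local.gd")
    if registry == env.get("OPSCHAIN_API_HOST_NAME"):
        findings.append("image registry host must differ from the API host name")
    try:
        if int(env.get("OPSCHAIN_THREADS_PER_WORKER", "5")) < 2:
            findings.append("OPSCHAIN_THREADS_PER_WORKER is below the minimum of 2")
    except ValueError:
        findings.append("OPSCHAIN_THREADS_PER_WORKER is not an integer")
    try:
        # A Kubernetes nodeSelector is a map, so the JSON must be an object.
        if not isinstance(json.loads(env.get("OPSCHAIN_RUNNER_NODE_SELECTOR", "{}")), dict):
            findings.append("OPSCHAIN_RUNNER_NODE_SELECTOR is not a JSON object")
    except ValueError:
        findings.append("OPSCHAIN_RUNNER_NODE_SELECTOR is not valid JSON")
    # Added precaution: a file holding credentials should be owner-only.
    if file_mode is not None and any(env.get(k) for k in SECRET_KEYS) and file_mode & 0o077:
        findings.append("file holds credentials but is accessible to group/other")
    return findings

def audit_file(path=".env"):
    """Audit a .env file on disk, including its permission bits."""
    with open(path, encoding="utf-8") as fh:
        return audit(parse_env(fh.read()), stat.S_IMODE(os.stat(path).st_mode))
```

Call audit_file() from the directory containing your .env file; an empty list means none of these checks fired.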

Development environment

The following variables can be set manually inside the OpsChain development environment, or configured in your host environment (e.g. in your ~/.zshrc), in which case they will be passed through.

OPSCHAIN_ACTION_RUN_CHILDREN

Default value: false

Automatically run child steps in the local Docker development environment. See the Docker development environment guide (child steps) for more details.

OPSCHAIN_TRACE

Default value: false

If set to true, additional logging will be generated when actions are run.