ods-core.env.sample

#########################################
# Global configuration for OpenDevStack #
#########################################

# OpenDevStack central namespace. This will be used e.g. to store images such as
# jenkins-master, jenkins-agent-base etc. but also to run shared services such
# as Nexus, SonarQube, provisioning app etc.
# Hint: For a standard installation, set this to "ods".
ODS_NAMESPACE=ods

# OpenDevStack image tag. This will be used e.g. to tag images in the 'ods'
# namespace such as jenkins-master, jenkins-agent-base etc.
# The value will also be used as a Git reference for the Jenkins Shared Library.
# It is recommended to use values such as "4.x", "5.x" etc. That way, users
# consume a major version of ODS, and as an admin you are able to update the
# content of this tag to ship e.g. patches or small backwards-compatible
# changes without requiring users to adopt those explicitly.
# However, you can use any other value that you wish, e.g. you could use more
# precise image tags such as "4.0.x" or even "4.0.0".
# Hint: For a standard installation, set this to "<major-version>.x".
ODS_IMAGE_TAG=latest

# OpenDevStack source code Git reference. This will be used e.g. to configure
# which Dockerfiles are used to build the images, and which revision of the
# Jenkins shared libary should be used.
# It is recommended to use a tag such as "v4.0.0", "v4.0.1", "v4.1.0" etc. That
# way, as an admin you can control exactly which revision of ODS is in use.
# You may also use a branch, e.g. "master" or "4.x", but then the revision of
# ODS in use depends on the time of installation, as those pointers are moving
# targets. Further, you may also reference Git refs only existing in your
# Bitbucket instance, e.g. custom tags like "v4.acme" to include modifications.
# Hint: For a standard installation, set this to latest Git tag of the current major version.
ODS_GIT_REF=master

# Bitbucket project name. In case you install ODS multiple times on the same
# cluster, each installation must be based on a different Bitbucket project.
# This is required to separate the configuration repository properly.
# Hint: For a standard installation, set this to "opendevstack".
ODS_BITBUCKET_PROJECT=opendevstack

#########
# Nexus #
#########

# Nexus base image
# See Dockerhub https://hub.docker.com/r/sonatype/nexus3/tags.
# Officially supported is:
# - 3.70.4-java11-ubi
NEXUS_IMAGE_TAG=3.70.4-java11-ubi

# Nexus host without protocol.
# The domain should be equal to OPENSHIFT_APPS_BASEDOMAIN (see below).
NEXUS_HOST=nexus-cd.192.168.56.101.nip.io

# Nexus URL exposed by the NEXUS route.
# The domain should be equal to OPENSHIFT_APPS_BASEDOMAIN (see below).
NEXUS_URL=https://nexus-cd.192.168.56.101.nip.io

# Username and password for Nexus
NEXUS_USERNAME=developer
NEXUS_PASSWORD=changeme
NEXUS_PASSWORD_B64=changeme
# Password of Nexus administrator - should be set to a secure password
# of your choice.
NEXUS_ADMIN_PASSWORD=changeme
NEXUS_ADMIN_PASSWORD_B64=changeme
# Nexus (basic) authentication username:password
NEXUS_AUTH=developer:changeme

# Nexus JVM parameters, adjust acording to organization size
# See https://help.sonatype.com/en/sonatype-nexus-repository-system-requirements.html
NEXUS_JVM_PARAMS="-Xms2703m -Xmx2703m -XX:MaxDirectMemorySize=2703m -Djava.util.prefs.userRoot=/nexus-data/javaprefs"

# Nexus memory and CPU resources
NEXUS_CPU_REQUEST=200m
NEXUS_MEMORY_REQUEST=3Gi
NEXUS_CPU_LIMIT=1
NEXUS_MEMORY_LIMIT=5Gi

# Nexus data capacity
NEXUS_DATA_CAPACITY=60Gi

# Nexus storage name
NEXUS_STORAGE_NAME="nexus-storage"

# Storage class provisioner, for AWS this should be "kubernetes.io/aws-ebs"
NEXUS_STORAGE_PROVISIONER="ebs.csi.aws.com"

# Storage class for Nexus data, for AWS this should be "gp3-csi"
NEXUS_STORAGE_CLASS_DATA="gp3-csi"

# Storage class for Nexus backup, for AWS this should be "csi-aws-vsc"
NEXUS_STORAGE_CLASS_BACKUP="csi-aws-vsc"

# Nexus snapshot configuration, default to run daily at 2 AM
NEXUS_SNAPSHOT_SCHEDULE="0 2 * * *"

# Nexus snapshot cleanup configuration, default to run daily at 3 AM
NEXUS_SNAPSHOT_CLEANUP_SCHEDULE="0 3 * * *"

# Nexus snapshot TTL in seconds (default: 30 days)
NEXUS_SNAPSHOT_TTL=2592000

# Timeout in seconds to wait for a VolumeSnapshot to become ready
NEXUS_SNAPSHOT_CHECK_TIMEOUT=600

#############
# SonarQube #
#############

# Host without protocol exposed by the SonarQube route
# The domain should be equal to OPENSHIFT_APPS_BASEDOMAIN (see below).
SONARQUBE_HOST=sonarqube-cd.192.168.56.101.nip.io

# SonarQube URL exposed by the SonarQube route
# The domain should be equal to OPENSHIFT_APPS_BASEDOMAIN (see below).
SONARQUBE_URL=https://sonarqube-cd.192.168.56.101.nip.io

# Username of SonarQube administrator
SONAR_ADMIN_USERNAME=admin
# Password of SonarQube administrator - should be set to a secure password
# of your choice.
SONAR_ADMIN_PASSWORD_B64=changeme
# Authentication token used by sonar-scanner-cli from Jenkins pipelines.
# Do not change the value manually - the token is created and set automatically during "make configure-sonarqube".
SONAR_AUTH_TOKEN_B64=changeme
# Web authetification code, needed for liveness Probe
SONAR_WEB_SYSTEMPASSCODE_B64=changeme

# Toggle authentication via SAML
SONAR_AUTH_SAML='true'

# SAML Application used for authentication
SONAR_SAML_APPLICATION_ID=https://sonarqube-cd.192.168.56.101.nip.io/sonar/saml
SONAR_SAML_PROVIDER_ID_B64=changeme
SONAR_SAML_LOGIN_URL_B64=changeme
SONAR_SAML_CERTIFICATE_B64=changeme

# Postgres DB for SonarQube
# Image to use for the PostgreSQL database. This needs to be compatible with
# your SonarQube version, see https://docs.sonarqube.org/latest/requirements/requirements/.
# Take care when upgrading either database or SQ version.
# E.g. registry.redhat.io/rhel10/postgresql-16
SONAR_DATABASE_IMAGE=registry.redhat.io/rhel10/postgresql-16
# Connection string for JDBC. Typically this does not need to be changed.
SONAR_DATABASE_JDBC_URL=jdbc:postgresql://sonarqube-postgresql:5432/sonarqube
# Database name for SonarQube. Typically this does not need to be changed.
SONAR_DATABASE_NAME=sonarqube
# Password of SonarQube database - should be set to a secure password.
SONAR_DATABASE_PASSWORD_B64=changeme
SONAR_DATABASE_SUPER_NAME=super_sonarqube
# Super Password of SonarQube database - should be set to a secure password.
SONAR_DATABASE_SUPER_PASSWORD_B64=changeme
# User of SonarQube database. Typically this does not need to be changed.
SONAR_DATABASE_USER=sonarqube

# SonarQube edition
# See https://www.sonarsource.com/plans-and-pricing/.
# - Use "community" for free edition
# - Use "developer", "enterprise" or "datacenter" for commercial editions
SONAR_EDITION=developer
# SonarQube version.
# See Dockerhub https://hub.docker.com/_/sonarqube/tags
# Officially supported is:
# - 2025.5.0
SONAR_VERSION=2025.5.0

# SonarQube memory and CPU resources
SONARQUBE_CPU_REQUEST=300m
SONARQUBE_MEMORY_REQUEST=5Gi
SONARQUBE_CPU_LIMIT=2
SONARQUBE_MEMORY_LIMIT=5Gi

# SonarQube data and backup capacity
SONARQUBE_DATA_CAPACITY=2Gi
SONARQUBE_EXTENSIONS_CAPACITY=1Gi

# SonarQube database memory and CPU resources
SONARQUBE_DB_CPU_REQUEST=200m
SONARQUBE_DB_MEMORY_REQUEST=512Mi
SONARQUBE_DB_CPU_LIMIT=2
SONARQUBE_DB_MEMORY_LIMIT=512Mi

# SonarQube database and backup capacity
SONARQUBE_DB_CAPACITY=2Gi
SONARQUBE_DB_BACKUP_CAPACITY=1Gi

# SonarQube data storage name
SONARQUBE_DATA_STORAGE_NAME="sonarqube-data-storage"

# Storage class provisioner for SonarQube data, for AWS this should be "ebs.csi.aws.com"
SONARQUBE_STORAGE_PROVISIONER=""

# Storage class for SonarQube data, for AWS this should be "gp3-csi"
SONARQUBE_STORAGE_CLASS_DATA=""

# Storage class provisioner for fast SonarQube storage, for AWS this should be "ebs.csi.aws.com"
SONARQUBE_FAST_STORAGE_PROVISIONER="ebs.csi.aws.com"

# Storage class for fast SonarQube data, for AWS this should be "gp3-csi"
SONARQUBE_FAST_STORAGE_CLASS_DATA="gp3-csi"

# Storage class for fast SonarQube backup, for AWS this should be "csi-aws-vsc"
SONARQUBE_FAST_STORAGE_CLASS_BACKUP="csi-aws-vsc"

# SonarQube backup configuration, default to run daily at 2 AM
SONARQUBE_BACKUP_SCHEDULE="0 2 * * *"

# SonarQube DB backup TTL in days (default: 30 days)
SONARQUBE_DB_BACKUP_TTL=30

# SonarQube scan configuration
SONAR_SCAN_ENABLED="true"
SONAR_SCAN_EXCLUSIONS=".json,.xml,**/__pycache__/**,**/*.pyc,/venv/,/.venv/,/site-packages/,/node_modules/,/dist/,/build/,/out/,/coverage/,/.next/,/.parcel-cache/,/target/,/.gradle/,/.mvn/,/vendor/,/bin/,/obj/,/build/libs/,/.terraform/,/pkg/,/android/,/ios/,/www/,/target/**,/Cargo.lock,/target/,/**/*.class,/**/*.jar,/**/*.war"
SONAR_SCAN_NEXUS_REPOSITORY=leva-documentation
SONAR_SCAN_ALERT_EMAILS=
SONAR_SCAN_PROJECTS_PRIVATE="false"
SONAR_SCAN_ACCOUNT=cd-user-with-password


#########
# Jira #
#########

# JIRA URL
JIRA_URL=http://192.168.56.31:8080


#########
# Crowd #
#########

# Crowd server URL
CROWD_URL=http://192.168.56.31:8095/crowd


###################
# Bitbucket / Git #
###################

# Bitbucket host (without protocol!)
BITBUCKET_HOST=192.168.56.31:7990

# Bitbucket URL (including protocol!)
BITBUCKET_URL=http://192.168.56.31:7990

# Git repository base URL (including protocol!)
# Typically ends in "/scm" for Bitbucket.
REPO_BASE=http://192.168.56.31:7990/scm

# Technical user ("cd_user") to authenticate against Bitbucket.
# Used e.g. to clone repositories and use the API from the central
# ODS namespace.
CD_USER_ID=cd_user
# Name of user b64-encoded: "cd_user" equals "Y2RfdXNlcg==".
CD_USER_ID_B64=Y2RfdXNlcg==
# Password of user (needs to be set to the password set in Crowd for that user)
CD_USER_PWD_B64=changeme_b64

# Repos under "opendevstack" which are readable by project-specific technical users.
# If you use or might use documentation templates in the future,
# it is highly recommended to add "ods-document-generation-templates" to this list.
READABLE_OPENDEVSTACK_REPOS=ods-jenkins-shared-library,ods-quickstarters

##############
# Confluence #
##############

# Confluence URL (including protocol!)
CONFLUENCE_URL=http://192.168.56.31:8090


###########
# Jenkins #
###########

# Base image for Jenkins master.
# For UBI8-based images (OpenShift 4):
# - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-rhel8/5fe1f38288e9c2f788526306
# -      Example: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0
# -      Last tested: registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0-1723454631
# - Community variant: https://quay.io/repository/openshift/origin-jenkins?tab=tags
# -           Example: quay.io/openshift/origin-jenkins:4.6
JENKINS_MASTER_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-rhel8:v4.14.0-1723454631

# Dockerfile to use for Jenkins master.
# Use "Dockerfile.ubi8" for both OpenShift 3.11 and 4  (UBI8 base image)
JENKINS_MASTER_DOCKERFILE_PATH=Dockerfile.ubi8

# Base image for Jenkins agent base.
# For UBI8-based images (OpenShift 4):
# - RHEL variant: https://catalog.redhat.com/software/containers/ocp-tools-4/jenkins-agent-base-rhel8/6241e3457847116cf8577aea
# -      Example: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0
# -      Last tested: registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0-1723453106
# - Community variant: https://quay.io/repository/openshift/origin-jenkins-agent-base?tab=tags
# -           Example: quay.io/openshift/origin-jenkins-agent-base:4.6
JENKINS_AGENT_BASE_FROM_IMAGE=registry.redhat.io/ocp-tools-4/jenkins-agent-base-rhel8:v4.14.0-1723453106

# Dockerfile to use for Jenkins agents.
# Use "Dockerfile.ubi8" for both OpenShift 3.11 and 4  (UBI8 base image)
JENKINS_AGENT_DOCKERFILE_PATH=Dockerfile.ubi8

# Snyk CLI binary distribution url
# Leave empty to avoid installing Snyk.
# Releases are published at https://github.com/snyk/snyk/releases.
# Latest tested version is v1.1292.4.
JENKINS_AGENT_BASE_SNYK_DISTRIBUTION_URL=https://github.com/snyk/snyk/releases/download/v1.1292.4/snyk-linux

# AquaSec CLI binary distribution url
# Leave empty to avoid installing AquaSec.
# Releases are published at https://download.aquasec.com/scanner
# Check Aqua versions backward compatibility at https://docs.aquasec.com/docs/version-compatibility-of-components#section-backward-compatibility-across-two-major-versions
# To Download the aquaSec scanner cli and check their documentaion requires a valid account on aquasec.com
# Latest tested version is 2022.4.829
# Example: https://<USER>:<PASSWORD>@download.aquasec.com/scanner/2022.4.829/scannercli
JENKINS_AGENT_BASE_AQUASEC_SCANNERCLI_URL=

# Repository of shared library
# You may also point to repository underneath REPO_BASE.
SHARED_LIBRARY_REPOSITORY=https://github.com/opendevstack/ods-jenkins-shared-library.git

#############
# OpenShift #
#############

# Internal docker registry host and port - this is used
# for pulling the agent images in jenkins.
DOCKER_REGISTRY=docker-registry.default.svc:5000

# Semicolon separated list of DNSs and optional port (default is 443) - used for grabbing the root CA and adding into the agent(s)
# Leave empty if you do not use a custom CA.
# One of the very stable URLs you could use is the external OCP docker registry URL.
# Example: hostA;hostB:8443;hostC:8443
APP_DNS=192.168.56.101.nip.io

# URI of the OpenShift API
OPENSHIFT_API_URL=https://192.168.56.101:8443

# Host DNS of the OpenShift console to create the right links
OPENSHIFT_CONSOLE_HOST=https://192.168.56.101:8443

# Application domain of OpenShift for routes
OPENSHIFT_APPS_BASEDOMAIN=.192.168.56.101.nip.io

# Pipeline Trigger Secret (both base64-encoded and raw are required)
# Should be set to a secure password. This is used to protect pipelines
# from unauthorized access.
PIPELINE_TRIGGER_SECRET_B64=changeme_base64
PIPELINE_TRIGGER_SECRET=changeme

###########
# Storage #
###########

# Storage class provisioner, for AWS this should be "kubernetes.io/aws-ebs"
STORAGE_PROVISIONER=""

# Storage class for data, for AWS this should be "gp2"
STORAGE_CLASS_DATA=""

# Storage class for backup, for AWS this should be "gp2-encrypted"
STORAGE_CLASS_BACKUP=""

#########################
# Documentation Service #
#########################

# Image to use as the 'FROM' image for the doc gen BuildConfig
# Available tags listed at: https://hub.docker.com/repository/docker/opendevstackorg/ods-document-generation-svc/tags
DOC_GEN_FROM_IMAGE=opendevstackorg/ods-document-generation-svc:latest

####################
# Provisioning App #
####################

# Image to use as the 'FROM' image for the prov app BuildConfig
# Available tags listed at: https://hub.docker.com/repository/docker/opendevstackorg/ods-provisioning-app/tags
PROV_APP_FROM_IMAGE=opendevstackorg/ods-provisioning-app:latest

# Image of the prov app to use in the DeploymentConfig
PROV_APP_IMAGE=ods-provisioning-app:latest

# which image-pull-policy to use in the DeploymentConfig (in relation to PROV_APP_IMAGE)
# see https://docs.openshift.com/container-platform/3.11/dev_guide/managing_images.html#image-pull-policy
PROV_APP_IMAGE_PULL_POLICY=Always

# crowd groups
PROV_APP_CROWD_USER_GROUP=bitbucket-users
PROV_APP_CROWD_ADMIN_GROUP=bitbucket-administrators

# Default package prefix
PROV_APP_PACKAGE_PREFIX=org.opendevstack

# (cookie) domain for atlassian tools - used for crowd
PROV_APP_ATLASSIAN_DOMAIN=192.168.56.31

# Crowd password
PROV_APP_CROWD_PASSWORD=changeme
PROV_APP_JASYPT_PASSWORD=changeme

# Host and credentials for the mailhost
PROV_APP_MAIL_HOST=opendevstack.org
PROV_APP_MAIL_PASSWORD=changeme
PROV_APP_MAIL_USERNAME=provision

# Logging
PROV_APP_LOG_LEVEL_ATLASSIAN_CROWD=INFO
PROV_APP_LOG_LEVEL_OPENDEVSTACK=INFO
PROV_APP_LOGGING_FILE_PATH=/opt/provision/history/logs

# Comma-separated list of events for which Bitbucket sends a request to the webhook proxy service
# to create/start a Jenkins pipeline or delete a Jenkins pipeline.
# Pipelines can be created/started for: repo:refs_changed, pr:opened
# Pipelines will be deleted for: pr:merged, pr:declined, pr:deleted
WEBHOOK_PROXY_EVENTS=repo:refs_changed,pr:merged,pr:declined,pr:deleted

# Webhook Proxy to which to delegate admin jobs.
# https://<PROV_APP_WEBHOOKPROXY_HOST><OPENSHIFT_APPS_BASEDOMAIN>
PROV_APP_WEBHOOKPROXY_HOST=webhook-proxy-ods

# Activate or deactivate the confluence adapter
PROV_APP_CONFLUENCE_ADAPTER_ENABLED=true

# Additionally activate (or deactivate) basic auth authentication to current identity manager provider
# Note: basic auth access is needed for the tests of the provision app to succeed
PROV_APP_AUTH_BASIC_AUTH_ENABLED=true

# (de)activate cleanup of projects that were left incomplete due an error on provision new project
PROV_APP_PROVISION_CLEANUP_INCOMPLETE_PROJECTS_ENABLED=false

# (de)activate provisioning app single-page client
PROV_APP_FRONT_SPA_ENABLED=false

# List of jira project templates
JIRA_PROJECT_TEMPLATE_KEY_NAMES=${project.template.default.key},kanban

# List of default groups to be permissioned in openshift on project creation (value is optional and can be empty).
# e.g: DEFAULT_OPENSHIFT_PERMISSION_GROUPS="ADMINGROUP=MY-DEFAULT-CLUSTER-ADMIN-GROUP"
DEFAULT_OPENSHIFT_PERMISSION_GROUPS=

# Enable or disable the openshift service in the provisioning app (values: "true" or "false")
PROV_APP_OPENSHIFT_SERVICE_ENABLED=false

# List of additional jira project template configuration
# Note: multiline parameters replace is supported... if you need to add multiple lines add as separator "\n".
# Example: ADDITIONAL_JIRA_PROJECT_TEMPLATE_PROPERTIES="jira.project.template.key.MY_TEMPLATE=value1\njira.project.template.type.MY_TEMPLATE=value2\n#End of file\n"
ADDITIONAL_JIRA_PROJECT_TEMPLATE_PROPERTIES="# ------------------------------------------- \n# No additional jira project template properties \n# ------------------------------------------- \n"

# All params defined in the template https://github.com/opendevstack/ods-core/blob/master/ods-provisioning-app/ocp-config/dc.yml
# can be overwritten by specifying the param in this file.

########
# Aqua #
########
# Enable or disable Aqua at the cluster level
AQUA_ENABLED=false

# The URL to the Aqua service, f.e. using a local service in OCP http://<aqua-service>.aqua.svc.cluster.local:8080
# using a hosted instance of Aqua in OCP => aqua service route https://<aqua-route>.<public-cluster-url>/
AQUA_URL=

# The name of a the internal registry defined in Aqua to keep the track of the images scanned
AQUA_REGISTRY=

# The name of a secret containing credentials (username and password) of an Aqua user that has scanner rights
AQUA_SECRET_NAME=cd-user-with-password

# Comma separated list of email addresses to provide feedback in case there are problems using Aqua
AQUA_ALERT_EMAILS=

# The name of a Nexus repository to store the reports generated by Aqua
AQUA_NEXUS_REPOSITORY=leva-documentation

##########################
# Opentelemety Collector #
##########################
# The docker image used to build the Opentelemetry Collector
OPENTELEMETRY_COLLECTOR_IMAGE=otel/opentelemetry-collector-k8s

# The docker image tag used to build the Opentelemetry Collector
OPENTELEMETRY_COLLECTOR_IMAGE_TAG=0.123.0-amd64

# The Go memory limit for the Opentelemetry Collector
OPENTELEMETRY_COLLECTOR_GOMEMLIMIT=128MiB

# The endpoint to send telemetry data using the OpenTelemetry Protocol (OTLP)
OPENTELEMETRY_COLLECTOR_OTLP_API_ENDPOINT=https://fake-jaeger/v1/traces

# The Authorization Token used to authenticate requests sent to the OTLP_API_ENDPOINT
OPENTELEMETRY_COLLECTOR_OTLP_API_TOKEN=Api-Token fakeJaegerIDToken

# The Host of the Opentelemetry Collector
OPENTELEMETRY_COLLECTOR_INGRESS_HOST=fake.opentelemetry-collector.com

# Resource requests and limits for the Opentelemetry Collector
OPENTELEMETRY_COLLECTOR_CPU_REQUEST=200m
OPENTELEMETRY_COLLECTOR_MEMORY_REQUEST=128Mi
OPENTELEMETRY_COLLECTOR_CPU_LIMIT=1
OPENTELEMETRY_COLLECTOR_MEMORY_LIMIT=256Mi

#################################
# Post-Creation Scripts Config #
#################################

# Enable or disable post-creation script execution
POST_CREATION_SCRIPTS_ENABLED=false

### Configuration ####
POST_CREATION_SCRIPTS_CONFIG_REPO_URL=changeme
POST_CREATION_SCRIPTS_CONFIG_REPO_BRANCH=master
POST_CREATION_SCRIPTS_CONFIG_FILE=post-project-creation-scripts.env

### Scripts ####
POST_CREATION_SCRIPTS_REPO_URL=changeme
POST_CREATION_SCRIPTS_BRANCH=master
POST_CREATION_SCRIPTS_ORDER=01.sh,02.sh