#compdef concourse
# ------------------------------------------------------------------------------
# Description
# -----------
#
#  Completion script for concourse 5.2.0 (https://concourse-ci.org).
#
# ------------------------------------------------------------------------------
# Authors
# -------
#
#  * Julien Nicoulaud <https://github.com/nicoulaj>
#
# ------------------------------------------------------------------------------

(( $+functions[_concourse_server] )) ||
_concourse_server() {
  local context state state_descr line ret=1
  typeset -A opt_args

  local -a concourse_postgres_configurations=(
    '--postgres-host=[the host to connect to]: :_hosts'
    '--postgres-port=[the port to connect to]: :_concourse_ports'
    '--postgres-socket=[path to a UNIX domain socket to connect to]: :_files'
    '--postgres-user=[the user to sign in as]: :_users'
    "--postgres-password=[the user's password]:password"
    '--postgres-sslmode=[whether or not to use SSL(default: disable)]:SSL mode:(disable require verify-ca verify-full)'
    '--postgres-sslnegotiation=[how SSL encryption is negotiated with the server(default: postgres)]: :(postgres direct)'
    '--postgres-ca-cert=[CA cert file location, to verify when connecting with SSL]: :_files'
    '--postgres-client-cert=[client cert file location]: :_files'
    '--postgres-client-key=[client key file location]: :_files'
    '--postgres-connect-timeout=[dialing timeout]: :_concourse_durations'
    '--postgres-database=[the name of the database to use(default: atc)]:database name'
  )

  _arguments -C \
    '(- : *)'{-h,--help}'[display help information]' \
    '(- : *)'{-v,--version}'[print the version of Concourse and exit]' \
    '(-): :->command' \
    '(-)*:: :->arguments' \
  && ret=0

  case $state in
    (command)
      _concourse_commands && ret=0
      ;;
    (arguments)
      curcontext=${curcontext%:*:*}:concourse-$words[1]:

      if [[ $words[1] == "quickstart" || $words[1] == "web" ]]; then
        _concourse_quickstart_or_web "${words[1]}" && ret=0
      else
        if (( $+functions[_concourse_${words[1]}] )); then
          _concourse_${words[1]} && ret=0
        else
          _message "unknown command ${words[1]}" && ret=1
        fi
      fi
      ;;
  esac

  return ret
}

(( $+functions[_concourse_commands] )) ||
_concourse_commands() {
  local commands=(
    "generate-key:generate RSA key for use with Concourse components"
    "land-worker:safely drain a worker's assignments for temporary downtime"
    "migrate:run database migrations"
    "quickstart:run both 'web' and 'worker' together, auto-wired"
    "retire-worker:safely remove a worker from the cluster permanently"
    "web:run the web UI and build scheduler"
    "worker:run and register a worker"
  )
  _describe -t commands commands commands
}

(( $+functions[_concourse_quickstart_or_web] )) ||
_concourse_quickstart_or_web() {
  local command="$1"
  local ret=1

  # define common variables

  local -a concourse_web_configurations=(
    '--peer-address=[network address of this web node, reachable by other web nodes]: :_concourse_host_colon_ports'
    '--log-level=[minimum level of logs to see]:level:_concourse_log_levels'
    '--bind-ip=[IP address on which to listen for web traffic]: :_concourse_ip_addresses'
    '--bind-port=[port on which to listen for HTTP traffic(default: 8000)]: :_concourse_ports'
    '--tls-bind-port=[port on which to listen for HTTPS traffic]: :_concourse_ports'
    '--tls-cert=[file containing an SSL certificate]: :_files'
    '--tls-key=[file containing an RSA private key, used to encrypt HTTPS traffic]: :_files'
    '--tls-ca-cert=[file containing the client CA certificate, enables mTLS]: :_files'
    '--external-url=[URL used to reach any ATC from the outside world]: :_urls'
    '--concurrent-request-limit=[limit the number of concurrent requests to an API endpoint]:limit'
    '--api-max-conns=[maximum number of open connections for the api connection pool(default: 10)]:limit'
    '--backend-max-conns=[maximum number of open connections for the backend connection pool(default: 50)]:limit'
    '--encryption-key=[a 16 or 32 length key used to encrypt sensitive information before storing it in the database]:encryption key'
    '--old-encryption-key=[encryption key previously used for encrypting sensitive information]:encryption key'
    '--debug-bind-ip=[IP address on which to listen for the pprof debugger endpoints]: :_concourse_ip_addresses'
    '--debug-bind-port=[port on which to listen for the pprof debugger endpoints]: :_concourse_ports'
    '--intercept-idle-timeout=[length of time for a intercepted session to be idle before terminating]: :_concourse_durations'
    '--component-runner-interval=[interval on which runners are kicked off for builds, locks, scans and checks]:interval:_concourse_durations'
    '--lidar-scanner-interval=[interval on which the resource scanner will run to see if new checks need to be scheduled]:interval:_concourse_durations'
    '--global-resource-check-timeout=[time limit on checking for new versions of resources]: :_concourse_durations'
    '--resource-checking-interval=[interval on which to check for new versions of resources]: :_concourse_durations'
    '--resource-type-checking-interval=[interval on which to check for new versions of resource types]: :_concourse_durations'
    '--resource-with-webhook-checking-interval=[interval on which to check for new versions of resources that has webhook defined]:interval:_concourse_durations'
    '--max-checks-per-second=[maximum number of checks that can be started per second]:number'
    '--pause-pipelines-after=[number of days after which a pipeline will be automatically paused when there are no jobs]:days'
    '--baggageclaim-response-header-timeout=[how long to wait for Baggageclaim to send the response header]: :_concourse_durations'
    '--streaming-artifacts-compression=[compression algorithm for internal streaming(default: gzip)]:alg:(gzip zstd raw)'
    '--streaming-size-limitation=[internal volume streaming size limitation in MB]:size'
    '--garden-request-timeout=[how long to wait for requests to Garden to complete(default: 5m)]: :_concourse_durations'
    '--cli-artifacts-dir=[directory containing downloadable CLI binaries]: :_files -/'
    '--web-public-dir=[Web public/ directory to server live for local development]:dir:_files -/'
    '--log-db-queries[log database queries]'
    '--log-cluster-name[log cluster name]'
    '--build-tracker-interval=[interval on which to run build tracking]: :_concourse_durations'
    '--default-build-logs-to-retain=[default build logs to retain, 0 means all]:number'
    '--max-build-logs-to-retain=[maximum build logs to retain, 0 means not specified]:number'
    '--default-days-to-retain-build-logs=[default days to retain build logs. 0 means unlimited]:number'
    '--max-days-to-retain-build-logs=[maximum days to retain build logs, 0 means not specified]:number'
    '--job-scheduling-max-in-flight=[maximum number of jobs to be scheduling at the same time(default: 32)]:number'
    '--default-task-cpu-limit=[default max number of cpu shares per task, 0 means unlimited]:number'
    '--default-task-memory-limit=[default maximum memory per task, 0 means unlimited]:number'
    '--enable-build-auditing[enable auditing for all api requests connected to builds]'
    '--enable-container-auditing[enable auditing for all api requests connected to containers]'
    '--enable-job-auditing[enable auditing for all api requests connected to jobs]'
    '--enable-pipeline-auditing[enable auditing for all api requests connected to pipelines]'
    '--enable-resource-auditing[enable auditing for all api requests connected to resources]'
    '--enable-system-auditing[enable auditing for all api requests connected to system transactions]'
    '--enable-team-auditing[enable auditing for all api requests connected to teams]'
    '--enable-worker-auditing[enable auditing for all api requests connected to workers]'
    '--enable-volume-auditing[enable auditing for all api requests connected to volumes]'
    '--config-rbac=[customize RBAC role-action mapping]:mapping'
    '--system-claim-key=[token claim key to use when matching system-claim-values(default: aud)]:key'
    '--system-claim-value=[configure which token requests should be considered "system" requests(default: concourse-worker)]:value'
    '--base-resource-type-defaults=[base resource type defaults]:type'
    '--p2p-volume-streaming-timeout=[timeout of p2p volume streaming(default: 15m)]: :_concourse_durations'
    '--display-user-id-per-connector=[define how to display user ID for each authentication connector]:how'
    '--default-get-timeout=[default timeout of get steps]: :_concourse_durations'
    '--default-put-timeout=[default timeout of put steps]: :_concourse_durations'
    '--default-task-timeout=[default timeout of task steps]: :_concourse_durations'
    '--num-goroutine-threshold=[when number of goroutines reaches to this threshold, then slow down current ATC]:num'
    '--db-notification-bus-queue-size=[DB notification bus queue size(default: 10000)]:size' \
  )

  local -a concourse_credential_manager_configurations=(
    # Credential Management
    '--secret-retry-attempts=[the number of attempts secret will be retried to be fetched, in case a retriable error happens]:number'
    '--secret-retry-interval=[the interval between secret retry retrieval attempts]: :_concourse_durations'
    '--secret-cache-enabled[enable in-memory cache for secrets]'
    '--secret-cache-duration=[secret values will be cached for not longer than this duration]: :_concourse_durations'
    '--secret-cache-duration-notfound=[secret not found responses will be cached for this duration]: :_concourse_durations'
    '--secret-cache-purge-interval=[if the cache is enabled, expired items will be removed on this internal]: :_concourse_durations'
    # Vault Credential Management
    '--vault-url=[vault server address used to access secrets]: :_urls'
    '--vault-path-prefix=[path under which to namespace credential lookup]:prefix'
    '--vault-lookup-templates=[path templates for credential lookup]: :_files'
    '--vault-shared-path=[path under which to lookup shared credentials]:path'
    '--vault-namespace=[Vault namespace to use for authentication and secret lookup]:namespace'
    '--vault-login-timeout=[timeout value for Vault login(default: 60s)]: :_concourse_durations'
    '--vault-query-timeout=[timeout value for Vault queue(default: 60s)]: :_concourse_durations'
    '--vault-disable-srv-lookup[disable that client will lookup the host through DNS SRV lookup]'
    '--vault-ca-cert=[path to a PEM-encoded CA cert file to use to verify the vault server SSL cert]: :_files'
    '--vault-ca-path=[path to a directory of PEM-encoded CA cert files to verify the vault server SSL cert]: :_files -/'
    '--vault-client-cert=[path to the client certificate for Vault authorization]: :_files'
    '--vault-client-key=[path to the client private key for Vault authorization]: :_files'
    '--vault-server-name=[if set, is used to set the SNI host when connecting via TLS]:server name'
    '--vault-insecure-skip-verify[enable insecure SSL verification]'
    '--vault-client-token=[client token for accessing secrets within the Vault server]:client token'
    '--vault-client-token-path=[absolute path to a file containing the Vault client token]: :_files'
    '--vault-auth-backend=[auth backend to use for logging in to Vault]:auth backend'
    '--vault-auth-backend-max-ttl=[time after which to force a re-login]: :_concourse_durations'
    '--vault-retry-max=[the maximum time between retries when logging in or re-authing a secret]: :_concourse_durations'
    '--vault-retry-initial=[the initial time between retries when logging in or re-authing a secret]: :_concourse_durations'
    '*--vault-auth-param=[parameter to pass when logging in via the backend]: :_concourse_name_colon_values'
    # Conjur Credential Management
    '--conjur-appliance-url=[URL of the conjur instance]: :_urls'
    '--conjur-account=[Conjur Account]:account'
    '--conjur-cert-file=[cert file used if conjur instance is using a self signed cert]: :_files'
    '--conjur-authn-login=[host username for conjur authn login]:host'
    '--conjur-authn-api-key=[Api key related to the host for conjur authn]:api_key'
    '--conjur-authn-token-file=[token file used if conjur instance is running in k8s or iam]: :_files'
    '--conjur-pipeline-secret-template=[Conjur secret identifier template used for pipeline specific parameter]:template'
    '--conjur-team-secret-template=[Conjur secret identifier template used for team specific parameter]:template'
    '--conjur-secret-template=[Conjur secret identifier template used for full path conjur secrets]:template'
    # CredHub Credential Management
    '--credhub-url=[CredHub server address used to access secrets]: :_urls'
    '--credhub-path-prefix=[path under which to namespace credential lookup]:path'
    '--credhub-ca-cert=[path to PEM-encoded CA cert files to use to verify the CredHub server SSL cert]: :_files'
    '--credhub-client-cert=[path to the client certificate for mutual TLS authorization]: :_files'
    '--credhub-client-key=[path to the client private key for mutual TLS authorization]: :_files'
    '--credhub-insecure-skip-verify[enable insecure SSL verification]'
    '--credhub-client-id=[client ID for CredHub authorization]:client ID'
    '--credhub-client-secret=[client secret for CredHub authorization]:client secret'
    # Dummy Credential Management
    '--dummy-creds-var=[a YAML value to expose via credential management]:key_val'
    # Kubernetes Credential Management
    '--kubernetes-in-cluster[enable the Kubernetes in-cluster client]'
    '--kubernetes-config-path=[path to Kubernetes config]: :_files'
    '--kubernetes-namespace-prefix=[prefix to use for Kubernetes namespace]:prefix'
    # AWS SecretsManager Credential Management
    '--aws-secretsmanager-access-key=[AWS Access key ID]:access key'
    '--aws-secretsmanager-secret-key=[AWS Secret Access Key]:secret key'
    '--aws-secretsmanager-session-token=[AWS Session Token]:session token'
    '--aws-secretsmanager-region=[AWS region to send requests to]:region'
    '--aws-secretsmanager-pipeline-secret-template=[AWS Secrets Manager secret identifier template used for pipeline specific parameter]:template'
    '--aws-secretsmanager-team-secret-template=[AWS Secrets Manager secret identifier template used for team specific parameter]:template'
    '--aws-secretsmanager-shared-secret-template=[AWS Secrets Manager secret identifier templated used for shared parameter]:template'
    # AWS SSM Credential Management
    '--aws-ssm-access-key=[AWS Access key ID]:access key'
    '--aws-ssm-secret-key=[AWS Secret Access Key]:secret key'
    '--aws-ssm-session-token=[AWS Session Token]:session token'
    '--aws-ssm-region=[AWS region to send requests to]:region'
    '--aws-ssm-pipeline-secret-template=[AWS SSM parameter name template used for pipeline specific parameter]:template'
    '--aws-ssm-team-secret-template=[AWS SSM parameter name template used for team specific parameter]:template'
    '--aws-ssm-shared-path=[AWS SSM parameter path used for shared parameters]: :_files'
  )

  local -a concourse_placement_strategies=(
    volume-locality random fewest-build-containers limit-active-tasks limit-active-containers
    limit-active-volumes
  )
  local -a concourse_second_placement_strategies=(
    random fewest-build-containers limit-active-tasks limit-active-containers limit-active-volumes
  )

  local -a concourse_container_placement_strategy_configurations=(
    '--container-placement-strategy=[method by which a worker is selected during container placement]: :(($concourse_placement_strategies))'
    '--no-input-container-placement-strategy=[a second container placement strategy]: :(($concourse_second_placement_strategies))'
    '--check-container-placement-strategy=[a third container placement strategy]: :(($concourse_second_placement_strategies))'
    '--max-active-tasks-per-worker=[maximum allowed number of active build tasks per worker]:tasks'
    '--max-active-containers-per-worker=[maximum allowed number of active containers per worker]:containers'
    '--max-active-volumes-per-worker=[maximum allowed number of active volumes per worker]:volumes'
  )

  local -a concourse_metric_configurations=(
    # Metrics & Diagnostics
    '--metrics-host-name=[host string to attach to emitted metrics]: :_hosts'
    '*--metrics-attribute=[a key-value attribute to attach to emitted metrics]: :_concourse_name_colon_values'
    '--metrics-buffer-size=[size of the buffer used in emitting event metrics(default: 1000)]:size'
    '--capture-error-metrics[enable capturing of error log metrics]'
    # Metric Emitter (Datadog)
    '--datadog-agent-host=[datadog agent host to expose dogstatsd metrics]: :_hosts'
    '--datadog-agent-port=[datadog agent port to expose dogstatsd metrics]: :_concourse_ports'
    '--datadog-agent-uds-filepath=[Datadog agent unix domain socket filepath]: :_files'
    '--datadog-prefix=[prefix for all metrics to easily find them in Datadog]:prefix'
    # Metric Emitter (InfluxDB)
    '--influxdb-url=[influxDB server address to emit points to]: :_urls'
    '--influxdb-database=[influxDB database to write points to]:database name'
    '--influxdb-username=[influxDB server username]: :_users'
    '--influxdb-password=[influxDB server password]:password'
    '--influxdb-insecure-skip-verify[skip SSL verification when emitting to InfluxDB]'
    '--influxdb-batch-size=[number of points to batch together when emitting to InfluxDB(default: 5000)]:size'
    '--influxdb-batch-duration=[duration to wait before emitting a batch of points to InfluxDB(default: 300s)]: :_concourse_durations'
    # Metric Emitter (Lager)
    '--emit-to-logs[emit metrics to logs]'
    # Metric Emitter (NewRelic)
    '--newrelic-account-id=[new Relic Account ID]:account ID'
    '--newrelic-api-key=[new Relic Insights API Key]:API key'
    '--newrelic-insights-api-url=[Base Url for insights Insert API]: :_urls'
    '--newrelic-service-prefix=[an optional prefix for emitted New Relic events]:prefix'
    '--newrelic-batch-size=[number of events to batch together before emitting(default: 2000)]:size'
    '--newrelic-batch-duration=[length of time to wait between emitting(default: 60s)]: :_concourse_durations'
    '--newrelic-batch-disable-compression=[disable compression of the batch before sending it]'
    # Metric Emitter (Prometheus)
    '--prometheus-bind-ip=[IP to listen on to expose Prometheus metrics]: :_concourse_ip_addresses'
    '--prometheus-bind-port=[port to listen on to expose Prometheus metrics]: :_concourse_ports'
  )

  local -a concourse_tracing_configurations=(
    '--tracing-service-name=[service name to attach to traces as metadata(default: concourse-web)]:name'
    '--tracing-attribute=[attributes to attach to traces as metadata]:attributes'
    '--tracing-honeycomb-api-key=[honeycomb.io api key]:key'
    '--tracing-honeycomb-dataset=[honeycomb.io dataset name]:name'
    '--tracing-jaeger-endpoint=[jaeger http-based thrift collected]:endpoint'
    '--tracing-jaeger-tags=[tags to add to the components]:tags'
    '--tracing-jaeger-service=[jaeger process service name(default; web)]:name'
    "--tracing-stackdriver-projectid=[GCP's project ID]:project_id"
    '--tracing-otlp-address=[odlp address to send traces to]:address'
    '--tracing-otlp-header=[headers to attach to each tracing messages]:header'
    '--tracing-otlp-use-tls[whether to use TLS or not]'
  )

  local -a concourse_policy_check_agent_configurations=(
    # Policy Checking
    '--policy-check-filter-http-method=[API http method to go through policy check]:method'
    '--policy-check-filter-action=[actions in the list will go through policy check]:actions'
    '--policy-check-filter-action-skip=[actions the list will not go through policy check]:actions'
    # Policy Check Agent (Open Policy Agent):
    '--opa-url=[OPA policy check endpoint]:url:_urls'
    '--opa-timeout=[OPA request timeout(default: 5s)]: :_concourse_durations'
    '--opa-result-allowed-key=[key name of if pass policy check in OPA returned result]:key'
    '--opa-result-should-block-key=[key name of if should block current action in OPA returned result]:key'
    '--opa-result-messages-key=[key name of messages in OPA returned result]:key'
  )

  local -a concourse_web_server_configurations=(
    '--x-frame-options=[the value to set for X-Frame-Options]:options'
    '--content-security-policy=[value to set for Content-Security-Policy header]:value'
    '--strict-transport-security=[value to set for the Strict-Transport-Security header]:value'
    '--cluster-name=[a name for this Concourse cluster, to be displayed on the dashboard page]:name'
    '--client-id=[client ID to use for login flow(default: concourse-web)]:id'
    '--client-secret=[client secret to use for login flow]:secret'
  )

  local -a concourse_gc_configurations=(
    '--gc-interval=[interval on which to perform garbage collection]: :_concourse_durations'
    '--gc-one-off-grace-period=[period after which one-off build containers will be garbage-collected]: :_concourse_durations'
    '--gc-missing-grace-period=[period after which to reap containers and volumes that were created but went missing from the worker]: :_concourse_durations'
    '--gc-hijack-grace-period=[period after which hijacked containers will be garbage collected]: :_concourse_durations'
    '--gc-failed-grace-period=[period after which failed containers will be garbage collected]: :_concourse_durations'
    '--gc-check-recycle-period=[period after which to reap checks that are completed]: :_concourse_durations'
    '--gc-var-source-recycle-period=[period after which to reap var_sources that are not used]: :_concourse_durations'
  )

  local -a concourse_syslog_configurations=(
    '--syslog-hostname=[client hostname with which the build logs will be sent to the syslog server]: :_hosts'
    '--syslog-address=[remote syslog server address with port]: :_concourse_host_colon_ports'
    '--syslog-transport=[transport protocol for syslog messages]:protocol:(tcp udp tls)'
    '--syslog-drain-interval=[interval over which checking is done for new build logs to send to syslog server]: :_concourse_durations'
    '--syslog-ca-cert=[paths to PEM-encoded CA cert files to use to verify the Syslog server SSL cert]: :_files'
  )

  local -a concourse_authentication_configurations=(
    '--cookie-secure[force sending secure flag on http cookies]'
    '--auth-duration=[length of time for which tokens are valid]: :_concourse_durations'
    '--session-signing-key=[file containing an RSA private key, used to sign auth tokens]: :_files'
    '--password-connector=[connector to use when authenticating via "fly login -u .. -p.."]: :(local ldap)'
    '*--add-local-user=[list of username:password combinations for all your local users]: :_concourse_username_colon_passwords'
    '*--add-client=[list of client_id:client_secret combinations]:pair'
    # Authentication Main Team
    '*--main-team-local-user=[list of whitelisted local concourse users]: :_users'
    {-c,--main-team-config=}'[configuration file for specifying team params]: :_concourse_config_files'
    # Authentication Main Team Bitbucket Cloud
    '*--main-team-bitbucket-cloud-user=[list of whitelisted Bitbucket Cloud users]: :_users'
    '*--main-team-bitbucket-cloud-team=[list of whitelisted Bitbucket Cloud teams]:team'
    # Authentication Main Team CloudFoundry
    '*--main-team-cf-user=[list of whitelisted CloudFoundry users]: :_users'
    '*--main-team-cf-org=[list of whitelisted CloudFoundry orgs]:org name'
    '*--main-team-cf-space=[list of whitelisted CloudFoundry spaces]:space name'
    '*--main-team-cf-space-with-any-role=[a whitelisted CloudFoundry space for users with any role]:space'
    '*--main-team-cf-space-with-developer-role=[a whitelisted CloudFoundry space for users with the developer role]:space'
    '*--main-team-cf-space-with-auditor-role=[a whitelisted CloudFoundry space for users with the auditor role]:space'
    '*--main-team-cf-space-with-manager-role=[a whitelisted CloudFoundry space for users with the manager role]:space'
    '*--main-team-cf-space-guid=[a whitelisted CloudFoundry space guid]:space_guid'
    # Authentication Main Team GitHub
    '*--main-team-github-user=[list of whitelisted GitHub users]: :_users'
    '*--main-team-github-org=[list of whitelisted GitHub orgs]:org name'
    '*--main-team-github-team=[list of whitelisted GitHub teams]:team name'
    # Authentication Main Team GitLab
    '*--main-team-gitlab-user=[list of whitelisted GitLab users]: :_users'
    '*--main-team-gitlab-group=[list of whitelisted GitLab groups]:group name'
    # Authentication Main Team LDAP
    '*--main-team-ldap-user=[list of whitelisted LDAP users]: :_users'
    '*--main-team-ldap-group=[list of whitelisted LDAP groups]:group name'
    # Authentication Main Team Microsoft
    '*--main-team-microsoft-user=[a whitelisted Microsoft user]: :_users'
    '*--main-team-microsoft-group=[a whitelisted Microsoft group]:group name'
    # Authentication Main Team OAuth2
    '*--main-team-oauth-user=[list of whitelisted OAuth2 users]: :_users'
    '*--main-team-oauth-group=[list of whitelisted OAuth2 groups]:group name'
    # Authentication Main Team OIDC
    '*--main-team-oidc-user=[list of whitelisted OIDC users]: :_users'
    '*--main-team-oidc-group=[list of whitelisted OIDC groups]:group name'
    # Authentication Main Team SAML
    '*--main-team-saml-user=[a whitelisted SAML user]: :_users'
    '*--main-team-saml-group=[a whitelisted SAML group]:group name'
    # Authentication Bitbucket Cloud
    '--bitbucket-cloud-client-id=[client id]:client ID'
    '--bitbucket-cloud-client-secret=[client secret]:client secret'
    # Authentication CloudFoundry
    '--cf-client-id=[client id]:client ID'
    '--cf-client-secret=[client secret]:client secret'
    '--cf-api-url=[the base API URL of your CF deployment]: :_urls'
    '--cf-ca-cert=[CA Certificate]: :_files'
    '--cf-skip-ssl-validation[skip SSL validation]'
    # Authentication GitHub
    '--github-client-id=[client id]:client ID'
    '--github-client-secret=[client secret]:client secret'
    '--github-host=[hostname of GitHub Enterprise deployment]: :_hosts'
    '--github-ca-cert=[CA certificate of GitHub Enterprise deployment]: :_files'
    # Authentication GitLab
    '--gitlab-client-id=[client id]:client ID'
    '--gitlab-client-secret=[client secret]:client secret'
    '--gitlab-host=[hostname of Gitlab Enterprise deployment]: :_hosts'
    # Authentication LDAP
    '--ldap-display-name=[the auth provider name displayed to users on the login page]:display name'
    '--ldap-host=[the host and optional port of the LDAP server]: :_hosts'
    '--ldap-bind-dn=[bind DN for searching LDAP users and groups]:bind DN'
    '--ldap-bind-pw=[bind Password for the user specified by bind-dn]:bind password'
    '--ldap-insecure-no-ssl[required if LDAP host does not use TLS]'
    '--ldap-insecure-skip-verify[skip certificate verification]'
    '--ldap-start-tls[start on insecure port, then negotiate TLS]'
    '--ldap-ca-cert=[CA certificate]: :_files'
    '--ldap-username-prompt=[propmt when logging in through the UI]:prompt'
    '--ldap-user-search-base-dn= [baseDN to start the search from]:baseDN'
    '--ldap-user-search-filter=[optional filter to apply when searching the directory]:filter'
    '--ldap-user-search-username=[attribute to match against the inputted username]:attribute'
    "--ldap-user-search-scope=[can either be: 'sub' - search the whole sub tree or 'one' - only search one level]:scope:((sub one))"
    '--ldap-user-search-id-attr=[a mapping of attributes on the user entry to claims]:attribute mapping'
    '--ldap-user-search-email-attr=[a mapping of attributes on the user entry to claims]:attribute mapping'
    '--ldap-user-search-name-attr=[a mapping of attributes on the user entry to claims]:attribute mapping'
    '--ldap-group-search-base-dn=[baseDN to start the search from]:baseDN'
    '--ldap-group-search-filter=[optional filter to apply when searching the directory]:filter'
    "--ldap-group-search-scope=[can either be: 'sub' - search the whole sub tree or 'one' - only search one level]:scope:(sub one)"
    "--ldap-group-search-user-attr=[adds an additional requirement to the filter that an attribute in the group match the user's attribute value]:attribute"
    "--ldap-group-search-group-attr=[adds an additional requirement to the filter that an attribute in the group match the user's attribute value]:attribute"
    '--ldap-group-search-name-attr=[the attribute of the group that represents its name]:attribute'
    # Authentication Microsoft
    '--microsoft-client-id=[Microsoft client ID]:id'
    '--microsoft-client-secret=[Microsoft client secret]:secret'
    '--microsoft-tenant=[Microsoft Tenant limitation]:tenant'
    '--microsoft-groups=[allowed Active Directory Groups]:groups'
    '--microsoft-only-security-groups[only fetch security groups]'
    # Authentication OAuth2
    '--oauth-display-name=[the auth provider name displayed to users on the login page]:display name'
    '--oauth-client-id=[client id]:client ID'
    '--oauth-client-secret=[client secret]:client secret'
    '--oauth-auth-url=[Authorization URL]: :_urls'
    '--oauth-token-url=[Token URL]: :_urls'
    '--oauth-userinfo-url=[UserInfo URL]: :_urls'
    '*--oauth-scope=[any additional scopes that need to be requested during authorization]:scope'
    '--oauth-groups-key=[the groups key indicates which claim to use to map external groups to Concourse teams]:group key'
    '--oauth-user-id-key=[the user id key indicates which claim to use to map an external user id to a Concourse user id]:id key'
    '--oauth-user-name-key=[the user name key indicates which claim to use to map an external user name to a Concourse user name]:name key'
    '--oauth-ca-cert=[CA Certificate]: :_files'
    '--oauth-skip-ssl-validation[skip SSL validation]'
    # Authorization OIDC
    '--oidc-display-name=[the auth provider name displayed to users on the login page]:display name'
    '--oidc-issuer=[An OIDC issuer URL that will be used to discover provider configuration]: :_urls'
    '--oidc-client-id=[client id]:client ID'
    '--oidc-client-secret=[client secret]:client secret'
    '*--oidc-scope=[any additional scopes that need to be requested during authorization]:scope'
    '--oidc-groups-key=[the groups key indicates which claim to use to map external groups to Concourse teams]:group key'
    '--oidc-user-name-key=[the user name key indicates which claim to use to map an external user name to a Concourse user name]:user name key'
    '--oidc-ca-cert=[CA Certificate]: :_files'
    '--oidc-skip-ssl-validation[skip SSL validation]'
    '--oidc-disable-groups[disable OIDC groups claims]'
    '--oidc-skip-email-verified-validation[ignore the email_verified claim from the upstream provider]'
    '--oidc-disable-get-user-info[disable not query the additional claims]'
    # Authorization SAML
    '--saml-display-name=[SAML auth provider name displayed to users on the login page]:name'
    '--saml-sso-url=[SAML SSO URL used for POST value]:url:_urls'
    '--saml-ca-cert=[SAML CA Certificate]: :_files'
    "--saml-entity-issuer=[SAML manually specify dex's issuer value]"
    '--saml-sso-issuer=[issuer value expected in the SAML response]:issuer'
    '--saml-username-attr=[SAML concourse user name]:name'
    '--saml-email-attr=[SAML concourse email]:name'
    '--saml-groups-attr=[SAML concourse teams]:name'
    '--saml-groups-delim=[groups are returned as string with this delimiter]:delimiter'
    '--saml-name-id-policy-format=[requested format of the NameID]:format'
    '--saml-skip-ssl-validation[SAML skip SSL validation]'
  )

  local -a concourse_feature_flags=(
    '--enable-global-resources[enable equivalent resources across pipelines and teams to share a single version history]'
    '--enable-redact-secrets[enable redacting secrets in build logs]'
    '--enable-rerun-when-worker-disappears[enable automatically build rerun when worker disappears]'
    '--enable-across-step[enable the experimental across step to be used in jobs]'
    '--enable-pipeline-auditing[enable pipeline instances]'
    '--enable-p2p-volume-streaming[enable P2P volume streaming]'
    '--enable-cache-streamed-volumes[streamed resource volumes will be cached on the destination]'
    '--enable-resource-causality[enable the resource causality page]'
  )

  local -a concourse_tsa_configurations=(
    '--tsa-log-level=[minimum level of logs to see]: :_concourse_log_levels'
    '--tsa-bind-ip=[IP address on which to listen for SSH]: :_concourse_ip_addresses'
    '--tsa-peer-address=[network address of this web node, reachable by other web nodes]: :_urls'
    '--tsa-bind-port=[port on which to listen for SSH]: :_concourse_ports'
    '--tsa-debug-bind-ip=[IP address on which to listen for the pprof debugger endpoints]: :_concourse_ip_addresses'
    '--tsa-debug-bind-port=[port on which to listen for the pprof debugger endpoints]: :_concourse_ports'
    '--tsa-host-key=[path to private key to use for the SSH server]: :_files'
    '--tsa-authorized-keys=[path to file containing keys to authorize, in SSH authorized_keys format]: :_files'
    '--tsa-team-authorized-keys=[path to file containing keys to authorize, in SSH authorized_keys format]: :_concourse_name_colon_paths'
    '--tsa-atc-url=[ATC API endpoints to which workers will be registered]: :_urls'
    '--tsa-client-id=[client used to fetch a token from the auth server]:id'
    '--tsa-client-secret=[client used to fetch a token from the auth server]:secret'
    '--tsa-token-url=[token endpoint of the auth server]: :_urls'
    '*--tsa-scope=[scopes to request from the auth server]'
    '--tsa-heartbeat-interval=[interval on which to heartbeat workers to the ATC]: :_concourse_durations'
    '--tsa-garden-request-timeout=[how long to wait for requests to Garden to complete]: :_concourse_durations'
    '--tsa-cluster-name=[a name for this Concourse cluster]:name'
    '--tsa-log-cluster-name=[log cluster name]:name'
  )

  case $command in
    (quickstart)
      _concourse_quickstart && ret=0
      ;;
    (web)
      _concourse_web && ret=0
      ;;
  esac

  return ret
}

(( $+functions[_concourse_generate-key] )) ||
_concourse_generate-key() {
  _arguments \
    '(- : *)'{-h,--help}'[display help information]' \
    '(-t --type)'{-t,--type=}'[the type of key to generate]:key type:(rsa ssh)' \
    '(-f --filename)'{-f,--filename=}'[file path where the key shall be created. When generating ssh keys, the public key will be stored in a file with the same name but with .pub appended]: :_files' \
    '(-b --bits)'{-b,--bits=}'[the number of bits in the key to create]:integer'
}

(( $+functions[_concourse_land-worker] )) ||
_concourse_land-worker() {
  _arguments \
    '(- : *)'{-h,--help}'[display help information]' \
    '--name=[the name of the worker you wish to land]:worker name' \
    '*--tsa-host=[TSA host to forward the worker through]: :_concourse_host_colon_ports' \
    '--tsa-public-key=[file containing a public key to expect from the TSA]: :_files' \
    '--tsa-worker-private-key=[file containing a public key to expect from the TSA]: :_files'
}

(( $+functions[_concourse_migrate] )) ||
_concourse_migrate() {
  _arguments \
    '(- : *)'{-h,--help}'[display help information]' \
    '--encryption-key=[a 16 or 32 length key used to encrypt sensitive information before storing it in the database]:encryption key' \
    '(- : *)--current-db-version[print the current database version and exit]' \
    '(- : *)--supported-db-version[print the max supported database version and exit]' \
    '--migrate-db-to-version=[migrate to the specified database version and exit]:database version' \
    '--migrate-to-latest-version[migrate to the latest migration version and exit]' \
    $concourse_postgres_configurations[@] \
}

(( $+functions[_concourse_quickstart] )) ||
_concourse_quickstart() {
  local -a concourse_worker_configurations=(
    '--worker-name=[name to set for the worker during registration]:name'
    '--worker-tag=[tag to set during registration]:tag'
    '--worker-team=[name of the team that this worker will be assigned to]:team'
    '--worker-http-proxy=[HTTP proxy endpoint to use for containers]:proxy:_urls'
    '--worker-https-proxy=[HTTPS proxy endpoint to use for containers]:proxy:_urls'
    '*--worker-no-proxy=[blacklist of addresses to skip the proxy when reaching]:url:_urls'
    '--worker-ephemeral[worker will be immediately removed upon stalling]'
    '--worker-certs-dir=[directory to use when creating the resource certificates volume]:dir:_files -/'
    '--worker-work-dir=[directory in which to place container data]:dir:_files -/'
    '--worker-bind-ip=[IP address on which to listen for the Garden server]:ip'
    '--worker-bind-port=[port on which to listen for the Garden server]:port'
    '--worker-debug-bind-ip=[IP address on which to listen for the pprof debugger endpoints]:ip'
    '--worker-debug-bind-port=[port on which to listen for the pprof debugger endpoints]:port'
    '--worker-healthcheck-bind-ip=[IP address on which to listen for health checking requests]:ip'
    '--worker-healthcheck-bind-port=[port on which to listen for health checking requests]:port'
    '--worker-healthcheck-timeout=[HTTP timeout for the full duration of health checking]: :_concourse_durations'
    '--worker-sweep-interval=[interval on which containers and volumes will be garbage collected from the worker]: :_concourse_durations'
    '--worker-volume-sweeper-max-in-flight=[maximum number of volumes which can be swept in parallel]:number'
    '--worker-container-sweeper-max-in-flight=[maximum number of containers which can be swept in parallel]:number'
    '--worker-rebalance-interval=[duration after which the registration should be swapped to another random SSH gateway]: :_concourse_durations'
    '--worker-connection-drain-timeout=[duration after which a worker should give up draining forwarded connections on shutdown]: :_concourse_durations'
    '--worker-external-garden-url=[API endpoint of an externally managed Garden server to use instead of running the embedded Garden server]:url:_urls'
    '--worker-resource-types=[path to directory containing resource types the worker should advertise]:dir:_files -/'
    '--worker-log-level=[minimum level of logs to see]:level:_concourse_log_levels'

    # TSA Configuration:
    '--worker-tsa-host=[TSA host to forward the worker through]:host'
    '--worker-tsa-public-key=[file containing a public key to expect from the TSA]:file:_files'
    '--worker-tsa-worker-private-key=[file containing the private key to use when authenticating to the TSA]:file:_files'

    # Tracing:
    '--worker-tracing-service-name=[service name to attach to traces as metadata]:name'
    '--worker-tracing-attribute=[attributes to attach to traces as metadata]:attr'
    '--worker-tracing-honeycomb-api-key=[honeycomb.io api key]:key'
    '--worker-tracing-honeycomb-dataset=[honeycomb.io dataset name]:dataset'
    '--worker-tracing-jaeger-endpoint=[jaeger http-based thrift collector]:endpoint'
    '--worker-tracing-jaeger-tags=[tags to add to the components]:tags'
    '--worker-tracing-jaeger-service=[jaeger process service name]:service'
    "--worker-tracing-stackdriver-projectid=[GCP's Project ID]:id"
    '--worker-tracing-otlp-address=[otlp address to send traces to]:address'
    '--worker-tracing-otlp-header=[headers to attach to each tracing message]:header'
    '--worker-tracing-otlp-use-tls[whether to use tls or not]'

    # Runtime Configuration
    '--worker-runtime=[runtime to use with the worker]:runtime:(guardian containerd houdini)'

    # Guardian Configuration
    '--worker-garden-bin=[path to a garden server executable]:bin'
    '--worker-garden-request-timeout=[how long to wait for requests to the Garden server to complete]:time:_concourse_durations'
    '--worker-garden-config=[path to a config file to use for the Garden backend]:path:_files'

    # DNS Proxy Configuration
    '--worker-garden-dns-proxy-enable[enable proxy DNS server]'

    # Container Networking
    '--worker-garden-network-pool=[network range to use for dynamically allocated container subnets]:range'

    # Limits:
    '--worker-garden-max-containers=[maximum container capacity]:capacity'

    # Containerd Configuration:
    '--worker-containerd-config=[path to a config file to use for the Containerd daemon]:file:_files'
    '--worker-containerd-bin=[path to a containerd executable]:file:_files'
    '--worker-containerd-init-bin=[path to an init executable]:file:_files'
    '--worker-containerd-seccomp-profile=[path to a seccomp filter override]:file:_files'
    '--worker-containerd-oci-hooks-dir=[path to the oci hooks dir]:dir:_files -/'
    '--worker-containerd-cni-plugins-dir=[path to CNI network plugins]:dir:_files -/'
    '--worker-containerd-request-timeout=[how long to wait for requests to Containerd to complete]: :_concourse_durations'
    '--worker-containerd-max-containers=[max container capacity]:capacity'
    '--worker-containerd-privileged-mode=[how many privileges privileged containers get]:type:(full fuse-only ignore)'

    # Containerd Networking
    "--worker-containerd-external-ip=[IP address to use to reach container's mapped ports]:ip"
    '--worker-containerd-dns-server=[DNS server IP address to use instead of automatically determined servers]:ip'
    '--worker-containerd-additional-hosts=[additional entries to add to /etc/hosts in containers]:hosts'
    '--worker-containerd-restricted-network=[network ranges to which traffic from containers will be restricted]:range'
    '--worker-containerd-network-pool=[network range to use for dynamically allocated container subnets]:range'
    '--worker-containerd-mtu=[MTU size for container network interfaces]:size'
    "--worker-containerd-allow-host-access[allow containers to reach the host's network]"

    # DNS Proxy Configuration:
    '--worker-containerd-dns-proxy-enable[Enable proxy DNS server]'

    # IPv6 Configuration:
    '--worker-containerd-v6-enable[enable IPv6 networking]'
    '--worker-containerd-v6-pool=[IPv6 network range to use for dynamically allocated container addresses]:range'
    '--worker-containerd-v6-disable-masquerade [Masquerade container traffic with worker address]:address'

    # Baggageclaim Configuration:
    '--worker-baggageclaim-log-level=[minimum level of logs to see]: :_concourse_log_levels'
    '--worker-baggageclaim-bind-ip=[IP address on which to listen for API traffic]:ip'
    '--worker-baggageclaim-bind-port=[port on which to listen for API traffic]:port'
    '--worker-baggageclaim-debug-bind-ip=[IP address on which to listen for the pprof debugger endpoints]:ip'
    '--worker-baggageclaim-debug-bind-port=[port on which to listen for the pprof debugger endpoints]:port'
    '--worker-baggageclaim-p2p-interface-name-pattern=[regular expression to match a network interface for p2p streaming]:pattern'
    '--worker-baggageclaim-p2p-interface-family=[4 for IPv4 and 6 for IPv6]:type:(4 6)'
    '--worker-baggageclaim-volumes=[directory in which to place volume data]:dir:_files -/'
    '--worker-baggageclaim-driver=[driver to use for managing volumes]:type:(detect naive btrfs overlay)'
    '--worker-baggageclaim-btrfs-bin=[path to btrfs binary]:path:_files'
    '--worker-baggageclaim-mkfs-bin=[path to mkfs binary]:path:_files'
    '--worker-baggageclaim-overlays-dir=[path to directory in which to store overlay data]:dir:_files -/'
    '--worker-baggageclaim-disable-user-namespaces[disable remapping of user/group IDs in unprivileged volumes]:namespace'
  )

  _arguments \
    $concourse_web_configurations[@] \
    "--enable-lets-encrypt[automatically configure TLS certificate via Let's Encrypt/ACME]" \
    "--lets-encrypt-acme-url=[URL of ACME CA directory endpoint]:url:_urls" \
    $concourse_postgres_configurations[@] \
    $concourse_credential_manager_configurations[@] \
    '--signing-key-check-interval=[how often to check for outdated or expired signing keys(default: 10m)]: :_concourse_durations' \
    '--signing-key-rotation-period=[after which time a new signing key for the idtoken secrets provider should be generated]: :_concourse_durations' \
    '--signing-key-rotation-period=[how long a key should still be published after a new key has been generated]: :_concourse_durations' \
    $concourse_container_placement_strategy_configurations[@] \
    $concourse_metric_configurations[@] \
    $concourse_tracing_configurations[@] \
    $concourse_policy_check_agent_configurations[@] \
    $concourse_web_server_configurations[@] \
    $concourse_gc_configurations[@] \
    $concourse_syslog_configurations[@] \
    $concourse_authentication_configurations[@] \
    $concourse_feature_flags[@] \
    $concourse_tsa_configurations[@] \
    $concourse_worker_configurations[@]
}

(( $+functions[_concourse_retire-worker] )) ||
_concourse_retire-worker() {
  _arguments \
    '(- : *)'{-h,--help}'[display help information]' \
    '--name=[the name of the worker you wish to retire]:worker name' \
    '--team=[the team name of the worker you with to retire]:team name' \
    '*--tsa-host=[TSA host to forward the worker through]: :_concourse_host_colon_ports' \
    '--tsa-public-key=[file containing a public key to expect from the TSA]: :_files' \
    '--tsa-worker-private-key=[file containing a public key to expect from the TSA]: :_files'
}

(( $+functions[_concourse_web] )) ||
_concourse_web() {
  local -a placement_strategies=(
    volume-locality random fewest-build-containers limit-active-tasks limit-active-containers
    limit-active-volumes
  )
  local -a second_placement_strategies=(
    random fewest-build-containers limit-active-tasks limit-active-containers limit-active-volumes
  )

  _arguments \
    '(- : *)'{-h,--help}'[display help information]' \
    $concourse_web_configurations[@] \
    "--enable-lets-encrypt[automatically configure TLS certificate via Let's Encrypt/ACME]" \
    "--lets-encrypt-acme-url=[URL of ACME CA directory endpoint]:url:_urls" \
    $concourse_postgres_configurations[@] \
    $concourse_credential_manager_configurations[@] \
    '--signing-key-check-interval=[how often to check for outdated or expired signing keys(default: 10m)]: :_concourse_durations' \
    '--signing-key-rotation-period=[after which time a new signing key for the idtoken secrets provider should be generated]: :_concourse_durations' \
    '--signing-key-rotation-period=[how long a key should still be published after a new key has been generated]: :_concourse_durations' \
    $concourse_container_placement_strategy_configurations[@] \
    $concourse_metric_configurations[@] \
    $concourse_tracing_configurations[@] \
    $concourse_policy_check_agent_configurations[@] \
    $concourse_web_server_configurations[@] \
    $concourse_gc_configurations[@] \
    $concourse_syslog_configurations[@] \
    $concourse_authentication_configurations[@] \
    $concourse_feature_flags[@] \
    $concourse_tsa_configurations[@]
}

(( $+functions[_concourse_worker] )) ||
_concourse_worker() {
  _arguments \
    '(- : *)'{-h,--help}'[display help information]' \
    '--name=[the name to set for the worker during registration]:name' \
    '*--tag=[a tag to set during registration]:tag' \
    '--team=[the name of the team that this worker will be assigned to]:team name' \
    '--http-proxy=[HTTP proxy endpoint to use for containers]: :_urls' \
    '--https-proxy=[HTTPS proxy endpoint to use for containers]: :_urls' \
    '*--no-proxy=[blacklist of addresses to skip the proxy when reaching]: :_urls' \
    '--ephemeral[if set, the worker will be immediately removed upon stalling]' \
    '--certs-dir=[directory to use when creating the resource certificates volume]: :_files -/' \
    '--work-dir=[directory in which to place container data]: :_files -/' \
    '--bind-ip=[IP address on which to listen for the Garden server]: :_concourse_ip_addresses' \
    '--bind-port=[port on which to listen for the Garden server]: :_concourse_ports' \
    '--debug-bind-ip=[IP address on which to listen for the pprof debugger endpoints]: :_concourse_ip_addresses' \
    '--debug-bind-port=[port on which to listen for the pprof debugger endpoints]: :_concourse_ports' \
    '--healthcheck-bind-ip=[IP address on which to listen for health checking requests]: :_concourse_ip_addresses' \
    '--healthcheck-bind-port=[port on which to listen for health checking requests]: :_concourse_ports' \
    '--healthcheck-timeout=[HTTP timeout for the full duration of health checking]: :_concourse_durations' \
    '--sweep-interval=[interval on which containers and volumes will be garbage collected from the worker]: :_concourse_durations' \
    '--volume-sweeper-max-in-flight=[maximum number of volumes which can be swept in parallel]:number' \
    '--container-sweeper-max-in-flight=[maximum number of containers which can be swept in parallel]:number' \
    '--rebalance-interval=[duration after which the registration should be swapped to another random SSH gateway]: :_concourse_durations' \
    '--connection-drain-timeout=[duration after which a worker should give up draining forwarded connections on shutdown]: :_concourse_durations' \
    '--external-garden-url=[API endpoint of an externally managed Garden server to use instead of running the embedded Garden server]: :_urls' \
    '--resource-types=[path to directory containing resource types the worker should advertise]: :_files -/' \
    '--log-level=[minimum level of logs to see]: :_concourse_log_levels' \
    '*--tsa-host=[TSA host to forward the worker through]: :_hosts' \
    '--tsa-public-key=[file containing a public key to expect from the TSA]: :_files' \
    '--tsa-worker-private-key=[file containing the private key to use when authenticating to the TSA]: :_files' \
    '--runtime=[runtime to use with the worker(default: guardian)]:runtime:(guardian containerd houdini)' \
    '--garden-bin=[path to gdn executable (or leave as gdn to find it in $PATH)]: :_path_commands' \
    '--garden-request-timeout=[how long to wait for requests to the Garden server to complete]:time' \
    '--garden-config=[path to a config file to use for Garden]: :_files' \
    '--garden-dns-proxy-enable[enable proxy DNS server]' \
    '--garden-network-pool=[network range to use for dynamically allocated container subnets]:range' \
    '--garden-max-containers=[maximum container capacity for Garden]:limit' \
    '--containerd-config=[path to a config file to use for the Containerd]:path:_files' \
    '--containerd-bin=[path to a containerd executable]:command:_path_commands' \
    '--containerd-init-bin=[path to an init executable]:init:_files' \
    '--containerd-seccomp-profile=[path to a seccomp filter override]:filter:_files' \
    '--containerd-oci-hooks-dir=[path to the oci hooks dir]:dir:_files -/' \
    '--containerd-cni-plugins-dir=[path to CnI network plugins]:dir:_files -/' \
    '--containerd-request-timeout=[how long to wait for requests to Containerd to complete]:timeout' \
    '--containerd-max-containers=[max conatiner capacity for containerd]:limit' \
    '--containerd-privileged-mode=[how many privileges privileged containers get]:type:(full fuse-only ignore)' \
    "--containerd-external-ip=[IP address to use to reach container's mapped ports]:ip" \
    '--containerd-dns-server=[DNS server IP address to use instead of automatically determined servers]:ip' \
    '--containerd-additional-hosts=[additioanl entries to add to /etc/hosts in containers]:hosts' \
    '--containerd-restricted-network=[network ranges to which traffic from containers will be restricted]:range' \
    '--containerd-network-pool=[network range to use for dynamically allocated containers subnets]:range' \
    '--containerd-mtu=[MTU size for container network interfaces]:size' \
    "--containerd-allow-host-access[allow containers to reach the host's network]" \
    '--containerd-dns-proxy-enable[enable proxy DNS server]' \
    '--containerd-v6-enable[enable IPv6 networking]' \
    '--containerd-v6-pool=[IPv6 network range to use for dynamically allocated container addresses]:range' \
    '--containerd-v6-disable-masquerade[Masquerade container traffic with worker address]' \
    '--baggageclaim-log-level=[minimum level of logs to see]: :_concourse_log_levels' \
    '--baggageclaim-bind-ip=[IP address on which to listen for API traffic]: :_concourse_ip_addresses' \
    '--baggageclaim-bind-port=[port on which to listen for API traffic]: :_concourse_ports' \
    '--baggageclaim-debug-bind-ip=[IP address on which to listen for the pprof debugger endpoints]: :_concourse_ip_addresses' \
    '--baggageclaim-debug-bind-port=[port on which to listen for the pprof debugger endpoints]: :_concourse_ports' \
    '--baggageclaim-p2p-interface-name-pattern=[regular expression to match a network interface for p2p streaming]:pattern' \
    '--baggageclaim-p2p-interface-family=[IPv4 or IPv6(default IPv4)]:type:(4 6)' \
    '--baggageclaim-volumes=[directory in which to place volume data]: :_files -/' \
    '--baggageclaim-driver=[driver to use for managing volumes]:driver:(detect naive btrfs overlay)' \
    '--baggageclaim-btrfs-bin=[path to btrfs binary]: :_path_commands' \
    '--baggageclaim-mkfs-bin=[path to mkfs.btrfs binary]: :_files' \
    '--baggageclaim-overlays-dir=[path to directory in which to store overlay data]: :_files -/' \
    '--baggageclaim-disable-user-namespaces[disable remapping of user/group IDs in unprivileged volumes]'
}

(( $+functions[_concourse_config_files] )) ||
_concourse_config_files() {
  _files -g "*.(yml|yaml)"
}

(( $+functions[_concourse_ip_addresses] )) ||
_concourse_ip_addresses() {
  _message 'IP address'
}

(( $+functions[_concourse_ports] )) ||
_concourse_ports() {
  _message 'port number'
}

(( $+functions[_concourse_host_colon_ports] )) ||
_concourse_host_colon_ports() {
  local ret=1
  if compset -P '*:'; then
    _concourse_ports && ret=0
  else
    _alternative \
      'hosts: :_hosts -qS:' \
      'ip-addresses: :_guard "[[:digit:]]*" "IP address"' \
      && ret=0
  fi
  return ret
}

(( $+functions[_concourse_type_colon_images] )) ||
_concourse_type_colon_images() {
  local ret=1
  if compset -P '*:'; then
    _message 'type' && ret=0
  else
    _message 'image' && ret=0
  fi
  return ret
}

(( $+functions[_concourse_name_colon_values] )) ||
_concourse_name_colon_values() {
  local ret=1
  if compset -P '*:'; then
    _message 'name' && ret=0
  else
    _message 'value' && ret=0
  fi
  return ret
}

(( $+functions[_concourse_username_colon_passwords] )) ||
_concourse_username_colon_passwords() {
  local ret=1
  if compset -P '*:'; then
    _message 'username' && ret=0
  else
    _message 'password' && ret=0
  fi
  return ret
}

(( $+functions[_concourse_name_colon_paths] )) ||
_concourse_name_colon_paths() {
  local ret=1
  if compset -P '*:'; then
    _message 'name' && ret=0
  else
    _files && ret=0
  fi
  return ret
}

(( $+functions[_concourse_durations] )) ||
_concourse_durations() {
  _message 'duration, eg: "5s", "5m", "5h", "5d"'
}

(( $+functions[_concourse_log_levels] )) ||
_concourse_log_levels() {
  local levels=(
    'debug:debug traces'
    'info:normal log level'
    'error:log only errors'
    'fatal:log only fatal errors'
  )
  _describe -t log-levels 'log level' levels
}

_concourse_server "$@"

# Local Variables:
# mode: Shell-Script
# sh-indentation: 2
# indent-tabs-mode: nil
# sh-basic-offset: 2
# End:
# vim: ft=zsh sw=2 ts=2 et
