
Infrahub configuration

The Infrahub containers read a number of environment variables at runtime that affect their behavior.

Here are a few common methods of setting environment variables:

  • Exporting in a shell, example: export INFRAHUB_ADDRESS="http://localhost:8000"
  • Using a .env file
  • Using direnv
Note: infrahubctl has its own environment variables. See the infrahubctl documentation for more information.

Main

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_DOCS_INDEX_PATH | Full path of saved json containing pre-indexed documentation | string | /opt/infrahub/docs/build/search-index.json |
| INFRAHUB_INTERNAL_ADDRESS | None | None | None |
| INFRAHUB_ALLOW_ANONYMOUS_ACCESS | Indicates if the system allows anonymous read access | boolean | True |
| INFRAHUB_ANONYMOUS_ACCESS_ROLE | Name of the role defining which permissions anonymous users have | string | Anonymous User |
| INFRAHUB_TELEMETRY_OPTOUT | Disable anonymous usage reporting | boolean | False |
| INFRAHUB_TELEMETRY_ENDPOINT | None | string | https://telemetry.opsmill.cloud/infrahub |
| INFRAHUB_PERMISSION_BACKENDS | List of modules to handle permissions, they will be run in the given order | array[string] | ['infrahub.permissions.LocalPermissionBackend'] |
| INFRAHUB_PUBLIC_URL | Define the public URL of the Infrahub, might be required for OAuth2 and OIDC depending on your infrastructure. | None | None |
| INFRAHUB_SCHEMA_STRICT_MODE | Enable strict schema validation. When set to False, human_friendly_id schema fields should not necessarily target a unique combination of peer attributes. | boolean | True |

Api

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_API_CORS_ALLOW_ORIGINS | A list of origins that are authorized to make cross-site HTTP requests | array[string] | None |
| INFRAHUB_API_CORS_ALLOW_METHODS | A list of HTTP verbs that are allowed for the actual request | array[string] | None |
| INFRAHUB_API_CORS_ALLOW_HEADERS | The list of non-standard HTTP headers allowed in requests from the browser | array[string] | None |
| INFRAHUB_API_CORS_ALLOW_CREDENTIALS | If True, cookies will be allowed to be included in cross-site HTTP requests | boolean | True |

Git

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_GIT_REPOSITORIES_DIRECTORY | None | string | repositories |
| INFRAHUB_GIT_SYNC_INTERVAL | Time (in seconds) between git repositories synchronizations | integer | 10 |
| INFRAHUB_GIT_APPEND_GIT_SUFFIX | Automatically append '.git' to HTTP URLs for these domains. | array[string] | None |

Dev

The development settings are only relevant for local development.

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_DEV_FRONTEND_REDIRECT_SSO | Indicates if the frontend should be responsible for the SSO redirection | boolean | False |
| INFRAHUB_DEV_ALLOW_ENTERPRISE_CONFIGURATION | Allow enterprise configuration in development mode, this will not enable the features just allow the configuration. | boolean | False |

Http

The HTTP settings control how Infrahub interacts with external HTTP servers. This can be things like webhooks and OAuth2 providers.

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_HTTP_TIMEOUT | Default connection timeout in seconds | integer | 10 |
| INFRAHUB_HTTP_TLS_INSECURE | Indicates if Infrahub will validate server certificates or if the validation is ignored. | boolean | False |
| INFRAHUB_HTTP_TLS_CA_BUNDLE | Custom CA bundle in PEM format. The value should either be the CA bundle as a string, alternatively as a file path. | None | None |

Database

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_DB_INFRAHUB_DB_TYPE | None | string (neo4j, memgraph) | neo4j |
| INFRAHUB_DB_PROTOCOL | None | string | bolt |
| INFRAHUB_DB_USERNAME | None | string | neo4j |
| INFRAHUB_DB_PASSWORD | None | string | admin |
| INFRAHUB_DB_ADDRESS | None | string | localhost |
| INFRAHUB_DB_PORT | None | integer | 7687 |
| INFRAHUB_DB_DATABASE | Name of the database | None | None |
| INFRAHUB_DB_POLICY | Routing policy for database connections | None | None |
| INFRAHUB_DB_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
| INFRAHUB_DB_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
| INFRAHUB_DB_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
| INFRAHUB_DB_QUERY_SIZE_LIMIT | The max number of records to fetch in a single query before performing internal pagination. | integer | 5000 |
| INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHY | Maximum number of levels to search in a hierarchy. | integer | 5 |
| INFRAHUB_DB_RETRY_LIMIT | Maximum number of times a transient issue in a transaction should be retried. | integer | 3 |
| INFRAHUB_DB_MAX_CONCURRENT_QUERIES | Maximum number of concurrent queries that can run (0 means unlimited). | integer | 0 |
| INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAY | Delay to add when max_concurrent_queries is reached. | number | 0.01 |

Broker

Configuration settings for the message bus.

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_BROKER_ENABLE | None | boolean | True |
| INFRAHUB_BROKER_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
| INFRAHUB_BROKER_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
| INFRAHUB_BROKER_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
| INFRAHUB_BROKER_USERNAME | None | string | infrahub |
| INFRAHUB_BROKER_PASSWORD | None | string | infrahub |
| INFRAHUB_BROKER_ADDRESS | None | string | localhost |
| INFRAHUB_BROKER_PORT | Specified if running on a non default port. | None | None |
| INFRAHUB_BROKER_RABBITMQ_HTTP_PORT | None | None | None |
| INFRAHUB_BROKER_NAMESPACE | None | string | infrahub |
| INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES | The maximum number of retries that are attempted for failed messages | integer | 10 |
| INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES | The maximum number of concurrent messages fetched by each worker | integer | 2 |
| INFRAHUB_BROKER_VIRTUALHOST | The virtual host to connect to | string | / |
| INFRAHUB_BROKER_DRIVER | None | string (rabbitmq, nats) | rabbitmq |

Cache

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_CACHE_ENABLE | None | boolean | True |
| INFRAHUB_CACHE_ADDRESS | None | string | localhost |
| INFRAHUB_CACHE_PORT | Specified if running on a non default port (6379) | None | None |
| INFRAHUB_CACHE_DATABASE | Id of the database to use | integer | 0 |
| INFRAHUB_CACHE_DRIVER | None | string (redis, nats) | redis |
| INFRAHUB_CACHE_USERNAME | None | string | |
| INFRAHUB_CACHE_PASSWORD | None | string | |
| INFRAHUB_CACHE_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
| INFRAHUB_CACHE_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
| INFRAHUB_CACHE_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |

Workflow

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_WORKFLOW_ENABLE | None | boolean | True |
| INFRAHUB_WORKFLOW_ADDRESS | None | string | localhost |
| INFRAHUB_WORKFLOW_PORT | Specified if running on a non default port. | None | None |
| INFRAHUB_WORKFLOW_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
| INFRAHUB_WORKFLOW_DRIVER | None | string (local, worker) | worker |
| INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE | None | string | infrahubasync |
| INFRAHUB_WORKFLOW_EXTRA_LOGGERS | A list of additional loggers that will be captured during task execution. | array[string] | None |
| INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL | Log level applied to all extra loggers. | string (CRITICAL, ERROR, WARNING, INFO, DEBUG) | INFO |
| INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL | Specify how often the worker should poll the server for tasks (sec) | integer | 2 |

Miscellaneous

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_MISC_PRINT_QUERY_DETAILS | None | boolean | False |
| INFRAHUB_MISC_START_BACKGROUND_RUNNER | None | boolean | True |
| INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIME | The maximum allowed time (in seconds) for a validator to run. | integer | 1800 |
| INFRAHUB_MISC_RESPONSE_DELAY | Arbitrary delay to add when processing API requests. | integer | 0 |

Analytics

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_ANALYTICS_ENABLE | None | boolean | True |
| INFRAHUB_ANALYTICS_ADDRESS | None | None | None |
| INFRAHUB_ANALYTICS_API_KEY | None | None | None |

Initial

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_INITIAL_DEFAULT_BRANCH | Defines the name of the default branch within Infrahub, can only be set once during initialization of the system. | string | main |
| INFRAHUB_INITIAL_ADMIN_TOKEN | An optional initial token for the admin account. | None | None |
| INFRAHUB_INITIAL_ADMIN_PASSWORD | The initial password for the admin user | string | infrahub |
| INFRAHUB_INITIAL_AGENT_TOKEN | An optional initial token for a git-agent account. | None | None |
| INFRAHUB_INITIAL_AGENT_PASSWORD | An optional initial password for a git-agent account. | None | None |

Policy

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALS | Number of approvals required for proposed changes. (Enterprise only: not available in the community version.) | integer | 0 |
| INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALS | Boolean indicating whether performing changes on a proposed change branch should revoke existing approvals. (Enterprise only: not available in the community version.) | boolean | False |

Security

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIME | Lifetime of access token in seconds | integer | 3600 |
| INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME | Lifetime of refresh token in seconds | integer | 2592000 |
| INFRAHUB_SECURITY_SECRET_KEY | The secret key used to validate authentication tokens | string | None |
| INFRAHUB_SECURITY_OAUTH2_PROVIDERS | The selected OAuth2 providers | array | None |
| INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS | None | object | Check nested parameters |
| INFRAHUB_SECURITY_OIDC_PROVIDERS | The selected OIDC providers | array | None |
| INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS | None | object | Check nested parameters |
| INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS | Indicates if untrusted Jinja2 filters should be disallowed for computed attributes | boolean | True |
| INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP | Name of the group to which users authenticated via SSO will belong if not provided by identity provider | None | None |

INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_OAUTH2_GOOGLE_ICON | None | string | mdi:google |
| INFRAHUB_OAUTH2_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
| INFRAHUB_OAUTH2_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
| INFRAHUB_OAUTH2_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
| INFRAHUB_OAUTH2_GOOGLE_AUTHORIZATION_URL | None | string | https://accounts.google.com/o/oauth2/auth |
| INFRAHUB_OAUTH2_GOOGLE_TOKEN_URL | None | string | https://oauth2.googleapis.com/token |
| INFRAHUB_OAUTH2_GOOGLE_USERINFO_URL | None | string | https://www.googleapis.com/oauth2/v3/userinfo |
| INFRAHUB_OAUTH2_GOOGLE_SCOPES | None | array[string] | None |
| INFRAHUB_OAUTH2_GOOGLE_DISPLAY_LABEL | None | string | Google |
| INFRAHUB_OAUTH2_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scopes: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
| INFRAHUB_OAUTH2_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
| INFRAHUB_OAUTH2_PROVIDER1_ICON | None | string | mdi:account-key |
| INFRAHUB_OAUTH2_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
| INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
| INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
| INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL | None | string | None |
| INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL | None | string | None |
| INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL | None | string | None |
| INFRAHUB_OAUTH2_PROVIDER1_SCOPES | None | array[string] | None |
| INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
| INFRAHUB_OAUTH2_PROVIDER2_ICON | None | string | mdi:account-key |
| INFRAHUB_OAUTH2_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
| INFRAHUB_OAUTH2_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
| INFRAHUB_OAUTH2_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
| INFRAHUB_OAUTH2_PROVIDER2_AUTHORIZATION_URL | None | string | None |
| INFRAHUB_OAUTH2_PROVIDER2_TOKEN_URL | None | string | None |
| INFRAHUB_OAUTH2_PROVIDER2_USERINFO_URL | None | string | None |
| INFRAHUB_OAUTH2_PROVIDER2_SCOPES | None | array[string] | None |
| INFRAHUB_OAUTH2_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |

INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_OIDC_GOOGLE_ICON | None | string | mdi:google |
| INFRAHUB_OIDC_GOOGLE_DISPLAY_LABEL | None | string | Google |
| INFRAHUB_OIDC_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
| INFRAHUB_OIDC_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
| INFRAHUB_OIDC_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
| INFRAHUB_OIDC_GOOGLE_DISCOVERY_URL | None | string | https://accounts.google.com/.well-known/openid-configuration |
| INFRAHUB_OIDC_GOOGLE_SCOPES | None | array[string] | None |
| INFRAHUB_OIDC_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scope: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
| INFRAHUB_OIDC_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
| INFRAHUB_OIDC_PROVIDER1_ICON | None | string | mdi:account-key |
| INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
| INFRAHUB_OIDC_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
| INFRAHUB_OIDC_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
| INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
| INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
| INFRAHUB_OIDC_PROVIDER1_SCOPES | None | array[string] | None |
| INFRAHUB_OIDC_PROVIDER2_ICON | None | string | mdi:account-key |
| INFRAHUB_OIDC_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
| INFRAHUB_OIDC_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
| INFRAHUB_OIDC_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
| INFRAHUB_OIDC_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
| INFRAHUB_OIDC_PROVIDER2_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
| INFRAHUB_OIDC_PROVIDER2_SCOPES | None | array[string] | None |

Storage

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_STORAGE_DRIVER | None | string (local, s3) | local |
| INFRAHUB_STORAGE_LOCAL | None | object | Check nested parameters |
| INFRAHUB_STORAGE_S3 | None | object | Check nested parameters |

INFRAHUB_STORAGE_LOCAL

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_STORAGE_LOCAL_PATH | None | string | /opt/infrahub/storage |

INFRAHUB_STORAGE_S3

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| AWS_ACCESS_KEY_ID | None | string | |
| AWS_SECRET_ACCESS_KEY | None | string | |
| INFRAHUB_STORAGE_BUCKET_NAME | None | string | |
| INFRAHUB_STORAGE_ENDPOINT_URL | None | string | |
| INFRAHUB_STORAGE_USE_SSL | None | boolean | True |
| INFRAHUB_STORAGE_DEFAULT_ACL | None | string | private |
| INFRAHUB_STORAGE_QUERYSTRING_AUTH | None | boolean | False |
| INFRAHUB_STORAGE_CUSTOM_DOMAIN | None | string | |

Trace

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_TRACE_ENABLE | None | boolean | False |
| INFRAHUB_TRACE_INSECURE | Use insecure connection (HTTP) if True, otherwise use secure connection (HTTPS) | boolean | True |
| INFRAHUB_TRACE_EXPORTER_TYPE | Type of exporter to be used for tracing | string (console, otlp) | console |
| INFRAHUB_TRACE_EXPORTER_PROTOCOL | Protocol to be used for exporting traces | string (grpc, http/protobuf) | grpc |
| INFRAHUB_TRACE_EXPORTER_ENDPOINT | OTLP endpoint for exporting traces | None | None |

Experimental features

| Name | Description | Type | Default |
| --- | --- | --- | --- |
| INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMS | None | boolean | False |
| INFRAHUB_EXPERIMENTAL_VALUE_DB_INDEX | None | boolean | False |
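
Several defaults in the tables above deserve a review before a deployment is exposed: default credentials, the TLS switches for backing services, and anonymous read access. The following added example, which is not part of the Infrahub documentation or code base, parses a .env file and reports which of those settings still resolve to a flagged value. The selection of flagged settings, the accepted boolean spellings and the sample file are assumptions of this example.

```python
# Added example: defaults are copied from this page; what gets flagged is this example's choice.
DEFAULT_SECRETS = {  # variable -> default value documented on this page
    "INFRAHUB_DB_PASSWORD": "admin",
    "INFRAHUB_BROKER_PASSWORD": "infrahub",
    "INFRAHUB_INITIAL_ADMIN_PASSWORD": "infrahub",
}
# Boolean variable -> (documented default, value this example flags)
FLAGGED_BOOLEANS = {
    "INFRAHUB_ALLOW_ANONYMOUS_ACCESS": (True, True),
    "INFRAHUB_HTTP_TLS_INSECURE": (False, True),
    "INFRAHUB_DB_TLS_INSECURE": (False, True),
    "INFRAHUB_BROKER_TLS_INSECURE": (False, True),
    "INFRAHUB_DB_TLS_ENABLED": (False, False),
    "INFRAHUB_BROKER_TLS_ENABLED": (False, False),
    "INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS": (True, False),
}
TRUTHY = {"1", "true", "yes", "on"}  # assumption: accepted spellings of True

def parse_env(text):
    """Parse KEY=VALUE lines; tolerates 'export ', comments and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip().removeprefix("export ")
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def audit(env):
    """Return sorted (variable, reason) findings for the given settings."""
    findings = []
    for name, default in DEFAULT_SECRETS.items():
        if env.get(name, default) == default:
            findings.append((name, "documented default credential in use"))
    for name, (default, flagged) in FLAGGED_BOOLEANS.items():
        value = env[name].lower() in TRUTHY if name in env else default
        if value == flagged:
            origin = "explicit" if name in env else "default"
            findings.append((name, f"{origin} value {value}"))
    return sorted(findings)

SAMPLE_ENV = '''# constructed sample, not a real deployment
export INFRAHUB_DB_PASSWORD="admin"
INFRAHUB_INITIAL_ADMIN_PASSWORD="S0me-Long-Constructed-Value"
INFRAHUB_ALLOW_ANONYMOUS_ACCESS=false
INFRAHUB_DB_TLS_ENABLED=true
INFRAHUB_HTTP_TLS_INSECURE=True
'''
```

Calling `audit(parse_env(SAMPLE_ENV))` returns one tuple per finding; an unset variable is evaluated at the default listed on this page, so an empty file still produces findings.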