Infrahub configuration
The Infrahub containers have a number of environment variables available at runtime to affect their behavior.
Here are a few common methods of setting environment variables:
- Exporting in a shell, example:
export INFRAHUB_ADDRESS="http://localhost:8000"
- Using a .env file
- Using direnv
Note: infrahubctl has its own environment variables. See the infrahubctl documentation for more information.
Main
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_DOCS_INDEX_PATH | Full path of saved json containing pre-indexed documentation | string | /opt/infrahub/docs/build/search-index.json |
INFRAHUB_INTERNAL_ADDRESS | None | None | None |
INFRAHUB_ALLOW_ANONYMOUS_ACCESS | Indicates if the system allows anonymous read access | boolean | True |
INFRAHUB_ANONYMOUS_ACCESS_ROLE | Name of the role defining which permissions anonymous users have | string | Anonymous User |
INFRAHUB_TELEMETRY_OPTOUT | Disable anonymous usage reporting | boolean | False |
INFRAHUB_TELEMETRY_ENDPOINT | None | string | https://telemetry.opsmill.cloud/infrahub |
INFRAHUB_PERMISSION_BACKENDS | List of modules to handle permissions; they are run in the given order | array[string] | ['infrahub.permissions.LocalPermissionBackend'] |
INFRAHUB_PUBLIC_URL | Defines the public URL of Infrahub; might be required for OAuth2 and OIDC depending on your infrastructure. | None | None |
INFRAHUB_SCHEMA_STRICT_MODE | Enable strict schema validation. When set to False, human_friendly_id schema fields do not necessarily have to target a unique combination of peer attributes. | boolean | True |
Api
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_API_CORS_ALLOW_ORIGINS | A list of origins that are authorized to make cross-site HTTP requests | array[string] | None |
INFRAHUB_API_CORS_ALLOW_METHODS | A list of HTTP verbs that are allowed for the actual request | array[string] | None |
INFRAHUB_API_CORS_ALLOW_HEADERS | The list of non-standard HTTP headers allowed in requests from the browser | array[string] | None |
INFRAHUB_API_CORS_ALLOW_CREDENTIALS | If True, cookies will be allowed to be included in cross-site HTTP requests | boolean | True |
Git
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_GIT_REPOSITORIES_DIRECTORY | None | string | repositories |
INFRAHUB_GIT_SYNC_INTERVAL | Time (in seconds) between git repositories synchronizations | integer | 10 |
INFRAHUB_GIT_APPEND_GIT_SUFFIX | Automatically append '.git' to HTTP URLs for these domains. | array[string] | None |
Dev
The development settings are only relevant for local development.
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_DEV_FRONTEND_REDIRECT_SSO | Indicates if the frontend should be responsible for the SSO redirection | boolean | False |
INFRAHUB_DEV_ALLOW_ENTERPRISE_CONFIGURATION | Allow enterprise configuration in development mode; this does not enable the features, it only allows the configuration. | boolean | False |
Http
The HTTP settings control how Infrahub interacts with external HTTP servers. This can be things like webhooks and OAuth2 providers.
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_HTTP_TIMEOUT | Default connection timeout in seconds | integer | 10 |
INFRAHUB_HTTP_TLS_INSECURE | Indicates if Infrahub will validate server certificates or if the validation is ignored. | boolean | False |
INFRAHUB_HTTP_TLS_CA_BUNDLE | Custom CA bundle in PEM format. The value should be either the CA bundle as a string or a file path. | None | None |
Database
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_DB_INFRAHUB_DB_TYPE | None | string (neo4j, memgraph) | neo4j |
INFRAHUB_DB_PROTOCOL | None | string | bolt |
INFRAHUB_DB_USERNAME | None | string | neo4j |
INFRAHUB_DB_PASSWORD | None | string | admin |
INFRAHUB_DB_ADDRESS | None | string | localhost |
INFRAHUB_DB_PORT | None | integer | 7687 |
INFRAHUB_DB_DATABASE | Name of the database | None | None |
INFRAHUB_DB_POLICY | Routing policy for database connections | None | None |
INFRAHUB_DB_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_DB_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_DB_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_DB_QUERY_SIZE_LIMIT | The max number of records to fetch in a single query before performing internal pagination. | integer | 5000 |
INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHY | Maximum number of levels to search in a hierarchy. | integer | 5 |
INFRAHUB_DB_RETRY_LIMIT | Maximum number of times a transient issue in a transaction should be retried. | integer | 3 |
INFRAHUB_DB_MAX_CONCURRENT_QUERIES | Maximum number of concurrent queries that can run (0 means unlimited). | integer | 0 |
INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAY | Delay to add when max_concurrent_queries is reached. | number | 0.01 |
Broker
Configuration settings for the message bus.
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_BROKER_ENABLE | None | boolean | True |
INFRAHUB_BROKER_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_BROKER_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_BROKER_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_BROKER_USERNAME | None | string | infrahub |
INFRAHUB_BROKER_PASSWORD | None | string | infrahub |
INFRAHUB_BROKER_ADDRESS | None | string | localhost |
INFRAHUB_BROKER_PORT | Specified if running on a non default port. | None | None |
INFRAHUB_BROKER_RABBITMQ_HTTP_PORT | None | None | None |
INFRAHUB_BROKER_NAMESPACE | None | string | infrahub |
INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES | The maximum number of retries that are attempted for failed messages | integer | 10 |
INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES | The maximum number of concurrent messages fetched by each worker | integer | 2 |
INFRAHUB_BROKER_VIRTUALHOST | The virtual host to connect to | string | / |
INFRAHUB_BROKER_DRIVER | None | string (rabbitmq, nats) | rabbitmq |
Cache
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_CACHE_ENABLE | None | boolean | True |
INFRAHUB_CACHE_ADDRESS | None | string | localhost |
INFRAHUB_CACHE_PORT | Specified if running on a non default port (6379) | None | None |
INFRAHUB_CACHE_DATABASE | Id of the database to use | integer | 0 |
INFRAHUB_CACHE_DRIVER | None | string (redis, nats) | redis |
INFRAHUB_CACHE_USERNAME | None | string | |
INFRAHUB_CACHE_PASSWORD | None | string | |
INFRAHUB_CACHE_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_CACHE_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_CACHE_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
Workflow
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_WORKFLOW_ENABLE | None | boolean | True |
INFRAHUB_WORKFLOW_ADDRESS | None | string | localhost |
INFRAHUB_WORKFLOW_PORT | Specified if running on a non default port. | None | None |
INFRAHUB_WORKFLOW_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_WORKFLOW_DRIVER | None | string (local, worker) | worker |
INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE | None | string | infrahubasync |
INFRAHUB_WORKFLOW_EXTRA_LOGGERS | A list of additional loggers that will be captured during task execution. | array[string] | None |
INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL | Log level applied to all extra loggers. | string (CRITICAL, ERROR, WARNING, INFO, DEBUG) | INFO |
INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL | Specify how often the worker should poll the server for tasks (sec) | integer | 2 |
Miscellaneous
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_MISC_PRINT_QUERY_DETAILS | None | boolean | False |
INFRAHUB_MISC_START_BACKGROUND_RUNNER | None | boolean | True |
INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIME | The maximum allowed time (in seconds) for a validator to run. | integer | 1800 |
INFRAHUB_MISC_RESPONSE_DELAY | Arbitrary delay to add when processing API requests. | integer | 0 |
Analytics
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_ANALYTICS_ENABLE | None | boolean | True |
INFRAHUB_ANALYTICS_ADDRESS | None | None | None |
INFRAHUB_ANALYTICS_API_KEY | None | None | None |
Initial
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_INITIAL_DEFAULT_BRANCH | Defines the name of the default branch within Infrahub, can only be set once during initialization of the system. | string | main |
INFRAHUB_INITIAL_ADMIN_TOKEN | An optional initial token for the admin account. | None | None |
INFRAHUB_INITIAL_ADMIN_PASSWORD | The initial password for the admin user | string | infrahub |
INFRAHUB_INITIAL_AGENT_TOKEN | An optional initial token for a git-agent account. | None | None |
INFRAHUB_INITIAL_AGENT_PASSWORD | An optional initial password for a git-agent account. | None | None |
Policy
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALS | Number of approvals required for proposed changes. (Enterprise only: not available in the community version.) | integer | 0 |
INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALS | Boolean indicating whether performing changes on a proposed change branch should revoke existing approvals. (Enterprise only: not available in the community version.) | boolean | False |
Security
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIME | Lifetime of access token in seconds | integer | 3600 |
INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME | Lifetime of refresh token in seconds | integer | 2592000 |
INFRAHUB_SECURITY_SECRET_KEY | The secret key used to validate authentication tokens | string | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDERS | The selected OAuth2 providers | array | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS | None | object | Check nested parameters |
INFRAHUB_SECURITY_OIDC_PROVIDERS | The selected OIDC providers | array | None |
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS | None | object | Check nested parameters |
INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS | Indicates if untrusted Jinja2 filters should be disallowed for computed attributes | boolean | True |
INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP | Name of the group to which users authenticated via SSO will belong if not provided by identity provider | None | None |
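Several defaults in the tables above are credentials or permissive flags that should not survive into a production deployment. The following pre-deployment check is an added example, not part of the Infrahub documentation or code base; it compares an environment against the defaults documented on this page. The accepted truthy spellings and the reading of a `*_TLS_INSECURE` value of True as "certificate verification disabled" are assumptions.

```python
import os

# Defaults as listed in the tables on this page; a value equal to one of these
# means the shipped credential is still in use.
DEFAULT_SECRETS = {
    "INFRAHUB_DB_PASSWORD": "admin",
    "INFRAHUB_BROKER_PASSWORD": "infrahub",
    "INFRAHUB_INITIAL_ADMIN_PASSWORD": "infrahub",
}
# Boolean settings treated as risky when True, mapped to their documented defaults.
RISKY_WHEN_TRUE = {
    "INFRAHUB_ALLOW_ANONYMOUS_ACCESS": True,
    "INFRAHUB_HTTP_TLS_INSECURE": False,
    "INFRAHUB_DB_TLS_INSECURE": False,
    "INFRAHUB_BROKER_TLS_INSECURE": False,
    "INFRAHUB_CACHE_TLS_INSECURE": False,
}
TRUTHY = {"1", "true", "yes", "on"}  # assumed spellings, not taken from Infrahub


def audit(env):
    """Return sorted (variable, finding) pairs for a mapping of environment values."""
    findings = []
    for name, default in DEFAULT_SECRETS.items():
        # An unset variable falls back to the documented default.
        if env.get(name, default) == default:
            findings.append((name, "documented default credential in use"))
    for name, default in RISKY_WHEN_TRUE.items():
        raw = env.get(name)
        enabled = default if raw is None else raw.strip().lower() in TRUTHY
        if enabled:
            findings.append((name, "enabled"))
    # The Security table lists no default for the token-validation key.
    if not env.get("INFRAHUB_SECURITY_SECRET_KEY"):
        findings.append(("INFRAHUB_SECURITY_SECRET_KEY", "not set explicitly"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit(os.environ):
        print(f"{name}: {finding}")
```

Run it inside the container, or with the same .env loaded, so that it sees the values Infrahub will see.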
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_OAUTH2_GOOGLE_ICON | None | string | mdi:google |
INFRAHUB_OAUTH2_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OAUTH2_GOOGLE_AUTHORIZATION_URL | None | string | https://accounts.google.com/o/oauth2/auth |
INFRAHUB_OAUTH2_GOOGLE_TOKEN_URL | None | string | https://oauth2.googleapis.com/token |
INFRAHUB_OAUTH2_GOOGLE_USERINFO_URL | None | string | https://www.googleapis.com/oauth2/v3/userinfo |
INFRAHUB_OAUTH2_GOOGLE_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_GOOGLE_DISPLAY_LABEL | None | string | |
INFRAHUB_OAUTH2_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scopes: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
INFRAHUB_OAUTH2_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
INFRAHUB_OAUTH2_PROVIDER1_ICON | None | string | mdi:account-key |
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OAUTH2_PROVIDER2_ICON | None | string | mdi:account-key |
INFRAHUB_OAUTH2_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER2_AUTHORIZATION_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_TOKEN_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_USERINFO_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_OIDC_GOOGLE_ICON | None | string | mdi:google |
INFRAHUB_OIDC_GOOGLE_DISPLAY_LABEL | None | string | |
INFRAHUB_OIDC_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OIDC_GOOGLE_DISCOVERY_URL | None | string | https://accounts.google.com/.well-known/openid-configuration |
INFRAHUB_OIDC_GOOGLE_SCOPES | None | array[string] | None |
INFRAHUB_OIDC_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scope: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
INFRAHUB_OIDC_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
INFRAHUB_OIDC_PROVIDER1_ICON | None | string | mdi:account-key |
INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OIDC_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
INFRAHUB_OIDC_PROVIDER1_SCOPES | None | array[string] | None |
INFRAHUB_OIDC_PROVIDER2_ICON | None | string | mdi:account-key |
INFRAHUB_OIDC_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OIDC_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OIDC_PROVIDER2_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
INFRAHUB_OIDC_PROVIDER2_SCOPES | None | array[string] | None |
Storage
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_STORAGE_DRIVER | None | string (local, s3) | local |
INFRAHUB_STORAGE_LOCAL | None | object | Check nested parameters |
INFRAHUB_STORAGE_S3 | None | object | Check nested parameters |
INFRAHUB_STORAGE_LOCAL
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_STORAGE_LOCAL_PATH | None | string | /opt/infrahub/storage |
INFRAHUB_STORAGE_S3
Name | Description | Type | Default |
---|---|---|---|
AWS_ACCESS_KEY_ID | None | string | |
AWS_SECRET_ACCESS_KEY | None | string | |
INFRAHUB_STORAGE_BUCKET_NAME | None | string | |
INFRAHUB_STORAGE_ENDPOINT_URL | None | string | |
INFRAHUB_STORAGE_USE_SSL | None | boolean | True |
INFRAHUB_STORAGE_DEFAULT_ACL | None | string | private |
INFRAHUB_STORAGE_QUERYSTRING_AUTH | None | boolean | False |
INFRAHUB_STORAGE_CUSTOM_DOMAIN | None | string | |
Trace
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_TRACE_ENABLE | None | boolean | False |
INFRAHUB_TRACE_INSECURE | Use insecure connection (HTTP) if True, otherwise use secure connection (HTTPS) | boolean | True |
INFRAHUB_TRACE_EXPORTER_TYPE | Type of exporter to be used for tracing | string (console, otlp) | console |
INFRAHUB_TRACE_EXPORTER_PROTOCOL | Protocol to be used for exporting traces | string (grpc, http/protobuf) | grpc |
INFRAHUB_TRACE_EXPORTER_ENDPOINT | OTLP endpoint for exporting traces | None | None |
Experimental features
Name | Description | Type | Default |
---|---|---|---|
INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMS | None | boolean | False |
INFRAHUB_EXPERIMENTAL_VALUE_DB_INDEX | None | boolean | False |