Infrahub configuration
The Infrahub containers have a number of environmental variables available at runtime to affect their behavior.
Here are a few common methods of setting environmental variables:
- Exporting in a shell, example:
export INFRAHUB_ADDRESS="http://localhost:8000" - Using a
.envfile - Using direnv
note
infrahubctl has it's own environmental variables. See the infrahubctl documentation for more information.
Main
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DOCS_INDEX_PATH | Full path of saved json containing pre-indexed documentation | string | /opt/infrahub/docs/build/search-index.json |
INFRAHUB_INTERNAL_ADDRESS | None | None | None |
INFRAHUB_ALLOW_ANONYMOUS_ACCESS | Indicates if the system allows anonymous read access | boolean | True |
INFRAHUB_ANONYMOUS_ACCESS_ROLE | Name of the role defining which permissions anonymous users have | string | Anonymous User |
INFRAHUB_TELEMETRY_OPTOUT | Disable anonymous usage reporting | boolean | False |
INFRAHUB_TELEMETRY_ENDPOINT | None | string | https://telemetry.opsmill.cloud/infrahub |
INFRAHUB_PERMISSION_BACKENDS | List of modules to handle permissions, they will be run in the given order | array[string] | ['infrahub.permissions.LocalPermissionBackend'] |
INFRAHUB_PUBLIC_URL | Define the public URL of the Infrahub, might be required for OAuth2 and OIDC depending on your infrastructure. | None | None |
INFRAHUB_SCHEMA_STRICT_MODE | Enable strict schema validation. When set to False, human_friendly_id schema fields should not necessarily target a unique combination of peer attributes. | boolean | True |
Api
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_API_CORS_ALLOW_ORIGINS | A list of origins that are authorized to make cross-site HTTP requests | array[string] | None |
INFRAHUB_API_CORS_ALLOW_METHODS | A list of HTTP verbs that are allowed for the actual request | array[string] | None |
INFRAHUB_API_CORS_ALLOW_HEADERS | The list of non-standard HTTP headers allowed in requests from the browser | array[string] | None |
INFRAHUB_API_CORS_ALLOW_CREDENTIALS | If True, cookies will be allowed to be included in cross-site HTTP requests | boolean | True |
Git
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_GIT_REPOSITORIES_DIRECTORY | None | string | repositories |
INFRAHUB_GIT_SYNC_INTERVAL | Time (in seconds) between git repositories synchronizations | integer | 10 |
INFRAHUB_GIT_APPEND_GIT_SUFFIX | Automatically append '.git' to HTTP URLs if for these domains. | array[string] | None |
INFRAHUB_GIT_IMPORT_SYNC_BRANCH_NAMES | Names or regex of branches to be created in infrahub during import e.g. 'infrahub/.', 'release/.', '^branch-'. Note: other branches created with sync with git will be imported also | array[string] | None |
INFRAHUB_GIT_USER_NAME | User name of the git user. This will be used as the user name when Infrahub commits code to a repository | string | Infrahub |
INFRAHUB_GIT_USER_EMAIL | Email of the git user. This will be used as the user email when Infrahub commits code to a repository | string | infrahub@opsmill.com |
INFRAHUB_GIT_GLOBAL_CONFIG_FILE | The location of the git config file. This will be set as the system GIT_CONFIG_GLOBAL environment variable if the environment variable is not initially set | string | /opt/infrahub/.gitconfig |
INFRAHUB_GIT_USE_EXPLICIT_MERGE_COMMIT | Whether to allow explicit merge commits when infrahub merges branches | boolean | False |
Dev
The development settings are only relevant for local development
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DEV_FRONTEND_REDIRECT_SSO | Indicates of the frontend should be responsible for the SSO redirection | boolean | False |
INFRAHUB_DEV_ALLOW_ENTERPRISE_CONFIGURATION | Allow enterprise configuration in development mode, this will not enable the features just allow the configuration. | boolean | False |
INFRAHUB_DEV_GIT_CREDENTIAL_HELPER | Location of git credential helper | string | /usr/local/bin/infrahub-git-credential |
Http
The HTTP settings control how Infrahub interacts with external HTTP servers. This can be things like webhooks and OAuth2 providers.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_HTTP_TIMEOUT | Default connection timeout in seconds | integer | 10 |
INFRAHUB_HTTP_TLS_INSECURE | Indicates if Infrahub will validate server certificates or if the validation is ignored. | boolean | False |
INFRAHUB_HTTP_TLS_CA_BUNDLE | Custom CA bundle in PEM format. The value should either be the CA bundle as a string, alternatively as a file path. | None | None |
Database
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_DB_INFRAHUB_DB_TYPE | None | string (neo4j, memgraph) | neo4j |
INFRAHUB_DB_PROTOCOL | None | string | bolt |
INFRAHUB_DB_USERNAME | None | string | neo4j |
INFRAHUB_DB_PASSWORD | None | string | admin |
INFRAHUB_DB_ADDRESS | None | string | localhost |
INFRAHUB_DB_PORT | None | integer | 7687 |
INFRAHUB_DB_DATABASE | Name of the database | None | None |
INFRAHUB_DB_POLICY | Routing policy for database connections | None | None |
INFRAHUB_DB_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_DB_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_DB_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_DB_QUERY_SIZE_LIMIT | The max number of records to fetch in a single query before performing internal pagination. | integer | 5000 |
INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHY | Maximum number of level to search in a hierarchy. | integer | 5 |
INFRAHUB_DB_RETRY_LIMIT | Maximum number of times a transient issue in a transaction should be retried. | integer | 3 |
INFRAHUB_DB_MAX_CONCURRENT_QUERIES | Maximum number of concurrent queries that can run (0 means unlimited). | integer | 0 |
INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAY | Delay to add when max_concurrent_queries is reached. | number | 0.01 |
Broker
Configuration settings for the message bus.
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_BROKER_ENABLE | None | boolean | True |
INFRAHUB_BROKER_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_BROKER_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_BROKER_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_BROKER_USERNAME | None | string | infrahub |
INFRAHUB_BROKER_PASSWORD | None | string | infrahub |
INFRAHUB_BROKER_ADDRESS | None | string | localhost |
INFRAHUB_BROKER_PORT | Specified if running on a non default port. | None | None |
INFRAHUB_BROKER_RABBITMQ_HTTP_PORT | None | None | None |
INFRAHUB_BROKER_NAMESPACE | None | string | infrahub |
INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES | The maximum number of retries that are attempted for failed messages | integer | 10 |
INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES | The maximum number of concurrent messages fetched by each worker | integer | 2 |
INFRAHUB_BROKER_VIRTUALHOST | The virtual host to connect to | string | / |
INFRAHUB_BROKER_DRIVER | None | string (rabbitmq, nats) | rabbitmq |
Cache
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_CACHE_ENABLE | None | boolean | True |
INFRAHUB_CACHE_ADDRESS | None | string | localhost |
INFRAHUB_CACHE_PORT | Specified if running on a non default port (6379) | None | None |
INFRAHUB_CACHE_DATABASE | Id of the database to use | integer | 0 |
INFRAHUB_CACHE_DRIVER | None | string (redis, nats) | redis |
INFRAHUB_CACHE_USERNAME | None | string | |
INFRAHUB_CACHE_PASSWORD | None | string | |
INFRAHUB_CACHE_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_CACHE_TLS_INSECURE | Indicates if TLS certificates are verified | boolean | False |
INFRAHUB_CACHE_TLS_CA_FILE | File path to CA cert or bundle in PEM format | None | None |
INFRAHUB_CACHE_CLEAN_UP_DEADLOCKS_INTERVAL_MINS | Age threshold in minutes: locks older than this and owned by inactive workers are deleted by the cleanup task. | integer | 15 |
Workflow
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_WORKFLOW_ENABLE | None | boolean | True |
INFRAHUB_WORKFLOW_ADDRESS | None | string | localhost |
INFRAHUB_WORKFLOW_PORT | Specified if running on a non default port. | None | None |
INFRAHUB_WORKFLOW_TLS_ENABLED | Indicates if TLS is enabled for the connection | boolean | False |
INFRAHUB_WORKFLOW_DRIVER | None | string (local, worker) | worker |
INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE | None | string | infrahubasync |
INFRAHUB_WORKFLOW_EXTRA_LOGGERS | A list of additional logger that will be captured during task execution. | array[string] | None |
INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL | Log level applied to all extra loggers. | string (CRITICAL, ERROR, WARNING, INFO, DEBUG) | INFO |
INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL | Specify how often the worker should poll the server for tasks (sec) | integer | 2 |
Miscellaneous
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_MISC_PRINT_QUERY_DETAILS | None | boolean | False |
INFRAHUB_MISC_START_BACKGROUND_RUNNER | None | boolean | True |
INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIME | The maximum allowed time (in seconds) for a validator to run. | integer | 1800 |
INFRAHUB_MISC_RESPONSE_DELAY | Arbitrary delay to add when processing API requests. | integer | 0 |
Analytics
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_ANALYTICS_ENABLE | None | boolean | True |
INFRAHUB_ANALYTICS_ADDRESS | None | None | None |
INFRAHUB_ANALYTICS_API_KEY | None | None | None |
Initial
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_INITIAL_DEFAULT_BRANCH | Defines the name of the default branch within Infrahub, can only be set once during initialization of the system. | string | main |
INFRAHUB_INITIAL_ADMIN_TOKEN | An optional initial token for the admin account. | None | None |
INFRAHUB_INITIAL_ADMIN_PASSWORD | The initial password for the admin user | string | infrahub |
INFRAHUB_INITIAL_AGENT_TOKEN | An optional initial token for a git-agent account. | None | None |
INFRAHUB_INITIAL_AGENT_PASSWORD | An optional initial password for a git-agent account. | None | None |
Policy
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALS | Number of approvals required for proposed changes. (Enterprise only: not available in the community version.) | integer | 0 |
INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALS | Boolean indicating whether performing changes on a proposed change branch should revoke existing approvals. (Enterprise only: not available in the community version.) | boolean | False |
Security
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIME | Lifetime of access token in seconds | integer | 3600 |
INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME | Lifetime of refresh token in seconds | integer | 2592000 |
INFRAHUB_SECURITY_SECRET_KEY | The secret key used to validate authentication tokens | string | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDERS | The selected OAuth2 providers | array | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS | None | object | Check nested parameters |
INFRAHUB_SECURITY_OIDC_PROVIDERS | The selected OIDC providers | array | None |
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS | None | object | Check nested parameters |
INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS | Indicates if untrusted Jinja2 filters should be disallowed for computed attributes | boolean | True |
INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP | Name of the group to which users authenticated via SSO will belong if not provided by identity provider | None | None |
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_OAUTH2_GOOGLE_ICON | None | string | mdi:google |
INFRAHUB_OAUTH2_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OAUTH2_GOOGLE_AUTHORIZATION_URL | None | string | https://accounts.google.com/o/oauth2/auth |
INFRAHUB_OAUTH2_GOOGLE_TOKEN_URL | None | string | https://oauth2.googleapis.com/token |
INFRAHUB_OAUTH2_GOOGLE_USERINFO_URL | None | string | https://www.googleapis.com/oauth2/v3/userinfo |
INFRAHUB_OAUTH2_GOOGLE_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_GOOGLE_DISPLAY_LABEL | None | string | |
INFRAHUB_OAUTH2_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scopes: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
INFRAHUB_OAUTH2_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
INFRAHUB_OAUTH2_PROVIDER1_ICON | None | string | mdi:account-key |
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER1_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OAUTH2_PROVIDER2_ICON | None | string | mdi:account-key |
INFRAHUB_OAUTH2_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OAUTH2_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OAUTH2_PROVIDER2_AUTHORIZATION_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_TOKEN_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_USERINFO_URL | None | string | None |
INFRAHUB_OAUTH2_PROVIDER2_SCOPES | None | array[string] | None |
INFRAHUB_OAUTH2_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_OIDC_GOOGLE_ICON | None | string | mdi:google |
INFRAHUB_OIDC_GOOGLE_DISPLAY_LABEL | None | string | |
INFRAHUB_OIDC_GOOGLE_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_GOOGLE_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_GOOGLE_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OIDC_GOOGLE_DISCOVERY_URL | None | string | https://accounts.google.com/.well-known/openid-configuration |
INFRAHUB_OIDC_GOOGLE_SCOPES | None | array[string] | None |
INFRAHUB_OIDC_GOOGLE_FETCH_GROUPS | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scope: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
INFRAHUB_OIDC_GOOGLE_CLOUDIDENTITY_URL | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
INFRAHUB_OIDC_PROVIDER1_ICON | None | string | mdi:account-key |
INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OIDC_PROVIDER1_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_PROVIDER1_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
INFRAHUB_OIDC_PROVIDER1_SCOPES | None | array[string] | None |
INFRAHUB_OIDC_PROVIDER2_ICON | None | string | mdi:account-key |
INFRAHUB_OIDC_PROVIDER2_DISPLAY_LABEL | None | string | Single Sign on |
INFRAHUB_OIDC_PROVIDER2_USERINFO_METHOD | None | string (post, get) | get |
INFRAHUB_OIDC_PROVIDER2_CLIENT_ID | Client ID of the application created in the auth provider | string | None |
INFRAHUB_OIDC_PROVIDER2_CLIENT_SECRET | Client secret as defined in auth provider | string | None |
INFRAHUB_OIDC_PROVIDER2_DISCOVERY_URL | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
INFRAHUB_OIDC_PROVIDER2_SCOPES | None | array[string] | None |
Storage
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_STORAGE_DRIVER | None | string (local, s3) | local |
INFRAHUB_STORAGE_LOCAL | None | object | Check nested parameters |
INFRAHUB_STORAGE_S3 | None | object | Check nested parameters |
INFRAHUB_STORAGE_LOCAL
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_STORAGE_LOCAL_PATH | None | string | /opt/infrahub/storage |
INFRAHUB_STORAGE_S3
| Name | Description | Type | Default |
|---|---|---|---|
AWS_ACCESS_KEY_ID | None | string | |
AWS_SECRET_ACCESS_KEY | None | string | |
INFRAHUB_STORAGE_BUCKET_NAME | None | string | |
INFRAHUB_STORAGE_ENDPOINT_URL | None | string | |
INFRAHUB_STORAGE_USE_SSL | None | boolean | True |
INFRAHUB_STORAGE_DEFAULT_ACL | None | string | private |
INFRAHUB_STORAGE_QUERYSTRING_AUTH | None | boolean | False |
INFRAHUB_STORAGE_CUSTOM_DOMAIN | None | string |
Trace
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_TRACE_ENABLE | None | boolean | False |
INFRAHUB_TRACE_INSECURE | Use insecure connection (HTTP) if True, otherwise use secure connection (HTTPS) | boolean | True |
INFRAHUB_TRACE_EXPORTER_TYPE | Type of exporter to be used for tracing | string (console, otlp) | console |
INFRAHUB_TRACE_EXPORTER_PROTOCOL | Protocol to be used for exporting traces | string (grpc, http/protobuf) | grpc |
INFRAHUB_TRACE_EXPORTER_ENDPOINT | OTLP endpoint for exporting traces | None | None |
Experimental features
| Name | Description | Type | Default |
|---|---|---|---|
INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMS | None | boolean | False |
INFRAHUB_EXPERIMENTAL_VALUE_DB_INDEX | None | boolean | False |