Skip to main content

Infrahub configuration

The Infrahub containers have a number of environmental variables available at runtime to affect their behavior.

Here are a few common methods of setting environmental variables:

  • Exporting in a shell, example: export INFRAHUB_ADDRESS="http://localhost:8000"
  • Using a .env file
  • Using direnv
note

infrahubctl has it's own environmental variables. See the infrahubctl documentation for more information.

Main

NameDescriptionTypeDefault
INFRAHUB_DOCS_INDEX_PATHFull path of saved json containing pre-indexed documentationstring/opt/infrahub/docs/build/search-index.json
INFRAHUB_INTERNAL_ADDRESSNoneNoneNone
INFRAHUB_ALLOW_ANONYMOUS_ACCESSIndicates if the system allows anonymous read accessbooleanTrue
INFRAHUB_ANONYMOUS_ACCESS_ROLEName of the role defining which permissions anonymous users havestringAnonymous User
INFRAHUB_TELEMETRY_OPTOUTDisable anonymous usage reportingbooleanFalse
INFRAHUB_TELEMETRY_ENDPOINTNonestringhttps://telemetry.opsmill.cloud/infrahub
INFRAHUB_PERMISSION_BACKENDSList of modules to handle permissions, they will be run in the given orderarray[string]['infrahub.permissions.LocalPermissionBackend']
INFRAHUB_PUBLIC_URLDefine the public URL of the Infrahub, might be required for OAuth2 and OIDC depending on your infrastructure.NoneNone
INFRAHUB_SCHEMA_STRICT_MODEEnable strict schema validation. When set to False, human_friendly_id schema fields should not necessarily target a unique combination of peer attributes.booleanTrue

Api

NameDescriptionTypeDefault
INFRAHUB_API_CORS_ALLOW_ORIGINSA list of origins that are authorized to make cross-site HTTP requestsarray[string]None
INFRAHUB_API_CORS_ALLOW_METHODSA list of HTTP verbs that are allowed for the actual requestarray[string]None
INFRAHUB_API_CORS_ALLOW_HEADERSThe list of non-standard HTTP headers allowed in requests from the browserarray[string]None
INFRAHUB_API_CORS_ALLOW_CREDENTIALSIf True, cookies will be allowed to be included in cross-site HTTP requestsbooleanTrue

Git

NameDescriptionTypeDefault
INFRAHUB_GIT_REPOSITORIES_DIRECTORYNonestringrepositories
INFRAHUB_GIT_SYNC_INTERVALTime (in seconds) between git repositories synchronizationsinteger10
INFRAHUB_GIT_APPEND_GIT_SUFFIXAutomatically append '.git' to HTTP URLs if for these domains.array[string]None

Dev

The development settings are only relevant for local development

NameDescriptionTypeDefault
INFRAHUB_DEV_FRONTEND_REDIRECT_SSOIndicates of the frontend should be responsible for the SSO redirectionbooleanFalse
INFRAHUB_DEV_ALLOW_ENTERPRISE_CONFIGURATIONAllow enterprise configuration in development mode, this will not enable the features just allow the configuration.booleanFalse

Http

The HTTP settings control how Infrahub interacts with external HTTP servers. This can be things like webhooks and OAuth2 providers.

NameDescriptionTypeDefault
INFRAHUB_HTTP_TIMEOUTDefault connection timeout in secondsinteger10
INFRAHUB_HTTP_TLS_INSECUREIndicates if Infrahub will validate server certificates or if the validation is ignored.booleanFalse
INFRAHUB_HTTP_TLS_CA_BUNDLECustom CA bundle in PEM format. The value should either be the CA bundle as a string, alternatively as a file path.NoneNone

Database

NameDescriptionTypeDefault
INFRAHUB_DB_INFRAHUB_DB_TYPENoneNoneneo4j
INFRAHUB_DB_PROTOCOLNonestringbolt
INFRAHUB_DB_USERNAMENonestringneo4j
INFRAHUB_DB_PASSWORDNonestringadmin
INFRAHUB_DB_ADDRESSNonestringlocalhost
INFRAHUB_DB_PORTNoneinteger7687
INFRAHUB_DB_DATABASEName of the databaseNoneNone
INFRAHUB_DB_POLICYRouting policy for database connectionsNoneNone
INFRAHUB_DB_TLS_ENABLEDIndicates if TLS is enabled for the connectionbooleanFalse
INFRAHUB_DB_TLS_INSECUREIndicates if TLS certificates are verifiedbooleanFalse
INFRAHUB_DB_TLS_CA_FILEFile path to CA cert or bundle in PEM formatNoneNone
INFRAHUB_DB_QUERY_SIZE_LIMITThe max number of records to fetch in a single query before performing internal pagination.integer5000
INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHYMaximum number of level to search in a hierarchy.integer5
INFRAHUB_DB_RETRY_LIMITMaximum number of times a transient issue in a transaction should be retried.integer3
INFRAHUB_DB_MAX_CONCURRENT_QUERIESMaximum number of concurrent queries that can run (0 means unlimited).integer0
INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAYDelay to add when max_concurrent_queries is reached.number0.01

Broker

Configuration settings for the message bus.

NameDescriptionTypeDefault
INFRAHUB_BROKER_ENABLENonebooleanTrue
INFRAHUB_BROKER_TLS_ENABLEDIndicates if TLS is enabled for the connectionbooleanFalse
INFRAHUB_BROKER_TLS_INSECUREIndicates if TLS certificates are verifiedbooleanFalse
INFRAHUB_BROKER_TLS_CA_FILEFile path to CA cert or bundle in PEM formatNoneNone
INFRAHUB_BROKER_USERNAMENonestringinfrahub
INFRAHUB_BROKER_PASSWORDNonestringinfrahub
INFRAHUB_BROKER_ADDRESSNonestringlocalhost
INFRAHUB_BROKER_PORTSpecified if running on a non default port.NoneNone
INFRAHUB_BROKER_RABBITMQ_HTTP_PORTNoneNoneNone
INFRAHUB_BROKER_NAMESPACENonestringinfrahub
INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIESThe maximum number of retries that are attempted for failed messagesinteger10
INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGESThe maximum number of concurrent messages fetched by each workerinteger2
INFRAHUB_BROKER_VIRTUALHOSTThe virtual host to connect tostring/
INFRAHUB_BROKER_DRIVERNoneNonerabbitmq

Cache

NameDescriptionTypeDefault
INFRAHUB_CACHE_ENABLENonebooleanTrue
INFRAHUB_CACHE_ADDRESSNonestringlocalhost
INFRAHUB_CACHE_PORTSpecified if running on a non default port (6379)NoneNone
INFRAHUB_CACHE_DATABASEId of the database to useinteger0
INFRAHUB_CACHE_DRIVERNoneNoneredis
INFRAHUB_CACHE_USERNAMENonestring
INFRAHUB_CACHE_PASSWORDNonestring
INFRAHUB_CACHE_TLS_ENABLEDIndicates if TLS is enabled for the connectionbooleanFalse
INFRAHUB_CACHE_TLS_INSECUREIndicates if TLS certificates are verifiedbooleanFalse
INFRAHUB_CACHE_TLS_CA_FILEFile path to CA cert or bundle in PEM formatNoneNone

Workflow

NameDescriptionTypeDefault
INFRAHUB_WORKFLOW_ENABLENonebooleanTrue
INFRAHUB_WORKFLOW_ADDRESSNonestringlocalhost
INFRAHUB_WORKFLOW_PORTSpecified if running on a non default port.NoneNone
INFRAHUB_WORKFLOW_TLS_ENABLEDIndicates if TLS is enabled for the connectionbooleanFalse
INFRAHUB_WORKFLOW_DRIVERNoneNoneworker
INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPENonestringinfrahubasync
INFRAHUB_WORKFLOW_EXTRA_LOGGERSA list of additional logger that will be captured during task execution.array[string]None
INFRAHUB_WORKFLOW_EXTRA_LOG_LEVELLog level applied to all extra loggers.NoneINFO
INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVALSpecify how often the worker should poll the server for tasks (sec)integer2

Miscellaneous

NameDescriptionTypeDefault
INFRAHUB_MISC_PRINT_QUERY_DETAILSNonebooleanFalse
INFRAHUB_MISC_START_BACKGROUND_RUNNERNonebooleanTrue
INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIMEThe maximum allowed time (in seconds) for a validator to run.integer1800
INFRAHUB_MISC_RESPONSE_DELAYArbitrary delay to add when processing API requests.integer0

Analytics

NameDescriptionTypeDefault
INFRAHUB_ANALYTICS_ENABLENonebooleanTrue
INFRAHUB_ANALYTICS_ADDRESSNoneNoneNone
INFRAHUB_ANALYTICS_API_KEYNoneNoneNone

Initial

NameDescriptionTypeDefault
INFRAHUB_INITIAL_DEFAULT_BRANCHDefines the name of the default branch within Infrahub, can only be set once during initialization of the system.stringmain
INFRAHUB_INITIAL_ADMIN_TOKENAn optional initial token for the admin account.NoneNone
INFRAHUB_INITIAL_ADMIN_PASSWORDThe initial password for the admin userstringinfrahub
INFRAHUB_INITIAL_AGENT_TOKENAn optional initial token for a git-agent account.NoneNone
INFRAHUB_INITIAL_AGENT_PASSWORDAn optional initial password for a git-agent account.NoneNone

Policy

NameDescriptionTypeDefault
INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALSNumber of approvals required for proposed changes. (Enterprise only: not available in the community version.)integer0
INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALSBoolean indicating whether performing changes on a proposed change branch should revoke existing approvals. (Enterprise only: not available in the community version.)booleanFalse

Security

NameDescriptionTypeDefault
INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIMELifetime of access token in secondsinteger3600
INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIMELifetime of refresh token in secondsinteger2592000
INFRAHUB_SECURITY_SECRET_KEYThe secret key used to validate authentication tokensstringNone
INFRAHUB_SECURITY_OAUTH2_PROVIDERSThe selected OAuth2 providersarrayNone
INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGSNoneNoneNone
INFRAHUB_SECURITY_OIDC_PROVIDERSThe selected OIDC providersarrayNone
INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGSNoneNoneNone
INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERSIndicates if untrusted Jinja2 filters should be disallowed for computed attributesbooleanTrue
INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUPName of the group to which users authenticated via SSO will belong if not provided by identity providerNoneNone

Trace

NameDescriptionTypeDefault
INFRAHUB_TRACE_ENABLENonebooleanFalse
INFRAHUB_TRACE_INSECUREUse insecure connection (HTTP) if True, otherwise use secure connection (HTTPS)booleanTrue
INFRAHUB_TRACE_EXPORTER_TYPEType of exporter to be used for tracingNoneconsole
INFRAHUB_TRACE_EXPORTER_PROTOCOLProtocol to be used for exporting tracesNonegrpc
INFRAHUB_TRACE_EXPORTER_ENDPOINTOTLP endpoint for exporting tracesNoneNone

Experimental features

NameDescriptionTypeDefault
INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMSNonebooleanFalse
INFRAHUB_EXPERIMENTAL_VALUE_DB_INDEXNonebooleanFalse