Usage of image-factory:
--config configs Configuration source(s). Can be specified multiple times or as a comma-separated list.
Supported forms:
env=[PREFIX] Load configuration from environment variables (optional prefix).
FILE Load configuration from a file; format is inferred from extension.
file=FILE Explicit file source (same as FILE).
Supported file extensions:
.json JSON
.yaml, .yml YAML
.env dotenv
Sources are applied in the order provided; later values override earlier ones.
A default is always applied, regardless of whether --config is specified. (default env=IF_)
--log-level level Log level [debug info warn error dpanic panic fatal] (default info)Documentation for basic configuration parameters.
HTTP configuration for the image factory frontend.
- Type:
string - Env:
HTTP_HTTPLISTENADDR
ListenAddr is the local address to bind the HTTP frontend to.
- Type:
string - Env:
HTTP_CERTFILE
CertFile is the path to the TLS certificate for the HTTP frontend (optional).
- Type:
string - Env:
HTTP_KEYFILE
KeyFile is the path to the TLS key for the HTTP frontend (optional).
- Type:
string - Env:
HTTP_EXTERNALURL
ExternalURL is the public URL for the image factory HTTP frontend, used in links and redirects.
- Type:
string - Env:
HTTP_EXTERNALPXEURL
ExternalPXEURL is the public URL for the PXE frontend, used for booting nodes via PXE.
- Type:
[]string - Env:
HTTP_ALLOWEDORIGINS
AllowedOrigins configures the frontend API CORS with custom origins list.
Options for building assets used in images, including concurrency and Talos version constraints.
- Type:
string - Env:
BUILD_MINTALOSVERSION
MinTalosVersion specifies the minimum supported Talos version for assets.
- Type:
[]string - Env:
BUILD_BROKENTALOSVERSIONS
BrokenTalosVersions lists Talos versions that should be considered broken and avoided when building assets. Those are versions that are known to have critical issues that prevent them from working correctly, such as bugs in Talos that cause build failures or runtime errors.
- Type:
int - Env:
BUILD_MAXCONCURRENCY
MaxConcurrency sets the maximum number of simultaneous asset build operations.
ContainerSignature holds configuration for verifying container image signatures.
- Type:
string - Env:
CONTAINERSIGNATURE_SUBJECTREGEXP
SubjectRegExp is a regular expression used to validate the subject in container signatures.
Set explicitly to empty string to disable subject validation, otherwise it defaults to a regex that allows trusted Sidero Labs account identities. This keyless verification method will not work in air-gapped environments.
- Type:
string - Env:
CONTAINERSIGNATURE_ISSUERREGEXP
IssuerRegExp is a regular expression used to validate the issuer in container signatures.
- Type:
string - Env:
CONTAINERSIGNATURE_ISSUER
Issuer is the expected issuer for container signatures (overrides RegExp if set).
- Type:
string - Env:
CONTAINERSIGNATURE_PUBLICKEYFILE
PublicKeyFile is the path to the public key used for signature verification.
Alternative to keyless verification using SubjectRegExp and Issuer/IssuerRegExp. If set, the image factory will use this public key to verify signatures instead of relying on keyless identities.
- Type:
string - Env:
CONTAINERSIGNATURE_PUBLICKEYHASHALGO
PublicKeyHashAlgo specifies the hash algorithm used for verifying the public key.
- Type:
bool - Env:
CONTAINERSIGNATURE_DISABLED
Disabled disables signature verification.
Cache contains configuration for storing and retrieving boot assets.
OCI contains configuration for using OCI Registry to store cached assets. This configuration is required.
- Type:
string - Env:
CACHE_OCI_REGISTRY
Registry is the hostname of the container registry, e.g., ghcr.io.
This is where images are stored.
- Type:
string - Env:
CACHE_OCI_NAMESPACE
Namespace is the repository namespace or organization within the registry, e.g., sidero-labs.
Some registries allow repositories without a namespace.
- Type:
string - Env:
CACHE_OCI_REPOSITORY
Repository is the name of the repository inside the namespace, e.g., talos.
Combined with Registry and Namespace, it forms the fully qualified repository path.
- Type:
bool - Env:
CACHE_OCI_INSECURE
Insecure allows connections to registries over HTTP or with invalid TLS certificates.
- Type:
string - Env:
CACHE_SIGNINGKEYPATH
SigningKeyPath is the path to the ECDSA key used to sign cached assets. Mutually exclusive with GSA signing.
GSA contains configuration for Google Service Account keyless signing via Sigstore. When set, GSA-based keyless signing is used instead of a static key. Mutually exclusive with SigningKeyPath.
- Type:
string - Env:
CACHE_GSA_SERVICEACCOUNTEMAIL
ServiceAccountEmail is the GSA email embedded in the Fulcio certificate. Used for signature verification — callers must trust signatures issued for this identity.
- Type:
string - Env:
CACHE_GSA_KEYFILE
KeyFile is the path to a service account JSON key file. If empty, Application Default Credentials are used (GOOGLE_APPLICATION_CREDENTIALS environment variable or the metadata server on GCE).
- Type:
string - Env:
CACHE_GSA_FULCIOURL
FulcioURL is the Fulcio CA endpoint. Defaults to the public Sigstore instance.
- Type:
string - Env:
CACHE_GSA_REKORURL
RekorURL is the Rekor transparency log endpoint. Defaults to the public Sigstore instance.
CDN contains configuration for using a CDN to serve cached assets.
- Type:
string - Env:
CACHE_CDN_HOST
Host is the CDN URL used to serve cached assets.
- Type:
string - Env:
CACHE_CDN_TRIMPREFIX
TrimPrefix removes a prefix from asset paths before redirecting to the CDN.
- Type:
bool - Env:
CACHE_CDN_ENABLED
Enabled enables the CDN cache.
S3 contains configuration for using S3 to store cached assets.
- Type:
string - Env:
CACHE_S3_BUCKET
Bucket is the S3 bucket name where cached assets are stored.
- Type:
string - Env:
CACHE_S3_ENDPOINT
Endpoint is the S3 endpoint URL (without scheme or trailing slash).
- Type:
string - Env:
CACHE_S3_REGION
Region is the S3 region for the bucket.
- Type:
bool - Env:
CACHE_S3_INSECURE
Insecure allows connecting to S3 without TLS or with invalid certificates.
- Type:
bool - Env:
CACHE_S3_ENABLED
Enabled enables S3 cache.
- Type:
time.Duration - Env:
CACHE_S3_PRESIGNEDURLTTL
PresignedURLTTL is the duration for which presigned URLs are valid.
Schematic contains configuration for caching schematic blobs.
- Type:
uint64 - Env:
CACHE_SCHEMATIC_CAPACITY
Capacity sets the maximum number of schematics to keep in the in-memory cache.
- Type:
time.Duration - Env:
CACHE_SCHEMATIC_NEGATIVETTL
NegativeTTL sets the time-to-live for negative cache entries (schematics not found in underlying storage).
Metrics holds configuration for the Prometheus metrics endpoint.
- Type:
string - Env:
METRICS_ADDR
Addr is the bind address for the metrics HTTP server. Leave empty to disable metrics.
SecureBoot contains configuration for generating SecureBoot-enabled assets.
File specifies file-based SecureBoot keys and certificates.
- Type:
string - Env:
SECUREBOOT_FILE_SIGNINGKEYPATH
SigningKeyPath is the path to the private key used for signing boot assets.
- Type:
string - Env:
SECUREBOOT_FILE_SIGNINGCERTPATH
SigningCertPath is the path to the certificate used for signing boot assets.
- Type:
string - Env:
SECUREBOOT_FILE_PCRKEYPATH
PCRKeyPath is the path to the key used for PCR measurement.
AzureKeyVault configures SecureBoot using Azure Key Vault.
- Type:
string - Env:
SECUREBOOT_AZUREKEYVAULT_URL
URL is the Key Vault endpoint.
- Type:
string - Env:
SECUREBOOT_AZUREKEYVAULT_CERTIFICATENAME
CertificateName is the name of the certificate in Key Vault.
- Type:
string - Env:
SECUREBOOT_AZUREKEYVAULT_KEYNAME
KeyName is the name of the key in Key Vault.
AWSKMS configures SecureBoot using AWS KMS.
- Type:
string - Env:
SECUREBOOT_AWSKMS_KEYID
KeyID is the AWS KMS Key ID used for signing boot assets.
- Type:
string - Env:
SECUREBOOT_AWSKMS_PCRKEYID
PCRKeyID is the AWS KMS Key ID used for PCR measurement.
- Type:
string - Env:
SECUREBOOT_AWSKMS_CERTPATH
CertPath is the path to the certificate used with AWS KMS.
- Type:
string - Env:
SECUREBOOT_AWSKMS_CERTARN
CertARN is the ARN of the ACM certificate used with AWS KMS.
- Type:
string - Env:
SECUREBOOT_AWSKMS_REGION
Region is the AWS region containing the KMS keys.
- Type:
bool - Env:
SECUREBOOT_ENABLED
Enabled enables SecureBoot asset generation.
Artifacts defines names and references for various images used by the factory.
Core contains configuration for core images used by the image factory.
- Type:
string - Env:
ARTIFACTS_CORE_REGISTRY
Registry specifies the OCI registry host for base images, extensions, and related artifacts. E.g., "ghcr.io".
Components defines the names of images used by the image factory. This typically maps to repositories and tags for core components.
- Type:
string - Env:
ARTIFACTS_CORE_COMPONENTS_INSTALLERBASE
InstallerBase is the base image for creating installer images.
- Type:
string - Env:
ARTIFACTS_CORE_COMPONENTS_INSTALLER
Installer is the main installer image.
- Type:
string - Env:
ARTIFACTS_CORE_COMPONENTS_IMAGER
Imager is the image builder used by the factory.
- Type:
string - Env:
ARTIFACTS_CORE_COMPONENTS_EXTENSIONMANIFEST
ExtensionManifest is the image manifest for extensions.
- Type:
string - Env:
ARTIFACTS_CORE_COMPONENTS_OVERLAYMANIFEST
OverlayManifest is the image manifest for overlays.
- Type:
string - Env:
ARTIFACTS_CORE_COMPONENTS_TALOSCTL
Talosctl is the image containing the Talos CLI tool.
- Type:
bool - Env:
ARTIFACTS_CORE_INSECURE
Insecure allows connections to the registry over HTTP or with invalid TLS certificates. Use with caution, as this may expose security risks.
Schematic is the OCI repository used to store schematic blobs required by the image factory for building images.
- Type:
string - Env:
ARTIFACTS_SCHEMATIC_REGISTRY
Registry is the hostname of the container registry, e.g., ghcr.io.
This is where images are stored.
- Type:
string - Env:
ARTIFACTS_SCHEMATIC_NAMESPACE
Namespace is the repository namespace or organization within the registry, e.g., sidero-labs.
Some registries allow repositories without a namespace.
- Type:
string - Env:
ARTIFACTS_SCHEMATIC_REPOSITORY
Repository is the name of the repository inside the namespace, e.g., talos.
Combined with Registry and Namespace, it forms the fully qualified repository path.
- Type:
bool - Env:
ARTIFACTS_SCHEMATIC_INSECURE
Insecure allows connections to registries over HTTP or with invalid TLS certificates.
Installer contains configuration for storing and accessing installer images.
Internal is the internal OCI registry used by the image factory to push installer images.
- Type:
string - Env:
ARTIFACTS_INSTALLER_INTERNAL_REGISTRY
Registry is the hostname of the container registry, e.g., ghcr.io.
This is where images are stored.
- Type:
string - Env:
ARTIFACTS_INSTALLER_INTERNAL_NAMESPACE
Namespace is the repository namespace or organization within the registry, e.g., sidero-labs.
Some registries allow repositories without a namespace.
- Type:
string - Env:
ARTIFACTS_INSTALLER_INTERNAL_REPOSITORY
Repository is the name of the repository inside the namespace, e.g., talos.
Combined with Registry and Namespace, it forms the fully qualified repository path.
- Type:
bool - Env:
ARTIFACTS_INSTALLER_INTERNAL_INSECURE
Insecure allows connections to registries over HTTP or with invalid TLS certificates.
External is the public OCI registry used for redirects to installer images.
If this field is not set, Image Factory will proxy requests to the internal registry through itself instead of issuing HTTP redirects to the external registry endpoint.
- Type:
string - Env:
ARTIFACTS_INSTALLER_EXTERNAL_REGISTRY
Registry is the hostname of the container registry, e.g., ghcr.io.
This is where images are stored.
- Type:
string - Env:
ARTIFACTS_INSTALLER_EXTERNAL_NAMESPACE
Namespace is the repository namespace or organization within the registry, e.g., sidero-labs.
Some registries allow repositories without a namespace.
- Type:
string - Env:
ARTIFACTS_INSTALLER_EXTERNAL_REPOSITORY
Repository is the name of the repository inside the namespace, e.g., talos.
Combined with Registry and Namespace, it forms the fully qualified repository path.
- Type:
bool - Env:
ARTIFACTS_INSTALLER_EXTERNAL_INSECURE
Insecure allows connections to registries over HTTP or with invalid TLS certificates.
- Type:
time.Duration - Env:
ARTIFACTS_TALOSVERSIONRECHECKINTERVAL
TalosVersionRecheckInterval sets the interval at which the image factory rechecks available Talos versions.
- Type:
time.Duration - Env:
ARTIFACTS_REFRESHINTERVAL
RefreshInterval specifies how often the image factory should refresh its connection to registries.
Authentication settings.
Note: only available in the Enterprise edition.
- Type:
bool - Env:
AUTHENTICATION_ENABLED
Enabled enables authentication.
- Type:
string - Env:
AUTHENTICATION_HTPASSWDPATH
HTPasswdPath is the path to the htpasswd file containing user credentials.
The file follows the standard htpasswd format (username:bcrypt_hash, one per line).
Multiple entries with the same username are supported, allowing multiple API keys per user.
Only bcrypt hashes (
It is required if authentication is enabled.
Enterprise contains configuration for enterprise-specific features.
Scanner contains configuration for the vulnerability scanner.
- Type:
string - Env:
ENTERPRISE_SCANNER_DATABASEURL
DatabaseURL overrides the Grype vulnerability database listing URL. Set this to point at a mirror or air-gapped database service.
Cache contains configuration for caching vulnerability scan results.
- Type:
time.Duration - Env:
ENTERPRISE_SCANNER_CACHE_TTL
TTL is the duration for caching objects.
- Type:
uint64 - Env:
ENTERPRISE_SCANNER_CACHE_CAPACITY
Capacity caps the number of cached objects before LRU eviction.
SPDX contains configuration for SPDX document generation.
- Type:
string - Env:
ENTERPRISE_SPDX_CACHE_REGISTRY
Registry is the hostname of the container registry, e.g., ghcr.io.
This is where images are stored.
- Type:
string - Env:
ENTERPRISE_SPDX_CACHE_NAMESPACE
Namespace is the repository namespace or organization within the registry, e.g., sidero-labs.
Some registries allow repositories without a namespace.
- Type:
string - Env:
ENTERPRISE_SPDX_CACHE_REPOSITORY
Repository is the name of the repository inside the namespace, e.g., talos.
Combined with Registry and Namespace, it forms the fully qualified repository path.
- Type:
bool - Env:
ENTERPRISE_SPDX_CACHE_INSECURE
Insecure allows connections to registries over HTTP or with invalid TLS certificates.
VEX contains configuration for VEX data fetching.
Data specifies the OCI repository where VEX documents are stored.
- Type:
string - Env:
ENTERPRISE_VEX_DATA_REGISTRY
Registry is the hostname of the container registry, e.g., ghcr.io.
This is where images are stored.
- Type:
string - Env:
ENTERPRISE_VEX_DATA_NAMESPACE
Namespace is the repository namespace or organization within the registry, e.g., sidero-labs.
Some registries allow repositories without a namespace.
- Type:
string - Env:
ENTERPRISE_VEX_DATA_REPOSITORY
Repository is the name of the repository inside the namespace, e.g., talos.
Combined with Registry and Namespace, it forms the fully qualified repository path.
- Type:
bool - Env:
ENTERPRISE_VEX_DATA_INSECURE
Insecure allows connections to registries over HTTP or with invalid TLS certificates.
Cache contains configuration for caching VEX documents.
- Type:
time.Duration - Env:
ENTERPRISE_VEX_CACHE_TTL
TTL is the duration for caching objects.
- Type:
uint64 - Env:
ENTERPRISE_VEX_CACHE_CAPACITY
Capacity caps the number of cached objects before LRU eviction.
Registry contains low-level tuning for the registry client (pull/push concurrency, debugging).
- Type:
int - Env:
REGISTRY_JOBS
Jobs is the maximum number of concurrent blob pull/push operations per registry client.
go-containerregistry gates concurrent blob fetches on this value; too low a value can deadlock under Image Factory's concurrent, multiplexed fetch pattern. Defaults to remotewrap.DefaultJobs.
- Type:
bool - Env:
REGISTRY_DEBUG
Debug tracks registry response bodies to help diagnose pull-limiter token leaks/stalls: it periodically logs how many bodies are open and dumps any body that stays open too long together with the stack that opened it.
Set via config or the IF_REGISTRY_DEBUG environment variable.
artifacts:
core:
components:
extensionManifest: siderolabs/extensions
imager: siderolabs/imager
installer: siderolabs/installer
installerBase: siderolabs/installer-base
overlayManifest: siderolabs/overlays
talosctl: siderolabs/talosctl-all
insecure: false
registry: ghcr.io
installer:
external:
insecure: false
namespace: ""
registry: ""
repository: ""
internal:
insecure: false
namespace: siderolabs
registry: ghcr.io
repository: ""
refreshInterval: 5m0s
schematic:
insecure: false
namespace: siderolabs/image-factory
registry: ghcr.io
repository: schematics
talosVersionRecheckInterval: 15m0s
authentication:
enabled: false
htpasswdPath: ""
build:
brokenTalosVersions: []
maxConcurrency: 6
minTalosVersion: 1.2.0
cache:
cdn:
enabled: false
host: ""
trimPrefix: ""
gsa:
fulcioURL: ""
keyFile: ""
rekorURL: ""
serviceAccountEmail: ""
oci:
insecure: false
namespace: siderolabs/image-factory
registry: ghcr.io
repository: cache
s3:
bucket: image-factory
enabled: false
endpoint: ""
insecure: false
presignedURLTTL: 1h0m0s
region: ""
schematic:
capacity: 100000
negativeTTL: 30s
signingKeyPath: ""
containerSignature:
disabled: false
issuer: https://accounts.google.com
issuerRegExp: ""
publicKeyFile: ""
publicKeyHashAlgo: sha256
subjectRegExp: (@siderolabs\.com$|^releasemgr-svc@talos-production\.iam\.gserviceaccount\.com$)
enterprise:
scanner:
cache:
capacity: 4096
ttl: 15m0s
databaseURL: https://grype.anchore.io/databases
spdx:
cache:
insecure: false
namespace: siderolabs/image-factory
registry: ghcr.io
repository: spdx-cache
vex:
cache:
capacity: 65536
ttl: 15m0s
data:
insecure: false
namespace: siderolabs/talos-vex
registry: ghcr.io
repository: talos-vex-data
http:
allowedOrigins:
- '*'
certFile: ""
externalPXEURL: ""
externalURL: https://localhost/
httpListenAddr: :8080
keyFile: ""
metrics:
addr: :2122
registry:
debug: false
jobs: 64
secureBoot:
awsKMS:
certARN: ""
certPath: ""
keyID: ""
pcrKeyID: ""
region: ""
azureKeyVault:
certificateName: ""
keyName: ""
url: ""
enabled: false
file:
pcrKeyPath: ""
signingCertPath: ""
signingKeyPath: ""IF_ARTIFACTS_CORE_COMPONENTS_EXTENSIONMANIFEST=siderolabs/extensions
IF_ARTIFACTS_CORE_COMPONENTS_IMAGER=siderolabs/imager
IF_ARTIFACTS_CORE_COMPONENTS_INSTALLER=siderolabs/installer
IF_ARTIFACTS_CORE_COMPONENTS_INSTALLERBASE=siderolabs/installer-base
IF_ARTIFACTS_CORE_COMPONENTS_OVERLAYMANIFEST=siderolabs/overlays
IF_ARTIFACTS_CORE_COMPONENTS_TALOSCTL=siderolabs/talosctl-all
IF_ARTIFACTS_CORE_INSECURE=false
IF_ARTIFACTS_CORE_REGISTRY=ghcr.io
IF_ARTIFACTS_INSTALLER_EXTERNAL_INSECURE=false
IF_ARTIFACTS_INSTALLER_EXTERNAL_NAMESPACE=
IF_ARTIFACTS_INSTALLER_EXTERNAL_REGISTRY=
IF_ARTIFACTS_INSTALLER_EXTERNAL_REPOSITORY=
IF_ARTIFACTS_INSTALLER_INTERNAL_INSECURE=false
IF_ARTIFACTS_INSTALLER_INTERNAL_NAMESPACE=siderolabs
IF_ARTIFACTS_INSTALLER_INTERNAL_REGISTRY=ghcr.io
IF_ARTIFACTS_INSTALLER_INTERNAL_REPOSITORY=
IF_ARTIFACTS_REFRESHINTERVAL=5m0s
IF_ARTIFACTS_SCHEMATIC_INSECURE=false
IF_ARTIFACTS_SCHEMATIC_NAMESPACE=siderolabs/image-factory
IF_ARTIFACTS_SCHEMATIC_REGISTRY=ghcr.io
IF_ARTIFACTS_SCHEMATIC_REPOSITORY=schematics
IF_ARTIFACTS_TALOSVERSIONRECHECKINTERVAL=15m0s
IF_AUTHENTICATION_ENABLED=false
IF_AUTHENTICATION_HTPASSWDPATH=
IF_BUILD_BROKENTALOSVERSIONS=[]
IF_BUILD_MAXCONCURRENCY=6
IF_BUILD_MINTALOSVERSION=1.2.0
IF_CACHE_CDN_ENABLED=false
IF_CACHE_CDN_HOST=
IF_CACHE_CDN_TRIMPREFIX=
IF_CACHE_GSA_FULCIOURL=
IF_CACHE_GSA_KEYFILE=
IF_CACHE_GSA_REKORURL=
IF_CACHE_GSA_SERVICEACCOUNTEMAIL=
IF_CACHE_OCI_INSECURE=false
IF_CACHE_OCI_NAMESPACE=siderolabs/image-factory
IF_CACHE_OCI_REGISTRY=ghcr.io
IF_CACHE_OCI_REPOSITORY=cache
IF_CACHE_S3_BUCKET=image-factory
IF_CACHE_S3_ENABLED=false
IF_CACHE_S3_ENDPOINT=
IF_CACHE_S3_INSECURE=false
IF_CACHE_S3_PRESIGNEDURLTTL=1h0m0s
IF_CACHE_S3_REGION=
IF_CACHE_SCHEMATIC_CAPACITY=100000
IF_CACHE_SCHEMATIC_NEGATIVETTL=30s
IF_CACHE_SIGNINGKEYPATH=
IF_CONTAINERSIGNATURE_DISABLED=false
IF_CONTAINERSIGNATURE_ISSUER=https://accounts.google.com
IF_CONTAINERSIGNATURE_ISSUERREGEXP=
IF_CONTAINERSIGNATURE_PUBLICKEYFILE=
IF_CONTAINERSIGNATURE_PUBLICKEYHASHALGO=sha256
IF_CONTAINERSIGNATURE_SUBJECTREGEXP=(@siderolabs\.com$|^releasemgr-svc@talos-production\.iam\.gserviceaccount\.com$)
IF_ENTERPRISE_SCANNER_CACHE_CAPACITY=4096
IF_ENTERPRISE_SCANNER_CACHE_TTL=15m0s
IF_ENTERPRISE_SCANNER_DATABASEURL=https://grype.anchore.io/databases
IF_ENTERPRISE_SPDX_CACHE_INSECURE=false
IF_ENTERPRISE_SPDX_CACHE_NAMESPACE=siderolabs/image-factory
IF_ENTERPRISE_SPDX_CACHE_REGISTRY=ghcr.io
IF_ENTERPRISE_SPDX_CACHE_REPOSITORY=spdx-cache
IF_ENTERPRISE_VEX_CACHE_CAPACITY=65536
IF_ENTERPRISE_VEX_CACHE_TTL=15m0s
IF_ENTERPRISE_VEX_DATA_INSECURE=false
IF_ENTERPRISE_VEX_DATA_NAMESPACE=siderolabs/talos-vex
IF_ENTERPRISE_VEX_DATA_REGISTRY=ghcr.io
IF_ENTERPRISE_VEX_DATA_REPOSITORY=talos-vex-data
IF_HTTP_ALLOWEDORIGINS=["*"]
IF_HTTP_CERTFILE=
IF_HTTP_EXTERNALPXEURL=
IF_HTTP_EXTERNALURL=https://localhost/
IF_HTTP_HTTPLISTENADDR=:8080
IF_HTTP_KEYFILE=
IF_METRICS_ADDR=:2122
IF_REGISTRY_DEBUG=false
IF_REGISTRY_JOBS=64
IF_SECUREBOOT_AWSKMS_CERTARN=
IF_SECUREBOOT_AWSKMS_CERTPATH=
IF_SECUREBOOT_AWSKMS_KEYID=
IF_SECUREBOOT_AWSKMS_PCRKEYID=
IF_SECUREBOOT_AWSKMS_REGION=
IF_SECUREBOOT_AZUREKEYVAULT_CERTIFICATENAME=
IF_SECUREBOOT_AZUREKEYVAULT_KEYNAME=
IF_SECUREBOOT_AZUREKEYVAULT_URL=
IF_SECUREBOOT_ENABLED=false
IF_SECUREBOOT_FILE_PCRKEYPATH=
IF_SECUREBOOT_FILE_SIGNINGCERTPATH=
IF_SECUREBOOT_FILE_SIGNINGKEYPATH=