1268 lines (809 loc) · 28.1 KB

Configuration

CLI Usage

Usage of image-factory:
      --config configs    Configuration source(s). Can be specified multiple times or as a comma-separated list.
                          Supported forms:
                            env=[PREFIX]        Load configuration from environment variables (optional prefix).
                            FILE                Load configuration from a file; format is inferred from extension.
                            file=FILE           Explicit file source (same as FILE).
                          
                          Supported file extensions:
                            .json               JSON
                            .yaml, .yml         YAML
                            .env                dotenv
                          
                          Sources are applied in the order provided; later values override earlier ones.
                          A default is always applied, regardless of whether --config is specified. (default env=IF_)
      --log-level level   Log level [debug info warn error dpanic panic fatal] (default info)
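The precedence rule above (sources applied in order, later values override earlier ones, the default env=IF_ source always applied) is easy to get wrong when a deployment mixes a checked-in file with environment overrides. The following is an added example, not code from the image-factory project: a small Go program that loads two dotenv-style sources in --config order and then audits the effective settings for the weak choices the reference below documents (any insecure flag set to true, signature verification disabled or subject validation emptied, authentication enabled without an htpasswd file or TLS, wildcard CORS on an authenticated API, a long presigned-URL TTL). The key names are the env-style names this page documents; the sample dotenv content, the audit rules and the 24h threshold are the example's own assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Config is a flattened view of the configuration keyed by env-style name
// without its prefix, e.g. HTTP_HTTPLISTENADDR for http.httpListenAddr.
type Config map[string]string

// loadDotenv reads KEY=VALUE lines (the .env source form) into cfg, keeping
// only keys that carry prefix, as an env=PREFIX source would. Existing keys are
// overwritten, so loading sources in --config order gives later ones
// precedence; "KEY=" yields an explicitly empty value, distinct from an absent key.
func loadDotenv(cfg Config, text, prefix string) Config {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok || !strings.HasPrefix(k, prefix) {
			continue
		}
		cfg[strings.ToUpper(strings.TrimPrefix(k, prefix))] = strings.TrimSpace(v)
	}
	return cfg
}

func isTrue(v string) bool { return strings.EqualFold(v, "true") }

// audit returns "KEY: problem" lines for settings that weaken transport,
// supply-chain or access controls, sorted so the output is stable.
func audit(cfg Config) []string {
	var out []string
	add := func(k, msg string) { out = append(out, k+": "+msg) }
	for k, v := range cfg { // every *.insecure=true turns off TLS verification
		if strings.HasSuffix(k, "_INSECURE") && isTrue(v) {
			add(k, "TLS verification disabled; a network attacker can alter pulled or pushed artifacts")
		}
	}
	if isTrue(cfg["CONTAINERSIGNATURE_DISABLED"]) {
		add("CONTAINERSIGNATURE_DISABLED", "upstream image signatures are not verified")
	} else if v, set := cfg["CONTAINERSIGNATURE_SUBJECTREGEXP"]; set && v == "" && cfg["CONTAINERSIGNATURE_PUBLICKEYFILE"] == "" {
		add("CONTAINERSIGNATURE_SUBJECTREGEXP", "explicitly empty: keyless verification accepts any subject the issuer vouches for")
	}
	if isTrue(cfg["AUTHENTICATION_ENABLED"]) {
		if cfg["AUTHENTICATION_HTPASSWDPATH"] == "" {
			add("AUTHENTICATION_HTPASSWDPATH", "required when authentication is enabled")
		}
		if strings.Contains(cfg["HTTP_ALLOWEDORIGINS"], "*") {
			add("HTTP_ALLOWEDORIGINS", "wildcard CORS on an authenticated API; list known origins instead")
		}
		if cfg["HTTP_CERTFILE"] == "" || cfg["HTTP_KEYFILE"] == "" {
			add("HTTP_CERTFILE", "no TLS on the listener; credentials are sent in plaintext unless TLS is terminated upstream")
		}
	}
	if d, err := time.ParseDuration(cfg["CACHE_S3_PRESIGNEDURLTTL"]); err == nil && d > 24*time.Hour {
		add("CACHE_S3_PRESIGNEDURLTTL", fmt.Sprintf("%s: a leaked presigned URL grants access until it expires", d))
	}
	sort.Strings(out)
	return out
}

// Constructed samples, not real deployment data: a defaults file and an
// operator override, both in the dotenv form accepted for .env sources.
const sampleDefaults = `
IF_ARTIFACTS_CORE_INSECURE=false
IF_CACHE_S3_PRESIGNEDURLTTL=1h0m0s
IF_CONTAINERSIGNATURE_SUBJECTREGEXP=(@siderolabs\.com$)
IF_HTTP_ALLOWEDORIGINS=["*"]
IF_AUTHENTICATION_ENABLED=false
IF_AUTHENTICATION_HTPASSWDPATH=
`

const sampleOverride = `
IF_ARTIFACTS_CORE_INSECURE=true
IF_CONTAINERSIGNATURE_SUBJECTREGEXP=
IF_AUTHENTICATION_ENABLED=true
IF_CACHE_S3_PRESIGNEDURLTTL=72h
`

// sampleConfig is the effective configuration: defaults first, override last.
func sampleConfig() Config {
	return loadDotenv(loadDotenv(Config{}, sampleDefaults, "IF_"), sampleOverride, "IF_")
}

func main() {
	for _, line := range audit(sampleConfig()) {
		fmt.Println(line)
	}
}
```

With only the defaults loaded, audit returns nothing; once the override is applied on top, it reports six findings, one per weakened setting. Note the distinction the loader preserves between an absent key and an explicitly empty one: that is exactly the difference between keeping the default subjectRegExp and disabling subject validation.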

Configuration Reference

Documentation for basic configuration parameters.

http

HTTP configuration for the image factory frontend.


http.httpListenAddr

  • Type: string
  • Env: HTTP_HTTPLISTENADDR

ListenAddr is the local address to bind the HTTP frontend to.


http.certFile

  • Type: string
  • Env: HTTP_CERTFILE

CertFile is the path to the TLS certificate for the HTTP frontend (optional).


http.keyFile

  • Type: string
  • Env: HTTP_KEYFILE

KeyFile is the path to the TLS key for the HTTP frontend (optional).


http.externalURL

  • Type: string
  • Env: HTTP_EXTERNALURL

ExternalURL is the public URL for the image factory HTTP frontend, used in links and redirects.


http.externalPXEURL

  • Type: string
  • Env: HTTP_EXTERNALPXEURL

ExternalPXEURL is the public URL for the PXE frontend, used for booting nodes via PXE.


http.allowedOrigins

  • Type: []string
  • Env: HTTP_ALLOWEDORIGINS

AllowedOrigins sets the list of origins allowed by the frontend API's CORS policy. The default is "*" (any origin); restrict it to the origins of known browser clients, especially when authentication is enabled.


build

Options for building assets used in images, including concurrency and Talos version constraints.


build.minTalosVersion

  • Type: string
  • Env: BUILD_MINTALOSVERSION

MinTalosVersion specifies the minimum supported Talos version for assets.


build.brokenTalosVersions

  • Type: []string
  • Env: BUILD_BROKENTALOSVERSIONS

BrokenTalosVersions lists Talos versions that should be considered broken and avoided when building assets. Those are versions that are known to have critical issues that prevent them from working correctly, such as bugs in Talos that cause build failures or runtime errors.


build.maxConcurrency

  • Type: int
  • Env: BUILD_MAXCONCURRENCY

MaxConcurrency sets the maximum number of simultaneous asset build operations.


containerSignature

ContainerSignature holds configuration for verifying container image signatures.


containerSignature.subjectRegExp

  • Type: string
  • Env: CONTAINERSIGNATURE_SUBJECTREGEXP

SubjectRegExp is a regular expression used to validate the subject in container signatures.

Set explicitly to an empty string to disable subject validation; otherwise it defaults to a regular expression matching trusted Sidero Labs account identities. Keyless verification has to reach the Sigstore services (Fulcio and the Rekor transparency log), so it will not work in air-gapped environments; use PublicKeyFile there instead.


containerSignature.issuerRegExp

  • Type: string
  • Env: CONTAINERSIGNATURE_ISSUERREGEXP

IssuerRegExp is a regular expression used to validate the issuer in container signatures.


containerSignature.issuer

  • Type: string
  • Env: CONTAINERSIGNATURE_ISSUER

Issuer is the expected issuer for container signatures (takes precedence over IssuerRegExp when set).


containerSignature.publicKeyFile

  • Type: string
  • Env: CONTAINERSIGNATURE_PUBLICKEYFILE

PublicKeyFile is the path to the public key used for signature verification.

Alternative to keyless verification using SubjectRegExp and Issuer/IssuerRegExp. If set, the image factory will use this public key to verify signatures instead of relying on keyless identities.


containerSignature.publicKeyHashAlgo

  • Type: string
  • Env: CONTAINERSIGNATURE_PUBLICKEYHASHALGO

PublicKeyHashAlgo specifies the hash algorithm used when verifying signatures with the public key (default sha256).


containerSignature.disabled

  • Type: bool
  • Env: CONTAINERSIGNATURE_DISABLED

Disabled turns off signature verification altogether, so images are pulled without any signature check. Leave it false outside of local testing.


cache

Cache contains configuration for storing and retrieving boot assets.


cache.oci

OCI contains configuration for using OCI Registry to store cached assets. This configuration is required.


cache.oci.registry

  • Type: string
  • Env: CACHE_OCI_REGISTRY

Registry is the hostname of the container registry, e.g., ghcr.io. This is where images are stored.


cache.oci.namespace

  • Type: string
  • Env: CACHE_OCI_NAMESPACE

Namespace is the repository namespace or organization within the registry, e.g., sidero-labs. Some registries allow repositories without a namespace.


cache.oci.repository

  • Type: string
  • Env: CACHE_OCI_REPOSITORY

Repository is the name of the repository inside the namespace, e.g., talos. Combined with Registry and Namespace, it forms the fully qualified repository path.


cache.oci.insecure

  • Type: bool
  • Env: CACHE_OCI_INSECURE

Insecure allows connections to registries over HTTP or with invalid TLS certificates.


cache.signingKeyPath

  • Type: string
  • Env: CACHE_SIGNINGKEYPATH

SigningKeyPath is the path to the ECDSA key used to sign cached assets. Mutually exclusive with GSA signing.


cache.gsa

GSA contains configuration for Google Service Account keyless signing via Sigstore. When set, GSA-based keyless signing is used instead of a static key. Mutually exclusive with SigningKeyPath.


cache.gsa.serviceAccountEmail

  • Type: string
  • Env: CACHE_GSA_SERVICEACCOUNTEMAIL

ServiceAccountEmail is the GSA email embedded in the Fulcio certificate. Used for signature verification — callers must trust signatures issued for this identity.


cache.gsa.keyFile

  • Type: string
  • Env: CACHE_GSA_KEYFILE

KeyFile is the path to a service account JSON key file. If empty, Application Default Credentials are used (GOOGLE_APPLICATION_CREDENTIALS environment variable or the metadata server on GCE).


cache.gsa.fulcioURL

  • Type: string
  • Env: CACHE_GSA_FULCIOURL

FulcioURL is the Fulcio CA endpoint. Defaults to the public Sigstore instance.


cache.gsa.rekorURL

  • Type: string
  • Env: CACHE_GSA_REKORURL

RekorURL is the Rekor transparency log endpoint. Defaults to the public Sigstore instance.


cache.cdn

CDN contains configuration for using a CDN to serve cached assets.


cache.cdn.host

  • Type: string
  • Env: CACHE_CDN_HOST

Host is the CDN URL used to serve cached assets.


cache.cdn.trimPrefix

  • Type: string
  • Env: CACHE_CDN_TRIMPREFIX

TrimPrefix removes a prefix from asset paths before redirecting to the CDN.


cache.cdn.enabled

  • Type: bool
  • Env: CACHE_CDN_ENABLED

Enabled enables the CDN cache.


cache.s3

S3 contains configuration for using S3 to store cached assets.


cache.s3.bucket

  • Type: string
  • Env: CACHE_S3_BUCKET

Bucket is the S3 bucket name where cached assets are stored.


cache.s3.endpoint

  • Type: string
  • Env: CACHE_S3_ENDPOINT

Endpoint is the S3 endpoint URL (without scheme or trailing slash).


cache.s3.region

  • Type: string
  • Env: CACHE_S3_REGION

Region is the S3 region for the bucket.


cache.s3.insecure

  • Type: bool
  • Env: CACHE_S3_INSECURE

Insecure allows connecting to S3 without TLS or with invalid certificates.


cache.s3.enabled

  • Type: bool
  • Env: CACHE_S3_ENABLED

Enabled enables S3 cache.


cache.s3.presignedURLTTL

  • Type: time.Duration
  • Env: CACHE_S3_PRESIGNEDURLTTL

PresignedURLTTL is the duration for which presigned URLs are valid. Anyone holding a presigned URL can fetch the object until it expires, so keep the TTL as short as clients need.


cache.schematic

Schematic contains configuration for caching schematic blobs.


cache.schematic.capacity

  • Type: uint64
  • Env: CACHE_SCHEMATIC_CAPACITY

Capacity sets the maximum number of schematics to keep in the in-memory cache.


cache.schematic.negativeTTL

  • Type: time.Duration
  • Env: CACHE_SCHEMATIC_NEGATIVETTL

NegativeTTL sets the time-to-live for negative cache entries (schematics not found in underlying storage).


metrics

Metrics holds configuration for the Prometheus metrics endpoint.


metrics.addr

  • Type: string
  • Env: METRICS_ADDR

Addr is the bind address for the metrics HTTP server. Leave empty to disable metrics.


secureBoot

SecureBoot contains configuration for generating SecureBoot-enabled assets.


secureBoot.file

File specifies file-based SecureBoot keys and certificates.


secureBoot.file.signingKeyPath

  • Type: string
  • Env: SECUREBOOT_FILE_SIGNINGKEYPATH

SigningKeyPath is the path to the private key used for signing boot assets.


secureBoot.file.signingCertPath

  • Type: string
  • Env: SECUREBOOT_FILE_SIGNINGCERTPATH

SigningCertPath is the path to the certificate used for signing boot assets.


secureBoot.file.pcrKeyPath

  • Type: string
  • Env: SECUREBOOT_FILE_PCRKEYPATH

PCRKeyPath is the path to the PCR signing key, the private key used to sign the expected TPM PCR measurements of the generated SecureBoot assets.


secureBoot.azureKeyVault

AzureKeyVault configures SecureBoot using Azure Key Vault.


secureBoot.azureKeyVault.url

  • Type: string
  • Env: SECUREBOOT_AZUREKEYVAULT_URL

URL is the Key Vault endpoint.


secureBoot.azureKeyVault.certificateName

  • Type: string
  • Env: SECUREBOOT_AZUREKEYVAULT_CERTIFICATENAME

CertificateName is the name of the certificate in Key Vault.


secureBoot.azureKeyVault.keyName

  • Type: string
  • Env: SECUREBOOT_AZUREKEYVAULT_KEYNAME

KeyName is the name of the key in Key Vault.


secureBoot.awsKMS

AWSKMS configures SecureBoot using AWS KMS.


secureBoot.awsKMS.keyID

  • Type: string
  • Env: SECUREBOOT_AWSKMS_KEYID

KeyID is the AWS KMS Key ID used for signing boot assets.


secureBoot.awsKMS.pcrKeyID

  • Type: string
  • Env: SECUREBOOT_AWSKMS_PCRKEYID

PCRKeyID is the AWS KMS Key ID of the PCR signing key, used to sign the expected TPM PCR measurements of the generated SecureBoot assets.


secureBoot.awsKMS.certPath

  • Type: string
  • Env: SECUREBOOT_AWSKMS_CERTPATH

CertPath is the path to the certificate used with AWS KMS.


secureBoot.awsKMS.certARN

  • Type: string
  • Env: SECUREBOOT_AWSKMS_CERTARN

CertARN is the ARN of the ACM certificate used with AWS KMS.


secureBoot.awsKMS.region

  • Type: string
  • Env: SECUREBOOT_AWSKMS_REGION

Region is the AWS region containing the KMS keys.


secureBoot.enabled

  • Type: bool
  • Env: SECUREBOOT_ENABLED

Enabled enables SecureBoot asset generation.


artifacts

Artifacts defines names and references for various images used by the factory.


artifacts.core

Core contains configuration for core images used by the image factory.


artifacts.core.registry

  • Type: string
  • Env: ARTIFACTS_CORE_REGISTRY

Registry specifies the OCI registry host for base images, extensions, and related artifacts. E.g., "ghcr.io".


artifacts.core.components

Components defines the names of images used by the image factory. This typically maps to repositories and tags for core components.


artifacts.core.components.installerBase

  • Type: string
  • Env: ARTIFACTS_CORE_COMPONENTS_INSTALLERBASE

InstallerBase is the base image for creating installer images.


artifacts.core.components.installer

  • Type: string
  • Env: ARTIFACTS_CORE_COMPONENTS_INSTALLER

Installer is the main installer image.


artifacts.core.components.imager

  • Type: string
  • Env: ARTIFACTS_CORE_COMPONENTS_IMAGER

Imager is the image builder used by the factory.


artifacts.core.components.extensionManifest

  • Type: string
  • Env: ARTIFACTS_CORE_COMPONENTS_EXTENSIONMANIFEST

ExtensionManifest is the image manifest for extensions.


artifacts.core.components.overlayManifest

  • Type: string
  • Env: ARTIFACTS_CORE_COMPONENTS_OVERLAYMANIFEST

OverlayManifest is the image manifest for overlays.


artifacts.core.components.talosctl

  • Type: string
  • Env: ARTIFACTS_CORE_COMPONENTS_TALOSCTL

Talosctl is the image containing the Talos CLI tool.


artifacts.core.insecure

  • Type: bool
  • Env: ARTIFACTS_CORE_INSECURE

Insecure allows connections to the registry over HTTP or with invalid TLS certificates. Use it only for local testing: without TLS verification, an attacker on the network path can substitute or tamper with the base images and extensions the factory builds from.


artifacts.schematic

Schematic is the OCI repository used to store schematic blobs required by the image factory for building images.


artifacts.schematic.registry

  • Type: string
  • Env: ARTIFACTS_SCHEMATIC_REGISTRY

Registry is the hostname of the container registry, e.g., ghcr.io. This is where images are stored.


artifacts.schematic.namespace

  • Type: string
  • Env: ARTIFACTS_SCHEMATIC_NAMESPACE

Namespace is the repository namespace or organization within the registry, e.g., sidero-labs. Some registries allow repositories without a namespace.


artifacts.schematic.repository

  • Type: string
  • Env: ARTIFACTS_SCHEMATIC_REPOSITORY

Repository is the name of the repository inside the namespace, e.g., talos. Combined with Registry and Namespace, it forms the fully qualified repository path.


artifacts.schematic.insecure

  • Type: bool
  • Env: ARTIFACTS_SCHEMATIC_INSECURE

Insecure allows connections to registries over HTTP or with invalid TLS certificates.


artifacts.installer

Installer contains configuration for storing and accessing installer images.


artifacts.installer.internal

Internal is the internal OCI registry used by the image factory to push installer images.


artifacts.installer.internal.registry

  • Type: string
  • Env: ARTIFACTS_INSTALLER_INTERNAL_REGISTRY

Registry is the hostname of the container registry, e.g., ghcr.io. This is where images are stored.


artifacts.installer.internal.namespace

  • Type: string
  • Env: ARTIFACTS_INSTALLER_INTERNAL_NAMESPACE

Namespace is the repository namespace or organization within the registry, e.g., sidero-labs. Some registries allow repositories without a namespace.


artifacts.installer.internal.repository

  • Type: string
  • Env: ARTIFACTS_INSTALLER_INTERNAL_REPOSITORY

Repository is the name of the repository inside the namespace, e.g., talos. Combined with Registry and Namespace, it forms the fully qualified repository path.


artifacts.installer.internal.insecure

  • Type: bool
  • Env: ARTIFACTS_INSTALLER_INTERNAL_INSECURE

Insecure allows connections to registries over HTTP or with invalid TLS certificates.


artifacts.installer.external

External is the public OCI registry used for redirects to installer images.

If this field is not set, Image Factory will proxy requests to the internal registry through itself instead of issuing HTTP redirects to the external registry endpoint.


artifacts.installer.external.registry

  • Type: string
  • Env: ARTIFACTS_INSTALLER_EXTERNAL_REGISTRY

Registry is the hostname of the container registry, e.g., ghcr.io. This is where images are stored.


artifacts.installer.external.namespace

  • Type: string
  • Env: ARTIFACTS_INSTALLER_EXTERNAL_NAMESPACE

Namespace is the repository namespace or organization within the registry, e.g., sidero-labs. Some registries allow repositories without a namespace.


artifacts.installer.external.repository

  • Type: string
  • Env: ARTIFACTS_INSTALLER_EXTERNAL_REPOSITORY

Repository is the name of the repository inside the namespace, e.g., talos. Combined with Registry and Namespace, it forms the fully qualified repository path.


artifacts.installer.external.insecure

  • Type: bool
  • Env: ARTIFACTS_INSTALLER_EXTERNAL_INSECURE

Insecure allows connections to registries over HTTP or with invalid TLS certificates.


artifacts.talosVersionRecheckInterval

  • Type: time.Duration
  • Env: ARTIFACTS_TALOSVERSIONRECHECKINTERVAL

TalosVersionRecheckInterval sets the interval at which the image factory rechecks available Talos versions.


artifacts.refreshInterval

  • Type: time.Duration
  • Env: ARTIFACTS_REFRESHINTERVAL

RefreshInterval specifies how often the image factory should refresh its connection to registries.


authentication

Authentication settings.

Note: only available in the Enterprise edition.


authentication.enabled

  • Type: bool
  • Env: AUTHENTICATION_ENABLED

Enabled enables authentication.


authentication.htpasswdPath

  • Type: string
  • Env: AUTHENTICATION_HTPASSWDPATH

HTPasswdPath is the path to the htpasswd file containing user credentials.

The file follows the standard htpasswd format (username:bcrypt_hash, one per line). Multiple entries with the same username are supported, allowing multiple API keys per user. Only bcrypt hashes ($2y$/$2a$/$2b$) are accepted.

It is required if authentication is enabled.
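As an added example (not code from the image-factory project), this Go loader enforces the format rules above: one user:hash pair per line, several lines per user allowed, and only bcrypt hashes with a $2a$, $2b$ or $2y$ prefix accepted. A malformed or non-bcrypt line is an error rather than being skipped, so an operator typo cannot silently drop or weaken an entry. The sample file, its placeholder hashes and the cost-range check are the example's own assumptions; the actual password comparison, checking a presented key against each candidate hash with bcrypt.CompareHashAndPassword from golang.org/x/crypto/bcrypt, is left out to keep the example standard-library only.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// bcryptHash matches the only hash form accepted here: a $2a$/$2b$/$2y$
// prefix, a two-digit cost, then 22 salt and 31 digest characters from
// bcrypt's base64 alphabet.
var bcryptHash = regexp.MustCompile(`^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$`)

// ParseHTPasswd returns username -> accepted bcrypt hashes. A user may appear
// on several lines (one per API key). Any line that is not "user:bcrypt-hash"
// is an error rather than being skipped, so a malformed or non-bcrypt entry
// cannot silently lock out or weaken a user.
func ParseHTPasswd(text string) (map[string][]string, error) {
	users := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		name, hash, ok := strings.Cut(line, ":")
		if !ok || name == "" {
			return nil, fmt.Errorf("line %d: expected user:hash", n)
		}
		m := bcryptHash.FindStringSubmatch(hash)
		if m == nil {
			return nil, fmt.Errorf("line %d: user %q: not a bcrypt ($2a$/$2b$/$2y$) hash", n, name)
		}
		// bcrypt costs are 4..31; anything else is a typo or a tampered file.
		if cost, _ := strconv.Atoi(m[1]); cost < 4 || cost > 31 {
			return nil, fmt.Errorf("line %d: user %q: bcrypt cost %d out of range", n, name, cost)
		}
		users[name] = append(users[name], hash)
	}
	return users, sc.Err()
}

// Constructed sample. The hashes are syntactically valid placeholders, not
// digests of any real password.
const sampleHTPasswd = `
# one line per API key; alice has two keys
alice:$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
alice:$2b$12$0123456789abcdefghijklMNOPQRSTUVWXYZabcdefghijklmnopq
bob:$2a$10$zyxwvutsrqponmlkjihgfeZYXWVUTSRQPONMLKJIHGFEDCBA98765
`

func main() {
	users, err := ParseHTPasswd(sampleHTPasswd)
	if err != nil {
		panic(err)
	}
	for name, hashes := range users {
		fmt.Printf("%s: %d key(s)\n", name, len(hashes))
	}
}
```

Real entries in this format come from Apache's htpasswd utility with the bcrypt flag (htpasswd -nB username prints a $2y$ line to stdout); entries produced with its default MD5 or SHA modes are rejected by the loader above, which is the behaviour the bcrypt-only rule calls for.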


enterprise

Enterprise contains configuration for enterprise-specific features.


enterprise.scanner

Scanner contains configuration for the vulnerability scanner.


enterprise.scanner.databaseURL

  • Type: string
  • Env: ENTERPRISE_SCANNER_DATABASEURL

DatabaseURL overrides the Grype vulnerability database listing URL. Set this to point at a mirror or air-gapped database service.


enterprise.scanner.cache

Cache contains configuration for caching vulnerability scan results.


enterprise.scanner.cache.ttl

  • Type: time.Duration
  • Env: ENTERPRISE_SCANNER_CACHE_TTL

TTL is the duration for caching objects.


enterprise.scanner.cache.capacity

  • Type: uint64
  • Env: ENTERPRISE_SCANNER_CACHE_CAPACITY

Capacity caps the number of cached objects before LRU eviction.


enterprise.spdx

SPDX contains configuration for SPDX document generation.


enterprise.spdx.cache


enterprise.spdx.cache.registry

  • Type: string
  • Env: ENTERPRISE_SPDX_CACHE_REGISTRY

Registry is the hostname of the container registry, e.g., ghcr.io. This is where images are stored.


enterprise.spdx.cache.namespace

  • Type: string
  • Env: ENTERPRISE_SPDX_CACHE_NAMESPACE

Namespace is the repository namespace or organization within the registry, e.g., sidero-labs. Some registries allow repositories without a namespace.


enterprise.spdx.cache.repository

  • Type: string
  • Env: ENTERPRISE_SPDX_CACHE_REPOSITORY

Repository is the name of the repository inside the namespace, e.g., talos. Combined with Registry and Namespace, it forms the fully qualified repository path.


enterprise.spdx.cache.insecure

  • Type: bool
  • Env: ENTERPRISE_SPDX_CACHE_INSECURE

Insecure allows connections to registries over HTTP or with invalid TLS certificates.


enterprise.vex

VEX contains configuration for VEX data fetching.


enterprise.vex.data

Data specifies the OCI repository where VEX documents are stored.


enterprise.vex.data.registry

  • Type: string
  • Env: ENTERPRISE_VEX_DATA_REGISTRY

Registry is the hostname of the container registry, e.g., ghcr.io. This is where images are stored.


enterprise.vex.data.namespace

  • Type: string
  • Env: ENTERPRISE_VEX_DATA_NAMESPACE

Namespace is the repository namespace or organization within the registry, e.g., sidero-labs. Some registries allow repositories without a namespace.


enterprise.vex.data.repository

  • Type: string
  • Env: ENTERPRISE_VEX_DATA_REPOSITORY

Repository is the name of the repository inside the namespace, e.g., talos. Combined with Registry and Namespace, it forms the fully qualified repository path.


enterprise.vex.data.insecure

  • Type: bool
  • Env: ENTERPRISE_VEX_DATA_INSECURE

Insecure allows connections to registries over HTTP or with invalid TLS certificates.


enterprise.vex.cache

Cache contains configuration for caching VEX documents.


enterprise.vex.cache.ttl

  • Type: time.Duration
  • Env: ENTERPRISE_VEX_CACHE_TTL

TTL is the duration for caching objects.


enterprise.vex.cache.capacity

  • Type: uint64
  • Env: ENTERPRISE_VEX_CACHE_CAPACITY

Capacity caps the number of cached objects before LRU eviction.


registry

Registry contains low-level tuning for the registry client (pull/push concurrency, debugging).


registry.jobs

  • Type: int
  • Env: REGISTRY_JOBS

Jobs is the maximum number of concurrent blob pull/push operations per registry client.

go-containerregistry gates concurrent blob fetches on this value; too low a value can deadlock under Image Factory's concurrent, multiplexed fetch pattern. Defaults to remotewrap.DefaultJobs.


registry.debug

  • Type: bool
  • Env: REGISTRY_DEBUG

Debug tracks registry response bodies to help diagnose pull-limiter token leaks/stalls: it periodically logs how many bodies are open and dumps any body that stays open too long together with the stack that opened it.

Set via config or the IF_REGISTRY_DEBUG environment variable.


Default Configuration

YAML

artifacts:
    core:
        components:
            extensionManifest: siderolabs/extensions
            imager: siderolabs/imager
            installer: siderolabs/installer
            installerBase: siderolabs/installer-base
            overlayManifest: siderolabs/overlays
            talosctl: siderolabs/talosctl-all
        insecure: false
        registry: ghcr.io
    installer:
        external:
            insecure: false
            namespace: ""
            registry: ""
            repository: ""
        internal:
            insecure: false
            namespace: siderolabs
            registry: ghcr.io
            repository: ""
    refreshInterval: 5m0s
    schematic:
        insecure: false
        namespace: siderolabs/image-factory
        registry: ghcr.io
        repository: schematics
    talosVersionRecheckInterval: 15m0s
authentication:
    enabled: false
    htpasswdPath: ""
build:
    brokenTalosVersions: []
    maxConcurrency: 6
    minTalosVersion: 1.2.0
cache:
    cdn:
        enabled: false
        host: ""
        trimPrefix: ""
    gsa:
        fulcioURL: ""
        keyFile: ""
        rekorURL: ""
        serviceAccountEmail: ""
    oci:
        insecure: false
        namespace: siderolabs/image-factory
        registry: ghcr.io
        repository: cache
    s3:
        bucket: image-factory
        enabled: false
        endpoint: ""
        insecure: false
        presignedURLTTL: 1h0m0s
        region: ""
    schematic:
        capacity: 100000
        negativeTTL: 30s
    signingKeyPath: ""
containerSignature:
    disabled: false
    issuer: https://accounts.google.com
    issuerRegExp: ""
    publicKeyFile: ""
    publicKeyHashAlgo: sha256
    subjectRegExp: (@siderolabs\.com$|^releasemgr-svc@talos-production\.iam\.gserviceaccount\.com$)
enterprise:
    scanner:
        cache:
            capacity: 4096
            ttl: 15m0s
        databaseURL: https://grype.anchore.io/databases
    spdx:
        cache:
            insecure: false
            namespace: siderolabs/image-factory
            registry: ghcr.io
            repository: spdx-cache
    vex:
        cache:
            capacity: 65536
            ttl: 15m0s
        data:
            insecure: false
            namespace: siderolabs/talos-vex
            registry: ghcr.io
            repository: talos-vex-data
http:
    allowedOrigins:
        - '*'
    certFile: ""
    externalPXEURL: ""
    externalURL: https://localhost/
    httpListenAddr: :8080
    keyFile: ""
metrics:
    addr: :2122
registry:
    debug: false
    jobs: 64
secureBoot:
    awsKMS:
        certARN: ""
        certPath: ""
        keyID: ""
        pcrKeyID: ""
        region: ""
    azureKeyVault:
        certificateName: ""
        keyName: ""
        url: ""
    enabled: false
    file:
        pcrKeyPath: ""
        signingCertPath: ""
        signingKeyPath: ""

Environment Variables

IF_ARTIFACTS_CORE_COMPONENTS_EXTENSIONMANIFEST=siderolabs/extensions
IF_ARTIFACTS_CORE_COMPONENTS_IMAGER=siderolabs/imager
IF_ARTIFACTS_CORE_COMPONENTS_INSTALLER=siderolabs/installer
IF_ARTIFACTS_CORE_COMPONENTS_INSTALLERBASE=siderolabs/installer-base
IF_ARTIFACTS_CORE_COMPONENTS_OVERLAYMANIFEST=siderolabs/overlays
IF_ARTIFACTS_CORE_COMPONENTS_TALOSCTL=siderolabs/talosctl-all
IF_ARTIFACTS_CORE_INSECURE=false
IF_ARTIFACTS_CORE_REGISTRY=ghcr.io
IF_ARTIFACTS_INSTALLER_EXTERNAL_INSECURE=false
IF_ARTIFACTS_INSTALLER_EXTERNAL_NAMESPACE=
IF_ARTIFACTS_INSTALLER_EXTERNAL_REGISTRY=
IF_ARTIFACTS_INSTALLER_EXTERNAL_REPOSITORY=
IF_ARTIFACTS_INSTALLER_INTERNAL_INSECURE=false
IF_ARTIFACTS_INSTALLER_INTERNAL_NAMESPACE=siderolabs
IF_ARTIFACTS_INSTALLER_INTERNAL_REGISTRY=ghcr.io
IF_ARTIFACTS_INSTALLER_INTERNAL_REPOSITORY=
IF_ARTIFACTS_REFRESHINTERVAL=5m0s
IF_ARTIFACTS_SCHEMATIC_INSECURE=false
IF_ARTIFACTS_SCHEMATIC_NAMESPACE=siderolabs/image-factory
IF_ARTIFACTS_SCHEMATIC_REGISTRY=ghcr.io
IF_ARTIFACTS_SCHEMATIC_REPOSITORY=schematics
IF_ARTIFACTS_TALOSVERSIONRECHECKINTERVAL=15m0s
IF_AUTHENTICATION_ENABLED=false
IF_AUTHENTICATION_HTPASSWDPATH=
IF_BUILD_BROKENTALOSVERSIONS=[]
IF_BUILD_MAXCONCURRENCY=6
IF_BUILD_MINTALOSVERSION=1.2.0
IF_CACHE_CDN_ENABLED=false
IF_CACHE_CDN_HOST=
IF_CACHE_CDN_TRIMPREFIX=
IF_CACHE_GSA_FULCIOURL=
IF_CACHE_GSA_KEYFILE=
IF_CACHE_GSA_REKORURL=
IF_CACHE_GSA_SERVICEACCOUNTEMAIL=
IF_CACHE_OCI_INSECURE=false
IF_CACHE_OCI_NAMESPACE=siderolabs/image-factory
IF_CACHE_OCI_REGISTRY=ghcr.io
IF_CACHE_OCI_REPOSITORY=cache
IF_CACHE_S3_BUCKET=image-factory
IF_CACHE_S3_ENABLED=false
IF_CACHE_S3_ENDPOINT=
IF_CACHE_S3_INSECURE=false
IF_CACHE_S3_PRESIGNEDURLTTL=1h0m0s
IF_CACHE_S3_REGION=
IF_CACHE_SCHEMATIC_CAPACITY=100000
IF_CACHE_SCHEMATIC_NEGATIVETTL=30s
IF_CACHE_SIGNINGKEYPATH=
IF_CONTAINERSIGNATURE_DISABLED=false
IF_CONTAINERSIGNATURE_ISSUER=https://accounts.google.com
IF_CONTAINERSIGNATURE_ISSUERREGEXP=
IF_CONTAINERSIGNATURE_PUBLICKEYFILE=
IF_CONTAINERSIGNATURE_PUBLICKEYHASHALGO=sha256
IF_CONTAINERSIGNATURE_SUBJECTREGEXP=(@siderolabs\.com$|^releasemgr-svc@talos-production\.iam\.gserviceaccount\.com$)
IF_ENTERPRISE_SCANNER_CACHE_CAPACITY=4096
IF_ENTERPRISE_SCANNER_CACHE_TTL=15m0s
IF_ENTERPRISE_SCANNER_DATABASEURL=https://grype.anchore.io/databases
IF_ENTERPRISE_SPDX_CACHE_INSECURE=false
IF_ENTERPRISE_SPDX_CACHE_NAMESPACE=siderolabs/image-factory
IF_ENTERPRISE_SPDX_CACHE_REGISTRY=ghcr.io
IF_ENTERPRISE_SPDX_CACHE_REPOSITORY=spdx-cache
IF_ENTERPRISE_VEX_CACHE_CAPACITY=65536
IF_ENTERPRISE_VEX_CACHE_TTL=15m0s
IF_ENTERPRISE_VEX_DATA_INSECURE=false
IF_ENTERPRISE_VEX_DATA_NAMESPACE=siderolabs/talos-vex
IF_ENTERPRISE_VEX_DATA_REGISTRY=ghcr.io
IF_ENTERPRISE_VEX_DATA_REPOSITORY=talos-vex-data
IF_HTTP_ALLOWEDORIGINS=["*"]
IF_HTTP_CERTFILE=
IF_HTTP_EXTERNALPXEURL=
IF_HTTP_EXTERNALURL=https://localhost/
IF_HTTP_HTTPLISTENADDR=:8080
IF_HTTP_KEYFILE=
IF_METRICS_ADDR=:2122
IF_REGISTRY_DEBUG=false
IF_REGISTRY_JOBS=64
IF_SECUREBOOT_AWSKMS_CERTARN=
IF_SECUREBOOT_AWSKMS_CERTPATH=
IF_SECUREBOOT_AWSKMS_KEYID=
IF_SECUREBOOT_AWSKMS_PCRKEYID=
IF_SECUREBOOT_AWSKMS_REGION=
IF_SECUREBOOT_AZUREKEYVAULT_CERTIFICATENAME=
IF_SECUREBOOT_AZUREKEYVAULT_KEYNAME=
IF_SECUREBOOT_AZUREKEYVAULT_URL=
IF_SECUREBOOT_ENABLED=false
IF_SECUREBOOT_FILE_PCRKEYPATH=
IF_SECUREBOOT_FILE_SIGNINGCERTPATH=
IF_SECUREBOOT_FILE_SIGNINGKEYPATH=