Configuration reference
Every environment variable across api / agent / worker /
controller. Defaults shown match the source tree as of v0.X.
api
Env var
Required
Default
Notes
API_ADDRno
:8080Listen address
API_SHUTDOWN_GRACEno
15sSIGTERM grace period
LOG_LEVELno
infodebug / info / warn / error
DATABASE_URLyes —
postgres://user:pass@host:5432/db
DATABASE_MAX_CONNSno
10pgxpool size
DATABASE_CONN_LIFETIMEno
1h
REDIS_URLyes —
redis://host:6379/0
REDIS_POOL_SIZEno
10
REDIS_DIAL_TIMEOUTno
5s
REDIS_NAMESPACEno
secrets-bridgeKey prefix
SB_JWT_SECRETyes —
32+ bytes, base64 or raw. Fails boot if too short.
SB_JWT_TOKEN_TTLno
8hLogin session lifetime
SB_WRAP_MASTER_KEYyes when SB_KMS_BACKEND=local
—
base64 32 bytes
SB_KMS_BACKENDno
locallocal / vault-transit / aws-kms
SB_KMS_VAULT_ADDRyes for vault-transit
—
SB_KMS_VAULT_TOKENyes for vault-transit
—
SB_KMS_VAULT_KEYyes for vault-transit
—
Transit key name
SB_KMS_VAULT_MOUNTno
transit
SB_KMS_AWS_REGIONyes for aws-kms
—
SB_KMS_AWS_KEY_IDyes for aws-kms
—
Alias / ARN / key id
SB_KMS_AWS_ENDPOINTno
—
LocalStack / VPC endpoint override
SB_BOOTSTRAP_ADMIN_EMAILrecommended on first boot
—
See Bootstrap
SB_BOOTSTRAP_ADMIN_PASSWORDrecommended on first boot
—
SB_BOOTSTRAP_ADMIN_USER_IDoptional
—
Opaque user_id for pre-OIDC role assignment
SB_GITOPS_ENABLEDno
falseBRD §26 ArgoCD endpoints + observation fan-out
agent
Env var
Required
Default
Notes
SB_CP_ENDPOINTyes —
https://api.example.com
SB_INSECURE_TRANSPORTno
falseSet true ONLY for local-dev http://
SB_CP_CA_FILEno
—
Pin a private CA (replaces system roots)
SB_CP_TLS_SERVER_NAMEno
—
SNI override for private DNS
SB_AGENT_IDyes —
UUID from POST /agents
SB_AGENT_SECRETyes —
Returned once at mint
SB_BOOTSTRAP_FILEoptional
—
JSON {agent_id, agent_secret} alternative to env vars
SB_CLUSTER_NAMEyes for discovery—
Stamped on every discovered secret
SB_HEARTBEAT_INTERVALno
30s
SB_CLAIM_INTERVALno
5s
SB_CLAIM_CONCURRENCYno
4Worker pool size
SB_LOCAL_ADDRno
127.0.0.1:8090Loopback probes
SB_AGENT_PRIVATE_KEYno
—
base64 X25519 private key (wire envelope)
SB_AGENT_PRIVATE_KEY_FILEno
—
File path alternative
SB_VAULT_ADDRyes for Vault
—
SB_VAULT_TOKENyes for Vault token auth
—
SB_VAULT_KUBERNETES_ROLEyes for Vault k8s auth
—
Alternative to token
SB_VAULT_NAMESPACEno
—
Vault Enterprise namespace
SB_AWS_REGIONyes for AWS SM
—
SB_AWS_ROLE_ARNno
—
Cross-account AssumeRole
SB_AWS_ENDPOINTno
—
LocalStack / VPC endpoint override
AWS credentials are read from the standard AWS SDK chain
(IRSA, instance role, AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY,
shared profile). The agent deliberately does not add new env
vars for AWS credentials — that would invite operators to mix
sources.
worker
Env var
Required
Default
Notes
DATABASE_URLyes —
Same Postgres as the api
REDIS_URLyes —
Same Redis as the api
SB_WORKER_GITOPS_ENABLEDno
falseMust match api's SB_GITOPS_ENABLED
SB_DISCOVER_TARGETS_JSONno
—
Periodic discovery targets (admin API tracked)
SB_SWEEP_WRAPS_INTERVALno
60s
SB_SWEEP_SECRETS_INTERVALno
5m
SB_SWEEP_SECRETS_STALE_AFTERno
24h
SB_SWEEP_AGENTS_INTERVALno
60s
SB_SWEEP_AGENTS_STALE_AFTERno
5m
SB_SWEEP_JOBS_INTERVALno
30s
SB_SWEEP_GITOPS_POLL_INTERVALno
15s
SB_SWEEP_GITOPS_TIMEOUT_INTERVALno
60s
SB_NOTIFICATION_WEBHOOK_URLno
—
Generic webhook
SB_NOTIFICATION_WEBHOOK_FORMAT_SLACKno
falseWraps payload in {text: ...}
controller
Env var
Required
Default
Notes
KUBECONFIGfor out-of-cluster runs
—
In-cluster uses the projected SA
LEADER_ELECTION_NAMESPACEno
controller's own
METRICS_ADDRno
:8080Prometheus exposition
WATCH_NAMESPACEno
"" (all)
Limit reconciliation scope
Secret material — naming convention
Material
What it is
Where it lives
Rotation
SB_JWT_SECRETHMAC key for HS256 login tokens
api env / K8s Secret
Operator-rotated (no rotation runbook yet — tracked)
SB_WRAP_MASTER_KEYMaster key for the local KMS backend
api env / K8s Secret
Don't use in production — use Vault Transit or AWS KMS
SB_KMS_VAULT_TOKENVault token for the vault-transit backend
api env / K8s Secret
Lease-tracked; refresh via Vault rotation
SB_AGENT_SECRETPer-agent bearer secret
agent env / K8s Secret
Revoke + mint to rotate
SB_BOOTSTRAP_ADMIN_PASSWORDSeed admin password
api env at first boot
Rotate immediately after first sign-in
None of these should ever appear in:
Git history (use a K8s Secret, sealed-secret, or external-secrets-operator binding)
CI logs (mask via the CI's secret-masking facility)
Docker images (env vars in Dockerfile ENV are baked into layers)
Application logs (the api strips them from all log lines)