Fix docs for configuration and update object storage docs (#7283)

* feat(docs): enhance configuration documentation with nested parameters and types

* fix(docs): correct title and improve clarity in object storage documentation

* fix(workflow): add pydantic-settings to Python environment setup

* fix(docs): correct link formatting in object storage documentation

* fix(docs): add missing period in object storage configuration reference link

* Update docs/docs/topics/object-storage.mdx

Co-authored-by: fatih-acar <[email protected]>

---------

Co-authored-by: fatih-acar <[email protected]>

Author: minitriga

.github/workflows/keyword-scan.yml

@@ -20,6 +20,6 @@ jobs:
         with:
           python-version: 3.12
       - name: "Setup Python environment"
-        run: "pip install invoke toml"
+        run: "pip install invoke toml pydantic-settings"
       - name: Scan for prohibited keywords
         run: "invoke main.scan"

docs/_templates/infrahub_config.j2

@@ -34,4 +34,17 @@ Here are a few common methods of setting environmental variables:
 {% for parameter in section.parameters %}
 | `{{ parameter.env }}` | {{ parameter.description }} | {{ parameter.type }} | {{ parameter.default }} |
 {% endfor %}
-{% endfor %}
+
+{%- for parameter in section.parameters %}
+{% if parameter.nested_parameters %}
+
+### {{ parameter.env or parameter.name | upper }}
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+{% for nested in parameter.nested_parameters %}
+| `{{ nested.env or nested.name | upper | replace(" ", "_") }}` | {{ nested.description }} | {{ nested.type }} | {{ nested.default }} |
+{% endfor -%}
+  {% endif -%}
+{% endfor -%}
+{% endfor -%}

docs/docs/reference/configuration.mdx

@@ -76,7 +76,7 @@ The HTTP settings control how Infrahub interacts with external HTTP servers. Thi
 
 | Name | Description | Type | Default |
 |------|-------------|------|---------|
-| `INFRAHUB_DB_INFRAHUB_DB_TYPE` | None | None | neo4j |
+| `INFRAHUB_DB_INFRAHUB_DB_TYPE` | None | string (neo4j, memgraph) | neo4j |
 | `INFRAHUB_DB_PROTOCOL` | None | string | bolt |
 | `INFRAHUB_DB_USERNAME` | None | string | neo4j |
 | `INFRAHUB_DB_PASSWORD` | None | string | admin |
@@ -112,7 +112,7 @@ Configuration settings for the message bus.
 | `INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES` | The maximum number of retries that are attempted for failed messages | integer | 10 |
 | `INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES` | The maximum number of concurrent messages fetched by each worker | integer | 2 |
 | `INFRAHUB_BROKER_VIRTUALHOST` | The virtual host to connect to | string | / |
-| `INFRAHUB_BROKER_DRIVER` | None | None | rabbitmq |
+| `INFRAHUB_BROKER_DRIVER` | None | string (rabbitmq, nats) | rabbitmq |
 
 ## Cache
 
@@ -122,7 +122,7 @@ Configuration settings for the message bus.
 | `INFRAHUB_CACHE_ADDRESS` | None | string | localhost |
 | `INFRAHUB_CACHE_PORT` | Specified if running on a non default port (6379) | None | None |
 | `INFRAHUB_CACHE_DATABASE` | Id of the database to use | integer | 0 |
-| `INFRAHUB_CACHE_DRIVER` | None | None | redis |
+| `INFRAHUB_CACHE_DRIVER` | None | string (redis, nats) | redis |
 | `INFRAHUB_CACHE_USERNAME` | None | string |  |
 | `INFRAHUB_CACHE_PASSWORD` | None | string |  |
 | `INFRAHUB_CACHE_TLS_ENABLED` | Indicates if TLS is enabled for the connection | boolean | False |
@@ -137,10 +137,10 @@ Configuration settings for the message bus.
 | `INFRAHUB_WORKFLOW_ADDRESS` | None | string | localhost |
 | `INFRAHUB_WORKFLOW_PORT` | Specified if running on a non default port. | None | None |
 | `INFRAHUB_WORKFLOW_TLS_ENABLED` | Indicates if TLS is enabled for the connection | boolean | False |
-| `INFRAHUB_WORKFLOW_DRIVER` | None | None | worker |
+| `INFRAHUB_WORKFLOW_DRIVER` | None | string (local, worker) | worker |
 | `INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE` | None | string | infrahubasync |
 | `INFRAHUB_WORKFLOW_EXTRA_LOGGERS` | A list of additional logger that will be captured during task execution. | array[string] | None |
-| `INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL` | Log level applied to all extra loggers. | None | INFO |
+| `INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL` | Log level applied to all extra loggers. | string (CRITICAL, ERROR, WARNING, INFO, DEBUG) | INFO |
 | `INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL` | Specify how often the worker should poll the server for tasks (sec) | integer | 2 |
 
 ## Miscellaneous
@@ -185,20 +185,109 @@ Configuration settings for the message bus.
 | `INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME` | Lifetime of refresh token in seconds | integer | 2592000 |
 | `INFRAHUB_SECURITY_SECRET_KEY` | The secret key used to validate authentication tokens | string | None |
 | `INFRAHUB_SECURITY_OAUTH2_PROVIDERS` | The selected OAuth2 providers | array | None |
-| `INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS` | None | None | None |
+| `INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS` | None | object | Check nested parameters |
 | `INFRAHUB_SECURITY_OIDC_PROVIDERS` | The selected OIDC providers | array | None |
-| `INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS` | None | None | None |
+| `INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS` | None | object | Check nested parameters |
 | `INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS` | Indicates if untrusted Jinja2 filters should be disallowed for computed attributes | boolean | True |
 | `INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP` | Name of the group to which users authenticated via SSO will belong if not provided by identity provider | None | None |
 
+### INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| `INFRAHUB_OAUTH2_GOOGLE_ICON` | None | string | mdi:google |
+| `INFRAHUB_OAUTH2_GOOGLE_USERINFO_METHOD` | None | string (post, get) | get |
+| `INFRAHUB_OAUTH2_GOOGLE_CLIENT_ID` | Client ID of the application created in the auth provider | string | None |
+| `INFRAHUB_OAUTH2_GOOGLE_CLIENT_SECRET` | Client secret as defined in auth provider | string | None |
+| `INFRAHUB_OAUTH2_GOOGLE_AUTHORIZATION_URL` | None | string | https://accounts.google.com/o/oauth2/auth |
+| `INFRAHUB_OAUTH2_GOOGLE_TOKEN_URL` | None | string | https://oauth2.googleapis.com/token |
+| `INFRAHUB_OAUTH2_GOOGLE_USERINFO_URL` | None | string | https://www.googleapis.com/oauth2/v3/userinfo |
+| `INFRAHUB_OAUTH2_GOOGLE_SCOPES` | None | array[string] | None |
+| `INFRAHUB_OAUTH2_GOOGLE_DISPLAY_LABEL` | None | string | Google |
+| `INFRAHUB_OAUTH2_GOOGLE_FETCH_GROUPS` | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scopes: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
+| `INFRAHUB_OAUTH2_GOOGLE_CLOUDIDENTITY_URL` | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
+| `INFRAHUB_OAUTH2_PROVIDER1_ICON` | None | string | mdi:account-key |
+| `INFRAHUB_OAUTH2_PROVIDER1_USERINFO_METHOD` | None | string (post, get) | get |
+| `INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID` | Client ID of the application created in the auth provider | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET` | Client secret as defined in auth provider | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL` | None | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL` | None | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL` | None | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER1_SCOPES` | None | array[string] | None |
+| `INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL` | None | string | Single Sign on |
+| `INFRAHUB_OAUTH2_PROVIDER2_ICON` | None | string | mdi:account-key |
+| `INFRAHUB_OAUTH2_PROVIDER2_USERINFO_METHOD` | None | string (post, get) | get |
+| `INFRAHUB_OAUTH2_PROVIDER2_CLIENT_ID` | Client ID of the application created in the auth provider | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER2_CLIENT_SECRET` | Client secret as defined in auth provider | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER2_AUTHORIZATION_URL` | None | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER2_TOKEN_URL` | None | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER2_USERINFO_URL` | None | string | None |
+| `INFRAHUB_OAUTH2_PROVIDER2_SCOPES` | None | array[string] | None |
+| `INFRAHUB_OAUTH2_PROVIDER2_DISPLAY_LABEL` | None | string | Single Sign on |
+
+### INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| `INFRAHUB_OIDC_GOOGLE_ICON` | None | string | mdi:google |
+| `INFRAHUB_OIDC_GOOGLE_DISPLAY_LABEL` | None | string | Google |
+| `INFRAHUB_OIDC_GOOGLE_USERINFO_METHOD` | None | string (post, get) | get |
+| `INFRAHUB_OIDC_GOOGLE_CLIENT_ID` | Client ID of the application created in the auth provider | string | None |
+| `INFRAHUB_OIDC_GOOGLE_CLIENT_SECRET` | Client secret as defined in auth provider | string | None |
+| `INFRAHUB_OIDC_GOOGLE_DISCOVERY_URL` | None | string | https://accounts.google.com/.well-known/openid-configuration |
+| `INFRAHUB_OIDC_GOOGLE_SCOPES` | None | array[string] | None |
+| `INFRAHUB_OIDC_GOOGLE_FETCH_GROUPS` | Whether to use Cloud Identity API to fetch user groups. Note: requires additional scope: https://www.googleapis.com/auth/cloud-identity.groups.readonly | boolean | False |
+| `INFRAHUB_OIDC_GOOGLE_CLOUDIDENTITY_URL` | Google Cloud endpoint for Cloud Identity. Using searchDirectGroups by default because it is available for the Free plan | string | https://cloudidentity.googleapis.com/v1/groups/-/memberships:searchDirectGroups |
+| `INFRAHUB_OIDC_PROVIDER1_ICON` | None | string | mdi:account-key |
+| `INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL` | None | string | Single Sign on |
+| `INFRAHUB_OIDC_PROVIDER1_USERINFO_METHOD` | None | string (post, get) | get |
+| `INFRAHUB_OIDC_PROVIDER1_CLIENT_ID` | Client ID of the application created in the auth provider | string | None |
+| `INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET` | Client secret as defined in auth provider | string | None |
+| `INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL` | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
+| `INFRAHUB_OIDC_PROVIDER1_SCOPES` | None | array[string] | None |
+| `INFRAHUB_OIDC_PROVIDER2_ICON` | None | string | mdi:account-key |
+| `INFRAHUB_OIDC_PROVIDER2_DISPLAY_LABEL` | None | string | Single Sign on |
+| `INFRAHUB_OIDC_PROVIDER2_USERINFO_METHOD` | None | string (post, get) | get |
+| `INFRAHUB_OIDC_PROVIDER2_CLIENT_ID` | Client ID of the application created in the auth provider | string | None |
+| `INFRAHUB_OIDC_PROVIDER2_CLIENT_SECRET` | Client secret as defined in auth provider | string | None |
+| `INFRAHUB_OIDC_PROVIDER2_DISCOVERY_URL` | The OIDC discovery URL xyz/.well-known/openid-configuration | string | None |
+| `INFRAHUB_OIDC_PROVIDER2_SCOPES` | None | array[string] | None |
+
+## Storage
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| `INFRAHUB_STORAGE_DRIVER` | None | string (local, s3) | local |
+| `INFRAHUB_STORAGE_LOCAL` | None | object | Check nested parameters |
+| `INFRAHUB_STORAGE_S3` | None | object | Check nested parameters |
+
+### INFRAHUB_STORAGE_LOCAL
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| `INFRAHUB_STORAGE_LOCAL_PATH` | None | string | /opt/infrahub/storage |
+
+### INFRAHUB_STORAGE_S3
+
+| Name | Description | Type | Default |
+|------|-------------|------|---------|
+| `AWS_ACCESS_KEY_ID` | None | string |  |
+| `AWS_SECRET_ACCESS_KEY` | None | string |  |
+| `INFRAHUB_STORAGE_BUCKET_NAME` | None | string |  |
+| `INFRAHUB_STORAGE_ENDPOINT_URL` | None | string |  |
+| `INFRAHUB_STORAGE_USE_SSL` | None | boolean | True |
+| `INFRAHUB_STORAGE_DEFAULT_ACL` | None | string | private |
+| `INFRAHUB_STORAGE_QUERYSTRING_AUTH` | None | boolean | False |
+| `INFRAHUB_STORAGE_CUSTOM_DOMAIN` | None | string |  |
+
 ## Trace
 
 | Name | Description | Type | Default |
 |------|-------------|------|---------|
 | `INFRAHUB_TRACE_ENABLE` | None | boolean | False |
 | `INFRAHUB_TRACE_INSECURE` | Use insecure connection (HTTP) if True, otherwise use secure connection (HTTPS) | boolean | True |
-| `INFRAHUB_TRACE_EXPORTER_TYPE` | Type of exporter to be used for tracing | None | console |
-| `INFRAHUB_TRACE_EXPORTER_PROTOCOL` | Protocol to be used for exporting traces | None | grpc |
+| `INFRAHUB_TRACE_EXPORTER_TYPE` | Type of exporter to be used for tracing | string (console, otlp) | console |
+| `INFRAHUB_TRACE_EXPORTER_PROTOCOL` | Protocol to be used for exporting traces | string (grpc, http/protobuf) | grpc |
 | `INFRAHUB_TRACE_EXPORTER_ENDPOINT` | OTLP endpoint for exporting traces | None | None |
 
 ## Experimental features

docs/docs/topics/object-storage.mdx

@@ -1,53 +1,77 @@
 ---
-title: Object-storage
+title: Object storage
 ---
 
-# Object-storage
+# Object storage
 
-Infrahub provides an interface to store and retrieve files or objects in an object-storage. The object-storage is used internally within Infrahub to store rendered artifacts, but it can be used to store any text based file or content.
+Infrahub provides an interface to store and retrieve files or objects in object storage. Object storage is used internally within Infrahub to store rendered artifacts, but you can also use it to store any text-based file or content.
 
-You can interface with the object-storage through the REST API and Python SDK.
-See the [object-storage guide](../guides/object-storage) and [object-storage Python SDK]($(base_url)python-sdk/guides/object-storage) guide for more information.
+You can interact with object storage through the REST API and Python SDK. For practical steps, see the [object storage guide](../guides/object-storage) and the [object storage Python SDK guide]($(base_url)python-sdk/guides/object-storage).
 
-## Supported backends
+## Supported storage backends
 
-At this moment Infrahub supports using local storage, or AWS S3 storage backends. Support for other storage backends will be added in the future.
+Infrahub supports two storage backends:
 
-### Local storage
+- Local storage (configured by default)
+- AWS S3 (or S3-compatible) storage
+
+You configure the backend by setting the appropriate environment variables. These variables are typically set in your Docker Compose YAML file or in the deployment environment for your containers. See the [Infrahub configuration reference](../reference/configuration.mdx) for a full list of options.
+
+---
 
-Infrahub can use local storage as a storage backend. It can be any directory on a filesystem that is attached to the system on which Infrahub runs. The only requirement is that all the Infrahub API servers and Task workers need access to the filesystem.
+### Local storage
 
-To setup Infrahub to use local storage backend you can use the following configuration:
+By default, Infrahub uses local storage for artifacts and files. No additional configuration is required unless you want to change the storage location.
 
-```toml
-[storage]
-driver = "local"
+To explicitly configure local storage, set the following environment variables in your Docker Compose YAML file or deployment environment:
 
-[storage.local]
-path = "/opt/infrahub/storage/"
+```yaml
+    # ... other configuration ...
+      INFRAHUB_STORAGE_DRIVER: "local"
+      INFRAHUB_STORAGE_LOCAL_PATH: "/opt/infrahub/storage"
+    # ... other configuration ...
 ```
 
-More details can be found in the [configuration documentation](../reference/configuration).
+All Infrahub API servers and task workers must have access to the specified directory.
+
+---
 
 ### AWS S3 storage
 
-Infrahub can use AWS S3 or any other S3 API compatible storage as a storage system.
+To use AWS S3 or any S3-compatible storage, set the following environment variables in your Docker Compose YAML file or deployment environment:
+
+```yaml
+    # ... other configuration ...
+    INFRAHUB_STORAGE_DRIVER: "s3"
+    AWS_ACCESS_KEY_ID: "my_access_key"
+    AWS_SECRET_ACCESS_KEY: "secret_access_key"
+    INFRAHUB_STORAGE_BUCKET_NAME: "my-infrahub-bucket"
+    INFRAHUB_STORAGE_ENDPOINT_URL: "s3.eu-central-1.amazonaws.com"
+    # ... other configuration ...
+```
+
+For all available configuration options and environment variables, refer to the [Infrahub configuration reference](../reference/configuration.mdx#infrahub_storage_s3).
 
-To setup Infrahub to use AWS S3 as a storage backend you can use the following configuration:
+---
 
-```toml
-[storage]
-driver = "s3"
+:::info
+You can switch between storage backends by changing the value of `INFRAHUB_STORAGE_DRIVER` and updating the relevant environment variables in your deployment configuration.
+:::
 
-[storage.s3]
-access_key_id = "my_access_key"
-secret_access_key = "secret_access_key"
-bucket_name = "my-infrahub-bucket"
-endpoint_url = "https://s3.eu-central-1.amazonaws.com"
-```
+:::warning
+If you change the storage driver (for example, from `local` to `s3` or vice versa), **existing artifacts will not be automatically migrated**.  
+To regenerate artifacts:
 
-More details can be found in the [configuration documentation](../reference/configuration).
+- You must either delete the old artifacts, or
+- Manually update their checksum values and regenerate them.
+
+Failing to do so may result in missing or stale artifact files.
+:::
+
+---
 
 ## Object model
 
-Objects or files stored within the object-storage, are identified by an identifier (UUID). An identifier is assigned to the object at time of creation within the object-storage. Interactions with the object then happen leveraging that identifier.
+Objects or files stored within object storage are identified by a unique identifier (UUID). This identifier is assigned when the object is created. All interactions with the object use this identifier.
+
+For more details on configuration options, see the [Infrahub configuration reference](../reference/configuration.mdx).