This guide provides a comprehensive reference for configuring the FlowX Admin microservice using environment variables and configuration files.

Infrastructure Prerequisites

Before setting up the Admin microservice, ensure the following components are properly set up:

  • Database Instance: The Admin microservice connects to the same database as the FlowX.AI Engine.
  • MongoDB: For additional data management.
  • Redis: For caching and transient data storage.
  • Kafka: For audit logs, events, and messaging (if using FlowX.AI Audit functionality).

Core configuration

Server configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SERVER_PORT | Port on which the Admin service will run | 8080 |
| SPRING_APPLICATION_NAME | Name of the application used for service discovery | admin |
| SPRING_JACKSON_SERIALIZATION_INDENTOUTPUT | Enable indented JSON output | true |

Database configuration

The Admin microservice connects to the same PostgreSQL or Oracle database as the FlowX.AI Engine for storing process definitions.

| Environment Variable | Description | Example Value |
| --- | --- | --- |
| SPRING_DATASOURCE_URL | JDBC URL for database connection | jdbc:postgresql://localhost:5432/flowx |
| SPRING_DATASOURCE_USERNAME | Database username | postgres |
| SPRING_DATASOURCE_PASSWORD | Database password | [your-secure-password] |

Make sure that the user, password, connection URL, and database name are configured correctly; otherwise, the service will report errors at startup.

The database schema is managed by a Liquibase script provided with the Engine.

MongoDB configuration

The Admin microservice also connects to a MongoDB database instance for additional data management.

| Environment Variable | Description | Example Value |
| --- | --- | --- |
| DB_USERNAME | MongoDB username | admin |
| DB_PASSWORD | MongoDB password | [your-secure-password] |
| DB_NAME | MongoDB database name | admin |
| SPRING_DATA_MONGODB_URI | MongoDB connection URI | mongodb://${DB_USERNAME}:${DB_PASSWORD}@localhost:27017/${DB_NAME}?retryWrites=true |
| SPRING_DATA_MONGODB_UUIDREPRESENTATION | UUID representation format | standard |
| SPRING_DATA_MONGODB_STORAGE | Storage type (Azure environments) | mongodb or cosmosdb |
| MONGOCK_CHANGELOGSSCANPACKAGE_0_ | Mongock changelog scan package | ai.flowx.admin.data.model.config.mongock |
| MONGOCK_TRANSACTIONENABLED | Enable transactions for Mongock operations | false |

Ensure that the MongoDB configuration meets the same database requirements as the FlowX.AI Engine, especially if the two share database instances.

Redis and caching configuration

Redis is used for caching and storing transient data.

| Environment Variable | Description | Default Value | Status |
| --- | --- | --- | --- |
| SPRING_DATA_REDIS_HOST | Redis server hostname | localhost | Recommended |
| SPRING_DATA_REDIS_PORT | Redis server port | 6379 | Recommended |
| SPRING_DATA_REDIS_PASSWORD | Redis server password | [your-secure-password] | Recommended |
| SPRING_REDIS_HOST | Redis server hostname | localhost | Deprecated |
| SPRING_REDIS_PORT | Redis server port | 6379 | Deprecated |
| SPRING_REDIS_PASSWORD | Redis server password | defaultpassword | Deprecated |
| SPRING_REDIS_TTL | Default Redis TTL in milliseconds | 5000000 | Used in other settings |

The SPRING_REDIS_* variables are deprecated and will be removed in a future FlowX version. Please use the corresponding SPRING_DATA_REDIS_* variables instead.

Kafka configuration

The Admin microservice uses Kafka for sending audit logs, managing scheduled timer events, platform component versions, and start timer event updates.

General Kafka settings

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SPRING_KAFKA_BOOTSTRAPSERVERS | Kafka broker addresses | localhost:9092 |
| SPRING_KAFKA_SECURITY_PROTOCOL | Security protocol | PLAINTEXT |
| KAFKA_MESSAGE_MAX_BYTES | Maximum message size in bytes | 52428800 (50MB) |

Kafka producer configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SPRING_KAFKA_PRODUCER_KEYSERIALIZER | Key serializer class | org.apache.kafka.common.serialization.StringSerializer |
| SPRING_KAFKA_PRODUCER_VALUESERIALIZER | Value serializer class | org.springframework.kafka.support.serializer.JsonSerializer |
| SPRING_KAFKA_PRODUCER_MAXREQUESTSIZE | Maximum request size | 52428800 (50MB) |

Kafka consumer configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_CONSUMER_GROUPID_GENERICPROCESSING | Generic processing consumer group | genericProcessingGroup |
| KAFKA_CONSUMER_THREADS_GENERICPROCESSING | Generic processing threads | 6 |
| KAFKA_CONSUMER_GROUPID_CONTENTTRANSLATE | Content translation consumer group | cms-consumer-preview |
| KAFKA_CONSUMER_GROUPID_RESUSAGEVALIDATION | Resource usage validation consumer group | cms-res-usage-validation-group |
| KAFKA_CONSUMER_THREADS_CONTENTTRANSLATE | Content translation consumer threads | 1 |
| KAFKA_CONSUMER_THREADS_RESUSAGEVALIDATION | Resource usage validation consumer threads | 2 |
| KAFKA_AUTHEXCEPTIONRETRYINTERVAL | Auth exception retry interval (seconds) | 10 |
| SPRING_KAFKA_AUTH_EXCEPTION_RETRY_INTERVAL | Auth exception retry interval (seconds) | 10 |

Topic naming configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| DOT | Reference to the primary separator | ${kafka.topic.naming.separator} |
| DASH | Reference to the secondary separator | ${kafka.topic.naming.separator2} |
| KAFKA_TOPIC_NAMING_PACKAGE | Base package name | ai${dot}flowx${dot} |
| KAFKA_TOPIC_NAMING_ENVIRONMENT | Environment name | dev${dot} |
| KAFKA_TOPIC_NAMING_VERSION | Topic version | ${dot}v1 |
| KAFKA_TOPIC_NAMING_SEPARATOR | Primary separator | . |
| KAFKA_TOPIC_NAMING_SEPARATOR2 | Secondary separator | - |
| KAFKA_TOPIC_NAMING_PREFIX | Combined prefix | ${kafka.topic.naming.package}${kafka.topic.naming.environment} |
| KAFKA_TOPIC_NAMING_SUFFIX | Combined suffix | ${kafka.topic.naming.version} |

Kafka topics configuration

Audit topics

| Environment Variable | Description | Pattern | Example Value |
| --- | --- | --- | --- |
| KAFKA_TOPIC_AUDIT_OUT | Audit output topic | ${kafka.topic.naming.prefix}core${dot}trigger${dot}save${dot}audit${kafka.topic.naming.suffix} | ai.flowx.dev.core.trigger.save.audit.v1 |

Platform Topics

| Environment Variable | Description | Pattern | Example Value |
| --- | --- | --- | --- |
| KAFKA_TOPIC_PLATFORM_COMPONENTSVERSIONS_IN | Components versions caching topic | ${kafka.topic.naming.prefix}core${dot}trigger${dot}platform${dot}versions${dot}caching${kafka.topic.naming.suffix} | ai.flowx.dev.core.trigger.platform.versions.caching.v1 |

Events gateway topics

| Environment Variable | Description | Pattern | Example Value |
| --- | --- | --- | --- |
| KAFKA_TOPIC_EVENTSGATEWAY_OUT_MESSAGE | Commands message output topic | ${kafka.topic.naming.prefix}eventsgateway${dot}process${dot}commands${dot}message${kafka.topic.naming.suffix} | ai.flowx.dev.eventsgateway.process.commands.message.v1 |

Build topics

| Environment Variable | Description | Pattern | Example Value |
| --- | --- | --- | --- |
| KAFKA_TOPIC_BUILD_STARTTIMEREVENTS_OUT_UPDATES | Start timer events updates topic | ${kafka.topic.naming.prefix}build${dot}start${dash}timer${dash}events${dot}updates${dot}in${kafka.topic.naming.suffix} | ai.flowx.dev.build.start-timer-events.updates.in.v1 |

Resource topics

| Environment Variable | Description | Pattern | Example Value |
| --- | --- | --- | --- |
| KAFKA_TOPIC_RESOURCESUSAGES_REFRESH | Resources usages refresh topic | ${kafka.topic.naming.prefix}application${dash}version${dot}resources${dash}usages${dot}refresh${kafka.topic.naming.suffix} | ai.flowx.dev.application-version.resources-usages.refresh.v1 |
| KAFKA_TOPIC_REQUEST_CONTENT_IN | Topic for content retrieval requests | ${kafka.topic.naming.prefix}plugin${dot}cms${dot}trigger${dot}retrieve${dot}content${kafka.topic.naming.suffix} | ai.flowx.dev.plugin.cms.trigger.retrieve.content.v1 |
| KAFKA_TOPIC_REQUEST_CONTENT_OUT | Topic for content retrieval results | ${kafka.topic.naming.prefix}${kafka.topic.naming.engineReceivePattern}plugin${dot}cms${dot}retrieve${dot}content${dot}results${kafka.topic.naming.suffix} | ai.flowx.dev.engine.receive.plugin.cms.retrieve.content.results.v1 |
| KAFKA_TOPIC_APPLICATION_IN_RESUSAGEVALIDATION | Topic for resource usage validation | ${kafka.topic.naming.prefix}application${dash}version${dot}resources${dash}usages${dot}sub${dash}res${dash}validation${dot}cms${kafka.topic.naming.suffix} | ai.flowx.dev.application-version.resources-usages.sub-res-validation.cms.v1 |
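
How the topic patterns above expand into concrete topic names, as an added example (not FlowX or Spring code): the hypothetical `resolve` function substitutes `${...}` placeholders recursively using the defaults from the topic naming table. It fails on a placeholder the naming table does not define, such as `kafka.topic.naming.engineReceivePattern`, and on cyclic references.

```python
import re

# Defaults copied from the "Topic naming configuration" table on this page.
NAMING = {
    "dot": "${kafka.topic.naming.separator}",
    "dash": "${kafka.topic.naming.separator2}",
    "kafka.topic.naming.package": "ai${dot}flowx${dot}",
    "kafka.topic.naming.environment": "dev${dot}",
    "kafka.topic.naming.version": "${dot}v1",
    "kafka.topic.naming.separator": ".",
    "kafka.topic.naming.separator2": "-",
    "kafka.topic.naming.prefix":
        "${kafka.topic.naming.package}${kafka.topic.naming.environment}",
    "kafka.topic.naming.suffix": "${kafka.topic.naming.version}",
}

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def resolve(pattern, props=NAMING, _seen=()):
    """Expand ${...} placeholders recursively; fail on unknown or cyclic keys."""
    def expand(match):
        key = match.group(1)
        if key in _seen:
            raise ValueError(f"cyclic placeholder: {key}")
        if key not in props:
            raise KeyError(key)  # no row for this key in the naming table
        return resolve(props[key], props, _seen + (key,))
    return PLACEHOLDER.sub(expand, pattern)


# Pattern of KAFKA_TOPIC_AUDIT_OUT, copied from the audit topics table.
AUDIT_OUT = ("${kafka.topic.naming.prefix}core${dot}trigger${dot}save"
             "${dot}audit${kafka.topic.naming.suffix}")

if __name__ == "__main__":
    print(resolve(AUDIT_OUT))
    # Overriding only the environment segment renames every derived topic.
    prod = {**NAMING, "kafka.topic.naming.environment": "prod${dot}"}
    print(resolve(AUDIT_OUT, prod))
```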

OAuth authentication for Kafka

When using the kafka-auth profile, the following variables configure OAuth for Kafka:

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| KAFKA_OAUTH_CLIENTID | OAuth client ID | kafka |
| KAFKA_OAUTH_CLIENTSECRET | OAuth client secret | kafka-secret |
| KAFKA_OAUTH_TOKEN_ENDPOINT_URI | OAuth token endpoint URI | kafka.auth.localhost |

When using the kafka-auth profile, the security protocol will automatically be set to SASL_PLAINTEXT and the SASL mechanism will be set to OAUTHBEARER.

Logging configuration

The FlowX Admin microservice provides granular control over logging levels for different components:

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| LOGGING_LEVEL_ROOT | Log level for root Spring Boot microservice | INFO |
| LOGGING_LEVEL_APP | Log level for application-specific code | DEBUG |

Localization settings

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| APPLICATION_DEFAULTLOCALE | Default locale for the application | en |
| APPLICATION_SUPPORTEDLOCALES | List of supported locales | en, ro |

Health monitoring

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| MANAGEMENT_HEALTH_DB_ENABLED | Enable database health checks | true |
| MANAGEMENT_HEALTH_KAFKA_ENABLED | Enable Kafka health checks | true |
| MANAGEMENT_SERVER_ADDRESS | Management server bind address | 0.0.0.0 |
| MANAGEMENT_SERVER_PORT | Management server port | 8081 |
| MANAGEMENT_SERVER_BASEPATH | Base path for management endpoints | /manage |
| MANAGEMENT_SECURITY_ENABLED | Enable security for management endpoints | false |
| MANAGEMENT_ENDPOINTS_WEB_BASEPATH | Base path for actuator endpoints | /actuator |
| MANAGEMENT_ENDPOINTS_WEB_EXPOSURE_INCLUDE | Endpoints to expose | health,info,metrics,metric,prometheus |
| MANAGEMENT_ENDPOINT_HEALTH_PROBES_ENABLED | Enable Kubernetes probes | true |
| MANAGEMENT_ENDPOINT_HEALTH_SHOWDETAILS | Show health check details | always |
| MANAGEMENT_METRICS_EXPORT_PROMETHEUS_ENABLED | Enable Prometheus metrics export | false |

Platform health configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| FLOWX_PLATFORMHEALTH_NAMESPACE | Kubernetes namespace for health checks | flowx |
| FLOWX_PLATFORMHEALTH_MANAGEMENTBASEPATH | Base path for management endpoints | ${management.server.base-path} |
| FLOWX_PLATFORMHEALTH_ACTUATORBASEPATH | Base path for actuator endpoints | ${management.endpoints.web.base-path} |
| FLOWX_PLATFORMHEALTH_ANNOTATIONNAME | Kubernetes annotation name for health checks | flowx.ai/health |
| FLOWX_PLATFORMHEALTH_ANNOTATIONVALUE | Kubernetes annotation value for health checks | true |

Multi-edit and undo/redo configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| FLOWX_MULTIEDIT_TTL | Time-to-live for multi-edit sessions in seconds | 45 |
| FLOWX_UNDOREDO_TTL | Time-to-live for undo/redo actions in seconds | 86400 |
| FLOWX_UNDOREDO_CLEANUP_CRONEXPRESSION | Cron expression for undo/redo cleanup | 0 0 2 ? |
| FLOWX_UNDOREDO_CLEANUP_DAYS | Days to keep deleted undo/redo items | 2 |

Resources usage configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| FLOWX_LIB_RESOURCESUSAGES_ENABLED | Enable resources usage tracking | true |
| FLOWX_LIB_RESOURCESUSAGES_REFRESHLISTENER_ENABLED | Enable listener for resource usage refreshes | true |
| FLOWX_LIB_RESOURCESUSAGES_REFRESHLISTENER_COLLECTOR_THREADCOUNT | Thread count for resource usage collector | 5 |
| FLOWX_LIB_RESOURCESUSAGES_REFRESHLISTENER_COLLECTOR_MAXBATCHSIZE | Maximum batch size for resource usage collection | 1000 |
| FLOWX_LIB_RESOURCESUSAGES_KAFKA_CONSUMER_GROUPID_RESOURCESUSAGESREFRESH | Consumer group ID for resource usage refresh | adminResourcesUsagesRefreshGroup |
| FLOWX_LIB_RESOURCESUSAGES_KAFKA_CONSUMER_THREADS_RESOURCESUSAGESREFRESH | Number of consumer threads for resource usage refresh | 3 |
| FLOWX_LIB_RESOURCESUSAGES_KAFKA_TOPIC_RESOURCE_USAGES_REFRESH | Kafka topic for resource usage refresh | ${kafka.topic.resources-usages.refresh} |
| FLOWX_LIB_RESOURCESUSAGES_KAFKA_AUTHEXCEPTIONRETRYINTERVAL | Retry interval in seconds after auth exceptions | 3 |

Authentication and Authorization Configuration

The FlowX Admin microservice supports authentication and authorization through OpenID Connect (with Keycloak as the default provider) and allows detailed role-based access control.

OpenID Connect Configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SECURITY_TYPE | Security type | oauth2 |
| SECURITY_OAUTH2CLIENT | Enable OAuth2 client | enabled |
| SECURITY_OAUTH2_BASESERVERURL | Base URL of the OAuth2 server | |
| SECURITY_OAUTH2_REALM | OAuth2 realm name | |
| SECURITY_OAUTH2_CLIENT_CLIENTID | OAuth2 client ID | |
| SECURITY_OAUTH2_CLIENT_CLIENTSECRET | OAuth2 client secret | |

Service Account Configuration

The following service account configuration is deprecated but still supported for backward compatibility.

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENTID | Service account client ID | flowx-${SPRING_APPLICATION_NAME}-sa |
| SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENTSECRET | Service account client secret | client-secret |

Spring Security OAuth2 Client Configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_INTROSPECTIONURI | Token introspection URI | ${SECURITY_OAUTH2_BASESERVERURL}/realms/${SECURITY_OAUTH2_REALM}/protocol/openid-connect/token/introspect |
| SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENTID | Resource server client ID | ${SECURITY_OAUTH2_CLIENT_CLIENTID} |
| SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUETOKEN_CLIENTSECRET | Resource server client secret | ${SECURITY_OAUTH2_CLIENT_CLIENTSECRET} |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_PROVIDER | Identity provider name | mainAuthProvider |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTNAME | Client name | mainIdentity |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTID | Client ID | ${SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_CLIENTID} |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET | Client secret | ${SECURITY_OAUTH2_SERVICEACCOUNT_ADMIN_CLIENTSECRET} |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_AUTHORIZATIONGRANTTYPE | Authorization grant type | client_credentials |
| SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENT_AUTHENTICATION_METHOD | Client authentication method | client_secret_post |
| SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MAINAUTHPROVIDER_TOKENURI | Provider token URI | ${SECURITY_OAUTH2_BASESERVERURL}/realms/${SECURITY_OAUTH2_REALM}/protocol/openid-connect/token |

Identity Provider Configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| OPENID_PROVIDER | OpenID provider type | keycloak (possible values: keycloak, entra) |
| FLOWX_AUTHENTICATE_CLIENTID | Client ID for authentication service | flowx-platform-authenticate |
| FLOWX_PROCESS_DEFAULTROLES | Default roles for processes | FLOWX_ROLE |

Keycloak Configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| OPENID_KEYCLOAK_BASE_SERVER_URL | Keycloak server URL | ${SECURITY_OAUTH2_BASESERVERURL} |
| OPENID_KEYCLOAK_REALM | Keycloak realm | ${SECURITY_OAUTH2_REALM} |
| OPENID_KEYCLOAK_CLIENT_CLIENT_ID | Keycloak client ID | ${SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENTID} |
| OPENID_KEYCLOAK_CLIENT_CLIENT_SECRET | Keycloak client secret | ${SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENTSECRET} |

Microsoft Entra ID configuration

| Environment Variable | Description | Default Value |
| --- | --- | --- |
| OPENID_ENTRA_GRAPH_SCOPE | Microsoft Graph API scope | https://graph.microsoft.com/.default |
| OPENID_ENTRA_TENANT_ID | Microsoft Entra tenant ID | |
| OPENID_ENTRA_CLIENT_ID | Microsoft Entra client ID | ${SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTID} |
| OPENID_ENTRA_CLIENT_SECRET | Microsoft Entra client secret | ${SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET} |
| OPENID_ENTRA_PRINCIPAL_ID | Microsoft Entra principal ID | |

The role-based access control is configured in the application YAML and grants specific permissions for platform management, user management, process management, integrations management, and configuration management.

In production environments, never use the default service account credentials. Always configure secure, environment-specific credentials for authentication.

Sensitive information such as passwords and client secrets should be managed securely using environment variables or a secrets management solution in production environments.
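
A pre-deployment check for the two notes above, as an added example (not FlowX code): the hypothetical `audit` function scans an environment mapping for secrets still set to the placeholder or default values printed on this page, for the deprecated Redis variables, and for documented defaults that deserve a deliberate decision before production. Settings with a documented default are treated as in effect when the variable is unset; secrets are checked only when set.

```python
# Secret values printed on this page as defaults; they must not reach production.
DOCUMENTED_SECRETS = {
    "SPRING_REDIS_PASSWORD": "defaultpassword",
    "KAFKA_OAUTH_CLIENTSECRET": "kafka-secret",
    "SECURITY_OAUTH2_SERVICE_ACCOUNT_ADMIN_CLIENTSECRET": "client-secret",
}
PLACEHOLDER = "[your-secure-password]"
SECRET_SUFFIXES = ("PASSWORD", "CLIENTSECRET", "CLIENT_SECRET")
# Documented defaults that stay in effect when the variable is unset.
RISKY_DEFAULTS = {
    "SPRING_KAFKA_SECURITY_PROTOCOL": ("PLAINTEXT", "Kafka traffic is not encrypted"),
    "MANAGEMENT_SECURITY_ENABLED": ("false", "management endpoints are unsecured"),
    "MANAGEMENT_SERVER_ADDRESS": ("0.0.0.0", "management port binds to all interfaces"),
    "MANAGEMENT_ENDPOINT_HEALTH_SHOWDETAILS": ("always", "health details are always shown"),
    "LOGGING_LEVEL_APP": ("DEBUG", "application code logs at DEBUG"),
}
DEPRECATED = ("SPRING_REDIS_HOST", "SPRING_REDIS_PORT", "SPRING_REDIS_PASSWORD")

def audit(env):
    """Return sorted (variable, issue) pairs for an environment mapping."""
    findings = set()
    for name, value in env.items():
        if name.endswith(SECRET_SUFFIXES):
            if not value or value == PLACEHOLDER:
                findings.add((name, "secret is empty or still the placeholder"))
            elif value == DOCUMENTED_SECRETS.get(name):
                findings.add((name, "secret equals the documented default"))
        if name in DEPRECATED:
            findings.add((name, "deprecated, use SPRING_DATA_REDIS_*"))
    for name, (default, issue) in RISKY_DEFAULTS.items():
        if env.get(name, default).lower() == default.lower():
            findings.add((name, issue))
    return sorted(findings)

# Constructed sample environment, not taken from a real deployment.
SAMPLE_ENV = {
    "SPRING_DATASOURCE_PASSWORD": "[your-secure-password]",
    "SPRING_REDIS_PASSWORD": "defaultpassword",
    "SPRING_DATA_REDIS_PASSWORD": "s3-constructed-value",
    "SECURITY_OAUTH2_CLIENT_CLIENTSECRET": "",
    "SPRING_KAFKA_SECURITY_PROTOCOL": "SASL_SSL",
    "MANAGEMENT_SECURITY_ENABLED": "true",
    "LOGGING_LEVEL_APP": "INFO",
}

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_ENV):
        print(f"{name}: {issue}")
```

To check a running container's settings, pass `dict(os.environ)` to `audit` instead of the sample mapping.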