Overview

SpiceDB is a database for managing authorization policies. It is used to store and manage the authorization policies for the Authorization Service in FlowX 5.0’s multi-tenant architecture.
For more information about SpiceDB, see the SpiceDB documentation.

Prerequisites

Infrastructure

  • Kubernetes cluster with admin access
  • PostgreSQL database server
  • Network connectivity between SpiceDB and FlowX services

FlowX Integration

  • FlowX 5.0+ authorization-system microservice
  • CAS client library configuration in all FlowX services
  • Proper secret management for authentication

Installation Steps

Step 1: Install SpiceDB Operator

First, install the SpiceDB Operator in your Kubernetes cluster:
kubectl apply -f https://github.com/authzed/spicedb-operator/releases/latest/download/bundle.yaml
Verify the operator is running:
kubectl get pods -n spicedb-operator-system

Step 2: Create SpiceDB Database

Create a dedicated PostgreSQL database and user for SpiceDB:
-- Connect to PostgreSQL as admin user
CREATE DATABASE spicedb;
CREATE USER spicedb_user WITH PASSWORD 'your-secure-password';
GRANT ALL PRIVILEGES ON DATABASE spicedb TO spicedb_user;
SpiceDB requires a dedicated PostgreSQL database. Do not share it with other FlowX services.

Step 3: Create Kubernetes Secret

Create the spicedb secret with the required credentials:
apiVersion: v1
kind: Secret
metadata:
  name: spicedb
type: Opaque
data:
  datastore_uri: <base64-encoded-postgres-connection-string>
  preshared_key: <base64-encoded-secure-token>
The secret should contain:
# Raw values (encode these in base64 for the secret)
datastore_uri='postgres://USERNAME:PASSWORD@postgresql:5432/spicedb?sslmode=disable'
preshared_key='REPLACEME'
Generate a secure preshared key using: openssl rand -base64 32

Step 4: Deploy SpiceDBCluster

Create and apply the SpiceDBCluster custom resource:
apiVersion: authzed.com/v1alpha1
kind: SpiceDBCluster
metadata:
  name: spicedb
spec:
  channel: stable
  config:
    datastoreEngine: postgres
    logLevel: debug
    replicas: 2
  patches:
  - kind: Deployment
    patch:
      spec:
        template:
          spec:
            containers:
            - name: spicedb
              resources:
                limits:
                  cpu: "2"
                  memory: 1Gi
                requests:
                  cpu: 200m
                  memory: 512Mi
  secretName: spicedb
  version: v1.42.1
Apply the configuration:
kubectl apply -f spicedbcluster.yaml

Step 5: Update FlowX Services

The following services need a cas-lib configuration:
  • authorization-service
  • application-manager
  • authorization-system
  • cms-core
  • data-sync
  • document-plugin
  • integration-designer
  • notification-plugin
  • process-engine
  • runtime-manager
  • task-management-plugin
Configure FlowX services to connect to SpiceDB. The following configuration values are already set by default in FlowX:
FLOWX_LIB_CASCLIENT_SPICEDB_HOST: spicedb #default value
FLOWX_LIB_CASCLIENT_SPICEDB_PORT: 50051 #default value
Required Configuration: Add the SpiceDB token to your FlowX services:
FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN: REPLACEME

Helm values configuration

Add the token reference to your Helm values using extraEnvVarsMultipleSecretsCustomKeys:
extraEnvVarsMultipleSecretsCustomKeys:
  - name: spicedb
    secrets:
      FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN: preshared_key
This configuration tells Helm to:
  1. Look for the existing Kubernetes Secret named spicedb (created in Step 3)
  2. Take the value from the preshared_key key in that secret
  3. Mount it as environment variable FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN in FlowX service pods
Token Synchronization: The preshared_key value in the SpiceDB secret must match the FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN in all FlowX microservices.
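As an added example (not part of the FlowX or SpiceDB documentation), the following Python preflight check follows the Helm reference from Step 5 back to the Step 3 secret and confirms the wiring the steps above describe: the secret name matches spec.secretName from Step 4, the environment variable resolves to the preshared_key key, that key is not the REPLACEME placeholder, and datastore_uri points at the dedicated spicedb database. The sample secret and Helm values are constructed inline, and make_secret, resolve_token and check_config are names chosen for this example.

```python
import base64
from urllib.parse import parse_qs, urlparse

PLACEHOLDER = "REPLACEME"

def make_secret(name, datastore_uri, preshared_key):
    """Build the Step 3 Secret's `data` map (base64-encoded values, as kubectl would store them)."""
    return {"name": name, "data": {
        "datastore_uri": base64.b64encode(datastore_uri.encode()).decode(),
        "preshared_key": base64.b64encode(preshared_key.encode()).decode()}}

def resolve_token(secret, helm_values, env_var="FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN"):
    """Follow the Helm reference (secret name -> key) to the decoded token FlowX pods would receive."""
    for ref in helm_values.get("extraEnvVarsMultipleSecretsCustomKeys", []):
        if ref["name"] == secret["name"] and env_var in ref["secrets"]:
            key = ref["secrets"][env_var]
            if key not in secret["data"]:
                raise KeyError(f"secret {secret['name']!r} has no key {key!r}")
            return base64.b64decode(secret["data"][key]).decode()
    raise LookupError(f"{env_var} is not wired to secret {secret['name']!r}")

def check_config(secret, helm_values, cluster_secret_name):
    """Return a list of findings; an empty list means the wiring passes the preflight check."""
    findings = []
    if secret["name"] != cluster_secret_name:
        findings.append("SpiceDBCluster.spec.secretName does not point at this secret")
    # SpiceDB reads its gRPC preshared key from the secret's preshared_key entry;
    # FlowX must receive exactly that value through the Helm reference.
    spicedb_key = base64.b64decode(secret["data"]["preshared_key"]).decode()
    if resolve_token(secret, helm_values) != spicedb_key:
        findings.append("FlowX token is wired to a key other than preshared_key")
    if spicedb_key == PLACEHOLDER or len(spicedb_key) < 32:
        findings.append("preshared_key is a placeholder or too short; use openssl rand -base64 32")
    uri = urlparse(base64.b64decode(secret["data"]["datastore_uri"]).decode())
    if uri.scheme != "postgres" or uri.path.lstrip("/") != "spicedb":
        findings.append("datastore_uri must be a postgres:// URI for the dedicated spicedb database")
    if parse_qs(uri.query).get("sslmode", ["prefer"])[0] == "disable":
        findings.append("note: sslmode=disable, acceptable only for in-cluster traffic")
    return findings

# Constructed sample: the Step 3 secret still holding the placeholder values shown on this page.
SAMPLE_SECRET = make_secret("spicedb",
    "postgres://spicedb_user:PASSWORD@postgresql:5432/spicedb?sslmode=disable", PLACEHOLDER)
SAMPLE_HELM_VALUES = {"extraEnvVarsMultipleSecretsCustomKeys": [
    {"name": "spicedb", "secrets": {"FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN": "preshared_key"}}]}

if __name__ == "__main__":
    for finding in check_config(SAMPLE_SECRET, SAMPLE_HELM_VALUES, "spicedb"):
        print("-", finding)
```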

Verification

Verify your SpiceDB deployment:
1. Check SpiceDB Pods

Ensure SpiceDB pods are running:
kubectl get pods -l app.kubernetes.io/name=spicedb
2. Test Connectivity

Verify SpiceDB is accessible on port 50051:
kubectl port-forward svc/spicedb 50051:50051
# Test connection from another terminal
grpcurl -plaintext localhost:50051 list
3. Check FlowX Integration

Review FlowX service logs for successful SpiceDB connection:
kubectl logs -l app=authorization-system | grep -i spicedb

Configuration reference

Required environment variables

Variable                   | Required | Description                            | Default Value                                                        | Notes
SPICEDB_DATASTORE_ENGINE   | Yes      | Database engine type                   | postgres                                                             | Only PostgreSQL is supported in FlowX
SPICEDB_DATASTORE_CONN_URI | Yes      | PostgreSQL connection string           | postgres://postgres:password@postgresql:5432/spicedb?sslmode=disable | Use a Kubernetes Secret; include sslmode=disable for internal cluster communication
SPICEDB_GRPC_PRESHARED_KEY | Yes      | Pre-shared key for gRPC authentication | your-secure-key-here                                                 | This becomes FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN in FlowX services

Optional configuration

Variable                        | Required | Description                              | Default Value | Notes
SPICEDB_DISPATCH_CLUSTER_ENABLED | ⚠️       | Enable cluster mode for multiple replicas | true          | Required for production deployments with multiple replicas
SPICEDB_LOG_LEVEL               | ⚠️       | Logging verbosity level                  | debug         | Use debug for troubleshooting, info for production

Customer-specific configuration

Required Customization: These values must be updated for each deployment environment.
  • Database Connection: Update datastore_uri with your PostgreSQL credentials and hostname
  • Security Token: Generate a unique preshared_key for your deployment