Available starting with FlowX.AI 5.5.0The Organization Manager is a new microservice responsible for organization and tenant management, including user registration, organization lifecycle, and platform component health monitoring.
Dependencies
Before setting up the Organization Manager, ensure you have the following dependencies in place:- PostgreSQL database for storing organization and tenant data
- Kafka for event-driven communication with other FlowX.AI services
- Redis for caching
- Keycloak (or compatible OAuth2 provider) for authentication and authorization
- SpiceDB for fine-grained authorization
Infrastructure prerequisites
| Component | Description |
|---|---|
| PostgreSQL | Dedicated database for organization data |
| Kafka | Message broker for inter-service communication |
| Redis | Caching layer for improved performance |
| Keycloak | Identity provider for service authentication |
| SpiceDB | Authorization service for fine-grained access control |
Configuration
Authorization configuration
| Environment Variable | Description | Default Value |
|---|---|---|
SECURITY_TYPE | Security type | jwt-public-key |
SECURITY_OAUTH2_BASE_SERVER_URL | Base URL of the OAuth2/OIDC server | - |
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTID | Client ID for service account | flowx-organization-manager-sa |
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET | Client secret for service account | - |
SPRING_SECURITY_OAUTH2_CLIENT_PROVIDER_MAINAUTHPROVIDER_TOKEN_URI | Provider token URI | ${SECURITY_OAUTH2_BASE_SERVER_URL}/realms/${SECURITY_OAUTH2_SA_REALM}/protocol/openid-connect/token |
PostgreSQL configuration
The Organization Manager uses its own dedicated PostgreSQL database.| Environment Variable | Description | Default Value |
|---|---|---|
SPRING_DATASOURCE_URL | JDBC connection URL for PostgreSQL | jdbc:postgresql://postgresql:5432/organization_manager |
SPRING_DATASOURCE_USERNAME | Database username | postgres |
SPRING_DATASOURCE_PASSWORD | Database password | - |
Redis configuration
Organization Manager uses Redis for caching. Configure Redis connection using the standard Redis environment variables. Quick reference:| Environment Variable | Description | Default Value |
|---|---|---|
SPRING_REDIS_HOST | Redis server hostname | redis-master |
SPRING_REDIS_PORT | Redis server port | 6379 |
SPRING_REDIS_PASSWORD | Redis authentication password | - |
For complete Redis configuration including Sentinel mode, Cluster mode, and SSL/TLS setup, see the Redis Configuration guide.
Kafka configuration
Core Kafka settings
| Environment Variable | Description | Default Value |
|---|---|---|
SPRING_KAFKA_BOOTSTRAP_SERVERS | Address of the Kafka server(s) | localhost:9092 |
KAFKA_MESSAGE_MAX_BYTES | Maximum message size (bytes) | 52428800 (50 MB) |
Topic naming configuration
| Environment Variable | Description | Default Value |
|---|---|---|
KAFKA_TOPIC_NAMING_PACKAGE | Package prefix for topic names | ai.flowx. |
KAFKA_TOPIC_NAMING_ENVIRONMENT | Environment segment for topic names | |
KAFKA_TOPIC_NAMING_VERSION | Version suffix for topic names | .v1 |
KAFKA_TOPIC_NAMING_SEPARATOR | Primary separator for topic names | . |
KAFKA_TOPIC_NAMING_SEPARATOR2 | Secondary separator for topic names | - |
Kafka topics
The Organization Manager publishes organization lifecycle events:| Environment Variable | Description | Default Value |
|---|---|---|
KAFKA_TOPIC_ORGANIZATION_EVENTS_OUT | Topic for organization lifecycle events | ai.flowx.organization.events.v1 |
CAS lib configuration (SpiceDB)
| Environment Variable | Description | Default Value |
|---|---|---|
FLOWX_LIB_CASCLIENT_SPICEDB_HOST | SpiceDB hostname | spicedb |
FLOWX_LIB_CASCLIENT_SPICEDB_PORT | SpiceDB gRPC port | 50051 |
FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN | SpiceDB authentication token | - |
Logging configuration
| Environment Variable | Description | Default Value |
|---|---|---|
LOGGING_LEVEL_ROOT | Root logging level | INFO |
LOGGING_LEVEL_APP | Application-specific log level | INFO |
Multipart upload configuration
| Environment Variable | Description | Default Value |
|---|---|---|
MULTIPART_MAX_FILE_SIZE | Maximum file size per upload | 50MB |
MULTIPART_MAX_REQUEST_SIZE | Maximum total request size | 50MB |
Secrets management
The Organization Manager requires several secrets to be configured. These should be stored securely and referenced via Kubernetes secrets or a secrets management solution.| Secret Name | Description |
|---|---|
SPRING_DATASOURCE_PASSWORD | PostgreSQL database password |
SPRING_REDIS_PASSWORD | Redis authentication password |
SPRING_SECURITY_OAUTH2_CLIENT_REGISTRATION_MAINIDENTITY_CLIENTSECRET | Keycloak service account secret |
FLOWX_LIB_CASCLIENT_SPICEDB_TOKEN | SpiceDB authentication token |
Deployment
Helm values example
Below is an example Helm values configuration for deploying the Organization Manager:Network policies
The Organization Manager requires network access to the following services:| Service | Purpose | Pod Label |
|---|---|---|
| Kafka | Message broker communication | flowx.ai/egress-s-kafka |
| PostgreSQL | Primary data storage | flowx.ai/egress-s-postgresql |
| Redis | Caching | flowx.ai/egress-s-redis |
| Keycloak | Authentication | flowx.ai/egress-s-keycloak |
| SpiceDB | Authorization | flowx.ai/egress-s-spicedb |
Monitoring
The Organization Manager exposes Prometheus metrics for monitoring. Turn on scraping by setting the pod label:Health endpoints
| Endpoint | Description |
|---|---|
/actuator/health | Health check endpoint |
/actuator/metrics | Prometheus metrics endpoint |
/actuator/info | App info endpoint |
Verify your setup
The Organization Manager pod is running and healthy:
kubectl get pods -l app=organization-managerThe health endpoint returns HTTP 200:
curl http://organization-manager:8080/actuator/healthDatabase migrations completed successfully — check pod logs for
Liquibase: Update has been successfulSpiceDB connection is established — check pod logs for successful CAS client initialization
Kafka topic
ai.flowx.organization.events.v1 exists and the service can publish to itTroubleshooting
Database connection failures
Database connection failures
Symptoms: Service fails to start with database connection errors.Solutions:
- Verify the
organization_managerdatabase exists in PostgreSQL - Check that the database user has appropriate permissions
- Ensure network connectivity between the pod and PostgreSQL service
- Verify the JDBC URL format is correct
SpiceDB connection failures
SpiceDB connection failures
Symptoms: Authorization errors or service fails to initialize CAS client.Solutions:
- Verify SpiceDB is running and reachable at the configured host and port
- Check that the SpiceDB token is correct
- Ensure network policies allow gRPC traffic to SpiceDB on port
50051 - Review pod logs for specific CAS client error messages
Kafka publishing failures
Kafka publishing failures
Symptoms: Organization events not reaching downstream services.Solutions:
- Verify Kafka bootstrap servers are reachable
- Check that the
ai.flowx.organization.events.v1topic exists - Ensure the service has producer permissions on the topic
- Review
KAFKA_MESSAGE_MAX_BYTESif large messages fail
Service account authentication errors
Service account authentication errors
Symptoms: 401/403 errors when communicating with other FlowX services.Solutions:
- Verify the Keycloak service account is properly configured
- Check that client secrets match between configuration and Keycloak
- Ensure the service account has required roles assigned
- Verify
SECURITY_TYPEis set tojwt-public-key

